* [PATCH 6.12 000/567] 6.12.64-rc1 review
@ 2026-01-06 16:56 Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 001/567] btrfs: do not skip logging new dentries when logging a new name Greg Kroah-Hartman
` (580 more replies)
0 siblings, 581 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.12.64 release.
There are 567 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 08 Jan 2026 17:03:16 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.64-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.12.64-rc1
Damien Le Moal <dlemoal@kernel.org>
block: fix NULL pointer dereference in blk_zone_reset_all_bio_endio()
Christoph Hellwig <hch@lst.de>
iomap: allocate s_dio_done_wq for async reads as well
SeongJae Park <sj@kernel.org>
mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of()
Kevin Tian <kevin.tian@intel.com>
vfio/pci: Disable qword access to the PCI ROM bar
Ming Qian <ming.qian@oss.nxp.com>
media: amphion: Remove vpu_vb_is_codecconfig
Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
media: amphion: Make some vpu_v4l2 functions static
Ming Qian <ming.qian@oss.nxp.com>
media: amphion: Add a frame flush mode for decoder
Chen-Yu Tsai <wenst@chromium.org>
media: mediatek: vcodec: Use spinlock for context list protection lock
David Hildenbrand <david@redhat.com>
powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
David Hildenbrand <david@redhat.com>
mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize()
David Hildenbrand <david@redhat.com>
mm/balloon_compaction: we cannot have isolated pages in the balloon list
Jim Quinlan <james.quinlan@broadcom.com>
PCI: brcmstb: Fix disabling L0s capability
Jim Quinlan <james.quinlan@broadcom.com>
PCI: brcmstb: Set MLW based on "num-lanes" DT property if present
Stanimir Varbanov <svarbanov@suse.de>
PCI: brcmstb: Reuse pcie_cfg_data structure
Biju Das <biju.das.jz@bp.renesas.com>
ASoC: renesas: rz-ssi: Fix rz_ssi_priv::hw_params_cache::sample_width
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime
Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>
soundwire: stream: extend sdw_alloc_stream() to take 'type' parameter
Damien Le Moal <dlemoal@kernel.org>
block: handle zone management operations completions
Biju Das <biju.das.jz@bp.renesas.com>
ASoC: renesas: rz-ssi: Fix channel swap issue in full duplex mode
Ankit Garg <nktgrg@google.com>
gve: defer interrupt enabling until NAPI registration
Thomas Gleixner <tglx@linutronix.de>
hrtimers: Make hrtimer_update_function() less expensive
Joshua Hay <joshua.a.hay@intel.com>
idpf: remove obsolete stashing code
Joshua Hay <joshua.a.hay@intel.com>
idpf: stop Tx if there are insufficient buffer resources
Joshua Hay <joshua.a.hay@intel.com>
idpf: replace flow scheduling buffer ring with buffer pool
Joshua Hay <joshua.a.hay@intel.com>
idpf: simplify and fix splitq Tx packet rollback error path
Joshua Hay <joshua.a.hay@intel.com>
idpf: improve when to set RE bit logic
Joshua Hay <joshua.a.hay@intel.com>
idpf: add support for Tx refillqs in flow scheduling mode
Joshua Hay <joshua.a.hay@intel.com>
idpf: trigger SW interrupt when exiting wb_on_itr mode
Joshua Hay <joshua.a.hay@intel.com>
idpf: add support for SW triggered interrupts
Quan Zhou <quan.zhou@mediatek.com>
wifi: mt76: mt7925: add handler to hif suspend/resume event
Quan Zhou <quan.zhou@mediatek.com>
wifi: mt76: mt7925: fix CLC command timeout when suspend/resume
Quan Zhou <quan.zhou@mediatek.com>
wifi: mt76: mt7925: fix the unfinished command of regd_notifier before suspend
Dave Stevenson <dave.stevenson@raspberrypi.com>
media: i2c: imx219: Fix 1920x1080 mode to use 1:1 pixel aspect ratio
Borislav Petkov (AMD) <bp@alien8.de>
x86/microcode/AMD: Select which microcode patch to load
Jiri Slaby (SUSE) <jirislaby@kernel.org>
tty: fix tty_port_tty_*hangup() kernel-doc
Alexander Stein <alexander.stein@ew.tq-group.com>
serial: core: Fix serial device initialization
Zqiang <qiang.zhang@linux.dev>
usbnet: Fix using smp_processor_id() in preemptible code warnings
Eric Dumazet <edumazet@google.com>
net: use dst_dev_rcu() in sk_setup_caps()
Eric Dumazet <edumazet@google.com>
ipv6: adopt dst_dev() helper
Justin Iurman <justin.iurman@uliege.be>
net: ipv6: ioam6: use consistent dst names
Boris Brezillon <boris.brezillon@collabora.com>
drm/panthor: Flush shmem writes before mapping buffers CPU-uncached
Xiao Ni <xni@redhat.com>
md/raid10: wait barrier before returning discard request with REQ_NOWAIT
Andrii Melnychenko <a.melnychenko@vyos.io>
netfilter: nft_ct: add seqadj extension for natted connections
Askar Safin <safinaskar@gmail.com>
gpiolib: acpi: Add quirk for Dell Precision 7780
Mario Limonciello (AMD) <superm1@kernel.org>
gpiolib: acpi: Add quirk for ASUS ProArt PX13
Mario Limonciello <mario.limonciello@amd.com>
gpiolib: acpi: Add a quirk for Acer Nitro V15
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
gpiolib: acpi: Move quirks to a separate file
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
gpiolib: acpi: Add acpi_gpio_need_run_edge_events_on_boot() getter
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
gpiolib: acpi: Handle deferred list via new API
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
gpiolib: acpi: Switch to use enum in acpi_gpio_in_ignore_list()
Chao Yu <chao@kernel.org>
f2fs: fix to propagate error from f2fs_enable_checkpoint()
Chao Yu <chao@kernel.org>
f2fs: dump more information for f2fs_{enable,disable}_checkpoint()
Chao Yu <chao@kernel.org>
f2fs: add timeout in f2fs_enable_checkpoint()
Sheng Yong <shengyong@oppo.com>
f2fs: clear SBI_POR_DOING before initing inmem curseg
j.turek <jakub.turek@elsta.tech>
serial: xilinx_uartps: fix rs485 delay_rts_after_send
Nam Cao <namcao@linutronix.de>
serial: xilinx_uartps: Use helper function hrtimer_update_function()
Nam Cao <namcao@linutronix.de>
hrtimers: Introduce hrtimer_update_function()
Jani Nikula <jani.nikula@intel.com>
drm/displayid: add quirk to ignore DisplayID checksum errors
Tejun Heo <tj@kernel.org>
sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq()
Tejun Heo <tj@kernel.org>
sched_ext: Factor out local_dsq_post_enq() from dispatch_enqueue()
Jarkko Sakkinen <jarkko@kernel.org>
tpm2-sessions: Fix tpm2_read_public range checks
Damien Le Moal <dlemoal@kernel.org>
block: freeze queue when updating zone resources
Nicolas Ferre <nicolas.ferre@microchip.com>
ARM: dts: microchip: sama7g5: fix uart fifo size to 32
Joshua Rogers <linux@joshua.hu>
svcrdma: bound check rq_pages index in inline path
xu xin <xu.xin16@zte.com.cn>
mm/ksm: fix exec/fork inheritance support for prctl
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ignore unknown endpoint flags
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
serial: core: Restore sysfs fwnode information
Johan Hovold <johan@kernel.org>
serial: core: fix OF node leak
Chao Yu <chao@kernel.org>
f2fs: fix to avoid updating compression context during writeback
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: drop inode from the donation list when the last file is closed
Chao Yu <chao@kernel.org>
f2fs: use global inline_xattr_slab instead of per-sb slab cache
Chao Yu <chao@kernel.org>
f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes()
Łukasz Bartosik <ukaszb@chromium.org>
xhci: dbgtty: fix device unregister: fixup
Jiri Slaby (SUSE) <jirislaby@kernel.org>
tty: introduce and use tty_port_tty_vhangup() helper
Ye Bin <yebin10@huawei.com>
jbd2: fix the inconsistency between checksum and data in memory for journal sb
Zqiang <qiang.zhang@linux.dev>
sched_ext: Fix incorrect sched_class settings for per-cpu migration tasks
Junbeom Yeom <junbeom.yeom@samsung.com>
erofs: fix unexpected EIO under memory pressure
Peter Zijlstra <peterz@infradead.org>
sched/eevdf: Fix min_vruntime vs avg_vruntime
Josef Bacik <josef@toxicpanda.com>
btrfs: don't rewrite ret from inode_permission
Alexey Velichayshiy <a.velichayshiy@ispras.ru>
gfs2: fix freeze error handling
Vivian Wang <wangruikang@iscas.ac.cn>
lib/crypto: riscv/chacha: Avoid s0/fp register
Alessio Belle <alessio.belle@imgtec.com>
drm/imagination: Disallow exporting of PM/FW protected objects
Lyude Paul <lyude@redhat.com>
drm/nouveau/dispnv50: Don't call drm_atomic_get_crtc_state() in prepare_fb
Krzysztof Niemiec <krzysztof.niemiec@intel.com>
drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer
Nikolay Kuratov <kniv@yandex-team.ru>
drm/msm/dpu: Add missing NULL pointer check for pingpong interface
Thomas Hellström <thomas.hellstrom@linux.intel.com>
drm/xe: Drop preempt-fences when destroying imported dma-bufs.
Matthew Brost <matthew.brost@intel.com>
drm/xe: Use usleep_range for accurate long-running workload timeslicing
Matthew Brost <matthew.brost@intel.com>
drm/xe: Adjust long-running workload timeslices to reasonable values
Ashutosh Dixit <ashutosh.dixit@intel.com>
drm/xe/oa: Disallow 0 OA property values
Thomas Hellström <thomas.hellstrom@linux.intel.com>
drm/xe/bo: Don't include the CCS metadata in the dma-buf sg-table
René Rebe <rene@exactco.de>
drm/mgag200: Fix big-endian support
Simon Richter <Simon.Richter@hogyros.de>
drm/ttm: Avoid NULL pointer deref for evicted BOs
Ard Biesheuvel <ardb@kernel.org>
drm/i915: Fix format string truncation warning
Jay Cornwall <jay.cornwall@amd.com>
drm/amdkfd: Trap handler support for expert scheduling mode
Jonathan Kim <jonathan.kim@amd.com>
drm/amdkfd: bump minimum vgpr size for gfx1151
Mario Limonciello <mario.limonciello@amd.com>
drm/amdkfd: Export the cwsr_size and ctl_stack_size to userspace
Johan Hovold <johan@kernel.org>
drm/mediatek: Fix probe device leaks
Johan Hovold <johan@kernel.org>
drm/mediatek: Fix probe memory leak
Johan Hovold <johan@kernel.org>
drm/mediatek: Fix probe resource leaks
Miaoqian Lin <linmq006@gmail.com>
drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse()
Sanjay Yadav <sanjay.kumar.yadav@intel.com>
drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
Jani Nikula <jani.nikula@intel.com>
drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident
Thomas Zimmermann <tzimmermann@suse.de>
drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()
Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
drm/buddy: Separate clear and dirty free block trees
Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
drm/buddy: Optimize free block management with RB tree
Akhil P Oommen <akhilpo@oss.qualcomm.com>
drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gmc11: add amdgpu_vm_handle_fault() handling
Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gmc12: add amdgpu_vm_handle_fault() handling
Mario Limonciello (AMD) <superm1@kernel.org>
Revert "drm/amd: Skip power ungate during suspend for VPE"
Xiaolei Wang <xiaolei.wang@windriver.com>
net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open()
Deepanshu Kartikey <kartikey406@gmail.com>
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
Ethan Nelson-Moore <enelsonmoore@gmail.com>
net: usb: sr9700: fix incorrect command used to write single register
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
nfsd: Drop the client reference in client_states_open()
Hengqi Chen <hengqi.chen@gmail.com>
LoongArch: BPF: Sign extend kfunc call arguments
Hengqi Chen <hengqi.chen@gmail.com>
LoongArch: BPF: Zero-extend bpf_tail_call() index
Chenghao Duan <duanchenghao@kylinos.cn>
LoongArch: Refactor register restoration in ftrace_common_return
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
fjes: Add missing iounmap in fjes_hw_init()
Guangshuo Li <lgs201920130244@gmail.com>
e1000: fix OOB in e1000_tbi_should_accept()
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/cm: Fix leaking the multicast GID table reference
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
Chenghao Duan <duanchenghao@kylinos.cn>
samples/ftrace: Adjust LoongArch register restore order in direct calls
Kaushlendra Kumar <kaushlendra.kumar@intel.com>
tools/mm/page_owner_sort: fix timestamp comparison for stable sorting
Rong Zhang <i@rong.moe>
x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo
Ran Xiaokai <ran.xiaokai@zte.com.cn>
mm/page_owner: fix memory leak in page_owner_stack_fops->release()
Matthew Wilcox (Oracle) <willy@infradead.org>
idr: fix idr_alloc() returning an ID out of range
NeilBrown <neil@brown.name>
lockd: fix vfs_test_lock() calls
Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
kasan: unpoison vms[area] addresses with a common tag
Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
kasan: refactor pcpu kasan vmalloc unpoison
Jiayuan Chen <jiayuan.chen@linux.dev>
mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN
H. Peter Anvin <hpa@zytor.com>
compiler_types.h: add "auto" as a macro for "__auto_type"
Wentao Liang <vulab@iscas.ac.cn>
pmdomain: imx: Fix reference count leak in imx_gpc_probe()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle memory failure from damon_test_target()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at()
SeongJae Park <sj@kernel.org>
mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ()
SeongJae Park <sj@kernel.org>
mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail()
SeongJae Park <sj@kernel.org>
mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets()
Tiezhu Yang <yangtiezhu@loongson.cn>
LoongArch: Use unsigned long for _end and _text
WangYuli <wangyl5933@chinaunicom.cn>
LoongArch: Use __pmd()/__pte() for swap entry conversions
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Fix build errors for CONFIG_RANDSTRUCT
Qiang Ma <maqianga@uniontech.com>
LoongArch: Correct the calculation logic of thread_count
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Add new PCI ID for pci_fixup_vgadev()
Haoxiang Li <haoxiang_li2024@163.com>
media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
Duoming Zhou <duoming@zju.edu.cn>
media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
Duoming Zhou <duoming@zju.edu.cn>
media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
Ming Qian <ming.qian@oss.nxp.com>
media: amphion: Cancel message work before releasing the VPU core
Johan Hovold <johan@kernel.org>
media: vpif_display: fix section mismatch
Johan Hovold <johan@kernel.org>
media: vpif_capture: fix section mismatch
Haotian Zhang <vulab@iscas.ac.cn>
media: videobuf2: Fix device reference leak in vb2_dc_alloc error path
Nicolas Dufresne <nicolas.dufresne@collabora.com>
media: verisilicon: Protect G2 HEVC decoder against invalid DPB index
Duoming Zhou <duoming@zju.edu.cn>
media: TDA1997x: Remove redundant cancel_delayed_work in probe
Marek Szyprowski <m.szyprowski@samsung.com>
media: samsung: exynos4-is: fix potential ABBA deadlock on init
Miaoqian Lin <linmq006@gmail.com>
media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled
Johan Hovold <johan@kernel.org>
media: platform: mtk-mdp3: fix device leaks at probe
Ivan Abramov <i.abramov@mt-integration.ru>
media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
Haotian Zhang <vulab@iscas.ac.cn>
media: cec: Fix debugfs leak on bus_register() failure
René Rebe <rene@exactco.de>
fbdev: tcx.c fix mem_map to correct smem_start offset
Thorsten Blum <thorsten.blum@linux.dev>
fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
Rene Rebe <rene@exactco.de>
fbdev: gbefb: fix to use physical address instead of dma address
Mikulas Patocka <mpatocka@redhat.com>
dm-bufio: align write boundary on physical block size
Uladzislau Rezki (Sony) <urezki@gmail.com>
dm-ebs: Mark full buffer dirty even on partial write
Mahesh Rao <mahesh.rao@altera.com>
firmware: stratix10-svc: Add mutex in stratix10 memory management
Ivan Abramov <i.abramov@mt-integration.ru>
media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
David Hildenbrand <david@redhat.com>
powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION
Sandipan Das <sandipan.das@amd.com>
perf/x86/amd/uncore: Fix the return value of amd_uncore_df_event_init() on error
Sven Schnelle <svens@stackframe.org>
parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
Sven Schnelle <svens@stackframe.org>
parisc: entry.S: fix space adjustment on interruption for 64-bit userspace
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spi-nor: winbond: Add support for W25Q02NWxxIM chips
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips
Christian Marangi <ansuelsmth@gmail.com>
mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions
Nicolas Dufresne <nicolas.dufresne@collabora.com>
media: verisilicon: Fix CPU stalls on G2 bus error
Haotian Zhang <vulab@iscas.ac.cn>
media: rc: st_rc: Fix reset control resource leak
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
mfd: max77620: Fix potential IRQ chip conflict when probing two devices
Johan Hovold <johan@kernel.org>
mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup
Nathan Chancellor <nathan@kernel.org>
clk: samsung: exynos-clkout: Assign .num before accessing .hws
Damien Le Moal <dlemoal@kernel.org>
block: Clear BLK_ZONE_WPLUG_PLUGGED when aborting plugged BIOs
Christian Hitz <christian.hitz@bbv.ch>
leds: leds-lp50xx: Enable chip before any communication
Christian Hitz <christian.hitz@bbv.ch>
leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs
Christian Hitz <christian.hitz@bbv.ch>
leds: leds-lp50xx: Allow LED 0 to be added to module bank
Thomas Weißschuh <linux@weissschuh.net>
leds: leds-cros_ec: Skip LEDs without color components
Donet Tom <donettom@linux.ibm.com>
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
Dave Vasilevsky <dave@vasilevsky.ca>
powerpc, mm: Fix mprotect on book3s 32-bit
Siddharth Vadapalli <s-vadapalli@ti.com>
arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator
Lukas Wunner <lukas@wunner.de>
PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths
Shengming Hu <hu.shengming@zte.com.cn>
fgraph: Check ftrace_pids_enabled on registration for early filtering
Shengming Hu <hu.shengming@zte.com.cn>
fgraph: Initialize ftrace_ops->private for function graph ops
Hans de Goede <johannes.goede@oss.qualcomm.com>
HID: logitech-dj: Remove duplicate error logging
Lu Baolu <baolu.lu@linux.intel.com>
iommu: disable SVA when CONFIG_X86 is set
Johan Hovold <johan@kernel.org>
iommu/tegra: fix device leak on probe_device()
Johan Hovold <johan@kernel.org>
iommu/sun50i: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/qcom: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/omap: fix device leaks on probe_device()
Johan Hovold <johan@kernel.org>
iommu/mediatek: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/mediatek-v1: fix device leaks on probe()
Johan Hovold <johan@kernel.org>
iommu/mediatek-v1: fix device leak on probe_device()
Johan Hovold <johan@kernel.org>
iommu/ipmmu-vmsa: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/exynos: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/apple-dart: fix device leak on of_xlate()
Jinhui Guo <guojinhui.liam@bytedance.com>
iommu/amd: Propagate the error code returned by __modify_irte_ga() in modify_irte_ga()
Jinhui Guo <guojinhui.liam@bytedance.com>
iommu/amd: Fix pci_segment memleak in alloc_pci_segment()
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6adm: the the copp device only during last instance
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6asm-dai: perform correct state check before closing
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: codecs: lpass-tx-macro: fix SM6115 support
Johan Hovold <johan@kernel.org>
ASoC: stm32: sai: fix OF node leak on probe
Johan Hovold <johan@kernel.org>
ASoC: stm32: sai: fix clk prepare imbalance on probe failure
Johan Hovold <johan@kernel.org>
ASoC: stm32: sai: fix device leak on probe
Johan Hovold <johan@kernel.org>
ASoC: codecs: wcd939x: fix regmap leak on probe failure
Matthew Wilcox (Oracle) <willy@infradead.org>
ntfs: Do not overwrite uptodate pages
Yipeng Zou <zouyipeng@huawei.com>
selftests/ftrace: traceonoff_triggers: strip off names
Cong Zhang <cong.zhang@oss.qualcomm.com>
blk-mq: skip CPU offline notify on unmapped hctx
Thomas Fourier <fourier.thomas@gmail.com>
RDMA/bnxt_re: fix dma_free_coherent() pointer
Honggang LI <honggangli@163.com>
RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
Zilin Guan <zilin@seu.edu.cn>
ksmbd: Fix memory leak in get_file_all_info()
Tuo Li <islituo@gmail.com>
md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()
Li Nan <linan122@huawei.com>
md: Fix static checker warning in analyze_sbs
Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
RDMA/bnxt_re: Fix to use correct page size for PDE table
Alok Tiwari <alok.a.tiwari@oracle.com>
RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
RDMA/core: always drop device refcount in ib_del_sub_device_and_put()
Alok Tiwari <alok.a.tiwari@oracle.com>
RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
Jang Ingyu <ingyujang25@korea.ac.kr>
RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
Michael Margolin <mrgolin@amazon.com>
RDMA/efa: Remove possible negative shift
Michal Schmidt <mschmidt@redhat.com>
RDMA/irdma: avoid invalid read in irdma_net_event
Jiayuan Chen <jiayuan.chen@linux.dev>
ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
Pwnverse <stanksal@purdue.edu>
net: rose: fix invalid array index in rose_kill_by_device()
Ido Schimmel <idosch@nvidia.com>
ipv4: Fix reference count leak when using error routes with nexthop objects
Will Rosenberg <whrosenb@asu.edu>
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Wei Fang <wei.fang@nxp.com>
net: stmmac: fix the crash issue for zero copy XDP_TX action
Anshumali Gaur <agaur@marvell.com>
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
Junrui Luo <moonafterrain@outlook.com>
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
Zilin Guan <zilin@seu.edu.cn>
vfio/pds: Fix memory leak in pds_vfio_dirty_enable()
Bagas Sanjaya <bagasdotme@gmail.com>
net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct
Deepanshu Kartikey <kartikey406@gmail.com>
net: usb: asix: validate PHY address before use
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
kbuild: fix compilation of dtb specified on command-line without make rule
Jonas Gorski <jonas.gorski@gmail.com>
net: dsa: b53: skip multicast entries for fdb_dump()
Thomas Fourier <fourier.thomas@gmail.com>
firewire: nosy: Fix dma_free_coherent() size
Andrew Morton <akpm@linux-foundation.org>
genalloc.h: fix htmldocs warning
Yeoreum Yun <yeoreum.yun@arm.com>
smc91x: fix broken irq-context in PREEMPT_RT
Alice C. Munduruca <alice.munduruca@canonical.com>
selftests: net: fix "buffer overflow detected" for tap.c
Deepakkumar Karn <dkarn@redhat.com>
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: reset retries and mode on RX adapt failures
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: fix missing put_device() in dsa_tree_find_first_conduit()
Jiri Pirko <jiri@resnulli.us>
team: fix check for port enabled in team_queue_override_port_prio_changed()
Junrui Luo <moonafterrain@outlook.com>
platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
Thomas Fourier <fourier.thomas@gmail.com>
platform/x86: msi-laptop: add missing sysfs_remove_group()
Shravan Kumar Ramani <shravankr@nvidia.com>
platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names
Eric Dumazet <edumazet@google.com>
ip6_gre: make ip6gre_header() robust
Toke Høiland-Jørgensen <toke@redhat.com>
net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
Jacky Chou <jacky_chou@aspeedtech.com>
net: mdio: aspeed: add dummy read to avoid read-after-write issue
Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Bluetooth: btusb: revert use of devm_kzalloc in btusb
Herbert Xu <herbert@gondor.apana.org.au>
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
Brian Vazquez <brianvv@google.com>
idpf: reduce mbx_task schedule delay to 300us
Kohei Enju <enjuk@amazon.com>
iavf: fix off-by-one issues in iavf_config_rss_reg()
Gregory Herrero <gregory.herrero@oracle.com>
i40e: validate ring_len parameter against hardware-specific values
Przemyslaw Korba <przemyslaw.korba@intel.com>
i40e: fix scheduling in set_rx_mode
Aloka Dixit <aloka.dixit@oss.qualcomm.com>
wifi: mac80211: do not use old MBSSID elements
Dan Carpenter <dan.carpenter@linaro.org>
wifi: cfg80211: sme: store capped length in __cfg80211_connect_result()
Morning Star <alexbestoso@gmail.com>
wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
Ping-Ke Shih <pkshih@realtek.com>
wifi: rtw88: limit indirect IO under powered off for RTL8822CS
Joanne Koong <joannelkoong@gmail.com>
fuse: fix readahead reclaim deadlock
Johan Hovold <johan@kernel.org>
iommu/mediatek: fix use-after-free on probe deferral
Thomas Gleixner <tglx@linutronix.de>
x86/msi: Make irq_retrigger() functional for posted MSI
Nicolas Ferre <nicolas.ferre@microchip.com>
ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
Johan Hovold <johan@kernel.org>
hwmon: (max6697) fix regmap leak on probe failure
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (max16065) Use local variable to avoid TOCTOU
Raviteja Laggyshetty <quic_rlaggysh@quicinc.com>
interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes
Ma Ke <make24@iscas.ac.cn>
i2c: amd-mp2: fix reference leak in MP2 PCI device
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
platform/x86: intel: chtwc_int33fe: don't dereference swnode args
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
rpmsg: glink: fix rpmsg device leak
Johan Hovold <johan@kernel.org>
soc: amlogic: canvas: fix device leak on lookup
Johan Hovold <johan@kernel.org>
soc: apple: mailbox: fix device leak on lookup
Johan Hovold <johan@kernel.org>
soc: qcom: ocmem: fix device leak on lookup
Johan Hovold <johan@kernel.org>
soc: qcom: pbs: fix device leak on lookup
Johan Hovold <johan@kernel.org>
soc: samsung: exynos-pmu: fix device leak on regmap lookup
Steven Rostedt <rostedt@goodmis.org>
tracing: Fix fixed array of synthetic event
Miaoqian Lin <linmq006@gmail.com>
virtio: vdpa: Fix reference count leak in octep_sriov_enable()
Johan Hovold <johan@kernel.org>
amba: tegra-ahb: Fix device leak on SMMU enable
Guangshuo Li <lgs201920130244@gmail.com>
crypto: caam - Add check for kcalloc() in test_len()
Shivani Agarwal <shivani.agarwal@broadcom.com>
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: PCI: qcom,pcie-sm8550: Add missing required power-domains and resets
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: PCI: qcom,pcie-sm8450: Add missing required power-domains and resets
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: PCI: qcom,pcie-sm8350: Add missing required power-domains and resets
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: PCI: qcom,pcie-sm8250: Add missing required power-domains and resets
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: PCI: qcom,pcie-sm8150: Add missing required power-domains and resets
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: PCI: qcom,pcie-sc8280xp: Add missing required power-domains and resets
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets
Marc Zyngier <maz@kernel.org>
arm64: Revamp HCR_EL2.E2H RES1 detection
Ahmed Genidi <ahmed.genidi@arm.com>
KVM: arm64: Initialize SCTLR_EL1 in __kvm_hyp_init_cpu()
Mark Rutland <mark.rutland@arm.com>
KVM: arm64: Initialize HCR_EL2.E2H early
Harshit Agarwal <harshit@nutanix.com>
sched/rt: Fix race in push_rt_task
Hangbin Liu <liuhangbin@gmail.com>
hsr: hold rcu and dev lock for hsr_get_port_ndev
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
pinctrl: renesas: rzg2l: Fix ISEL restore on resume
Junrui Luo <moonafterrain@outlook.com>
ALSA: wavefront: Clear substream pointers on close
Takashi Iwai <tiwai@suse.de>
ALSA: wavefront: Use guard() for spin locks
Denis Arefev <arefev@swemel.ru>
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
Jani Nikula <jani.nikula@intel.com>
drm/displayid: pass iter to drm_find_displayid_extension()
Ray Wu <ray.wu@amd.com>
drm/amd/display: Fix scratch registers offsets for DCN351
Ray Wu <ray.wu@amd.com>
drm/amd/display: Fix scratch registers offsets for DCN35
Alex Deucher <alexander.deucher@amd.com>
drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
Mario Limonciello <mario.limonciello@amd.com>
Revert "drm/amd/display: Fix pbn to kbps Conversion"
Jens Axboe <axboe@kernel.dk>
io_uring: fix min_wait wakeups for SQPOLL
Jens Axboe <axboe@kernel.dk>
io_uring/poll: correctly handle io_poll_add() return value on update
Wentao Guan <guanwentao@uniontech.com>
gpio: regmap: Fix memleak in error path in gpio_regmap_register()
Sven Schnelle <svens@linux.ibm.com>
s390/ipl: Clear SBP flag when bootprog is set
Filipe Manana <fdmanana@suse.com>
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
Nysal Jan K.A. <nysal@linux.ibm.com>
powerpc/kexec: Enable SMT before waking offline CPUs
Joshua Rogers <linux@joshua.hu>
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
Joshua Rogers <linux@joshua.hu>
svcrdma: use rc_pageoff for memcpy byte offset
Joshua Rogers <linux@joshua.hu>
svcrdma: return 0 on success from svc_rdma_copy_inline_range
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
nfsd: Mark variable __maybe_unused to avoid W=1 build break
Chuck Lever <chuck.lever@oracle.com>
NFSD: NFSv4 file creation neglects setting ACL
Chuck Lever <chuck.lever@oracle.com>
NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap
caoping <caoping@cmss.chinamobile.com>
net/handshake: restore destructor on submit failure
Amir Goldstein <amir73il@gmail.com>
fsnotify: do not generate ACCESS/MODIFY events on child for special files
Thorsten Blum <thorsten.blum@linux.dev>
net: phy: marvell-88q2xxx: Fix clamped value in mv88q2xxx_hwmon_write
René Rebe <rene@exactco.de>
r8169: fix RTL8117 Wake-on-Lan in DASH mode
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: runtime: Do not clear needs_force_resume with enabled runtime PM
Steven Rostedt <rostedt@goodmis.org>
tracing: Do not register unsupported perf events
Darrick J. Wong <djwong@kernel.org>
xfs: fix a UAF problem in xattr repair
Darrick J. Wong <djwong@kernel.org>
xfs: fix stupid compiler warning
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
xfs: fix a memory leak in xfs_buf_item_init()
Sean Christopherson <seanjc@google.com>
KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits
Sean Christopherson <seanjc@google.com>
KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN)
Dongli Zhang <dongli.zhang@oracle.com>
KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit
Jim Mattson <jmattson@google.com>
KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation
Jim Mattson <jmattson@google.com>
KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE
fuqiang wang <fuqiang.wng@gmail.com>
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
fuqiang wang <fuqiang.wng@gmail.com>
KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn()
Sean Christopherson <seanjc@google.com>
KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0
Finn Thain <fthain@linux-m68k.org>
powerpc: Add reloc_offset() to font bitmap pointer used for bootx_printf()
Ilya Dryomov <idryomov@gmail.com>
libceph: make decode_pool() more resilient against corrupted osdmaps
Helge Deller <deller@gmx.de>
parisc: Do not reprogram affinitiy on ASP chip
Zhichi Lin <zhichi.lin@vivo.com>
scs: fix a wrong parameter in __scs_magic
Tzung-Bi Shih <tzungbi@kernel.org>
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
Maxim Levitsky <mlevitsk@redhat.com>
KVM: x86: Don't clear async #PF queue when CR0.PG is disabled (e.g. on #SMI)
Prithvi Tambewagh <activprithvi@gmail.com>
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
Jeongjun Park <aha310510@gmail.com>
media: vidtv: initialize local pointers upon transfer of memory ownership
Sean Christopherson <seanjc@google.com>
KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
Alison Schofield <alison.schofield@intel.com>
tools/testing/nvdimm: Use per-DIMM device handle
Chao Yu <chao@kernel.org>
f2fs: fix return value of f2fs_recover_fsync_data()
Xiaole He <hexiaole1994@126.com>
f2fs: fix uninitialized one_time_gc in victim_sel_policy
Xiaole He <hexiaole1994@126.com>
f2fs: fix age extent cache insertion skip on counter overflow
Deepanshu Kartikey <kartikey406@gmail.com>
f2fs: invalidate dentry cache on failed whiteout creation
Chao Yu <chao@kernel.org>
f2fs: fix to avoid updating zero-sized extent in extent cache
Chao Yu <chao@kernel.org>
f2fs: fix to avoid potential deadlock
Jan Prusakowski <jprusakowski@google.com>
f2fs: ensure node page reads complete before f2fs_put_super() finishes
Seunghwan Baek <sh8267.baek@samsung.com>
scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error
Chandrakanth Patil <chandrakanth.patil@broadcom.com>
scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow
Andrey Vatoropin <a.vatoropin@crpt.ru>
scsi: target: Reset t_task_cdb pointer in error case
Dai Ngo <dai.ngo@oracle.com>
NFSD: use correct reservation type in nfsd4_scsi_fence_client
Junrui Luo <moonafterrain@outlook.com>
scsi: aic94xx: fix use-after-free in device removal path
Tony Battersby <tonyb@cybernetics.com>
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
Miaoqian Lin <linmq006@gmail.com>
cpufreq: nforce2: fix reference count leak in nforce2
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpuidle: governors: teo: Drop misguided target residency check
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
serial: sh-sci: Check that the DMA cookie is valid
Junxiao Chang <junxiao.chang@intel.com>
mei: gsc: add dependency on Xe driver
Ma Ke <make24@iscas.ac.cn>
intel_th: Fix error handling in intel_th_output_open
Tianchu Chen <flynnnchen@tencent.com>
char: applicom: fix NULL pointer dereference in ac_ioctl
Haoxiang Li <haoxiang_li2024@163.com>
usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
Udipto Goswami <udipto.goswami@oss.qualcomm.com>
usb: dwc3: keep susphy enabled during exit to avoid controller faults
Miaoqian Lin <linmq006@gmail.com>
usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
Johan Hovold <johan@kernel.org>
usb: gadget: lpc32xx_udc: fix clock imbalance in error path
Johan Hovold <johan@kernel.org>
usb: phy: isp1301: fix non-OF device reference imbalance
Duoming Zhou <duoming@zju.edu.cn>
usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
Ma Ke <make24@iscas.ac.cn>
USB: lpc32xx_udc: Fix error handling in probe
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe()
Johan Hovold <johan@kernel.org>
usb: ohci-nxp: fix device leak on probe failure
Johan Hovold <johan@kernel.org>
phy: broadcom: bcm63xx-usbh: fix section mismatches
Colin Ian King <colin.i.king@gmail.com>
media: pvrusb2: Fix incorrect variable used in trace message
Jeongjun Park <aha310510@gmail.com>
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
Chen Changcheng <chenchangcheng@kylinos.cn>
usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
Paolo Abeni <pabeni@redhat.com>
mptcp: avoid deadlock on fallback while reinjecting
Paolo Abeni <pabeni@redhat.com>
mptcp: schedule rtx timer only after pushing data
Matthieu Baerts (NGI0) <matttbe@kernel.org>
selftests: mptcp: pm: ensure unknown flags are ignored
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
media: v4l2-mem2mem: Fix outdated documentation
Byungchul Park <byungchul@sk.com>
jbd2: use a weaker annotation in journal handling
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key
Baokun Li <libaokun1@huawei.com>
ext4: align max orphan file size with e2fsprogs limit
Yongjian Sun <sunyongjian1@huawei.com>
ext4: fix incorrect group number assertion in mb_check_buddy
Haibo Chen <haibo.chen@nxp.com>
ext4: clear i_state_flags when alloc inode
Karina Yankevich <k.yankevich@omp.ru>
ext4: xattr: fix null pointer deref in ext4_raw_inode()
Fedor Pchelkin <pchelkin@ispras.ru>
ext4: fix string copying in parse_apply_sb_mount_options()
Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
tpm: Cap the number of PCR banks
Steven Rostedt <rostedt@goodmis.org>
ktest.pl: Fix uninitialized var in config-bisect.pl
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: fix mount failure for sparse runs in run_unpack()
Zheng Yejian <zhengyejian@huaweicloud.com>
kallsyms: Fix wrong "big" kernel symbol type read from procfs
Rene Rebe <rene@exactco.de>
floppy: fix for PAGE_SIZE != 4KB
Li Chen <chenl311@chinatelecom.cn>
block: rate-limit capacity change info log
Sven Eckelmann (Plasma Cloud) <se@simonwunderlich.de>
wifi: mt76: Fix DTS power-limits on little endian systems
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Fix gendisk parent after copy pair swap
Eric Biggers <ebiggers@kernel.org>
lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
Ma Ke <make24@iscas.ac.cn>
perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister()
Sarthak Garg <sarthak.garg@oss.qualcomm.com>
mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
Avadhut Naik <avadhut.naik@amd.com>
x86/mce: Do not clear bank's poll bit in mce_poll_banks on AMD SMCA systems
Prithvi Tambewagh <activprithvi@gmail.com>
io_uring: fix filename leak in __io_openat_prep()
Jarkko Sakkinen <jarkko@kernel.org>
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
Zilin Guan <zilin@seu.edu.cn>
cifs: Fix memory and information leak in smb3_reconfigure()
Stefano Garzarella <sgarzare@redhat.com>
vhost/vsock: improve RCU read sections around vhost_vsock_get()
Dan Carpenter <dan.carpenter@linaro.org>
block: rnbd-clt: Fix signedness bug in init_dev()
John Garry <john.g.garry@oracle.com>
scsi: scsi_debug: Fix atomic write enable module param description
Gregory CLEMENT <gregory.clement@bootlin.com>
MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks
Justin Tee <justintee8345@gmail.com>
nvme-fabrics: add ENOKEY to no retry criteria for authentication failures
Daniel Wagner <wagi@kernel.org>
nvme-fc: don't hold rport lock when putting ctrl
Jinhui Guo <guojinhui.liam@bytedance.com>
i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware
Jens Reidel <adrian@mainlining.org>
clk: qcom: dispcc-sm7150: Fix dispcc_mdss_pclk0_clk_src
Ian Rogers <irogers@google.com>
libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map
Wenhua Lin <Wenhua.Lin@unisoc.com>
serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
Chen Changcheng <chenchangcheng@kylinos.cn>
usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.
Hongyu Xie <xiehongyu1@kylinos.cn>
usb: xhci: limit run_graceperiod for only usb 3.0 devices
Pei Xiao <xiaopei01@kylinos.cn>
iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains
Mark Pearson <mpearson-lenovo@squebb.ca>
usb: typec: ucsi: Handle incorrect num_connectors capability
Lizhi Xu <lizhi.xu@windriver.com>
usbip: Fix locking bug in RT-enabled kernels
Yuezhang Mo <Yuezhang.Mo@sony.com>
exfat: zero out post-EOF page cache on file extension
Yuezhang Mo <Yuezhang.Mo@sony.com>
exfat: fix remount failure in different process environments
Encrow Thorne <jyc0019@gmail.com>
reset: fix BIT macro reference
Li Qiang <liqiang01@kylinos.cn>
via_wdt: fix critical boot hang due to unnamed resource allocation
Bernd Schubert <bschubert@ddn.com>
fuse: Invalidate the page cache after FOPEN_DIRECT_IO write
Bernd Schubert <bschubert@ddn.com>
fuse: Always flush the page cache before FOPEN_DIRECT_IO write
Tony Battersby <tonyb@cybernetics.com>
scsi: qla2xxx: Use reinit_completion on mbx_intr_comp
Tony Battersby <tonyb@cybernetics.com>
scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive
Tony Battersby <tonyb@cybernetics.com>
scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled
Ben Collins <bcollins@kernel.org>
powerpc/addnote: Fix overflow on 32-bit builds
Josua Mayer <josua@solid-run.com>
clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4
David Strahan <David.Strahan@microchip.com>
scsi: smartpqi: Add support for Hurray Data new controller PCI device
Matthias Schiffer <matthias.schiffer@tq-group.com>
ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx
Peng Fan <peng.fan@nxp.com>
firmware: imx: scu-irq: Init workqueue before request mbox channel
Peter Wang <peter.wang@mediatek.com>
scsi: ufs: host: mediatek: Fix shutdown/suspend race condition
Jinhui Guo <guojinhui.liam@bytedance.com>
ipmi: Fix __scan_channels() failing to rescan channels
Jinhui Guo <guojinhui.liam@bytedance.com>
ipmi: Fix the race between __scan_channels() and deliver_response()
Shardul Bankar <shardul.b@mpiricsoftware.com>
nfsd: fix memory leak in nfsd_create_serv error paths
Mike Snitzer <snitzer@kernel.org>
nfsd: rename nfsd_serv_ prefixed methods and variables with nfsd_net_
Mike Snitzer <snitzer@kernel.org>
nfsd: update percpu_ref to manage references on nfsd_net
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: ak4458: remove the reset operation in probe and remove
Shipei Qu <qu@darknavy.com>
ALSA: usb-mixer: us16x08: validate meter packet indices
Haotian Zhang <vulab@iscas.ac.cn>
ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path
Haotian Zhang <vulab@iscas.ac.cn>
ALSA: vxpocket: Fix resource leak in vxpocket_probe error path
Yongxin Liu <yongxin.liu@windriver.com>
x86/fpu: Fix FPU state core dump truncation on CPUs with no extended xfeatures
Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
Andrew Jeffery <andrew@codeconstruct.com.au>
dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml
Sai Krishna Potthuri <sai.krishna.potthuri@amd.com>
mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds
Jared Kangas <jkangas@redhat.com>
mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
Christophe Leroy <christophe.leroy@csgroup.eu>
spi: fsl-cpm: Check length parity before switching to 16 bit mode
Pengjie Zhang <zhangpengjie2@huawei.com>
ACPI: CPPC: Fix missing PCC check for guaranteed_perf
Pengjie Zhang <zhangpengjie2@huawei.com>
ACPI: PCC: Fix race condition by removing static qualifier
Kartik Rajput <kkartik@nvidia.com>
soc/tegra: fuse: Do not register SoC device on ACPI boot
Marc Kleine-Budde <mkl@pengutronix.de>
can: gs_usb: gs_can_open(): fix error handling
Christoph Hellwig <hch@lst.de>
xfs: don't leak a locked dquot when xfs_dquot_attach_buf fails
Christoffer Sandberg <cs@tuxedo.de>
Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
Duoming Zhou <duoming@zju.edu.cn>
Input: alps - fix use-after-free bugs caused by dev3_register_work
Minseong Kim <ii4gsp@gmail.com>
Input: lkkbd - disable pending work before freeing device
Junjie Cao <junjie.cao@intel.com>
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
Ping Cheng <pinglinux@gmail.com>
HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix buffer validation by including null terminator size in EA length
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: Fix refcount leak when invalid session is found on session lookup
Qianchang Zhao <pioooooooooip@gmail.com>
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
Nuno Sá <nuno.sa@analog.com>
hwmon: (ltc4282): Fix reset_history file permissions
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe/oa: Limit num_syncs to prevent oversized allocations
Shuicheng Lin <shuicheng.lin@intel.com>
drm/xe: Limit num_syncs to prevent oversized allocations
Thomas Fourier <fourier.thomas@gmail.com>
block: rnbd-clt: Fix leaked ID in init_dev()
Anurag Dutta <a-dutta@ti.com>
spi: cadence-quadspi: Fix clock disable on probe failure path
Jianpeng Chang <jianpeng.chang.cn@windriver.com>
arm64: kdump: Fix elfcorehdr overlap caused by reserved memory processing reorder
Juergen Gross <jgross@suse.com>
x86/xen: Fix sparse warning in enlighten_pv.c
Brian Gerst <brgerst@gmail.com>
x86/xen: Move Xen upcall handler
Marijn Suijten <marijn.suijten@somainline.org>
drm/panel: sony-td4353-jdi: Enable prepare_prev_first
Haoxiang Li <haoxiang_li2024@163.com>
MIPS: Fix a reference leak bug in ip22_check_gio()
Jan Maslak <jan.maslak@intel.com>
drm/xe: Restore engine registers before restarting schedulers after GT reset
Junxiao Chang <junxiao.chang@intel.com>
drm/me/gsc: mei interrupt top half should be in irq disabled context
Alexey Simakov <bigalex934@gmail.com>
hwmon: (tmp401) fix overflow caused by default conversion rate value
Junrui Luo <moonafterrain@outlook.com>
hwmon: (ibmpex) fix use-after-free in high/low store
Denis Sergeev <denserg.edu@gmail.com>
hwmon: (dell-smm) Limit fan multiplier to avoid overflow
Jian Shen <shenjian15@huawei.com>
net: hns3: add VLAN id validation before using
Jian Shen <shenjian15@huawei.com>
net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
Jian Shen <shenjian15@huawei.com>
net: hns3: using the num_tqps in the vf driver to apply for resources
Wei Fang <wei.fang@nxp.com>
net: enetc: do not transmit redirected XDP frames when the link is down
Scott Mayhew <smayhew@redhat.com>
net/handshake: duplicate handshake cancellations leak socket
Shay Drory <shayd@nvidia.com>
net/mlx5: Serialize firmware reset with devlink
Shay Drory <shayd@nvidia.com>
net/mlx5: fw_tracer, Handle escaped percent properly
Shay Drory <shayd@nvidia.com>
net/mlx5: fw_tracer, Validate format string parameters
Moshe Shemesh <moshe@nvidia.com>
net/mlx5: Drain firmware reset in shutdown callback
Moshe Shemesh <moshe@nvidia.com>
net/mlx5: fw reset, clear reset requested on drain_fw_reset
Gal Pressman <gal@nvidia.com>
ethtool: Avoid overflowing userspace buffer on stats query
Jason Gunthorpe <jgg@ziepe.ca>
iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
Jason Gunthorpe <jgg@ziepe.ca>
iommufd/selftest: Make it clearer to gcc that the access is not out of bounds
Nicolin Chen <nicolinc@nvidia.com>
iommufd/selftest: Update hw_info coverage for an input data_type
Yi Liu <yi.l.liu@intel.com>
iommufd/selftest: Add coverage for reporting max_pasid_log2 via IOMMU_HW_INFO
Florian Westphal <fw@strlen.de>
selftests: netfilter: packetdrill: avoid failure on HZ=100 kernel
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: remove redundant chain validation on register store
Florian Westphal <fw@strlen.de>
netfilter: nf_nat: remove bogus direction check
Dan Carpenter <dan.carpenter@linaro.org>
nfc: pn533: Fix error code in pn533_acr122_poweron_rdr()
Victor Nogueira <victor@mojatatu.com>
net/sched: ets: Remove drr class from the active list if it changes to strict
Junrui Luo <moonafterrain@outlook.com>
caif: fix integer underflow in cffrml_receive()
Slavin Liu <slavin452@gmail.com>
ipvs: fix ipv4 null-ptr-deref in route error path
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nf_conncount: fix leaked ct in error paths
Alexey Simakov <bigalex934@gmail.com>
broadcom: b44: prevent uninitialized value usage
Ilya Maximets <i.maximets@ovn.org>
net: openvswitch: fix middle attribute validation in push_nsh() action
Michael Chan <michael.chan@broadcom.com>
bnxt_en: Fix XDP_TX path
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum_router: Fix neighbour use-after-free
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum_router: Fix possible neighbour reference count leak
Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2()
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
Wang Liang <wangliang74@huawei.com>
netrom: Fix memory leak in nr_sendmsg()
Wei Fang <wei.fang@nxp.com>
net: fec: ERR007885 Workaround for XDP TX path
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: Fix use of bio_chain
Max Chou <max.chou@realtek.com>
Bluetooth: btusb: Add new VID/PID 0x0489/0xE12F for RTL8852BE-VT
Gongwei Li <ligongwei@kylinos.cn>
Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE
Chris Lu <chris.lu@mediatek.com>
Bluetooth: btusb: MT7920: Add VID/PID 0489/e135
Chris Lu <chris.lu@mediatek.com>
Bluetooth: btusb: MT7922: Add VID/PID 0489/e170
Chingbin Li <liqb365@163.com>
Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV
Qianchang Zhao <pioooooooooip@gmail.com>
ksmbd: vfs: fix race on m_flags in vfs_cache
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
ChenXiaoSong <chenxiaosong@kylinos.cn>
smb/server: fix return value of smb2_ioctl()
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: Fix "gfs2: Switch to wait_event in gfs2_quotad"
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: fix remote evict for read-only filesystems
Qu Wenruo <wqu@suse.com>
btrfs: scrub: always update btrfs_scrub_progress::last_physical
Hans de Goede <hansg@kernel.org>
wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet
Quan Zhou <quan.zhou@mediatek.com>
wifi: mt76: mt792x: fix wifi init fail by setting MCU_RUNNING after CLC load
Johannes Berg <johannes.berg@intel.com>
wifi: cfg80211: use cfg80211_leave() in iftype change
Johannes Berg <johannes.berg@intel.com>
wifi: cfg80211: stop radar detection in cfg80211_leave()
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: Fix HT40 channel config for RTL8192CU, RTL8723AU
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: check for shutdown in fsync
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix volume corruption issue for generic/073
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
hfsplus: Verify inode mode when loading from disk
Yang Chenzhi <yang.chenzhi@vivo.com>
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix volume corruption issue for generic/070
Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
ntfs: set dummy blocksize to read boot_block when mounting
Mikhail Malyshev <mike.malyshev@gmail.com>
kbuild: Use objtree for module signing key path
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: Support timestamps prior to epoch
Song Liu <song@kernel.org>
livepatch: Match old_sympos 0 and 1 in klp_find_func()
Aboorva Devarajan <aboorvad@linux.ibm.com>
cpuidle: menu: Use residency threshold in polling state override decisions
Shuhao Fu <sfual@cse.ust.hk>
cpufreq: s5pv210: fix refcount leak
Armin Wolf <W_Armin@gmx.de>
ACPI: fan: Workaround for 64-bit firmware bug
Hal Feng <hal.feng@starfivetech.com>
cpufreq: dt-platdev: Add JH7110S SOC to the allowlist
Sakari Ailus <sakari.ailus@linux.intel.com>
ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only
Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
ACPICA: Avoid walking the Namespace if start_node is NULL
Peter Zijlstra <peterz@infradead.org>
x86/ptrace: Always inline trivial accessors
Peter Zijlstra <peterz@infradead.org>
sched/fair: Revert max_newidle_lb_cost bump
Doug Berger <opendmb@gmail.com>
sched/deadline: only set free_cpus for online runqueues
George Kennedy <george.kennedy@oracle.com>
perf/x86/amd: Check event before enable to avoid GPF
Pankaj Raghav <p.raghav@samsung.com>
scripts/faddr2line: Fix "Argument list too long" error
Joanne Koong <joannelkoong@gmail.com>
iomap: account for unaligned end offsets when truncating read range
Joanne Koong <joannelkoong@gmail.com>
iomap: adjust read range correctly for non-block-aligned positions
Al Viro <viro@zeniv.linux.org.uk>
shmem: fix recovery on rename failures
Deepanshu Kartikey <kartikey406@gmail.com>
btrfs: fix memory leak of fs_devices in degraded seed device path
Ondrej Mosnacek <omosnace@redhat.com>
bpf, arm64: Do not audit capability check in do_jit()
Qu Wenruo <wqu@suse.com>
btrfs: fix a potential path leak in print_data_reloc_error()
Filipe Manana <fdmanana@suse.com>
btrfs: do not skip logging new dentries when logging a new name
-------------
Diffstat:
.../devicetree/bindings/mmc/aspeed,sdhci.yaml | 2 +-
.../devicetree/bindings/pci/qcom,pcie-sc7280.yaml | 5 +
.../bindings/pci/qcom,pcie-sc8280xp.yaml | 3 +
.../devicetree/bindings/pci/qcom,pcie-sm8150.yaml | 5 +
.../devicetree/bindings/pci/qcom,pcie-sm8250.yaml | 5 +
.../devicetree/bindings/pci/qcom,pcie-sm8350.yaml | 5 +
.../devicetree/bindings/pci/qcom,pcie-sm8450.yaml | 5 +
.../devicetree/bindings/pci/qcom,pcie-sm8550.yaml | 5 +
Documentation/driver-api/soundwire/stream.rst | 2 +-
Documentation/driver-api/tty/tty_port.rst | 5 +-
Documentation/filesystems/nfs/localio.rst | 81 +--
Makefile | 4 +-
arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +-
arch/arm/boot/dts/microchip/sama7g5.dtsi | 4 +-
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 12 +-
arch/arm64/include/asm/el2_setup.h | 57 +-
arch/arm64/kernel/head.S | 22 +-
arch/arm64/kvm/hyp/nvhe/hyp-init.S | 10 +-
arch/arm64/kvm/hyp/nvhe/psci-relay.c | 3 +
arch/arm64/net/bpf_jit_comp.c | 2 +-
arch/loongarch/include/asm/pgtable.h | 4 +-
arch/loongarch/kernel/mcount_dyn.S | 14 +-
arch/loongarch/kernel/relocate.c | 4 +-
arch/loongarch/kernel/setup.c | 8 +-
arch/loongarch/kernel/switch.S | 4 +-
arch/loongarch/net/bpf_jit.c | 18 +
arch/loongarch/net/bpf_jit.h | 26 +
arch/loongarch/pci/pci.c | 2 +
arch/mips/kernel/ftrace.c | 25 +-
arch/mips/sgi-ip22/ip22-gio.c | 3 +-
arch/parisc/kernel/asm-offsets.c | 2 +
arch/parisc/kernel/entry.S | 16 +-
arch/powerpc/boot/addnote.c | 7 +-
arch/powerpc/include/asm/book3s/32/tlbflush.h | 5 +-
arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1 -
arch/powerpc/kernel/btext.c | 3 +-
arch/powerpc/kernel/process.c | 5 -
arch/powerpc/kexec/core_64.c | 19 +
arch/powerpc/mm/book3s32/tlb.c | 9 +
arch/powerpc/mm/book3s64/internal.h | 2 -
arch/powerpc/mm/book3s64/mmu_context.c | 2 -
arch/powerpc/mm/book3s64/slb.c | 88 ---
arch/powerpc/platforms/pseries/cmm.c | 5 +-
arch/riscv/crypto/chacha-riscv64-zvkb.S | 5 +-
arch/s390/include/uapi/asm/ipl.h | 1 +
arch/s390/kernel/ipl.c | 48 +-
arch/x86/crypto/blake2s-core.S | 4 +-
arch/x86/entry/common.c | 72 --
arch/x86/events/amd/core.c | 7 +-
arch/x86/events/amd/uncore.c | 5 +-
arch/x86/include/asm/irq_remapping.h | 7 +
arch/x86/include/asm/ptrace.h | 20 +-
arch/x86/kernel/cpu/mce/threshold.c | 3 +-
arch/x86/kernel/cpu/microcode/amd.c | 106 ++-
arch/x86/kernel/fpu/xstate.c | 4 +-
arch/x86/kernel/irq.c | 23 +
arch/x86/kvm/lapic.c | 32 +-
arch/x86/kvm/svm/nested.c | 6 +-
arch/x86/kvm/svm/svm.c | 54 +-
arch/x86/kvm/svm/svm.h | 7 +-
arch/x86/kvm/vmx/nested.c | 3 +-
arch/x86/kvm/x86.c | 25 +-
arch/x86/xen/enlighten_pv.c | 69 ++
block/blk-mq.c | 2 +-
block/blk-zoned.c | 193 +++--
block/blk.h | 14 +
block/genhd.c | 2 +-
crypto/af_alg.c | 5 +-
crypto/algif_hash.c | 3 +-
crypto/algif_rng.c | 3 +-
crypto/seqiv.c | 8 +-
drivers/acpi/acpi_pcc.c | 2 +-
drivers/acpi/acpica/nswalk.c | 9 +-
drivers/acpi/cppc_acpi.c | 3 +-
drivers/acpi/fan.h | 33 +
drivers/acpi/fan_hwmon.c | 10 +-
drivers/acpi/property.c | 8 +-
drivers/amba/tegra-ahb.c | 1 +
drivers/base/power/runtime.c | 22 +-
drivers/block/floppy.c | 2 +-
drivers/block/rnbd/rnbd-clt.c | 13 +-
drivers/block/rnbd/rnbd-clt.h | 2 +-
drivers/bluetooth/btusb.c | 22 +-
drivers/bus/ti-sysc.c | 11 +-
drivers/char/applicom.c | 5 +-
drivers/char/ipmi/ipmi_msghandler.c | 20 +-
drivers/char/tpm/tpm-chip.c | 1 -
drivers/char/tpm/tpm1-cmd.c | 5 -
drivers/char/tpm/tpm2-cmd.c | 11 +-
drivers/char/tpm/tpm2-sessions.c | 85 ++-
drivers/clk/mvebu/cp110-system-controller.c | 20 +
drivers/clk/qcom/dispcc-sm7150.c | 2 +-
drivers/clk/samsung/clk-exynos-clkout.c | 2 +-
drivers/cpufreq/cpufreq-dt-platdev.c | 1 +
drivers/cpufreq/cpufreq-nforce2.c | 3 +
drivers/cpufreq/s5pv210-cpufreq.c | 6 +-
drivers/cpuidle/governors/menu.c | 9 +-
drivers/cpuidle/governors/teo.c | 7 +-
drivers/crypto/caam/caamrng.c | 4 +-
drivers/firewire/nosy.c | 10 +-
drivers/firmware/imx/imx-scu-irq.c | 4 +-
drivers/firmware/stratix10-svc.c | 11 +
drivers/gpio/Makefile | 1 +
drivers/gpio/gpio-regmap.c | 2 +-
.../gpio/{gpiolib-acpi.c => gpiolib-acpi-core.c} | 344 +--------
drivers/gpio/gpiolib-acpi-quirks.c | 412 +++++++++++
drivers/gpio/gpiolib-acpi.h | 15 +
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +
drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 27 +
drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 27 +
drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h | 62 +-
.../gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm | 37 +
drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 1 +
drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 4 +
.../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 59 +-
drivers/gpu/drm/amd/display/dc/core/dc_surface.c | 2 +-
.../amd/display/dc/resource/dcn35/dcn35_resource.c | 8 +-
.../display/dc/resource/dcn351/dcn351_resource.c | 8 +-
drivers/gpu/drm/drm_buddy.c | 390 ++++++----
drivers/gpu/drm/drm_displayid.c | 58 +-
drivers/gpu/drm/drm_displayid_internal.h | 2 +
drivers/gpu/drm/gma500/fbdev.c | 43 --
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 37 +-
drivers/gpu/drm/i915/intel_memory_region.h | 2 +-
drivers/gpu/drm/imagination/pvr_gem.c | 11 +
drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 33 +-
drivers/gpu/drm/mediatek/mtk_ddp_comp.h | 2 +-
drivers/gpu/drm/mediatek/mtk_dp.c | 1 +
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 +-
drivers/gpu/drm/mgag200/mgag200_mode.c | 25 +
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
.../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 10 +-
drivers/gpu/drm/nouveau/dispnv50/atom.h | 13 +
drivers/gpu/drm/nouveau/dispnv50/wndw.c | 2 +-
drivers/gpu/drm/panel/panel-sony-td4353-jdi.c | 2 +
drivers/gpu/drm/panthor/panthor_gem.c | 18 +
drivers/gpu/drm/ttm/ttm_bo_vm.c | 6 +
drivers/gpu/drm/xe/xe_bo.c | 15 +-
drivers/gpu/drm/xe/xe_dma_buf.c | 2 +-
drivers/gpu/drm/xe/xe_exec.c | 3 +-
drivers/gpu/drm/xe/xe_gt.c | 7 +-
drivers/gpu/drm/xe/xe_guc_submit.c | 20 +-
drivers/gpu/drm/xe/xe_heci_gsc.c | 4 +-
drivers/gpu/drm/xe/xe_oa.c | 13 +-
drivers/gpu/drm/xe/xe_vm.c | 8 +-
drivers/gpu/drm/xe/xe_vm_types.h | 2 +-
drivers/hid/hid-input.c | 18 +-
drivers/hid/hid-logitech-dj.c | 56 +-
drivers/hwmon/dell-smm-hwmon.c | 9 +
drivers/hwmon/ibmpex.c | 9 +-
drivers/hwmon/ltc4282.c | 9 +-
drivers/hwmon/max16065.c | 7 +-
drivers/hwmon/max6697.c | 2 +-
drivers/hwmon/tmp401.c | 2 +-
drivers/hwmon/w83791d.c | 19 +-
drivers/hwmon/w83l786ng.c | 26 +-
drivers/hwtracing/intel_th/core.c | 20 +-
drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 +-
drivers/i2c/busses/i2c-designware-core.h | 1 +
drivers/i2c/busses/i2c-designware-master.c | 7 +
drivers/iio/adc/ti_am335x_adc.c | 2 +-
drivers/infiniband/core/addr.c | 33 +-
drivers/infiniband/core/cma.c | 3 +
drivers/infiniband/core/device.c | 4 +-
drivers/infiniband/core/verbs.c | 2 +-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +-
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
drivers/infiniband/hw/bnxt_re/qplib_res.c | 8 +-
drivers/infiniband/hw/efa/efa_verbs.c | 4 -
drivers/infiniband/hw/irdma/utils.c | 3 +-
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
drivers/input/keyboard/lkkbd.c | 5 +-
drivers/input/mouse/alps.c | 1 +
drivers/input/serio/i8042-acpipnpio.h | 7 +
drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
drivers/interconnect/qcom/sdx75.c | 26 -
drivers/interconnect/qcom/sdx75.h | 2 -
drivers/iommu/amd/init.c | 15 +-
drivers/iommu/amd/iommu.c | 2 +-
drivers/iommu/apple-dart.c | 2 +
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 +-
drivers/iommu/exynos-iommu.c | 9 +-
drivers/iommu/intel/irq_remapping.c | 8 +-
drivers/iommu/iommu-sva.c | 3 +
drivers/iommu/iommufd/selftest.c | 8 +-
drivers/iommu/ipmmu-vmsa.c | 2 +
drivers/iommu/mtk_iommu.c | 27 +-
drivers/iommu/mtk_iommu_v1.c | 25 +-
drivers/iommu/omap-iommu.c | 2 +-
drivers/iommu/omap-iommu.h | 2 -
drivers/iommu/sun50i-iommu.c | 2 +
drivers/iommu/tegra-smmu.c | 5 +-
drivers/isdn/capi/capi.c | 8 +-
drivers/leds/leds-cros_ec.c | 5 +-
drivers/leds/leds-lp50xx.c | 67 +-
drivers/md/dm-bufio.c | 10 +-
drivers/md/dm-ebs-target.c | 2 +-
drivers/md/md.c | 5 +-
drivers/md/raid10.c | 3 +-
drivers/md/raid5.c | 10 +-
drivers/media/cec/core/cec-core.c | 1 +
.../media/common/videobuf2/videobuf2-dma-contig.c | 1 +
drivers/media/i2c/adv7604.c | 4 +-
drivers/media/i2c/adv7842.c | 11 +-
drivers/media/i2c/imx219.c | 9 +-
drivers/media/i2c/msp3400-kthreads.c | 2 +
drivers/media/i2c/tda1997x.c | 1 -
drivers/media/platform/amphion/vpu_malone.c | 35 +-
drivers/media/platform/amphion/vpu_v4l2.c | 28 +-
drivers/media/platform/amphion/vpu_v4l2.h | 18 -
.../media/platform/mediatek/mdp3/mtk-mdp3-core.c | 14 +
.../mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 14 +-
.../mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c | 12 +-
.../mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h | 2 +-
.../platform/mediatek/vcodec/decoder/vdec_vpu_if.c | 5 +-
.../mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c | 12 +-
.../mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h | 2 +-
.../platform/mediatek/vcodec/encoder/venc_vpu_if.c | 5 +-
drivers/media/platform/renesas/rcar_drif.c | 1 +
.../media/platform/samsung/exynos4-is/media-dev.c | 10 +-
drivers/media/platform/ti/davinci/vpif_capture.c | 4 +-
drivers/media/platform/ti/davinci/vpif_display.c | 4 +-
drivers/media/platform/verisilicon/hantro_g2.c | 84 ++-
.../platform/verisilicon/hantro_g2_hevc_dec.c | 17 +-
.../media/platform/verisilicon/hantro_g2_regs.h | 13 +
.../media/platform/verisilicon/hantro_g2_vp9_dec.c | 2 -
drivers/media/platform/verisilicon/hantro_hw.h | 1 +
drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2 +
drivers/media/rc/st_rc.c | 2 +-
drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +
drivers/media/usb/dvb-usb/dtv5100.c | 5 +
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
drivers/mfd/altera-sysmgr.c | 2 +
drivers/mfd/max77620.c | 15 +-
drivers/misc/mei/Kconfig | 2 +-
drivers/misc/vmw_balloon.c | 3 +-
drivers/mmc/host/Kconfig | 4 +-
drivers/mmc/host/sdhci-msm.c | 27 +-
drivers/mmc/host/sdhci-of-arasan.c | 2 +-
drivers/mtd/mtdpart.c | 7 +-
drivers/mtd/spi-nor/winbond.c | 24 +
drivers/net/can/usb/gs_usb.c | 2 +-
drivers/net/dsa/b53/b53_common.c | 3 +
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 +
drivers/net/ethernet/broadcom/b44.c | 3 +
drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 3 +-
drivers/net/ethernet/cadence/macb_main.c | 3 +-
drivers/net/ethernet/freescale/enetc/enetc.c | 3 +-
drivers/net/ethernet/freescale/fec_main.c | 7 +-
drivers/net/ethernet/google/gve/gve_main.c | 2 +-
drivers/net/ethernet/google/gve/gve_utils.c | 2 +
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +
.../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 4 +-
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 +-
drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +-
drivers/net/ethernet/intel/i40e/i40e.h | 11 +
drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 -
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 4 +-
drivers/net/ethernet/intel/idpf/idpf_dev.c | 3 +
drivers/net/ethernet/intel/idpf/idpf_lib.c | 2 +-
.../net/ethernet/intel/idpf/idpf_singleq_txrx.c | 61 +-
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 782 ++++++++-------------
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 95 ++-
drivers/net/ethernet/intel/idpf/idpf_vf_dev.c | 3 +
.../ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 +
drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 5 +
.../ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 97 ++-
.../ethernet/mellanox/mlx5/core/diag/fw_tracer.h | 1 +
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 6 +
drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 48 +-
drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h | 1 +
drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 +
drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 2 +
.../net/ethernet/mellanox/mlxsw/spectrum_router.c | 27 +-
drivers/net/ethernet/realtek/r8169_main.c | 5 +-
drivers/net/ethernet/smsc/smc91x.c | 10 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 17 +-
drivers/net/fjes/fjes_hw.c | 12 +-
drivers/net/ipvlan/ipvlan_core.c | 3 +
drivers/net/mdio/mdio-aspeed.c | 7 +
drivers/net/phy/marvell-88q2xxx.c | 2 +-
drivers/net/team/team_core.c | 2 +-
drivers/net/usb/asix_common.c | 5 +
drivers/net/usb/rtl8150.c | 2 +
drivers/net/usb/sr9700.c | 4 +-
drivers/net/usb/usbnet.c | 2 +
.../net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 14 +
drivers/net/wireless/mediatek/mt76/eeprom.c | 37 +-
drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7615/pci.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7615/sdio.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7615/usb.c | 4 +-
.../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 +-
.../net/wireless/mediatek/mt76/mt76_connac_mcu.h | 3 +-
drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7925/init.c | 24 +-
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 51 +-
drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 21 +
drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 33 +-
drivers/net/wireless/mediatek/mt76/mt7925/usb.c | 20 +-
drivers/net/wireless/mediatek/mt76/mt792x.h | 2 +
drivers/net/wireless/realtek/rtl8xxxu/core.c | 7 +-
.../net/wireless/realtek/rtlwifi/rtl8192cu/trx.c | 3 +-
drivers/net/wireless/realtek/rtw88/sdio.c | 4 +-
drivers/nfc/pn533/usb.c | 2 +-
drivers/nvme/host/fabrics.c | 2 +-
drivers/nvme/host/fc.c | 6 +-
drivers/of/fdt.c | 2 +-
drivers/parisc/gsc.c | 4 +-
drivers/pci/controller/pcie-brcmstb.c | 107 +--
drivers/pci/pci-driver.c | 4 +
drivers/perf/arm_cspmu/arm_cspmu.c | 4 +-
drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +-
drivers/pinctrl/renesas/pinctrl-rzg2l.c | 75 +-
drivers/platform/chrome/cros_ec_ishtp.c | 1 +
drivers/platform/mellanox/mlxbf-pmc.c | 14 +-
.../platform/x86/hp/hp-bioscfg/enum-attributes.c | 4 +-
.../platform/x86/hp/hp-bioscfg/int-attributes.c | 2 +-
.../x86/hp/hp-bioscfg/order-list-attributes.c | 5 +
.../x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +
.../platform/x86/hp/hp-bioscfg/string-attributes.c | 2 +-
drivers/platform/x86/ibm_rtl.c | 2 +-
drivers/platform/x86/intel/chtwc_int33fe.c | 29 +-
drivers/platform/x86/intel/hid.c | 12 +
drivers/platform/x86/msi-laptop.c | 3 +
drivers/pmdomain/imx/gpc.c | 5 +-
drivers/rpmsg/qcom_glink_native.c | 8 +
drivers/s390/block/dasd_eckd.c | 8 +
drivers/scsi/aic94xx/aic94xx_init.c | 3 +
drivers/scsi/mpi3mr/mpi/mpi30_ioc.h | 1 +
drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 +
drivers/scsi/qla2xxx/qla_def.h | 1 -
drivers/scsi/qla2xxx/qla_gbl.h | 2 +-
drivers/scsi/qla2xxx/qla_isr.c | 32 +-
drivers/scsi/qla2xxx/qla_mbx.c | 2 +
drivers/scsi/qla2xxx/qla_mid.c | 4 +-
drivers/scsi/qla2xxx/qla_os.c | 14 +-
drivers/scsi/scsi_debug.c | 2 +-
drivers/scsi/smartpqi/smartpqi_init.c | 4 +
drivers/soc/amlogic/meson-canvas.c | 5 +-
drivers/soc/apple/mailbox.c | 15 +-
drivers/soc/qcom/ocmem.c | 2 +-
drivers/soc/qcom/qcom-pbs.c | 2 +
drivers/soc/samsung/exynos-pmu.c | 2 +
drivers/soc/tegra/fuse/fuse-tegra.c | 2 -
drivers/soundwire/stream.c | 6 +-
drivers/spi/spi-cadence-quadspi.c | 4 +-
drivers/spi/spi-fsl-spi.c | 2 +-
drivers/staging/greybus/uart.c | 7 +-
drivers/target/target_core_transport.c | 1 +
drivers/tty/serial/serial_base_bus.c | 8 +-
drivers/tty/serial/serial_core.c | 7 +-
drivers/tty/serial/sh-sci.c | 2 +-
drivers/tty/serial/sprd_serial.c | 6 +
drivers/tty/serial/xilinx_uartps.c | 16 +-
drivers/tty/tty_port.c | 17 +-
drivers/ufs/core/ufshcd.c | 5 +-
drivers/ufs/host/ufs-mediatek.c | 5 +
drivers/usb/class/cdc-acm.c | 7 +-
drivers/usb/dwc3/dwc3-of-simple.c | 7 +-
drivers/usb/dwc3/gadget.c | 2 +-
drivers/usb/dwc3/host.c | 2 +-
drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +-
drivers/usb/host/ohci-nxp.c | 2 +
drivers/usb/host/xhci-dbgtty.c | 2 +-
drivers/usb/host/xhci-hub.c | 2 +-
drivers/usb/phy/phy-fsl-usb.c | 1 +
drivers/usb/phy/phy-isp1301.c | 7 +-
drivers/usb/renesas_usbhs/pipe.c | 2 +
drivers/usb/serial/usb-serial.c | 7 +-
drivers/usb/storage/unusual_uas.h | 2 +-
drivers/usb/typec/altmodes/displayport.c | 8 +-
drivers/usb/typec/ucsi/ucsi.c | 6 +
drivers/usb/usbip/vhci_hcd.c | 6 +-
drivers/vdpa/octeon_ep/octep_vdpa_main.c | 1 +
drivers/vfio/pci/nvgrace-gpu/main.c | 4 +-
drivers/vfio/pci/pds/dirty.c | 7 +-
drivers/vfio/pci/vfio_pci_rdwr.c | 24 +-
drivers/vhost/vsock.c | 15 +-
drivers/video/fbdev/gbefb.c | 5 +-
drivers/video/fbdev/pxafb.c | 12 +-
drivers/video/fbdev/tcx.c | 2 +-
drivers/virtio/virtio_balloon.c | 4 +-
drivers/watchdog/via_wdt.c | 1 +
fs/btrfs/inode.c | 1 +
fs/btrfs/ioctl.c | 4 +-
fs/btrfs/scrub.c | 5 +
fs/btrfs/tree-log.c | 46 +-
fs/btrfs/volumes.c | 1 +
fs/erofs/zdata.c | 8 +-
fs/exfat/file.c | 5 +
fs/exfat/super.c | 19 +-
fs/ext4/ialloc.c | 1 -
fs/ext4/inode.c | 1 -
fs/ext4/mballoc.c | 2 +
fs/ext4/orphan.c | 4 +-
fs/ext4/super.c | 6 +-
fs/ext4/xattr.c | 6 +-
fs/f2fs/compress.c | 5 +-
fs/f2fs/data.c | 17 +
fs/f2fs/extent_cache.c | 5 +-
fs/f2fs/f2fs.h | 17 +-
fs/f2fs/file.c | 20 +-
fs/f2fs/gc.c | 2 +-
fs/f2fs/inode.c | 2 +-
fs/f2fs/namei.c | 6 +-
fs/f2fs/recovery.c | 20 +-
fs/f2fs/segment.c | 9 +-
fs/f2fs/super.c | 160 ++---
fs/f2fs/xattr.c | 30 +-
fs/f2fs/xattr.h | 10 +-
fs/fuse/file.c | 37 +-
fs/gfs2/glops.c | 3 +-
fs/gfs2/lops.c | 2 +-
fs/gfs2/quota.c | 2 +-
fs/gfs2/super.c | 4 +-
fs/hfsplus/bnode.c | 4 +-
fs/hfsplus/dir.c | 7 +-
fs/hfsplus/inode.c | 32 +-
fs/iomap/buffered-io.c | 41 +-
fs/iomap/direct-io.c | 10 +-
fs/jbd2/journal.c | 20 +-
fs/jbd2/transaction.c | 2 +-
fs/libfs.c | 50 +-
fs/lockd/svc4proc.c | 4 +-
fs/lockd/svclock.c | 21 +-
fs/lockd/svcproc.c | 5 +-
fs/locks.c | 12 +-
fs/nfs_common/nfslocalio.c | 10 +-
fs/nfsd/blocklayout.c | 3 +-
fs/nfsd/export.c | 2 +-
fs/nfsd/filecache.c | 2 +-
fs/nfsd/localio.c | 4 +-
fs/nfsd/netns.h | 11 +-
fs/nfsd/nfs4state.c | 4 +-
fs/nfsd/nfs4xdr.c | 5 +
fs/nfsd/nfssvc.c | 45 +-
fs/nfsd/vfs.h | 3 +-
fs/notify/fsnotify.c | 9 +-
fs/ntfs3/file.c | 14 +-
fs/ntfs3/frecord.c | 35 +-
fs/ntfs3/ntfs_fs.h | 9 +-
fs/ntfs3/run.c | 6 +-
fs/ntfs3/super.c | 5 +
fs/ocfs2/suballoc.c | 10 +
fs/smb/client/fs_context.c | 2 +
fs/smb/server/mgmt/tree_connect.c | 18 +-
fs/smb/server/mgmt/tree_connect.h | 1 -
fs/smb/server/mgmt/user_session.c | 4 +-
fs/smb/server/smb2pdu.c | 20 +-
fs/smb/server/vfs.c | 5 +-
fs/smb/server/vfs_cache.c | 88 ++-
fs/xfs/scrub/attr_repair.c | 2 +-
fs/xfs/xfs_attr_item.c | 2 +-
fs/xfs/xfs_buf_item.c | 1 +
fs/xfs/xfs_qm.c | 5 +-
include/drm/drm_buddy.h | 11 +-
include/drm/drm_edid.h | 6 +
include/linux/balloon_compaction.h | 43 +-
include/linux/compiler_types.h | 13 +
include/linux/fs.h | 2 +-
include/linux/genalloc.h | 1 +
include/linux/hrtimer.h | 23 +
include/linux/jbd2.h | 6 +
include/linux/kasan.h | 16 +
include/linux/nfslocalio.h | 12 +-
include/linux/reset.h | 1 +
include/linux/soundwire/sdw.h | 2 +-
include/linux/tpm.h | 8 +-
include/linux/tty_port.h | 21 +-
include/linux/vfio_pci_core.h | 10 +-
include/media/v4l2-mem2mem.h | 3 +-
include/net/ip.h | 6 +-
include/net/ip6_route.h | 4 +-
include/net/route.h | 2 +-
include/uapi/drm/xe_drm.h | 1 +
include/uapi/linux/mptcp.h | 1 +
io_uring/io_uring.c | 3 +
io_uring/openclose.c | 2 +-
io_uring/poll.c | 9 +-
kernel/kallsyms.c | 5 +-
kernel/livepatch/core.c | 8 +-
kernel/sched/cpudeadline.c | 34 +-
kernel/sched/cpudeadline.h | 4 +-
kernel/sched/deadline.c | 8 +-
kernel/sched/debug.c | 8 +-
kernel/sched/ext.c | 58 +-
kernel/sched/fair.c | 103 +--
kernel/sched/rt.c | 52 +-
kernel/sched/sched.h | 4 +-
kernel/scs.c | 2 +-
kernel/trace/fgraph.c | 10 +-
kernel/trace/trace_events.c | 2 +
kernel/trace/trace_events_synth.c | 1 -
lib/idr.c | 2 +
mm/balloon_compaction.c | 9 +-
mm/damon/tests/core-kunit.h | 99 ++-
mm/damon/tests/sysfs-kunit.h | 25 +
mm/damon/tests/vaddr-kunit.h | 26 +-
mm/kasan/common.c | 32 +
mm/kasan/hw_tags.c | 2 +-
mm/kasan/shadow.c | 4 +-
mm/ksm.c | 18 +-
mm/page_owner.c | 2 +-
mm/shmem.c | 24 +-
mm/vmalloc.c | 8 +-
net/bluetooth/rfcomm/tty.c | 7 +-
net/bridge/br_private.h | 1 +
net/caif/cffrml.c | 9 +-
net/ceph/osdmap.c | 116 ++-
net/core/sock.c | 16 +-
net/dsa/dsa.c | 8 +-
net/ethtool/ioctl.c | 30 +-
net/handshake/request.c | 8 +-
net/hsr/hsr_device.c | 7 +-
net/hsr/hsr_forward.c | 2 +
net/ipv4/fib_trie.c | 7 +-
net/ipv6/calipso.c | 3 +-
net/ipv6/exthdrs.c | 2 +-
net/ipv6/icmp.c | 4 +-
net/ipv6/ila/ila_lwt.c | 2 +-
net/ipv6/ioam6_iptunnel.c | 37 +-
net/ipv6/ip6_gre.c | 17 +-
net/ipv6/ip6_output.c | 19 +-
net/ipv6/ip6_tunnel.c | 4 +-
net/ipv6/ip6_udp_tunnel.c | 2 +-
net/ipv6/ip6_vti.c | 2 +-
net/ipv6/ndisc.c | 6 +-
net/ipv6/netfilter/nf_dup_ipv6.c | 2 +-
net/ipv6/output_core.c | 2 +-
net/ipv6/route.c | 33 +-
net/ipv6/rpl_iptunnel.c | 4 +-
net/ipv6/seg6_iptunnel.c | 20 +-
net/ipv6/seg6_local.c | 2 +-
net/mac80211/cfg.c | 10 -
net/mptcp/pm_netlink.c | 3 +-
net/mptcp/protocol.c | 22 +-
net/netfilter/ipvs/ip_vs_xmit.c | 3 +
net/netfilter/nf_conncount.c | 25 +-
net/netfilter/nf_nat_core.c | 14 +-
net/netfilter/nf_tables_api.c | 11 -
net/netfilter/nft_ct.c | 5 +
net/netrom/nr_out.c | 4 +-
net/nfc/core.c | 9 +-
net/openvswitch/flow_netlink.c | 13 +-
net/openvswitch/vport-netdev.c | 17 +-
net/rose/af_rose.c | 2 +-
net/sched/sch_ets.c | 6 +-
net/sunrpc/auth_gss/svcauth_gss.c | 3 +-
net/sunrpc/xprtrdma/svc_rdma_rw.c | 7 +-
net/wireless/core.c | 1 +
net/wireless/core.h | 1 +
net/wireless/mlme.c | 19 +
net/wireless/sme.c | 2 +-
net/wireless/util.c | 23 +-
samples/ftrace/ftrace-direct-modify.c | 8 +-
samples/ftrace/ftrace-direct-multi-modify.c | 8 +-
samples/ftrace/ftrace-direct-multi.c | 4 +-
samples/ftrace/ftrace-direct-too.c | 4 +-
samples/ftrace/ftrace-direct.c | 4 +-
scripts/Makefile.build | 26 +-
scripts/Makefile.modinst | 2 +-
scripts/faddr2line | 13 +-
security/keys/trusted-keys/trusted_tpm2.c | 6 +-
sound/isa/wavefront/wavefront_midi.c | 131 ++--
sound/isa/wavefront/wavefront_synth.c | 18 +-
sound/pci/hda/cs35l41_hda.c | 2 +
sound/pcmcia/pdaudiocf/pdaudiocf.c | 8 +-
sound/pcmcia/vx/vxpocket.c | 8 +-
sound/soc/codecs/ak4458.c | 4 -
sound/soc/codecs/lpass-tx-macro.c | 3 +-
sound/soc/codecs/wcd939x-sdw.c | 8 +-
sound/soc/qcom/qdsp6/q6adm.c | 146 ++--
sound/soc/qcom/qdsp6/q6apm-dai.c | 2 +
sound/soc/qcom/qdsp6/q6asm-dai.c | 7 +-
sound/soc/qcom/sc7280.c | 2 +-
sound/soc/qcom/sc8280xp.c | 2 +-
sound/soc/qcom/sdw.c | 107 +--
sound/soc/qcom/sdw.h | 1 +
sound/soc/qcom/sm8250.c | 2 +-
sound/soc/qcom/x1e80100.c | 2 +-
sound/soc/sh/rz-ssi.c | 64 +-
sound/soc/stm/stm32_sai.c | 14 +-
sound/soc/stm/stm32_sai_sub.c | 51 +-
sound/usb/mixer_us16x08.c | 20 +-
tools/lib/perf/cpumap.c | 10 +-
tools/mm/page_owner_sort.c | 6 +-
tools/testing/ktest/config-bisect.pl | 4 +-
tools/testing/nvdimm/test/nfit.c | 7 +-
tools/testing/radix-tree/idr-test.c | 21 +
.../test.d/ftrace/func_traceonoff_triggers.tc | 5 +-
tools/testing/selftests/iommu/iommufd.c | 54 +-
tools/testing/selftests/iommu/iommufd_fail_nth.c | 3 +-
tools/testing/selftests/iommu/iommufd_utils.h | 36 +-
tools/testing/selftests/net/mptcp/pm_netlink.sh | 4 +
tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 11 +
.../net/netfilter/conntrack_reverse_clash.c | 13 +-
.../net/netfilter/conntrack_reverse_clash.sh | 2 +
.../packetdrill/conntrack_syn_challenge_ack.pkt | 2 +-
tools/testing/selftests/net/tap.c | 16 +-
virt/kvm/kvm_main.c | 2 +-
607 files changed, 5906 insertions(+), 3784 deletions(-)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 001/567] btrfs: do not skip logging new dentries when logging a new name
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 002/567] btrfs: fix a potential path leak in print_data_reloc_error() Greg Kroah-Hartman
` (579 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vyacheslav Kovalevsky, Boris Burkov,
Filipe Manana, David Sterba, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 5630f7557de61264ccb4f031d4734a1a97eaed16 ]
When we are logging a directory and the log context indicates that we
are logging a new name for some other file (that is or was inside that
directory), we skip logging the inodes for new dentries in the directory.
This is ok most of the time, but if after the rename or link operation
that triggered the logging of that directory, we have an explicit fsync
of that directory without the directory inode being evicted and reloaded,
we end up never logging the inodes for the new dentries that we found
during the new name logging, as the next directory fsync will only process
dentries that were added after the last time we logged the directory (we
are doing an incremental directory logging).
So make sure we always log new dentries for a directory even if we are
in a context of logging a new name.
We started skipping logging inodes for new dentries as of commit
c48792c6ee7a ("btrfs: do not log new dentries when logging that a new name
exists") and it was fine back then, because when logging a directory we
always iterated over all the directory entries (for leaves changed in the
current transaction) so a subsequent fsync would always log anything that
was previously skipped while logging a directory when logging a new name
(with btrfs_log_new_name()). But later support for incrementally logging
a directory was added in commit dc2872247ec0 ("btrfs: keep track of the
last logged keys when logging a directory"), to avoid checking all dir
items every time we log a directory, so the check to skip dentry logging
added in the first commit should have been removed when the incremental
support for logging a directory was added.
A test case for fstests will follow soon.
Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/84c4e713-85d6-42b9-8dcf-0722ed26cb05@gmail.com/
Fixes: dc2872247ec0 ("btrfs: keep track of the last logged keys when logging a directory")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/tree-log.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 609f221d4c309..25ab8f3af56c8 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -5556,14 +5556,6 @@ static int log_new_dir_dentries(struct btrfs_trans_handle *trans,
struct btrfs_inode *curr_inode = start_inode;
int ret = 0;
- /*
- * If we are logging a new name, as part of a link or rename operation,
- * don't bother logging new dentries, as we just want to log the names
- * of an inode and that any new parents exist.
- */
- if (ctx->logging_new_name)
- return 0;
-
path = btrfs_alloc_path();
if (!path)
return -ENOMEM;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 002/567] btrfs: fix a potential path leak in print_data_reloc_error()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 001/567] btrfs: do not skip logging new dentries when logging a new name Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 003/567] bpf, arm64: Do not audit capability check in do_jit() Greg Kroah-Hartman
` (578 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, David Sterba, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 313ef70a9f0f637a09d9ef45222f5bdcf30a354b ]
Inside print_data_reloc_error(), if extent_from_logical() failed we
return immediately.
However there are the following cases where extent_from_logical() can
return error but still holds a path:
- btrfs_search_slot() returned 0
- No backref item found in extent tree
- No flags_ret provided
This is not possible in this call site though.
So for the above two cases, we can return without releasing the path,
causing extent buffer leaks.
Fixes: b9a9a85059cd ("btrfs: output affected files when relocation fails")
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 01a1b979b717f..ce13b0ec978ed 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -253,6 +253,7 @@ static void print_data_reloc_error(const struct btrfs_inode *inode, u64 file_off
if (ret < 0) {
btrfs_err_rl(fs_info, "failed to lookup extent item for logical %llu: %d",
logical, ret);
+ btrfs_release_path(&path);
return;
}
eb = path.nodes[0];
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 003/567] bpf, arm64: Do not audit capability check in do_jit()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 001/567] btrfs: do not skip logging new dentries when logging a new name Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 002/567] btrfs: fix a potential path leak in print_data_reloc_error() Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 004/567] btrfs: fix memory leak of fs_devices in degraded seed device path Greg Kroah-Hartman
` (577 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ondrej Mosnacek, Alexei Starovoitov,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
[ Upstream commit 189e5deb944a6f9c7992355d60bffd8ec2e54a9c ]
Analogically to the x86 commit 881a9c9cb785 ("bpf: Do not audit
capability check in do_jit()"), change the capable() call to
ns_capable_noaudit() in order to avoid spurious SELinux denials in audit
log.
The commit log from that commit applies here as well:
"""
The failure of this check only results in a security mitigation being
applied, slightly affecting performance of the compiled BPF program. It
doesn't result in a failed syscall, an thus auditing a failed LSM
permission check for it is unwanted. For example with SELinux, it causes
a denial to be reported for confined processes running as root, which
tends to be flagged as a problem to be fixed in the policy. Yet
dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
desirable, as it would allow/silence also other checks - either going
against the principle of least privilege or making debugging potentially
harder.
Fix it by changing it from capable() to ns_capable_noaudit(), which
instructs the LSMs to not audit the resulting denials.
"""
Fixes: f300769ead03 ("arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Link: https://lore.kernel.org/r/20251204125916.441021-1-omosnace@redhat.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/net/bpf_jit_comp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index ca6d002a6f137..82b57436f2f10 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -871,7 +871,7 @@ static void __maybe_unused build_bhb_mitigation(struct jit_ctx *ctx)
arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE)
return;
- if (capable(CAP_SYS_ADMIN))
+ if (ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN))
return;
if (supports_clearbhb(SCOPE_SYSTEM)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 004/567] btrfs: fix memory leak of fs_devices in degraded seed device path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 003/567] bpf, arm64: Do not audit capability check in do_jit() Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 005/567] shmem: fix recovery on rename failures Greg Kroah-Hartman
` (576 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+eadd98df8bceb15d7fed,
Qu Wenruo, Deepanshu Kartikey, David Sterba, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit b57f2ddd28737db6ff0e9da8467f0ab9d707e997 ]
In open_seed_devices(), when find_fsid() fails and we're in DEGRADED
mode, a new fs_devices is allocated via alloc_fs_devices() but is never
added to the seed_list before returning. This contrasts with the normal
path where fs_devices is properly added via list_add().
If any error occurs later in read_one_dev() or btrfs_read_chunk_tree(),
the cleanup code iterates seed_list to free seed devices, but this
orphaned fs_devices is never found and never freed, causing a memory
leak. Any devices allocated via add_missing_dev() and attached to this
fs_devices are also leaked.
Fix this by adding the newly allocated fs_devices to seed_list in the
degraded path, consistent with the normal path.
Fixes: 5f37583569442 ("Btrfs: move the missing device to its own fs device list")
Reported-by: syzbot+eadd98df8bceb15d7fed@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
Tested-by: syzbot+eadd98df8bceb15d7fed@syzkaller.appspotmail.com
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/volumes.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index ce991a8390466..9c6e96f630132 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -7071,6 +7071,7 @@ static struct btrfs_fs_devices *open_seed_devices(struct btrfs_fs_info *fs_info,
fs_devices->seeding = true;
fs_devices->opened = 1;
+ list_add(&fs_devices->seed_list, &fs_info->fs_devices->seed_list);
return fs_devices;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 005/567] shmem: fix recovery on rename failures
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 004/567] btrfs: fix memory leak of fs_devices in degraded seed device path Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 006/567] iomap: adjust read range correctly for non-block-aligned positions Greg Kroah-Hartman
` (575 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Chuck Lever,
Al Viro, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit e1b4c6a58304fd490124cc2b454d80edc786665c ]
maple_tree insertions can fail if we are seriously short on memory;
simple_offset_rename() does not recover well if it runs into that.
The same goes for simple_offset_rename_exchange().
Moreover, shmem_whiteout() expects that if it succeeds, the caller will
progress to d_move(), i.e. that shmem_rename2() won't fail past the
successful call of shmem_whiteout().
Not hard to fix, fortunately - mtree_store() can't fail if the index we
are trying to store into is already present in the tree as a singleton.
For simple_offset_rename_exchange() that's enough - we just need to be
careful about the order of operations.
For simple_offset_rename() solution is to preinsert the target into the
tree for new_dir; the rest can be done without any potentially failing
operations.
That preinsertion has to be done in shmem_rename2() rather than in
simple_offset_rename() itself - otherwise we'd need to deal with the
possibility of failure after successful shmem_whiteout().
Fixes: a2e459555c5f ("shmem: stable directory offsets")
Reviewed-by: Christian Brauner <brauner@kernel.org>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/libfs.c | 50 +++++++++++++++++++---------------------------
include/linux/fs.h | 2 +-
mm/shmem.c | 18 ++++++++++++-----
3 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/fs/libfs.c b/fs/libfs.c
index 8743241678496..028f2cf729d5d 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -345,22 +345,22 @@ void simple_offset_remove(struct offset_ctx *octx, struct dentry *dentry)
* User space expects the directory offset value of the replaced
* (new) directory entry to be unchanged after a rename.
*
- * Returns zero on success, a negative errno value on failure.
+ * Caller must have grabbed a slot for new_dentry in the maple_tree
+ * associated with new_dir, even if dentry is negative.
*/
-int simple_offset_rename(struct inode *old_dir, struct dentry *old_dentry,
- struct inode *new_dir, struct dentry *new_dentry)
+void simple_offset_rename(struct inode *old_dir, struct dentry *old_dentry,
+ struct inode *new_dir, struct dentry *new_dentry)
{
struct offset_ctx *old_ctx = old_dir->i_op->get_offset_ctx(old_dir);
struct offset_ctx *new_ctx = new_dir->i_op->get_offset_ctx(new_dir);
long new_offset = dentry2offset(new_dentry);
- simple_offset_remove(old_ctx, old_dentry);
+ if (WARN_ON(!new_offset))
+ return;
- if (new_offset) {
- offset_set(new_dentry, 0);
- return simple_offset_replace(new_ctx, old_dentry, new_offset);
- }
- return simple_offset_add(new_ctx, old_dentry);
+ simple_offset_remove(old_ctx, old_dentry);
+ offset_set(new_dentry, 0);
+ WARN_ON(simple_offset_replace(new_ctx, old_dentry, new_offset));
}
/**
@@ -387,31 +387,23 @@ int simple_offset_rename_exchange(struct inode *old_dir,
long new_index = dentry2offset(new_dentry);
int ret;
- simple_offset_remove(old_ctx, old_dentry);
- simple_offset_remove(new_ctx, new_dentry);
+ if (WARN_ON(!old_index || !new_index))
+ return -EINVAL;
- ret = simple_offset_replace(new_ctx, old_dentry, new_index);
- if (ret)
- goto out_restore;
+ ret = mtree_store(&new_ctx->mt, new_index, old_dentry, GFP_KERNEL);
+ if (WARN_ON(ret))
+ return ret;
- ret = simple_offset_replace(old_ctx, new_dentry, old_index);
- if (ret) {
- simple_offset_remove(new_ctx, old_dentry);
- goto out_restore;
+ ret = mtree_store(&old_ctx->mt, old_index, new_dentry, GFP_KERNEL);
+ if (WARN_ON(ret)) {
+ mtree_store(&new_ctx->mt, new_index, new_dentry, GFP_KERNEL);
+ return ret;
}
- ret = simple_rename_exchange(old_dir, old_dentry, new_dir, new_dentry);
- if (ret) {
- simple_offset_remove(new_ctx, old_dentry);
- simple_offset_remove(old_ctx, new_dentry);
- goto out_restore;
- }
+ offset_set(old_dentry, new_index);
+ offset_set(new_dentry, old_index);
+ simple_rename_exchange(old_dir, old_dentry, new_dir, new_dentry);
return 0;
-
-out_restore:
- (void)simple_offset_replace(old_ctx, old_dentry, old_index);
- (void)simple_offset_replace(new_ctx, new_dentry, new_index);
- return ret;
}
/**
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 37a01c9d96583..87720e1b54192 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -3446,7 +3446,7 @@ struct offset_ctx {
void simple_offset_init(struct offset_ctx *octx);
int simple_offset_add(struct offset_ctx *octx, struct dentry *dentry);
void simple_offset_remove(struct offset_ctx *octx, struct dentry *dentry);
-int simple_offset_rename(struct inode *old_dir, struct dentry *old_dentry,
+void simple_offset_rename(struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry);
int simple_offset_rename_exchange(struct inode *old_dir,
struct dentry *old_dentry,
diff --git a/mm/shmem.c b/mm/shmem.c
index 7e07188e82696..0c3113b5b5aaa 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -3749,6 +3749,7 @@ static int shmem_rename2(struct mnt_idmap *idmap,
{
struct inode *inode = d_inode(old_dentry);
int they_are_dirs = S_ISDIR(inode->i_mode);
+ bool had_offset = false;
int error;
if (flags & ~(RENAME_NOREPLACE | RENAME_EXCHANGE | RENAME_WHITEOUT))
@@ -3761,16 +3762,23 @@ static int shmem_rename2(struct mnt_idmap *idmap,
if (!simple_empty(new_dentry))
return -ENOTEMPTY;
+ error = simple_offset_add(shmem_get_offset_ctx(new_dir), new_dentry);
+ if (error == -EBUSY)
+ had_offset = true;
+ else if (unlikely(error))
+ return error;
+
if (flags & RENAME_WHITEOUT) {
error = shmem_whiteout(idmap, old_dir, old_dentry);
- if (error)
+ if (error) {
+ if (!had_offset)
+ simple_offset_remove(shmem_get_offset_ctx(new_dir),
+ new_dentry);
return error;
+ }
}
- error = simple_offset_rename(old_dir, old_dentry, new_dir, new_dentry);
- if (error)
- return error;
-
+ simple_offset_rename(old_dir, old_dentry, new_dir, new_dentry);
if (d_really_is_positive(new_dentry)) {
(void) shmem_unlink(new_dir, new_dentry);
if (they_are_dirs) {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 006/567] iomap: adjust read range correctly for non-block-aligned positions
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 005/567] shmem: fix recovery on rename failures Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 007/567] iomap: account for unaligned end offsets when truncating read range Greg Kroah-Hartman
` (574 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, syzbot, Brian Foster,
Christoph Hellwig, Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
[ Upstream commit 7aa6bc3e8766990824f66ca76c19596ce10daf3e ]
iomap_adjust_read_range() assumes that the position and length passed in
are block-aligned. This is not always the case however, as shown in the
syzbot generated case for erofs. This causes too many bytes to be
skipped for uptodate blocks, which results in returning the incorrect
position and length to read in. If all the blocks are uptodate, this
underflows length and returns a position beyond the folio.
Fix the calculation to also take into account the block offset when
calculating how many bytes can be skipped for uptodate blocks.
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Tested-by: syzbot@syzkaller.appspotmail.com
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/iomap/buffered-io.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index d4b990938399c..258ac7bf658fd 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -250,17 +250,24 @@ static void iomap_adjust_read_range(struct inode *inode, struct folio *folio,
* to avoid reading in already uptodate ranges.
*/
if (ifs) {
- unsigned int i;
+ unsigned int i, blocks_skipped;
/* move forward for each leading block marked uptodate */
- for (i = first; i <= last; i++) {
+ for (i = first; i <= last; i++)
if (!ifs_block_is_uptodate(ifs, i))
break;
- *pos += block_size;
- poff += block_size;
- plen -= block_size;
- first++;
+
+ blocks_skipped = i - first;
+ if (blocks_skipped) {
+ unsigned long block_offset = *pos & (block_size - 1);
+ unsigned bytes_skipped =
+ (blocks_skipped << block_bits) - block_offset;
+
+ *pos += bytes_skipped;
+ poff += bytes_skipped;
+ plen -= bytes_skipped;
}
+ first = i;
/* truncate len if we find any trailing uptodate block(s) */
while (++i <= last) {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 007/567] iomap: account for unaligned end offsets when truncating read range
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 006/567] iomap: adjust read range correctly for non-block-aligned positions Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 008/567] scripts/faddr2line: Fix "Argument list too long" error Greg Kroah-Hartman
` (573 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, Christoph Hellwig,
Darrick J. Wong, Christian Brauner, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
[ Upstream commit 9d875e0eef8ec15b6b1da0cb9a0f8ed13efee89e ]
The end position to start truncating from may be at an offset into a
block, which under the current logic would result in overtruncation.
Adjust the calculation to account for unaligned end offsets.
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Link: https://patch.msgid.link/20251111193658.3495942-3-joannelkoong@gmail.com
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/iomap/buffered-io.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index 258ac7bf658fd..397c96c25c31f 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -227,6 +227,22 @@ static void ifs_free(struct folio *folio)
kfree(ifs);
}
+/*
+ * Calculate how many bytes to truncate based off the number of blocks to
+ * truncate and the end position to start truncating from.
+ */
+static size_t iomap_bytes_to_truncate(loff_t end_pos, unsigned block_bits,
+ unsigned blocks_truncated)
+{
+ unsigned block_size = 1 << block_bits;
+ unsigned block_offset = end_pos & (block_size - 1);
+
+ if (!block_offset)
+ return blocks_truncated << block_bits;
+
+ return ((blocks_truncated - 1) << block_bits) + block_offset;
+}
+
/*
* Calculate the range inside the folio that we actually need to read.
*/
@@ -272,7 +288,8 @@ static void iomap_adjust_read_range(struct inode *inode, struct folio *folio,
/* truncate len if we find any trailing uptodate block(s) */
while (++i <= last) {
if (ifs_block_is_uptodate(ifs, i)) {
- plen -= (last - i + 1) * block_size;
+ plen -= iomap_bytes_to_truncate(*pos + plen,
+ block_bits, last - i + 1);
last = i - 1;
break;
}
@@ -288,7 +305,8 @@ static void iomap_adjust_read_range(struct inode *inode, struct folio *folio,
unsigned end = offset_in_folio(folio, isize - 1) >> block_bits;
if (first <= end && last > end)
- plen -= (last - end) * block_size;
+ plen -= iomap_bytes_to_truncate(*pos + plen, block_bits,
+ last - end);
}
*offp = poff;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 008/567] scripts/faddr2line: Fix "Argument list too long" error
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 007/567] iomap: account for unaligned end offsets when truncating read range Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 009/567] perf/x86/amd: Check event before enable to avoid GPF Greg Kroah-Hartman
` (572 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pankaj Raghav, Josh Poimboeuf,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pankaj Raghav <p.raghav@samsung.com>
[ Upstream commit ff5c0466486ba8d07ab2700380e8fd6d5344b4e9 ]
The run_readelf() function reads the entire output of readelf into a
single shell variable. For large object files with extensive debug
information, the size of this variable can exceed the system's
command-line argument length limit.
When this variable is subsequently passed to sed via `echo "${out}"`, it
triggers an "Argument list too long" error, causing the script to fail.
Fix this by redirecting the output of readelf to a temporary file
instead of a variable. The sed commands are then modified to read from
this file, avoiding the argument length limitation entirely.
Signed-off-by: Pankaj Raghav <p.raghav@samsung.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/faddr2line | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/scripts/faddr2line b/scripts/faddr2line
index 1fa6beef9f978..477b6d2aa3179 100755
--- a/scripts/faddr2line
+++ b/scripts/faddr2line
@@ -107,14 +107,19 @@ find_dir_prefix() {
run_readelf() {
local objfile=$1
- local out=$(${READELF} --file-header --section-headers --symbols --wide $objfile)
+ local tmpfile
+ tmpfile=$(mktemp)
+
+ ${READELF} --file-header --section-headers --symbols --wide "$objfile" > "$tmpfile"
# This assumes that readelf first prints the file header, then the section headers, then the symbols.
# Note: It seems that GNU readelf does not prefix section headers with the "There are X section headers"
# line when multiple options are given, so let's also match with the "Section Headers:" line.
- ELF_FILEHEADER=$(echo "${out}" | sed -n '/There are [0-9]* section headers, starting at offset\|Section Headers:/q;p')
- ELF_SECHEADERS=$(echo "${out}" | sed -n '/There are [0-9]* section headers, starting at offset\|Section Headers:/,$p' | sed -n '/Symbol table .* contains [0-9]* entries:/q;p')
- ELF_SYMS=$(echo "${out}" | sed -n '/Symbol table .* contains [0-9]* entries:/,$p')
+ ELF_FILEHEADER=$(sed -n '/There are [0-9]* section headers, starting at offset\|Section Headers:/q;p' "$tmpfile")
+ ELF_SECHEADERS=$(sed -n '/There are [0-9]* section headers, starting at offset\|Section Headers:/,$p' "$tmpfile" | sed -n '/Symbol table .* contains [0-9]* entries:/q;p')
+ ELF_SYMS=$(sed -n '/Symbol table .* contains [0-9]* entries:/,$p' "$tmpfile")
+
+ rm -f -- "$tmpfile"
}
check_vmlinux() {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 009/567] perf/x86/amd: Check event before enable to avoid GPF
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 008/567] scripts/faddr2line: Fix "Argument list too long" error Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 010/567] sched/deadline: only set free_cpus for online runqueues Greg Kroah-Hartman
` (571 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, George Kennedy,
Peter Zijlstra (Intel), Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: George Kennedy <george.kennedy@oracle.com>
[ Upstream commit 866cf36bfee4fba6a492d2dcc5133f857e3446b0 ]
On AMD machines cpuc->events[idx] can become NULL in a subtle race
condition with NMI->throttle->x86_pmu_stop().
Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.
This appears to be an AMD only issue.
Syzkaller reported a GPF in amd_pmu_enable_all.
INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143
msecs
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]
CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk
RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195
arch/x86/events/core.c:1430)
RSP: 0018:ffff888118009d60 EFLAGS: 00010012
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601
FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0
Call Trace:
<IRQ>
amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))
x86_pmu_enable (arch/x86/events/core.c:1360)
event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186
kernel/events/core.c:2346)
__perf_remove_from_context (kernel/events/core.c:2435)
event_function (kernel/events/core.c:259)
remote_function (kernel/events/core.c:92 (discriminator 1)
kernel/events/core.c:72 (discriminator 1))
__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64
kernel/smp.c:135 kernel/smp.c:540)
__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207
./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)
sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)
arch/x86/kernel/smp.c:266 (discriminator 47))
</IRQ>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/amd/core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c
index b4a1a2576510e..36d28edf7a535 100644
--- a/arch/x86/events/amd/core.c
+++ b/arch/x86/events/amd/core.c
@@ -762,7 +762,12 @@ static void amd_pmu_enable_all(int added)
if (!test_bit(idx, cpuc->active_mask))
continue;
- amd_pmu_enable_event(cpuc->events[idx]);
+ /*
+ * FIXME: cpuc->events[idx] can become NULL in a subtle race
+ * condition with NMI->throttle->x86_pmu_stop().
+ */
+ if (cpuc->events[idx])
+ amd_pmu_enable_event(cpuc->events[idx]);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 010/567] sched/deadline: only set free_cpus for online runqueues
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 009/567] perf/x86/amd: Check event before enable to avoid GPF Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 011/567] sched/fair: Revert max_newidle_lb_cost bump Greg Kroah-Hartman
` (570 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Peter Zijlstra (Intel),
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
[ Upstream commit 382748c05e58a9f1935f5a653c352422375566ea ]
Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus
to reflect rd->online") introduced the cpudl_set/clear_freecpu
functions to allow the cpu_dl::free_cpus mask to be manipulated
by the deadline scheduler class rq_on/offline callbacks so the
mask would also reflect this state.
Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask
from cpudl_find()") removed the check of the cpu_active_mask to
save some processing on the premise that the cpudl::free_cpus
mask already reflected the runqueue online state.
Unfortunately, there are cases where it is possible for the
cpudl_clear function to set the free_cpus bit for a CPU when the
deadline runqueue is offline. When this occurs while a CPU is
connected to the default root domain the flag may retain the bad
state after the CPU has been unplugged. Later, a different CPU
that is transitioning through the default root domain may push a
deadline task to the powered down CPU when cpudl_find sees its
free_cpus bit is set. If this happens the task will not have the
opportunity to run.
One example is outlined here:
https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com
Another occurs when the last deadline task is migrated from a
CPU that has an offlined runqueue. The dequeue_task member of
the deadline scheduler class will eventually call cpudl_clear
and set the free_cpus bit for the CPU.
This commit modifies the cpudl_clear function to be aware of the
online state of the deadline runqueue so that the free_cpus mask
can be updated appropriately.
It is no longer necessary to manage the mask outside of the
cpudl_set/clear functions so the cpudl_set/clear_freecpu
functions are removed. In addition, since the free_cpus mask is
now only updated under the cpudl lock the code was changed to
use the non-atomic __cpumask functions.
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/cpudeadline.c | 34 +++++++++-------------------------
kernel/sched/cpudeadline.h | 4 +---
kernel/sched/deadline.c | 8 ++++----
3 files changed, 14 insertions(+), 32 deletions(-)
diff --git a/kernel/sched/cpudeadline.c b/kernel/sched/cpudeadline.c
index 95baa12a10293..59d7b4f48c086 100644
--- a/kernel/sched/cpudeadline.c
+++ b/kernel/sched/cpudeadline.c
@@ -165,12 +165,13 @@ int cpudl_find(struct cpudl *cp, struct task_struct *p,
* cpudl_clear - remove a CPU from the cpudl max-heap
* @cp: the cpudl max-heap context
* @cpu: the target CPU
+ * @online: the online state of the deadline runqueue
*
* Notes: assumes cpu_rq(cpu)->lock is locked
*
* Returns: (void)
*/
-void cpudl_clear(struct cpudl *cp, int cpu)
+void cpudl_clear(struct cpudl *cp, int cpu, bool online)
{
int old_idx, new_cpu;
unsigned long flags;
@@ -183,7 +184,7 @@ void cpudl_clear(struct cpudl *cp, int cpu)
if (old_idx == IDX_INVALID) {
/*
* Nothing to remove if old_idx was invalid.
- * This could happen if a rq_offline_dl is
+ * This could happen if rq_online_dl or rq_offline_dl is
* called for a CPU without -dl tasks running.
*/
} else {
@@ -194,9 +195,12 @@ void cpudl_clear(struct cpudl *cp, int cpu)
cp->elements[new_cpu].idx = old_idx;
cp->elements[cpu].idx = IDX_INVALID;
cpudl_heapify(cp, old_idx);
-
- cpumask_set_cpu(cpu, cp->free_cpus);
}
+ if (likely(online))
+ __cpumask_set_cpu(cpu, cp->free_cpus);
+ else
+ __cpumask_clear_cpu(cpu, cp->free_cpus);
+
raw_spin_unlock_irqrestore(&cp->lock, flags);
}
@@ -227,7 +231,7 @@ void cpudl_set(struct cpudl *cp, int cpu, u64 dl)
cp->elements[new_idx].cpu = cpu;
cp->elements[cpu].idx = new_idx;
cpudl_heapify_up(cp, new_idx);
- cpumask_clear_cpu(cpu, cp->free_cpus);
+ __cpumask_clear_cpu(cpu, cp->free_cpus);
} else {
cp->elements[old_idx].dl = dl;
cpudl_heapify(cp, old_idx);
@@ -236,26 +240,6 @@ void cpudl_set(struct cpudl *cp, int cpu, u64 dl)
raw_spin_unlock_irqrestore(&cp->lock, flags);
}
-/*
- * cpudl_set_freecpu - Set the cpudl.free_cpus
- * @cp: the cpudl max-heap context
- * @cpu: rd attached CPU
- */
-void cpudl_set_freecpu(struct cpudl *cp, int cpu)
-{
- cpumask_set_cpu(cpu, cp->free_cpus);
-}
-
-/*
- * cpudl_clear_freecpu - Clear the cpudl.free_cpus
- * @cp: the cpudl max-heap context
- * @cpu: rd attached CPU
- */
-void cpudl_clear_freecpu(struct cpudl *cp, int cpu)
-{
- cpumask_clear_cpu(cpu, cp->free_cpus);
-}
-
/*
* cpudl_init - initialize the cpudl structure
* @cp: the cpudl max-heap context
diff --git a/kernel/sched/cpudeadline.h b/kernel/sched/cpudeadline.h
index 0adeda93b5fb5..ecff718d94aea 100644
--- a/kernel/sched/cpudeadline.h
+++ b/kernel/sched/cpudeadline.h
@@ -18,9 +18,7 @@ struct cpudl {
#ifdef CONFIG_SMP
int cpudl_find(struct cpudl *cp, struct task_struct *p, struct cpumask *later_mask);
void cpudl_set(struct cpudl *cp, int cpu, u64 dl);
-void cpudl_clear(struct cpudl *cp, int cpu);
+void cpudl_clear(struct cpudl *cp, int cpu, bool online);
int cpudl_init(struct cpudl *cp);
-void cpudl_set_freecpu(struct cpudl *cp, int cpu);
-void cpudl_clear_freecpu(struct cpudl *cp, int cpu);
void cpudl_cleanup(struct cpudl *cp);
#endif /* CONFIG_SMP */
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 6ec66fef3f91e..abd0fb2d839c1 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -1852,7 +1852,7 @@ static void dec_dl_deadline(struct dl_rq *dl_rq, u64 deadline)
if (!dl_rq->dl_nr_running) {
dl_rq->earliest_dl.curr = 0;
dl_rq->earliest_dl.next = 0;
- cpudl_clear(&rq->rd->cpudl, rq->cpu);
+ cpudl_clear(&rq->rd->cpudl, rq->cpu, rq->online);
cpupri_set(&rq->rd->cpupri, rq->cpu, rq->rt.highest_prio.curr);
} else {
struct rb_node *leftmost = rb_first_cached(&dl_rq->root);
@@ -2950,9 +2950,10 @@ static void rq_online_dl(struct rq *rq)
if (rq->dl.overloaded)
dl_set_overload(rq);
- cpudl_set_freecpu(&rq->rd->cpudl, rq->cpu);
if (rq->dl.dl_nr_running > 0)
cpudl_set(&rq->rd->cpudl, rq->cpu, rq->dl.earliest_dl.curr);
+ else
+ cpudl_clear(&rq->rd->cpudl, rq->cpu, true);
}
/* Assumes rq->lock is held */
@@ -2961,8 +2962,7 @@ static void rq_offline_dl(struct rq *rq)
if (rq->dl.overloaded)
dl_clear_overload(rq);
- cpudl_clear(&rq->rd->cpudl, rq->cpu);
- cpudl_clear_freecpu(&rq->rd->cpudl, rq->cpu);
+ cpudl_clear(&rq->rd->cpudl, rq->cpu, false);
}
void __init init_sched_dl_class(void)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 011/567] sched/fair: Revert max_newidle_lb_cost bump
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 010/567] sched/deadline: only set free_cpus for online runqueues Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 012/567] x86/ptrace: Always inline trivial accessors Greg Kroah-Hartman
` (569 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Salisbury, Adam Li,
Dietmar Eggemann, Hazem Mohamed Abuelfotoh,
Peter Zijlstra (Intel), Chris Mason, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit d206fbad9328ddb68ebabd7cf7413392acd38081 ]
Many people reported regressions on their database workloads due to:
155213a2aed4 ("sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails")
For instance Adam Li reported a 6% regression on SpecJBB.
Conversely this will regress schbench again; on my machine from 2.22
Mrps/s down to 2.04 Mrps/s.
Reported-by: Joseph Salisbury <joseph.salisbury@oracle.com>
Reported-by: Adam Li <adamli@os.amperecomputing.com>
Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Reported-by: Hazem Mohamed Abuelfotoh <abuehaze@amazon.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Chris Mason <clm@meta.com>
Link: https://lkml.kernel.org/r/20250626144017.1510594-2-clm@fb.com
Link: https://lkml.kernel.org/r/006c9df2-b691-47f1-82e6-e233c3f91faf@oracle.com
Link: https://patch.msgid.link/20251107161739.406147760@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 19 +++----------------
1 file changed, 3 insertions(+), 16 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 62b8c7e914ebc..3ceb7f69f8f7b 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -12238,14 +12238,8 @@ static inline bool update_newidle_cost(struct sched_domain *sd, u64 cost)
/*
* Track max cost of a domain to make sure to not delay the
* next wakeup on the CPU.
- *
- * sched_balance_newidle() bumps the cost whenever newidle
- * balance fails, and we don't want things to grow out of
- * control. Use the sysctl_sched_migration_cost as the upper
- * limit, plus a litle extra to avoid off by ones.
*/
- sd->max_newidle_lb_cost =
- min(cost, sysctl_sched_migration_cost + 200);
+ sd->max_newidle_lb_cost = cost;
sd->last_decay_max_lb_cost = jiffies;
} else if (time_after(jiffies, sd->last_decay_max_lb_cost + HZ)) {
/*
@@ -12950,17 +12944,10 @@ static int sched_balance_newidle(struct rq *this_rq, struct rq_flags *rf)
t1 = sched_clock_cpu(this_cpu);
domain_cost = t1 - t0;
+ update_newidle_cost(sd, domain_cost);
+
curr_cost += domain_cost;
t0 = t1;
-
- /*
- * Failing newidle means it is not effective;
- * bump the cost so we end up doing less of it.
- */
- if (!pulled_task)
- domain_cost = (3 * sd->max_newidle_lb_cost) / 2;
-
- update_newidle_cost(sd, domain_cost);
}
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 012/567] x86/ptrace: Always inline trivial accessors
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 011/567] sched/fair: Revert max_newidle_lb_cost bump Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 013/567] ACPICA: Avoid walking the Namespace if start_node is NULL Greg Kroah-Hartman
` (568 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel), Ingo Molnar,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 1fe4002cf7f23d70c79bda429ca2a9423ebcfdfa ]
A KASAN build bloats these single load/store helpers such that
it fails to inline them:
vmlinux.o: error: objtool: irqentry_exit+0x5e8: call to instruction_pointer_set() with UACCESS enabled
Make sure the compiler isn't allowed to do stupid.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://patch.msgid.link/20251031105435.GU4068168@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/ptrace.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
index 5a83fbd9bc0b4..eb5b1e2aa7000 100644
--- a/arch/x86/include/asm/ptrace.h
+++ b/arch/x86/include/asm/ptrace.h
@@ -187,12 +187,12 @@ convert_ip_to_linear(struct task_struct *child, struct pt_regs *regs);
extern void send_sigtrap(struct pt_regs *regs, int error_code, int si_code);
-static inline unsigned long regs_return_value(struct pt_regs *regs)
+static __always_inline unsigned long regs_return_value(struct pt_regs *regs)
{
return regs->ax;
}
-static inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
+static __always_inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
{
regs->ax = rc;
}
@@ -277,34 +277,34 @@ static __always_inline bool ip_within_syscall_gap(struct pt_regs *regs)
}
#endif
-static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
+static __always_inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
{
return regs->sp;
}
-static inline unsigned long instruction_pointer(struct pt_regs *regs)
+static __always_inline unsigned long instruction_pointer(struct pt_regs *regs)
{
return regs->ip;
}
-static inline void instruction_pointer_set(struct pt_regs *regs,
- unsigned long val)
+static __always_inline
+void instruction_pointer_set(struct pt_regs *regs, unsigned long val)
{
regs->ip = val;
}
-static inline unsigned long frame_pointer(struct pt_regs *regs)
+static __always_inline unsigned long frame_pointer(struct pt_regs *regs)
{
return regs->bp;
}
-static inline unsigned long user_stack_pointer(struct pt_regs *regs)
+static __always_inline unsigned long user_stack_pointer(struct pt_regs *regs)
{
return regs->sp;
}
-static inline void user_stack_pointer_set(struct pt_regs *regs,
- unsigned long val)
+static __always_inline
+void user_stack_pointer_set(struct pt_regs *regs, unsigned long val)
{
regs->sp = val;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 013/567] ACPICA: Avoid walking the Namespace if start_node is NULL
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 012/567] x86/ptrace: Always inline trivial accessors Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 014/567] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Greg Kroah-Hartman
` (567 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cryolitia PukNgae, WangYuli,
Rafael J. Wysocki, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
[ Upstream commit 9d6c58dae8f6590c746ac5d0012ffe14a77539f0 ]
Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace
if it is not there") fixed the situation when both start_node and
acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed
on Honor Magicbook 14 Pro [1].
That happens due to the access to the member of parent_node in
acpi_ns_get_next_node(). The NULL pointer dereference will always
happen, no matter whether or not the start_node is equal to
ACPI_ROOT_OBJECT, so move the check of start_node being NULL
out of the if block.
Unfortunately, all the attempts to contact Honor have failed, they
refused to provide any technical support for Linux.
The bad DSDT table's dump could be found on GitHub [2].
DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025
Link: https://github.com/acpica/acpica/commit/1c1b57b9eba4554cb132ee658dd942c0210ed20d
Link: https://gist.github.com/Cryolitia/a860ffc97437dcd2cd988371d5b73ed7 [1]
Link: https://github.com/denis-bb/honor-fmb-p-dsdt [2]
Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
Reviewed-by: WangYuli <wangyl5933@chinaunicom.cn>
[ rjw: Subject adjustment, changelog edits ]
Link: https://patch.msgid.link/20251125-acpica-v1-1-99e63b1b25f8@linux.dev
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/nswalk.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/acpi/acpica/nswalk.c b/drivers/acpi/acpica/nswalk.c
index eee396a77baec..1b000ccbf8e1f 100644
--- a/drivers/acpi/acpica/nswalk.c
+++ b/drivers/acpi/acpica/nswalk.c
@@ -169,9 +169,12 @@ acpi_ns_walk_namespace(acpi_object_type type,
if (start_node == ACPI_ROOT_OBJECT) {
start_node = acpi_gbl_root_node;
- if (!start_node) {
- return_ACPI_STATUS(AE_NO_NAMESPACE);
- }
+ }
+
+ /* Avoid walking the namespace if the StartNode is NULL */
+
+ if (!start_node) {
+ return_ACPI_STATUS(AE_NO_NAMESPACE);
}
/* Null child means "get first node" */
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 014/567] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 013/567] ACPICA: Avoid walking the Namespace if start_node is NULL Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 015/567] cpufreq: dt-platdev: Add JH7110S SOC to the allowlist Greg Kroah-Hartman
` (566 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Laurent Pinchart,
Jonathan Cameron, Rafael J. Wysocki, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
[ Upstream commit 5d010473cdeaabf6a2d3a9e2aed2186c1b73c213 ]
Calling fwnode_get_next_child_node() in ACPI implementation of the fwnode
property API is somewhat problematic as the latter is used in the
impelementation of the former. Instead of using
fwnode_get_next_child_node() in acpi_graph_get_next_endpoint(), call
acpi_get_next_subnode() directly instead.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Link: https://patch.msgid.link/20251001104320.1272752-3-sakari.ailus@linux.intel.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/property.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c
index b7ee463e757d2..8a37de04b69be 100644
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -1441,7 +1441,7 @@ static struct fwnode_handle *acpi_graph_get_next_endpoint(
if (!prev) {
do {
- port = fwnode_get_next_child_node(fwnode, port);
+ port = acpi_get_next_subnode(fwnode, port);
/*
* The names of the port nodes begin with "port@"
* followed by the number of the port node and they also
@@ -1459,13 +1459,13 @@ static struct fwnode_handle *acpi_graph_get_next_endpoint(
if (!port)
return NULL;
- endpoint = fwnode_get_next_child_node(port, prev);
+ endpoint = acpi_get_next_subnode(port, prev);
while (!endpoint) {
- port = fwnode_get_next_child_node(fwnode, port);
+ port = acpi_get_next_subnode(fwnode, port);
if (!port)
break;
if (is_acpi_graph_node(port, "port"))
- endpoint = fwnode_get_next_child_node(port, NULL);
+ endpoint = acpi_get_next_subnode(port, NULL);
}
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 015/567] cpufreq: dt-platdev: Add JH7110S SOC to the allowlist
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 014/567] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 016/567] ACPI: fan: Workaround for 64-bit firmware bug Greg Kroah-Hartman
` (565 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hal Feng, Heinrich Schuchardt,
Viresh Kumar, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hal Feng <hal.feng@starfivetech.com>
[ Upstream commit 6e7970cab51d01b8f7c56f120486c571c22e1b80 ]
Add the compatible strings for supporting the generic
cpufreq driver on the StarFive JH7110S SoC.
Signed-off-by: Hal Feng <hal.feng@starfivetech.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/cpufreq-dt-platdev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/cpufreq/cpufreq-dt-platdev.c b/drivers/cpufreq/cpufreq-dt-platdev.c
index 67bac12d4d55b..dbd73cd0cf535 100644
--- a/drivers/cpufreq/cpufreq-dt-platdev.c
+++ b/drivers/cpufreq/cpufreq-dt-platdev.c
@@ -87,6 +87,7 @@ static const struct of_device_id allowlist[] __initconst = {
{ .compatible = "st-ericsson,u9540", },
{ .compatible = "starfive,jh7110", },
+ { .compatible = "starfive,jh7110s", },
{ .compatible = "ti,omap2", },
{ .compatible = "ti,omap4", },
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 016/567] ACPI: fan: Workaround for 64-bit firmware bug
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 015/567] cpufreq: dt-platdev: Add JH7110S SOC to the allowlist Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 017/567] cpufreq: s5pv210: fix refcount leak Greg Kroah-Hartman
` (564 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Rafael J. Wysocki,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 2e00f7a4bb0ac25ec7477b55fe482da39fb4dce8 ]
Some firmware implementations use the "Ones" ASL opcode to produce
an integer with all bits set in order to indicate missing speed or
power readings. This however only works when using 32-bit integers,
as the ACPI spec requires a 32-bit integer (0xFFFFFFFF) to be
returned for missing speed/power readings. With 64-bit integers the
"Ones" opcode produces a 64-bit integer with all bits set, violating
the ACPI spec regarding the placeholder value for missing readings.
Work around such buggy firmware implementation by also checking for
64-bit integers with all bits set when reading _FST.
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
[ rjw: Typo fix in the changelog ]
Link: https://patch.msgid.link/20251007234149.2769-3-W_Armin@gmx.de
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/fan.h | 33 +++++++++++++++++++++++++++++++++
drivers/acpi/fan_hwmon.c | 10 +++-------
2 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/drivers/acpi/fan.h b/drivers/acpi/fan.h
index 612ccc4c28279..eb48ac000e3d9 100644
--- a/drivers/acpi/fan.h
+++ b/drivers/acpi/fan.h
@@ -11,6 +11,7 @@
#define _ACPI_FAN_H_
#include <linux/kconfig.h>
+#include <linux/limits.h>
#define ACPI_FAN_DEVICE_IDS \
{"INT3404", }, /* Fan */ \
@@ -58,6 +59,38 @@ struct acpi_fan {
struct device_attribute fine_grain_control;
};
+/**
+ * acpi_fan_speed_valid - Check if fan speed value is valid
+ * @speeed: Speed value returned by the ACPI firmware
+ *
+ * Check if the fan speed value returned by the ACPI firmware is valid. This function is
+ * necessary as ACPI firmware implementations can return 0xFFFFFFFF to signal that the
+ * ACPI fan does not support speed reporting. Additionally, some buggy ACPI firmware
+ * implementations return a value larger than the 32-bit integer value defined by
+ * the ACPI specification when using placeholder values. Such invalid values are also
+ * detected by this function.
+ *
+ * Returns: True if the fan speed value is valid, false otherwise.
+ */
+static inline bool acpi_fan_speed_valid(u64 speed)
+{
+ return speed < U32_MAX;
+}
+
+/**
+ * acpi_fan_power_valid - Check if fan power value is valid
+ * @power: Power value returned by the ACPI firmware
+ *
+ * Check if the fan power value returned by the ACPI firmware is valid.
+ * See acpi_fan_speed_valid() for details.
+ *
+ * Returns: True if the fan power value is valid, false otherwise.
+ */
+static inline bool acpi_fan_power_valid(u64 power)
+{
+ return power < U32_MAX;
+}
+
int acpi_fan_get_fst(acpi_handle handle, struct acpi_fan_fst *fst);
int acpi_fan_create_attributes(struct acpi_device *device);
void acpi_fan_delete_attributes(struct acpi_device *device);
diff --git a/drivers/acpi/fan_hwmon.c b/drivers/acpi/fan_hwmon.c
index 4b2c2007f2d7f..47a02ef5a6067 100644
--- a/drivers/acpi/fan_hwmon.c
+++ b/drivers/acpi/fan_hwmon.c
@@ -15,10 +15,6 @@
#include "fan.h"
-/* Returned when the ACPI fan does not support speed reporting */
-#define FAN_SPEED_UNAVAILABLE U32_MAX
-#define FAN_POWER_UNAVAILABLE U32_MAX
-
static struct acpi_fan_fps *acpi_fan_get_current_fps(struct acpi_fan *fan, u64 control)
{
unsigned int i;
@@ -77,7 +73,7 @@ static umode_t acpi_fan_hwmon_is_visible(const void *drvdata, enum hwmon_sensor_
* when the associated attribute should not be created.
*/
for (i = 0; i < fan->fps_count; i++) {
- if (fan->fps[i].power != FAN_POWER_UNAVAILABLE)
+ if (acpi_fan_power_valid(fan->fps[i].power))
return 0444;
}
@@ -106,7 +102,7 @@ static int acpi_fan_hwmon_read(struct device *dev, enum hwmon_sensor_types type,
case hwmon_fan:
switch (attr) {
case hwmon_fan_input:
- if (fst.speed == FAN_SPEED_UNAVAILABLE)
+ if (!acpi_fan_speed_valid(fst.speed))
return -ENODEV;
if (fst.speed > LONG_MAX)
@@ -134,7 +130,7 @@ static int acpi_fan_hwmon_read(struct device *dev, enum hwmon_sensor_types type,
if (!fps)
return -EIO;
- if (fps->power == FAN_POWER_UNAVAILABLE)
+ if (!acpi_fan_power_valid(fps->power))
return -ENODEV;
if (fps->power > LONG_MAX / MICROWATT_PER_MILLIWATT)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 017/567] cpufreq: s5pv210: fix refcount leak
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 016/567] ACPI: fan: Workaround for 64-bit firmware bug Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 018/567] cpuidle: menu: Use residency threshold in polling state override decisions Greg Kroah-Hartman
` (563 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shuhao Fu, Viresh Kumar, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuhao Fu <sfual@cse.ust.hk>
[ Upstream commit 2de5cb96060a1664880d65b120e59485a73588a8 ]
In function `s5pv210_cpu_init`, a possible refcount inconsistency has
been identified, causing a resource leak.
Why it is a bug:
1. For every clk_get, there should be a matching clk_put on every
successive error handling path.
2. After calling `clk_get(dmc1_clk)`, variable `dmc1_clk` will not be
freed even if any error happens.
How it is fixed: For every failed path, an extra goto label is added to
ensure `dmc1_clk` will be freed regardlessly.
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/s5pv210-cpufreq.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/s5pv210-cpufreq.c b/drivers/cpufreq/s5pv210-cpufreq.c
index 76c888ed8d160..d2fa42beae9c2 100644
--- a/drivers/cpufreq/s5pv210-cpufreq.c
+++ b/drivers/cpufreq/s5pv210-cpufreq.c
@@ -518,7 +518,7 @@ static int s5pv210_cpu_init(struct cpufreq_policy *policy)
if (policy->cpu != 0) {
ret = -EINVAL;
- goto out_dmc1;
+ goto out;
}
/*
@@ -530,7 +530,7 @@ static int s5pv210_cpu_init(struct cpufreq_policy *policy)
if ((mem_type != LPDDR) && (mem_type != LPDDR2)) {
pr_err("CPUFreq doesn't support this memory type\n");
ret = -EINVAL;
- goto out_dmc1;
+ goto out;
}
/* Find current refresh counter and frequency each DMC */
@@ -544,6 +544,8 @@ static int s5pv210_cpu_init(struct cpufreq_policy *policy)
cpufreq_generic_init(policy, s5pv210_freq_table, 40000);
return 0;
+out:
+ clk_put(dmc1_clk);
out_dmc1:
clk_put(dmc0_clk);
out_dmc0:
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 018/567] cpuidle: menu: Use residency threshold in polling state override decisions
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 017/567] cpufreq: s5pv210: fix refcount leak Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 019/567] livepatch: Match old_sympos 0 and 1 in klp_find_func() Greg Kroah-Hartman
` (562 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Loehle, Aboorva Devarajan,
Rafael J. Wysocki, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aboorva Devarajan <aboorvad@linux.ibm.com>
[ Upstream commit 07d815701274d156ad8c7c088a52e01642156fb8 ]
On virtualized PowerPC (pseries) systems, where only one polling state
(Snooze) and one deep state (CEDE) are available, selecting CEDE when
the predicted idle duration is less than the target residency of CEDE
state can hurt performance. In such cases, the entry/exit overhead of
CEDE outweighs the power savings, leading to unnecessary state
transitions and higher latency.
Menu governor currently contains a special-case rule that prioritizes
the first non-polling state over polling, even when its target residency
is much longer than the predicted idle duration. On PowerPC/pseries,
where the gap between the polling state (Snooze) and the first non-polling
state (CEDE) is large, this behavior causes performance regressions.
Refine that special case by adding an extra requirement: the first
non-polling state can only be chosen if its target residency is below
the defined RESIDENCY_THRESHOLD_NS. If this condition is not satisfied,
polling is allowed instead, avoiding suboptimal non-polling state
entries.
This change is limited to the single special-case rule for the first
non-polling state. The general non-polling state selection logic in the
menu governor remains unchanged.
Performance improvement observed with pgbench on PowerPC (pseries)
system:
+---------------------------+------------+------------+------------+
| Metric | Baseline | Patched | Change (%) |
+---------------------------+------------+------------+------------+
| Transactions/sec (TPS) | 495,210 | 536,982 | +8.45% |
| Avg latency (ms) | 0.163 | 0.150 | -7.98% |
+---------------------------+------------+------------+------------+
CPUIdle state usage:
+--------------+--------------+-------------+
| Metric | Baseline | Patched |
+--------------+--------------+-------------+
| Total usage | 12,735,820 | 13,918,442 |
| Above usage | 11,401,520 | 1,598,210 |
| Below usage | 20,145 | 702,395 |
+--------------+--------------+-------------+
Above/Total and Below/Total usage percentages:
+------------------------+-----------+---------+
| Metric | Baseline | Patched |
+------------------------+-----------+---------+
| Above % (Above/Total) | 89.56% | 11.49% |
| Below % (Below/Total) | 0.16% | 5.05% |
| Total cpuidle miss (%) | 89.72% | 16.54% |
+------------------------+-----------+---------+
The results indicate that restricting CEDE selection to cases where
its residency matches the predicted idle time reduces mispredictions,
lowers unnecessary state transitions, and improves overall throughput.
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Signed-off-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
[ rjw: Changelog edits, rebase ]
Link: https://patch.msgid.link/20251006013954.17972-1-aboorvad@linux.ibm.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
| 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--git a/drivers/cpuidle/governors/menu.c b/drivers/cpuidle/governors/menu.c
index 9069c36a491d5..3be761961f1be 100644
--- a/drivers/cpuidle/governors/menu.c
+++ b/drivers/cpuidle/governors/menu.c
@@ -323,12 +323,13 @@ static int menu_select(struct cpuidle_driver *drv, struct cpuidle_device *dev,
}
/*
- * Use a physical idle state, not busy polling, unless a timer
- * is going to trigger soon enough or the exit latency of the
- * idle state in question is greater than the predicted idle
- * duration.
+ * Use a physical idle state instead of busy polling so long as
+ * its target residency is below the residency threshold, its
+ * exit latency is not greater than the predicted idle duration,
+ * and the next timer doesn't expire soon.
*/
if ((drv->states[idx].flags & CPUIDLE_FLAG_POLLING) &&
+ s->target_residency_ns < RESIDENCY_THRESHOLD_NS &&
s->target_residency_ns <= data->next_timer_ns &&
s->exit_latency_ns <= predicted_ns) {
predicted_ns = s->target_residency_ns;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 019/567] livepatch: Match old_sympos 0 and 1 in klp_find_func()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 018/567] cpuidle: menu: Use residency threshold in polling state override decisions Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 020/567] fs/ntfs3: Support timestamps prior to epoch Greg Kroah-Hartman
` (561 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Song Liu, Josh Poimboeuf,
Petr Mladek, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Song Liu <song@kernel.org>
[ Upstream commit 139560e8b973402140cafeb68c656c1374bd4c20 ]
When there is only one function of the same name, old_sympos of 0 and 1
are logically identical. Match them in klp_find_func().
This is to avoid a corner case with different toolchain behavior.
In this specific issue, two versions of kpatch-build were used to
build livepatch for the same kernel. One assigns old_sympos == 0 for
unique local functions, the other assigns old_sympos == 1 for unique
local functions. Both versions work fine by themselves. (PS: This
behavior change was introduced in a downstream version of kpatch-build.
This change does not exist in upstream kpatch-build.)
However, during livepatch upgrade (with the replace flag set) from a
patch built with one version of kpatch-build to the same fix built with
the other version of kpatch-build, livepatching fails with errors like:
[ 14.218706] sysfs: cannot create duplicate filename 'xxx/somefunc,1'
...
[ 14.219466] Call Trace:
[ 14.219468] <TASK>
[ 14.219469] dump_stack_lvl+0x47/0x60
[ 14.219474] sysfs_warn_dup.cold+0x17/0x27
[ 14.219476] sysfs_create_dir_ns+0x95/0xb0
[ 14.219479] kobject_add_internal+0x9e/0x260
[ 14.219483] kobject_add+0x68/0x80
[ 14.219485] ? kstrdup+0x3c/0xa0
[ 14.219486] klp_enable_patch+0x320/0x830
[ 14.219488] patch_init+0x443/0x1000 [ccc_0_6]
[ 14.219491] ? 0xffffffffa05eb000
[ 14.219492] do_one_initcall+0x2e/0x190
[ 14.219494] do_init_module+0x67/0x270
[ 14.219496] init_module_from_file+0x75/0xa0
[ 14.219499] idempotent_init_module+0x15a/0x240
[ 14.219501] __x64_sys_finit_module+0x61/0xc0
[ 14.219503] do_syscall_64+0x5b/0x160
[ 14.219505] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 14.219507] RIP: 0033:0x7f545a4bd96d
...
[ 14.219516] kobject: kobject_add_internal failed for somefunc,1 with
-EEXIST, don't try to register things with the same name ...
This happens because klp_find_func() thinks somefunc with old_sympos==0
is not the same as somefunc with old_sympos==1, and klp_add_object_nops
adds another xxx/func,1 to the list of functions to patch.
Signed-off-by: Song Liu <song@kernel.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
[pmladek@suse.com: Fixed some typos.]
Reviewed-by: Petr Mladek <pmladek@suse.com>
Tested-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/livepatch/core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index 3c21c31796db0..077e078032e05 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -90,8 +90,14 @@ static struct klp_func *klp_find_func(struct klp_object *obj,
struct klp_func *func;
klp_for_each_func(obj, func) {
+ /*
+ * Besides identical old_sympos, also consider old_sympos
+ * of 0 and 1 are identical.
+ */
if ((strcmp(old_func->old_name, func->old_name) == 0) &&
- (old_func->old_sympos == func->old_sympos)) {
+ ((old_func->old_sympos == func->old_sympos) ||
+ (old_func->old_sympos == 0 && func->old_sympos == 1) ||
+ (old_func->old_sympos == 1 && func->old_sympos == 0))) {
return func;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 020/567] fs/ntfs3: Support timestamps prior to epoch
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 019/567] livepatch: Match old_sympos 0 and 1 in klp_find_func() Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 021/567] kbuild: Use objtree for module signing key path Greg Kroah-Hartman
` (560 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Upstream commit 5180138604323895b5c291eca6aa7c20be494ade ]
Before it used an unsigned 64-bit type, which prevented proper handling
of timestamps earlier than 1970-01-01. Switch to a signed 64-bit type to
support pre-epoch timestamps. The issue was caught by xfstests.
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/ntfs_fs.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h
index ff7f241a25b24..a1040060b081f 100644
--- a/fs/ntfs3/ntfs_fs.h
+++ b/fs/ntfs3/ntfs_fs.h
@@ -980,11 +980,12 @@ static inline __le64 kernel2nt(const struct timespec64 *ts)
*/
static inline void nt2kernel(const __le64 tm, struct timespec64 *ts)
{
- u64 t = le64_to_cpu(tm) - _100ns2seconds * SecondsToStartOf1970;
+ s32 t32;
+ /* use signed 64 bit to support timestamps prior to epoch. xfstest 258. */
+ s64 t = le64_to_cpu(tm) - _100ns2seconds * SecondsToStartOf1970;
- // WARNING: do_div changes its first argument(!)
- ts->tv_nsec = do_div(t, _100ns2seconds) * 100;
- ts->tv_sec = t;
+ ts->tv_sec = div_s64_rem(t, _100ns2seconds, &t32);
+ ts->tv_nsec = t32 * 100;
}
static inline struct ntfs_sb_info *ntfs_sb(struct super_block *sb)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 021/567] kbuild: Use objtree for module signing key path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 020/567] fs/ntfs3: Support timestamps prior to epoch Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 022/567] ntfs: set dummy blocksize to read boot_block when mounting Greg Kroah-Hartman
` (559 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikhail Malyshev, Nathan Chancellor,
Nicolas Schier, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Malyshev <mike.malyshev@gmail.com>
[ Upstream commit af61da281f52aba0c5b090bafb3a31c5739850ff ]
When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
module signing fails because the private key path uses $(srctree)
while the public key path uses $(objtree). Since signing keys are
generated in the build directory during kernel compilation, both
paths should use $(objtree) for consistency.
This causes SSL errors like:
SSL error:02001002:system library:fopen:No such file or directory
sign-file: /kernel-src/certs/signing_key.pem
The issue occurs because:
- sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
- cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
But both keys are generated in $(objtree) during the build.
This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
external modules") which fixed the scripts path and public key path,
but missed the private key path inconsistency.
Fixes out-of-tree module signing for configurations with separate
source and build directories (e.g., O=/kernel-out).
Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20251015163452.3754286-1-mike.malyshev@gmail.com
Signed-off-by: Nicolas Schier <nsc@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/Makefile.modinst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index d977209431898..5dd52788a042a 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -100,7 +100,7 @@ endif
# Don't stop modules_install even if we can't sign external modules.
#
ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
-sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
+sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
else
sig-key := $(CONFIG_MODULE_SIG_KEY)
endif
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 022/567] ntfs: set dummy blocksize to read boot_block when mounting
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 021/567] kbuild: Use objtree for module signing key path Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 023/567] hfsplus: fix volume corruption issue for generic/070 Greg Kroah-Hartman
` (558 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f4f84b57a01d6b8364ad,
Pedro Demarchi Gomes, Konstantin Komarov, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
[ Upstream commit d1693a7d5a38acf6424235a6070bcf5b186a360d ]
When mounting, sb->s_blocksize is used to read the boot_block without
being defined or validated. Set a dummy blocksize before attempting to
read the boot_block.
The issue can be triggered with the following syz reproducer:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0)
r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0)
ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000)
mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00',
&(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0)
syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)
Here, the ioctl sets the bdev block size to 16384. During mount,
get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),
but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves
sb->s_blocksize at zero.
Later, ntfs_init_from_boot() attempts to read the boot_block while
sb->s_blocksize is still zero, which triggers the bug.
Reported-by: syzbot+f4f84b57a01d6b8364ad@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f4f84b57a01d6b8364ad
Signed-off-by: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
[almaz.alexandrovich@paragon-software.com: changed comment style, added
return value handling]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/super.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 6a0f6b0a3ab2a..89d126c155c7d 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -892,6 +892,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size,
sbi->volume.blocks = dev_size >> PAGE_SHIFT;
+ /* Set dummy blocksize to read boot_block. */
+ if (!sb_min_blocksize(sb, PAGE_SIZE)) {
+ return -EINVAL;
+ }
+
read_boot:
bh = ntfs_bread(sb, boot_block);
if (!bh)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 023/567] hfsplus: fix volume corruption issue for generic/070
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 022/567] ntfs: set dummy blocksize to read boot_block when mounting Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 024/567] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Greg Kroah-Hartman
` (557 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit ed490f36f439b877393c12a2113601e4145a5a56 ]
The xfstests' test-case generic/070 leaves HFS+ volume
in corrupted state:
sudo ./check generic/070
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.17.0-rc1+ #4 SMP PREEMPT_DYNAMIC Wed Oct 1 15:02:44 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/070 _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent
(see xfstests-dev/results//generic/070.full for details)
Ran: generic/070
Failures: generic/070
Failed 1 of 1 tests
sudo fsck.hfsplus -d /dev/loop50
** /dev/loop50
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking non-journaled HFS Plus Volume.
The volume name is test
** Checking extents overflow file.
Unused node is not erased (node = 1)
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0004
CBTStat = 0x0000 CatStat = 0x00000000
** Repairing volume.
** Rechecking volume.
** Checking non-journaled HFS Plus Volume.
The volume name is test
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume test was repaired successfully.
It is possible to see that fsck.hfsplus detected not
erased and unused node for the case of extents overflow file.
The HFS+ logic has special method that defines if the node
should be erased:
bool hfs_bnode_need_zeroout(struct hfs_btree *tree)
{
struct super_block *sb = tree->inode->i_sb;
struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb);
const u32 volume_attr = be32_to_cpu(sbi->s_vhdr->attributes);
return tree->cnid == HFSPLUS_CAT_CNID &&
volume_attr & HFSPLUS_VOL_UNUSED_NODE_FIX;
}
However, it is possible to see that this method works
only for the case of catalog file. But debugging of the issue
has shown that HFSPLUS_VOL_UNUSED_NODE_FIX attribute has been
requested for the extents overflow file too:
catalog file
kernel: hfsplus: node 4, num_recs 0, flags 0x10
kernel: hfsplus: tree->cnid 4, volume_attr 0x80000800
extents overflow file
kernel: hfsplus: node 1, num_recs 0, flags 0x10
kernel: hfsplus: tree->cnid 3, volume_attr 0x80000800
This patch modifies the hfs_bnode_need_zeroout() by checking
only volume_attr but not the b-tree ID because node zeroing
can be requested for all HFS+ b-tree types.
sudo ./check generic/070
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.18.0-rc3+ #79 SMP PREEMPT_DYNAMIC Fri Oct 31 16:07:42 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/070 33s ... 34s
Ran: generic/070
Passed all 1 tests
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20251101001229.247432-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/bnode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index 407d5152eb411..aa095e6fb20e8 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -704,6 +704,5 @@ bool hfs_bnode_need_zeroout(struct hfs_btree *tree)
struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb);
const u32 volume_attr = be32_to_cpu(sbi->s_vhdr->attributes);
- return tree->cnid == HFSPLUS_CAT_CNID &&
- volume_attr & HFSPLUS_VOL_UNUSED_NODE_FIX;
+ return volume_attr & HFSPLUS_VOL_UNUSED_NODE_FIX;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 024/567] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 023/567] hfsplus: fix volume corruption issue for generic/070 Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 025/567] hfsplus: Verify inode mode when loading from disk Greg Kroah-Hartman
` (556 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+005d2a9ecd9fbf525f6a,
Yang Chenzhi, Viacheslav Dubeyko, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Chenzhi <yang.chenzhi@vivo.com>
[ Upstream commit 152af114287851583cf7e0abc10129941f19466a ]
When sync() and link() are called concurrently, both threads may
enter hfs_bnode_find() without finding the node in the hash table
and proceed to create it.
Thread A:
hfsplus_write_inode()
-> hfsplus_write_system_inode()
-> hfs_btree_write()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
Thread B:
hfsplus_create_cat()
-> hfs_brec_insert()
-> hfs_bnode_split()
-> hfs_bmap_alloc()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
In this case, thread A creates the bnode, sets refcnt=1, and hashes it.
Thread B also tries to create the same bnode, notices it has already
been inserted, drops its own instance, and uses the hashed one without
getting the node.
```
node2 = hfs_bnode_findhash(tree, cnid);
if (!node2) { <- Thread A
hash = hfs_bnode_hash(cnid);
node->next_hash = tree->node_hash[hash];
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else { <- Thread B
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
!test_bit(HFS_BNODE_NEW, &node2->flags));
return node2;
}
```
However, hfs_bnode_find() requires each call to take a reference.
Here both threads end up setting refcnt=1. When they later put the node,
this triggers:
BUG_ON(!atomic_read(&node->refcnt))
In this scenario, Thread B in fact finds the node in the hash table
rather than creating a new one, and thus must take a reference.
Fix this by calling hfs_bnode_get() when reusing a bnode newly created by
another thread to ensure the refcount is updated correctly.
A similar bug was fixed in HFS long ago in commit
a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create")
but the same issue remained in HFS+ until now.
Reported-by: syzbot+005d2a9ecd9fbf525f6a@syzkaller.appspotmail.com
Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250829093912.611853-1-yang.chenzhi@vivo.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/bnode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index aa095e6fb20e8..c0089849be50e 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -481,6 +481,7 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else {
+ hfs_bnode_get(node2);
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 025/567] hfsplus: Verify inode mode when loading from disk
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 024/567] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 026/567] hfsplus: fix volume corruption issue for generic/073 Greg Kroah-Hartman
` (555 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa,
Viacheslav Dubeyko, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 005d4b0d33f6b4a23d382b7930f7a96b95b01f39 ]
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted.
According to [1], the permissions field was treated as reserved in Mac OS
8 and 9. According to [2], the reserved field was explicitly initialized
with 0, and that field must remain 0 as long as reserved. Therefore, when
the "mode" field is not 0 (i.e. no longer reserved), the file must be
S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/
S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0.
Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Link: https://developer.apple.com/library/archive/technotes/tn/tn1150.html#HFSPlusPermissions [1]
Link: https://developer.apple.com/library/archive/technotes/tn/tn1150.html#ReservedAndPadFields [2]
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/04ded9f9-73fb-496c-bfa5-89c4f5d1d7bb@I-love.SAKURA.ne.jp
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/inode.c | 32 ++++++++++++++++++++++++++++----
1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
index c85b5802ec0f9..2d68c52f894f9 100644
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -178,13 +178,29 @@ const struct dentry_operations hfsplus_dentry_operations = {
.d_compare = hfsplus_compare_dentry,
};
-static void hfsplus_get_perms(struct inode *inode,
- struct hfsplus_perm *perms, int dir)
+static int hfsplus_get_perms(struct inode *inode,
+ struct hfsplus_perm *perms, int dir)
{
struct hfsplus_sb_info *sbi = HFSPLUS_SB(inode->i_sb);
u16 mode;
mode = be16_to_cpu(perms->mode);
+ if (dir) {
+ if (mode && !S_ISDIR(mode))
+ goto bad_type;
+ } else if (mode) {
+ switch (mode & S_IFMT) {
+ case S_IFREG:
+ case S_IFLNK:
+ case S_IFCHR:
+ case S_IFBLK:
+ case S_IFIFO:
+ case S_IFSOCK:
+ break;
+ default:
+ goto bad_type;
+ }
+ }
i_uid_write(inode, be32_to_cpu(perms->owner));
if ((test_bit(HFSPLUS_SB_UID, &sbi->flags)) || (!i_uid_read(inode) && !mode))
@@ -210,6 +226,10 @@ static void hfsplus_get_perms(struct inode *inode,
inode->i_flags |= S_APPEND;
else
inode->i_flags &= ~S_APPEND;
+ return 0;
+bad_type:
+ pr_err("invalid file type 0%04o for inode %lu\n", mode, inode->i_ino);
+ return -EIO;
}
static int hfsplus_file_open(struct inode *inode, struct file *file)
@@ -514,7 +534,9 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
}
hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
sizeof(struct hfsplus_cat_folder));
- hfsplus_get_perms(inode, &folder->permissions, 1);
+ res = hfsplus_get_perms(inode, &folder->permissions, 1);
+ if (res)
+ goto out;
set_nlink(inode, 1);
inode->i_size = 2 + be32_to_cpu(folder->valence);
inode_set_atime_to_ts(inode, hfsp_mt2ut(folder->access_date));
@@ -543,7 +565,9 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
hfsplus_inode_read_fork(inode, HFSPLUS_IS_RSRC(inode) ?
&file->rsrc_fork : &file->data_fork);
- hfsplus_get_perms(inode, &file->permissions, 0);
+ res = hfsplus_get_perms(inode, &file->permissions, 0);
+ if (res)
+ goto out;
set_nlink(inode, 1);
if (S_ISREG(inode->i_mode)) {
if (file->permissions.dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 026/567] hfsplus: fix volume corruption issue for generic/073
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 025/567] hfsplus: Verify inode mode when loading from disk Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 027/567] fs/ntfs3: check for shutdown in fsync Greg Kroah-Hartman
` (554 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit 24e17a29cf7537f0947f26a50f85319abd723c6c ]
The xfstests' test-case generic/073 leaves HFS+ volume
in corrupted state:
sudo ./check generic/073
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.17.0-rc1+ #4 SMP PREEMPT_DYNAMIC Wed Oct 1 15:02:44 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/073 _check_generic_filesystem: filesystem on /dev/loop51 is inconsistent
(see XFSTESTS-2/xfstests-dev/results//generic/073.full for details)
Ran: generic/073
Failures: generic/073
Failed 1 of 1 tests
sudo fsck.hfsplus -d /dev/loop51
** /dev/loop51
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking non-journaled HFS Plus Volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
Invalid directory item count
(It should be 1 instead of 0)
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000
CBTStat = 0x0000 CatStat = 0x00004000
** Repairing volume.
** Rechecking volume.
** Checking non-journaled HFS Plus Volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume untitled was repaired successfully.
The test is doing these steps on final phase:
mv $SCRATCH_MNT/testdir_1/bar $SCRATCH_MNT/testdir_2/bar
$XFS_IO_PROG -c "fsync" $SCRATCH_MNT/testdir_1
$XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo
So, we move file bar from testdir_1 into testdir_2 folder. It means that HFS+
logic decrements the number of entries in testdir_1 and increments number of
entries in testdir_2. Finally, we do fsync only for testdir_1 and foo but not
for testdir_2. As a result, this is the reason why fsck.hfsplus detects the
volume corruption afterwards.
This patch fixes the issue by means of adding the
hfsplus_cat_write_inode() call for old_dir and new_dir in
hfsplus_rename() after the successful ending of
hfsplus_rename_cat(). This method makes modification of in-core
inode objects for old_dir and new_dir but it doesn't save these
modifications in Catalog File's entries. It was expected that
hfsplus_write_inode() will save these modifications afterwards.
However, because generic/073 does fsync only for testdir_1 and foo
then testdir_2 modification hasn't beed saved into Catalog File's
entry and it was flushed without this modification. And it was
detected by fsck.hfsplus. Now, hfsplus_rename() stores in Catalog
File all modified entries and correct state of Catalog File will
be flushed during hfsplus_file_fsync() call. Finally, it makes
fsck.hfsplus happy.
sudo ./check generic/073
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.18.0-rc3+ #93 SMP PREEMPT_DYNAMIC Wed Nov 12 14:37:49 PST 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/073 32s ... 32s
Ran: generic/073
Passed all 1 tests
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20251112232522.814038-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/dir.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
index f5c4b3e31a1c2..33154c720a4e9 100644
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -552,8 +552,13 @@ static int hfsplus_rename(struct mnt_idmap *idmap,
res = hfsplus_rename_cat((u32)(unsigned long)old_dentry->d_fsdata,
old_dir, &old_dentry->d_name,
new_dir, &new_dentry->d_name);
- if (!res)
+ if (!res) {
new_dentry->d_fsdata = old_dentry->d_fsdata;
+
+ res = hfsplus_cat_write_inode(old_dir);
+ if (!res)
+ res = hfsplus_cat_write_inode(new_dir);
+ }
return res;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 027/567] fs/ntfs3: check for shutdown in fsync
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 026/567] hfsplus: fix volume corruption issue for generic/073 Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 028/567] wifi: rtl8xxxu: Fix HT40 channel config for RTL8192CU, RTL8723AU Greg Kroah-Hartman
` (553 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Upstream commit 1b2ae190ea43bebb8c73d21f076addc8a8c71849 ]
Ensure fsync() returns -EIO when the ntfs3 filesystem is in forced
shutdown, instead of silently succeeding via generic_file_fsync().
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/file.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/fs/ntfs3/file.c b/fs/ntfs3/file.c
index 902dc8ba878ef..f1122ac5be622 100644
--- a/fs/ntfs3/file.c
+++ b/fs/ntfs3/file.c
@@ -1396,6 +1396,18 @@ static ssize_t ntfs_file_splice_write(struct pipe_inode_info *pipe,
return iter_file_splice_write(pipe, file, ppos, len, flags);
}
+/*
+ * ntfs_file_fsync - file_operations::fsync
+ */
+static int ntfs_file_fsync(struct file *file, loff_t start, loff_t end, int datasync)
+{
+ struct inode *inode = file_inode(file);
+ if (unlikely(ntfs3_forced_shutdown(inode->i_sb)))
+ return -EIO;
+
+ return generic_file_fsync(file, start, end, datasync);
+}
+
// clang-format off
const struct inode_operations ntfs_file_inode_operations = {
.getattr = ntfs_getattr,
@@ -1420,7 +1432,7 @@ const struct file_operations ntfs_file_operations = {
.splice_write = ntfs_file_splice_write,
.mmap = ntfs_file_mmap,
.open = ntfs_file_open,
- .fsync = generic_file_fsync,
+ .fsync = ntfs_file_fsync,
.fallocate = ntfs_fallocate,
.release = ntfs_file_release,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 028/567] wifi: rtl8xxxu: Fix HT40 channel config for RTL8192CU, RTL8723AU
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 027/567] fs/ntfs3: check for shutdown in fsync Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 029/567] wifi: cfg80211: stop radar detection in cfg80211_leave() Greg Kroah-Hartman
` (552 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit 5511ba3de434892e5ef3594d6eabbd12b1629356 ]
Flip the response rate subchannel. It was backwards, causing low
speeds when using 40 MHz channel width. "iw dev ... station dump"
showed a low RX rate, 11M or less.
Also fix the channel width field of RF6052_REG_MODE_AG.
Tested only with RTL8192CU, but these settings are identical for
RTL8723AU.
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/1f46571d-855b-43e1-8bfc-abacceb96043@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtl8xxxu/core.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/core.c b/drivers/net/wireless/realtek/rtl8xxxu/core.c
index 260f720550134..b517df2db6d75 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/core.c
@@ -1252,7 +1252,7 @@ void rtl8xxxu_gen1_config_channel(struct ieee80211_hw *hw)
opmode &= ~BW_OPMODE_20MHZ;
rtl8xxxu_write8(priv, REG_BW_OPMODE, opmode);
rsr &= ~RSR_RSC_BANDWIDTH_40M;
- if (sec_ch_above)
+ if (!sec_ch_above)
rsr |= RSR_RSC_UPPER_SUB_CHANNEL;
else
rsr |= RSR_RSC_LOWER_SUB_CHANNEL;
@@ -1321,9 +1321,8 @@ void rtl8xxxu_gen1_config_channel(struct ieee80211_hw *hw)
for (i = RF_A; i < priv->rf_paths; i++) {
val32 = rtl8xxxu_read_rfreg(priv, i, RF6052_REG_MODE_AG);
- if (hw->conf.chandef.width == NL80211_CHAN_WIDTH_40)
- val32 &= ~MODE_AG_CHANNEL_20MHZ;
- else
+ val32 &= ~MODE_AG_BW_MASK;
+ if (hw->conf.chandef.width != NL80211_CHAN_WIDTH_40)
val32 |= MODE_AG_CHANNEL_20MHZ;
rtl8xxxu_write_rfreg(priv, i, RF6052_REG_MODE_AG, val32);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 029/567] wifi: cfg80211: stop radar detection in cfg80211_leave()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 028/567] wifi: rtl8xxxu: Fix HT40 channel config for RTL8192CU, RTL8723AU Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 030/567] wifi: cfg80211: use cfg80211_leave() in iftype change Greg Kroah-Hartman
` (551 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 9f33477b9a31a1edfe2df9f1a0359cccb0e16b4c ]
If an interface is set down or, per the previous patch, changes
type, radar detection for it should be cancelled. This is done
for AP mode in mac80211 (somewhat needlessly, since cfg80211 can
do it, but didn't until now), but wasn't handled for mesh, so if
radar detection was started and then the interface set down or
its type switched (the latter sometimes happning in the hwsim
test 'mesh_peer_connected_dfs'), radar detection would be around
with the interface unknown to the driver, later leading to some
warnings around chanctx usage.
Link: https://patch.msgid.link/20251121174021.290120e419e3.I2a5650c9062e29c988992dd8ce0d8eb570d23267@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/core.c | 1 +
net/wireless/core.h | 1 +
net/wireless/mlme.c | 19 +++++++++++++++++++
3 files changed, 21 insertions(+)
diff --git a/net/wireless/core.c b/net/wireless/core.c
index dc207a8986c7f..6bb8a7037d24d 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1343,6 +1343,7 @@ void cfg80211_leave(struct cfg80211_registered_device *rdev,
cfg80211_pmsr_wdev_down(wdev);
+ cfg80211_stop_radar_detection(wdev);
cfg80211_stop_background_radar_detection(wdev);
switch (wdev->iftype) {
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 3b3e3cd7027ac..d4b26cbe3342d 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -483,6 +483,7 @@ cfg80211_start_background_radar_detection(struct cfg80211_registered_device *rde
struct wireless_dev *wdev,
struct cfg80211_chan_def *chandef);
+void cfg80211_stop_radar_detection(struct wireless_dev *wdev);
void cfg80211_stop_background_radar_detection(struct wireless_dev *wdev);
void cfg80211_background_cac_done_wk(struct work_struct *work);
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index d1a66410b9c55..26319522c7abc 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -1271,6 +1271,25 @@ cfg80211_start_background_radar_detection(struct cfg80211_registered_device *rde
return 0;
}
+void cfg80211_stop_radar_detection(struct wireless_dev *wdev)
+{
+ struct wiphy *wiphy = wdev->wiphy;
+ struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+ int link_id;
+
+ for_each_valid_link(wdev, link_id) {
+ struct cfg80211_chan_def chandef;
+
+ if (!wdev->links[link_id].cac_started)
+ continue;
+
+ chandef = *wdev_chandef(wdev, link_id);
+ rdev_end_cac(rdev, wdev->netdev, link_id);
+ nl80211_radar_notify(rdev, &chandef, NL80211_RADAR_CAC_ABORTED,
+ wdev->netdev, GFP_KERNEL);
+ }
+}
+
void cfg80211_stop_background_radar_detection(struct wireless_dev *wdev)
{
struct wiphy *wiphy = wdev->wiphy;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 030/567] wifi: cfg80211: use cfg80211_leave() in iftype change
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 029/567] wifi: cfg80211: stop radar detection in cfg80211_leave() Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 031/567] wifi: mt76: mt792x: fix wifi init fail by setting MCU_RUNNING after CLC load Greg Kroah-Hartman
` (550 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 7a27b73943a70ee226fa125327101fb18e94701d ]
When changing the interface type, all activity on the interface has
to be stopped first. This was done independent of existing code in
cfg80211_leave(), so didn't handle e.g. background radar detection.
Use cfg80211_leave() to handle it the same way.
Note that cfg80211_leave() behaves slightly differently for IBSS in
wireless extensions, it won't send an event in that case. We could
handle that, but since nl80211 was used to change the type, IBSS is
rare, and wext is already a corner case, it doesn't seem worth it.
Link: https://patch.msgid.link/20251121174021.922ef48ce007.I970c8514252ef8a864a7fbdab9591b71031dee03@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/util.c | 23 +----------------------
1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/net/wireless/util.c b/net/wireless/util.c
index b115489a846f8..6aff651a9b68d 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1230,28 +1230,7 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
dev->ieee80211_ptr->use_4addr = false;
rdev_set_qos_map(rdev, dev, NULL);
- switch (otype) {
- case NL80211_IFTYPE_AP:
- case NL80211_IFTYPE_P2P_GO:
- cfg80211_stop_ap(rdev, dev, -1, true);
- break;
- case NL80211_IFTYPE_ADHOC:
- cfg80211_leave_ibss(rdev, dev, false);
- break;
- case NL80211_IFTYPE_STATION:
- case NL80211_IFTYPE_P2P_CLIENT:
- cfg80211_disconnect(rdev, dev,
- WLAN_REASON_DEAUTH_LEAVING, true);
- break;
- case NL80211_IFTYPE_MESH_POINT:
- /* mesh should be handled? */
- break;
- case NL80211_IFTYPE_OCB:
- cfg80211_leave_ocb(rdev, dev);
- break;
- default:
- break;
- }
+ cfg80211_leave(rdev, dev->ieee80211_ptr);
cfg80211_process_rdev_events(rdev);
cfg80211_mlme_purge_registrations(dev->ieee80211_ptr);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 031/567] wifi: mt76: mt792x: fix wifi init fail by setting MCU_RUNNING after CLC load
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 030/567] wifi: cfg80211: use cfg80211_leave() in iftype change Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 032/567] wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet Greg Kroah-Hartman
` (549 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Quan Zhou, druth, Felix Fietkau,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quan Zhou <quan.zhou@mediatek.com>
[ Upstream commit 066f417be5fd8c7fe581c5550206364735dad7a3 ]
Set the MT76_STATE_MCU_RUNNING bit only after mt7921_load_clc()
has successfully completed. Previously, the MCU_RUNNING state
was set before loading CLC, which could cause conflict between
chip mcu_init retry and mac_reset flow, result in chip init fail
and chip abnormal status. By moving the state set after CLC load,
firmware initialization becomes robust and resolves init fail issue.
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Reviewed-by: druth@chromium.org
Link: https://patch.msgid.link/19ec8e4465142e774f17801025accd0ae2214092.1763465933.git.quan.zhou@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 2 +-
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
index 02c1de8620a7f..8d3f3c8b1a889 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
@@ -637,10 +637,10 @@ int mt7921_run_firmware(struct mt792x_dev *dev)
if (err)
return err;
- set_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state);
err = mt7921_load_clc(dev, mt792x_ram_name(dev));
if (err)
return err;
+ set_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state);
return mt7921_mcu_fw_log_2_host(dev, 1);
}
diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
index e42b4f0abbe7a..c42b3b376f77e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -958,10 +958,10 @@ int mt7925_run_firmware(struct mt792x_dev *dev)
if (err)
return err;
- set_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state);
err = mt7925_load_clc(dev, mt792x_ram_name(dev));
if (err)
return err;
+ set_bit(MT76_STATE_MCU_RUNNING, &dev->mphy.state);
return mt7925_mcu_fw_log_2_host(dev, 1);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 032/567] wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 031/567] wifi: mt76: mt792x: fix wifi init fail by setting MCU_RUNNING after CLC load Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 033/567] btrfs: scrub: always update btrfs_scrub_progress::last_physical Greg Kroah-Hartman
` (548 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arend van Spriel, Hans de Goede,
Johannes Berg, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hansg@kernel.org>
[ Upstream commit a8e5a110c0c38e08e5dd66356cd1156e91cf88e1 ]
The Acer A1 840 tablet contains quite generic names in the sys_vendor and
product_name DMI strings, without this patch brcmfmac will try to load:
brcmfmac43340-sdio.Insyde-BayTrail.txt as nvram file which is a bit
too generic.
Add a DMI quirk so that a unique and clearly identifiable nvram file name
is used on the Acer A1 840 tablet.
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Hans de Goede <hansg@kernel.org>
Link: https://patch.msgid.link/20251103100314.353826-1-hansg@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
index c3a602197662b..abe7f6501e5ed 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
@@ -24,6 +24,10 @@ static const struct brcmf_dmi_data acepc_t8_data = {
BRCM_CC_4345_CHIP_ID, 6, "acepc-t8"
};
+static const struct brcmf_dmi_data acer_a1_840_data = {
+ BRCM_CC_43340_CHIP_ID, 2, "acer-a1-840"
+};
+
/* The Chuwi Hi8 Pro uses the same Ampak AP6212 module as the Chuwi Vi8 Plus
* and the nvram for the Vi8 Plus is already in linux-firmware, so use that.
*/
@@ -91,6 +95,16 @@ static const struct dmi_system_id dmi_platform_data[] = {
},
.driver_data = (void *)&acepc_t8_data,
},
+ {
+ /* Acer Iconia One 8 A1-840 (non FHD version) */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "BayTrail"),
+ /* Above strings are too generic also match BIOS date */
+ DMI_MATCH(DMI_BIOS_DATE, "04/01/2014"),
+ },
+ .driver_data = (void *)&acer_a1_840_data,
+ },
{
/* Chuwi Hi8 Pro with D2D3_Hi8Pro.233 BIOS */
.matches = {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 033/567] btrfs: scrub: always update btrfs_scrub_progress::last_physical
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 032/567] wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 034/567] gfs2: fix remote evict for read-only filesystems Greg Kroah-Hartman
` (547 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, David Sterba, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 54df8b80cc63aa0f22c4590cad11542731ed43ff ]
[BUG]
When a scrub failed immediately without any byte scrubbed, the returned
btrfs_scrub_progress::last_physical will always be 0, even if there is a
non-zero @start passed into btrfs_scrub_dev() for resume cases.
This will reset the progress and make later scrub resume start from the
beginning.
[CAUSE]
The function btrfs_scrub_dev() accepts a @progress parameter to copy its
updated progress to the caller, there are cases where we either don't
touch progress::last_physical at all or copy 0 into last_physical:
- last_physical not updated at all
If some error happened before scrubbing any super block or chunk, we
will not copy the progress, leaving the @last_physical untouched.
E.g. failed to allocate @sctx, scrubbing a missing device or even
there is already a running scrub and so on.
All those cases won't touch @progress at all, resulting the
last_physical untouched and will be left as 0 for most cases.
- Error out before scrubbing any bytes
In those case we allocated @sctx, and sctx->stat.last_physical is all
zero (initialized by kvzalloc()).
Unfortunately some critical errors happened during
scrub_enumerate_chunks() or scrub_supers() before any stripe is really
scrubbed.
In that case although we will copy sctx->stat back to @progress, since
no byte is really scrubbed, last_physical will be overwritten to 0.
[FIX]
Make sure the parameter @progress always has its @last_physical member
updated to @start parameter inside btrfs_scrub_dev().
At the very beginning of the function, set @progress->last_physical to
@start, so that even if we error out without doing progress copying,
last_physical is still at @start.
Then after we got @sctx allocated, set sctx->stat.last_physical to
@start, this will make sure even if we didn't get any byte scrubbed, at
the progress copying stage the @last_physical is not left as zero.
This should resolve the resume progress reset problem.
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/scrub.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index 9f811ea604f71..3cbb9f22d3944 100644
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -2943,6 +2943,10 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
unsigned int nofs_flag;
bool need_commit = false;
+ /* Set the basic fallback @last_physical before we got a sctx. */
+ if (progress)
+ progress->last_physical = start;
+
if (btrfs_fs_closing(fs_info))
return -EAGAIN;
@@ -2961,6 +2965,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
sctx = scrub_setup_ctx(fs_info, is_dev_replace);
if (IS_ERR(sctx))
return PTR_ERR(sctx);
+ sctx->stat.last_physical = start;
ret = scrub_workers_get(fs_info);
if (ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 034/567] gfs2: fix remote evict for read-only filesystems
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 033/567] btrfs: scrub: always update btrfs_scrub_progress::last_physical Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 035/567] gfs2: Fix "gfs2: Switch to wait_event in gfs2_quotad" Greg Kroah-Hartman
` (546 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 64c10ed9274bc46416f502afea48b4ae11279669 ]
When a node tries to delete an inode, it first requests exclusive access
to the iopen glock. This triggers demote requests on all remote nodes
currently holding the iopen glock. To satisfy those requests, the
remote nodes evict the inode in question, or they poke the corresponding
inode glock to signal that the inode is still in active use.
This behavior doesn't depend on whether or not a filesystem is
read-only, so remove the incorrect read-only check.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/glops.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c
index 1ed42f0e6ec7b..d13a050bcb9dc 100644
--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -631,8 +631,7 @@ static void iopen_go_callback(struct gfs2_glock *gl, bool remote)
struct gfs2_inode *ip = gl->gl_object;
struct gfs2_sbd *sdp = gl->gl_name.ln_sbd;
- if (!remote || sb_rdonly(sdp->sd_vfs) ||
- test_bit(SDF_KILL, &sdp->sd_flags))
+ if (!remote || test_bit(SDF_KILL, &sdp->sd_flags))
return;
if (gl->gl_demote_state == LM_ST_UNLOCKED &&
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 035/567] gfs2: Fix "gfs2: Switch to wait_event in gfs2_quotad"
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 034/567] gfs2: fix remote evict for read-only filesystems Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 036/567] smb/server: fix return value of smb2_ioctl() Greg Kroah-Hartman
` (545 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit dff1fb6d8b7abe5b1119fa060f5d6b3370bf10ac ]
Commit e4a8b5481c59a ("gfs2: Switch to wait_event in gfs2_quotad") broke
cyclic statfs syncing, so the numbers reported by "df" could easily get
completely out of sync with reality. Fix this by reverting part of
commit e4a8b5481c59a for now.
A follow-up commit will clean this code up later.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/quota.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 2e6bc77f4f81c..642584265a6f4 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -1617,7 +1617,7 @@ int gfs2_quotad(void *data)
t = min(quotad_timeo, statfs_timeo);
- t = wait_event_freezable_timeout(sdp->sd_quota_wait,
+ t -= wait_event_freezable_timeout(sdp->sd_quota_wait,
sdp->sd_statfs_force_sync ||
gfs2_withdrawing_or_withdrawn(sdp) ||
kthread_should_stop(),
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 036/567] smb/server: fix return value of smb2_ioctl()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 035/567] gfs2: Fix "gfs2: Switch to wait_event in gfs2_quotad" Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 037/567] ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Greg Kroah-Hartman
` (544 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Namjae Jeon,
Steve French, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
[ Upstream commit 269df046c1e15ab34fa26fd90db9381f022a0963 ]
__process_request() will not print error messages if smb2_ioctl()
always returns 0.
Fix this by returning the correct value at the end of function.
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index cd42d25812661..d9e28191c267e 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -8107,7 +8107,7 @@ int smb2_ioctl(struct ksmbd_work *work)
id = req->VolatileFileId;
if (req->Flags != cpu_to_le32(SMB2_0_IOCTL_IS_FSCTL)) {
- rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ ret = -EOPNOTSUPP;
goto out;
}
@@ -8127,8 +8127,9 @@ int smb2_ioctl(struct ksmbd_work *work)
case FSCTL_DFS_GET_REFERRALS:
case FSCTL_DFS_GET_REFERRALS_EX:
/* Not support DFS yet */
+ ret = -EOPNOTSUPP;
rsp->hdr.Status = STATUS_FS_DRIVER_REQUIRED;
- goto out;
+ goto out2;
case FSCTL_CREATE_OR_GET_OBJECT_ID:
{
struct file_object_buf_type1_ioctl_rsp *obj_buf;
@@ -8418,8 +8419,10 @@ int smb2_ioctl(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_BUFFER_TOO_SMALL;
else if (ret < 0 || rsp->hdr.Status == 0)
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+
+out2:
smb2_set_err_rsp(work);
- return 0;
+ return ret;
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 037/567] ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 036/567] smb/server: fix return value of smb2_ioctl() Greg Kroah-Hartman
@ 2026-01-06 16:56 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 038/567] ksmbd: vfs: fix race on m_flags in vfs_cache Greg Kroah-Hartman
` (543 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianchang Zhao, Zhitong Liu,
Namjae Jeon, Steve French, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit b39a1833cc4a2755b02603eec3a71a85e9dff926 ]
Under high concurrency, A tree-connection object (tcon) is freed on
a disconnect path while another path still holds a reference and later
executes *_put()/write on it.
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/tree_connect.c | 18 ++++--------------
fs/smb/server/mgmt/tree_connect.h | 1 -
fs/smb/server/smb2pdu.c | 3 ---
3 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/fs/smb/server/mgmt/tree_connect.c b/fs/smb/server/mgmt/tree_connect.c
index ecfc575086712..d3483d9c757c7 100644
--- a/fs/smb/server/mgmt/tree_connect.c
+++ b/fs/smb/server/mgmt/tree_connect.c
@@ -78,7 +78,6 @@ ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name)
tree_conn->t_state = TREE_NEW;
status.tree_conn = tree_conn;
atomic_set(&tree_conn->refcount, 1);
- init_waitqueue_head(&tree_conn->refcount_q);
ret = xa_err(xa_store(&sess->tree_conns, tree_conn->id, tree_conn,
KSMBD_DEFAULT_GFP));
@@ -100,14 +99,8 @@ ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name)
void ksmbd_tree_connect_put(struct ksmbd_tree_connect *tcon)
{
- /*
- * Checking waitqueue to releasing tree connect on
- * tree disconnect. waitqueue_active is safe because it
- * uses atomic operation for condition.
- */
- if (!atomic_dec_return(&tcon->refcount) &&
- waitqueue_active(&tcon->refcount_q))
- wake_up(&tcon->refcount_q);
+ if (atomic_dec_and_test(&tcon->refcount))
+ kfree(tcon);
}
int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
@@ -119,14 +112,11 @@ int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
xa_erase(&sess->tree_conns, tree_conn->id);
write_unlock(&sess->tree_conns_lock);
- if (!atomic_dec_and_test(&tree_conn->refcount))
- wait_event(tree_conn->refcount_q,
- atomic_read(&tree_conn->refcount) == 0);
-
ret = ksmbd_ipc_tree_disconnect_request(sess->id, tree_conn->id);
ksmbd_release_tree_conn_id(sess, tree_conn->id);
ksmbd_share_config_put(tree_conn->share_conf);
- kfree(tree_conn);
+ if (atomic_dec_and_test(&tree_conn->refcount))
+ kfree(tree_conn);
return ret;
}
diff --git a/fs/smb/server/mgmt/tree_connect.h b/fs/smb/server/mgmt/tree_connect.h
index a42cdd0510411..f0023d86716f2 100644
--- a/fs/smb/server/mgmt/tree_connect.h
+++ b/fs/smb/server/mgmt/tree_connect.h
@@ -33,7 +33,6 @@ struct ksmbd_tree_connect {
int maximal_access;
bool posix_extensions;
atomic_t refcount;
- wait_queue_head_t refcount_q;
unsigned int t_state;
};
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index d9e28191c267e..b32df37da70d4 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2190,7 +2190,6 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
goto err_out;
}
- WARN_ON_ONCE(atomic_dec_and_test(&tcon->refcount));
tcon->t_state = TREE_DISCONNECTED;
write_unlock(&sess->tree_conns_lock);
@@ -2200,8 +2199,6 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
goto err_out;
}
- work->tcon = NULL;
-
rsp->StructureSize = cpu_to_le16(4);
err = ksmbd_iov_pin_rsp(work, rsp,
sizeof(struct smb2_tree_disconnect_rsp));
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 038/567] ksmbd: vfs: fix race on m_flags in vfs_cache
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-01-06 16:56 ` [PATCH 6.12 037/567] ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 039/567] Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV Greg Kroah-Hartman
` (542 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianchang Zhao, Zhitong Liu,
Namjae Jeon, Steve French, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qianchang Zhao <pioooooooooip@gmail.com>
[ Upstream commit 991f8a79db99b14c48d20d2052c82d65b9186cad ]
ksmbd maintains delete-on-close and pending-delete state in
ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under
inconsistent locking: some paths read and modify m_flags under
ci->m_lock while others do so without taking the lock at all.
Examples:
- ksmbd_query_inode_status() and __ksmbd_inode_close() use
ci->m_lock when checking or updating m_flags.
- ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()
used to read and modify m_flags without ci->m_lock.
This creates a potential data race on m_flags when multiple threads
open, close and delete the same file concurrently. In the worst case
delete-on-close and pending-delete bits can be lost or observed in an
inconsistent state, leading to confusing delete semantics (files that
stay on disk after delete-on-close, or files that disappear while still
in use).
Fix it by:
- Making ksmbd_query_inode_status() look at m_flags under ci->m_lock
after dropping inode_hash_lock.
- Adding ci->m_lock protection to all helpers that read or modify
m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).
- Keeping the existing ci->m_lock protection in __ksmbd_inode_close(),
and moving the actual unlink/xattr removal outside the lock.
This unifies the locking around m_flags and removes the data race while
preserving the existing delete-on-close behaviour.
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/vfs_cache.c | 88 +++++++++++++++++++++++++++------------
1 file changed, 62 insertions(+), 26 deletions(-)
diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
index dfed6fce89049..6ef116585af64 100644
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -112,40 +112,62 @@ int ksmbd_query_inode_status(struct dentry *dentry)
read_lock(&inode_hash_lock);
ci = __ksmbd_inode_lookup(dentry);
- if (ci) {
- ret = KSMBD_INODE_STATUS_OK;
- if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
- ret = KSMBD_INODE_STATUS_PENDING_DELETE;
- atomic_dec(&ci->m_count);
- }
read_unlock(&inode_hash_lock);
+ if (!ci)
+ return ret;
+
+ down_read(&ci->m_lock);
+ if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
+ ret = KSMBD_INODE_STATUS_PENDING_DELETE;
+ else
+ ret = KSMBD_INODE_STATUS_OK;
+ up_read(&ci->m_lock);
+
+ atomic_dec(&ci->m_count);
return ret;
}
bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
{
- return (fp->f_ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
+ struct ksmbd_inode *ci = fp->f_ci;
+ int ret;
+
+ down_read(&ci->m_lock);
+ ret = (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
+ up_read(&ci->m_lock);
+
+ return ret;
}
void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
{
- fp->f_ci->m_flags |= S_DEL_PENDING;
+ struct ksmbd_inode *ci = fp->f_ci;
+
+ down_write(&ci->m_lock);
+ ci->m_flags |= S_DEL_PENDING;
+ up_write(&ci->m_lock);
}
void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp)
{
- fp->f_ci->m_flags &= ~S_DEL_PENDING;
+ struct ksmbd_inode *ci = fp->f_ci;
+
+ down_write(&ci->m_lock);
+ ci->m_flags &= ~S_DEL_PENDING;
+ up_write(&ci->m_lock);
}
void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp,
int file_info)
{
- if (ksmbd_stream_fd(fp)) {
- fp->f_ci->m_flags |= S_DEL_ON_CLS_STREAM;
- return;
- }
+ struct ksmbd_inode *ci = fp->f_ci;
- fp->f_ci->m_flags |= S_DEL_ON_CLS;
+ down_write(&ci->m_lock);
+ if (ksmbd_stream_fd(fp))
+ ci->m_flags |= S_DEL_ON_CLS_STREAM;
+ else
+ ci->m_flags |= S_DEL_ON_CLS;
+ up_write(&ci->m_lock);
}
static void ksmbd_inode_hash(struct ksmbd_inode *ci)
@@ -257,27 +279,41 @@ static void __ksmbd_inode_close(struct ksmbd_file *fp)
struct file *filp;
filp = fp->filp;
- if (ksmbd_stream_fd(fp) && (ci->m_flags & S_DEL_ON_CLS_STREAM)) {
- ci->m_flags &= ~S_DEL_ON_CLS_STREAM;
- err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp),
- &filp->f_path,
- fp->stream.name,
- true);
- if (err)
- pr_err("remove xattr failed : %s\n",
- fp->stream.name);
+
+ if (ksmbd_stream_fd(fp)) {
+ bool remove_stream_xattr = false;
+
+ down_write(&ci->m_lock);
+ if (ci->m_flags & S_DEL_ON_CLS_STREAM) {
+ ci->m_flags &= ~S_DEL_ON_CLS_STREAM;
+ remove_stream_xattr = true;
+ }
+ up_write(&ci->m_lock);
+
+ if (remove_stream_xattr) {
+ err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp),
+ &filp->f_path,
+ fp->stream.name,
+ true);
+ if (err)
+ pr_err("remove xattr failed : %s\n",
+ fp->stream.name);
+ }
}
if (atomic_dec_and_test(&ci->m_count)) {
+ bool do_unlink = false;
+
down_write(&ci->m_lock);
if (ci->m_flags & (S_DEL_ON_CLS | S_DEL_PENDING)) {
ci->m_flags &= ~(S_DEL_ON_CLS | S_DEL_PENDING);
- up_write(&ci->m_lock);
- ksmbd_vfs_unlink(filp);
- down_write(&ci->m_lock);
+ do_unlink = true;
}
up_write(&ci->m_lock);
+ if (do_unlink)
+ ksmbd_vfs_unlink(filp);
+
ksmbd_inode_free(ci);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 039/567] Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 038/567] ksmbd: vfs: fix race on m_flags in vfs_cache Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 040/567] Bluetooth: btusb: MT7922: Add VID/PID 0489/e170 Greg Kroah-Hartman
` (541 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chingbin Li, Luiz Augusto von Dentz,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chingbin Li <liqb365@163.com>
[ Upstream commit 8dbbb5423c0802ec21266765de80fd491868fab1 ]
Add VID 2b89 & PID 6275 for Realtek RTL8761BUV USB Bluetooth chip.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below.
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 6 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=2b89 ProdID=6275 Rev= 2.00
S: Manufacturer=Realtek
S: Product=Bluetooth Radio
S: SerialNumber=00E04C239987
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
Signed-off-by: Chingbin Li <liqb365@163.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index dc0c45756c448..479b98befdc5f 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -763,6 +763,8 @@ static const struct usb_device_id quirks_table[] = {
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x2b89, 0x8761), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x2b89, 0x6275), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Additional Realtek 8821AE Bluetooth devices */
{ USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 040/567] Bluetooth: btusb: MT7922: Add VID/PID 0489/e170
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 039/567] Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 041/567] Bluetooth: btusb: MT7920: Add VID/PID 0489/e135 Greg Kroah-Hartman
` (540 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Lu, Paul Menzel,
Luiz Augusto von Dentz, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Lu <chris.lu@mediatek.com>
[ Upstream commit 5a6700a31c953af9a17a7e2681335f31d922614d ]
Add VID 0489 & PID e170 for MediaTek MT7922 USB Bluetooth chip.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below.
T: Bus=06 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e170 Rev= 1.00
S: Manufacturer=MediaTek Inc.
S: Product=Wireless_Device
S: SerialNumber=000000000
C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=100mA
A: FirstIf#= 0 IfCount= 3 Cls=e0(wlcon) Sub=01 Prot=01
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=125us
E: Ad=0a(O) Atr=03(Int.) MxPS= 64 Ivl=125us
I: If#= 2 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=8a(I) Atr=03(Int.) MxPS= 512 Ivl=125us
E: Ad=0a(O) Atr=03(Int.) MxPS= 512 Ivl=125us
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 479b98befdc5f..9dc3a50c5e833 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -673,6 +673,8 @@ static const struct usb_device_id quirks_table[] = {
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x0489, 0xe153), .driver_info = BTUSB_MEDIATEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe170), .driver_info = BTUSB_MEDIATEK |
+ BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x04ca, 0x3804), .driver_info = BTUSB_MEDIATEK |
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x04ca, 0x38e4), .driver_info = BTUSB_MEDIATEK |
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 041/567] Bluetooth: btusb: MT7920: Add VID/PID 0489/e135
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 040/567] Bluetooth: btusb: MT7922: Add VID/PID 0489/e170 Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 042/567] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Greg Kroah-Hartman
` (539 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Lu, Paul Menzel,
Luiz Augusto von Dentz, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chris Lu <chris.lu@mediatek.com>
[ Upstream commit c126f98c011f5796ba118ef2093122d02809d30d ]
Add VID 0489 & PID e135 for MediaTek MT7920 USB Bluetooth chip.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below.
T: Bus=06 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e135 Rev= 1.00
S: Manufacturer=MediaTek Inc.
S: Product=Wireless_Device
S: SerialNumber=000000000
C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=100mA
A: FirstIf#= 0 IfCount= 3 Cls=e0(wlcon) Sub=01 Prot=01
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=125us
E: Ad=0a(O) Atr=03(Int.) MxPS= 64 Ivl=125us
I: If#= 2 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=125us
E: Ad=0a(O) Atr=03(Int.) MxPS= 64 Ivl=125us
Signed-off-by: Chris Lu <chris.lu@mediatek.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 9dc3a50c5e833..78dc9012c5d75 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -611,6 +611,8 @@ static const struct usb_device_id quirks_table[] = {
/* Additional MediaTek MT7920 Bluetooth devices */
{ USB_DEVICE(0x0489, 0xe134), .driver_info = BTUSB_MEDIATEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe135), .driver_info = BTUSB_MEDIATEK |
+ BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x13d3, 0x3620), .driver_info = BTUSB_MEDIATEK |
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x13d3, 0x3621), .driver_info = BTUSB_MEDIATEK |
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 042/567] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 041/567] Bluetooth: btusb: MT7920: Add VID/PID 0489/e135 Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 043/567] Bluetooth: btusb: Add new VID/PID 0x0489/0xE12F for RTL8852BE-VT Greg Kroah-Hartman
` (538 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gongwei Li, Luiz Augusto von Dentz,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gongwei Li <ligongwei@kylinos.cn>
[ Upstream commit 525459da4bd62a81142fea3f3d52188ceb4d8907 ]
Add VID 13d3 & PID 3533 for Realtek RTL8821CE USB Bluetooth chip.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below.
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3533 Rev= 1.10
S: Manufacturer=Realtek
S: Product=Bluetooth Radio
S: SerialNumber=00e04c000001
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
Signed-off-by: Gongwei Li <ligongwei@kylinos.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 78dc9012c5d75..2531ea7f163cb 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -501,6 +501,8 @@ static const struct usb_device_id quirks_table[] = {
/* Realtek 8821CE Bluetooth devices */
{ USB_DEVICE(0x13d3, 0x3529), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x13d3, 0x3533), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Realtek 8822CE Bluetooth devices */
{ USB_DEVICE(0x0bda, 0xb00c), .driver_info = BTUSB_REALTEK |
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 043/567] Bluetooth: btusb: Add new VID/PID 0x0489/0xE12F for RTL8852BE-VT
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 042/567] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 044/567] gfs2: Fix use of bio_chain Greg Kroah-Hartman
` (537 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Max Chou, Luiz Augusto von Dentz,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Chou <max.chou@realtek.com>
[ Upstream commit 32caa197b9b603e20f49fd3a0dffecd0cd620499 ]
Add the support ID(0x0489, 0xE12F) to usb_device_id table for
Realtek RTL8852BE-VT.
The device info from /sys/kernel/debug/usb/devices as below.
T: Bus=04 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 86 Spd=12 MxCh= 0
D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e12f Rev= 0.00
S: Manufacturer=Realtek
S: Product=Bluetooth Radio
S: SerialNumber=00e04c000001
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
Signed-off-by: Max Chou <max.chou@realtek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 2531ea7f163cb..fc7b3e02f14b7 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -577,6 +577,8 @@ static const struct usb_device_id quirks_table[] = {
/* Realtek 8852BT/8852BE-VT Bluetooth devices */
{ USB_DEVICE(0x0bda, 0x8520), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe12f), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Realtek 8922AE Bluetooth devices */
{ USB_DEVICE(0x0bda, 0x8922), .driver_info = BTUSB_REALTEK |
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 044/567] gfs2: Fix use of bio_chain
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 043/567] Bluetooth: btusb: Add new VID/PID 0x0489/0xE12F for RTL8852BE-VT Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 045/567] net: fec: ERR007885 Workaround for XDP TX path Greg Kroah-Hartman
` (536 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Zhang, Andreas Gruenbacher,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 8a157e0a0aa5143b5d94201508c0ca1bb8cfb941 ]
In gfs2_chain_bio(), the call to bio_chain() has its arguments swapped.
The result is leaked bios and incorrect synchronization (only the last
bio will actually be waited for). This code is only used during mount
and filesystem thaw, so the bug normally won't be noticeable.
Reported-by: Stephen Zhang <starzhangzsd@gmail.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/lops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
index 314ec2a70167f..2e92b606d19e0 100644
--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -485,7 +485,7 @@ static struct bio *gfs2_chain_bio(struct bio *prev, unsigned int nr_iovecs)
new = bio_alloc(prev->bi_bdev, nr_iovecs, prev->bi_opf, GFP_NOIO);
bio_clone_blkg_association(new, prev);
new->bi_iter.bi_sector = bio_end_sector(prev);
- bio_chain(new, prev);
+ bio_chain(prev, new);
submit_bio(prev);
return new;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 045/567] net: fec: ERR007885 Workaround for XDP TX path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 044/567] gfs2: Fix use of bio_chain Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 046/567] netrom: Fix memory leak in nr_sendmsg() Greg Kroah-Hartman
` (535 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Fang, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit e8e032cd24dda7cceaa27bc2eb627f82843f0466 ]
The ERR007885 will lead to a TDAR race condition for mutliQ when the
driver sets TDAR and the UDMA clears TDAR simultaneously or in a small
window (2-4 cycles). And it will cause the udma_tx and udma_tx_arbiter
state machines to hang. Therefore, the commit 53bb20d1faba ("net: fec:
add variable reg_desc_active to speed things up") and the commit
a179aad12bad ("net: fec: ERR007885 Workaround for conventional TX") have
added the workaround to fix the potential issue for the conventional TX
path. Similarly, the XDP TX path should also have the potential hang
issue, so add the workaround for XDP TX path.
Fixes: 6d6b39f180b8 ("net: fec: add initial XDP support")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20251128025915.2486943-1-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_main.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index d1800868c2e01..9018a7d3864fd 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -3934,7 +3934,12 @@ static int fec_enet_txq_xmit_frame(struct fec_enet_private *fep,
txq->bd.cur = bdp;
/* Trigger transmission start */
- writel(0, txq->bd.reg_desc_active);
+ if (!(fep->quirks & FEC_QUIRK_ERR007885) ||
+ !readl(txq->bd.reg_desc_active) ||
+ !readl(txq->bd.reg_desc_active) ||
+ !readl(txq->bd.reg_desc_active) ||
+ !readl(txq->bd.reg_desc_active))
+ writel(0, txq->bd.reg_desc_active);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 046/567] netrom: Fix memory leak in nr_sendmsg()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 045/567] net: fec: ERR007885 Workaround for XDP TX path Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 047/567] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Greg Kroah-Hartman
` (534 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d7abc36bbbb6d7d40b58,
Wang Liang, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Liang <wangliang74@huawei.com>
[ Upstream commit 613d12dd794e078be8ff3cf6b62a6b9acf7f4619 ]
syzbot reported a memory leak [1].
When function sock_alloc_send_skb() return NULL in nr_output(), the
original skb is not freed, which was allocated in nr_sendmsg(). Fix this
by freeing it before return.
[1]
BUG: memory leak
unreferenced object 0xffff888129f35500 (size 240):
comm "syz.0.17", pid 6119, jiffies 4294944652
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....
backtrace (crc 1456a3e4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
sock_alloc_send_skb include/net/sock.h:1859 [inline]
nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
sock_write_iter+0x293/0x2a0 net/socket.c:1195
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0x143/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58
Tested-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Link: https://patch.msgid.link/20251129041315.1550766-1-wangliang74@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netrom/nr_out.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
index 5e531394a724b..2b3cbceb0b52d 100644
--- a/net/netrom/nr_out.c
+++ b/net/netrom/nr_out.c
@@ -43,8 +43,10 @@ void nr_output(struct sock *sk, struct sk_buff *skb)
frontlen = skb_headroom(skb);
while (skb->len > 0) {
- if ((skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err)) == NULL)
+ if ((skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err)) == NULL) {
+ kfree_skb(skb);
return;
+ }
skb_reserve(skbn, frontlen);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 047/567] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 046/567] netrom: Fix memory leak in nr_sendmsg() Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 048/567] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Greg Kroah-Hartman
` (533 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, zdi-disclosures, Victor Nogueira,
Jamal Hadi Salim, Davide Caratti, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit ce052b9402e461a9aded599f5b47e76bc727f7de ]
zdi-disclosures@trendmicro.com says:
The vulnerability is a race condition between `ets_qdisc_dequeue` and
`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.
Attacker requires the capability to create new user and network namespace
in order to trigger the bug.
See my additional commentary at the end of the analysis.
Analysis:
static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
struct netlink_ext_ack *extack)
{
...
// (1) this lock is preventing .change handler (`ets_qdisc_change`)
//to race with .dequeue handler (`ets_qdisc_dequeue`)
sch_tree_lock(sch);
for (i = nbands; i < oldbands; i++) {
if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
// (2) the class is added to the q->active
list_add_tail(&q->classes[i].alist, &q->active);
q->classes[i].deficit = quanta[i];
}
}
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
for (i = 0; i < q->nbands; i++)
WRITE_ONCE(q->classes[i].quantum, quanta[i]);
for (i = oldbands; i < q->nbands; i++) {
q->classes[i].qdisc = queues[i];
if (q->classes[i].qdisc != &noop_qdisc)
qdisc_hash_add(q->classes[i].qdisc, true);
}
// (3) the qdisc is unlocked, now dequeue can be called in parallel
// to the rest of .change handler
sch_tree_unlock(sch);
ets_offload_change(sch);
for (i = q->nbands; i < oldbands; i++) {
// (4) we're reducing the refcount for our class's qdisc and
// freeing it
qdisc_put(q->classes[i].qdisc);
// (5) If we call .dequeue between (4) and (5), we will have
// a strong UAF and we can control RIP
q->classes[i].qdisc = NULL;
WRITE_ONCE(q->classes[i].quantum, 0);
q->classes[i].deficit = 0;
gnet_stats_basic_sync_init(&q->classes[i].bstats);
memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
}
return 0;
}
Comment:
This happens because some of the classes have their qdiscs assigned to
NULL, but remain in the active list. This commit fixes this issue by always
removing the class from the active list before deleting and freeing its
associated qdisc
Reproducer Steps
(trimmed version of what was sent by zdi-disclosures@trendmicro.com)
```
DEV="${DEV:-lo}"
ROOT_HANDLE="${ROOT_HANDLE:-1:}"
BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2
PING_BYTES="${PING_BYTES:-48}"
PING_COUNT="${PING_COUNT:-200000}"
PING_DST="${PING_DST:-127.0.0.1}"
SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"
SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"
SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"
cleanup() {
tc qdisc del dev "$DEV" root 2>/dev/null
}
trap cleanup EXIT
ip link set "$DEV" up
tc qdisc del dev "$DEV" root 2>/dev/null || true
tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \
tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"
tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2
tc -s qdisc ls dev $DEV
ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \
>/dev/null 2>&1 &
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc -s qdisc ls dev $DEV
tc qdisc del dev "$DEV" parent 1:2 || true
tc -s qdisc ls dev $DEV
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 1 strict 1
```
KASAN report
```
==================================================================
BUG: KASAN: slab-use-after-free in ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481
Read of size 8 at addr ffff8880502fc018 by task ping/12308
>
CPU: 0 UID: 0 PID: 12308 Comm: ping Not tainted 6.18.0-rc4-dirty #1 PREEMPT(full)
Hardware name: QEMU Ubuntu 25.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
__dump_stack kernel/lib/dump_stack.c:94
dump_stack_lvl+0x100/0x190 kernel/lib/dump_stack.c:120
print_address_description kernel/mm/kasan/report.c:378
print_report+0x156/0x4c9 kernel/mm/kasan/report.c:482
kasan_report+0xdf/0x110 kernel/mm/kasan/report.c:595
ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481
dequeue_skb kernel/net/sched/sch_generic.c:294
qdisc_restart kernel/net/sched/sch_generic.c:399
__qdisc_run+0x1c9/0x1b00 kernel/net/sched/sch_generic.c:417
__dev_xmit_skb kernel/net/core/dev.c:4221
__dev_queue_xmit+0x2848/0x4410 kernel/net/core/dev.c:4729
dev_queue_xmit kernel/./include/linux/netdevice.h:3365
[...]
Allocated by task 17115:
kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56
kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77
poison_kmalloc_redzone kernel/mm/kasan/common.c:400
__kasan_kmalloc+0xaa/0xb0 kernel/mm/kasan/common.c:417
kasan_kmalloc kernel/./include/linux/kasan.h:262
__do_kmalloc_node kernel/mm/slub.c:5642
__kmalloc_node_noprof+0x34e/0x990 kernel/mm/slub.c:5648
kmalloc_node_noprof kernel/./include/linux/slab.h:987
qdisc_alloc+0xb8/0xc30 kernel/net/sched/sch_generic.c:950
qdisc_create_dflt+0x93/0x490 kernel/net/sched/sch_generic.c:1012
ets_class_graft+0x4fd/0x800 kernel/net/sched/sch_ets.c:261
qdisc_graft+0x3e4/0x1780 kernel/net/sched/sch_api.c:1196
[...]
Freed by task 9905:
kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56
kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x70 kernel/mm/kasan/generic.c:587
kasan_save_free_info kernel/mm/kasan/kasan.h:406
poison_slab_object kernel/mm/kasan/common.c:252
__kasan_slab_free+0x5f/0x80 kernel/mm/kasan/common.c:284
kasan_slab_free kernel/./include/linux/kasan.h:234
slab_free_hook kernel/mm/slub.c:2539
slab_free kernel/mm/slub.c:6630
kfree+0x144/0x700 kernel/mm/slub.c:6837
rcu_do_batch kernel/kernel/rcu/tree.c:2605
rcu_core+0x7c0/0x1500 kernel/kernel/rcu/tree.c:2861
handle_softirqs+0x1ea/0x8a0 kernel/kernel/softirq.c:622
__do_softirq kernel/kernel/softirq.c:656
[...]
Commentary:
1. Maher Azzouzi working with Trend Micro Zero Day Initiative was reported as
the person who found the issue. I requested to get a proper email to add to the
reported-by tag but got no response. For this reason i will credit the person
i exchanged emails with i.e zdi-disclosures@trendmicro.com
2. Neither i nor Victor who did a much more thorough testing was able to
reproduce a UAF with the PoC or other approaches we tried. We were both able to
reproduce a null ptr deref. After exchange with zdi-disclosures@trendmicro.com
they sent a small change to be made to the code to add an extra delay which
was able to simulate the UAF. i.e, this:
qdisc_put(q->classes[i].qdisc);
mdelay(90);
q->classes[i].qdisc = NULL;
I was informed by Thomas Gleixner(tglx@linutronix.de) that adding delays was
acceptable approach for demonstrating the bug, quote:
"Adding such delays is common exploit validation practice"
The equivalent delay could happen "by virt scheduling the vCPU out, SMIs,
NMIs, PREEMPT_RT enabled kernel"
3. I asked the OP to test and report back but got no response and after a
few days gave up and proceeded to submit this fix.
Fixes: de6d25924c2a ("net/sched: sch_ets: don't peek at classes beyond 'nbands'")
Reported-by: zdi-disclosures@trendmicro.com
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
Link: https://patch.msgid.link/20251128151919.576920-1-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_ets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index 82635dd2cfa59..ae46643e596d3 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -652,7 +652,7 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
sch_tree_lock(sch);
for (i = nbands; i < oldbands; i++) {
- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
+ if (cl_is_active(&q->classes[i]))
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 048/567] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 047/567] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 049/567] mlxsw: spectrum_router: Fix possible neighbour reference count leak Greg Kroah-Hartman
` (532 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Skorodumov, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
[ Upstream commit 0c57ff008a11f24f7f05fa760222692a00465fec ]
Packets with pkt_type == PACKET_LOOPBACK are captured by
handle_frame() function, but they don't have L2 header.
We should not process them in handle_mode_l2().
This doesn't affect old L2 functionality, since handling
was anyway incorrect.
Handle them the same way as in br_handle_frame():
just pass the skb.
To observe invalid behaviour, just start "ping -b" on bcast address
of port-interface.
Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
Link: https://patch.msgid.link/20251202103906.4087675-1-skorodumov.dmitry@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ipvlan/ipvlan_core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index ca62188a317ad..83bd65a227709 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -737,6 +737,9 @@ static rx_handler_result_t ipvlan_handle_mode_l2(struct sk_buff **pskb,
struct ethhdr *eth = eth_hdr(skb);
rx_handler_result_t ret = RX_HANDLER_PASS;
+ if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
+ return RX_HANDLER_PASS;
+
if (is_multicast_ether_addr(eth->h_dest)) {
if (ipvlan_external_frame(skb, port)) {
struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 049/567] mlxsw: spectrum_router: Fix possible neighbour reference count leak
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 048/567] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 050/567] mlxsw: spectrum_router: Fix neighbour use-after-free Greg Kroah-Hartman
` (531 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Ido Schimmel,
Simon Horman, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit b6b638bda240395dff49a87403b2e32493e56d2a ]
mlxsw_sp_router_schedule_work() takes a reference on a neighbour,
expecting a work item to release it later on. However, we might fail to
schedule the work item, in which case the neighbour reference count will
be leaked.
Fix by taking the reference just before scheduling the work item. Note
that mlxsw_sp_router_schedule_work() can receive a NULL neighbour
pointer, but neigh_clone() handles that correctly.
Spotted during code review, did not actually observe the reference count
leak.
Fixes: 151b89f6025a ("mlxsw: spectrum_router: Reuse work neighbor initialization in work scheduler")
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/ec2934ae4aca187a8d8c9329a08ce93cca411378.1764695650.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 511cd92e0e3e7..4ab58cb1ab7f4 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -2858,6 +2858,11 @@ static int mlxsw_sp_router_schedule_work(struct net *net,
if (!net_work)
return NOTIFY_BAD;
+ /* Take a reference to ensure the neighbour won't be destructed until
+ * we drop the reference in the work item.
+ */
+ neigh_clone(n);
+
INIT_WORK(&net_work->work, cb);
net_work->mlxsw_sp = router->mlxsw_sp;
net_work->n = n;
@@ -2881,11 +2886,6 @@ static int mlxsw_sp_router_schedule_neigh_work(struct mlxsw_sp_router *router,
struct net *net;
net = neigh_parms_net(n->parms);
-
- /* Take a reference to ensure the neighbour won't be destructed until we
- * drop the reference in delayed work.
- */
- neigh_clone(n);
return mlxsw_sp_router_schedule_work(net, router, n,
mlxsw_sp_router_neigh_event_work);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 050/567] mlxsw: spectrum_router: Fix neighbour use-after-free
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 049/567] mlxsw: spectrum_router: Fix possible neighbour reference count leak Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 051/567] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Greg Kroah-Hartman
` (530 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Petr Machata,
Simon Horman, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 8b0e69763ef948fb872a7767df4be665d18f5fd4 ]
We sometimes observe use-after-free when dereferencing a neighbour [1].
The problem seems to be that the driver stores a pointer to the
neighbour, but without holding a reference on it. A reference is only
taken when the neighbour is used by a nexthop.
Fix by simplifying the reference counting scheme. Always take a
reference when storing a neighbour pointer in a neighbour entry. Avoid
taking a referencing when the neighbour is used by a nexthop as the
neighbour entry associated with the nexthop already holds a reference.
Tested by running the test that uncovered the problem over 300 times.
Without this patch the problem was reproduced after a handful of
iterations.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310
Read of size 8 at addr ffff88817f8e3420 by task ip/3929
CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_address_description.constprop.0+0x6e/0x300
print_report+0xfc/0x1fb
kasan_report+0xe4/0x110
mlxsw_sp_neigh_entry_update+0x2d4/0x310
mlxsw_sp_router_rif_gone_sync+0x35f/0x510
mlxsw_sp_rif_destroy+0x1ea/0x730
mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0
__mlxsw_sp_inetaddr_lag_event+0xcc/0x130
__mlxsw_sp_inetaddr_event+0xf5/0x3c0
mlxsw_sp_router_netdevice_event+0x1015/0x1580
notifier_call_chain+0xcc/0x150
call_netdevice_notifiers_info+0x7e/0x100
__netdev_upper_dev_unlink+0x10b/0x210
netdev_upper_dev_unlink+0x79/0xa0
vrf_del_slave+0x18/0x50
do_set_master+0x146/0x7d0
do_setlink.isra.0+0x9a0/0x2880
rtnl_newlink+0x637/0xb20
rtnetlink_rcv_msg+0x6fe/0xb90
netlink_rcv_skb+0x123/0x380
netlink_unicast+0x4a3/0x770
netlink_sendmsg+0x75b/0xc90
__sock_sendmsg+0xbe/0x160
____sys_sendmsg+0x5b2/0x7d0
___sys_sendmsg+0xfd/0x180
__sys_sendmsg+0x124/0x1c0
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[...]
Allocated by task 109:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x2c1/0x790
neigh_alloc+0x6af/0x8f0
___neigh_create+0x63/0xe90
mlxsw_sp_nexthop_neigh_init+0x430/0x7e0
mlxsw_sp_nexthop_type_init+0x212/0x960
mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280
mlxsw_sp_nexthop6_group_get+0x392/0x6a0
mlxsw_sp_fib6_entry_create+0x46a/0xfd0
mlxsw_sp_router_fib6_replace+0x1ed/0x5f0
mlxsw_sp_router_fib6_event_work+0x10a/0x2a0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Freed by task 154:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kmem_cache_free_bulk.part.0+0x1eb/0x5e0
kvfree_rcu_bulk+0x1f2/0x260
kfree_rcu_work+0x130/0x1b0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Last potentially related work creation:
kasan_save_stack+0x30/0x50
kasan_record_aux_stack+0x8c/0xa0
kvfree_call_rcu+0x93/0x5b0
mlxsw_sp_router_neigh_event_work+0x67d/0x860
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Fixes: 6cf3c971dc84 ("mlxsw: spectrum_router: Add private neigh table")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/92d75e21d95d163a41b5cea67a15cd33f547cba6.1764695650.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/mellanox/mlxsw/spectrum_router.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 4ab58cb1ab7f4..7066bc5612c62 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -2265,6 +2265,7 @@ mlxsw_sp_neigh_entry_alloc(struct mlxsw_sp *mlxsw_sp, struct neighbour *n,
if (!neigh_entry)
return NULL;
+ neigh_hold(n);
neigh_entry->key.n = n;
neigh_entry->rif = rif;
INIT_LIST_HEAD(&neigh_entry->nexthop_list);
@@ -2274,6 +2275,7 @@ mlxsw_sp_neigh_entry_alloc(struct mlxsw_sp *mlxsw_sp, struct neighbour *n,
static void mlxsw_sp_neigh_entry_free(struct mlxsw_sp_neigh_entry *neigh_entry)
{
+ neigh_release(neigh_entry->key.n);
kfree(neigh_entry);
}
@@ -4320,6 +4322,8 @@ mlxsw_sp_nexthop_dead_neigh_replace(struct mlxsw_sp *mlxsw_sp,
if (err)
goto err_neigh_entry_insert;
+ neigh_release(old_n);
+
read_lock_bh(&n->lock);
nud_state = n->nud_state;
dead = n->dead;
@@ -4328,14 +4332,10 @@ mlxsw_sp_nexthop_dead_neigh_replace(struct mlxsw_sp *mlxsw_sp,
list_for_each_entry(nh, &neigh_entry->nexthop_list,
neigh_list_node) {
- neigh_release(old_n);
- neigh_clone(n);
__mlxsw_sp_nexthop_neigh_update(nh, !entry_connected);
mlxsw_sp_nexthop_group_refresh(mlxsw_sp, nh->nhgi->nh_grp);
}
- neigh_release(n);
-
return 0;
err_neigh_entry_insert:
@@ -4428,6 +4428,11 @@ static int mlxsw_sp_nexthop_neigh_init(struct mlxsw_sp *mlxsw_sp,
}
}
+ /* Release the reference taken by neigh_lookup() / neigh_create() since
+ * neigh_entry already holds one.
+ */
+ neigh_release(n);
+
/* If that is the first nexthop connected to that neigh, add to
* nexthop_neighs_list
*/
@@ -4454,11 +4459,9 @@ static void mlxsw_sp_nexthop_neigh_fini(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_nexthop *nh)
{
struct mlxsw_sp_neigh_entry *neigh_entry = nh->neigh_entry;
- struct neighbour *n;
if (!neigh_entry)
return;
- n = neigh_entry->key.n;
__mlxsw_sp_nexthop_neigh_update(nh, true);
list_del(&nh->neigh_list_node);
@@ -4472,8 +4475,6 @@ static void mlxsw_sp_nexthop_neigh_fini(struct mlxsw_sp *mlxsw_sp,
if (!neigh_entry->connected && list_empty(&neigh_entry->nexthop_list))
mlxsw_sp_neigh_entry_destroy(mlxsw_sp, neigh_entry);
-
- neigh_release(n);
}
static bool mlxsw_sp_ipip_netdev_ul_up(struct net_device *ol_dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 051/567] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 050/567] mlxsw: spectrum_router: Fix neighbour use-after-free Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 052/567] bnxt_en: Fix XDP_TX path Greg Kroah-Hartman
` (529 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Petr Machata,
Simon Horman, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 8ac1dacec458f55f871f7153242ed6ab60373b90 ]
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Fixes: f38656d06725 ("mlxsw: spectrum_mr: Protect multicast route list with a lock")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/f996feecfd59fde297964bfc85040b6d83ec6089.1764695650.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
index 5afe6b155ef0d..81935f87bfcd7 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
@@ -440,7 +440,9 @@ int mlxsw_sp_mr_route_add(struct mlxsw_sp_mr_table *mr_table,
rhashtable_remove_fast(&mr_table->route_ht,
&mr_orig_route->ht_node,
mlxsw_sp_mr_route_ht_params);
+ mutex_lock(&mr_table->route_list_lock);
list_del(&mr_orig_route->node);
+ mutex_unlock(&mr_table->route_list_lock);
mlxsw_sp_mr_route_destroy(mr_table, mr_orig_route);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 052/567] bnxt_en: Fix XDP_TX path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 051/567] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 053/567] net: openvswitch: fix middle attribute validation in push_nsh() action Greg Kroah-Hartman
` (528 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pavel Dubovitsky, Andy Gospodarek,
Pavan Chebbi, Kalesh AP, Michael Chan, Jacob Keller,
Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Chan <michael.chan@broadcom.com>
[ Upstream commit 0373d5c387f24de749cc22e694a14b3a7c7eb515 ]
For XDP_TX action in bnxt_rx_xdp(), clearing of the event flags is not
correct. __bnxt_poll_work() -> bnxt_rx_pkt() -> bnxt_rx_xdp() may be
looping within NAPI and some event flags may be set in earlier
iterations. In particular, if BNXT_TX_EVENT is set earlier indicating
some XDP_TX packets are ready and pending, it will be cleared if it is
XDP_TX action again. Normally, we will set BNXT_TX_EVENT again when we
successfully call __bnxt_xmit_xdp(). But if the TX ring has no more
room, the flag will not be set. This will cause the TX producer to be
ahead but the driver will not hit the TX doorbell.
For multi-buf XDP_TX, there is no need to clear the event flags and set
BNXT_AGG_EVENT. The BNXT_AGG_EVENT flag should have been set earlier in
bnxt_rx_pkt().
The visible symptom of this is that the RX ring associated with the
TX XDP ring will eventually become empty and all packets will be dropped.
Because this condition will cause the driver to not refill the RX ring
seeing that the TX ring has forever pending XDP_TX packets.
The fix is to only clear BNXT_RX_EVENT when we have successfully
called __bnxt_xmit_xdp().
Fixes: 7f0a168b0441 ("bnxt_en: Add completion ring pointer in TX and RX ring structures")
Reported-by: Pavel Dubovitsky <pdubovitsky@meta.com>
Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20251203003024.2246699-1-michael.chan@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
index 844812bd65363..fa3c6515cc4d6 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
@@ -268,13 +268,11 @@ bool bnxt_rx_xdp(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, u16 cons,
case XDP_TX:
rx_buf = &rxr->rx_buf_ring[cons];
mapping = rx_buf->mapping - bp->rx_dma_offset;
- *event &= BNXT_TX_CMP_EVENT;
if (unlikely(xdp_buff_has_frags(xdp))) {
struct skb_shared_info *sinfo = xdp_get_shared_info_from_buff(xdp);
tx_needed += sinfo->nr_frags;
- *event = BNXT_AGG_EVENT;
}
if (tx_avail < tx_needed) {
@@ -287,6 +285,7 @@ bool bnxt_rx_xdp(struct bnxt *bp, struct bnxt_rx_ring_info *rxr, u16 cons,
dma_sync_single_for_device(&pdev->dev, mapping + offset, *len,
bp->rx_dir);
+ *event &= ~BNXT_RX_EVENT;
*event |= BNXT_TX_EVENT;
__bnxt_xmit_xdp(bp, txr, mapping + offset, *len,
NEXT_RX(rxr->rx_prod), xdp);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 053/567] net: openvswitch: fix middle attribute validation in push_nsh() action
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 052/567] bnxt_en: Fix XDP_TX path Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 054/567] broadcom: b44: prevent uninitialized value usage Greg Kroah-Hartman
` (527 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junvy Yang, Ilya Maximets,
Aaron Conole, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
[ Upstream commit 5ace7ef87f059d68b5f50837ef3e8a1a4870c36e ]
The push_nsh() action structure looks like this:
OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost
OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
inside nsh_key_put_from_nlattr(). But nothing checks if the attribute
in the middle is OK. We don't even check that this attribute is the
OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()
calls - first time directly while calling validate_push_nsh() and the
second time as part of the nla_for_each_nested() macro, which isn't
safe, potentially causing invalid memory access if the size of this
attribute is incorrect. The failure may not be noticed during
validation due to larger netlink buffer, but cause trouble later during
action execution where the buffer is allocated exactly to the size:
BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
Read of size 184 at addr ffff88816459a634 by task a.out/22624
CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x2c/0x390
kasan_report+0xdd/0x110
kasan_check_range+0x35/0x1b0
__asan_memcpy+0x20/0x60
nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
push_nsh+0x82/0x120 [openvswitch]
do_execute_actions+0x1405/0x2840 [openvswitch]
ovs_execute_actions+0xd5/0x3b0 [openvswitch]
ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
genl_family_rcv_msg_doit+0x1d6/0x2b0
genl_family_rcv_msg+0x336/0x580
genl_rcv_msg+0x9f/0x130
netlink_rcv_skb+0x11f/0x370
genl_rcv+0x24/0x40
netlink_unicast+0x73e/0xaa0
netlink_sendmsg+0x744/0xbf0
__sys_sendto+0x3d6/0x450
do_syscall_64+0x79/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Let's add some checks that the attribute is properly sized and it's
the only one attribute inside the action. Technically, there is no
real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
pushing an NSH header already, it just creates extra nesting, but
that's how uAPI works today. So, keeping as it is.
Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
Reported-by: Junvy Yang <zhuque@tencent.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Eelco Chaudron echaudro@redhat.com
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20251204105334.900379-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index e3359e15aa2e4..7d5490ea23e1d 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2802,13 +2802,20 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
return err;
}
-static bool validate_push_nsh(const struct nlattr *attr, bool log)
+static bool validate_push_nsh(const struct nlattr *a, bool log)
{
+ struct nlattr *nsh_key = nla_data(a);
struct sw_flow_match match;
struct sw_flow_key key;
+ /* There must be one and only one NSH header. */
+ if (!nla_ok(nsh_key, nla_len(a)) ||
+ nla_total_size(nla_len(nsh_key)) != nla_len(a) ||
+ nla_type(nsh_key) != OVS_KEY_ATTR_NSH)
+ return false;
+
ovs_match_init(&match, &key, true, NULL);
- return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ return !nsh_key_put_from_nlattr(nsh_key, &match, false, true, log);
}
/* Return false if there are any non-masked bits set.
@@ -3388,7 +3395,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
return -EINVAL;
}
mac_proto = MAC_PROTO_NONE;
- if (!validate_push_nsh(nla_data(a), log))
+ if (!validate_push_nsh(a, log))
return -EINVAL;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 054/567] broadcom: b44: prevent uninitialized value usage
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 053/567] net: openvswitch: fix middle attribute validation in push_nsh() action Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 055/567] netfilter: nf_conncount: fix leaked ct in error paths Greg Kroah-Hartman
` (526 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Andrew Lunn,
Alexey Simakov, Michael Chan, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Simakov <bigalex934@gmail.com>
[ Upstream commit 50b3db3e11864cb4e18ff099cfb38e11e7f87a68 ]
On execution path with raised B44_FLAG_EXTERNAL_PHY, b44_readphy()
leaves bmcr value uninitialized and it is used later in the code.
Add check of this flag at the beginning of the b44_nway_reset() and
exit early of the function with restarting autonegotiation if an
external PHY is used.
Fixes: 753f492093da ("[B44]: port to native ssb support")
Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
Link: https://patch.msgid.link/20251205155815.4348-1-bigalex934@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/b44.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/b44.c b/drivers/net/ethernet/broadcom/b44.c
index e5809ad5eb827..29f0de9e31545 100644
--- a/drivers/net/ethernet/broadcom/b44.c
+++ b/drivers/net/ethernet/broadcom/b44.c
@@ -1789,6 +1789,9 @@ static int b44_nway_reset(struct net_device *dev)
u32 bmcr;
int r;
+ if (bp->flags & B44_FLAG_EXTERNAL_PHY)
+ return phy_ethtool_nway_reset(dev);
+
spin_lock_irq(&bp->lock);
b44_readphy(bp, MII_BMCR, &bmcr);
b44_readphy(bp, MII_BMCR, &bmcr);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 055/567] netfilter: nf_conncount: fix leaked ct in error paths
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 054/567] broadcom: b44: prevent uninitialized value usage Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 056/567] ipvs: fix ipv4 null-ptr-deref in route error path Greg Kroah-Hartman
` (525 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Florian Westphal, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 2e2a720766886190a6d35c116794693aabd332b6 ]
There are some situations where ct might be leaked as error paths are
skipping the refcounted check and return immediately. In order to solve
it make sure that the check is always called.
Fixes: be102eb6a0e7 ("netfilter: nf_conncount: rework API to use sk_buff directly")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conncount.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index b84cfb5616df4..3c1b155f7a0ea 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -172,14 +172,14 @@ static int __nf_conncount_add(struct net *net,
struct nf_conn *found_ct;
unsigned int collect = 0;
bool refcounted = false;
+ int err = 0;
if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
return -ENOENT;
if (ct && nf_ct_is_confirmed(ct)) {
- if (refcounted)
- nf_ct_put(ct);
- return -EEXIST;
+ err = -EEXIST;
+ goto out_put;
}
if ((u32)jiffies == list->last_gc)
@@ -231,12 +231,16 @@ static int __nf_conncount_add(struct net *net,
}
add_new_node:
- if (WARN_ON_ONCE(list->count > INT_MAX))
- return -EOVERFLOW;
+ if (WARN_ON_ONCE(list->count > INT_MAX)) {
+ err = -EOVERFLOW;
+ goto out_put;
+ }
conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
- if (conn == NULL)
- return -ENOMEM;
+ if (conn == NULL) {
+ err = -ENOMEM;
+ goto out_put;
+ }
conn->tuple = tuple;
conn->zone = *zone;
@@ -249,7 +253,7 @@ static int __nf_conncount_add(struct net *net,
out_put:
if (refcounted)
nf_ct_put(ct);
- return 0;
+ return err;
}
int nf_conncount_add_skb(struct net *net,
@@ -446,11 +450,10 @@ insert_tree(struct net *net,
rb_link_node_rcu(&rbconn->node, parent, rbnode);
rb_insert_color(&rbconn->node, root);
-
- if (refcounted)
- nf_ct_put(ct);
}
out_unlock:
+ if (refcounted)
+ nf_ct_put(ct);
spin_unlock_bh(&nf_conncount_locks[hash]);
return count;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 056/567] ipvs: fix ipv4 null-ptr-deref in route error path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 055/567] netfilter: nf_conncount: fix leaked ct in error paths Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 057/567] caif: fix integer underflow in cffrml_receive() Greg Kroah-Hartman
` (524 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Slavin Liu, Julian Anastasov,
Florian Westphal, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Slavin Liu <slavin452@gmail.com>
[ Upstream commit ad891bb3d079a46a821bf2b8867854645191bab0 ]
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
__ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
<TASK>
spec_dst_fill net/ipv4/ip_options.c:232
spec_dst_fill net/ipv4/ip_options.c:229
__ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
ipv4_send_dest_unreach net/ipv4/route.c:1252
ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
dst_link_failure include/net/dst.h:437
__ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
Signed-off-by: Slavin Liu <slavin452@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipvs/ip_vs_xmit.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 014f077403695..fa2db17f6298b 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -409,6 +409,9 @@ __ip_vs_get_out_rt(struct netns_ipvs *ipvs, int skb_af, struct sk_buff *skb,
return -1;
err_unreach:
+ if (!skb->dev)
+ skb->dev = skb_dst(skb)->dev;
+
dst_link_failure(skb);
return -1;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 057/567] caif: fix integer underflow in cffrml_receive()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 056/567] ipvs: fix ipv4 null-ptr-deref in route error path Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 058/567] net/sched: ets: Remove drr class from the active list if it changes to strict Greg Kroah-Hartman
` (523 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Simon Horman, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 8a11ff0948b5ad09b71896b7ccc850625f9878d1 ]
The cffrml_receive() function extracts a length field from the packet
header and, when FCS is disabled, subtracts 2 from this length without
validating that len >= 2.
If an attacker sends a malicious packet with a length field of 0 or 1
to an interface with FCS disabled, the subtraction causes an integer
underflow.
This can lead to memory exhaustion and kernel instability, potential
information disclosure if padding contains uninitialized kernel memory.
Fix this by validating that len >= 2 before performing the subtraction.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/caif/cffrml.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/caif/cffrml.c b/net/caif/cffrml.c
index 6651a8dc62e04..d4d63586053ad 100644
--- a/net/caif/cffrml.c
+++ b/net/caif/cffrml.c
@@ -92,8 +92,15 @@ static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt)
len = le16_to_cpu(tmp);
/* Subtract for FCS on length if FCS is not used. */
- if (!this->dofcs)
+ if (!this->dofcs) {
+ if (len < 2) {
+ ++cffrml_rcv_error;
+ pr_err("Invalid frame length (%d)\n", len);
+ cfpkt_destroy(pkt);
+ return -EPROTO;
+ }
len -= 2;
+ }
if (cfpkt_setlen(pkt, len) < 0) {
++cffrml_rcv_error;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 058/567] net/sched: ets: Remove drr class from the active list if it changes to strict
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 057/567] caif: fix integer underflow in cffrml_receive() Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 059/567] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Greg Kroah-Hartman
` (522 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Victor Nogueira,
Petr Machata, Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Nogueira <victor@mojatatu.com>
[ Upstream commit b1e125ae425aba9b45252e933ca8df52a843ec70 ]
Whenever a user issues an ets qdisc change command, transforming a
drr class into a strict one, the ets code isn't checking whether that
class was in the active list and removing it. This means that, if a
user changes a strict class (which was in the active list) back to a drr
one, that class will be added twice to the active list [1].
Doing so with the following commands:
tc qdisc add dev lo root handle 1: ets bands 2 strict 1
tc qdisc add dev lo parent 1:2 handle 20: \
tbf rate 8bit burst 100b latency 1s
tc filter add dev lo parent 1: basic classid 1:2
ping -c1 -W0.01 -s 56 127.0.0.1
tc qdisc change dev lo root handle 1: ets bands 2 strict 2
tc qdisc change dev lo root handle 1: ets bands 2 strict 1
ping -c1 -W0.01 -s 56 127.0.0.1
Will trigger the following splat with list debug turned on:
[ 59.279014][ T365] ------------[ cut here ]------------
[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.
[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220
[ 59.280860][ T365] Modules linked in:
[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)
[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220
[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44
...
[ 59.288812][ T365] Call Trace:
[ 59.289056][ T365] <TASK>
[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80
[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0
[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10
[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240
[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10
[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110
[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0
Fix this by always checking and removing an ets class from the active list
when changing it to strict.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
Fixes: cd9b50adc6bb9 ("net/sched: ets: fix crash when flipping from 'strict' to 'quantum'")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20251208190125.1868423-1-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_ets.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index ae46643e596d3..306e046276d46 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -664,6 +664,10 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
q->classes[i].deficit = quanta[i];
}
}
+ for (i = q->nstrict; i < nstrict; i++) {
+ if (cl_is_active(&q->classes[i]))
+ list_del_init(&q->classes[i].alist);
+ }
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 059/567] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 058/567] net/sched: ets: Remove drr class from the active list if it changes to strict Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 060/567] netfilter: nf_nat: remove bogus direction check Greg Kroah-Hartman
` (521 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Jakub Kicinski,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 885bebac9909994050bbbeed0829c727e42bd1b7 ]
Set the error code if "transferred != sizeof(cmd)" instead of
returning success.
Fixes: dbafc28955fa ("NFC: pn533: don't send USB data off of the stack")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aTfIJ9tZPmeUF4W1@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/pn533/usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
index ffd7367ce1194..018a80674f06e 100644
--- a/drivers/nfc/pn533/usb.c
+++ b/drivers/nfc/pn533/usb.c
@@ -406,7 +406,7 @@ static int pn533_acr122_poweron_rdr(struct pn533_usb_phy *phy)
if (rc || (transferred != sizeof(cmd))) {
nfc_err(&phy->udev->dev,
"Reader power on cmd error %d\n", rc);
- return rc;
+ return rc ?: -EINVAL;
}
rc = usb_submit_urb(phy->in_urb, GFP_KERNEL);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 060/567] netfilter: nf_nat: remove bogus direction check
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 059/567] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 061/567] netfilter: nf_tables: remove redundant chain validation on register store Greg Kroah-Hartman
` (520 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Florian Westphal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 5ec8ca26fe93103577c904644b0957f069d0051a ]
Jakub reports spurious failures of the 'conntrack_reverse_clash.sh'
selftest. A bogus test makes nat core resort to port rewrite even
though there is no need for this.
When the test is made, nf_nat_used_tuple() would already have caused us
to return if no other CPU had added a colliding entry.
Moreover, nf_nat_used_tuple() would have ignored the colliding entry if
their origin tuples had been the same.
All that is left to check is if the colliding entry in the hash table
is subject to NAT, and, if its not, if our entry matches in the reverse
direction, e.g. hash table has
addr1:1234 -> addr2:80, and we want to commit
addr2:80 -> addr1:1234.
Because we already checked that neither the new nor the committed entry is
subject to NAT we only have to check origin vs. reply tuple:
for non-nat entries, the reply tuple is always the inverted original.
Just in case there are more problems extend the error reporting
in the selftest while at it and dump conntrack table/stats on error.
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netdev/20251206175135.4a56591b@kernel.org/
Fixes: d8f84a9bc7c4 ("netfilter: nf_nat: don't try nat source port reallocation for reverse dir clash")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_nat_core.c | 14 +-------------
.../net/netfilter/conntrack_reverse_clash.c | 13 +++++++++----
.../net/netfilter/conntrack_reverse_clash.sh | 2 ++
3 files changed, 12 insertions(+), 17 deletions(-)
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 02f10a46fab7c..746acd124ea28 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -298,25 +298,13 @@ nf_nat_used_tuple_new(const struct nf_conntrack_tuple *tuple,
ct = nf_ct_tuplehash_to_ctrack(thash);
- /* NB: IP_CT_DIR_ORIGINAL should be impossible because
- * nf_nat_used_tuple() handles origin collisions.
- *
- * Handle remote chance other CPU confirmed its ct right after.
- */
- if (thash->tuple.dst.dir != IP_CT_DIR_REPLY)
- goto out;
-
/* clashing connection subject to NAT? Retry with new tuple. */
if (READ_ONCE(ct->status) & uses_nat)
goto out;
if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
- &ignored_ct->tuplehash[IP_CT_DIR_REPLY].tuple) &&
- nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_REPLY].tuple,
- &ignored_ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple)) {
+ &ignored_ct->tuplehash[IP_CT_DIR_REPLY].tuple))
taken = false;
- goto out;
- }
out:
nf_ct_put(ct);
return taken;
diff --git a/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c b/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c
index 507930cee8cb6..462d628cc3bdb 100644
--- a/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c
+++ b/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.c
@@ -33,9 +33,14 @@ static void die(const char *e)
exit(111);
}
-static void die_port(uint16_t got, uint16_t want)
+static void die_port(const struct sockaddr_in *sin, uint16_t want)
{
- fprintf(stderr, "Port number changed, wanted %d got %d\n", want, ntohs(got));
+ uint16_t got = ntohs(sin->sin_port);
+ char str[INET_ADDRSTRLEN];
+
+ inet_ntop(AF_INET, &sin->sin_addr, str, sizeof(str));
+
+ fprintf(stderr, "Port number changed, wanted %d got %d from %s\n", want, got, str);
exit(1);
}
@@ -100,7 +105,7 @@ int main(int argc, char *argv[])
die("child recvfrom");
if (peer.sin_port != htons(PORT))
- die_port(peer.sin_port, PORT);
+ die_port(&peer, PORT);
} else {
if (sendto(s2, buf, LEN, 0, (struct sockaddr *)&sa1, sizeof(sa1)) != LEN)
continue;
@@ -109,7 +114,7 @@ int main(int argc, char *argv[])
die("parent recvfrom");
if (peer.sin_port != htons((PORT + 1)))
- die_port(peer.sin_port, PORT + 1);
+ die_port(&peer, PORT + 1);
}
}
diff --git a/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh b/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh
index a24c896347a88..dc7e9d6da0624 100755
--- a/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh
+++ b/tools/testing/selftests/net/netfilter/conntrack_reverse_clash.sh
@@ -45,6 +45,8 @@ if ip netns exec "$ns0" ./conntrack_reverse_clash; then
echo "PASS: No SNAT performed for null bindings"
else
echo "ERROR: SNAT performed without any matching snat rule"
+ ip netns exec "$ns0" conntrack -L
+ ip netns exec "$ns0" conntrack -S
exit 1
fi
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 061/567] netfilter: nf_tables: remove redundant chain validation on register store
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 060/567] netfilter: nf_nat: remove bogus direction check Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 062/567] selftests: netfilter: packetdrill: avoid failure on HZ=100 kernel Greg Kroah-Hartman
` (519 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Florian Westphal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit a67fd55f6a09f4119b7232c19e0f348fe31ab0db ]
This validation predates the introduction of the state machine that
determines when to enter slow path validation for error reporting.
Currently, table validation is perform when:
- new rule contains expressions that need validation.
- new set element with jump/goto verdict.
Validation on register store skips most checks with no basechains, still
this walks the graph searching for loops and ensuring expressions are
called from the right hook. Remove this.
Fixes: a654de8fdc18 ("netfilter: nf_tables: fix chain dependency validation")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e1c617b488889..b4741fb337988 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -11211,21 +11211,10 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
enum nft_data_types type,
unsigned int len)
{
- int err;
-
switch (reg) {
case NFT_REG_VERDICT:
if (type != NFT_DATA_VERDICT)
return -EINVAL;
-
- if (data != NULL &&
- (data->verdict.code == NFT_GOTO ||
- data->verdict.code == NFT_JUMP)) {
- err = nft_chain_validate(ctx, data->verdict.chain);
- if (err < 0)
- return err;
- }
-
break;
default:
if (type != NFT_DATA_VALUE)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 062/567] selftests: netfilter: packetdrill: avoid failure on HZ=100 kernel
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 061/567] netfilter: nf_tables: remove redundant chain validation on register store Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 063/567] iommufd/selftest: Add coverage for reporting max_pasid_log2 via IOMMU_HW_INFO Greg Kroah-Hartman
` (518 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yi Chen, Florian Westphal,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit fec7b0795548b43e2c3c46e3143c34ef6070341c ]
packetdrill --ip_version=ipv4 --mtu=1500 --tolerance_usecs=1000000 --non_fatal packet conntrack_syn_challenge_ack.pkt
conntrack v1.4.8 (conntrack-tools): 1 flow entries have been shown.
conntrack_syn_challenge_ack.pkt:32: error executing `conntrack -f $NFCT_IP_VERSION \
-L -p tcp --dport 8080 | grep UNREPLIED | grep -q SYN_SENT` command: non-zero status 1
Affected kernel had CONFIG_HZ=100; reset packet was still sitting in
backlog.
Reported-by: Yi Chen <yiche@redhat.com>
Fixes: a8a388c2aae4 ("selftests: netfilter: add packetdrill based conntrack tests")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt b/tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt
index 3442cd29bc932..cdb3910af95b4 100644
--- a/tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt
+++ b/tools/testing/selftests/net/netfilter/packetdrill/conntrack_syn_challenge_ack.pkt
@@ -26,7 +26,7 @@
+0.01 > R 643160523:643160523(0) win 0
-+0.01 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null | grep UNREPLIED | grep -q SYN_SENT`
++0.1 `conntrack -f $NFCT_IP_VERSION -L -p tcp --dport 8080 2>/dev/null | grep UNREPLIED | grep -q SYN_SENT`
// Must go through.
+0.01 > S 0:0(0) win 65535 <mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 8>
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 063/567] iommufd/selftest: Add coverage for reporting max_pasid_log2 via IOMMU_HW_INFO
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 062/567] selftests: netfilter: packetdrill: avoid failure on HZ=100 kernel Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 064/567] iommufd/selftest: Update hw_info coverage for an input data_type Greg Kroah-Hartman
` (517 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Yi Liu,
Jason Gunthorpe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yi Liu <yi.l.liu@intel.com>
[ Upstream commit 6d9500bb1ff8c7f9c3ce199521c41aa41e8fd994 ]
IOMMU_HW_INFO is extended to report max_pasid_log2, hence add coverage
for it.
Link: https://patch.msgid.link/r/20250321180143.8468-6-yi.l.liu@intel.com
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Tested-by: Nicolin Chen <nicolinc@nvidia.com>
Signed-off-by: Yi Liu <yi.l.liu@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Stable-dep-of: 5b244b077c0b ("iommufd/selftest: Make it clearer to gcc that the access is not out of bounds")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/iommu/iommufd.c | 18 ++++++++++++++++++
.../testing/selftests/iommu/iommufd_fail_nth.c | 3 ++-
tools/testing/selftests/iommu/iommufd_utils.h | 17 +++++++++++++----
3 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/tools/testing/selftests/iommu/iommufd.c b/tools/testing/selftests/iommu/iommufd.c
index 7a535c590245f..92c6020c15fa1 100644
--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -194,12 +194,14 @@ FIXTURE(iommufd_ioas)
uint32_t hwpt_id;
uint32_t device_id;
uint64_t base_iova;
+ uint32_t device_pasid_id;
};
FIXTURE_VARIANT(iommufd_ioas)
{
unsigned int mock_domains;
unsigned int memory_limit;
+ bool pasid_capable;
};
FIXTURE_SETUP(iommufd_ioas)
@@ -222,6 +224,12 @@ FIXTURE_SETUP(iommufd_ioas)
&self->hwpt_id, &self->device_id);
self->base_iova = MOCK_APERTURE_START;
}
+
+ if (variant->pasid_capable)
+ test_cmd_mock_domain_flags(self->ioas_id,
+ MOCK_FLAGS_DEVICE_PASID,
+ NULL, NULL,
+ &self->device_pasid_id);
}
FIXTURE_TEARDOWN(iommufd_ioas)
@@ -237,6 +245,7 @@ FIXTURE_VARIANT_ADD(iommufd_ioas, no_domain)
FIXTURE_VARIANT_ADD(iommufd_ioas, mock_domain)
{
.mock_domains = 1,
+ .pasid_capable = true,
};
FIXTURE_VARIANT_ADD(iommufd_ioas, two_mock_domain)
@@ -602,6 +611,8 @@ TEST_F(iommufd_ioas, get_hw_info)
} buffer_smaller;
if (self->device_id) {
+ uint8_t max_pasid = 0;
+
/* Provide a zero-size user_buffer */
test_cmd_get_hw_info(self->device_id, NULL, 0);
/* Provide a user_buffer with exact size */
@@ -616,6 +627,13 @@ TEST_F(iommufd_ioas, get_hw_info)
* the fields within the size range still gets updated.
*/
test_cmd_get_hw_info(self->device_id, &buffer_smaller, sizeof(buffer_smaller));
+ test_cmd_get_hw_info_pasid(self->device_id, &max_pasid);
+ ASSERT_EQ(0, max_pasid);
+ if (variant->pasid_capable) {
+ test_cmd_get_hw_info_pasid(self->device_pasid_id,
+ &max_pasid);
+ ASSERT_EQ(MOCK_PASID_WIDTH, max_pasid);
+ }
} else {
test_err_get_hw_info(ENOENT, self->device_id,
&buffer_exact, sizeof(buffer_exact));
diff --git a/tools/testing/selftests/iommu/iommufd_fail_nth.c b/tools/testing/selftests/iommu/iommufd_fail_nth.c
index c5d5e69452b01..62d02556b34cc 100644
--- a/tools/testing/selftests/iommu/iommufd_fail_nth.c
+++ b/tools/testing/selftests/iommu/iommufd_fail_nth.c
@@ -612,7 +612,8 @@ TEST_FAIL_NTH(basic_fail_nth, device)
&idev_id))
return -1;
- if (_test_cmd_get_hw_info(self->fd, idev_id, &info, sizeof(info), NULL))
+ if (_test_cmd_get_hw_info(self->fd, idev_id, &info,
+ sizeof(info), NULL, NULL))
return -1;
if (_test_cmd_hwpt_alloc(self->fd, idev_id, ioas_id, 0, 0, &hwpt_id,
diff --git a/tools/testing/selftests/iommu/iommufd_utils.h b/tools/testing/selftests/iommu/iommufd_utils.h
index 40f6f14ce136f..8994b43e86f89 100644
--- a/tools/testing/selftests/iommu/iommufd_utils.h
+++ b/tools/testing/selftests/iommu/iommufd_utils.h
@@ -638,7 +638,8 @@ static void teardown_iommufd(int fd, struct __test_metadata *_metadata)
/* @data can be NULL */
static int _test_cmd_get_hw_info(int fd, __u32 device_id, void *data,
- size_t data_len, uint32_t *capabilities)
+ size_t data_len, uint32_t *capabilities,
+ uint8_t *max_pasid)
{
struct iommu_test_hw_info *info = (struct iommu_test_hw_info *)data;
struct iommu_hw_info cmd = {
@@ -683,6 +684,9 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, void *data,
assert(!info->flags);
}
+ if (max_pasid)
+ *max_pasid = cmd.out_max_pasid_log2;
+
if (capabilities)
*capabilities = cmd.out_capabilities;
@@ -691,14 +695,19 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, void *data,
#define test_cmd_get_hw_info(device_id, data, data_len) \
ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, data, \
- data_len, NULL))
+ data_len, NULL, NULL))
#define test_err_get_hw_info(_errno, device_id, data, data_len) \
EXPECT_ERRNO(_errno, _test_cmd_get_hw_info(self->fd, device_id, data, \
- data_len, NULL))
+ data_len, NULL, NULL))
#define test_cmd_get_hw_capabilities(device_id, caps, mask) \
- ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, NULL, 0, &caps))
+ ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, NULL, \
+ 0, &caps, NULL))
+
+#define test_cmd_get_hw_info_pasid(device_id, max_pasid) \
+ ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, NULL, \
+ 0, NULL, max_pasid))
static int _test_ioctl_fault_alloc(int fd, __u32 *fault_id, __u32 *fault_fd)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 064/567] iommufd/selftest: Update hw_info coverage for an input data_type
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 063/567] iommufd/selftest: Add coverage for reporting max_pasid_log2 via IOMMU_HW_INFO Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 065/567] iommufd/selftest: Make it clearer to gcc that the access is not out of bounds Greg Kroah-Hartman
` (516 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolin Chen, Pranjal Shrivastava,
Jason Gunthorpe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
[ Upstream commit 3a35f7d4a4673edf6f02422bb2d78b17c667e167 ]
Test both IOMMU_HW_INFO_TYPE_DEFAULT and IOMMU_HW_INFO_TYPE_SELFTEST, and
add a negative test for an unsupported type.
Also drop the unused mask in test_cmd_get_hw_capabilities() as checkpatch
is complaining.
Link: https://patch.msgid.link/r/f01a1e50cd7366f217cbf192ad0b2b79e0eb89f0.1752126748.git.nicolinc@nvidia.com
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Pranjal Shrivastava <praan@google.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Stable-dep-of: 5b244b077c0b ("iommufd/selftest: Make it clearer to gcc that the access is not out of bounds")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/iommu/iommufd.c | 32 +++++++++++++-----
.../selftests/iommu/iommufd_fail_nth.c | 4 +--
tools/testing/selftests/iommu/iommufd_utils.h | 33 +++++++++++--------
3 files changed, 46 insertions(+), 23 deletions(-)
diff --git a/tools/testing/selftests/iommu/iommufd.c b/tools/testing/selftests/iommu/iommufd.c
index 92c6020c15fa1..b678b24f5a142 100644
--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -614,19 +614,34 @@ TEST_F(iommufd_ioas, get_hw_info)
uint8_t max_pasid = 0;
/* Provide a zero-size user_buffer */
- test_cmd_get_hw_info(self->device_id, NULL, 0);
+ test_cmd_get_hw_info(self->device_id,
+ IOMMU_HW_INFO_TYPE_DEFAULT, NULL, 0);
/* Provide a user_buffer with exact size */
- test_cmd_get_hw_info(self->device_id, &buffer_exact, sizeof(buffer_exact));
+ test_cmd_get_hw_info(self->device_id,
+ IOMMU_HW_INFO_TYPE_DEFAULT, &buffer_exact,
+ sizeof(buffer_exact));
+
+ /* Request for a wrong data_type, and a correct one */
+ test_err_get_hw_info(EOPNOTSUPP, self->device_id,
+ IOMMU_HW_INFO_TYPE_SELFTEST + 1,
+ &buffer_exact, sizeof(buffer_exact));
+ test_cmd_get_hw_info(self->device_id,
+ IOMMU_HW_INFO_TYPE_SELFTEST, &buffer_exact,
+ sizeof(buffer_exact));
/*
* Provide a user_buffer with size larger than the exact size to check if
* kernel zero the trailing bytes.
*/
- test_cmd_get_hw_info(self->device_id, &buffer_larger, sizeof(buffer_larger));
+ test_cmd_get_hw_info(self->device_id,
+ IOMMU_HW_INFO_TYPE_DEFAULT, &buffer_larger,
+ sizeof(buffer_larger));
/*
* Provide a user_buffer with size smaller than the exact size to check if
* the fields within the size range still gets updated.
*/
- test_cmd_get_hw_info(self->device_id, &buffer_smaller, sizeof(buffer_smaller));
+ test_cmd_get_hw_info(self->device_id,
+ IOMMU_HW_INFO_TYPE_DEFAULT,
+ &buffer_smaller, sizeof(buffer_smaller));
test_cmd_get_hw_info_pasid(self->device_id, &max_pasid);
ASSERT_EQ(0, max_pasid);
if (variant->pasid_capable) {
@@ -636,9 +651,11 @@ TEST_F(iommufd_ioas, get_hw_info)
}
} else {
test_err_get_hw_info(ENOENT, self->device_id,
- &buffer_exact, sizeof(buffer_exact));
+ IOMMU_HW_INFO_TYPE_DEFAULT, &buffer_exact,
+ sizeof(buffer_exact));
test_err_get_hw_info(ENOENT, self->device_id,
- &buffer_larger, sizeof(buffer_larger));
+ IOMMU_HW_INFO_TYPE_DEFAULT, &buffer_larger,
+ sizeof(buffer_larger));
}
}
@@ -1945,8 +1962,7 @@ TEST_F(iommufd_dirty_tracking, device_dirty_capability)
test_cmd_hwpt_alloc(self->idev_id, self->ioas_id, 0, &hwpt_id);
test_cmd_mock_domain(hwpt_id, &stddev_id, NULL, NULL);
- test_cmd_get_hw_capabilities(self->idev_id, caps,
- IOMMU_HW_CAP_DIRTY_TRACKING);
+ test_cmd_get_hw_capabilities(self->idev_id, caps);
ASSERT_EQ(IOMMU_HW_CAP_DIRTY_TRACKING,
caps & IOMMU_HW_CAP_DIRTY_TRACKING);
diff --git a/tools/testing/selftests/iommu/iommufd_fail_nth.c b/tools/testing/selftests/iommu/iommufd_fail_nth.c
index 62d02556b34cc..e2012d128e11b 100644
--- a/tools/testing/selftests/iommu/iommufd_fail_nth.c
+++ b/tools/testing/selftests/iommu/iommufd_fail_nth.c
@@ -612,8 +612,8 @@ TEST_FAIL_NTH(basic_fail_nth, device)
&idev_id))
return -1;
- if (_test_cmd_get_hw_info(self->fd, idev_id, &info,
- sizeof(info), NULL, NULL))
+ if (_test_cmd_get_hw_info(self->fd, idev_id, IOMMU_HW_INFO_TYPE_DEFAULT,
+ &info, sizeof(info), NULL, NULL))
return -1;
if (_test_cmd_hwpt_alloc(self->fd, idev_id, ioas_id, 0, 0, &hwpt_id,
diff --git a/tools/testing/selftests/iommu/iommufd_utils.h b/tools/testing/selftests/iommu/iommufd_utils.h
index 8994b43e86f89..9668f2268bd9b 100644
--- a/tools/testing/selftests/iommu/iommufd_utils.h
+++ b/tools/testing/selftests/iommu/iommufd_utils.h
@@ -637,20 +637,24 @@ static void teardown_iommufd(int fd, struct __test_metadata *_metadata)
#endif
/* @data can be NULL */
-static int _test_cmd_get_hw_info(int fd, __u32 device_id, void *data,
- size_t data_len, uint32_t *capabilities,
- uint8_t *max_pasid)
+static int _test_cmd_get_hw_info(int fd, __u32 device_id, __u32 data_type,
+ void *data, size_t data_len,
+ uint32_t *capabilities, uint8_t *max_pasid)
{
struct iommu_test_hw_info *info = (struct iommu_test_hw_info *)data;
struct iommu_hw_info cmd = {
.size = sizeof(cmd),
.dev_id = device_id,
.data_len = data_len,
+ .in_data_type = data_type,
.data_uptr = (uint64_t)data,
.out_capabilities = 0,
};
int ret;
+ if (data_type != IOMMU_HW_INFO_TYPE_DEFAULT)
+ cmd.flags |= IOMMU_HW_INFO_FLAG_INPUT_TYPE;
+
ret = ioctl(fd, IOMMU_GET_HW_INFO, &cmd);
if (ret)
return ret;
@@ -693,20 +697,23 @@ static int _test_cmd_get_hw_info(int fd, __u32 device_id, void *data,
return 0;
}
-#define test_cmd_get_hw_info(device_id, data, data_len) \
- ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, data, \
- data_len, NULL, NULL))
+#define test_cmd_get_hw_info(device_id, data_type, data, data_len) \
+ ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, data_type, \
+ data, data_len, NULL, NULL))
-#define test_err_get_hw_info(_errno, device_id, data, data_len) \
- EXPECT_ERRNO(_errno, _test_cmd_get_hw_info(self->fd, device_id, data, \
- data_len, NULL, NULL))
+#define test_err_get_hw_info(_errno, device_id, data_type, data, data_len) \
+ EXPECT_ERRNO(_errno, \
+ _test_cmd_get_hw_info(self->fd, device_id, data_type, \
+ data, data_len, NULL, NULL))
-#define test_cmd_get_hw_capabilities(device_id, caps, mask) \
- ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, NULL, \
+#define test_cmd_get_hw_capabilities(device_id, caps) \
+ ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, \
+ IOMMU_HW_INFO_TYPE_DEFAULT, NULL, \
0, &caps, NULL))
-#define test_cmd_get_hw_info_pasid(device_id, max_pasid) \
- ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, NULL, \
+#define test_cmd_get_hw_info_pasid(device_id, max_pasid) \
+ ASSERT_EQ(0, _test_cmd_get_hw_info(self->fd, device_id, \
+ IOMMU_HW_INFO_TYPE_DEFAULT, NULL, \
0, NULL, max_pasid))
static int _test_ioctl_fault_alloc(int fd, __u32 *fault_id, __u32 *fault_fd)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 065/567] iommufd/selftest: Make it clearer to gcc that the access is not out of bounds
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 064/567] iommufd/selftest: Update hw_info coverage for an input data_type Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 066/567] iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Greg Kroah-Hartman
` (515 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kevin Tian, Nicolin Chen,
kernel test robot, Jason Gunthorpe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit 5b244b077c0b0e76573fbb9542cf038e42368901 ]
GCC gets a bit confused and reports:
In function '_test_cmd_get_hw_info',
inlined from 'iommufd_ioas_get_hw_info' at iommufd.c:779:3,
inlined from 'wrapper_iommufd_ioas_get_hw_info' at iommufd.c:752:1:
>> iommufd_utils.h:804:37: warning: array subscript 'struct iommu_test_hw_info[0]' is partly outside array bounds of 'struct iommu_test_hw_info_buffer_smaller[1]' [-Warray-bounds=]
804 | assert(!info->flags);
| ~~~~^~~~~~~
iommufd.c: In function 'wrapper_iommufd_ioas_get_hw_info':
iommufd.c:761:11: note: object 'buffer_smaller' of size 4
761 | } buffer_smaller;
| ^~~~~~~~~~~~~~
While it is true that "struct iommu_test_hw_info[0]" is partly out of
bounds of the input pointer, it is not true that info->flags is out of
bounds. Unclear why it warns on this.
Reuse an existing properly sized stack buffer and pass a truncated length
instead to test the same thing.
Fixes: af4fde93c319 ("iommufd/selftest: Add coverage for IOMMU_GET_HW_INFO ioctl")
Link: https://patch.msgid.link/r/0-v1-63a2cffb09da+4486-iommufd_gcc_bounds_jgg@nvidia.com
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202512032344.kaAcKFIM-lkp@intel.com/
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/iommu/iommufd.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/tools/testing/selftests/iommu/iommufd.c b/tools/testing/selftests/iommu/iommufd.c
index b678b24f5a142..6f99268365338 100644
--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -606,9 +606,6 @@ TEST_F(iommufd_ioas, get_hw_info)
struct iommu_test_hw_info info;
uint64_t trailing_bytes;
} buffer_larger;
- struct iommu_test_hw_info_buffer_smaller {
- __u32 flags;
- } buffer_smaller;
if (self->device_id) {
uint8_t max_pasid = 0;
@@ -640,8 +637,9 @@ TEST_F(iommufd_ioas, get_hw_info)
* the fields within the size range still gets updated.
*/
test_cmd_get_hw_info(self->device_id,
- IOMMU_HW_INFO_TYPE_DEFAULT,
- &buffer_smaller, sizeof(buffer_smaller));
+ IOMMU_HW_INFO_TYPE_DEFAULT, &buffer_exact,
+ offsetofend(struct iommu_test_hw_info,
+ flags));
test_cmd_get_hw_info_pasid(self->device_id, &max_pasid);
ASSERT_EQ(0, max_pasid);
if (variant->pasid_capable) {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 066/567] iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 065/567] iommufd/selftest: Make it clearer to gcc that the access is not out of bounds Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 067/567] ethtool: Avoid overflowing userspace buffer on stats query Greg Kroah-Hartman
` (514 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samiullah Khawaja, Kevin Tian,
Yi Liu, syzbot+57fdb0cf6a0c5d1f15a2, Jason Gunthorpe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit e6a973af11135439de32ece3b9cbe3bfc043bea8 ]
syzkaller found it could overflow math in the test infrastructure and
cause a WARN_ON by corrupting the reserved interval tree. This only
effects test kernels with CONFIG_IOMMUFD_TEST.
Validate the user input length in the test ioctl.
Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
Link: https://patch.msgid.link/r/0-v1-cd99f6049ba5+51-iommufd_syz_add_resv_jgg@nvidia.com
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Tested-by: Yi Liu <yi.l.liu@intel.com>
Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/iommufd/selftest.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
index 540437be168a0..aed260d4a93cc 100644
--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -836,14 +836,20 @@ static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd,
unsigned int mockpt_id,
unsigned long start, size_t length)
{
+ unsigned long last;
struct iommufd_ioas *ioas;
int rc;
+ if (!length)
+ return -EINVAL;
+ if (check_add_overflow(start, length - 1, &last))
+ return -EOVERFLOW;
+
ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id);
if (IS_ERR(ioas))
return PTR_ERR(ioas);
down_write(&ioas->iopt.iova_rwsem);
- rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL);
+ rc = iopt_reserve_iova(&ioas->iopt, start, last, NULL);
up_write(&ioas->iopt.iova_rwsem);
iommufd_put_object(ucmd->ictx, &ioas->obj);
return rc;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 067/567] ethtool: Avoid overflowing userspace buffer on stats query
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 066/567] iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 068/567] net/mlx5: fw reset, clear reset requested on drain_fw_reset Greg Kroah-Hartman
` (513 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Tariq Toukan,
Gal Pressman, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 7b07be1ff1cb6c49869910518650e8d0abc7d25f ]
The ethtool -S command operates across three ioctl calls:
ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and
ETHTOOL_GSTATS for the values.
If the number of stats changes between these calls (e.g., due to device
reconfiguration), userspace's buffer allocation will be incorrect,
potentially leading to buffer overflow.
Drivers are generally expected to maintain stable stat counts, but some
drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making
this scenario possible.
Some drivers try to handle this internally:
- bnad_get_ethtool_stats() returns early in case stats.n_stats is not
equal to the driver's stats count.
- micrel/ksz884x also makes sure not to write anything beyond
stats.n_stats and overflow the buffer.
However, both use stats.n_stats which is already assigned with the value
returned from get_sset_count(), hence won't solve the issue described
here.
Change ethtool_get_strings(), ethtool_get_stats(),
ethtool_get_phy_stats() to not return anything in case of a mismatch
between userspace's size and get_sset_size(), to prevent buffer
overflow.
The returned n_stats value will be equal to zero, to reflect that
nothing has been returned.
This could result in one of two cases when using upstream ethtool,
depending on when the size change is detected:
1. When detected in ethtool_get_strings():
# ethtool -S eth2
no stats available
2. When detected in get stats, all stats will be reported as zero.
Both cases are presumably transient, and a subsequent ethtool call
should succeed.
Other than the overflow avoidance, these two cases are very evident (no
output/cleared stats), which is arguably better than presenting
incorrect/shifted stats.
I also considered returning an error instead of a "silent" response, but
that seems more destructive towards userspace apps.
Notes:
- This patch does not claim to fix the inherent race, it only makes sure
that we do not overflow the userspace buffer, and makes for a more
predictable behavior.
- RTNL lock is held during each ioctl, the race window exists between
the separate ioctl calls when the lock is released.
- Userspace ethtool always fills stats.n_stats, but it is likely that
these stats ioctls are implemented in other userspace applications
which might not fill it. The added code checks that it's not zero,
to prevent any regressions.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Gal Pressman <gal@nvidia.com>
Link: https://patch.msgid.link/20251208121901.3203692-1-gal@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/ioctl.c | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 8b9692c35e706..67fba88f60984 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -2231,7 +2231,10 @@ static int ethtool_get_strings(struct net_device *dev, void __user *useraddr)
return -ENOMEM;
WARN_ON_ONCE(!ret);
- gstrings.len = ret;
+ if (gstrings.len && gstrings.len != ret)
+ gstrings.len = 0;
+ else
+ gstrings.len = ret;
if (gstrings.len) {
data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));
@@ -2353,10 +2356,13 @@ static int ethtool_get_stats(struct net_device *dev, void __user *useraddr)
if (copy_from_user(&stats, useraddr, sizeof(stats)))
return -EFAULT;
- stats.n_stats = n_stats;
+ if (stats.n_stats && stats.n_stats != n_stats)
+ stats.n_stats = 0;
+ else
+ stats.n_stats = n_stats;
- if (n_stats) {
- data = vzalloc(array_size(n_stats, sizeof(u64)));
+ if (stats.n_stats) {
+ data = vzalloc(array_size(stats.n_stats, sizeof(u64)));
if (!data)
return -ENOMEM;
ops->get_ethtool_stats(dev, &stats, data);
@@ -2368,7 +2374,9 @@ static int ethtool_get_stats(struct net_device *dev, void __user *useraddr)
if (copy_to_user(useraddr, &stats, sizeof(stats)))
goto out;
useraddr += sizeof(stats);
- if (n_stats && copy_to_user(useraddr, data, array_size(n_stats, sizeof(u64))))
+ if (stats.n_stats &&
+ copy_to_user(useraddr, data,
+ array_size(stats.n_stats, sizeof(u64))))
goto out;
ret = 0;
@@ -2404,6 +2412,10 @@ static int ethtool_get_phy_stats_phydev(struct phy_device *phydev,
return -EOPNOTSUPP;
n_stats = phy_ops->get_sset_count(phydev);
+ if (stats->n_stats && stats->n_stats != n_stats) {
+ stats->n_stats = 0;
+ return 0;
+ }
ret = ethtool_vzalloc_stats_array(n_stats, data);
if (ret)
@@ -2424,6 +2436,10 @@ static int ethtool_get_phy_stats_ethtool(struct net_device *dev,
return -EOPNOTSUPP;
n_stats = ops->get_sset_count(dev, ETH_SS_PHY_STATS);
+ if (stats->n_stats && stats->n_stats != n_stats) {
+ stats->n_stats = 0;
+ return 0;
+ }
ret = ethtool_vzalloc_stats_array(n_stats, data);
if (ret)
@@ -2460,7 +2476,9 @@ static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
}
useraddr += sizeof(stats);
- if (copy_to_user(useraddr, data, array_size(stats.n_stats, sizeof(u64))))
+ if (stats.n_stats &&
+ copy_to_user(useraddr, data,
+ array_size(stats.n_stats, sizeof(u64))))
ret = -EFAULT;
out:
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 068/567] net/mlx5: fw reset, clear reset requested on drain_fw_reset
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 067/567] ethtool: Avoid overflowing userspace buffer on stats query Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 069/567] net/mlx5: Drain firmware reset in shutdown callback Greg Kroah-Hartman
` (512 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moshe Shemesh, Shay Drori,
Tariq Toukan, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Moshe Shemesh <moshe@nvidia.com>
[ Upstream commit 89a898d63f6f588acf5c104c65c94a38b68c69a6 ]
drain_fw_reset() waits for ongoing firmware reset events and blocks new
event handling, but does not clear the reset requested flag, and may
keep sync reset polling.
To fix it, call mlx5_sync_reset_clear_reset_requested() to clear the
flag, stop sync reset polling, and resume health polling, ensuring
health issues are still detected after the firmware reset drain.
Fixes: 16d42d313350 ("net/mlx5: Drain fw_reset when removing device")
Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Shay Drori <shayd@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-2-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
index 35d2fe08c0fb5..ad4d17a243de9 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
@@ -832,7 +832,8 @@ void mlx5_drain_fw_reset(struct mlx5_core_dev *dev)
cancel_work_sync(&fw_reset->reset_reload_work);
cancel_work_sync(&fw_reset->reset_now_work);
cancel_work_sync(&fw_reset->reset_abort_work);
- cancel_delayed_work(&fw_reset->reset_timeout_work);
+ if (test_bit(MLX5_FW_RESET_FLAGS_RESET_REQUESTED, &fw_reset->reset_flags))
+ mlx5_sync_reset_clear_reset_requested(dev, true);
}
static const struct devlink_param mlx5_fw_reset_devlink_params[] = {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 069/567] net/mlx5: Drain firmware reset in shutdown callback
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 068/567] net/mlx5: fw reset, clear reset requested on drain_fw_reset Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 070/567] net/mlx5: fw_tracer, Validate format string parameters Greg Kroah-Hartman
` (511 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moshe Shemesh, Shay Drori,
Tariq Toukan, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Moshe Shemesh <moshe@nvidia.com>
[ Upstream commit 5846a365fc6476b02d6766963cf0985520f0385f ]
Invoke drain_fw_reset() in the shutdown callback to ensure all
firmware reset handling is completed before shutdown proceeds.
Fixes: 16d42d313350 ("net/mlx5: Drain fw_reset when removing device")
Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Shay Drori <shayd@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-3-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
index 11d8739b9497a..e97b3494b9161 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -2196,6 +2196,7 @@ static void shutdown(struct pci_dev *pdev)
mlx5_core_info(dev, "Shutdown was called\n");
set_bit(MLX5_BREAK_FW_WAIT, &dev->intf_state);
+ mlx5_drain_fw_reset(dev);
mlx5_drain_health_wq(dev);
err = mlx5_try_fast_unload(dev);
if (err)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 070/567] net/mlx5: fw_tracer, Validate format string parameters
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 069/567] net/mlx5: Drain firmware reset in shutdown callback Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 071/567] net/mlx5: fw_tracer, Handle escaped percent properly Greg Kroah-Hartman
` (510 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Moshe Shemesh,
Breno Leitao, Tariq Toukan, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit b35966042d20b14e2d83330049f77deec5229749 ]
Add validation for format string parameters in the firmware tracer to
prevent potential security vulnerabilities and crashes from malformed
format strings received from firmware.
The firmware tracer receives format strings from the device firmware and
uses them to format trace messages. Without proper validation, bad
firmware could provide format strings with invalid format specifiers
(e.g., %s, %p, %n) that could lead to crashes, or other undefined
behavior.
Add mlx5_tracer_validate_params() to validate that all format specifiers
in trace strings are limited to safe integer/hex formats (%x, %d, %i,
%u, %llx, %lx, etc.). Reject strings containing other format types that
could be used to access arbitrary memory or cause crashes.
Invalid format strings are added to the trace output for visibility with
"BAD_FORMAT: " prefix.
Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Reported-by: Breno Leitao <leitao@debian.org>
Closes: https://lore.kernel.org/netdev/hanz6rzrb2bqbplryjrakvkbmv4y5jlmtthnvi3thg5slqvelp@t3s3erottr6s/
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-4-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/diag/fw_tracer.c | 83 ++++++++++++++++---
.../mellanox/mlx5/core/diag/fw_tracer.h | 1 +
2 files changed, 74 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
index 080e7eab52c7e..9c86c8c72d049 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
@@ -33,6 +33,7 @@
#include "lib/eq.h"
#include "fw_tracer.h"
#include "fw_tracer_tracepoint.h"
+#include <linux/ctype.h>
static int mlx5_query_mtrc_caps(struct mlx5_fw_tracer *tracer)
{
@@ -358,6 +359,43 @@ static const char *VAL_PARM = "%llx";
static const char *REPLACE_64_VAL_PARM = "%x%x";
static const char *PARAM_CHAR = "%";
+static bool mlx5_is_valid_spec(const char *str)
+{
+ /* Parse format specifiers to find the actual type.
+ * Structure: %[flags][width][.precision][length]type
+ * Skip flags, width, precision & length.
+ */
+ while (isdigit(*str) || *str == '#' || *str == '.' || *str == 'l')
+ str++;
+
+ /* Check if it's a valid integer/hex specifier:
+ * Valid formats: %x, %d, %i, %u, etc.
+ */
+ if (*str != 'x' && *str != 'X' && *str != 'd' && *str != 'i' &&
+ *str != 'u' && *str != 'c')
+ return false;
+
+ return true;
+}
+
+static bool mlx5_tracer_validate_params(const char *str)
+{
+ const char *substr = str;
+
+ if (!str)
+ return false;
+
+ substr = strstr(substr, PARAM_CHAR);
+ while (substr) {
+ if (!mlx5_is_valid_spec(substr + 1))
+ return false;
+
+ substr = strstr(substr + 1, PARAM_CHAR);
+ }
+
+ return true;
+}
+
static int mlx5_tracer_message_hash(u32 message_id)
{
return jhash_1word(message_id, 0) & (MESSAGE_HASH_SIZE - 1);
@@ -419,6 +457,10 @@ static int mlx5_tracer_get_num_of_params(char *str)
char *substr, *pstr = str;
int num_of_params = 0;
+ /* Validate that all parameters are valid before processing */
+ if (!mlx5_tracer_validate_params(str))
+ return -EINVAL;
+
/* replace %llx with %x%x */
substr = strstr(pstr, VAL_PARM);
while (substr) {
@@ -570,14 +612,17 @@ void mlx5_tracer_print_trace(struct tracer_string_format *str_frmt,
{
char tmp[512];
- snprintf(tmp, sizeof(tmp), str_frmt->string,
- str_frmt->params[0],
- str_frmt->params[1],
- str_frmt->params[2],
- str_frmt->params[3],
- str_frmt->params[4],
- str_frmt->params[5],
- str_frmt->params[6]);
+ if (str_frmt->invalid_string)
+ snprintf(tmp, sizeof(tmp), "BAD_FORMAT: %s", str_frmt->string);
+ else
+ snprintf(tmp, sizeof(tmp), str_frmt->string,
+ str_frmt->params[0],
+ str_frmt->params[1],
+ str_frmt->params[2],
+ str_frmt->params[3],
+ str_frmt->params[4],
+ str_frmt->params[5],
+ str_frmt->params[6]);
trace_mlx5_fw(dev->tracer, trace_timestamp, str_frmt->lost,
str_frmt->event_id, tmp);
@@ -609,6 +654,13 @@ static int mlx5_tracer_handle_raw_string(struct mlx5_fw_tracer *tracer,
return 0;
}
+static void mlx5_tracer_handle_bad_format_string(struct mlx5_fw_tracer *tracer,
+ struct tracer_string_format *cur_string)
+{
+ cur_string->invalid_string = true;
+ list_add_tail(&cur_string->list, &tracer->ready_strings_list);
+}
+
static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
struct tracer_event *tracer_event)
{
@@ -619,12 +671,18 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
if (!cur_string)
return mlx5_tracer_handle_raw_string(tracer, tracer_event);
- cur_string->num_of_params = mlx5_tracer_get_num_of_params(cur_string->string);
- cur_string->last_param_num = 0;
cur_string->event_id = tracer_event->event_id;
cur_string->tmsn = tracer_event->string_event.tmsn;
cur_string->timestamp = tracer_event->string_event.timestamp;
cur_string->lost = tracer_event->lost_event;
+ cur_string->last_param_num = 0;
+ cur_string->num_of_params = mlx5_tracer_get_num_of_params(cur_string->string);
+ if (cur_string->num_of_params < 0) {
+ pr_debug("%s Invalid format string parameters\n",
+ __func__);
+ mlx5_tracer_handle_bad_format_string(tracer, cur_string);
+ return 0;
+ }
if (cur_string->num_of_params == 0) /* trace with no params */
list_add_tail(&cur_string->list, &tracer->ready_strings_list);
} else {
@@ -634,6 +692,11 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
__func__, tracer_event->string_event.tmsn);
return mlx5_tracer_handle_raw_string(tracer, tracer_event);
}
+ if (cur_string->num_of_params < 0) {
+ pr_debug("%s string parameter of invalid string, dumping\n",
+ __func__);
+ return 0;
+ }
cur_string->last_param_num += 1;
if (cur_string->last_param_num > TRACER_MAX_PARAMS) {
pr_debug("%s Number of params exceeds the max (%d)\n",
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
index 5c548bb74f07b..30d0bcba88479 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
@@ -125,6 +125,7 @@ struct tracer_string_format {
struct list_head list;
u32 timestamp;
bool lost;
+ bool invalid_string;
};
enum mlx5_fw_tracer_ownership_state {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 071/567] net/mlx5: fw_tracer, Handle escaped percent properly
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 070/567] net/mlx5: fw_tracer, Validate format string parameters Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 072/567] net/mlx5: Serialize firmware reset with devlink Greg Kroah-Hartman
` (509 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Breno Leitao,
Moshe Shemesh, Tariq Toukan, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit c0289f67f7d6a0dfba0e92cfe661a5c70c8c6e92 ]
The firmware tracer's format string validation and parameter counting
did not properly handle escaped percent signs (%%). This caused
fw_tracer to count more parameters when trace format strings contained
literal percent characters.
To fix it, allow %% to pass string validation and skip %% sequences when
counting parameters since they represent literal percent signs rather
than format specifiers.
Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reported-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Closes: https://lore.kernel.org/netdev/hanz6rzrb2bqbplryjrakvkbmv4y5jlmtthnvi3thg5slqvelp@t3s3erottr6s/
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-5-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/diag/fw_tracer.c | 20 +++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
index 9c86c8c72d049..0b82a6a133d6c 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
@@ -368,11 +368,11 @@ static bool mlx5_is_valid_spec(const char *str)
while (isdigit(*str) || *str == '#' || *str == '.' || *str == 'l')
str++;
- /* Check if it's a valid integer/hex specifier:
+ /* Check if it's a valid integer/hex specifier or %%:
* Valid formats: %x, %d, %i, %u, etc.
*/
if (*str != 'x' && *str != 'X' && *str != 'd' && *str != 'i' &&
- *str != 'u' && *str != 'c')
+ *str != 'u' && *str != 'c' && *str != '%')
return false;
return true;
@@ -390,7 +390,11 @@ static bool mlx5_tracer_validate_params(const char *str)
if (!mlx5_is_valid_spec(substr + 1))
return false;
- substr = strstr(substr + 1, PARAM_CHAR);
+ if (*(substr + 1) == '%')
+ substr = strstr(substr + 2, PARAM_CHAR);
+ else
+ substr = strstr(substr + 1, PARAM_CHAR);
+
}
return true;
@@ -469,11 +473,15 @@ static int mlx5_tracer_get_num_of_params(char *str)
substr = strstr(pstr, VAL_PARM);
}
- /* count all the % characters */
+ /* count all the % characters, but skip %% (escaped percent) */
substr = strstr(str, PARAM_CHAR);
while (substr) {
- num_of_params += 1;
- str = substr + 1;
+ if (*(substr + 1) != '%') {
+ num_of_params += 1;
+ str = substr + 1;
+ } else {
+ str = substr + 2;
+ }
substr = strstr(str, PARAM_CHAR);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 072/567] net/mlx5: Serialize firmware reset with devlink
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 071/567] net/mlx5: fw_tracer, Handle escaped percent properly Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 073/567] net/handshake: duplicate handshake cancellations leak socket Greg Kroah-Hartman
` (508 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Mateusz Berezecki,
Moshe Shemesh, Tariq Toukan, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit 367e501f8b095eca08d2eb0ba4ccea5b5e82c169 ]
The firmware reset mechanism can be triggered by asynchronous events,
which may race with other devlink operations like devlink reload or
devlink dev eswitch set, potentially leading to inconsistent states.
This patch addresses the race by using the devl_lock to serialize the
firmware reset against other devlink operations. When a reset is
requested, the driver attempts to acquire the lock. If successful, it
sets a flag to block devlink reload or eswitch changes, ACKs the reset
to firmware and then releases the lock. If the lock is already held by
another operation, the driver NACKs the firmware reset request,
indicating that the reset cannot proceed.
Firmware reset does not keep the devl_lock and instead uses an internal
firmware reset bit. This is because firmware resets can be triggered by
asynchronous events, and processed in different threads. It is illegal
and unsafe to acquire a lock in one thread and attempt to release it in
another, as lock ownership is intrinsically thread-specific.
This change ensures that firmware resets and other devlink operations
are mutually exclusive during the critical reset request phase,
preventing race conditions.
Fixes: 38b9f903f22b ("net/mlx5: Handle sync reset request event")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Mateusz Berezecki <mberezecki@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-6-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/devlink.c | 5 +++
.../mellanox/mlx5/core/eswitch_offloads.c | 6 +++
.../ethernet/mellanox/mlx5/core/fw_reset.c | 45 +++++++++++++++++--
.../ethernet/mellanox/mlx5/core/fw_reset.h | 1 +
4 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
index 511b3ba245420..e9d49afc31db5 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
@@ -143,6 +143,11 @@ static int mlx5_devlink_reload_down(struct devlink *devlink, bool netns_change,
struct pci_dev *pdev = dev->pdev;
int ret = 0;
+ if (mlx5_fw_reset_in_progress(dev)) {
+ NL_SET_ERR_MSG_MOD(extack, "Can't reload during firmware reset");
+ return -EBUSY;
+ }
+
if (mlx5_dev_is_lightweight(dev)) {
if (action != DEVLINK_RELOAD_ACTION_DRIVER_REINIT)
return -EOPNOTSUPP;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index 558962423521c..f4cb3e78d0651 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -52,6 +52,7 @@
#include "devlink.h"
#include "lag/lag.h"
#include "en/tc/post_meter.h"
+#include "fw_reset.h"
/* There are two match-all miss flows, one for unicast dst mac and
* one for multicast.
@@ -3731,6 +3732,11 @@ int mlx5_devlink_eswitch_mode_set(struct devlink *devlink, u16 mode,
if (IS_ERR(esw))
return PTR_ERR(esw);
+ if (mlx5_fw_reset_in_progress(esw->dev)) {
+ NL_SET_ERR_MSG_MOD(extack, "Can't change eswitch mode during firmware reset");
+ return -EBUSY;
+ }
+
if (esw_mode_from_devlink(mode, &mlx5_mode))
return -EINVAL;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
index ad4d17a243de9..1411513da66b2 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
@@ -15,6 +15,7 @@ enum {
MLX5_FW_RESET_FLAGS_DROP_NEW_REQUESTS,
MLX5_FW_RESET_FLAGS_RELOAD_REQUIRED,
MLX5_FW_RESET_FLAGS_UNLOAD_EVENT,
+ MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS,
};
struct mlx5_fw_reset {
@@ -126,6 +127,16 @@ int mlx5_fw_reset_query(struct mlx5_core_dev *dev, u8 *reset_level, u8 *reset_ty
return mlx5_reg_mfrl_query(dev, reset_level, reset_type, NULL, NULL);
}
+bool mlx5_fw_reset_in_progress(struct mlx5_core_dev *dev)
+{
+ struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
+
+ if (!fw_reset)
+ return false;
+
+ return test_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
+}
+
static int mlx5_fw_reset_get_reset_method(struct mlx5_core_dev *dev,
u8 *reset_method)
{
@@ -241,6 +252,8 @@ static void mlx5_fw_reset_complete_reload(struct mlx5_core_dev *dev)
BIT(DEVLINK_RELOAD_ACTION_FW_ACTIVATE));
devl_unlock(devlink);
}
+
+ clear_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
}
static void mlx5_stop_sync_reset_poll(struct mlx5_core_dev *dev)
@@ -456,27 +469,48 @@ static void mlx5_sync_reset_request_event(struct work_struct *work)
struct mlx5_fw_reset *fw_reset = container_of(work, struct mlx5_fw_reset,
reset_request_work);
struct mlx5_core_dev *dev = fw_reset->dev;
+ bool nack_request = false;
+ struct devlink *devlink;
int err;
err = mlx5_fw_reset_get_reset_method(dev, &fw_reset->reset_method);
- if (err)
+ if (err) {
+ nack_request = true;
mlx5_core_warn(dev, "Failed reading MFRL, err %d\n", err);
+ } else if (!mlx5_is_reset_now_capable(dev, fw_reset->reset_method) ||
+ test_bit(MLX5_FW_RESET_FLAGS_NACK_RESET_REQUEST,
+ &fw_reset->reset_flags)) {
+ nack_request = true;
+ }
- if (err || test_bit(MLX5_FW_RESET_FLAGS_NACK_RESET_REQUEST, &fw_reset->reset_flags) ||
- !mlx5_is_reset_now_capable(dev, fw_reset->reset_method)) {
+ devlink = priv_to_devlink(dev);
+ /* For external resets, try to acquire devl_lock. Skip if devlink reset is
+ * pending (lock already held)
+ */
+ if (nack_request ||
+ (!test_bit(MLX5_FW_RESET_FLAGS_PENDING_COMP,
+ &fw_reset->reset_flags) &&
+ !devl_trylock(devlink))) {
err = mlx5_fw_reset_set_reset_sync_nack(dev);
mlx5_core_warn(dev, "PCI Sync FW Update Reset Nack %s",
err ? "Failed" : "Sent");
return;
}
+
if (mlx5_sync_reset_set_reset_requested(dev))
- return;
+ goto unlock;
+
+ set_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
err = mlx5_fw_reset_set_reset_sync_ack(dev);
if (err)
mlx5_core_warn(dev, "PCI Sync FW Update Reset Ack Failed. Error code: %d\n", err);
else
mlx5_core_warn(dev, "PCI Sync FW Update Reset Ack. Device reset is expected.\n");
+
+unlock:
+ if (!test_bit(MLX5_FW_RESET_FLAGS_PENDING_COMP, &fw_reset->reset_flags))
+ devl_unlock(devlink);
}
static int mlx5_pci_link_toggle(struct mlx5_core_dev *dev, u16 dev_id)
@@ -710,6 +744,8 @@ static void mlx5_sync_reset_abort_event(struct work_struct *work)
if (mlx5_sync_reset_clear_reset_requested(dev, true))
return;
+
+ clear_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
mlx5_core_warn(dev, "PCI Sync FW Update Reset Aborted.\n");
}
@@ -746,6 +782,7 @@ static void mlx5_sync_reset_timeout_work(struct work_struct *work)
if (mlx5_sync_reset_clear_reset_requested(dev, true))
return;
+ clear_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
mlx5_core_warn(dev, "PCI Sync FW Update Reset Timeout.\n");
}
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h
index d5b28525c960d..2d96b2adc1cdf 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h
@@ -10,6 +10,7 @@ int mlx5_fw_reset_query(struct mlx5_core_dev *dev, u8 *reset_level, u8 *reset_ty
int mlx5_fw_reset_set_reset_sync(struct mlx5_core_dev *dev, u8 reset_type_sel,
struct netlink_ext_ack *extack);
int mlx5_fw_reset_set_live_patch(struct mlx5_core_dev *dev);
+bool mlx5_fw_reset_in_progress(struct mlx5_core_dev *dev);
int mlx5_fw_reset_wait_reset_done(struct mlx5_core_dev *dev);
void mlx5_sync_reset_unload_flow(struct mlx5_core_dev *dev, bool locked);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 073/567] net/handshake: duplicate handshake cancellations leak socket
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 072/567] net/mlx5: Serialize firmware reset with devlink Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 074/567] net: enetc: do not transmit redirected XDP frames when the link is down Greg Kroah-Hartman
` (507 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuck Lever, Scott Mayhew,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
[ Upstream commit 15564bd67e2975002f2a8e9defee33e321d3183f ]
When a handshake request is cancelled it is removed from the
handshake_net->hn_requests list, but it is still present in the
handshake_rhashtbl until it is destroyed.
If a second cancellation request arrives for the same handshake request,
then remove_pending() will return false... and assuming
HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue
processing through the out_true label, where we put another reference on
the sock and a refcount underflow occurs.
This can happen for example if a handshake times out - particularly if
the SUNRPC client sends the AUTH_TLS probe to the server but doesn't
follow it up with the ClientHello due to a problem with tlshd. When the
timeout is hit on the server, the server will send a FIN, which triggers
a cancellation request via xs_reset_transport(). When the timeout is
hit on the client, another cancellation request happens via
xs_tls_handshake_sync().
Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel
path so duplicate cancels can be detected.
Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
Suggested-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Link: https://patch.msgid.link/20251209193015.3032058-1-smayhew@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/handshake/request.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 94d5cef3e048b..0ac126b0add60 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -325,7 +325,11 @@ bool handshake_req_cancel(struct sock *sk)
hn = handshake_pernet(net);
if (hn && remove_pending(hn, req)) {
- /* Request hadn't been accepted */
+ /* Request hadn't been accepted - mark cancelled */
+ if (test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED, &req->hr_flags)) {
+ trace_handshake_cancel_busy(net, req, sk);
+ return false;
+ }
goto out_true;
}
if (test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED, &req->hr_flags)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 074/567] net: enetc: do not transmit redirected XDP frames when the link is down
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 073/567] net/handshake: duplicate handshake cancellations leak socket Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 075/567] net: hns3: using the num_tqps in the vf driver to apply for resources Greg Kroah-Hartman
` (506 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Fang, Frank Li, Hariprasad Kelam,
Vladimir Oltean, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 2939203ffee818f1e5ebd60bbb85a174d63aab9c ]
In the current implementation, the enetc_xdp_xmit() always transmits
redirected XDP frames even if the link is down, but the frames cannot
be transmitted from TX BD rings when the link is down, so the frames
are still kept in the TX BD rings. If the XDP program is uninstalled,
users will see the following warning logs.
fsl_enetc 0000:00:00.0 eno0: timeout for tx ring #6 clear
More worse, the TX BD ring cannot work properly anymore, because the
HW PIR and CIR are not equal after the re-initialization of the TX
BD ring. At this point, the BDs between CIR and PIR are invalid,
which will cause a hardware malfunction.
Another reason is that there is internal context in the ring prefetch
logic that will retain the state from the first incarnation of the ring
and continue prefetching from the stale location when we re-initialize
the ring. The internal context is only reset by an FLR. That is to say,
for LS1028A ENETC, software cannot set the HW CIR and PIR when
initializing the TX BD ring.
It does not make sense to transmit redirected XDP frames when the link is
down. Add a link status check to prevent transmission in this condition.
This fixes part of the issue, but more complex cases remain. For example,
the TX BD ring may still contain unsent frames when the link goes down.
Those situations require additional patches, which will build on this
one.
Fixes: 9d2b68cc108d ("net: enetc: add support for XDP_REDIRECT")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20251211020919.121113-1-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/enetc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
index 749b65aab14a9..c58e44144c2fa 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc.c
@@ -1429,7 +1429,8 @@ int enetc_xdp_xmit(struct net_device *ndev, int num_frames,
int xdp_tx_bd_cnt, i, k;
int xdp_tx_frm_cnt = 0;
- if (unlikely(test_bit(ENETC_TX_DOWN, &priv->flags)))
+ if (unlikely(test_bit(ENETC_TX_DOWN, &priv->flags) ||
+ !netif_carrier_ok(ndev)))
return -ENETDOWN;
enetc_lock_mdio();
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 075/567] net: hns3: using the num_tqps in the vf driver to apply for resources
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 074/567] net: enetc: do not transmit redirected XDP frames when the link is down Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 076/567] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Greg Kroah-Hartman
` (505 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit c2a16269742e176fccdd0ef9c016a233491a49ad ]
Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp
is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to
min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller
than hdev->num_tqps, which causes some hdev->htqp[i] to remain
uninitialized in hclgevf_knic_setup().
Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,
ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent
and that all elements are properly initialized.
Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-2-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
index e8573358309ca..0bf8fc7e6b3a8 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
@@ -370,12 +370,12 @@ static int hclgevf_knic_setup(struct hclgevf_dev *hdev)
new_tqps = kinfo->rss_size * num_tc;
kinfo->num_tqps = min(new_tqps, hdev->num_tqps);
- kinfo->tqp = devm_kcalloc(&hdev->pdev->dev, kinfo->num_tqps,
+ kinfo->tqp = devm_kcalloc(&hdev->pdev->dev, hdev->num_tqps,
sizeof(struct hnae3_queue *), GFP_KERNEL);
if (!kinfo->tqp)
return -ENOMEM;
- for (i = 0; i < kinfo->num_tqps; i++) {
+ for (i = 0; i < hdev->num_tqps; i++) {
hdev->htqp[i].q.handle = &hdev->nic;
hdev->htqp[i].q.tqp_index = i;
kinfo->tqp[i] = &hdev->htqp[i].q;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 076/567] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 075/567] net: hns3: using the num_tqps in the vf driver to apply for resources Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 077/567] net: hns3: add VLAN id validation before using Greg Kroah-Hartman
` (504 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit d180c11aa8a6fa735f9ac2c72c61364a9afc2ba7 ]
Currently, rss_size = num_tqps / tc_num. If tc_num is 1, then num_tqps
equals rss_size. However, if the tc_num is greater than 1, then rss_size
will be less than num_tqps, causing the tqp_index check for subsequent TCs
using rss_size to always fail.
This patch uses the num_tqps to check whether tqp_index is out of range,
instead of rss_size.
Fixes: 326334aad024 ("net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx()")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-3-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index 59c863306657f..9eab095d784bd 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -193,10 +193,10 @@ static int hclge_get_ring_chain_from_mbx(
return -EINVAL;
for (i = 0; i < ring_num; i++) {
- if (req->msg.param[i].tqp_index >= vport->nic.kinfo.rss_size) {
+ if (req->msg.param[i].tqp_index >= vport->nic.kinfo.num_tqps) {
dev_err(&hdev->pdev->dev, "tqp index(%u) is out of range(0-%u)\n",
req->msg.param[i].tqp_index,
- vport->nic.kinfo.rss_size - 1U);
+ vport->nic.kinfo.num_tqps - 1U);
return -EINVAL;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 077/567] net: hns3: add VLAN id validation before using
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 076/567] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 078/567] hwmon: (dell-smm) Limit fan multiplier to avoid overflow Greg Kroah-Hartman
` (503 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit 6ef935e65902bfed53980ad2754b06a284ea8ac1 ]
Currently, the VLAN id may be used without validation when
receive a VLAN configuration mailbox from VF. The length of
vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause
out-of-bounds memory access once the VLAN id is bigger than
or equal to VLAN_N_VID.
Therefore, VLAN id needs to be checked to ensure it is within
the range of VLAN_N_VID.
Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-4-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index f5eafd1ded413..8dd970ef02ac6 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -10572,6 +10572,9 @@ int hclge_set_vlan_filter(struct hnae3_handle *handle, __be16 proto,
bool writen_to_tbl = false;
int ret = 0;
+ if (vlan_id >= VLAN_N_VID)
+ return -EINVAL;
+
/* When device is resetting or reset failed, firmware is unable to
* handle mailbox. Just record the vlan id, and remove it after
* reset finished.
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 078/567] hwmon: (dell-smm) Limit fan multiplier to avoid overflow
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 077/567] net: hns3: add VLAN id validation before using Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 079/567] hwmon: (ibmpex) fix use-after-free in high/low store Greg Kroah-Hartman
` (502 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Sergeev, Guenter Roeck,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Sergeev <denserg.edu@gmail.com>
[ Upstream commit 46c28bbbb150b80827e4bcbea231560af9d16854 ]
The fan nominal speed returned by SMM is limited to 16 bits, but the
driver allows the fan multiplier to be set via a module parameter.
Clamp the computed fan multiplier so that fan_nominal_speed *
i8k_fan_mult always fits into a signed 32-bit integer and refuse to
initialize the driver if the value is too large.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 20bdeebc88269 ("hwmon: (dell-smm) Introduce helper function for data init")
Signed-off-by: Denis Sergeev <denserg.edu@gmail.com>
Link: https://lore.kernel.org/r/20251209063706.49008-1-denserg.edu@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/dell-smm-hwmon.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
index f73f46193748..9df78861f5f8 100644
--- a/drivers/hwmon/dell-smm-hwmon.c
+++ b/drivers/hwmon/dell-smm-hwmon.c
@@ -75,6 +75,9 @@
#define DELL_SMM_NO_TEMP 10
#define DELL_SMM_NO_FANS 4
+/* limit fan multiplier to avoid overflow */
+#define DELL_SMM_MAX_FAN_MULT (INT_MAX / U16_MAX)
+
struct smm_regs {
unsigned int eax;
unsigned int ebx;
@@ -1203,6 +1206,12 @@ static int dell_smm_init_data(struct device *dev, const struct dell_smm_ops *ops
data->ops = ops;
/* All options must not be 0 */
data->i8k_fan_mult = fan_mult ? : I8K_FAN_MULT;
+ if (data->i8k_fan_mult > DELL_SMM_MAX_FAN_MULT) {
+ dev_err(dev,
+ "fan multiplier %u is too large (max %u)\n",
+ data->i8k_fan_mult, DELL_SMM_MAX_FAN_MULT);
+ return -EINVAL;
+ }
data->i8k_fan_max = fan_max ? : I8K_FAN_HIGH;
data->i8k_pwm_mult = DIV_ROUND_UP(255, data->i8k_fan_max);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 079/567] hwmon: (ibmpex) fix use-after-free in high/low store
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 078/567] hwmon: (dell-smm) Limit fan multiplier to avoid overflow Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 080/567] hwmon: (tmp401) fix overflow caused by default conversion rate value Greg Kroah-Hartman
` (501 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Guenter Roeck, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d ]
The ibmpex_high_low_store() function retrieves driver data using
dev_get_drvdata() and uses it without validation. This creates a race
condition where the sysfs callback can be invoked after the data
structure is freed, leading to use-after-free.
Fix by adding a NULL check after dev_get_drvdata(), and reordering
operations in the deletion path to prevent TOCTOU.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://lore.kernel.org/r/MEYPR01MB7886BE2F51BFE41875B74B60AFA0A@MEYPR01MB7886.ausprd01.prod.outlook.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/ibmpex.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c
index 228c5f6c6f38..129f3a9e8fe9 100644
--- a/drivers/hwmon/ibmpex.c
+++ b/drivers/hwmon/ibmpex.c
@@ -277,6 +277,9 @@ static ssize_t ibmpex_high_low_store(struct device *dev,
{
struct ibmpex_bmc_data *data = dev_get_drvdata(dev);
+ if (!data)
+ return -ENODEV;
+
ibmpex_reset_high_low_data(data);
return count;
@@ -508,6 +511,9 @@ static void ibmpex_bmc_delete(struct ibmpex_bmc_data *data)
{
int i, j;
+ hwmon_device_unregister(data->hwmon_dev);
+ dev_set_drvdata(data->bmc_device, NULL);
+
device_remove_file(data->bmc_device,
&sensor_dev_attr_reset_high_low.dev_attr);
device_remove_file(data->bmc_device, &dev_attr_name.attr);
@@ -521,8 +527,7 @@ static void ibmpex_bmc_delete(struct ibmpex_bmc_data *data)
}
list_del(&data->list);
- dev_set_drvdata(data->bmc_device, NULL);
- hwmon_device_unregister(data->hwmon_dev);
+
ipmi_destroy_user(data->user);
kfree(data->sensors);
kfree(data);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 080/567] hwmon: (tmp401) fix overflow caused by default conversion rate value
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 079/567] hwmon: (ibmpex) fix use-after-free in high/low store Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 081/567] drm/me/gsc: mei interrupt top half should be in irq disabled context Greg Kroah-Hartman
` (500 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Simakov, Guenter Roeck,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Simakov <bigalex934@gmail.com>
[ Upstream commit 82f2aab35a1ab2e1460de06ef04c726460aed51c ]
The driver computes conversion intervals using the formula:
interval = (1 << (7 - rate)) * 125ms
where 'rate' is the sensor's conversion rate register value. According to
the datasheet, the power-on reset value of this register is 0x8, which
could be assigned to the register, after handling i2c general call.
Using this default value causes a result greater than the bit width of
left operand and an undefined behaviour in the calculation above, since
shifting by values larger than the bit width is undefined behaviour as
per C language standard.
Limit the maximum usable 'rate' value to 7 to prevent undefined
behaviour in calculations.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Note (groeck):
This does not matter in practice unless someone overwrites the chip
configuration from outside the driver while the driver is loaded.
The conversion time register is initialized with a value of 5 (500ms)
when the driver is loaded, and the driver never writes a bad value.
Fixes: ca53e7640de7 ("hwmon: (tmp401) Convert to _info API")
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Link: https://lore.kernel.org/r/20251211164342.6291-1-bigalex934@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/tmp401.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/tmp401.c b/drivers/hwmon/tmp401.c
index 02c5a3bb1071..84aaf817144c 100644
--- a/drivers/hwmon/tmp401.c
+++ b/drivers/hwmon/tmp401.c
@@ -401,7 +401,7 @@ static int tmp401_chip_read(struct device *dev, u32 attr, int channel, long *val
ret = regmap_read(data->regmap, TMP401_CONVERSION_RATE, ®val);
if (ret < 0)
return ret;
- *val = (1 << (7 - regval)) * 125;
+ *val = (1 << (7 - min(regval, 7))) * 125;
break;
case hwmon_chip_temp_reset_history:
*val = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 081/567] drm/me/gsc: mei interrupt top half should be in irq disabled context
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 080/567] hwmon: (tmp401) fix overflow caused by default conversion rate value Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 082/567] drm/xe: Restore engine registers before restarting schedulers after GT reset Greg Kroah-Hartman
` (499 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baoli Zhang, Junxiao Chang,
Sebastian Andrzej Siewior, Matthew Brost, Maarten Lankhorst,
Thomas Hellström, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxiao Chang <junxiao.chang@intel.com>
[ Upstream commit 17445af7dcc7d645b6fb8951fd10c8b72cc7f23f ]
MEI GSC interrupt comes from i915 or xe driver. It has top half and
bottom half. Top half is called from i915/xe interrupt handler. It
should be in irq disabled context.
With RT kernel(PREEMPT_RT enabled), by default IRQ handler is in
threaded IRQ. MEI GSC top half might be in threaded IRQ context.
generic_handle_irq_safe API could be called from either IRQ or
process context, it disables local IRQ then calls MEI GSC interrupt
top half.
This change fixes B580 GPU boot issue with RT enabled.
Fixes: e02cea83d32d ("drm/xe/gsc: add Battlemage support")
Tested-by: Baoli Zhang <baoli.zhang@intel.com>
Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20251107033152.834960-1-junxiao.chang@intel.com
Signed-off-by: Maarten Lankhorst <dev@lankhorst.se>
(cherry picked from commit 3efadf028783a49ab2941294187c8b6dd86bf7da)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_heci_gsc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_heci_gsc.c b/drivers/gpu/drm/xe/xe_heci_gsc.c
index 65b2e147c4b9..894a6bd33285 100644
--- a/drivers/gpu/drm/xe/xe_heci_gsc.c
+++ b/drivers/gpu/drm/xe/xe_heci_gsc.c
@@ -230,7 +230,7 @@ void xe_heci_gsc_irq_handler(struct xe_device *xe, u32 iir)
if (xe->heci_gsc.irq < 0)
return;
- ret = generic_handle_irq(xe->heci_gsc.irq);
+ ret = generic_handle_irq_safe(xe->heci_gsc.irq);
if (ret)
drm_err_ratelimited(&xe->drm, "error handling GSC irq: %d\n", ret);
}
@@ -250,7 +250,7 @@ void xe_heci_csc_irq_handler(struct xe_device *xe, u32 iir)
if (xe->heci_gsc.irq < 0)
return;
- ret = generic_handle_irq(xe->heci_gsc.irq);
+ ret = generic_handle_irq_safe(xe->heci_gsc.irq);
if (ret)
drm_err_ratelimited(&xe->drm, "error handling GSC irq: %d\n", ret);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 082/567] drm/xe: Restore engine registers before restarting schedulers after GT reset
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 081/567] drm/me/gsc: mei interrupt top half should be in irq disabled context Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 083/567] MIPS: Fix a reference leak bug in ip22_check_gio() Greg Kroah-Hartman
` (498 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Maslak, Jonathan Cavitt,
Matthew Brost, Thomas Hellström, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Maslak <jan.maslak@intel.com>
[ Upstream commit eed5b815fa49c17d513202f54e980eb91955d3ed ]
During GT reset recovery in do_gt_restart(), xe_uc_start() was called
before xe_reg_sr_apply_mmio() restored engine-specific registers. This
created a race window where the scheduler could run jobs before hardware
state was fully restored.
This caused failures in eudebug tests (xe_exec_sip_eudebug@breakpoint-
waitsip-*) where TD_CTL register (containing TD_CTL_GLOBAL_DEBUG_ENABLE)
wasn't restored before jobs started executing. Breakpoints would fail to
trigger SIP entry because the debug enable bit wasn't set yet.
Fix by moving xe_uc_start() after all MMIO register restoration,
including engine registers and CCS mode configuration, ensuring all
hardware state is fully restored before any jobs can be scheduled.
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Signed-off-by: Jan Maslak <jan.maslak@intel.com>
Reviewed-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20251210145618.169625-2-jan.maslak@intel.com
(cherry picked from commit 825aed0328588b2837636c1c5a0c48795d724617)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_gt.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/xe/xe_gt.c b/drivers/gpu/drm/xe/xe_gt.c
index de011f5629fd..292947e44a8a 100644
--- a/drivers/gpu/drm/xe/xe_gt.c
+++ b/drivers/gpu/drm/xe/xe_gt.c
@@ -721,9 +721,6 @@ static int do_gt_restart(struct xe_gt *gt)
xe_gt_sriov_pf_init_hw(gt);
xe_mocs_init(gt);
- err = xe_uc_start(>->uc);
- if (err)
- return err;
for_each_hw_engine(hwe, gt, id) {
xe_reg_sr_apply_mmio(&hwe->reg_sr, gt);
@@ -733,6 +730,10 @@ static int do_gt_restart(struct xe_gt *gt)
/* Get CCS mode in sync between sw/hw */
xe_gt_apply_ccs_mode(gt);
+ err = xe_uc_start(>->uc);
+ if (err)
+ return err;
+
/* Restore GT freq to expected values */
xe_gt_sanitize_freq(gt);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 083/567] MIPS: Fix a reference leak bug in ip22_check_gio()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 082/567] drm/xe: Restore engine registers before restarting schedulers after GT reset Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 084/567] drm/panel: sony-td4353-jdi: Enable prepare_prev_first Greg Kroah-Hartman
` (497 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Thomas Bogendoerfer,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
[ Upstream commit 680ad315caaa2860df411cb378bf3614d96c7648 ]
If gio_device_register fails, gio_dev_put() is required to
drop the gio_dev device reference.
Fixes: e84de0c61905 ("MIPS: GIO bus support for SGI IP22/28")
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/sgi-ip22/ip22-gio.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/mips/sgi-ip22/ip22-gio.c b/arch/mips/sgi-ip22/ip22-gio.c
index d20eec742bfa..f6e66c858e69 100644
--- a/arch/mips/sgi-ip22/ip22-gio.c
+++ b/arch/mips/sgi-ip22/ip22-gio.c
@@ -373,7 +373,8 @@ static void ip22_check_gio(int slotno, unsigned long addr, int irq)
gio_dev->resource.flags = IORESOURCE_MEM;
gio_dev->irq = irq;
dev_set_name(&gio_dev->dev, "%d", slotno);
- gio_device_register(gio_dev);
+ if (gio_device_register(gio_dev))
+ gio_dev_put(gio_dev);
} else
printk(KERN_INFO "GIO: slot %d : Empty\n", slotno);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 084/567] drm/panel: sony-td4353-jdi: Enable prepare_prev_first
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 083/567] MIPS: Fix a reference leak bug in ip22_check_gio() Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 085/567] x86/xen: Move Xen upcall handler Greg Kroah-Hartman
` (496 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marijn Suijten, Douglas Anderson,
AngeloGioacchino Del Regno, Martin Botka, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marijn Suijten <marijn.suijten@somainline.org>
[ Upstream commit 2b973ca48ff3ef1952091c8f988d7796781836c8 ]
The DSI host must be enabled before our prepare function can run, which
has to send its init sequence over DSI. Without enabling the host first
the panel will not probe.
Fixes: 9e15123eca79 ("drm/msm/dsi: Stop unconditionally powering up DSI hosts at modeset")
Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Martin Botka <martin.botka@somainline.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20251130-sony-akari-fix-panel-v1-1-1d27c60a55f5@somainline.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-sony-td4353-jdi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/panel/panel-sony-td4353-jdi.c b/drivers/gpu/drm/panel/panel-sony-td4353-jdi.c
index 472195d4bbbe..9ac3e0759efc 100644
--- a/drivers/gpu/drm/panel/panel-sony-td4353-jdi.c
+++ b/drivers/gpu/drm/panel/panel-sony-td4353-jdi.c
@@ -274,6 +274,8 @@ static int sony_td4353_jdi_probe(struct mipi_dsi_device *dsi)
if (ret)
return dev_err_probe(dev, ret, "Failed to get backlight\n");
+ ctx->panel.prepare_prev_first = true;
+
drm_panel_add(&ctx->panel);
ret = mipi_dsi_attach(dsi);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 085/567] x86/xen: Move Xen upcall handler
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 084/567] drm/panel: sony-td4353-jdi: Enable prepare_prev_first Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 086/567] x86/xen: Fix sparse warning in enlighten_pv.c Greg Kroah-Hartman
` (495 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Gerst, Ingo Molnar,
Juergen Gross, Sohil Mehta, Andy Lutomirski, H. Peter Anvin,
Linus Torvalds, Josh Poimboeuf, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Gerst <brgerst@gmail.com>
[ Upstream commit 1ab7b5ed44ba9bce581e225f40219b793bc779d6 ]
Move the upcall handler to Xen-specific files.
No functional changes.
Signed-off-by: Brian Gerst <brgerst@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Link: https://lore.kernel.org/r/20250314151220.862768-2-brgerst@gmail.com
Stable-dep-of: e5aff444e3a7 ("x86/xen: Fix sparse warning in enlighten_pv.c")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/entry/common.c | 72 -------------------------------------
arch/x86/xen/enlighten_pv.c | 69 +++++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+), 72 deletions(-)
diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
index 51efd2da4d7f..7b9321c48a90 100644
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -21,11 +21,6 @@
#include <linux/uaccess.h>
#include <linux/init.h>
-#ifdef CONFIG_XEN_PV
-#include <xen/xen-ops.h>
-#include <xen/events.h>
-#endif
-
#include <asm/apic.h>
#include <asm/desc.h>
#include <asm/traps.h>
@@ -454,70 +449,3 @@ SYSCALL_DEFINE0(ni_syscall)
{
return -ENOSYS;
}
-
-#ifdef CONFIG_XEN_PV
-#ifndef CONFIG_PREEMPTION
-/*
- * Some hypercalls issued by the toolstack can take many 10s of
- * seconds. Allow tasks running hypercalls via the privcmd driver to
- * be voluntarily preempted even if full kernel preemption is
- * disabled.
- *
- * Such preemptible hypercalls are bracketed by
- * xen_preemptible_hcall_begin() and xen_preemptible_hcall_end()
- * calls.
- */
-DEFINE_PER_CPU(bool, xen_in_preemptible_hcall);
-EXPORT_SYMBOL_GPL(xen_in_preemptible_hcall);
-
-/*
- * In case of scheduling the flag must be cleared and restored after
- * returning from schedule as the task might move to a different CPU.
- */
-static __always_inline bool get_and_clear_inhcall(void)
-{
- bool inhcall = __this_cpu_read(xen_in_preemptible_hcall);
-
- __this_cpu_write(xen_in_preemptible_hcall, false);
- return inhcall;
-}
-
-static __always_inline void restore_inhcall(bool inhcall)
-{
- __this_cpu_write(xen_in_preemptible_hcall, inhcall);
-}
-#else
-static __always_inline bool get_and_clear_inhcall(void) { return false; }
-static __always_inline void restore_inhcall(bool inhcall) { }
-#endif
-
-static void __xen_pv_evtchn_do_upcall(struct pt_regs *regs)
-{
- struct pt_regs *old_regs = set_irq_regs(regs);
-
- inc_irq_stat(irq_hv_callback_count);
-
- xen_evtchn_do_upcall();
-
- set_irq_regs(old_regs);
-}
-
-__visible noinstr void xen_pv_evtchn_do_upcall(struct pt_regs *regs)
-{
- irqentry_state_t state = irqentry_enter(regs);
- bool inhcall;
-
- instrumentation_begin();
- run_sysvec_on_irqstack_cond(__xen_pv_evtchn_do_upcall, regs);
-
- inhcall = get_and_clear_inhcall();
- if (inhcall && !WARN_ON_ONCE(state.exit_rcu)) {
- irqentry_exit_cond_resched();
- instrumentation_end();
- restore_inhcall(inhcall);
- } else {
- instrumentation_end();
- irqentry_exit(regs, state);
- }
-}
-#endif /* CONFIG_XEN_PV */
diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
index e033d5594265..6e9d1b287f8e 100644
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -72,6 +72,7 @@
#include <asm/mwait.h>
#include <asm/pci_x86.h>
#include <asm/cpu.h>
+#include <asm/irq_stack.h>
#ifdef CONFIG_X86_IOPL_IOPERM
#include <asm/io_bitmap.h>
#endif
@@ -93,6 +94,44 @@ void *xen_initial_gdt;
static int xen_cpu_up_prepare_pv(unsigned int cpu);
static int xen_cpu_dead_pv(unsigned int cpu);
+#ifndef CONFIG_PREEMPTION
+/*
+ * Some hypercalls issued by the toolstack can take many 10s of
+ * seconds. Allow tasks running hypercalls via the privcmd driver to
+ * be voluntarily preempted even if full kernel preemption is
+ * disabled.
+ *
+ * Such preemptible hypercalls are bracketed by
+ * xen_preemptible_hcall_begin() and xen_preemptible_hcall_end()
+ * calls.
+ */
+DEFINE_PER_CPU(bool, xen_in_preemptible_hcall);
+EXPORT_SYMBOL_GPL(xen_in_preemptible_hcall);
+
+/*
+ * In case of scheduling the flag must be cleared and restored after
+ * returning from schedule as the task might move to a different CPU.
+ */
+static __always_inline bool get_and_clear_inhcall(void)
+{
+ bool inhcall = __this_cpu_read(xen_in_preemptible_hcall);
+
+ __this_cpu_write(xen_in_preemptible_hcall, false);
+ return inhcall;
+}
+
+static __always_inline void restore_inhcall(bool inhcall)
+{
+ __this_cpu_write(xen_in_preemptible_hcall, inhcall);
+}
+
+#else
+
+static __always_inline bool get_and_clear_inhcall(void) { return false; }
+static __always_inline void restore_inhcall(bool inhcall) { }
+
+#endif
+
struct tls_descs {
struct desc_struct desc[3];
};
@@ -686,6 +725,36 @@ DEFINE_IDTENTRY_RAW(xenpv_exc_machine_check)
}
#endif
+static void __xen_pv_evtchn_do_upcall(struct pt_regs *regs)
+{
+ struct pt_regs *old_regs = set_irq_regs(regs);
+
+ inc_irq_stat(irq_hv_callback_count);
+
+ xen_evtchn_do_upcall();
+
+ set_irq_regs(old_regs);
+}
+
+__visible noinstr void xen_pv_evtchn_do_upcall(struct pt_regs *regs)
+{
+ irqentry_state_t state = irqentry_enter(regs);
+ bool inhcall;
+
+ instrumentation_begin();
+ run_sysvec_on_irqstack_cond(__xen_pv_evtchn_do_upcall, regs);
+
+ inhcall = get_and_clear_inhcall();
+ if (inhcall && !WARN_ON_ONCE(state.exit_rcu)) {
+ irqentry_exit_cond_resched();
+ instrumentation_end();
+ restore_inhcall(inhcall);
+ } else {
+ instrumentation_end();
+ irqentry_exit(regs, state);
+ }
+}
+
struct trap_array_entry {
void (*orig)(void);
void (*xen)(void);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 086/567] x86/xen: Fix sparse warning in enlighten_pv.c
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 085/567] x86/xen: Move Xen upcall handler Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 087/567] arm64: kdump: Fix elfcorehdr overlap caused by reserved memory processing reorder Greg Kroah-Hartman
` (494 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Boris Ostrovsky,
Juergen Gross, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
[ Upstream commit e5aff444e3a7bdeef5ea796a2099fc3c60a070fa ]
The sparse tool issues a warning for arch/x76/xen/enlighten_pv.c:
arch/x86/xen/enlighten_pv.c:120:9: sparse: sparse: incorrect type
in initializer (different address spaces)
expected void const [noderef] __percpu *__vpp_verify
got bool *
This is due to the percpu variable xen_in_preemptible_hcall being
exported via EXPORT_SYMBOL_GPL() instead of EXPORT_PER_CPU_SYMBOL_GPL().
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202512140856.Ic6FetG6-lkp@intel.com/
Fixes: fdfd811ddde3 ("x86/xen: allow privcmd hypercalls to be preempted")
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20251215115112.15072-1-jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/enlighten_pv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
index 6e9d1b287f8e..bf750cd599b2 100644
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -106,7 +106,7 @@ static int xen_cpu_dead_pv(unsigned int cpu);
* calls.
*/
DEFINE_PER_CPU(bool, xen_in_preemptible_hcall);
-EXPORT_SYMBOL_GPL(xen_in_preemptible_hcall);
+EXPORT_PER_CPU_SYMBOL_GPL(xen_in_preemptible_hcall);
/*
* In case of scheduling the flag must be cleared and restored after
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 087/567] arm64: kdump: Fix elfcorehdr overlap caused by reserved memory processing reorder
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 086/567] x86/xen: Fix sparse warning in enlighten_pv.c Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 088/567] spi: cadence-quadspi: Fix clock disable on probe failure path Greg Kroah-Hartman
` (493 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianpeng Chang, Rob Herring (Arm),
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
[ Upstream commit 3e8ade58b71b48913d21b647b2089e03e81f117e ]
Commit 8a6e02d0c00e ("of: reserved_mem: Restructure how the reserved
memory regions are processed") changed the processing order of reserved
memory regions, causing elfcorehdr to overlap with dynamically allocated
reserved memory regions during kdump kernel boot.
The issue occurs because:
1. kexec-tools allocates elfcorehdr in the last crashkernel reserved
memory region and passes it to the second kernel
2. The problematic commit moved dynamic reserved memory allocation
(like bman-fbpr) to occur during fdt_scan_reserved_mem(), before
elfcorehdr reservation in fdt_reserve_elfcorehdr()
3. bman-fbpr with 16MB alignment requirement can get allocated at
addresses that overlap with the elfcorehdr location
4. When fdt_reserve_elfcorehdr() tries to reserve elfcorehdr memory,
overlap detection identifies the conflict and skips reservation
5. kdump kernel fails with "Unable to handle kernel paging request"
because elfcorehdr memory is not properly reserved
The boot log:
Before 8a6e02d0c00e:
OF: fdt: Reserving 1 KiB of memory at 0xf4fff000 for elfcorehdr
OF: reserved mem: 0xf3000000..0xf3ffffff bman-fbpr
After 8a6e02d0c00e:
OF: reserved mem: 0xf4000000..0xf4ffffff bman-fbpr
OF: fdt: elfcorehdr is overlapped
Fix this by ensuring elfcorehdr reservation occurs before dynamic
reserved memory allocation.
Fixes: 8a6e02d0c00e ("of: reserved_mem: Restructure how the reserved memory regions are processed")
Signed-off-by: Jianpeng Chang <jianpeng.chang.cn@windriver.com>
Link: https://patch.msgid.link/20251205015934.700016-1-jianpeng.chang.cn@windriver.com
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/of/fdt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
index 8c80f4dc8b3f..0940955d3701 100644
--- a/drivers/of/fdt.c
+++ b/drivers/of/fdt.c
@@ -501,8 +501,8 @@ void __init early_init_fdt_scan_reserved_mem(void)
if (!initial_boot_params)
return;
- fdt_scan_reserved_mem();
fdt_reserve_elfcorehdr();
+ fdt_scan_reserved_mem();
/* Process header /memreserve/ fields */
for (n = 0; ; n++) {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 088/567] spi: cadence-quadspi: Fix clock disable on probe failure path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 087/567] arm64: kdump: Fix elfcorehdr overlap caused by reserved memory processing reorder Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 089/567] block: rnbd-clt: Fix leaked ID in init_dev() Greg Kroah-Hartman
` (492 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anurag Dutta, Nishanth Menon,
Mark Brown, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anurag Dutta <a-dutta@ti.com>
[ Upstream commit 1889dd2081975ce1f6275b06cdebaa8d154847a9 ]
When cqspi_request_mmap_dma() returns -EPROBE_DEFER after runtime PM
is enabled, the error path calls clk_disable_unprepare() on an already
disabled clock, causing an imbalance.
Use pm_runtime_get_sync() to increment the usage counter and resume the
device. This prevents runtime_suspend() from being invoked and causing
a double clock disable.
Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
Signed-off-by: Anurag Dutta <a-dutta@ti.com>
Tested-by: Nishanth Menon <nm@ti.com>
Link: https://patch.msgid.link/20251212072312.2711806-3-a-dutta@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-cadence-quadspi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
index 06e43b184d85..aca3681d32ea 100644
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -1959,7 +1959,9 @@ static int cqspi_probe(struct platform_device *pdev)
probe_reset_failed:
if (cqspi->is_jh7110)
cqspi_jh7110_disable_clk(pdev, cqspi);
- clk_disable_unprepare(cqspi->clk);
+
+ if (pm_runtime_get_sync(&pdev->dev) >= 0)
+ clk_disable_unprepare(cqspi->clk);
probe_clk_failed:
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 089/567] block: rnbd-clt: Fix leaked ID in init_dev()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 088/567] spi: cadence-quadspi: Fix clock disable on probe failure path Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 090/567] drm/xe: Limit num_syncs to prevent oversized allocations Greg Kroah-Hartman
` (491 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Jack Wang,
Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit c9b5645fd8ca10f310e41b07540f98e6a9720f40 ]
If kstrdup() fails in init_dev(), then the newly allocated ID is lost.
Fixes: 64e8a6ece1a5 ("block/rnbd-clt: Dynamically alloc buffer for pathname & blk_symlink_name")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Acked-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/rnbd/rnbd-clt.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/block/rnbd/rnbd-clt.c b/drivers/block/rnbd/rnbd-clt.c
index c34695d2eea7..5be0581c3334 100644
--- a/drivers/block/rnbd/rnbd-clt.c
+++ b/drivers/block/rnbd/rnbd-clt.c
@@ -1424,9 +1424,11 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
goto out_alloc;
}
- ret = ida_alloc_max(&index_ida, (1 << (MINORBITS - RNBD_PART_BITS)) - 1,
- GFP_KERNEL);
- if (ret < 0) {
+ dev->clt_device_id = ida_alloc_max(&index_ida,
+ (1 << (MINORBITS - RNBD_PART_BITS)) - 1,
+ GFP_KERNEL);
+ if (dev->clt_device_id < 0) {
+ ret = dev->clt_device_id;
pr_err("Failed to initialize device '%s' from session %s, allocating idr failed, err: %d\n",
pathname, sess->sessname, ret);
goto out_queues;
@@ -1435,10 +1437,9 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
dev->pathname = kstrdup(pathname, GFP_KERNEL);
if (!dev->pathname) {
ret = -ENOMEM;
- goto out_queues;
+ goto out_ida;
}
- dev->clt_device_id = ret;
dev->sess = sess;
dev->access_mode = access_mode;
dev->nr_poll_queues = nr_poll_queues;
@@ -1454,6 +1455,8 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
return dev;
+out_ida:
+ ida_free(&index_ida, dev->clt_device_id);
out_queues:
kfree(dev->hw_queues);
out_alloc:
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 090/567] drm/xe: Limit num_syncs to prevent oversized allocations
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 089/567] block: rnbd-clt: Fix leaked ID in init_dev() Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 091/567] drm/xe/oa: " Greg Kroah-Hartman
` (490 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Koen Koning, Peter Senna Tschudin,
Matthew Brost, Michal Mrozek, Carl Zhang,
José Roberto de Souza, Lionel Landwerlin, Ivan Briano,
Thomas Hellström, Ashutosh Dixit, Shuicheng Lin, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
[ Upstream commit 8e461304009135270e9ccf2d7e2dfe29daec9b60 ]
The exec and vm_bind ioctl allow userspace to specify an arbitrary
num_syncs value. Without bounds checking, a very large num_syncs
can force an excessively large allocation, leading to kernel warnings
from the page allocator as below.
Introduce DRM_XE_MAX_SYNCS (set to 1024) and reject any request
exceeding this limit.
"
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1217 at mm/page_alloc.c:5124 __alloc_frozen_pages_noprof+0x2f8/0x2180 mm/page_alloc.c:5124
...
Call Trace:
<TASK>
alloc_pages_mpol+0xe4/0x330 mm/mempolicy.c:2416
___kmalloc_large_node+0xd8/0x110 mm/slub.c:4317
__kmalloc_large_node_noprof+0x18/0xe0 mm/slub.c:4348
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x3d4/0x4b0 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
kmalloc_array_noprof include/linux/slab.h:948 [inline]
xe_exec_ioctl+0xa47/0x1e70 drivers/gpu/drm/xe/xe_exec.c:158
drm_ioctl_kernel+0x1f1/0x3e0 drivers/gpu/drm/drm_ioctl.c:797
drm_ioctl+0x5e7/0xc50 drivers/gpu/drm/drm_ioctl.c:894
xe_drm_ioctl+0x10b/0x170 drivers/gpu/drm/xe/xe_device.c:224
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:598 [inline]
__se_sys_ioctl fs/ioctl.c:584 [inline]
__x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:584
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xbb/0x380 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
...
"
v2: Add "Reported-by" and Cc stable kernels.
v3: Change XE_MAX_SYNCS from 64 to 1024. (Matt & Ashutosh)
v4: s/XE_MAX_SYNCS/DRM_XE_MAX_SYNCS/ (Matt)
v5: Do the check at the top of the exec func. (Matt)
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Reported-by: Koen Koning <koen.koning@intel.com>
Reported-by: Peter Senna Tschudin <peter.senna@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6450
Cc: <stable@vger.kernel.org> # v6.12+
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Michal Mrozek <michal.mrozek@intel.com>
Cc: Carl Zhang <carl.zhang@intel.com>
Cc: José Roberto de Souza <jose.souza@intel.com>
Cc: Lionel Landwerlin <lionel.g.landwerlin@intel.com>
Cc: Ivan Briano <ivan.briano@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20251205234715.2476561-5-shuicheng.lin@intel.com
(cherry picked from commit b07bac9bd708ec468cd1b8a5fe70ae2ac9b0a11c)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Stable-dep-of: f8dd66bfb4e1 ("drm/xe/oa: Limit num_syncs to prevent oversized allocations")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_exec.c | 3 ++-
drivers/gpu/drm/xe/xe_vm.c | 3 +++
include/uapi/drm/xe_drm.h | 1 +
3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/xe/xe_exec.c b/drivers/gpu/drm/xe/xe_exec.c
index 31cca938956f..886d03ccf744 100644
--- a/drivers/gpu/drm/xe/xe_exec.c
+++ b/drivers/gpu/drm/xe/xe_exec.c
@@ -125,7 +125,8 @@ int xe_exec_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
if (XE_IOCTL_DBG(xe, args->extensions) ||
XE_IOCTL_DBG(xe, args->pad[0] || args->pad[1] || args->pad[2]) ||
- XE_IOCTL_DBG(xe, args->reserved[0] || args->reserved[1]))
+ XE_IOCTL_DBG(xe, args->reserved[0] || args->reserved[1]) ||
+ XE_IOCTL_DBG(xe, args->num_syncs > DRM_XE_MAX_SYNCS))
return -EINVAL;
q = xe_exec_queue_lookup(xef, args->exec_queue_id);
diff --git a/drivers/gpu/drm/xe/xe_vm.c b/drivers/gpu/drm/xe/xe_vm.c
index 30625ce691fa..79f08337cc27 100644
--- a/drivers/gpu/drm/xe/xe_vm.c
+++ b/drivers/gpu/drm/xe/xe_vm.c
@@ -2829,6 +2829,9 @@ static int vm_bind_ioctl_check_args(struct xe_device *xe,
if (XE_IOCTL_DBG(xe, args->extensions))
return -EINVAL;
+ if (XE_IOCTL_DBG(xe, args->num_syncs > DRM_XE_MAX_SYNCS))
+ return -EINVAL;
+
if (args->num_binds > 1) {
u64 __user *bind_user =
u64_to_user_ptr(args->vector_of_binds);
diff --git a/include/uapi/drm/xe_drm.h b/include/uapi/drm/xe_drm.h
index 4a8a4a63e99c..05f01ad0bfd9 100644
--- a/include/uapi/drm/xe_drm.h
+++ b/include/uapi/drm/xe_drm.h
@@ -1281,6 +1281,7 @@ struct drm_xe_exec {
/** @exec_queue_id: Exec queue ID for the batch buffer */
__u32 exec_queue_id;
+#define DRM_XE_MAX_SYNCS 1024
/** @num_syncs: Amount of struct drm_xe_sync in array. */
__u32 num_syncs;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 091/567] drm/xe/oa: Limit num_syncs to prevent oversized allocations
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 090/567] drm/xe: Limit num_syncs to prevent oversized allocations Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 092/567] hwmon: (ltc4282): Fix reset_history file permissions Greg Kroah-Hartman
` (489 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Brost, Ashutosh Dixit,
Shuicheng Lin, Thomas Hellström, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuicheng Lin <shuicheng.lin@intel.com>
[ Upstream commit f8dd66bfb4e184c71bd26418a00546ebe7f5c17a ]
The OA open parameters did not validate num_syncs, allowing
userspace to pass arbitrarily large values, potentially
leading to excessive allocations.
Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS,
returning -EINVAL when the limit is violated.
v2: use XE_IOCTL_DBG() and drop duplicated check. (Ashutosh)
Fixes: c8507a25cebd ("drm/xe/oa/uapi: Define and parse OA sync properties")
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20251205234715.2476561-6-shuicheng.lin@intel.com
(cherry picked from commit e057b2d2b8d815df3858a87dffafa2af37e5945b)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/xe/xe_oa.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c
index d306ed0a0443..5916187cd78f 100644
--- a/drivers/gpu/drm/xe/xe_oa.c
+++ b/drivers/gpu/drm/xe/xe_oa.c
@@ -1200,6 +1200,9 @@ static int xe_oa_set_no_preempt(struct xe_oa *oa, u64 value,
static int xe_oa_set_prop_num_syncs(struct xe_oa *oa, u64 value,
struct xe_oa_open_param *param)
{
+ if (XE_IOCTL_DBG(oa->xe, value > DRM_XE_MAX_SYNCS))
+ return -EINVAL;
+
param->num_syncs = value;
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 092/567] hwmon: (ltc4282): Fix reset_history file permissions
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 091/567] drm/xe/oa: " Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 093/567] ksmbd: skip lock-range check on equal size to avoid size==0 underflow Greg Kroah-Hartman
` (488 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá, Guenter Roeck,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sá <nuno.sa@analog.com>
[ Upstream commit b3db91c3bfea69a6c6258fea508f25a59c0feb1a ]
The reset_history attributes are write only. Hence don't report them as
readable just to return -EOPNOTSUPP later on.
Fixes: cbc29538dbf7 ("hwmon: Add driver for LTC4282")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20251219-ltc4282-fix-reset-history-v1-1-8eab974c124b@analog.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/ltc4282.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/hwmon/ltc4282.c b/drivers/hwmon/ltc4282.c
index 953dfe2bd166..d98c57918ce3 100644
--- a/drivers/hwmon/ltc4282.c
+++ b/drivers/hwmon/ltc4282.c
@@ -1016,8 +1016,9 @@ static umode_t ltc4282_in_is_visible(const struct ltc4282_state *st, u32 attr)
case hwmon_in_max:
case hwmon_in_min:
case hwmon_in_enable:
- case hwmon_in_reset_history:
return 0644;
+ case hwmon_in_reset_history:
+ return 0200;
default:
return 0;
}
@@ -1036,8 +1037,9 @@ static umode_t ltc4282_curr_is_visible(u32 attr)
return 0444;
case hwmon_curr_max:
case hwmon_curr_min:
- case hwmon_curr_reset_history:
return 0644;
+ case hwmon_curr_reset_history:
+ return 0200;
default:
return 0;
}
@@ -1055,8 +1057,9 @@ static umode_t ltc4282_power_is_visible(u32 attr)
return 0444;
case hwmon_power_max:
case hwmon_power_min:
- case hwmon_power_reset_history:
return 0644;
+ case hwmon_power_reset_history:
+ return 0200;
default:
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 093/567] ksmbd: skip lock-range check on equal size to avoid size==0 underflow
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 092/567] hwmon: (ltc4282): Fix reset_history file permissions Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 094/567] ksmbd: Fix refcount leak when invalid session is found on session lookup Greg Kroah-Hartman
` (487 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianchang Zhao, Zhitong Liu,
Namjae Jeon, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qianchang Zhao <pioooooooooip@gmail.com>
commit 5d510ac31626ed157d2182149559430350cf2104 upstream.
When size equals the current i_size (including 0), the code used to call
check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`
and can underflow for size==0. Skip the equal case.
Cc: stable@vger.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/vfs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -333,6 +333,9 @@ static int check_lock_range(struct file
struct file_lock_context *ctx = locks_inode_context(file_inode(filp));
int error = 0;
+ if (start == end)
+ return 0;
+
if (!ctx || list_empty_careful(&ctx->flc_posix))
return 0;
@@ -839,7 +842,7 @@ int ksmbd_vfs_truncate(struct ksmbd_work
if (size < inode->i_size) {
err = check_lock_range(filp, size,
inode->i_size - 1, WRITE);
- } else {
+ } else if (size > inode->i_size) {
err = check_lock_range(filp, inode->i_size,
size - 1, WRITE);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 094/567] ksmbd: Fix refcount leak when invalid session is found on session lookup
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 093/567] ksmbd: skip lock-range check on equal size to avoid size==0 underflow Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 095/567] ksmbd: fix buffer validation by including null terminator size in EA length Greg Kroah-Hartman
` (486 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre, Stanislas Polu,
Namjae Jeon, Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit cafb57f7bdd57abba87725eb4e82bbdca4959644 upstream.
When a session is found but its state is not SMB2_SESSION_VALID, It
indicates that no valid session was found, but it is missing to decrement
the reference count acquired by the session lookup, which results in
a reference count leak. This patch fixes the issue by explicitly calling
ksmbd_user_session_put to release the reference to the session.
Cc: stable@vger.kernel.org
Reported-by: Alexandre <roger.andersen@protonmail.com>
Reported-by: Stanislas Polu <spolu@dust.tt>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/mgmt/user_session.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -325,8 +325,10 @@ struct ksmbd_session *ksmbd_session_look
sess = ksmbd_session_lookup(conn, id);
if (!sess && conn->binding)
sess = ksmbd_session_lookup_slowpath(id);
- if (sess && sess->state != SMB2_SESSION_VALID)
+ if (sess && sess->state != SMB2_SESSION_VALID) {
+ ksmbd_user_session_put(sess);
sess = NULL;
+ }
return sess;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 095/567] ksmbd: fix buffer validation by including null terminator size in EA length
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 094/567] ksmbd: Fix refcount leak when invalid session is found on session lookup Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 096/567] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Greg Kroah-Hartman
` (485 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roger, Stanislas Polu, Namjae Jeon,
Steve French
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 95d7a890e4b03e198836d49d699408fd1867cb55 upstream.
The smb2_set_ea function, which handles Extended Attributes (EA),
was performing buffer validation checks that incorrectly omitted the size
of the null terminating character (+1 byte) for EA Name.
This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where
the null terminator is expected to be present in the buffer, ensuring
the validation accurately reflects the total required buffer size.
Cc: stable@vger.kernel.org
Reported-by: Roger <roger.andersen@protonmail.com>
Reported-by: Stanislas Polu <spolu@dust.tt>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2363,7 +2363,7 @@ static int smb2_set_ea(struct smb2_ea_in
int rc = 0;
unsigned int next = 0;
- if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
+ if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
le16_to_cpu(eabuf->EaValueLength))
return -EINVAL;
@@ -2440,7 +2440,7 @@ next:
break;
}
- if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
+ if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
le16_to_cpu(eabuf->EaValueLength)) {
rc = -EINVAL;
break;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 096/567] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 095/567] ksmbd: fix buffer validation by including null terminator size in EA length Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 097/567] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Greg Kroah-Hartman
` (484 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ping Cheng, stable, Jiri Kosina
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ping Cheng <pinglinux@gmail.com>
commit 7953794f741e94d30df9dafaaa4c031c85b891d6 upstream.
HID_GD_Z is mapped to ABS_Z for stylus and pen in hid-input.c. But HID_GD_Z
should be used to report ABS_DISTANCE for stylus and pen as described at:
Documentation/input/event-codes.rst#n226
* ABS_DISTANCE:
- Used to describe the distance of a tool from an interaction surface. This
event should only be emitted while the tool is hovering, meaning in close
proximity of the device and while the value of the BTN_TOUCH code is 0. If
the input device may be used freely in three dimensions, consider ABS_Z
instead.
- BTN_TOOL_<name> should be set to 1 when the tool comes into detectable
proximity and set to 0 when the tool leaves detectable proximity.
BTN_TOOL_<name> signals the type of tool that is currently detected by the
hardware and is otherwise independent of ABS_DISTANCE and/or BTN_TOUCH.
This patch makes the correct mapping. The ABS_DISTANCE is currently not mapped
by any HID usage in hid-generic driver.
Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-input.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -864,7 +864,7 @@ static void hidinput_configure_usage(str
switch (usage->hid) {
/* These usage IDs map directly to the usage codes. */
- case HID_GD_X: case HID_GD_Y: case HID_GD_Z:
+ case HID_GD_X: case HID_GD_Y:
case HID_GD_RX: case HID_GD_RY: case HID_GD_RZ:
if (field->flags & HID_MAIN_ITEM_RELATIVE)
map_rel(usage->hid & 0xf);
@@ -872,6 +872,22 @@ static void hidinput_configure_usage(str
map_abs_clear(usage->hid & 0xf);
break;
+ case HID_GD_Z:
+ /* HID_GD_Z is mapped to ABS_DISTANCE for stylus/pen */
+ if (field->flags & HID_MAIN_ITEM_RELATIVE) {
+ map_rel(usage->hid & 0xf);
+ } else {
+ if (field->application == HID_DG_PEN ||
+ field->physical == HID_DG_PEN ||
+ field->logical == HID_DG_STYLUS ||
+ field->physical == HID_DG_STYLUS ||
+ field->application == HID_DG_DIGITIZER)
+ map_abs_clear(ABS_DISTANCE);
+ else
+ map_abs_clear(usage->hid & 0xf);
+ }
+ break;
+
case HID_GD_WHEEL:
if (field->flags & HID_MAIN_ITEM_RELATIVE) {
set_bit(REL_WHEEL, input->relbit);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 097/567] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 096/567] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Greg Kroah-Hartman
@ 2026-01-06 16:57 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 098/567] Input: lkkbd - disable pending work before freeing device Greg Kroah-Hartman
` (483 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junjie Cao, Dmitry Torokhov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junjie Cao <junjie.cao@intel.com>
commit 248d3a73a0167dce15ba100477c3e778c4787178 upstream.
The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
access when used as index in 'config_pins[wire_order[i]]'.
Since config_pins has 4 elements (indices 0-3), the valid range for
wire_order should be 0-3. Fix the off-by-one error by using >= instead
of > in the validation check.
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Link: https://patch.msgid.link/20251114062817.852698-1-junjie.cao@intel.com
Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made configurable")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/touchscreen/ti_am335x_tsc.c
+++ b/drivers/input/touchscreen/ti_am335x_tsc.c
@@ -85,7 +85,7 @@ static int titsc_config_wires(struct tit
wire_order[i] = ts_dev->config_inp[i] & 0x0F;
if (WARN_ON(analog_line[i] > 7))
return -EINVAL;
- if (WARN_ON(wire_order[i] > ARRAY_SIZE(config_pins)))
+ if (WARN_ON(wire_order[i] >= ARRAY_SIZE(config_pins)))
return -EINVAL;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 098/567] Input: lkkbd - disable pending work before freeing device
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-01-06 16:57 ` [PATCH 6.12 097/567] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 099/567] Input: alps - fix use-after-free bugs caused by dev3_register_work Greg Kroah-Hartman
` (482 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Minseong Kim, Dmitry Torokhov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Minseong Kim <ii4gsp@gmail.com>
commit e58c88f0cb2d8ed89de78f6f17409d29cfab6c5c upstream.
lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work
handler lkkbd_reinit() dereferences the lkkbd structure and its
serio/input_dev fields.
lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd
structure without preventing the reinit work from being queued again
until serio_close() returns. This can allow the work handler to run
after the structure has been freed, leading to a potential use-after-free.
Use disable_work_sync() instead of cancel_work_sync() to ensure the
reinit work cannot be re-queued, and call it both in lkkbd_disconnect()
and in lkkbd_connect() error paths after serio_open().
Signed-off-by: Minseong Kim <ii4gsp@gmail.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251212052314.16139-1-ii4gsp@gmail.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/keyboard/lkkbd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/input/keyboard/lkkbd.c
+++ b/drivers/input/keyboard/lkkbd.c
@@ -670,7 +670,8 @@ static int lkkbd_connect(struct serio *s
return 0;
- fail3: serio_close(serio);
+ fail3: disable_work_sync(&lk->tq);
+ serio_close(serio);
fail2: serio_set_drvdata(serio, NULL);
fail1: input_free_device(input_dev);
kfree(lk);
@@ -684,6 +685,8 @@ static void lkkbd_disconnect(struct seri
{
struct lkkbd *lk = serio_get_drvdata(serio);
+ disable_work_sync(&lk->tq);
+
input_get_device(lk->dev);
input_unregister_device(lk->dev);
serio_close(serio);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 099/567] Input: alps - fix use-after-free bugs caused by dev3_register_work
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 098/567] Input: lkkbd - disable pending work before freeing device Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 100/567] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
` (481 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Duoming Zhou,
Dmitry Torokhov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit bf40644ef8c8a288742fa45580897ed0e0289474 upstream.
The dev3_register_work delayed work item is initialized within
alps_reconnect() and scheduled upon receipt of the first bare
PS/2 packet from an external PS/2 device connected to the ALPS
touchpad. During device detachment, the original implementation
calls flush_workqueue() in psmouse_disconnect() to ensure
completion of dev3_register_work. However, the flush_workqueue()
in psmouse_disconnect() only blocks and waits for work items that
were already queued to the workqueue prior to its invocation. Any
work items submitted after flush_workqueue() is called are not
included in the set of tasks that the flush operation awaits.
This means that after flush_workqueue() has finished executing,
the dev3_register_work could still be scheduled. Although the
psmouse state is set to PSMOUSE_CMD_MODE in psmouse_disconnect(),
the scheduling of dev3_register_work remains unaffected.
The race condition can occur as follows:
CPU 0 (cleanup path) | CPU 1 (delayed work)
psmouse_disconnect() |
psmouse_set_state() |
flush_workqueue() | alps_report_bare_ps2_packet()
alps_disconnect() | psmouse_queue_work()
kfree(priv); // FREE | alps_register_bare_ps2_mouse()
| priv = container_of(work...); // USE
| priv->dev3 // USE
Add disable_delayed_work_sync() in alps_disconnect() to ensure
that dev3_register_work is properly canceled and prevented from
executing after the alps_data structure has been deallocated.
This bug is identified by static analysis.
Fixes: 04aae283ba6a ("Input: ALPS - do not mix trackstick and external PS/2 mouse data")
Cc: stable@kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://patch.msgid.link/b57b0a9ccca51a3f06be141bfc02b9ffe69d1845.1765939397.git.duoming@zju.edu.cn
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/mouse/alps.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/input/mouse/alps.c
+++ b/drivers/input/mouse/alps.c
@@ -2977,6 +2977,7 @@ static void alps_disconnect(struct psmou
psmouse_reset(psmouse);
timer_shutdown_sync(&priv->timer);
+ disable_delayed_work_sync(&priv->dev3_register_work);
if (priv->dev2)
input_unregister_device(priv->dev2);
if (!IS_ERR_OR_NULL(priv->dev3))
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 100/567] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 099/567] Input: alps - fix use-after-free bugs caused by dev3_register_work Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 101/567] xfs: dont leak a locked dquot when xfs_dquot_attach_buf fails Greg Kroah-Hartman
` (480 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoffer Sandberg, Werner Sembach,
Dmitry Torokhov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoffer Sandberg <cs@tuxedo.de>
commit aed3716db7fff74919cc5775ca3a80c8bb246489 upstream.
The device occasionally wakes up from suspend with missing input on the
internal keyboard and the following suspend attempt results in an instant
wake-up. The quirks fix both issues for this device.
Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251124203336.64072-1-wse@tuxedocomputers.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-acpipnpio.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/input/serio/i8042-acpipnpio.h
+++ b/drivers/input/serio/i8042-acpipnpio.h
@@ -1169,6 +1169,13 @@ static const struct dmi_system_id i8042_
.driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_BOARD_NAME, "X5KK45xS_X5SP45xS"),
+ },
+ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
+ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
+ },
/*
* A lot of modern Clevo barebones have touchpad and/or keyboard issues
* after suspend fixable with the forcenorestore quirk.
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 101/567] xfs: dont leak a locked dquot when xfs_dquot_attach_buf fails
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 100/567] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 102/567] can: gs_usb: gs_can_open(): fix error handling Greg Kroah-Hartman
` (479 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Christoph Hellwig, Darrick J. Wong, Carlos Maiolino
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
commit 204c8f77e8d4a3006f8abe40331f221a597ce608 upstream.
xfs_qm_quotacheck_dqadjust acquired the dquot through xfs_qm_dqget,
which means it owns a reference and holds q_qlock. Both need to
be dropped on an error exit.
Cc: <stable@vger.kernel.org> # v6.13
Fixes: ca378189fdfa ("xfs: convert quotacheck to attach dquot buffers")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_qm.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/xfs/xfs_qm.c
+++ b/fs/xfs/xfs_qm.c
@@ -1134,7 +1134,7 @@ xfs_qm_quotacheck_dqadjust(
error = xfs_dquot_attach_buf(NULL, dqp);
if (error)
- return error;
+ goto out_unlock;
trace_xfs_dqadjust(dqp);
@@ -1164,8 +1164,9 @@ xfs_qm_quotacheck_dqadjust(
}
dqp->q_flags |= XFS_DQFLAG_DIRTY;
+out_unlock:
xfs_qm_dqput(dqp);
- return 0;
+ return error;
}
/*
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 102/567] can: gs_usb: gs_can_open(): fix error handling
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 101/567] xfs: dont leak a locked dquot when xfs_dquot_attach_buf fails Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 103/567] soc/tegra: fuse: Do not register SoC device on ACPI boot Greg Kroah-Hartman
` (478 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 3e54d3b4a8437b6783d4145c86962a2aa51022f3 upstream.
Commit 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling")
added missing error handling to the gs_can_open() function.
The driver uses 2 USB anchors to track the allocated URBs: the TX URBs in
struct gs_can::tx_submitted for each netdev and the RX URBs in struct
gs_usb::rx_submitted for the USB device. gs_can_open() allocates the RX
URBs, while TX URBs are allocated during gs_can_start_xmit().
The cleanup in gs_can_open() kills all anchored dev->tx_submitted
URBs (which is not necessary since the netdev is not yet registered), but
misses the parent->rx_submitted URBs.
Fix the problem by killing the rx_submitted instead of the tx_submitted.
Fixes: 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251210-gs_usb-fix-error-handling-v1-1-d6a5a03f10bb@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/gs_usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -1071,7 +1071,7 @@ out_usb_free_urb:
usb_free_urb(urb);
out_usb_kill_anchored_urbs:
if (!parent->active_channels) {
- usb_kill_anchored_urbs(&dev->tx_submitted);
+ usb_kill_anchored_urbs(&parent->rx_submitted);
if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP)
gs_usb_timestamp_stop(parent);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 103/567] soc/tegra: fuse: Do not register SoC device on ACPI boot
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 102/567] can: gs_usb: gs_can_open(): fix error handling Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 104/567] ACPI: PCC: Fix race condition by removing static qualifier Greg Kroah-Hartman
` (477 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kartik Rajput, Thierry Reding
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kartik Rajput <kkartik@nvidia.com>
commit c87f820bc4748fdd4d50969e8930cd88d1b61582 upstream.
On Tegra platforms using ACPI, the SMCCC driver already registers the
SoC device. This makes the registration performed by the Tegra fuse
driver redundant.
When booted via ACPI, skip registering the SoC device and suppress
printing SKU information from the Tegra fuse driver, as this information
is already provided by the SMCCC driver.
Fixes: 972167c69080 ("soc/tegra: fuse: Add ACPI support for Tegra194 and Tegra234")
Cc: stable@vger.kernel.org
Signed-off-by: Kartik Rajput <kkartik@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/tegra/fuse/fuse-tegra.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/soc/tegra/fuse/fuse-tegra.c
+++ b/drivers/soc/tegra/fuse/fuse-tegra.c
@@ -182,8 +182,6 @@ static int tegra_fuse_probe(struct platf
}
fuse->soc->init(fuse);
- tegra_fuse_print_sku_info(&tegra_sku_info);
- tegra_soc_device_register();
err = tegra_fuse_add_lookups(fuse);
if (err)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 104/567] ACPI: PCC: Fix race condition by removing static qualifier
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 103/567] soc/tegra: fuse: Do not register SoC device on ACPI boot Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 105/567] ACPI: CPPC: Fix missing PCC check for guaranteed_perf Greg Kroah-Hartman
` (476 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengjie Zhang, Sudeep Holla,
lihuisong, Rafael J. Wysocki
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengjie Zhang <zhangpengjie2@huawei.com>
commit f103fa127c93016bcd89b05d8e11dc1a84f6990d upstream.
Local variable 'ret' in acpi_pcc_address_space_setup() is currently
declared as 'static'. This can lead to race conditions in a
multithreaded environment.
Remove the 'static' qualifier to ensure that 'ret' will be allocated
directly on the stack as a local variable.
Fixes: a10b1c99e2dc ("ACPI: PCC: Setup PCC Opregion handler only if platform interrupt is available")
Signed-off-by: Pengjie Zhang <zhangpengjie2@huawei.com>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Acked-by: lihuisong@huawei.com
Cc: 6.2+ <stable@vger.kernel.org> # 6.2+
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20251210132634.2050033-1-zhangpengjie2@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/acpi_pcc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/acpi/acpi_pcc.c
+++ b/drivers/acpi/acpi_pcc.c
@@ -53,7 +53,7 @@ acpi_pcc_address_space_setup(acpi_handle
struct pcc_data *data;
struct acpi_pcc_info *ctx = handler_context;
struct pcc_mbox_chan *pcc_chan;
- static acpi_status ret;
+ acpi_status ret;
data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 105/567] ACPI: CPPC: Fix missing PCC check for guaranteed_perf
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 104/567] ACPI: PCC: Fix race condition by removing static qualifier Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 106/567] spi: fsl-cpm: Check length parity before switching to 16 bit mode Greg Kroah-Hartman
` (475 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pengjie Zhang, Rafael J. Wysocki
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengjie Zhang <zhangpengjie2@huawei.com>
commit 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b upstream.
The current implementation overlooks the 'guaranteed_perf'
register in this check.
If the Guaranteed Performance register is located in the PCC
subspace, the function currently attempts to read it without
acquiring the lock and without sending the CMD_READ doorbell
to the firmware. This can result in reading stale data.
Fixes: 29523f095397 ("ACPI / CPPC: Add support for guaranteed performance")
Signed-off-by: Pengjie Zhang <zhangpengjie2@huawei.com>
Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
[ rjw: Subject and changelog edits ]
Link: https://patch.msgid.link/20251210132227.1988380-1-zhangpengjie2@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/cppc_acpi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -1297,7 +1297,8 @@ int cppc_get_perf_caps(int cpunum, struc
/* Are any of the regs PCC ?*/
if (CPC_IN_PCC(highest_reg) || CPC_IN_PCC(lowest_reg) ||
CPC_IN_PCC(lowest_non_linear_reg) || CPC_IN_PCC(nominal_reg) ||
- CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg)) {
+ CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg) ||
+ CPC_IN_PCC(guaranteed_reg)) {
if (pcc_ss_id < 0) {
pr_debug("Invalid pcc_ss_id\n");
return -ENODEV;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 106/567] spi: fsl-cpm: Check length parity before switching to 16 bit mode
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 105/567] ACPI: CPPC: Fix missing PCC check for guaranteed_perf Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 107/567] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Greg Kroah-Hartman
` (474 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Sverdlin Alexander,
Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
commit 1417927df8049a0194933861e9b098669a95c762 upstream.
Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
with even size") failed to make sure that the size is really even
before switching to 16 bit mode. Until recently the problem went
unnoticed because kernfs uses a pre-allocated bounce buffer of size
PAGE_SIZE for reading EEPROM.
But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
introduced an additional dynamically allocated bounce buffer whose size
is exactly the size of the transfer, leading to a buffer overrun in
the fsl-cpm driver when that size is odd.
Add the missing length parity verification and remain in 8 bit mode
when the length is not even.
Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size")
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Reviewed-by: Sverdlin Alexander <alexander.sverdlin@siemens.com>
Link: https://patch.msgid.link/3c4d81c3923c93f95ec56702a454744a4bad3cfc.1763627618.git.christophe.leroy@csgroup.eu
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-fsl-spi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-fsl-spi.c
+++ b/drivers/spi/spi-fsl-spi.c
@@ -335,7 +335,7 @@ static int fsl_spi_prepare_message(struc
if (t->bits_per_word == 16 || t->bits_per_word == 32)
t->bits_per_word = 8; /* pretend its 8 bits */
if (t->bits_per_word == 8 && t->len >= 256 &&
- (mpc8xxx_spi->flags & SPI_CPM1))
+ !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1))
t->bits_per_word = 16;
}
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 107/567] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 106/567] spi: fsl-cpm: Check length parity before switching to 16 bit mode Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 108/567] mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds Greg Kroah-Hartman
` (473 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jared Kangas, Haibo Chen,
Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jared Kangas <jkangas@redhat.com>
commit d3ecb12e2e04ce53c95f933c462f2d8b150b965b upstream.
MMC_SDHCI_ESDHC_IMX requires ARCH_MXC despite also being used on
ARCH_S32, which results in unmet dependencies when compiling strictly
for ARCH_S32. Resolve this by adding ARCH_S32 as an alternative to
ARCH_MXC in the driver's dependencies.
Fixes: 5c4f00627c9a ("mmc: sdhci-esdhc-imx: add NXP S32G2 support")
Cc: stable@bvger.kernel.org
Signed-off-by: Jared Kangas <jkangas@redhat.com>
Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/mmc/host/Kconfig
+++ b/drivers/mmc/host/Kconfig
@@ -291,14 +291,14 @@ config MMC_SDHCI_ESDHC_MCF
config MMC_SDHCI_ESDHC_IMX
tristate "SDHCI support for the Freescale eSDHC/uSDHC i.MX controller"
- depends on ARCH_MXC || COMPILE_TEST
+ depends on ARCH_MXC || ARCH_S32 || COMPILE_TEST
depends on MMC_SDHCI_PLTFM
depends on OF
select MMC_SDHCI_IO_ACCESSORS
select MMC_CQHCI
help
This selects the Freescale eSDHC/uSDHC controller support
- found on i.MX25, i.MX35 i.MX5x and i.MX6x.
+ found on i.MX25, i.MX35, i.MX5x, i.MX6x, and S32G.
If you have a controller with this interface, say Y or M here.
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 108/567] mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 107/567] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 109/567] dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml Greg Kroah-Hartman
` (472 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sai Krishna Potthuri, Adrian Hunter,
Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sai Krishna Potthuri <sai.krishna.potthuri@amd.com>
commit a9c4c9085ec8ce3ce01be21b75184789e74f5f19 upstream.
On Xilinx/AMD platforms, the CD stable bit take slightly longer than
one second(about an additional 100ms) to assert after a host
controller reset. Although no functional failure observed with the
existing one second delay but to ensure reliable initialization, increase
the CD stable timeout to 2 seconds.
Fixes: e251709aaddb ("mmc: sdhci-of-arasan: Ensure CD logic stabilization before power-up")
Cc: stable@vger.kernel.org
Signed-off-by: Sai Krishna Potthuri <sai.krishna.potthuri@amd.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-of-arasan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mmc/host/sdhci-of-arasan.c
+++ b/drivers/mmc/host/sdhci-of-arasan.c
@@ -99,7 +99,7 @@
#define HIWORD_UPDATE(val, mask, shift) \
((val) << (shift) | (mask) << ((shift) + 16))
-#define CD_STABLE_TIMEOUT_US 1000000
+#define CD_STABLE_TIMEOUT_US 2000000
#define CD_STABLE_MAX_SLEEP_US 10
/**
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 109/567] dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 108/567] mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 110/567] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Greg Kroah-Hartman
` (471 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Jeffery, Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Jeffery <andrew@codeconstruct.com.au>
commit ed724ea1b82a800af4704311cb89e5ef1b4ea7ac upstream.
Enable use of common SDHCI-related properties such as sdhci-caps-mask as
found in the AST2600 EVB DTS.
Cc: stable@vger.kernel.org # v6.2+
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml
+++ b/Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml
@@ -41,7 +41,7 @@ properties:
patternProperties:
"^sdhci@[0-9a-f]+$":
type: object
- $ref: mmc-controller.yaml
+ $ref: sdhci-common.yaml
unevaluatedProperties: false
properties:
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 110/567] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 109/567] dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 111/567] x86/fpu: Fix FPU state core dump truncation on CPUs with no extended xfeatures Greg Kroah-Hartman
` (470 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+2fa344348a579b779e05,
Shaurya Rane, Felix Maurer, Paolo Abeni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
commit 188e0fa5a679570ea35474575e724d8211423d17 upstream.
prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
but doesn't check if the allocation failed. If __pskb_copy() returns
NULL, skb_clone() is called with a NULL pointer, causing a crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
Call Trace:
<TASK>
hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
__netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
__netif_receive_skb_one_core net/core/dev.c:6077 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6192
netif_receive_skb_internal net/core/dev.c:6278 [inline]
netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0449f8e1ff
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
</TASK>
Add a NULL check immediately after __pskb_copy() to handle allocation
failures gracefully.
Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05
Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
Cc: stable@vger.kernel.org
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Reviewed-by: Felix Maurer <fmaurer@redhat.com>
Tested-by: Felix Maurer <fmaurer@redhat.com>
Link: https://patch.msgid.link/20251129093718.25320-1-ssrane_b23@ee.vjti.ac.in
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/hsr/hsr_forward.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -205,6 +205,8 @@ struct sk_buff *prp_get_untagged_frame(s
__pskb_copy(frame->skb_prp,
skb_headroom(frame->skb_prp),
GFP_ATOMIC);
+ if (!frame->skb_std)
+ return NULL;
} else {
/* Unexpected */
WARN_ONCE(1, "%s:%d: Unexpected frame received (port_src %s)\n",
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 111/567] x86/fpu: Fix FPU state core dump truncation on CPUs with no extended xfeatures
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 110/567] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 112/567] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Greg Kroah-Hartman
` (469 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yongxin Liu, Ingo Molnar,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongxin Liu <yongxin.liu@windriver.com>
[ Upstream commit c8161e5304abb26e6c0bec6efc947992500fa6c5 ]
Zero can be a valid value of num_records. For example, on Intel Atom x6425RE,
only x87 and SSE are supported (features 0, 1), and fpu_user_cfg.max_features
is 3. The for_each_extended_xfeature() loop only iterates feature 2, which is
not enabled, so num_records = 0. This is valid and should not cause core dump
failure.
The issue is that dump_xsave_layout_desc() returns 0 for both genuine errors
(dump_emit() failure) and valid cases (no extended features). Use negative
return values for errors and only abort on genuine failures.
Fixes: ba386777a30b ("x86/elf: Add a new FPU buffer layout info to x86 core files")
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://patch.msgid.link/20251210000219.4094353-2-yongxin.liu@windriver.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/fpu/xstate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index 22abb5ee0cf2..aacb59c4a35c 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -1879,7 +1879,7 @@ static int dump_xsave_layout_desc(struct coredump_params *cprm)
};
if (!dump_emit(cprm, &xc, sizeof(xc)))
- return 0;
+ return -1;
num_records++;
}
@@ -1917,7 +1917,7 @@ int elf_coredump_extra_notes_write(struct coredump_params *cprm)
return 1;
num_records = dump_xsave_layout_desc(cprm);
- if (!num_records)
+ if (num_records < 0)
return 1;
/* Total size should be equal to the number of records */
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 112/567] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 111/567] x86/fpu: Fix FPU state core dump truncation on CPUs with no extended xfeatures Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 113/567] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe " Greg Kroah-Hartman
` (468 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Takashi Iwai,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 2a03b40deacbd293ac9aed0f9b11197dad54fe5f ]
When vxpocket_config() fails, vxpocket_probe() returns the error code
directly without freeing the sound card resources allocated by
snd_card_new(), which leads to a memory leak.
Add proper error handling to free the sound card and clear the
allocation bit when vxpocket_config() fails.
Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251215042652.695-1-vulab@iscas.ac.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pcmcia/vx/vxpocket.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/pcmcia/vx/vxpocket.c b/sound/pcmcia/vx/vxpocket.c
index d2d5f64d63b4..e1f5b8cfeef0 100644
--- a/sound/pcmcia/vx/vxpocket.c
+++ b/sound/pcmcia/vx/vxpocket.c
@@ -284,7 +284,13 @@ static int vxpocket_probe(struct pcmcia_device *p_dev)
vxp->p_dev = p_dev;
- return vxpocket_config(p_dev);
+ err = vxpocket_config(p_dev);
+ if (err < 0) {
+ card_alloc &= ~(1 << i);
+ snd_card_free(card);
+ return err;
+ }
+ return 0;
}
static void vxpocket_detach(struct pcmcia_device *link)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 113/567] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 112/567] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 114/567] ALSA: usb-mixer: us16x08: validate meter packet indices Greg Kroah-Hartman
` (467 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Haotian Zhang,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 5032347c04ba7ff9ba878f262e075d745c06a2a8 ]
When pdacf_config() fails, snd_pdacf_probe() returns the error code
directly without freeing the sound card resources allocated by
snd_card_new(), which leads to a memory leak.
Add proper error handling to free the sound card and clear the card
list entry when pdacf_config() fails.
Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251215090433.211-1-vulab@iscas.ac.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pcmcia/pdaudiocf/pdaudiocf.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/pcmcia/pdaudiocf/pdaudiocf.c b/sound/pcmcia/pdaudiocf/pdaudiocf.c
index 494460746614..7531e89e35da 100644
--- a/sound/pcmcia/pdaudiocf/pdaudiocf.c
+++ b/sound/pcmcia/pdaudiocf/pdaudiocf.c
@@ -131,7 +131,13 @@ static int snd_pdacf_probe(struct pcmcia_device *link)
link->config_index = 1;
link->config_regs = PRESENT_OPTION;
- return pdacf_config(link);
+ err = pdacf_config(link);
+ if (err < 0) {
+ card_list[i] = NULL;
+ snd_card_free(card);
+ return err;
+ }
+ return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 114/567] ALSA: usb-mixer: us16x08: validate meter packet indices
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 113/567] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe " Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 115/567] ASoC: ak4458: remove the reset operation in probe and remove Greg Kroah-Hartman
` (466 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DARKNAVY (@DarkNavyOrg), Shipei Qu,
Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shipei Qu <qu@darknavy.com>
[ Upstream commit 5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e ]
get_meter_levels_from_urb() parses the 64-byte meter packets sent by
the device and fills the per-channel arrays meter_level[],
comp_level[] and master_level[] in struct snd_us16x08_meter_store.
Currently the function derives the channel index directly from the
meter packet (MUB2(meter_urb, s) - 1) and uses it to index those
arrays without validating the range. If the packet contains a
negative or out-of-range channel number, the driver may write past
the end of these arrays.
Introduce a local channel variable and validate it before updating the
arrays. We reject negative indices, limit meter_level[] and
comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]
updates with ARRAY_SIZE(master_level).
Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
Closes: https://lore.kernel.org/tencent_21C112743C44C1A2517FF219@qq.com
Signed-off-by: Shipei Qu <qu@darknavy.com>
Link: https://patch.msgid.link/20251217024630.59576-1-qu@darknavy.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_us16x08.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c
index 20ac32635f1f..d05cb54de788 100644
--- a/sound/usb/mixer_us16x08.c
+++ b/sound/usb/mixer_us16x08.c
@@ -656,17 +656,25 @@ static void get_meter_levels_from_urb(int s,
u8 *meter_urb)
{
int val = MUC2(meter_urb, s) + (MUC3(meter_urb, s) << 8);
+ int ch = MUB2(meter_urb, s) - 1;
+
+ if (ch < 0)
+ return;
if (MUA0(meter_urb, s) == 0x61 && MUA1(meter_urb, s) == 0x02 &&
MUA2(meter_urb, s) == 0x04 && MUB0(meter_urb, s) == 0x62) {
- if (MUC0(meter_urb, s) == 0x72)
- store->meter_level[MUB2(meter_urb, s) - 1] = val;
- if (MUC0(meter_urb, s) == 0xb2)
- store->comp_level[MUB2(meter_urb, s) - 1] = val;
+ if (ch < SND_US16X08_MAX_CHANNELS) {
+ if (MUC0(meter_urb, s) == 0x72)
+ store->meter_level[ch] = val;
+ if (MUC0(meter_urb, s) == 0xb2)
+ store->comp_level[ch] = val;
+ }
}
if (MUA0(meter_urb, s) == 0x61 && MUA1(meter_urb, s) == 0x02 &&
- MUA2(meter_urb, s) == 0x02 && MUB0(meter_urb, s) == 0x62)
- store->master_level[MUB2(meter_urb, s) - 1] = val;
+ MUA2(meter_urb, s) == 0x02 && MUB0(meter_urb, s) == 0x62) {
+ if (ch < ARRAY_SIZE(store->master_level))
+ store->master_level[ch] = val;
+ }
}
/* Function to retrieve current meter values from the device.
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 115/567] ASoC: ak4458: remove the reset operation in probe and remove
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 114/567] ALSA: usb-mixer: us16x08: validate meter packet indices Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 116/567] nfsd: update percpu_ref to manage references on nfsd_net Greg Kroah-Hartman
` (465 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 00b960a83c764208b0623089eb70af3685e3906f ]
The reset_control handler has the reference count for usage, as there is
reset operation in runtime suspend and resume, then reset operation in
probe() would cause the reference count of reset not balanced.
Previously add reset operation in probe and remove is to fix the compile
issue with !CONFIG_PM, as the driver has been update to use
RUNTIME_PM_OPS(), so that change can be reverted.
Fixes: 1e0dff741b0a ("ASoC: ak4458: remove "reset-gpios" property handler")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20251216070201.358477-1-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/ak4458.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c
index fb1ab335a4c1..e2e12dbc8cf2 100644
--- a/sound/soc/codecs/ak4458.c
+++ b/sound/soc/codecs/ak4458.c
@@ -790,16 +790,12 @@ static int ak4458_i2c_probe(struct i2c_client *i2c)
pm_runtime_enable(&i2c->dev);
regcache_cache_only(ak4458->regmap, true);
- ak4458_reset(ak4458, false);
return 0;
}
static void ak4458_i2c_remove(struct i2c_client *i2c)
{
- struct ak4458_priv *ak4458 = i2c_get_clientdata(i2c);
-
- ak4458_reset(ak4458, true);
pm_runtime_disable(&i2c->dev);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 116/567] nfsd: update percpu_ref to manage references on nfsd_net
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 115/567] ASoC: ak4458: remove the reset operation in probe and remove Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 117/567] nfsd: rename nfsd_serv_ prefixed methods and variables with nfsd_net_ Greg Kroah-Hartman
` (464 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Snitzer, Jeff Layton,
Chuck Lever, Anna Schumaker, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@kernel.org>
[ Upstream commit 39972494e318a21b3059287909fc090186dbe60a ]
Holding a reference on nfsd_net is what is required, it was never
actually about ensuring nn->nfsd_serv available.
Move waiting for outstanding percpu references from
nfsd_destroy_serv() to nfsd_shutdown_net().
By moving it later it will be possible to invalidate localio clients
during nfsd_file_cache_shutdown_net() via __nfsd_file_cache_purge().
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Stable-dep-of: df8d829bba3a ("nfsd: fix memory leak in nfsd_create_serv error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfssvc.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index 45f1bb2c6f13..f9bb408478dc 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -436,6 +436,10 @@ static void nfsd_shutdown_net(struct net *net)
if (!nn->nfsd_net_up)
return;
+
+ percpu_ref_kill_and_confirm(&nn->nfsd_serv_ref, nfsd_serv_done);
+ wait_for_completion(&nn->nfsd_serv_confirm_done);
+
nfsd_export_flush(net);
nfs4_state_shutdown_net(net);
nfsd_reply_cache_shutdown(nn);
@@ -444,7 +448,10 @@ static void nfsd_shutdown_net(struct net *net)
lockd_down(net);
nn->lockd_up = false;
}
+
+ wait_for_completion(&nn->nfsd_serv_free_done);
percpu_ref_exit(&nn->nfsd_serv_ref);
+
nn->nfsd_net_up = false;
nfsd_shutdown_generic();
}
@@ -526,11 +533,6 @@ void nfsd_destroy_serv(struct net *net)
lockdep_assert_held(&nfsd_mutex);
- percpu_ref_kill_and_confirm(&nn->nfsd_serv_ref, nfsd_serv_done);
- wait_for_completion(&nn->nfsd_serv_confirm_done);
- wait_for_completion(&nn->nfsd_serv_free_done);
- /* percpu_ref_exit is called in nfsd_shutdown_net */
-
spin_lock(&nfsd_notifier_lock);
nn->nfsd_serv = NULL;
spin_unlock(&nfsd_notifier_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 117/567] nfsd: rename nfsd_serv_ prefixed methods and variables with nfsd_net_
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 116/567] nfsd: update percpu_ref to manage references on nfsd_net Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 118/567] nfsd: fix memory leak in nfsd_create_serv error paths Greg Kroah-Hartman
` (463 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Snitzer, Jeff Layton,
Chuck Lever, Anna Schumaker, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@kernel.org>
[ Upstream commit b33f7dec3a67216123312c7bb752b8f6faa1c465 ]
Also update Documentation/filesystems/nfs/localio.rst accordingly
and reduce the technical documentation debt that was previously
captured in that document.
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Stable-dep-of: df8d829bba3a ("nfsd: fix memory leak in nfsd_create_serv error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/filesystems/nfs/localio.rst | 85 +++++++----------------
fs/nfs_common/nfslocalio.c | 10 ++-
fs/nfsd/filecache.c | 2 +-
fs/nfsd/localio.c | 4 +-
fs/nfsd/netns.h | 11 +--
fs/nfsd/nfssvc.c | 34 ++++-----
include/linux/nfslocalio.h | 12 ++--
7 files changed, 66 insertions(+), 92 deletions(-)
diff --git a/Documentation/filesystems/nfs/localio.rst b/Documentation/filesystems/nfs/localio.rst
index 20fc901a08f4..7d2dbf75e96d 100644
--- a/Documentation/filesystems/nfs/localio.rst
+++ b/Documentation/filesystems/nfs/localio.rst
@@ -218,64 +218,30 @@ NFS Client and Server Interlock
===============================
LOCALIO provides the nfs_uuid_t object and associated interfaces to
-allow proper network namespace (net-ns) and NFSD object refcounting:
-
- We don't want to keep a long-term counted reference on each NFSD's
- net-ns in the client because that prevents a server container from
- completely shutting down.
-
- So we avoid taking a reference at all and rely on the per-cpu
- reference to the server (detailed below) being sufficient to keep
- the net-ns active. This involves allowing the NFSD's net-ns exit
- code to iterate all active clients and clear their ->net pointers
- (which are needed to find the per-cpu-refcount for the nfsd_serv).
-
- Details:
-
- - Embed nfs_uuid_t in nfs_client. nfs_uuid_t provides a list_head
- that can be used to find the client. It does add the 16-byte
- uuid_t to nfs_client so it is bigger than needed (given that
- uuid_t is only used during the initial NFS client and server
- LOCALIO handshake to determine if they are local to each other).
- If that is really a problem we can find a fix.
-
- - When the nfs server confirms that the uuid_t is local, it moves
- the nfs_uuid_t onto a per-net-ns list in NFSD's nfsd_net.
-
- - When each server's net-ns is shutting down - in a "pre_exit"
- handler, all these nfs_uuid_t have their ->net cleared. There is
- an rcu_synchronize() call between pre_exit() handlers and exit()
- handlers so any caller that sees nfs_uuid_t ->net as not NULL can
- safely manage the per-cpu-refcount for nfsd_serv.
-
- - The client's nfs_uuid_t is passed to nfsd_open_local_fh() so it
- can safely dereference ->net in a private rcu_read_lock() section
- to allow safe access to the associated nfsd_net and nfsd_serv.
-
-So LOCALIO required the introduction and use of NFSD's percpu_ref to
-interlock nfsd_destroy_serv() and nfsd_open_local_fh(), to ensure each
-nn->nfsd_serv is not destroyed while in use by nfsd_open_local_fh(), and
+allow proper network namespace (net-ns) and NFSD object refcounting.
+
+LOCALIO required the introduction and use of NFSD's percpu nfsd_net_ref
+to interlock nfsd_shutdown_net() and nfsd_open_local_fh(), to ensure
+each net-ns is not destroyed while in use by nfsd_open_local_fh(), and
warrants a more detailed explanation:
- nfsd_open_local_fh() uses nfsd_serv_try_get() before opening its
+ nfsd_open_local_fh() uses nfsd_net_try_get() before opening its
nfsd_file handle and then the caller (NFS client) must drop the
- reference for the nfsd_file and associated nn->nfsd_serv using
- nfs_file_put_local() once it has completed its IO.
+ reference for the nfsd_file and associated net-ns using
+ nfsd_file_put_local() once it has completed its IO.
This interlock working relies heavily on nfsd_open_local_fh() being
afforded the ability to safely deal with the possibility that the
NFSD's net-ns (and nfsd_net by association) may have been destroyed
- by nfsd_destroy_serv() via nfsd_shutdown_net() -- which is only
- possible given the nfs_uuid_t ->net pointer managemenet detailed
- above.
-
-All told, this elaborate interlock of the NFS client and server has been
-verified to fix an easy to hit crash that would occur if an NFSD
-instance running in a container, with a LOCALIO client mounted, is
-shutdown. Upon restart of the container and associated NFSD the client
-would go on to crash due to NULL pointer dereference that occurred due
-to the LOCALIO client's attempting to nfsd_open_local_fh(), using
-nn->nfsd_serv, without having a proper reference on nn->nfsd_serv.
+ by nfsd_destroy_serv() via nfsd_shutdown_net().
+
+This interlock of the NFS client and server has been verified to fix an
+easy to hit crash that would occur if an NFSD instance running in a
+container, with a LOCALIO client mounted, is shutdown. Upon restart of
+the container and associated NFSD, the client would go on to crash due
+to NULL pointer dereference that occurred due to the LOCALIO client's
+attempting to nfsd_open_local_fh() without having a proper reference on
+NFSD's net-ns.
NFS Client issues IO instead of Server
======================================
@@ -308,16 +274,19 @@ fs/nfs/localio.c:nfs_local_commit().
With normal NFS that makes use of RPC to issue IO to the server, if an
application uses O_DIRECT the NFS client will bypass the pagecache but
-the NFS server will not. Because the NFS server's use of buffered IO
-affords applications to be less precise with their alignment when
-issuing IO to the NFS client. LOCALIO can be configured to use O_DIRECT
-semantics by setting the 'localio_O_DIRECT_semantics' nfs module
+the NFS server will not. The NFS server's use of buffered IO affords
+applications to be less precise with their alignment when issuing IO to
+the NFS client. But if all applications properly align their IO, LOCALIO
+can be configured to use end-to-end O_DIRECT semantics from the NFS
+client to the underlying local filesystem, that it is sharing with
+the NFS server, by setting the 'localio_O_DIRECT_semantics' nfs module
parameter to Y, e.g.:
- echo Y > /sys/module/nfs/parameters/localio_O_DIRECT_semantics
+ echo Y > /sys/module/nfs/parameters/localio_O_DIRECT_semantics
-Once enabled, it will cause LOCALIO to use O_DIRECT semantics (this may
-cause IO to fail if applications do not properly align their IO).
+Once enabled, it will cause LOCALIO to use end-to-end O_DIRECT semantics
+(but again, this may cause IO to fail if applications do not properly
+align their IO).
Security
========
diff --git a/fs/nfs_common/nfslocalio.c b/fs/nfs_common/nfslocalio.c
index a74ec08f6c96..e6fbc45ec4f1 100644
--- a/fs/nfs_common/nfslocalio.c
+++ b/fs/nfs_common/nfslocalio.c
@@ -128,6 +128,10 @@ void nfs_uuid_invalidate_one_client(nfs_uuid_t *nfs_uuid)
}
EXPORT_SYMBOL_GPL(nfs_uuid_invalidate_one_client);
+/*
+ * Caller is responsible for calling nfsd_net_put and
+ * nfsd_file_put (via nfs_to_nfsd_file_put_local).
+ */
struct nfsd_file *nfs_open_local_fh(nfs_uuid_t *uuid,
struct rpc_clnt *rpc_clnt, const struct cred *cred,
const struct nfs_fh *nfs_fh, const fmode_t fmode)
@@ -139,7 +143,7 @@ struct nfsd_file *nfs_open_local_fh(nfs_uuid_t *uuid,
* Not running in nfsd context, so must safely get reference on nfsd_serv.
* But the server may already be shutting down, if so disallow new localio.
* uuid->net is NOT a counted reference, but rcu_read_lock() ensures that
- * if uuid->net is not NULL, then calling nfsd_serv_try_get() is safe
+ * if uuid->net is not NULL, then calling nfsd_net_try_get() is safe
* and if it succeeds we will have an implied reference to the net.
*
* Otherwise NFS may not have ref on NFSD and therefore cannot safely
@@ -147,12 +151,12 @@ struct nfsd_file *nfs_open_local_fh(nfs_uuid_t *uuid,
*/
rcu_read_lock();
net = rcu_dereference(uuid->net);
- if (!net || !nfs_to->nfsd_serv_try_get(net)) {
+ if (!net || !nfs_to->nfsd_net_try_get(net)) {
rcu_read_unlock();
return ERR_PTR(-ENXIO);
}
rcu_read_unlock();
- /* We have an implied reference to net thanks to nfsd_serv_try_get */
+ /* We have an implied reference to net thanks to nfsd_net_try_get */
localio = nfs_to->nfsd_open_local_fh(net, uuid->dom, rpc_clnt,
cred, nfs_fh, fmode);
if (IS_ERR(localio))
diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
index d19968881855..05f0a4867673 100644
--- a/fs/nfsd/filecache.c
+++ b/fs/nfsd/filecache.c
@@ -391,7 +391,7 @@ nfsd_file_put(struct nfsd_file *nf)
}
/**
- * nfsd_file_put_local - put nfsd_file reference and arm nfsd_serv_put in caller
+ * nfsd_file_put_local - put nfsd_file reference and arm nfsd_net_put in caller
* @nf: nfsd_file of which to put the reference
*
* First save the associated net to return to caller, then put
diff --git a/fs/nfsd/localio.c b/fs/nfsd/localio.c
index f441cb9f74d5..ce6d408598c7 100644
--- a/fs/nfsd/localio.c
+++ b/fs/nfsd/localio.c
@@ -25,8 +25,8 @@
#include "cache.h"
static const struct nfsd_localio_operations nfsd_localio_ops = {
- .nfsd_serv_try_get = nfsd_serv_try_get,
- .nfsd_serv_put = nfsd_serv_put,
+ .nfsd_net_try_get = nfsd_net_try_get,
+ .nfsd_net_put = nfsd_net_put,
.nfsd_open_local_fh = nfsd_open_local_fh,
.nfsd_file_put_local = nfsd_file_put_local,
.nfsd_file_file = nfsd_file_file,
diff --git a/fs/nfsd/netns.h b/fs/nfsd/netns.h
index a05a45bb1978..ceab4a3e503f 100644
--- a/fs/nfsd/netns.h
+++ b/fs/nfsd/netns.h
@@ -140,9 +140,10 @@ struct nfsd_net {
struct svc_info nfsd_info;
#define nfsd_serv nfsd_info.serv
- struct percpu_ref nfsd_serv_ref;
- struct completion nfsd_serv_confirm_done;
- struct completion nfsd_serv_free_done;
+
+ struct percpu_ref nfsd_net_ref;
+ struct completion nfsd_net_confirm_done;
+ struct completion nfsd_net_free_done;
/*
* clientid and stateid data for construction of net unique COPY
@@ -229,8 +230,8 @@ struct nfsd_net {
extern bool nfsd_support_version(int vers);
extern unsigned int nfsd_net_id;
-bool nfsd_serv_try_get(struct net *net);
-void nfsd_serv_put(struct net *net);
+bool nfsd_net_try_get(struct net *net);
+void nfsd_net_put(struct net *net);
void nfsd_copy_write_verifier(__be32 verf[2], struct nfsd_net *nn);
void nfsd_reset_write_verifier(struct nfsd_net *nn);
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index f9bb408478dc..571a6ae90833 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -214,32 +214,32 @@ int nfsd_minorversion(struct nfsd_net *nn, u32 minorversion, enum vers_op change
return 0;
}
-bool nfsd_serv_try_get(struct net *net) __must_hold(rcu)
+bool nfsd_net_try_get(struct net *net) __must_hold(rcu)
{
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
- return (nn && percpu_ref_tryget_live(&nn->nfsd_serv_ref));
+ return (nn && percpu_ref_tryget_live(&nn->nfsd_net_ref));
}
-void nfsd_serv_put(struct net *net) __must_hold(rcu)
+void nfsd_net_put(struct net *net) __must_hold(rcu)
{
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
- percpu_ref_put(&nn->nfsd_serv_ref);
+ percpu_ref_put(&nn->nfsd_net_ref);
}
-static void nfsd_serv_done(struct percpu_ref *ref)
+static void nfsd_net_done(struct percpu_ref *ref)
{
- struct nfsd_net *nn = container_of(ref, struct nfsd_net, nfsd_serv_ref);
+ struct nfsd_net *nn = container_of(ref, struct nfsd_net, nfsd_net_ref);
- complete(&nn->nfsd_serv_confirm_done);
+ complete(&nn->nfsd_net_confirm_done);
}
-static void nfsd_serv_free(struct percpu_ref *ref)
+static void nfsd_net_free(struct percpu_ref *ref)
{
- struct nfsd_net *nn = container_of(ref, struct nfsd_net, nfsd_serv_ref);
+ struct nfsd_net *nn = container_of(ref, struct nfsd_net, nfsd_net_ref);
- complete(&nn->nfsd_serv_free_done);
+ complete(&nn->nfsd_net_free_done);
}
/*
@@ -437,8 +437,8 @@ static void nfsd_shutdown_net(struct net *net)
if (!nn->nfsd_net_up)
return;
- percpu_ref_kill_and_confirm(&nn->nfsd_serv_ref, nfsd_serv_done);
- wait_for_completion(&nn->nfsd_serv_confirm_done);
+ percpu_ref_kill_and_confirm(&nn->nfsd_net_ref, nfsd_net_done);
+ wait_for_completion(&nn->nfsd_net_confirm_done);
nfsd_export_flush(net);
nfs4_state_shutdown_net(net);
@@ -449,8 +449,8 @@ static void nfsd_shutdown_net(struct net *net)
nn->lockd_up = false;
}
- wait_for_completion(&nn->nfsd_serv_free_done);
- percpu_ref_exit(&nn->nfsd_serv_ref);
+ wait_for_completion(&nn->nfsd_net_free_done);
+ percpu_ref_exit(&nn->nfsd_net_ref);
nn->nfsd_net_up = false;
nfsd_shutdown_generic();
@@ -654,12 +654,12 @@ int nfsd_create_serv(struct net *net)
if (nn->nfsd_serv)
return 0;
- error = percpu_ref_init(&nn->nfsd_serv_ref, nfsd_serv_free,
+ error = percpu_ref_init(&nn->nfsd_net_ref, nfsd_net_free,
0, GFP_KERNEL);
if (error)
return error;
- init_completion(&nn->nfsd_serv_free_done);
- init_completion(&nn->nfsd_serv_confirm_done);
+ init_completion(&nn->nfsd_net_free_done);
+ init_completion(&nn->nfsd_net_confirm_done);
if (nfsd_max_blksize == 0)
nfsd_max_blksize = nfsd_get_default_max_blksize();
diff --git a/include/linux/nfslocalio.h b/include/linux/nfslocalio.h
index 9202f4b24343..e1b8018ba639 100644
--- a/include/linux/nfslocalio.h
+++ b/include/linux/nfslocalio.h
@@ -47,8 +47,8 @@ nfsd_open_local_fh(struct net *, struct auth_domain *, struct rpc_clnt *,
const fmode_t) __must_hold(rcu);
struct nfsd_localio_operations {
- bool (*nfsd_serv_try_get)(struct net *);
- void (*nfsd_serv_put)(struct net *);
+ bool (*nfsd_net_try_get)(struct net *);
+ void (*nfsd_net_put)(struct net *);
struct nfsd_file *(*nfsd_open_local_fh)(struct net *,
struct auth_domain *,
struct rpc_clnt *,
@@ -69,12 +69,12 @@ struct nfsd_file *nfs_open_local_fh(nfs_uuid_t *,
static inline void nfs_to_nfsd_net_put(struct net *net)
{
/*
- * Once reference to nfsd_serv is dropped, NFSD could be
- * unloaded, so ensure safe return from nfsd_file_put_local()
- * by always taking RCU.
+ * Once reference to net (and associated nfsd_serv) is dropped, NFSD
+ * could be unloaded, so ensure safe return from nfsd_net_put() by
+ * always taking RCU.
*/
rcu_read_lock();
- nfs_to->nfsd_serv_put(net);
+ nfs_to->nfsd_net_put(net);
rcu_read_unlock();
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 118/567] nfsd: fix memory leak in nfsd_create_serv error paths
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 117/567] nfsd: rename nfsd_serv_ prefixed methods and variables with nfsd_net_ Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 119/567] ipmi: Fix the race between __scan_channels() and deliver_response() Greg Kroah-Hartman
` (462 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+099461f8558eb0a1f4f3,
Shardul Bankar, Jeff Layton, Chuck Lever, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shardul Bankar <shardul.b@mpiricsoftware.com>
[ Upstream commit df8d829bba3adcf3cc744c01d933b6fd7cf06e91 ]
When nfsd_create_serv() calls percpu_ref_init() to initialize
nn->nfsd_net_ref, it allocates both a percpu reference counter
and a percpu_ref_data structure (64 bytes). However, if the
function fails later due to svc_create_pooled() returning NULL
or svc_bind() returning an error, these allocations are not
cleaned up, resulting in a memory leak.
The leak manifests as:
- Unreferenced percpu allocation (8 bytes per CPU)
- Unreferenced percpu_ref_data structure (64 bytes)
Fix this by adding percpu_ref_exit() calls in both error paths
to properly clean up the percpu_ref_init() allocations.
This patch fixes the percpu_ref leak in nfsd_create_serv() seen
as an auxiliary leak in syzbot report 099461f8558eb0a1f4f3; the
prepare_creds() and vsock-related leaks in the same report
remain to be addressed separately.
Reported-by: syzbot+099461f8558eb0a1f4f3@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=099461f8558eb0a1f4f3
Fixes: 47e988147f40 ("nfsd: add nfsd_serv_try_get and nfsd_serv_put")
Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfssvc.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index 571a6ae90833..cc185c00e309 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -667,13 +667,16 @@ int nfsd_create_serv(struct net *net)
serv = svc_create_pooled(nfsd_programs, ARRAY_SIZE(nfsd_programs),
&nn->nfsd_svcstats,
nfsd_max_blksize, nfsd);
- if (serv == NULL)
+ if (serv == NULL) {
+ percpu_ref_exit(&nn->nfsd_net_ref);
return -ENOMEM;
+ }
serv->sv_maxconn = nn->max_connections;
error = svc_bind(serv, net);
if (error < 0) {
svc_destroy(&serv);
+ percpu_ref_exit(&nn->nfsd_net_ref);
return error;
}
spin_lock(&nfsd_notifier_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 119/567] ipmi: Fix the race between __scan_channels() and deliver_response()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 118/567] nfsd: fix memory leak in nfsd_create_serv error paths Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 120/567] ipmi: Fix __scan_channels() failing to rescan channels Greg Kroah-Hartman
` (461 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Corey Minyard,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
[ Upstream commit 936750fdba4c45e13bbd17f261bb140dd55f5e93 ]
The race window between __scan_channels() and deliver_response() causes
the parameters of some channels to be set to 0.
1.[CPUA] __scan_channels() issues an IPMI request and waits with
wait_event() until all channels have been scanned.
wait_event() internally calls might_sleep(), which might
yield the CPU. (Moreover, an interrupt can preempt
wait_event() and force the task to yield the CPU.)
2.[CPUB] deliver_response() is invoked when the CPU receives the
IPMI response. After processing a IPMI response,
deliver_response() directly assigns intf->wchannels to
intf->channel_list and sets intf->channels_ready to true.
However, not all channels are actually ready for use.
3.[CPUA] Since intf->channels_ready is already true, wait_event()
never enters __wait_event(). __scan_channels() immediately
clears intf->null_user_handler and exits.
4.[CPUB] Once intf->null_user_handler is set to NULL, deliver_response()
ignores further IPMI responses, leaving the remaining
channels zero-initialized and unusable.
CPUA CPUB
------------------------------- -----------------------------
__scan_channels()
intf->null_user_handler
= channel_handler;
send_channel_info_cmd(intf,
0);
wait_event(intf->waitq,
intf->channels_ready);
do {
might_sleep();
deliver_response()
channel_handler()
intf->channel_list =
intf->wchannels + set;
intf->channels_ready = true;
send_channel_info_cmd(intf,
intf->curr_channel);
if (condition)
break;
__wait_event(wq_head,
condition);
} while(0)
intf->null_user_handler
= NULL;
deliver_response()
if (!msg->user)
if (intf->null_user_handler)
rv = -EINVAL;
return rv;
------------------------------- -----------------------------
Fix the race between __scan_channels() and deliver_response() by
deferring both the assignment intf->channel_list = intf->wchannels
and the flag intf->channels_ready = true until all channels have
been successfully scanned or until the IPMI request has failed.
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Message-ID: <20250930074239.2353-2-guojinhui.liam@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 99fe01321971..29106325aba7 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -3414,8 +3414,6 @@ channel_handler(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
intf->channels_ready = true;
wake_up(&intf->waitq);
} else {
- intf->channel_list = intf->wchannels + set;
- intf->channels_ready = true;
rv = send_channel_info_cmd(intf, intf->curr_channel);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 120/567] ipmi: Fix __scan_channels() failing to rescan channels
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 119/567] ipmi: Fix the race between __scan_channels() and deliver_response() Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 121/567] scsi: ufs: host: mediatek: Fix shutdown/suspend race condition Greg Kroah-Hartman
` (460 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Corey Minyard,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
[ Upstream commit 6bd30d8fc523fb880b4be548e8501bc0fe8f42d4 ]
channel_handler() sets intf->channels_ready to true but never
clears it, so __scan_channels() skips any rescan. When the BMC
firmware changes a rescan is required. Allow it by clearing
the flag before starting a new scan.
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Message-ID: <20250930074239.2353-3-guojinhui.liam@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 29106325aba7..188722ec0337 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -613,7 +613,8 @@ static void __ipmi_bmc_unregister(struct ipmi_smi *intf);
static int __ipmi_bmc_register(struct ipmi_smi *intf,
struct ipmi_device_id *id,
bool guid_set, guid_t *guid, int intf_num);
-static int __scan_channels(struct ipmi_smi *intf, struct ipmi_device_id *id);
+static int __scan_channels(struct ipmi_smi *intf,
+ struct ipmi_device_id *id, bool rescan);
/*
@@ -2665,7 +2666,7 @@ static int __bmc_get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc,
if (__ipmi_bmc_register(intf, &id, guid_set, &guid, intf_num))
need_waiter(intf); /* Retry later on an error. */
else
- __scan_channels(intf, &id);
+ __scan_channels(intf, &id, false);
if (!intf_set) {
@@ -2685,7 +2686,7 @@ static int __bmc_get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc,
goto out_noprocessing;
} else if (memcmp(&bmc->fetch_id, &bmc->id, sizeof(bmc->id)))
/* Version info changes, scan the channels again. */
- __scan_channels(intf, &bmc->fetch_id);
+ __scan_channels(intf, &bmc->fetch_id, true);
bmc->dyn_id_expiry = jiffies + IPMI_DYN_DEV_ID_EXPIRY;
@@ -3435,10 +3436,17 @@ channel_handler(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
/*
* Must be holding intf->bmc_reg_mutex to call this.
*/
-static int __scan_channels(struct ipmi_smi *intf, struct ipmi_device_id *id)
+static int __scan_channels(struct ipmi_smi *intf,
+ struct ipmi_device_id *id,
+ bool rescan)
{
int rv;
+ if (rescan) {
+ /* Clear channels_ready to force channels rescan. */
+ intf->channels_ready = false;
+ }
+
if (ipmi_version_major(id) > 1
|| (ipmi_version_major(id) == 1
&& ipmi_version_minor(id) >= 5)) {
@@ -3640,7 +3648,7 @@ int ipmi_add_smi(struct module *owner,
}
mutex_lock(&intf->bmc_reg_mutex);
- rv = __scan_channels(intf, &id);
+ rv = __scan_channels(intf, &id, false);
mutex_unlock(&intf->bmc_reg_mutex);
if (rv)
goto out_err_bmc_reg;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 121/567] scsi: ufs: host: mediatek: Fix shutdown/suspend race condition
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 120/567] ipmi: Fix __scan_channels() failing to rescan channels Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 122/567] firmware: imx: scu-irq: Init workqueue before request mbox channel Greg Kroah-Hartman
` (459 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Wang, Chun-Hung Wu,
Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Wang <peter.wang@mediatek.com>
[ Upstream commit 014de20bb36ba03e0e0b0a7e0a1406ab900c9fda ]
Address a race condition between shutdown and suspend operations in the
UFS Mediatek driver. Before entering suspend, check if a shutdown is in
progress to prevent conflicts and ensure system stability.
Signed-off-by: Peter Wang <peter.wang@mediatek.com>
Acked-by: Chun-Hung Wu <chun-hung.wu@mediatek.com>
Link: https://patch.msgid.link/20250924094527.2992256-6-peter.wang@mediatek.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/host/ufs-mediatek.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/ufs/host/ufs-mediatek.c b/drivers/ufs/host/ufs-mediatek.c
index 00ecfe14c1fd..1fb98af4ac56 100644
--- a/drivers/ufs/host/ufs-mediatek.c
+++ b/drivers/ufs/host/ufs-mediatek.c
@@ -1994,6 +1994,11 @@ static int ufs_mtk_system_suspend(struct device *dev)
struct arm_smccc_res res;
int ret;
+ if (hba->shutting_down) {
+ ret = -EBUSY;
+ goto out;
+ }
+
ret = ufshcd_system_suspend(dev);
if (ret)
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 122/567] firmware: imx: scu-irq: Init workqueue before request mbox channel
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 121/567] scsi: ufs: host: mediatek: Fix shutdown/suspend race condition Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 123/567] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Greg Kroah-Hartman
` (458 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Peng Fan, Shawn Guo,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 81fb53feb66a3aefbf6fcab73bb8d06f5b0c54ad ]
With mailbox channel requested, there is possibility that interrupts may
come in, so need to make sure the workqueue is initialized before
the queue is scheduled by mailbox rx callback.
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/imx/imx-scu-irq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/imx/imx-scu-irq.c b/drivers/firmware/imx/imx-scu-irq.c
index f2b902e95b73..b9f6128d56f7 100644
--- a/drivers/firmware/imx/imx-scu-irq.c
+++ b/drivers/firmware/imx/imx-scu-irq.c
@@ -214,6 +214,8 @@ int imx_scu_enable_general_irq_channel(struct device *dev)
cl->dev = dev;
cl->rx_callback = imx_scu_irq_callback;
+ INIT_WORK(&imx_sc_irq_work, imx_scu_irq_work_handler);
+
/* SCU general IRQ uses general interrupt channel 3 */
ch = mbox_request_channel_byname(cl, "gip3");
if (IS_ERR(ch)) {
@@ -223,8 +225,6 @@ int imx_scu_enable_general_irq_channel(struct device *dev)
return ret;
}
- INIT_WORK(&imx_sc_irq_work, imx_scu_irq_work_handler);
-
if (!of_parse_phandle_with_args(dev->of_node, "mboxes",
"#mbox-cells", 0, &spec)) {
i = of_alias_get_id(spec.np, "mu");
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 123/567] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 122/567] firmware: imx: scu-irq: Init workqueue before request mbox channel Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 124/567] scsi: smartpqi: Add support for Hurray Data new controller PCI device Greg Kroah-Hartman
` (457 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthias Schiffer, Alexander Stein,
Kevin Hilman, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Schiffer <matthias.schiffer@tq-group.com>
[ Upstream commit 3f61783920504b2cf99330b372d82914bb004d8e ]
am33xx.dtsi has the same clock setup as am35xx.dtsi, setting
ti,no-reset-on-init and ti,no-idle on timer1_target and timer2_target,
so AM33 needs the same workaround as AM35 to avoid ti-sysc probe
failing on certain target modules.
Signed-off-by: Matthias Schiffer <matthias.schiffer@tq-group.com>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Link: https://lore.kernel.org/r/20250825131114.2206804-1-alexander.stein@ew.tq-group.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/ti-sysc.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
index f715c8d28129..27149eb29afb 100644
--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -48,6 +48,7 @@ enum sysc_soc {
SOC_UNKNOWN,
SOC_2420,
SOC_2430,
+ SOC_AM33,
SOC_3430,
SOC_AM35,
SOC_3630,
@@ -2896,6 +2897,7 @@ static void ti_sysc_idle(struct work_struct *work)
static const struct soc_device_attribute sysc_soc_match[] = {
SOC_FLAG("OMAP242*", SOC_2420),
SOC_FLAG("OMAP243*", SOC_2430),
+ SOC_FLAG("AM33*", SOC_AM33),
SOC_FLAG("AM35*", SOC_AM35),
SOC_FLAG("OMAP3[45]*", SOC_3430),
SOC_FLAG("OMAP3[67]*", SOC_3630),
@@ -3101,10 +3103,15 @@ static int sysc_check_active_timer(struct sysc *ddata)
* can be dropped if we stop supporting old beagleboard revisions
* A to B4 at some point.
*/
- if (sysc_soc->soc == SOC_3430 || sysc_soc->soc == SOC_AM35)
+ switch (sysc_soc->soc) {
+ case SOC_AM33:
+ case SOC_3430:
+ case SOC_AM35:
error = -ENXIO;
- else
+ break;
+ default:
error = -EBUSY;
+ }
if ((ddata->cfg.quirks & SYSC_QUIRK_NO_RESET_ON_INIT) &&
(ddata->cfg.quirks & SYSC_QUIRK_NO_IDLE))
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 124/567] scsi: smartpqi: Add support for Hurray Data new controller PCI device
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 123/567] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 125/567] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Greg Kroah-Hartman
` (456 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Benesh, Scott Teel,
Mike McGowen, David Strahan, Don Brace, Martin K. Petersen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Strahan <David.Strahan@microchip.com>
[ Upstream commit 48e6b7e708029cea451e53a8c16fc8c16039ecdc ]
Add support for new Hurray Data controller.
All entries are in HEX.
Add PCI IDs for Hurray Data controllers:
VID / DID / SVID / SDID
---- ---- ---- ----
9005 028f 207d 4840
Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
Reviewed-by: Scott Teel <scott.teel@microchip.com>
Reviewed-by: Mike McGowen <mike.mcgowen@microchip.com>
Signed-off-by: David Strahan <David.Strahan@microchip.com>
Signed-off-by: Don Brace <don.brace@microchip.com>
Link: https://patch.msgid.link/20251106163823.786828-4-don.brace@microchip.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/smartpqi/smartpqi_init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
index 018f5428a07d..f0fb22e4117e 100644
--- a/drivers/scsi/smartpqi/smartpqi_init.c
+++ b/drivers/scsi/smartpqi/smartpqi_init.c
@@ -10091,6 +10091,10 @@ static const struct pci_device_id pqi_pci_id_table[] = {
PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
0x207d, 0x4240)
},
+ {
+ PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
+ 0x207d, 0x4840)
+ },
{
PCI_DEVICE_SUB(PCI_VENDOR_ID_ADAPTEC2, 0x028f,
PCI_VENDOR_ID_ADVANTECH, 0x8312)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 125/567] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 124/567] scsi: smartpqi: Add support for Hurray Data new controller PCI device Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 126/567] powerpc/addnote: Fix overflow on 32-bit builds Greg Kroah-Hartman
` (455 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josua Mayer, Andrew Lunn,
Gregory CLEMENT, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit f0e6bc0c3ef4b4afb299bd6912586cafd5d864e9 ]
CP110 based platforms rely on the bootloader for pci port
initialization.
TF-A actively prevents non-uboot re-configuration of pci lanes, and many
boards do not have software control over the pci card reset.
If a pci port had link at boot-time and the clock is stopped at a later
point, the link fails and can not be recovered.
PCI controller driver probe - and by extension ownership of a driver for
the pci clocks - may be delayed especially on large modular kernels,
causing the clock core to start disabling unused clocks.
Add the CLK_IGNORE_UNUSED flag to the three pci port's clocks to ensure
they are not stopped before the pci controller driver has taken
ownership and tested for an existing link.
This fixes failed pci link detection when controller driver probes late,
e.g. with arm64 defconfig and CONFIG_PHY_MVEBU_CP110_COMPHY=m.
Closes: https://lore.kernel.org/r/b71596c7-461b-44b6-89ab-3cfbd492639f@solid-run.com
Signed-off-by: Josua Mayer <josua@solid-run.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/mvebu/cp110-system-controller.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/drivers/clk/mvebu/cp110-system-controller.c b/drivers/clk/mvebu/cp110-system-controller.c
index 03c59bf22106..b47c86906046 100644
--- a/drivers/clk/mvebu/cp110-system-controller.c
+++ b/drivers/clk/mvebu/cp110-system-controller.c
@@ -110,6 +110,25 @@ static const char * const gate_base_names[] = {
[CP110_GATE_EIP197] = "eip197"
};
+static unsigned long gate_flags(const u8 bit_idx)
+{
+ switch (bit_idx) {
+ case CP110_GATE_PCIE_X1_0:
+ case CP110_GATE_PCIE_X1_1:
+ case CP110_GATE_PCIE_X4:
+ /*
+ * If a port had an active link at boot time, stopping
+ * the clock creates a failed state from which controller
+ * driver can not recover.
+ * Prevent stopping this clock till after a driver has taken
+ * ownership.
+ */
+ return CLK_IGNORE_UNUSED;
+ default:
+ return 0;
+ }
+};
+
struct cp110_gate_clk {
struct clk_hw hw;
struct regmap *regmap;
@@ -171,6 +190,7 @@ static struct clk_hw *cp110_register_gate(const char *name,
init.ops = &cp110_gate_ops;
init.parent_names = &parent_name;
init.num_parents = 1;
+ init.flags = gate_flags(bit_idx);
gate->regmap = regmap;
gate->bit_idx = bit_idx;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 126/567] powerpc/addnote: Fix overflow on 32-bit builds
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 125/567] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 127/567] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Greg Kroah-Hartman
` (454 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Collins, Christophe Leroy,
Madhavan Srinivasan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Collins <bcollins@kernel.org>
[ Upstream commit 825ce89a3ef17f84cf2c0eacfa6b8dc9fd11d13f ]
The PUT_64[LB]E() macros need to cast the value to unsigned long long
like the GET_64[LB]E() macros. Caused lots of warnings when compiled
on 32-bit, and clobbered addresses (36-bit P4080).
Signed-off-by: Ben Collins <bcollins@kernel.org>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/2025042122-mustard-wrasse-694572@boujee-and-buff
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/boot/addnote.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/boot/addnote.c b/arch/powerpc/boot/addnote.c
index 53b3b2621457..78704927453a 100644
--- a/arch/powerpc/boot/addnote.c
+++ b/arch/powerpc/boot/addnote.c
@@ -68,8 +68,8 @@ static int e_class = ELFCLASS32;
#define PUT_16BE(off, v)(buf[off] = ((v) >> 8) & 0xff, \
buf[(off) + 1] = (v) & 0xff)
#define PUT_32BE(off, v)(PUT_16BE((off), (v) >> 16L), PUT_16BE((off) + 2, (v)))
-#define PUT_64BE(off, v)((PUT_32BE((off), (v) >> 32L), \
- PUT_32BE((off) + 4, (v))))
+#define PUT_64BE(off, v)((PUT_32BE((off), (unsigned long long)(v) >> 32L), \
+ PUT_32BE((off) + 4, (unsigned long long)(v))))
#define GET_16LE(off) ((buf[off]) + (buf[(off)+1] << 8))
#define GET_32LE(off) (GET_16LE(off) + (GET_16LE((off)+2U) << 16U))
@@ -78,7 +78,8 @@ static int e_class = ELFCLASS32;
#define PUT_16LE(off, v) (buf[off] = (v) & 0xff, \
buf[(off) + 1] = ((v) >> 8) & 0xff)
#define PUT_32LE(off, v) (PUT_16LE((off), (v)), PUT_16LE((off) + 2, (v) >> 16L))
-#define PUT_64LE(off, v) (PUT_32LE((off), (v)), PUT_32LE((off) + 4, (v) >> 32L))
+#define PUT_64LE(off, v) (PUT_32LE((off), (unsigned long long)(v)), \
+ PUT_32LE((off) + 4, (unsigned long long)(v) >> 32L))
#define GET_16(off) (e_data == ELFDATA2MSB ? GET_16BE(off) : GET_16LE(off))
#define GET_32(off) (e_data == ELFDATA2MSB ? GET_32BE(off) : GET_32LE(off))
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 127/567] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 126/567] powerpc/addnote: Fix overflow on 32-bit builds Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 128/567] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Greg Kroah-Hartman
` (453 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
[ Upstream commit 4f6aaade2a22ac428fa99ed716cf2b87e79c9837 ]
When qla2xxx is loaded with qlini_mode=disabled,
ha->flags.disable_msix_handshake is used before it is set, resulting in
the wrong interrupt handler being used on certain HBAs
(qla2xxx_msix_rsp_q_hs() is used when qla2xxx_msix_rsp_q() should be
used). The only difference between these two interrupt handlers is that
the _hs() version writes to a register to clear the "RISC" interrupt,
whereas the other version does not. So this bug results in the RISC
interrupt being cleared when it should not be. This occasionally causes
a different interrupt handler qla24xx_msix_default() for a different
vector to see ((stat & HSRX_RISC_INT) == 0) and ignore its interrupt,
which then causes problems like:
qla2xxx [0000:02:00.0]-d04c:6: MBX Command timeout for cmd 20,
iocontrol=8 jiffies=1090c0300 mb[0-3]=[0x4000 0x0 0x40 0xda] mb7 0x500
host_status 0x40000010 hccr 0x3f00
qla2xxx [0000:02:00.0]-101e:6: Mailbox cmd timeout occurred, cmd=0x20,
mb[0]=0x20. Scheduling ISP abort
(the cmd varies; sometimes it is 0x20, 0x22, 0x54, 0x5a, 0x5d, or 0x6a)
This problem can be reproduced with a 16 or 32 Gbps HBA by loading
qla2xxx with qlini_mode=disabled and running a high IOPS test while
triggering frequent RSCN database change events.
While analyzing the problem I discovered that even with
disable_msix_handshake forced to 0, it is not necessary to clear the
RISC interrupt from qla2xxx_msix_rsp_q_hs() (more below). So just
completely remove qla2xxx_msix_rsp_q_hs() and the logic for selecting
it, which also fixes the bug with qlini_mode=disabled.
The test below describes the justification for not needing
qla2xxx_msix_rsp_q_hs():
Force disable_msix_handshake to 0:
qla24xx_config_rings():
if (0 && (ha->fw_attributes & BIT_6) && (IS_MSIX_NACK_CAPABLE(ha)) &&
(ha->flags.msix_enabled)) {
In qla24xx_msix_rsp_q() and qla2xxx_msix_rsp_q_hs(), check:
(rd_reg_dword(®->host_status) & HSRX_RISC_INT)
Count the number of calls to each function with HSRX_RISC_INT set and
the number with HSRX_RISC_INT not set while performing some I/O.
If qla2xxx_msix_rsp_q_hs() clears the RISC interrupt (original code):
qla24xx_msix_rsp_q: 50% of calls have HSRX_RISC_INT set
qla2xxx_msix_rsp_q_hs: 5% of calls have HSRX_RISC_INT set
(# of qla2xxx_msix_rsp_q_hs interrupts) =
(# of qla24xx_msix_rsp_q interrupts) * 3
If qla2xxx_msix_rsp_q_hs() does not clear the RISC interrupt (patched
code):
qla24xx_msix_rsp_q: 100% of calls have HSRX_RISC_INT set
qla2xxx_msix_rsp_q_hs: 9% of calls have HSRX_RISC_INT set
(# of qla2xxx_msix_rsp_q_hs interrupts) =
(# of qla24xx_msix_rsp_q interrupts) * 3
In the case of the original code, qla24xx_msix_rsp_q() was seeing
HSRX_RISC_INT set only 50% of the time because qla2xxx_msix_rsp_q_hs()
was clearing it when it shouldn't have been. In the patched code,
qla24xx_msix_rsp_q() sees HSRX_RISC_INT set 100% of the time, which
makes sense if that interrupt handler needs to clear the RISC interrupt
(which it does). qla2xxx_msix_rsp_q_hs() sees HSRX_RISC_INT only 9% of
the time, which is just overlap from the other interrupt during the
high IOPS test.
Tested with SCST on:
QLE2742 FW:v9.08.02 (32 Gbps 2-port)
QLE2694L FW:v9.10.11 (16 Gbps 4-port)
QLE2694L FW:v9.08.02 (16 Gbps 4-port)
QLE2672 FW:v8.07.12 (16 Gbps 2-port)
both initiator and target mode
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/56d378eb-14ad-49c7-bae9-c649b6c7691e@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_def.h | 1 -
drivers/scsi/qla2xxx/qla_gbl.h | 2 +-
drivers/scsi/qla2xxx/qla_isr.c | 32 +++-----------------------------
drivers/scsi/qla2xxx/qla_mid.c | 4 +---
4 files changed, 5 insertions(+), 34 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index cb95b7b12051..b3265952c4be 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -3503,7 +3503,6 @@ struct isp_operations {
#define QLA_MSIX_RSP_Q 0x01
#define QLA_ATIO_VECTOR 0x02
#define QLA_MSIX_QPAIR_MULTIQ_RSP_Q 0x03
-#define QLA_MSIX_QPAIR_MULTIQ_RSP_Q_HS 0x04
#define QLA_MIDX_DEFAULT 0
#define QLA_MIDX_RSP_Q 1
diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
index e556f57c91af..59f448e2e319 100644
--- a/drivers/scsi/qla2xxx/qla_gbl.h
+++ b/drivers/scsi/qla2xxx/qla_gbl.h
@@ -768,7 +768,7 @@ extern int qla2x00_dfs_remove(scsi_qla_host_t *);
/* Globa function prototypes for multi-q */
extern int qla25xx_request_irq(struct qla_hw_data *, struct qla_qpair *,
- struct qla_msix_entry *, int);
+ struct qla_msix_entry *);
extern int qla25xx_init_req_que(struct scsi_qla_host *, struct req_que *);
extern int qla25xx_init_rsp_que(struct scsi_qla_host *, struct rsp_que *);
extern int qla25xx_create_req_que(struct qla_hw_data *, uint16_t, uint8_t,
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index fe98c76e9be3..77c779cca97f 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -4467,32 +4467,6 @@ qla2xxx_msix_rsp_q(int irq, void *dev_id)
return IRQ_HANDLED;
}
-irqreturn_t
-qla2xxx_msix_rsp_q_hs(int irq, void *dev_id)
-{
- struct qla_hw_data *ha;
- struct qla_qpair *qpair;
- struct device_reg_24xx __iomem *reg;
- unsigned long flags;
-
- qpair = dev_id;
- if (!qpair) {
- ql_log(ql_log_info, NULL, 0x505b,
- "%s: NULL response queue pointer.\n", __func__);
- return IRQ_NONE;
- }
- ha = qpair->hw;
-
- reg = &ha->iobase->isp24;
- spin_lock_irqsave(&ha->hardware_lock, flags);
- wrt_reg_dword(®->hccr, HCCRX_CLR_RISC_INT);
- spin_unlock_irqrestore(&ha->hardware_lock, flags);
-
- queue_work(ha->wq, &qpair->q_work);
-
- return IRQ_HANDLED;
-}
-
/* Interrupt handling helpers. */
struct qla_init_msix_entry {
@@ -4505,7 +4479,6 @@ static const struct qla_init_msix_entry msix_entries[] = {
{ "rsp_q", qla24xx_msix_rsp_q },
{ "atio_q", qla83xx_msix_atio_q },
{ "qpair_multiq", qla2xxx_msix_rsp_q },
- { "qpair_multiq_hs", qla2xxx_msix_rsp_q_hs },
};
static const struct qla_init_msix_entry qla82xx_msix_entries[] = {
@@ -4792,9 +4765,10 @@ qla2x00_free_irqs(scsi_qla_host_t *vha)
}
int qla25xx_request_irq(struct qla_hw_data *ha, struct qla_qpair *qpair,
- struct qla_msix_entry *msix, int vector_type)
+ struct qla_msix_entry *msix)
{
- const struct qla_init_msix_entry *intr = &msix_entries[vector_type];
+ const struct qla_init_msix_entry *intr =
+ &msix_entries[QLA_MSIX_QPAIR_MULTIQ_RSP_Q];
scsi_qla_host_t *vha = pci_get_drvdata(ha->pdev);
int ret;
diff --git a/drivers/scsi/qla2xxx/qla_mid.c b/drivers/scsi/qla2xxx/qla_mid.c
index 79879c4743e6..9946899dd83b 100644
--- a/drivers/scsi/qla2xxx/qla_mid.c
+++ b/drivers/scsi/qla2xxx/qla_mid.c
@@ -899,9 +899,7 @@ qla25xx_create_rsp_que(struct qla_hw_data *ha, uint16_t options,
rsp->options, rsp->id, rsp->rsp_q_in,
rsp->rsp_q_out);
- ret = qla25xx_request_irq(ha, qpair, qpair->msix,
- ha->flags.disable_msix_handshake ?
- QLA_MSIX_QPAIR_MULTIQ_RSP_Q : QLA_MSIX_QPAIR_MULTIQ_RSP_Q_HS);
+ ret = qla25xx_request_irq(ha, qpair, qpair->msix);
if (ret)
goto que_failed;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 128/567] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 127/567] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 129/567] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Greg Kroah-Hartman
` (452 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
[ Upstream commit 8f58fc64d559b5fda1b0a5e2a71422be61e79ab9 ]
When given the module parameter qlini_mode=exclusive, qla2xxx in
initiator mode is initially unable to successfully send SCSI commands to
devices it finds while scanning, resulting in an escalating series of
resets until an adapter reset clears the issue. Fix by checking the
active mode instead of the module parameter.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/1715ec14-ba9a-45dc-9cf2-d41aa6b81b5e@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_os.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 81c76678f25a..9f35c42102be 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3456,13 +3456,7 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
ha->mqenable = 0;
if (ha->mqenable) {
- bool startit = false;
-
- if (QLA_TGT_MODE_ENABLED())
- startit = false;
-
- if (ql2x_ini_mode == QLA2XXX_INI_MODE_ENABLED)
- startit = true;
+ bool startit = !!(host->active_mode & MODE_INITIATOR);
/* Create start of day qpairs for Block MQ */
for (i = 0; i < ha->max_qpairs; i++)
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 129/567] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 128/567] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 130/567] fuse: Always flush the page cache before FOPEN_DIRECT_IO write Greg Kroah-Hartman
` (451 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
[ Upstream commit 957aa5974989fba4ae4f807ebcb27f12796edd4d ]
If a mailbox command completes immediately after
wait_for_completion_timeout() times out, ha->mbx_intr_comp could be left
in an inconsistent state, causing the next mailbox command not to wait
for the hardware. Fix by reinitializing the completion before use.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/11b6485e-0bfd-4784-8f99-c06a196dad94@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_mbx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
index 13b6cb1b93ac..41435e98092a 100644
--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -253,6 +253,7 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
/* Issue set host interrupt command to send cmd out. */
ha->flags.mbox_int = 0;
clear_bit(MBX_INTERRUPT, &ha->mbx_cmd_flags);
+ reinit_completion(&ha->mbx_intr_comp);
/* Unlock mbx registers and wait for interrupt */
ql_dbg(ql_dbg_mbx, vha, 0x100f,
@@ -279,6 +280,7 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
"cmd=%x Timeout.\n", command);
spin_lock_irqsave(&ha->hardware_lock, flags);
clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags);
+ reinit_completion(&ha->mbx_intr_comp);
spin_unlock_irqrestore(&ha->hardware_lock, flags);
if (chip_reset != ha->chip_reset) {
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 130/567] fuse: Always flush the page cache before FOPEN_DIRECT_IO write
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 129/567] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 131/567] fuse: Invalidate the page cache after " Greg Kroah-Hartman
` (450 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bernd Schubert, Miklos Szeredi,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Schubert <bschubert@ddn.com>
[ Upstream commit 1ce120dcefc056ce8af2486cebbb77a458aad4c3 ]
This was done as condition on direct_io_allow_mmap, but I believe
this is not right, as a file might be open two times - once with
write-back enabled another time with FOPEN_DIRECT_IO.
Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index a8218a3bc0b4..ec1b235df91d 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1582,7 +1582,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
if (!ia)
return -ENOMEM;
- if (fopen_direct_io && fc->direct_io_allow_mmap) {
+ if (fopen_direct_io) {
res = filemap_write_and_wait_range(mapping, pos, pos + count - 1);
if (res) {
fuse_io_free(ia);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 131/567] fuse: Invalidate the page cache after FOPEN_DIRECT_IO write
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 130/567] fuse: Always flush the page cache before FOPEN_DIRECT_IO write Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 132/567] via_wdt: fix critical boot hang due to unnamed resource allocation Greg Kroah-Hartman
` (449 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bernd Schubert, Miklos Szeredi,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Schubert <bschubert@ddn.com>
[ Upstream commit b359af8275a982a458e8df6c6beab1415be1f795 ]
generic_file_direct_write() also does this and has a large
comment about.
Reproducer here is xfstest's generic/209, which is exactly to
have competing DIO write and cached IO read.
Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/file.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index ec1b235df91d..4c5cf2d116d2 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1656,6 +1656,15 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
if (res > 0)
*ppos = pos;
+ if (res > 0 && write && fopen_direct_io) {
+ /*
+ * As in generic_file_direct_write(), invalidate after the
+ * write, to invalidate read-ahead cache that may have competed
+ * with the write.
+ */
+ invalidate_inode_pages2_range(mapping, idx_from, idx_to);
+ }
+
return res > 0 ? res : err;
}
EXPORT_SYMBOL_GPL(fuse_direct_io);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 132/567] via_wdt: fix critical boot hang due to unnamed resource allocation
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 131/567] fuse: Invalidate the page cache after " Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 133/567] reset: fix BIT macro reference Greg Kroah-Hartman
` (448 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Qiang, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Qiang <liqiang01@kylinos.cn>
[ Upstream commit 7aa31ee9ec92915926e74731378c009c9cc04928 ]
The VIA watchdog driver uses allocate_resource() to reserve a MMIO
region for the watchdog control register. However, the allocated
resource was not given a name, which causes the kernel resource tree
to contain an entry marked as "<BAD>" under /proc/iomem on x86
platforms.
During boot, this unnamed resource can lead to a critical hang because
subsequent resource lookups and conflict checks fail to handle the
invalid entry properly.
Signed-off-by: Li Qiang <liqiang01@kylinos.cn>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/via_wdt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/watchdog/via_wdt.c b/drivers/watchdog/via_wdt.c
index eeb39f96e72e..c1ed3ce153cf 100644
--- a/drivers/watchdog/via_wdt.c
+++ b/drivers/watchdog/via_wdt.c
@@ -165,6 +165,7 @@ static int wdt_probe(struct pci_dev *pdev,
dev_err(&pdev->dev, "cannot enable PCI device\n");
return -ENODEV;
}
+ wdt_res.name = "via_wdt";
/*
* Allocate a MMIO region which contains watchdog control register
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 133/567] reset: fix BIT macro reference
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 132/567] via_wdt: fix critical boot hang due to unnamed resource allocation Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 134/567] exfat: fix remount failure in different process environments Greg Kroah-Hartman
` (447 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Troy Mitchell, Philipp Zabel,
Encrow Thorne, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Encrow Thorne <jyc0019@gmail.com>
[ Upstream commit f3d8b64ee46c9b4b0b82b1a4642027728bac95b8 ]
RESET_CONTROL_FLAGS_BIT_* macros use BIT(), but reset.h does not
include bits.h. This causes compilation errors when including
reset.h standalone.
Include bits.h to make reset.h self-contained.
Suggested-by: Troy Mitchell <troy.mitchell@linux.dev>
Reviewed-by: Troy Mitchell <troy.mitchell@linux.dev>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Encrow Thorne <jyc0019@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/reset.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/reset.h b/include/linux/reset.h
index 514ddf003efc..4b31d683776e 100644
--- a/include/linux/reset.h
+++ b/include/linux/reset.h
@@ -2,6 +2,7 @@
#ifndef _LINUX_RESET_H_
#define _LINUX_RESET_H_
+#include <linux/bits.h>
#include <linux/err.h>
#include <linux/errno.h>
#include <linux/types.h>
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 134/567] exfat: fix remount failure in different process environments
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 133/567] reset: fix BIT macro reference Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 135/567] exfat: zero out post-EOF page cache on file extension Greg Kroah-Hartman
` (446 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Yuezhang Mo,
Namjae Jeon, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
[ Upstream commit 51fc7b4ce10ccab8ea5e4876bcdc42cf5202a0ef ]
The kernel test robot reported that the exFAT remount operation
failed. The reason for the failure was that the process's umask
is different between mount and remount, causing fs_fmask and
fs_dmask are changed.
Potentially, both gid and uid may also be changed. Therefore, when
initializing fs_context for remount, inherit these mount options
from the options used during mount.
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202511251637.81670f5c-lkp@intel.com
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/exfat/super.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/fs/exfat/super.c b/fs/exfat/super.c
index 82acff400f4c..75c6d5046e31 100644
--- a/fs/exfat/super.c
+++ b/fs/exfat/super.c
@@ -801,10 +801,21 @@ static int exfat_init_fs_context(struct fs_context *fc)
ratelimit_state_init(&sbi->ratelimit, DEFAULT_RATELIMIT_INTERVAL,
DEFAULT_RATELIMIT_BURST);
- sbi->options.fs_uid = current_uid();
- sbi->options.fs_gid = current_gid();
- sbi->options.fs_fmask = current->fs->umask;
- sbi->options.fs_dmask = current->fs->umask;
+ if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE && fc->root) {
+ struct super_block *sb = fc->root->d_sb;
+ struct exfat_mount_options *cur_opts = &EXFAT_SB(sb)->options;
+
+ sbi->options.fs_uid = cur_opts->fs_uid;
+ sbi->options.fs_gid = cur_opts->fs_gid;
+ sbi->options.fs_fmask = cur_opts->fs_fmask;
+ sbi->options.fs_dmask = cur_opts->fs_dmask;
+ } else {
+ sbi->options.fs_uid = current_uid();
+ sbi->options.fs_gid = current_gid();
+ sbi->options.fs_fmask = current->fs->umask;
+ sbi->options.fs_dmask = current->fs->umask;
+ }
+
sbi->options.allow_utime = -1;
sbi->options.iocharset = exfat_default_iocharset;
sbi->options.errors = EXFAT_ERRORS_RO;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 135/567] exfat: zero out post-EOF page cache on file extension
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 134/567] exfat: fix remount failure in different process environments Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 136/567] usbip: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
` (445 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuezhang Mo, Namjae Jeon,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
[ Upstream commit 4e163c39dd4e70fcdce948b8774d96e0482b4a11 ]
xfstests generic/363 was failing due to unzeroed post-EOF page
cache that allowed mmap writes beyond EOF to become visible
after file extension.
For example, in following xfs_io sequence, 0x22 should not be
written to the file but would become visible after the extension:
xfs_io -f -t -c "pwrite -S 0x11 0 8" \
-c "mmap 0 4096" \
-c "mwrite -S 0x22 32 32" \
-c "munmap" \
-c "pwrite -S 0x33 512 32" \
$testfile
This violates the expected behavior where writes beyond EOF via
mmap should not persist after the file is extended. Instead, the
extended region should contain zeros.
Fix this by using truncate_pagecache() to truncate the page cache
after the current EOF when extending the file.
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/exfat/file.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/exfat/file.c b/fs/exfat/file.c
index 7ac5126aa4f1..033852efe5dc 100644
--- a/fs/exfat/file.c
+++ b/fs/exfat/file.c
@@ -25,6 +25,8 @@ static int exfat_cont_expand(struct inode *inode, loff_t size)
struct exfat_sb_info *sbi = EXFAT_SB(sb);
struct exfat_chain clu;
+ truncate_pagecache(inode, i_size_read(inode));
+
ret = inode_newsize_ok(inode, size);
if (ret)
return ret;
@@ -587,6 +589,9 @@ static ssize_t exfat_file_write_iter(struct kiocb *iocb, struct iov_iter *iter)
inode_lock(inode);
+ if (pos > i_size_read(inode))
+ truncate_pagecache(inode, i_size_read(inode));
+
valid_size = ei->valid_size;
ret = generic_write_checks(iocb, iter);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 136/567] usbip: Fix locking bug in RT-enabled kernels
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 135/567] exfat: zero out post-EOF page cache on file extension Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 137/567] usb: typec: ucsi: Handle incorrect num_connectors capability Greg Kroah-Hartman
` (444 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+205ef33a3b636b4181fb,
Lizhi Xu, Shuah Khan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
[ Upstream commit 09bf21bf5249880f62fe759b53b14b4b52900c6c ]
Interrupts are disabled before entering usb_hcd_giveback_urb().
A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be
acquired with disabled interrupts.
Save the interrupt status and restore it after usb_hcd_giveback_urb().
syz reported:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
rt_spin_lock+0xc7/0x2c0 kernel/locking/spinlock_rt.c:57
spin_lock include/linux/spinlock_rt.h:44 [inline]
mon_bus_complete drivers/usb/mon/mon_main.c:134 [inline]
mon_complete+0x5c/0x200 drivers/usb/mon/mon_main.c:147
usbmon_urb_complete include/linux/usb/hcd.h:738 [inline]
__usb_hcd_giveback_urb+0x254/0x5e0 drivers/usb/core/hcd.c:1647
vhci_urb_enqueue+0xb4f/0xe70 drivers/usb/usbip/vhci_hcd.c:818
Reported-by: syzbot+205ef33a3b636b4181fb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=205ef33a3b636b4181fb
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250916014143.1439759-1-lizhi.xu@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/usbip/vhci_hcd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index a793e30d46b7..f67b4d33a0ab 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -830,15 +830,15 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
no_need_xmit:
usb_hcd_unlink_urb_from_ep(hcd, urb);
no_need_unlink:
- spin_unlock_irqrestore(&vhci->lock, flags);
if (!ret) {
/* usb_hcd_giveback_urb() should be called with
* irqs disabled
*/
- local_irq_disable();
+ spin_unlock(&vhci->lock);
usb_hcd_giveback_urb(hcd, urb, urb->status);
- local_irq_enable();
+ spin_lock(&vhci->lock);
}
+ spin_unlock_irqrestore(&vhci->lock, flags);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 137/567] usb: typec: ucsi: Handle incorrect num_connectors capability
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 136/567] usbip: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 138/567] iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains Greg Kroah-Hartman
` (443 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Pearson, Heikki Krogerus,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Pearson <mpearson-lenovo@squebb.ca>
[ Upstream commit 30cd2cb1abf4c4acdb1ddb468c946f68939819fb ]
The UCSI spec states that the num_connectors field is 7 bits, and the
8th bit is reserved and should be set to zero.
Some buggy FW has been known to set this bit, and it can lead to a
system not booting.
Flag that the FW is not behaving correctly, and auto-fix the value
so that the system boots correctly.
Found on Lenovo P1 G8 during Linux enablement program. The FW will
be fixed, but seemed worth addressing in case it hit platforms that
aren't officially Linux supported.
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250821185319.2585023-1-mpearson-lenovo@squebb.ca
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/ucsi/ucsi.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index 896e6bc1b5e2..9a0fb6a79b21 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1772,6 +1772,12 @@ static int ucsi_init(struct ucsi *ucsi)
ret = -ENODEV;
goto err_reset;
}
+ /* Check if reserved bit set. This is out of spec but happens in buggy FW */
+ if (ucsi->cap.num_connectors & 0x80) {
+ dev_warn(ucsi->dev, "UCSI: Invalid num_connectors %d. Likely buggy FW\n",
+ ucsi->cap.num_connectors);
+ ucsi->cap.num_connectors &= 0x7f; // clear bit and carry on
+ }
/* Allocate the connectors. Released in ucsi_unregister() */
connector = kcalloc(ucsi->cap.num_connectors + 1, sizeof(*connector), GFP_KERNEL);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 138/567] iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 137/567] usb: typec: ucsi: Handle incorrect num_connectors capability Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 139/567] usb: xhci: limit run_graceperiod for only usb 3.0 devices Greg Kroah-Hartman
` (442 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Pei Xiao,
Jonathan Cameron, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit c9fb952360d0c78bbe98239bd6b702f05c2dbb31 ]
FIELD_PREP() checks that a value fits into the available bitfield, add a
check for step_avg to fix gcc complains.
which gcc complains about:
drivers/iio/adc/ti_am335x_adc.c: In function 'tiadc_step_config':
include/linux/compiler_types.h:572:38: error: call to
'__compiletime_assert_491' declared with attribute error: FIELD_PREP: value
too large for the field include/linux/mfd/ti_am335x_tscadc.h:58:29: note:
in expansion of macro 'FIELD_PREP'
#define STEPCONFIG_AVG(val) FIELD_PREP(GENMASK(4, 2), (val))
^~~~~~~~~~
drivers/iio/adc/ti_am335x_adc.c:127:17: note: in expansion of macro 'STEPCONFIG_AVG'
stepconfig = STEPCONFIG_AVG(ffs(adc_dev->step_avg[i]) - 1)
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202510102117.Jqxrw1vF-lkp@intel.com/
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ti_am335x_adc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/adc/ti_am335x_adc.c b/drivers/iio/adc/ti_am335x_adc.c
index 426e3c9f88a1..205d1f103b3c 100644
--- a/drivers/iio/adc/ti_am335x_adc.c
+++ b/drivers/iio/adc/ti_am335x_adc.c
@@ -123,7 +123,7 @@ static void tiadc_step_config(struct iio_dev *indio_dev)
chan = adc_dev->channel_line[i];
- if (adc_dev->step_avg[i])
+ if (adc_dev->step_avg[i] && adc_dev->step_avg[i] <= STEPCONFIG_AVG_16)
stepconfig = STEPCONFIG_AVG(ffs(adc_dev->step_avg[i]) - 1) |
STEPCONFIG_FIFO1;
else
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 139/567] usb: xhci: limit run_graceperiod for only usb 3.0 devices
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 138/567] iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 140/567] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive Greg Kroah-Hartman
` (441 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hongyu Xie, Mathias Nyman,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongyu Xie <xiehongyu1@kylinos.cn>
[ Upstream commit 8d34983720155b8f05de765f0183d9b0e1345cc0 ]
run_graceperiod blocks usb 2.0 devices from auto suspending after
xhci_start for 500ms.
Log shows:
[ 13.387170] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.387177] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.387182] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.387188] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.387191] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
[ 13.387193] hcd_bus_resume:2303: usb usb7: usb auto-resume
[ 13.387296] hub_event:5779: hub 3-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.393343] handle_port_status:2034: xhci-hcd PNP0D10:02: handle_port_status: starting usb5 port polling.
[ 13.393353] xhci_hub_control:1271: xhci-hcd PNP0D10:02: Get port status 5-1 read: 0x206e1, return 0x10101
[ 13.400047] hub_suspend:3903: hub 3-0:1.0: hub_suspend
[ 13.403077] hub_resume:3948: hub 7-0:1.0: hub_resume
[ 13.403080] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.403085] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.403087] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.403090] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.403093] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
[ 13.403095] hcd_bus_resume:2303: usb usb7: usb auto-resume
[ 13.405002] handle_port_status:1913: xhci-hcd PNP0D10:04: Port change event, 9-1, id 1, portsc: 0x6e1
[ 13.405016] hub_activate:1169: usb usb5-port1: status 0101 change 0001
[ 13.405026] xhci_clear_port_change_bit:658: xhci-hcd PNP0D10:02: clear port1 connect change, portsc: 0x6e1
[ 13.413275] hcd_bus_suspend:2250: usb usb3: bus auto-suspend, wakeup 1
[ 13.419081] hub_resume:3948: hub 7-0:1.0: hub_resume
[ 13.419086] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.419095] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.419100] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.419106] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.419110] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
[ 13.419112] hcd_bus_resume:2303: usb usb7: usb auto-resume
[ 13.420455] handle_port_status:2034: xhci-hcd PNP0D10:04: handle_port_status: starting usb9 port polling.
[ 13.420493] handle_port_status:1913: xhci-hcd PNP0D10:05: Port change event, 10-1, id 1, portsc: 0x6e1
[ 13.425332] hcd_bus_suspend:2279: usb usb3: suspend raced with wakeup event
[ 13.431931] handle_port_status:2034: xhci-hcd PNP0D10:05: handle_port_status: starting usb10 port polling.
[ 13.435080] hub_resume:3948: hub 7-0:1.0: hub_resume
[ 13.435084] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.435092] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.435096] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.435102] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.435106] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
usb7 and other usb 2.0 root hub were rapidly toggling between suspend
and resume states. More, "suspend raced with wakeup event" confuses people.
So, limit run_graceperiod for only usb 3.0 devices
Signed-off-by: Hongyu Xie <xiehongyu1@kylinos.cn>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20251119142417.2820519-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-hub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index 69aedce9d67b..49cba1cdd91b 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1671,7 +1671,7 @@ int xhci_hub_status_data(struct usb_hcd *hcd, char *buf)
* SS devices are only visible to roothub after link training completes.
* Keep polling roothubs for a grace period after xHC start
*/
- if (xhci->run_graceperiod) {
+ if (hcd->speed >= HCD_USB3 && xhci->run_graceperiod) {
if (time_before(jiffies, xhci->run_graceperiod))
status = 1;
else
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 140/567] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 139/567] usb: xhci: limit run_graceperiod for only usb 3.0 devices Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 141/567] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Greg Kroah-Hartman
` (440 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Changcheng, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Changcheng <chenchangcheng@kylinos.cn>
[ Upstream commit 955a48a5353f4fe009704a9a4272a3adf627cd35 ]
The optical drive of EL-R12 has the same vid and pid as INIC-3069,
as follows:
T: Bus=02 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0
D: Ver= 3.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=13fd ProdID=3940 Rev= 3.10
S: Manufacturer=HL-DT-ST
S: Product= DVD+-RW GT80N
S: SerialNumber=423349524E4E38303338323439202020
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=144mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=02 Prot=50 Driver=usb-storage
E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=0a(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
This will result in the optical drive device also adding
the quirks of US_FL_NO_ATA_1X. When performing an erase operation,
it will fail, and the reason for the failure is as follows:
[ 388.967742] sr 5:0:0:0: [sr0] tag#0 Send: scmd 0x00000000d20c33a7
[ 388.967742] sr 5:0:0:0: [sr0] tag#0 CDB: ATA command pass through(12)/Blank a1 11 00 00 00 00 00 00 00 00 00 00
[ 388.967773] sr 5:0:0:0: [sr0] tag#0 Done: SUCCESS Result: hostbyte=DID_TARGET_FAILURE driverbyte=DRIVER_OK cmd_age=0s
[ 388.967773] sr 5:0:0:0: [sr0] tag#0 CDB: ATA command pass through(12)/Blank a1 11 00 00 00 00 00 00 00 00 00 00
[ 388.967803] sr 5:0:0:0: [sr0] tag#0 Sense Key : Illegal Request [current]
[ 388.967803] sr 5:0:0:0: [sr0] tag#0 Add. Sense: Invalid field in cdb
[ 388.967803] sr 5:0:0:0: [sr0] tag#0 scsi host busy 1 failed 0
[ 388.967803] sr 5:0:0:0: Notifying upper driver of completion (result 8100002)
[ 388.967834] sr 5:0:0:0: [sr0] tag#0 0 sectors total, 0 bytes done.
For the EL-R12 standard optical drive, all operational commands
and usage scenarios were tested without adding the IGNORE_RESIDUE quirks,
and no issues were encountered. It can be reasonably concluded
that removing the IGNORE_RESIDUE quirks has no impact.
Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
Link: https://patch.msgid.link/20251121064020.29332-1-chenchangcheng@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/storage/unusual_uas.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
index 1477e31d7763..b695f5ba9a40 100644
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160,
US_FL_NO_ATA_1X),
/* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
-UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
+UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309,
"Initio Corporation",
"INIC-3069",
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 141/567] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 140/567] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 142/567] libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map Greg Kroah-Hartman
` (439 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wenhua Lin, Cixi Geng, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenhua Lin <Wenhua.Lin@unisoc.com>
[ Upstream commit 29e8a0c587e328ed458380a45d6028adf64d7487 ]
In sprd_clk_init(), when devm_clk_get() returns -EPROBE_DEFER
for either uart or source clock, we should propagate the
error instead of just warning and continuing with NULL clocks.
Currently the driver only emits a warning when clock acquisition
fails and proceeds with NULL clock pointers. This can lead to
issues later when the clocks are actually needed. More importantly,
when the clock provider is not ready yet and returns -EPROBE_DEFER,
we should return this error to allow deferred probing.
This change adds explicit checks for -EPROBE_DEFER after both:
1. devm_clk_get(uport->dev, uart)
2. devm_clk_get(uport->dev, source)
When -EPROBE_DEFER is encountered, the function now returns
-EPROBE_DEFER to let the driver framework retry probing
later when the clock dependencies are resolved.
Signed-off-by: Wenhua Lin <Wenhua.Lin@unisoc.com>
Link: https://patch.msgid.link/20251022030840.956589-1-Wenhua.Lin@unisoc.com
Reviewed-by: Cixi Geng <cixi.geng@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sprd_serial.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
index 3fc54cc02a1f..c575c38b513d 100644
--- a/drivers/tty/serial/sprd_serial.c
+++ b/drivers/tty/serial/sprd_serial.c
@@ -1109,6 +1109,9 @@ static int sprd_clk_init(struct uart_port *uport)
clk_uart = devm_clk_get(uport->dev, "uart");
if (IS_ERR(clk_uart)) {
+ if (PTR_ERR(clk_uart) == -EPROBE_DEFER)
+ return -EPROBE_DEFER;
+
dev_warn(uport->dev, "uart%d can't get uart clock\n",
uport->line);
clk_uart = NULL;
@@ -1116,6 +1119,9 @@ static int sprd_clk_init(struct uart_port *uport)
clk_parent = devm_clk_get(uport->dev, "source");
if (IS_ERR(clk_parent)) {
+ if (PTR_ERR(clk_parent) == -EPROBE_DEFER)
+ return -EPROBE_DEFER;
+
dev_warn(uport->dev, "uart%d can't get source clock\n",
uport->line);
clk_parent = NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 142/567] libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 141/567] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 143/567] clk: qcom: dispcc-sm7150: Fix dispcc_mdss_pclk0_clk_src Greg Kroah-Hartman
` (438 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Ian Rogers,
Thomas Richter, Namhyung Kim, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit a0a4173631bfcfd3520192c0a61cf911d6a52c3a ]
Passing an empty map to perf_cpu_map__max triggered a SEGV. Explicitly
test for the empty map.
Reported-by: Ingo Molnar <mingo@kernel.org>
Closes: https://lore.kernel.org/linux-perf-users/aSwt7yzFjVJCEmVp@gmail.com/
Tested-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ian Rogers <irogers@google.com>
Tested-by: Thomas Richter <tmricht@linux.ibm.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/perf/cpumap.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/tools/lib/perf/cpumap.c b/tools/lib/perf/cpumap.c
index cae799ad44e1..e5938b91199f 100644
--- a/tools/lib/perf/cpumap.c
+++ b/tools/lib/perf/cpumap.c
@@ -409,10 +409,12 @@ struct perf_cpu perf_cpu_map__max(const struct perf_cpu_map *map)
.cpu = -1
};
- // cpu_map__trim_new() qsort()s it, cpu_map__default_new() sorts it as well.
- return __perf_cpu_map__nr(map) > 0
- ? __perf_cpu_map__cpu(map, __perf_cpu_map__nr(map) - 1)
- : result;
+ if (!map)
+ return result;
+
+ // The CPUs are always sorted and nr is always > 0 as 0 length map is
+ // encoded as NULL.
+ return __perf_cpu_map__cpu(map, __perf_cpu_map__nr(map) - 1);
}
/** Is 'b' a subset of 'a'. */
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 143/567] clk: qcom: dispcc-sm7150: Fix dispcc_mdss_pclk0_clk_src
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 142/567] libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 144/567] i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware Greg Kroah-Hartman
` (437 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jens Reidel, Dmitry Baryshkov,
Bjorn Andersson, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Reidel <adrian@mainlining.org>
[ Upstream commit e3c13e0caa8ceb7dec1a7c4fcfd9dbef56a69fbe ]
Set CLK_OPS_PARENT_ENABLE to ensure the parent gets prepared and enabled
when switching to it, fixing an "rcg didn't update its configuration"
warning.
Signed-off-by: Jens Reidel <adrian@mainlining.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250919-sm7150-dispcc-fixes-v1-3-308ad47c5fce@mainlining.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/dispcc-sm7150.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/dispcc-sm7150.c b/drivers/clk/qcom/dispcc-sm7150.c
index d32bd7df1433..1e2a98a63511 100644
--- a/drivers/clk/qcom/dispcc-sm7150.c
+++ b/drivers/clk/qcom/dispcc-sm7150.c
@@ -357,7 +357,7 @@ static struct clk_rcg2 dispcc_mdss_pclk0_clk_src = {
.name = "dispcc_mdss_pclk0_clk_src",
.parent_data = dispcc_parent_data_4,
.num_parents = ARRAY_SIZE(dispcc_parent_data_4),
- .flags = CLK_SET_RATE_PARENT,
+ .flags = CLK_SET_RATE_PARENT | CLK_OPS_PARENT_ENABLE,
.ops = &clk_pixel_ops,
},
};
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 144/567] i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 143/567] clk: qcom: dispcc-sm7150: Fix dispcc_mdss_pclk0_clk_src Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 145/567] nvme-fc: dont hold rport lock when putting ctrl Greg Kroah-Hartman
` (436 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Andy Shevchenko,
Mika Westerberg, Andi Shyti, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
[ Upstream commit d3429178ee51dd7155445d15a5ab87a45fae3c73 ]
When probing the I2C master, disable SMBus interrupts to prevent
storms caused by broken firmware mis-configuring IC_SMBUS=1; the
handler never services them and a mis-configured SMBUS Master
extend-clock timeout or SMBUS Slave extend-clock timeout can
flood the CPU.
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20251021075714.3712-2-guojinhui.liam@bytedance.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-designware-core.h | 1 +
drivers/i2c/busses/i2c-designware-master.c | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/drivers/i2c/busses/i2c-designware-core.h b/drivers/i2c/busses/i2c-designware-core.h
index 2d32896d0673..e3d76e423842 100644
--- a/drivers/i2c/busses/i2c-designware-core.h
+++ b/drivers/i2c/busses/i2c-designware-core.h
@@ -78,6 +78,7 @@
#define DW_IC_TX_ABRT_SOURCE 0x80
#define DW_IC_ENABLE_STATUS 0x9c
#define DW_IC_CLR_RESTART_DET 0xa8
+#define DW_IC_SMBUS_INTR_MASK 0xcc
#define DW_IC_COMP_PARAM_1 0xf4
#define DW_IC_COMP_VERSION 0xf8
#define DW_IC_SDA_HOLD_MIN_VERS 0x3131312A /* "111*" == v1.11* */
diff --git a/drivers/i2c/busses/i2c-designware-master.c b/drivers/i2c/busses/i2c-designware-master.c
index 52dc666c3ef4..196bb073c6bc 100644
--- a/drivers/i2c/busses/i2c-designware-master.c
+++ b/drivers/i2c/busses/i2c-designware-master.c
@@ -203,6 +203,13 @@ static int i2c_dw_init_master(struct dw_i2c_dev *dev)
/* Disable the adapter */
__i2c_dw_disable(dev);
+ /*
+ * Mask SMBus interrupts to block storms from broken
+ * firmware that leaves IC_SMBUS=1; the handler never
+ * services them.
+ */
+ regmap_write(dev->map, DW_IC_SMBUS_INTR_MASK, 0);
+
/* Write standard speed timing parameters */
regmap_write(dev->map, DW_IC_SS_SCL_HCNT, dev->ss_hcnt);
regmap_write(dev->map, DW_IC_SS_SCL_LCNT, dev->ss_lcnt);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 145/567] nvme-fc: dont hold rport lock when putting ctrl
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 144/567] i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 146/567] nvme-fabrics: add ENOKEY to no retry criteria for authentication failures Greg Kroah-Hartman
` (435 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Christoph Hellwig,
Daniel Wagner, Keith Busch, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit b71cbcf7d170e51148d5467820ae8a72febcb651 ]
nvme_fc_ctrl_put can acquire the rport lock when freeing the
ctrl object:
nvme_fc_ctrl_put
nvme_fc_ctrl_free
spin_lock_irqsave(rport->lock)
Thus we can't hold the rport lock when calling nvme_fc_ctrl_put.
Justin suggested use the safe list iterator variant because
nvme_fc_ctrl_put will also modify the rport->list.
Cc: Justin Tee <justin.tee@broadcom.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/fc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
index d01bd3c300fa..3d90ace0b537 100644
--- a/drivers/nvme/host/fc.c
+++ b/drivers/nvme/host/fc.c
@@ -1462,14 +1462,14 @@ nvme_fc_match_disconn_ls(struct nvme_fc_rport *rport,
{
struct fcnvme_ls_disconnect_assoc_rqst *rqst =
&lsop->rqstbuf->rq_dis_assoc;
- struct nvme_fc_ctrl *ctrl, *ret = NULL;
+ struct nvme_fc_ctrl *ctrl, *tmp, *ret = NULL;
struct nvmefc_ls_rcv_op *oldls = NULL;
u64 association_id = be64_to_cpu(rqst->associd.association_id);
unsigned long flags;
spin_lock_irqsave(&rport->lock, flags);
- list_for_each_entry(ctrl, &rport->ctrl_list, ctrl_list) {
+ list_for_each_entry_safe(ctrl, tmp, &rport->ctrl_list, ctrl_list) {
if (!nvme_fc_ctrl_get(ctrl))
continue;
spin_lock(&ctrl->lock);
@@ -1482,7 +1482,9 @@ nvme_fc_match_disconn_ls(struct nvme_fc_rport *rport,
if (ret)
/* leave the ctrl get reference */
break;
+ spin_unlock_irqrestore(&rport->lock, flags);
nvme_fc_ctrl_put(ctrl);
+ spin_lock_irqsave(&rport->lock, flags);
}
spin_unlock_irqrestore(&rport->lock, flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 146/567] nvme-fabrics: add ENOKEY to no retry criteria for authentication failures
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 145/567] nvme-fc: dont hold rport lock when putting ctrl Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 147/567] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Greg Kroah-Hartman
` (434 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wagner, Hannes Reinecke,
Justin Tee, Keith Busch, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Tee <justintee8345@gmail.com>
[ Upstream commit 13989207ee29c40501e719512e8dc90768325895 ]
With authentication, in addition to EKEYREJECTED there is also no point in
retrying reconnects when status is ENOKEY. Thus, add -ENOKEY as another
criteria to determine when to stop retries.
Cc: Daniel Wagner <wagi@kernel.org>
Cc: Hannes Reinecke <hare@suse.de>
Closes: https://lore.kernel.org/linux-nvme/20250829-nvme-fc-sync-v3-0-d69c87e63aee@kernel.org/
Signed-off-by: Justin Tee <justintee8345@gmail.com>
Tested-by: Daniel Wagner <wagi@kernel.org>
Reviewed-by: Daniel Wagner <wagi@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/fabrics.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/host/fabrics.c b/drivers/nvme/host/fabrics.c
index 432efcbf9e2f..2e47c56b2d4b 100644
--- a/drivers/nvme/host/fabrics.c
+++ b/drivers/nvme/host/fabrics.c
@@ -591,7 +591,7 @@ bool nvmf_should_reconnect(struct nvme_ctrl *ctrl, int status)
if (status > 0 && (status & NVME_STATUS_DNR))
return false;
- if (status == -EKEYREJECTED)
+ if (status == -EKEYREJECTED || status == -ENOKEY)
return false;
if (ctrl->opts->max_reconnects == -1 ||
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 147/567] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 146/567] nvme-fabrics: add ENOKEY to no retry criteria for authentication failures Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 148/567] MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Greg Kroah-Hartman
` (433 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chia-Lin Kao (AceLan), Hans de Goede,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
[ Upstream commit b169e1733cadb614e87f69d7a5ae1b186c50d313 ]
Dell Pro Rugged 10/12 tablets has a reliable VGBS method.
If VGBS is not called on boot, the on-screen keyboard won't appear if the
device is booted without a keyboard.
Call VGBS on boot on thess devices to get the initial state of
SW_TABLET_MODE in a reliable way.
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20251127070407.656463-1-acelan.kao@canonical.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/hid.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c
index 59392f1a0d8a..04056fbd9219 100644
--- a/drivers/platform/x86/intel/hid.c
+++ b/drivers/platform/x86/intel/hid.c
@@ -168,6 +168,18 @@ static const struct dmi_system_id dmi_vgbs_allow_list[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "HP Elite Dragonfly G2 Notebook PC"),
},
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Dell Pro Rugged 10 Tablet RA00260"),
+ },
+ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Dell Pro Rugged 12 Tablet RA02260"),
+ },
+ },
{ }
};
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 148/567] MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 147/567] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 149/567] scsi: scsi_debug: Fix atomic write enable module param description Greg Kroah-Hartman
` (432 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gregory CLEMENT, Thomas Bogendoerfer,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gregory CLEMENT <gregory.clement@bootlin.com>
[ Upstream commit 36dac9a3dda1f2bae343191bc16b910c603cac25 ]
Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of
dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used,
and this macro can generate more than 2 instructions. At the same
time, the code in ftrace assumes that no more than 2 instructions can
be generated, which is why it stores them in an int[2] array. However,
as previously noted, the macro UASM_i_LA_mostly (and now UASM_i_LA)
causes a buffer overflow when _mcount is beyond 32 bits. This leads to
corruption of the variables located in the __read_mostly section.
This corruption was observed because the variable
__cpu_primary_thread_mask was corrupted, causing a hang very early
during boot.
This fix prevents the corruption by avoiding the generation of
instructions if they could exceed 2 instructions in
length. Fortunately, insn_la_mcount is only used if the instrumented
code is located outside the kernel code section, so dynamic ftrace can
still be used, albeit in a more limited scope. This is still
preferable to corrupting memory and/or crashing the kernel.
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/kernel/ftrace.c | 25 +++++++++++++++++++++----
1 file changed, 21 insertions(+), 4 deletions(-)
diff --git a/arch/mips/kernel/ftrace.c b/arch/mips/kernel/ftrace.c
index f39e85fd58fa..b15615b28569 100644
--- a/arch/mips/kernel/ftrace.c
+++ b/arch/mips/kernel/ftrace.c
@@ -54,10 +54,20 @@ static inline void ftrace_dyn_arch_init_insns(void)
u32 *buf;
unsigned int v1;
- /* la v1, _mcount */
- v1 = 3;
- buf = (u32 *)&insn_la_mcount[0];
- UASM_i_LA(&buf, v1, MCOUNT_ADDR);
+ /* If we are not in compat space, the number of generated
+ * instructions will exceed the maximum expected limit of 2.
+ * To prevent buffer overflow, we avoid generating them.
+ * insn_la_mcount will not be used later in ftrace_make_call.
+ */
+ if (uasm_in_compat_space_p(MCOUNT_ADDR)) {
+ /* la v1, _mcount */
+ v1 = 3;
+ buf = (u32 *)&insn_la_mcount[0];
+ UASM_i_LA(&buf, v1, MCOUNT_ADDR);
+ } else {
+ pr_warn("ftrace: mcount address beyond 32 bits is not supported (%lX)\n",
+ MCOUNT_ADDR);
+ }
/* jal (ftrace_caller + 8), jump over the first two instruction */
buf = (u32 *)&insn_jal_ftrace_caller;
@@ -189,6 +199,13 @@ int ftrace_make_call(struct dyn_ftrace *rec, unsigned long addr)
unsigned int new;
unsigned long ip = rec->ip;
+ /* When the code to patch does not belong to the kernel code
+ * space, we must use insn_la_mcount. However, if MCOUNT_ADDR
+ * is not in compat space, insn_la_mcount is not usable.
+ */
+ if (!core_kernel_text(ip) && !uasm_in_compat_space_p(MCOUNT_ADDR))
+ return -EFAULT;
+
new = core_kernel_text(ip) ? insn_jal_ftrace_caller : insn_la_mcount[0];
#ifdef CONFIG_64BIT
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 149/567] scsi: scsi_debug: Fix atomic write enable module param description
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 148/567] MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 150/567] block: rnbd-clt: Fix signedness bug in init_dev() Greg Kroah-Hartman
` (431 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Garry, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Garry <john.g.garry@oracle.com>
[ Upstream commit 1f7d6e2efeedd8f545d3e0e9bf338023bf4ea584 ]
The atomic write enable module param is "atomic_wr", and not
"atomic_write", so fix the module param description.
Fixes: 84f3a3c01d70 ("scsi: scsi_debug: Atomic write support")
Signed-off-by: John Garry <john.g.garry@oracle.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20251211100651.9056-1-john.g.garry@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 89a2aaccdcfc..dfe38d34d051 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -6716,7 +6716,7 @@ MODULE_PARM_DESC(lbprz,
MODULE_PARM_DESC(lbpu, "enable LBP, support UNMAP command (def=0)");
MODULE_PARM_DESC(lbpws, "enable LBP, support WRITE SAME(16) with UNMAP bit (def=0)");
MODULE_PARM_DESC(lbpws10, "enable LBP, support WRITE SAME(10) with UNMAP bit (def=0)");
-MODULE_PARM_DESC(atomic_write, "enable ATOMIC WRITE support, support WRITE ATOMIC(16) (def=0)");
+MODULE_PARM_DESC(atomic_wr, "enable ATOMIC WRITE support, support WRITE ATOMIC(16) (def=0)");
MODULE_PARM_DESC(lowest_aligned, "lowest aligned lba (def=0)");
MODULE_PARM_DESC(lun_format, "LUN format: 0->peripheral (def); 1 --> flat address method");
MODULE_PARM_DESC(max_luns, "number of LUNs per target to simulate(def=1)");
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 150/567] block: rnbd-clt: Fix signedness bug in init_dev()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 149/567] scsi: scsi_debug: Fix atomic write enable module param description Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 151/567] vhost/vsock: improve RCU read sections around vhost_vsock_get() Greg Kroah-Hartman
` (430 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Jens Axboe,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 1ddb815fdfd45613c32e9bd1f7137428f298e541 ]
The "dev->clt_device_id" variable is set using ida_alloc_max() which
returns an int and in particular it returns negative error codes.
Change the type from u32 to int to fix the error checking.
Fixes: c9b5645fd8ca ("block: rnbd-clt: Fix leaked ID in init_dev()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/rnbd/rnbd-clt.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/rnbd/rnbd-clt.h b/drivers/block/rnbd/rnbd-clt.h
index a48e040abe63..fbc1ed766025 100644
--- a/drivers/block/rnbd/rnbd-clt.h
+++ b/drivers/block/rnbd/rnbd-clt.h
@@ -112,7 +112,7 @@ struct rnbd_clt_dev {
struct rnbd_queue *hw_queues;
u32 device_id;
/* local Idr index - used to track minor number allocations. */
- u32 clt_device_id;
+ int clt_device_id;
struct mutex lock;
enum rnbd_clt_dev_state dev_state;
refcount_t refcount;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 151/567] vhost/vsock: improve RCU read sections around vhost_vsock_get()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 150/567] block: rnbd-clt: Fix signedness bug in init_dev() Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 152/567] cifs: Fix memory and information leak in smb3_reconfigure() Greg Kroah-Hartman
` (429 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stefanha, Stefano Garzarella,
Jason Wang, Michael S. Tsirkin, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
vhost_vsock_get() uses hash_for_each_possible_rcu() to find the
`vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu()
should only be called within an RCU read section, as mentioned in the
following comment in include/linux/rculist.h:
/**
* hlist_for_each_entry_rcu - iterate over rcu list of given type
* @pos: the type * to use as a loop cursor.
* @head: the head for your list.
* @member: the name of the hlist_node within the struct.
* @cond: optional lockdep expression if called from non-RCU protection.
*
* This list-traversal primitive may safely run concurrently with
* the _rcu list-mutation primitives such as hlist_add_head_rcu()
* as long as the traversal is guarded by rcu_read_lock().
*/
Currently, all calls to vhost_vsock_get() are between rcu_read_lock()
and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and
vhost_vsock_reset_orphans(). In both cases, the current code is safe,
but we can make improvements to make it more robust.
About vhost_vsock_set_cid(), when building the kernel with
CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the
user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
WARNING: suspicious RCU usage
6.18.0-rc7 #62 Not tainted
-----------------------------
drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by rpc-libvirtd/3443:
#0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
stack backtrace:
CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
Call Trace:
<TASK>
dump_stack_lvl+0x75/0xb0
dump_stack+0x14/0x1a
lockdep_rcu_suspicious.cold+0x4e/0x97
vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
__x64_sys_ioctl+0x4f2/0xa00
x64_sys_call+0xed0/0x1da0
do_syscall_64+0x73/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
</TASK>
This is not a real problem, because the vhost_vsock_get() caller, i.e.
vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash
table writers. Anyway, to prevent that warning, add lockdep_is_held()
condition to hash_for_each_possible_rcu() to verify that either the
caller is in an RCU read section or `vhost_vsock_mutex` is held when
CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for
vhost_vsock_get() to better describe the locking requirements and the
scope of the returned pointer validity.
About vhost_vsock_reset_orphans(), currently this function is only
called via vsock_for_each_connected_socket(), which holds the
`vsock_table_lock` spinlock (which is also an RCU read-side critical
section). However, add an explicit RCU read lock there to make the code
more robust and explicit about the RCU requirements, and to prevent
issues if the calling context changes in the future or if
vhost_vsock_reset_orphans() is called from other contexts.
Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
Cc: stefanha@redhat.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
Message-ID: <20251126210313.GA499503@fedora>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/vsock.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
index 66a0f060770e..2dea6f868674 100644
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -64,14 +64,15 @@ static u32 vhost_transport_get_local_cid(void)
return VHOST_VSOCK_DEFAULT_HOST_CID;
}
-/* Callers that dereference the return value must hold vhost_vsock_mutex or the
- * RCU read lock.
+/* Callers must be in an RCU read section or hold the vhost_vsock_mutex.
+ * The return value can only be dereferenced while within the section.
*/
static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
{
struct vhost_vsock *vsock;
- hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
+ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid,
+ lockdep_is_held(&vhost_vsock_mutex)) {
u32 other_cid = vsock->guest_cid;
/* Skip instances that have no CID yet */
@@ -708,9 +709,15 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
* executing.
*/
+ rcu_read_lock();
+
/* If the peer is still valid, no need to reset connection */
- if (vhost_vsock_get(vsk->remote_addr.svm_cid))
+ if (vhost_vsock_get(vsk->remote_addr.svm_cid)) {
+ rcu_read_unlock();
return;
+ }
+
+ rcu_read_unlock();
/* If the close timeout is pending, let it expire. This avoids races
* with the timeout callback.
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 152/567] cifs: Fix memory and information leak in smb3_reconfigure()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 151/567] vhost/vsock: improve RCU read sections around vhost_vsock_get() Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 153/567] KEYS: trusted: Fix a memory leak in tpm2_load_cmd Greg Kroah-Hartman
` (428 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, ChenXiaoSong,
Steve French, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d ]
In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the
function returns immediately without freeing and erasing the newly
allocated new_password and new_password2. This causes both a memory leak
and a potential information leak.
Fix this by calling kfree_sensitive() on both password buffers before
returning in this error case.
Fixes: 0f0e357902957 ("cifs: during remount, make sure passwords are in sync")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/fs_context.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index 17133adfe798..ee9c95811477 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1011,6 +1011,8 @@ static int smb3_reconfigure(struct fs_context *fc)
rc = smb3_sync_session_ctx_passwords(cifs_sb, ses);
if (rc) {
mutex_unlock(&ses->session_mutex);
+ kfree_sensitive(new_password);
+ kfree_sensitive(new_password2);
return rc;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 153/567] KEYS: trusted: Fix a memory leak in tpm2_load_cmd
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 152/567] cifs: Fix memory and information leak in smb3_reconfigure() Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 154/567] io_uring: fix filename leak in __io_openat_prep() Greg Kroah-Hartman
` (427 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jarkko Sakkinen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko@kernel.org>
commit 62cd5d480b9762ce70d720a81fa5b373052ae05f upstream.
'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode'
but it is not freed in the failure paths. Address this by wrapping the blob
into with a cleanup helper.
Cc: stable@vger.kernel.org # v5.13+
Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs")
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/trusted-keys/trusted_tpm2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/security/keys/trusted-keys/trusted_tpm2.c
+++ b/security/keys/trusted-keys/trusted_tpm2.c
@@ -387,6 +387,7 @@ static int tpm2_load_cmd(struct tpm_chip
struct trusted_key_options *options,
u32 *blob_handle)
{
+ u8 *blob_ref __free(kfree) = NULL;
struct tpm_buf buf;
unsigned int private_len;
unsigned int public_len;
@@ -400,6 +401,9 @@ static int tpm2_load_cmd(struct tpm_chip
/* old form */
blob = payload->blob;
payload->old_format = 1;
+ } else {
+ /* Bind for cleanup: */
+ blob_ref = blob;
}
/* new format carries keyhandle but old format doesn't */
@@ -464,8 +468,6 @@ static int tpm2_load_cmd(struct tpm_chip
(__be32 *) &buf.data[TPM_HEADER_SIZE]);
out:
- if (blob != payload->blob)
- kfree(blob);
tpm_buf_destroy(&buf);
if (rc > 0)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 154/567] io_uring: fix filename leak in __io_openat_prep()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 153/567] KEYS: trusted: Fix a memory leak in tpm2_load_cmd Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 155/567] x86/mce: Do not clear banks poll bit in mce_poll_banks on AMD SMCA systems Greg Kroah-Hartman
` (426 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+00e61c43eb5e4740438f,
Prithvi Tambewagh, Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prithvi Tambewagh <activprithvi@gmail.com>
commit b14fad555302a2104948feaff70503b64c80ac01 upstream.
__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
the memory for the newly allocated struct filename is not cleaned up,
causing a memory leak.
Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
successful getname() call, so that when the request is torn down, the
filename will be cleaned up, along with other resources needing cleanup.
Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
Tested-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
Fixes: b9445598d8c6 ("io_uring: openat directly into fixed fd table")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/openclose.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/openclose.c
+++ b/io_uring/openclose.c
@@ -70,13 +70,13 @@ static int __io_openat_prep(struct io_ki
open->filename = NULL;
return ret;
}
+ req->flags |= REQ_F_NEED_CLEANUP;
open->file_slot = READ_ONCE(sqe->file_index);
if (open->file_slot && (open->how.flags & O_CLOEXEC))
return -EINVAL;
open->nofile = rlimit(RLIMIT_NOFILE);
- req->flags |= REQ_F_NEED_CLEANUP;
if (io_openat_force_async(open))
req->flags |= REQ_F_FORCE_ASYNC;
return 0;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 155/567] x86/mce: Do not clear banks poll bit in mce_poll_banks on AMD SMCA systems
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 154/567] io_uring: fix filename leak in __io_openat_prep() Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 156/567] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Greg Kroah-Hartman
` (425 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Avadhut Naik, Borislav Petkov (AMD)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Avadhut Naik <avadhut.naik@amd.com>
commit d7ac083f095d894a0b8ac0573516bfd035e6b25a upstream.
Currently, when a CMCI storm detected on a Machine Check bank, subsides, the
bank's corresponding bit in the mce_poll_banks per-CPU variable is cleared
unconditionally by cmci_storm_end().
On AMD SMCA systems, this essentially disables polling on that particular bank
on that CPU. Consequently, any subsequent correctable errors or storms will not
be logged.
Since AMD SMCA systems allow banks to be managed by both polling and
interrupts, the polling banks bitmap for a CPU, i.e., mce_poll_banks, should
not be modified when a storm subsides.
Fixes: 7eae17c4add5 ("x86/mce: Add per-bank CMCI storm mitigation")
Signed-off-by: Avadhut Naik <avadhut.naik@amd.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251121190542.2447913-2-avadhut.naik@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/mce/threshold.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/mce/threshold.c
+++ b/arch/x86/kernel/cpu/mce/threshold.c
@@ -85,7 +85,8 @@ void cmci_storm_end(unsigned int bank)
{
struct mca_storm_desc *storm = this_cpu_ptr(&storm_desc);
- __clear_bit(bank, this_cpu_ptr(mce_poll_banks));
+ if (!mce_flags.amd_threshold)
+ __clear_bit(bank, this_cpu_ptr(mce_poll_banks));
storm->banks[bank].history = 0;
storm->banks[bank].in_storm_mode = false;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 156/567] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 155/567] x86/mce: Do not clear banks poll bit in mce_poll_banks on AMD SMCA systems Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 157/567] perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister() Greg Kroah-Hartman
` (424 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sarthak Garg, Bjorn Andersson,
Adrian Hunter, Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarthak Garg <sarthak.garg@oss.qualcomm.com>
commit b1f856b1727c2eaa4be2c6d7cd7a8ed052bbeb87 upstream.
According to the hardware programming guide, the clock frequency must
remain below 52MHz during the transition to HS400 mode.
However,in the current implementation, the timing is set to HS400 (a
DDR mode) before adjusting the clock. This causes the clock to double
prematurely to 104MHz during the transition phase, violating the
specification and potentially resulting in CRC errors or CMD timeouts.
This change ensures that clock doubling is avoided during intermediate
transitions and is applied only when the card requires a 200MHz clock
for HS400 operation.
Signed-off-by: Sarthak Garg <sarthak.garg@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-msm.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
--- a/drivers/mmc/host/sdhci-msm.c
+++ b/drivers/mmc/host/sdhci-msm.c
@@ -344,41 +344,43 @@ static void sdhci_msm_v5_variant_writel_
writel_relaxed(val, host->ioaddr + offset);
}
-static unsigned int msm_get_clock_mult_for_bus_mode(struct sdhci_host *host)
+static unsigned int msm_get_clock_mult_for_bus_mode(struct sdhci_host *host,
+ unsigned int clock,
+ unsigned int timing)
{
- struct mmc_ios ios = host->mmc->ios;
/*
* The SDHC requires internal clock frequency to be double the
* actual clock that will be set for DDR mode. The controller
* uses the faster clock(100/400MHz) for some of its parts and
* send the actual required clock (50/200MHz) to the card.
*/
- if (ios.timing == MMC_TIMING_UHS_DDR50 ||
- ios.timing == MMC_TIMING_MMC_DDR52 ||
- ios.timing == MMC_TIMING_MMC_HS400 ||
+ if (timing == MMC_TIMING_UHS_DDR50 ||
+ timing == MMC_TIMING_MMC_DDR52 ||
+ (timing == MMC_TIMING_MMC_HS400 &&
+ clock == MMC_HS200_MAX_DTR) ||
host->flags & SDHCI_HS400_TUNING)
return 2;
return 1;
}
static void msm_set_clock_rate_for_bus_mode(struct sdhci_host *host,
- unsigned int clock)
+ unsigned int clock,
+ unsigned int timing)
{
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
- struct mmc_ios curr_ios = host->mmc->ios;
struct clk *core_clk = msm_host->bulk_clks[0].clk;
unsigned long achieved_rate;
unsigned int desired_rate;
unsigned int mult;
int rc;
- mult = msm_get_clock_mult_for_bus_mode(host);
+ mult = msm_get_clock_mult_for_bus_mode(host, clock, timing);
desired_rate = clock * mult;
rc = dev_pm_opp_set_rate(mmc_dev(host->mmc), desired_rate);
if (rc) {
pr_err("%s: Failed to set clock at rate %u at timing %d\n",
- mmc_hostname(host->mmc), desired_rate, curr_ios.timing);
+ mmc_hostname(host->mmc), desired_rate, timing);
return;
}
@@ -397,7 +399,7 @@ static void msm_set_clock_rate_for_bus_m
msm_host->clk_rate = desired_rate;
pr_debug("%s: Setting clock at rate %lu at timing %d\n",
- mmc_hostname(host->mmc), achieved_rate, curr_ios.timing);
+ mmc_hostname(host->mmc), achieved_rate, timing);
}
/* Platform specific tuning */
@@ -1239,7 +1241,7 @@ static int sdhci_msm_execute_tuning(stru
*/
if (host->flags & SDHCI_HS400_TUNING) {
sdhci_msm_hc_select_mode(host);
- msm_set_clock_rate_for_bus_mode(host, ios.clock);
+ msm_set_clock_rate_for_bus_mode(host, ios.clock, ios.timing);
host->flags &= ~SDHCI_HS400_TUNING;
}
@@ -1864,6 +1866,7 @@ static void sdhci_msm_set_clock(struct s
{
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
+ struct mmc_ios ios = host->mmc->ios;
if (!clock) {
host->mmc->actual_clock = msm_host->clk_rate = 0;
@@ -1872,7 +1875,7 @@ static void sdhci_msm_set_clock(struct s
sdhci_msm_hc_select_mode(host);
- msm_set_clock_rate_for_bus_mode(host, clock);
+ msm_set_clock_rate_for_bus_mode(host, ios.clock, ios.timing);
out:
__sdhci_msm_set_clock(host, clock);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 157/567] perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 156/567] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Greg Kroah-Hartman
@ 2026-01-06 16:58 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 158/567] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Greg Kroah-Hartman
` (423 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Will Deacon
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 970e1e41805f0bd49dc234330a9390f4708d097d upstream.
driver_find_device() calls get_device() to increment the reference
count once a matching device is found. device_release_driver()
releases the driver, but it does not decrease the reference count that
was incremented by driver_find_device(). At the end of the loop, there
is no put_device() to balance the reference count. To avoid reference
count leakage, add put_device() to decrease the reference count.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: bfc653aa89cb ("perf: arm_cspmu: Separate Arm and vendor module")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/perf/arm_cspmu/arm_cspmu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/perf/arm_cspmu/arm_cspmu.c
+++ b/drivers/perf/arm_cspmu/arm_cspmu.c
@@ -1412,8 +1412,10 @@ void arm_cspmu_impl_unregister(const str
/* Unbind the driver from all matching backend devices. */
while ((dev = driver_find_device(&arm_cspmu_driver.driver, NULL,
- match, arm_cspmu_match_device)))
+ match, arm_cspmu_match_device))) {
device_release_driver(dev);
+ put_device(dev);
+ }
mutex_lock(&arm_cspmu_lock);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 158/567] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-01-06 16:58 ` [PATCH 6.12 157/567] perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister() Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 159/567] s390/dasd: Fix gendisk parent after copy pair swap Greg Kroah-Hartman
` (422 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Eric Biggers
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 2f22115709fc7ebcfa40af3367a508fbbd2f71e9 upstream.
In the C code, the 'inc' argument to the assembly functions
blake2s_compress_ssse3() and blake2s_compress_avx512() is declared with
type u32, matching blake2s_compress(). The assembly code then reads it
from the 64-bit %rcx. However, the ABI doesn't guarantee zero-extension
to 64 bits, nor do gcc or clang guarantee it. Therefore, fix these
functions to read this argument from the 32-bit %ecx.
In theory, this bug could have caused the wrong 'inc' value to be used,
causing incorrect BLAKE2s hashes. In practice, probably not: I've fixed
essentially this same bug in many other assembly files too, but there's
never been a real report of it having caused a problem. In x86_64, all
writes to 32-bit registers are zero-extended to 64 bits. That results
in zero-extension in nearly all situations. I've only been able to
demonstrate a lack of zero-extension with a somewhat contrived example
involving truncation, e.g. when the C code has a u64 variable holding
0x1234567800000040 and passes it as a u32 expecting it to be truncated
to 0x40 (64). But that's not what the real code does, of course.
Fixes: ed0356eda153 ("crypto: blake2s - x86_64 SIMD implementation")
Cc: stable@vger.kernel.org
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20251102234209.62133-2-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/crypto/blake2s-core.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/crypto/blake2s-core.S
+++ b/arch/x86/crypto/blake2s-core.S
@@ -54,7 +54,7 @@ SYM_FUNC_START(blake2s_compress_ssse3)
movdqa ROT16(%rip),%xmm12
movdqa ROR328(%rip),%xmm13
movdqu 0x20(%rdi),%xmm14
- movq %rcx,%xmm15
+ movd %ecx,%xmm15
leaq SIGMA+0xa0(%rip),%r8
jmp .Lbeginofloop
.align 32
@@ -179,7 +179,7 @@ SYM_FUNC_START(blake2s_compress_avx512)
vmovdqu (%rdi),%xmm0
vmovdqu 0x10(%rdi),%xmm1
vmovdqu 0x20(%rdi),%xmm4
- vmovq %rcx,%xmm5
+ vmovd %ecx,%xmm5
vmovdqa IV(%rip),%xmm14
vmovdqa IV+16(%rip),%xmm15
jmp .Lblake2s_compress_avx512_mainloop
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 159/567] s390/dasd: Fix gendisk parent after copy pair swap
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 158/567] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 160/567] wifi: mt76: Fix DTS power-limits on little endian systems Greg Kroah-Hartman
` (421 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Stefan Haberland,
Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit c943bfc6afb8d0e781b9b7406f36caa8bbf95cb9 upstream.
After a copy pair swap the block device's "device" symlink points to
the secondary CCW device, but the gendisk's parent remained the
primary, leaving /sys/block/<dasdx> under the wrong parent.
Move the gendisk to the secondary's device with device_move(), keeping
the sysfs topology consistent after the swap.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6149,6 +6149,7 @@ static int dasd_eckd_copy_pair_swap(stru
struct dasd_copy_relation *copy;
struct dasd_block *block;
struct gendisk *gdp;
+ int rc;
copy = device->copy;
if (!copy)
@@ -6183,6 +6184,13 @@ static int dasd_eckd_copy_pair_swap(stru
/* swap blocklayer device link */
gdp = block->gdp;
dasd_add_link_to_gendisk(gdp, secondary);
+ rc = device_move(disk_to_dev(gdp), &secondary->cdev->dev, DPM_ORDER_NONE);
+ if (rc) {
+ dev_err(&primary->cdev->dev,
+ "copy_pair_swap: moving blockdevice parent %s->%s failed (%d)\n",
+ dev_name(&primary->cdev->dev),
+ dev_name(&secondary->cdev->dev), rc);
+ }
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 160/567] wifi: mt76: Fix DTS power-limits on little endian systems
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 159/567] s390/dasd: Fix gendisk parent after copy pair swap Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 161/567] block: rate-limit capacity change info log Greg Kroah-Hartman
` (420 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Eckelmann (Plasma Cloud),
Felix Fietkau
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann (Plasma Cloud) <se@simonwunderlich.de>
commit 38b845e1f9e810869b0a0b69f202b877b7b7fb12 upstream.
The power-limits for ru and mcs and stored in the devicetree as bytewise
array (often with sizes which are not a multiple of 4). These arrays have a
prefix which defines for how many modes a line is applied. This prefix is
also only a byte - but the code still tried to fix the endianness of this
byte with a be32 operation. As result, loading was mostly failing or was
sending completely unexpected values to the firmware.
Since the other rates are also stored in the devicetree as bytewise arrays,
just drop the u32 access + be32_to_cpu conversion and directly access them
as bytes arrays.
Cc: stable@vger.kernel.org
Fixes: 22b980badc0f ("mt76: add functions for parsing rate power limits from DT")
Fixes: a9627d992b5e ("mt76: extend DT rate power limits to support 11ax devices")
Signed-off-by: Sven Eckelmann (Plasma Cloud) <se@simonwunderlich.de>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/eeprom.c | 37 ++++++++++++++++++----------
1 file changed, 24 insertions(+), 13 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/eeprom.c
+++ b/drivers/net/wireless/mediatek/mt76/eeprom.c
@@ -253,6 +253,19 @@ mt76_get_of_array(struct device_node *np
return prop->value;
}
+static const s8 *
+mt76_get_of_array_s8(struct device_node *np, char *name, size_t *len, int min)
+{
+ struct property *prop = of_find_property(np, name, NULL);
+
+ if (!prop || !prop->value || prop->length < min)
+ return NULL;
+
+ *len = prop->length;
+
+ return prop->value;
+}
+
struct device_node *
mt76_find_channel_node(struct device_node *np, struct ieee80211_channel *chan)
{
@@ -294,7 +307,7 @@ mt76_get_txs_delta(struct device_node *n
}
static void
-mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const __be32 *data,
+mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const s8 *data,
s8 target_power, s8 nss_delta, s8 *max_power)
{
int i;
@@ -303,15 +316,14 @@ mt76_apply_array_limit(s8 *pwr, size_t p
return;
for (i = 0; i < pwr_len; i++) {
- pwr[i] = min_t(s8, target_power,
- be32_to_cpu(data[i]) + nss_delta);
+ pwr[i] = min_t(s8, target_power, data[i] + nss_delta);
*max_power = max(*max_power, pwr[i]);
}
}
static void
mt76_apply_multi_array_limit(s8 *pwr, size_t pwr_len, s8 pwr_num,
- const __be32 *data, size_t len, s8 target_power,
+ const s8 *data, size_t len, s8 target_power,
s8 nss_delta, s8 *max_power)
{
int i, cur;
@@ -319,8 +331,7 @@ mt76_apply_multi_array_limit(s8 *pwr, si
if (!data)
return;
- len /= 4;
- cur = be32_to_cpu(data[0]);
+ cur = data[0];
for (i = 0; i < pwr_num; i++) {
if (len < pwr_len + 1)
break;
@@ -335,7 +346,7 @@ mt76_apply_multi_array_limit(s8 *pwr, si
if (!len)
break;
- cur = be32_to_cpu(data[0]);
+ cur = data[0];
}
}
@@ -346,7 +357,7 @@ s8 mt76_get_rate_power_limits(struct mt7
{
struct mt76_dev *dev = phy->dev;
struct device_node *np;
- const __be32 *val;
+ const s8 *val;
char name[16];
u32 mcs_rates = dev->drv->mcs_rates;
u32 ru_rates = ARRAY_SIZE(dest->ru[0]);
@@ -392,21 +403,21 @@ s8 mt76_get_rate_power_limits(struct mt7
txs_delta = mt76_get_txs_delta(np, hweight16(phy->chainmask));
- val = mt76_get_of_array(np, "rates-cck", &len, ARRAY_SIZE(dest->cck));
+ val = mt76_get_of_array_s8(np, "rates-cck", &len, ARRAY_SIZE(dest->cck));
mt76_apply_array_limit(dest->cck, ARRAY_SIZE(dest->cck), val,
target_power, txs_delta, &max_power);
- val = mt76_get_of_array(np, "rates-ofdm",
- &len, ARRAY_SIZE(dest->ofdm));
+ val = mt76_get_of_array_s8(np, "rates-ofdm",
+ &len, ARRAY_SIZE(dest->ofdm));
mt76_apply_array_limit(dest->ofdm, ARRAY_SIZE(dest->ofdm), val,
target_power, txs_delta, &max_power);
- val = mt76_get_of_array(np, "rates-mcs", &len, mcs_rates + 1);
+ val = mt76_get_of_array_s8(np, "rates-mcs", &len, mcs_rates + 1);
mt76_apply_multi_array_limit(dest->mcs[0], ARRAY_SIZE(dest->mcs[0]),
ARRAY_SIZE(dest->mcs), val, len,
target_power, txs_delta, &max_power);
- val = mt76_get_of_array(np, "rates-ru", &len, ru_rates + 1);
+ val = mt76_get_of_array_s8(np, "rates-ru", &len, ru_rates + 1);
mt76_apply_multi_array_limit(dest->ru[0], ARRAY_SIZE(dest->ru[0]),
ARRAY_SIZE(dest->ru), val, len,
target_power, txs_delta, &max_power);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 161/567] block: rate-limit capacity change info log
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 160/567] wifi: mt76: Fix DTS power-limits on little endian systems Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 162/567] floppy: fix for PAGE_SIZE != 4KB Greg Kroah-Hartman
` (419 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Chen, Chaitanya Kulkarni,
Bart Van Assche, Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Chen <chenl311@chinatelecom.cn>
commit 3179a5f7f86bcc3acd5d6fb2a29f891ef5615852 upstream.
loop devices under heavy stress-ng loop streessor can trigger many
capacity change events in a short time. Each event prints an info
message from set_capacity_and_notify(), flooding the console and
contributing to soft lockups on slow consoles.
Switch the printk in set_capacity_and_notify() to
pr_info_ratelimited() so frequent capacity changes do not spam
the log while still reporting occasional changes.
Cc: stable@vger.kernel.org
Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/genhd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -83,7 +83,7 @@ bool set_capacity_and_notify(struct gend
(disk->flags & GENHD_FL_HIDDEN))
return false;
- pr_info("%s: detected capacity change from %lld to %lld\n",
+ pr_info_ratelimited("%s: detected capacity change from %lld to %lld\n",
disk->disk_name, capacity, size);
/*
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 162/567] floppy: fix for PAGE_SIZE != 4KB
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 161/567] block: rate-limit capacity change info log Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 163/567] kallsyms: Fix wrong "big" kernel symbol type read from procfs Greg Kroah-Hartman
` (418 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rene Rebe <rene@exactco.de>
commit 82d20481024cbae2ea87fe8b86d12961bfda7169 upstream.
For years I wondered why the floppy driver does not just work on
sparc64, e.g:
root@SUNW_375_0066:# disktype /dev/fd0
disktype: Can't open /dev/fd0: No such device or address
[ 525.341906] disktype: attempt to access beyond end of device
fd0: rw=0, sector=0, nr_sectors = 16 limit=8
[ 525.341991] floppy: error 10 while reading block 0
Turns out floppy.c __floppy_read_block_0 tries to read one page for
the first test read to determine the disk size and thus fails if that
is greater than 4k. Adjust minimum MAX_DISK_SIZE to PAGE_SIZE to fix
floppy on sparc64 and likely all other PAGE_SIZE != 4KB configs.
Cc: stable@vger.kernel.org
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/floppy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -331,7 +331,7 @@ static bool initialized;
* This default is used whenever the current disk size is unknown.
* [Now it is rather a minimum]
*/
-#define MAX_DISK_SIZE 4 /* 3984 */
+#define MAX_DISK_SIZE (PAGE_SIZE / 1024)
/*
* globals used by 'result()'
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 163/567] kallsyms: Fix wrong "big" kernel symbol type read from procfs
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 162/567] floppy: fix for PAGE_SIZE != 4KB Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 164/567] fs/ntfs3: fix mount failure for sparse runs in run_unpack() Greg Kroah-Hartman
` (417 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zheng Yejian, Gary Guo, Miguel Ojeda
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Yejian <zhengyejian@huaweicloud.com>
commit f3f9f42232dee596d15491ca3f611d02174db49c upstream.
Currently when the length of a symbol is longer than 0x7f characters,
its type shown in /proc/kallsyms can be incorrect.
I found this issue when reading the code, but it can be reproduced by
following steps:
1. Define a function which symbol length is 130 characters:
#define X13(x) x##x##x##x##x##x##x##x##x##x##x##x##x
static noinline void X13(x123456789)(void)
{
printk("hello world\n");
}
2. The type in vmlinux is 't':
$ nm vmlinux | grep x123456
ffffffff816290f0 t x123456789x123456789x123456789x12[...]
3. Then boot the kernel, the type shown in /proc/kallsyms becomes 'g'
instead of the expected 't':
# cat /proc/kallsyms | grep x123456
ffffffff816290f0 g x123456789x123456789x123456789x12[...]
The root cause is that, after commit 73bbb94466fd ("kallsyms: support
"big" kernel symbols"), ULEB128 was used to encode symbol name length.
That is, for "big" kernel symbols of which name length is longer than
0x7f characters, the length info is encoded into 2 bytes.
kallsyms_get_symbol_type() expects to read the first char of the
symbol name which indicates the symbol type. However, due to the
"big" symbol case not being handled, the symbol type read from
/proc/kallsyms may be wrong, so handle it properly.
Cc: stable@vger.kernel.org
Fixes: 73bbb94466fd ("kallsyms: support "big" kernel symbols")
Signed-off-by: Zheng Yejian <zhengyejian@huaweicloud.com>
Acked-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20241011143853.3022643-1-zhengyejian@huaweicloud.com
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kallsyms.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -103,8 +103,11 @@ static char kallsyms_get_symbol_type(uns
{
/*
* Get just the first code, look it up in the token table,
- * and return the first char from this token.
+ * and return the first char from this token. If MSB of length
+ * is 1, it is a "big" symbol, so needs an additional byte.
*/
+ if (kallsyms_names[off] & 0x80)
+ off++;
return kallsyms_token_table[kallsyms_token_index[kallsyms_names[off + 1]]];
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 164/567] fs/ntfs3: fix mount failure for sparse runs in run_unpack()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 163/567] kallsyms: Fix wrong "big" kernel symbol type read from procfs Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 165/567] ktest.pl: Fix uninitialized var in config-bisect.pl Greg Kroah-Hartman
` (416 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
commit 801f614ba263cb37624982b27b4c82f3c3c597a9 upstream.
Some NTFS volumes failed to mount because sparse data runs were not
handled correctly during runlist unpacking. The code performed arithmetic
on the special SPARSE_LCN64 marker, leading to invalid LCN values and
mount errors.
Add an explicit check for the case described above, marking the run as
sparse without applying arithmetic.
Fixes: 736fc7bf5f68 ("fs: ntfs3: Fix integer overflow in run_unpack()")
Cc: stable@vger.kernel.org
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/run.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -984,8 +984,12 @@ int run_unpack(struct runs_tree *run, st
if (!dlcn)
return -EINVAL;
- if (check_add_overflow(prev_lcn, dlcn, &lcn))
+ /* Check special combination: 0 + SPARSE_LCN64. */
+ if (!prev_lcn && dlcn == SPARSE_LCN64) {
+ lcn = SPARSE_LCN64;
+ } else if (check_add_overflow(prev_lcn, dlcn, &lcn)) {
return -EINVAL;
+ }
prev_lcn = lcn;
} else {
/* The size of 'dlcn' can't be > 8. */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 165/567] ktest.pl: Fix uninitialized var in config-bisect.pl
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 164/567] fs/ntfs3: fix mount failure for sparse runs in run_unpack() Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 166/567] tpm: Cap the number of PCR banks Greg Kroah-Hartman
` (415 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley, John W. Krahn,
Steven Rostedt
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit d3042cbe84a060b4df764eb6c5300bbe20d125ca upstream.
The error path of copying the old config used the wrong variable in the
error message:
$ mkdir /tmp/build
$ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad
$ chmod 0 /tmp/build
$ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad good
cp /tmp/build//.config config-good.tmp ... [0 seconds] FAILED!
Use of uninitialized value $config in concatenation (.) or string at ./tools/testing/ktest/config-bisect.pl line 744.
failed to copy to config-good.tmp
When it should have shown:
failed to copy /tmp/build//.config to config-good.tmp
Cc: stable@vger.kernel.org
Cc: John 'Warthog9' Hawley <warthog9@kernel.org>
Fixes: 0f0db065999cf ("ktest: Add standalone config-bisect.pl program")
Link: https://patch.msgid.link/20251203180924.6862bd26@gandalf.local.home
Reported-by: "John W. Krahn" <jwkrahn@shaw.ca>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/ktest/config-bisect.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/tools/testing/ktest/config-bisect.pl
+++ b/tools/testing/ktest/config-bisect.pl
@@ -741,9 +741,9 @@ if ($start) {
die "Can not find file $bad\n";
}
if ($val eq "good") {
- run_command "cp $output_config $good" or die "failed to copy $config to $good\n";
+ run_command "cp $output_config $good" or die "failed to copy $output_config to $good\n";
} elsif ($val eq "bad") {
- run_command "cp $output_config $bad" or die "failed to copy $config to $bad\n";
+ run_command "cp $output_config $bad" or die "failed to copy $output_config to $bad\n";
}
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 166/567] tpm: Cap the number of PCR banks
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 165/567] ktest.pl: Fix uninitialized var in config-bisect.pl Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 167/567] ext4: fix string copying in parse_apply_sb_mount_options() Greg Kroah-Hartman
` (414 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lai Yi, Jonathan McDowell,
Roberto Sassu, Jarkko Sakkinen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
commit faf07e611dfa464b201223a7253e9dc5ee0f3c9e upstream.
tpm2_get_pcr_allocation() does not cap any upper limit for the number of
banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause on only limited harm.
Cc: stable@vger.kernel.org # v5.10+
Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array")
Tested-by: Lai Yi <yi1.lai@linux.intel.com>
Reviewed-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm-chip.c | 1 -
drivers/char/tpm/tpm1-cmd.c | 5 -----
drivers/char/tpm/tpm2-cmd.c | 8 +++-----
include/linux/tpm.h | 8 +++++---
4 files changed, 8 insertions(+), 14 deletions(-)
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -282,7 +282,6 @@ static void tpm_dev_release(struct devic
kfree(chip->work_space.context_buf);
kfree(chip->work_space.session_buf);
- kfree(chip->allocated_banks);
#ifdef CONFIG_TCG_TPM2_HMAC
kfree(chip->auth);
#endif
--- a/drivers/char/tpm/tpm1-cmd.c
+++ b/drivers/char/tpm/tpm1-cmd.c
@@ -799,11 +799,6 @@ int tpm1_pm_suspend(struct tpm_chip *chi
*/
int tpm1_get_pcr_allocation(struct tpm_chip *chip)
{
- chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks),
- GFP_KERNEL);
- if (!chip->allocated_banks)
- return -ENOMEM;
-
chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -602,11 +602,9 @@ ssize_t tpm2_get_pcr_allocation(struct t
nr_possible_banks = be32_to_cpup(
(__be32 *)&buf.data[TPM_HEADER_SIZE + 5]);
-
- chip->allocated_banks = kcalloc(nr_possible_banks,
- sizeof(*chip->allocated_banks),
- GFP_KERNEL);
- if (!chip->allocated_banks) {
+ if (nr_possible_banks > TPM2_MAX_PCR_BANKS) {
+ pr_err("tpm: out of bank capacity: %u > %u\n",
+ nr_possible_banks, TPM2_MAX_PCR_BANKS);
rc = -ENOMEM;
goto out;
}
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -26,7 +26,9 @@
#include <crypto/aes.h>
#define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
-#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
+
+#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
+#define TPM2_MAX_PCR_BANKS 8
struct tpm_chip;
struct trusted_key_payload;
@@ -68,7 +70,7 @@ enum tpm2_curves {
struct tpm_digest {
u16 alg_id;
- u8 digest[TPM_MAX_DIGEST_SIZE];
+ u8 digest[TPM2_MAX_DIGEST_SIZE];
} __packed;
struct tpm_bank_info {
@@ -188,7 +190,7 @@ struct tpm_chip {
unsigned int groups_cnt;
u32 nr_allocated_banks;
- struct tpm_bank_info *allocated_banks;
+ struct tpm_bank_info allocated_banks[TPM2_MAX_PCR_BANKS];
#ifdef CONFIG_ACPI
acpi_handle acpi_dev_handle;
char ppi_version[TPM_PPI_VERSION_LEN + 1];
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 167/567] ext4: fix string copying in parse_apply_sb_mount_options()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 166/567] tpm: Cap the number of PCR banks Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 168/567] ext4: xattr: fix null pointer deref in ext4_raw_inode() Greg Kroah-Hartman
` (413 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Baokun Li, Jan Kara,
Theodore Tso
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
commit ee5a977b4e771cc181f39d504426dbd31ed701cc upstream.
strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term
string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce
memtostr() and memtostr_pad()") provides additional information in that
regard. So if this happens, the following warning is observed:
strnlen: detected buffer overflow: 65 byte read of buffer size 64
WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Modules linked in:
CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Call Trace:
<TASK>
__fortify_panic+0x1f/0x30 lib/string_helpers.c:1039
strnlen include/linux/fortify-string.h:235 [inline]
sized_strscpy include/linux/fortify-string.h:309 [inline]
parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]
__ext4_fill_super fs/ext4/super.c:5261 [inline]
ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706
get_tree_bdev_flags+0x387/0x620 fs/super.c:1636
vfs_get_tree+0x93/0x380 fs/super.c:1814
do_new_mount fs/namespace.c:3553 [inline]
path_mount+0x6ae/0x1f70 fs/namespace.c:3880
do_mount fs/namespace.c:3893 [inline]
__do_sys_mount fs/namespace.c:4103 [inline]
__se_sys_mount fs/namespace.c:4080 [inline]
__x64_sys_mount+0x280/0x300 fs/namespace.c:4080
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Since userspace is expected to provide s_mount_opts field to be at most 63
characters long with the ending byte being NUL-term, use a 64-byte buffer
which matches the size of s_mount_opts, so that strscpy_pad() does its job
properly. Return with error if the user still managed to provide a
non-NUL-term string here.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 8ecb790ea8c3 ("ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251101160430.222297-1-pchelkin@ispras.ru>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2493,7 +2493,7 @@ static int parse_apply_sb_mount_options(
struct ext4_fs_context *m_ctx)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
- char s_mount_opts[65];
+ char s_mount_opts[64];
struct ext4_fs_context *s_ctx = NULL;
struct fs_context *fc = NULL;
int ret = -ENOMEM;
@@ -2501,7 +2501,8 @@ static int parse_apply_sb_mount_options(
if (!sbi->s_es->s_mount_opts[0])
return 0;
- strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts);
+ if (strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts) < 0)
+ return -E2BIG;
fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL);
if (!fc)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 168/567] ext4: xattr: fix null pointer deref in ext4_raw_inode()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 167/567] ext4: fix string copying in parse_apply_sb_mount_options() Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 169/567] ext4: clear i_state_flags when alloc inode Greg Kroah-Hartman
` (412 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Karina Yankevich,
Sergey Shtylyov, Baokun Li, Theodore Tso
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karina Yankevich <k.yankevich@omp.ru>
commit b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 upstream.
If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),
iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()
lacks error checking, this will lead to a null pointer dereference
in ext4_raw_inode(), called right after ext4_get_inode_loc().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c8e008b60492 ("ext4: ignore xattrs past end")
Cc: stable@kernel.org
Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Message-ID: <20251022093253.3546296-1-k.yankevich@omp.ru>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1174,7 +1174,11 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
if (block_csum)
end = (void *)bh->b_data + bh->b_size;
else {
- ext4_get_inode_loc(parent, &iloc);
+ err = ext4_get_inode_loc(parent, &iloc);
+ if (err) {
+ EXT4_ERROR_INODE(parent, "parent inode loc (error %d)", err);
+ return;
+ }
end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 169/567] ext4: clear i_state_flags when alloc inode
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 168/567] ext4: xattr: fix null pointer deref in ext4_raw_inode() Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 170/567] ext4: fix incorrect group number assertion in mb_check_buddy Greg Kroah-Hartman
` (411 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haibo Chen, Baokun Li, Zhang Yi,
Jan Kara, Theodore Tso, stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
commit 4091c8206cfd2e3bb529ef260887296b90d9b6a2 upstream.
i_state_flags used on 32-bit archs, need to clear this flag when
alloc inode.
Find this issue when umount ext4, sometimes track the inode as orphan
accidently, cause ext4 mesg dump.
Fixes: acf943e9768e ("ext4: fix checks for orphan inodes")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251104-ext4-v1-1-73691a0800f9@nxp.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ialloc.c | 1 -
fs/ext4/inode.c | 1 -
fs/ext4/super.c | 1 +
3 files changed, 1 insertion(+), 2 deletions(-)
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -1292,7 +1292,6 @@ got:
sizeof(gen));
}
- ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */
ext4_set_inode_state(inode, EXT4_STATE_NEW);
ei->i_extra_isize = sbi->s_want_extra_isize;
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4878,7 +4878,6 @@ struct inode *__ext4_iget(struct super_b
ei->i_projid = make_kprojid(&init_user_ns, i_projid);
set_nlink(inode, le16_to_cpu(raw_inode->i_links_count));
- ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */
ei->i_inline_off = 0;
ei->i_dir_start_lookup = 0;
ei->i_dtime = le32_to_cpu(raw_inode->i_dtime);
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1418,6 +1418,7 @@ static struct inode *ext4_alloc_inode(st
inode_set_iversion(&ei->vfs_inode, 1);
ei->i_flags = 0;
+ ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */
spin_lock_init(&ei->i_raw_lock);
ei->i_prealloc_node = RB_ROOT;
atomic_set(&ei->i_prealloc_active, 0);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 170/567] ext4: fix incorrect group number assertion in mb_check_buddy
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 169/567] ext4: clear i_state_flags when alloc inode Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 171/567] ext4: align max orphan file size with e2fsprogs limit Greg Kroah-Hartman
` (410 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongjian Sun, Baokun Li, Jan Kara,
Theodore Tso, stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongjian Sun <sunyongjian1@huawei.com>
commit 3f7a79d05c692c7cfec70bf104b1b3c3d0ce6247 upstream.
When the MB_CHECK_ASSERT macro is enabled, an assertion failure can
occur in __mb_check_buddy when checking preallocated blocks (pa) in
a block group:
Assertion failure in mb_free_blocks() : "groupnr == e4b->bd_group"
This happens when a pa at the very end of a block group (e.g.,
pa_pstart=32765, pa_len=3 in a group of 32768 blocks) becomes
exhausted - its pa_pstart is advanced by pa_len to 32768, which
lies in the next block group. If this exhausted pa (with pa_len == 0)
is still in the bb_prealloc_list during the buddy check, the assertion
incorrectly flags it as belonging to the wrong group. A possible
sequence is as follows:
ext4_mb_new_blocks
ext4_mb_release_context
pa->pa_pstart += EXT4_C2B(sbi, ac->ac_b_ex.fe_len)
pa->pa_len -= ac->ac_b_ex.fe_len
__mb_check_buddy
for each pa in group
ext4_get_group_no_and_offset
MB_CHECK_ASSERT(groupnr == e4b->bd_group)
To fix this, we modify the check to skip block group validation for
exhausted preallocations (where pa_len == 0). Such entries are in a
transitional state and will be removed from the list soon, so they
should not trigger an assertion. This change prevents the false
positive while maintaining the integrity of the checks for active
allocations.
Fixes: c9de560ded61f ("ext4: Add multi block allocator for ext4")
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251106060614.631382-2-sunyongjian@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -778,6 +778,8 @@ static void __mb_check_buddy(struct ext4
ext4_group_t groupnr;
struct ext4_prealloc_space *pa;
pa = list_entry(cur, struct ext4_prealloc_space, pa_group_list);
+ if (!pa->pa_len)
+ continue;
ext4_get_group_no_and_offset(sb, pa->pa_pstart, &groupnr, &k);
MB_CHECK_ASSERT(groupnr == e4b->bd_group);
for (i = 0; i < pa->pa_len; i++)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 171/567] ext4: align max orphan file size with e2fsprogs limit
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 170/567] ext4: fix incorrect group number assertion in mb_check_buddy Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 172/567] jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key Greg Kroah-Hartman
` (409 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 7c11c56eb32eae96893eebafdbe3decadefe88ad upstream.
Kernel commit 0a6ce20c1564 ("ext4: verify orphan file size is not too big")
limits the maximum supported orphan file size to 8 << 20.
However, in e2fsprogs, the orphan file size is set to 32–512 filesystem
blocks when creating a filesystem.
With 64k block size, formatting an ext4 fs >32G gives an orphan file bigger
than the kernel allows, so mount prints an error and fails:
EXT4-fs (vdb): orphan file too big: 8650752
EXT4-fs (vdb): mount failed
To prevent this issue and allow previously created 64KB filesystems to
mount, we updates the maximum allowed orphan file size in the kernel to
512 filesystem blocks.
Fixes: 0a6ce20c1564 ("ext4: verify orphan file size is not too big")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251120134233.2994147-1-libaokun@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/orphan.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/ext4/orphan.c
+++ b/fs/ext4/orphan.c
@@ -8,6 +8,8 @@
#include "ext4.h"
#include "ext4_jbd2.h"
+#define EXT4_MAX_ORPHAN_FILE_BLOCKS 512
+
static int ext4_orphan_file_add(handle_t *handle, struct inode *inode)
{
int i, j, start;
@@ -589,7 +591,7 @@ int ext4_init_orphan_info(struct super_b
* consuming absurd amounts of memory when pinning blocks of orphan
* file in memory.
*/
- if (inode->i_size > 8 << 20) {
+ if (inode->i_size > (EXT4_MAX_ORPHAN_FILE_BLOCKS << inode->i_blkbits)) {
ext4_msg(sb, KERN_ERR, "orphan file too big: %llu",
(unsigned long long)inode->i_size);
ret = -EFSCORRUPTED;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 172/567] jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 171/567] ext4: align max orphan file size with e2fsprogs limit Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 173/567] jbd2: use a weaker annotation in journal handling Greg Kroah-Hartman
` (408 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6e493c165d26d6fcbf72,
Tetsuo Handa, Jan Kara, Theodore Tso, stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit 524c3853831cf4f7e1db579e487c757c3065165c upstream.
syzbot is reporting possibility of deadlock due to sharing lock_class_key
for jbd2_handle across ext4 and ocfs2. But this is a false positive, for
one disk partition can't have two filesystems at the same time.
Reported-by: syzbot+6e493c165d26d6fcbf72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6e493c165d26d6fcbf72
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot+6e493c165d26d6fcbf72@syzkaller.appspotmail.com
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <987110fc-5470-457a-a218-d286a09dd82f@I-love.SAKURA.ne.jp>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 6 ++++--
include/linux/jbd2.h | 6 ++++++
2 files changed, 10 insertions(+), 2 deletions(-)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1526,7 +1526,6 @@ static journal_t *journal_init_common(st
struct block_device *fs_dev,
unsigned long long start, int len, int blocksize)
{
- static struct lock_class_key jbd2_trans_commit_key;
journal_t *journal;
int err;
int n;
@@ -1535,6 +1534,7 @@ static journal_t *journal_init_common(st
if (!journal)
return ERR_PTR(-ENOMEM);
+ lockdep_register_key(&journal->jbd2_trans_commit_key);
journal->j_blocksize = blocksize;
journal->j_dev = bdev;
journal->j_fs_dev = fs_dev;
@@ -1565,7 +1565,7 @@ static journal_t *journal_init_common(st
journal->j_max_batch_time = 15000; /* 15ms */
atomic_set(&journal->j_reserved_credits, 0);
lockdep_init_map(&journal->j_trans_commit_map, "jbd2_handle",
- &jbd2_trans_commit_key, 0);
+ &journal->jbd2_trans_commit_key, 0);
/* The journal is marked for error until we succeed with recovery! */
journal->j_flags = JBD2_ABORT;
@@ -1618,6 +1618,7 @@ err_cleanup:
kfree(journal->j_wbuf);
jbd2_journal_destroy_revoke(journal);
journal_fail_superblock(journal);
+ lockdep_unregister_key(&journal->jbd2_trans_commit_key);
kfree(journal);
return ERR_PTR(err);
}
@@ -2199,6 +2200,7 @@ int jbd2_journal_destroy(journal_t *jour
crypto_free_shash(journal->j_chksum_driver);
kfree(journal->j_fc_wbuf);
kfree(journal->j_wbuf);
+ lockdep_unregister_key(&journal->jbd2_trans_commit_key);
kfree(journal);
return err;
--- a/include/linux/jbd2.h
+++ b/include/linux/jbd2.h
@@ -1268,6 +1268,12 @@ struct journal_s
*/
struct lockdep_map j_trans_commit_map;
#endif
+ /**
+ * @jbd2_trans_commit_key:
+ *
+ * "struct lock_class_key" for @j_trans_commit_map
+ */
+ struct lock_class_key jbd2_trans_commit_key;
/**
* @j_fc_cleanup_callback:
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 173/567] jbd2: use a weaker annotation in journal handling
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 172/567] jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 174/567] media: v4l2-mem2mem: Fix outdated documentation Greg Kroah-Hartman
` (407 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Byungchul Park, Jan Kara, stable,
Theodore Tso
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Byungchul Park <byungchul@sk.com>
commit 40a71b53d5a6d4ea17e4d54b99b2ac03a7f5e783 upstream.
jbd2 journal handling code doesn't want jbd2_might_wait_for_commit()
to be placed between start_this_handle() and stop_this_handle(). So it
marks the region with rwsem_acquire_read() and rwsem_release().
However, the annotation is too strong for that purpose. We don't have
to use more than try lock annotation for that.
rwsem_acquire_read() implies:
1. might be a waiter on contention of the lock.
2. enter to the critical section of the lock.
All we need in here is to act 2, not 1. So trylock version of
annotation is sufficient for that purpose. Now that dept partially
relies on lockdep annotaions, dept interpets rwsem_acquire_read() as a
potential wait and might report a deadlock by the wait.
Replace it with trylock version of annotation.
Signed-off-by: Byungchul Park <byungchul@sk.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Message-ID: <20251024073940.1063-1-byungchul@sk.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/transaction.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -445,7 +445,7 @@ repeat:
read_unlock(&journal->j_state_lock);
current->journal_info = handle;
- rwsem_acquire_read(&journal->j_trans_commit_map, 0, 0, _THIS_IP_);
+ rwsem_acquire_read(&journal->j_trans_commit_map, 0, 1, _THIS_IP_);
jbd2_journal_free_transaction(new_transaction);
/*
* Ensure that no allocations done while the transaction is open are
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 174/567] media: v4l2-mem2mem: Fix outdated documentation
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 173/567] jbd2: use a weaker annotation in journal handling Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 175/567] selftests: mptcp: pm: ensure unknown flags are ignored Greg Kroah-Hartman
` (406 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
commit 082b86919b7a94de01d849021b4da820a6cb89dc upstream.
Commit cbd9463da1b1 ("media: v4l2-mem2mem: Avoid calling .device_run in
v4l2_m2m_job_finish") deferred calls to .device_run() to a work queue to
avoid recursive calls when a job is finished right away from
.device_run(). It failed to update the v4l2_m2m_job_finish()
documentation that still states the function must not be called from
.device_run(). Fix it.
Fixes: cbd9463da1b1 ("media: v4l2-mem2mem: Avoid calling .device_run in v4l2_m2m_job_finish")
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/media/v4l2-mem2mem.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/include/media/v4l2-mem2mem.h
+++ b/include/media/v4l2-mem2mem.h
@@ -192,8 +192,7 @@ void v4l2_m2m_try_schedule(struct v4l2_m
* other instances to take control of the device.
*
* This function has to be called only after &v4l2_m2m_ops->device_run
- * callback has been called on the driver. To prevent recursion, it should
- * not be called directly from the &v4l2_m2m_ops->device_run callback though.
+ * callback has been called on the driver.
*/
void v4l2_m2m_job_finish(struct v4l2_m2m_dev *m2m_dev,
struct v4l2_m2m_ctx *m2m_ctx);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 175/567] selftests: mptcp: pm: ensure unknown flags are ignored
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 174/567] media: v4l2-mem2mem: Fix outdated documentation Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 176/567] mptcp: schedule rtx timer only after pushing data Greg Kroah-Hartman
` (405 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 29f4801e9c8dfd12bdcb33b61a6ac479c7162bd7 upstream.
This validates the previous commit: the userspace can set unknown flags
-- the 7th bit is currently unused -- without errors, but only the
supported ones are printed in the endpoints dumps.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-2-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/pm_netlink.sh | 4 ++++
tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 11 +++++++++++
2 files changed, 15 insertions(+)
--- a/tools/testing/selftests/net/mptcp/pm_netlink.sh
+++ b/tools/testing/selftests/net/mptcp/pm_netlink.sh
@@ -191,6 +191,10 @@ check "show_endpoints" \
flush_endpoint
check "show_endpoints" "" "flush addrs"
+add_endpoint 10.0.1.1 flags unknown
+check "show_endpoints" "$(format_endpoints "1,10.0.1.1")" "ignore unknown flags"
+flush_endpoint
+
set_limits 9 1 2>/dev/null
check "get_limits" "${default_limits}" "rcv addrs above hard limit"
--- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
+++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
@@ -23,6 +23,8 @@
#define IPPROTO_MPTCP 262
#endif
+#define MPTCP_PM_ADDR_FLAG_UNKNOWN _BITUL(7)
+
static void syntax(char *argv[])
{
fprintf(stderr, "%s add|ann|rem|csf|dsf|get|set|del|flush|dump|events|listen|accept [<args>]\n", argv[0]);
@@ -827,6 +829,8 @@ int add_addr(int fd, int pm_family, int
flags |= MPTCP_PM_ADDR_FLAG_BACKUP;
else if (!strcmp(tok, "fullmesh"))
flags |= MPTCP_PM_ADDR_FLAG_FULLMESH;
+ else if (!strcmp(tok, "unknown"))
+ flags |= MPTCP_PM_ADDR_FLAG_UNKNOWN;
else
error(1, errno,
"unknown flag %s", argv[arg]);
@@ -1031,6 +1035,13 @@ static void print_addr(struct rtattr *at
if (flags)
printf(",");
}
+
+ if (flags & MPTCP_PM_ADDR_FLAG_UNKNOWN) {
+ printf("unknown");
+ flags &= ~MPTCP_PM_ADDR_FLAG_UNKNOWN;
+ if (flags)
+ printf(",");
+ }
/* bump unknown flags, if any */
if (flags)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 176/567] mptcp: schedule rtx timer only after pushing data
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 175/567] selftests: mptcp: pm: ensure unknown flags are ignored Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 177/567] mptcp: avoid deadlock on fallback while reinjecting Greg Kroah-Hartman
` (404 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 2ea6190f42d0416a4310e60a7fcb0b49fcbbd4fb upstream.
The MPTCP protocol usually schedule the retransmission timer only
when there is some chances for such retransmissions to happen.
With a notable exception: __mptcp_push_pending() currently schedule
such timer unconditionally, potentially leading to unnecessary rtx
timer expiration.
The issue is present since the blamed commit below but become easily
reproducible after commit 27b0e701d387 ("mptcp: drop bogus optimization
in __mptcp_check_push()")
Fixes: 33d41c9cd74c ("mptcp: more accurate timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-3-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1637,7 +1637,7 @@ void __mptcp_push_pending(struct sock *s
struct mptcp_sendmsg_info info = {
.flags = flags,
};
- bool do_check_data_fin = false;
+ bool copied = false;
int push_count = 1;
while (mptcp_send_head(sk) && (push_count > 0)) {
@@ -1679,7 +1679,7 @@ void __mptcp_push_pending(struct sock *s
push_count--;
continue;
}
- do_check_data_fin = true;
+ copied = true;
}
}
}
@@ -1688,11 +1688,14 @@ void __mptcp_push_pending(struct sock *s
if (ssk)
mptcp_push_release(ssk, &info);
- /* ensure the rtx timer is running */
- if (!mptcp_rtx_timer_pending(sk))
- mptcp_reset_rtx_timer(sk);
- if (do_check_data_fin)
+ /* Avoid scheduling the rtx timer if no data has been pushed; the timer
+ * will be updated on positive acks by __mptcp_cleanup_una().
+ */
+ if (copied) {
+ if (!mptcp_rtx_timer_pending(sk))
+ mptcp_reset_rtx_timer(sk);
mptcp_check_send_data_fin(sk);
+ }
}
static void __mptcp_subflow_push_pending(struct sock *sk, struct sock *ssk, bool first)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 177/567] mptcp: avoid deadlock on fallback while reinjecting
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 176/567] mptcp: schedule rtx timer only after pushing data Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 178/567] usb: usb-storage: Maintain minimal modifications to the bcdDevice range Greg Kroah-Hartman
` (403 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Paolo Abeni,
Matthieu Baerts (NGI0)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit ffb8c27b0539dd90262d1021488e7817fae57c42 upstream.
Jakub reported an MPTCP deadlock at fallback time:
WARNING: possible recursive locking detected
6.18.0-rc7-virtme #1 Not tainted
--------------------------------------------
mptcp_connect/20858 is trying to acquire lock:
ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280
but task is already holding lock:
ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&msk->fallback_lock);
lock(&msk->fallback_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by mptcp_connect/20858:
#0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0
#1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0
#2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
stack backtrace:
CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)
Hardware name: Bochs, BIOS Bochs 01/01/2011
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_deadlock_bug.cold+0xc0/0xcd
validate_chain+0x2ff/0x5f0
__lock_acquire+0x34c/0x740
lock_acquire.part.0+0xbc/0x260
_raw_spin_lock_bh+0x38/0x50
__mptcp_try_fallback+0xd8/0x280
mptcp_sendmsg_frag+0x16c2/0x3050
__mptcp_retrans+0x421/0xaa0
mptcp_release_cb+0x5aa/0xa70
release_sock+0xab/0x1d0
mptcp_sendmsg+0xd5b/0x1bc0
sock_write_iter+0x281/0x4d0
new_sync_write+0x3c5/0x6f0
vfs_write+0x65e/0xbb0
ksys_write+0x17e/0x200
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fa5627cbc5e
Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e
RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005
RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920
R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c
The packet scheduler could attempt a reinjection after receiving an
MP_FAIL and before the infinite map has been transmitted, causing a
deadlock since MPTCP needs to do the reinjection atomically from WRT
fallback.
Address the issue explicitly avoiding the reinjection in the critical
scenario. Note that this is the only fallback critical section that
could potentially send packets and hit the double-lock.
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://netdev-ctrl.bots.linux.dev/logs/vmksft/mptcp-dbg/results/412720/1-mptcp-join-sh/stderr
Fixes: f8a1d9b18c5e ("mptcp: make fallback action and fallback decision atomic")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-4-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2749,10 +2749,13 @@ static void __mptcp_retrans(struct sock
/*
* make the whole retrans decision, xmit, disallow
- * fallback atomic
+ * fallback atomic, note that we can't retrans even
+ * when an infinite fallback is in progress, i.e. new
+ * subflows are disallowed.
*/
spin_lock_bh(&msk->fallback_lock);
- if (__mptcp_check_fallback(msk)) {
+ if (__mptcp_check_fallback(msk) ||
+ !msk->allow_subflows) {
spin_unlock_bh(&msk->fallback_lock);
release_sock(ssk);
goto clear_scheduled;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 178/567] usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 177/567] mptcp: avoid deadlock on fallback while reinjecting Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 179/567] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Greg Kroah-Hartman
` (402 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Changcheng
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Changcheng <chenchangcheng@kylinos.cn>
commit 0831269b5f71594882accfceb02638124f88955d upstream.
We cannot determine which models require the NO_ATA_1X and
IGNORE_RESIDUE quirks aside from the EL-R12 optical drive device.
Fixes: 955a48a5353f ("usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.")
Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
Link: https://patch.msgid.link/20251218012318.15978-1-chenchangcheng@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_uas.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x01
US_FL_NO_ATA_1X),
/* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
-UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309,
+UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x0309,
"Initio Corporation",
"INIC-3069",
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 179/567] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 178/567] usb: usb-storage: Maintain minimal modifications to the bcdDevice range Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 180/567] media: pvrusb2: Fix incorrect variable used in trace message Greg Kroah-Hartman
` (401 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeongjun Park, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit b91e6aafe8d356086cc621bc03e35ba2299e4788 upstream.
rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
check the size of the rlen value. Therefore, if it is set to a value
larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
Therefore, we need to add proper range checking to prevent this vuln.
Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353")
Cc: stable@vger.kernel.org
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/dvb-usb/dtv5100.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/media/usb/dvb-usb/dtv5100.c
+++ b/drivers/media/usb/dvb-usb/dtv5100.c
@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_us
}
index = (addr << 8) + wbuf[0];
+ if (rlen > sizeof(st->data)) {
+ warn("rlen = %x is too big!\n", rlen);
+ return -EINVAL;
+ }
+
memcpy(st->data, rbuf, rlen);
msleep(1); /* avoid I2C errors */
return usb_control_msg(d->udev, pipe, request,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 180/567] media: pvrusb2: Fix incorrect variable used in trace message
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 179/567] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 181/567] phy: broadcom: bcm63xx-usbh: fix section mismatches Greg Kroah-Hartman
` (400 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Colin Ian King, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.i.king@gmail.com>
commit be440980eace19c035a0745fd6b6e42707bc4f49 upstream.
The pvr2_trace message is reporting an error about control read
transfers, however it is using the incorrect variable write_len
instead of read_lean. Fix this by using the correct variable
read_len.
Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
Cc: stable@vger.kernel.org
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -3622,7 +3622,7 @@ static int pvr2_send_request_ex(struct p
pvr2_trace(
PVR2_TRACE_ERROR_LEGS,
"Attempted to execute %d byte control-read transfer (limit=%d)",
- write_len,PVR2_CTL_BUFFSIZE);
+ read_len, PVR2_CTL_BUFFSIZE);
return -EINVAL;
}
if ((!write_len) && (!read_len)) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 181/567] phy: broadcom: bcm63xx-usbh: fix section mismatches
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 180/567] media: pvrusb2: Fix incorrect variable used in trace message Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 182/567] usb: ohci-nxp: fix device leak on probe failure Greg Kroah-Hartman
` (399 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Álvaro Fernández Rojas,
Johan Hovold, Neil Armstrong, Vinod Koul
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 upstream.
Platform drivers can be probed after their init sections have been
discarded (e.g. on probe deferral or manual rebind through sysfs) so the
probe function and match table must not live in init.
Fixes: 783f6d3dcf35 ("phy: bcm63xx-usbh: Add BCM63xx USBH driver")
Cc: stable@vger.kernel.org # 5.9
Cc: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20251017054537.6884-1-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/phy/broadcom/phy-bcm63xx-usbh.c
+++ b/drivers/phy/broadcom/phy-bcm63xx-usbh.c
@@ -375,7 +375,7 @@ static struct phy *bcm63xx_usbh_phy_xlat
return of_phy_simple_xlate(dev, args);
}
-static int __init bcm63xx_usbh_phy_probe(struct platform_device *pdev)
+static int bcm63xx_usbh_phy_probe(struct platform_device *pdev)
{
struct device *dev = &pdev->dev;
struct bcm63xx_usbh_phy *usbh;
@@ -432,7 +432,7 @@ static int __init bcm63xx_usbh_phy_probe
return 0;
}
-static const struct of_device_id bcm63xx_usbh_phy_ids[] __initconst = {
+static const struct of_device_id bcm63xx_usbh_phy_ids[] = {
{ .compatible = "brcm,bcm6318-usbh-phy", .data = &usbh_bcm6318 },
{ .compatible = "brcm,bcm6328-usbh-phy", .data = &usbh_bcm6328 },
{ .compatible = "brcm,bcm6358-usbh-phy", .data = &usbh_bcm6358 },
@@ -443,7 +443,7 @@ static const struct of_device_id bcm63xx
};
MODULE_DEVICE_TABLE(of, bcm63xx_usbh_phy_ids);
-static struct platform_driver bcm63xx_usbh_phy_driver __refdata = {
+static struct platform_driver bcm63xx_usbh_phy_driver = {
.driver = {
.name = "bcm63xx-usbh-phy",
.of_match_table = bcm63xx_usbh_phy_ids,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 182/567] usb: ohci-nxp: fix device leak on probe failure
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 181/567] phy: broadcom: bcm63xx-usbh: fix section mismatches Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 183/567] usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe() Greg Kroah-Hartman
` (398 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Johan Hovold, Alan Stern,
Vladimir Zapolskiy
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b4c61e542faf8c9131d69ecfc3ad6de96d1b2ab8 upstream.
Make sure to drop the reference taken when looking up the PHY I2C device
during probe on probe failure (e.g. probe deferral) and on driver
unbind.
Fixes: 73108aa90cbf ("USB: ohci-nxp: Use isp1301 driver")
Cc: stable@vger.kernel.org # 3.5
Reported-by: Ma Ke <make24@iscas.ac.cn>
Link: https://lore.kernel.org/lkml/20251117013428.21840-1-make24@iscas.ac.cn/
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/ohci-nxp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/host/ohci-nxp.c
+++ b/drivers/usb/host/ohci-nxp.c
@@ -223,6 +223,7 @@ static int ohci_hcd_nxp_probe(struct pla
fail_resource:
usb_put_hcd(hcd);
fail_disable:
+ put_device(&isp1301_i2c_client->dev);
isp1301_i2c_client = NULL;
return ret;
}
@@ -234,6 +235,7 @@ static void ohci_hcd_nxp_remove(struct p
usb_remove_hcd(hcd);
ohci_nxp_stop_hc();
usb_put_hcd(hcd);
+ put_device(&isp1301_i2c_client->dev);
isp1301_i2c_client = NULL;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 183/567] usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 182/567] usb: ohci-nxp: fix device leak on probe failure Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 184/567] USB: lpc32xx_udc: Fix error handling in probe Greg Kroah-Hartman
` (397 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Haoxiang Li, Heikki Krogerus
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 128bb7fab342546352603bde8b49ff54e3af0529 upstream.
In error paths, call typec_altmode_put_plug() to drop the device reference
obtained by typec_altmode_get_plug().
Fixes: 71ba4fe56656 ("usb: typec: altmodes/displayport: add SOP' support")
Cc: stable <stable@kernel.org>
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://patch.msgid.link/20251206070445.190770-1-lihaoxiang@isrc.iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/altmodes/displayport.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -736,12 +736,16 @@ int dp_altmode_probe(struct typec_altmod
if (!(DP_CAP_PIN_ASSIGN_DFP_D(port->vdo) &
DP_CAP_PIN_ASSIGN_UFP_D(alt->vdo)) &&
!(DP_CAP_PIN_ASSIGN_UFP_D(port->vdo) &
- DP_CAP_PIN_ASSIGN_DFP_D(alt->vdo)))
+ DP_CAP_PIN_ASSIGN_DFP_D(alt->vdo))) {
+ typec_altmode_put_plug(plug);
return -ENODEV;
+ }
dp = devm_kzalloc(&alt->dev, sizeof(*dp), GFP_KERNEL);
- if (!dp)
+ if (!dp) {
+ typec_altmode_put_plug(plug);
return -ENOMEM;
+ }
INIT_WORK(&dp->work, dp_altmode_work);
mutex_init(&dp->lock);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 184/567] USB: lpc32xx_udc: Fix error handling in probe
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 183/567] usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe() Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 185/567] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Greg Kroah-Hartman
` (396 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ma Ke
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit c84117912bddd9e5d87e68daf182410c98181407 upstream.
lpc32xx_udc_probe() acquires an i2c_client reference through
isp1301_get_client() but fails to release it in both error handling
paths and the normal removal path. This could result in a reference
count leak for the I2C device, preventing proper cleanup and potentially
leading to resource exhaustion. Add put_device() to release the
reference in the probe failure path and in the remove function.
Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode()
says, 'The user must call put_device(&client->dev) once done with the
i2c client.'
Found by code review.
Cc: stable <stable@kernel.org>
Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://patch.msgid.link/20251215020931.15324-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -3020,7 +3020,7 @@ static int lpc32xx_udc_probe(struct plat
pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
if (retval)
- return retval;
+ goto i2c_fail;
udc->board = &lpc32xx_usbddata;
@@ -3038,28 +3038,32 @@ static int lpc32xx_udc_probe(struct plat
/* Get IRQs */
for (i = 0; i < 4; i++) {
udc->udp_irq[i] = platform_get_irq(pdev, i);
- if (udc->udp_irq[i] < 0)
- return udc->udp_irq[i];
+ if (udc->udp_irq[i] < 0) {
+ retval = udc->udp_irq[i];
+ goto i2c_fail;
+ }
}
udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(udc->udp_baseaddr)) {
dev_err(udc->dev, "IO map failure\n");
- return PTR_ERR(udc->udp_baseaddr);
+ retval = PTR_ERR(udc->udp_baseaddr);
+ goto i2c_fail;
}
/* Get USB device clock */
udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL);
if (IS_ERR(udc->usb_slv_clk)) {
dev_err(udc->dev, "failed to acquire USB device clock\n");
- return PTR_ERR(udc->usb_slv_clk);
+ retval = PTR_ERR(udc->usb_slv_clk);
+ goto i2c_fail;
}
/* Enable USB device clock */
retval = clk_prepare_enable(udc->usb_slv_clk);
if (retval < 0) {
dev_err(udc->dev, "failed to start USB device clock\n");
- return retval;
+ goto i2c_fail;
}
/* Setup deferred workqueue data */
@@ -3161,6 +3165,8 @@ dma_alloc_fail:
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
i2c_fail:
+ if (udc->isp1301_i2c_client)
+ put_device(&udc->isp1301_i2c_client->dev);
clk_disable_unprepare(udc->usb_slv_clk);
dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
@@ -3189,6 +3195,9 @@ static void lpc32xx_udc_remove(struct pl
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
+ if (udc->isp1301_i2c_client)
+ put_device(&udc->isp1301_i2c_client->dev);
+
clk_disable_unprepare(udc->usb_slv_clk);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 185/567] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 184/567] USB: lpc32xx_udc: Fix error handling in probe Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 186/567] usb: phy: isp1301: fix non-OF device reference imbalance Greg Kroah-Hartman
` (395 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Duoming Zhou
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream.
The delayed work item otg_event is initialized in fsl_otg_conf() and
scheduled under two conditions:
1. When a host controller binds to the OTG controller.
2. When the USB ID pin state changes (cable insertion/removal).
A race condition occurs when the device is removed via fsl_otg_remove():
the fsl_otg instance may be freed while the delayed work is still pending
or executing. This leads to use-after-free when the work function
fsl_otg_event() accesses the already freed memory.
The problematic scenario:
(detach thread) | (delayed work)
fsl_otg_remove() |
kfree(fsl_otg_dev) //FREE| fsl_otg_event()
| og = container_of(...) //USE
| og-> //USE
Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
before deallocating the fsl_otg structure. This ensures the delayed work
is properly canceled and completes execution prior to memory deallocation.
This bug was identified through static analysis.
Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/phy/phy-fsl-usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/phy/phy-fsl-usb.c
+++ b/drivers/usb/phy/phy-fsl-usb.c
@@ -987,6 +987,7 @@ static void fsl_otg_remove(struct platfo
{
struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev);
+ disable_delayed_work_sync(&fsl_otg_dev->otg_event);
usb_remove_phy(&fsl_otg_dev->phy);
free_irq(fsl_otg_dev->irq, fsl_otg_dev);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 186/567] usb: phy: isp1301: fix non-OF device reference imbalance
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 185/567] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 187/567] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Greg Kroah-Hartman
` (394 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Johan Hovold,
Vladimir Zapolskiy
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 upstream.
A recent change fixing a device reference leak in a UDC driver
introduced a potential use-after-free in the non-OF case as the
isp1301_get_client() helper only increases the reference count for the
returned I2C device in the OF case.
Increment the reference count also for non-OF so that the caller can
decrement it unconditionally.
Note that this is inherently racy just as using the returned I2C device
is since nothing is preventing the PHY driver from being unbound while
in use.
Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
Cc: stable@vger.kernel.org
Cc: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/phy/phy-isp1301.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/phy/phy-isp1301.c
+++ b/drivers/usb/phy/phy-isp1301.c
@@ -149,7 +149,12 @@ struct i2c_client *isp1301_get_client(st
return client;
/* non-DT: only one ISP1301 chip supported */
- return isp1301_i2c_client;
+ if (isp1301_i2c_client) {
+ get_device(&isp1301_i2c_client->dev);
+ return isp1301_i2c_client;
+ }
+
+ return NULL;
}
EXPORT_SYMBOL_GPL(isp1301_get_client);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 187/567] usb: gadget: lpc32xx_udc: fix clock imbalance in error path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 186/567] usb: phy: isp1301: fix non-OF device reference imbalance Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 188/567] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Greg Kroah-Hartman
` (393 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Johan Hovold,
Vladimir Zapolskiy
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 782be79e4551550d7a82b1957fc0f7347e6d461f upstream.
A recent change fixing a device reference leak introduced a clock
imbalance by reusing an error path so that the clock may be disabled
before having been enabled.
Note that the clock framework allows for passing in NULL clocks so there
is no risk for a NULL pointer dereference.
Also drop the bogus I2C client NULL check added by the offending commit
as the pointer has already been verified to be non-NULL.
Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
Cc: stable@vger.kernel.org
Cc: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/lpc32xx_udc.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -3020,7 +3020,7 @@ static int lpc32xx_udc_probe(struct plat
pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
if (retval)
- goto i2c_fail;
+ goto err_put_client;
udc->board = &lpc32xx_usbddata;
@@ -3040,7 +3040,7 @@ static int lpc32xx_udc_probe(struct plat
udc->udp_irq[i] = platform_get_irq(pdev, i);
if (udc->udp_irq[i] < 0) {
retval = udc->udp_irq[i];
- goto i2c_fail;
+ goto err_put_client;
}
}
@@ -3048,7 +3048,7 @@ static int lpc32xx_udc_probe(struct plat
if (IS_ERR(udc->udp_baseaddr)) {
dev_err(udc->dev, "IO map failure\n");
retval = PTR_ERR(udc->udp_baseaddr);
- goto i2c_fail;
+ goto err_put_client;
}
/* Get USB device clock */
@@ -3056,14 +3056,14 @@ static int lpc32xx_udc_probe(struct plat
if (IS_ERR(udc->usb_slv_clk)) {
dev_err(udc->dev, "failed to acquire USB device clock\n");
retval = PTR_ERR(udc->usb_slv_clk);
- goto i2c_fail;
+ goto err_put_client;
}
/* Enable USB device clock */
retval = clk_prepare_enable(udc->usb_slv_clk);
if (retval < 0) {
dev_err(udc->dev, "failed to start USB device clock\n");
- goto i2c_fail;
+ goto err_put_client;
}
/* Setup deferred workqueue data */
@@ -3165,9 +3165,10 @@ dma_alloc_fail:
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
i2c_fail:
- if (udc->isp1301_i2c_client)
- put_device(&udc->isp1301_i2c_client->dev);
clk_disable_unprepare(udc->usb_slv_clk);
+err_put_client:
+ put_device(&udc->isp1301_i2c_client->dev);
+
dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
return retval;
@@ -3195,10 +3196,9 @@ static void lpc32xx_udc_remove(struct pl
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
- if (udc->isp1301_i2c_client)
- put_device(&udc->isp1301_i2c_client->dev);
-
clk_disable_unprepare(udc->usb_slv_clk);
+
+ put_device(&udc->isp1301_i2c_client->dev);
}
#ifdef CONFIG_PM
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 188/567] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 187/567] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 189/567] usb: dwc3: keep susphy enabled during exit to avoid controller faults Greg Kroah-Hartman
` (392 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Miaoqian Lin, Thinh Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 3b4961313d31e200c9e974bb1536cdea217f78b5 upstream.
When clk_bulk_prepare_enable() fails, the error path jumps to
err_resetc_assert, skipping clk_bulk_put_all() and leaking the
clock references acquired by clk_bulk_get_all().
Add err_clk_put_all label to properly release clock resources
in all error paths.
Found via static analysis and code review.
Fixes: c0c61471ef86 ("usb: dwc3: of-simple: Convert to bulk clk API")
Cc: stable <stable@kernel.org>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20251211064937.2360510-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-of-simple.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/usb/dwc3/dwc3-of-simple.c
+++ b/drivers/usb/dwc3/dwc3-of-simple.c
@@ -70,11 +70,11 @@ static int dwc3_of_simple_probe(struct p
simple->num_clocks = ret;
ret = clk_bulk_prepare_enable(simple->num_clocks, simple->clks);
if (ret)
- goto err_resetc_assert;
+ goto err_clk_put_all;
ret = of_platform_populate(np, NULL, NULL, dev);
if (ret)
- goto err_clk_put;
+ goto err_clk_disable;
pm_runtime_set_active(dev);
pm_runtime_enable(dev);
@@ -82,8 +82,9 @@ static int dwc3_of_simple_probe(struct p
return 0;
-err_clk_put:
+err_clk_disable:
clk_bulk_disable_unprepare(simple->num_clocks, simple->clks);
+err_clk_put_all:
clk_bulk_put_all(simple->num_clocks, simple->clks);
err_resetc_assert:
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 189/567] usb: dwc3: keep susphy enabled during exit to avoid controller faults
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 188/567] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 190/567] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Greg Kroah-Hartman
` (391 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Thinh Nguyen, Udipto Goswami
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
commit e1003aa7ec9eccdde4c926bd64ef42816ad55f25 upstream.
On some platforms, switching USB roles from host to device can trigger
controller faults due to premature PHY power-down. This occurs when the
PHY is disabled too early during teardown, causing synchronization
issues between the PHY and controller.
Keep susphy enabled during dwc3_host_exit() and dwc3_gadget_exit()
ensures the PHY remains in a low-power state capable of handling
required commands during role switch.
Cc: stable <stable@kernel.org>
Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init")
Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20251126054221.120638-1-udipto.goswami@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 2 +-
drivers/usb/dwc3/host.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -4793,7 +4793,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
if (!dwc->gadget)
return;
- dwc3_enable_susphy(dwc, false);
+ dwc3_enable_susphy(dwc, true);
usb_del_gadget(dwc->gadget);
dwc3_gadget_free_endpoints(dwc);
usb_put_gadget(dwc->gadget);
--- a/drivers/usb/dwc3/host.c
+++ b/drivers/usb/dwc3/host.c
@@ -223,7 +223,7 @@ void dwc3_host_exit(struct dwc3 *dwc)
if (dwc->sys_wakeup)
device_init_wakeup(&dwc->xhci->dev, false);
- dwc3_enable_susphy(dwc, false);
+ dwc3_enable_susphy(dwc, true);
platform_device_unregister(dwc->xhci);
dwc->xhci = NULL;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 190/567] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 189/567] usb: dwc3: keep susphy enabled during exit to avoid controller faults Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 191/567] char: applicom: fix NULL pointer dereference in ac_ioctl Greg Kroah-Hartman
` (390 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Haoxiang Li
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 36cc7e09df9e43db21b46519b740145410dd9f4a upstream.
usbhsp_get_pipe() set pipe's flags to IS_USED. In error paths,
usbhsp_put_pipe() is required to clear pipe's flags to prevent
pipe exhaustion.
Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Cc: stable <stable@kernel.org>
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Link: https://patch.msgid.link/20251204132129.109234-1-haoxiang_li2024@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/renesas_usbhs/pipe.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/renesas_usbhs/pipe.c
+++ b/drivers/usb/renesas_usbhs/pipe.c
@@ -713,11 +713,13 @@ struct usbhs_pipe *usbhs_pipe_malloc(str
/* make sure pipe is not busy */
ret = usbhsp_pipe_barrier(pipe);
if (ret < 0) {
+ usbhsp_put_pipe(pipe);
dev_err(dev, "pipe setup failed %d\n", usbhs_pipe_number(pipe));
return NULL;
}
if (usbhsp_setup_pipecfg(pipe, is_host, dir_in, &pipecfg)) {
+ usbhsp_put_pipe(pipe);
dev_err(dev, "can't setup pipe\n");
return NULL;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 191/567] char: applicom: fix NULL pointer dereference in ac_ioctl
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 190/567] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 192/567] intel_th: Fix error handling in intel_th_output_open Greg Kroah-Hartman
` (389 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tianchu Chen, Arnd Bergmann, stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianchu Chen <flynnnchen@tencent.com>
commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream.
Discovered by Atuin - Automated Vulnerability Discovery Engine.
In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.
If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.
Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/applicom.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/char/applicom.c
+++ b/drivers/char/applicom.c
@@ -835,7 +835,10 @@ static long ac_ioctl(struct file *file,
ret = -ENOTTY;
break;
}
- Dummy = readb(apbs[IndexCard].RamIO + VERS);
+
+ if (cmd != 6)
+ Dummy = readb(apbs[IndexCard].RamIO + VERS);
+
kfree(adgl);
mutex_unlock(&ac_mutex);
return ret;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 192/567] intel_th: Fix error handling in intel_th_output_open
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 191/567] char: applicom: fix NULL pointer dereference in ac_ioctl Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 193/567] mei: gsc: add dependency on Xe driver Greg Kroah-Hartman
` (388 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ma Ke
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 6d5925b667e4ed9e77c8278cc215191d29454a3f upstream.
intel_th_output_open() calls bus_find_device_by_devt() which
internally increments the device reference count via get_device(), but
this reference is not properly released in several error paths. When
device driver is unavailable, file operations cannot be obtained, or
the driver's open method fails, the function returns without calling
put_device(), leading to a permanent device reference count leak. This
prevents the device from being properly released and could cause
resource exhaustion over time.
Found by code review.
Cc: stable <stable@kernel.org>
Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://patch.msgid.link/20251112091723.35963-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/intel_th/core.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/drivers/hwtracing/intel_th/core.c
+++ b/drivers/hwtracing/intel_th/core.c
@@ -810,13 +810,17 @@ static int intel_th_output_open(struct i
int err;
dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
- if (!dev || !dev->driver)
- return -ENODEV;
+ if (!dev || !dev->driver) {
+ err = -ENODEV;
+ goto out_no_device;
+ }
thdrv = to_intel_th_driver(dev->driver);
fops = fops_get(thdrv->fops);
- if (!fops)
- return -ENODEV;
+ if (!fops) {
+ err = -ENODEV;
+ goto out_put_device;
+ }
replace_fops(file, fops);
@@ -824,10 +828,16 @@ static int intel_th_output_open(struct i
if (file->f_op->open) {
err = file->f_op->open(inode, file);
- return err;
+ if (err)
+ goto out_put_device;
}
return 0;
+
+out_put_device:
+ put_device(dev);
+out_no_device:
+ return err;
}
static const struct file_operations intel_th_output_fops = {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 193/567] mei: gsc: add dependency on Xe driver
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 192/567] intel_th: Fix error handling in intel_th_output_open Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 194/567] serial: sh-sci: Check that the DMA cookie is valid Greg Kroah-Hartman
` (387 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baoli Zhang, Junxiao Chang,
Alexander Usyskin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junxiao Chang <junxiao.chang@intel.com>
commit 5d92c3b41f0bddfa416130c6e1b424414f3d2acf upstream.
INTEL_MEI_GSC depends on either i915 or Xe
and can be present when either of above is present.
Cc: stable <stable@kernel.org>
Fixes: 87a4c85d3a3e ("drm/xe/gsc: add gsc device support")
Tested-by: Baoli Zhang <baoli.zhang@intel.com>
Signed-off-by: Junxiao Chang <junxiao.chang@intel.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Link: https://patch.msgid.link/20251109153533.3179787-1-alexander.usyskin@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/mei/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/misc/mei/Kconfig
+++ b/drivers/misc/mei/Kconfig
@@ -49,7 +49,7 @@ config INTEL_MEI_TXE
config INTEL_MEI_GSC
tristate "Intel MEI GSC embedded device"
depends on INTEL_MEI_ME
- depends on DRM_I915
+ depends on DRM_I915 || DRM_XE
help
Intel auxiliary driver for GSC devices embedded in Intel graphics devices.
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 194/567] serial: sh-sci: Check that the DMA cookie is valid
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 193/567] mei: gsc: add dependency on Xe driver Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 195/567] cpuidle: governors: teo: Drop misguided target residency check Greg Kroah-Hartman
` (386 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Claudiu Beznea
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit c3ca8a0aac832fe8047608bb2ae2cca314c6d717 upstream.
The driver updates struct sci_port::tx_cookie to zero right before the TX
work is scheduled, or to -EINVAL when DMA is disabled.
dma_async_is_complete(), called through dma_cookie_status() (and possibly
through dmaengine_tx_status()), considers cookies valid only if they have
values greater than or equal to 1.
Passing zero or -EINVAL to dmaengine_tx_status() before any TX DMA
transfer has started leads to an incorrect TX status being reported, as the
cookie is invalid for the DMA subsystem. This may cause long wait times
when the serial device is opened for configuration before any TX activity
has occurred.
Check that the TX cookie is valid before passing it to
dmaengine_tx_status().
Fixes: 7cc0e0a43a91 ("serial: sh-sci: Check if TX data was written to device in .tx_empty()")
Cc: stable <stable@kernel.org>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://patch.msgid.link/20251217135759.402015-1-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/sh-sci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -1761,7 +1761,7 @@ static void sci_dma_check_tx_occurred(st
struct dma_tx_state state;
enum dma_status status;
- if (!s->chan_tx)
+ if (!s->chan_tx || s->cookie_tx <= 0)
return;
status = dmaengine_tx_status(s->chan_tx, s->cookie_tx, &state);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 195/567] cpuidle: governors: teo: Drop misguided target residency check
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 194/567] serial: sh-sci: Check that the DMA cookie is valid Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 196/567] cpufreq: nforce2: fix reference count leak in nforce2 Greg Kroah-Hartman
` (385 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Christian Loehle
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit a03b2011808ab02ccb7ab6b573b013b77fbb5921 upstream.
When the target residency of the current candidate idle state is
greater than the expected time till the closest timer (the sleep
length), it does not matter whether or not the tick has already been
stopped or if it is going to be stopped. The closest timer will
trigger anyway at its due time, so if an idle state with target
residency above the sleep length is selected, energy will be wasted
and there may be excess latency.
Of course, if the closest timer were canceled before it could trigger,
a deeper idle state would be more suitable, but this is not expected
to happen (generally speaking, hrtimers are not expected to be
canceled as a rule).
Accordingly, the teo_state_ok() check done in that case causes energy to
be wasted more often than it allows any energy to be saved (if it allows
any energy to be saved at all), so drop it and let the governor use the
teo_find_shallower_state() return value as the new candidate idle state
index.
Fixes: 21d28cd2fa5f ("cpuidle: teo: Do not call tick_nohz_get_sleep_length() upfront")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Tested-by: Christian Loehle <christian.loehle@arm.com>
Link: https://patch.msgid.link/5955081.DvuYhMxLoT@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpuidle/governors/teo.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/cpuidle/governors/teo.c
+++ b/drivers/cpuidle/governors/teo.c
@@ -462,11 +462,8 @@ static int teo_select(struct cpuidle_dri
* If the closest expected timer is before the target residency of the
* candidate state, a shallower one needs to be found.
*/
- if (drv->states[idx].target_residency_ns > duration_ns) {
- i = teo_find_shallower_state(drv, dev, idx, duration_ns, false);
- if (teo_state_ok(i, drv))
- idx = i;
- }
+ if (drv->states[idx].target_residency_ns > duration_ns)
+ idx = teo_find_shallower_state(drv, dev, idx, duration_ns, false);
/*
* If the selected state's target residency is below the tick length
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 196/567] cpufreq: nforce2: fix reference count leak in nforce2
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 195/567] cpuidle: governors: teo: Drop misguided target residency check Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 197/567] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Greg Kroah-Hartman
` (384 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Viresh Kumar
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 9600156bb99852c216a2128cdf9f114eb67c350f upstream.
There are two reference count leaks in this driver:
1. In nforce2_fsb_read(): pci_get_subsys() increases the reference count
of the PCI device, but pci_dev_put() is never called to release it,
thus leaking the reference.
2. In nforce2_detect_chipset(): pci_get_subsys() gets a reference to the
nforce2_dev which is stored in a global variable, but the reference
is never released when the module is unloaded.
Fix both by:
- Adding pci_dev_put(nforce2_sub5) in nforce2_fsb_read() after reading
the configuration.
- Adding pci_dev_put(nforce2_dev) in nforce2_exit() to release the
global device reference.
Found via static analysis.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq-nforce2.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/cpufreq/cpufreq-nforce2.c
+++ b/drivers/cpufreq/cpufreq-nforce2.c
@@ -145,6 +145,8 @@ static unsigned int nforce2_fsb_read(int
pci_read_config_dword(nforce2_sub5, NFORCE2_BOOTFSB, &fsb);
fsb /= 1000000;
+ pci_dev_put(nforce2_sub5);
+
/* Check if PLL register is already set */
pci_read_config_byte(nforce2_dev, NFORCE2_PLLENABLE, (u8 *)&temp);
@@ -426,6 +428,7 @@ static int __init nforce2_init(void)
static void __exit nforce2_exit(void)
{
cpufreq_unregister_driver(&nforce2_driver);
+ pci_dev_put(nforce2_dev);
}
module_init(nforce2_init);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 197/567] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 196/567] cpufreq: nforce2: fix reference count leak in nforce2 Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 198/567] scsi: aic94xx: fix use-after-free in device removal path Greg Kroah-Hartman
` (383 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
commit b57fbc88715b6d18f379463f48a15b560b087ffe upstream.
This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
The commit being reverted added code to __qla2x00_abort_all_cmds() to
call sp->done() without holding a spinlock. But unlike the older code
below it, this new code failed to check sp->cmd_type and just assumed
TYPE_SRB, which results in a jump to an invalid pointer in target-mode
with TYPE_TGT_CMD:
qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
0000000009f7a79b
qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
0x8002 occurred
qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
ha=0000000058183fda.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1
Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x4d/0x8b
? page_fault_oops+0x91/0x180
? trace_buffer_unlock_commit_regs+0x38/0x1a0
? exc_page_fault+0x391/0x5e0
? asm_exc_page_fault+0x22/0x30
__qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
kthread+0xa8/0xd0
</TASK>
Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
lock") added the spinlock back, because not having the lock caused a
race and a crash. But qla2x00_abort_srb() in the switch below already
checks for qla2x00_chip_is_down() and handles it the same way, so the
code above the switch is now redundant and still buggy in target-mode.
Remove it.
Cc: stable@vger.kernel.org
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/3a8022dc-bcfd-4b01-9f9b-7a9ec61fa2a3@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/qla2xxx/qla_os.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1874,12 +1874,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai
for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) {
sp = req->outstanding_cmds[cnt];
if (sp) {
- if (qla2x00_chip_is_down(vha)) {
- req->outstanding_cmds[cnt] = NULL;
- sp->done(sp, res);
- continue;
- }
-
switch (sp->cmd_type) {
case TYPE_SRB:
qla2x00_abort_srb(qp, sp, res, &flags);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 198/567] scsi: aic94xx: fix use-after-free in device removal path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 197/567] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 199/567] NFSD: use correct reservation type in nfsd4_scsi_fence_client Greg Kroah-Hartman
` (382 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Martin K. Petersen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit f6ab594672d4cba08540919a4e6be2e202b60007 upstream.
The asd_pci_remove() function fails to synchronize with pending tasklets
before freeing the asd_ha structure, leading to a potential
use-after-free vulnerability.
When a device removal is triggered (via hot-unplug or module unload),
race condition can occur.
The fix adds tasklet_kill() before freeing the asd_ha structure,
ensuring all scheduled tasklets complete before cleanup proceeds.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/aic94xx/aic94xx_init.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/scsi/aic94xx/aic94xx_init.c
+++ b/drivers/scsi/aic94xx/aic94xx_init.c
@@ -882,6 +882,9 @@ static void asd_pci_remove(struct pci_de
asd_disable_ints(asd_ha);
+ /* Ensure all scheduled tasklets complete before freeing resources */
+ tasklet_kill(&asd_ha->seq.dl_tasklet);
+
asd_remove_dev_attrs(asd_ha);
/* XXX more here as needed */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 199/567] NFSD: use correct reservation type in nfsd4_scsi_fence_client
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 198/567] scsi: aic94xx: fix use-after-free in device removal path Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 200/567] scsi: target: Reset t_task_cdb pointer in error case Greg Kroah-Hartman
` (381 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dai Ngo, Christoph Hellwig,
Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dai Ngo <dai.ngo@oracle.com>
commit 6f52063db9aabdaabea929b1e998af98c2e8d917 upstream.
The reservation type argument for the pr_preempt call should match the
one used in nfsd4_block_get_device_info_scsi.
Fixes: f99d4fbdae67 ("nfsd: add SCSI layout support")
Cc: stable@vger.kernel.org
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/blocklayout.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfsd/blocklayout.c
+++ b/fs/nfsd/blocklayout.c
@@ -341,7 +341,8 @@ nfsd4_scsi_fence_client(struct nfs4_layo
struct block_device *bdev = file->nf_file->f_path.mnt->mnt_sb->s_bdev;
bdev->bd_disk->fops->pr_ops->pr_preempt(bdev, NFSD_MDS_PR_KEY,
- nfsd4_scsi_pr_key(clp), 0, true);
+ nfsd4_scsi_pr_key(clp),
+ PR_EXCLUSIVE_ACCESS_REG_ONLY, true);
}
const struct nfsd4_layout_ops scsi_layout_ops = {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 200/567] scsi: target: Reset t_task_cdb pointer in error case
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 199/567] NFSD: use correct reservation type in nfsd4_scsi_fence_client Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 201/567] scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow Greg Kroah-Hartman
` (380 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Vatoropin, Mike Christie,
Martin K. Petersen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Vatoropin <a.vatoropin@crpt.ru>
commit 5053eab38a4c4543522d0c320c639c56a8b59908 upstream.
If allocation of cmd->t_task_cdb fails, it remains NULL but is later
dereferenced in the 'err' path.
In case of error, reset NULL t_task_cdb value to point at the default
fixed-size buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference")
Cc: stable@vger.kernel.org
Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Link: https://patch.msgid.link/20251118084014.324940-1-a.vatoropin@crpt.ru
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_transport.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1524,6 +1524,7 @@ target_cmd_init_cdb(struct se_cmd *cmd,
if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) {
cmd->t_task_cdb = kzalloc(scsi_command_size(cdb), gfp);
if (!cmd->t_task_cdb) {
+ cmd->t_task_cdb = &cmd->__t_task_cdb[0];
pr_err("Unable to allocate cmd->t_task_cdb"
" %u > sizeof(cmd->__t_task_cdb): %lu ops\n",
scsi_command_size(cdb),
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 201/567] scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 200/567] scsi: target: Reset t_task_cdb pointer in error case Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 202/567] scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error Greg Kroah-Hartman
` (379 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chandrakanth Patil,
Martin K. Petersen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
commit d373163194982f43b92c552c138c29d9f0b79553 upstream.
The driver was not reading the MAX_REQ_PER_REPLY_QUEUE_LIMIT IOCFacts
flag, so the reply-queue-full handling was never enabled, even on
firmware that supports it. Reading this flag enables the feature and
prevents reply queue overflow.
Fixes: f08b24d82749 ("scsi: mpi3mr: Avoid reply queue full condition")
Cc: stable@vger.kernel.org
Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
Link: https://patch.msgid.link/20251211002929.22071-1-chandrakanth.patil@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/mpi3mr/mpi/mpi30_ioc.h | 1 +
drivers/scsi/mpi3mr/mpi3mr_fw.c | 2 ++
2 files changed, 3 insertions(+)
--- a/drivers/scsi/mpi3mr/mpi/mpi30_ioc.h
+++ b/drivers/scsi/mpi3mr/mpi/mpi30_ioc.h
@@ -160,6 +160,7 @@ struct mpi3_ioc_facts_data {
#define MPI3_IOCFACTS_FLAGS_SIGNED_NVDATA_REQUIRED (0x00010000)
#define MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_MASK (0x0000ff00)
#define MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_SHIFT (8)
+#define MPI3_IOCFACTS_FLAGS_MAX_REQ_PER_REPLY_QUEUE_LIMIT (0x00000040)
#define MPI3_IOCFACTS_FLAGS_INITIAL_PORT_ENABLE_MASK (0x00000030)
#define MPI3_IOCFACTS_FLAGS_INITIAL_PORT_ENABLE_NOT_STARTED (0x00000000)
#define MPI3_IOCFACTS_FLAGS_INITIAL_PORT_ENABLE_IN_PROGRESS (0x00000010)
--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
@@ -3135,6 +3135,8 @@ static void mpi3mr_process_factsdata(str
mrioc->facts.dma_mask = (facts_flags &
MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_MASK) >>
MPI3_IOCFACTS_FLAGS_DMA_ADDRESS_WIDTH_SHIFT;
+ mrioc->facts.max_req_limit = (facts_flags &
+ MPI3_IOCFACTS_FLAGS_MAX_REQ_PER_REPLY_QUEUE_LIMIT);
mrioc->facts.protocol_flags = facts_data->protocol_flags;
mrioc->facts.mpi_version = le32_to_cpu(facts_data->mpi_version.word);
mrioc->facts.max_reqs = le16_to_cpu(facts_data->max_outstanding_requests);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 202/567] scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 201/567] scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 203/567] f2fs: ensure node page reads complete before f2fs_put_super() finishes Greg Kroah-Hartman
` (378 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Seunghwan Baek, Peter Wang,
Martin K. Petersen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seunghwan Baek <sh8267.baek@samsung.com>
commit c9f36f04a8a2725172cdf2b5e32363e4addcb14c upstream.
If UFS resume fails, the event history is updated in ufshcd_resume(), but
there is no code anywhere to record UFS suspend. Therefore, add code to
record UFS suspend error event history.
Fixes: dd11376b9f1b ("scsi: ufs: Split the drivers/scsi/ufs directory")
Cc: stable@vger.kernel.org
Signed-off-by: Seunghwan Baek <sh8267.baek@samsung.com>
Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Link: https://patch.msgid.link/20251210063854.1483899-2-sh8267.baek@samsung.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ufs/core/ufshcd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -10112,7 +10112,7 @@ static int ufshcd_suspend(struct ufs_hba
ret = ufshcd_setup_clocks(hba, false);
if (ret) {
ufshcd_enable_irq(hba);
- return ret;
+ goto out;
}
if (ufshcd_is_clkgating_allowed(hba)) {
hba->clk_gating.state = CLKS_OFF;
@@ -10124,6 +10124,9 @@ static int ufshcd_suspend(struct ufs_hba
/* Put the host controller in low power mode if possible */
ufshcd_hba_vreg_set_lpm(hba);
ufshcd_pm_qos_update(hba, false);
+out:
+ if (ret)
+ ufshcd_update_evt_hist(hba, UFS_EVT_SUSPEND_ERR, (u32)ret);
return ret;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 203/567] f2fs: ensure node page reads complete before f2fs_put_super() finishes
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 202/567] scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 204/567] f2fs: fix to avoid potential deadlock Greg Kroah-Hartman
` (377 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jan Prusakowski, Chao Yu,
Jaegeuk Kim
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Prusakowski <jprusakowski@google.com>
commit 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 upstream.
Xfstests generic/335, generic/336 sometimes crash with the following message:
F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1
------------[ cut here ]------------
kernel BUG at fs/f2fs/super.c:1939!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:f2fs_put_super+0x3b3/0x3c0
Call Trace:
<TASK>
generic_shutdown_super+0x7e/0x190
kill_block_super+0x1a/0x40
kill_f2fs_super+0x9d/0x190
deactivate_locked_super+0x30/0xb0
cleanup_mnt+0xba/0x150
task_work_run+0x5c/0xa0
exit_to_user_mode_loop+0xb7/0xc0
do_syscall_64+0x1ae/0x1c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
---[ end trace 0000000000000000 ]---
It appears that sometimes it is possible that f2fs_put_super() is called before
all node page reads are completed.
Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.
Cc: stable@kernel.org
Fixes: 20872584b8c0b ("f2fs: fix to drop all dirty meta/node pages during umount()")
Signed-off-by: Jan Prusakowski <jprusakowski@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1654,14 +1654,6 @@ static void f2fs_put_super(struct super_
truncate_inode_pages_final(META_MAPPING(sbi));
}
- for (i = 0; i < NR_COUNT_TYPE; i++) {
- if (!get_pages(sbi, i))
- continue;
- f2fs_err(sbi, "detect filesystem reference count leak during "
- "umount, type: %d, count: %lld", i, get_pages(sbi, i));
- f2fs_bug_on(sbi, 1);
- }
-
f2fs_bug_on(sbi, sbi->fsync_node_num);
f2fs_destroy_compress_inode(sbi);
@@ -1672,6 +1664,15 @@ static void f2fs_put_super(struct super_
iput(sbi->meta_inode);
sbi->meta_inode = NULL;
+ /* Should check the page counts after dropping all node/meta pages */
+ for (i = 0; i < NR_COUNT_TYPE; i++) {
+ if (!get_pages(sbi, i))
+ continue;
+ f2fs_err(sbi, "detect filesystem reference count leak during "
+ "umount, type: %d, count: %lld", i, get_pages(sbi, i));
+ f2fs_bug_on(sbi, 1);
+ }
+
/*
* iput() can update stat information, if f2fs_write_checkpoint()
* above failed with error.
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 204/567] f2fs: fix to avoid potential deadlock
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 203/567] f2fs: ensure node page reads complete before f2fs_put_super() finishes Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 205/567] f2fs: fix to avoid updating zero-sized extent in extent cache Greg Kroah-Hartman
` (376 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+14b90e1156b9f6fc1266,
Jiaming Zhang, Chao Yu, Jaegeuk Kim
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit ca8b201f28547e28343a6f00a6e91fa8c09572fe upstream.
As Jiaming Zhang and syzbot reported, there is potential deadlock in
f2fs as below:
Chain exists of:
&sbi->cp_rwsem --> fs_reclaim --> sb_internal#2
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(sb_internal#2);
lock(fs_reclaim);
lock(sb_internal#2);
rlock(&sbi->cp_rwsem);
*** DEADLOCK ***
3 locks held by kswapd0/73:
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197
#2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890
stack backtrace:
CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537
f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]
f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]
f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791
f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867
f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925
f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897
evict+0x504/0x9c0 fs/inode.c:810
f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853
evict+0x504/0x9c0 fs/inode.c:810
dispose_list fs/inode.c:852 [inline]
prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000
super_cache_scan+0x39b/0x4b0 fs/super.c:224
do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437
shrink_slab_memcg mm/shrinker.c:550 [inline]
shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628
shrink_one+0x28a/0x7c0 mm/vmscan.c:4955
shrink_many mm/vmscan.c:5016 [inline]
lru_gen_shrink_node mm/vmscan.c:5094 [inline]
shrink_node+0x315d/0x3780 mm/vmscan.c:6081
kswapd_shrink_node mm/vmscan.c:6941 [inline]
balance_pgdat mm/vmscan.c:7124 [inline]
kswapd+0x147c/0x2800 mm/vmscan.c:7389
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The root cause is deadlock among four locks as below:
kswapd
- fs_reclaim --- Lock A
- shrink_one
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- iput
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- f2fs_truncate
- f2fs_truncate_blocks
- f2fs_do_truncate_blocks
- f2fs_lock_op --- Lock C
ioctl
- f2fs_ioc_commit_atomic_write
- f2fs_lock_op --- Lock C
- __f2fs_commit_atomic_write
- __replace_atomic_write_block
- f2fs_get_dnode_of_data
- __get_node_folio
- f2fs_check_nid_range
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
open
- do_open
- do_truncate
- security_inode_need_killpriv
- f2fs_getxattr
- lookup_all_xattrs
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
- f2fs_commit_super
- read_mapping_folio
- filemap_alloc_folio_noprof
- prepare_alloc_pages
- fs_reclaim_acquire --- Lock A
In order to avoid such deadlock, we need to avoid grabbing sb_lock in
f2fs_handle_error(), so, let's use asynchronous method instead:
- remove f2fs_handle_error() implementation
- rename f2fs_handle_error_async() to f2fs_handle_error()
- spread f2fs_handle_error()
Fixes: 95fa90c9e5a7 ("f2fs: support recording errors into superblock")
Cc: stable@kernel.org
Reported-by: syzbot+14b90e1156b9f6fc1266@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/68eae49b.050a0220.ac43.0001.GAE@google.com
Reported-by: Jiaming Zhang <r772577952@gmail.com>
Closes: https://lore.kernel.org/lkml/CANypQFa-Gy9sD-N35o3PC+FystOWkNuN8pv6S75HLT0ga-Tzgw@mail.gmail.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/compress.c | 5 +----
fs/f2fs/f2fs.h | 1 -
fs/f2fs/super.c | 41 -----------------------------------------
3 files changed, 1 insertion(+), 46 deletions(-)
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -757,10 +757,7 @@ void f2fs_decompress_cluster(struct deco
ret = -EFSCORRUPTED;
/* Avoid f2fs_commit_super in irq context */
- if (!in_task)
- f2fs_handle_error_async(sbi, ERROR_FAIL_DECOMPRESSION);
- else
- f2fs_handle_error(sbi, ERROR_FAIL_DECOMPRESSION);
+ f2fs_handle_error(sbi, ERROR_FAIL_DECOMPRESSION);
goto out_release;
}
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -3694,7 +3694,6 @@ void f2fs_quota_off_umount(struct super_
void f2fs_save_errors(struct f2fs_sb_info *sbi, unsigned char flag);
void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason);
void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error);
-void f2fs_handle_error_async(struct f2fs_sb_info *sbi, unsigned char error);
int f2fs_commit_super(struct f2fs_sb_info *sbi, bool recover);
int f2fs_sync_fs(struct super_block *sb, int sync);
int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi);
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4143,50 +4143,9 @@ void f2fs_save_errors(struct f2fs_sb_inf
spin_unlock_irqrestore(&sbi->error_lock, flags);
}
-static bool f2fs_update_errors(struct f2fs_sb_info *sbi)
-{
- unsigned long flags;
- bool need_update = false;
-
- spin_lock_irqsave(&sbi->error_lock, flags);
- if (sbi->error_dirty) {
- memcpy(F2FS_RAW_SUPER(sbi)->s_errors, sbi->errors,
- MAX_F2FS_ERRORS);
- sbi->error_dirty = false;
- need_update = true;
- }
- spin_unlock_irqrestore(&sbi->error_lock, flags);
-
- return need_update;
-}
-
-static void f2fs_record_errors(struct f2fs_sb_info *sbi, unsigned char error)
-{
- int err;
-
- f2fs_down_write(&sbi->sb_lock);
-
- if (!f2fs_update_errors(sbi))
- goto out_unlock;
-
- err = f2fs_commit_super(sbi, false);
- if (err)
- f2fs_err_ratelimited(sbi,
- "f2fs_commit_super fails to record errors:%u, err:%d",
- error, err);
-out_unlock:
- f2fs_up_write(&sbi->sb_lock);
-}
-
void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error)
{
f2fs_save_errors(sbi, error);
- f2fs_record_errors(sbi, error);
-}
-
-void f2fs_handle_error_async(struct f2fs_sb_info *sbi, unsigned char error)
-{
- f2fs_save_errors(sbi, error);
if (!sbi->error_dirty)
return;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 205/567] f2fs: fix to avoid updating zero-sized extent in extent cache
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 204/567] f2fs: fix to avoid potential deadlock Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 206/567] f2fs: invalidate dentry cache on failed whiteout creation Greg Kroah-Hartman
` (375 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+24124df3170c3638b35f,
Chao Yu, Jaegeuk Kim
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit 7c37c79510329cd951a4dedf3f7bf7e2b18dccec upstream.
As syzbot reported:
F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]
------------[ cut here ]------------
kernel BUG at fs/f2fs/extent_cache.c:678!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678
Call Trace:
<TASK>
f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085
f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]
f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737
f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030
vfs_fallocate+0x669/0x7e0 fs/open.c:342
ioctl_preallocate fs/ioctl.c:289 [inline]
file_ioctl+0x611/0x780 fs/ioctl.c:-1
do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576
__do_sys_ioctl fs/ioctl.c:595 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07bc58eec9
In error path of f2fs_zero_range(), it may add a zero-sized extent
into extent cache, it should be avoided.
Fixes: 6e9619499f53 ("f2fs: support in batch fzero in dnode page")
Cc: stable@kernel.org
Reported-by: syzbot+24124df3170c3638b35f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/68e5d698.050a0220.256323.0032.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/file.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1594,8 +1594,11 @@ static int f2fs_do_zero_range(struct dno
f2fs_set_data_blkaddr(dn, NEW_ADDR);
}
- f2fs_update_read_extent_cache_range(dn, start, 0, index - start);
- f2fs_update_age_extent_cache_range(dn, start, index - start);
+ if (index > start) {
+ f2fs_update_read_extent_cache_range(dn, start, 0,
+ index - start);
+ f2fs_update_age_extent_cache_range(dn, start, index - start);
+ }
return ret;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 206/567] f2fs: invalidate dentry cache on failed whiteout creation
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 205/567] f2fs: fix to avoid updating zero-sized extent in extent cache Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 207/567] f2fs: fix age extent cache insertion skip on counter overflow Greg Kroah-Hartman
` (374 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+632cf32276a9a564188d, Chao Yu,
Deepanshu Kartikey, Jaegeuk Kim
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit d33f89b34aa313f50f9a512d58dd288999f246b0 upstream.
F2FS can mount filesystems with corrupted directory depth values that
get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
operations are performed on such directories, f2fs_rename performs
directory modifications (updating target entry and deleting source
entry) before attempting to add the whiteout entry via f2fs_add_link.
If f2fs_add_link fails due to the corrupted directory structure, the
function returns an error to VFS, but the partial directory
modifications have already been committed to disk. VFS assumes the
entire rename operation failed and does not update the dentry cache,
leaving stale mappings.
In the error path, VFS does not call d_move() to update the dentry
cache. This results in new_dentry still pointing to the old inode
(new_inode) which has already had its i_nlink decremented to zero.
The stale cache causes subsequent operations to incorrectly reference
the freed inode.
This causes subsequent operations to use cached dentry information that
no longer matches the on-disk state. When a second rename targets the
same entry, VFS attempts to decrement i_nlink on the stale inode, which
may already have i_nlink=0, triggering a WARNING in drop_nlink().
Example sequence:
1. First rename (RENAME_WHITEOUT): file2 → file1
- f2fs updates file1 entry on disk (points to inode 8)
- f2fs deletes file2 entry on disk
- f2fs_add_link(whiteout) fails (corrupted directory)
- Returns error to VFS
- VFS does not call d_move() due to error
- VFS cache still has: file1 → inode 7 (stale!)
- inode 7 has i_nlink=0 (already decremented)
2. Second rename: file3 → file1
- VFS uses stale cache: file1 → inode 7
- Tries to drop_nlink on inode 7 (i_nlink already 0)
- WARNING in drop_nlink()
Fix this by explicitly invalidating old_dentry and new_dentry when
f2fs_add_link fails during whiteout creation. This forces VFS to
refresh from disk on subsequent operations, ensuring cache consistency
even when the rename partially succeeds.
Reproducer:
1. Mount F2FS image with corrupted i_current_depth
2. renameat2(file2, file1, RENAME_WHITEOUT)
3. renameat2(file3, file1, 0)
4. System triggers WARNING in drop_nlink()
Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT")
Reported-by: syzbot+632cf32276a9a564188d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=632cf32276a9a564188d
Suggested-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/all/20251022233349.102728-1-kartikey406@gmail.com/ [v1]
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/namei.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -1044,9 +1044,11 @@ static int f2fs_rename(struct mnt_idmap
if (whiteout) {
set_inode_flag(whiteout, FI_INC_LINK);
err = f2fs_add_link(old_dentry, whiteout);
- if (err)
+ if (err) {
+ d_invalidate(old_dentry);
+ d_invalidate(new_dentry);
goto put_out_dir;
-
+ }
spin_lock(&whiteout->i_lock);
whiteout->i_state &= ~I_LINKABLE;
spin_unlock(&whiteout->i_lock);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 207/567] f2fs: fix age extent cache insertion skip on counter overflow
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 206/567] f2fs: invalidate dentry cache on failed whiteout creation Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 208/567] f2fs: fix uninitialized one_time_gc in victim_sel_policy Greg Kroah-Hartman
` (373 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Xiaole He, Chao Yu,
Jaegeuk Kim
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaole He <hexiaole1994@126.com>
commit 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 upstream.
The age extent cache uses last_blocks (derived from
allocated_data_blocks) to determine data age. However, there's a
conflict between the deletion
marker (last_blocks=0) and legitimate last_blocks=0 cases when
allocated_data_blocks overflows to 0 after reaching ULLONG_MAX.
In this case, valid extents are incorrectly skipped due to the
"if (!tei->last_blocks)" check in __update_extent_tree_range().
This patch fixes the issue by:
1. Reserving ULLONG_MAX as an invalid/deletion marker
2. Limiting allocated_data_blocks to range [0, ULLONG_MAX-1]
3. Using F2FS_EXTENT_AGE_INVALID for deletion scenarios
4. Adjusting overflow age calculation from ULLONG_MAX to (ULLONG_MAX-1)
Reproducer (using a patched kernel with allocated_data_blocks
initialized to ULLONG_MAX - 3 for quick testing):
Step 1: Mount and check initial state
# dd if=/dev/zero of=/tmp/test.img bs=1M count=100
# mkfs.f2fs -f /tmp/test.img
# mkdir -p /mnt/f2fs_test
# mount -t f2fs -o loop,age_extent_cache /tmp/test.img /mnt/f2fs_test
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 18446744073709551612 # ULLONG_MAX - 3
Inner Struct Count: tree: 1(0), node: 0
Step 2: Create files and write data to trigger overflow
# touch /mnt/f2fs_test/{1,2,3,4}.txt; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 18446744073709551613 # ULLONG_MAX - 2
Inner Struct Count: tree: 5(0), node: 1
# dd if=/dev/urandom of=/mnt/f2fs_test/1.txt bs=4K count=1; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 18446744073709551614 # ULLONG_MAX - 1
Inner Struct Count: tree: 5(0), node: 2
# dd if=/dev/urandom of=/mnt/f2fs_test/2.txt bs=4K count=1; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 18446744073709551615 # ULLONG_MAX
Inner Struct Count: tree: 5(0), node: 3
# dd if=/dev/urandom of=/mnt/f2fs_test/3.txt bs=4K count=1; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 0 # Counter overflowed!
Inner Struct Count: tree: 5(0), node: 4
Step 3: Trigger the bug - next write should create node but gets skipped
# dd if=/dev/urandom of=/mnt/f2fs_test/4.txt bs=4K count=1; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 1
Inner Struct Count: tree: 5(0), node: 4
Expected: node: 5 (new extent node for 4.txt)
Actual: node: 4 (extent insertion was incorrectly skipped due to
last_blocks = allocated_data_blocks = 0 in __get_new_block_age)
After this fix, the extent node is correctly inserted and node count
becomes 5 as expected.
Fixes: 71644dff4811 ("f2fs: add block_age-based extent cache")
Cc: stable@kernel.org
Signed-off-by: Xiaole He <hexiaole1994@126.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/extent_cache.c | 5 +++--
fs/f2fs/f2fs.h | 6 ++++++
fs/f2fs/segment.c | 9 +++++++--
3 files changed, 16 insertions(+), 4 deletions(-)
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -756,7 +756,7 @@ static void __update_extent_tree_range(s
}
goto out_read_extent_cache;
update_age_extent_cache:
- if (!tei->last_blocks)
+ if (tei->last_blocks == F2FS_EXTENT_AGE_INVALID)
goto out_read_extent_cache;
__set_extent_info(&ei, fofs, len, 0, false,
@@ -860,7 +860,7 @@ static int __get_new_block_age(struct in
cur_age = cur_blocks - tei.last_blocks;
else
/* allocated_data_blocks overflow */
- cur_age = ULLONG_MAX - tei.last_blocks + cur_blocks;
+ cur_age = (ULLONG_MAX - 1) - tei.last_blocks + cur_blocks;
if (tei.age)
ei->age = __calculate_block_age(sbi, cur_age, tei.age);
@@ -1062,6 +1062,7 @@ void f2fs_update_age_extent_cache_range(
struct extent_info ei = {
.fofs = fofs,
.len = len,
+ .last_blocks = F2FS_EXTENT_AGE_INVALID,
};
if (!__may_extent_tree(dn->inode, EX_BLOCK_AGE))
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -644,6 +644,12 @@ enum extent_type {
NR_EXTENT_CACHES,
};
+/*
+ * Reserved value to mark invalid age extents, hence valid block range
+ * from 0 to ULLONG_MAX-1
+ */
+#define F2FS_EXTENT_AGE_INVALID ULLONG_MAX
+
struct extent_info {
unsigned int fofs; /* start offset in a file */
unsigned int len; /* length of the extent */
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -3746,8 +3746,13 @@ skip_new_segment:
locate_dirty_segment(sbi, GET_SEGNO(sbi, old_blkaddr));
locate_dirty_segment(sbi, GET_SEGNO(sbi, *new_blkaddr));
- if (IS_DATASEG(curseg->seg_type))
- atomic64_inc(&sbi->allocated_data_blocks);
+ if (IS_DATASEG(curseg->seg_type)) {
+ unsigned long long new_val;
+
+ new_val = atomic64_inc_return(&sbi->allocated_data_blocks);
+ if (unlikely(new_val == ULLONG_MAX))
+ atomic64_set(&sbi->allocated_data_blocks, 0);
+ }
up_write(&sit_i->sentry_lock);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 208/567] f2fs: fix uninitialized one_time_gc in victim_sel_policy
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 207/567] f2fs: fix age extent cache insertion skip on counter overflow Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 209/567] f2fs: fix return value of f2fs_recover_fsync_data() Greg Kroah-Hartman
` (372 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Xiaole He, Chao Yu,
Jaegeuk Kim
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaole He <hexiaole1994@126.com>
commit 392711ef18bff524a873b9c239a73148c5432262 upstream.
The one_time_gc field in struct victim_sel_policy is conditionally
initialized but unconditionally read, leading to undefined behavior
that triggers UBSAN warnings.
In f2fs_get_victim() at fs/f2fs/gc.c:774, the victim_sel_policy
structure is declared without initialization:
struct victim_sel_policy p;
The field p.one_time_gc is only assigned when the 'one_time' parameter
is true (line 789):
if (one_time) {
p.one_time_gc = one_time;
...
}
However, this field is unconditionally read in subsequent get_gc_cost()
at line 395:
if (p->one_time_gc && (valid_thresh_ratio < 100) && ...)
When one_time is false, p.one_time_gc contains uninitialized stack
memory. Hence p.one_time_gc is an invalid bool value.
UBSAN detects this invalid bool value:
UBSAN: invalid-load in fs/f2fs/gc.c:395:7
load of value 77 is not a valid value for type '_Bool'
CPU: 3 UID: 0 PID: 1297 Comm: f2fs_gc-252:16 Not tainted 6.18.0-rc3
#5 PREEMPT(voluntary)
Hardware name: OpenStack Foundation OpenStack Nova,
BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x70/0x90
dump_stack+0x14/0x20
__ubsan_handle_load_invalid_value+0xb3/0xf0
? dl_server_update+0x2e/0x40
? update_curr+0x147/0x170
f2fs_get_victim.cold+0x66/0x134 [f2fs]
? sched_balance_newidle+0x2ca/0x470
? finish_task_switch.isra.0+0x8d/0x2a0
f2fs_gc+0x2ba/0x8e0 [f2fs]
? _raw_spin_unlock_irqrestore+0x12/0x40
? __timer_delete_sync+0x80/0xe0
? timer_delete_sync+0x14/0x20
? schedule_timeout+0x82/0x100
gc_thread_func+0x38b/0x860 [f2fs]
? gc_thread_func+0x38b/0x860 [f2fs]
? __pfx_autoremove_wake_function+0x10/0x10
kthread+0x10b/0x220
? __pfx_gc_thread_func+0x10/0x10 [f2fs]
? _raw_spin_unlock_irq+0x12/0x40
? __pfx_kthread+0x10/0x10
ret_from_fork+0x11a/0x160
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
This issue is reliably reproducible with the following steps on a
100GB SSD /dev/vdb:
mkfs.f2fs -f /dev/vdb
mount /dev/vdb /mnt/f2fs_test
fio --name=gc --directory=/mnt/f2fs_test --rw=randwrite \
--bs=4k --size=8G --numjobs=12 --fsync=4 --runtime=10 \
--time_based
echo 1 > /sys/fs/f2fs/vdb/gc_urgent
The uninitialized value causes incorrect GC victim selection, leading
to unpredictable garbage collection behavior.
Fix by zero-initializing the entire victim_sel_policy structure to
ensure all fields have defined values.
Fixes: e791d00bd06c ("f2fs: add valid block ratio not to do excessive GC for one time GC")
Cc: stable@kernel.org
Signed-off-by: Xiaole He <hexiaole1994@126.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/gc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -787,7 +787,7 @@ int f2fs_get_victim(struct f2fs_sb_info
{
struct dirty_seglist_info *dirty_i = DIRTY_I(sbi);
struct sit_info *sm = SIT_I(sbi);
- struct victim_sel_policy p;
+ struct victim_sel_policy p = {0};
unsigned int secno, last_victim;
unsigned int last_segment;
unsigned int nsearched;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 209/567] f2fs: fix return value of f2fs_recover_fsync_data()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 208/567] f2fs: fix uninitialized one_time_gc in victim_sel_policy Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 210/567] tools/testing/nvdimm: Use per-DIMM device handle Greg Kroah-Hartman
` (371 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Chao Yu, Jaegeuk Kim
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit 01fba45deaddcce0d0b01c411435d1acf6feab7b upstream.
With below scripts, it will trigger panic in f2fs:
mkfs.f2fs -f /dev/vdd
mount /dev/vdd /mnt/f2fs
touch /mnt/f2fs/foo
sync
echo 111 >> /mnt/f2fs/foo
f2fs_io fsync /mnt/f2fs/foo
f2fs_io shutdown 2 /mnt/f2fs
umount /mnt/f2fs
mount -o ro,norecovery /dev/vdd /mnt/f2fs
or
mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
F2FS-fs (vdd): Stopped filesystem due to reason: 0
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
Filesystem f2fs get_tree() didn't set fc->root, returned 1
------------[ cut here ]------------
kernel BUG at fs/super.c:1761!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vfs_get_tree.cold+0x18/0x1a
Call Trace:
<TASK>
fc_mount+0x13/0xa0
path_mount+0x34e/0xc50
__x64_sys_mount+0x121/0x150
do_syscall_64+0x84/0x800
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa6cc126cfe
The root cause is we missed to handle error number returned from
f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
ro,disable_roll_forward mount option, result in returning a positive
error number to vfs_get_tree(), fix it.
Cc: stable@kernel.org
Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4776,11 +4776,15 @@ try_onemore:
}
} else {
err = f2fs_recover_fsync_data(sbi, true);
-
- if (!f2fs_readonly(sb) && err > 0) {
- err = -EINVAL;
- f2fs_err(sbi, "Need to recover fsync data");
- goto free_meta;
+ if (err > 0) {
+ if (!f2fs_readonly(sb)) {
+ f2fs_err(sbi, "Need to recover fsync data");
+ err = -EINVAL;
+ goto free_meta;
+ } else {
+ f2fs_info(sbi, "drop all fsynced data");
+ err = 0;
+ }
}
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 210/567] tools/testing/nvdimm: Use per-DIMM device handle
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 209/567] f2fs: fix return value of f2fs_recover_fsync_data() Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 211/567] KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Greg Kroah-Hartman
` (370 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alison Schofield, Ira Weiny,
Dave Jiang
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alison Schofield <alison.schofield@intel.com>
commit f59b701b4674f7955170b54c4167c5590f4714eb upstream.
KASAN reports a global-out-of-bounds access when running these nfit
tests: clear.sh, pmem-errors.sh, pfn-meta-errors.sh, btt-errors.sh,
daxdev-errors.sh, and inject-error.sh.
[] BUG: KASAN: global-out-of-bounds in nfit_test_ctl+0x769f/0x7840 [nfit_test]
[] Read of size 4 at addr ffffffffc03ea01c by task ndctl/1215
[] The buggy address belongs to the variable:
[] handle+0x1c/0x1df4 [nfit_test]
nfit_test_search_spa() uses handle[nvdimm->id] to retrieve a device
handle and triggers a KASAN error when it reads past the end of the
handle array. It should not be indexing the handle array at all.
The correct device handle is stored in per-DIMM test data. Each DIMM
has a struct nfit_mem that embeds a struct acpi_nfit_memdev that
describes the NFIT device handle. Use that device handle here.
Fixes: 10246dc84dfc ("acpi nfit: nfit_test supports translate SPA")
Cc: stable@vger.kernel.org
Signed-off-by: Alison Schofield <alison.schofield@intel.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>> ---
Link: https://patch.msgid.link/20251031234227.1303113-1-alison.schofield@intel.com
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/nvdimm/test/nfit.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/tools/testing/nvdimm/test/nfit.c
+++ b/tools/testing/nvdimm/test/nfit.c
@@ -670,6 +670,7 @@ static int nfit_test_search_spa(struct n
.addr = spa->spa,
.region = NULL,
};
+ struct nfit_mem *nfit_mem;
u64 dpa;
ret = device_for_each_child(&bus->dev, &ctx,
@@ -687,8 +688,12 @@ static int nfit_test_search_spa(struct n
*/
nd_mapping = &nd_region->mapping[nd_region->ndr_mappings - 1];
nvdimm = nd_mapping->nvdimm;
+ nfit_mem = nvdimm_provider_data(nvdimm);
+ if (!nfit_mem)
+ return -EINVAL;
- spa->devices[0].nfit_device_handle = handle[nvdimm->id];
+ spa->devices[0].nfit_device_handle =
+ __to_nfit_memdev(nfit_mem)->device_handle;
spa->num_nvdimms = 1;
spa->devices[0].dpa = dpa;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 211/567] KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 210/567] tools/testing/nvdimm: Use per-DIMM device handle Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 212/567] media: vidtv: initialize local pointers upon transfer of memory ownership Greg Kroah-Hartman
` (369 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko,
Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 9935df5333aa503a18de5071f53762b65c783c4c upstream.
Reject attempts to disable KVM_MEM_GUEST_MEMFD on a memslot that was
initially created with a guest_memfd binding, as KVM doesn't support
toggling KVM_MEM_GUEST_MEMFD on existing memslots. KVM prevents enabling
KVM_MEM_GUEST_MEMFD, but doesn't prevent clearing the flag.
Failure to reject the new memslot results in a use-after-free due to KVM
not unbinding from the guest_memfd instance. Unbinding on a FLAGS_ONLY
change is easy enough, and can/will be done as a hardening measure (in
anticipation of KVM supporting dirty logging on guest_memfd at some point),
but fixing the use-after-free would only address the immediate symptom.
==================================================================
BUG: KASAN: slab-use-after-free in kvm_gmem_release+0x362/0x400 [kvm]
Write of size 8 at addr ffff8881111ae908 by task repro/745
CPU: 7 UID: 1000 PID: 745 Comm: repro Not tainted 6.18.0-rc6-115d5de2eef3-next-kasan #3 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x60
print_report+0xcb/0x5c0
kasan_report+0xb4/0xe0
kvm_gmem_release+0x362/0x400 [kvm]
__fput+0x2fa/0x9d0
task_work_run+0x12c/0x200
do_exit+0x6ae/0x2100
do_group_exit+0xa8/0x230
__x64_sys_exit_group+0x3a/0x50
x64_sys_call+0x737/0x740
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f581f2eac31
</TASK>
Allocated by task 745 on cpu 6 at 9.746971s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_kmalloc+0x77/0x90
kvm_set_memory_region.part.0+0x652/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Freed by task 745 on cpu 6 at 9.747467s:
kasan_save_stack+0x20/0x40
kasan_save_track+0x13/0x50
__kasan_save_free_info+0x37/0x50
__kasan_slab_free+0x3b/0x60
kfree+0xf5/0x440
kvm_set_memslot+0x3c2/0x1160 [kvm]
kvm_set_memory_region.part.0+0x86a/0x1110 [kvm]
kvm_vm_ioctl+0x14b0/0x3290 [kvm]
__x64_sys_ioctl+0x129/0x1a0
do_syscall_64+0x5b/0x900
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Reported-by: Alexander Potapenko <glider@google.com>
Fixes: a7800aa80ea4 ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251202020334.1171351-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
virt/kvm/kvm_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2062,7 +2062,7 @@ int __kvm_set_memory_region(struct kvm *
return -EINVAL;
if ((mem->userspace_addr != old->userspace_addr) ||
(npages != old->npages) ||
- ((mem->flags ^ old->flags) & KVM_MEM_READONLY))
+ ((mem->flags ^ old->flags) & (KVM_MEM_READONLY | KVM_MEM_GUEST_MEMFD)))
return -EINVAL;
if (base_gfn != old->base_gfn)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 212/567] media: vidtv: initialize local pointers upon transfer of memory ownership
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 211/567] KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 213/567] ocfs2: fix kernel BUG in ocfs2_find_victim_chain Greg Kroah-Hartman
` (368 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1d9c0edea5907af239e0,
Jeongjun Park, Daniel Almeida, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit 98aabfe2d79f74613abc2b0b1cef08f97eaf5322 upstream.
vidtv_channel_si_init() creates a temporary list (program, service, event)
and ownership of the memory itself is transferred to the PAT/SDT/EIT
tables through vidtv_psi_pat_program_assign(),
vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
The problem here is that the local pointer where the memory ownership
transfer was completed is not initialized to NULL. This causes the
vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
in the flow that jumps to free_eit, the memory that was freed by
vidtv_psi_*_table_destroy() can be accessed again by
vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
is freed once again.
Therefore, to prevent use-after-free and double-free vulnerability,
local pointers must be initialized to NULL when transferring memory
ownership.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+1d9c0edea5907af239e0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1d9c0edea5907af239e0
Fixes: 3be8037960bc ("media: vidtv: add error checks")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -461,12 +461,15 @@ int vidtv_channel_si_init(struct vidtv_m
/* assemble all programs and assign to PAT */
vidtv_psi_pat_program_assign(m->si.pat, programs);
+ programs = NULL;
/* assemble all services and assign to SDT */
vidtv_psi_sdt_service_assign(m->si.sdt, services);
+ services = NULL;
/* assemble all events and assign to EIT */
vidtv_psi_eit_event_assign(m->si.eit, events);
+ events = NULL;
m->si.pmt_secs = vidtv_psi_pmt_create_sec_for_each_pat_entry(m->si.pat,
m->pcr_pid);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 213/567] ocfs2: fix kernel BUG in ocfs2_find_victim_chain
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 212/567] media: vidtv: initialize local pointers upon transfer of memory ownership Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 214/567] KVM: x86: Dont clear async #PF queue when CR0.PG is disabled (e.g. on #SMI) Greg Kroah-Hartman
` (367 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prithvi Tambewagh,
syzbot+96d38c6e1655c1420a72, Joseph Qi, Mark Fasheh, Joel Becker,
Junxiao Bi, Changwei Ge, Jun Piao, Heming Zhao, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prithvi Tambewagh <activprithvi@gmail.com>
commit 039bef30e320827bac8990c9f29d2a68cd8adb5f upstream.
syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
`cl_next_free_rec` field of the allocation chain list (next free slot in
the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec)
condition in ocfs2_find_victim_chain() and panicking the kernel.
To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),
just before calling ocfs2_find_victim_chain(), the code block in it being
executed when either of the following conditions is true:
1. `cl_next_free_rec` is equal to 0, indicating that there are no free
chains in the allocation chain list
2. `cl_next_free_rec` is greater than `cl_count` (the total number of
chains in the allocation chain list)
Either of them being true is indicative of the fact that there are no
chains left for usage.
This is addressed using ocfs2_error(), which prints
the error log for debugging purposes, rather than panicking the kernel.
Link: https://lkml.kernel.org/r/20251201130711.143900-1-activprithvi@gmail.com
Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
Reported-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=96d38c6e1655c1420a72
Tested-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/suballoc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1992,6 +1992,16 @@ static int ocfs2_claim_suballoc_bits(str
}
cl = (struct ocfs2_chain_list *) &fe->id2.i_chain;
+ if (!le16_to_cpu(cl->cl_next_free_rec) ||
+ le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) {
+ status = ocfs2_error(ac->ac_inode->i_sb,
+ "Chain allocator dinode %llu has invalid next "
+ "free chain record %u, but only %u total\n",
+ (unsigned long long)le64_to_cpu(fe->i_blkno),
+ le16_to_cpu(cl->cl_next_free_rec),
+ le16_to_cpu(cl->cl_count));
+ goto bail;
+ }
victim = ocfs2_find_victim_chain(cl);
ac->ac_chain = victim;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 214/567] KVM: x86: Dont clear async #PF queue when CR0.PG is disabled (e.g. on #SMI)
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 213/567] ocfs2: fix kernel BUG in ocfs2_find_victim_chain Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 215/567] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Greg Kroah-Hartman
` (366 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Levitsky <mlevitsk@redhat.com>
commit ab4e41eb9fabd4607304fa7cfe8ec9c0bd8e1552 upstream.
Fix an interaction between SMM and PV asynchronous #PFs where an #SMI can
cause KVM to drop an async #PF ready event, and thus result in guest tasks
becoming permanently stuck due to the task that encountered the #PF never
being resumed. Specifically, don't clear the completion queue when paging
is disabled, and re-check for completed async #PFs if/when paging is
enabled.
Prior to commit 2635b5c4a0e4 ("KVM: x86: interrupt based APF 'page ready'
event delivery"), flushing the APF queue without notifying the guest of
completed APF requests when paging is disabled was "necessary", in that
delivering a #PF to the guest when paging is disabled would likely confuse
and/or crash the guest. And presumably the original async #PF development
assumed that a guest would only disable paging when there was no intent to
ever re-enable paging.
That assumption fails in several scenarios, most visibly on an emulated
SMI, as entering SMM always disables CR0.PG (i.e. initially runs with
paging disabled). When the SMM handler eventually executes RSM, the
interrupted paging-enabled is restored, and the async #PF event is lost.
Similarly, invoking firmware, e.g. via EFI runtime calls, might require a
transition through paging modes and thus also disable paging with valid
entries in the competion queue.
To avoid dropping completion events, drop the "clear" entirely, and handle
paging-enable transitions in the same way KVM already handles APIC
enable/disable events: if a vCPU's APIC is disabled, APF completion events
are not kept pending and not injected while APIC is disabled. Once a
vCPU's APIC is re-enabled, KVM raises KVM_REQ_APF_READY so that the vCPU
recognizes any pending pending #APF ready events.
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251015033258.50974-4-mlevitsk@redhat.com
[sean: rework changelog to call out #PF injection, drop "real mode"
references, expand the code comment]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1035,6 +1035,13 @@ bool kvm_require_dr(struct kvm_vcpu *vcp
}
EXPORT_SYMBOL_GPL(kvm_require_dr);
+static bool kvm_pv_async_pf_enabled(struct kvm_vcpu *vcpu)
+{
+ u64 mask = KVM_ASYNC_PF_ENABLED | KVM_ASYNC_PF_DELIVERY_AS_INT;
+
+ return (vcpu->arch.apf.msr_en_val & mask) == mask;
+}
+
static inline u64 pdptr_rsvd_bits(struct kvm_vcpu *vcpu)
{
return vcpu->arch.reserved_gpa_bits | rsvd_bits(5, 8) | rsvd_bits(1, 2);
@@ -1127,15 +1134,20 @@ void kvm_post_set_cr0(struct kvm_vcpu *v
}
if ((cr0 ^ old_cr0) & X86_CR0_PG) {
- kvm_clear_async_pf_completion_queue(vcpu);
- kvm_async_pf_hash_reset(vcpu);
-
/*
* Clearing CR0.PG is defined to flush the TLB from the guest's
* perspective.
*/
if (!(cr0 & X86_CR0_PG))
kvm_make_request(KVM_REQ_TLB_FLUSH_GUEST, vcpu);
+ /*
+ * Check for async #PF completion events when enabling paging,
+ * as the vCPU may have previously encountered async #PFs (it's
+ * entirely legal for the guest to toggle paging on/off without
+ * waiting for the async #PF queue to drain).
+ */
+ else if (kvm_pv_async_pf_enabled(vcpu))
+ kvm_make_request(KVM_REQ_APF_READY, vcpu);
}
if ((cr0 ^ old_cr0) & KVM_MMU_CR0_ROLE_BITS)
@@ -3539,13 +3551,6 @@ static int set_msr_mce(struct kvm_vcpu *
return 0;
}
-static inline bool kvm_pv_async_pf_enabled(struct kvm_vcpu *vcpu)
-{
- u64 mask = KVM_ASYNC_PF_ENABLED | KVM_ASYNC_PF_DELIVERY_AS_INT;
-
- return (vcpu->arch.apf.msr_en_val & mask) == mask;
-}
-
static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
{
gpa_t gpa = data & ~0x3f;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 215/567] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 214/567] KVM: x86: Dont clear async #PF queue when CR0.PG is disabled (e.g. on #SMI) Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 216/567] scs: fix a wrong parameter in __scs_magic Greg Kroah-Hartman
` (365 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tzung-Bi Shih
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
commit 944edca81e7aea15f83cf9a13a6ab67f711e8abd upstream.
After unbinding the driver, another kthread `cros_ec_console_log_work`
is still accessing the device, resulting an UAF and crash.
The driver doesn't unregister the EC device in .remove() which should
shutdown sub-devices synchronously. Fix it.
Fixes: 26a14267aff2 ("platform/chrome: Add ChromeOS EC ISHTP driver")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20251031033900.3577394-1-tzungbi@kernel.org
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec_ishtp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/platform/chrome/cros_ec_ishtp.c
+++ b/drivers/platform/chrome/cros_ec_ishtp.c
@@ -671,6 +671,7 @@ static void cros_ec_ishtp_remove(struct
cancel_work_sync(&client_data->work_ishtp_reset);
cancel_work_sync(&client_data->work_ec_evt);
+ cros_ec_unregister(client_data->ec_dev);
cros_ish_deinit(cros_ish_cl);
ishtp_put_device(cl_device);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 216/567] scs: fix a wrong parameter in __scs_magic
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 215/567] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 217/567] parisc: Do not reprogram affinitiy on ASP chip Greg Kroah-Hartman
` (364 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiyuan Xie, Zhichi Lin,
Sami Tolvanen, Will Deacon, Andrey Konovalov, Kees Cook,
Marco Elver, Yee Lee, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhichi Lin <zhichi.lin@vivo.com>
commit 08bd4c46d5e63b78e77f2605283874bbe868ab19 upstream.
__scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is
given. 'task_scs(tsk)' is the starting address of the task's shadow call
stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's
shadow call stack. Here should be '__scs_magic(task_scs(tsk))'.
The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE
is enabled, the shadow call stack usage checking function
(scs_check_usage) would scan an incorrect memory range. This could lead
to:
1. **Inaccurate stack usage reporting**: The function would calculate
wrong usage statistics for the shadow call stack, potentially showing
incorrect value in kmsg.
2. **Potential kernel crash**: If the value of __scs_magic(tsk)is
greater than that of __scs_magic(task_scs(tsk)), the for loop may
access unmapped memory, potentially causing a kernel panic. However,
this scenario is unlikely because task_struct is allocated via the slab
allocator (which typically returns lower addresses), while the shadow
call stack returned by task_scs(tsk) is allocated via vmalloc(which
typically returns higher addresses).
However, since this is purely a debugging feature
(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not
unaffected. The bug only impacts developers and testers who are actively
debugging stack usage with this configuration enabled.
Link: https://lkml.kernel.org/r/20251011082222.12965-1-zhichi.lin@vivo.com
Fixes: 5bbaf9d1fcb9 ("scs: Add support for stack usage debugging")
Signed-off-by: Jiyuan Xie <xiejiyuan@vivo.com>
Signed-off-by: Zhichi Lin <zhichi.lin@vivo.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Will Deacon <will@kernel.org>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Marco Elver <elver@google.com>
Cc: Will Deacon <will@kernel.org>
Cc: Yee Lee <yee.lee@mediatek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/scs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/scs.c
+++ b/kernel/scs.c
@@ -135,7 +135,7 @@ static void scs_check_usage(struct task_
if (!IS_ENABLED(CONFIG_DEBUG_STACK_USAGE))
return;
- for (p = task_scs(tsk); p < __scs_magic(tsk); ++p) {
+ for (p = task_scs(tsk); p < __scs_magic(task_scs(tsk)); ++p) {
if (!READ_ONCE_NOCHECK(*p))
break;
used += sizeof(*p);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 217/567] parisc: Do not reprogram affinitiy on ASP chip
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 216/567] scs: fix a wrong parameter in __scs_magic Greg Kroah-Hartman
@ 2026-01-06 16:59 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 218/567] libceph: make decode_pool() more resilient against corrupted osdmaps Greg Kroah-Hartman
` (363 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 16:59 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit dca7da244349eef4d78527cafc0bf80816b261f5 upstream.
The ASP chip is a very old variant of the GSP chip and is used e.g. in
HP 730 workstations. When trying to reprogram the affinity it will crash
with a HPMC as the relevant registers don't seem to be at the usual
location. Let's avoid the crash by checking the sversion. Also note,
that reprogramming isn't necessary either, as the HP730 is a just a
single-CPU machine.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/parisc/gsc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/parisc/gsc.c
+++ b/drivers/parisc/gsc.c
@@ -154,7 +154,9 @@ static int gsc_set_affinity_irq(struct i
gsc_dev->eim = ((u32) gsc_dev->gsc_irq.txn_addr) | gsc_dev->gsc_irq.txn_data;
/* switch IRQ's for devices below LASI/WAX to other CPU */
- gsc_writel(gsc_dev->eim, gsc_dev->hpa + OFFSET_IAR);
+ /* ASP chip (svers 0x70) does not support reprogramming */
+ if (gsc_dev->gsc->id.sversion != 0x70)
+ gsc_writel(gsc_dev->eim, gsc_dev->hpa + OFFSET_IAR);
irq_data_update_effective_affinity(d, &tmask);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 218/567] libceph: make decode_pool() more resilient against corrupted osdmaps
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-01-06 16:59 ` [PATCH 6.12 217/567] parisc: Do not reprogram affinitiy on ASP chip Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 219/567] powerpc: Add reloc_offset() to font bitmap pointer used for bootx_printf() Greg Kroah-Hartman
` (362 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ziming zhang, Ilya Dryomov, Xiubo Li
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 8c738512714e8c0aa18f8a10c072d5b01c83db39 upstream.
If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.
This patch adds explicit bounds checks for each field that is decoded
or skipped.
Cc: stable@vger.kernel.org
Reported-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Tested-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 118 ++++++++++++++++++++++++------------------------------
1 file changed, 53 insertions(+), 65 deletions(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -806,51 +806,49 @@ static int decode_pool(void **p, void *e
ceph_decode_need(p, end, len, bad);
pool_end = *p + len;
+ ceph_decode_need(p, end, 4 + 4 + 4, bad);
pi->type = ceph_decode_8(p);
pi->size = ceph_decode_8(p);
pi->crush_ruleset = ceph_decode_8(p);
pi->object_hash = ceph_decode_8(p);
-
pi->pg_num = ceph_decode_32(p);
pi->pgp_num = ceph_decode_32(p);
- *p += 4 + 4; /* skip lpg* */
- *p += 4; /* skip last_change */
- *p += 8 + 4; /* skip snap_seq, snap_epoch */
+ /* lpg*, last_change, snap_seq, snap_epoch */
+ ceph_decode_skip_n(p, end, 8 + 4 + 8 + 4, bad);
/* skip snaps */
- num = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, num, bad);
while (num--) {
- *p += 8; /* snapid key */
- *p += 1 + 1; /* versions */
- len = ceph_decode_32(p);
- *p += len;
+ /* snapid key, pool snap (with versions) */
+ ceph_decode_skip_n(p, end, 8 + 2, bad);
+ ceph_decode_skip_string(p, end, bad);
}
- /* skip removed_snaps */
- num = ceph_decode_32(p);
- *p += num * (8 + 8);
+ /* removed_snaps */
+ ceph_decode_skip_map(p, end, 64, 64, bad);
+ ceph_decode_need(p, end, 8 + 8 + 4, bad);
*p += 8; /* skip auid */
pi->flags = ceph_decode_64(p);
*p += 4; /* skip crash_replay_interval */
if (ev >= 7)
- pi->min_size = ceph_decode_8(p);
+ ceph_decode_8_safe(p, end, pi->min_size, bad);
else
pi->min_size = pi->size - pi->size / 2;
if (ev >= 8)
- *p += 8 + 8; /* skip quota_max_* */
+ /* quota_max_* */
+ ceph_decode_skip_n(p, end, 8 + 8, bad);
if (ev >= 9) {
- /* skip tiers */
- num = ceph_decode_32(p);
- *p += num * 8;
+ /* tiers */
+ ceph_decode_skip_set(p, end, 64, bad);
+ ceph_decode_need(p, end, 8 + 1 + 8 + 8, bad);
*p += 8; /* skip tier_of */
*p += 1; /* skip cache_mode */
-
pi->read_tier = ceph_decode_64(p);
pi->write_tier = ceph_decode_64(p);
} else {
@@ -858,86 +856,76 @@ static int decode_pool(void **p, void *e
pi->write_tier = -1;
}
- if (ev >= 10) {
- /* skip properties */
- num = ceph_decode_32(p);
- while (num--) {
- len = ceph_decode_32(p);
- *p += len; /* key */
- len = ceph_decode_32(p);
- *p += len; /* val */
- }
- }
+ if (ev >= 10)
+ /* properties */
+ ceph_decode_skip_map(p, end, string, string, bad);
if (ev >= 11) {
- /* skip hit_set_params */
- *p += 1 + 1; /* versions */
- len = ceph_decode_32(p);
- *p += len;
+ /* hit_set_params (with versions) */
+ ceph_decode_skip_n(p, end, 2, bad);
+ ceph_decode_skip_string(p, end, bad);
- *p += 4; /* skip hit_set_period */
- *p += 4; /* skip hit_set_count */
+ /* hit_set_period, hit_set_count */
+ ceph_decode_skip_n(p, end, 4 + 4, bad);
}
if (ev >= 12)
- *p += 4; /* skip stripe_width */
+ /* stripe_width */
+ ceph_decode_skip_32(p, end, bad);
- if (ev >= 13) {
- *p += 8; /* skip target_max_bytes */
- *p += 8; /* skip target_max_objects */
- *p += 4; /* skip cache_target_dirty_ratio_micro */
- *p += 4; /* skip cache_target_full_ratio_micro */
- *p += 4; /* skip cache_min_flush_age */
- *p += 4; /* skip cache_min_evict_age */
- }
-
- if (ev >= 14) {
- /* skip erasure_code_profile */
- len = ceph_decode_32(p);
- *p += len;
- }
+ if (ev >= 13)
+ /* target_max_*, cache_target_*, cache_min_* */
+ ceph_decode_skip_n(p, end, 16 + 8 + 8, bad);
+
+ if (ev >= 14)
+ /* erasure_code_profile */
+ ceph_decode_skip_string(p, end, bad);
/*
* last_force_op_resend_preluminous, will be overridden if the
* map was encoded with RESEND_ON_SPLIT
*/
if (ev >= 15)
- pi->last_force_request_resend = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, pi->last_force_request_resend, bad);
else
pi->last_force_request_resend = 0;
if (ev >= 16)
- *p += 4; /* skip min_read_recency_for_promote */
+ /* min_read_recency_for_promote */
+ ceph_decode_skip_32(p, end, bad);
if (ev >= 17)
- *p += 8; /* skip expected_num_objects */
+ /* expected_num_objects */
+ ceph_decode_skip_64(p, end, bad);
if (ev >= 19)
- *p += 4; /* skip cache_target_dirty_high_ratio_micro */
+ /* cache_target_dirty_high_ratio_micro */
+ ceph_decode_skip_32(p, end, bad);
if (ev >= 20)
- *p += 4; /* skip min_write_recency_for_promote */
+ /* min_write_recency_for_promote */
+ ceph_decode_skip_32(p, end, bad);
if (ev >= 21)
- *p += 1; /* skip use_gmt_hitset */
+ /* use_gmt_hitset */
+ ceph_decode_skip_8(p, end, bad);
if (ev >= 22)
- *p += 1; /* skip fast_read */
+ /* fast_read */
+ ceph_decode_skip_8(p, end, bad);
- if (ev >= 23) {
- *p += 4; /* skip hit_set_grade_decay_rate */
- *p += 4; /* skip hit_set_search_last_n */
- }
+ if (ev >= 23)
+ /* hit_set_grade_decay_rate, hit_set_search_last_n */
+ ceph_decode_skip_n(p, end, 4 + 4, bad);
if (ev >= 24) {
- /* skip opts */
- *p += 1 + 1; /* versions */
- len = ceph_decode_32(p);
- *p += len;
+ /* opts (with versions) */
+ ceph_decode_skip_n(p, end, 2, bad);
+ ceph_decode_skip_string(p, end, bad);
}
if (ev >= 25)
- pi->last_force_request_resend = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, pi->last_force_request_resend, bad);
/* ignore the rest */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 219/567] powerpc: Add reloc_offset() to font bitmap pointer used for bootx_printf()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 218/567] libceph: make decode_pool() more resilient against corrupted osdmaps Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 220/567] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Greg Kroah-Hartman
` (361 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cedar Maxwell, Stan Johnson,
Christophe Leroy, Finn Thain, Madhavan Srinivasan
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Finn Thain <fthain@linux-m68k.org>
commit b94b73567561642323617155bf4ee24ef0d258fe upstream.
Since Linux v6.7, booting using BootX on an Old World PowerMac produces
an early crash. Stan Johnson writes, "the symptoms are that the screen
goes blank and the backlight stays on, and the system freezes (Linux
doesn't boot)."
Further testing revealed that the failure can be avoided by disabling
CONFIG_BOOTX_TEXT. Bisection revealed that the regression was caused by
a change to the font bitmap pointer that's used when btext_init() begins
painting characters on the display, early in the boot process.
Christophe Leroy explains, "before kernel text is relocated to its final
location ... data is addressed with an offset which is added to the
Global Offset Table (GOT) entries at the start of bootx_init()
by function reloc_got2(). But the pointers that are located inside a
structure are not referenced in the GOT and are therefore not updated by
reloc_got2(). It is therefore needed to apply the offset manually by using
PTRRELOC() macro."
Cc: stable@vger.kernel.org
Link: https://lists.debian.org/debian-powerpc/2025/10/msg00111.html
Link: https://lore.kernel.org/linuxppc-dev/d81ddca8-c5ee-d583-d579-02b19ed95301@yahoo.com/
Reported-by: Cedar Maxwell <cedarmaxwell@mac.com>
Closes: https://lists.debian.org/debian-powerpc/2025/09/msg00031.html
Bisected-by: Stan Johnson <userm57@yahoo.com>
Tested-by: Stan Johnson <userm57@yahoo.com>
Fixes: 0ebc7feae79a ("powerpc: Use shared font data")
Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/22b3b247425a052b079ab84da926706b3702c2c7.1762731022.git.fthain@linux-m68k.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kernel/btext.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/powerpc/kernel/btext.c
+++ b/arch/powerpc/kernel/btext.c
@@ -20,6 +20,7 @@
#include <asm/io.h>
#include <asm/processor.h>
#include <asm/udbg.h>
+#include <asm/setup.h>
#define NO_SCROLL
@@ -463,7 +464,7 @@ static noinline void draw_byte(unsigned
{
unsigned char *base = calc_base(locX << 3, locY << 4);
unsigned int font_index = c * 16;
- const unsigned char *font = font_sun_8x16.data + font_index;
+ const unsigned char *font = PTRRELOC(font_sun_8x16.data) + font_index;
int rb = dispDeviceRowBytes;
rmci_maybe_on();
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 220/567] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 219/567] powerpc: Add reloc_offset() to font bitmap pointer used for bootx_printf() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 221/567] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Greg Kroah-Hartman
` (360 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 0ea9494be9c931ddbc084ad5e11fda91b554cf47 upstream.
WARN and don't restart the hrtimer if KVM's callback runs with the guest's
APIC timer in periodic mode but with a period of '0', as not advancing the
hrtimer's deadline would put the CPU into an infinite loop of hrtimer
events. Observing a period of '0' should be impossible, even when the
hrtimer is running on a different CPU than the vCPU, as KVM is supposed to
cancel the hrtimer before changing (or zeroing) the period, e.g. when
switching from periodic to one-shot.
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251113205114.1647493-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2869,7 +2869,7 @@ static enum hrtimer_restart apic_timer_f
apic_timer_expired(apic, true);
- if (lapic_is_periodic(apic)) {
+ if (lapic_is_periodic(apic) && !WARN_ON_ONCE(!apic->lapic_timer.period)) {
advance_periodic_target_expiration(apic);
hrtimer_add_expires_ns(&ktimer->timer, ktimer->period);
return HRTIMER_RESTART;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 221/567] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 220/567] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 222/567] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer Greg Kroah-Hartman
` (359 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, fuqiang wang, Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: fuqiang wang <fuqiang.wng@gmail.com>
commit 9633f180ce994ab293ce4924a9b7aaf4673aa114 upstream.
When restarting an hrtimer to emulate a the guest's APIC timer in periodic
mode, explicitly set the expiration using the target expiration computed
by advance_periodic_target_expiration() instead of adding the period to
the existing timer. This will allow making adjustments to the expiration,
e.g. to deal with expirations far in the past, without having to implement
the same logic in both advance_periodic_target_expiration() and
apic_timer_fn().
Cc: stable@vger.kernel.org
Signed-off-by: fuqiang wang <fuqiang.wng@gmail.com>
[sean: split to separate patch, write changelog]
Link: https://patch.msgid.link/20251113205114.1647493-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2871,7 +2871,7 @@ static enum hrtimer_restart apic_timer_f
if (lapic_is_periodic(apic) && !WARN_ON_ONCE(!apic->lapic_timer.period)) {
advance_periodic_target_expiration(apic);
- hrtimer_add_expires_ns(&ktimer->timer, ktimer->period);
+ hrtimer_set_expires(&ktimer->timer, ktimer->target_expiration);
return HRTIMER_RESTART;
} else
return HRTIMER_NORESTART;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 222/567] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 221/567] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 223/567] KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE Greg Kroah-Hartman
` (358 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, fuqiang wang, Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: fuqiang wang <fuqiang.wng@gmail.com>
commit 18ab3fc8e880791aa9f7c000261320fc812b5465 upstream.
When advancing the target expiration for the guest's APIC timer in periodic
mode, set the expiration to "now" if the target expiration is in the past
(similar to what is done in update_target_expiration()). Blindly adding
the period to the previous target expiration can result in KVM generating
a practically unbounded number of hrtimer IRQs due to programming an
expired timer over and over. In extreme scenarios, e.g. if userspace
pauses/suspends a VM for an extended duration, this can even cause hard
lockups in the host.
Currently, the bug only affects Intel CPUs when using the hypervisor timer
(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,
a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the
HV timer only runs while the guest is active. As a result, if the vCPU
does not run for an extended duration, there will be a huge gap between
the target expiration and the current time the vCPU resumes running.
Because the target expiration is incremented by only one period on each
timer expiration, this leads to a series of timer expirations occurring
rapidly after the vCPU/VM resumes.
More critically, when the vCPU first triggers a periodic HV timer
expiration after resuming, advancing the expiration by only one period
will result in a target expiration in the past. As a result, the delta
may be calculated as a negative value. When the delta is converted into
an absolute value (tscdeadline is an unsigned u64), the resulting value
can overflow what the HV timer is capable of programming. I.e. the large
value will exceed the VMX Preemption Timer's maximum bit width of
cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the
HV timer to the software timer (hrtimers).
After switching to the software timer, periodic timer expiration callbacks
may be executed consecutively within a single clock interrupt handler,
because hrtimers honors KVM's request for an expiration in the past and
immediately re-invokes KVM's callback after reprogramming. And because
the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer
over and over until the target expiration is advanced to "now" can result
in a hard lockup.
E.g. the following hard lockup was triggered in the host when running a
Windows VM (only relevant because it used the APIC timer in periodic mode)
after resuming the VM from a long suspend (in the host).
NMI watchdog: Watchdog detected hard LOCKUP on cpu 45
...
RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]
...
RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046
RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc
RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500
RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0
R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0
R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8
FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0
PKRU: 55555554
Call Trace:
<IRQ>
apic_timer_fn+0x31/0x50 [kvm]
__hrtimer_run_queues+0x100/0x280
hrtimer_interrupt+0x100/0x210
? ttwu_do_wakeup+0x19/0x160
smp_apic_timer_interrupt+0x6a/0x130
apic_timer_interrupt+0xf/0x20
</IRQ>
Moreover, if the suspend duration of the virtual machine is not long enough
to trigger a hard lockup in this scenario, since commit 98c25ead5eda
("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM
will continue using the software timer until the guest reprograms the APIC
timer in some way. Since the periodic timer does not require frequent APIC
timer register programming, the guest may continue to use the software
timer in perpetuity.
Fixes: d8f2f498d9ed ("x86/kvm: fix LAPIC timer drift when guest uses periodic mode")
Cc: stable@vger.kernel.org
Signed-off-by: fuqiang wang <fuqiang.wng@gmail.com>
[sean: massage comments and changelog]
Link: https://patch.msgid.link/20251113205114.1647493-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2070,15 +2070,33 @@ static void advance_periodic_target_expi
ktime_t delta;
/*
- * Synchronize both deadlines to the same time source or
- * differences in the periods (caused by differences in the
- * underlying clocks or numerical approximation errors) will
- * cause the two to drift apart over time as the errors
- * accumulate.
+ * Use kernel time as the time source for both the hrtimer deadline and
+ * TSC-based deadline so that they stay synchronized. Computing each
+ * deadline independently will cause the two deadlines to drift apart
+ * over time as differences in the periods accumulate, e.g. due to
+ * differences in the underlying clocks or numerical approximation errors.
*/
apic->lapic_timer.target_expiration =
ktime_add_ns(apic->lapic_timer.target_expiration,
apic->lapic_timer.period);
+
+ /*
+ * If the new expiration is in the past, e.g. because userspace stopped
+ * running the VM for an extended duration, then force the expiration
+ * to "now" and don't try to play catch-up with the missed events. KVM
+ * will only deliver a single interrupt regardless of how many events
+ * are pending, i.e. restarting the timer with an expiration in the
+ * past will do nothing more than waste host cycles, and can even lead
+ * to a hard lockup in extreme cases.
+ */
+ if (ktime_before(apic->lapic_timer.target_expiration, now))
+ apic->lapic_timer.target_expiration = now;
+
+ /*
+ * Note, ensuring the expiration isn't in the past also prevents delta
+ * from going negative, which could cause the TSC deadline to become
+ * excessively large due to it an unsigned value.
+ */
delta = ktime_sub(apic->lapic_timer.target_expiration, now);
apic->lapic_timer.tscdeadline = kvm_read_l1_tsc(apic->vcpu, tscl) +
nsec_to_cycles(apic->vcpu, delta);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 223/567] KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 222/567] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 224/567] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Greg Kroah-Hartman
` (357 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit 3d80f4c93d3d26d0f9a0dd2844961a632eeea634 upstream.
When emulating L2 instructions, svm_check_intercept() checks whether a
write to CR0 should trigger a synthesized #VMEXIT with
SVM_EXIT_CR0_SEL_WRITE. However, it does not check whether L1 enabled
the intercept for SVM_EXIT_WRITE_CR0, which has higher priority
according to the APM (24593—Rev. 3.42—March 2024, Table 15-7):
When both selective and non-selective CR0-write intercepts are active at
the same time, the non-selective intercept takes priority. With respect
to exceptions, the priority of this intercept is the same as the generic
CR0-write intercept.
Make sure L1 does NOT intercept SVM_EXIT_WRITE_CR0 before checking if
SVM_EXIT_CR0_SEL_WRITE needs to be injected.
Opportunistically tweak the "not CR0" logic to explicitly bail early so
that it's more obvious that only CR0 has a selective intercept, and that
modifying icpt_info.exit_code is functionally necessary so that the call
to nested_svm_exit_handled() checks the correct exit code.
Fixes: cfec82cb7d31 ("KVM: SVM: Add intercept check for emulated cr accesses")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251024192918.3191141-4-yosry.ahmed@linux.dev
[sean: isolate non-CR0 write logic, tweak comments accordingly]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4650,15 +4650,29 @@ static int svm_check_intercept(struct kv
case SVM_EXIT_WRITE_CR0: {
unsigned long cr0, val;
- if (info->intercept == x86_intercept_cr_write)
+ /*
+ * Adjust the exit code accordingly if a CR other than CR0 is
+ * being written, and skip straight to the common handling as
+ * only CR0 has an additional selective intercept.
+ */
+ if (info->intercept == x86_intercept_cr_write && info->modrm_reg) {
icpt_info.exit_code += info->modrm_reg;
+ break;
+ }
- if (icpt_info.exit_code != SVM_EXIT_WRITE_CR0 ||
- info->intercept == x86_intercept_clts)
+ /*
+ * Convert the exit_code to SVM_EXIT_CR0_SEL_WRITE if a
+ * selective CR0 intercept is triggered (the common logic will
+ * treat the selective intercept as being enabled). Note, the
+ * unconditional intercept has higher priority, i.e. this is
+ * only relevant if *only* the selective intercept is enabled.
+ */
+ if (vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_CR0_WRITE) ||
+ !(vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_SELECTIVE_CR0)))
break;
- if (!(vmcb12_is_intercept(&svm->nested.ctl,
- INTERCEPT_SELECTIVE_CR0)))
+ /* CLTS never triggers INTERCEPT_SELECTIVE_CR0 */
+ if (info->intercept == x86_intercept_clts)
break;
cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 224/567] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 223/567] KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 225/567] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Greg Kroah-Hartman
` (356 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jim Mattson, Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit 7c8b465a1c91f674655ea9cec5083744ec5f796a upstream.
Mark the VMCB_NPT bit as dirty in nested_vmcb02_prepare_save()
on every nested VMRUN.
If L1 changes the PAT MSR between two VMRUN instructions on the same
L1 vCPU, the g_pat field in the associated vmcb02 will change, and the
VMCB_NPT clean bit should be cleared.
Fixes: 4bb170a5430b ("KVM: nSVM: do not mark all VMCB02 fields dirty on nested vmexit")
Cc: stable@vger.kernel.org
Signed-off-by: Jim Mattson <jmattson@google.com>
Link: https://lore.kernel.org/r/20250922162935.621409-3-jmattson@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -546,6 +546,7 @@ static void nested_vmcb02_prepare_save(s
struct kvm_vcpu *vcpu = &svm->vcpu;
nested_vmcb02_compute_g_pat(svm);
+ vmcb_mark_dirty(vmcb02, VMCB_NPT);
/* Load the nested guest state */
if (svm->nested.vmcb12_gpa != svm->nested.last_vmcb12_gpa) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 225/567] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 224/567] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 226/567] KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN Greg Kroah-Hartman
` (355 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Rizzo, Yosry Ahmed,
Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit 5674a76db0213f9db1e4d08e847ff649b46889c0 upstream.
When emulating L2 instructions, svm_check_intercept() checks whether a
write to CR0 should trigger a synthesized #VMEXIT with
SVM_EXIT_CR0_SEL_WRITE. For MOV-to-CR0, SVM_EXIT_CR0_SEL_WRITE is only
triggered if any bit other than CR0.MP and CR0.TS is updated. However,
according to the APM (24593—Rev. 3.42—March 2024, Table 15-7):
The LMSW instruction treats the selective CR0-write
intercept as a non-selective intercept (i.e., it intercepts
regardless of the value being written).
Skip checking the changed bits for x86_intercept_lmsw and always inject
SVM_EXIT_CR0_SEL_WRITE.
Fixes: cfec82cb7d31 ("KVM: SVM: Add intercept check for emulated cr accesses")
Cc: stable@vger.kernel.org
Reported-by: Matteo Rizzo <matteorizzo@google.com>
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251024192918.3191141-3-yosry.ahmed@linux.dev
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4675,20 +4675,20 @@ static int svm_check_intercept(struct kv
if (info->intercept == x86_intercept_clts)
break;
- cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
- val = info->src_val & ~SVM_CR0_SELECTIVE_MASK;
-
+ /* LMSW always triggers INTERCEPT_SELECTIVE_CR0 */
if (info->intercept == x86_intercept_lmsw) {
- cr0 &= 0xfUL;
- val &= 0xfUL;
- /* lmsw can't clear PE - catch this here */
- if (cr0 & X86_CR0_PE)
- val |= X86_CR0_PE;
+ icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;
+ break;
}
+ /*
+ * MOV-to-CR0 only triggers INTERCEPT_SELECTIVE_CR0 if any bit
+ * other than SVM_CR0_SELECTIVE_MASK is changed.
+ */
+ cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
+ val = info->src_val & ~SVM_CR0_SELECTIVE_MASK;
if (cr0 ^ val)
icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;
-
break;
}
case SVM_EXIT_READ_DR0:
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 226/567] KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 225/567] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 227/567] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Greg Kroah-Hartman
` (354 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Rizzo, Jim Mattson,
Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit 93c9e107386dbe1243287a5b14ceca894de372b9 upstream.
Mark the VMCB_PERM_MAP bit as dirty in nested_vmcb02_prepare_control()
on every nested VMRUN.
If L1 changes MSR interception (INTERCEPT_MSR_PROT) between two VMRUN
instructions on the same L1 vCPU, the msrpm_base_pa in the associated
vmcb02 will change, and the VMCB_PERM_MAP clean bit should be cleared.
Fixes: 4bb170a5430b ("KVM: nSVM: do not mark all VMCB02 fields dirty on nested vmexit")
Reported-by: Matteo Rizzo <matteorizzo@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jim Mattson <jmattson@google.com>
Link: https://lore.kernel.org/r/20250922162935.621409-2-jmattson@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -677,6 +677,7 @@ static void nested_vmcb02_prepare_contro
vmcb02->control.nested_ctl = vmcb01->control.nested_ctl;
vmcb02->control.iopm_base_pa = vmcb01->control.iopm_base_pa;
vmcb02->control.msrpm_base_pa = vmcb01->control.msrpm_base_pa;
+ vmcb_mark_dirty(vmcb02, VMCB_PERM_MAP);
/* Done at vmrun: asid. */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 227/567] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 226/567] KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 228/567] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Greg Kroah-Hartman
` (353 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Gao, Dongli Zhang,
Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dongli Zhang <dongli.zhang@oracle.com>
commit 29763138830916f46daaa50e83e7f4f907a3236b upstream.
If an APICv status updated was pended while L2 was active, immediately
refresh vmcs01's controls instead of pending KVM_REQ_APICV_UPDATE as
kvm_vcpu_update_apicv() only calls into vendor code if a change is
necessary.
E.g. if APICv is inhibited, and then activated while L2 is running:
kvm_vcpu_update_apicv()
|
-> __kvm_vcpu_update_apicv()
|
-> apic->apicv_active = true
|
-> vmx_refresh_apicv_exec_ctrl()
|
-> vmx->nested.update_vmcs01_apicv_status = true
|
-> return
Then L2 exits to L1:
__nested_vmx_vmexit()
|
-> kvm_make_request(KVM_REQ_APICV_UPDATE)
vcpu_enter_guest(): KVM_REQ_APICV_UPDATE
-> kvm_vcpu_update_apicv()
|
-> __kvm_vcpu_update_apicv()
|
-> return // because if (apic->apicv_active == activate)
Reported-by: Chao Gao <chao.gao@intel.com>
Closes: https://lore.kernel.org/all/aQ2jmnN8wUYVEawF@intel.com
Fixes: 7c69661e225c ("KVM: nVMX: Defer APICv updates while L2 is active until L1 is active")
Cc: stable@vger.kernel.org
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
[sean: write changelog]
Link: https://patch.msgid.link/20251205231913.441872-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/nested.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -18,6 +18,7 @@
#include "trace.h"
#include "vmx.h"
#include "smm.h"
+#include "x86_ops.h"
static bool __read_mostly enable_shadow_vmcs = 1;
module_param_named(enable_shadow_vmcs, enable_shadow_vmcs, bool, S_IRUGO);
@@ -5051,7 +5052,7 @@ void nested_vmx_vmexit(struct kvm_vcpu *
if (vmx->nested.update_vmcs01_apicv_status) {
vmx->nested.update_vmcs01_apicv_status = false;
- kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu);
+ vmx_refresh_apicv_exec_ctrl(vcpu);
}
if (vmx->nested.update_vmcs01_hwapic_isr) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 228/567] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN)
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 227/567] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 229/567] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Greg Kroah-Hartman
` (352 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Yosry Ahmed,
Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit f402ecd7a8b6446547076f4bd24bd5d4dcc94481 upstream.
Set exit_code_hi to -1u as a temporary band-aid to fix a long-standing
(effectively since KVM's inception) bug where KVM treats the exit code as
a 32-bit value, when in reality it's a 64-bit value. Per the APM, offset
0x70 is a single 64-bit value:
070h 63:0 EXITCODE
And a sane reading of the error values defined in "Table C-1. SVM Intercept
Codes" is that negative values use the full 64 bits:
–1 VMEXIT_INVALID Invalid guest state in VMCB.
–2 VMEXIT_BUSYBUSY bit was set in the VMSA
–3 VMEXIT_IDLE_REQUIREDThe sibling thread is not in an idle state
-4 VMEXIT_INVALID_PMC Invalid PMC state
And that interpretation is confirmed by testing on Milan and Turin (by
setting bits in CR0[63:32] to generate VMEXIT_INVALID on VMRUN).
Furthermore, Xen has treated exitcode as a 64-bit value since HVM support
was adding in 2006 (see Xen commit d1bd157fbc ("Big merge the HVM
full-virtualisation abstractions.")).
Cc: Jim Mattson <jmattson@google.com>
Cc: Yosry Ahmed <yosry.ahmed@linux.dev>
Cc: stable@vger.kernel.org
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251113225621.1688428-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -883,7 +883,7 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
if (!nested_vmcb_check_save(vcpu) ||
!nested_vmcb_check_controls(vcpu)) {
vmcb12->control.exit_code = SVM_EXIT_ERR;
- vmcb12->control.exit_code_hi = 0;
+ vmcb12->control.exit_code_hi = -1u;
vmcb12->control.exit_info_1 = 0;
vmcb12->control.exit_info_2 = 0;
goto out;
@@ -916,7 +916,7 @@ out_exit_err:
svm->soft_int_injected = false;
svm->vmcb->control.exit_code = SVM_EXIT_ERR;
- svm->vmcb->control.exit_code_hi = 0;
+ svm->vmcb->control.exit_code_hi = -1u;
svm->vmcb->control.exit_info_1 = 0;
svm->vmcb->control.exit_info_2 = 0;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 229/567] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 228/567] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 230/567] xfs: fix a memory leak in xfs_buf_item_init() Greg Kroah-Hartman
` (351 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Yosry Ahmed,
Sean Christopherson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit da01f64e7470988f8607776aa7afa924208863fb upstream.
Explicitly clear exit_code_hi in the VMCB when synthesizing "normal"
nested VM-Exits, as the full exit code is a 64-bit value (spoiler alert),
and all exit codes for non-failing VMRUN use only bits 31:0.
Cc: Jim Mattson <jmattson@google.com>
Cc: Yosry Ahmed <yosry.ahmed@linux.dev>
Cc: stable@vger.kernel.org
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251113225621.1688428-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 2 ++
arch/x86/kvm/svm/svm.h | 7 ++++---
2 files changed, 6 insertions(+), 3 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2702,6 +2702,7 @@ static bool check_selective_cr0_intercep
if (cr0 ^ val) {
svm->vmcb->control.exit_code = SVM_EXIT_CR0_SEL_WRITE;
+ svm->vmcb->control.exit_code_hi = 0;
ret = (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE);
}
@@ -4749,6 +4750,7 @@ static int svm_check_intercept(struct kv
if (static_cpu_has(X86_FEATURE_NRIPS))
vmcb->control.next_rip = info->next_rip;
vmcb->control.exit_code = icpt_info.exit_code;
+ vmcb->control.exit_code_hi = 0;
vmexit = nested_svm_exit_handled(svm);
ret = (vmexit == NESTED_EXIT_DONE) ? X86EMUL_INTERCEPTED
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -662,9 +662,10 @@ int nested_svm_vmexit(struct vcpu_svm *s
static inline int nested_svm_simple_vmexit(struct vcpu_svm *svm, u32 exit_code)
{
- svm->vmcb->control.exit_code = exit_code;
- svm->vmcb->control.exit_info_1 = 0;
- svm->vmcb->control.exit_info_2 = 0;
+ svm->vmcb->control.exit_code = exit_code;
+ svm->vmcb->control.exit_code_hi = 0;
+ svm->vmcb->control.exit_info_1 = 0;
+ svm->vmcb->control.exit_info_2 = 0;
return nested_svm_vmexit(svm);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 230/567] xfs: fix a memory leak in xfs_buf_item_init()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 229/567] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 231/567] xfs: fix stupid compiler warning Greg Kroah-Hartman
` (350 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Christoph Hellwig,
Carlos Maiolino, Carlos Maiolino
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit fc40459de82543b565ebc839dca8f7987f16f62e upstream.
xfs_buf_item_get_format() may allocate memory for bip->bli_formats,
free the memory in the error path.
Fixes: c3d5f0c2fb85 ("xfs: complain if anyone tries to create a too-large buffer log item")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_buf_item.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -900,6 +900,7 @@ xfs_buf_item_init(
map_size = DIV_ROUND_UP(chunks, NBWORD);
if (map_size > XFS_BLF_DATAMAP_SIZE) {
+ xfs_buf_item_free_format(bip);
kmem_cache_free(xfs_buf_item_cache, bip);
xfs_err(mp,
"buffer item dirty bitmap (%u uints) too small to reflect %u bytes!",
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 231/567] xfs: fix stupid compiler warning
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 230/567] xfs: fix a memory leak in xfs_buf_item_init() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 232/567] xfs: fix a UAF problem in xattr repair Greg Kroah-Hartman
` (349 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Carlos Maiolino,
Christoph Hellwig, Carlos Maiolino
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit f06725052098d7b1133ac3846d693c383dc427a2 upstream.
gcc 14.2 warns about:
xfs_attr_item.c: In function ‘xfs_attr_recover_work’:
xfs_attr_item.c:785:9: warning: ‘ip’ may be used uninitialized [-Wmaybe-uninitialized]
785 | xfs_trans_ijoin(tp, ip, 0);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
xfs_attr_item.c:740:42: note: ‘ip’ was declared here
740 | struct xfs_inode *ip;
| ^~
I think this is bogus since xfs_attri_recover_work either returns a real
pointer having initialized ip or an ERR_PTR having not touched it, but
the tools are smarter than me so let's just null-init the variable
anyway.
Cc: stable@vger.kernel.org # v6.8
Fixes: e70fb328d52772 ("xfs: recreate work items when recovering intent items")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_attr_item.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xfs/xfs_attr_item.c
+++ b/fs/xfs/xfs_attr_item.c
@@ -739,7 +739,7 @@ xfs_attr_recover_work(
struct xfs_attri_log_item *attrip = ATTRI_ITEM(lip);
struct xfs_attr_intent *attr;
struct xfs_mount *mp = lip->li_log->l_mp;
- struct xfs_inode *ip;
+ struct xfs_inode *ip = NULL;
struct xfs_da_args *args;
struct xfs_trans *tp;
struct xfs_trans_res resv;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 232/567] xfs: fix a UAF problem in xattr repair
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 231/567] xfs: fix stupid compiler warning Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 233/567] tracing: Do not register unsupported perf events Greg Kroah-Hartman
` (348 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Carlos Maiolino
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
commit 5990fd756943836978ad184aac980e2b36ab7e01 upstream.
The xchk_setup_xattr_buf function can allocate a new value buffer, which
means that any reference to ab->value before the call could become a
dangling pointer. Fix this by moving an assignment to after the buffer
setup.
Cc: stable@vger.kernel.org # v6.10
Fixes: e47dcf113ae348 ("xfs: repair extended attributes")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/scrub/attr_repair.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/xfs/scrub/attr_repair.c b/fs/xfs/scrub/attr_repair.c
index c7eb94069caf..09d63aa10314 100644
--- a/fs/xfs/scrub/attr_repair.c
+++ b/fs/xfs/scrub/attr_repair.c
@@ -333,7 +333,6 @@ xrep_xattr_salvage_remote_attr(
.attr_filter = ent->flags & XFS_ATTR_NSP_ONDISK_MASK,
.namelen = rentry->namelen,
.name = rentry->name,
- .value = ab->value,
.valuelen = be32_to_cpu(rentry->valuelen),
};
unsigned int namesize;
@@ -363,6 +362,7 @@ xrep_xattr_salvage_remote_attr(
error = -EDEADLOCK;
if (error)
return error;
+ args.value = ab->value;
/* Look up the remote value and stash it for reconstruction. */
error = xfs_attr3_leaf_getvalue(leaf_bp, &args);
--
2.52.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 233/567] tracing: Do not register unsupported perf events
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 232/567] xfs: fix a UAF problem in xattr repair Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 234/567] PM: runtime: Do not clear needs_force_resume with enabled runtime PM Greg Kroah-Hartman
` (347 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Arnaldo Carvalho de Melo, Jiri Olsa, Namhyung Kim, Ian Rogers,
Steven Rostedt (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit ef7f38df890f5dcd2ae62f8dbde191d72f3bebae upstream.
Synthetic events currently do not have a function to register perf events.
This leads to calling the tracepoint register functions with a NULL
function pointer which triggers:
------------[ cut here ]------------
WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272
Modules linked in: kvm_intel kvm irqbypass
CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:tracepoint_add_func+0x357/0x370
Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f
RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000
RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8
RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780
R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a
R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78
FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0
Call Trace:
<TASK>
tracepoint_probe_register+0x5d/0x90
synth_event_reg+0x3c/0x60
perf_trace_event_init+0x204/0x340
perf_trace_init+0x85/0xd0
perf_tp_event_init+0x2e/0x50
perf_try_init_event+0x6f/0x230
? perf_event_alloc+0x4bb/0xdc0
perf_event_alloc+0x65a/0xdc0
__se_sys_perf_event_open+0x290/0x9f0
do_syscall_64+0x93/0x7b0
? entry_SYSCALL_64_after_hwframe+0x76/0x7e
? trace_hardirqs_off+0x53/0xc0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Instead, have the code return -ENODEV, which doesn't warn and has perf
error out with:
# perf record -e synthetic:futex_wait
Error:
The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).
"dmesg | grep -i perf" may provide additional information.
Ideally perf should support synthetic events, but for now just fix the
warning. The support can come later.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://patch.msgid.link/20251216182440.147e4453@gandalf.local.home
Fixes: 4b147936fa509 ("tracing: Add support for 'synthetic' events")
Reported-by: Ian Rogers <irogers@google.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -689,6 +689,8 @@ int trace_event_reg(struct trace_event_c
#ifdef CONFIG_PERF_EVENTS
case TRACE_REG_PERF_REGISTER:
+ if (!call->class->perf_probe)
+ return -ENODEV;
return tracepoint_probe_register(call->tp,
call->class->perf_probe,
call);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 234/567] PM: runtime: Do not clear needs_force_resume with enabled runtime PM
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 233/567] tracing: Do not register unsupported perf events Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 235/567] r8169: fix RTL8117 Wake-on-Lan in DASH mode Greg Kroah-Hartman
` (346 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ed Tsai, Rafael J. Wysocki,
Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 359afc8eb02a518fbdd0cbd462c8c2827c6cbec2 upstream.
Commit 89d9cec3b1e9 ("PM: runtime: Clear power.needs_force_resume in
pm_runtime_reinit()") added provisional clearing of power.needs_force_resume
to pm_runtime_reinit(), but it is done unconditionally which is a
mistake because pm_runtime_reinit() may race with driver probing
and removal [1].
To address this, notice that power.needs_force_resume should never
be set when runtime PM is enabled and so it only needs to be cleared
when runtime PM is disabled, and update pm_runtime_init() to only
clear that flag when runtime PM is disabled.
Fixes: 89d9cec3b1e9 ("PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()")
Reported-by: Ed Tsai <ed.tsai@mediatek.com>
Closes: https://lore.kernel.org/linux-pm/20251215122154.3180001-1-ed.tsai@mediatek.com/ [1]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: 6.17+ <stable@vger.kernel.org> # 6.17+
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://patch.msgid.link/12807571.O9o76ZdvQC@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/power/runtime.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1829,16 +1829,18 @@ void pm_runtime_init(struct device *dev)
*/
void pm_runtime_reinit(struct device *dev)
{
- if (!pm_runtime_enabled(dev)) {
- if (dev->power.runtime_status == RPM_ACTIVE)
- pm_runtime_set_suspended(dev);
- if (dev->power.irq_safe) {
- spin_lock_irq(&dev->power.lock);
- dev->power.irq_safe = 0;
- spin_unlock_irq(&dev->power.lock);
- if (dev->parent)
- pm_runtime_put(dev->parent);
- }
+ if (pm_runtime_enabled(dev))
+ return;
+
+ if (dev->power.runtime_status == RPM_ACTIVE)
+ pm_runtime_set_suspended(dev);
+
+ if (dev->power.irq_safe) {
+ spin_lock_irq(&dev->power.lock);
+ dev->power.irq_safe = 0;
+ spin_unlock_irq(&dev->power.lock);
+ if (dev->parent)
+ pm_runtime_put(dev->parent);
}
/*
* Clear power.needs_force_resume in case it has been set by
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 235/567] r8169: fix RTL8117 Wake-on-Lan in DASH mode
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 234/567] PM: runtime: Do not clear needs_force_resume with enabled runtime PM Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 236/567] net: phy: marvell-88q2xxx: Fix clamped value in mv88q2xxx_hwmon_write Greg Kroah-Hartman
` (345 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Heiner Kallweit,
Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
commit dd75c723ef566f7f009c047f47e0eee95fe348ab upstream.
Wake-on-Lan does currently not work for r8169 in DASH mode, e.g. the
ASUS Pro WS X570-ACE with RTL8168fp/RTL8117.
Fix by not returning early in rtl_prepare_power_down when dash_enabled.
While this fixes WoL, it still kills the OOB RTL8117 remote management
BMC connection. Fix by not calling rtl8168_driver_stop if WoL is enabled.
Fixes: 065c27c184d6 ("r8169: phy power ops")
Signed-off-by: René Rebe <rene@exactco.de>
Cc: stable@vger.kernel.org
Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
Link: https://patch.msgid.link/20251202.194137.1647877804487085954.rene@exactco.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/realtek/r8169_main.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -2724,9 +2724,6 @@ static void rtl_wol_enable_rx(struct rtl
static void rtl_prepare_power_down(struct rtl8169_private *tp)
{
- if (tp->dash_enabled)
- return;
-
if (tp->mac_version == RTL_GIGA_MAC_VER_32 ||
tp->mac_version == RTL_GIGA_MAC_VER_33)
rtl_ephy_write(tp, 0x19, 0xff64);
@@ -4862,7 +4859,7 @@ static void rtl8169_down(struct rtl8169_
rtl_disable_exit_l1(tp);
rtl_prepare_power_down(tp);
- if (tp->dash_type != RTL_DASH_NONE)
+ if (tp->dash_type != RTL_DASH_NONE && !tp->saved_wolopts)
rtl8168_driver_stop(tp);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 236/567] net: phy: marvell-88q2xxx: Fix clamped value in mv88q2xxx_hwmon_write
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 235/567] r8169: fix RTL8117 Wake-on-Lan in DASH mode Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 237/567] fsnotify: do not generate ACCESS/MODIFY events on child for special files Greg Kroah-Hartman
` (344 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Dimitri Fedrau,
Andrew Lunn, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit c4cdf7376271bce5714c06d79ec67759b18910eb upstream.
The local variable 'val' was never clamped to -75000 or 180000 because
the return value of clamp_val() was not used. Fix this by assigning the
clamped value back to 'val', and use clamp() instead of clamp_val().
Cc: stable@vger.kernel.org
Fixes: a557a92e6881 ("net: phy: marvell-88q2xxx: add support for temperature sensor")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Dimitri Fedrau <dima.fedrau@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251202172743.453055-3-thorsten.blum@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/phy/marvell-88q2xxx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/phy/marvell-88q2xxx.c
+++ b/drivers/net/phy/marvell-88q2xxx.c
@@ -647,7 +647,7 @@ static int mv88q2xxx_hwmon_write(struct
switch (attr) {
case hwmon_temp_max:
- clamp_val(val, -75000, 180000);
+ val = clamp(val, -75000, 180000);
val = (val / 1000) + 75;
val = FIELD_PREP(MDIO_MMD_PCS_MV_TEMP_SENSOR3_INT_THRESH_MASK,
val);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 237/567] fsnotify: do not generate ACCESS/MODIFY events on child for special files
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 236/567] net: phy: marvell-88q2xxx: Fix clamped value in mv88q2xxx_hwmon_write Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 238/567] net/handshake: restore destructor on submit failure Greg Kroah-Hartman
` (343 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sudheendra Raghav Neela,
Amir Goldstein, Jan Kara
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Goldstein <amir73il@gmail.com>
commit 635bc4def026a24e071436f4f356ea08c0eed6ff upstream.
inotify/fanotify do not allow users with no read access to a file to
subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the
same user to subscribe for watching events on children when the user
has access to the parent directory (e.g. /dev).
Users with no read access to a file but with read access to its parent
directory can still stat the file and see if it was accessed/modified
via atime/mtime change.
The same is not true for special files (e.g. /dev/null). Users will not
generally observe atime/mtime changes when other users read/write to
special files, only when someone sets atime/mtime via utimensat().
Align fsnotify events with this stat behavior and do not generate
ACCESS/MODIFY events to parent watchers on read/write of special files.
The events are still generated to parent watchers on utimensat(). This
closes some side-channels that could be possibly used for information
exfiltration [1].
[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf
Reported-by: Sudheendra Raghav Neela <sneela@tugraz.at>
CC: stable@vger.kernel.org
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/notify/fsnotify.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/notify/fsnotify.c
+++ b/fs/notify/fsnotify.c
@@ -247,8 +247,15 @@ int __fsnotify_parent(struct dentry *den
/*
* Include parent/name in notification either if some notification
* groups require parent info or the parent is interested in this event.
+ * The parent interest in ACCESS/MODIFY events does not apply to special
+ * files, where read/write are not on the filesystem of the parent and
+ * events can provide an undesirable side-channel for information
+ * exfiltration.
*/
- parent_interested = mask & p_mask & ALL_FSNOTIFY_EVENTS;
+ parent_interested = mask & p_mask & ALL_FSNOTIFY_EVENTS &&
+ !(data_type == FSNOTIFY_EVENT_PATH &&
+ d_is_special(dentry) &&
+ (mask & (FS_ACCESS | FS_MODIFY)));
if (parent_needed || parent_interested) {
/* When notifying parent, child should be passed as data */
WARN_ON_ONCE(inode != fsnotify_data_inode(data, data_type));
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 238/567] net/handshake: restore destructor on submit failure
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 237/567] fsnotify: do not generate ACCESS/MODIFY events on child for special files Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 239/567] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap Greg Kroah-Hartman
` (342 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chuck Lever, caoping, Jakub Kicinski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: caoping <caoping@cmss.chinamobile.com>
commit 6af2a01d65f89e73c1cbb9267f8880d83a88cee4 upstream.
handshake_req_submit() replaces sk->sk_destruct but never restores it when
submission fails before the request is hashed. handshake_sk_destruct() then
returns early and the original destructor never runs, leaking the socket.
Restore sk_destruct on the error path.
Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: caoping <caoping@cmss.chinamobile.com>
Link: https://patch.msgid.link/20251204091058.1545151-1-caoping@cmss.chinamobile.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/handshake/request.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -277,6 +277,8 @@ int handshake_req_submit(struct socket *
out_unlock:
spin_unlock(&hn->hn_lock);
out_err:
+ /* Restore original destructor so socket teardown still runs on failure */
+ req->hr_sk->sk_destruct = req->hr_odestruct;
trace_handshake_submit_err(net, req, req->hr_sk, ret);
handshake_req_destroy(req);
return ret;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 239/567] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 238/567] net/handshake: restore destructor on submit failure Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 240/567] NFSD: NFSv4 file creation neglects setting ACL Greg Kroah-Hartman
` (341 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit 27d17641cacfedd816789b75d342430f6b912bd2 upstream.
>From RFC 8881:
5.8.1.14. Attribute 75: suppattr_exclcreat
> The bit vector that would set all REQUIRED and RECOMMENDED
> attributes that are supported by the EXCLUSIVE4_1 method of file
> creation via the OPEN operation. The scope of this attribute
> applies to all objects with a matching fsid.
There's nothing in RFC 8881 that states that suppattr_exclcreat is
or is not allowed to contain bits for attributes that are clear in
the reported supported_attrs bitmask. But it doesn't make sense for
an NFS server to indicate that it /doesn't/ implement an attribute,
but then also indicate that clients /are/ allowed to set that
attribute using OPEN(create) with EXCLUSIVE4_1.
Ensure that the SECURITY_LABEL and ACL bits are not set in the
suppattr_exclcreat bitmask when they are also not set in the
supported_attrs bitmask.
Fixes: 8c18f2052e75 ("nfsd41: SUPPATTR_EXCLCREAT attribute")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4xdr.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3362,6 +3362,11 @@ static __be32 nfsd4_encode_fattr4_suppat
u32 supp[3];
memcpy(supp, nfsd_suppattrs[resp->cstate.minorversion], sizeof(supp));
+ if (!IS_POSIXACL(d_inode(args->dentry)))
+ supp[0] &= ~FATTR4_WORD0_ACL;
+ if (!args->contextsupport)
+ supp[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+
supp[0] &= NFSD_SUPPATTR_EXCLCREAT_WORD0;
supp[1] &= NFSD_SUPPATTR_EXCLCREAT_WORD1;
supp[2] &= NFSD_SUPPATTR_EXCLCREAT_WORD2;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 240/567] NFSD: NFSv4 file creation neglects setting ACL
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 239/567] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 241/567] nfsd: Mark variable __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
` (340 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aurélien Couderc, Roland Mainz,
Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit 913f7cf77bf14c13cfea70e89bcb6d0b22239562 upstream.
An NFSv4 client that sets an ACL with a named principal during file
creation retrieves the ACL afterwards, and finds that it is only a
default ACL (based on the mode bits) and not the ACL that was
requested during file creation. This violates RFC 8881 section
6.4.1.3: "the ACL attribute is set as given".
The issue occurs in nfsd_create_setattr(), which calls
nfsd_attrs_valid() to determine whether to call nfsd_setattr().
However, nfsd_attrs_valid() checks only for iattr changes and
security labels, but not POSIX ACLs. When only an ACL is present,
the function returns false, nfsd_setattr() is skipped, and the
POSIX ACL is never applied to the inode.
Subsequently, when the client retrieves the ACL, the server finds
no POSIX ACL on the inode and returns one generated from the file's
mode bits rather than returning the originally-specified ACL.
Reported-by: Aurélien Couderc <aurelien.couderc2002@gmail.com>
Fixes: c0cbe70742f4 ("NFSD: add posix ACLs to struct nfsd_attrs")
Cc: Roland Mainz <roland.mainz@nrubsig.org>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/vfs.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfsd/vfs.h
+++ b/fs/nfsd/vfs.h
@@ -67,7 +67,8 @@ static inline bool nfsd_attrs_valid(stru
struct iattr *iap = attrs->na_iattr;
return (iap->ia_valid || (attrs->na_seclabel &&
- attrs->na_seclabel->len));
+ attrs->na_seclabel->len) ||
+ attrs->na_pacl || attrs->na_dpacl);
}
__be32 nfserrno (int errno);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 241/567] nfsd: Mark variable __maybe_unused to avoid W=1 build break
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 240/567] NFSD: NFSv4 file creation neglects setting ACL Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 242/567] svcrdma: return 0 on success from svc_rdma_copy_inline_range Greg Kroah-Hartman
` (339 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit ebae102897e760e9e6bc625f701dd666b2163bd1 upstream.
Clang is not happy about set but (in some cases) unused variable:
fs/nfsd/export.c:1027:17: error: variable 'inode' set but not used [-Werror,-Wunused-but-set-variable]
since it's used as a parameter to dprintk() which might be configured
a no-op. To avoid uglifying code with the specific ifdeffery just mark
the variable __maybe_unused.
The commit [1], which introduced this behaviour, is quite old and hence
the Fixes tag points to the first of the Git era.
Link: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/?id=0431923fb7a1 [1]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/export.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1017,7 +1017,7 @@ exp_rootfh(struct net *net, struct auth_
{
struct svc_export *exp;
struct path path;
- struct inode *inode;
+ struct inode *inode __maybe_unused;
struct svc_fh fh;
int err;
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 242/567] svcrdma: return 0 on success from svc_rdma_copy_inline_range
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 241/567] nfsd: Mark variable __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 243/567] svcrdma: use rc_pageoff for memcpy byte offset Greg Kroah-Hartman
` (338 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
commit 94972027ab55b200e031059fd6c7a649f8248020 upstream.
The function comment specifies 0 on success and -EINVAL on invalid
parameters. Make the tail return 0 after a successful copy loop.
Fixes: d7cc73972661 ("svcrdma: support multiple Read chunks per RPC")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -860,7 +860,7 @@ static int svc_rdma_copy_inline_range(st
offset += page_len;
}
- return -EINVAL;
+ return 0;
}
/**
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 243/567] svcrdma: use rc_pageoff for memcpy byte offset
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 242/567] svcrdma: return 0 on success from svc_rdma_copy_inline_range Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 244/567] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Greg Kroah-Hartman
` (337 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
commit a8ee9099f30654917aa68f55d707b5627e1dbf77 upstream.
svc_rdma_copy_inline_range added rc_curpage (page index) to the page
base instead of the byte offset rc_pageoff. Use rc_pageoff so copies
land within the current page.
Found by ZeroPath (https://zeropath.com)
Fixes: 8e122582680c ("svcrdma: Move svc_rdma_read_info::ri_pageno to struct svc_rdma_recv_ctxt")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -851,7 +851,7 @@ static int svc_rdma_copy_inline_range(st
head->rc_page_count++;
dst = page_address(rqstp->rq_pages[head->rc_curpage]);
- memcpy(dst + head->rc_curpage, src + offset, page_len);
+ memcpy((unsigned char *)dst + head->rc_pageoff, src + offset, page_len);
head->rc_readbytes += page_len;
head->rc_pageoff += page_len;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 244/567] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 243/567] svcrdma: use rc_pageoff for memcpy byte offset Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 245/567] powerpc/kexec: Enable SMT before waking offline CPUs Greg Kroah-Hartman
` (336 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
commit d4b69a6186b215d2dc1ebcab965ed88e8d41768d upstream.
A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.
Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/auth_gss/svcauth_gss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1083,7 +1083,8 @@ static int gss_read_proxy_verf(struct sv
}
length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p);
- memcpy(page_address(in_token->pages[0]), xdr->p, length);
+ if (length)
+ memcpy(page_address(in_token->pages[0]), xdr->p, length);
inlen -= length;
to_offs = length;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 245/567] powerpc/kexec: Enable SMT before waking offline CPUs
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 244/567] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 246/567] btrfs: dont log conflicting inode if its a dir moved in the current transaction Greg Kroah-Hartman
` (335 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sachin P Bappalige,
Srikar Dronamraju, Nysal Jan K.A., Samir M, Sourabh Jain,
Madhavan Srinivasan
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nysal Jan K.A. <nysal@linux.ibm.com>
commit c2296a1e42418556efbeb5636c4fa6aa6106713a upstream.
If SMT is disabled or a partial SMT state is enabled, when a new kernel
image is loaded for kexec, on reboot the following warning is observed:
kexec: Waking offline cpu 228.
WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc
[snip]
NIP kexec_prepare_cpus+0x1b0/0x1bc
LR kexec_prepare_cpus+0x1a0/0x1bc
Call Trace:
kexec_prepare_cpus+0x1a0/0x1bc (unreliable)
default_machine_kexec+0x160/0x19c
machine_kexec+0x80/0x88
kernel_kexec+0xd0/0x118
__do_sys_reboot+0x210/0x2c4
system_call_exception+0x124/0x320
system_call_vectored_common+0x15c/0x2ec
This occurs as add_cpu() fails due to cpu_bootable() returning false for
CPUs that fail the cpu_smt_thread_allowed() check or non primary
threads if SMT is disabled.
Fix the issue by enabling SMT and resetting the number of SMT threads to
the number of threads per core, before attempting to wake up all present
CPUs.
Fixes: 38253464bc82 ("cpu/SMT: Create topology_smt_thread_allowed()")
Reported-by: Sachin P Bappalige <sachinpb@linux.ibm.com>
Cc: stable@vger.kernel.org # v6.6+
Reviewed-by: Srikar Dronamraju <srikar@linux.ibm.com>
Signed-off-by: Nysal Jan K.A. <nysal@linux.ibm.com>
Tested-by: Samir M <samir@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20251028105516.26258-1-nysal@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kexec/core_64.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/arch/powerpc/kexec/core_64.c
+++ b/arch/powerpc/kexec/core_64.c
@@ -202,6 +202,23 @@ static void kexec_prepare_cpus_wait(int
mb();
}
+
+/*
+ * The add_cpu() call in wake_offline_cpus() can fail as cpu_bootable()
+ * returns false for CPUs that fail the cpu_smt_thread_allowed() check
+ * or non primary threads if SMT is disabled. Re-enable SMT and set the
+ * number of SMT threads to threads per core.
+ */
+static void kexec_smt_reenable(void)
+{
+#if defined(CONFIG_SMP) && defined(CONFIG_HOTPLUG_SMT)
+ lock_device_hotplug();
+ cpu_smt_num_threads = threads_per_core;
+ cpu_smt_control = CPU_SMT_ENABLED;
+ unlock_device_hotplug();
+#endif
+}
+
/*
* We need to make sure each present CPU is online. The next kernel will scan
* the device tree and assume primary threads are online and query secondary
@@ -216,6 +233,8 @@ static void wake_offline_cpus(void)
{
int cpu = 0;
+ kexec_smt_reenable();
+
for_each_present_cpu(cpu) {
if (!cpu_online(cpu)) {
printk(KERN_INFO "kexec: Waking offline cpu %d.\n",
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 246/567] btrfs: dont log conflicting inode if its a dir moved in the current transaction
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 245/567] powerpc/kexec: Enable SMT before waking offline CPUs Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 247/567] s390/ipl: Clear SBP flag when bootprog is set Greg Kroah-Hartman
` (334 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vyacheslav Kovalevsky, Filipe Manana,
David Sterba
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 266273eaf4d99475f1ae57f687b3e42bc71ec6f0 upstream.
We can't log a conflicting inode if it's a directory and it was moved
from one parent directory to another parent directory in the current
transaction, as this can result an attempt to have a directory with
two hard links during log replay, one for the old parent directory and
another for the new parent directory.
The following scenario triggers that issue:
1) We have directories "dir1" and "dir2" created in a past transaction.
Directory "dir1" has inode A as its parent directory;
2) We move "dir1" to some other directory;
3) We create a file with the name "dir1" in directory inode A;
4) We fsync the new file. This results in logging the inode of the new file
and the inode for the directory "dir1" that was previously moved in the
current transaction. So the log tree has the INODE_REF item for the
new location of "dir1";
5) We move the new file to some other directory. This results in updating
the log tree to included the new INODE_REF for the new location of the
file and removes the INODE_REF for the old location. This happens
during the rename when we call btrfs_log_new_name();
6) We fsync the file, and that persists the log tree changes done in the
previous step (btrfs_log_new_name() only updates the log tree in
memory);
7) We have a power failure;
8) Next time the fs is mounted, log replay happens and when processing
the inode for directory "dir1" we find a new INODE_REF and add that
link, but we don't remove the old link of the inode since we have
not logged the old parent directory of the directory inode "dir1".
As a result after log replay finishes when we trigger writeback of the
subvolume tree's extent buffers, the tree check will detect that we have
a directory a hard link count of 2 and we get a mount failure.
The errors and stack traces reported in dmesg/syslog are like this:
[ 3845.729764] BTRFS info (device dm-0): start tree-log replay
[ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c
[ 3845.731236] memcg:ffff9264c02f4e00
[ 3845.731751] aops:btree_aops [btrfs] ino:1
[ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
[ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8
[ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00
[ 3845.735305] page dumped because: eb page dump
[ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir
[ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5
[ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701
[ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
[ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384
[ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0
[ 3845.737797] rdev 0 sequence 2 flags 0x0
[ 3845.737798] atime 1764259517.0
[ 3845.737800] ctime 1764259517.572889464
[ 3845.737801] mtime 1764259517.572889464
[ 3845.737802] otime 1764259517.0
[ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
[ 3845.737805] index 0 name_len 2
[ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34
[ 3845.737808] location key (257 1 0) type 2
[ 3845.737810] transid 9 data_len 0 name_len 4
[ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34
[ 3845.737813] location key (258 1 0) type 2
[ 3845.737814] transid 9 data_len 0 name_len 4
[ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
[ 3845.737816] location key (257 1 0) type 2
[ 3845.737818] transid 9 data_len 0 name_len 4
[ 3845.737819] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34
[ 3845.737820] location key (258 1 0) type 2
[ 3845.737821] transid 9 data_len 0 name_len 4
[ 3845.737822] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160
[ 3845.737824] inode generation 9 transid 10 size 6 nbytes 0
[ 3845.737825] block group 0 mode 40755 links 2 uid 0 gid 0
[ 3845.737826] rdev 0 sequence 1 flags 0x0
[ 3845.737827] atime 1764259517.572889464
[ 3845.737828] ctime 1764259517.572889464
[ 3845.737830] mtime 1764259517.572889464
[ 3845.737831] otime 1764259517.572889464
[ 3845.737832] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14
[ 3845.737833] index 2 name_len 4
[ 3845.737834] item 8 key (257 INODE_REF 258) itemoff 15787 itemsize 14
[ 3845.737836] index 2 name_len 4
[ 3845.737837] item 9 key (257 DIR_ITEM 2507850652) itemoff 15754 itemsize 33
[ 3845.737838] location key (259 1 0) type 1
[ 3845.737839] transid 10 data_len 0 name_len 3
[ 3845.737840] item 10 key (257 DIR_INDEX 2) itemoff 15721 itemsize 33
[ 3845.737842] location key (259 1 0) type 1
[ 3845.737843] transid 10 data_len 0 name_len 3
[ 3845.737844] item 11 key (258 INODE_ITEM 0) itemoff 15561 itemsize 160
[ 3845.737846] inode generation 9 transid 10 size 8 nbytes 0
[ 3845.737847] block group 0 mode 40755 links 1 uid 0 gid 0
[ 3845.737848] rdev 0 sequence 1 flags 0x0
[ 3845.737849] atime 1764259517.572889464
[ 3845.737850] ctime 1764259517.572889464
[ 3845.737851] mtime 1764259517.572889464
[ 3845.737852] otime 1764259517.572889464
[ 3845.737853] item 12 key (258 INODE_REF 256) itemoff 15547 itemsize 14
[ 3845.737855] index 3 name_len 4
[ 3845.737856] item 13 key (258 DIR_ITEM 1843588421) itemoff 15513 itemsize 34
[ 3845.737857] location key (257 1 0) type 2
[ 3845.737858] transid 10 data_len 0 name_len 4
[ 3845.737860] item 14 key (258 DIR_INDEX 2) itemoff 15479 itemsize 34
[ 3845.737861] location key (257 1 0) type 2
[ 3845.737862] transid 10 data_len 0 name_len 4
[ 3845.737863] item 15 key (259 INODE_ITEM 0) itemoff 15319 itemsize 160
[ 3845.737865] inode generation 10 transid 10 size 0 nbytes 0
[ 3845.737866] block group 0 mode 100600 links 1 uid 0 gid 0
[ 3845.737867] rdev 0 sequence 2 flags 0x0
[ 3845.737868] atime 1764259517.580874966
[ 3845.737869] ctime 1764259517.586121869
[ 3845.737870] mtime 1764259517.580874966
[ 3845.737872] otime 1764259517.580874966
[ 3845.737873] item 16 key (259 INODE_REF 257) itemoff 15306 itemsize 13
[ 3845.737874] index 2 name_len 3
[ 3845.737875] BTRFS error (device dm-0): block=30408704 write time tree block corruption detected
[ 3845.739448] ------------[ cut here ]------------
[ 3845.740092] WARNING: CPU: 5 PID: 30701 at fs/btrfs/disk-io.c:335 btree_csum_one_bio+0x25a/0x270 [btrfs]
[ 3845.741439] Modules linked in: btrfs dm_flakey crc32c_cryptoapi (...)
[ 3845.750626] CPU: 5 UID: 0 PID: 30701 Comm: mount Tainted: G W 6.18.0-rc6-btrfs-next-218+ #1 PREEMPT(full)
[ 3845.752414] Tainted: [W]=WARN
[ 3845.752828] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 3845.754499] RIP: 0010:btree_csum_one_bio+0x25a/0x270 [btrfs]
[ 3845.755460] Code: 31 f6 48 89 (...)
[ 3845.758685] RSP: 0018:ffffa8d9c5677678 EFLAGS: 00010246
[ 3845.759450] RAX: 0000000000000000 RBX: ffff92650e6d4738 RCX: 0000000000000000
[ 3845.760309] RDX: 0000000000000000 RSI: ffffffff9aab45b9 RDI: ffff9264c4748000
[ 3845.761239] RBP: ffff9264d4324000 R08: 0000000000000000 R09: ffffa8d9c5677468
[ 3845.762607] R10: ffff926bdc1fffa8 R11: 0000000000000003 R12: ffffa8d9c5677680
[ 3845.764099] R13: 0000000000004000 R14: ffff9264dd624000 R15: ffff9264d978aba8
[ 3845.765094] FS: 00007f751fa5a840(0000) GS:ffff926c42a82000(0000) knlGS:0000000000000000
[ 3845.766226] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3845.766970] CR2: 0000558df1815380 CR3: 000000010ed88003 CR4: 0000000000370ef0
[ 3845.768009] Call Trace:
[ 3845.768392] <TASK>
[ 3845.768714] btrfs_submit_bbio+0x6ee/0x7f0 [btrfs]
[ 3845.769640] ? write_one_eb+0x28e/0x340 [btrfs]
[ 3845.770588] btree_write_cache_pages+0x2f0/0x550 [btrfs]
[ 3845.771286] ? alloc_extent_state+0x19/0x100 [btrfs]
[ 3845.771967] ? merge_next_state+0x1a/0x90 [btrfs]
[ 3845.772586] ? set_extent_bit+0x233/0x8b0 [btrfs]
[ 3845.773198] ? xas_load+0x9/0xc0
[ 3845.773589] ? xas_find+0x14d/0x1a0
[ 3845.773969] do_writepages+0xc6/0x160
[ 3845.774367] filemap_fdatawrite_wbc+0x48/0x60
[ 3845.775003] __filemap_fdatawrite_range+0x5b/0x80
[ 3845.775902] btrfs_write_marked_extents+0x61/0x170 [btrfs]
[ 3845.776707] btrfs_write_and_wait_transaction+0x4e/0xc0 [btrfs]
[ 3845.777379] ? _raw_spin_unlock_irqrestore+0x23/0x40
[ 3845.777923] btrfs_commit_transaction+0x5ea/0xd20 [btrfs]
[ 3845.778551] ? _raw_spin_unlock+0x15/0x30
[ 3845.778986] ? release_extent_buffer+0x34/0x160 [btrfs]
[ 3845.779659] btrfs_recover_log_trees+0x7a3/0x7c0 [btrfs]
[ 3845.780416] ? __pfx_replay_one_buffer+0x10/0x10 [btrfs]
[ 3845.781499] open_ctree+0x10bb/0x15f0 [btrfs]
[ 3845.782194] btrfs_get_tree.cold+0xb/0x16c [btrfs]
[ 3845.782764] ? fscontext_read+0x15c/0x180
[ 3845.783202] ? rw_verify_area+0x50/0x180
[ 3845.783667] vfs_get_tree+0x25/0xd0
[ 3845.784047] vfs_cmd_create+0x59/0xe0
[ 3845.784458] __do_sys_fsconfig+0x4f6/0x6b0
[ 3845.784914] do_syscall_64+0x50/0x1220
[ 3845.785340] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 3845.785980] RIP: 0033:0x7f751fc7f4aa
[ 3845.786759] Code: 73 01 c3 48 (...)
[ 3845.789951] RSP: 002b:00007ffcdba45dc8 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
[ 3845.791402] RAX: ffffffffffffffda RBX: 000055ccc8291c20 RCX: 00007f751fc7f4aa
[ 3845.792688] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
[ 3845.794308] RBP: 000055ccc8292120 R08: 0000000000000000 R09: 0000000000000000
[ 3845.795829] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 3845.797183] R13: 00007f751fe11580 R14: 00007f751fe1326c R15: 00007f751fdf8a23
[ 3845.798633] </TASK>
[ 3845.799067] ---[ end trace 0000000000000000 ]---
[ 3845.800215] BTRFS: error (device dm-0) in btrfs_commit_transaction:2553: errno=-5 IO failure (Error while writing out transaction)
[ 3845.801860] BTRFS warning (device dm-0 state E): Skipping commit of aborted transaction.
[ 3845.802815] BTRFS error (device dm-0 state EA): Transaction aborted (error -5)
[ 3845.803728] BTRFS: error (device dm-0 state EA) in cleanup_transaction:2036: errno=-5 IO failure
[ 3845.805374] BTRFS: error (device dm-0 state EA) in btrfs_replay_log:2083: errno=-5 IO failure (Failed to recover log tree)
[ 3845.807919] BTRFS error (device dm-0 state EA): open_ctree failed: -5
Fix this by never logging a conflicting inode that is a directory and was
moved in the current transaction (its last_unlink_trans equals the current
transaction) and instead fallback to a transaction commit.
A test case for fstests will follow soon.
Reported-by: Vyacheslav Kovalevsky <slva.kovalevskiy.2014@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/7bbc9419-5c56-450a-b5a0-efeae7457113@gmail.com/
CC: stable@vger.kernel.org # 6.1+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-log.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -5734,6 +5734,33 @@ static int conflicting_inode_is_dir(stru
return ret;
}
+static bool can_log_conflicting_inode(const struct btrfs_trans_handle *trans,
+ const struct btrfs_inode *inode)
+{
+ if (!S_ISDIR(inode->vfs_inode.i_mode))
+ return true;
+
+ if (inode->last_unlink_trans < trans->transid)
+ return true;
+
+ /*
+ * If this is a directory and its unlink_trans is not from a past
+ * transaction then we must fallback to a transaction commit in order
+ * to avoid getting a directory with 2 hard links after log replay.
+ *
+ * This happens if a directory A is renamed, moved from one parent
+ * directory to another one, a new file is created in the old parent
+ * directory with the old name of our directory A, the new file is
+ * fsynced, then we moved the new file to some other parent directory
+ * and fsync again the new file. This results in a log tree where we
+ * logged that directory A existed, with the INODE_REF item for the
+ * new location but without having logged its old parent inode, so
+ * that on log replay we add a new link for the new location but the
+ * old link remains, resulting in a link count of 2.
+ */
+ return false;
+}
+
static int add_conflicting_inode(struct btrfs_trans_handle *trans,
struct btrfs_root *root,
struct btrfs_path *path,
@@ -5837,6 +5864,11 @@ static int add_conflicting_inode(struct
return 0;
}
+ if (!can_log_conflicting_inode(trans, inode)) {
+ btrfs_add_delayed_iput(inode);
+ return BTRFS_LOG_FORCE_COMMIT;
+ }
+
btrfs_add_delayed_iput(inode);
ino_elem = kmalloc(sizeof(*ino_elem), GFP_NOFS);
@@ -5901,6 +5933,12 @@ static int log_conflicting_inodes(struct
break;
}
+ if (!can_log_conflicting_inode(trans, inode)) {
+ btrfs_add_delayed_iput(inode);
+ ret = BTRFS_LOG_FORCE_COMMIT;
+ break;
+ }
+
/*
* Always log the directory, we cannot make this
* conditional on need_log_inode() because the directory
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 247/567] s390/ipl: Clear SBP flag when bootprog is set
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 246/567] btrfs: dont log conflicting inode if its a dir moved in the current transaction Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 248/567] gpio: regmap: Fix memleak in error path in gpio_regmap_register() Greg Kroah-Hartman
` (333 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Oberparleiter, Heiko Carstens,
Sven Schnelle
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@linux.ibm.com>
commit b1aa01d31249bd116b18c7f512d3e46b4b4ad83b upstream.
With z16 a new flag 'search boot program' was introduced for
list-directed IPL (SCSI, NVMe, ECKD DASD). If this flag is set,
e.g. via selecting the "Automatic" value for the "Boot program
selector" control on an HMC load panel, it is copied to the reipl
structure from the initial ipl structure. When a user now sets a
boot prog via sysfs, the flag is not cleared and the bootloader
will again automatically select the boot program, ignoring user
configuration.
To avoid that, clear the SBP flag when a bootprog sysfs file is
written.
Cc: stable@vger.kernel.org
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/include/uapi/asm/ipl.h | 1
arch/s390/kernel/ipl.c | 48 +++++++++++++++++++++++++++++----------
2 files changed, 37 insertions(+), 12 deletions(-)
--- a/arch/s390/include/uapi/asm/ipl.h
+++ b/arch/s390/include/uapi/asm/ipl.h
@@ -15,6 +15,7 @@ struct ipl_pl_hdr {
#define IPL_PL_FLAG_IPLPS 0x80
#define IPL_PL_FLAG_SIPL 0x40
#define IPL_PL_FLAG_IPLSR 0x20
+#define IPL_PL_FLAG_SBP 0x10
/* IPL Parameter Block header */
struct ipl_pb_hdr {
--- a/arch/s390/kernel/ipl.c
+++ b/arch/s390/kernel/ipl.c
@@ -261,6 +261,24 @@ static struct kobj_attribute sys_##_pref
sys_##_prefix##_##_name##_show, \
sys_##_prefix##_##_name##_store)
+#define DEFINE_IPL_ATTR_BOOTPROG_RW(_prefix, _name, _fmt_out, _fmt_in, _hdr, _value) \
+ IPL_ATTR_SHOW_FN(_prefix, _name, _fmt_out, (unsigned long long) _value) \
+static ssize_t sys_##_prefix##_##_name##_store(struct kobject *kobj, \
+ struct kobj_attribute *attr, \
+ const char *buf, size_t len) \
+{ \
+ unsigned long long value; \
+ if (sscanf(buf, _fmt_in, &value) != 1) \
+ return -EINVAL; \
+ (_value) = value; \
+ (_hdr).flags &= ~IPL_PL_FLAG_SBP; \
+ return len; \
+} \
+static struct kobj_attribute sys_##_prefix##_##_name##_attr = \
+ __ATTR(_name, 0644, \
+ sys_##_prefix##_##_name##_show, \
+ sys_##_prefix##_##_name##_store)
+
#define DEFINE_IPL_ATTR_STR_RW(_prefix, _name, _fmt_out, _fmt_in, _value)\
IPL_ATTR_SHOW_FN(_prefix, _name, _fmt_out, _value) \
static ssize_t sys_##_prefix##_##_name##_store(struct kobject *kobj, \
@@ -817,12 +835,13 @@ DEFINE_IPL_ATTR_RW(reipl_fcp, wwpn, "0x%
reipl_block_fcp->fcp.wwpn);
DEFINE_IPL_ATTR_RW(reipl_fcp, lun, "0x%016llx\n", "%llx\n",
reipl_block_fcp->fcp.lun);
-DEFINE_IPL_ATTR_RW(reipl_fcp, bootprog, "%lld\n", "%lld\n",
- reipl_block_fcp->fcp.bootprog);
DEFINE_IPL_ATTR_RW(reipl_fcp, br_lba, "%lld\n", "%lld\n",
reipl_block_fcp->fcp.br_lba);
DEFINE_IPL_ATTR_RW(reipl_fcp, device, "0.0.%04llx\n", "0.0.%llx\n",
reipl_block_fcp->fcp.devno);
+DEFINE_IPL_ATTR_BOOTPROG_RW(reipl_fcp, bootprog, "%lld\n", "%lld\n",
+ reipl_block_fcp->hdr,
+ reipl_block_fcp->fcp.bootprog);
static void reipl_get_ascii_loadparm(char *loadparm,
struct ipl_parameter_block *ibp)
@@ -941,10 +960,11 @@ DEFINE_IPL_ATTR_RW(reipl_nvme, fid, "0x%
reipl_block_nvme->nvme.fid);
DEFINE_IPL_ATTR_RW(reipl_nvme, nsid, "0x%08llx\n", "%llx\n",
reipl_block_nvme->nvme.nsid);
-DEFINE_IPL_ATTR_RW(reipl_nvme, bootprog, "%lld\n", "%lld\n",
- reipl_block_nvme->nvme.bootprog);
DEFINE_IPL_ATTR_RW(reipl_nvme, br_lba, "%lld\n", "%lld\n",
reipl_block_nvme->nvme.br_lba);
+DEFINE_IPL_ATTR_BOOTPROG_RW(reipl_nvme, bootprog, "%lld\n", "%lld\n",
+ reipl_block_nvme->hdr,
+ reipl_block_nvme->nvme.bootprog);
static struct attribute *reipl_nvme_attrs[] = {
&sys_reipl_nvme_fid_attr.attr,
@@ -1037,8 +1057,9 @@ static struct bin_attribute *reipl_eckd_
};
DEFINE_IPL_CCW_ATTR_RW(reipl_eckd, device, reipl_block_eckd->eckd);
-DEFINE_IPL_ATTR_RW(reipl_eckd, bootprog, "%lld\n", "%lld\n",
- reipl_block_eckd->eckd.bootprog);
+DEFINE_IPL_ATTR_BOOTPROG_RW(reipl_eckd, bootprog, "%lld\n", "%lld\n",
+ reipl_block_eckd->hdr,
+ reipl_block_eckd->eckd.bootprog);
static struct attribute *reipl_eckd_attrs[] = {
&sys_reipl_eckd_device_attr.attr,
@@ -1566,12 +1587,13 @@ DEFINE_IPL_ATTR_RW(dump_fcp, wwpn, "0x%0
dump_block_fcp->fcp.wwpn);
DEFINE_IPL_ATTR_RW(dump_fcp, lun, "0x%016llx\n", "%llx\n",
dump_block_fcp->fcp.lun);
-DEFINE_IPL_ATTR_RW(dump_fcp, bootprog, "%lld\n", "%lld\n",
- dump_block_fcp->fcp.bootprog);
DEFINE_IPL_ATTR_RW(dump_fcp, br_lba, "%lld\n", "%lld\n",
dump_block_fcp->fcp.br_lba);
DEFINE_IPL_ATTR_RW(dump_fcp, device, "0.0.%04llx\n", "0.0.%llx\n",
dump_block_fcp->fcp.devno);
+DEFINE_IPL_ATTR_BOOTPROG_RW(dump_fcp, bootprog, "%lld\n", "%lld\n",
+ dump_block_fcp->hdr,
+ dump_block_fcp->fcp.bootprog);
DEFINE_IPL_ATTR_SCP_DATA_RW(dump_fcp, dump_block_fcp->hdr,
dump_block_fcp->fcp,
@@ -1603,10 +1625,11 @@ DEFINE_IPL_ATTR_RW(dump_nvme, fid, "0x%0
dump_block_nvme->nvme.fid);
DEFINE_IPL_ATTR_RW(dump_nvme, nsid, "0x%08llx\n", "%llx\n",
dump_block_nvme->nvme.nsid);
-DEFINE_IPL_ATTR_RW(dump_nvme, bootprog, "%lld\n", "%llx\n",
- dump_block_nvme->nvme.bootprog);
DEFINE_IPL_ATTR_RW(dump_nvme, br_lba, "%lld\n", "%llx\n",
dump_block_nvme->nvme.br_lba);
+DEFINE_IPL_ATTR_BOOTPROG_RW(dump_nvme, bootprog, "%lld\n", "%llx\n",
+ dump_block_nvme->hdr,
+ dump_block_nvme->nvme.bootprog);
DEFINE_IPL_ATTR_SCP_DATA_RW(dump_nvme, dump_block_nvme->hdr,
dump_block_nvme->nvme,
@@ -1634,8 +1657,9 @@ static struct attribute_group dump_nvme_
/* ECKD dump device attributes */
DEFINE_IPL_CCW_ATTR_RW(dump_eckd, device, dump_block_eckd->eckd);
-DEFINE_IPL_ATTR_RW(dump_eckd, bootprog, "%lld\n", "%llx\n",
- dump_block_eckd->eckd.bootprog);
+DEFINE_IPL_ATTR_BOOTPROG_RW(dump_eckd, bootprog, "%lld\n", "%llx\n",
+ dump_block_eckd->hdr,
+ dump_block_eckd->eckd.bootprog);
IPL_ATTR_BR_CHR_SHOW_FN(dump, dump_block_eckd->eckd);
IPL_ATTR_BR_CHR_STORE_FN(dump, dump_block_eckd->eckd);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 248/567] gpio: regmap: Fix memleak in error path in gpio_regmap_register()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 247/567] s390/ipl: Clear SBP flag when bootprog is set Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 249/567] io_uring/poll: correctly handle io_poll_add() return value on update Greg Kroah-Hartman
` (332 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, WangYuli, Wentao Guan,
Andy Shevchenko, Bartosz Golaszewski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Guan <guanwentao@uniontech.com>
commit 52721cfc78c76b09c66e092b52617006390ae96a upstream.
Call gpiochip_remove() to free the resources allocated by
gpiochip_add_data() in error path.
Fixes: 553b75d4bfe9 ("gpio: regmap: Allow to allocate regmap-irq device")
Fixes: ae495810cffe ("gpio: regmap: add the .fixed_direction_output configuration parameter")
CC: stable@vger.kernel.org
Co-developed-by: WangYuli <wangyl5933@chinaunicom.cn>
Signed-off-by: WangYuli <wangyl5933@chinaunicom.cn>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20251204101303.30353-1-guanwentao@uniontech.com
[Bartosz: reworked the commit message]
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-regmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpio/gpio-regmap.c
+++ b/drivers/gpio/gpio-regmap.c
@@ -310,7 +310,7 @@ struct gpio_regmap *gpio_regmap_register
config->regmap_irq_line, config->regmap_irq_flags,
0, config->regmap_irq_chip, &gpio->irq_chip_data);
if (ret)
- goto err_free_bitmap;
+ goto err_remove_gpiochip;
irq_domain = regmap_irq_get_domain(gpio->irq_chip_data);
} else
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 249/567] io_uring/poll: correctly handle io_poll_add() return value on update
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 248/567] gpio: regmap: Fix memleak in error path in gpio_regmap_register() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 250/567] io_uring: fix min_wait wakeups for SQPOLL Greg Kroah-Hartman
` (331 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+641eec6b7af1f62f2b99,
Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit 84230ad2d2afbf0c44c32967e525c0ad92e26b4e upstream.
When the core of io_uring was updated to handle completions
consistently and with fixed return codes, the POLL_REMOVE opcode
with updates got slightly broken. If a POLL_ADD is pending and
then POLL_REMOVE is used to update the events of that request, if that
update causes the POLL_ADD to now trigger, then that completion is lost
and a CQE is never posted.
Additionally, ensure that if an update does cause an existing POLL_ADD
to complete, that the completion value isn't always overwritten with
-ECANCELED. For that case, whatever io_poll_add() set the value to
should just be retained.
Cc: stable@vger.kernel.org
Fixes: 97b388d70b53 ("io_uring: handle completions in the core")
Reported-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
Tested-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/poll.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -1038,12 +1038,17 @@ found:
ret2 = io_poll_add(preq, issue_flags & ~IO_URING_F_UNLOCKED);
/* successfully updated, don't complete poll request */
- if (!ret2 || ret2 == -EIOCBQUEUED)
+ if (ret2 == IOU_ISSUE_SKIP_COMPLETE)
goto out;
+ /* request completed as part of the update, complete it */
+ else if (ret2 == IOU_OK)
+ goto complete;
}
- req_set_fail(preq);
io_req_set_res(preq, -ECANCELED, 0);
+complete:
+ if (preq->cqe.res < 0)
+ req_set_fail(preq);
preq->io_task_work.func = io_req_task_complete;
io_req_task_work_add(preq);
out:
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 250/567] io_uring: fix min_wait wakeups for SQPOLL
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 249/567] io_uring/poll: correctly handle io_poll_add() return value on update Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 251/567] Revert "drm/amd/display: Fix pbn to kbps Conversion" Greg Kroah-Hartman
` (330 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tip ten Brink, Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit e15cb2200b934e507273510ba6bc747d5cde24a3 upstream.
Using min_wait, two timeouts are given:
1) The min_wait timeout, within which up to 'wait_nr' events are
waited for.
2) The overall long timeout, which is entered if no events are generated
in the min_wait window.
If the min_wait has expired, any event being posted must wake the task.
For SQPOLL, that isn't the case, as it won't trigger the io_has_work()
condition, as it will have already processed the task_work that happened
when an event was posted. This causes any event to trigger post the
min_wait to not always cause the waiting application to wakeup, and
instead it will wait until the overall timeout has expired. This can be
shown in a test case that has a 1 second min_wait, with a 5 second
overall wait, even if an event triggers after 1.5 seconds:
axboe@m2max-kvm /d/iouring-mre (master)> zig-out/bin/iouring
info: MIN_TIMEOUT supported: true, features: 0x3ffff
info: Testing: min_wait=1000ms, timeout=5s, wait_nr=4
info: 1 cqes in 5000.2ms
where the expected result should be:
axboe@m2max-kvm /d/iouring-mre (master)> zig-out/bin/iouring
info: MIN_TIMEOUT supported: true, features: 0x3ffff
info: Testing: min_wait=1000ms, timeout=5s, wait_nr=4
info: 1 cqes in 1500.3ms
When the min_wait timeout triggers, reset the number of completions
needed to wake the task. This should ensure that any future events will
wake the task, regardless of how many events it originally wanted to
wait for.
Reported-by: Tip ten Brink <tip@tenbrinkmeijs.com>
Cc: stable@vger.kernel.org
Fixes: 1100c4a2656d ("io_uring: add support for batch wait timeout")
Link: https://github.com/axboe/liburing/issues/1477
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit e15cb2200b934e507273510ba6bc747d5cde24a3)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 3 +++
1 file changed, 3 insertions(+)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2421,6 +2421,9 @@ static enum hrtimer_restart io_cqring_mi
goto out_wake;
}
+ /* any generated CQE posted past this time should wake us up */
+ iowq->cq_tail = iowq->cq_min_tail;
+
iowq->t.function = io_cqring_timer_wakeup;
hrtimer_set_expires(timer, iowq->timeout);
return HRTIMER_RESTART;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 251/567] Revert "drm/amd/display: Fix pbn to kbps Conversion"
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 250/567] io_uring: fix min_wait wakeups for SQPOLL Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 252/567] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Greg Kroah-Hartman
` (329 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jerry Zuo, nat, Mario Limonciello,
Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 72e24456a54fe04710d89626cc5a88703e2f6202 upstream.
Deeply daisy chained DP/MST displays are no longer able to light
up. This reverts commit e0dec00f3d05 ("drm/amd/display: Fix pbn
to kbps Conversion")
Cc: Jerry Zuo <jerry.zuo@amd.com>
Reported-by: nat@nullable.se
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4756
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit e1c94109c76e8a77a21531bd53f6c63356c81158)
Cc: stable@vger.kernel.org # 6.17+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 59 +++++++-----
1 file changed, 36 insertions(+), 23 deletions(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
@@ -846,28 +846,26 @@ struct dsc_mst_fairness_params {
};
#if defined(CONFIG_DRM_AMD_DC_FP)
-static uint64_t kbps_to_pbn(int kbps, bool is_peak_pbn)
+static uint16_t get_fec_overhead_multiplier(struct dc_link *dc_link)
{
- uint64_t effective_kbps = (uint64_t)kbps;
+ u8 link_coding_cap;
+ uint16_t fec_overhead_multiplier_x1000 = PBN_FEC_OVERHEAD_MULTIPLIER_8B_10B;
- if (is_peak_pbn) { // add 0.6% (1006/1000) overhead into effective kbps
- effective_kbps *= 1006;
- effective_kbps = div_u64(effective_kbps, 1000);
- }
+ link_coding_cap = dc_link_dp_mst_decide_link_encoding_format(dc_link);
+ if (link_coding_cap == DP_128b_132b_ENCODING)
+ fec_overhead_multiplier_x1000 = PBN_FEC_OVERHEAD_MULTIPLIER_128B_132B;
- return (uint64_t) DIV64_U64_ROUND_UP(effective_kbps * 64, (54 * 8 * 1000));
+ return fec_overhead_multiplier_x1000;
}
-static uint32_t pbn_to_kbps(unsigned int pbn, bool with_margin)
+static int kbps_to_peak_pbn(int kbps, uint16_t fec_overhead_multiplier_x1000)
{
- uint64_t pbn_effective = (uint64_t)pbn;
-
- if (with_margin) // deduct 0.6% (994/1000) overhead from effective pbn
- pbn_effective *= (1000000 / PEAK_FACTOR_X1000);
- else
- pbn_effective *= 1000;
+ u64 peak_kbps = kbps;
- return DIV_U64_ROUND_UP(pbn_effective * 8 * 54, 64);
+ peak_kbps *= 1006;
+ peak_kbps *= fec_overhead_multiplier_x1000;
+ peak_kbps = div_u64(peak_kbps, 1000 * 1000);
+ return (int) DIV64_U64_ROUND_UP(peak_kbps * 64, (54 * 8 * 1000));
}
static void set_dsc_configs_from_fairness_vars(struct dsc_mst_fairness_params *params,
@@ -938,7 +936,7 @@ static int bpp_x16_from_pbn(struct dsc_m
dc_dsc_get_default_config_option(param.sink->ctx->dc, &dsc_options);
dsc_options.max_target_bpp_limit_override_x16 = drm_connector->display_info.max_dsc_bpp * 16;
- kbps = pbn_to_kbps(pbn, false);
+ kbps = div_u64((u64)pbn * 994 * 8 * 54, 64);
dc_dsc_compute_config(
param.sink->ctx->dc->res_pool->dscs[0],
¶m.sink->dsc_caps.dsc_dec_caps,
@@ -967,11 +965,12 @@ static int increase_dsc_bpp(struct drm_a
int link_timeslots_used;
int fair_pbn_alloc;
int ret = 0;
+ uint16_t fec_overhead_multiplier_x1000 = get_fec_overhead_multiplier(dc_link);
for (i = 0; i < count; i++) {
if (vars[i + k].dsc_enabled) {
initial_slack[i] =
- kbps_to_pbn(params[i].bw_range.max_kbps, false) - vars[i + k].pbn;
+ kbps_to_peak_pbn(params[i].bw_range.max_kbps, fec_overhead_multiplier_x1000) - vars[i + k].pbn;
bpp_increased[i] = false;
remaining_to_increase += 1;
} else {
@@ -1067,6 +1066,7 @@ static int try_disable_dsc(struct drm_at
int next_index;
int remaining_to_try = 0;
int ret;
+ uint16_t fec_overhead_multiplier_x1000 = get_fec_overhead_multiplier(dc_link);
int var_pbn;
for (i = 0; i < count; i++) {
@@ -1099,7 +1099,7 @@ static int try_disable_dsc(struct drm_at
DRM_DEBUG_DRIVER("MST_DSC index #%d, try no compression\n", next_index);
var_pbn = vars[next_index].pbn;
- vars[next_index].pbn = kbps_to_pbn(params[next_index].bw_range.stream_kbps, true);
+ vars[next_index].pbn = kbps_to_peak_pbn(params[next_index].bw_range.stream_kbps, fec_overhead_multiplier_x1000);
ret = drm_dp_atomic_find_time_slots(state,
params[next_index].port->mgr,
params[next_index].port,
@@ -1159,6 +1159,7 @@ static int compute_mst_dsc_configs_for_l
int count = 0;
int i, k, ret;
bool debugfs_overwrite = false;
+ uint16_t fec_overhead_multiplier_x1000 = get_fec_overhead_multiplier(dc_link);
struct drm_connector_state *new_conn_state;
memset(params, 0, sizeof(params));
@@ -1239,7 +1240,7 @@ static int compute_mst_dsc_configs_for_l
DRM_DEBUG_DRIVER("MST_DSC Try no compression\n");
for (i = 0; i < count; i++) {
vars[i + k].aconnector = params[i].aconnector;
- vars[i + k].pbn = kbps_to_pbn(params[i].bw_range.stream_kbps, false);
+ vars[i + k].pbn = kbps_to_peak_pbn(params[i].bw_range.stream_kbps, fec_overhead_multiplier_x1000);
vars[i + k].dsc_enabled = false;
vars[i + k].bpp_x16 = 0;
ret = drm_dp_atomic_find_time_slots(state, params[i].port->mgr, params[i].port,
@@ -1261,7 +1262,7 @@ static int compute_mst_dsc_configs_for_l
DRM_DEBUG_DRIVER("MST_DSC Try max compression\n");
for (i = 0; i < count; i++) {
if (params[i].compression_possible && params[i].clock_force_enable != DSC_CLK_FORCE_DISABLE) {
- vars[i + k].pbn = kbps_to_pbn(params[i].bw_range.min_kbps, false);
+ vars[i + k].pbn = kbps_to_peak_pbn(params[i].bw_range.min_kbps, fec_overhead_multiplier_x1000);
vars[i + k].dsc_enabled = true;
vars[i + k].bpp_x16 = params[i].bw_range.min_target_bpp_x16;
ret = drm_dp_atomic_find_time_slots(state, params[i].port->mgr,
@@ -1269,7 +1270,7 @@ static int compute_mst_dsc_configs_for_l
if (ret < 0)
return ret;
} else {
- vars[i + k].pbn = kbps_to_pbn(params[i].bw_range.stream_kbps, false);
+ vars[i + k].pbn = kbps_to_peak_pbn(params[i].bw_range.stream_kbps, fec_overhead_multiplier_x1000);
vars[i + k].dsc_enabled = false;
vars[i + k].bpp_x16 = 0;
ret = drm_dp_atomic_find_time_slots(state, params[i].port->mgr,
@@ -1721,6 +1722,18 @@ clean_exit:
return ret;
}
+static uint32_t kbps_from_pbn(unsigned int pbn)
+{
+ uint64_t kbps = (uint64_t)pbn;
+
+ kbps *= (1000000 / PEAK_FACTOR_X1000);
+ kbps *= 8;
+ kbps *= 54;
+ kbps /= 64;
+
+ return (uint32_t)kbps;
+}
+
static bool is_dsc_common_config_possible(struct dc_stream_state *stream,
struct dc_dsc_bw_range *bw_range)
{
@@ -1812,7 +1825,7 @@ enum dc_status dm_dp_mst_is_port_support
dc_link_get_highest_encoding_format(stream->link));
cur_link_settings = stream->link->verified_link_cap;
root_link_bw_in_kbps = dc_link_bandwidth_kbps(aconnector->dc_link, &cur_link_settings);
- virtual_channel_bw_in_kbps = pbn_to_kbps(aconnector->mst_output_port->full_pbn, true);
+ virtual_channel_bw_in_kbps = kbps_from_pbn(aconnector->mst_output_port->full_pbn);
/* pick the end to end bw bottleneck */
end_to_end_bw_in_kbps = min(root_link_bw_in_kbps, virtual_channel_bw_in_kbps);
@@ -1863,7 +1876,7 @@ enum dc_status dm_dp_mst_is_port_support
immediate_upstream_port = aconnector->mst_output_port->parent->port_parent;
if (immediate_upstream_port) {
- virtual_channel_bw_in_kbps = pbn_to_kbps(immediate_upstream_port->full_pbn, true);
+ virtual_channel_bw_in_kbps = kbps_from_pbn(immediate_upstream_port->full_pbn);
virtual_channel_bw_in_kbps = min(root_link_bw_in_kbps, virtual_channel_bw_in_kbps);
} else {
/* For topology LCT 1 case - only one mstb*/
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 252/567] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 251/567] Revert "drm/amd/display: Fix pbn to kbps Conversion" Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 253/567] drm/amd/display: Fix scratch registers offsets for DCN35 Greg Kroah-Hartman
` (328 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Harry Wentland, Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 3c41114dcdabb7b25f5bc33273c6db9c7af7f4a7 upstream.
This can get called from an atomic context.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4470
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8acdad9344cc7b4e7bc01f0dfea80093eb3768db)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_surface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/core/dc_surface.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_surface.c
@@ -93,7 +93,7 @@ void enable_surface_flip_reporting(struc
struct dc_plane_state *dc_create_plane_state(const struct dc *dc)
{
struct dc_plane_state *plane_state = kvzalloc(sizeof(*plane_state),
- GFP_KERNEL);
+ GFP_ATOMIC);
if (NULL == plane_state)
return NULL;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 253/567] drm/amd/display: Fix scratch registers offsets for DCN35
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 252/567] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 254/567] drm/amd/display: Fix scratch registers offsets for DCN351 Greg Kroah-Hartman
` (327 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Ray Wu, Chenyu Chen, Daniel Wheeler
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ray Wu <ray.wu@amd.com>
commit 69741d9ccc7222e6b6f138db67b012ecc0d72542 upstream.
[Why]
Different platforms use differnet NBIO header files,
causing display code to use differnt offset and read
wrong accelerated status.
[How]
- Unified NBIO offset header file across platform.
- Correct scratch registers offsets to proper locations.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4667
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Signed-off-by: Chenyu Chen <chen-yu.chen@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 49a63bc8eda0304ba307f5ba68305f936174f72d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c
@@ -203,12 +203,12 @@ enum dcn35_clk_src_array_id {
NBIO_BASE_INNER(seg)
#define NBIO_SR(reg_name)\
- REG_STRUCT.reg_name = NBIO_BASE(regBIF_BX2_ ## reg_name ## _BASE_IDX) + \
- regBIF_BX2_ ## reg_name
+ REG_STRUCT.reg_name = NBIO_BASE(regBIF_BX1_ ## reg_name ## _BASE_IDX) + \
+ regBIF_BX1_ ## reg_name
#define NBIO_SR_ARR(reg_name, id)\
- REG_STRUCT[id].reg_name = NBIO_BASE(regBIF_BX2_ ## reg_name ## _BASE_IDX) + \
- regBIF_BX2_ ## reg_name
+ REG_STRUCT[id].reg_name = NBIO_BASE(regBIF_BX1_ ## reg_name ## _BASE_IDX) + \
+ regBIF_BX1_ ## reg_name
#define bios_regs_init() \
( \
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 254/567] drm/amd/display: Fix scratch registers offsets for DCN351
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 253/567] drm/amd/display: Fix scratch registers offsets for DCN35 Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 255/567] drm/displayid: pass iter to drm_find_displayid_extension() Greg Kroah-Hartman
` (326 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Ray Wu, Chenyu Chen, Daniel Wheeler
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ray Wu <ray.wu@amd.com>
commit fd62aa13d3ee0f21c756a40a7c2f900f98992d6a upstream.
[Why]
Different platforms use different NBIO header files,
causing display code to use differnt offset and read
wrong accelerated status.
[How]
- Unified NBIO offset header file across platform.
- Correct scratch registers offsets to proper locations.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4667
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Ray Wu <ray.wu@amd.com>
Signed-off-by: Chenyu Chen <chen-yu.chen@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 576e032e909c8a6bb3d907b4ef5f6abe0f644199)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c
@@ -183,12 +183,12 @@ enum dcn351_clk_src_array_id {
NBIO_BASE_INNER(seg)
#define NBIO_SR(reg_name)\
- REG_STRUCT.reg_name = NBIO_BASE(regBIF_BX2_ ## reg_name ## _BASE_IDX) + \
- regBIF_BX2_ ## reg_name
+ REG_STRUCT.reg_name = NBIO_BASE(regBIF_BX1_ ## reg_name ## _BASE_IDX) + \
+ regBIF_BX1_ ## reg_name
#define NBIO_SR_ARR(reg_name, id)\
- REG_STRUCT[id].reg_name = NBIO_BASE(regBIF_BX2_ ## reg_name ## _BASE_IDX) + \
- regBIF_BX2_ ## reg_name
+ REG_STRUCT[id].reg_name = NBIO_BASE(regBIF_BX1_ ## reg_name ## _BASE_IDX) + \
+ regBIF_BX1_ ## reg_name
#define bios_regs_init() \
( \
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 255/567] drm/displayid: pass iter to drm_find_displayid_extension()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 254/567] drm/amd/display: Fix scratch registers offsets for DCN351 Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 256/567] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() Greg Kroah-Hartman
` (325 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tiago Martins Araújo,
Alex Deucher, Jani Nikula
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
commit 520f37c30992fd0c212a34fbe99c062b7a3dc52e upstream.
It's more convenient to pass iter than a handful of its members to
drm_find_displayid_extension(), especially as we're about to add another
member.
Rename the function find_next_displayid_extension() while at it, to be
more descriptive.
Cc: Tiago Martins Araújo <tiago.martins.araujo@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Tiago Martins Araújo <tiago.martins.araujo@gmail.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/3837ae7f095e77a082ac2422ce2fac96c4f9373d.1761681968.git.jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_displayid.c | 19 +++++++------------
1 file changed, 7 insertions(+), 12 deletions(-)
--- a/drivers/gpu/drm/drm_displayid.c
+++ b/drivers/gpu/drm/drm_displayid.c
@@ -48,26 +48,24 @@ validate_displayid(const u8 *displayid,
return base;
}
-static const u8 *drm_find_displayid_extension(const struct drm_edid *drm_edid,
- int *length, int *idx,
- int *ext_index)
+static const u8 *find_next_displayid_extension(struct displayid_iter *iter)
{
const struct displayid_header *base;
const u8 *displayid;
- displayid = drm_edid_find_extension(drm_edid, DISPLAYID_EXT, ext_index);
+ displayid = drm_edid_find_extension(iter->drm_edid, DISPLAYID_EXT, &iter->ext_index);
if (!displayid)
return NULL;
/* EDID extensions block checksum isn't for us */
- *length = EDID_LENGTH - 1;
- *idx = 1;
+ iter->length = EDID_LENGTH - 1;
+ iter->idx = 1;
- base = validate_displayid(displayid, *length, *idx);
+ base = validate_displayid(displayid, iter->length, iter->idx);
if (IS_ERR(base))
return NULL;
- *length = *idx + sizeof(*base) + base->bytes;
+ iter->length = iter->idx + sizeof(*base) + base->bytes;
return displayid;
}
@@ -126,10 +124,7 @@ __displayid_iter_next(struct displayid_i
/* The first section we encounter is the base section */
bool base_section = !iter->section;
- iter->section = drm_find_displayid_extension(iter->drm_edid,
- &iter->length,
- &iter->idx,
- &iter->ext_index);
+ iter->section = find_next_displayid_extension(iter);
if (!iter->section) {
iter->drm_edid = NULL;
return NULL;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 256/567] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 255/567] drm/displayid: pass iter to drm_find_displayid_extension() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 257/567] ALSA: wavefront: Use guard() for spin locks Greg Kroah-Hartman
` (324 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Arefev, Richard Fitzgerald,
Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
[ Upstream commit c34b04cc6178f33c08331568c7fd25c5b9a39f66 ]
The acpi_get_first_physical_node() function can return NULL, in which
case the get_device() function also returns NULL, but this value is
then dereferenced without checking,so add a check to prevent a crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems")
Cc: stable@vger.kernel.org
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20251202101338.11437-1-arefev@swemel.ru
[ sound/hda/codecs/side-codecs/ -> sound/pci/hda/ ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/cs35l41_hda.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/pci/hda/cs35l41_hda.c
+++ b/sound/pci/hda/cs35l41_hda.c
@@ -1865,6 +1865,8 @@ static int cs35l41_hda_read_acpi(struct
cs35l41->dacpi = adev;
physdev = get_device(acpi_get_first_physical_node(adev));
+ if (!physdev)
+ return -ENODEV;
sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev));
if (IS_ERR(sub))
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 257/567] ALSA: wavefront: Use guard() for spin locks
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 256/567] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 258/567] ALSA: wavefront: Clear substream pointers on close Greg Kroah-Hartman
` (323 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 4b97f8e614ba46a50bd181d40b5a1424411a211a ]
Clean up the code using guard() for spin locks.
Merely code refactoring, and no behavior change.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250829145300.5460-19-tiwai@suse.de
Stable-dep-of: e11c5c13ce0a ("ALSA: wavefront: Clear substream pointers on close")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/isa/wavefront/wavefront_midi.c | 127 +++++++++++++---------------------
sound/isa/wavefront/wavefront_synth.c | 18 ++--
2 files changed, 59 insertions(+), 86 deletions(-)
--- a/sound/isa/wavefront/wavefront_midi.c
+++ b/sound/isa/wavefront/wavefront_midi.c
@@ -113,7 +113,6 @@ static void snd_wavefront_midi_output_wr
{
snd_wavefront_midi_t *midi = &card->wavefront.midi;
snd_wavefront_mpu_id mpu;
- unsigned long flags;
unsigned char midi_byte;
int max = 256, mask = 1;
int timeout;
@@ -142,11 +141,9 @@ static void snd_wavefront_midi_output_wr
break;
}
- spin_lock_irqsave (&midi->virtual, flags);
- if ((midi->mode[midi->output_mpu] & MPU401_MODE_OUTPUT) == 0) {
- spin_unlock_irqrestore (&midi->virtual, flags);
+ guard(spinlock_irqsave)(&midi->virtual);
+ if ((midi->mode[midi->output_mpu] & MPU401_MODE_OUTPUT) == 0)
goto __second;
- }
if (output_ready (midi)) {
if (snd_rawmidi_transmit(midi->substream_output[midi->output_mpu], &midi_byte, 1) == 1) {
if (!midi->isvirtual ||
@@ -160,14 +157,11 @@ static void snd_wavefront_midi_output_wr
del_timer(&midi->timer);
}
midi->mode[midi->output_mpu] &= ~MPU401_MODE_OUTPUT_TRIGGER;
- spin_unlock_irqrestore (&midi->virtual, flags);
goto __second;
}
} else {
- spin_unlock_irqrestore (&midi->virtual, flags);
return;
}
- spin_unlock_irqrestore (&midi->virtual, flags);
}
__second:
@@ -185,15 +179,13 @@ static void snd_wavefront_midi_output_wr
break;
}
- spin_lock_irqsave (&midi->virtual, flags);
+ guard(spinlock_irqsave)(&midi->virtual);
if (!midi->isvirtual)
mask = 0;
mpu = midi->output_mpu ^ mask;
mask = 0; /* don't invert the value from now */
- if ((midi->mode[mpu] & MPU401_MODE_OUTPUT) == 0) {
- spin_unlock_irqrestore (&midi->virtual, flags);
+ if ((midi->mode[mpu] & MPU401_MODE_OUTPUT) == 0)
return;
- }
if (snd_rawmidi_transmit_empty(midi->substream_output[mpu]))
goto __timer;
if (output_ready (midi)) {
@@ -215,20 +207,16 @@ static void snd_wavefront_midi_output_wr
del_timer(&midi->timer);
}
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT_TRIGGER;
- spin_unlock_irqrestore (&midi->virtual, flags);
return;
}
} else {
- spin_unlock_irqrestore (&midi->virtual, flags);
return;
}
- spin_unlock_irqrestore (&midi->virtual, flags);
}
}
static int snd_wavefront_midi_input_open(struct snd_rawmidi_substream *substream)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -243,17 +231,15 @@ static int snd_wavefront_midi_input_open
if (!midi)
return -EIO;
- spin_lock_irqsave (&midi->open, flags);
+ guard(spinlock_irqsave)(&midi->open);
midi->mode[mpu] |= MPU401_MODE_INPUT;
midi->substream_input[mpu] = substream;
- spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static int snd_wavefront_midi_output_open(struct snd_rawmidi_substream *substream)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -268,17 +254,15 @@ static int snd_wavefront_midi_output_ope
if (!midi)
return -EIO;
- spin_lock_irqsave (&midi->open, flags);
+ guard(spinlock_irqsave)(&midi->open);
midi->mode[mpu] |= MPU401_MODE_OUTPUT;
midi->substream_output[mpu] = substream;
- spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static int snd_wavefront_midi_input_close(struct snd_rawmidi_substream *substream)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -293,16 +277,14 @@ static int snd_wavefront_midi_input_clos
if (!midi)
return -EIO;
- spin_lock_irqsave (&midi->open, flags);
+ guard(spinlock_irqsave)(&midi->open);
midi->mode[mpu] &= ~MPU401_MODE_INPUT;
- spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static int snd_wavefront_midi_output_close(struct snd_rawmidi_substream *substream)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -317,15 +299,13 @@ static int snd_wavefront_midi_output_clo
if (!midi)
return -EIO;
- spin_lock_irqsave (&midi->open, flags);
+ guard(spinlock_irqsave)(&midi->open);
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT;
- spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static void snd_wavefront_midi_input_trigger(struct snd_rawmidi_substream *substream, int up)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -341,30 +321,27 @@ static void snd_wavefront_midi_input_tri
if (!midi)
return;
- spin_lock_irqsave (&midi->virtual, flags);
+ guard(spinlock_irqsave)(&midi->virtual);
if (up) {
midi->mode[mpu] |= MPU401_MODE_INPUT_TRIGGER;
} else {
midi->mode[mpu] &= ~MPU401_MODE_INPUT_TRIGGER;
}
- spin_unlock_irqrestore (&midi->virtual, flags);
}
static void snd_wavefront_midi_output_timer(struct timer_list *t)
{
snd_wavefront_midi_t *midi = from_timer(midi, t, timer);
snd_wavefront_card_t *card = midi->timer_card;
- unsigned long flags;
- spin_lock_irqsave (&midi->virtual, flags);
- mod_timer(&midi->timer, 1 + jiffies);
- spin_unlock_irqrestore (&midi->virtual, flags);
+ scoped_guard(spinlock_irqsave, &midi->virtual) {
+ mod_timer(&midi->timer, 1 + jiffies);
+ }
snd_wavefront_midi_output_write(card);
}
static void snd_wavefront_midi_output_trigger(struct snd_rawmidi_substream *substream, int up)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -380,22 +357,22 @@ static void snd_wavefront_midi_output_tr
if (!midi)
return;
- spin_lock_irqsave (&midi->virtual, flags);
- if (up) {
- if ((midi->mode[mpu] & MPU401_MODE_OUTPUT_TRIGGER) == 0) {
- if (!midi->istimer) {
- timer_setup(&midi->timer,
- snd_wavefront_midi_output_timer,
- 0);
- mod_timer(&midi->timer, 1 + jiffies);
+ scoped_guard(spinlock_irqsave, &midi->virtual) {
+ if (up) {
+ if ((midi->mode[mpu] & MPU401_MODE_OUTPUT_TRIGGER) == 0) {
+ if (!midi->istimer) {
+ timer_setup(&midi->timer,
+ snd_wavefront_midi_output_timer,
+ 0);
+ mod_timer(&midi->timer, 1 + jiffies);
+ }
+ midi->istimer++;
+ midi->mode[mpu] |= MPU401_MODE_OUTPUT_TRIGGER;
}
- midi->istimer++;
- midi->mode[mpu] |= MPU401_MODE_OUTPUT_TRIGGER;
+ } else {
+ midi->mode[mpu] &= ~MPU401_MODE_OUTPUT_TRIGGER;
}
- } else {
- midi->mode[mpu] &= ~MPU401_MODE_OUTPUT_TRIGGER;
}
- spin_unlock_irqrestore (&midi->virtual, flags);
if (up)
snd_wavefront_midi_output_write((snd_wavefront_card_t *)substream->rmidi->card->private_data);
@@ -405,7 +382,6 @@ void
snd_wavefront_midi_interrupt (snd_wavefront_card_t *card)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
static struct snd_rawmidi_substream *substream = NULL;
static int mpu = external_mpu;
@@ -419,37 +395,37 @@ snd_wavefront_midi_interrupt (snd_wavefr
return;
}
- spin_lock_irqsave (&midi->virtual, flags);
- while (--max) {
+ scoped_guard(spinlock_irqsave, &midi->virtual) {
+ while (--max) {
- if (input_avail (midi)) {
- byte = read_data (midi);
+ if (input_avail(midi)) {
+ byte = read_data(midi);
- if (midi->isvirtual) {
- if (byte == WF_EXTERNAL_SWITCH) {
- substream = midi->substream_input[external_mpu];
- mpu = external_mpu;
- } else if (byte == WF_INTERNAL_SWITCH) {
- substream = midi->substream_output[internal_mpu];
+ if (midi->isvirtual) {
+ if (byte == WF_EXTERNAL_SWITCH) {
+ substream = midi->substream_input[external_mpu];
+ mpu = external_mpu;
+ } else if (byte == WF_INTERNAL_SWITCH) {
+ substream = midi->substream_output[internal_mpu];
+ mpu = internal_mpu;
+ } /* else just leave it as it is */
+ } else {
+ substream = midi->substream_input[internal_mpu];
mpu = internal_mpu;
- } /* else just leave it as it is */
- } else {
- substream = midi->substream_input[internal_mpu];
- mpu = internal_mpu;
- }
+ }
- if (substream == NULL) {
- continue;
- }
+ if (substream == NULL) {
+ continue;
+ }
- if (midi->mode[mpu] & MPU401_MODE_INPUT_TRIGGER) {
- snd_rawmidi_receive(substream, &byte, 1);
+ if (midi->mode[mpu] & MPU401_MODE_INPUT_TRIGGER) {
+ snd_rawmidi_receive(substream, &byte, 1);
+ }
+ } else {
+ break;
}
- } else {
- break;
}
- }
- spin_unlock_irqrestore (&midi->virtual, flags);
+ }
snd_wavefront_midi_output_write(card);
}
@@ -471,13 +447,10 @@ void
snd_wavefront_midi_disable_virtual (snd_wavefront_card_t *card)
{
- unsigned long flags;
-
- spin_lock_irqsave (&card->wavefront.midi.virtual, flags);
+ guard(spinlock_irqsave)(&card->wavefront.midi.virtual);
// snd_wavefront_midi_input_close (card->ics2115_external_rmidi);
// snd_wavefront_midi_output_close (card->ics2115_external_rmidi);
card->wavefront.midi.isvirtual = 0;
- spin_unlock_irqrestore (&card->wavefront.midi.virtual, flags);
}
int
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -1741,10 +1741,10 @@ snd_wavefront_internal_interrupt (snd_wa
return;
}
- spin_lock(&dev->irq_lock);
- dev->irq_ok = 1;
- dev->irq_cnt++;
- spin_unlock(&dev->irq_lock);
+ scoped_guard(spinlock, &dev->irq_lock) {
+ dev->irq_ok = 1;
+ dev->irq_cnt++;
+ }
wake_up(&dev->interrupt_sleeper);
}
@@ -1796,11 +1796,11 @@ wavefront_should_cause_interrupt (snd_wa
wait_queue_entry_t wait;
init_waitqueue_entry(&wait, current);
- spin_lock_irq(&dev->irq_lock);
- add_wait_queue(&dev->interrupt_sleeper, &wait);
- dev->irq_ok = 0;
- outb (val,port);
- spin_unlock_irq(&dev->irq_lock);
+ scoped_guard(spinlock_irq, &dev->irq_lock) {
+ add_wait_queue(&dev->interrupt_sleeper, &wait);
+ dev->irq_ok = 0;
+ outb(val, port);
+ }
while (!dev->irq_ok && time_before(jiffies, timeout)) {
schedule_timeout_uninterruptible(1);
barrier();
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 258/567] ALSA: wavefront: Clear substream pointers on close
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 257/567] ALSA: wavefront: Use guard() for spin locks Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 259/567] pinctrl: renesas: rzg2l: Fix ISEL restore on resume Greg Kroah-Hartman
` (322 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Takashi Iwai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit e11c5c13ce0ab2325d38fe63500be1dd88b81e38 ]
Clear substream pointers in close functions to avoid leaving dangling
pointers, helping to improve code safety and
prevents potential issues.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881DF762CAB45EE42F6D812AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/isa/wavefront/wavefront_midi.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/isa/wavefront/wavefront_midi.c
+++ b/sound/isa/wavefront/wavefront_midi.c
@@ -278,6 +278,7 @@ static int snd_wavefront_midi_input_clos
return -EIO;
guard(spinlock_irqsave)(&midi->open);
+ midi->substream_input[mpu] = NULL;
midi->mode[mpu] &= ~MPU401_MODE_INPUT;
return 0;
@@ -300,6 +301,7 @@ static int snd_wavefront_midi_output_clo
return -EIO;
guard(spinlock_irqsave)(&midi->open);
+ midi->substream_output[mpu] = NULL;
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT;
return 0;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 259/567] pinctrl: renesas: rzg2l: Fix ISEL restore on resume
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 258/567] ALSA: wavefront: Clear substream pointers on close Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 260/567] hsr: hold rcu and dev lock for hsr_get_port_ndev Greg Kroah-Hartman
` (321 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, claudiu.beznea, Claudiu Beznea,
Geert Uytterhoeven
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
commit 44bf66122c12ef6d3382a9b84b9be1802e5f0e95 upstream.
Commit 1d2da79708cb ("pinctrl: renesas: rzg2l: Avoid configuring ISEL in
gpio_irq_{en,dis}able*()") dropped the configuration of ISEL from
struct irq_chip::{irq_enable, irq_disable} APIs and moved it to
struct gpio_chip::irq::{child_to_parent_hwirq,
child_irq_domain_ops::free} APIs to fix spurious IRQs.
After commit 1d2da79708cb ("pinctrl: renesas: rzg2l: Avoid configuring ISEL
in gpio_irq_{en,dis}able*()"), ISEL was no longer configured properly on
resume. This is because the pinctrl resume code used
struct irq_chip::irq_enable (called from rzg2l_gpio_irq_restore()) to
reconfigure the wakeup interrupts. Some drivers (e.g. Ethernet) may also
reconfigure non-wakeup interrupts on resume through their own code,
eventually calling struct irq_chip::irq_enable.
Fix this by adding ISEL configuration back into the
struct irq_chip::irq_enable API and on resume path for wakeup interrupts.
As struct irq_chip::irq_enable needs now to lock to update the ISEL,
convert the struct rzg2l_pinctrl::lock to a raw spinlock and replace the
locking API calls with the raw variants. Otherwise the lockdep reports
invalid wait context when probing the adv7511 module on RZ/G2L:
[ BUG: Invalid wait context ]
6.17.0-rc5-next-20250911-00001-gfcfac22533c9 #18 Not tainted
-----------------------------
(udev-worker)/165 is trying to lock:
ffff00000e3664a8 (&pctrl->lock){....}-{3:3}, at: rzg2l_gpio_irq_enable+0x38/0x78
other info that might help us debug this:
context-{5:5}
3 locks held by (udev-worker)/165:
#0: ffff00000e890108 (&dev->mutex){....}-{4:4}, at: __driver_attach+0x90/0x1ac
#1: ffff000011c07240 (request_class){+.+.}-{4:4}, at: __setup_irq+0xb4/0x6dc
#2: ffff000011c070c8 (lock_class){....}-{2:2}, at: __setup_irq+0xdc/0x6dc
stack backtrace:
CPU: 1 UID: 0 PID: 165 Comm: (udev-worker) Not tainted 6.17.0-rc5-next-20250911-00001-gfcfac22533c9 #18 PREEMPT
Hardware name: Renesas SMARC EVK based on r9a07g044l2 (DT)
Call trace:
show_stack+0x18/0x24 (C)
dump_stack_lvl+0x90/0xd0
dump_stack+0x18/0x24
__lock_acquire+0xa14/0x20b4
lock_acquire+0x1c8/0x354
_raw_spin_lock_irqsave+0x60/0x88
rzg2l_gpio_irq_enable+0x38/0x78
irq_enable+0x40/0x8c
__irq_startup+0x78/0xa4
irq_startup+0x108/0x16c
__setup_irq+0x3c0/0x6dc
request_threaded_irq+0xec/0x1ac
devm_request_threaded_irq+0x80/0x134
adv7511_probe+0x928/0x9a4 [adv7511]
i2c_device_probe+0x22c/0x3dc
really_probe+0xbc/0x2a0
__driver_probe_device+0x78/0x12c
driver_probe_device+0x40/0x164
__driver_attach+0x9c/0x1ac
bus_for_each_dev+0x74/0xd0
driver_attach+0x24/0x30
bus_add_driver+0xe4/0x208
driver_register+0x60/0x128
i2c_register_driver+0x48/0xd0
adv7511_init+0x5c/0x1000 [adv7511]
do_one_initcall+0x64/0x30c
do_init_module+0x58/0x23c
load_module+0x1bcc/0x1d40
init_module_from_file+0x88/0xc4
idempotent_init_module+0x188/0x27c
__arm64_sys_finit_module+0x68/0xac
invoke_syscall+0x48/0x110
el0_svc_common.constprop.0+0xc0/0xe0
do_el0_svc+0x1c/0x28
el0_svc+0x4c/0x160
el0t_64_sync_handler+0xa0/0xe4
el0t_64_sync+0x198/0x19c
Having ISEL configuration back into the struct irq_chip::irq_enable API
should be safe with respect to spurious IRQs, as in the probe case IRQs
are enabled anyway in struct gpio_chip::irq::child_to_parent_hwirq. No
spurious IRQs were detected on suspend/resume, boot, ethernet link
insert/remove tests (executed on RZ/G3S). Boot, ethernet link
insert/remove tests were also executed successfully on RZ/G2L.
Fixes: 1d2da79708cb ("pinctrl: renesas: rzg2l: Avoid configuring ISEL in gpio_irq_{en,dis}able*(")
Cc: stable@vger.kernel.org
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20250912095308.3603704-1-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
[claudiu.beznea:
- in rzg2l_write_oen() kept v6.12 code and use
raw_spin_lock_irqsave()/raw_spin_unlock_irqrestore()
- in rzg2l_gpio_set() kept v6.12 code and use raw_spin_unlock_irqrestore()
- in rzg2l_pinctrl_resume_noirq() kept v6.12 code
- manually adjust rzg3s_oen_write(), rzv2h_oen_write() to use
raw_spin_lock_irqsave()/raw_spin_unlock_irqrestore()]
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/renesas/pinctrl-rzg2l.c | 75 +++++++++++++++++++-------------
1 file changed, 46 insertions(+), 29 deletions(-)
--- a/drivers/pinctrl/renesas/pinctrl-rzg2l.c
+++ b/drivers/pinctrl/renesas/pinctrl-rzg2l.c
@@ -349,7 +349,7 @@ struct rzg2l_pinctrl {
spinlock_t bitmap_lock; /* protect tint_slot bitmap */
unsigned int hwirq[RZG2L_TINT_MAX_INTERRUPT];
- spinlock_t lock; /* lock read/write registers */
+ raw_spinlock_t lock; /* lock read/write registers */
struct mutex mutex; /* serialize adding groups and functions */
struct rzg2l_pinctrl_pin_settings *settings;
@@ -454,7 +454,7 @@ static void rzg2l_pinctrl_set_pfc_mode(s
unsigned long flags;
u32 reg;
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
/* Set pin to 'Non-use (Hi-Z input protection)' */
reg = readw(pctrl->base + PM(off));
@@ -478,7 +478,7 @@ static void rzg2l_pinctrl_set_pfc_mode(s
pctrl->data->pwpr_pfc_lock_unlock(pctrl, true);
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
};
static int rzg2l_pinctrl_set_mux(struct pinctrl_dev *pctldev,
@@ -805,10 +805,10 @@ static void rzg2l_rmw_pin_config(struct
addr += 4;
}
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
reg = readl(addr) & ~(mask << (bit * 8));
writel(reg | (val << (bit * 8)), addr);
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
}
static int rzg2l_caps_to_pwr_reg(const struct rzg2l_register_offsets *regs, u32 caps)
@@ -1036,14 +1036,14 @@ static int rzg2l_write_oen(struct rzg2l_
if (bit < 0)
return bit;
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
val = readb(pctrl->base + ETH_MODE);
if (oen)
val &= ~BIT(bit);
else
val |= BIT(bit);
writeb(val, pctrl->base + ETH_MODE);
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
return 0;
}
@@ -1089,14 +1089,14 @@ static int rzg3s_oen_write(struct rzg2l_
if (bit < 0)
return bit;
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
val = readb(pctrl->base + ETH_MODE);
if (oen)
val &= ~BIT(bit);
else
val |= BIT(bit);
writeb(val, pctrl->base + ETH_MODE);
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
return 0;
}
@@ -1201,7 +1201,7 @@ static int rzv2h_oen_write(struct rzg2l_
u8 pwpr;
bit = rzv2h_pin_to_oen_bit(pctrl, _pin);
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
val = readb(pctrl->base + PFC_OEN);
if (oen)
val &= ~BIT(bit);
@@ -1212,7 +1212,7 @@ static int rzv2h_oen_write(struct rzg2l_
writeb(pwpr | PWPR_REGWE_B, pctrl->base + regs->pwpr);
writeb(val, pctrl->base + PFC_OEN);
writeb(pwpr & ~PWPR_REGWE_B, pctrl->base + regs->pwpr);
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
return 0;
}
@@ -1613,14 +1613,14 @@ static int rzg2l_gpio_request(struct gpi
if (ret)
return ret;
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
/* Select GPIO mode in PMC Register */
reg8 = readb(pctrl->base + PMC(off));
reg8 &= ~BIT(bit);
pctrl->data->pmc_writeb(pctrl, reg8, PMC(off));
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
return 0;
}
@@ -1635,7 +1635,7 @@ static void rzg2l_gpio_set_direction(str
unsigned long flags;
u16 reg16;
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
reg16 = readw(pctrl->base + PM(off));
reg16 &= ~(PM_MASK << (bit * 2));
@@ -1643,7 +1643,7 @@ static void rzg2l_gpio_set_direction(str
reg16 |= (output ? PM_OUTPUT : PM_INPUT) << (bit * 2);
writew(reg16, pctrl->base + PM(off));
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
}
static int rzg2l_gpio_get_direction(struct gpio_chip *chip, unsigned int offset)
@@ -1687,7 +1687,7 @@ static void rzg2l_gpio_set(struct gpio_c
unsigned long flags;
u8 reg8;
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
reg8 = readb(pctrl->base + P(off));
@@ -1696,7 +1696,7 @@ static void rzg2l_gpio_set(struct gpio_c
else
writeb(reg8 & ~BIT(bit), pctrl->base + P(off));
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
}
static int rzg2l_gpio_direction_output(struct gpio_chip *chip,
@@ -2236,14 +2236,13 @@ static int rzg2l_gpio_get_gpioint(unsign
return gpioint;
}
-static void rzg2l_gpio_irq_endisable(struct rzg2l_pinctrl *pctrl,
- unsigned int hwirq, bool enable)
+static void __rzg2l_gpio_irq_endisable(struct rzg2l_pinctrl *pctrl,
+ unsigned int hwirq, bool enable)
{
const struct pinctrl_pin_desc *pin_desc = &pctrl->desc.pins[hwirq];
u64 *pin_data = pin_desc->drv_data;
u32 off = RZG2L_PIN_CFG_TO_PORT_OFFSET(*pin_data);
u8 bit = RZG2L_PIN_ID_TO_PIN(hwirq);
- unsigned long flags;
void __iomem *addr;
addr = pctrl->base + ISEL(off);
@@ -2252,12 +2251,20 @@ static void rzg2l_gpio_irq_endisable(str
addr += 4;
}
- spin_lock_irqsave(&pctrl->lock, flags);
if (enable)
writel(readl(addr) | BIT(bit * 8), addr);
else
writel(readl(addr) & ~BIT(bit * 8), addr);
- spin_unlock_irqrestore(&pctrl->lock, flags);
+}
+
+static void rzg2l_gpio_irq_endisable(struct rzg2l_pinctrl *pctrl,
+ unsigned int hwirq, bool enable)
+{
+ unsigned long flags;
+
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
+ __rzg2l_gpio_irq_endisable(pctrl, hwirq, enable);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
}
static void rzg2l_gpio_irq_disable(struct irq_data *d)
@@ -2269,15 +2276,25 @@ static void rzg2l_gpio_irq_disable(struc
gpiochip_disable_irq(gc, hwirq);
}
-static void rzg2l_gpio_irq_enable(struct irq_data *d)
+static void __rzg2l_gpio_irq_enable(struct irq_data *d, bool lock)
{
struct gpio_chip *gc = irq_data_get_irq_chip_data(d);
+ struct rzg2l_pinctrl *pctrl = container_of(gc, struct rzg2l_pinctrl, gpio_chip);
unsigned int hwirq = irqd_to_hwirq(d);
gpiochip_enable_irq(gc, hwirq);
+ if (lock)
+ rzg2l_gpio_irq_endisable(pctrl, hwirq, true);
+ else
+ __rzg2l_gpio_irq_endisable(pctrl, hwirq, true);
irq_chip_enable_parent(d);
}
+static void rzg2l_gpio_irq_enable(struct irq_data *d)
+{
+ __rzg2l_gpio_irq_enable(d, true);
+}
+
static int rzg2l_gpio_irq_set_type(struct irq_data *d, unsigned int type)
{
return irq_chip_set_type_parent(d, type);
@@ -2438,11 +2455,11 @@ static void rzg2l_gpio_irq_restore(struc
* This has to be atomically executed to protect against a concurrent
* interrupt.
*/
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
ret = rzg2l_gpio_irq_set_type(data, irqd_get_trigger_type(data));
if (!ret && !irqd_irq_disabled(data))
- rzg2l_gpio_irq_enable(data);
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ __rzg2l_gpio_irq_enable(data, false);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
if (ret)
dev_crit(pctrl->dev, "Failed to set IRQ type for virq=%u\n", virq);
@@ -2765,7 +2782,7 @@ static int rzg2l_pinctrl_probe(struct pl
"failed to enable GPIO clk\n");
}
- spin_lock_init(&pctrl->lock);
+ raw_spin_lock_init(&pctrl->lock);
spin_lock_init(&pctrl->bitmap_lock);
mutex_init(&pctrl->mutex);
atomic_set(&pctrl->wakeup_path, 0);
@@ -2908,7 +2925,7 @@ static void rzg2l_pinctrl_pm_setup_pfc(s
u32 nports = pctrl->data->n_port_pins / RZG2L_PINS_PER_PORT;
unsigned long flags;
- spin_lock_irqsave(&pctrl->lock, flags);
+ raw_spin_lock_irqsave(&pctrl->lock, flags);
pctrl->data->pwpr_pfc_lock_unlock(pctrl, false);
/* Restore port registers. */
@@ -2953,7 +2970,7 @@ static void rzg2l_pinctrl_pm_setup_pfc(s
}
pctrl->data->pwpr_pfc_lock_unlock(pctrl, true);
- spin_unlock_irqrestore(&pctrl->lock, flags);
+ raw_spin_unlock_irqrestore(&pctrl->lock, flags);
}
static int rzg2l_pinctrl_suspend_noirq(struct device *dev)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 260/567] hsr: hold rcu and dev lock for hsr_get_port_ndev
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 259/567] pinctrl: renesas: rzg2l: Fix ISEL restore on resume Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 261/567] sched/rt: Fix race in push_rt_task Greg Kroah-Hartman
` (320 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Hangbin Liu,
Simon Horman, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 847748fc66d08a89135a74e29362a66ba4e3ab15 ]
hsr_get_port_ndev calls hsr_for_each_port, which need to hold rcu lock.
On the other hand, before return the port device, we need to hold the
device reference to avoid UaF in the caller function.
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Fixes: 9c10dd8eed74 ("net: hsr: Create and export hsr_get_port_ndev()")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250905091533.377443-4-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Drop multicast filtering changes ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/hsr/hsr_device.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -682,9 +682,14 @@ struct net_device *hsr_get_port_ndev(str
struct hsr_priv *hsr = netdev_priv(ndev);
struct hsr_port *port;
+ rcu_read_lock();
hsr_for_each_port(hsr, port)
- if (port->type == pt)
+ if (port->type == pt) {
+ dev_hold(port->dev);
+ rcu_read_unlock();
return port->dev;
+ }
+ rcu_read_unlock();
return NULL;
}
EXPORT_SYMBOL(hsr_get_port_ndev);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 261/567] sched/rt: Fix race in push_rt_task
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 260/567] hsr: hold rcu and dev lock for hsr_get_port_ndev Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 262/567] KVM: arm64: Initialize HCR_EL2.E2H early Greg Kroah-Hartman
` (319 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jon Kohler, Gauri Patwardhan,
Rahul Chunduru, Harshit Agarwal, Peter Zijlstra (Intel),
Steven Rostedt (Google), Phil Auld, Will Ton, Rajani Kantha
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harshit Agarwal <harshit@nutanix.com>
commit 690e47d1403e90b7f2366f03b52ed3304194c793 upstream.
Overview
========
When a CPU chooses to call push_rt_task and picks a task to push to
another CPU's runqueue then it will call find_lock_lowest_rq method
which would take a double lock on both CPUs' runqueues. If one of the
locks aren't readily available, it may lead to dropping the current
runqueue lock and reacquiring both the locks at once. During this window
it is possible that the task is already migrated and is running on some
other CPU. These cases are already handled. However, if the task is
migrated and has already been executed and another CPU is now trying to
wake it up (ttwu) such that it is queued again on the runqeue
(on_rq is 1) and also if the task was run by the same CPU, then the
current checks will pass even though the task was migrated out and is no
longer in the pushable tasks list.
Crashes
=======
This bug resulted in quite a few flavors of crashes triggering kernel
panics with various crash signatures such as assert failures, page
faults, null pointer dereferences, and queue corruption errors all
coming from scheduler itself.
Some of the crashes:
-> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? pick_next_task_rt+0x6e/0x1d0
? do_error_trap+0x64/0xa0
? pick_next_task_rt+0x6e/0x1d0
? exc_invalid_op+0x4c/0x60
? pick_next_task_rt+0x6e/0x1d0
? asm_exc_invalid_op+0x12/0x20
? pick_next_task_rt+0x6e/0x1d0
__schedule+0x5cb/0x790
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: kernel NULL pointer dereference, address: 00000000000000c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? __warn+0x8a/0xe0
? exc_page_fault+0x3d6/0x520
? asm_exc_page_fault+0x1e/0x30
? pick_next_task_rt+0xb5/0x1d0
? pick_next_task_rt+0x8c/0x1d0
__schedule+0x583/0x7e0
? update_ts_time_stats+0x55/0x70
schedule_idle+0x1e/0x40
do_idle+0x15e/0x200
cpu_startup_entry+0x19/0x20
start_secondary+0x117/0x160
secondary_startup_64_no_verify+0xb0/0xbb
-> BUG: unable to handle page fault for address: ffff9464daea5900
kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p))
-> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running)
Call Trace:
? __die_body+0x1a/0x60
? die+0x2a/0x50
? do_trap+0x85/0x100
? dequeue_top_rt_rq+0xa2/0xb0
? do_error_trap+0x64/0xa0
? dequeue_top_rt_rq+0xa2/0xb0
? exc_invalid_op+0x4c/0x60
? dequeue_top_rt_rq+0xa2/0xb0
? asm_exc_invalid_op+0x12/0x20
? dequeue_top_rt_rq+0xa2/0xb0
dequeue_rt_entity+0x1f/0x70
dequeue_task_rt+0x2d/0x70
__schedule+0x1a8/0x7e0
? blk_finish_plug+0x25/0x40
schedule+0x3c/0xb0
futex_wait_queue_me+0xb6/0x120
futex_wait+0xd9/0x240
do_futex+0x344/0xa90
? get_mm_exe_file+0x30/0x60
? audit_exe_compare+0x58/0x70
? audit_filter_rules.constprop.26+0x65e/0x1220
__x64_sys_futex+0x148/0x1f0
do_syscall_64+0x30/0x80
entry_SYSCALL_64_after_hwframe+0x62/0xc7
-> BUG: unable to handle page fault for address: ffff8cf3608bc2c0
Call Trace:
? __die_body+0x1a/0x60
? no_context+0x183/0x350
? spurious_kernel_fault+0x171/0x1c0
? exc_page_fault+0x3b6/0x520
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? asm_exc_page_fault+0x1e/0x30
? _cond_resched+0x15/0x30
? futex_wait_queue_me+0xc8/0x120
? futex_wait+0xd9/0x240
? try_to_wake_up+0x1b8/0x490
? futex_wake+0x78/0x160
? do_futex+0xcd/0xa90
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? plist_del+0x6a/0xd0
? plist_check_list+0x15/0x40
? plist_check_list+0x2e/0x40
? dequeue_pushable_task+0x20/0x70
? __schedule+0x382/0x7e0
? asm_sysvec_reschedule_ipi+0xa/0x20
? schedule+0x3c/0xb0
? exit_to_user_mode_prepare+0x9e/0x150
? irqentry_exit_to_user_mode+0x5/0x30
? asm_sysvec_reschedule_ipi+0x12/0x20
Above are some of the common examples of the crashes that were observed
due to this issue.
Details
=======
Let's look at the following scenario to understand this race.
1) CPU A enters push_rt_task
a) CPU A has chosen next_task = task p.
b) CPU A calls find_lock_lowest_rq(Task p, CPU Z’s rq).
c) CPU A identifies CPU X as a destination CPU (X < Z).
d) CPU A enters double_lock_balance(CPU Z’s rq, CPU X’s rq).
e) Since X is lower than Z, CPU A unlocks CPU Z’s rq. Someone else has
locked CPU X’s rq, and thus, CPU A must wait.
2) At CPU Z
a) Previous task has completed execution and thus, CPU Z enters
schedule, locks its own rq after CPU A releases it.
b) CPU Z dequeues previous task and begins executing task p.
c) CPU Z unlocks its rq.
d) Task p yields the CPU (ex. by doing IO or waiting to acquire a
lock) which triggers the schedule function on CPU Z.
e) CPU Z enters schedule again, locks its own rq, and dequeues task p.
f) As part of dequeue, it sets p.on_rq = 0 and unlocks its rq.
3) At CPU B
a) CPU B enters try_to_wake_up with input task p.
b) Since CPU Z dequeued task p, p.on_rq = 0, and CPU B updates
B.state = WAKING.
c) CPU B via select_task_rq determines CPU Y as the target CPU.
4) The race
a) CPU A acquires CPU X’s lock and relocks CPU Z.
b) CPU A reads task p.cpu = Z and incorrectly concludes task p is
still on CPU Z.
c) CPU A failed to notice task p had been dequeued from CPU Z while
CPU A was waiting for locks in double_lock_balance. If CPU A knew
that task p had been dequeued, it would return NULL forcing
push_rt_task to give up the task p's migration.
d) CPU B updates task p.cpu = Y and calls ttwu_queue.
e) CPU B locks Ys rq. CPU B enqueues task p onto Y and sets task
p.on_rq = 1.
f) CPU B unlocks CPU Y, triggering memory synchronization.
g) CPU A reads task p.on_rq = 1, cementing its assumption that task p
has not migrated.
h) CPU A decides to migrate p to CPU X.
This leads to A dequeuing p from Y's queue and various crashes down the
line.
Solution
========
The solution here is fairly simple. After obtaining the lock (at 4a),
the check is enhanced to make sure that the task is still at the head of
the pushable tasks list. If not, then it is anyway not suitable for
being pushed out.
Testing
=======
The fix is tested on a cluster of 3 nodes, where the panics due to this
are hit every couple of days. A fix similar to this was deployed on such
cluster and was stable for more than 30 days.
Co-developed-by: Jon Kohler <jon@nutanix.com>
Signed-off-by: Jon Kohler <jon@nutanix.com>
Co-developed-by: Gauri Patwardhan <gauri.patwardhan@nutanix.com>
Signed-off-by: Gauri Patwardhan <gauri.patwardhan@nutanix.com>
Co-developed-by: Rahul Chunduru <rahul.chunduru@nutanix.com>
Signed-off-by: Rahul Chunduru <rahul.chunduru@nutanix.com>
Signed-off-by: Harshit Agarwal <harshit@nutanix.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: "Steven Rostedt (Google)" <rostedt@goodmis.org>
Reviewed-by: Phil Auld <pauld@redhat.com>
Tested-by: Will Ton <william.ton@nutanix.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20250225180553.167995-1-harshit@nutanix.com
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/rt.c | 52 +++++++++++++++++++++++++---------------------------
1 file changed, 25 insertions(+), 27 deletions(-)
--- a/kernel/sched/rt.c
+++ b/kernel/sched/rt.c
@@ -1895,6 +1895,26 @@ static int find_lowest_rq(struct task_st
return -1;
}
+static struct task_struct *pick_next_pushable_task(struct rq *rq)
+{
+ struct task_struct *p;
+
+ if (!has_pushable_tasks(rq))
+ return NULL;
+
+ p = plist_first_entry(&rq->rt.pushable_tasks,
+ struct task_struct, pushable_tasks);
+
+ BUG_ON(rq->cpu != task_cpu(p));
+ BUG_ON(task_current(rq, p));
+ BUG_ON(p->nr_cpus_allowed <= 1);
+
+ BUG_ON(!task_on_rq_queued(p));
+ BUG_ON(!rt_task(p));
+
+ return p;
+}
+
/* Will lock the rq it finds */
static struct rq *find_lock_lowest_rq(struct task_struct *task, struct rq *rq)
{
@@ -1925,18 +1945,16 @@ static struct rq *find_lock_lowest_rq(st
/*
* We had to unlock the run queue. In
* the mean time, task could have
- * migrated already or had its affinity changed.
- * Also make sure that it wasn't scheduled on its rq.
+ * migrated already or had its affinity changed,
+ * therefore check if the task is still at the
+ * head of the pushable tasks list.
* It is possible the task was scheduled, set
* "migrate_disabled" and then got preempted, so we must
* check the task migration disable flag here too.
*/
- if (unlikely(task_rq(task) != rq ||
+ if (unlikely(is_migration_disabled(task) ||
!cpumask_test_cpu(lowest_rq->cpu, &task->cpus_mask) ||
- task_on_cpu(rq, task) ||
- !rt_task(task) ||
- is_migration_disabled(task) ||
- !task_on_rq_queued(task))) {
+ task != pick_next_pushable_task(rq))) {
double_unlock_balance(rq, lowest_rq);
lowest_rq = NULL;
@@ -1956,26 +1974,6 @@ static struct rq *find_lock_lowest_rq(st
return lowest_rq;
}
-static struct task_struct *pick_next_pushable_task(struct rq *rq)
-{
- struct task_struct *p;
-
- if (!has_pushable_tasks(rq))
- return NULL;
-
- p = plist_first_entry(&rq->rt.pushable_tasks,
- struct task_struct, pushable_tasks);
-
- BUG_ON(rq->cpu != task_cpu(p));
- BUG_ON(task_current(rq, p));
- BUG_ON(p->nr_cpus_allowed <= 1);
-
- BUG_ON(!task_on_rq_queued(p));
- BUG_ON(!rt_task(p));
-
- return p;
-}
-
/*
* If the current CPU has more than one RT task, see if the non
* running task can migrate over to a CPU that is running a task
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 262/567] KVM: arm64: Initialize HCR_EL2.E2H early
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 261/567] sched/rt: Fix race in push_rt_task Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 263/567] KVM: arm64: Initialize SCTLR_EL1 in __kvm_hyp_init_cpu() Greg Kroah-Hartman
` (318 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Ahmed Genidi,
Ben Horgan, Catalin Marinas, Leo Yan, Marc Zyngier, Oliver Upton,
Will Deacon, Wei-Lin Chang
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 7a68b55ff39b0a1638acb1694c185d49f6077a0d ]
On CPUs without FEAT_E2H0, HCR_EL2.E2H is RES1, but may reset to an
UNKNOWN value out of reset and consequently may not read as 1 unless it
has been explicitly initialized.
We handled this for the head.S boot code in commits:
3944382fa6f22b54 ("arm64: Treat HCR_EL2.E2H as RES1 when ID_AA64MMFR4_EL1.E2H0 is negative")
b3320142f3db9b3f ("arm64: Fix early handling of FEAT_E2H0 not being implemented")
Unfortunately, we forgot to apply a similar fix to the KVM PSCI entry
points used when relaying CPU_ON, CPU_SUSPEND, and SYSTEM SUSPEND. When
KVM is entered via these entry points, the value of HCR_EL2.E2H may be
consumed before it has been initialized (e.g. by the 'init_el2_state'
macro).
Initialize HCR_EL2.E2H early in these paths such that it can be consumed
reliably. The existing code in head.S is factored out into a new
'init_el2_hcr' macro, and this is used in the __kvm_hyp_init_cpu()
function common to all the relevant PSCI entry points.
For clarity, I've tweaked the assembly used to check whether
ID_AA64MMFR4_EL1.E2H0 is negative. The bitfield is extracted as a signed
value, and this is checked with a signed-greater-or-equal (GE) comparison.
As the hyp code will reconfigure HCR_EL2 later in ___kvm_hyp_init(), all
bits other than E2H are initialized to zero in __kvm_hyp_init_cpu().
Fixes: 3944382fa6f22b54 ("arm64: Treat HCR_EL2.E2H as RES1 when ID_AA64MMFR4_EL1.E2H0 is negative")
Fixes: b3320142f3db9b3f ("arm64: Fix early handling of FEAT_E2H0 not being implemented")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Ahmed Genidi <ahmed.genidi@arm.com>
Cc: Ben Horgan <ben.horgan@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Leo Yan <leo.yan@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20250227180526.1204723-2-mark.rutland@arm.com
[maz: fixed LT->GE thinko]
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Wei-Lin Chang <weilin.chang@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/el2_setup.h | 26 ++++++++++++++++++++++++++
arch/arm64/kernel/head.S | 19 +------------------
arch/arm64/kvm/hyp/nvhe/hyp-init.S | 8 +++++++-
3 files changed, 34 insertions(+), 19 deletions(-)
--- a/arch/arm64/include/asm/el2_setup.h
+++ b/arch/arm64/include/asm/el2_setup.h
@@ -16,6 +16,32 @@
#include <asm/sysreg.h>
#include <linux/irqchip/arm-gic-v3.h>
+.macro init_el2_hcr val
+ mov_q x0, \val
+
+ /*
+ * Compliant CPUs advertise their VHE-onlyness with
+ * ID_AA64MMFR4_EL1.E2H0 < 0. On such CPUs HCR_EL2.E2H is RES1, but it
+ * can reset into an UNKNOWN state and might not read as 1 until it has
+ * been initialized explicitly.
+ *
+ * Fruity CPUs seem to have HCR_EL2.E2H set to RAO/WI, but
+ * don't advertise it (they predate this relaxation).
+ *
+ * Initalize HCR_EL2.E2H so that later code can rely upon HCR_EL2.E2H
+ * indicating whether the CPU is running in E2H mode.
+ */
+ mrs_s x1, SYS_ID_AA64MMFR4_EL1
+ sbfx x1, x1, #ID_AA64MMFR4_EL1_E2H0_SHIFT, #ID_AA64MMFR4_EL1_E2H0_WIDTH
+ cmp x1, #0
+ b.ge .LnVHE_\@
+
+ orr x0, x0, #HCR_E2H
+.LnVHE_\@:
+ msr hcr_el2, x0
+ isb
+.endm
+
.macro __init_el2_sctlr
mov_q x0, INIT_SCTLR_EL2_MMU_OFF
msr sctlr_el2, x0
--- a/arch/arm64/kernel/head.S
+++ b/arch/arm64/kernel/head.S
@@ -295,25 +295,8 @@ SYM_INNER_LABEL(init_el2, SYM_L_LOCAL)
msr sctlr_el2, x0
isb
0:
- mov_q x0, HCR_HOST_NVHE_FLAGS
-
- /*
- * Compliant CPUs advertise their VHE-onlyness with
- * ID_AA64MMFR4_EL1.E2H0 < 0. HCR_EL2.E2H can be
- * RES1 in that case. Publish the E2H bit early so that
- * it can be picked up by the init_el2_state macro.
- *
- * Fruity CPUs seem to have HCR_EL2.E2H set to RAO/WI, but
- * don't advertise it (they predate this relaxation).
- */
- mrs_s x1, SYS_ID_AA64MMFR4_EL1
- tbz x1, #(ID_AA64MMFR4_EL1_E2H0_SHIFT + ID_AA64MMFR4_EL1_E2H0_WIDTH - 1), 1f
-
- orr x0, x0, #HCR_E2H
-1:
- msr hcr_el2, x0
- isb
+ init_el2_hcr HCR_HOST_NVHE_FLAGS
init_el2_state
/* Hypervisor stub */
--- a/arch/arm64/kvm/hyp/nvhe/hyp-init.S
+++ b/arch/arm64/kvm/hyp/nvhe/hyp-init.S
@@ -73,8 +73,12 @@ __do_hyp_init:
eret
SYM_CODE_END(__kvm_hyp_init)
+/*
+ * Initialize EL2 CPU state to sane values.
+ *
+ * HCR_EL2.E2H must have been initialized already.
+ */
SYM_CODE_START_LOCAL(__kvm_init_el2_state)
- /* Initialize EL2 CPU state to sane values. */
init_el2_state // Clobbers x0..x2
finalise_el2_state
ret
@@ -206,6 +210,8 @@ SYM_CODE_START_LOCAL(__kvm_hyp_init_cpu)
2: msr SPsel, #1 // We want to use SP_EL{1,2}
+ init_el2_hcr 0
+
bl __kvm_init_el2_state
__init_el2_nvhe_prepare_eret
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 263/567] KVM: arm64: Initialize SCTLR_EL1 in __kvm_hyp_init_cpu()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 262/567] KVM: arm64: Initialize HCR_EL2.E2H early Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 264/567] arm64: Revamp HCR_EL2.E2H RES1 detection Greg Kroah-Hartman
` (317 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ahmed Genidi, Mark Rutland,
Ben Horgan, Catalin Marinas, Marc Zyngier, Oliver Upton,
Will Deacon, Wei-Lin Chang
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed Genidi <ahmed.genidi@arm.com>
[ Upstream commit 3855a7b91d42ebf3513b7ccffc44807274978b3d ]
When KVM is in protected mode, host calls to PSCI are proxied via EL2,
and cold entries from CPU_ON, CPU_SUSPEND, and SYSTEM_SUSPEND bounce
through __kvm_hyp_init_cpu() at EL2 before entering the host kernel's
entry point at EL1. While __kvm_hyp_init_cpu() initializes SPSR_EL2 for
the exception return to EL1, it does not initialize SCTLR_EL1.
Due to this, it's possible to enter EL1 with SCTLR_EL1 in an UNKNOWN
state. In practice this has been seen to result in kernel crashes after
CPU_ON as a result of SCTLR_EL1.M being 1 in violation of the initial
core configuration specified by PSCI.
Fix this by initializing SCTLR_EL1 for cold entry to the host kernel.
As it's necessary to write to SCTLR_EL12 in VHE mode, this
initialization is moved into __kvm_host_psci_cpu_entry() where we can
use write_sysreg_el1().
The remnants of the '__init_el2_nvhe_prepare_eret' macro are folded into
its only caller, as this is clearer than having the macro.
Fixes: cdf367192766ad11 ("KVM: arm64: Intercept host's CPU_ON SMCs")
Reported-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Ahmed Genidi <ahmed.genidi@arm.com>
[ Mark: clarify commit message, handle E2H, move to C, remove macro ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Ahmed Genidi <ahmed.genidi@arm.com>
Cc: Ben Horgan <ben.horgan@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Leo Yan <leo.yan@arm.com>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Oliver Upton <oliver.upton@linux.dev>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Leo Yan <leo.yan@arm.com>
Link: https://lore.kernel.org/r/20250227180526.1204723-3-mark.rutland@arm.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Wei-Lin Chang <weilin.chang@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/el2_setup.h | 5 -----
arch/arm64/kernel/head.S | 3 ++-
arch/arm64/kvm/hyp/nvhe/hyp-init.S | 2 --
arch/arm64/kvm/hyp/nvhe/psci-relay.c | 3 +++
4 files changed, 5 insertions(+), 8 deletions(-)
--- a/arch/arm64/include/asm/el2_setup.h
+++ b/arch/arm64/include/asm/el2_setup.h
@@ -265,11 +265,6 @@
.Lskip_fgt2_\@:
.endm
-.macro __init_el2_nvhe_prepare_eret
- mov x0, #INIT_PSTATE_EL1
- msr spsr_el2, x0
-.endm
-
/**
* Initialize EL2 registers to sane values. This should be called early on all
* cores that were booted in EL2. Note that everything gets initialised as
--- a/arch/arm64/kernel/head.S
+++ b/arch/arm64/kernel/head.S
@@ -319,7 +319,8 @@ SYM_INNER_LABEL(init_el2, SYM_L_LOCAL)
msr sctlr_el1, x1
mov x2, xzr
3:
- __init_el2_nvhe_prepare_eret
+ mov x0, #INIT_PSTATE_EL1
+ msr spsr_el2, x0
mov w0, #BOOT_CPU_MODE_EL2
orr x0, x0, x2
--- a/arch/arm64/kvm/hyp/nvhe/hyp-init.S
+++ b/arch/arm64/kvm/hyp/nvhe/hyp-init.S
@@ -214,8 +214,6 @@ SYM_CODE_START_LOCAL(__kvm_hyp_init_cpu)
bl __kvm_init_el2_state
- __init_el2_nvhe_prepare_eret
-
/* Enable MMU, set vectors and stack. */
mov x0, x28
bl ___kvm_hyp_init // Clobbers x0..x2
--- a/arch/arm64/kvm/hyp/nvhe/psci-relay.c
+++ b/arch/arm64/kvm/hyp/nvhe/psci-relay.c
@@ -218,6 +218,9 @@ asmlinkage void __noreturn __kvm_host_ps
if (is_cpu_on)
release_boot_args(boot_args);
+ write_sysreg_el1(INIT_SCTLR_EL1_MMU_OFF, SYS_SCTLR);
+ write_sysreg(INIT_PSTATE_EL1, SPSR_EL2);
+
__host_enter(host_ctxt);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 264/567] arm64: Revamp HCR_EL2.E2H RES1 detection
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 263/567] KVM: arm64: Initialize SCTLR_EL1 in __kvm_hyp_init_cpu() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 265/567] dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets Greg Kroah-Hartman
` (316 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Oliver Upton, Jan Kotas, Marc Zyngier, Wei-Lin Chang
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <maz@kernel.org>
[ Upstream commit ca88ecdce5f51874a7c151809bd2c936ee0d3805 ]
We currently have two ways to identify CPUs that only implement FEAT_VHE
and not FEAT_E2H0:
- either they advertise it via ID_AA64MMFR4_EL1.E2H0,
- or the HCR_EL2.E2H bit is RAO/WI
However, there is a third category of "cpus" that fall between these
two cases: on CPUs that do not implement FEAT_FGT, it is IMPDEF whether
an access to ID_AA64MMFR4_EL1 can trap to EL2 when the register value
is zero.
A consequence of this is that on systems such as Neoverse V2, a NV
guest cannot reliably detect that it is in a VHE-only configuration
(E2H is writable, and ID_AA64MMFR0_EL1 is 0), despite the hypervisor's
best effort to repaint the id register.
Replace the RAO/WI test by a sequence that makes use of the VHE
register remnapping between EL1 and EL2 to detect this situation,
and work out whether we get the VHE behaviour even after having
set HCR_EL2.E2H to 0.
This solves the NV problem, and provides a more reliable acid test
for CPUs that do not completely follow the letter of the architecture
while providing a RES1 behaviour for HCR_EL2.E2H.
Suggested-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Tested-by: Jan Kotas <jank@cadence.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/15A85F2B-1A0C-4FA7-9FE4-EEC2203CC09E@global.cadence.com
Signed-off-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Wei-Lin Chang <weilin.chang@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/el2_setup.h | 38 +++++++++++++++++++++++++++++++------
1 file changed, 32 insertions(+), 6 deletions(-)
--- a/arch/arm64/include/asm/el2_setup.h
+++ b/arch/arm64/include/asm/el2_setup.h
@@ -24,22 +24,48 @@
* ID_AA64MMFR4_EL1.E2H0 < 0. On such CPUs HCR_EL2.E2H is RES1, but it
* can reset into an UNKNOWN state and might not read as 1 until it has
* been initialized explicitly.
- *
- * Fruity CPUs seem to have HCR_EL2.E2H set to RAO/WI, but
- * don't advertise it (they predate this relaxation).
- *
* Initalize HCR_EL2.E2H so that later code can rely upon HCR_EL2.E2H
* indicating whether the CPU is running in E2H mode.
*/
mrs_s x1, SYS_ID_AA64MMFR4_EL1
sbfx x1, x1, #ID_AA64MMFR4_EL1_E2H0_SHIFT, #ID_AA64MMFR4_EL1_E2H0_WIDTH
cmp x1, #0
- b.ge .LnVHE_\@
+ b.lt .LnE2H0_\@
+
+ /*
+ * Unfortunately, HCR_EL2.E2H can be RES1 even if not advertised
+ * as such via ID_AA64MMFR4_EL1.E2H0:
+ *
+ * - Fruity CPUs predate the !FEAT_E2H0 relaxation, and seem to
+ * have HCR_EL2.E2H implemented as RAO/WI.
+ *
+ * - On CPUs that lack FEAT_FGT, a hypervisor can't trap guest
+ * reads of ID_AA64MMFR4_EL1 to advertise !FEAT_E2H0. NV
+ * guests on these hosts can write to HCR_EL2.E2H without
+ * trapping to the hypervisor, but these writes have no
+ * functional effect.
+ *
+ * Handle both cases by checking for an essential VHE property
+ * (system register remapping) to decide whether we're
+ * effectively VHE-only or not.
+ */
+ msr hcr_el2, x0 // Setup HCR_EL2 as nVHE
+ isb
+ mov x1, #1 // Write something to FAR_EL1
+ msr far_el1, x1
+ isb
+ mov x1, #2 // Try to overwrite it via FAR_EL2
+ msr far_el2, x1
+ isb
+ mrs x1, far_el1 // If we see the latest write in FAR_EL1,
+ cmp x1, #2 // we can safely assume we are VHE only.
+ b.ne .LnVHE_\@ // Otherwise, we know that nVHE works.
+.LnE2H0_\@:
orr x0, x0, #HCR_E2H
-.LnVHE_\@:
msr hcr_el2, x0
isb
+.LnVHE_\@:
.endm
.macro __init_el2_sctlr
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 265/567] dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 264/567] arm64: Revamp HCR_EL2.E2H RES1 detection Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 266/567] dt-bindings: PCI: qcom,pcie-sc8280xp: " Greg Kroah-Hartman
` (315 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Manivannan Sadhasivam, Rob Herring (Arm)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit ef99c2efeacac7758cc8c2d00e3200100a4da16c upstream.
Commit 756485bfbb85 ("dt-bindings: PCI: qcom,pcie-sc7280: Move SC7280 to
dedicated schema") move the device schema to separate file, but it
missed a "if:not:...then:" clause in the original binding which was
requiring power-domains and resets for this particular chip.
Fixes: 756485bfbb85 ("dt-bindings: PCI: qcom,pcie-sc7280: Move SC7280 to dedicated schema")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-2-28c1f11599fe@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml | 5 +++++
1 file changed, 5 insertions(+)
--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml
+++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sc7280.yaml
@@ -74,6 +74,11 @@ properties:
items:
- const: pci
+required:
+ - power-domains
+ - resets
+ - reset-names
+
allOf:
- $ref: qcom,pcie-common.yaml#
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 266/567] dt-bindings: PCI: qcom,pcie-sc8280xp: Add missing required power-domains and resets
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 265/567] dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 267/567] dt-bindings: PCI: qcom,pcie-sm8150: " Greg Kroah-Hartman
` (314 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Manivannan Sadhasivam, Rob Herring (Arm)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit ea551601404d286813aef6819ddf0bf1d7d69a24 upstream.
Commit c007a5505504 ("dt-bindings: PCI: qcom,pcie-sc8280xp: Move
SC8280XP to dedicated schema") move the device schema to separate file,
but it missed a "if:not:...then:" clause in the original binding which
was requiring power-domains and resets for this particular chip.
Fixes: c007a5505504 ("dt-bindings: PCI: qcom,pcie-sc8280xp: Move SC8280XP to dedicated schema")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-3-28c1f11599fe@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml b/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml
index a18cba10acea..bc0e71dc06a3 100644
--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml
+++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sc8280xp.yaml
@@ -61,6 +61,9 @@ properties:
required:
- interconnects
- interconnect-names
+ - power-domains
+ - resets
+ - reset-names
allOf:
- $ref: qcom,pcie-common.yaml#
--
2.52.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 267/567] dt-bindings: PCI: qcom,pcie-sm8150: Add missing required power-domains and resets
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 266/567] dt-bindings: PCI: qcom,pcie-sc8280xp: " Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 268/567] dt-bindings: PCI: qcom,pcie-sm8250: " Greg Kroah-Hartman
` (313 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Manivannan Sadhasivam, Rob Herring (Arm)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 31cb432b62fb796e0c1084542ba39311d2f716d5 upstream.
Commit 51bc04d5b49d ("dt-bindings: PCI: qcom,pcie-sm8150: Move SM8150 to
dedicated schema") move the device schema to separate file, but it
missed a "if:not:...then:" clause in the original binding which was
requiring power-domains and resets for this particular chip.
Fixes: 51bc04d5b49d ("dt-bindings: PCI: qcom,pcie-sm8150: Move SM8150 to dedicated schema")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-4-28c1f11599fe@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml | 5 +++++
1 file changed, 5 insertions(+)
--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml
+++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8150.yaml
@@ -69,6 +69,11 @@ properties:
items:
- const: pci
+required:
+ - power-domains
+ - resets
+ - reset-names
+
allOf:
- $ref: qcom,pcie-common.yaml#
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 268/567] dt-bindings: PCI: qcom,pcie-sm8250: Add missing required power-domains and resets
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 267/567] dt-bindings: PCI: qcom,pcie-sm8150: " Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 269/567] dt-bindings: PCI: qcom,pcie-sm8350: " Greg Kroah-Hartman
` (312 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Manivannan Sadhasivam, Rob Herring (Arm)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 2620c6bcd8c141b79ff2afe95dc814dfab644f63 upstream.
Commit 4891b66185c1 ("dt-bindings: PCI: qcom,pcie-sm8250: Move SM8250 to
dedicated schema") move the device schema to separate file, but it
missed a "if:not:...then:" clause in the original binding which was
requiring power-domains and resets for this particular chip.
Fixes: 4891b66185c1 ("dt-bindings: PCI: qcom,pcie-sm8250: Move SM8250 to dedicated schema")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-5-28c1f11599fe@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml | 5 +++++
1 file changed, 5 insertions(+)
--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml
+++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8250.yaml
@@ -81,6 +81,11 @@ properties:
items:
- const: pci
+required:
+ - power-domains
+ - resets
+ - reset-names
+
allOf:
- $ref: qcom,pcie-common.yaml#
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 269/567] dt-bindings: PCI: qcom,pcie-sm8350: Add missing required power-domains and resets
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 268/567] dt-bindings: PCI: qcom,pcie-sm8250: " Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 270/567] dt-bindings: PCI: qcom,pcie-sm8450: " Greg Kroah-Hartman
` (311 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Manivannan Sadhasivam, Rob Herring (Arm)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 012ba0d5f02e1f192eda263b5f9f826e47d607bb upstream.
Commit 2278b8b54773 ("dt-bindings: PCI: qcom,pcie-sm8350: Move SM8350 to
dedicated schema") move the device schema to separate file, but it
missed a "if:not:...then:" clause in the original binding which was
requiring power-domains and resets for this particular chip.
Fixes: 2278b8b54773 ("dt-bindings: PCI: qcom,pcie-sm8350: Move SM8350 to dedicated schema")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-6-28c1f11599fe@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml | 5 +++++
1 file changed, 5 insertions(+)
--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml
+++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8350.yaml
@@ -71,6 +71,11 @@ properties:
items:
- const: pci
+required:
+ - power-domains
+ - resets
+ - reset-names
+
allOf:
- $ref: qcom,pcie-common.yaml#
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 270/567] dt-bindings: PCI: qcom,pcie-sm8450: Add missing required power-domains and resets
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 269/567] dt-bindings: PCI: qcom,pcie-sm8350: " Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 271/567] dt-bindings: PCI: qcom,pcie-sm8550: " Greg Kroah-Hartman
` (310 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Manivannan Sadhasivam, Rob Herring (Arm)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 667facc4000c49a7c280097ef6638f133bcb1e59 upstream.
Commit 88c9b3af4e31 ("dt-bindings: PCI: qcom,pcie-sm8450: Move SM8450 to
dedicated schema") move the device schema to separate file, but it
missed a "if:not:...then:" clause in the original binding which was
requiring power-domains and resets for this particular chip.
Fixes: 88c9b3af4e31 ("dt-bindings: PCI: qcom,pcie-sm8450: Move SM8450 to dedicated schema")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-7-28c1f11599fe@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml | 5 +++++
1 file changed, 5 insertions(+)
--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml
+++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8450.yaml
@@ -81,6 +81,11 @@ properties:
items:
- const: pci
+required:
+ - power-domains
+ - resets
+ - reset-names
+
allOf:
- $ref: qcom,pcie-common.yaml#
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 271/567] dt-bindings: PCI: qcom,pcie-sm8550: Add missing required power-domains and resets
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 270/567] dt-bindings: PCI: qcom,pcie-sm8450: " Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 272/567] crypto: af_alg - zero initialize memory allocated via sock_kmalloc Greg Kroah-Hartman
` (309 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Manivannan Sadhasivam, Rob Herring (Arm)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit e60c6f34b9f3a83f96006243c0ef96c134520257 upstream.
Commit b8d3404058a6 ("dt-bindings: PCI: qcom,pcie-sm8550: Move SM8550 to
dedicated schema") move the device schema to separate file, but it
missed a "if:not:...then:" clause in the original binding which was
requiring power-domains and resets for this particular chip.
Fixes: b8d3404058a6 ("dt-bindings: PCI: qcom,pcie-sm8550: Move SM8550 to dedicated schema")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Rob Herring (Arm) <robh@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251030-dt-bindings-pci-qcom-fixes-power-domains-v2-8-28c1f11599fe@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml | 5 +++++
1 file changed, 5 insertions(+)
--- a/Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml
+++ b/Documentation/devicetree/bindings/pci/qcom,pcie-sm8550.yaml
@@ -78,6 +78,11 @@ properties:
- const: pci # PCIe core reset
- const: link_down # PCIe link down reset
+required:
+ - power-domains
+ - resets
+ - reset-names
+
allOf:
- $ref: qcom,pcie-common.yaml#
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 272/567] crypto: af_alg - zero initialize memory allocated via sock_kmalloc
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 271/567] dt-bindings: PCI: qcom,pcie-sm8550: " Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 273/567] crypto: caam - Add check for kcalloc() in test_len() Greg Kroah-Hartman
` (308 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shivani Agarwal, Herbert Xu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shivani Agarwal <shivani.agarwal@broadcom.com>
commit 6f6e309328d53a10c0fe1f77dec2db73373179b6 upstream.
Several crypto user API contexts and requests allocated with
sock_kmalloc() were left uninitialized, relying on callers to
set fields explicitly. This resulted in the use of uninitialized
data in certain error paths or when new fields are added in the
future.
The ACVP patches also contain two user-space interface files:
algif_kpp.c and algif_akcipher.c. These too rely on proper
initialization of their context structures.
A particular issue has been observed with the newly added
'inflight' variable introduced in af_alg_ctx by commit:
67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Because the context is not memset to zero after allocation,
the inflight variable has contained garbage values. As a result,
af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when
the garbage value was interpreted as true:
https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209
The check directly tests ctx->inflight without explicitly
comparing against true/false. Since inflight is only ever set to
true or false later, an uninitialized value has triggered
-EBUSY failures. Zero-initializing memory allocated with
sock_kmalloc() ensures inflight and other fields start in a known
state, removing random issues caused by uninitialized data.
Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations")
Fixes: 5afdfd22e6ba ("crypto: algif_rng - add random number generator support")
Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code")
Fixes: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Cc: stable@vger.kernel.org
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/af_alg.c | 5 ++---
crypto/algif_hash.c | 3 +--
crypto/algif_rng.c | 3 +--
3 files changed, 4 insertions(+), 7 deletions(-)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -1212,15 +1212,14 @@ struct af_alg_async_req *af_alg_alloc_ar
if (unlikely(!areq))
return ERR_PTR(-ENOMEM);
+ memset(areq, 0, areqlen);
+
ctx->inflight = true;
areq->areqlen = areqlen;
areq->sk = sk;
areq->first_rsgl.sgl.sgt.sgl = areq->first_rsgl.sgl.sgl;
- areq->last_rsgl = NULL;
INIT_LIST_HEAD(&areq->rsgl_list);
- areq->tsgl = NULL;
- areq->tsgl_entries = 0;
return areq;
}
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -416,9 +416,8 @@ static int hash_accept_parent_nokey(void
if (!ctx)
return -ENOMEM;
- ctx->result = NULL;
+ memset(ctx, 0, len);
ctx->len = len;
- ctx->more = false;
crypto_init_wait(&ctx->wait);
ask->private = ctx;
--- a/crypto/algif_rng.c
+++ b/crypto/algif_rng.c
@@ -248,9 +248,8 @@ static int rng_accept_parent(void *priva
if (!ctx)
return -ENOMEM;
+ memset(ctx, 0, len);
ctx->len = len;
- ctx->addtl = NULL;
- ctx->addtl_len = 0;
/*
* No seeding done at that point -- if multiple accepts are
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 273/567] crypto: caam - Add check for kcalloc() in test_len()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 272/567] crypto: af_alg - zero initialize memory allocated via sock_kmalloc Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 274/567] amba: tegra-ahb: Fix device leak on SMMU enable Greg Kroah-Hartman
` (307 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Herbert Xu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit 7cf6e0b69b0d90ab042163e5bbddda0dfcf8b6a7 upstream.
As kcalloc() may fail, check its return value to avoid a NULL pointer
dereference when passing the buffer to rng->read(). On allocation
failure, log the error and return since test_len() returns void.
Fixes: 2be0d806e25e ("crypto: caam - add a test for the RNG")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/caam/caamrng.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/crypto/caam/caamrng.c
+++ b/drivers/crypto/caam/caamrng.c
@@ -181,7 +181,9 @@ static inline void test_len(struct hwrng
struct device *dev = ctx->ctrldev;
buf = kcalloc(CAAM_RNG_MAX_FIFO_STORE_SIZE, sizeof(u8), GFP_KERNEL);
-
+ if (!buf) {
+ return;
+ }
while (len > 0) {
read_len = rng->read(rng, buf, len, wait);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 274/567] amba: tegra-ahb: Fix device leak on SMMU enable
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 273/567] crypto: caam - Add check for kcalloc() in test_len() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 275/567] virtio: vdpa: Fix reference count leak in octep_sriov_enable() Greg Kroah-Hartman
` (306 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Thierry Reding
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 500e1368e46928f4b2259612dcabb6999afae2a6 upstream.
Make sure to drop the reference taken to the AHB platform device when
looking up its driver data while enabling the SMMU.
Note that holding a reference to a device does not prevent its driver
data from going away.
Fixes: 89c788bab1f0 ("ARM: tegra: Add SMMU enabler in AHB")
Cc: stable@vger.kernel.org # 3.5
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/amba/tegra-ahb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/amba/tegra-ahb.c
+++ b/drivers/amba/tegra-ahb.c
@@ -144,6 +144,7 @@ int tegra_ahb_enable_smmu(struct device_
if (!dev)
return -EPROBE_DEFER;
ahb = dev_get_drvdata(dev);
+ put_device(dev);
val = gizmo_readl(ahb, AHB_ARBITRATION_XBAR_CTRL);
val |= AHB_ARBITRATION_XBAR_CTRL_SMMU_INIT_DONE;
gizmo_writel(ahb, val, AHB_ARBITRATION_XBAR_CTRL);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 275/567] virtio: vdpa: Fix reference count leak in octep_sriov_enable()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 274/567] amba: tegra-ahb: Fix device leak on SMMU enable Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 276/567] tracing: Fix fixed array of synthetic event Greg Kroah-Hartman
` (305 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Michael S. Tsirkin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit b41ca62c0019de1321d75f2b2f274a28784a41ed upstream.
pci_get_device() will increase the reference count for the returned
pci_dev, and also decrease the reference count for the input parameter
from if it is not NULL.
If we break the loop in with 'vf_pdev' not NULL. We
need to call pci_dev_put() to decrease the reference count.
Found via static anlaysis and this is similar to commit c508eb042d97
("perf/x86/intel/uncore: Fix reference count leak in sad_cfg_iio_topology()")
Fixes: 8b6c724cdab8 ("virtio: vdpa: vDPA driver for Marvell OCTEON DPU devices")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251027060737.33815-1-linmq006@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vdpa/octeon_ep/octep_vdpa_main.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/vdpa/octeon_ep/octep_vdpa_main.c
+++ b/drivers/vdpa/octeon_ep/octep_vdpa_main.c
@@ -692,6 +692,7 @@ static int octep_sriov_enable(struct pci
octep_vdpa_assign_barspace(vf_pdev, pdev, index);
if (++index == num_vfs) {
done = true;
+ pci_dev_put(vf_pdev);
break;
}
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 276/567] tracing: Fix fixed array of synthetic event
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 275/567] virtio: vdpa: Fix reference count leak in octep_sriov_enable() Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 277/567] soc: samsung: exynos-pmu: fix device leak on regmap lookup Greg Kroah-Hartman
` (304 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Douglas Raillard, Steven Rostedt (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit 47ef834209e5981f443240d8a8b45bf680df22aa upstream.
The commit 4d38328eb442d ("tracing: Fix synth event printk format for str
fields") replaced "%.*s" with "%s" but missed removing the number size of
the dynamic and static strings. The commit e1a453a57bc7 ("tracing: Do not
add length to print format in synthetic events") fixed the dynamic part
but did not fix the static part. That is, with the commands:
# echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
# echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger
# echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger
That caused the output of:
<idle>-0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155
sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58
<idle>-0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91
The commit e1a453a57bc7 fixed the part where the synthetic event had
"char[] wakee". But if one were to replace that with a static size string:
# echo 's:wake_lat char[16] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
Where "wakee" is defined as "char[16]" and not "char[]" making it a static
size, the code triggered the "(efaul)" again.
Remove the added STR_VAR_LEN_MAX size as the string is still going to be
nul terminated.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Douglas Raillard <douglas.raillard@arm.com>
Link: https://patch.msgid.link/20251204151935.5fa30355@gandalf.local.home
Fixes: e1a453a57bc7 ("tracing: Do not add length to print format in synthetic events")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_synth.c | 1 -
1 file changed, 1 deletion(-)
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -382,7 +382,6 @@ static enum print_line_t print_synth_eve
n_u64++;
} else {
trace_seq_printf(s, print_fmt, se->fields[i]->name,
- STR_VAR_LEN_MAX,
(char *)&entry->fields[n_u64].as_u64,
i == se->n_fields - 1 ? "" : " ");
n_u64 += STR_VAR_LEN_MAX / sizeof(u64);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 277/567] soc: samsung: exynos-pmu: fix device leak on regmap lookup
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 276/567] tracing: Fix fixed array of synthetic event Greg Kroah-Hartman
@ 2026-01-06 17:00 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 278/567] soc: qcom: pbs: fix device leak on lookup Greg Kroah-Hartman
` (303 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:00 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Griffin, Johan Hovold,
Krzysztof Kozlowski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 990eb9a8eb4540ab90c7b34bb07b87ff13881cad upstream.
Make sure to drop the reference taken when looking up the PMU device and
its regmap.
Note that holding a reference to a device does not prevent its regmap
from going away so there is no point in keeping the reference.
Fixes: 0b7c6075022c ("soc: samsung: exynos-pmu: Add regmap support for SoCs that protect PMU regs")
Cc: stable@vger.kernel.org # 6.9
Cc: Peter Griffin <peter.griffin@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251121121852.16825-1-johan@kernel.org
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/samsung/exynos-pmu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/soc/samsung/exynos-pmu.c
+++ b/drivers/soc/samsung/exynos-pmu.c
@@ -322,6 +322,8 @@ struct regmap *exynos_get_pmu_regmap_by_
if (!dev)
return ERR_PTR(-EPROBE_DEFER);
+ put_device(dev);
+
return syscon_node_to_regmap(pmu_np);
}
EXPORT_SYMBOL_GPL(exynos_get_pmu_regmap_by_phandle);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 278/567] soc: qcom: pbs: fix device leak on lookup
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-01-06 17:00 ` [PATCH 6.12 277/567] soc: samsung: exynos-pmu: fix device leak on regmap lookup Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 279/567] soc: qcom: ocmem: " Greg Kroah-Hartman
` (302 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anjelique Melendez, Johan Hovold,
Bjorn Andersson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 94124bf253d24b13e89c45618a168d5a1d8a61e7 upstream.
Make sure to drop the reference taken to the pbs platform device when
looking up its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: 5b2dd77be1d8 ("soc: qcom: add QCOM PBS driver")
Cc: stable@vger.kernel.org # 6.9
Cc: Anjelique Melendez <quic_amelende@quicinc.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250926143511.6715-3-johan@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/qcom-pbs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/soc/qcom/qcom-pbs.c
+++ b/drivers/soc/qcom/qcom-pbs.c
@@ -179,6 +179,8 @@ struct pbs_dev *get_pbs_client_device(st
return ERR_PTR(-EINVAL);
}
+ platform_device_put(pdev);
+
return pbs;
}
EXPORT_SYMBOL_GPL(get_pbs_client_device);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 279/567] soc: qcom: ocmem: fix device leak on lookup
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 278/567] soc: qcom: pbs: fix device leak on lookup Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 280/567] soc: apple: mailbox: " Greg Kroah-Hartman
` (301 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Miaoqian Lin,
Johan Hovold, Bjorn Andersson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b5c16ea57b030b8e9428ec726e26219dfe05c3d9 upstream.
Make sure to drop the reference taken to the ocmem platform device when
looking up its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Also note that commit 0ff027027e05 ("soc: qcom: ocmem: Fix missing
put_device() call in of_get_ocmem") fixed the leak in a lookup error
path, but the reference is still leaking on success.
Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
Cc: stable@vger.kernel.org # 5.5: 0ff027027e05
Cc: Brian Masney <bmasney@redhat.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Link: https://lore.kernel.org/r/20250926143511.6715-2-johan@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/ocmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -202,9 +202,9 @@ struct ocmem *of_get_ocmem(struct device
}
ocmem = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!ocmem) {
dev_err(dev, "Cannot get ocmem\n");
- put_device(&pdev->dev);
return ERR_PTR(-ENODEV);
}
return ocmem;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 280/567] soc: apple: mailbox: fix device leak on lookup
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 279/567] soc: qcom: ocmem: " Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 281/567] soc: amlogic: canvas: " Greg Kroah-Hartman
` (300 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Neal Gompa, Sven Peter
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit f401671e90ccc26b3022f177c4156a429c024f6c upstream.
Make sure to drop the reference taken to the mbox platform device when
looking up its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: 6e1457fcad3f ("soc: apple: mailbox: Add ASC/M3 mailbox driver")
Cc: stable@vger.kernel.org # 6.8
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Sven Peter <sven@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/apple/mailbox.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/soc/apple/mailbox.c
+++ b/drivers/soc/apple/mailbox.c
@@ -299,11 +299,18 @@ struct apple_mbox *apple_mbox_get(struct
return ERR_PTR(-EPROBE_DEFER);
mbox = platform_get_drvdata(pdev);
- if (!mbox)
- return ERR_PTR(-EPROBE_DEFER);
+ if (!mbox) {
+ mbox = ERR_PTR(-EPROBE_DEFER);
+ goto out_put_pdev;
+ }
+
+ if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER)) {
+ mbox = ERR_PTR(-ENODEV);
+ goto out_put_pdev;
+ }
- if (!device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_CONSUMER))
- return ERR_PTR(-ENODEV);
+out_put_pdev:
+ put_device(&pdev->dev);
return mbox;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 281/567] soc: amlogic: canvas: fix device leak on lookup
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 280/567] soc: apple: mailbox: " Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 282/567] rpmsg: glink: fix rpmsg device leak Greg Kroah-Hartman
` (299 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Johan Hovold,
Martin Blumenstingl, Neil Armstrong
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 32200f4828de9d7e6db379909898e718747f4e18 upstream.
Make sure to drop the reference taken to the canvas platform device when
looking up its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Also note that commit 28f851e6afa8 ("soc: amlogic: canvas: add missing
put_device() call in meson_canvas_get()") fixed the leak in a lookup
error path, but the reference is still leaking on success.
Fixes: d4983983d987 ("soc: amlogic: add meson-canvas driver")
Cc: stable@vger.kernel.org # 4.20: 28f851e6afa8
Cc: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://patch.msgid.link/20250926142454.5929-2-johan@kernel.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/amlogic/meson-canvas.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/soc/amlogic/meson-canvas.c
+++ b/drivers/soc/amlogic/meson-canvas.c
@@ -73,10 +73,9 @@ struct meson_canvas *meson_canvas_get(st
* current state, this driver probe cannot return -EPROBE_DEFER
*/
canvas = dev_get_drvdata(&canvas_pdev->dev);
- if (!canvas) {
- put_device(&canvas_pdev->dev);
+ put_device(&canvas_pdev->dev);
+ if (!canvas)
return ERR_PTR(-EINVAL);
- }
return canvas;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 282/567] rpmsg: glink: fix rpmsg device leak
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 281/567] soc: amlogic: canvas: " Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 283/567] platform/x86: intel: chtwc_int33fe: dont dereference swnode args Greg Kroah-Hartman
` (298 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Dmitry Baryshkov, Bjorn Andersson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit a53e356df548f6b0e82529ef3cc6070f42622189 upstream.
While testing rpmsg-char interface it was noticed that duplicate sysfs
entries are getting created and below warning is noticed.
Reason for this is that we are leaking rpmsg device pointer, setting it
null without actually unregistering device.
Any further attempts to unregister fail because rpdev is NULL,
resulting in a leak.
Fix this by unregistering rpmsg device before removing its reference
from rpmsg channel.
sysfs: cannot create duplicate filename '/devices/platform/soc@0/3700000.remot
eproc/remoteproc/remoteproc1/3700000.remoteproc:glink-edge/3700000.remoteproc:
glink-edge.adsp_apps.-1.-1'
[ 114.115347] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not
tainted 6.16.0-rc4 #7 PREEMPT
[ 114.115355] Hardware name: Qualcomm Technologies, Inc. Robotics RB3gen2 (DT)
[ 114.115358] Workqueue: events qcom_glink_work
[ 114.115371] Call trace:8
[ 114.115374] show_stack+0x18/0x24 (C)
[ 114.115382] dump_stack_lvl+0x60/0x80
[ 114.115388] dump_stack+0x18/0x24
[ 114.115393] sysfs_warn_dup+0x64/0x80
[ 114.115402] sysfs_create_dir_ns+0xf4/0x120
[ 114.115409] kobject_add_internal+0x98/0x260
[ 114.115416] kobject_add+0x9c/0x108
[ 114.115421] device_add+0xc4/0x7a0
[ 114.115429] rpmsg_register_device+0x5c/0xb0
[ 114.115434] qcom_glink_work+0x4bc/0x820
[ 114.115438] process_one_work+0x148/0x284
[ 114.115446] worker_thread+0x2c4/0x3e0
[ 114.115452] kthread+0x12c/0x204
[ 114.115457] ret_from_fork+0x10/0x20
[ 114.115464] kobject: kobject_add_internal failed for 3700000.remoteproc:
glink-edge.adsp_apps.-1.-1 with -EEXIST, don't try to register things with
the same name in the same directory.
[ 114.250045] rpmsg 3700000.remoteproc:glink-edge.adsp_apps.-1.-1:
device_add failed: -17
Fixes: 835764ddd9af ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250822100043.2604794-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rpmsg/qcom_glink_native.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1399,6 +1399,7 @@ static void qcom_glink_destroy_ept(struc
{
struct glink_channel *channel = to_glink_channel(ept);
struct qcom_glink *glink = channel->glink;
+ struct rpmsg_channel_info chinfo;
unsigned long flags;
spin_lock_irqsave(&channel->recv_lock, flags);
@@ -1406,6 +1407,13 @@ static void qcom_glink_destroy_ept(struc
spin_unlock_irqrestore(&channel->recv_lock, flags);
/* Decouple the potential rpdev from the channel */
+ if (channel->rpdev) {
+ strscpy_pad(chinfo.name, channel->name, sizeof(chinfo.name));
+ chinfo.src = RPMSG_ADDR_ANY;
+ chinfo.dst = RPMSG_ADDR_ANY;
+
+ rpmsg_unregister_device(glink->dev, &chinfo);
+ }
channel->rpdev = NULL;
qcom_glink_send_close_req(glink, channel);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 283/567] platform/x86: intel: chtwc_int33fe: dont dereference swnode args
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 282/567] rpmsg: glink: fix rpmsg device leak Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 284/567] i2c: amd-mp2: fix reference leak in MP2 PCI device Greg Kroah-Hartman
` (297 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell,
Bartosz Golaszewski, Hans de Goede, Ilpo Järvinen,
Philipp Zabel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
commit 527250cd9092461f1beac3e4180a4481bffa01b5 upstream.
Members of struct software_node_ref_args should not be dereferenced
directly but set using the provided macros. Commit d7cdbbc93c56
("software node: allow referencing firmware nodes") changed the name of
the software node member and caused a build failure. Remove all direct
dereferences of the ref struct as a fix.
However, this driver also seems to abuse the software node interface by
waiting for a node with an arbitrary name "intel-xhci-usb-sw" to appear
in the system before setting up the reference for the I2C device, while
the actual software node already exists in the intel-xhci-usb-role-switch
module and should be used to set up a static reference. Add a FIXME for
a future improvement.
Fixes: d7cdbbc93c56 ("software node: allow referencing firmware nodes")
Fixes: 53c24c2932e5 ("platform/x86: intel_cht_int33fe: use inline reference properties")
Cc: stable@vger.kernel.org
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lore.kernel.org/all/20251121111534.7cdbfe5c@canb.auug.org.au/
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/intel/chtwc_int33fe.c | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
--- a/drivers/platform/x86/intel/chtwc_int33fe.c
+++ b/drivers/platform/x86/intel/chtwc_int33fe.c
@@ -77,7 +77,7 @@ static const struct software_node max170
* software node.
*/
static struct software_node_ref_args fusb302_mux_refs[] = {
- { .node = NULL },
+ SOFTWARE_NODE_REFERENCE(NULL),
};
static const struct property_entry fusb302_properties[] = {
@@ -190,11 +190,6 @@ static void cht_int33fe_remove_nodes(str
{
software_node_unregister_node_group(node_group);
- if (fusb302_mux_refs[0].node) {
- fwnode_handle_put(software_node_fwnode(fusb302_mux_refs[0].node));
- fusb302_mux_refs[0].node = NULL;
- }
-
if (data->dp) {
data->dp->secondary = NULL;
fwnode_handle_put(data->dp);
@@ -202,7 +197,15 @@ static void cht_int33fe_remove_nodes(str
}
}
-static int cht_int33fe_add_nodes(struct cht_int33fe_data *data)
+static void cht_int33fe_put_swnode(void *data)
+{
+ struct fwnode_handle *fwnode = data;
+
+ fwnode_handle_put(fwnode);
+ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(NULL);
+}
+
+static int cht_int33fe_add_nodes(struct device *dev, struct cht_int33fe_data *data)
{
const struct software_node *mux_ref_node;
int ret;
@@ -212,17 +215,25 @@ static int cht_int33fe_add_nodes(struct
* until the mux driver has created software node for the mux device.
* It means we depend on the mux driver. This function will return
* -EPROBE_DEFER until the mux device is registered.
+ *
+ * FIXME: the relevant software node exists in intel-xhci-usb-role-switch
+ * and - if exported - could be used to set up a static reference.
*/
mux_ref_node = software_node_find_by_name(NULL, "intel-xhci-usb-sw");
if (!mux_ref_node)
return -EPROBE_DEFER;
+ ret = devm_add_action_or_reset(dev, cht_int33fe_put_swnode,
+ software_node_fwnode(mux_ref_node));
+ if (ret)
+ return ret;
+
/*
* Update node used in "usb-role-switch" property. Note that we
* rely on software_node_register_node_group() to use the original
* instance of properties instead of copying them.
*/
- fusb302_mux_refs[0].node = mux_ref_node;
+ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(mux_ref_node);
ret = software_node_register_node_group(node_group);
if (ret)
@@ -345,7 +356,7 @@ static int cht_int33fe_typec_probe(struc
return fusb302_irq;
}
- ret = cht_int33fe_add_nodes(data);
+ ret = cht_int33fe_add_nodes(dev, data);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 284/567] i2c: amd-mp2: fix reference leak in MP2 PCI device
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 283/567] platform/x86: intel: chtwc_int33fe: dont dereference swnode args Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 285/567] interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes Greg Kroah-Hartman
` (296 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Andi Shyti
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 upstream.
In i2c_amd_probe(), amd_mp2_find_device() utilizes
driver_find_next_device() which internally calls driver_find_device()
to locate the matching device. driver_find_device() increments the
reference count of the found device by calling get_device(), but
amd_mp2_find_device() fails to call put_device() to decrement the
reference count before returning. This results in a reference count
leak of the PCI device each time i2c_amd_probe() is executed, which
may prevent the device from being properly released and cause a memory
leak.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20251022095402.8846-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-amd-mp2-pci.c
+++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c
@@ -461,13 +461,16 @@ struct amd_mp2_dev *amd_mp2_find_device(
{
struct device *dev;
struct pci_dev *pci_dev;
+ struct amd_mp2_dev *mp2_dev;
dev = driver_find_next_device(&amd_mp2_pci_driver.driver, NULL);
if (!dev)
return NULL;
pci_dev = to_pci_dev(dev);
- return (struct amd_mp2_dev *)pci_get_drvdata(pci_dev);
+ mp2_dev = (struct amd_mp2_dev *)pci_get_drvdata(pci_dev);
+ put_device(dev);
+ return mp2_dev;
}
EXPORT_SYMBOL_GPL(amd_mp2_find_device);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 285/567] interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 284/567] i2c: amd-mp2: fix reference leak in MP2 PCI device Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 286/567] hwmon: (max16065) Use local variable to avoid TOCTOU Greg Kroah-Hartman
` (295 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raviteja Laggyshetty,
Manivannan Sadhasivam, Konrad Dybcio, Georgi Djakov,
Lakshmi Sowjanya D
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raviteja Laggyshetty <quic_rlaggysh@quicinc.com>
commit 295f58fdccd05b2d6da1f4a4f81952ccb565c4dc upstream.
As like other SDX SoCs, SDX75 SoC's QPIC BCM resource was modeled as a
RPMh clock in clk-rpmh driver. However, for SDX75, this resource was also
described as an interconnect and BCM node mistakenly. It is incorrect to
describe the same resource in two different providers, as it will lead to
votes from clients overriding each other.
Hence, drop the QPIC interconnect and BCM nodes and let the clients use
clk-rpmh driver to vote for this resource.
Without this change, the NAND driver fails to probe on SDX75, as the
interconnect sync state disables the QPIC nodes as there were no clients
voting for this ICC resource. However, the NAND driver had already voted
for this BCM resource through the clk-rpmh driver. Since both votes come
from Linux, RPMh was unable to distinguish between these two and ends up
disabling the QPIC resource during sync state.
Cc: stable@vger.kernel.org
Fixes: 3642b4e5cbfe ("interconnect: qcom: Add SDX75 interconnect provider driver")
Signed-off-by: Raviteja Laggyshetty <quic_rlaggysh@quicinc.com>
[mani: dropped the reference to bcm_qp0, reworded description]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Tested-by: Lakshmi Sowjanya D <quic_laksd@quicinc.com> # on SDX75
Link: https://lore.kernel.org/r/20250926-sdx75-icc-v2-1-20d6820e455c@oss.qualcomm.com
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/interconnect/qcom/sdx75.c | 26 --------------------------
drivers/interconnect/qcom/sdx75.h | 2 --
2 files changed, 28 deletions(-)
--- a/drivers/interconnect/qcom/sdx75.c
+++ b/drivers/interconnect/qcom/sdx75.c
@@ -16,15 +16,6 @@
#include "icc-rpmh.h"
#include "sdx75.h"
-static struct qcom_icc_node qpic_core_master = {
- .name = "qpic_core_master",
- .id = SDX75_MASTER_QPIC_CORE,
- .channels = 1,
- .buswidth = 4,
- .num_links = 1,
- .links = { SDX75_SLAVE_QPIC_CORE },
-};
-
static struct qcom_icc_node qup0_core_master = {
.name = "qup0_core_master",
.id = SDX75_MASTER_QUP_CORE_0,
@@ -375,14 +366,6 @@ static struct qcom_icc_node xm_usb3 = {
.links = { SDX75_SLAVE_A1NOC_CFG },
};
-static struct qcom_icc_node qpic_core_slave = {
- .name = "qpic_core_slave",
- .id = SDX75_SLAVE_QPIC_CORE,
- .channels = 1,
- .buswidth = 4,
- .num_links = 0,
-};
-
static struct qcom_icc_node qup0_core_slave = {
.name = "qup0_core_slave",
.id = SDX75_SLAVE_QUP_CORE_0,
@@ -831,12 +814,6 @@ static struct qcom_icc_bcm bcm_mc0 = {
.nodes = { &ebi },
};
-static struct qcom_icc_bcm bcm_qp0 = {
- .name = "QP0",
- .num_nodes = 1,
- .nodes = { &qpic_core_slave },
-};
-
static struct qcom_icc_bcm bcm_qup0 = {
.name = "QUP0",
.keepalive = true,
@@ -898,14 +875,11 @@ static struct qcom_icc_bcm bcm_sn4 = {
};
static struct qcom_icc_bcm * const clk_virt_bcms[] = {
- &bcm_qp0,
&bcm_qup0,
};
static struct qcom_icc_node * const clk_virt_nodes[] = {
- [MASTER_QPIC_CORE] = &qpic_core_master,
[MASTER_QUP_CORE_0] = &qup0_core_master,
- [SLAVE_QPIC_CORE] = &qpic_core_slave,
[SLAVE_QUP_CORE_0] = &qup0_core_slave,
};
--- a/drivers/interconnect/qcom/sdx75.h
+++ b/drivers/interconnect/qcom/sdx75.h
@@ -33,7 +33,6 @@
#define SDX75_MASTER_QDSS_ETR 24
#define SDX75_MASTER_QDSS_ETR_1 25
#define SDX75_MASTER_QPIC 26
-#define SDX75_MASTER_QPIC_CORE 27
#define SDX75_MASTER_QUP_0 28
#define SDX75_MASTER_QUP_CORE_0 29
#define SDX75_MASTER_SDCC_1 30
@@ -76,7 +75,6 @@
#define SDX75_SLAVE_QDSS_CFG 67
#define SDX75_SLAVE_QDSS_STM 68
#define SDX75_SLAVE_QPIC 69
-#define SDX75_SLAVE_QPIC_CORE 70
#define SDX75_SLAVE_QUP_0 71
#define SDX75_SLAVE_QUP_CORE_0 72
#define SDX75_SLAVE_SDCC_1 73
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 286/567] hwmon: (max16065) Use local variable to avoid TOCTOU
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 285/567] interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 287/567] hwmon: (max6697) fix regmap leak on probe failure Greg Kroah-Hartman
` (294 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit b8d5acdcf525f44e521ca4ef51dce4dac403dab4 upstream.
In max16065_current_show, data->curr_sense is read twice: once for the
error check and again for the calculation. Since
i2c_smbus_read_byte_data returns negative error codes on failure, if the
data changes to an error code between the check and the use, ADC_TO_CURR
results in an incorrect calculation.
Read data->curr_sense into a local variable to ensure consistency. Note
that data->curr_gain is constant and safe to access directly.
This aligns max16065_current_show with max16065_input_show, which
already uses a local variable for the same reason.
Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251128124709.3876-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/max16065.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/hwmon/max16065.c
+++ b/drivers/hwmon/max16065.c
@@ -216,12 +216,13 @@ static ssize_t max16065_current_show(str
struct device_attribute *da, char *buf)
{
struct max16065_data *data = max16065_update_device(dev);
+ int curr_sense = data->curr_sense;
- if (unlikely(data->curr_sense < 0))
- return data->curr_sense;
+ if (unlikely(curr_sense < 0))
+ return curr_sense;
return sysfs_emit(buf, "%d\n",
- ADC_TO_CURR(data->curr_sense, data->curr_gain));
+ ADC_TO_CURR(curr_sense, data->curr_gain));
}
static ssize_t max16065_limit_store(struct device *dev,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 287/567] hwmon: (max6697) fix regmap leak on probe failure
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 286/567] hwmon: (max16065) Use local variable to avoid TOCTOU Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 288/567] hwmon: (w83791d) Convert macros to functions to avoid TOCTOU Greg Kroah-Hartman
` (293 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Johan Hovold
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 02f0ad8e8de8cf5344f8f0fa26d9529b8339da47 upstream.
The i2c regmap allocated during probe is never freed.
Switch to using the device managed allocator so that the regmap is
released on probe failures (e.g. probe deferral) and on driver unbind.
Fixes: 3a2a8cc3fe24 ("hwmon: (max6697) Convert to use regmap")
Cc: stable@vger.kernel.org # 6.12
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20251127134351.1585-1-johan@kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/max6697.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwmon/max6697.c
+++ b/drivers/hwmon/max6697.c
@@ -548,7 +548,7 @@ static int max6697_probe(struct i2c_clie
struct regmap *regmap;
int err;
- regmap = regmap_init_i2c(client, &max6697_regmap_config);
+ regmap = devm_regmap_init_i2c(client, &max6697_regmap_config);
if (IS_ERR(regmap))
return PTR_ERR(regmap);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 288/567] hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 287/567] hwmon: (max6697) fix regmap leak on probe failure Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 289/567] hwmon: (w83l786ng) " Greg Kroah-Hartman
` (292 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 upstream.
The macro FAN_FROM_REG evaluates its arguments multiple times. When used
in lockless contexts involving shared driver data, this leads to
Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially
causing divide-by-zero errors.
Convert the macro to a static function. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.
Additionally, in store_fan_div, move the calculation of the minimum
limit inside the update lock. This ensures that the read-modify-write
sequence operates on consistent data.
Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.
Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: 9873964d6eb2 ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/w83791d.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
--- a/drivers/hwmon/w83791d.c
+++ b/drivers/hwmon/w83791d.c
@@ -218,9 +218,14 @@ static u8 fan_to_reg(long rpm, int div)
return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
}
-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \
- ((val) == 255 ? 0 : \
- 1350000 / ((val) * (div))))
+static int fan_from_reg(int val, int div)
+{
+ if (val == 0)
+ return -1;
+ if (val == 255)
+ return 0;
+ return 1350000 / (val * div);
+}
/* for temp1 which is 8-bit resolution, LSB = 1 degree Celsius */
#define TEMP1_FROM_REG(val) ((val) * 1000)
@@ -521,7 +526,7 @@ static ssize_t show_##reg(struct device
struct w83791d_data *data = w83791d_update_device(dev); \
int nr = sensor_attr->index; \
return sprintf(buf, "%d\n", \
- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
+ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
}
show_fan_reg(fan);
@@ -585,10 +590,10 @@ static ssize_t store_fan_div(struct devi
if (err)
return err;
+ mutex_lock(&data->update_lock);
/* Save fan_min */
- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
+ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
- mutex_lock(&data->update_lock);
data->fan_div[nr] = div_to_reg(nr, val);
switch (nr) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 289/567] hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 288/567] hwmon: (w83791d) Convert macros to functions to avoid TOCTOU Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 290/567] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Greg Kroah-Hartman
` (291 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Guenter Roeck
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit 07272e883fc61574b8367d44de48917f622cdd83 upstream.
The macros FAN_FROM_REG and TEMP_FROM_REG evaluate their arguments
multiple times. When used in lockless contexts involving shared driver
data, this causes Time-of-Check to Time-of-Use (TOCTOU) race
conditions.
Convert the macros to static functions. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.
Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.
Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: 85f03bccd6e0 ("hwmon: Add support for Winbond W83L786NG/NR")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251128123816.3670-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/w83l786ng.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
--- a/drivers/hwmon/w83l786ng.c
+++ b/drivers/hwmon/w83l786ng.c
@@ -76,15 +76,25 @@ FAN_TO_REG(long rpm, int div)
return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
}
-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \
- ((val) == 255 ? 0 : \
- 1350000 / ((val) * (div))))
+static int fan_from_reg(int val, int div)
+{
+ if (val == 0)
+ return -1;
+ if (val == 255)
+ return 0;
+ return 1350000 / (val * div);
+}
/* for temp */
#define TEMP_TO_REG(val) (clamp_val(((val) < 0 ? (val) + 0x100 * 1000 \
: (val)) / 1000, 0, 0xff))
-#define TEMP_FROM_REG(val) (((val) & 0x80 ? \
- (val) - 0x100 : (val)) * 1000)
+
+static int temp_from_reg(int val)
+{
+ if (val & 0x80)
+ return (val - 0x100) * 1000;
+ return val * 1000;
+}
/*
* The analog voltage inputs have 8mV LSB. Since the sysfs output is
@@ -280,7 +290,7 @@ static ssize_t show_##reg(struct device
int nr = to_sensor_dev_attr(attr)->index; \
struct w83l786ng_data *data = w83l786ng_update_device(dev); \
return sprintf(buf, "%d\n", \
- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
+ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
}
show_fan_reg(fan);
@@ -347,7 +357,7 @@ store_fan_div(struct device *dev, struct
/* Save fan_min */
mutex_lock(&data->update_lock);
- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
+ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
data->fan_div[nr] = DIV_TO_REG(val);
@@ -409,7 +419,7 @@ show_temp(struct device *dev, struct dev
int nr = sensor_attr->nr;
int index = sensor_attr->index;
struct w83l786ng_data *data = w83l786ng_update_device(dev);
- return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[nr][index]));
+ return sprintf(buf, "%d\n", temp_from_reg(data->temp[nr][index]));
}
static ssize_t
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 290/567] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 289/567] hwmon: (w83l786ng) " Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 291/567] x86/msi: Make irq_retrigger() functional for posted MSI Greg Kroah-Hartman
` (290 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolas Ferre, Claudiu Beznea
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Ferre <nicolas.ferre@microchip.com>
commit 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce upstream.
Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo
size of 32 data. Fix flexcom/spi nodes where this property is wrong.
Fixes: 6b9a3584c7ed ("ARM: dts: at91: sama5d2: Add missing flexcom definitions")
Cc: stable@vger.kernel.org # 5.8+
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20251114140225.30372-1-nicolas.ferre@microchip.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/arch/arm/boot/dts/microchip/sama5d2.dtsi
+++ b/arch/arm/boot/dts/microchip/sama5d2.dtsi
@@ -568,7 +568,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(12))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -639,7 +639,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(14))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -851,7 +851,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(16))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -922,7 +922,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(18))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -994,7 +994,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(20))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 291/567] x86/msi: Make irq_retrigger() functional for posted MSI
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 290/567] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 292/567] iommu/mediatek: fix use-after-free on probe deferral Greg Kroah-Hartman
` (289 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luigi Rizzo, Thomas Gleixner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 0edc78b82bea85e1b2165d8e870a5c3535919695 ]
Luigi reported that retriggering a posted MSI interrupt does not work
correctly.
The reason is that the retrigger happens at the vector domain by sending an
IPI to the actual vector on the target CPU. That works correctly exactly
once because the posted MSI interrupt chip does not issue an EOI as that's
only required for the posted MSI notification vector itself.
As a consequence the vector becomes stale in the ISR, which not only
affects this vector but also any lower priority vector in the affected
APIC because the ISR bit is not cleared.
Luigi proposed to set the vector in the remap PIR bitmap and raise the
posted MSI notification vector. That works, but that still does not cure a
related problem:
If there is ever a stray interrupt on such a vector, then the related
APIC ISR bit becomes stale due to the lack of EOI as described above.
Unlikely to happen, but if it happens it's not debuggable at all.
So instead of playing games with the PIR, this can be actually solved
for both cases by:
1) Keeping track of the posted interrupt vector handler state
2) Implementing a posted MSI specific irq_ack() callback which checks that
state. If the posted vector handler is inactive it issues an EOI,
otherwise it delegates that to the posted handler.
This is correct versus affinity changes and concurrent events on the posted
vector as the actual handler invocation is serialized through the interrupt
descriptor lock.
Fixes: ed1e48ea4370 ("iommu/vt-d: Enable posted mode for device MSIs")
Reported-by: Luigi Rizzo <lrizzo@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Luigi Rizzo <lrizzo@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251125214631.044440658@linutronix.de
Closes: https://lore.kernel.org/lkml/20251124104836.3685533-1-lrizzo@google.com
[ DEFINE_PER_CPU_CACHE_HOT => DEFINE_PER_CPU ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/irq_remapping.h | 7 +++++++
arch/x86/kernel/irq.c | 23 +++++++++++++++++++++++
drivers/iommu/intel/irq_remapping.c | 8 ++++----
3 files changed, 34 insertions(+), 4 deletions(-)
--- a/arch/x86/include/asm/irq_remapping.h
+++ b/arch/x86/include/asm/irq_remapping.h
@@ -72,4 +72,11 @@ static inline void panic_if_irq_remap(co
}
#endif /* CONFIG_IRQ_REMAP */
+
+#ifdef CONFIG_X86_POSTED_MSI
+void intel_ack_posted_msi_irq(struct irq_data *irqd);
+#else
+#define intel_ack_posted_msi_irq NULL
+#endif
+
#endif /* __X86_IRQ_REMAPPING_H */
--- a/arch/x86/kernel/irq.c
+++ b/arch/x86/kernel/irq.c
@@ -391,6 +391,7 @@ DEFINE_IDTENTRY_SYSVEC_SIMPLE(sysvec_kvm
/* Posted Interrupt Descriptors for coalesced MSIs to be posted */
DEFINE_PER_CPU_ALIGNED(struct pi_desc, posted_msi_pi_desc);
+static DEFINE_PER_CPU(bool, posted_msi_handler_active);
void intel_posted_msi_init(void)
{
@@ -408,6 +409,25 @@ void intel_posted_msi_init(void)
this_cpu_write(posted_msi_pi_desc.ndst, destination);
}
+void intel_ack_posted_msi_irq(struct irq_data *irqd)
+{
+ irq_move_irq(irqd);
+
+ /*
+ * Handle the rare case that irq_retrigger() raised the actual
+ * assigned vector on the target CPU, which means that it was not
+ * invoked via the posted MSI handler below. In that case APIC EOI
+ * is required as otherwise the ISR entry becomes stale and lower
+ * priority interrupts are never going to be delivered after that.
+ *
+ * If the posted handler invoked the device interrupt handler then
+ * the EOI would be premature because it would acknowledge the
+ * posted vector.
+ */
+ if (unlikely(!__this_cpu_read(posted_msi_handler_active)))
+ apic_eoi();
+}
+
/*
* De-multiplexing posted interrupts is on the performance path, the code
* below is written to optimize the cache performance based on the following
@@ -483,6 +503,8 @@ DEFINE_IDTENTRY_SYSVEC(sysvec_posted_msi
pid = this_cpu_ptr(&posted_msi_pi_desc);
+ /* Mark the handler active for intel_ack_posted_msi_irq() */
+ __this_cpu_write(posted_msi_handler_active, true);
inc_irq_stat(posted_msi_notification_count);
irq_enter();
@@ -511,6 +533,7 @@ DEFINE_IDTENTRY_SYSVEC(sysvec_posted_msi
apic_eoi();
irq_exit();
+ __this_cpu_write(posted_msi_handler_active, false);
set_irq_regs(old_regs);
}
#endif /* X86_POSTED_MSI */
--- a/drivers/iommu/intel/irq_remapping.c
+++ b/drivers/iommu/intel/irq_remapping.c
@@ -1309,17 +1309,17 @@ static struct irq_chip intel_ir_chip = {
* irq_enter();
* handle_edge_irq()
* irq_chip_ack_parent()
- * irq_move_irq(); // No EOI
+ * intel_ack_posted_msi_irq(); // No EOI
* handle_irq_event()
* driver_handler()
* handle_edge_irq()
* irq_chip_ack_parent()
- * irq_move_irq(); // No EOI
+ * intel_ack_posted_msi_irq(); // No EOI
* handle_irq_event()
* driver_handler()
* handle_edge_irq()
* irq_chip_ack_parent()
- * irq_move_irq(); // No EOI
+ * intel_ack_posted_msi_irq(); // No EOI
* handle_irq_event()
* driver_handler()
* apic_eoi()
@@ -1328,7 +1328,7 @@ static struct irq_chip intel_ir_chip = {
*/
static struct irq_chip intel_ir_chip_post_msi = {
.name = "INTEL-IR-POST",
- .irq_ack = irq_move_irq,
+ .irq_ack = intel_ack_posted_msi_irq,
.irq_set_affinity = intel_ir_set_affinity,
.irq_compose_msi_msg = intel_ir_compose_msi_msg,
.irq_set_vcpu_affinity = intel_ir_set_vcpu_affinity,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 292/567] iommu/mediatek: fix use-after-free on probe deferral
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 291/567] x86/msi: Make irq_retrigger() functional for posted MSI Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 293/567] fuse: fix readahead reclaim deadlock Greg Kroah-Hartman
` (288 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yong Wu, Robin Murphy, Johan Hovold,
AngeloGioacchino Del Regno, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit de83d4617f9fe059623e97acf7e1e10d209625b5 upstream.
The driver is dropping the references taken to the larb devices during
probe after successful lookup as well as on errors. This can
potentially lead to a use-after-free in case a larb device has not yet
been bound to its driver so that the iommu driver probe defers.
Fix this by keeping the references as expected while the iommu driver is
bound.
Fixes: 26593928564c ("iommu/mediatek: Add error path for loop of mm_dts_parse")
Cc: stable@vger.kernel.org
Cc: Yong Wu <yong.wu@mediatek.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
--- a/drivers/iommu/mtk_iommu.c
+++ b/drivers/iommu/mtk_iommu.c
@@ -1213,16 +1213,19 @@ static int mtk_iommu_mm_dts_parse(struct
}
component_match_add(dev, match, component_compare_dev, &plarbdev->dev);
- platform_device_put(plarbdev);
}
- if (!frst_avail_smicomm_node)
- return -EINVAL;
+ if (!frst_avail_smicomm_node) {
+ ret = -EINVAL;
+ goto err_larbdev_put;
+ }
pcommdev = of_find_device_by_node(frst_avail_smicomm_node);
of_node_put(frst_avail_smicomm_node);
- if (!pcommdev)
- return -ENODEV;
+ if (!pcommdev) {
+ ret = -ENODEV;
+ goto err_larbdev_put;
+ }
data->smicomm_dev = &pcommdev->dev;
link = device_link_add(data->smicomm_dev, dev,
@@ -1230,7 +1233,8 @@ static int mtk_iommu_mm_dts_parse(struct
platform_device_put(pcommdev);
if (!link) {
dev_err(dev, "Unable to link %s.\n", dev_name(data->smicomm_dev));
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_larbdev_put;
}
return 0;
@@ -1402,8 +1406,12 @@ out_sysfs_remove:
iommu_device_sysfs_remove(&data->iommu);
out_list_del:
list_del(&data->list);
- if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM))
+ if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) {
device_link_remove(data->smicomm_dev, dev);
+
+ for (i = 0; i < MTK_LARB_NR_MAX; i++)
+ put_device(data->larb_imu[i].dev);
+ }
out_runtime_disable:
pm_runtime_disable(dev);
return ret;
@@ -1423,6 +1431,9 @@ static void mtk_iommu_remove(struct plat
if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) {
device_link_remove(data->smicomm_dev, &pdev->dev);
component_master_del(&pdev->dev, &mtk_iommu_com_ops);
+
+ for (i = 0; i < MTK_LARB_NR_MAX; i++)
+ put_device(data->larb_imu[i].dev);
}
pm_runtime_disable(&pdev->dev);
for (i = 0; i < data->plat_data->banks_num; i++) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 293/567] fuse: fix readahead reclaim deadlock
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 292/567] iommu/mediatek: fix use-after-free on probe deferral Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 294/567] wifi: rtw88: limit indirect IO under powered off for RTL8822CS Greg Kroah-Hartman
` (287 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, Omar Sandoval,
Miklos Szeredi
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
commit bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 upstream.
Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is
needed") skips allocating ff->release_args if the server does not
implement open. However in doing so, fuse_prepare_release() now skips
grabbing the reference on the inode, which makes it possible for an
inode to be evicted from the dcache while there are inflight readahead
requests. This causes a deadlock if the server triggers reclaim while
servicing the readahead request and reclaim attempts to evict the inode
of the file being read ahead. Since the folio is locked during
readahead, when reclaim evicts the fuse inode and fuse_evict_inode()
attempts to remove all folios associated with the inode from the page
cache (truncate_inode_pages_range()), reclaim will block forever waiting
for the lock since readahead cannot relinquish the lock because it is
itself blocked in reclaim:
>>> stack_trace(1504735)
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
dentry_unlink_inode (fs/dcache.c:412:3)
__dentry_kill (fs/dcache.c:615:3)
shrink_kill (fs/dcache.c:1060:12)
shrink_dentry_list (fs/dcache.c:1087:3)
prune_dcache_sb (fs/dcache.c:1168:2)
super_cache_scan (fs/super.c:221:10)
do_shrink_slab (mm/shrinker.c:435:9)
shrink_slab (mm/shrinker.c:626:10)
shrink_node (mm/vmscan.c:5951:2)
shrink_zones (mm/vmscan.c:6195:3)
do_try_to_free_pages (mm/vmscan.c:6257:3)
do_swap_page (mm/memory.c:4136:11)
handle_pte_fault (mm/memory.c:5562:10)
handle_mm_fault (mm/memory.c:5870:9)
do_user_addr_fault (arch/x86/mm/fault.c:1338:10)
handle_page_fault (arch/x86/mm/fault.c:1481:3)
exc_page_fault (arch/x86/mm/fault.c:1539:2)
asm_exc_page_fault+0x22/0x27
Fix this deadlock by allocating ff->release_args and grabbing the
reference on the inode when preparing the file for release even if the
server does not implement open. The inode reference will be dropped when
the last reference on the fuse file is dropped (see fuse_file_put() ->
fuse_release_end()).
Fixes: e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed")
Cc: stable@vger.kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Reported-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/file.c | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -109,7 +109,9 @@ static void fuse_file_put(struct fuse_fi
fuse_file_io_release(ff, ra->inode);
if (!args) {
- /* Do nothing when server does not implement 'open' */
+ /* Do nothing when server does not implement 'opendir' */
+ } else if (args->opcode == FUSE_RELEASE && ff->fm->fc->no_open) {
+ fuse_release_end(ff->fm, args, 0);
} else if (sync) {
fuse_simple_request(ff->fm, args);
fuse_release_end(ff->fm, args, 0);
@@ -130,8 +132,17 @@ struct fuse_file *fuse_file_open(struct
struct fuse_file *ff;
int opcode = isdir ? FUSE_OPENDIR : FUSE_OPEN;
bool open = isdir ? !fc->no_opendir : !fc->no_open;
+ bool release = !isdir || open;
- ff = fuse_file_alloc(fm, open);
+ /*
+ * ff->args->release_args still needs to be allocated (so we can hold an
+ * inode reference while there are pending inflight file operations when
+ * ->release() is called, see fuse_prepare_release()) even if
+ * fc->no_open is set else it becomes possible for reclaim to deadlock
+ * if while servicing the readahead request the server triggers reclaim
+ * and reclaim evicts the inode of the file being read ahead.
+ */
+ ff = fuse_file_alloc(fm, release);
if (!ff)
return ERR_PTR(-ENOMEM);
@@ -151,13 +162,14 @@ struct fuse_file *fuse_file_open(struct
fuse_file_free(ff);
return ERR_PTR(err);
} else {
- /* No release needed */
- kfree(ff->args);
- ff->args = NULL;
- if (isdir)
+ if (isdir) {
+ /* No release needed */
+ kfree(ff->args);
+ ff->args = NULL;
fc->no_opendir = 1;
- else
+ } else {
fc->no_open = 1;
+ }
}
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 294/567] wifi: rtw88: limit indirect IO under powered off for RTL8822CS
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 293/567] fuse: fix readahead reclaim deadlock Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 295/567] wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() Greg Kroah-Hartman
` (286 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Skvortsov, Ping-Ke Shih,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ping-Ke Shih <pkshih@realtek.com>
[ Upstream commit f3ccdfda345ca9a624ea425840a926b8338c1e25 ]
The indirect IO is necessary for RTL8822CS, but not necessary for other
chips. Otherwiese, it throws errors and becomes unusable.
rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0
rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0
rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110
rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
By vendor driver, only RTL8822CS and RTL8822ES need indirect IO, but
RTL8822ES isn't supported yet. Therefore, limit it to RTL8822CS only.
Reported-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Closes: https://lore.kernel.org/linux-wireless/07a32e2d6c764eb1bd9415b5a921a652@realtek.com/T/#m997b4522f7209ba629561c776bfd1d13ab24c1d4
Fixes: 58de1f91e033 ("wifi: rtw88: sdio: use indirect IO for device registers before power-on")
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Tested-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Link: https://patch.msgid.link/1764034729-1251-1-git-send-email-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/sdio.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
index d6bea5ec8e24..d8db341a5731 100644
--- a/drivers/net/wireless/realtek/rtw88/sdio.c
+++ b/drivers/net/wireless/realtek/rtw88/sdio.c
@@ -144,8 +144,10 @@ static u32 rtw_sdio_to_io_address(struct rtw_dev *rtwdev, u32 addr,
static bool rtw_sdio_use_direct_io(struct rtw_dev *rtwdev, u32 addr)
{
+ bool might_indirect_under_power_off = rtwdev->chip->id == RTW_CHIP_TYPE_8822C;
+
if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags) &&
- !rtw_sdio_is_bus_addr(addr))
+ !rtw_sdio_is_bus_addr(addr) && might_indirect_under_power_off)
return false;
return !rtw_sdio_is_sdio30_supported(rtwdev) ||
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 295/567] wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 294/567] wifi: rtw88: limit indirect IO under powered off for RTL8822CS Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 296/567] wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() Greg Kroah-Hartman
` (285 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Morning Star, Ping-Ke Shih,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Morning Star <alexbestoso@gmail.com>
[ Upstream commit dd39edb445f07400e748da967a07d5dca5c5f96e ]
TID getting from ieee80211_get_tid() might be out of range of array size
of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise,
UBSAN warn:
UBSAN: array-index-out-of-bounds in drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c:514:30
index 10 is out of range for type 'rtl_tid_data [9]'
Fixes: 8ca4cdef9329 ("wifi: rtlwifi: rtl8192cu: Fix TX aggregation")
Signed-off-by: Morning Star <alexbestoso@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/1764232628-13625-1-git-send-email-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
index aa702ba7c9f5..d6c35e8d02a5 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192cu/trx.c
@@ -511,7 +511,8 @@ void rtl92cu_tx_fill_desc(struct ieee80211_hw *hw,
if (sta) {
sta_entry = (struct rtl_sta_info *)sta->drv_priv;
tid = ieee80211_get_tid(hdr);
- agg_state = sta_entry->tids[tid].agg.agg_state;
+ if (tid < MAX_TID_COUNT)
+ agg_state = sta_entry->tids[tid].agg.agg_state;
ampdu_density = sta->deflink.ht_cap.ampdu_density;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 296/567] wifi: cfg80211: sme: store capped length in __cfg80211_connect_result()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 295/567] wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 297/567] wifi: mac80211: do not use old MBSSID elements Greg Kroah-Hartman
` (284 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Johannes Berg,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ]
The QGenie AI code review tool says we should store the capped length to
wdev->u.client.ssid_len. The AI is correct.
Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/sme.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index e0d3c713538b..d8250ae17d94 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -913,7 +913,7 @@ void __cfg80211_connect_result(struct net_device *dev,
ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
- wdev->u.client.ssid_len = ssid->datalen;
+ wdev->u.client.ssid_len = ssid_len;
break;
}
rcu_read_unlock();
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 297/567] wifi: mac80211: do not use old MBSSID elements
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 296/567] wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 298/567] i40e: fix scheduling in set_rx_mode Greg Kroah-Hartman
` (283 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aloka Dixit, Johannes Berg,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ]
When userspace brings down and deletes a non-transmitted profile,
it is expected to send a new updated Beacon template for the
transmitted profile of that multiple BSSID (MBSSID) group which
does not include the removed profile in MBSSID element. This
update comes via NL80211_CMD_SET_BEACON.
Such updates work well as long as the group continues to have at
least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS
is included in the new Beacon template.
But when the last non-trasmitted profile is removed, it still
gets included in Beacon templates sent to driver. This happens
because when no MBSSID elements are sent by the userspace,
ieee80211_assign_beacon() ends up using the element stored from
earlier Beacon template.
Do not copy old MBSSID elements, instead userspace should always
include these when applicable.
Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode")
Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/cfg.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 2df4df75f195..0abb687fd58d 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1140,7 +1140,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
size = sizeof(*new) + new_head_len + new_tail_len;
- /* new or old multiple BSSID elements? */
if (params->mbssid_ies) {
mbssid = params->mbssid_ies;
size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
@@ -1150,15 +1149,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
}
size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
mbssid->cnt);
- } else if (old && old->mbssid_ies) {
- mbssid = old->mbssid_ies;
- size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
- if (old && old->rnr_ies) {
- rnr = old->rnr_ies;
- size += struct_size(new->rnr_ies, elem, rnr->cnt);
- }
- size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
- mbssid->cnt);
}
new = kzalloc(size, GFP_KERNEL);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 298/567] i40e: fix scheduling in set_rx_mode
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 297/567] wifi: mac80211: do not use old MBSSID elements Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 299/567] i40e: validate ring_len parameter against hardware-specific values Greg Kroah-Hartman
` (282 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Grzegorz Nitka, Jacob Keller,
Aleksandr Loktionov, Przemyslaw Korba, Tony Nguyen, Sasha Levin,
Rinitha S
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Przemyslaw Korba <przemyslaw.korba@intel.com>
[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
Add service task schedule to set_rx_mode.
In some cases there are error messages printed out in PTP application
(ptp4l):
ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
This happens when service task would not run immediately after
set_rx_mode, and we need it for setup tasks. This service task checks, if
PTP RX packets are hung in firmware, and propagate correct settings such
as multicast address for IEEE 1588 Precision Time Protocol.
RX timestamping depends on some of these filters set. Bug happens only
with high PTP packets frequency incoming, and not every run since
sometimes service task is being ran from a different place immediately
after starting ptp4l.
Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops")
Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index eae5923104f7..2dc737c7e3fd 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -2256,6 +2256,7 @@ static void i40e_set_rx_mode(struct net_device *netdev)
vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state);
}
+ i40e_service_event_schedule(vsi->back);
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 299/567] i40e: validate ring_len parameter against hardware-specific values
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 298/567] i40e: fix scheduling in set_rx_mode Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 300/567] iavf: fix off-by-one issues in iavf_config_rss_reg() Greg Kroah-Hartman
` (281 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gregory Herrero, Rafal Romanowski,
Aleksandr Loktionov, Tony Nguyen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gregory Herrero <gregory.herrero@oracle.com>
[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ]
The maximum number of descriptors supported by the hardware is
hardware-dependent and can be retrieved using
i40e_get_max_num_descriptors(). Move this function to a shared header
and use it when checking for valid ring_len parameter rather than using
hardcoded value.
By fixing an over-acceptance issue, behavior change could be seen where
ring_len could now be rejected while configuring rx and tx queues if its
size is larger than the hardware-dependent maximum number of
descriptors.
Fixes: 55d225670def ("i40e: add validation for ring_len param")
Signed-off-by: Gregory Herrero <gregory.herrero@oracle.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e.h | 11 +++++++++++
drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 ------------
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++--
3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
index b8de97343ad3..de3d5e5b8306 100644
--- a/drivers/net/ethernet/intel/i40e/i40e.h
+++ b/drivers/net/ethernet/intel/i40e/i40e.h
@@ -1415,4 +1415,15 @@ static inline struct i40e_veb *i40e_pf_get_main_veb(struct i40e_pf *pf)
return (pf->lan_veb != I40E_NO_VEB) ? pf->veb[pf->lan_veb] : NULL;
}
+static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf)
+{
+ const struct i40e_hw *hw = &pf->hw;
+
+ switch (hw->mac.type) {
+ case I40E_MAC_XL710:
+ return I40E_MAX_NUM_DESCRIPTORS_XL710;
+ default:
+ return I40E_MAX_NUM_DESCRIPTORS;
+ }
+}
#endif /* _I40E_H_ */
diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
index bce5b76f1e7a..9a96f67fb648 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
@@ -2010,18 +2010,6 @@ static void i40e_get_drvinfo(struct net_device *netdev,
drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN;
}
-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf)
-{
- struct i40e_hw *hw = &pf->hw;
-
- switch (hw->mac.type) {
- case I40E_MAC_XL710:
- return I40E_MAX_NUM_DESCRIPTORS_XL710;
- default:
- return I40E_MAX_NUM_DESCRIPTORS;
- }
-}
-
static void i40e_get_ringparam(struct net_device *netdev,
struct ethtool_ringparam *ring,
struct kernel_ethtool_ringparam *kernel_ring,
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 646e394f5190..3251ffa7d994 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id,
/* ring_len has to be multiple of 8 */
if (!IS_ALIGNED(info->ring_len, 8) ||
- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
+ info->ring_len > i40e_get_max_num_descriptors(pf)) {
ret = -EINVAL;
goto error_context;
}
@@ -726,7 +726,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id,
/* ring_len has to be multiple of 32 */
if (!IS_ALIGNED(info->ring_len, 32) ||
- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
+ info->ring_len > i40e_get_max_num_descriptors(pf)) {
ret = -EINVAL;
goto error_param;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 300/567] iavf: fix off-by-one issues in iavf_config_rss_reg()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 299/567] i40e: validate ring_len parameter against hardware-specific values Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 301/567] idpf: reduce mbx_task schedule delay to 300us Greg Kroah-Hartman
` (280 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Aleksandr Loktionov,
Przemek Kitszel, Rafal Romanowski, Tony Nguyen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <enjuk@amazon.com>
[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
There are off-by-one bugs when configuring RSS hash key and lookup
table, causing out-of-bounds reads to memory [1] and out-of-bounds
writes to device registers.
Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
the loop upper bounds were:
i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
which is safe since the value is the last valid index.
That commit changed the bounds to:
i <= adapter->rss_{key,lut}_size / 4
where `rss_{key,lut}_size / 4` is the number of dwords, so the last
valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
accesses one element past the end.
Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
the bounds.
[1] KASAN splat about rss_key_size off-by-one
BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: iavf iavf_watchdog_task
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xb0
print_report+0x170/0x4f3
kasan_report+0xe1/0x1a0
iavf_config_rss+0x619/0x800
iavf_watchdog_task+0x2be7/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 63:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x246/0x6f0
iavf_watchdog_task+0x28fc/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff888102c50100
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
allocated 52-byte region [ffff888102c50100, ffff888102c50134)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
^
ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
Signed-off-by: Kohei Enju <enjuk@amazon.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index 5516795cc250..422af897d933 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -1718,11 +1718,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter)
u16 i;
dw = (u32 *)adapter->rss_key;
- for (i = 0; i <= adapter->rss_key_size / 4; i++)
+ for (i = 0; i < adapter->rss_key_size / 4; i++)
wr32(hw, IAVF_VFQF_HKEY(i), dw[i]);
dw = (u32 *)adapter->rss_lut;
- for (i = 0; i <= adapter->rss_lut_size / 4; i++)
+ for (i = 0; i < adapter->rss_lut_size / 4; i++)
wr32(hw, IAVF_VFQF_HLUT(i), dw[i]);
iavf_flush(hw);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 301/567] idpf: reduce mbx_task schedule delay to 300us
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 300/567] iavf: fix off-by-one issues in iavf_config_rss_reg() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 302/567] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt Greg Kroah-Hartman
` (279 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Vazquez, Aleksandr Loktionov,
Samuel Salin, Tony Nguyen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Vazquez <brianvv@google.com>
[ Upstream commit b3d6bbae1d6d5638a4ab702ab195476787cde857 ]
During the IDPF init phase, the mailbox runs in poll mode until it is
configured to properly handle interrupts. The previous delay of 300ms is
excessively long for the mailbox polling mechanism, which causes a slow
initialization of ~2s:
echo 0000:06:12.4 > /sys/bus/pci/drivers/idpf/bind
[ 52.444239] idpf 0000:06:12.4: enabling device (0000 -> 0002)
[ 52.485005] idpf 0000:06:12.4: Device HW Reset initiated
[ 54.177181] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP
[ 54.206177] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default
[ 54.206182] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default
Changing the delay to 300us avoids the delays during the initial mailbox
transactions, making the init phase much faster:
[ 83.342590] idpf 0000:06:12.4: enabling device (0000 -> 0002)
[ 83.384402] idpf 0000:06:12.4: Device HW Reset initiated
[ 83.518323] idpf 0000:06:12.4: PTP init failed, err=-EOPNOTSUPP
[ 83.547430] idpf 0000:06:12.4: Minimum RX descriptor support not provided, using the default
[ 83.547435] idpf 0000:06:12.4: Minimum TX descriptor support not provided, using the default
Fixes: 4930fbf419a7 ("idpf: add core init and interrupt request")
Signed-off-by: Brian Vazquez <brianvv@google.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_lib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index 371fc5052420..173ddc248867 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -1214,7 +1214,7 @@ void idpf_mbx_task(struct work_struct *work)
idpf_mb_irq_enable(adapter);
else
queue_delayed_work(adapter->mbx_wq, &adapter->mbx_task,
- msecs_to_jiffies(300));
+ usecs_to_jiffies(300));
idpf_recv_mb_msg(adapter);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 302/567] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 301/567] idpf: reduce mbx_task schedule delay to 300us Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 303/567] Bluetooth: btusb: revert use of devm_kzalloc in btusb Greg Kroah-Hartman
` (278 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiumei Mu, Xin Long, Herbert Xu,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
As soon as crypto_aead_encrypt is called, the underlying request
may be freed by an asynchronous completion. Thus dereferencing
req->iv after it returns is invalid.
Instead of checking req->iv against info, create a new variable
unaligned_info and use it for that purpose instead.
Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
Reported-by: Xiumei Mu <xmu@redhat.com>
Reported-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/seqiv.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/crypto/seqiv.c b/crypto/seqiv.c
index 17e11d51ddc3..04928df0095b 100644
--- a/crypto/seqiv.c
+++ b/crypto/seqiv.c
@@ -50,6 +50,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
struct aead_request *subreq = aead_request_ctx(req);
crypto_completion_t compl;
+ bool unaligned_info;
void *data;
u8 *info;
unsigned int ivsize = 8;
@@ -79,8 +80,9 @@ static int seqiv_aead_encrypt(struct aead_request *req)
return err;
}
- if (unlikely(!IS_ALIGNED((unsigned long)info,
- crypto_aead_alignmask(geniv) + 1))) {
+ unaligned_info = !IS_ALIGNED((unsigned long)info,
+ crypto_aead_alignmask(geniv) + 1);
+ if (unlikely(unaligned_info)) {
info = kmemdup(req->iv, ivsize, req->base.flags &
CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
GFP_ATOMIC);
@@ -100,7 +102,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
err = crypto_aead_encrypt(subreq);
- if (unlikely(info != req->iv))
+ if (unlikely(unaligned_info))
seqiv_aead_encrypt_complete2(req, err);
return err;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 303/567] Bluetooth: btusb: revert use of devm_kzalloc in btusb
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 302/567] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 304/567] net: mdio: aspeed: add dummy read to avoid read-after-write issue Greg Kroah-Hartman
` (277 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Pinsonneault-Thibeault,
Luiz Augusto von Dentz, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ]
This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
btusb.c file").
In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
ties the lifetime of all the btusb data to the binding of a driver to
one interface, INTF. In a driver that binds to other interfaces, ISOC
and DIAG, this is an accident waiting to happen.
The issue is revealed in btusb_disconnect(), where calling
usb_driver_release_interface(&btusb_driver, data->intf) will have devm
free the data that is also being used by the other interfaces of the
driver that may not be released yet.
To fix this, revert the use of devm and go back to freeing memory
explicitly.
Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index fc7b3e02f14b..603ff13d9f7c 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -3835,7 +3835,7 @@ static int btusb_probe(struct usb_interface *intf,
return -ENODEV;
}
- data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
+ data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data)
return -ENOMEM;
@@ -3858,8 +3858,10 @@ static int btusb_probe(struct usb_interface *intf,
}
}
- if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
+ if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) {
+ kfree(data);
return -ENODEV;
+ }
if (id->driver_info & BTUSB_AMP) {
data->cmdreq_type = USB_TYPE_CLASS | 0x01;
@@ -3914,8 +3916,10 @@ static int btusb_probe(struct usb_interface *intf,
data->recv_acl = hci_recv_frame;
hdev = hci_alloc_dev_priv(priv_size);
- if (!hdev)
+ if (!hdev) {
+ kfree(data);
return -ENOMEM;
+ }
hdev->bus = HCI_USB;
hci_set_drvdata(hdev, data);
@@ -4187,6 +4191,7 @@ static int btusb_probe(struct usb_interface *intf,
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
hci_free_dev(hdev);
+ kfree(data);
return err;
}
@@ -4235,6 +4240,7 @@ static void btusb_disconnect(struct usb_interface *intf)
}
hci_free_dev(hdev);
+ kfree(data);
}
#ifdef CONFIG_PM
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 304/567] net: mdio: aspeed: add dummy read to avoid read-after-write issue
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 303/567] Bluetooth: btusb: revert use of devm_kzalloc in btusb Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 305/567] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy Greg Kroah-Hartman
` (276 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacky Chou, Andrew Lunn, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacky Chou <jacky_chou@aspeedtech.com>
[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
The Aspeed MDIO controller may return incorrect data when a read operation
follows immediately after a write. Due to a controller bug, the subsequent
read can latch stale data, causing the polling logic to terminate earlier
than expected.
To work around this hardware issue, insert a dummy read after each write
operation. This ensures that the next actual read returns the correct
data and prevents premature polling exit.
This workaround has been verified to stabilize MDIO transactions on
affected Aspeed platforms.
Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mdio/mdio-aspeed.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
index c2170650415c..4f2bd20cdc05 100644
--- a/drivers/net/mdio/mdio-aspeed.c
+++ b/drivers/net/mdio/mdio-aspeed.c
@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
+ /* Workaround for read-after-write issue.
+ * The controller may return stale data if a read follows immediately
+ * after a write. A dummy read forces the hardware to update its
+ * internal state, ensuring that the next real read returns correct data.
+ */
+ ioread32(ctx->base + ASPEED_MDIO_CTRL);
+
return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
!(ctrl & ASPEED_MDIO_CTRL_FIRE),
ASPEED_MDIO_INTERVAL_US,
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 305/567] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 304/567] net: mdio: aspeed: add dummy read to avoid read-after-write issue Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 306/567] ip6_gre: make ip6gre_header() robust Greg Kroah-Hartman
` (275 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Moreno,
Toke Høiland-Jørgensen, Eelco Chaudron, Aaron Conole,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
The openvswitch teardown code will immediately call
ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
It will then start the dp_notify_work workqueue, which will later end up
calling the vport destroy() callback. This callback takes the RTNL to do
another ovs_netdev_detach_port(), which in this case is unnecessary.
This causes extra pressure on the RTNL, in some cases leading to
"unregister_netdevice: waiting for XX to become free" warnings on
teardown.
We can straight-forwardly avoid the extra RTNL lock acquisition by
checking the device flags before taking the lock, and skip the locking
altogether if the IFF_OVS_DATAPATH flag has already been unset.
Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister")
Tested-by: Adrian Moreno <amorenoz@redhat.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/vport-netdev.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
index 91a11067e458..6574f9bcdc02 100644
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -160,10 +160,19 @@ void ovs_netdev_detach_dev(struct vport *vport)
static void netdev_destroy(struct vport *vport)
{
- rtnl_lock();
- if (netif_is_ovs_port(vport->dev))
- ovs_netdev_detach_dev(vport);
- rtnl_unlock();
+ /* When called from ovs_db_notify_wq() after a dp_device_event(), the
+ * port has already been detached, so we can avoid taking the RTNL by
+ * checking this first.
+ */
+ if (netif_is_ovs_port(vport->dev)) {
+ rtnl_lock();
+ /* Check again while holding the lock to ensure we don't race
+ * with the netdev notifier and detach twice.
+ */
+ if (netif_is_ovs_port(vport->dev))
+ ovs_netdev_detach_dev(vport);
+ rtnl_unlock();
+ }
call_rcu(&vport->rcu, vport_netdev_free);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 306/567] ip6_gre: make ip6gre_header() robust
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 305/567] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 307/567] platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names Greg Kroah-Hartman
` (274 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+43a2ebcf2a64b1102d64,
Eric Dumazet, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
Over the years, syzbot found many ways to crash the kernel
in ip6gre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ip6gre device.
[1]
skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:213 !
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_gre.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 68e9a41eed49..1c186d132fe0 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1395,9 +1395,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
{
struct ip6_tnl *t = netdev_priv(dev);
struct ipv6hdr *ipv6h;
+ int needed;
__be16 *p;
- ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
+ needed = t->hlen + sizeof(*ipv6h);
+ if (skb_headroom(skb) < needed &&
+ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
+ 0, GFP_ATOMIC))
+ return -needed;
+
+ ipv6h = skb_push(skb, needed);
ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
t->fl.u.ip6.flowlabel,
true, &t->fl.u.ip6));
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 307/567] platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 306/567] ip6_gre: make ip6gre_header() robust Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 308/567] platform/x86: msi-laptop: add missing sysfs_remove_group() Greg Kroah-Hartman
` (273 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shravan Kumar Ramani, David Thompson,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shravan Kumar Ramani <shravankr@nvidia.com>
[ Upstream commit f13bce715d1600698310a4a7832f6a52499d5395 ]
Some event names have trailing whitespaces at the end which causes programming
of counters using the name for these specific events to fail and hence need to
be removed.
Fixes: 423c3361855c ("platform/mellanox: mlxbf-pmc: Add support for BlueField-3")
Signed-off-by: Shravan Kumar Ramani <shravankr@nvidia.com>
Reviewed-by: David Thompson <davthompson@nvidia.com>
Link: https://patch.msgid.link/065cbae0717dcc1169681c4dbb1a6e050b8574b3.1766059953.git.shravankr@nvidia.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/mellanox/mlxbf-pmc.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/platform/mellanox/mlxbf-pmc.c b/drivers/platform/mellanox/mlxbf-pmc.c
index 9a0220b4de3c..67d9b19731ed 100644
--- a/drivers/platform/mellanox/mlxbf-pmc.c
+++ b/drivers/platform/mellanox/mlxbf-pmc.c
@@ -796,18 +796,18 @@ static const struct mlxbf_pmc_events mlxbf_pmc_llt_miss_events[] = {
{11, "GDC_MISS_MACHINE_CHI_TXDAT"},
{12, "GDC_MISS_MACHINE_CHI_RXDAT"},
{13, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_0"},
- {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1 "},
+ {14, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_1"},
{15, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_2"},
- {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3 "},
- {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0 "},
- {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1 "},
- {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2 "},
- {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3 "},
+ {16, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC0_3"},
+ {17, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_0"},
+ {18, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_1"},
+ {19, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_2"},
+ {20, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC1_3"},
{21, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_0"},
{22, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_1"},
{23, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_2"},
{24, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE0_3"},
- {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0 "},
+ {25, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_0"},
{26, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_1"},
{27, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_2"},
{28, "GDC_MISS_MACHINE_G_FIFO_FF_EXEC_DONE1_3"},
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 308/567] platform/x86: msi-laptop: add missing sysfs_remove_group()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 307/567] platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 309/567] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic Greg Kroah-Hartman
` (272 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Ilpo Järvinen,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
A sysfs group is created in msi_init() when old_ec_model is enabled, but
never removed. Remove the msipf_old_attribute_group in that case.
Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/msi-laptop.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
index e5391a37014d..db3dadd29b29 100644
--- a/drivers/platform/x86/msi-laptop.c
+++ b/drivers/platform/x86/msi-laptop.c
@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void)
sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group);
if (!quirks->old_ec_model && threeg_exists)
device_remove_file(&msipf_device->dev, &dev_attr_threeg);
+ if (quirks->old_ec_model)
+ sysfs_remove_group(&msipf_device->dev.kobj,
+ &msipf_old_attribute_group);
platform_device_unregister(msipf_device);
platform_driver_unregister(&msipf_driver);
backlight_device_unregister(msibl_device);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 309/567] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 308/567] platform/x86: msi-laptop: add missing sysfs_remove_group() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 310/567] team: fix check for port enabled in team_queue_override_port_prio_changed() Greg Kroah-Hartman
` (271 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
The ibm_rtl_init() function searches for the signature but has a pointer
arithmetic error. The loop counter suggests searching at 4-byte intervals
but the implementation only advances by 1 byte per iteration.
Fix by properly advancing the pointer by sizeof(unsigned int) bytes
each iteration.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/ibm_rtl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
index 231b37909801..139956168cf9 100644
--- a/drivers/platform/x86/ibm_rtl.c
+++ b/drivers/platform/x86/ibm_rtl.c
@@ -273,7 +273,7 @@ static int __init ibm_rtl_init(void) {
/* search for the _RTL_ signature at the start of the table */
for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) {
struct ibm_rtl_table __iomem * tmp;
- tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i);
+ tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int));
if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) {
phys_addr_t addr;
unsigned int plen;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 310/567] team: fix check for port enabled in team_queue_override_port_prio_changed()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 309/567] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 311/567] net: dsa: fix missing put_device() in dsa_tree_find_first_conduit() Greg Kroah-Hartman
` (270 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+422806e5f4cce722a71f,
Jiri Pirko, Simon Horman, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Pirko <jiri@nvidia.com>
[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
There has been a syzkaller bug reported recently with the following
trace:
list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:59!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del_rcu include/linux/rculist.h:178 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
team_option_set drivers/net/team/team_core.c:376 [inline]
team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmsg+0x16d/0x220 net/socket.c:2716
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The problem is in this flow:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
-> team_port_disable()
-> team_queue_override_port_del()
-> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
-> team_queue_override_port_prio_changed()
-> checks: port disabled && queue_id != 0
-> calls del - hits the BUG as it is removed already
To fix this, change the check in team_queue_override_port_prio_changed()
so it returns early if port is not enabled.
Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/team/team_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/team/team_core.c b/drivers/net/team/team_core.c
index 94c40c5cebdd..50732f9699ee 100644
--- a/drivers/net/team/team_core.c
+++ b/drivers/net/team/team_core.c
@@ -877,7 +877,7 @@ static void __team_queue_override_enabled_check(struct team *team)
static void team_queue_override_port_prio_changed(struct team *team,
struct team_port *port)
{
- if (!port->queue_id || team_port_enabled(port))
+ if (!port->queue_id || !team_port_enabled(port))
return;
__team_queue_override_port_del(team, port);
__team_queue_override_port_add(team, port);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 311/567] net: dsa: fix missing put_device() in dsa_tree_find_first_conduit()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 310/567] team: fix check for port enabled in team_queue_override_port_prio_changed() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 312/567] amd-xgbe: reset retries and mode on RX adapt failures Greg Kroah-Hartman
` (269 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit a9f96dc59b4a50ffbf86158f315e115969172d48 ]
of_find_net_device_by_node() searches net devices by their /sys/class/net/,
entry. It is documented in its kernel-doc that:
* If successful, returns a pointer to the net_device with the embedded
* struct device refcount incremented by one, or NULL on failure. The
* refcount must be dropped when done with the net_device.
We are missing a put_device(&conduit->dev) which we could place at the
end of dsa_tree_find_first_conduit(). But to explain why calling
put_device() right away is safe is the same as to explain why the chosen
solution is different.
The code is very poorly split: dsa_tree_find_first_conduit() was first
introduced in commit 95f510d0b792 ("net: dsa: allow the DSA master to be
seen and changed through rtnetlink") but was first used several commits
later, in commit acc43b7bf52a ("net: dsa: allow masters to join a LAG").
Assume there is a switch with 2 CPU ports and 2 conduits, eno2 and eno3.
When we create a LAG (bonding or team device) and place eno2 and eno3
beneath it, we create a 3rd conduit (the LAG device itself), but this is
slightly different than the first two.
Namely, the cpu_dp->conduit pointer of the CPU ports does not change,
and remains pointing towards the physical Ethernet controllers which are
now LAG ports. Only 2 things change:
- the LAG device has a dev->dsa_ptr which marks it as a DSA conduit
- dsa_port_to_conduit(user port) finds the LAG and not the physical
conduit, because of the dp->cpu_port_in_lag bit being set.
When the LAG device is destroyed, dsa_tree_migrate_ports_from_lag_conduit()
is called and this is where dsa_tree_find_first_conduit() kicks in.
This is the logical mistake and the reason why introducing code in one
patch and using it from another is bad practice. I didn't realize that I
don't have to call of_find_net_device_by_node() again; the cpu_dp->conduit
association was never undone, and is still available for direct (re)use.
There's only one concern - maybe the conduit disappeared in the
meantime, but the netdev_hold() call we made during dsa_port_parse_cpu()
(see previous change) ensures that this was not the case.
Therefore, fixing the code means reimplementing it in the simplest way.
I am blaming the time of use, since this is what "git blame" would show
if we were to monitor for the conduit's kobject's refcount remaining
elevated instead of being freed.
Tested on the NXP LS1028A, using the steps from
Documentation/networking/dsa/configuration.rst section "Affinity of user
ports to CPU ports", followed by (extra prints added by me):
$ ip link del bond0
mscc_felix 0000:00:00.5 swp3: Link is Down
bond0 (unregistering): (slave eno2): Releasing backup interface
fsl_enetc 0000:00:00.2 eno2: Link is Down
mscc_felix 0000:00:00.5 swp0: bond0 disappeared, migrating to eno2
mscc_felix 0000:00:00.5 swp1: bond0 disappeared, migrating to eno2
mscc_felix 0000:00:00.5 swp2: bond0 disappeared, migrating to eno2
mscc_felix 0000:00:00.5 swp3: bond0 disappeared, migrating to eno2
Fixes: acc43b7bf52a ("net: dsa: allow masters to join a LAG")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20251215150236.3931670-2-vladimir.oltean@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/dsa/dsa.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
index ac3a252969cb..97599e0d5a1d 100644
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -366,16 +366,10 @@ static struct dsa_port *dsa_tree_find_first_cpu(struct dsa_switch_tree *dst)
struct net_device *dsa_tree_find_first_conduit(struct dsa_switch_tree *dst)
{
- struct device_node *ethernet;
- struct net_device *conduit;
struct dsa_port *cpu_dp;
cpu_dp = dsa_tree_find_first_cpu(dst);
- ethernet = of_parse_phandle(cpu_dp->dn, "ethernet", 0);
- conduit = of_find_net_device_by_node(ethernet);
- of_node_put(ethernet);
-
- return conduit;
+ return cpu_dp->conduit;
}
/* Assign the default CPU port (the first one in the tree) to all ports of the
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 312/567] amd-xgbe: reset retries and mode on RX adapt failures
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 311/567] net: dsa: fix missing put_device() in dsa_tree_find_first_conduit() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 313/567] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure Greg Kroah-Hartman
` (268 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Simon Horman,
Shyam Sundar S K, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit df60c332caf95d70f967aeace826e7e2f0847361 ]
During the stress tests, early RX adaptation handshakes can fail, such
as missing the RX_ADAPT ACK or not receiving a coefficient update before
block lock is established. Continuing to retry RX adaptation in this
state is often ineffective if the current mode selection is not viable.
Resetting the RX adaptation retry counter when an RX_ADAPT request fails
to receive ACK or a coefficient update prior to block lock, and clearing
mode_set so the next bring-up performs a fresh mode selection rather
than looping on a likely invalid configuration.
Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Link: https://patch.msgid.link/20251215151728.311713-1-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index 32e633d11348..6d2c401bb246 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -2036,6 +2036,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata,
{
if (pdata->rx_adapt_retries++ >= MAX_RX_ADAPT_RETRIES) {
pdata->rx_adapt_retries = 0;
+ pdata->mode_set = false;
return;
}
@@ -2082,6 +2083,7 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
*/
netif_dbg(pdata, link, pdata->netdev, "Block_lock done");
pdata->rx_adapt_done = true;
+ pdata->rx_adapt_retries = 0;
pdata->mode_set = false;
return;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 313/567] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 312/567] amd-xgbe: reset retries and mode on RX adapt failures Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 314/567] selftests: net: fix "buffer overflow detected" for tap.c Greg Kroah-Hartman
` (267 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8dd915c7cb0490fc8c52,
Deepakkumar Karn, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepakkumar Karn <dkarn@redhat.com>
[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
In async_set_registers(), when usb_submit_urb() fails, the allocated
async_req structure and URB are not freed, causing a memory leak.
The completion callback async_set_reg_cb() is responsible for freeing
these allocations, but it is only called after the URB is successfully
submitted and completes (successfully or with error). If submission
fails, the callback never runs and the memory is leaked.
Fix this by freeing both the URB and the request structure in the error
path when usb_submit_urb() fails.
Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 278e6cb6f4d9..e40b0669d9f4 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
if (res == -ENODEV)
netif_device_detach(dev->netdev);
dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
+ kfree(req);
+ usb_free_urb(async_urb);
}
return res;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 314/567] selftests: net: fix "buffer overflow detected" for tap.c
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 313/567] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 315/567] smc91x: fix broken irq-context in PREEMPT_RT Greg Kroah-Hartman
` (266 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alice C. Munduruca, Cengiz Can,
Willem de Bruijn, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice C. Munduruca <alice.munduruca@canonical.com>
[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ]
When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3',
the strcpy() in rtattr_add_strsz() is replaced with a checked
version which causes the test to consistently fail when compiled
with toolchains for which this option is enabled by default.
TAP version 13
1..3
# Starting 3 tests from 1 test cases.
# RUN tap.test_packet_valid_udp_gso ...
*** buffer overflow detected ***: terminated
# test_packet_valid_udp_gso: Test terminated by assertion
# FAIL tap.test_packet_valid_udp_gso
not ok 1 tap.test_packet_valid_udp_gso
# RUN tap.test_packet_valid_udp_csum ...
*** buffer overflow detected ***: terminated
# test_packet_valid_udp_csum: Test terminated by assertion
# FAIL tap.test_packet_valid_udp_csum
not ok 2 tap.test_packet_valid_udp_csum
# RUN tap.test_packet_crash_tap_invalid_eth_proto ...
*** buffer overflow detected ***: terminated
# test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion
# FAIL tap.test_packet_crash_tap_invalid_eth_proto
not ok 3 tap.test_packet_crash_tap_invalid_eth_proto
# FAILED: 0 / 3 tests passed.
# Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0
A buffer overflow is detected by the fortified glibc __strcpy_chk()
since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly
reported as 1, even though there is ample space in its bounding
buffer `req`.
Additionally, given that IFLA_IFNAME also expects a null-terminated
string, callers of rtaddr_add_str{,sz}() could simply use the
rtaddr_add_strsz() variant. (which has been renamed to remove the
trailing `sz`) memset() has been used for this function since it
is unchecked and thus circumvents the issue discussed in the
previous paragraph.
Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver")
Signed-off-by: Alice C. Munduruca <alice.munduruca@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/tap.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c
index 247c3b3ac1c9..51a209014f1c 100644
--- a/tools/testing/selftests/net/tap.c
+++ b/tools/testing/selftests/net/tap.c
@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type,
const char *s)
{
- struct rtattr *rta = rtattr_add(nh, type, strlen(s));
+ unsigned int strsz = strlen(s) + 1;
+ struct rtattr *rta;
- memcpy(RTA_DATA(rta), s, strlen(s));
- return rta;
-}
-
-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type,
- const char *s)
-{
- struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1);
+ rta = rtattr_add(nh, type, strsz);
- strcpy(RTA_DATA(rta), s);
+ memcpy(RTA_DATA(rta), s, strsz);
return rta;
}
@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type,
link_info = rtattr_begin(&req.nh, IFLA_LINKINFO);
- rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type);
+ rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type);
if (fill_info_data) {
info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 315/567] smc91x: fix broken irq-context in PREEMPT_RT
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 314/567] selftests: net: fix "buffer overflow detected" for tap.c Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 316/567] genalloc.h: fix htmldocs warning Greg Kroah-Hartman
` (265 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yeoreum Yun, Simon Horman,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yeoreum Yun <yeoreum.yun@arm.com>
[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ]
When smc91x.c is built with PREEMPT_RT, the following splat occurs
in FVP_RevC:
[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
[ 13.062266] C
** replaying previous printk message **
[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
[ 13.062353] Hardware name: , BIOS
[ 13.062382] Workqueue: mld mld_ifc_work
[ 13.062469] Call trace:
[ 13.062494] show_stack+0x24/0x40 (C)
[ 13.062602] __dump_stack+0x28/0x48
[ 13.062710] dump_stack_lvl+0x7c/0xb0
[ 13.062818] dump_stack+0x18/0x34
[ 13.062926] process_scheduled_works+0x294/0x450
[ 13.063043] worker_thread+0x260/0x3d8
[ 13.063124] kthread+0x1c4/0x228
[ 13.063235] ret_from_fork+0x10/0x20
This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: <linux/spinlock_rt.h>")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/smsc/smc91x.c | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c
index a5e23e2da90f..953a1d22e60a 100644
--- a/drivers/net/ethernet/smsc/smc91x.c
+++ b/drivers/net/ethernet/smsc/smc91x.c
@@ -516,15 +516,7 @@ static inline void smc_rcv(struct net_device *dev)
* any other concurrent access and C would always interrupt B. But life
* isn't that easy in a SMP world...
*/
-#define smc_special_trylock(lock, flags) \
-({ \
- int __ret; \
- local_irq_save(flags); \
- __ret = spin_trylock(lock); \
- if (!__ret) \
- local_irq_restore(flags); \
- __ret; \
-})
+#define smc_special_trylock(lock, flags) spin_trylock_irqsave(lock, flags)
#define smc_special_lock(lock, flags) spin_lock_irqsave(lock, flags)
#define smc_special_unlock(lock, flags) spin_unlock_irqrestore(lock, flags)
#else
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 316/567] genalloc.h: fix htmldocs warning
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 315/567] smc91x: fix broken irq-context in PREEMPT_RT Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 317/567] firewire: nosy: Fix dma_free_coherent() size Greg Kroah-Hartman
` (264 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Randy Dunlap,
Alexey Skidanov, Andrew Morton, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Morton <akpm@linux-foundation.org>
[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Alexey Skidanov <alexey.skidanov@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/genalloc.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h
index 0bd581003cd5..60de63e46b33 100644
--- a/include/linux/genalloc.h
+++ b/include/linux/genalloc.h
@@ -44,6 +44,7 @@ struct gen_pool;
* @nr: The number of zeroed bits we're looking for
* @data: optional additional data used by the callback
* @pool: the pool being allocated from
+ * @start_addr: start address of memory chunk
*/
typedef unsigned long (*genpool_algo_t)(unsigned long *map,
unsigned long size,
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 317/567] firewire: nosy: Fix dma_free_coherent() size
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 316/567] genalloc.h: fix htmldocs warning Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 318/567] net: dsa: b53: skip multicast entries for fdb_dump() Greg Kroah-Hartman
` (263 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Christophe JAILLET,
Takashi Sakamoto, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
It looks like the buffer allocated and mapped in add_card() is done
with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firewire/nosy.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
index ea31ac7ac1ca..e59053738a43 100644
--- a/drivers/firewire/nosy.c
+++ b/drivers/firewire/nosy.c
@@ -36,6 +36,8 @@
static char driver_name[] = KBUILD_MODNAME;
+#define RCV_BUFFER_SIZE (16 * 1024)
+
/* this is the physical layout of a PCL, its size is 128 bytes */
struct pcl {
__le32 next;
@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev)
lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
lynx->rcv_pcl, lynx->rcv_pcl_bus);
- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
- lynx->rcv_buffer_bus);
+ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
+ lynx->rcv_buffer, lynx->rcv_buffer_bus);
iounmap(lynx->registers);
pci_disable_device(dev);
lynx_put(lynx);
}
-#define RCV_BUFFER_SIZE (16 * 1024)
-
static int
add_card(struct pci_dev *dev, const struct pci_device_id *unused)
{
@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
lynx->rcv_pcl, lynx->rcv_pcl_bus);
if (lynx->rcv_buffer)
- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
+ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
lynx->rcv_buffer, lynx->rcv_buffer_bus);
iounmap(lynx->registers);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 318/567] net: dsa: b53: skip multicast entries for fdb_dump()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 317/567] firewire: nosy: Fix dma_free_coherent() size Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 319/567] kbuild: fix compilation of dtb specified on command-line without make rule Greg Kroah-Hartman
` (262 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Florian Fainelli,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
port_fdb_dump() is supposed to only add fdb entries, but we iterate over
the full ARL table, which also includes multicast entries.
So check if the entry is a multicast entry before passing it on to the
callback().
Additionally, the port of those entries is a bitmask, not a port number,
so any included entries would have even be for the wrong port.
Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index 01eb62706412..0b666a77ea97 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -1972,6 +1972,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent,
if (!ent->is_valid)
return 0;
+ if (is_multicast_ether_addr(ent->mac))
+ return 0;
+
if (port != ent->port)
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 319/567] kbuild: fix compilation of dtb specified on command-line without make rule
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 318/567] net: dsa: b53: skip multicast entries for fdb_dump() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 320/567] net: usb: asix: validate PHY address before use Greg Kroah-Hartman
` (261 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas De Schampheleire,
Nathan Chancellor, Rob Herring (Arm), Nicolas Schier, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
[ Upstream commit b08fc4d0ec2466558f6d5511434efdfabbddf2a6 ]
Since commit e7e2941300d2 ("kbuild: split device tree build rules into
scripts/Makefile.dtbs"), it is no longer possible to compile a device tree
blob that is not specified in a make rule
like:
dtb-$(CONFIG_FOO) += foo.dtb
Before the mentioned commit, one could copy a dts file to e.g.
arch/arm64/boot/dts/ (or a new subdirectory) and then convert it to a dtb
file using:
make ARCH=arm64 foo.dtb
In this scenario, both 'dtb-y' and 'dtb-' are empty, and the inclusion of
scripts/Makefile.dtbs relies on 'targets' to contain the MAKECMDGOALS. The
value of 'targets', however, is only final later in the code.
Move the conditional include of scripts/Makefile.dtbs down to where the
value of 'targets' is final. Since Makefile.dtbs updates 'always-y' which is
used as a prerequisite in the build rule, the build rule also needs to move
down.
Fixes: e7e2941300d2 ("kbuild: split device tree build rules into scripts/Makefile.dtbs")
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Rob Herring (Arm) <robh@kernel.org>
Link: https://patch.msgid.link/20251126100017.1162330-1-thomas.de_schampheleire@nokia.com
Signed-off-by: Nicolas Schier <nsc@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/Makefile.build | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/scripts/Makefile.build b/scripts/Makefile.build
index 2c5c1a214f3b..6e07023b5442 100644
--- a/scripts/Makefile.build
+++ b/scripts/Makefile.build
@@ -449,18 +449,6 @@ ifneq ($(userprogs),)
include $(srctree)/scripts/Makefile.userprogs
endif
-ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),)
-include $(srctree)/scripts/Makefile.dtbs
-endif
-
-# Build
-# ---------------------------------------------------------------------------
-
-$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \
- $(if $(KBUILD_MODULES), $(targets-for-modules)) \
- $(subdir-ym) $(always-y)
- @:
-
# Single targets
# ---------------------------------------------------------------------------
@@ -490,6 +478,20 @@ FORCE:
targets += $(filter-out $(single-subdir-goals), $(MAKECMDGOALS))
targets := $(filter-out $(PHONY), $(targets))
+# Now that targets is fully known, include dtb rules if needed
+ifneq ($(need-dtbslist)$(dtb-y)$(dtb-)$(filter %.dtb %.dtb.o %.dtbo.o,$(targets)),)
+include $(srctree)/scripts/Makefile.dtbs
+endif
+
+# Build
+# Needs to be after the include of Makefile.dtbs, which updates always-y
+# ---------------------------------------------------------------------------
+
+$(obj)/: $(if $(KBUILD_BUILTIN), $(targets-for-builtin)) \
+ $(if $(KBUILD_MODULES), $(targets-for-modules)) \
+ $(subdir-ym) $(always-y)
+ @:
+
# Read all saved command lines and dependencies for the $(targets) we
# may be building above, using $(if_changed{,_dep}). As an
# optimization, we don't need to read them if the target does not
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 320/567] net: usb: asix: validate PHY address before use
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 319/567] kbuild: fix compilation of dtb specified on command-line without make rule Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 321/567] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct Greg Kroah-Hartman
` (260 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3d43c9066a5b54902232,
Deepanshu Kartikey, Andrew Lunn, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]
The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():
addr 207 out of range
WARNING: drivers/net/phy/mdio_bus.c:76
Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.
Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/asix_common.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
index 7fd763917ae2..6ab3486072cb 100644
--- a/drivers/net/usb/asix_common.c
+++ b/drivers/net/usb/asix_common.c
@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
offset = (internal ? 1 : 0);
ret = buf[offset];
+ if (ret >= PHY_MAX_ADDR) {
+ netdev_err(dev->net, "invalid PHY address: %d\n", ret);
+ return -ENODEV;
+ }
+
netdev_dbg(dev->net, "%s PHY address 0x%x\n",
internal ? "internal" : "external", ret);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 321/567] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 320/567] net: usb: asix: validate PHY address before use Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 322/567] vfio/pds: Fix memory leak in pds_vfio_dirty_enable() Greg Kroah-Hartman
` (259 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bagas Sanjaya, Nikolay Aleksandrov,
Ido Schimmel, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
Sphinx reports kernel-doc warning:
WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
Fix it by describing @tunnel_hash member.
Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support")
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_private.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 741b0b8c4bab..a2e59108a5dc 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -247,6 +247,7 @@ struct net_bridge_vlan {
* struct net_bridge_vlan_group
*
* @vlan_hash: VLAN entry rhashtable
+ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN
* @vlan_list: sorted VLAN entry list
* @num_vlans: number of total VLAN entries
* @pvid: PVID VLAN id
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 322/567] vfio/pds: Fix memory leak in pds_vfio_dirty_enable()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 321/567] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 323/567] platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing Greg Kroah-Hartman
` (258 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Alex Williamson,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 665077d78dc7941ce6a330c02023a2b469cc8cc7 ]
pds_vfio_dirty_enable() allocates memory for region_info. If
interval_tree_iter_first() returns NULL, the function returns -EINVAL
immediately without freeing the allocated memory, causing a memory leak.
Fix this by jumping to the out_free_region_info label to ensure
region_info is freed.
Fixes: 2e7c6feb4ef52 ("vfio/pds: Add multi-region support")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Link: https://lore.kernel.org/r/20251225143150.1117366-1-zilin@seu.edu.cn
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/pds/dirty.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/vfio/pci/pds/dirty.c b/drivers/vfio/pci/pds/dirty.c
index 481992142f79..4915a7c1c491 100644
--- a/drivers/vfio/pci/pds/dirty.c
+++ b/drivers/vfio/pci/pds/dirty.c
@@ -292,8 +292,11 @@ static int pds_vfio_dirty_enable(struct pds_vfio_pci_device *pds_vfio,
len = num_ranges * sizeof(*region_info);
node = interval_tree_iter_first(ranges, 0, ULONG_MAX);
- if (!node)
- return -EINVAL;
+ if (!node) {
+ err = -EINVAL;
+ goto out_free_region_info;
+ }
+
for (int i = 0; i < num_ranges; i++) {
struct pds_lm_dirty_region_info *ri = ®ion_info[i];
u64 region_size = node->last - node->start + 1;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 323/567] platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 322/567] vfio/pds: Fix memory leak in pds_vfio_dirty_enable() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 324/567] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" Greg Kroah-Hartman
` (257 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit e44c42c830b7ab36e3a3a86321c619f24def5206 ]
The hp_populate_*_elements_from_package() functions in the hp-bioscfg
driver contain out-of-bounds array access vulnerabilities.
These functions parse ACPI packages into internal data structures using
a for loop with index variable 'elem' that iterates through
enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
When processing multi-element fields like PREREQUISITES and
ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
elements using expressions like 'enum_obj[elem + reqs]' and
'enum_obj[elem + pos_values]' within nested loops.
The bug is that the bounds check only validated elem, but did not consider
the additional offset when accessing elem + reqs or elem + pos_values.
The fix changes the bounds check to validate the actual accessed index.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: e6c7b3e15559 ("platform/x86: hp-bioscfg: string-attributes")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 4 ++--
drivers/platform/x86/hp/hp-bioscfg/int-attributes.c | 2 +-
drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 5 +++++
drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +++++
drivers/platform/x86/hp/hp-bioscfg/string-attributes.c | 2 +-
5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
index c50ad5880503..f346aad8e9d8 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
@@ -207,7 +207,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
case PREREQUISITES:
size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
- if (elem >= enum_obj_count) {
+ if (elem + reqs >= enum_obj_count) {
pr_err("Error enum-objects package is too small\n");
return -EINVAL;
}
@@ -255,7 +255,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE;
pos_values++) {
- if (elem >= enum_obj_count) {
+ if (elem + pos_values >= enum_obj_count) {
pr_err("Error enum-objects package is too small\n");
return -EINVAL;
}
diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
index 6c7f4d5fa9cb..63b1fda2be4e 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
@@ -227,7 +227,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_
size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
- if (elem >= integer_obj_count) {
+ if (elem + reqs >= integer_obj_count) {
pr_err("Error elem-objects package is too small\n");
return -EINVAL;
}
diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
index c6e57bb9d8b7..6a31f47ce3f5 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
@@ -216,6 +216,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord
size = min_t(u32, ordered_list_data->common.prerequisites_size,
MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
+ if (elem + reqs >= order_obj_count) {
+ pr_err("Error elem-objects package is too small\n");
+ return -EINVAL;
+ }
+
ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer,
order_obj[elem + reqs].string.length,
&str_value, &value_len);
diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
index 35936c05e45b..a5c457d06b9c 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
@@ -303,6 +303,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor
MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
+ if (elem + reqs >= password_obj_count) {
+ pr_err("Error elem-objects package is too small\n");
+ return -EINVAL;
+ }
+
ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer,
password_obj[elem + reqs].string.length,
&str_value, &value_len);
diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
index 27758b779b2d..7b885d25650c 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
@@ -217,7 +217,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob
MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
- if (elem >= string_obj_count) {
+ if (elem + reqs >= string_obj_count) {
pr_err("Error elem-objects package is too small\n");
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 324/567] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 323/567] platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 325/567] net: stmmac: fix the crash issue for zero copy XDP_TX action Greg Kroah-Hartman
` (256 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anshumali Gaur, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anshumali Gaur <agaur@marvell.com>
[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
This patch ensures that the RX ring size (rx_pending) is not
set below the permitted length. This avoids UBSAN
shift-out-of-bounds errors when users passes small or zero
ring sizes via ethtool -G.
Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
Signed-off-by: Anshumali Gaur <agaur@marvell.com>
Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
index 5197ce816581..cc6a63e2573f 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
@@ -432,6 +432,14 @@ static int otx2_set_ringparam(struct net_device *netdev,
*/
if (rx_count < pfvf->hw.rq_skid)
rx_count = pfvf->hw.rq_skid;
+
+ if (ring->rx_pending < 16) {
+ netdev_err(netdev,
+ "rx ring size %u invalid, min is 16\n",
+ ring->rx_pending);
+ return -EINVAL;
+ }
+
rx_count = Q_COUNT(Q_SIZE(rx_count, 3));
/* Due pipelining impact minimum 2000 unused SQ CQE's
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 325/567] net: stmmac: fix the crash issue for zero copy XDP_TX action
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 324/567] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 326/567] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() Greg Kroah-Hartman
` (255 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Fang, Hariprasad Kelam,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ]
There is a crash issue when running zero copy XDP_TX action, the crash
log is shown below.
[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP
[ 216.301694] Call trace:
[ 216.304130] dcache_clean_poc+0x20/0x38 (P)
[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0
[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400
[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368
[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00
[ 216.326576] __napi_poll+0x40/0x218
[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
For XDP_TX action, the xdp_buff is converted to xdp_frame by
xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
depends on the memory type of the xdp_buff. For page pool based xdp_buff
it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
XSK pool based xdp_buff it produces xdp_frame with memory type
MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
memory type and always uses the page pool type, this leads to invalid
mappings and causes the crash. Therefore, check the xdp_buff memory type
in stmmac_xdp_xmit_back() to fix this issue.
Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/stmicro/stmmac/stmmac_main.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index ce35a6f12679..112287a6e9ab 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -87,6 +87,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address");
#define STMMAC_XDP_CONSUMED BIT(0)
#define STMMAC_XDP_TX BIT(1)
#define STMMAC_XDP_REDIRECT BIT(2)
+#define STMMAC_XSK_CONSUMED BIT(3)
static int flow_ctrl = FLOW_AUTO;
module_param(flow_ctrl, int, 0644);
@@ -4998,6 +4999,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv,
static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
struct xdp_buff *xdp)
{
+ bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL);
struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp);
int cpu = smp_processor_id();
struct netdev_queue *nq;
@@ -5014,9 +5016,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
/* Avoids TX time-out as we are sharing with slow path */
txq_trans_cond_update(nq);
- res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false);
- if (res == STMMAC_XDP_TX)
+ /* For zero copy XDP_TX action, dma_map is true */
+ res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc);
+ if (res == STMMAC_XDP_TX) {
stmmac_flush_tx_descriptors(priv, queue);
+ } else if (res == STMMAC_XDP_CONSUMED && zc) {
+ /* xdp has been freed by xdp_convert_buff_to_frame(),
+ * no need to call xsk_buff_free() again, so return
+ * STMMAC_XSK_CONSUMED.
+ */
+ res = STMMAC_XSK_CONSUMED;
+ xdp_return_frame(xdpf);
+ }
__netif_tx_unlock(nq);
@@ -5366,6 +5377,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
break;
case STMMAC_XDP_CONSUMED:
xsk_buff_free(buf->xdp);
+ fallthrough;
+ case STMMAC_XSK_CONSUMED:
rx_dropped++;
break;
case STMMAC_XDP_TX:
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 326/567] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 325/567] net: stmmac: fix the crash issue for zero copy XDP_TX action Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 327/567] ipv4: Fix reference count leak when using error routes with nexthop objects Greg Kroah-Hartman
` (254 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Moore, Will Rosenberg,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Rosenberg <whrosenb@asu.edu>
[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/calipso.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index a247bb93908b..f5cc02ea3092 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1342,7 +1342,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
/* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
pad = ((new_end & 4) + (end & 7)) & 7;
len_delta = new_end - (int)end + pad;
- ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
+ ret_val = skb_cow(skb,
+ skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
if (ret_val < 0)
return ret_val;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 327/567] ipv4: Fix reference count leak when using error routes with nexthop objects
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 326/567] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 328/567] net: rose: fix invalid array index in rose_kill_by_device() Greg Kroah-Hartman
` (253 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tetsuo Handa,
syzbot+881d65229ca4f9ae8c84, Ido Schimmel, David Ahern,
Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.
The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:
# ip link add name dummy1 up type dummy
# ip nexthop add id 1 dev dummy1
# ip route add 198.51.100.1/32 nhid 1
# ip route add blackhole 198.51.100.2/32 nhid 1
# ip nexthop del id 1
# ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1
As such, they keep holding a reference on the nexthop object which in
turn holds a reference on the nexthop device, resulting in a reference
count leak:
# ip link del dev dummy1
[ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/fib_trie.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index cc86031d2050..658f26d9a9ec 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -2059,10 +2059,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
continue;
}
- /* Do not flush error routes if network namespace is
- * not being dismantled
+ /* When not flushing the entire table, skip error
+ * routes that are not marked for deletion.
*/
- if (!flush_all && fib_props[fa->fa_type].error) {
+ if (!flush_all && fib_props[fa->fa_type].error &&
+ !(fi->fib_flags & RTNH_F_DEAD)) {
slen = fa->fa_slen;
continue;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 328/567] net: rose: fix invalid array index in rose_kill_by_device()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 327/567] ipv4: Fix reference count leak when using error routes with nexthop objects Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 329/567] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT Greg Kroah-Hartman
` (252 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fatma Alwasmi, Pwnverse, Paolo Abeni,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pwnverse <stanksal@purdue.edu>
[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ]
rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.
The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().
Fix the index to use i.
Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
Signed-off-by: Pwnverse <stanksal@purdue.edu>
Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rose/af_rose.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index b8078b42f5de..1676c9f4ab84 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev)
spin_unlock_bh(&rose_list_lock);
for (i = 0; i < cnt; i++) {
- sk = array[cnt];
+ sk = array[i];
rose = rose_sk(sk);
lock_sock(sk);
spin_lock_bh(&rose_list_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 329/567] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 328/567] net: rose: fix invalid array index in rose_kill_by_device() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 330/567] RDMA/irdma: avoid invalid read in irdma_net_event Greg Kroah-Hartman
` (251 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9b35e9bc0951140d13e6,
Jiayuan Chen, Paolo Abeni, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
[ Upstream commit 1adaea51c61b52e24e7ab38f7d3eba023b2d050d ]
On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the
current task can be preempted. Another task running on the same CPU
may then execute rt6_make_pcpu_route() and successfully install a
pcpu_rt entry. When the first task resumes execution, its cmpxchg()
in rt6_make_pcpu_route() will fail because rt6i_pcpu is no longer
NULL, triggering the BUG_ON(prev). It's easy to reproduce it by adding
mdelay() after rt6_get_pcpu_route().
Using preempt_disable/enable is not appropriate here because
ip6_rt_pcpu_alloc() may sleep.
Fix this by handling the cmpxchg() failure gracefully on PREEMPT_RT:
free our allocation and return the existing pcpu_rt installed by
another task. The BUG_ON is replaced by WARN_ON_ONCE for non-PREEMPT_RT
kernels where such races should not occur.
Link: https://syzkaller.appspot.com/bug?extid=9b35e9bc0951140d13e6
Fixes: d2d6422f8bd1 ("x86: Allow to enable PREEMPT_RT.")
Reported-by: syzbot+9b35e9bc0951140d13e6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6918cd88.050a0220.1c914e.0045.GAE@google.com/T/
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Link: https://patch.msgid.link/20251223051413.124687-1-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/route.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 22866444efc0..276fa74af206 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1470,7 +1470,18 @@ static struct rt6_info *rt6_make_pcpu_route(struct net *net,
p = this_cpu_ptr(res->nh->rt6i_pcpu);
prev = cmpxchg(p, NULL, pcpu_rt);
- BUG_ON(prev);
+ if (unlikely(prev)) {
+ /*
+ * Another task on this CPU already installed a pcpu_rt.
+ * This can happen on PREEMPT_RT where preemption is possible.
+ * Free our allocation and return the existing one.
+ */
+ WARN_ON_ONCE(!IS_ENABLED(CONFIG_PREEMPT_RT));
+
+ dst_dev_put(&pcpu_rt->dst);
+ dst_release(&pcpu_rt->dst);
+ return prev;
+ }
if (res->f6i->fib6_destroying) {
struct fib6_info *from;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 330/567] RDMA/irdma: avoid invalid read in irdma_net_event
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 329/567] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 331/567] RDMA/efa: Remove possible negative shift Greg Kroah-Hartman
` (250 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Jason Gunthorpe,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ]
irdma_net_event() should not dereference anything from "neigh" (alias
"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
Other events come with different structures pointed to by "ptr" and they
may be smaller than struct neighbour.
Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
The bug is mostly harmless, but it triggers KASAN on debug kernels:
BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
Hardware name: [...]
Workqueue: events rt6_probe_deferred
Call Trace:
<IRQ>
dump_stack_lvl+0x60/0xb0
print_address_description.constprop.0+0x2c/0x3f0
print_report+0xb4/0x270
kasan_report+0x92/0xc0
irdma_net_event+0x32e/0x3b0 [irdma]
notifier_call_chain+0x9e/0x180
atomic_notifier_call_chain+0x5c/0x110
rt6_do_redirect+0xb91/0x1080
tcp_v6_err+0xe9b/0x13e0
icmpv6_notify+0x2b2/0x630
ndisc_redirect_rcv+0x328/0x530
icmpv6_rcv+0xc16/0x1360
ip6_protocol_deliver_rcu+0xb84/0x12e0
ip6_input_finish+0x117/0x240
ip6_input+0xc4/0x370
ipv6_rcv+0x420/0x7d0
__netif_receive_skb_one_core+0x118/0x1b0
process_backlog+0xd1/0x5d0
__napi_poll.constprop.0+0xa3/0x440
net_rx_action+0x78a/0xba0
handle_softirqs+0x2d4/0x9c0
do_softirq+0xad/0xe0
</IRQ>
Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/utils.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
index 0422787592d8..87a6d58663de 100644
--- a/drivers/infiniband/hw/irdma/utils.c
+++ b/drivers/infiniband/hw/irdma/utils.c
@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
void *ptr)
{
struct neighbour *neigh = ptr;
- struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev;
+ struct net_device *real_dev, *netdev;
struct irdma_device *iwdev;
struct ib_device *ibdev;
__be32 *p;
@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
switch (event) {
case NETEVENT_NEIGH_UPDATE:
+ netdev = neigh->dev;
real_dev = rdma_vlan_dev_real_dev(netdev);
if (!real_dev)
real_dev = netdev;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 331/567] RDMA/efa: Remove possible negative shift
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 330/567] RDMA/irdma: avoid invalid read in irdma_net_event Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 332/567] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() Greg Kroah-Hartman
` (249 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Sela, Yonatan Nachum,
Michael Margolin, Gal Pressman, Jason Gunthorpe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Margolin <mrgolin@amazon.com>
[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
The page size used for device might in some cases be smaller than
PAGE_SIZE what results in a negative shift when calculating the number of
host pages in PAGE_SIZE for a debug log. Remove the debug line together
with the calculation.
Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
Reviewed-by: Tom Sela <tomsela@amazon.com>
Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
Signed-off-by: Michael Margolin <mrgolin@amazon.com>
Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/efa/efa_verbs.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
index cc13415ff7e7..46eddef7a1cc 100644
--- a/drivers/infiniband/hw/efa/efa_verbs.c
+++ b/drivers/infiniband/hw/efa/efa_verbs.c
@@ -1241,13 +1241,9 @@ static int umem_to_page_list(struct efa_dev *dev,
u32 hp_cnt,
u8 hp_shift)
{
- u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT);
struct ib_block_iter biter;
unsigned int hp_idx = 0;
- ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n",
- hp_cnt, pages_in_hp);
-
rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift))
page_list[hp_idx++] = rdma_block_iter_dma_address(&biter);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 332/567] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 331/567] RDMA/efa: Remove possible negative shift Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 333/567] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() Greg Kroah-Hartman
` (248 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jang Ingyu, Leon Romanovsky,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jang Ingyu <ingyujang25@korea.ac.kr>
[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ]
Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the
conditional statement. The constant was used directly instead of
being compared with net_type, causing the condition to always
evaluate to true.
Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr>
Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
index dc40001072a5..8dd96dc98fd3 100644
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr,
(struct in6_addr *)dgid);
return 0;
} else if (net_type == RDMA_NETWORK_IPV6 ||
- net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) {
+ net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) {
*dgid = hdr->ibgrh.dgid;
*sgid = hdr->ibgrh.sgid;
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 333/567] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 332/567] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 334/567] RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Greg Kroah-Hartman
` (247 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Kalesh AP,
Leon Romanovsky, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ]
RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking
!creq_db->reg.bar_id is incorrect and always false.
pci_resource_start() returns the BAR base address, and a value of 0
indicates that the BAR is unassigned. Update the condition to test
bar_base == 0 instead.
This ensures the driver detects and logs an error for an unassigned
RCFW communication BAR.
Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
index 7a099580ca8b..38ded4687122 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
@@ -1117,7 +1117,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt)
creq_db->dbinfo.flags = 0;
creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION;
creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id);
- if (!creq_db->reg.bar_id)
+ if (!creq_db->reg.bar_base)
dev_err(&pdev->dev,
"QPLIB: CREQ BAR region %d resc start is 0!",
creq_db->reg.bar_id);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 334/567] RDMA/core: always drop device refcount in ib_del_sub_device_and_put()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 333/567] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 335/567] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send Greg Kroah-Hartman
` (246 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+881d65229ca4f9ae8c84,
Tetsuo Handa, Parav Pandit, Leon Romanovsky, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit fa3c411d21ebc26ffd175c7256c37cefa35020aa ]
Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add
support to add/delete a sub IB device through netlink") grabs a reference
using ib_device_get_by_index() before calling ib_del_sub_device_and_put(),
we need to drop that reference before returning -EOPNOTSUPP error.
Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
Fixes: bca51197620a ("RDMA/core: Support IB sub device with type "SMI"")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://patch.msgid.link/80749a85-cbe2-460c-8451-42516013f9fa@I-love.SAKURA.ne.jp
Reviewed-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/device.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index df2aa15a5bc9..bbc131737378 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -2823,8 +2823,10 @@ int ib_del_sub_device_and_put(struct ib_device *sub)
{
struct ib_device *parent = sub->parent;
- if (!parent)
+ if (!parent) {
+ ib_device_put(sub);
return -EOPNOTSUPP;
+ }
mutex_lock(&parent->subdev_lock);
list_del(&sub->subdev_list);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 335/567] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 334/567] RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 336/567] RDMA/bnxt_re: Fix to use correct page size for PDE table Greg Kroah-Hartman
` (245 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Kalesh AP,
Leon Romanovsky, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
The bnxt_re SEND path checks wr->send_flags to enable features such as
IP checksum offload. However, send_flags is a bitmask and may contain
multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
existing code uses a switch() statement that only matches when
send_flags is exactly IB_SEND_IP_CSUM.
As a result, checksum offload is not enabled when additional SEND
flags are present.
Replace the switch() with a bitmask test:
if (wr->send_flags & IB_SEND_IP_CSUM)
This ensures IP checksum offload is enabled correctly when multiple
SEND flags are used.
Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
index c2abf2bb8026..c1587845f280 100644
--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
@@ -2823,14 +2823,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr,
wqe.rawqp1.lflags |=
SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC;
}
- switch (wr->send_flags) {
- case IB_SEND_IP_CSUM:
+ if (wr->send_flags & IB_SEND_IP_CSUM)
wqe.rawqp1.lflags |=
SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM;
- break;
- default:
- break;
- }
fallthrough;
case IB_WR_SEND_WITH_INV:
rc = bnxt_re_build_send_wqe(qp, wr, &wqe);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 336/567] RDMA/bnxt_re: Fix to use correct page size for PDE table
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 335/567] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 337/567] md: Fix static checker warning in analyze_sbs Greg Kroah-Hartman
` (244 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damodharam Ammepalli, Kalesh AP,
Selvin Xavier, Leon Romanovsky, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ]
In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table
driver incorrectly is using the "pg_size" value passed to the function.
Fixed to use the right value 4K. Also, fixed the allocation size for
PBL table.
Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
Signed-off-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com
Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index b785d9e7774c..f1a4bce6ce64 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -243,7 +243,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
if (npbl % BIT(MAX_PDL_LVL_SHIFT))
npde++;
/* Alloc PDE pages */
- sginfo.pgsize = npde * pg_size;
+ sginfo.pgsize = npde * ROCE_PG_SIZE_4K;
sginfo.npages = 1;
rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
if (rc)
@@ -251,7 +251,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
/* Alloc PBL pages */
sginfo.npages = npbl;
- sginfo.pgsize = PAGE_SIZE;
+ sginfo.pgsize = ROCE_PG_SIZE_4K;
rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo);
if (rc)
goto fail;
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 337/567] md: Fix static checker warning in analyze_sbs
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 336/567] RDMA/bnxt_re: Fix to use correct page size for PDE table Greg Kroah-Hartman
@ 2026-01-06 17:01 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 338/567] md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() Greg Kroah-Hartman
` (243 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:01 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Li Nan, Yu Kuai,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Nan <linan122@huawei.com>
[ Upstream commit 00f6c1b4d15d35fadb7f34768a1831c81aaa8936 ]
The following warn is reported:
drivers/md/md.c:3912 analyze_sbs()
warn: iterator 'i' not incremented
Fixes: d8730f0cf4ef ("md: Remove deprecated CONFIG_MD_MULTIPATH")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/linux-raid/7e2e95ce-3740-09d8-a561-af6bfb767f18@huaweicloud.com/T/#t
Signed-off-by: Li Nan <linan122@huawei.com>
Link: https://lore.kernel.org/linux-raid/20251215124412.4015572-1-linan666@huaweicloud.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/md/md.c b/drivers/md/md.c
index 5c39246c467e..26056d53f40c 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -3729,7 +3729,6 @@ static struct md_rdev *md_import_device(dev_t newdev, int super_format, int supe
static int analyze_sbs(struct mddev *mddev)
{
- int i;
struct md_rdev *rdev, *freshest, *tmp;
freshest = NULL;
@@ -3756,11 +3755,9 @@ static int analyze_sbs(struct mddev *mddev)
super_types[mddev->major_version].
validate_super(mddev, NULL/*freshest*/, freshest);
- i = 0;
rdev_for_each_safe(rdev, tmp, mddev) {
if (mddev->max_disks &&
- (rdev->desc_nr >= mddev->max_disks ||
- i > mddev->max_disks)) {
+ rdev->desc_nr >= mddev->max_disks) {
pr_warn("md: %s: %pg: only %d devices permitted\n",
mdname(mddev), rdev->bdev,
mddev->max_disks);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 338/567] md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2026-01-06 17:01 ` [PATCH 6.12 337/567] md: Fix static checker warning in analyze_sbs Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 339/567] ksmbd: Fix memory leak in get_file_all_info() Greg Kroah-Hartman
` (242 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tuo Li, Xiao Ni, Paul Menzel,
Yu Kuai, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tuo Li <islituo@gmail.com>
[ Upstream commit 7ad6ef91d8745d04aff9cce7bdbc6320d8e05fe9 ]
The variable mddev->private is first assigned to conf and then checked:
conf = mddev->private;
if (!conf) ...
If conf is NULL, then mddev->private is also NULL. In this case,
null-pointer dereferences can occur when calling raid5_quiesce():
raid5_quiesce(mddev, true);
raid5_quiesce(mddev, false);
since mddev->private is assigned to conf again in raid5_quiesce(), and conf
is dereferenced in several places, for example:
conf->quiesce = 0;
wake_up(&conf->wait_for_quiescent);
To fix this issue, the function should unlock mddev and return before
invoking raid5_quiesce() when conf is NULL, following the existing pattern
in raid5_change_consistency_policy().
Fixes: fa1944bbe622 ("md/raid5: Wait sync io to finish before changing group cnt")
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Xiao Ni <xni@redhat.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Link: https://lore.kernel.org/linux-raid/20251225130326.67780-1-islituo@gmail.com
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid5.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index 8e5ccca3b68b..7262b77a8e02 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -7181,12 +7181,14 @@ raid5_store_group_thread_cnt(struct mddev *mddev, const char *page, size_t len)
err = mddev_suspend_and_lock(mddev);
if (err)
return err;
+ conf = mddev->private;
+ if (!conf) {
+ mddev_unlock_and_resume(mddev);
+ return -ENODEV;
+ }
raid5_quiesce(mddev, true);
- conf = mddev->private;
- if (!conf)
- err = -ENODEV;
- else if (new != conf->worker_cnt_per_group) {
+ if (new != conf->worker_cnt_per_group) {
old_groups = conf->worker_groups;
if (old_groups)
flush_workqueue(raid5_wq);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 339/567] ksmbd: Fix memory leak in get_file_all_info()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 338/567] md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 340/567] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation Greg Kroah-Hartman
` (241 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Namjae Jeon,
Steve French, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 0c56693b06a68476ba113db6347e7897475f9e4c ]
In get_file_all_info(), if vfs_getattr() fails, the function returns
immediately without freeing the allocated filename, leading to a memory
leak.
Fix this by freeing the filename before returning in this error case.
Fixes: 5614c8c487f6a ("ksmbd: replace generic_fillattr with vfs_getattr")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index a1579f76e063..e2cde9723001 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4926,8 +4926,10 @@ static int get_file_all_info(struct ksmbd_work *work,
ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
AT_STATX_SYNC_AS_STAT);
- if (ret)
+ if (ret) {
+ kfree(filename);
return ret;
+ }
ksmbd_debug(SMB, "filename = %s\n", filename);
delete_pending = ksmbd_inode_pending_delete(fp);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 340/567] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 339/567] ksmbd: Fix memory leak in get_file_all_info() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 341/567] RDMA/bnxt_re: fix dma_free_coherent() pointer Greg Kroah-Hartman
` (240 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Honggang LI, Leon Romanovsky,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Honggang LI <honggangli@163.com>
[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ]
If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift]
are zero, the `min3` function will set clt_path::max_pages_per_mr to
zero.
`alloc_path_reqs` will pass zero, which is invalid, as the third parameter
to `ib_alloc_mr`.
Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
Signed-off-by: Honggang LI <honggangli@163.com>
Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
index 71387811b281..2b397a544cb9 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
@@ -1464,6 +1464,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path)
mr_page_shift = max(12, ffs(ib_dev->attrs.page_size_cap) - 1);
max_pages_per_mr = ib_dev->attrs.max_mr_size;
do_div(max_pages_per_mr, (1ull << mr_page_shift));
+ max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX);
clt_path->max_pages_per_mr =
min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr,
ib_dev->attrs.max_fast_reg_page_list_len);
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 341/567] RDMA/bnxt_re: fix dma_free_coherent() pointer
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 340/567] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 342/567] blk-mq: skip CPU offline notify on unmapped hctx Greg Kroah-Hartman
` (239 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Leon Romanovsky,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ]
The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i].
The dma_free_coherent() should pass the same buffer to
dma_free_coherent() and not page-aligned.
Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index f1a4bce6ce64..dfb72a5adc91 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl,
for (i = 0; i < pbl->pg_count; i++) {
if (pbl->pg_arr[i])
dma_free_coherent(&pdev->dev, pbl->pg_size,
- (void *)((unsigned long)
- pbl->pg_arr[i] &
- PAGE_MASK),
+ pbl->pg_arr[i],
pbl->pg_map_arr[i]);
else
dev_warn(&pdev->dev,
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 342/567] blk-mq: skip CPU offline notify on unmapped hctx
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 341/567] RDMA/bnxt_re: fix dma_free_coherent() pointer Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 343/567] selftests/ftrace: traceonoff_triggers: strip off names Greg Kroah-Hartman
` (238 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Zhang, Ming Lei, Jens Axboe,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Zhang <cong.zhang@oss.qualcomm.com>
[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ]
If an hctx has no software ctx mapped, blk_mq_map_swqueue() never
allocates tags and leaves hctx->tags NULL. The CPU hotplug offline
notifier can still run for that hctx, return early since hctx cannot
hold any requests.
Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>
Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index db72779760d5..1891863dcba1 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -3658,7 +3658,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
struct blk_mq_hw_ctx, cpuhp_online);
int ret = 0;
- if (blk_mq_hctx_has_online_cpu(hctx, cpu))
+ if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu))
return 0;
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 343/567] selftests/ftrace: traceonoff_triggers: strip off names
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 342/567] blk-mq: skip CPU offline notify on unmapped hctx Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 344/567] ntfs: Do not overwrite uptodate pages Greg Kroah-Hartman
` (237 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google), Yipeng Zou,
Masami Hiramatsu (Google), Shuah Khan, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yipeng Zou <zouyipeng@huawei.com>
[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ]
The func_traceonoff_triggers.tc sometimes goes to fail
on my board, Kunpeng-920.
[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log
=== Ftrace unit tests ===
[1] ftrace - test for function traceon/off triggers [FAIL]
[2] (instance) ftrace - test for function traceon/off triggers [UNSUPPORTED]
I look up the log, and it shows that the md5sum is different between csum1 and csum2.
++ cnt=611
++ sleep .1
+++ cnt_trace
+++ grep -v '^#' trace
+++ wc -l
++ cnt2=611
++ '[' 611 -ne 611 ']'
+++ cat tracing_on
++ on=0
++ '[' 0 '!=' 0 ']'
+++ md5sum trace
++ csum1='76896aa74362fff66a6a5f3cf8a8a500 trace'
++ sleep .1
+++ md5sum trace
++ csum2='ee8625a21c058818fc26e45c1ed3f6de trace'
++ '[' '76896aa74362fff66a6a5f3cf8a8a500 trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de trace' ']'
++ fail 'Tracing file is still changing'
++ echo Tracing file is still changing
Tracing file is still changing
++ exit_fail
++ exit 1
So I directly dump the trace file before md5sum, the diff shows that:
[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines
dockerd-12285 [036] d.... 18385.510290: sched_stat | <...>-12285 [036] d.... 18385.510290: sched_stat
dockerd-12285 [036] d.... 18385.510291: sched_swit | <...>-12285 [036] d.... 18385.510291: sched_swit
<...>-740 [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat
<...>-740 [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit
And we can see that <...> filed be filled with names.
We can strip off the names there to fix that.
After strip off the names:
kworker/u257:0-12 [019] d..2. 2528.758910: sched_stat | -12 [019] d..2. 2528.758910: sched_stat_runtime: comm=k
kworker/u257:0-12 [019] d..2. 2528.758912: sched_swit | -12 [019] d..2. 2528.758912: sched_switch: prev_comm=kw
<idle>-0 [000] d.s5. 2528.762318: sched_waki | -0 [000] d.s5. 2528.762318: sched_waking: comm=sshd pi
<idle>-0 [037] dNh2. 2528.762326: sched_wake | -0 [037] dNh2. 2528.762326: sched_wakeup: comm=sshd pi
<idle>-0 [037] d..2. 2528.762334: sched_swit | -0 [037] d..2. 2528.762334: sched_switch: prev_comm=sw
Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com
Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs")
Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ftrace/test.d/ftrace/func_traceonoff_triggers.tc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
index aee22289536b..1b57771dbfdf 100644
--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
@@ -90,9 +90,10 @@ if [ $on != "0" ]; then
fail "Tracing is not off"
fi
-csum1=`md5sum trace`
+# Cannot rely on names being around as they are only cached, strip them
+csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
sleep $SLEEP_TIME
-csum2=`md5sum trace`
+csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
if [ "$csum1" != "$csum2" ]; then
fail "Tracing file is still changing"
--
2.51.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 344/567] ntfs: Do not overwrite uptodate pages
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 343/567] selftests/ftrace: traceonoff_triggers: strip off names Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 345/567] ASoC: codecs: wcd939x: fix regmap leak on probe failure Greg Kroah-Hartman
` (236 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Konstantin Komarov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
commit 68f6bd128e75a032432eda9d16676ed2969a1096 upstream.
When reading a compressed file, we may read several pages in addition to
the one requested. The current code will overwrite pages in the page
cache with the data from disc which can definitely result in changes
that have been made being lost.
For example if we have four consecutie pages ABCD in the file compressed
into a single extent, on first access, we'll bring in ABCD. Then we
write to page B. Memory pressure results in the eviction of ACD.
When we attempt to write to page C, we will overwrite the data in page
B with the data currently on disk.
I haven't investigated the decompression code to check whether it's
OK to overwrite a clean page or whether it might be possible to see
corrupt data. Out of an abundance of caution, decline to overwrite
uptodate pages, not just dirty pages.
Fixes: 4342306f0f0d (fs/ntfs3: Add file operations and implementation)
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/frecord.c | 35 +++++++++++++++++++++++++++++------
1 file changed, 29 insertions(+), 6 deletions(-)
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -2077,6 +2077,29 @@ out:
return err;
}
+static struct page *ntfs_lock_new_page(struct address_space *mapping,
+ pgoff_t index, gfp_t gfp)
+{
+ struct folio *folio = __filemap_get_folio(mapping, index,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ struct page *page;
+
+ if (IS_ERR(folio))
+ return ERR_CAST(folio);
+
+ if (!folio_test_uptodate(folio))
+ return folio_file_page(folio, index);
+
+ /* Use a temporary page to avoid data corruption */
+ folio_unlock(folio);
+ folio_put(folio);
+ page = alloc_page(gfp);
+ if (!page)
+ return ERR_PTR(-ENOMEM);
+ __SetPageLocked(page);
+ return page;
+}
+
/*
* ni_readpage_cmpr
*
@@ -2131,9 +2154,9 @@ int ni_readpage_cmpr(struct ntfs_inode *
if (i == idx)
continue;
- pg = find_or_create_page(mapping, index, gfp_mask);
- if (!pg) {
- err = -ENOMEM;
+ pg = ntfs_lock_new_page(mapping, index, gfp_mask);
+ if (IS_ERR(pg)) {
+ err = PTR_ERR(pg);
goto out1;
}
pages[i] = pg;
@@ -2232,13 +2255,13 @@ int ni_decompress_file(struct ntfs_inode
for (i = 0; i < pages_per_frame; i++, index++) {
struct page *pg;
- pg = find_or_create_page(mapping, index, gfp_mask);
- if (!pg) {
+ pg = ntfs_lock_new_page(mapping, index, gfp_mask);
+ if (IS_ERR(pg)) {
while (i--) {
unlock_page(pages[i]);
put_page(pages[i]);
}
- err = -ENOMEM;
+ err = PTR_ERR(pg);
goto out;
}
pages[i] = pg;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 345/567] ASoC: codecs: wcd939x: fix regmap leak on probe failure
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 344/567] ntfs: Do not overwrite uptodate pages Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 346/567] ASoC: stm32: sai: fix device leak on probe Greg Kroah-Hartman
` (235 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Johan Hovold,
Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 86dc090f737953f16f8dc60c546ae7854690d4f6 upstream.
The soundwire regmap that may be allocated during probe is not freed on
late probe failures.
Add the missing error handling.
Fixes: be2af391cea0 ("ASoC: codecs: Add WCD939x Soundwire devices driver")
Cc: stable@vger.kernel.org # 6.9
Cc: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251127135057.2216-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd939x-sdw.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/sound/soc/codecs/wcd939x-sdw.c
+++ b/sound/soc/codecs/wcd939x-sdw.c
@@ -1480,12 +1480,18 @@ static int wcd9390_probe(struct sdw_slav
ret = component_add(dev, &wcd939x_sdw_component_ops);
if (ret)
- return ret;
+ goto err_free_regmap;
/* Set suspended until aggregate device is bind */
pm_runtime_set_suspended(dev);
return 0;
+
+err_free_regmap:
+ if (wcd->regmap)
+ regmap_exit(wcd->regmap);
+
+ return ret;
}
static int wcd9390_remove(struct sdw_slave *pdev)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 346/567] ASoC: stm32: sai: fix device leak on probe
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 345/567] ASoC: codecs: wcd939x: fix regmap leak on probe failure Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 347/567] ASoC: stm32: sai: fix clk prepare imbalance on probe failure Greg Kroah-Hartman
` (234 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, olivier moysan, Wen Yang,
Johan Hovold, olivier moysan, Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit e26ff429eaf10c4ef1bc3dabd9bf27eb54b7e1f4 upstream.
Make sure to drop the reference taken when looking up the sync provider
device and its driver data during DAI probe on probe failures and on
unbind.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: 7dd0d835582f ("ASoC: stm32: sai: simplify sync modes management")
Fixes: 1c3816a19487 ("ASoC: stm32: sai: add missing put_device()")
Cc: stable@vger.kernel.org # 4.16: 1c3816a19487
Cc: olivier moysan <olivier.moysan@st.com>
Cc: Wen Yang <yellowriver2010@hotmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20251124104908.15754-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/stm/stm32_sai.c
+++ b/sound/soc/stm/stm32_sai.c
@@ -127,6 +127,7 @@ static int stm32_sai_set_sync(struct stm
}
sai_provider = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!sai_provider) {
dev_err(&sai_client->pdev->dev,
"SAI sync provider data not found\n");
@@ -143,7 +144,6 @@ static int stm32_sai_set_sync(struct stm
ret = stm32_sai_sync_conf_provider(sai_provider, synco);
error:
- put_device(&pdev->dev);
of_node_put(np_provider);
return ret;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 347/567] ASoC: stm32: sai: fix clk prepare imbalance on probe failure
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 346/567] ASoC: stm32: sai: fix device leak on probe Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 348/567] ASoC: stm32: sai: fix OF node leak on probe Greg Kroah-Hartman
` (233 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olivier Moysan, Johan Hovold,
olivier moysan, Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 312ec2f0d9d1a5656f76d770bbf1d967e9289aa7 upstream.
Make sure to unprepare the parent clock also on probe failures (e.g.
probe deferral).
Fixes: a14bf98c045b ("ASoC: stm32: sai: fix possible circular locking")
Cc: stable@vger.kernel.org # 5.5
Cc: Olivier Moysan <olivier.moysan@st.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20251124104908.15754-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai_sub.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -1501,14 +1501,21 @@ static int stm32_sai_sub_parse_of(struct
if (of_property_present(np, "#clock-cells")) {
ret = stm32_sai_add_mclk_provider(sai);
if (ret < 0)
- return ret;
+ goto err_unprepare_pclk;
} else {
sai->sai_mclk = devm_clk_get_optional(&pdev->dev, "MCLK");
- if (IS_ERR(sai->sai_mclk))
- return PTR_ERR(sai->sai_mclk);
+ if (IS_ERR(sai->sai_mclk)) {
+ ret = PTR_ERR(sai->sai_mclk);
+ goto err_unprepare_pclk;
+ }
}
return 0;
+
+err_unprepare_pclk:
+ clk_unprepare(sai->pdata->pclk);
+
+ return ret;
}
static int stm32_sai_sub_probe(struct platform_device *pdev)
@@ -1548,26 +1555,33 @@ static int stm32_sai_sub_probe(struct pl
IRQF_SHARED, dev_name(&pdev->dev), sai);
if (ret) {
dev_err(&pdev->dev, "IRQ request returned %d\n", ret);
- return ret;
+ goto err_unprepare_pclk;
}
if (STM_SAI_PROTOCOL_IS_SPDIF(sai))
conf = &stm32_sai_pcm_config_spdif;
ret = snd_dmaengine_pcm_register(&pdev->dev, conf, 0);
- if (ret)
- return dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
+ if (ret) {
+ ret = dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
+ goto err_unprepare_pclk;
+ }
ret = snd_soc_register_component(&pdev->dev, &stm32_component,
&sai->cpu_dai_drv, 1);
if (ret) {
snd_dmaengine_pcm_unregister(&pdev->dev);
- return ret;
+ goto err_unprepare_pclk;
}
pm_runtime_enable(&pdev->dev);
return 0;
+
+err_unprepare_pclk:
+ clk_unprepare(sai->pdata->pclk);
+
+ return ret;
}
static void stm32_sai_sub_remove(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 348/567] ASoC: stm32: sai: fix OF node leak on probe
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 347/567] ASoC: stm32: sai: fix clk prepare imbalance on probe failure Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 349/567] ASoC: codecs: lpass-tx-macro: fix SM6115 support Greg Kroah-Hartman
` (232 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olivier Moysan, Johan Hovold,
olivier moysan, Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 23261f0de09427367e99f39f588e31e2856a690e upstream.
The reference taken to the sync provider OF node when probing the
platform device is currently only dropped if the set_sync() callback
fails during DAI probe.
Make sure to drop the reference on platform probe failures (e.g. probe
deferral) and on driver unbind.
This also avoids a potential use-after-free in case the DAI is ever
reprobed without first rebinding the platform driver.
Fixes: 5914d285f6b7 ("ASoC: stm32: sai: Add synchronization support")
Fixes: d4180b4c02e7 ("ASoC: stm32: sai: fix set_sync service")
Cc: Olivier Moysan <olivier.moysan@st.com>
Cc: stable@vger.kernel.org # 4.16: d4180b4c02e7
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20251124104908.15754-4-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai.c | 12 +++---------
sound/soc/stm/stm32_sai_sub.c | 23 ++++++++++++++++-------
2 files changed, 19 insertions(+), 16 deletions(-)
--- a/sound/soc/stm/stm32_sai.c
+++ b/sound/soc/stm/stm32_sai.c
@@ -122,7 +122,6 @@ static int stm32_sai_set_sync(struct stm
if (!pdev) {
dev_err(&sai_client->pdev->dev,
"Device not found for node %pOFn\n", np_provider);
- of_node_put(np_provider);
return -ENODEV;
}
@@ -131,21 +130,16 @@ static int stm32_sai_set_sync(struct stm
if (!sai_provider) {
dev_err(&sai_client->pdev->dev,
"SAI sync provider data not found\n");
- ret = -EINVAL;
- goto error;
+ return -EINVAL;
}
/* Configure sync client */
ret = stm32_sai_sync_conf_client(sai_client, synci);
if (ret < 0)
- goto error;
+ return ret;
/* Configure sync provider */
- ret = stm32_sai_sync_conf_provider(sai_provider, synco);
-
-error:
- of_node_put(np_provider);
- return ret;
+ return stm32_sai_sync_conf_provider(sai_provider, synco);
}
static int stm32_sai_probe(struct platform_device *pdev)
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -1453,7 +1453,8 @@ static int stm32_sai_sub_parse_of(struct
dev_err(&pdev->dev,
"External synchro not supported\n");
of_node_put(args.np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_sync_provider;
}
sai->sync = SAI_SYNC_EXTERNAL;
@@ -1462,7 +1463,8 @@ static int stm32_sai_sub_parse_of(struct
(sai->synci > (SAI_GCR_SYNCIN_MAX + 1))) {
dev_err(&pdev->dev, "Wrong SAI index\n");
of_node_put(args.np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_sync_provider;
}
if (of_property_match_string(args.np, "compatible",
@@ -1476,7 +1478,8 @@ static int stm32_sai_sub_parse_of(struct
if (!sai->synco) {
dev_err(&pdev->dev, "Unknown SAI sub-block\n");
of_node_put(args.np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_sync_provider;
}
}
@@ -1486,13 +1489,15 @@ static int stm32_sai_sub_parse_of(struct
of_node_put(args.np);
sai->sai_ck = devm_clk_get(&pdev->dev, "sai_ck");
- if (IS_ERR(sai->sai_ck))
- return dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck),
- "Missing kernel clock sai_ck\n");
+ if (IS_ERR(sai->sai_ck)) {
+ ret = dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck),
+ "Missing kernel clock sai_ck\n");
+ goto err_put_sync_provider;
+ }
ret = clk_prepare(sai->pdata->pclk);
if (ret < 0)
- return ret;
+ goto err_put_sync_provider;
if (STM_SAI_IS_F4(sai->pdata))
return 0;
@@ -1514,6 +1519,8 @@ static int stm32_sai_sub_parse_of(struct
err_unprepare_pclk:
clk_unprepare(sai->pdata->pclk);
+err_put_sync_provider:
+ of_node_put(sai->np_sync_provider);
return ret;
}
@@ -1580,6 +1587,7 @@ static int stm32_sai_sub_probe(struct pl
err_unprepare_pclk:
clk_unprepare(sai->pdata->pclk);
+ of_node_put(sai->np_sync_provider);
return ret;
}
@@ -1592,6 +1600,7 @@ static void stm32_sai_sub_remove(struct
snd_dmaengine_pcm_unregister(&pdev->dev);
snd_soc_unregister_component(&pdev->dev);
pm_runtime_disable(&pdev->dev);
+ of_node_put(sai->np_sync_provider);
}
#ifdef CONFIG_PM_SLEEP
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 349/567] ASoC: codecs: lpass-tx-macro: fix SM6115 support
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 348/567] ASoC: stm32: sai: fix OF node leak on probe Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 350/567] ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr Greg Kroah-Hartman
` (231 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 7c63b5a8ed972a2c8c03d984f6a43349007cea93 upstream.
SM6115 does have soundwire controller in tx. For some reason
we ended up with this incorrect patch.
Fix this by adding the flag to reflect this in SoC data.
Fixes: 510c46884299 ("ASoC: codecs: lpass-tx-macro: Add SM6115 support")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20251031120703.590201-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/lpass-tx-macro.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/soc/codecs/lpass-tx-macro.c
+++ b/sound/soc/codecs/lpass-tx-macro.c
@@ -2474,7 +2474,8 @@ static const struct tx_macro_data lpass_
};
static const struct tx_macro_data lpass_ver_10_sm6115 = {
- .flags = LPASS_MACRO_FLAG_HAS_NPL_CLOCK,
+ .flags = LPASS_MACRO_FLAG_HAS_NPL_CLOCK |
+ LPASS_MACRO_FLAG_RESET_SWR,
.ver = LPASS_VER_10_0_0,
.extra_widgets = tx_macro_dapm_widgets_v9_2,
.extra_widgets_num = ARRAY_SIZE(tx_macro_dapm_widgets_v9_2),
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 350/567] ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 349/567] ASoC: codecs: lpass-tx-macro: fix SM6115 support Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 351/567] ASoC: qcom: q6asm-dai: perform correct state check before closing Greg Kroah-Hartman
` (230 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown, Alexey Klimov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 950a4e5788fc7dc6e8e93614a7d4d0449c39fb8d upstream.
Driver does not expect the appl_ptr to move backward and requires
explict sync. Make sure that the userspace does not do appl_ptr rewinds
by specifying the correct flags in pcm_info.
Without this patch, the result could be a forever loop as current logic assumes
that appl_ptr can only move forward.
Fixes: 3d4a4411aa8b ("ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -85,6 +85,7 @@ static const struct snd_pcm_hardware q6a
.info = (SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_BLOCK_TRANSFER |
SNDRV_PCM_INFO_MMAP_VALID | SNDRV_PCM_INFO_INTERLEAVED |
SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME |
+ SNDRV_PCM_INFO_NO_REWINDS | SNDRV_PCM_INFO_SYNC_APPLPTR |
SNDRV_PCM_INFO_BATCH),
.formats = (SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE),
.rates = SNDRV_PCM_RATE_8000_48000,
@@ -104,6 +105,7 @@ static const struct snd_pcm_hardware q6a
.info = (SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_BLOCK_TRANSFER |
SNDRV_PCM_INFO_MMAP_VALID | SNDRV_PCM_INFO_INTERLEAVED |
SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME |
+ SNDRV_PCM_INFO_NO_REWINDS | SNDRV_PCM_INFO_SYNC_APPLPTR |
SNDRV_PCM_INFO_BATCH),
.formats = (SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE),
.rates = SNDRV_PCM_RATE_8000_192000,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 351/567] ASoC: qcom: q6asm-dai: perform correct state check before closing
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 350/567] ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 352/567] ASoC: qcom: q6adm: the the copp device only during last instance Greg Kroah-Hartman
` (229 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown, Alexey Klimov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit bfbb12dfa144d45575bcfe139a71360b3ce80237 upstream.
Do not stop a q6asm stream if its not started, this can result in
unnecessary dsp command which will timeout anyway something like below:
q6asm-dai ab00000.remoteproc:glink-edge:apr:service@7:dais: CMD 10bcd timeout
Fix this by correctly checking the state.
Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-5-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -232,13 +232,14 @@ static int q6asm_dai_prepare(struct snd_
prtd->pcm_count = snd_pcm_lib_period_bytes(substream);
prtd->pcm_irq_pos = 0;
/* rate and channels are sent to audio driver */
- if (prtd->state) {
+ if (prtd->state == Q6ASM_STREAM_RUNNING) {
/* clear the previous setup if any */
q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
q6asm_unmap_memory_regions(substream->stream,
prtd->audio_client);
q6routing_stream_close(soc_prtd->dai_link->id,
substream->stream);
+ prtd->state = Q6ASM_STREAM_STOPPED;
}
ret = q6asm_map_memory_regions(substream->stream, prtd->audio_client,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 352/567] ASoC: qcom: q6adm: the the copp device only during last instance
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 351/567] ASoC: qcom: q6asm-dai: perform correct state check before closing Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 353/567] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
` (228 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Martino Facchin,
Srinivas Kandagatla, Mark Brown, Alexey Klimov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 74cc4f3ea4e99262ba0d619c6a4ee33e2cd47f65 upstream.
A matching Common object post processing instance is normally resused
across multiple streams. However currently we close this on DSP
even though there is a refcount on this copp object, this can result in
below error.
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: Found Matching Copp 0x0
qcom-q6adm aprsvc:service:4:8: cmd = 0x10325 return error = 0x2
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: DSP returned error[2]
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: Found Matching Copp 0x0
qcom-q6adm aprsvc:service:4:8: cmd = 0x10325 return error = 0x2
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: DSP returned error[2]
qcom-q6adm aprsvc:service:4:8: cmd = 0x10327 return error = 0x2
qcom-q6adm aprsvc:service:4:8: DSP returned error[2]
qcom-q6adm aprsvc:service:4:8: Failed to close copp -22
qcom-q6adm aprsvc:service:4:8: cmd = 0x10327 return error = 0x2
qcom-q6adm aprsvc:service:4:8: DSP returned error[2]
qcom-q6adm aprsvc:service:4:8: Failed to close copp -22
Fix this by addressing moving the adm_close to copp_kref destructor
callback.
Fixes: 7b20b2be51e1 ("ASoC: qdsp6: q6adm: Add q6adm driver")
Cc: Stable@vger.kernel.org
Reported-by: Martino Facchin <m.facchin@arduino.cc>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6adm.c | 146 ++++++++++++++++++++-----------------------
1 file changed, 71 insertions(+), 75 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6adm.c
+++ b/sound/soc/qcom/qdsp6/q6adm.c
@@ -109,11 +109,75 @@ static struct q6copp *q6adm_find_copp(st
}
+static int q6adm_apr_send_copp_pkt(struct q6adm *adm, struct q6copp *copp,
+ struct apr_pkt *pkt, uint32_t rsp_opcode)
+{
+ struct device *dev = adm->dev;
+ uint32_t opcode = pkt->hdr.opcode;
+ int ret;
+
+ mutex_lock(&adm->lock);
+ copp->result.opcode = 0;
+ copp->result.status = 0;
+ ret = apr_send_pkt(adm->apr, pkt);
+ if (ret < 0) {
+ dev_err(dev, "Failed to send APR packet\n");
+ ret = -EINVAL;
+ goto err;
+ }
+
+ /* Wait for the callback with copp id */
+ if (rsp_opcode)
+ ret = wait_event_timeout(copp->wait,
+ (copp->result.opcode == opcode) ||
+ (copp->result.opcode == rsp_opcode),
+ msecs_to_jiffies(TIMEOUT_MS));
+ else
+ ret = wait_event_timeout(copp->wait,
+ (copp->result.opcode == opcode),
+ msecs_to_jiffies(TIMEOUT_MS));
+
+ if (!ret) {
+ dev_err(dev, "ADM copp cmd timedout\n");
+ ret = -ETIMEDOUT;
+ } else if (copp->result.status > 0) {
+ dev_err(dev, "DSP returned error[%d]\n",
+ copp->result.status);
+ ret = -EINVAL;
+ }
+
+err:
+ mutex_unlock(&adm->lock);
+ return ret;
+}
+
+static int q6adm_device_close(struct q6adm *adm, struct q6copp *copp,
+ int port_id, int copp_idx)
+{
+ struct apr_pkt close;
+
+ close.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,
+ APR_HDR_LEN(APR_HDR_SIZE),
+ APR_PKT_VER);
+ close.hdr.pkt_size = sizeof(close);
+ close.hdr.src_port = port_id;
+ close.hdr.dest_port = copp->id;
+ close.hdr.token = port_id << 16 | copp_idx;
+ close.hdr.opcode = ADM_CMD_DEVICE_CLOSE_V5;
+
+ return q6adm_apr_send_copp_pkt(adm, copp, &close, 0);
+}
+
static void q6adm_free_copp(struct kref *ref)
{
struct q6copp *c = container_of(ref, struct q6copp, refcount);
struct q6adm *adm = c->adm;
unsigned long flags;
+ int ret;
+
+ ret = q6adm_device_close(adm, c, c->afe_port, c->copp_idx);
+ if (ret < 0)
+ dev_err(adm->dev, "Failed to close copp %d\n", ret);
spin_lock_irqsave(&adm->copps_list_lock, flags);
clear_bit(c->copp_idx, &adm->copp_bitmap[c->afe_port]);
@@ -155,13 +219,13 @@ static int q6adm_callback(struct apr_dev
switch (result->opcode) {
case ADM_CMD_DEVICE_OPEN_V5:
case ADM_CMD_DEVICE_CLOSE_V5:
- copp = q6adm_find_copp(adm, port_idx, copp_idx);
- if (!copp)
- return 0;
-
- copp->result = *result;
- wake_up(&copp->wait);
- kref_put(&copp->refcount, q6adm_free_copp);
+ list_for_each_entry(copp, &adm->copps_list, node) {
+ if ((port_idx == copp->afe_port) && (copp_idx == copp->copp_idx)) {
+ copp->result = *result;
+ wake_up(&copp->wait);
+ break;
+ }
+ }
break;
case ADM_CMD_MATRIX_MAP_ROUTINGS_V5:
adm->result = *result;
@@ -234,65 +298,6 @@ static struct q6copp *q6adm_alloc_copp(s
return c;
}
-static int q6adm_apr_send_copp_pkt(struct q6adm *adm, struct q6copp *copp,
- struct apr_pkt *pkt, uint32_t rsp_opcode)
-{
- struct device *dev = adm->dev;
- uint32_t opcode = pkt->hdr.opcode;
- int ret;
-
- mutex_lock(&adm->lock);
- copp->result.opcode = 0;
- copp->result.status = 0;
- ret = apr_send_pkt(adm->apr, pkt);
- if (ret < 0) {
- dev_err(dev, "Failed to send APR packet\n");
- ret = -EINVAL;
- goto err;
- }
-
- /* Wait for the callback with copp id */
- if (rsp_opcode)
- ret = wait_event_timeout(copp->wait,
- (copp->result.opcode == opcode) ||
- (copp->result.opcode == rsp_opcode),
- msecs_to_jiffies(TIMEOUT_MS));
- else
- ret = wait_event_timeout(copp->wait,
- (copp->result.opcode == opcode),
- msecs_to_jiffies(TIMEOUT_MS));
-
- if (!ret) {
- dev_err(dev, "ADM copp cmd timedout\n");
- ret = -ETIMEDOUT;
- } else if (copp->result.status > 0) {
- dev_err(dev, "DSP returned error[%d]\n",
- copp->result.status);
- ret = -EINVAL;
- }
-
-err:
- mutex_unlock(&adm->lock);
- return ret;
-}
-
-static int q6adm_device_close(struct q6adm *adm, struct q6copp *copp,
- int port_id, int copp_idx)
-{
- struct apr_pkt close;
-
- close.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,
- APR_HDR_LEN(APR_HDR_SIZE),
- APR_PKT_VER);
- close.hdr.pkt_size = sizeof(close);
- close.hdr.src_port = port_id;
- close.hdr.dest_port = copp->id;
- close.hdr.token = port_id << 16 | copp_idx;
- close.hdr.opcode = ADM_CMD_DEVICE_CLOSE_V5;
-
- return q6adm_apr_send_copp_pkt(adm, copp, &close, 0);
-}
-
static struct q6copp *q6adm_find_matching_copp(struct q6adm *adm,
int port_id, int topology,
int mode, int rate,
@@ -567,15 +572,6 @@ EXPORT_SYMBOL_GPL(q6adm_matrix_map);
*/
int q6adm_close(struct device *dev, struct q6copp *copp)
{
- struct q6adm *adm = dev_get_drvdata(dev->parent);
- int ret = 0;
-
- ret = q6adm_device_close(adm, copp, copp->afe_port, copp->copp_idx);
- if (ret < 0) {
- dev_err(adm->dev, "Failed to close copp %d\n", ret);
- return ret;
- }
-
kref_put(&copp->refcount, q6adm_free_copp);
return 0;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 353/567] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 352/567] ASoC: qcom: q6adm: the the copp device only during last instance Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 354/567] iommu/amd: Fix pci_segment memleak in alloc_pci_segment() Greg Kroah-Hartman
` (227 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown, Alexey Klimov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 81c53b52de21b8d5a3de55ebd06b6bf188bf7efd upstream.
DSP expects the periods to be aligned to fragment sizes, currently
setting up to hw constriants on periods bytes is not going to work
correctly as we can endup with periods sizes aligned to 32 bytes however
not aligned to fragment size.
Update the constriants to use fragment size, and also set at step of
10ms for period size to accommodate DSP requirements of 10ms latency.
Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -403,13 +403,13 @@ static int q6asm_dai_open(struct snd_soc
}
ret = snd_pcm_hw_constraint_step(runtime, 0,
- SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 32);
+ SNDRV_PCM_HW_PARAM_PERIOD_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for period bytes step ret = %d\n",
ret);
}
ret = snd_pcm_hw_constraint_step(runtime, 0,
- SNDRV_PCM_HW_PARAM_BUFFER_BYTES, 32);
+ SNDRV_PCM_HW_PARAM_BUFFER_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for buffer bytes step ret = %d\n",
ret);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 354/567] iommu/amd: Fix pci_segment memleak in alloc_pci_segment()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 353/567] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 355/567] iommu/amd: Propagate the error code returned by __modify_irte_ga() in modify_irte_ga() Greg Kroah-Hartman
` (226 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
commit 75ba146c2674ba49ed8a222c67f9abfb4a4f2a4f upstream.
Fix a memory leak of struct amd_iommu_pci_segment in alloc_pci_segment()
when system memory (or contiguous memory) is insufficient.
Fixes: 04230c119930 ("iommu/amd: Introduce per PCI segment device table")
Fixes: eda797a27795 ("iommu/amd: Introduce per PCI segment rlookup table")
Fixes: 99fc4ac3d297 ("iommu/amd: Introduce per PCI segment alias_table")
Cc: stable@vger.kernel.org
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd/init.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -1602,13 +1602,22 @@ static struct amd_iommu_pci_seg *__init
list_add_tail(&pci_seg->list, &amd_iommu_pci_seg_list);
if (alloc_dev_table(pci_seg))
- return NULL;
+ goto err_free_pci_seg;
if (alloc_alias_table(pci_seg))
- return NULL;
+ goto err_free_dev_table;
if (alloc_rlookup_table(pci_seg))
- return NULL;
+ goto err_free_alias_table;
return pci_seg;
+
+err_free_alias_table:
+ free_alias_table(pci_seg);
+err_free_dev_table:
+ free_dev_table(pci_seg);
+err_free_pci_seg:
+ list_del(&pci_seg->list);
+ kfree(pci_seg);
+ return NULL;
}
static struct amd_iommu_pci_seg *__init get_pci_segment(u16 id,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 355/567] iommu/amd: Propagate the error code returned by __modify_irte_ga() in modify_irte_ga()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 354/567] iommu/amd: Fix pci_segment memleak in alloc_pci_segment() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 356/567] iommu/apple-dart: fix device leak on of_xlate() Greg Kroah-Hartman
` (225 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Vasant Hegde,
Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
commit 2381a1b40be4b286062fb3cf67dd7f005692aa2a upstream.
The return type of __modify_irte_ga() is int, but modify_irte_ga()
treats it as a bool. Casting the int to bool discards the error code.
To fix the issue, change the type of ret to int in modify_irte_ga().
Fixes: 57cdb720eaa5 ("iommu/amd: Do not flush IRTE when only updating isRun and destination fields")
Cc: stable@vger.kernel.org
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd/iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -3172,7 +3172,7 @@ static int __modify_irte_ga(struct amd_i
static int modify_irte_ga(struct amd_iommu *iommu, u16 devid, int index,
struct irte_ga *irte)
{
- bool ret;
+ int ret;
ret = __modify_irte_ga(iommu, devid, index, irte);
if (ret)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 356/567] iommu/apple-dart: fix device leak on of_xlate()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 355/567] iommu/amd: Propagate the error code returned by __modify_irte_ga() in modify_irte_ga() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 357/567] iommu/exynos: " Greg Kroah-Hartman
` (224 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Peter, Robin Murphy,
Johan Hovold, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit a6eaa872c52a181ae9a290fd4e40c9df91166d7a upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 46d1fb072e76 ("iommu/dart: Add DART iommu driver")
Cc: stable@vger.kernel.org # 5.15
Cc: Sven Peter <sven@kernel.org>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/apple-dart.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/apple-dart.c
+++ b/drivers/iommu/apple-dart.c
@@ -790,6 +790,8 @@ static int apple_dart_of_xlate(struct de
struct apple_dart *cfg_dart;
int i, sid;
+ put_device(&iommu_pdev->dev);
+
if (args->args_count != 1)
return -EINVAL;
sid = args->args[0];
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 357/567] iommu/exynos: fix device leak on of_xlate()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 356/567] iommu/apple-dart: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 358/567] iommu/ipmmu-vmsa: " Greg Kroah-Hartman
` (223 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Robin Murphy,
Marek Szyprowski, Johan Hovold, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 05913cc43cb122f9afecdbe775115c058b906e1b upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Note that commit 1a26044954a6 ("iommu/exynos: add missing put_device()
call in exynos_iommu_of_xlate()") fixed the leak in a couple of error
paths, but the reference is still leaking on success.
Fixes: aa759fd376fb ("iommu/exynos: Add callback for initializing devices from device tree")
Cc: stable@vger.kernel.org # 4.2: 1a26044954a6
Cc: Yu Kuai <yukuai3@huawei.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/exynos-iommu.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/iommu/exynos-iommu.c
+++ b/drivers/iommu/exynos-iommu.c
@@ -1443,17 +1443,14 @@ static int exynos_iommu_of_xlate(struct
return -ENODEV;
data = platform_get_drvdata(sysmmu);
- if (!data) {
- put_device(&sysmmu->dev);
+ put_device(&sysmmu->dev);
+ if (!data)
return -ENODEV;
- }
if (!owner) {
owner = kzalloc(sizeof(*owner), GFP_KERNEL);
- if (!owner) {
- put_device(&sysmmu->dev);
+ if (!owner)
return -ENOMEM;
- }
INIT_LIST_HEAD(&owner->controllers);
mutex_init(&owner->rpm_lock);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 358/567] iommu/ipmmu-vmsa: fix device leak on of_xlate()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 357/567] iommu/exynos: " Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 359/567] iommu/mediatek-v1: fix device leak on probe_device() Greg Kroah-Hartman
` (222 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Magnus Damm, Robin Murphy,
Johan Hovold, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 80aa518452c4aceb9459f9a8e3184db657d1b441 upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 7b2d59611fef ("iommu/ipmmu-vmsa: Replace local utlb code with fwspec ids")
Cc: stable@vger.kernel.org # 4.14
Cc: Magnus Damm <damm+renesas@opensource.se>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/ipmmu-vmsa.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/ipmmu-vmsa.c
+++ b/drivers/iommu/ipmmu-vmsa.c
@@ -719,6 +719,8 @@ static int ipmmu_init_platform_device(st
dev_iommu_priv_set(dev, platform_get_drvdata(ipmmu_pdev));
+ put_device(&ipmmu_pdev->dev);
+
return 0;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 359/567] iommu/mediatek-v1: fix device leak on probe_device()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 358/567] iommu/ipmmu-vmsa: " Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 360/567] iommu/mediatek-v1: fix device leaks on probe() Greg Kroah-Hartman
` (221 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Honghui Zhang, Robin Murphy, Yong Wu,
Johan Hovold, AngeloGioacchino Del Regno, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit c77ad28bfee0df9cbc719eb5adc9864462cfb65b upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during probe_device().
Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW")
Cc: stable@vger.kernel.org # 4.8
Cc: Honghui Zhang <honghui.zhang@mediatek.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu_v1.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/mtk_iommu_v1.c
+++ b/drivers/iommu/mtk_iommu_v1.c
@@ -423,6 +423,8 @@ static int mtk_iommu_v1_create_mapping(s
return -EINVAL;
dev_iommu_priv_set(dev, platform_get_drvdata(m4updev));
+
+ put_device(&m4updev->dev);
}
ret = iommu_fwspec_add_ids(dev, args->args, 1);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 360/567] iommu/mediatek-v1: fix device leaks on probe()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 359/567] iommu/mediatek-v1: fix device leak on probe_device() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 361/567] iommu/mediatek: fix device leak on of_xlate() Greg Kroah-Hartman
` (220 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Honghui Zhang, Robin Murphy,
Johan Hovold, AngeloGioacchino Del Regno, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 46207625c9f33da0e43bb4ae1e91f0791b6ed633 upstream.
Make sure to drop the references taken to the larb devices during
probe on probe failure (e.g. probe deferral) and on driver unbind.
Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW")
Cc: stable@vger.kernel.org # 4.8
Cc: Honghui Zhang <honghui.zhang@mediatek.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu_v1.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
--- a/drivers/iommu/mtk_iommu_v1.c
+++ b/drivers/iommu/mtk_iommu_v1.c
@@ -647,8 +647,10 @@ static int mtk_iommu_v1_probe(struct pla
struct platform_device *plarbdev;
larbnode = of_parse_phandle(dev->of_node, "mediatek,larbs", i);
- if (!larbnode)
- return -EINVAL;
+ if (!larbnode) {
+ ret = -EINVAL;
+ goto out_put_larbs;
+ }
if (!of_device_is_available(larbnode)) {
of_node_put(larbnode);
@@ -658,11 +660,14 @@ static int mtk_iommu_v1_probe(struct pla
plarbdev = of_find_device_by_node(larbnode);
if (!plarbdev) {
of_node_put(larbnode);
- return -ENODEV;
+ ret = -ENODEV;
+ goto out_put_larbs;
}
if (!plarbdev->dev.driver) {
of_node_put(larbnode);
- return -EPROBE_DEFER;
+ put_device(&plarbdev->dev);
+ ret = -EPROBE_DEFER;
+ goto out_put_larbs;
}
data->larb_imu[i].dev = &plarbdev->dev;
@@ -674,7 +679,7 @@ static int mtk_iommu_v1_probe(struct pla
ret = mtk_iommu_v1_hw_init(data);
if (ret)
- return ret;
+ goto out_put_larbs;
ret = iommu_device_sysfs_add(&data->iommu, &pdev->dev, NULL,
dev_name(&pdev->dev));
@@ -696,12 +701,17 @@ out_sysfs_remove:
iommu_device_sysfs_remove(&data->iommu);
out_clk_unprepare:
clk_disable_unprepare(data->bclk);
+out_put_larbs:
+ for (i = 0; i < MTK_LARB_NR_MAX; i++)
+ put_device(data->larb_imu[i].dev);
+
return ret;
}
static void mtk_iommu_v1_remove(struct platform_device *pdev)
{
struct mtk_iommu_v1_data *data = platform_get_drvdata(pdev);
+ int i;
iommu_device_sysfs_remove(&data->iommu);
iommu_device_unregister(&data->iommu);
@@ -709,6 +719,9 @@ static void mtk_iommu_v1_remove(struct p
clk_disable_unprepare(data->bclk);
devm_free_irq(&pdev->dev, data->irq, data);
component_master_del(&pdev->dev, &mtk_iommu_v1_com_ops);
+
+ for (i = 0; i < MTK_LARB_NR_MAX; i++)
+ put_device(data->larb_imu[i].dev);
}
static int __maybe_unused mtk_iommu_v1_suspend(struct device *dev)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 361/567] iommu/mediatek: fix device leak on of_xlate()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 360/567] iommu/mediatek-v1: fix device leaks on probe() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 362/567] iommu/omap: fix device leaks on probe_device() Greg Kroah-Hartman
` (219 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robin Murphy, Yong Wu, Johan Hovold,
AngeloGioacchino Del Regno, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b3f1ee18280363ef17f82b564fc379ceba9ec86f upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 0df4fabe208d ("iommu/mediatek: Add mt8173 IOMMU driver")
Cc: stable@vger.kernel.org # 4.6
Acked-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/mtk_iommu.c
+++ b/drivers/iommu/mtk_iommu.c
@@ -975,6 +975,8 @@ static int mtk_iommu_of_xlate(struct dev
return -EINVAL;
dev_iommu_priv_set(dev, platform_get_drvdata(m4updev));
+
+ put_device(&m4updev->dev);
}
return iommu_fwspec_add_ids(dev, args->args, 1);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 362/567] iommu/omap: fix device leaks on probe_device()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 361/567] iommu/mediatek: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 363/567] iommu/qcom: fix device leak on of_xlate() Greg Kroah-Hartman
` (218 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suman Anna, Robin Murphy,
Johan Hovold, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b5870691065e6bbe6ba0650c0412636c6a239c5a upstream.
Make sure to drop the references taken to the iommu platform devices
when looking up their driver data during probe_device().
Note that the arch data device pointer added by commit 604629bcb505
("iommu/omap: add support for late attachment of iommu devices") has
never been used. Remove it to underline that the references are not
needed.
Fixes: 9d5018deec86 ("iommu/omap: Add support to program multiple iommus")
Fixes: 7d6827748d54 ("iommu/omap: Fix iommu archdata name for DT-based devices")
Cc: stable@vger.kernel.org # 3.18
Cc: Suman Anna <s-anna@ti.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/omap-iommu.c | 2 +-
drivers/iommu/omap-iommu.h | 2 --
2 files changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/iommu/omap-iommu.c
+++ b/drivers/iommu/omap-iommu.c
@@ -1688,6 +1688,7 @@ static struct iommu_device *omap_iommu_p
}
oiommu = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!oiommu) {
of_node_put(np);
kfree(arch_data);
@@ -1695,7 +1696,6 @@ static struct iommu_device *omap_iommu_p
}
tmp->iommu_dev = oiommu;
- tmp->dev = &pdev->dev;
of_node_put(np);
}
--- a/drivers/iommu/omap-iommu.h
+++ b/drivers/iommu/omap-iommu.h
@@ -88,7 +88,6 @@ struct omap_iommu {
/**
* struct omap_iommu_arch_data - omap iommu private data
* @iommu_dev: handle of the OMAP iommu device
- * @dev: handle of the iommu device
*
* This is an omap iommu private data object, which binds an iommu user
* to its iommu device. This object should be placed at the iommu user's
@@ -97,7 +96,6 @@ struct omap_iommu {
*/
struct omap_iommu_arch_data {
struct omap_iommu *iommu_dev;
- struct device *dev;
};
struct cr_regs {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 363/567] iommu/qcom: fix device leak on of_xlate()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 362/567] iommu/omap: fix device leaks on probe_device() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 364/567] iommu/sun50i: " Greg Kroah-Hartman
` (217 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Clark, Yu Kuai, Robin Murphy,
Johan Hovold, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 6a3908ce56e6879920b44ef136252b2f0c954194 upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Note that commit e2eae09939a8 ("iommu/qcom: add missing put_device()
call in qcom_iommu_of_xlate()") fixed the leak in a couple of error
paths, but the reference is still leaking on success and late failures.
Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu")
Cc: stable@vger.kernel.org # 4.14: e2eae09939a8
Cc: Rob Clark <robin.clark@oss.qualcomm.com>
Cc: Yu Kuai <yukuai3@huawei.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c
+++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
@@ -566,14 +566,14 @@ static int qcom_iommu_of_xlate(struct de
qcom_iommu = platform_get_drvdata(iommu_pdev);
+ put_device(&iommu_pdev->dev);
+
/* make sure the asid specified in dt is valid, so we don't have
* to sanity check this elsewhere:
*/
if (WARN_ON(asid > qcom_iommu->max_asid) ||
- WARN_ON(qcom_iommu->ctxs[asid] == NULL)) {
- put_device(&iommu_pdev->dev);
+ WARN_ON(qcom_iommu->ctxs[asid] == NULL))
return -EINVAL;
- }
if (!dev_iommu_priv_get(dev)) {
dev_iommu_priv_set(dev, qcom_iommu);
@@ -582,10 +582,8 @@ static int qcom_iommu_of_xlate(struct de
* multiple different iommu devices. Multiple context
* banks are ok, but multiple devices are not:
*/
- if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev))) {
- put_device(&iommu_pdev->dev);
+ if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev)))
return -EINVAL;
- }
}
return iommu_fwspec_add_ids(dev, &asid, 1);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 364/567] iommu/sun50i: fix device leak on of_xlate()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 363/567] iommu/qcom: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 365/567] iommu/tegra: fix device leak on probe_device() Greg Kroah-Hartman
` (216 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Robin Murphy,
Johan Hovold, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit f916109bf53864605d10bf6f4215afa023a80406 upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
Cc: stable@vger.kernel.org # 5.8
Cc: Maxime Ripard <mripard@kernel.org>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/sun50i-iommu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/sun50i-iommu.c
+++ b/drivers/iommu/sun50i-iommu.c
@@ -837,6 +837,8 @@ static int sun50i_iommu_of_xlate(struct
dev_iommu_priv_set(dev, platform_get_drvdata(iommu_pdev));
+ put_device(&iommu_pdev->dev);
+
return iommu_fwspec_add_ids(dev, &id, 1);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 365/567] iommu/tegra: fix device leak on probe_device()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 364/567] iommu/sun50i: " Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 366/567] iommu: disable SVA when CONFIG_X86 is set Greg Kroah-Hartman
` (215 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Robin Murphy,
Thierry Reding, Johan Hovold, Joerg Roedel
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit c08934a61201db8f1d1c66fcc63fb2eb526b656d upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during probe_device().
Note that commit 9826e393e4a8 ("iommu/tegra-smmu: Fix missing
put_device() call in tegra_smmu_find") fixed the leak in an error path,
but the reference is still leaking on success.
Fixes: 891846516317 ("memory: Add NVIDIA Tegra memory controller support")
Cc: stable@vger.kernel.org # 3.19: 9826e393e4a8
Cc: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/tegra-smmu.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/iommu/tegra-smmu.c
+++ b/drivers/iommu/tegra-smmu.c
@@ -823,10 +823,9 @@ static struct tegra_smmu *tegra_smmu_fin
return NULL;
mc = platform_get_drvdata(pdev);
- if (!mc) {
- put_device(&pdev->dev);
+ put_device(&pdev->dev);
+ if (!mc)
return NULL;
- }
return mc->smmu;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 366/567] iommu: disable SVA when CONFIG_X86 is set
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 365/567] iommu/tegra: fix device leak on probe_device() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 367/567] HID: logitech-dj: Remove duplicate error logging Greg Kroah-Hartman
` (214 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lu Baolu, Jason Gunthorpe,
Alistair Popple, Andy Lutomirski, Borislav Betkov, Dave Hansen,
David Hildenbrand, Ingo Molnar, Jann Horn, Jean-Philippe Brucker,
Joerg Roedel, Kevin Tian, Liam Howlett, Lorenzo Stoakes,
Matthew Wilcox (Oracle), Michal Hocko, Mike Rapoport,
Peter Zijlstra, Robin Murohy, Thomas Gleinxer,
Uladzislau Rezki (Sony), Vasant Hegde, Vinicius Costa Gomes,
Vlastimil Babka, Will Deacon, Yi Lai, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit 72f98ef9a4be30d2a60136dd6faee376f780d06c upstream.
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.
This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.
Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
Link: https://lkml.kernel.org/r/20251022082635.2462433-1-baolu.lu@linux.intel.com
Link: https://lkml.kernel.org/r/20251022082635.2462433-2-baolu.lu@linux.intel.com
Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Kevin Tian <kevin.tian@intel.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommu-sva.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iommu/iommu-sva.c
+++ b/drivers/iommu/iommu-sva.c
@@ -80,6 +80,9 @@ struct iommu_sva *iommu_sva_bind_device(
if (!group)
return ERR_PTR(-ENODEV);
+ if (IS_ENABLED(CONFIG_X86))
+ return ERR_PTR(-EOPNOTSUPP);
+
mutex_lock(&iommu_sva_lock);
/* Allocate mm->pasid if necessary. */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 367/567] HID: logitech-dj: Remove duplicate error logging
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 366/567] iommu: disable SVA when CONFIG_X86 is set Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 368/567] fgraph: Initialize ftrace_ops->private for function graph ops Greg Kroah-Hartman
` (213 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Jiri Kosina
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <johannes.goede@oss.qualcomm.com>
commit ca389a55d8b2d86a817433bf82e0602b68c4d541 upstream.
logi_dj_recv_query_paired_devices() and logi_dj_recv_switch_to_dj_mode()
both have 2 callers which all log an error if the function fails. Move
the error logging to inside these 2 functions to remove the duplicated
error logging in the callers.
While at it also move the logi_dj_recv_send_report() call error handling
in logi_dj_recv_switch_to_dj_mode() to directly after the call. That call
only fails if the report cannot be found and in that case it does nothing,
so the msleep() is not necessary on failures.
Fixes: 6f20d3261265 ("HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()")
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-logitech-dj.c | 56 +++++++++++++++++-------------------------
1 file changed, 23 insertions(+), 33 deletions(-)
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -805,7 +805,6 @@ static void delayedwork_callback(struct
struct dj_workitem workitem;
unsigned long flags;
int count;
- int retval;
dbg_hid("%s\n", __func__);
@@ -842,11 +841,7 @@ static void delayedwork_callback(struct
logi_dj_recv_destroy_djhid_device(djrcv_dev, &workitem);
break;
case WORKITEM_TYPE_UNKNOWN:
- retval = logi_dj_recv_query_paired_devices(djrcv_dev);
- if (retval) {
- hid_err(djrcv_dev->hidpp, "%s: logi_dj_recv_query_paired_devices error: %d\n",
- __func__, retval);
- }
+ logi_dj_recv_query_paired_devices(djrcv_dev);
break;
case WORKITEM_TYPE_EMPTY:
dbg_hid("%s: device list is empty\n", __func__);
@@ -1239,8 +1234,10 @@ static int logi_dj_recv_query_paired_dev
djrcv_dev->last_query = jiffies;
- if (djrcv_dev->type != recvr_type_dj)
- return logi_dj_recv_query_hidpp_devices(djrcv_dev);
+ if (djrcv_dev->type != recvr_type_dj) {
+ retval = logi_dj_recv_query_hidpp_devices(djrcv_dev);
+ goto out;
+ }
dj_report = kzalloc(sizeof(struct dj_report), GFP_KERNEL);
if (!dj_report)
@@ -1250,6 +1247,10 @@ static int logi_dj_recv_query_paired_dev
dj_report->report_type = REPORT_TYPE_CMD_GET_PAIRED_DEVICES;
retval = logi_dj_recv_send_report(djrcv_dev, dj_report);
kfree(dj_report);
+out:
+ if (retval < 0)
+ hid_err(djrcv_dev->hidpp, "%s error:%d\n", __func__, retval);
+
return retval;
}
@@ -1275,6 +1276,8 @@ static int logi_dj_recv_switch_to_dj_mod
(u8)timeout;
retval = logi_dj_recv_send_report(djrcv_dev, dj_report);
+ if (retval)
+ goto out;
/*
* Ugly sleep to work around a USB 3.0 bug when the receiver is
@@ -1283,11 +1286,6 @@ static int logi_dj_recv_switch_to_dj_mod
* 50 msec should gives enough time to the receiver to be ready.
*/
msleep(50);
-
- if (retval) {
- kfree(dj_report);
- return retval;
- }
}
/*
@@ -1313,7 +1311,12 @@ static int logi_dj_recv_switch_to_dj_mod
HIDPP_REPORT_SHORT_LENGTH, HID_OUTPUT_REPORT,
HID_REQ_SET_REPORT);
+out:
kfree(dj_report);
+
+ if (retval < 0)
+ hid_err(hdev, "%s error:%d\n", __func__, retval);
+
return retval;
}
@@ -1835,11 +1838,8 @@ static int logi_dj_probe(struct hid_devi
if (has_hidpp) {
retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0);
- if (retval < 0) {
- hid_err(hdev, "%s: logi_dj_recv_switch_to_dj_mode returned error:%d\n",
- __func__, retval);
+ if (retval < 0)
goto switch_to_dj_mode_fail;
- }
}
/* This is enabling the polling urb on the IN endpoint */
@@ -1857,15 +1857,11 @@ static int logi_dj_probe(struct hid_devi
spin_lock_irqsave(&djrcv_dev->lock, flags);
djrcv_dev->ready = true;
spin_unlock_irqrestore(&djrcv_dev->lock, flags);
- retval = logi_dj_recv_query_paired_devices(djrcv_dev);
- if (retval < 0) {
- hid_err(hdev, "%s: logi_dj_recv_query_paired_devices error:%d\n",
- __func__, retval);
- /*
- * This can happen with a KVM, let the probe succeed,
- * logi_dj_recv_queue_unknown_work will retry later.
- */
- }
+ /*
+ * This can fail with a KVM. Ignore errors to let the probe
+ * succeed, logi_dj_recv_queue_unknown_work will retry later.
+ */
+ logi_dj_recv_query_paired_devices(djrcv_dev);
}
return 0;
@@ -1882,18 +1878,12 @@ hid_hw_start_fail:
#ifdef CONFIG_PM
static int logi_dj_reset_resume(struct hid_device *hdev)
{
- int retval;
struct dj_receiver_dev *djrcv_dev = hid_get_drvdata(hdev);
if (!djrcv_dev || djrcv_dev->hidpp != hdev)
return 0;
- retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0);
- if (retval < 0) {
- hid_err(hdev, "%s: logi_dj_recv_switch_to_dj_mode returned error:%d\n",
- __func__, retval);
- }
-
+ logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0);
return 0;
}
#endif
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 368/567] fgraph: Initialize ftrace_ops->private for function graph ops
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 367/567] HID: logitech-dj: Remove duplicate error logging Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 369/567] fgraph: Check ftrace_pids_enabled on registration for early filtering Greg Kroah-Hartman
` (212 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wang.yaxin, mhiramat, mark.rutland,
mathieu.desnoyers, zhang.run, yang.yang29, Shengming Hu,
Steven Rostedt (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengming Hu <hu.shengming@zte.com.cn>
commit b5d6d3f73d0bac4a7e3a061372f6da166fc6ee5c upstream.
The ftrace_pids_enabled(op) check relies on op->private being properly
initialized, but fgraph_ops's underlying ftrace_ops->private was left
uninitialized. This caused ftrace_pids_enabled() to always return false,
effectively disabling PID filtering for function graph tracing.
Fix this by copying src_ops->private to dst_ops->private in
fgraph_init_ops(), ensuring PID filter state is correctly propagated.
Cc: stable@vger.kernel.org
Cc: <wang.yaxin@zte.com.cn>
Cc: <mhiramat@kernel.org>
Cc: <mark.rutland@arm.com>
Cc: <mathieu.desnoyers@efficios.com>
Cc: <zhang.run@zte.com.cn>
Cc: <yang.yang29@zte.com.cn>
Fixes: c132be2c4fcc1 ("function_graph: Have the instances use their own ftrace_ops for filtering")
Link: https://patch.msgid.link/20251126172926004y3hC8QyU4WFOjBkU_UxLC@zte.com.cn
Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/fgraph.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/trace/fgraph.c
+++ b/kernel/trace/fgraph.c
@@ -943,6 +943,7 @@ void fgraph_init_ops(struct ftrace_ops *
mutex_init(&dst_ops->local_hash.regex_lock);
INIT_LIST_HEAD(&dst_ops->subop_list);
dst_ops->flags |= FTRACE_OPS_FL_INITIALIZED;
+ dst_ops->private = src_ops->private;
}
#endif
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 369/567] fgraph: Check ftrace_pids_enabled on registration for early filtering
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 368/567] fgraph: Initialize ftrace_ops->private for function graph ops Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 370/567] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths Greg Kroah-Hartman
` (211 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wang.yaxin, mhiramat, mark.rutland,
mathieu.desnoyers, zhang.run, yang.yang29, Shengming Hu,
Steven Rostedt (Google)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengming Hu <hu.shengming@zte.com.cn>
commit 1650a1b6cb1ae6cb99bb4fce21b30ebdf9fc238e upstream.
When registering ftrace_graph, check if ftrace_pids_enabled is active.
If enabled, assign entryfunc to fgraph_pid_func to ensure filtering
is performed before executing the saved original entry function.
Cc: stable@vger.kernel.org
Cc: <wang.yaxin@zte.com.cn>
Cc: <mhiramat@kernel.org>
Cc: <mark.rutland@arm.com>
Cc: <mathieu.desnoyers@efficios.com>
Cc: <zhang.run@zte.com.cn>
Cc: <yang.yang29@zte.com.cn>
Link: https://patch.msgid.link/20251126173331679XGVF98NLhyLJRdtNkVZ6w@zte.com.cn
Fixes: df3ec5da6a1e7 ("function_graph: Add pid tracing back to function graph tracer")
Signed-off-by: Shengming Hu <hu.shengming@zte.com.cn>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/fgraph.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/kernel/trace/fgraph.c
+++ b/kernel/trace/fgraph.c
@@ -1286,6 +1286,13 @@ int register_ftrace_graph(struct fgraph_
ftrace_graph_active++;
+ /* Always save the function, and reset at unregistering */
+ gops->saved_func = gops->entryfunc;
+#ifdef CONFIG_DYNAMIC_FTRACE
+ if (ftrace_pids_enabled(&gops->ops))
+ gops->entryfunc = fgraph_pid_func;
+#endif
+
if (ftrace_graph_active == 2)
ftrace_graph_disable_direct(true);
@@ -1305,8 +1312,6 @@ int register_ftrace_graph(struct fgraph_
} else {
init_task_vars(gops->idx);
}
- /* Always save the function, and reset at unregistering */
- gops->saved_func = gops->entryfunc;
ret = ftrace_startup_subops(&graph_ops, &gops->ops, command);
if (!ret)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 370/567] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 369/567] fgraph: Check ftrace_pids_enabled on registration for early filtering Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 371/567] arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator Greg Kroah-Hartman
` (210 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas,
Rafael J. Wysocki (Intel)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 894f475f88e06c0f352c829849560790dbdedbe5 upstream.
When a PCI device is suspended, it is normally the PCI core's job to save
Config Space and put the device into a low power state. However drivers
are allowed to assume these responsibilities. When they do, the PCI core
can tell by looking at the state_saved flag in struct pci_dev: The flag
is cleared before commencing the suspend sequence and it is set when
pci_save_state() is called. If the PCI core finds the flag set late in
the suspend sequence, it refrains from calling pci_save_state() itself.
But there are two corner cases where the PCI core neglects to clear the
flag before commencing the suspend sequence:
* If a driver has legacy PCI PM callbacks, pci_legacy_suspend() neglects
to clear the flag. The (stale) flag is subsequently queried by
pci_legacy_suspend() itself and pci_legacy_suspend_late().
* If a device has no driver or its driver has no PCI PM callbacks,
pci_pm_freeze() neglects to clear the flag. The (stale) flag is
subsequently queried by pci_pm_freeze_noirq().
The flag may be set prior to suspend if the device went through error
recovery: Drivers commonly invoke pci_restore_state() + pci_save_state()
to restore Config Space after reset.
The flag may also be set if drivers call pci_save_state() on probe to
allow for recovery from subsequent errors.
The result is that pci_legacy_suspend_late() and pci_pm_freeze_noirq()
don't call pci_save_state() and so the state that will be restored on
resume is the one recorded on last error recovery or on probe, not the one
that the device had on suspend. If the two states happen to be identical,
there's no problem.
Reinstate clearing the flag in pci_legacy_suspend() and pci_pm_freeze().
The two functions used to do that until commit 4b77b0a2ba27 ("PCI: Clear
saved_state after the state has been restored") deemed it unnecessary
because it assumed that it's sufficient to clear the flag on resume in
pci_restore_state(). The commit seemingly did not take into account that
pci_save_state() and pci_restore_state() are not only used by power
management code, but also for error recovery.
Devices without driver or whose driver has no PCI PM callbacks may be in
runtime suspend when pci_pm_freeze() is called. Their state has already
been saved, so don't clear the flag to skip a pointless pci_save_state()
in pci_pm_freeze_noirq().
None of the drivers with legacy PCI PM callbacks seem to use runtime PM,
so clear the flag unconditionally in their case.
Fixes: 4b77b0a2ba27 ("PCI: Clear saved_state after the state has been restored")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Cc: stable@vger.kernel.org # v2.6.32+
Link: https://patch.msgid.link/094f2aad64418710daf0940112abe5a0afdc6bce.1763483367.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci-driver.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -635,6 +635,8 @@ static int pci_legacy_suspend(struct dev
struct pci_dev *pci_dev = to_pci_dev(dev);
struct pci_driver *drv = pci_dev->driver;
+ pci_dev->state_saved = false;
+
if (drv && drv->suspend) {
pci_power_t prev = pci_dev->current_state;
int error;
@@ -1039,6 +1041,8 @@ static int pci_pm_freeze(struct device *
if (!pm) {
pci_pm_default_suspend(pci_dev);
+ if (!pm_runtime_suspended(dev))
+ pci_dev->state_saved = false;
return 0;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 371/567] arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 370/567] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 372/567] powerpc, mm: Fix mprotect on book3s 32-bit Greg Kroah-Hartman
` (209 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli,
Yemike Abhilash Chandra, Vignesh Raghavendra
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
commit 51f89c488f2ecc020f82bfedd77482584ce8027a upstream.
The SoC pin Y1 is incorrectly defined in the WKUP Pinmux device-tree node
(pinctrl@4301c000) leading to the following silent failure:
pinctrl-single 4301c000.pinctrl: mux offset out of range: 0x1dc (0x178)
According to the datasheet for the J721E SoC [0], the pin Y1 belongs to the
MAIN Pinmux device-tree node (pinctrl@11c000). This is confirmed by the
address of the pinmux register for it on page 142 of the datasheet which is
0x00011C1DC.
Hence fix it.
[0]: https://www.ti.com/lit/ds/symlink/tda4vm.pdf
Fixes: 97b67cc102dc ("arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators")
Cc: stable@vger.kernel.org
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Reviewed-by: Yemike Abhilash Chandra <y-abhilashchandra@ti.com>
Link: https://patch.msgid.link/20251119160148.2752616-1-s-vadapalli@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
@@ -572,6 +572,12 @@
J721E_IOPAD(0x234, PIN_INPUT, 7) /* (U3) EXT_REFCLK1.GPIO1_12 */
>;
};
+
+ vdd_sd_dv_pins_default: vdd-sd-dv-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x1dc, PIN_OUTPUT, 7) /* (Y1) SPI1_CLK.GPIO0_118 */
+ >;
+ };
};
&wkup_pmx0 {
@@ -633,12 +639,6 @@
>;
};
- vdd_sd_dv_pins_default: vdd-sd-dv-default-pins {
- pinctrl-single,pins = <
- J721E_IOPAD(0x1dc, PIN_OUTPUT, 7) /* (Y1) SPI1_CLK.GPIO0_118 */
- >;
- };
-
wkup_uart0_pins_default: wkup-uart0-default-pins {
pinctrl-single,pins = <
J721E_WKUP_IOPAD(0xa0, PIN_INPUT, 0) /* (J29) WKUP_UART0_RXD */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 372/567] powerpc, mm: Fix mprotect on book3s 32-bit
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 371/567] arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 373/567] powerpc/64s/slb: Fix SLB multihit issue during SLB preload Greg Kroah-Hartman
` (208 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy,
Ritesh Harjani (IBM), Dave Vasilevsky, Madhavan Srinivasan
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Vasilevsky <dave@vasilevsky.ca>
commit 78fc63ffa7813e33681839bb33826c24195f0eb7 upstream.
On 32-bit book3s with hash-MMUs, tlb_flush() was a no-op. This was
unnoticed because all uses until recently were for unmaps, and thus
handled by __tlb_remove_tlb_entry().
After commit 4a18419f71cd ("mm/mprotect: use mmu_gather") in kernel 5.19,
tlb_gather_mmu() started being used for mprotect as well. This caused
mprotect to simply not work on these machines:
int *ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
*ptr = 1; // force HPTE to be created
mprotect(ptr, 4096, PROT_READ);
*ptr = 2; // should segfault, but succeeds
Fixed by making tlb_flush() actually flush TLB pages. This finally
agrees with the behaviour of boot3s64's tlb_flush().
Fixes: 4a18419f71cd ("mm/mprotect: use mmu_gather")
Cc: stable@vger.kernel.org
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Dave Vasilevsky <dave@vasilevsky.ca>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20251116-vasi-mprotect-g3-v3-1-59a9bd33ba00@vasilevsky.ca
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/book3s/32/tlbflush.h | 5 ++++-
arch/powerpc/mm/book3s32/tlb.c | 9 +++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
--- a/arch/powerpc/include/asm/book3s/32/tlbflush.h
+++ b/arch/powerpc/include/asm/book3s/32/tlbflush.h
@@ -11,6 +11,7 @@
void hash__flush_tlb_mm(struct mm_struct *mm);
void hash__flush_tlb_page(struct vm_area_struct *vma, unsigned long vmaddr);
void hash__flush_range(struct mm_struct *mm, unsigned long start, unsigned long end);
+void hash__flush_gather(struct mmu_gather *tlb);
#ifdef CONFIG_SMP
void _tlbie(unsigned long address);
@@ -29,7 +30,9 @@ void _tlbia(void);
static inline void tlb_flush(struct mmu_gather *tlb)
{
/* 603 needs to flush the whole TLB here since it doesn't use a hash table. */
- if (!mmu_has_feature(MMU_FTR_HPTE_TABLE))
+ if (mmu_has_feature(MMU_FTR_HPTE_TABLE))
+ hash__flush_gather(tlb);
+ else
_tlbia();
}
--- a/arch/powerpc/mm/book3s32/tlb.c
+++ b/arch/powerpc/mm/book3s32/tlb.c
@@ -105,3 +105,12 @@ void hash__flush_tlb_page(struct vm_area
flush_hash_pages(mm->context.id, vmaddr, pmd_val(*pmd), 1);
}
EXPORT_SYMBOL(hash__flush_tlb_page);
+
+void hash__flush_gather(struct mmu_gather *tlb)
+{
+ if (tlb->fullmm || tlb->need_flush_all)
+ hash__flush_tlb_mm(tlb->mm);
+ else
+ hash__flush_range(tlb->mm, tlb->start, tlb->end);
+}
+EXPORT_SYMBOL(hash__flush_gather);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 373/567] powerpc/64s/slb: Fix SLB multihit issue during SLB preload
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 372/567] powerpc, mm: Fix mprotect on book3s 32-bit Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 374/567] leds: leds-cros_ec: Skip LEDs without color components Greg Kroah-Hartman
` (207 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Piggin, Donet Tom,
Ritesh Harjani (IBM), Madhavan Srinivasan
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Donet Tom <donettom@linux.ibm.com>
commit 00312419f0863964625d6dcda8183f96849412c6 upstream.
On systems using the hash MMU, there is a software SLB preload cache that
mirrors the entries loaded into the hardware SLB buffer. This preload
cache is subject to periodic eviction — typically after every 256 context
switches — to remove old entry.
To optimize performance, the kernel skips switch_mmu_context() in
switch_mm_irqs_off() when the prev and next mm_struct are the same.
However, on hash MMU systems, this can lead to inconsistencies between
the hardware SLB and the software preload cache.
If an SLB entry for a process is evicted from the software cache on one
CPU, and the same process later runs on another CPU without executing
switch_mmu_context(), the hardware SLB may retain stale entries. If the
kernel then attempts to reload that entry, it can trigger an SLB
multi-hit error.
The following timeline shows how stale SLB entries are created and can
cause a multi-hit error when a process moves between CPUs without a
MMU context switch.
CPU 0 CPU 1
----- -----
Process P
exec swapper/1
load_elf_binary
begin_new_exc
activate_mm
switch_mm_irqs_off
switch_mmu_context
switch_slb
/*
* This invalidates all
* the entries in the HW
* and setup the new HW
* SLB entries as per the
* preload cache.
*/
context_switch
sched_migrate_task migrates process P to cpu-1
Process swapper/0 context switch (to process P)
(uses mm_struct of Process P) switch_mm_irqs_off()
switch_slb
load_slb++
/*
* load_slb becomes 0 here
* and we evict an entry from
* the preload cache with
* preload_age(). We still
* keep HW SLB and preload
* cache in sync, that is
* because all HW SLB entries
* anyways gets evicted in
* switch_slb during SLBIA.
* We then only add those
* entries back in HW SLB,
* which are currently
* present in preload_cache
* (after eviction).
*/
load_elf_binary continues...
setup_new_exec()
slb_setup_new_exec()
sched_switch event
sched_migrate_task migrates
process P to cpu-0
context_switch from swapper/0 to Process P
switch_mm_irqs_off()
/*
* Since both prev and next mm struct are same we don't call
* switch_mmu_context(). This will cause the HW SLB and SW preload
* cache to go out of sync in preload_new_slb_context. Because there
* was an SLB entry which was evicted from both HW and preload cache
* on cpu-1. Now later in preload_new_slb_context(), when we will try
* to add the same preload entry again, we will add this to the SW
* preload cache and then will add it to the HW SLB. Since on cpu-0
* this entry was never invalidated, hence adding this entry to the HW
* SLB will cause a SLB multi-hit error.
*/
load_elf_binary continues...
START_THREAD
start_thread
preload_new_slb_context
/*
* This tries to add a new EA to preload cache which was earlier
* evicted from both cpu-1 HW SLB and preload cache. This caused the
* HW SLB of cpu-0 to go out of sync with the SW preload cache. The
* reason for this was, that when we context switched back on CPU-0,
* we should have ideally called switch_mmu_context() which will
* bring the HW SLB entries on CPU-0 in sync with SW preload cache
* entries by setting up the mmu context properly. But we didn't do
* that since the prev mm_struct running on cpu-0 was same as the
* next mm_struct (which is true for swapper / kernel threads). So
* now when we try to add this new entry into the HW SLB of cpu-0,
* we hit a SLB multi-hit error.
*/
WARNING: CPU: 0 PID: 1810970 at arch/powerpc/mm/book3s64/slb.c:62
assert_slb_presence+0x2c/0x50(48 results) 02:47:29 [20157/42149]
Modules linked in:
CPU: 0 UID: 0 PID: 1810970 Comm: dd Not tainted 6.16.0-rc3-dirty #12
VOLUNTARY
Hardware name: IBM pSeries (emulated by qemu) POWER8 (architected)
0x4d0200 0xf000004 of:SLOF,HEAD hv:linux,kvm pSeries
NIP: c00000000015426c LR: c0000000001543b4 CTR: 0000000000000000
REGS: c0000000497c77e0 TRAP: 0700 Not tainted (6.16.0-rc3-dirty)
MSR: 8000000002823033 <SF,VEC,VSX,FP,ME,IR,DR,RI,LE> CR: 28888482 XER: 00000000
CFAR: c0000000001543b0 IRQMASK: 3
<...>
NIP [c00000000015426c] assert_slb_presence+0x2c/0x50
LR [c0000000001543b4] slb_insert_entry+0x124/0x390
Call Trace:
0x7fffceb5ffff (unreliable)
preload_new_slb_context+0x100/0x1a0
start_thread+0x26c/0x420
load_elf_binary+0x1b04/0x1c40
bprm_execve+0x358/0x680
do_execveat_common+0x1f8/0x240
sys_execve+0x58/0x70
system_call_exception+0x114/0x300
system_call_common+0x160/0x2c4
>From the above analysis, during early exec the hardware SLB is cleared,
and entries from the software preload cache are reloaded into hardware
by switch_slb. However, preload_new_slb_context and slb_setup_new_exec
also attempt to load some of the same entries, which can trigger a
multi-hit. In most cases, these additional preloads simply hit existing
entries and add nothing new. Removing these functions avoids redundant
preloads and eliminates the multi-hit issue. This patch removes these
two functions.
We tested process switching performance using the context_switch
benchmark on POWER9/hash, and observed no regression.
Without this patch: 129041 ops/sec
With this patch: 129341 ops/sec
We also measured SLB faults during boot, and the counts are essentially
the same with and without this patch.
SLB faults without this patch: 19727
SLB faults with this patch: 19786
Fixes: 5434ae74629a ("powerpc/64s/hash: Add a SLB preload cache")
cc: stable@vger.kernel.org
Suggested-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/0ac694ae683494fe8cadbd911a1a5018d5d3c541.1761834163.git.ritesh.list@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1
arch/powerpc/kernel/process.c | 5 -
arch/powerpc/mm/book3s64/internal.h | 2
arch/powerpc/mm/book3s64/mmu_context.c | 2
arch/powerpc/mm/book3s64/slb.c | 88 --------------------------
5 files changed, 98 deletions(-)
--- a/arch/powerpc/include/asm/book3s/64/mmu-hash.h
+++ b/arch/powerpc/include/asm/book3s/64/mmu-hash.h
@@ -524,7 +524,6 @@ void slb_save_contents(struct slb_entry
void slb_dump_contents(struct slb_entry *slb_ptr);
extern void slb_vmalloc_update(void);
-void preload_new_slb_context(unsigned long start, unsigned long sp);
#ifdef CONFIG_PPC_64S_HASH_MMU
void slb_set_size(u16 size);
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1897,8 +1897,6 @@ int copy_thread(struct task_struct *p, c
return 0;
}
-void preload_new_slb_context(unsigned long start, unsigned long sp);
-
/*
* Set up a thread for executing a new program
*/
@@ -1906,9 +1904,6 @@ void start_thread(struct pt_regs *regs,
{
#ifdef CONFIG_PPC64
unsigned long load_addr = regs->gpr[2]; /* saved by ELF_PLAT_INIT */
-
- if (IS_ENABLED(CONFIG_PPC_BOOK3S_64) && !radix_enabled())
- preload_new_slb_context(start, sp);
#endif
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
--- a/arch/powerpc/mm/book3s64/internal.h
+++ b/arch/powerpc/mm/book3s64/internal.h
@@ -24,8 +24,6 @@ static inline bool stress_hpt(void)
void hpt_do_stress(unsigned long ea, unsigned long hpte_group);
-void slb_setup_new_exec(void);
-
void exit_lazy_flush_tlb(struct mm_struct *mm, bool always_flush);
#endif /* ARCH_POWERPC_MM_BOOK3S64_INTERNAL_H */
--- a/arch/powerpc/mm/book3s64/mmu_context.c
+++ b/arch/powerpc/mm/book3s64/mmu_context.c
@@ -150,8 +150,6 @@ static int hash__init_new_context(struct
void hash__setup_new_exec(void)
{
slice_setup_new_exec();
-
- slb_setup_new_exec();
}
#else
static inline int hash__init_new_context(struct mm_struct *mm)
--- a/arch/powerpc/mm/book3s64/slb.c
+++ b/arch/powerpc/mm/book3s64/slb.c
@@ -328,94 +328,6 @@ static void preload_age(struct thread_in
ti->slb_preload_tail = (ti->slb_preload_tail + 1) % SLB_PRELOAD_NR;
}
-void slb_setup_new_exec(void)
-{
- struct thread_info *ti = current_thread_info();
- struct mm_struct *mm = current->mm;
- unsigned long exec = 0x10000000;
-
- WARN_ON(irqs_disabled());
-
- /*
- * preload cache can only be used to determine whether a SLB
- * entry exists if it does not start to overflow.
- */
- if (ti->slb_preload_nr + 2 > SLB_PRELOAD_NR)
- return;
-
- hard_irq_disable();
-
- /*
- * We have no good place to clear the slb preload cache on exec,
- * flush_thread is about the earliest arch hook but that happens
- * after we switch to the mm and have already preloaded the SLBEs.
- *
- * For the most part that's probably okay to use entries from the
- * previous exec, they will age out if unused. It may turn out to
- * be an advantage to clear the cache before switching to it,
- * however.
- */
-
- /*
- * preload some userspace segments into the SLB.
- * Almost all 32 and 64bit PowerPC executables are linked at
- * 0x10000000 so it makes sense to preload this segment.
- */
- if (!is_kernel_addr(exec)) {
- if (preload_add(ti, exec))
- slb_allocate_user(mm, exec);
- }
-
- /* Libraries and mmaps. */
- if (!is_kernel_addr(mm->mmap_base)) {
- if (preload_add(ti, mm->mmap_base))
- slb_allocate_user(mm, mm->mmap_base);
- }
-
- /* see switch_slb */
- asm volatile("isync" : : : "memory");
-
- local_irq_enable();
-}
-
-void preload_new_slb_context(unsigned long start, unsigned long sp)
-{
- struct thread_info *ti = current_thread_info();
- struct mm_struct *mm = current->mm;
- unsigned long heap = mm->start_brk;
-
- WARN_ON(irqs_disabled());
-
- /* see above */
- if (ti->slb_preload_nr + 3 > SLB_PRELOAD_NR)
- return;
-
- hard_irq_disable();
-
- /* Userspace entry address. */
- if (!is_kernel_addr(start)) {
- if (preload_add(ti, start))
- slb_allocate_user(mm, start);
- }
-
- /* Top of stack, grows down. */
- if (!is_kernel_addr(sp)) {
- if (preload_add(ti, sp))
- slb_allocate_user(mm, sp);
- }
-
- /* Bottom of heap, grows up. */
- if (heap && !is_kernel_addr(heap)) {
- if (preload_add(ti, heap))
- slb_allocate_user(mm, heap);
- }
-
- /* see switch_slb */
- asm volatile("isync" : : : "memory");
-
- local_irq_enable();
-}
-
static void slb_cache_slbie_kernel(unsigned int index)
{
unsigned long slbie_data = get_paca()->slb_cache[index];
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 374/567] leds: leds-cros_ec: Skip LEDs without color components
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 373/567] powerpc/64s/slb: Fix SLB multihit issue during SLB preload Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 375/567] leds: leds-lp50xx: Allow LED 0 to be added to module bank Greg Kroah-Hartman
` (206 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Lee Jones
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
commit 4dbf066d965cd3299fb396f1375d10423c9c625c upstream.
A user reports that on their Lenovo Corsola Magneton with EC firmware
steelix-15194.270.0 the driver probe fails with EINVAL. It turns out
that the power LED does not contain any color components as indicated
by the following "ectool led power query" output:
Brightness range for LED 1:
red : 0x0
green : 0x0
blue : 0x0
yellow : 0x0
white : 0x0
amber : 0x0
The LED also does not react to commands sent manually through ectool and
is generally non-functional.
Instead of failing the probe for all LEDs managed by the EC when one
without color components is encountered, silently skip those.
Cc: stable@vger.kernel.org
Fixes: 8d6ce6f3ec9d ("leds: Add ChromeOS EC driver")
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://patch.msgid.link/20251028-cros_ec-leds-no-colors-v1-1-ebe13a02022a@weissschuh.net
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-cros_ec.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/leds/leds-cros_ec.c
+++ b/drivers/leds/leds-cros_ec.c
@@ -155,9 +155,6 @@ static int cros_ec_led_count_subleds(str
}
}
- if (!num_subleds)
- return -EINVAL;
-
*max_brightness = common_range;
return num_subleds;
}
@@ -202,6 +199,8 @@ static int cros_ec_led_probe_one(struct
&priv->led_mc_cdev.led_cdev.max_brightness);
if (num_subleds < 0)
return num_subleds;
+ if (num_subleds == 0)
+ return 0; /* LED without any colors, skip */
priv->cros_ec = cros_ec;
priv->led_id = id;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 375/567] leds: leds-lp50xx: Allow LED 0 to be added to module bank
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 374/567] leds: leds-cros_ec: Skip LEDs without color components Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 376/567] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs Greg Kroah-Hartman
` (205 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Hitz, Jacek Anaszewski,
Lee Jones
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Hitz <christian.hitz@bbv.ch>
commit 26fe74d598c32e7bc6f150edfc4aa43e1bee55db upstream.
led_banks contains LED module number(s) that should be grouped into the
module bank. led_banks is 0-initialized.
By checking the led_banks entries for 0, un-set entries are detected.
But a 0-entry also indicates that LED module 0 should be grouped into the
module bank.
By only iterating over the available entries no check for unused entries
is required and LED module 0 can be added to bank.
Cc: stable@vger.kernel.org
Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Link: https://patch.msgid.link/20251008123222.1117331-1-christian@klarinett.li
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-lp50xx.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -343,17 +343,15 @@ out:
return ret;
}
-static int lp50xx_set_banks(struct lp50xx *priv, u32 led_banks[])
+static int lp50xx_set_banks(struct lp50xx *priv, u32 led_banks[], int num_leds)
{
u8 led_config_lo, led_config_hi;
u32 bank_enable_mask = 0;
int ret;
int i;
- for (i = 0; i < priv->chip_info->max_modules; i++) {
- if (led_banks[i])
- bank_enable_mask |= (1 << led_banks[i]);
- }
+ for (i = 0; i < num_leds; i++)
+ bank_enable_mask |= (1 << led_banks[i]);
led_config_lo = bank_enable_mask;
led_config_hi = bank_enable_mask >> 8;
@@ -407,7 +405,7 @@ static int lp50xx_probe_leds(struct fwno
return ret;
}
- ret = lp50xx_set_banks(priv, led_banks);
+ ret = lp50xx_set_banks(priv, led_banks, num_leds);
if (ret) {
dev_err(priv->dev, "Cannot setup banked LEDs\n");
return ret;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 376/567] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 375/567] leds: leds-lp50xx: Allow LED 0 to be added to module bank Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 377/567] leds: leds-lp50xx: Enable chip before any communication Greg Kroah-Hartman
` (204 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Hitz, Lee Jones
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Hitz <christian.hitz@bbv.ch>
commit 5246e3673eeeccb4f5bf4f42375dd495d465ac15 upstream.
LP5009 supports 9 LED outputs that are grouped into 3 modules.
Cc: stable@vger.kernel.org
Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Link: https://patch.msgid.link/20251022063305.972190-1-christian@klarinett.li
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-lp50xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -56,7 +56,7 @@
/* There are 3 LED outputs per bank */
#define LP50XX_LEDS_PER_MODULE 3
-#define LP5009_MAX_LED_MODULES 2
+#define LP5009_MAX_LED_MODULES 3
#define LP5012_MAX_LED_MODULES 4
#define LP5018_MAX_LED_MODULES 6
#define LP5024_MAX_LED_MODULES 8
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 377/567] leds: leds-lp50xx: Enable chip before any communication
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 376/567] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 378/567] block: Clear BLK_ZONE_WPLUG_PLUGGED when aborting plugged BIOs Greg Kroah-Hartman
` (203 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Hitz, Lee Jones
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Hitz <christian.hitz@bbv.ch>
commit 434959618c47efe9e5f2e20f4a850caac4f6b823 upstream.
If a GPIO is used to control the chip's enable pin, it needs to be pulled
high before any i2c communication is attempted.
Currently, the enable GPIO handling is not correct.
Assume the enable GPIO is low when the probe function is entered. In this
case the device is in SHUTDOWN mode and does not react to i2c commands.
During probe the following sequence happens:
1. The call to lp50xx_reset() on line 548 has no effect as i2c is not
possible yet.
2. Then - on line 552 - lp50xx_enable_disable() is called. As
"priv->enable_gpio“ has not yet been initialized, setting the GPIO has
no effect. Also the i2c enable command is not executed as the device
is still in SHUTDOWN.
3. On line 556 the call to lp50xx_probe_dt() finally parses the rest of
the DT and the configured priv->enable_gpio is set up.
As a result the device is still in SHUTDOWN mode and not ready for
operation.
Split lp50xx_enable_disable() into distinct enable and disable functions
to enforce correct ordering between enable_gpio manipulations and i2c
commands.
Read enable_gpio configuration from DT before attempting to manipulate
enable_gpio.
Add delays to observe correct wait timing after manipulating enable_gpio
and before any i2c communication.
Cc: stable@vger.kernel.org
Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Link: https://patch.msgid.link/20251028155141.1603193-1-christian@klarinett.li
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-lp50xx.c | 55 ++++++++++++++++++++++++++++++++-------------
1 file changed, 40 insertions(+), 15 deletions(-)
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -52,6 +52,12 @@
#define LP50XX_SW_RESET 0xff
#define LP50XX_CHIP_EN BIT(6)
+#define LP50XX_CHIP_DISABLE 0x00
+#define LP50XX_START_TIME_US 500
+#define LP50XX_RESET_TIME_US 3
+
+#define LP50XX_EN_GPIO_LOW 0
+#define LP50XX_EN_GPIO_HIGH 1
/* There are 3 LED outputs per bank */
#define LP50XX_LEDS_PER_MODULE 3
@@ -371,19 +377,42 @@ static int lp50xx_reset(struct lp50xx *p
return regmap_write(priv->regmap, priv->chip_info->reset_reg, LP50XX_SW_RESET);
}
-static int lp50xx_enable_disable(struct lp50xx *priv, int enable_disable)
+static int lp50xx_enable(struct lp50xx *priv)
{
int ret;
- ret = gpiod_direction_output(priv->enable_gpio, enable_disable);
+ if (priv->enable_gpio) {
+ ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_HIGH);
+ if (ret)
+ return ret;
+
+ udelay(LP50XX_START_TIME_US);
+ }
+
+ ret = lp50xx_reset(priv);
if (ret)
return ret;
- if (enable_disable)
- return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
- else
- return regmap_write(priv->regmap, LP50XX_DEV_CFG0, 0);
+ return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
+}
+static int lp50xx_disable(struct lp50xx *priv)
+{
+ int ret;
+
+ ret = regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_DISABLE);
+ if (ret)
+ return ret;
+
+ if (priv->enable_gpio) {
+ ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_LOW);
+ if (ret)
+ return ret;
+
+ udelay(LP50XX_RESET_TIME_US);
+ }
+
+ return 0;
}
static int lp50xx_probe_leds(struct fwnode_handle *child, struct lp50xx *priv,
@@ -448,6 +477,10 @@ static int lp50xx_probe_dt(struct lp50xx
return dev_err_probe(priv->dev, PTR_ERR(priv->enable_gpio),
"Failed to get enable GPIO\n");
+ ret = lp50xx_enable(priv);
+ if (ret)
+ return ret;
+
priv->regulator = devm_regulator_get(priv->dev, "vled");
if (IS_ERR(priv->regulator))
priv->regulator = NULL;
@@ -554,14 +587,6 @@ static int lp50xx_probe(struct i2c_clien
return ret;
}
- ret = lp50xx_reset(led);
- if (ret)
- return ret;
-
- ret = lp50xx_enable_disable(led, 1);
- if (ret)
- return ret;
-
return lp50xx_probe_dt(led);
}
@@ -570,7 +595,7 @@ static void lp50xx_remove(struct i2c_cli
struct lp50xx *led = i2c_get_clientdata(client);
int ret;
- ret = lp50xx_enable_disable(led, 0);
+ ret = lp50xx_disable(led);
if (ret)
dev_err(led->dev, "Failed to disable chip\n");
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 378/567] block: Clear BLK_ZONE_WPLUG_PLUGGED when aborting plugged BIOs
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 377/567] leds: leds-lp50xx: Enable chip before any communication Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 379/567] clk: samsung: exynos-clkout: Assign .num before accessing .hws Greg Kroah-Hartman
` (202 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Niklas Cassel,
Johannes Thumshirn, Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit 552c1149af7ac0cffab6fccd13feeaf816dd1f53 upstream.
Commit fe0418eb9bd6 ("block: Prevent potential deadlocks in zone write
plug error recovery") added a WARN check in disk_put_zone_wplug() to
verify that when the last reference to a zone write plug is dropped,
this zone write plug does not have the BLK_ZONE_WPLUG_PLUGGED flag set,
that is, that it is not plugged.
However, the function disk_zone_wplug_abort(), which is called for zone
reset and zone finish operations, does not clear this flag after
emptying a zone write plug BIO list. This can result in the
disk_put_zone_wplug() warning to trigger if the user (erroneously as
that is bad pratcice) issues zone reset or zone finish operations while
the target zone still has plugged BIOs.
Modify disk_put_zone_wplug() to clear the BLK_ZONE_WPLUG_PLUGGED flag.
And while at it, also add a lockdep annotation to ensure that this
function is called with the zone write plug spinlock held.
Fixes: fe0418eb9bd6 ("block: Prevent potential deadlocks in zone write plug error recovery")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-zoned.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/block/blk-zoned.c
+++ b/block/blk-zoned.c
@@ -621,6 +621,8 @@ static void disk_zone_wplug_abort(struct
{
struct bio *bio;
+ lockdep_assert_held(&zwplug->lock);
+
if (bio_list_empty(&zwplug->bio_list))
return;
@@ -628,6 +630,8 @@ static void disk_zone_wplug_abort(struct
zwplug->disk->disk_name, zwplug->zone_no);
while ((bio = bio_list_pop(&zwplug->bio_list)))
blk_zone_wplug_bio_io_error(zwplug, bio);
+
+ zwplug->flags &= ~BLK_ZONE_WPLUG_PLUGGED;
}
/*
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 379/567] clk: samsung: exynos-clkout: Assign .num before accessing .hws
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 378/567] block: Clear BLK_ZONE_WPLUG_PLUGGED when aborting plugged BIOs Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 380/567] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup Greg Kroah-Hartman
` (201 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jochen Sprickerhof,
Nathan Chancellor, Kees Cook, Sam Protsenko, Krzysztof Kozlowski,
Stephen Boyd
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit cf33f0b7df13685234ccea7be7bfe316b60db4db upstream.
Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with
__counted_by") annotated the hws member of 'struct clk_hw_onecell_data'
with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS)
about the number of elements in .hws[], so that it can warn when .hws[]
is accessed out of bounds. As noted in that change, the __counted_by
member must be initialized with the number of elements before the first
array access happens, otherwise there will be a warning from each access
prior to the initialization because the number of elements is zero. This
occurs in exynos_clkout_probe() due to .num being assigned after .hws[]
has been accessed:
UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18
index 0 is out of range for type 'clk_hw *[*]'
Move the .num initialization to before the first access of .hws[],
clearing up the warning.
Cc: stable@vger.kernel.org
Fixes: f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by")
Reported-by: Jochen Sprickerhof <jochen@sprickerhof.de>
Closes: https://lore.kernel.org/aSIYDN5eyKFKoXKL@eldamar.lan/
Tested-by: Jochen Sprickerhof <jochen@sprickerhof.de>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <kees@kernel.org>
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/samsung/clk-exynos-clkout.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/clk/samsung/clk-exynos-clkout.c
+++ b/drivers/clk/samsung/clk-exynos-clkout.c
@@ -174,6 +174,7 @@ static int exynos_clkout_probe(struct pl
clkout->mux.shift = EXYNOS_CLKOUT_MUX_SHIFT;
clkout->mux.lock = &clkout->slock;
+ clkout->data.num = EXYNOS_CLKOUT_NR_CLKS;
clkout->data.hws[0] = clk_hw_register_composite(NULL, "clkout",
parent_names, parent_count, &clkout->mux.hw,
&clk_mux_ops, NULL, NULL, &clkout->gate.hw,
@@ -184,7 +185,6 @@ static int exynos_clkout_probe(struct pl
goto err_unmap;
}
- clkout->data.num = EXYNOS_CLKOUT_NR_CLKS;
ret = of_clk_add_hw_provider(clkout->np, of_clk_hw_onecell_get, &clkout->data);
if (ret)
goto err_clk_unreg;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 380/567] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 379/567] clk: samsung: exynos-clkout: Assign .num before accessing .hws Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 381/567] mfd: max77620: Fix potential IRQ chip conflict when probing two devices Greg Kroah-Hartman
` (200 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Lee Jones
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ccb7cd3218e48665f3c7e19eede0da5f069c323d upstream.
Make sure to drop the reference taken to the sysmgr platform device when
retrieving its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away.
Fixes: f36e789a1f8d ("mfd: altera-sysmgr: Add SOCFPGA System Manager")
Cc: stable@vger.kernel.org # 5.2
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/altera-sysmgr.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mfd/altera-sysmgr.c
+++ b/drivers/mfd/altera-sysmgr.c
@@ -117,6 +117,8 @@ struct regmap *altr_sysmgr_regmap_lookup
sysmgr = dev_get_drvdata(dev);
+ put_device(dev);
+
return sysmgr->regmap;
}
EXPORT_SYMBOL_GPL(altr_sysmgr_regmap_lookup_by_phandle);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 381/567] mfd: max77620: Fix potential IRQ chip conflict when probing two devices
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 380/567] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 382/567] media: rc: st_rc: Fix reset control resource leak Greg Kroah-Hartman
` (199 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Lee Jones
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 2bac49bad1f3553cc3b3bfb22cc194e9bd9e8427 upstream.
MAX77620 is most likely always a single device on the board, however
nothing stops board designers to have two of them, thus same device
driver could probe twice. Or user could manually try to probing second
time.
Device driver is not ready for that case, because it allocates
statically 'struct regmap_irq_chip' as non-const and stores during
probe in 'irq_drv_data' member a pointer to per-probe state
container ('struct max77620_chip'). devm_regmap_add_irq_chip() does not
make a copy of 'struct regmap_irq_chip' but store the pointer.
Second probe - either successful or failure - would overwrite the
'irq_drv_data' from previous device probe, so interrupts would be
executed in a wrong context.
Cc: stable@vger.kernel.org
Fixes: 3df140d11c6d ("mfd: max77620: Mask/unmask interrupt before/after servicing it")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/20251023101939.67991-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/max77620.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/mfd/max77620.c
+++ b/drivers/mfd/max77620.c
@@ -253,7 +253,7 @@ static int max77620_irq_global_unmask(vo
return ret;
}
-static struct regmap_irq_chip max77620_top_irq_chip = {
+static const struct regmap_irq_chip max77620_top_irq_chip = {
.name = "max77620-top",
.irqs = max77620_top_irqs,
.num_irqs = ARRAY_SIZE(max77620_top_irqs),
@@ -497,6 +497,7 @@ static int max77620_probe(struct i2c_cli
const struct i2c_device_id *id = i2c_client_get_device_id(client);
const struct regmap_config *rmap_config;
struct max77620_chip *chip;
+ struct regmap_irq_chip *chip_desc;
const struct mfd_cell *mfd_cells;
int n_mfd_cells;
bool pm_off;
@@ -507,6 +508,14 @@ static int max77620_probe(struct i2c_cli
return -ENOMEM;
i2c_set_clientdata(client, chip);
+
+ chip_desc = devm_kmemdup(&client->dev, &max77620_top_irq_chip,
+ sizeof(max77620_top_irq_chip),
+ GFP_KERNEL);
+ if (!chip_desc)
+ return -ENOMEM;
+ chip_desc->irq_drv_data = chip;
+
chip->dev = &client->dev;
chip->chip_irq = client->irq;
chip->chip_id = (enum max77620_chip_id)id->driver_data;
@@ -543,11 +552,9 @@ static int max77620_probe(struct i2c_cli
if (ret < 0)
return ret;
- max77620_top_irq_chip.irq_drv_data = chip;
ret = devm_regmap_add_irq_chip(chip->dev, chip->rmap, client->irq,
IRQF_ONESHOT | IRQF_SHARED, 0,
- &max77620_top_irq_chip,
- &chip->top_irq_data);
+ chip_desc, &chip->top_irq_data);
if (ret < 0) {
dev_err(chip->dev, "Failed to add regmap irq: %d\n", ret);
return ret;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 382/567] media: rc: st_rc: Fix reset control resource leak
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 381/567] mfd: max77620: Fix potential IRQ chip conflict when probing two devices Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 383/567] media: verisilicon: Fix CPU stalls on G2 bus error Greg Kroah-Hartman
` (198 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Patrice Chotard,
Sean Young, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
commit 1240abf4b71f632f0117b056e22488e4d9808938 upstream.
The driver calls reset_control_get_optional_exclusive() but never calls
reset_control_put() in error paths or in the remove function. This causes
a resource leak when probe fails after successfully acquiring the reset
control, or when the driver is unloaded.
Switch to devm_reset_control_get_optional_exclusive() to automatically
manage the reset control resource.
Fixes: a4b80242d046 ("media: st-rc: explicitly request exclusive reset control")
Cc: stable@vger.kernel.org
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/st_rc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/rc/st_rc.c
+++ b/drivers/media/rc/st_rc.c
@@ -284,7 +284,7 @@ static int st_rc_probe(struct platform_d
else
rc_dev->rx_base = rc_dev->base;
- rc_dev->rstc = reset_control_get_optional_exclusive(dev, NULL);
+ rc_dev->rstc = devm_reset_control_get_optional_exclusive(dev, NULL);
if (IS_ERR(rc_dev->rstc)) {
ret = PTR_ERR(rc_dev->rstc);
goto err;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 383/567] media: verisilicon: Fix CPU stalls on G2 bus error
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 382/567] media: rc: st_rc: Fix reset control resource leak Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 384/567] mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions Greg Kroah-Hartman
` (197 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Gaignard, Nicolas Dufresne,
Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
commit 19c286b755072a22a063052f530a6b1fac8a1f63 upstream.
In some seek stress tests, we are getting IRQ from the G2 decoder where
the dec_bus_int and the dec_e bits are high, meaning the decoder is
still running despite the error.
Fix this by reworking the IRQ handler to only finish the job once we
have reached completion and move the software reset to when our software
watchdog triggers.
This way, we let the hardware continue on errors when it did not self
reset and in worse case scenario the hardware timeout will
automatically stop it. The actual error will be fixed in a follow up
patch.
Fixes: 3385c514ecc5a ("media: hantro: Convert imx8m_vpu_g2_irq to helper")
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/verisilicon/hantro_g2.c | 84 ++++++++++++----
drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 2
drivers/media/platform/verisilicon/hantro_g2_regs.h | 13 ++
drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c | 2
drivers/media/platform/verisilicon/hantro_hw.h | 1
drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2
6 files changed, 83 insertions(+), 21 deletions(-)
--- a/drivers/media/platform/verisilicon/hantro_g2.c
+++ b/drivers/media/platform/verisilicon/hantro_g2.c
@@ -5,43 +5,93 @@
* Copyright (C) 2021 Collabora Ltd, Andrzej Pietrasiewicz <andrzej.p@collabora.com>
*/
+#include <linux/delay.h>
#include "hantro_hw.h"
#include "hantro_g2_regs.h"
#define G2_ALIGN 16
-void hantro_g2_check_idle(struct hantro_dev *vpu)
+static bool hantro_g2_active(struct hantro_ctx *ctx)
{
- int i;
+ struct hantro_dev *vpu = ctx->dev;
+ u32 status;
+
+ status = vdpu_read(vpu, G2_REG_INTERRUPT);
+
+ return (status & G2_REG_INTERRUPT_DEC_E);
+}
- for (i = 0; i < 3; i++) {
- u32 status;
+/**
+ * hantro_g2_reset:
+ * @ctx: the hantro context
+ *
+ * Emulates a reset using Hantro abort function. Failing this procedure would
+ * results in programming a running IP which leads to CPU hang.
+ *
+ * Using a hard reset procedure instead is prefferred.
+ */
+void hantro_g2_reset(struct hantro_ctx *ctx)
+{
+ struct hantro_dev *vpu = ctx->dev;
+ u32 status;
- /* Make sure the VPU is idle */
- status = vdpu_read(vpu, G2_REG_INTERRUPT);
- if (status & G2_REG_INTERRUPT_DEC_E) {
- dev_warn(vpu->dev, "device still running, aborting");
- status |= G2_REG_INTERRUPT_DEC_ABORT_E | G2_REG_INTERRUPT_DEC_IRQ_DIS;
- vdpu_write(vpu, status, G2_REG_INTERRUPT);
- }
+ status = vdpu_read(vpu, G2_REG_INTERRUPT);
+ if (status & G2_REG_INTERRUPT_DEC_E) {
+ dev_warn_ratelimited(vpu->dev, "device still running, aborting");
+ status |= G2_REG_INTERRUPT_DEC_ABORT_E | G2_REG_INTERRUPT_DEC_IRQ_DIS;
+ vdpu_write(vpu, status, G2_REG_INTERRUPT);
+
+ do {
+ mdelay(1);
+ } while (hantro_g2_active(ctx));
}
}
irqreturn_t hantro_g2_irq(int irq, void *dev_id)
{
struct hantro_dev *vpu = dev_id;
- enum vb2_buffer_state state;
u32 status;
status = vdpu_read(vpu, G2_REG_INTERRUPT);
- state = (status & G2_REG_INTERRUPT_DEC_RDY_INT) ?
- VB2_BUF_STATE_DONE : VB2_BUF_STATE_ERROR;
- vdpu_write(vpu, 0, G2_REG_INTERRUPT);
- vdpu_write(vpu, G2_REG_CONFIG_DEC_CLK_GATE_E, G2_REG_CONFIG);
+ if (!(status & G2_REG_INTERRUPT_DEC_IRQ))
+ return IRQ_NONE;
+
+ hantro_reg_write(vpu, &g2_dec_irq, 0);
+ hantro_reg_write(vpu, &g2_dec_int_stat, 0);
+ hantro_reg_write(vpu, &g2_clk_gate_e, 1);
+
+ if (status & G2_REG_INTERRUPT_DEC_RDY_INT) {
+ hantro_irq_done(vpu, VB2_BUF_STATE_DONE);
+ return IRQ_HANDLED;
+ }
+
+ if (status & G2_REG_INTERRUPT_DEC_ABORT_INT) {
+ /* disabled on abort, though lets be safe and handle it */
+ dev_warn_ratelimited(vpu->dev, "decode operation aborted.");
+ return IRQ_HANDLED;
+ }
+
+ if (status & G2_REG_INTERRUPT_DEC_LAST_SLICE_INT)
+ dev_warn_ratelimited(vpu->dev, "not all macroblocks were decoded.");
+
+ if (status & G2_REG_INTERRUPT_DEC_BUS_INT)
+ dev_warn_ratelimited(vpu->dev, "bus error detected.");
+
+ if (status & G2_REG_INTERRUPT_DEC_ERROR_INT)
+ dev_warn_ratelimited(vpu->dev, "decode error detected.");
- hantro_irq_done(vpu, state);
+ if (status & G2_REG_INTERRUPT_DEC_TIMEOUT)
+ dev_warn_ratelimited(vpu->dev, "frame decode timed out.");
+
+ /**
+ * If the decoding haven't stopped, let it continue. The hardware timeout
+ * will trigger if it is trully stuck.
+ */
+ if (status & G2_REG_INTERRUPT_DEC_E)
+ return IRQ_HANDLED;
+ hantro_irq_done(vpu, VB2_BUF_STATE_ERROR);
return IRQ_HANDLED;
}
--- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
+++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
@@ -582,8 +582,6 @@ int hantro_g2_hevc_dec_run(struct hantro
struct hantro_dev *vpu = ctx->dev;
int ret;
- hantro_g2_check_idle(vpu);
-
/* Prepare HEVC decoder context. */
ret = hantro_hevc_dec_prepare_run(ctx);
if (ret)
--- a/drivers/media/platform/verisilicon/hantro_g2_regs.h
+++ b/drivers/media/platform/verisilicon/hantro_g2_regs.h
@@ -22,7 +22,14 @@
#define G2_REG_VERSION G2_SWREG(0)
#define G2_REG_INTERRUPT G2_SWREG(1)
+#define G2_REG_INTERRUPT_DEC_LAST_SLICE_INT BIT(19)
+#define G2_REG_INTERRUPT_DEC_TIMEOUT BIT(18)
+#define G2_REG_INTERRUPT_DEC_ERROR_INT BIT(16)
+#define G2_REG_INTERRUPT_DEC_BUF_INT BIT(14)
+#define G2_REG_INTERRUPT_DEC_BUS_INT BIT(13)
#define G2_REG_INTERRUPT_DEC_RDY_INT BIT(12)
+#define G2_REG_INTERRUPT_DEC_ABORT_INT BIT(11)
+#define G2_REG_INTERRUPT_DEC_IRQ BIT(8)
#define G2_REG_INTERRUPT_DEC_ABORT_E BIT(5)
#define G2_REG_INTERRUPT_DEC_IRQ_DIS BIT(4)
#define G2_REG_INTERRUPT_DEC_E BIT(0)
@@ -35,6 +42,9 @@
#define BUS_WIDTH_128 2
#define BUS_WIDTH_256 3
+#define g2_dec_int_stat G2_DEC_REG(1, 11, 0xf)
+#define g2_dec_irq G2_DEC_REG(1, 8, 0x1)
+
#define g2_strm_swap G2_DEC_REG(2, 28, 0xf)
#define g2_strm_swap_old G2_DEC_REG(2, 27, 0x1f)
#define g2_pic_swap G2_DEC_REG(2, 22, 0x1f)
@@ -225,6 +235,9 @@
#define vp9_filt_level_seg5 G2_DEC_REG(19, 8, 0x3f)
#define vp9_quant_seg5 G2_DEC_REG(19, 0, 0xff)
+#define g2_timemout_override_e G2_DEC_REG(45, 31, 0x1)
+#define g2_timemout_cycles G2_DEC_REG(45, 0, 0x7fffffff)
+
#define hevc_cur_poc_00 G2_DEC_REG(46, 24, 0xff)
#define hevc_cur_poc_01 G2_DEC_REG(46, 16, 0xff)
#define hevc_cur_poc_02 G2_DEC_REG(46, 8, 0xff)
--- a/drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c
+++ b/drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c
@@ -893,8 +893,6 @@ int hantro_g2_vp9_dec_run(struct hantro_
struct vb2_v4l2_buffer *dst;
int ret;
- hantro_g2_check_idle(ctx->dev);
-
ret = start_prepare_run(ctx, &decode_params);
if (ret) {
hantro_end_prepare_run(ctx);
--- a/drivers/media/platform/verisilicon/hantro_hw.h
+++ b/drivers/media/platform/verisilicon/hantro_hw.h
@@ -583,6 +583,7 @@ void hantro_g2_vp9_dec_done(struct hantr
int hantro_vp9_dec_init(struct hantro_ctx *ctx);
void hantro_vp9_dec_exit(struct hantro_ctx *ctx);
void hantro_g2_check_idle(struct hantro_dev *vpu);
+void hantro_g2_reset(struct hantro_ctx *ctx);
irqreturn_t hantro_g2_irq(int irq, void *dev_id);
#endif /* HANTRO_HW_H_ */
--- a/drivers/media/platform/verisilicon/imx8m_vpu_hw.c
+++ b/drivers/media/platform/verisilicon/imx8m_vpu_hw.c
@@ -312,11 +312,13 @@ static const struct hantro_codec_ops imx
static const struct hantro_codec_ops imx8mq_vpu_g2_codec_ops[] = {
[HANTRO_MODE_HEVC_DEC] = {
.run = hantro_g2_hevc_dec_run,
+ .reset = hantro_g2_reset,
.init = hantro_hevc_dec_init,
.exit = hantro_hevc_dec_exit,
},
[HANTRO_MODE_VP9_DEC] = {
.run = hantro_g2_vp9_dec_run,
+ .reset = hantro_g2_reset,
.done = hantro_g2_vp9_dec_done,
.init = hantro_vp9_dec_init,
.exit = hantro_vp9_dec_exit,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 384/567] mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 383/567] media: verisilicon: Fix CPU stalls on G2 bus error Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 385/567] mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips Greg Kroah-Hartman
` (196 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Marangi, Miquel Raynal
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Marangi <ansuelsmth@gmail.com>
commit 64ef5f454e167bb66cf70104f033c3d71e6ef9c0 upstream.
Commit 5c2f7727d437 ("mtd: mtdpart: check for subpartitions parsing
result") introduced some kind of regression with parser on subpartitions
where if a parser emits an error then the entire parsing process from the
upper parser fails and partitions are deleted.
Not checking for error in subpartitions was originally intended as
special parser can emit error also in the case of the partition not
correctly init (for example a wiped partition) or special case where the
partition should be skipped due to some ENV variables externally
provided (from bootloader for example)
One example case is the TRX partition where, in the context of a wiped
partition, returns a -ENOENT as the trx_magic is not found in the
expected TRX header (as the partition is wiped)
To better handle this and still keep some kind of error tracking (for
example to catch -ENOMEM errors or -EINVAL errors), permit parser on
subpartition to emit -ENOENT error, print a debug log and skip them
accordingly.
This results in giving better tracking of the status of the parser
(instead of returning just 0, dropping any kind of signal that there is
something wrong with the parser) and to some degree restore the original
logic of the subpartitions parse.
(worth to notice that some special partition might have all the special
header present for the parser and declare 0 partition in it, this is why
it would be wrong to simply return 0 in the case of a special partition
that is NOT init for the scanning parser)
Cc: stable@vger.kernel.org
Fixes: 5c2f7727d437 ("mtd: mtdpart: check for subpartitions parsing result")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/mtdpart.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/mtd/mtdpart.c
+++ b/drivers/mtd/mtdpart.c
@@ -425,9 +425,12 @@ int add_mtd_partitions(struct mtd_info *
mtd_add_partition_attrs(child);
- /* Look for subpartitions */
+ /* Look for subpartitions (skip if no maching parser found) */
ret = parse_mtd_partitions(child, parts[i].types, NULL);
- if (ret < 0) {
+ if (ret < 0 && ret == -ENOENT) {
+ pr_debug("Skip parsing subpartitions: %d\n", ret);
+ continue;
+ } else if (ret < 0) {
pr_err("Failed to parse subpartitions: %d\n", ret);
goto err_del_partitions;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 385/567] mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 384/567] mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 386/567] mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips Greg Kroah-Hartman
` (195 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Michael Walle,
Pratyush Yadav
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit aee8c4d9d48d661624d72de670ebe5c6b5687842 upstream.
This chip must be described as none of the block protection information
are discoverable. This chip supports 4 bits plus the top/bottom
addressing capability to identify the protected blocks.
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/winbond.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/mtd/spi-nor/winbond.c
+++ b/drivers/mtd/spi-nor/winbond.c
@@ -254,6 +254,10 @@ static const struct flash_info winbond_n
.id = SNOR_ID(0xef, 0x80, 0x20),
.name = "w25q512nwm",
.otp = SNOR_OTP(256, 3, 0x1000, 0x1000),
+ }, {
+ /* W25Q01NWxxIQ */
+ .id = SNOR_ID(0xef, 0x60, 0x21),
+ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
},
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 386/567] mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 385/567] mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 387/567] mtd: spi-nor: winbond: Add support for W25Q02NWxxIM chips Greg Kroah-Hartman
` (194 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Michael Walle,
Pratyush Yadav
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit a607e676c8b9258eabc3fc88f45bcd70ea178b41 upstream.
These chips must be described as none of the block protection
information are discoverable. This chip supports 4 bits plus the
top/bottom addressing capability to identify the protected blocks.
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/winbond.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/mtd/spi-nor/winbond.c
+++ b/drivers/mtd/spi-nor/winbond.c
@@ -258,6 +258,10 @@ static const struct flash_info winbond_n
/* W25Q01NWxxIQ */
.id = SNOR_ID(0xef, 0x60, 0x21),
.flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
+ }, {
+ /* W25Q01NWxxIM */
+ .id = SNOR_ID(0xef, 0x80, 0x21),
+ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
},
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 387/567] mtd: spi-nor: winbond: Add support for W25Q02NWxxIM chips
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 386/567] mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 388/567] mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips Greg Kroah-Hartman
` (193 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Michael Walle,
Pratyush Yadav
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit 71c239348d9fbdb1f0d6f36013f1697cc06c3e9c upstream.
These chips must be described as none of the block protection
information are discoverable. This chip supports 4 bits plus the
top/bottom addressing capability to identify the protected blocks.
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/winbond.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/mtd/spi-nor/winbond.c
+++ b/drivers/mtd/spi-nor/winbond.c
@@ -262,6 +262,10 @@ static const struct flash_info winbond_n
/* W25Q01NWxxIM */
.id = SNOR_ID(0xef, 0x80, 0x21),
.flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
+ }, {
+ /* W25Q02NWxxIM */
+ .id = SNOR_ID(0xef, 0x80, 0x22),
+ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
},
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 388/567] mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 387/567] mtd: spi-nor: winbond: Add support for W25Q02NWxxIM chips Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 389/567] mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips Greg Kroah-Hartman
` (192 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Michael Walle,
Pratyush Yadav
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit f21d2c7d37553b24825918f2f61df123e182b712 upstream.
These chips must be described as none of the block protection
information are discoverable. This chip supports 4 bits plus the
top/bottom addressing capability to identify the protected blocks.
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/winbond.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/mtd/spi-nor/winbond.c
+++ b/drivers/mtd/spi-nor/winbond.c
@@ -266,6 +266,10 @@ static const struct flash_info winbond_n
/* W25Q02NWxxIM */
.id = SNOR_ID(0xef, 0x80, 0x22),
.flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
+ }, {
+ /* W25H512NWxxAM */
+ .id = SNOR_ID(0xef, 0xa0, 0x20),
+ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
},
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 389/567] mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 388/567] mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 390/567] mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips Greg Kroah-Hartman
` (191 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Michael Walle,
Pratyush Yadav
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit 1df1fdbc7e63350b2962dc7d87ded124ee26f3ad upstream.
These chips must be described as none of the block protection
information are discoverable. This chip supports 4 bits plus the
top/bottom addressing capability to identify the protected blocks.
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/winbond.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/mtd/spi-nor/winbond.c
+++ b/drivers/mtd/spi-nor/winbond.c
@@ -270,6 +270,10 @@ static const struct flash_info winbond_n
/* W25H512NWxxAM */
.id = SNOR_ID(0xef, 0xa0, 0x20),
.flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
+ }, {
+ /* W25H01NWxxAM */
+ .id = SNOR_ID(0xef, 0xa0, 0x21),
+ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
},
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 390/567] mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 389/567] mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 391/567] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace Greg Kroah-Hartman
` (190 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Michael Walle,
Pratyush Yadav
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit 604cf6a40157abba4677dea9834de8df9047d798 upstream.
These chips must be described as none of the block protection
information are discoverable. This chip supports 4 bits plus the
top/bottom addressing capability to identify the protected blocks.
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/winbond.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/mtd/spi-nor/winbond.c
+++ b/drivers/mtd/spi-nor/winbond.c
@@ -274,6 +274,10 @@ static const struct flash_info winbond_n
/* W25H01NWxxAM */
.id = SNOR_ID(0xef, 0xa0, 0x21),
.flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
+ }, {
+ /* W25H02NWxxAM */
+ .id = SNOR_ID(0xef, 0xa0, 0x22),
+ .flags = SPI_NOR_HAS_LOCK | SPI_NOR_HAS_TB | SPI_NOR_TB_SR_BIT6 | SPI_NOR_4BIT_BP,
},
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 391/567] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 390/567] mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 392/567] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() Greg Kroah-Hartman
` (189 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sven Schnelle, Helge Deller
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@stackframe.org>
commit 1aa4524c0c1b54842c4c0a370171d11b12d0709b upstream.
In wide mode, the IASQ contain the upper part of the GVA
during interruption. This needs to be reversed before
the space is used - otherwise it contains parts of IAOQ.
See Page 2-13 "Processing Resources / Interruption Instruction
Address Queues" in the Parisc 2.0 Architecture Manual page 2-13
for an explanation.
The IAOQ/IASQ space_adjust was skipped for other interruptions
than itlb misses. However, the code in handle_interruption()
checks whether iasq[0] contains a valid space. Due to the not
masked out bits this match failed and the process was killed.
Also add space_adjust for IAOQ1/IASQ1 so ptregs contains sane values.
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Cc: stable@vger.kernel.org # v6.0+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/entry.S | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -1059,8 +1059,6 @@ ENTRY_CFI(intr_save) /* for os_hpmc */
STREG %r17, PT_IOR(%r29)
#if defined(CONFIG_64BIT)
- b,n intr_save2
-
skip_save_ior:
/* We have a itlb miss, and when executing code above 4 Gb on ILP64, we
* need to adjust iasq/iaoq here in the same way we adjusted isr/ior
@@ -1069,10 +1067,17 @@ skip_save_ior:
bb,COND(>=),n %r8,PSW_W_BIT,intr_save2
LDREG PT_IASQ0(%r29), %r16
LDREG PT_IAOQ0(%r29), %r17
- /* adjust iasq/iaoq */
+ /* adjust iasq0/iaoq0 */
space_adjust %r16,%r17,%r1
STREG %r16, PT_IASQ0(%r29)
STREG %r17, PT_IAOQ0(%r29)
+
+ LDREG PT_IASQ1(%r29), %r16
+ LDREG PT_IAOQ1(%r29), %r17
+ /* adjust iasq1/iaoq1 */
+ space_adjust %r16,%r17,%r1
+ STREG %r16, PT_IASQ1(%r29)
+ STREG %r17, PT_IAOQ1(%r29)
#else
skip_save_ior:
#endif
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 392/567] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 391/567] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 393/567] perf/x86/amd/uncore: Fix the return value of amd_uncore_df_event_init() on error Greg Kroah-Hartman
` (188 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sven Schnelle, Helge Deller
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@stackframe.org>
commit 5fb1d3ce3e74a4530042795e1e065422295f1371 upstream.
When the kernel leaves to userspace via syscall_restore_rfi(), the
W bit is not set in the new PSW. This doesn't cause any problems
because there's no 64 bit userspace for parisc. Simple static binaries
are usually loaded at addresses way below the 32 bit limit so the W bit
doesn't matter.
Fix this by setting the W bit when TIF_32BIT is not set.
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/asm-offsets.c | 2 ++
arch/parisc/kernel/entry.S | 5 ++++-
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/arch/parisc/kernel/asm-offsets.c
+++ b/arch/parisc/kernel/asm-offsets.c
@@ -258,6 +258,8 @@ int main(void)
BLANK();
DEFINE(TIF_BLOCKSTEP_PA_BIT, 31-TIF_BLOCKSTEP);
DEFINE(TIF_SINGLESTEP_PA_BIT, 31-TIF_SINGLESTEP);
+ DEFINE(TIF_32BIT_PA_BIT, 31-TIF_32BIT);
+
BLANK();
DEFINE(ASM_PMD_SHIFT, PMD_SHIFT);
DEFINE(ASM_PGDIR_SHIFT, PGDIR_SHIFT);
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -1846,6 +1846,10 @@ syscall_restore_rfi:
extru,= %r19,TIF_BLOCKSTEP_PA_BIT,1,%r0
depi -1,7,1,%r20 /* T bit */
+#ifdef CONFIG_64BIT
+ extru,<> %r19,TIF_32BIT_PA_BIT,1,%r0
+ depi -1,4,1,%r20 /* W bit */
+#endif
STREG %r20,TASK_PT_PSW(%r1)
/* Always store space registers, since sr3 can be changed (e.g. fork) */
@@ -1859,7 +1863,6 @@ syscall_restore_rfi:
STREG %r25,TASK_PT_IASQ0(%r1)
STREG %r25,TASK_PT_IASQ1(%r1)
- /* XXX W bit??? */
/* Now if old D bit is clear, it means we didn't save all registers
* on syscall entry, so do that now. This only happens on TRACEME
* calls, or if someone attached to us while we were on a syscall.
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 393/567] perf/x86/amd/uncore: Fix the return value of amd_uncore_df_event_init() on error
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 392/567] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 394/567] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION Greg Kroah-Hartman
` (187 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Sandipan Das,
Ingo Molnar, Peter Zijlstra
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sandipan Das <sandipan.das@amd.com>
commit 01439286514ce9d13b8123f8ec3717d7135ff1d6 upstream.
If amd_uncore_event_init() fails, return an error irrespective of the
pmu_version. Setting hwc->config should be safe even if there is an
error so use this opportunity to simplify the code.
Closes: https://lore.kernel.org/all/aTaI0ci3vZ44lmBn@stanley.mountain/
Fixes: d6389d3ccc13 ("perf/x86/amd/uncore: Refactor uncore management")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Sandipan Das <sandipan.das@amd.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/076935e23a70335d33bd6e23308b75ae0ad35ba2.1765268667.git.sandipan.das@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/amd/uncore.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/arch/x86/events/amd/uncore.c
+++ b/arch/x86/events/amd/uncore.c
@@ -595,14 +595,11 @@ static int amd_uncore_df_event_init(stru
struct hw_perf_event *hwc = &event->hw;
int ret = amd_uncore_event_init(event);
- if (ret || pmu_version < 2)
- return ret;
-
hwc->config = event->attr.config &
(pmu_version >= 2 ? AMD64_PERFMON_V2_RAW_EVENT_MASK_NB :
AMD64_RAW_EVENT_MASK_NB);
- return 0;
+ return ret;
}
static int amd_uncore_df_add(struct perf_event *event, int flags)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 394/567] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 393/567] perf/x86/amd/uncore: Fix the return value of amd_uncore_df_event_init() on error Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 395/567] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() Greg Kroah-Hartman
` (186 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand,
Ritesh Harjani (IBM), Christophe Leroy, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit fc6bcf9ac4de76f5e7bcd020b3c0a86faff3f2d5 upstream.
Patch series "powerpc/pseries/cmm: two smaller fixes".
Two smaller fixes identified while doing a bigger rework.
This patch (of 2):
We always have to initialize the balloon_dev_info, even when compaction is
not configured in: otherwise the containing list and the lock are left
uninitialized.
Likely not many such configs exist in practice, but let's CC stable to
be sure.
This was found by code inspection.
Link: https://lkml.kernel.org/r/20251021100606.148294-1-david@redhat.com
Link: https://lkml.kernel.org/r/20251021100606.148294-2-david@redhat.com
Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/cmm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/cmm.c
+++ b/arch/powerpc/platforms/pseries/cmm.c
@@ -550,7 +550,6 @@ static int cmm_migratepage(struct balloo
static void cmm_balloon_compaction_init(void)
{
- balloon_devinfo_init(&b_dev_info);
b_dev_info.migratepage = cmm_migratepage;
}
#else /* CONFIG_BALLOON_COMPACTION */
@@ -572,6 +571,7 @@ static int cmm_init(void)
if (!firmware_has_feature(FW_FEATURE_CMO) && !simulate)
return -EOPNOTSUPP;
+ balloon_devinfo_init(&b_dev_info);
cmm_balloon_compaction_init();
rc = register_oom_notifier(&cmm_oom_nb);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 395/567] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 394/567] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 396/567] firmware: stratix10-svc: Add mutex in stratix10 memory management Greg Kroah-Hartman
` (185 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
commit 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 upstream.
It's possible for cp_read() and hdmi_read() to return -EIO. Those
values are further used as indexes for accessing arrays.
Fix that by checking return values where it's needed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver")
Cc: stable@vger.kernel.org
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv7842.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -2689,6 +2689,7 @@ static int adv7842_cp_log_status(struct
/* CP block */
struct adv7842_state *state = to_state(sd);
struct v4l2_dv_timings timings;
+ int temp;
u8 reg_io_0x02 = io_read(sd, 0x02);
u8 reg_io_0x21 = io_read(sd, 0x21);
u8 reg_rep_0x77 = rep_read(sd, 0x77);
@@ -2811,8 +2812,9 @@ static int adv7842_cp_log_status(struct
(((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ?
"(16-235)" : "(0-255)",
(reg_io_0x02 & 0x08) ? "enabled" : "disabled");
+ temp = cp_read(sd, 0xf4) >> 4;
v4l2_info(sd, "Color space conversion: %s\n",
- csc_coeff_sel_rb[cp_read(sd, 0xf4) >> 4]);
+ temp < 0 ? "" : csc_coeff_sel_rb[temp]);
if (!is_digital_input(sd))
return 0;
@@ -2842,8 +2844,9 @@ static int adv7842_cp_log_status(struct
hdmi_read(sd, 0x5f));
v4l2_info(sd, "AV Mute: %s\n",
(hdmi_read(sd, 0x04) & 0x40) ? "on" : "off");
+ temp = hdmi_read(sd, 0x0b) >> 6;
v4l2_info(sd, "Deep color mode: %s\n",
- deep_color_mode_txt[hdmi_read(sd, 0x0b) >> 6]);
+ temp < 0 ? "" : deep_color_mode_txt[temp]);
adv7842_log_infoframes(sd);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 396/567] firmware: stratix10-svc: Add mutex in stratix10 memory management
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 395/567] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 397/567] dm-ebs: Mark full buffer dirty even on partial write Greg Kroah-Hartman
` (184 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mahesh Rao, Matthew Gerlach,
Dinh Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mahesh Rao <mahesh.rao@altera.com>
commit 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b upstream.
Add mutex lock to stratix10_svc_allocate_memory and
stratix10_svc_free_memory for thread safety. This prevents race
conditions and ensures proper synchronization during memory operations.
This is required for parallel communication with the Stratix10 service
channel.
Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
Cc: stable@vger.kernel.org
Signed-off-by: Mahesh Rao <mahesh.rao@altera.com>
Reviewed-by: Matthew Gerlach <matthew.gerlach@altera.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/stratix10-svc.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2017-2018, Intel Corporation
+ * Copyright (C) 2025, Altera Corporation
*/
#include <linux/completion.h>
@@ -176,6 +177,12 @@ static LIST_HEAD(svc_ctrl);
static LIST_HEAD(svc_data_mem);
/**
+ * svc_mem_lock protects access to the svc_data_mem list for
+ * concurrent multi-client operations
+ */
+static DEFINE_MUTEX(svc_mem_lock);
+
+/**
* svc_pa_to_va() - translate physical address to virtual address
* @addr: to be translated physical address
*
@@ -187,6 +194,7 @@ static void *svc_pa_to_va(unsigned long
struct stratix10_svc_data_mem *pmem;
pr_debug("claim back P-addr=0x%016x\n", (unsigned int)addr);
+ guard(mutex)(&svc_mem_lock);
list_for_each_entry(pmem, &svc_data_mem, node)
if (pmem->paddr == addr)
return pmem->vaddr;
@@ -996,6 +1004,7 @@ int stratix10_svc_send(struct stratix10_
p_data->flag = ct->flags;
}
} else {
+ guard(mutex)(&svc_mem_lock);
list_for_each_entry(p_mem, &svc_data_mem, node)
if (p_mem->vaddr == p_msg->payload) {
p_data->paddr = p_mem->paddr;
@@ -1078,6 +1087,7 @@ void *stratix10_svc_allocate_memory(stru
if (!pmem)
return ERR_PTR(-ENOMEM);
+ guard(mutex)(&svc_mem_lock);
va = gen_pool_alloc(genpool, s);
if (!va)
return ERR_PTR(-ENOMEM);
@@ -1106,6 +1116,7 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate
void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr)
{
struct stratix10_svc_data_mem *pmem;
+ guard(mutex)(&svc_mem_lock);
list_for_each_entry(pmem, &svc_data_mem, node)
if (pmem->vaddr == kaddr) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 397/567] dm-ebs: Mark full buffer dirty even on partial write
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 396/567] firmware: stratix10-svc: Add mutex in stratix10 memory management Greg Kroah-Hartman
@ 2026-01-06 17:02 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 398/567] dm-bufio: align write boundary on physical block size Greg Kroah-Hartman
` (183 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:02 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uladzislau Rezki (Sony),
Mikulas Patocka
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uladzislau Rezki (Sony) <urezki@gmail.com>
commit 7fa3e7d114abc9cc71cc35d768e116641074ddb4 upstream.
When performing a read-modify-write(RMW) operation, any modification
to a buffered block must cause the entire buffer to be marked dirty.
Marking only a subrange as dirty is incorrect because the underlying
device block size(ubs) defines the minimum read/write granularity. A
lower device can perform I/O only on regions which are fully aligned
and sized to ubs.
This change ensures that write-back operations always occur in full
ubs-sized chunks, matching the intended emulation semantics of the
EBS target.
As for user space visible impact, submitting sub-ubs and misaligned
I/O for devices which are tuned to ubs sizes only, will reject such
requests, therefore it can lead to losing data. Example:
1) Create a 8K nvme device in qemu by adding
-device nvme,drive=drv0,serial=foo,logical_block_size=8192,physical_block_size=8192
2) Setup dm-ebs to emulate 512B to 8K mapping
urezki@pc638:~/bin$ cat dmsetup.sh
lower=/dev/nvme0n1
len=$(blockdev --getsz "$lower")
echo "0 $len ebs $lower 0 1 16" | dmsetup create nvme-8k
urezki@pc638:~/bin$
offset 0, ebs=1 and ubs=16(in sectors).
3) Create an ext4 filesystem(default 4K block size)
urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 2072576 4k blocks and 518144 inodes
Filesystem UUID: bd0b6ca6-0506-4e31-86da-8d22c9d50b63
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: mkfs.ext4: Input/output error while writing out and closing file system
urezki@pc638:~/bin$ dmesg
<snip>
[ 1618.875449] buffer_io_error: 1028 callbacks suppressed
[ 1618.875456] Buffer I/O error on dev dm-0, logical block 0, lost async page write
[ 1618.875527] Buffer I/O error on dev dm-0, logical block 1, lost async page write
[ 1618.875602] Buffer I/O error on dev dm-0, logical block 2, lost async page write
[ 1618.875620] Buffer I/O error on dev dm-0, logical block 3, lost async page write
[ 1618.875639] Buffer I/O error on dev dm-0, logical block 4, lost async page write
[ 1618.894316] Buffer I/O error on dev dm-0, logical block 5, lost async page write
[ 1618.894358] Buffer I/O error on dev dm-0, logical block 6, lost async page write
[ 1618.894380] Buffer I/O error on dev dm-0, logical block 7, lost async page write
[ 1618.894405] Buffer I/O error on dev dm-0, logical block 8, lost async page write
[ 1618.894427] Buffer I/O error on dev dm-0, logical block 9, lost async page write
<snip>
Many I/O errors because the lower 8K device rejects sub-ubs/misaligned
requests.
with a patch:
urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 2072576 4k blocks and 518144 inodes
Filesystem UUID: 9b54f44f-ef55-4bd4-9e40-c8b775a616ac
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
urezki@pc638:~/bin$ sudo mount /dev/dm-0 /mnt/
urezki@pc638:~/bin$ ls -al /mnt/
total 24
drwxr-xr-x 3 root root 4096 Oct 17 15:13 .
drwxr-xr-x 19 root root 4096 Jul 10 19:42 ..
drwx------ 2 root root 16384 Oct 17 15:13 lost+found
urezki@pc638:~/bin$
After this change: mkfs completes; mount succeeds.
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ebs-target.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/md/dm-ebs-target.c
+++ b/drivers/md/dm-ebs-target.c
@@ -103,7 +103,7 @@ static int __ebs_rw_bvec(struct ebs_c *e
} else {
flush_dcache_page(bv->bv_page);
memcpy(ba, pa, cur_len);
- dm_bufio_mark_partial_buffer_dirty(b, buf_off, buf_off + cur_len);
+ dm_bufio_mark_buffer_dirty(b);
}
dm_bufio_release(b);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 398/567] dm-bufio: align write boundary on physical block size
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2026-01-06 17:02 ` [PATCH 6.12 397/567] dm-ebs: Mark full buffer dirty even on partial write Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 399/567] fbdev: gbefb: fix to use physical address instead of dma address Greg Kroah-Hartman
` (182 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikulas Patocka,
Uladzislau Rezki (Sony)
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit d0ac06ae53be0cdb61f5fe6b62d25d3317c51657 upstream.
There may be devices with physical block size larger than 4k.
If dm-bufio sends I/O that is not aligned on physical block size,
performance is degraded.
The 4k minimum alignment limit is there because some SSDs report logical
and physical block size 512 despite having 4k internally - so dm-bufio
shouldn't send I/Os not aligned on 4k boundary, because they perform
badly (the SSD does read-modify-write for them).
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-bufio.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -1375,7 +1375,7 @@ static void submit_io(struct dm_buffer *
{
unsigned int n_sectors;
sector_t sector;
- unsigned int offset, end;
+ unsigned int offset, end, align;
b->end_io = end_io;
@@ -1389,9 +1389,11 @@ static void submit_io(struct dm_buffer *
b->c->write_callback(b);
offset = b->write_start;
end = b->write_end;
- offset &= -DM_BUFIO_WRITE_ALIGN;
- end += DM_BUFIO_WRITE_ALIGN - 1;
- end &= -DM_BUFIO_WRITE_ALIGN;
+ align = max(DM_BUFIO_WRITE_ALIGN,
+ bdev_physical_block_size(b->c->bdev));
+ offset &= -align;
+ end += align - 1;
+ end &= -align;
if (unlikely(end > b->c->block_size))
end = b->c->block_size;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 399/567] fbdev: gbefb: fix to use physical address instead of dma address
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 398/567] dm-bufio: align write boundary on physical block size Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 400/567] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing Greg Kroah-Hartman
` (181 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, Helge Deller
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rene Rebe <rene@exactco.de>
commit e3f44742bbb10537fe53d83d20dea2a7c167674d upstream.
While debuggigng why X would not start on mips64 Sgi/O2 I found the
phys adress being off. Turns out the gbefb passed the internal
dma_addr as phys. May be broken pre git history. Fix by converting
dma_to_phys.
Signed-off-by: René Rebe <rene@exactco.de>
Cc: <stable@vger.kernel.org> # v4.0+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/gbefb.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/video/fbdev/gbefb.c
+++ b/drivers/video/fbdev/gbefb.c
@@ -12,6 +12,7 @@
#include <linux/delay.h>
#include <linux/platform_device.h>
#include <linux/dma-mapping.h>
+#include <linux/dma-direct.h>
#include <linux/errno.h>
#include <linux/gfp.h>
#include <linux/fb.h>
@@ -65,7 +66,7 @@ struct gbefb_par {
static unsigned int gbe_mem_size = CONFIG_FB_GBE_MEM * 1024*1024;
static void *gbe_mem;
static dma_addr_t gbe_dma_addr;
-static unsigned long gbe_mem_phys;
+static phys_addr_t gbe_mem_phys;
static struct {
uint16_t *cpu;
@@ -1183,7 +1184,7 @@ static int gbefb_probe(struct platform_d
goto out_release_mem_region;
}
- gbe_mem_phys = (unsigned long) gbe_dma_addr;
+ gbe_mem_phys = dma_to_phys(&p_dev->dev, gbe_dma_addr);
}
par = info->par;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 400/567] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 399/567] fbdev: gbefb: fix to use physical address instead of dma address Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 401/567] fbdev: tcx.c fix mem_map to correct smem_start offset Greg Kroah-Hartman
` (180 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Helge Deller
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 0155e868cbc111846cc2809c1546ea53810a56ae upstream.
The variables were never clamped because the return value of clamp_val()
was not used. Fix this by assigning the clamped values, and use clamp()
instead of clamp_val().
Cc: stable@vger.kernel.org
Fixes: 3f16ff608a75 ("[ARM] pxafb: cleanup of the timing checking code")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/pxafb.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/video/fbdev/pxafb.c
+++ b/drivers/video/fbdev/pxafb.c
@@ -418,12 +418,12 @@ static int pxafb_adjust_timing(struct px
var->yres = max_t(int, var->yres, MIN_YRES);
if (!(fbi->lccr0 & LCCR0_LCDT)) {
- clamp_val(var->hsync_len, 1, 64);
- clamp_val(var->vsync_len, 1, 64);
- clamp_val(var->left_margin, 1, 255);
- clamp_val(var->right_margin, 1, 255);
- clamp_val(var->upper_margin, 1, 255);
- clamp_val(var->lower_margin, 1, 255);
+ var->hsync_len = clamp(var->hsync_len, 1, 64);
+ var->vsync_len = clamp(var->vsync_len, 1, 64);
+ var->left_margin = clamp(var->left_margin, 1, 255);
+ var->right_margin = clamp(var->right_margin, 1, 255);
+ var->upper_margin = clamp(var->upper_margin, 1, 255);
+ var->lower_margin = clamp(var->lower_margin, 1, 255);
}
/* make sure each line is aligned on word boundary */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 401/567] fbdev: tcx.c fix mem_map to correct smem_start offset
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 400/567] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 402/567] media: cec: Fix debugfs leak on bus_register() failure Greg Kroah-Hartman
` (179 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, Helge Deller
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
commit 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e upstream.
403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") changed the
physbase initializing breaking the user-space mmap, e.g. for Xorg
entirely.
Fix fbdev mmap table so the sbus mmap helper work correctly, and
not try to map vastly (physbase) offset memory.
Fixes: 403ae52ac047 ("sparc: fix drivers/video/tcx.c warning")
Cc: <stable@vger.kernel.org>
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/tcx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/tcx.c
+++ b/drivers/video/fbdev/tcx.c
@@ -428,7 +428,7 @@ static int tcx_probe(struct platform_dev
j = i;
break;
}
- par->mmap_map[i].poff = op->resource[j].start;
+ par->mmap_map[i].poff = op->resource[j].start - info->fix.smem_start;
}
info->fbops = &tcx_ops;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 402/567] media: cec: Fix debugfs leak on bus_register() failure
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 401/567] fbdev: tcx.c fix mem_map to correct smem_start offset Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 403/567] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() Greg Kroah-Hartman
` (178 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
commit c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb upstream.
In cec_devnode_init(), the debugfs directory created with
debugfs_create_dir() is not removed if bus_register() fails.
This leaves a stale "cec" entry in debugfs and prevents
proper module reloading.
Fix this by removing the debugfs directory in the error path.
Fixes: a56960e8b406 ("[media] cec: add HDMI CEC framework (core)")
Cc: stable@vger.kernel.org
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/cec/core/cec-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/cec/core/cec-core.c
+++ b/drivers/media/cec/core/cec-core.c
@@ -420,6 +420,7 @@ static int __init cec_devnode_init(void)
ret = bus_register(&cec_bus_type);
if (ret < 0) {
+ debugfs_remove_recursive(top_cec_dir);
unregister_chrdev_region(cec_dev_t, CEC_NUM_DEVICES);
pr_warn("cec: bus_register failed\n");
return -EIO;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 403/567] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 402/567] media: cec: Fix debugfs leak on bus_register() failure Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 404/567] media: platform: mtk-mdp3: fix device leaks at probe Greg Kroah-Hartman
` (177 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
commit d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 upstream.
It's possible for max1 to remain -1 if msp_read() always fail. This
variable is further used as index for accessing arrays.
Fix that by checking max1 prior to array accesses.
It seems that restart is the preferable action in case of out-of-bounds
value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)")
Cc: stable@vger.kernel.org
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/msp3400-kthreads.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/i2c/msp3400-kthreads.c
+++ b/drivers/media/i2c/msp3400-kthreads.c
@@ -596,6 +596,8 @@ restart:
"carrier2 val: %5d / %s\n", val, cd[i].name);
}
+ if (max1 < 0 || max1 > 3)
+ goto restart;
/* program the msp3400 according to the results */
state->main = msp3400c_carrier_detect_main[max1].cdo;
switch (max1) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 404/567] media: platform: mtk-mdp3: fix device leaks at probe
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 403/567] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 405/567] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled Greg Kroah-Hartman
` (176 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moudy Ho, Johan Hovold,
AngeloGioacchino Del Regno, Nicolas Dufresne, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 8f6f3aa21517ef34d50808af0c572e69580dca20 upstream.
Make sure to drop the references taken when looking up the subsys
devices during probe on probe failure (e.g. probe deferral) and on
driver unbind.
Similarly, drop the SCP device reference after retrieving its platform
data during probe to avoid leaking it.
Note that holding a reference to a device does not prevent its driver
data from going away.
Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver")
Cc: stable@vger.kernel.org # 6.1
Cc: Moudy Ho <moudy.ho@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c
+++ b/drivers/media/platform/mediatek/mdp3/mtk-mdp3-core.c
@@ -176,10 +176,18 @@ void mdp_video_device_release(struct vid
kfree(mdp);
}
+static void mdp_put_device(void *_dev)
+{
+ struct device *dev = _dev;
+
+ put_device(dev);
+}
+
static int mdp_mm_subsys_deploy(struct mdp_dev *mdp, enum mdp_infra_id id)
{
struct platform_device *mm_pdev = NULL;
struct device **dev;
+ int ret;
int i;
if (!mdp)
@@ -213,6 +221,11 @@ static int mdp_mm_subsys_deploy(struct m
if (WARN_ON(!mm_pdev))
return -ENODEV;
+ ret = devm_add_action_or_reset(&mdp->pdev->dev, mdp_put_device,
+ &mm_pdev->dev);
+ if (ret)
+ return ret;
+
*dev = &mm_pdev->dev;
}
@@ -298,6 +311,7 @@ static int mdp_probe(struct platform_dev
goto err_destroy_clock_wq;
}
mdp->scp = platform_get_drvdata(mm_pdev);
+ put_device(&mm_pdev->dev);
}
mdp->rproc_handle = scp_get_rproc(mdp->scp);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 405/567] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 404/567] media: platform: mtk-mdp3: fix device leaks at probe Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 406/567] media: samsung: exynos4-is: fix potential ABBA deadlock on init Greg Kroah-Hartman
` (175 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Geert Uytterhoeven,
Fabrizio Castro, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 445e1658894fd74eab7e53071fa16233887574ed upstream.
The function calls of_parse_phandle() which returns
a device node with an incremented reference count. When the bonded device
is not available, the function
returns NULL without releasing the reference, causing a reference leak.
Add of_node_put(np) to release the device node reference.
The of_node_put function handles NULL pointers.
Found through static analysis by reviewing the doc of of_parse_phandle()
and cross-checking its usage patterns across the codebase.
Fixes: 7625ee981af1 ("[media] media: platform: rcar_drif: Add DRIF support")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/renesas/rcar_drif.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/renesas/rcar_drif.c
+++ b/drivers/media/platform/renesas/rcar_drif.c
@@ -1249,6 +1249,7 @@ static struct device_node *rcar_drif_bon
if (np && of_device_is_available(np))
return np;
+ of_node_put(np);
return NULL;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 406/567] media: samsung: exynos4-is: fix potential ABBA deadlock on init
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 405/567] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 407/567] media: TDA1997x: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
` (174 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Sylwester Nawrocki,
Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
commit 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b upstream.
v4l2_device_register_subdev_nodes() must called without taking
media_dev->graph_mutex to avoid potential AB-BA deadlock on further
subdevice driver initialization.
Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration")
Cc: stable@vger.kernel.org
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/samsung/exynos4-is/media-dev.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/media/platform/samsung/exynos4-is/media-dev.c
+++ b/drivers/media/platform/samsung/exynos4-is/media-dev.c
@@ -1410,12 +1410,14 @@ static int subdev_notifier_complete(stru
mutex_lock(&fmd->media_dev.graph_mutex);
ret = fimc_md_create_links(fmd);
- if (ret < 0)
- goto unlock;
+ if (ret < 0) {
+ mutex_unlock(&fmd->media_dev.graph_mutex);
+ return ret;
+ }
- ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
-unlock:
mutex_unlock(&fmd->media_dev.graph_mutex);
+
+ ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 407/567] media: TDA1997x: Remove redundant cancel_delayed_work in probe
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 406/567] media: samsung: exynos4-is: fix potential ABBA deadlock on init Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 408/567] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index Greg Kroah-Hartman
` (173 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 29de195ca39fc2ac0af6fd45522994df9f431f80 upstream.
The delayed_work delayed_work_enable_hpd is initialized with
INIT_DELAYED_WORK(), but it is never scheduled in tda1997x_probe().
Calling cancel_delayed_work() on a work that has never been
scheduled is redundant and unnecessary, as there is no pending
work to cancel.
Remove the redundant cancel_delayed_work() from error handling
path in tda1997x_probe() to avoid potential confusion.
Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/tda1997x.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/media/i2c/tda1997x.c
+++ b/drivers/media/i2c/tda1997x.c
@@ -2798,7 +2798,6 @@ err_free_media:
err_free_handler:
v4l2_ctrl_handler_free(&state->hdl);
err_free_mutex:
- cancel_delayed_work(&state->delayed_work_enable_hpd);
mutex_destroy(&state->page_lock);
mutex_destroy(&state->lock);
tda1997x_set_power(state, 0);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 408/567] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 407/567] media: TDA1997x: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 409/567] media: videobuf2: Fix device reference leak in vb2_dc_alloc error path Greg Kroah-Hartman
` (172 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Gaignard, Nicolas Dufresne,
Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
commit 47825b1646a6a9eca0f90baa3d4f98947c2add96 upstream.
Fix the Hantro G2 HEVC decoder so that we use DPB index 0 whenever a
ninvalid index is received from user space. This protects the hardware
from doing faulty memory access which then leads to bus errors.
To be noted that when a reference is missing, userspace such as GStreamer
passes an invalid DPB index of 255. This issue was found by seeking to a
CRA picture using GStreamer. The framework is currently missing the code
to skip over RASL pictures placed after the CRA. This situation can also
occur while doing live streaming over lossy transport.
Fixes: cb5dd5a0fa518 ("media: hantro: Introduce G2/HEVC decoder")
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
+++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
@@ -283,6 +283,15 @@ static void set_params(struct hantro_ctx
hantro_reg_write(vpu, &g2_apf_threshold, 8);
}
+static u32 get_dpb_index(const struct v4l2_ctrl_hevc_decode_params *decode_params,
+ const u32 index)
+{
+ if (index > decode_params->num_active_dpb_entries)
+ return 0;
+
+ return index;
+}
+
static void set_ref_pic_list(struct hantro_ctx *ctx)
{
const struct hantro_hevc_dec_ctrls *ctrls = &ctx->hevc_dec.ctrls;
@@ -355,8 +364,10 @@ static void set_ref_pic_list(struct hant
list1[j++] = list1[i++];
for (i = 0; i < V4L2_HEVC_DPB_ENTRIES_NUM_MAX; i++) {
- hantro_reg_write(vpu, &ref_pic_regs0[i], list0[i]);
- hantro_reg_write(vpu, &ref_pic_regs1[i], list1[i]);
+ hantro_reg_write(vpu, &ref_pic_regs0[i],
+ get_dpb_index(decode_params, list0[i]));
+ hantro_reg_write(vpu, &ref_pic_regs1[i],
+ get_dpb_index(decode_params, list1[i]));
}
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 409/567] media: videobuf2: Fix device reference leak in vb2_dc_alloc error path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 408/567] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 410/567] media: vpif_capture: fix section mismatch Greg Kroah-Hartman
` (171 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Marek Szyprowski,
Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
commit 94de23a9aa487d7c1372efb161721d7949a177ae upstream.
In vb2_dc_alloc(), get_device() is called to increment the device
reference count. However, if subsequent DMA allocation fails
(vb2_dc_alloc_coherent or vb2_dc_alloc_non_coherent returns error),
the function returns without calling put_device(), causing a device
reference leak.
Add put_device() call in the error path before kfree() to properly
release the device reference acquired earlier.
Fixes: de27891f675e ("media: videobuf2: handle non-contiguous DMA allocations")
Cc: stable@vger.kernel.org
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/common/videobuf2/videobuf2-dma-contig.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c
+++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
@@ -258,6 +258,7 @@ static void *vb2_dc_alloc(struct vb2_buf
if (ret) {
dev_err(dev, "dma alloc of size %lu failed\n", size);
+ put_device(buf->dev);
kfree(buf);
return ERR_PTR(-ENOMEM);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 410/567] media: vpif_capture: fix section mismatch
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 409/567] media: videobuf2: Fix device reference leak in vb2_dc_alloc error path Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 411/567] media: vpif_display: " Greg Kroah-Hartman
` (170 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 0ef841113724166c3c484d0e9ae6db1eb5634fde upstream.
Platform drivers can be probed after their init sections have been
discarded (e.g. on probe deferral or manual rebind through sysfs) so the
probe function must not live in init.
Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section
mismatch warning") incorrectly suppressed the modpost warning.
Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning")
Fixes: 6ffefff5a9e7 ("V4L/DVB (12906c): V4L : vpif capture driver for DM6467")
Cc: stable@vger.kernel.org # 2.6.32
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/ti/davinci/vpif_capture.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/ti/davinci/vpif_capture.c
+++ b/drivers/media/platform/ti/davinci/vpif_capture.c
@@ -1602,7 +1602,7 @@ err_cleanup:
* This creates device entries by register itself to the V4L2 driver and
* initializes fields of each channel objects
*/
-static __init int vpif_probe(struct platform_device *pdev)
+static int vpif_probe(struct platform_device *pdev)
{
struct vpif_subdev_info *subdevdata;
struct i2c_adapter *i2c_adap;
@@ -1809,7 +1809,7 @@ static int vpif_resume(struct device *de
static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume);
-static __refdata struct platform_driver vpif_driver = {
+static struct platform_driver vpif_driver = {
.driver = {
.name = VPIF_DRIVER_NAME,
.pm = &vpif_pm_ops,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 411/567] media: vpif_display: fix section mismatch
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 410/567] media: vpif_capture: fix section mismatch Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 412/567] media: amphion: Cancel message work before releasing the VPU core Greg Kroah-Hartman
` (169 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 59ca64bf98e4209df8ace8057d31ae3c80f948cd upstream.
Platform drivers can be probed after their init sections have been
discarded (e.g. on probe deferral or manual rebind through sysfs) so the
probe function must not live in init.
Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section
mismatch warning") incorrectly suppressed the modpost warning.
Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning")
Fixes: e7332e3a552f ("V4L/DVB (12176): davinci/vpif_display: Add VPIF display driver")
Cc: stable@vger.kernel.org # 2.6.32
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/ti/davinci/vpif_display.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/ti/davinci/vpif_display.c
+++ b/drivers/media/platform/ti/davinci/vpif_display.c
@@ -1216,7 +1216,7 @@ probe_out:
* vpif_probe: This function creates device entries by register itself to the
* V4L2 driver and initializes fields of each channel objects
*/
-static __init int vpif_probe(struct platform_device *pdev)
+static int vpif_probe(struct platform_device *pdev)
{
struct vpif_subdev_info *subdevdata;
struct i2c_adapter *i2c_adap;
@@ -1392,7 +1392,7 @@ static int vpif_resume(struct device *de
static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume);
-static __refdata struct platform_driver vpif_driver = {
+static struct platform_driver vpif_driver = {
.driver = {
.name = VPIF_DRIVER_NAME,
.pm = &vpif_pm_ops,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 412/567] media: amphion: Cancel message work before releasing the VPU core
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 411/567] media: vpif_display: " Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 413/567] media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
` (168 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Nicolas Dufresne,
Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
commit ae246b0032146e352c4c06a7bf03cd3d5bcb2ecd upstream.
To avoid accessing the VPU register after release of the VPU core,
cancel the message work and destroy the workqueue that handles the
VPU message before release of the VPU core.
Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
Cc: stable@vger.kernel.org
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/amphion/vpu_v4l2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/amphion/vpu_v4l2.c
+++ b/drivers/media/platform/amphion/vpu_v4l2.c
@@ -698,15 +698,15 @@ static int vpu_v4l2_release(struct vpu_i
{
vpu_trace(inst->vpu->dev, "%p\n", inst);
- vpu_release_core(inst->core);
- put_device(inst->dev);
-
if (inst->workqueue) {
cancel_work_sync(&inst->msg_work);
destroy_workqueue(inst->workqueue);
inst->workqueue = NULL;
}
+ vpu_release_core(inst->core);
+ put_device(inst->dev);
+
v4l2_ctrl_handler_free(&inst->ctrl_handler);
mutex_destroy(&inst->lock);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 413/567] media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 412/567] media: amphion: Cancel message work before releasing the VPU core Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 414/567] media: i2c: adv7842: " Greg Kroah-Hartman
` (167 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 8f34f24355a607b98ecd9924837aab13c676eeca upstream.
The delayed_work delayed_work_enable_hotplug is initialized with
INIT_DELAYED_WORK() in adv76xx_probe(), but it is never scheduled
anywhere in the probe function.
Calling cancel_delayed_work() on a work that has never been
scheduled is redundant and unnecessary, as there is no pending
work to cancel.
Remove the redundant cancel_delayed_work() from error handling
path and adjust the goto label accordingly to simplify the code
and avoid potential confusion.
Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv7604.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -3620,7 +3620,7 @@ static int adv76xx_probe(struct i2c_clie
err = media_entity_pads_init(&sd->entity, state->source_pad + 1,
state->pads);
if (err)
- goto err_work_queues;
+ goto err_i2c;
/* Configure regmaps */
err = configure_regmaps(state);
@@ -3661,8 +3661,6 @@ static int adv76xx_probe(struct i2c_clie
err_entity:
media_entity_cleanup(&sd->entity);
-err_work_queues:
- cancel_delayed_work(&state->delayed_work_enable_hotplug);
err_i2c:
adv76xx_unregister_clients(state);
err_hdl:
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 414/567] media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 413/567] media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 415/567] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() Greg Kroah-Hartman
` (166 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit e66a5cc606c58e72f18f9cdd868a3672e918f9f8 upstream.
The delayed_work delayed_work_enable_hotplug is initialized with
INIT_DELAYED_WORK() in adv7842_probe(), but it is never scheduled
anywhere in the probe function.
Calling cancel_delayed_work() on a work that has never been
scheduled is redundant and unnecessary, as there is no pending
work to cancel.
Remove the redundant cancel_delayed_work() from error handling
path and adjust the goto label accordingly to simplify the code
and avoid potential confusion.
Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv7842.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -3573,7 +3573,7 @@ static int adv7842_probe(struct i2c_clie
err = media_entity_pads_init(&sd->entity, ADV7842_PAD_SOURCE + 1,
state->pads);
if (err)
- goto err_work_queues;
+ goto err_i2c;
err = adv7842_core_init(sd);
if (err)
@@ -3594,8 +3594,6 @@ static int adv7842_probe(struct i2c_clie
err_entity:
media_entity_cleanup(&sd->entity);
-err_work_queues:
- cancel_delayed_work(&state->delayed_work_enable_hotplug);
err_i2c:
adv7842_unregister_clients(sd);
err_hdl:
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 415/567] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 414/567] media: i2c: adv7842: " Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 416/567] LoongArch: Add new PCI ID for pci_fixup_vgadev() Greg Kroah-Hartman
` (165 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li,
AngeloGioacchino Del Regno, Tzung-Bi Shih, Nicolas Dufresne,
Hans Verkuil
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit cdd0f118ef87db8a664fb5ea366fd1766d2df1cd upstream.
vpu_get_plat_device() increases the reference count of the returned
platform device. However, when devm_kzalloc() fails, the reference
is not released, causing a reference leak.
Fix this by calling put_device() on fw_pdev->dev before returning
on the error path.
Fixes: e25a89f743b1 ("media: mtk-vcodec: potential dereference of null pointer")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c
+++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c
@@ -117,8 +117,10 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_
vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_enc_handler, priv, rst_id);
fw = devm_kzalloc(&plat_dev->dev, sizeof(*fw), GFP_KERNEL);
- if (!fw)
+ if (!fw) {
+ put_device(&fw_pdev->dev);
return ERR_PTR(-ENOMEM);
+ }
fw->type = VPU;
fw->ops = &mtk_vcodec_vpu_msg;
fw->pdev = fw_pdev;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 416/567] LoongArch: Add new PCI ID for pci_fixup_vgadev()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 415/567] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 417/567] LoongArch: Correct the calculation logic of thread_count Greg Kroah-Hartman
` (164 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tianrui Zhao, Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit bf3fa8f232a1eec8d7b88dcd9e925e60f04f018d upstream.
Loongson-2K3000 has a new PCI ID (0x7a46) for its display controller,
Add it for pci_fixup_vgadev() since we prefer a discrete graphics card
as default boot device if present.
Cc: stable@vger.kernel.org
Signed-off-by: Tianrui Zhao <zhaotianrui@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/pci/pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/loongarch/pci/pci.c
+++ b/arch/loongarch/pci/pci.c
@@ -15,6 +15,7 @@
#define PCI_DEVICE_ID_LOONGSON_HOST 0x7a00
#define PCI_DEVICE_ID_LOONGSON_DC1 0x7a06
#define PCI_DEVICE_ID_LOONGSON_DC2 0x7a36
+#define PCI_DEVICE_ID_LOONGSON_DC3 0x7a46
int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
int reg, int len, u32 *val)
@@ -98,3 +99,4 @@ static void pci_fixup_vgadev(struct pci_
}
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC1, pci_fixup_vgadev);
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC2, pci_fixup_vgadev);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC3, pci_fixup_vgadev);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 417/567] LoongArch: Correct the calculation logic of thread_count
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 416/567] LoongArch: Add new PCI ID for pci_fixup_vgadev() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 418/567] LoongArch: Fix build errors for CONFIG_RANDSTRUCT Greg Kroah-Hartman
` (163 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qiang Ma, Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Ma <maqianga@uniontech.com>
commit 1de0ae21f136efa6c5d8a4d3e07b7d1ca39c750f upstream.
For thread_count, the current calculation method has a maximum of 255,
which may not be sufficient in the future. Therefore, we are correcting
it now.
Reference: SMBIOS Specification, 7.5 Processor Information (Type 4)[1]
[1]: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.9.0.pdf
Cc: stable@vger.kernel.org
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/setup.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/arch/loongarch/kernel/setup.c
+++ b/arch/loongarch/kernel/setup.c
@@ -56,6 +56,7 @@
#define SMBIOS_FREQLOW_MASK 0xFF
#define SMBIOS_CORE_PACKAGE_OFFSET 0x23
#define SMBIOS_THREAD_PACKAGE_OFFSET 0x25
+#define SMBIOS_THREAD_PACKAGE_2_OFFSET 0x2E
#define LOONGSON_EFI_ENABLE (1 << 3)
unsigned long fw_arg0, fw_arg1, fw_arg2;
@@ -126,7 +127,12 @@ static void __init parse_cpu_table(const
cpu_clock_freq = freq_temp * 1000000;
loongson_sysconf.cpuname = (void *)dmi_string_parse(dm, dmi_data[16]);
- loongson_sysconf.cores_per_package = *(dmi_data + SMBIOS_THREAD_PACKAGE_OFFSET);
+ loongson_sysconf.cores_per_package = *(u8 *)(dmi_data + SMBIOS_THREAD_PACKAGE_OFFSET);
+ if (dm->length >= 0x30 && loongson_sysconf.cores_per_package == 0xff) {
+ /* SMBIOS 3.0+ has ThreadCount2 for more than 255 threads */
+ loongson_sysconf.cores_per_package =
+ *(u16 *)(dmi_data + SMBIOS_THREAD_PACKAGE_2_OFFSET);
+ }
pr_info("CpuClock = %llu\n", cpu_clock_freq);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 418/567] LoongArch: Fix build errors for CONFIG_RANDSTRUCT
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 417/567] LoongArch: Correct the calculation logic of thread_count Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 419/567] LoongArch: Use __pmd()/__pte() for swap entry conversions Greg Kroah-Hartman
` (162 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Rui Wang,
Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 3c250aecef62da81deb38ac6738ac0a88d91f1fc upstream.
When CONFIG_RANDSTRUCT enabled, members of task_struct are randomized.
There is a chance that TASK_STACK_CANARY be out of 12bit immediate's
range and causes build errors. TASK_STACK_CANARY is naturally aligned,
so fix it by replacing ld.d/st.d with ldptr.d/stptr.d which have 14bit
immediates.
Cc: stable@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202511240656.0NaPcJs1-lkp@intel.com/
Suggested-by: Rui Wang <wangrui@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/switch.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/loongarch/kernel/switch.S
+++ b/arch/loongarch/kernel/switch.S
@@ -25,8 +25,8 @@ SYM_FUNC_START(__switch_to)
stptr.d a4, a0, THREAD_SCHED_CFA
#if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_SMP)
la t7, __stack_chk_guard
- LONG_L t8, a1, TASK_STACK_CANARY
- LONG_S t8, t7, 0
+ ldptr.d t8, a1, TASK_STACK_CANARY
+ stptr.d t8, t7, 0
#endif
move tp, a2
cpu_restore_nonscratch a1
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 419/567] LoongArch: Use __pmd()/__pte() for swap entry conversions
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 418/567] LoongArch: Fix build errors for CONFIG_RANDSTRUCT Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 420/567] LoongArch: Use unsigned long for _end and _text Greg Kroah-Hartman
` (161 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuli Wang, Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyl5933@chinaunicom.cn>
commit 4a71df151e703b5e7e85b33369cee59ef2665e61 upstream.
The __pmd() and __pte() helper macros provide the correct initialization
syntax and abstraction for the pmd_t and pte_t types.
Use __pmd() to fix follow warning about __swp_entry_to_pmd() with gcc-15
under specific configs [1] :
In file included from ./include/linux/pgtable.h:6,
from ./include/linux/mm.h:31,
from ./include/linux/pagemap.h:8,
from arch/loongarch/mm/init.c:14:
./include/linux/swapops.h: In function ‘swp_entry_to_pmd’:
./arch/loongarch/include/asm/pgtable.h:302:34: error: missing braces around initializer [-Werror=missing-braces]
302 | #define __swp_entry_to_pmd(x) ((pmd_t) { (x).val | _PAGE_HUGE })
| ^
./include/linux/swapops.h:559:16: note: in expansion of macro ‘__swp_entry_to_pmd’
559 | return __swp_entry_to_pmd(arch_entry);
| ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Also update __swp_entry_to_pte() to use __pte() for consistency.
[1]. https://download.01.org/0day-ci/archive/20251119/202511190316.luI90kAo-lkp@intel.com/config
Cc: stable@vger.kernel.org
Signed-off-by: Yuli Wang <wangyl5933@chinaunicom.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/include/asm/pgtable.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/loongarch/include/asm/pgtable.h
+++ b/arch/loongarch/include/asm/pgtable.h
@@ -295,9 +295,9 @@ static inline pte_t mk_swap_pte(unsigned
#define __swp_offset(x) ((x).val >> 24)
#define __swp_entry(type, offset) ((swp_entry_t) { pte_val(mk_swap_pte((type), (offset))) })
#define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val(pte) })
-#define __swp_entry_to_pte(x) ((pte_t) { (x).val })
+#define __swp_entry_to_pte(x) __pte((x).val)
#define __pmd_to_swp_entry(pmd) ((swp_entry_t) { pmd_val(pmd) })
-#define __swp_entry_to_pmd(x) ((pmd_t) { (x).val | _PAGE_HUGE })
+#define __swp_entry_to_pmd(x) __pmd((x).val | _PAGE_HUGE)
static inline int pte_swp_exclusive(pte_t pte)
{
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 420/567] LoongArch: Use unsigned long for _end and _text
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 419/567] LoongArch: Use __pmd()/__pte() for swap entry conversions Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 421/567] mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets() Greg Kroah-Hartman
` (160 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tiezhu Yang, Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tiezhu Yang <yangtiezhu@loongson.cn>
commit a258a3cb1895e3acf5f2fe245d17426e894bc935 upstream.
It is better to use unsigned long rather than long for _end and _text to
calculate the kernel length.
Cc: stable@vger.kernel.org # v6.3+
Fixes: e5f02b51fa0c ("LoongArch: Add support for kernel address space layout randomization (KASLR)")
Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/relocate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/loongarch/kernel/relocate.c
+++ b/arch/loongarch/kernel/relocate.c
@@ -183,7 +183,7 @@ static inline void __init *determine_rel
if (kaslr_disabled())
return destination;
- kernel_length = (long)_end - (long)_text;
+ kernel_length = (unsigned long)_end - (unsigned long)_text;
random_offset = get_random_boot() << 16;
random_offset &= (CONFIG_RANDOMIZE_BASE_MAX_OFFSET - 1);
@@ -232,7 +232,7 @@ unsigned long __init relocate_kernel(voi
early_memunmap(cmdline, COMMAND_LINE_SIZE);
if (random_offset) {
- kernel_length = (long)(_end) - (long)(_text);
+ kernel_length = (unsigned long)(_end) - (unsigned long)(_text);
/* Copy the kernel to it's new location */
memcpy(location_new, _text, kernel_length);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 421/567] mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 420/567] LoongArch: Use unsigned long for _end and _text Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 422/567] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Greg Kroah-Hartman
` (159 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 7d808bf13943f4c6a6142400bffe14267f6dc997 upstream.
damon_sysfs_test_add_targets() is assuming all dynamic memory allocation
in it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-21-sj@kernel.org
Fixes: b8ee5575f763 ("mm/damon/sysfs-test: add a unit test for damon_sysfs_set_targets()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.7+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/sysfs-kunit.h | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/mm/damon/tests/sysfs-kunit.h b/mm/damon/tests/sysfs-kunit.h
index 7b5c7b307da9..ce7218469f20 100644
--- a/mm/damon/tests/sysfs-kunit.h
+++ b/mm/damon/tests/sysfs-kunit.h
@@ -45,16 +45,41 @@ static void damon_sysfs_test_add_targets(struct kunit *test)
struct damon_ctx *ctx;
sysfs_targets = damon_sysfs_targets_alloc();
+ if (!sysfs_targets)
+ kunit_skip(test, "sysfs_targets alloc fail");
sysfs_targets->nr = 1;
sysfs_targets->targets_arr = kmalloc_array(1,
sizeof(*sysfs_targets->targets_arr), GFP_KERNEL);
+ if (!sysfs_targets->targets_arr) {
+ kfree(sysfs_targets);
+ kunit_skip(test, "targets_arr alloc fail");
+ }
sysfs_target = damon_sysfs_target_alloc();
+ if (!sysfs_target) {
+ kfree(sysfs_targets->targets_arr);
+ kfree(sysfs_targets);
+ kunit_skip(test, "sysfs_target alloc fail");
+ }
sysfs_target->pid = __damon_sysfs_test_get_any_pid(12, 100);
sysfs_target->regions = damon_sysfs_regions_alloc();
+ if (!sysfs_target->regions) {
+ kfree(sysfs_targets->targets_arr);
+ kfree(sysfs_targets);
+ kfree(sysfs_target);
+ kunit_skip(test, "sysfs_regions alloc fail");
+ }
+
sysfs_targets->targets_arr[0] = sysfs_target;
ctx = damon_new_ctx();
+ if (!ctx) {
+ kfree(sysfs_targets->targets_arr);
+ kfree(sysfs_targets);
+ kfree(sysfs_target);
+ kfree(sysfs_target->regions);
+ kunit_skip(test, "ctx alloc fail");
+ }
damon_sysfs_add_targets(ctx, sysfs_targets);
KUNIT_EXPECT_EQ(test, 1u, nr_damon_targets(ctx));
--
2.52.0
^ permalink raw reply related [flat|nested] 587+ messages in thread
* [PATCH 6.12 422/567] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 421/567] mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 423/567] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Greg Kroah-Hartman
` (158 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 7890e5b5bb6e386155c6e755fe70e0cdcc77f18e upstream.
damon_test_split_evenly_fail() is assuming all dynamic memory allocation
in it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-19-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/vaddr-kunit.h | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/mm/damon/tests/vaddr-kunit.h
+++ b/mm/damon/tests/vaddr-kunit.h
@@ -250,7 +250,16 @@ static void damon_test_split_evenly_fail
unsigned long start, unsigned long end, unsigned int nr_pieces)
{
struct damon_target *t = damon_new_target();
- struct damon_region *r = damon_new_region(start, end);
+ struct damon_region *r;
+
+ if (!t)
+ kunit_skip(test, "target alloc fail");
+
+ r = damon_new_region(start, end);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
KUNIT_EXPECT_EQ(test,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 423/567] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 422/567] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 424/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Greg Kroah-Hartman
` (157 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 0a63a0e7570b9b2631dfb8d836dc572709dce39e upstream.
damon_test_split_evenly_succ() is assuming all dynamic memory allocation
in it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-20-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/vaddr-kunit.h | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/mm/damon/tests/vaddr-kunit.h
+++ b/mm/damon/tests/vaddr-kunit.h
@@ -278,10 +278,17 @@ static void damon_test_split_evenly_succ
unsigned long start, unsigned long end, unsigned int nr_pieces)
{
struct damon_target *t = damon_new_target();
- struct damon_region *r = damon_new_region(start, end);
+ struct damon_region *r;
unsigned long expected_width = (end - start) / nr_pieces;
unsigned long i = 0;
+ if (!t)
+ kunit_skip(test, "target alloc fail");
+ r = damon_new_region(start, end);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
KUNIT_EXPECT_EQ(test,
damon_va_evenly_split_region(t, r, nr_pieces), 0);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 424/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 423/567] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 425/567] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Greg Kroah-Hartman
` (156 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 5e80d73f22043c59c8ad36452a3253937ed77955 upstream.
damon_test_split_at() is assuming all dynamic memory allocation in it will
succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-6-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -124,8 +124,19 @@ static void damon_test_split_at(struct k
struct damon_target *t;
struct damon_region *r, *r_new;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "target alloc fail");
+ }
r = damon_new_region(0, 100);
+ if (!r) {
+ damon_destroy_ctx(c);
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses_bp = 420000;
r->nr_accesses = 42;
r->last_nr_accesses = 15;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 425/567] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 424/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 426/567] mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Greg Kroah-Hartman
` (155 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit e16fdd4f754048d6e23c56bd8d920b71e41e3777 upstream.
damon_test_regions() is assuming all dynamic memory allocation in it will
succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-3-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -20,11 +20,17 @@ static void damon_test_regions(struct ku
struct damon_target *t;
r = damon_new_region(1, 2);
+ if (!r)
+ kunit_skip(test, "region alloc fail");
KUNIT_EXPECT_EQ(test, 1ul, r->ar.start);
KUNIT_EXPECT_EQ(test, 2ul, r->ar.end);
KUNIT_EXPECT_EQ(test, 0u, r->nr_accesses);
t = damon_new_target();
+ if (!t) {
+ damon_free_region(r);
+ kunit_skip(test, "target alloc fail");
+ }
KUNIT_EXPECT_EQ(test, 0u, damon_nr_regions(t));
damon_add_region(r, t);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 426/567] mm/damon/tests/core-kunit: handle memory failure from damon_test_target()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 425/567] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 427/567] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Greg Kroah-Hartman
` (154 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit fafe953de2c661907c94055a2497c6b8dbfd26f3 upstream.
damon_test_target() is assuming all dynamic memory allocation in it will
succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-4-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -58,7 +58,14 @@ static void damon_test_target(struct kun
struct damon_ctx *c = damon_new_ctx();
struct damon_target *t;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
+
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "target alloc fail");
+ }
KUNIT_EXPECT_EQ(test, 0u, nr_damon_targets(c));
damon_add_target(c, t);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 427/567] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 426/567] mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 428/567] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Greg Kroah-Hartman
` (153 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit f79f2fc44ebd0ed655239046be3e80e8804b5545 upstream.
damon_test_aggregate() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-5-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -97,8 +97,15 @@ static void damon_test_aggregate(struct
struct damon_region *r;
int it, ir;
+ if (!ctx)
+ kunit_skip(test, "ctx alloc fail");
+
for (it = 0; it < 3; it++) {
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(ctx);
+ kunit_skip(test, "target alloc fail");
+ }
damon_add_target(ctx, t);
}
@@ -106,6 +113,10 @@ static void damon_test_aggregate(struct
damon_for_each_target(t, ctx) {
for (ir = 0; ir < 3; ir++) {
r = damon_new_region(saddr[it][ir], eaddr[it][ir]);
+ if (!r) {
+ damon_destroy_ctx(ctx);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses = accesses[it][ir];
r->nr_accesses_bp = accesses[it][ir] * 10000;
damon_add_region(r, t);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 428/567] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 427/567] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 429/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Greg Kroah-Hartman
` (152 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 0998d2757218771c59d5ca59ccf13d1542a38f17 upstream.
damon_test_merge_regions_of() is assuming all dynamic memory allocation in
it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-8-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -238,8 +238,14 @@ static void damon_test_merge_regions_of(
int i;
t = damon_new_target();
+ if (!t)
+ kunit_skip(test, "target alloc fail");
for (i = 0; i < ARRAY_SIZE(sa); i++) {
r = damon_new_region(sa[i], ea[i]);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses = nrs[i];
r->nr_accesses_bp = nrs[i] * 10000;
damon_add_region(r, t);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 429/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 428/567] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 430/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() Greg Kroah-Hartman
` (151 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 3d443dd29a1db7efa587a4bb0c06a497e13ca9e4 upstream.
damon_test_merge_two() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-7-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -188,11 +188,21 @@ static void damon_test_merge_two(struct
int i;
t = damon_new_target();
+ if (!t)
+ kunit_skip(test, "target alloc fail");
r = damon_new_region(0, 100);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses = 10;
r->nr_accesses_bp = 100000;
damon_add_region(r, t);
r2 = damon_new_region(100, 300);
+ if (!r2) {
+ damon_free_target(t);
+ kunit_skip(test, "second region alloc fail");
+ }
r2->nr_accesses = 20;
r2->nr_accesses_bp = 200000;
damon_add_region(r2, t);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 430/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 429/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 431/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() Greg Kroah-Hartman
` (150 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 74d5969995d129fd59dd93b9c7daa6669cb6810f upstream.
damon_test_set_regions() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-11-sj@kernel.org
Fixes: 62f409560eb2 ("mm/damon/core-test: test damon_set_regions")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -345,13 +345,26 @@ static void damon_test_ops_registration(
static void damon_test_set_regions(struct kunit *test)
{
struct damon_target *t = damon_new_target();
- struct damon_region *r1 = damon_new_region(4, 16);
- struct damon_region *r2 = damon_new_region(24, 32);
+ struct damon_region *r1, *r2;
struct damon_addr_range range = {.start = 8, .end = 28};
unsigned long expects[] = {8, 16, 16, 24, 24, 28};
int expect_idx = 0;
struct damon_region *r;
+ if (!t)
+ kunit_skip(test, "target alloc fail");
+ r1 = damon_new_region(4, 16);
+ if (!r1) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
+ r2 = damon_new_region(24, 32);
+ if (!r2) {
+ damon_free_target(t);
+ damon_free_region(r1);
+ kunit_skip(test, "second region alloc fail");
+ }
+
damon_add_region(r1, t);
damon_add_region(r2, t);
damon_set_regions(t, &range, 1);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 431/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 430/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 432/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() Greg Kroah-Hartman
` (149 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 8cf298c01b7fdb08eef5b6b26d0fe98d48134d72 upstream.
damon_test_update_monitoring_result() is assuming all dynamic memory
allocation in it will succeed. Those are indeed likely in the real use
cases since those allocations are too small to fail, but theoretically
those could fail. In the case, inappropriate memory access can happen.
Fix it by appropriately cleanup pre-allocated memory and skip the
execution of the remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-12-sj@kernel.org
Fixes: f4c978b6594b ("mm/damon/core-test: add a test for damon_update_monitoring_results()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.3+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -406,6 +406,9 @@ static void damon_test_update_monitoring
struct damon_attrs new_attrs;
struct damon_region *r = damon_new_region(3, 7);
+ if (!r)
+ kunit_skip(test, "region alloc fail");
+
r->nr_accesses = 15;
r->nr_accesses_bp = 150000;
r->age = 20;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 432/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 431/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 433/567] mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() Greg Kroah-Hartman
` (148 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 4f835f4e8c863985f15abd69db033c2f66546094 upstream.
damon_test_ops_registration() is assuming all dynamic memory allocation in
it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-10-sj@kernel.org
Fixes: 4f540f5ab4f2 ("mm/damon/core-test: add a kunit test case for ops registration")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.19+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -300,6 +300,9 @@ static void damon_test_ops_registration(
struct damon_operations ops = {.id = DAMON_OPS_VADDR}, bak;
bool need_cleanup = false;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
+
/* DAMON_OPS_VADDR is registered only if CONFIG_DAMON_VADDR is set */
if (!damon_is_registered_ops(DAMON_OPS_VADDR)) {
bak.id = DAMON_OPS_VADDR;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 433/567] mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 432/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 434/567] pmdomain: imx: Fix reference count leak in imx_gpc_probe() Greg Kroah-Hartman
` (147 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 915a2453d824a9b6bf724e3f970d86ae1d092a61 upstream.
damon_test_set_attrs() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-13-sj@kernel.org
Fixes: aa13779be6b7 ("mm/damon/core-test: add a test for damon_set_attrs()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -445,6 +445,9 @@ static void damon_test_set_attrs(struct
.sample_interval = 5000, .aggr_interval = 100000,};
struct damon_attrs invalid_attrs;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
+
KUNIT_EXPECT_EQ(test, damon_set_attrs(c, &valid_attrs), 0);
invalid_attrs = valid_attrs;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 434/567] pmdomain: imx: Fix reference count leak in imx_gpc_probe()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 433/567] mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 435/567] compiler_types.h: add "auto" as a macro for "__auto_type" Greg Kroah-Hartman
` (146 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wentao Liang, Frank Li, Ulf Hansson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit 73cb5f6eafb0ac7aea8cdeb8ff12981aa741d8fb upstream.
of_get_child_by_name() returns a node pointer with refcount incremented.
Use the __free() attribute to manage the pgc_node reference, ensuring
automatic of_node_put() cleanup when pgc_node goes out of scope.
This eliminates the need for explicit error handling paths and avoids
reference count leaks.
Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/imx/gpc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/pmdomain/imx/gpc.c
+++ b/drivers/pmdomain/imx/gpc.c
@@ -403,13 +403,12 @@ clk_err:
static int imx_gpc_probe(struct platform_device *pdev)
{
const struct imx_gpc_dt_data *of_id_data = device_get_match_data(&pdev->dev);
- struct device_node *pgc_node;
+ struct device_node *pgc_node __free(device_node)
+ = of_get_child_by_name(pdev->dev.of_node, "pgc");
struct regmap *regmap;
void __iomem *base;
int ret;
- pgc_node = of_get_child_by_name(pdev->dev.of_node, "pgc");
-
/* bail out if DT too old and doesn't provide the necessary info */
if (!of_property_read_bool(pdev->dev.of_node, "#power-domain-cells") &&
!pgc_node)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 435/567] compiler_types.h: add "auto" as a macro for "__auto_type"
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 434/567] pmdomain: imx: Fix reference count leak in imx_gpc_probe() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 436/567] mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN Greg Kroah-Hartman
` (145 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, H. Peter Anvin (Intel), Miguel Ojeda,
stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: H. Peter Anvin <hpa@zytor.com>
commit 2fb6915fa22dc5524d704afba58a13305dd9f533 upstream.
"auto" was defined as a keyword back in the K&R days, but as a storage
type specifier. No one ever used it, since it was and is the default
storage type for local variables.
C++11 recycled the keyword to allow a type to be declared based on the
type of an initializer. This was finally adopted into standard C in
C23.
gcc and clang provide the "__auto_type" alias keyword as an extension
for pre-C23, however, there is no reason to pollute the bulk of the
source base with this temporary keyword; instead define "auto" as a
macro unless the compiler is running in C23+ mode.
This macro is added in <linux/compiler_types.h> because that header is
included in some of the tools headers, wheres <linux/compiler.h> is
not as it has a bunch of very kernel-specific things in it.
[ Cc: stable to reduce potential backporting burden. ]
Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Cc: <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/compiler_types.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -14,6 +14,19 @@
#ifndef __ASSEMBLY__
/*
+ * C23 introduces "auto" as a standard way to define type-inferred
+ * variables, but "auto" has been a (useless) keyword even since K&R C,
+ * so it has always been "namespace reserved."
+ *
+ * Until at some future time we require C23 support, we need the gcc
+ * extension __auto_type, but there is no reason to put that elsewhere
+ * in the source code.
+ */
+#if __STDC_VERSION__ < 202311L
+# define auto __auto_type
+#endif
+
+/*
* Skipped when running bindgen due to a libclang issue;
* see https://github.com/rust-lang/rust-bindgen/issues/2244.
*/
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 436/567] mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 435/567] compiler_types.h: add "auto" as a macro for "__auto_type" Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 437/567] kasan: refactor pcpu kasan vmalloc unpoison Greg Kroah-Hartman
` (144 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiayuan Chen, Maciej Wieczor-Retman,
syzbot+997752115a851cb0cf36, Andrey Konovalov,
Alexander Potapenko, Andrey Ryabinin, Danilo Krummrich,
Dmitriy Vyukov, Kees Cook, Marco Elver, Uladzislau Rezki (Sony),
Vincenzo Frascino, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiayuan Chen <jiayuan.chen@linux.dev>
commit 007f5da43b3d0ecff972e2616062b8da1f862f5e upstream.
Patch series "kasan: vmalloc: Fixes for the percpu allocator and
vrealloc", v3.
Patches fix two issues related to KASAN and vmalloc.
The first one, a KASAN tag mismatch, possibly resulting in a kernel panic,
can be observed on systems with a tag-based KASAN enabled and with
multiple NUMA nodes. Initially it was only noticed on x86 [1] but later a
similar issue was also reported on arm64 [2].
Specifically the problem is related to how vm_structs interact with
pcpu_chunks - both when they are allocated, assigned and when pcpu_chunk
addresses are derived.
When vm_structs are allocated they are unpoisoned, each with a different
random tag, if vmalloc support is enabled along the KASAN mode. Later
when first pcpu chunk is allocated it gets its 'base_addr' field set to
the first allocated vm_struct. With that it inherits that vm_struct's
tag.
When pcpu_chunk addresses are later derived (by pcpu_chunk_addr(), for
example in pcpu_alloc_noprof()) the base_addr field is used and offsets
are added to it. If the initial conditions are satisfied then some of the
offsets will point into memory allocated with a different vm_struct. So
while the lower bits will get accurately derived the tag bits in the top
of the pointer won't match the shadow memory contents.
The solution (proposed at v2 of the x86 KASAN series [3]) is to unpoison
the vm_structs with the same tag when allocating them for the per cpu
allocator (in pcpu_get_vm_areas()).
The second one reported by syzkaller [4] is related to vrealloc and
happens because of random tag generation when unpoisoning memory without
allocating new pages. This breaks shadow memory tracking and needs to
reuse the existing tag instead of generating a new one. At the same time
an inconsistency in used flags is corrected.
This patch (of 3):
Syzkaller reported a memory out-of-bounds bug [4]. This patch fixes two
issues:
1. In vrealloc the KASAN_VMALLOC_VM_ALLOC flag is missing when
unpoisoning the extended region. This flag is required to correctly
associate the allocation with KASAN's vmalloc tracking.
Note: In contrast, vzalloc (via __vmalloc_node_range_noprof)
explicitly sets KASAN_VMALLOC_VM_ALLOC and calls
kasan_unpoison_vmalloc() with it. vrealloc must behave consistently --
especially when reusing existing vmalloc regions -- to ensure KASAN can
track allocations correctly.
2. When vrealloc reuses an existing vmalloc region (without allocating
new pages) KASAN generates a new tag, which breaks tag-based memory
access tracking.
Introduce KASAN_VMALLOC_KEEP_TAG, a new KASAN flag that allows reusing the
tag already attached to the pointer, ensuring consistent tag behavior
during reallocation.
Pass KASAN_VMALLOC_KEEP_TAG and KASAN_VMALLOC_VM_ALLOC to the
kasan_unpoison_vmalloc inside vrealloc_node_align_noprof().
Link: https://lkml.kernel.org/r/cover.1765978969.git.m.wieczorretman@pm.me
Link: https://lkml.kernel.org/r/38dece0a4074c43e48150d1e242f8242c73bf1a5.1764874575.git.m.wieczorretman@pm.me
Link: https://lore.kernel.org/all/e7e04692866d02e6d3b32bb43b998e5d17092ba4.1738686764.git.maciej.wieczor-retman@intel.com/ [1]
Link: https://lore.kernel.org/all/aMUrW1Znp1GEj7St@MiWiFi-R3L-srv/ [2]
Link: https://lore.kernel.org/all/CAPAsAGxDRv_uFeMYu9TwhBVWHCCtkSxoWY4xmFB_vowMbi8raw@mail.gmail.com/ [3]
Link: https://syzkaller.appspot.com/bug?extid=997752115a851cb0cf36 [4]
Fixes: a0309faf1cb0 ("mm: vmalloc: support more granular vrealloc() sizing")
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Co-developed-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
Reported-by: syzbot+997752115a851cb0cf36@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68e243a2.050a0220.1696c6.007d.GAE@google.com/T/
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/kasan.h | 1 +
mm/kasan/hw_tags.c | 2 +-
mm/kasan/shadow.c | 4 +++-
mm/vmalloc.c | 4 +++-
4 files changed, 8 insertions(+), 3 deletions(-)
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -28,6 +28,7 @@ typedef unsigned int __bitwise kasan_vma
#define KASAN_VMALLOC_INIT ((__force kasan_vmalloc_flags_t)0x01u)
#define KASAN_VMALLOC_VM_ALLOC ((__force kasan_vmalloc_flags_t)0x02u)
#define KASAN_VMALLOC_PROT_NORMAL ((__force kasan_vmalloc_flags_t)0x04u)
+#define KASAN_VMALLOC_KEEP_TAG ((__force kasan_vmalloc_flags_t)0x08u)
#define KASAN_VMALLOC_PAGE_RANGE 0x1 /* Apply exsiting page range */
#define KASAN_VMALLOC_TLB_FLUSH 0x2 /* TLB flush */
--- a/mm/kasan/hw_tags.c
+++ b/mm/kasan/hw_tags.c
@@ -345,7 +345,7 @@ void *__kasan_unpoison_vmalloc(const voi
return (void *)start;
}
- tag = kasan_random_tag();
+ tag = (flags & KASAN_VMALLOC_KEEP_TAG) ? get_tag(start) : kasan_random_tag();
start = set_tag(start, tag);
/* Unpoison and initialize memory up to size. */
--- a/mm/kasan/shadow.c
+++ b/mm/kasan/shadow.c
@@ -561,7 +561,9 @@ void *__kasan_unpoison_vmalloc(const voi
!(flags & KASAN_VMALLOC_PROT_NORMAL))
return (void *)start;
- start = set_tag(start, kasan_random_tag());
+ if (unlikely(!(flags & KASAN_VMALLOC_KEEP_TAG)))
+ start = set_tag(start, kasan_random_tag());
+
kasan_unpoison(start, size, false);
return (void *)start;
}
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -4118,7 +4118,9 @@ void *vrealloc_noprof(const void *p, siz
*/
if (size <= alloced_size) {
kasan_unpoison_vmalloc(p + old_size, size - old_size,
- KASAN_VMALLOC_PROT_NORMAL);
+ KASAN_VMALLOC_PROT_NORMAL |
+ KASAN_VMALLOC_VM_ALLOC |
+ KASAN_VMALLOC_KEEP_TAG);
/*
* No need to zero memory here, as unused memory will have
* already been zeroed at initial allocation time or during
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 437/567] kasan: refactor pcpu kasan vmalloc unpoison
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 436/567] mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 438/567] kasan: unpoison vms[area] addresses with a common tag Greg Kroah-Hartman
` (143 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Wieczor-Retman,
Andrey Konovalov, Alexander Potapenko, Andrey Ryabinin,
Danilo Krummrich, Dmitriy Vyukov, Jiayuan Chen, Kees Cook,
Marco Elver, Uladzislau Rezki (Sony), Vincenzo Frascino,
Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
commit 6f13db031e27e88213381039032a9cc061578ea6 upstream.
A KASAN tag mismatch, possibly causing a kernel panic, can be observed
on systems with a tag-based KASAN enabled and with multiple NUMA nodes.
It was reported on arm64 and reproduced on x86. It can be explained in
the following points:
1. There can be more than one virtual memory chunk.
2. Chunk's base address has a tag.
3. The base address points at the first chunk and thus inherits
the tag of the first chunk.
4. The subsequent chunks will be accessed with the tag from the
first chunk.
5. Thus, the subsequent chunks need to have their tag set to
match that of the first chunk.
Refactor code by reusing __kasan_unpoison_vmalloc in a new helper in
preparation for the actual fix.
Link: https://lkml.kernel.org/r/eb61d93b907e262eefcaa130261a08bcb6c5ce51.1764874575.git.m.wieczorretman@pm.me
Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS")
Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Cc: Kees Cook <kees@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: <stable@vger.kernel.org> [6.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/kasan.h | 15 +++++++++++++++
mm/kasan/common.c | 17 +++++++++++++++++
mm/vmalloc.c | 4 +---
3 files changed, 33 insertions(+), 3 deletions(-)
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -608,6 +608,16 @@ static __always_inline void kasan_poison
__kasan_poison_vmalloc(start, size);
}
+void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
+ kasan_vmalloc_flags_t flags);
+static __always_inline void
+kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
+ kasan_vmalloc_flags_t flags)
+{
+ if (kasan_enabled())
+ __kasan_unpoison_vmap_areas(vms, nr_vms, flags);
+}
+
#else /* CONFIG_KASAN_VMALLOC */
static inline void kasan_populate_early_vm_area_shadow(void *start,
@@ -632,6 +642,11 @@ static inline void *kasan_unpoison_vmall
static inline void kasan_poison_vmalloc(const void *start, unsigned long size)
{ }
+static __always_inline void
+kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
+ kasan_vmalloc_flags_t flags)
+{ }
+
#endif /* CONFIG_KASAN_VMALLOC */
#if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -28,6 +28,7 @@
#include <linux/string.h>
#include <linux/types.h>
#include <linux/bug.h>
+#include <linux/vmalloc.h>
#include "kasan.h"
#include "../slab.h"
@@ -559,3 +560,19 @@ bool __kasan_check_byte(const void *addr
}
return true;
}
+
+#ifdef CONFIG_KASAN_VMALLOC
+void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
+ kasan_vmalloc_flags_t flags)
+{
+ unsigned long size;
+ void *addr;
+ int area;
+
+ for (area = 0 ; area < nr_vms ; area++) {
+ size = vms[area]->size;
+ addr = vms[area]->addr;
+ vms[area]->addr = __kasan_unpoison_vmalloc(addr, size, flags);
+ }
+}
+#endif
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -4812,9 +4812,7 @@ retry:
* With hardware tag-based KASAN, marking is skipped for
* non-VM_ALLOC mappings, see __kasan_unpoison_vmalloc().
*/
- for (area = 0; area < nr_vms; area++)
- vms[area]->addr = kasan_unpoison_vmalloc(vms[area]->addr,
- vms[area]->size, KASAN_VMALLOC_PROT_NORMAL);
+ kasan_unpoison_vmap_areas(vms, nr_vms, KASAN_VMALLOC_PROT_NORMAL);
kfree(vas);
return vms;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 438/567] kasan: unpoison vms[area] addresses with a common tag
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 437/567] kasan: refactor pcpu kasan vmalloc unpoison Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 439/567] lockd: fix vfs_test_lock() calls Greg Kroah-Hartman
` (142 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Wieczor-Retman,
Andrey Konovalov, Alexander Potapenko, Andrey Ryabinin,
Danilo Krummrich, Dmitriy Vyukov, Jiayuan Chen, Kees Cook,
Marco Elver, Uladzislau Rezki (Sony), Vincenzo Frascino,
Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
commit 6a0e5b333842cf65d6f4e4f0a2a4386504802515 upstream.
A KASAN tag mismatch, possibly causing a kernel panic, can be observed on
systems with a tag-based KASAN enabled and with multiple NUMA nodes. It
was reported on arm64 and reproduced on x86. It can be explained in the
following points:
1. There can be more than one virtual memory chunk.
2. Chunk's base address has a tag.
3. The base address points at the first chunk and thus inherits
the tag of the first chunk.
4. The subsequent chunks will be accessed with the tag from the
first chunk.
5. Thus, the subsequent chunks need to have their tag set to
match that of the first chunk.
Use the new vmalloc flag that disables random tag assignment in
__kasan_unpoison_vmalloc() - pass the same random tag to all the
vm_structs by tagging the pointers before they go inside
__kasan_unpoison_vmalloc(). Assigning a common tag resolves the pcpu
chunk address mismatch.
[akpm@linux-foundation.org: use WARN_ON_ONCE(), per Andrey]
Link: https://lkml.kernel.org/r/CA+fCnZeuGdKSEm11oGT6FS71_vGq1vjq-xY36kxVdFvwmag2ZQ@mail.gmail.com
[maciej.wieczor-retman@intel.com: remove unneeded pr_warn()]
Link: https://lkml.kernel.org/r/919897daaaa3c982a27762a2ee038769ad033991.1764945396.git.m.wieczorretman@pm.me
Link: https://lkml.kernel.org/r/873821114a9f722ffb5d6702b94782e902883fdf.1764874575.git.m.wieczorretman@pm.me
Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS")
Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Cc: Kees Cook <kees@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: <stable@vger.kernel.org> [6.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kasan/common.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -568,11 +568,26 @@ void __kasan_unpoison_vmap_areas(struct
unsigned long size;
void *addr;
int area;
+ u8 tag;
- for (area = 0 ; area < nr_vms ; area++) {
+ /*
+ * If KASAN_VMALLOC_KEEP_TAG was set at this point, all vms[] pointers
+ * would be unpoisoned with the KASAN_TAG_KERNEL which would disable
+ * KASAN checks down the line.
+ */
+ if (WARN_ON_ONCE(flags & KASAN_VMALLOC_KEEP_TAG))
+ return;
+
+ size = vms[0]->size;
+ addr = vms[0]->addr;
+ vms[0]->addr = __kasan_unpoison_vmalloc(addr, size, flags);
+ tag = get_tag(vms[0]->addr);
+
+ for (area = 1 ; area < nr_vms ; area++) {
size = vms[area]->size;
- addr = vms[area]->addr;
- vms[area]->addr = __kasan_unpoison_vmalloc(addr, size, flags);
+ addr = set_tag(vms[area]->addr, tag);
+ vms[area]->addr =
+ __kasan_unpoison_vmalloc(addr, size, flags | KASAN_VMALLOC_KEEP_TAG);
}
}
#endif
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 439/567] lockd: fix vfs_test_lock() calls
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 438/567] kasan: unpoison vms[area] addresses with a common tag Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 440/567] idr: fix idr_alloc() returning an ID out of range Greg Kroah-Hartman
` (141 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, NeilBrown,
Jeff Layton, Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
commit a49a2a1baa0c553c3548a1c414b6a3c005a8deba upstream.
Usage of vfs_test_lock() is somewhat confused. Documentation suggests
it is given a "lock" but this is not the case. It is given a struct
file_lock which contains some details of the sort of lock it should be
looking for.
In particular passing a "file_lock" containing fl_lmops or fl_ops is
meaningless and possibly confusing.
This is particularly problematic in lockd. nlmsvc_testlock() receives
an initialised "file_lock" from xdr-decode, including manager ops and an
owner. It then mistakenly passes this to vfs_test_lock() which might
replace the owner and the ops. This can lead to confusion when freeing
the lock.
The primary role of the 'struct file_lock' passed to vfs_test_lock() is
to report a conflicting lock that was found, so it makes more sense for
nlmsvc_testlock() to pass "conflock", which it uses for returning the
conflicting lock.
With this change, freeing of the lock is not confused and code in
__nlm4svc_proc_test() and __nlmsvc_proc_test() can be simplified.
Documentation for vfs_test_lock() is improved to reflect its real
purpose, and a WARN_ON_ONCE() is added to avoid a similar problem in the
future.
Reported-by: Olga Kornievskaia <okorniev@redhat.com>
Closes: https://lore.kernel.org/all/20251021130506.45065-1-okorniev@redhat.com
Signed-off-by: NeilBrown <neil@brown.name>
Fixes: 20fa19027286 ("nfs: add export operations")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/lockd/svc4proc.c | 4 +---
fs/lockd/svclock.c | 21 ++++++++++++---------
fs/lockd/svcproc.c | 5 +----
fs/locks.c | 12 ++++++++++--
4 files changed, 24 insertions(+), 18 deletions(-)
--- a/fs/lockd/svc4proc.c
+++ b/fs/lockd/svc4proc.c
@@ -96,7 +96,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
struct nlm_args *argp = rqstp->rq_argp;
struct nlm_host *host;
struct nlm_file *file;
- struct nlm_lockowner *test_owner;
__be32 rc = rpc_success;
dprintk("lockd: TEST4 called\n");
@@ -106,7 +105,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
if ((resp->status = nlm4svc_retrieve_args(rqstp, argp, &host, &file)))
return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
- test_owner = argp->lock.fl.c.flc_owner;
/* Now check for conflicting locks */
resp->status = nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie);
if (resp->status == nlm_drop_reply)
@@ -114,7 +112,7 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
else
dprintk("lockd: TEST4 status %d\n", ntohl(resp->status));
- nlmsvc_put_lockowner(test_owner);
+ nlmsvc_release_lockowner(&argp->lock);
nlmsvc_release_host(host);
nlm_release_file(file);
return rc;
--- a/fs/lockd/svclock.c
+++ b/fs/lockd/svclock.c
@@ -628,7 +628,13 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
}
mode = lock_to_openmode(&lock->fl);
- error = vfs_test_lock(file->f_file[mode], &lock->fl);
+ locks_init_lock(&conflock->fl);
+ /* vfs_test_lock only uses start, end, and owner, but tests flc_file */
+ conflock->fl.c.flc_file = lock->fl.c.flc_file;
+ conflock->fl.fl_start = lock->fl.fl_start;
+ conflock->fl.fl_end = lock->fl.fl_end;
+ conflock->fl.c.flc_owner = lock->fl.c.flc_owner;
+ error = vfs_test_lock(file->f_file[mode], &conflock->fl);
if (error) {
/* We can't currently deal with deferred test requests */
if (error == FILE_LOCK_DEFERRED)
@@ -638,22 +644,19 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
goto out;
}
- if (lock->fl.c.flc_type == F_UNLCK) {
+ if (conflock->fl.c.flc_type == F_UNLCK) {
ret = nlm_granted;
goto out;
}
dprintk("lockd: conflicting lock(ty=%d, %Ld-%Ld)\n",
- lock->fl.c.flc_type, (long long)lock->fl.fl_start,
- (long long)lock->fl.fl_end);
+ conflock->fl.c.flc_type, (long long)conflock->fl.fl_start,
+ (long long)conflock->fl.fl_end);
conflock->caller = "somehost"; /* FIXME */
conflock->len = strlen(conflock->caller);
conflock->oh.len = 0; /* don't return OH info */
- conflock->svid = lock->fl.c.flc_pid;
- conflock->fl.c.flc_type = lock->fl.c.flc_type;
- conflock->fl.fl_start = lock->fl.fl_start;
- conflock->fl.fl_end = lock->fl.fl_end;
- locks_release_private(&lock->fl);
+ conflock->svid = conflock->fl.c.flc_pid;
+ locks_release_private(&conflock->fl);
ret = nlm_lck_denied;
out:
--- a/fs/lockd/svcproc.c
+++ b/fs/lockd/svcproc.c
@@ -117,7 +117,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
struct nlm_args *argp = rqstp->rq_argp;
struct nlm_host *host;
struct nlm_file *file;
- struct nlm_lockowner *test_owner;
__be32 rc = rpc_success;
dprintk("lockd: TEST called\n");
@@ -127,8 +126,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
if ((resp->status = nlmsvc_retrieve_args(rqstp, argp, &host, &file)))
return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
- test_owner = argp->lock.fl.c.flc_owner;
-
/* Now check for conflicting locks */
resp->status = cast_status(nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie));
if (resp->status == nlm_drop_reply)
@@ -137,7 +134,7 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
dprintk("lockd: TEST status %d vers %d\n",
ntohl(resp->status), rqstp->rq_vers);
- nlmsvc_put_lockowner(test_owner);
+ nlmsvc_release_lockowner(&argp->lock);
nlmsvc_release_host(host);
nlm_release_file(file);
return rc;
--- a/fs/locks.c
+++ b/fs/locks.c
@@ -2190,13 +2190,21 @@ SYSCALL_DEFINE2(flock, unsigned int, fd,
/**
* vfs_test_lock - test file byte range lock
* @filp: The file to test lock for
- * @fl: The lock to test; also used to hold result
+ * @fl: The byte-range in the file to test; also used to hold result
*
+ * On entry, @fl does not contain a lock, but identifies a range (fl_start, fl_end)
+ * in the file (c.flc_file), and an owner (c.flc_owner) for whom existing locks
+ * should be ignored. c.flc_type and c.flc_flags are ignored.
+ * Both fl_lmops and fl_ops in @fl must be NULL.
* Returns -ERRNO on failure. Indicates presence of conflicting lock by
- * setting conf->fl_type to something other than F_UNLCK.
+ * setting fl->fl_type to something other than F_UNLCK.
+ *
+ * If vfs_test_lock() does find a lock and return it, the caller must
+ * use locks_free_lock() or locks_release_private() on the returned lock.
*/
int vfs_test_lock(struct file *filp, struct file_lock *fl)
{
+ WARN_ON_ONCE(fl->fl_ops || fl->fl_lmops);
WARN_ON_ONCE(filp != fl->c.flc_file);
if (filp->f_op->lock)
return filp->f_op->lock(filp, F_GETLK, fl);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 440/567] idr: fix idr_alloc() returning an ID out of range
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 439/567] lockd: fix vfs_test_lock() calls Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 441/567] mm/page_owner: fix memory leak in page_owner_stack_fops->release() Greg Kroah-Hartman
` (140 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Jan Sokolowski, Koen Koning, Peter Senna Tschudin,
Christian König, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
commit c6e8e595a0798ad67da0f7bebaf69c31ef70dfff upstream.
If you use an IDR with a non-zero base, and specify a range that lies
entirely below the base, 'max - base' becomes very large and
idr_get_free() can return an ID that lies outside of the requested range.
Link: https://lkml.kernel.org/r/20251128161853.3200058-1-willy@infradead.org
Fixes: 6ce711f27500 ("idr: Make 1-based IDRs more efficient")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reported-by: Jan Sokolowski <jan.sokolowski@intel.com>
Reported-by: Koen Koning <koen.koning@intel.com>
Reported-by: Peter Senna Tschudin <peter.senna@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6449
Reviewed-by: Christian König <christian.koenig@amd.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/idr.c | 2 ++
tools/testing/radix-tree/idr-test.c | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+)
--- a/lib/idr.c
+++ b/lib/idr.c
@@ -40,6 +40,8 @@ int idr_alloc_u32(struct idr *idr, void
if (WARN_ON_ONCE(!(idr->idr_rt.xa_flags & ROOT_IS_IDR)))
idr->idr_rt.xa_flags |= IDR_RT_MARKER;
+ if (max < base)
+ return -ENOSPC;
id = (id < base) ? 0 : id - base;
radix_tree_iter_init(&iter, id);
--- a/tools/testing/radix-tree/idr-test.c
+++ b/tools/testing/radix-tree/idr-test.c
@@ -57,6 +57,26 @@ void idr_alloc_test(void)
idr_destroy(&idr);
}
+void idr_alloc2_test(void)
+{
+ int id;
+ struct idr idr = IDR_INIT_BASE(idr, 1);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL);
+ assert(id == -ENOSPC);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 1, 2, GFP_KERNEL);
+ assert(id == 1);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL);
+ assert(id == -ENOSPC);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 0, 2, GFP_KERNEL);
+ assert(id == -ENOSPC);
+
+ idr_destroy(&idr);
+}
+
void idr_replace_test(void)
{
DEFINE_IDR(idr);
@@ -409,6 +429,7 @@ void idr_checks(void)
idr_replace_test();
idr_alloc_test();
+ idr_alloc2_test();
idr_null_test();
idr_nowait_test();
idr_get_next_test(0);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 441/567] mm/page_owner: fix memory leak in page_owner_stack_fops->release()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 440/567] idr: fix idr_alloc() returning an ID out of range Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 442/567] x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo Greg Kroah-Hartman
` (139 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ran Xiaokai, Michal Hocko,
Vlastimil Babka, Andrey Konovalov, Brendan Jackman,
Johannes Weiner, Marco Elver, Suren Baghdasaryan, Zi Yan,
Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ran Xiaokai <ran.xiaokai@zte.com.cn>
commit a76a5ae2c6c645005672c2caf2d49361c6f2500f upstream.
The page_owner_stack_fops->open() callback invokes seq_open_private(),
therefore its corresponding ->release() callback must call
seq_release_private(). Otherwise it will cause a memory leak of struct
stack_print_ctx.
Link: https://lkml.kernel.org/r/20251219074232.136482-1-ranxiaokai627@163.com
Fixes: 765973a09803 ("mm,page_owner: display all stacks and their count")
Signed-off-by: Ran Xiaokai <ran.xiaokai@zte.com.cn>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Marco Elver <elver@google.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page_owner.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/page_owner.c
+++ b/mm/page_owner.c
@@ -933,7 +933,7 @@ static const struct file_operations page
.open = page_owner_stack_open,
.read = seq_read,
.llseek = seq_lseek,
- .release = seq_release,
+ .release = seq_release_private,
};
static int page_owner_threshold_get(void *data, u64 *val)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 442/567] x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 441/567] mm/page_owner: fix memory leak in page_owner_stack_fops->release() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 443/567] tools/mm/page_owner_sort: fix timestamp comparison for stable sorting Greg Kroah-Hartman
` (138 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rong Zhang, Borislav Petkov (AMD),
stable
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rong Zhang <i@rong.moe>
commit 150b1b97e27513535dcd3795d5ecd28e61b6cb8c upstream.
Zen5 also contains family 1Ah, models 70h-7Fh, which are mistakenly missing
from cpu_has_entrysign(). Add the missing range.
Fixes: 8a9fb5129e8e ("x86/microcode/AMD: Limit Entrysign signature checking to known generations")
Signed-off-by: Rong Zhang <i@rong.moe>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@kernel.org
Link: https://patch.msgid.link/20251229182245.152747-1-i@rong.moe
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/microcode/amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -235,7 +235,7 @@ static bool cpu_has_entrysign(void)
if (fam == 0x1a) {
if (model <= 0x2f ||
(0x40 <= model && model <= 0x4f) ||
- (0x60 <= model && model <= 0x6f))
+ (0x60 <= model && model <= 0x7f))
return true;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 443/567] tools/mm/page_owner_sort: fix timestamp comparison for stable sorting
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 442/567] x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 444/567] samples/ftrace: Adjust LoongArch register restore order in direct calls Greg Kroah-Hartman
` (137 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaushlendra Kumar, Chongxi Zhao,
Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
commit 7013803444dd3bbbe28fd3360c084cec3057c554 upstream.
The ternary operator in compare_ts() returns 1 when timestamps are equal,
causing unstable sorting behavior. Replace with explicit three-way
comparison that returns 0 for equal timestamps, ensuring stable qsort
ordering and consistent output.
Link: https://lkml.kernel.org/r/20251209044552.3396468-1-kaushlendra.kumar@intel.com
Fixes: 8f9c447e2e2b ("tools/vm/page_owner_sort.c: support sorting pid and time")
Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
Cc: Chongxi Zhao <zhaochongxi2019@email.szu.edu.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/mm/page_owner_sort.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/tools/mm/page_owner_sort.c
+++ b/tools/mm/page_owner_sort.c
@@ -183,7 +183,11 @@ static int compare_ts(const void *p1, co
{
const struct block_list *l1 = p1, *l2 = p2;
- return l1->ts_nsec < l2->ts_nsec ? -1 : 1;
+ if (l1->ts_nsec < l2->ts_nsec)
+ return -1;
+ if (l1->ts_nsec > l2->ts_nsec)
+ return 1;
+ return 0;
}
static int compare_cull_condition(const void *p1, const void *p2)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 444/567] samples/ftrace: Adjust LoongArch register restore order in direct calls
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 443/567] tools/mm/page_owner_sort: fix timestamp comparison for stable sorting Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 445/567] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Greg Kroah-Hartman
` (136 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youling Tang,
Steven Rostedt (Google), Chenghao Duan, Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenghao Duan <duanchenghao@kylinos.cn>
commit bb85d206be208bbf834883e948125a35ac59993a upstream.
Ensure that in the ftrace direct call logic, the CPU register state
(with ra = parent return address) is restored to the correct state after
the execution of the custom trampoline function and before returning to
the traced function. Additionally, guarantee the correctness of the jump
logic for jr t0 (traced function address).
Cc: stable@vger.kernel.org
Fixes: 9cdc3b6a299c ("LoongArch: ftrace: Add direct call support")
Reported-by: Youling Tang <tangyouling@kylinos.cn>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Chenghao Duan <duanchenghao@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
samples/ftrace/ftrace-direct-modify.c | 8 ++++----
samples/ftrace/ftrace-direct-multi-modify.c | 8 ++++----
samples/ftrace/ftrace-direct-multi.c | 4 ++--
samples/ftrace/ftrace-direct-too.c | 4 ++--
samples/ftrace/ftrace-direct.c | 4 ++--
5 files changed, 14 insertions(+), 14 deletions(-)
--- a/samples/ftrace/ftrace-direct-modify.c
+++ b/samples/ftrace/ftrace-direct-modify.c
@@ -176,8 +176,8 @@ asm (
" st.d $t0, $sp, 0\n"
" st.d $ra, $sp, 8\n"
" bl my_direct_func1\n"
-" ld.d $t0, $sp, 0\n"
-" ld.d $ra, $sp, 8\n"
+" ld.d $ra, $sp, 0\n"
+" ld.d $t0, $sp, 8\n"
" addi.d $sp, $sp, 16\n"
" jr $t0\n"
" .size my_tramp1, .-my_tramp1\n"
@@ -189,8 +189,8 @@ asm (
" st.d $t0, $sp, 0\n"
" st.d $ra, $sp, 8\n"
" bl my_direct_func2\n"
-" ld.d $t0, $sp, 0\n"
-" ld.d $ra, $sp, 8\n"
+" ld.d $ra, $sp, 0\n"
+" ld.d $t0, $sp, 8\n"
" addi.d $sp, $sp, 16\n"
" jr $t0\n"
" .size my_tramp2, .-my_tramp2\n"
--- a/samples/ftrace/ftrace-direct-multi-modify.c
+++ b/samples/ftrace/ftrace-direct-multi-modify.c
@@ -199,8 +199,8 @@ asm (
" move $a0, $t0\n"
" bl my_direct_func1\n"
" ld.d $a0, $sp, 0\n"
-" ld.d $t0, $sp, 8\n"
-" ld.d $ra, $sp, 16\n"
+" ld.d $ra, $sp, 8\n"
+" ld.d $t0, $sp, 16\n"
" addi.d $sp, $sp, 32\n"
" jr $t0\n"
" .size my_tramp1, .-my_tramp1\n"
@@ -215,8 +215,8 @@ asm (
" move $a0, $t0\n"
" bl my_direct_func2\n"
" ld.d $a0, $sp, 0\n"
-" ld.d $t0, $sp, 8\n"
-" ld.d $ra, $sp, 16\n"
+" ld.d $ra, $sp, 8\n"
+" ld.d $t0, $sp, 16\n"
" addi.d $sp, $sp, 32\n"
" jr $t0\n"
" .size my_tramp2, .-my_tramp2\n"
--- a/samples/ftrace/ftrace-direct-multi.c
+++ b/samples/ftrace/ftrace-direct-multi.c
@@ -131,8 +131,8 @@ asm (
" move $a0, $t0\n"
" bl my_direct_func\n"
" ld.d $a0, $sp, 0\n"
-" ld.d $t0, $sp, 8\n"
-" ld.d $ra, $sp, 16\n"
+" ld.d $ra, $sp, 8\n"
+" ld.d $t0, $sp, 16\n"
" addi.d $sp, $sp, 32\n"
" jr $t0\n"
" .size my_tramp, .-my_tramp\n"
--- a/samples/ftrace/ftrace-direct-too.c
+++ b/samples/ftrace/ftrace-direct-too.c
@@ -143,8 +143,8 @@ asm (
" ld.d $a0, $sp, 0\n"
" ld.d $a1, $sp, 8\n"
" ld.d $a2, $sp, 16\n"
-" ld.d $t0, $sp, 24\n"
-" ld.d $ra, $sp, 32\n"
+" ld.d $ra, $sp, 24\n"
+" ld.d $t0, $sp, 32\n"
" addi.d $sp, $sp, 48\n"
" jr $t0\n"
" .size my_tramp, .-my_tramp\n"
--- a/samples/ftrace/ftrace-direct.c
+++ b/samples/ftrace/ftrace-direct.c
@@ -124,8 +124,8 @@ asm (
" st.d $ra, $sp, 16\n"
" bl my_direct_func\n"
" ld.d $a0, $sp, 0\n"
-" ld.d $t0, $sp, 8\n"
-" ld.d $ra, $sp, 16\n"
+" ld.d $ra, $sp, 8\n"
+" ld.d $t0, $sp, 16\n"
" addi.d $sp, $sp, 32\n"
" jr $t0\n"
" .size my_tramp, .-my_tramp\n"
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 445/567] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 444/567] samples/ftrace: Adjust LoongArch register restore order in direct calls Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 446/567] RDMA/cm: Fix leaking the multicast GID table reference Greg Kroah-Hartman
` (135 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+938fcd548c303fe33c1a,
Jason Gunthorpe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit a7b8e876e0ef0232b8076972c57ce9a7286b47ca upstream.
The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a
LS_NLA_TYPE_DGID attribute, it is invalid if it does not.
Use the nl parsing logic properly and call nla_parse_deprecated() to fill
the nlattrs array and then directly index that array to get the data for
the DGID. Just fail if it is NULL.
Remove the for loop searching for the nla, and squash the validation and
parsing into one function.
Fixes an uninitialized read from the stack triggered by userspace if it
does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE
query.
BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
hex_byte_pack include/linux/hex.h:13 [inline]
ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
_printk+0x17e/0x1b0 kernel/printk/printk.c:2475
ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
__sys_sendmsg+0x1aa/0x300 net/socket.c:2703
__compat_sys_sendmsg net/compat.c:346 [inline]
__do_compat_sys_sendmsg net/compat.c:353 [inline]
__se_compat_sys_sendmsg net/compat.c:350 [inline]
__ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3
Link: https://patch.msgid.link/r/0-v1-3fbaef094271+2cf-rdma_op_ip_rslv_syz_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/68dc3dac.a00a0220.102ee.004f.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/addr.c | 33 ++++++++++-----------------------
1 file changed, 10 insertions(+), 23 deletions(-)
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -80,37 +80,25 @@ static const struct nla_policy ib_nl_add
.min = sizeof(struct rdma_nla_ls_gid)},
};
-static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)
+static void ib_nl_process_ip_rsep(const struct nlmsghdr *nlh)
{
struct nlattr *tb[LS_NLA_TYPE_MAX] = {};
+ union ib_gid gid;
+ struct addr_req *req;
+ int found = 0;
int ret;
if (nlh->nlmsg_flags & RDMA_NL_LS_F_ERR)
- return false;
+ return;
ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh),
nlmsg_len(nlh), ib_nl_addr_policy, NULL);
if (ret)
- return false;
-
- return true;
-}
-
-static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh)
-{
- const struct nlattr *head, *curr;
- union ib_gid gid;
- struct addr_req *req;
- int len, rem;
- int found = 0;
-
- head = (const struct nlattr *)nlmsg_data(nlh);
- len = nlmsg_len(nlh);
+ return;
- nla_for_each_attr(curr, head, len, rem) {
- if (curr->nla_type == LS_NLA_TYPE_DGID)
- memcpy(&gid, nla_data(curr), nla_len(curr));
- }
+ if (!tb[LS_NLA_TYPE_DGID])
+ return;
+ memcpy(&gid, nla_data(tb[LS_NLA_TYPE_DGID]), sizeof(gid));
spin_lock_bh(&lock);
list_for_each_entry(req, &req_list, list) {
@@ -137,8 +125,7 @@ int ib_nl_handle_ip_res_resp(struct sk_b
!(NETLINK_CB(skb).sk))
return -EPERM;
- if (ib_nl_is_good_ip_resp(nlh))
- ib_nl_process_good_ip_rsep(nlh);
+ ib_nl_process_ip_rsep(nlh);
return 0;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 446/567] RDMA/cm: Fix leaking the multicast GID table reference
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 445/567] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 447/567] e1000: fix OOB in e1000_tbi_should_accept() Greg Kroah-Hartman
` (134 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b0da83a6c0e2e2bddbd4,
Jason Gunthorpe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 57f3cb6c84159d12ba343574df2115fb18dd83ca upstream.
If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:
GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
Destroy the ah_attr after canceling the work, it is safe to call this
twice.
Link: https://patch.msgid.link/r/0-v1-4285d070a6b2+20a-rdma_mc_gid_leak_syz_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: fe454dc31e84 ("RDMA/ucma: Fix use-after-free bug in ucma_create_uevent")
Reported-by: syzbot+b0da83a6c0e2e2bddbd4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68232e7b.050a0220.f2294.09f6.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/cma.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -2009,6 +2009,7 @@ static void destroy_mc(struct rdma_id_pr
ib_sa_free_multicast(mc->sa_mc);
if (rdma_protocol_roce(id_priv->id.device, id_priv->id.port_num)) {
+ struct rdma_cm_event *event = &mc->iboe_join.event;
struct rdma_dev_addr *dev_addr =
&id_priv->id.route.addr.dev_addr;
struct net_device *ndev = NULL;
@@ -2031,6 +2032,8 @@ static void destroy_mc(struct rdma_id_pr
dev_put(ndev);
cancel_work_sync(&mc->iboe_join.work);
+ if (event->event == RDMA_CM_EVENT_MULTICAST_JOIN)
+ rdma_destroy_ah_attr(&event->param.ud.ah_attr);
}
kfree(mc);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 447/567] e1000: fix OOB in e1000_tbi_should_accept()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 446/567] RDMA/cm: Fix leaking the multicast GID table reference Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 448/567] fjes: Add missing iounmap in fjes_hw_init() Greg Kroah-Hartman
` (133 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Simon Horman,
Aleksandr Loktionov, Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit 9c72a5182ed92904d01057f208c390a303f00a0f upstream.
In e1000_tbi_should_accept() we read the last byte of the frame via
'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
reported length is zero or larger than the actual RX buffer size, this
read goes out of bounds and can hit unrelated slab objects. The issue
is observed from the NAPI receive path (e1000_clean_rx_irq):
==================================================================
BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
Read of size 1 at addr ffff888014114e54 by task sshd/363
CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x5a/0x74
print_address_description+0x7b/0x440
print_report+0x101/0x200
kasan_report+0xc1/0xf0
e1000_tbi_should_accept+0x610/0x790
e1000_clean_rx_irq+0xa8c/0x1110
e1000_clean+0xde2/0x3c10
__napi_poll+0x98/0x380
net_rx_action+0x491/0xa20
__do_softirq+0x2c9/0x61d
do_softirq+0xd1/0x120
</IRQ>
<TASK>
__local_bh_enable_ip+0xfe/0x130
ip_finish_output2+0x7d5/0xb00
__ip_queue_xmit+0xe24/0x1ab0
__tcp_transmit_skb+0x1bcb/0x3340
tcp_write_xmit+0x175d/0x6bd0
__tcp_push_pending_frames+0x7b/0x280
tcp_sendmsg_locked+0x2e4f/0x32d0
tcp_sendmsg+0x24/0x40
sock_write_iter+0x322/0x430
vfs_write+0x56c/0xa60
ksys_write+0xd1/0x190
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f511b476b10
Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24
RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10
RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003
RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003
</TASK>
Allocated by task 1:
__kasan_krealloc+0x131/0x1c0
krealloc+0x90/0xc0
add_sysfs_param+0xcb/0x8a0
kernel_add_sysfs_param+0x81/0xd4
param_sysfs_builtin+0x138/0x1a6
param_sysfs_init+0x57/0x5b
do_one_initcall+0x104/0x250
do_initcall_level+0x102/0x132
do_initcalls+0x46/0x74
kernel_init_freeable+0x28f/0x393
kernel_init+0x14/0x1a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff888014114000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1620 bytes to the right of
2048-byte region [ffff888014114000, ffff888014114800]
The buggy address belongs to the physical page:
page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110
head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
==================================================================
This happens because the TBI check unconditionally dereferences the last
byte without validating the reported length first:
u8 last_byte = *(data + length - 1);
Fix by rejecting the frame early if the length is zero, or if it exceeds
adapter->rx_buffer_len. This preserves the TBI workaround semantics for
valid frames and prevents touching memory beyond the RX buffer.
Fixes: 2037110c96d5 ("e1000: move tbi workaround code into helper function")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -4088,7 +4088,15 @@ static bool e1000_tbi_should_accept(stru
u32 length, const u8 *data)
{
struct e1000_hw *hw = &adapter->hw;
- u8 last_byte = *(data + length - 1);
+ u8 last_byte;
+
+ /* Guard against OOB on data[length - 1] */
+ if (unlikely(!length))
+ return false;
+ /* Upper bound: length must not exceed rx_buffer_len */
+ if (unlikely(length > adapter->rx_buffer_len))
+ return false;
+ last_byte = *(data + length - 1);
if (TBI_ACCEPT(hw, status, errors, length, last_byte)) {
unsigned long irq_flags;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 448/567] fjes: Add missing iounmap in fjes_hw_init()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 447/567] e1000: fix OOB in e1000_tbi_should_accept() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 449/567] LoongArch: Refactor register restoration in ftrace_common_return Greg Kroah-Hartman
` (132 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Simon Horman,
Paolo Abeni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 15ef641a0c6728d25a400df73922e80ab2cf029c upstream.
In error paths, add fjes_hw_iounmap() to release the
resource acquired by fjes_hw_iomap(). Add a goto label
to do so.
Fixes: 8cdc3f6c5d22 ("fjes: Hardware initialization routine")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Simon Horman <horms@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211073756.101824-1-lihaoxiang@isrc.iscas.ac.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/fjes/fjes_hw.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/fjes/fjes_hw.c
+++ b/drivers/net/fjes/fjes_hw.c
@@ -334,7 +334,7 @@ int fjes_hw_init(struct fjes_hw *hw)
ret = fjes_hw_reset(hw);
if (ret)
- return ret;
+ goto err_iounmap;
fjes_hw_set_irqmask(hw, REG_ICTL_MASK_ALL, true);
@@ -347,8 +347,10 @@ int fjes_hw_init(struct fjes_hw *hw)
hw->max_epid = fjes_hw_get_max_epid(hw);
hw->my_epid = fjes_hw_get_my_epid(hw);
- if ((hw->max_epid == 0) || (hw->my_epid >= hw->max_epid))
- return -ENXIO;
+ if ((hw->max_epid == 0) || (hw->my_epid >= hw->max_epid)) {
+ ret = -ENXIO;
+ goto err_iounmap;
+ }
ret = fjes_hw_setup(hw);
@@ -356,6 +358,10 @@ int fjes_hw_init(struct fjes_hw *hw)
hw->hw_info.trace_size = FJES_DEBUG_BUFFER_SIZE;
return ret;
+
+err_iounmap:
+ fjes_hw_iounmap(hw);
+ return ret;
}
void fjes_hw_exit(struct fjes_hw *hw)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 449/567] LoongArch: Refactor register restoration in ftrace_common_return
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 448/567] fjes: Add missing iounmap in fjes_hw_init() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 450/567] LoongArch: BPF: Zero-extend bpf_tail_call() index Greg Kroah-Hartman
` (131 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chenghao Duan, Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenghao Duan <duanchenghao@kylinos.cn>
commit 45cb47c628dfbd1994c619f3eac271a780602826 upstream.
Refactor the register restoration sequence in the ftrace_common_return
function to clearly distinguish between the logic of normal returns and
direct call returns in function tracing scenarios. The logic is as
follows:
1. In the case of a normal return, the execution flow returns to the
traced function, and ftrace must ensure that the register data is
consistent with the state when the function was entered.
ra = parent return address; t0 = traced function return address.
2. In the case of a direct call return, the execution flow jumps to the
custom trampoline function, and ftrace must ensure that the register
data is consistent with the state when ftrace was entered.
ra = traced function return address; t0 = parent return address.
Cc: stable@vger.kernel.org
Fixes: 9cdc3b6a299c ("LoongArch: ftrace: Add direct call support")
Signed-off-by: Chenghao Duan <duanchenghao@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/mcount_dyn.S | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/arch/loongarch/kernel/mcount_dyn.S
+++ b/arch/loongarch/kernel/mcount_dyn.S
@@ -94,7 +94,6 @@ SYM_INNER_LABEL(ftrace_graph_call, SYM_L
* at the callsite, so there is no need to restore the T series regs.
*/
ftrace_common_return:
- PTR_L ra, sp, PT_R1
PTR_L a0, sp, PT_R4
PTR_L a1, sp, PT_R5
PTR_L a2, sp, PT_R6
@@ -104,12 +103,17 @@ ftrace_common_return:
PTR_L a6, sp, PT_R10
PTR_L a7, sp, PT_R11
PTR_L fp, sp, PT_R22
- PTR_L t0, sp, PT_ERA
PTR_L t1, sp, PT_R13
- PTR_ADDI sp, sp, PT_SIZE
bnez t1, .Ldirect
+
+ PTR_L ra, sp, PT_R1
+ PTR_L t0, sp, PT_ERA
+ PTR_ADDI sp, sp, PT_SIZE
jr t0
.Ldirect:
+ PTR_L t0, sp, PT_R1
+ PTR_L ra, sp, PT_ERA
+ PTR_ADDI sp, sp, PT_SIZE
jr t1
SYM_CODE_END(ftrace_common)
@@ -161,6 +165,8 @@ SYM_CODE_END(return_to_handler)
#ifdef CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS
SYM_CODE_START(ftrace_stub_direct_tramp)
UNWIND_HINT_UNDEFINED
- jr t0
+ move t1, ra
+ move ra, t0
+ jr t1
SYM_CODE_END(ftrace_stub_direct_tramp)
#endif /* CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 450/567] LoongArch: BPF: Zero-extend bpf_tail_call() index
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 449/567] LoongArch: Refactor register restoration in ftrace_common_return Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 451/567] LoongArch: BPF: Sign extend kfunc call arguments Greg Kroah-Hartman
` (130 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hengqi Chen, Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hengqi Chen <hengqi.chen@gmail.com>
commit eb71f5c433e1c6dff089b315881dec40a88a7baf upstream.
The bpf_tail_call() index should be treated as a u32 value. Let's
zero-extend it to avoid calling wrong BPF progs. See similar fixes
for x86 [1]) and arm64 ([2]) for more details.
[1]: https://github.com/torvalds/linux/commit/90caccdd8cc0215705f18b92771b449b01e2474a
[2]: https://github.com/torvalds/linux/commit/16338a9b3ac30740d49f5dfed81bac0ffa53b9c7
Cc: stable@vger.kernel.org
Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support")
Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/net/bpf_jit.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/loongarch/net/bpf_jit.c
+++ b/arch/loongarch/net/bpf_jit.c
@@ -231,6 +231,8 @@ static int emit_bpf_tail_call(struct jit
* goto out;
*/
tc_ninsn = insn ? ctx->offset[insn+1] - ctx->offset[insn] : ctx->offset[0];
+ emit_zext_32(ctx, a2, true);
+
off = offsetof(struct bpf_array, map.max_entries);
emit_insn(ctx, ldwu, t1, a1, off);
/* bgeu $a2, $t1, jmp_offset */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 451/567] LoongArch: BPF: Sign extend kfunc call arguments
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 450/567] LoongArch: BPF: Zero-extend bpf_tail_call() index Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 452/567] nfsd: Drop the client reference in client_states_open() Greg Kroah-Hartman
` (129 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hengqi Chen, Huacai Chen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hengqi Chen <hengqi.chen@gmail.com>
commit 3f5a238f24d7b75f9efe324d3539ad388f58536e upstream.
The kfunc calls are native calls so they should follow LoongArch calling
conventions. Sign extend its arguments properly to avoid kernel panic.
This is done by adding a new emit_abi_ext() helper. The emit_abi_ext()
helper performs extension in place meaning a value already store in the
target register (Note: this is different from the existing sign_extend()
helper and thus we can't reuse it).
Cc: stable@vger.kernel.org
Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support")
Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/net/bpf_jit.c | 16 ++++++++++++++++
arch/loongarch/net/bpf_jit.h | 26 ++++++++++++++++++++++++++
2 files changed, 42 insertions(+)
--- a/arch/loongarch/net/bpf_jit.c
+++ b/arch/loongarch/net/bpf_jit.c
@@ -897,6 +897,22 @@ static int build_insn(const struct bpf_i
if (ret < 0)
return ret;
+ if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {
+ const struct btf_func_model *m;
+ int i;
+
+ m = bpf_jit_find_kfunc_model(ctx->prog, insn);
+ if (!m)
+ return -EINVAL;
+
+ for (i = 0; i < m->nr_args; i++) {
+ u8 reg = regmap[BPF_REG_1 + i];
+ bool sign = m->arg_flags[i] & BTF_FMODEL_SIGNED_ARG;
+
+ emit_abi_ext(ctx, reg, m->arg_size[i], sign);
+ }
+ }
+
move_addr(ctx, t1, func_addr);
emit_insn(ctx, jirl, LOONGARCH_GPR_RA, t1, 0);
--- a/arch/loongarch/net/bpf_jit.h
+++ b/arch/loongarch/net/bpf_jit.h
@@ -87,6 +87,32 @@ static inline void emit_sext_32(struct j
emit_insn(ctx, addiw, reg, reg, 0);
}
+/* Emit proper extension according to ABI requirements.
+ * Note that it requires a value of size `size` already resides in register `reg`.
+ */
+static inline void emit_abi_ext(struct jit_ctx *ctx, int reg, u8 size, bool sign)
+{
+ /* ABI requires unsigned char/short to be zero-extended */
+ if (!sign && (size == 1 || size == 2))
+ return;
+
+ switch (size) {
+ case 1:
+ emit_insn(ctx, extwb, reg, reg);
+ break;
+ case 2:
+ emit_insn(ctx, extwh, reg, reg);
+ break;
+ case 4:
+ emit_insn(ctx, addiw, reg, reg, 0);
+ break;
+ case 8:
+ break;
+ default:
+ pr_warn("bpf_jit: invalid size %d for extension\n", size);
+ }
+}
+
static inline void move_addr(struct jit_ctx *ctx, enum loongarch_gpr rd, u64 addr)
{
u64 imm_11_0, imm_31_12, imm_51_32, imm_63_52;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 452/567] nfsd: Drop the client reference in client_states_open()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 451/567] LoongArch: BPF: Sign extend kfunc call arguments Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 453/567] net: usb: sr9700: fix incorrect command used to write single register Greg Kroah-Hartman
` (128 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Haoxiang Li,
Chuck Lever
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 1f941b2c23fd34c6f3b76d36f9d0a2528fa92b8f upstream.
In error path, call drop_client() to drop the reference
obtained by get_nfsdfs_clp().
Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -2989,8 +2989,10 @@ static int client_states_open(struct ino
return -ENXIO;
ret = seq_open(file, &states_seq_ops);
- if (ret)
+ if (ret) {
+ drop_client(clp);
return ret;
+ }
s = file->private_data;
s->private = clp;
return 0;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 453/567] net: usb: sr9700: fix incorrect command used to write single register
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 452/567] nfsd: Drop the client reference in client_states_open() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 454/567] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write Greg Kroah-Hartman
` (127 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ethan Nelson-Moore, Paolo Abeni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
commit fa0b198be1c6775bc7804731a43be5d899d19e7a upstream.
This fixes the device failing to initialize with "error reading MAC
address" for me, probably because the incorrect write of NCR_RST to
SR_NCR is not actually resetting the device.
Fixes: c9b37458e95629b1d1171457afdcc1bf1eb7881d ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
Cc: stable@vger.kernel.org
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Link: https://patch.msgid.link/20251221082400.50688-1-enelsonmoore@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/sr9700.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c
@@ -52,7 +52,7 @@ static int sr_read_reg(struct usbnet *de
static int sr_write_reg(struct usbnet *dev, u8 reg, u8 value)
{
- return usbnet_write_cmd(dev, SR_WR_REGS, SR_REQ_WR_REG,
+ return usbnet_write_cmd(dev, SR_WR_REG, SR_REQ_WR_REG,
value, reg, NULL, 0);
}
@@ -65,7 +65,7 @@ static void sr_write_async(struct usbnet
static void sr_write_reg_async(struct usbnet *dev, u8 reg, u8 value)
{
- usbnet_write_cmd_async(dev, SR_WR_REGS, SR_REQ_WR_REG,
+ usbnet_write_cmd_async(dev, SR_WR_REG, SR_REQ_WR_REG,
value, reg, NULL, 0);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 454/567] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 453/567] net: usb: sr9700: fix incorrect command used to write single register Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 455/567] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() Greg Kroah-Hartman
` (126 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4ef89409a235d804c6c2,
Deepanshu Kartikey, Krzysztof Kozlowski, Paolo Abeni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 upstream.
A deadlock can occur between nfc_unregister_device() and rfkill_fop_write()
due to lock ordering inversion between device_lock and rfkill_global_mutex.
The problematic lock order is:
Thread A (rfkill_fop_write):
rfkill_fop_write()
mutex_lock(&rfkill_global_mutex)
rfkill_set_block()
nfc_rfkill_set_block()
nfc_dev_down()
device_lock(&dev->dev) <- waits for device_lock
Thread B (nfc_unregister_device):
nfc_unregister_device()
device_lock(&dev->dev)
rfkill_unregister()
mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex
This creates a classic ABBA deadlock scenario.
Fix this by moving rfkill_unregister() and rfkill_destroy() outside the
device_lock critical section. Store the rfkill pointer in a local variable
before releasing the lock, then call rfkill_unregister() after releasing
device_lock.
This change is safe because rfkill_fop_write() holds rfkill_global_mutex
while calling the rfkill callbacks, and rfkill_unregister() also acquires
rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will
wait for any ongoing callback to complete before proceeding, and
device_del() is only called after rfkill_unregister() returns, preventing
any use-after-free.
The similar lock ordering in nfc_register_device() (device_lock ->
rfkill_global_mutex via rfkill_register) is safe because during
registration the device is not yet in rfkill_list, so no concurrent
rfkill operations can occur on this device.
Fixes: 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device")
Cc: stable@vger.kernel.org
Reported-by: syzbot+4ef89409a235d804c6c2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4ef89409a235d804c6c2
Link: https://lore.kernel.org/all/20251217054908.178907-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20251218012355.279940-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/core.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -1154,6 +1154,7 @@ EXPORT_SYMBOL(nfc_register_device);
void nfc_unregister_device(struct nfc_dev *dev)
{
int rc;
+ struct rfkill *rfk = NULL;
pr_debug("dev_name=%s\n", dev_name(&dev->dev));
@@ -1164,13 +1165,17 @@ void nfc_unregister_device(struct nfc_de
device_lock(&dev->dev);
if (dev->rfkill) {
- rfkill_unregister(dev->rfkill);
- rfkill_destroy(dev->rfkill);
+ rfk = dev->rfkill;
dev->rfkill = NULL;
}
dev->shutting_down = true;
device_unlock(&dev->dev);
+ if (rfk) {
+ rfkill_unregister(rfk);
+ rfkill_destroy(rfk);
+ }
+
if (dev->ops->check_presence) {
del_timer_sync(&dev->check_pres_timer);
cancel_work_sync(&dev->check_pres_work);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 455/567] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 454/567] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 456/567] Revert "drm/amd: Skip power ungate during suspend for VPE" Greg Kroah-Hartman
` (125 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kevin Hao, Xiaolei Wang, Paolo Abeni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
commit 99537d5c476cada9cf75aef9fa75579a31faadb9 upstream.
In the non-RT kernel, local_bh_disable() merely disables preemption,
whereas it maps to an actual spin lock in the RT kernel. Consequently,
when attempting to refill RX buffers via netdev_alloc_skb() in
macb_mac_link_up(), a deadlock scenario arises as follows:
WARNING: possible circular locking dependency detected
6.18.0-08691-g2061f18ad76e #39 Not tainted
------------------------------------------------------
kworker/0:0/8 is trying to acquire lock:
ffff00080369bbe0 (&bp->lock){+.+.}-{3:3}, at: macb_start_xmit+0x808/0xb7c
but task is already holding lock:
ffff000803698e58 (&queue->tx_ptr_lock){+...}-{3:3}, at: macb_start_xmit
+0x148/0xb7c
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&queue->tx_ptr_lock){+...}-{3:3}:
rt_spin_lock+0x50/0x1f0
macb_start_xmit+0x148/0xb7c
dev_hard_start_xmit+0x94/0x284
sch_direct_xmit+0x8c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
-> #2 (_xmit_ETHER#2){+...}-{3:3}:
rt_spin_lock+0x50/0x1f0
sch_direct_xmit+0x11c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
-> #1 ((softirq_ctrl.lock)){+.+.}-{3:3}:
lock_release+0x250/0x348
__local_bh_enable_ip+0x7c/0x240
__netdev_alloc_skb+0x1b4/0x1d8
gem_rx_refill+0xdc/0x240
gem_init_rings+0xb4/0x108
macb_mac_link_up+0x9c/0x2b4
phylink_resolve+0x170/0x614
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
-> #0 (&bp->lock){+.+.}-{3:3}:
__lock_acquire+0x15a8/0x2084
lock_acquire+0x1cc/0x350
rt_spin_lock+0x50/0x1f0
macb_start_xmit+0x808/0xb7c
dev_hard_start_xmit+0x94/0x284
sch_direct_xmit+0x8c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
other info that might help us debug this:
Chain exists of:
&bp->lock --> _xmit_ETHER#2 --> &queue->tx_ptr_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&queue->tx_ptr_lock);
lock(_xmit_ETHER#2);
lock(&queue->tx_ptr_lock);
lock(&bp->lock);
*** DEADLOCK ***
Call trace:
show_stack+0x18/0x24 (C)
dump_stack_lvl+0xa0/0xf0
dump_stack+0x18/0x24
print_circular_bug+0x28c/0x370
check_noncircular+0x198/0x1ac
__lock_acquire+0x15a8/0x2084
lock_acquire+0x1cc/0x350
rt_spin_lock+0x50/0x1f0
macb_start_xmit+0x808/0xb7c
dev_hard_start_xmit+0x94/0x284
sch_direct_xmit+0x8c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
Notably, invoking the mog_init_rings() callback upon link establishment
is unnecessary. Instead, we can exclusively call mog_init_rings() within
the ndo_open() callback. This adjustment resolves the deadlock issue.
Furthermore, since MACB_CAPS_MACB_IS_EMAC cases do not use mog_init_rings()
when opening the network interface via at91ether_open(), moving
mog_init_rings() to macb_open() also eliminates the MACB_CAPS_MACB_IS_EMAC
check.
Fixes: 633e98a711ac ("net: macb: use resolved link config in mac_link_up()")
Cc: stable@vger.kernel.org
Suggested-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Link: https://patch.msgid.link/20251222015624.1994551-1-xiaolei.wang@windriver.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/cadence/macb_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -759,7 +759,6 @@ static void macb_mac_link_up(struct phyl
/* Initialize rings & buffers as clearing MACB_BIT(TE) in link down
* cleared the pipeline and control registers.
*/
- bp->macbgem_ops.mog_init_rings(bp);
macb_init_buffers(bp);
for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue)
@@ -2985,6 +2984,8 @@ static int macb_open(struct net_device *
goto pm_exit;
}
+ bp->macbgem_ops.mog_init_rings(bp);
+
for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) {
napi_enable(&queue->napi_rx);
napi_enable(&queue->napi_tx);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 456/567] Revert "drm/amd: Skip power ungate during suspend for VPE"
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 455/567] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 457/567] drm/amdgpu/gmc12: add amdgpu_vm_handle_fault() handling Greg Kroah-Hartman
` (124 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD),
Alex Deucher, Konstantin, Matthew Schwartz
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
commit 3925683515e93844be204381d2d5a1df5de34f31 upstream.
Skipping power ungate exposed some scenarios that will fail
like below:
```
amdgpu: Register(0) [regVPEC_QUEUE_RESET_REQ] failed to reach value 0x00000000 != 0x00000001n
amdgpu 0000:c1:00.0: amdgpu: VPE queue reset failed
...
amdgpu: [drm] *ERROR* wait_for_completion_timeout timeout!
```
The underlying s2idle issue that prompted this commit is going to
be fixed in BIOS.
This reverts commit 2a6c826cfeedd7714611ac115371a959ead55bda.
Fixes: 2a6c826cfeed ("drm/amd: Skip power ungate during suspend for VPE")
Cc: stable@vger.kernel.org
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reported-by: Konstantin <answer2019@yandex.ru>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220812
Reported-by: Matthew Schwartz <matthew.schwartz@linux.dev>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -3092,11 +3092,10 @@ int amdgpu_device_set_pg_state(struct am
(adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_GFX ||
adev->ip_blocks[i].version->type == AMD_IP_BLOCK_TYPE_SDMA))
continue;
- /* skip CG for VCE/UVD/VPE, it's handled specially */
+ /* skip CG for VCE/UVD, it's handled specially */
if (adev->ip_blocks[i].version->type != AMD_IP_BLOCK_TYPE_UVD &&
adev->ip_blocks[i].version->type != AMD_IP_BLOCK_TYPE_VCE &&
adev->ip_blocks[i].version->type != AMD_IP_BLOCK_TYPE_VCN &&
- adev->ip_blocks[i].version->type != AMD_IP_BLOCK_TYPE_VPE &&
adev->ip_blocks[i].version->type != AMD_IP_BLOCK_TYPE_JPEG &&
adev->ip_blocks[i].version->funcs->set_powergating_state) {
/* enable powergating to save power */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 457/567] drm/amdgpu/gmc12: add amdgpu_vm_handle_fault() handling
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 456/567] Revert "drm/amd: Skip power ungate during suspend for VPE" Greg Kroah-Hartman
@ 2026-01-06 17:03 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 458/567] drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma Greg Kroah-Hartman
` (123 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:03 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit ff28ff98db6a8eeb469e02fb8bd1647b353232a9 upstream.
We need to call amdgpu_vm_handle_fault() on page fault
on all gfx9 and newer parts to properly update the
page tables, not just for recoverable page faults.
Cc: stable@vger.kernel.org
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gmc_v12_0.c
@@ -91,6 +91,8 @@ static int gmc_v12_0_process_interrupt(s
struct amdgpu_iv_entry *entry)
{
struct amdgpu_vmhub *hub;
+ bool retry_fault = !!(entry->src_data[1] & 0x80);
+ bool write_fault = !!(entry->src_data[1] & 0x20);
uint32_t status = 0;
u64 addr;
@@ -102,6 +104,31 @@ static int gmc_v12_0_process_interrupt(s
else
hub = &adev->vmhub[AMDGPU_GFXHUB(0)];
+ if (retry_fault) {
+ /* Returning 1 here also prevents sending the IV to the KFD */
+
+ /* Process it only if it's the first fault for this address */
+ if (entry->ih != &adev->irq.ih_soft &&
+ amdgpu_gmc_filter_faults(adev, entry->ih, addr, entry->pasid,
+ entry->timestamp))
+ return 1;
+
+ /* Delegate it to a different ring if the hardware hasn't
+ * already done it.
+ */
+ if (entry->ih == &adev->irq.ih) {
+ amdgpu_irq_delegate(adev, entry, 8);
+ return 1;
+ }
+
+ /* Try to handle the recoverable page faults by filling page
+ * tables
+ */
+ if (amdgpu_vm_handle_fault(adev, entry->pasid, 0, 0, addr,
+ entry->timestamp, write_fault))
+ return 1;
+ }
+
if (!amdgpu_sriov_vf(adev)) {
/*
* Issue a dummy read to wait for the status register to
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 458/567] drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2026-01-06 17:03 ` [PATCH 6.12 457/567] drm/amdgpu/gmc12: add amdgpu_vm_handle_fault() handling Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 459/567] drm/amdgpu/gmc11: add amdgpu_vm_handle_fault() handling Greg Kroah-Hartman
` (122 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Eric Pelloux-Prayer,
Christian König, Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
commit 4fa944255be521b1bbd9780383f77206303a3a5c upstream.
Users of ttm entities need to hold the gtt_window_lock before using them
to guarantee proper ordering of jobs.
Cc: stable@vger.kernel.org
Fixes: cb5cc4f573e1 ("drm/amdgpu: improve debug VRAM access performance using sdma")
Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
@@ -1513,6 +1513,7 @@ static int amdgpu_ttm_access_memory_sdma
if (r)
goto out;
+ mutex_lock(&adev->mman.gtt_window_lock);
amdgpu_res_first(abo->tbo.resource, offset, len, &src_mm);
src_addr = amdgpu_ttm_domain_start(adev, bo->resource->mem_type) +
src_mm.start;
@@ -1527,6 +1528,7 @@ static int amdgpu_ttm_access_memory_sdma
WARN_ON(job->ibs[0].length_dw > num_dw);
fence = amdgpu_job_submit(job);
+ mutex_unlock(&adev->mman.gtt_window_lock);
if (!dma_fence_wait_timeout(fence, false, adev->sdma_timeout))
r = -ETIMEDOUT;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 459/567] drm/amdgpu/gmc11: add amdgpu_vm_handle_fault() handling
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 458/567] drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 460/567] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers Greg Kroah-Hartman
` (121 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Timur Kristóf, Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 3f2289b56cd98f5741056bdb6e521324eff07ce5 upstream.
We need to call amdgpu_vm_handle_fault() on page fault
on all gfx9 and newer parts to properly update the
page tables, not just for recoverable page faults.
Cc: stable@vger.kernel.org
Reviewed-by: Timur Kristóf <timur.kristof@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gmc_v11_0.c
@@ -103,12 +103,39 @@ static int gmc_v11_0_process_interrupt(s
uint32_t vmhub_index = entry->client_id == SOC21_IH_CLIENTID_VMC ?
AMDGPU_MMHUB0(0) : AMDGPU_GFXHUB(0);
struct amdgpu_vmhub *hub = &adev->vmhub[vmhub_index];
+ bool retry_fault = !!(entry->src_data[1] & 0x80);
+ bool write_fault = !!(entry->src_data[1] & 0x20);
uint32_t status = 0;
u64 addr;
addr = (u64)entry->src_data[0] << 12;
addr |= ((u64)entry->src_data[1] & 0xf) << 44;
+ if (retry_fault) {
+ /* Returning 1 here also prevents sending the IV to the KFD */
+
+ /* Process it only if it's the first fault for this address */
+ if (entry->ih != &adev->irq.ih_soft &&
+ amdgpu_gmc_filter_faults(adev, entry->ih, addr, entry->pasid,
+ entry->timestamp))
+ return 1;
+
+ /* Delegate it to a different ring if the hardware hasn't
+ * already done it.
+ */
+ if (entry->ih == &adev->irq.ih) {
+ amdgpu_irq_delegate(adev, entry, 8);
+ return 1;
+ }
+
+ /* Try to handle the recoverable page faults by filling page
+ * tables
+ */
+ if (amdgpu_vm_handle_fault(adev, entry->pasid, 0, 0, addr,
+ entry->timestamp, write_fault))
+ return 1;
+ }
+
if (!amdgpu_sriov_vf(adev)) {
/*
* Issue a dummy read to wait for the status register to
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 460/567] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 459/567] drm/amdgpu/gmc11: add amdgpu_vm_handle_fault() handling Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 461/567] drm/buddy: Optimize free block management with RB tree Greg Kroah-Hartman
` (120 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Konrad Dybcio,
Rob Clark
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
commit 779b68a5bf2764c8ed3aa800e41ba0d5d007e1e7 upstream.
REG_A6XX_GMU_AO_AHB_FENCE_CTRL register falls under GMU's register
range. So, use gmu_write() routines to write to this register.
Fixes: 1707add81551 ("drm/msm/a6xx: Add a6xx gpu state")
Cc: stable@vger.kernel.org
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/688993/
Message-ID: <20251118-kaana-gpu-support-v4-1-86eeb8e93fb6@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
@@ -1231,7 +1231,7 @@ static void a6xx_get_gmu_registers(struc
return;
/* Set the fence to ALLOW mode so we can access the registers */
- gpu_write(gpu, REG_A6XX_GMU_AO_AHB_FENCE_CTRL, 0);
+ gmu_write(&a6xx_gpu->gmu, REG_A6XX_GMU_AO_AHB_FENCE_CTRL, 0);
_a6xx_get_gmu_registers(gpu, a6xx_state, &a6xx_gmu_reglist[2],
&a6xx_state->gmu_registers[2], false);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 461/567] drm/buddy: Optimize free block management with RB tree
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 460/567] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 462/567] drm/buddy: Separate clear and dirty free block trees Greg Kroah-Hartman
` (119 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arunpravin Paneer Selvam,
Matthew Auld
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
commit c178e534fff1d5a74da80ea03b20e2b948a00113 upstream.
Replace the freelist (O(n)) used for free block management with a
red-black tree, providing more efficient O(log n) search, insert,
and delete operations. This improves scalability and performance
when managing large numbers of free blocks per order (e.g., hundreds
or thousands).
In the VK-CTS memory stress subtest, the buddy manager merges
fragmented memory and inserts freed blocks into the freelist. Since
freelist insertion is O(n), this becomes a bottleneck as fragmentation
increases. Benchmarking shows list_insert_sorted() consumes ~52.69% CPU
with the freelist, compared to just 0.03% with the RB tree
(rbtree_insert.isra.0), despite performing the same sorted insert.
This also improves performance in heavily fragmented workloads,
such as games or graphics tests that stress memory.
As the buddy allocator evolves with new features such as clear-page
tracking, the resulting fragmentation and complexity have grown.
These RB-tree based design changes are introduced to address that
growth and ensure the allocator continues to perform efficiently
under fragmented conditions.
The RB tree implementation with separate clear/dirty trees provides:
- O(n log n) aggregate complexity for all operations instead of O(n^2)
- Elimination of soft lockups and system instability
- Improved code maintainability and clarity
- Better scalability for large memory systems
- Predictable performance under fragmentation
v3(Matthew):
- Remove RB_EMPTY_NODE check in force_merge function.
- Rename rb for loop macros to have less generic names and move to
.c file.
- Make the rb node rb and link field as union.
v4(Jani Nikula):
- The kernel-doc comment should be "/**"
- Move all the rbtree macros to rbtree.h and add parens to ensure
correct precedence.
v5:
- Remove the inline in a .c file (Jani Nikula).
v6(Peter Zijlstra):
- Add rb_add() function replacing the existing rbtree_insert() code.
v7:
- A full walk iteration in rbtree is slower than the list (Peter Zijlstra).
- The existing rbtree_postorder_for_each_entry_safe macro should be used
in scenarios where traversal order is not a critical factor (Christian).
v8(Matthew):
- Remove the rbtree_is_empty() check in this patch as well.
Cc: stable@vger.kernel.org
Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality")
Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Link: https://lore.kernel.org/r/20251006095124.1663-1-Arunpravin.PaneerSelvam@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_buddy.c | 195 ++++++++++++++++++++++++++------------------
include/drm/drm_buddy.h | 11 +-
2 files changed, 126 insertions(+), 80 deletions(-)
--- a/drivers/gpu/drm/drm_buddy.c
+++ b/drivers/gpu/drm/drm_buddy.c
@@ -11,6 +11,8 @@
static struct kmem_cache *slab_blocks;
+#define rbtree_get_free_block(node) rb_entry((node), struct drm_buddy_block, rb)
+
static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm,
struct drm_buddy_block *parent,
unsigned int order,
@@ -28,6 +30,8 @@ static struct drm_buddy_block *drm_block
block->header |= order;
block->parent = parent;
+ RB_CLEAR_NODE(&block->rb);
+
BUG_ON(block->header & DRM_BUDDY_HEADER_UNUSED);
return block;
}
@@ -38,23 +42,49 @@ static void drm_block_free(struct drm_bu
kmem_cache_free(slab_blocks, block);
}
-static void list_insert_sorted(struct drm_buddy *mm,
- struct drm_buddy_block *block)
+static bool drm_buddy_block_offset_less(const struct drm_buddy_block *block,
+ const struct drm_buddy_block *node)
{
- struct drm_buddy_block *node;
- struct list_head *head;
+ return drm_buddy_block_offset(block) < drm_buddy_block_offset(node);
+}
- head = &mm->free_list[drm_buddy_block_order(block)];
- if (list_empty(head)) {
- list_add(&block->link, head);
- return;
- }
+static bool rbtree_block_offset_less(struct rb_node *block,
+ const struct rb_node *node)
+{
+ return drm_buddy_block_offset_less(rbtree_get_free_block(block),
+ rbtree_get_free_block(node));
+}
- list_for_each_entry(node, head, link)
- if (drm_buddy_block_offset(block) < drm_buddy_block_offset(node))
- break;
+static void rbtree_insert(struct drm_buddy *mm,
+ struct drm_buddy_block *block)
+{
+ rb_add(&block->rb,
+ &mm->free_tree[drm_buddy_block_order(block)],
+ rbtree_block_offset_less);
+}
+
+static void rbtree_remove(struct drm_buddy *mm,
+ struct drm_buddy_block *block)
+{
+ struct rb_root *root;
+
+ root = &mm->free_tree[drm_buddy_block_order(block)];
+ rb_erase(&block->rb, root);
+
+ RB_CLEAR_NODE(&block->rb);
+}
+
+static struct drm_buddy_block *
+rbtree_last_entry(struct drm_buddy *mm, unsigned int order)
+{
+ struct rb_node *node = rb_last(&mm->free_tree[order]);
+
+ return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL;
+}
- __list_add(&block->link, node->link.prev, &node->link);
+static bool rbtree_is_empty(struct drm_buddy *mm, unsigned int order)
+{
+ return RB_EMPTY_ROOT(&mm->free_tree[order]);
}
static void clear_reset(struct drm_buddy_block *block)
@@ -67,12 +97,13 @@ static void mark_cleared(struct drm_budd
block->header |= DRM_BUDDY_HEADER_CLEAR;
}
-static void mark_allocated(struct drm_buddy_block *block)
+static void mark_allocated(struct drm_buddy *mm,
+ struct drm_buddy_block *block)
{
block->header &= ~DRM_BUDDY_HEADER_STATE;
block->header |= DRM_BUDDY_ALLOCATED;
- list_del(&block->link);
+ rbtree_remove(mm, block);
}
static void mark_free(struct drm_buddy *mm,
@@ -81,15 +112,16 @@ static void mark_free(struct drm_buddy *
block->header &= ~DRM_BUDDY_HEADER_STATE;
block->header |= DRM_BUDDY_FREE;
- list_insert_sorted(mm, block);
+ rbtree_insert(mm, block);
}
-static void mark_split(struct drm_buddy_block *block)
+static void mark_split(struct drm_buddy *mm,
+ struct drm_buddy_block *block)
{
block->header &= ~DRM_BUDDY_HEADER_STATE;
block->header |= DRM_BUDDY_SPLIT;
- list_del(&block->link);
+ rbtree_remove(mm, block);
}
static inline bool overlaps(u64 s1, u64 e1, u64 s2, u64 e2)
@@ -145,7 +177,7 @@ static unsigned int __drm_buddy_free(str
mark_cleared(parent);
}
- list_del(&buddy->link);
+ rbtree_remove(mm, buddy);
if (force_merge && drm_buddy_block_is_clear(buddy))
mm->clear_avail -= drm_buddy_block_size(mm, buddy);
@@ -176,13 +208,19 @@ static int __force_merge(struct drm_budd
return -EINVAL;
for (i = min_order - 1; i >= 0; i--) {
- struct drm_buddy_block *block, *prev;
+ struct rb_root *root = &mm->free_tree[i];
+ struct rb_node *iter;
+
+ iter = rb_last(root);
- list_for_each_entry_safe_reverse(block, prev, &mm->free_list[i], link) {
- struct drm_buddy_block *buddy;
+ while (iter) {
+ struct drm_buddy_block *block, *buddy;
u64 block_start, block_end;
- if (!block->parent)
+ block = rbtree_get_free_block(iter);
+ iter = rb_prev(iter);
+
+ if (!block || !block->parent)
continue;
block_start = drm_buddy_block_offset(block);
@@ -198,15 +236,10 @@ static int __force_merge(struct drm_budd
WARN_ON(drm_buddy_block_is_clear(block) ==
drm_buddy_block_is_clear(buddy));
- /*
- * If the prev block is same as buddy, don't access the
- * block in the next iteration as we would free the
- * buddy block as part of the free function.
- */
- if (prev == buddy)
- prev = list_prev_entry(prev, link);
+ if (iter == &buddy->rb)
+ iter = rb_prev(iter);
- list_del(&block->link);
+ rbtree_remove(mm, block);
if (drm_buddy_block_is_clear(block))
mm->clear_avail -= drm_buddy_block_size(mm, block);
@@ -234,7 +267,7 @@ static int __force_merge(struct drm_budd
int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size)
{
unsigned int i;
- u64 offset;
+ u64 offset = 0;
if (size < chunk_size)
return -EINVAL;
@@ -255,14 +288,14 @@ int drm_buddy_init(struct drm_buddy *mm,
BUG_ON(mm->max_order > DRM_BUDDY_MAX_ORDER);
- mm->free_list = kmalloc_array(mm->max_order + 1,
- sizeof(struct list_head),
+ mm->free_tree = kmalloc_array(mm->max_order + 1,
+ sizeof(struct rb_root),
GFP_KERNEL);
- if (!mm->free_list)
+ if (!mm->free_tree)
return -ENOMEM;
for (i = 0; i <= mm->max_order; ++i)
- INIT_LIST_HEAD(&mm->free_list[i]);
+ mm->free_tree[i] = RB_ROOT;
mm->n_roots = hweight64(size);
@@ -270,9 +303,8 @@ int drm_buddy_init(struct drm_buddy *mm,
sizeof(struct drm_buddy_block *),
GFP_KERNEL);
if (!mm->roots)
- goto out_free_list;
+ goto out_free_tree;
- offset = 0;
i = 0;
/*
@@ -309,8 +341,8 @@ out_free_roots:
while (i--)
drm_block_free(mm, mm->roots[i]);
kfree(mm->roots);
-out_free_list:
- kfree(mm->free_list);
+out_free_tree:
+ kfree(mm->free_tree);
return -ENOMEM;
}
EXPORT_SYMBOL(drm_buddy_init);
@@ -320,7 +352,7 @@ EXPORT_SYMBOL(drm_buddy_init);
*
* @mm: DRM buddy manager to free
*
- * Cleanup memory manager resources and the freelist
+ * Cleanup memory manager resources and the freetree
*/
void drm_buddy_fini(struct drm_buddy *mm)
{
@@ -345,7 +377,7 @@ void drm_buddy_fini(struct drm_buddy *mm
WARN_ON(mm->avail != mm->size);
kfree(mm->roots);
- kfree(mm->free_list);
+ kfree(mm->free_tree);
}
EXPORT_SYMBOL(drm_buddy_fini);
@@ -378,7 +410,7 @@ static int split_block(struct drm_buddy
clear_reset(block);
}
- mark_split(block);
+ mark_split(mm, block);
return 0;
}
@@ -407,7 +439,7 @@ EXPORT_SYMBOL(drm_get_buddy);
* @is_clear: blocks clear state
*
* Reset the clear state based on @is_clear value for each block
- * in the freelist.
+ * in the freetree.
*/
void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear)
{
@@ -426,9 +458,9 @@ void drm_buddy_reset_clear(struct drm_bu
}
for (i = 0; i <= mm->max_order; ++i) {
- struct drm_buddy_block *block;
+ struct drm_buddy_block *block, *tmp;
- list_for_each_entry_reverse(block, &mm->free_list[i], link) {
+ rbtree_postorder_for_each_entry_safe(block, tmp, &mm->free_tree[i], rb) {
if (is_clear != drm_buddy_block_is_clear(block)) {
if (is_clear) {
mark_cleared(block);
@@ -634,14 +666,18 @@ get_maxblock(struct drm_buddy *mm, unsig
unsigned int i;
for (i = order; i <= mm->max_order; ++i) {
+ struct rb_node *iter = rb_last(&mm->free_tree[i]);
struct drm_buddy_block *tmp_block;
- list_for_each_entry_reverse(tmp_block, &mm->free_list[i], link) {
- if (block_incompatible(tmp_block, flags))
- continue;
+ while (iter) {
+ tmp_block = rbtree_get_free_block(iter);
- block = tmp_block;
- break;
+ if (!block_incompatible(tmp_block, flags)) {
+ block = tmp_block;
+ break;
+ }
+
+ iter = rb_prev(iter);
}
if (!block)
@@ -662,7 +698,7 @@ get_maxblock(struct drm_buddy *mm, unsig
}
static struct drm_buddy_block *
-alloc_from_freelist(struct drm_buddy *mm,
+alloc_from_freetree(struct drm_buddy *mm,
unsigned int order,
unsigned long flags)
{
@@ -677,14 +713,18 @@ alloc_from_freelist(struct drm_buddy *mm
tmp = drm_buddy_block_order(block);
} else {
for (tmp = order; tmp <= mm->max_order; ++tmp) {
+ struct rb_node *iter = rb_last(&mm->free_tree[tmp]);
struct drm_buddy_block *tmp_block;
- list_for_each_entry_reverse(tmp_block, &mm->free_list[tmp], link) {
- if (block_incompatible(tmp_block, flags))
- continue;
+ while (iter) {
+ tmp_block = rbtree_get_free_block(iter);
- block = tmp_block;
- break;
+ if (!block_incompatible(tmp_block, flags)) {
+ block = tmp_block;
+ break;
+ }
+
+ iter = rb_prev(iter);
}
if (block)
@@ -695,13 +735,9 @@ alloc_from_freelist(struct drm_buddy *mm
if (!block) {
/* Fallback method */
for (tmp = order; tmp <= mm->max_order; ++tmp) {
- if (!list_empty(&mm->free_list[tmp])) {
- block = list_last_entry(&mm->free_list[tmp],
- struct drm_buddy_block,
- link);
- if (block)
- break;
- }
+ block = rbtree_last_entry(mm, tmp);
+ if (block)
+ break;
}
if (!block)
@@ -766,7 +802,7 @@ static int __alloc_range(struct drm_budd
if (contains(start, end, block_start, block_end)) {
if (drm_buddy_block_is_free(block)) {
- mark_allocated(block);
+ mark_allocated(mm, block);
total_allocated += drm_buddy_block_size(mm, block);
mm->avail -= drm_buddy_block_size(mm, block);
if (drm_buddy_block_is_clear(block))
@@ -844,8 +880,8 @@ static int __alloc_contig_try_harder(str
{
u64 rhs_offset, lhs_offset, lhs_size, filled;
struct drm_buddy_block *block;
- struct list_head *list;
LIST_HEAD(blocks_lhs);
+ struct rb_node *iter;
unsigned long pages;
unsigned int order;
u64 modify_size;
@@ -857,11 +893,14 @@ static int __alloc_contig_try_harder(str
if (order == 0)
return -ENOSPC;
- list = &mm->free_list[order];
- if (list_empty(list))
+ if (rbtree_is_empty(mm, order))
return -ENOSPC;
- list_for_each_entry_reverse(block, list, link) {
+ iter = rb_last(&mm->free_tree[order]);
+
+ while (iter) {
+ block = rbtree_get_free_block(iter);
+
/* Allocate blocks traversing RHS */
rhs_offset = drm_buddy_block_offset(block);
err = __drm_buddy_alloc_range(mm, rhs_offset, size,
@@ -886,6 +925,8 @@ static int __alloc_contig_try_harder(str
}
/* Free blocks for the next iteration */
drm_buddy_free_list_internal(mm, blocks);
+
+ iter = rb_prev(iter);
}
return -ENOSPC;
@@ -971,7 +1012,7 @@ int drm_buddy_block_trim(struct drm_budd
list_add(&block->tmp_link, &dfs);
err = __alloc_range(mm, &dfs, new_start, new_size, blocks, NULL);
if (err) {
- mark_allocated(block);
+ mark_allocated(mm, block);
mm->avail -= drm_buddy_block_size(mm, block);
if (drm_buddy_block_is_clear(block))
mm->clear_avail -= drm_buddy_block_size(mm, block);
@@ -994,8 +1035,8 @@ __drm_buddy_alloc_blocks(struct drm_budd
return __drm_buddy_alloc_range_bias(mm, start, end,
order, flags);
else
- /* Allocate from freelist */
- return alloc_from_freelist(mm, order, flags);
+ /* Allocate from freetree */
+ return alloc_from_freetree(mm, order, flags);
}
/**
@@ -1012,8 +1053,8 @@ __drm_buddy_alloc_blocks(struct drm_budd
* alloc_range_bias() called on range limitations, which traverses
* the tree and returns the desired block.
*
- * alloc_from_freelist() called when *no* range restrictions
- * are enforced, which picks the block from the freelist.
+ * alloc_from_freetree() called when *no* range restrictions
+ * are enforced, which picks the block from the freetree.
*
* Returns:
* 0 on success, error code on failure.
@@ -1115,7 +1156,7 @@ int drm_buddy_alloc_blocks(struct drm_bu
}
} while (1);
- mark_allocated(block);
+ mark_allocated(mm, block);
mm->avail -= drm_buddy_block_size(mm, block);
if (drm_buddy_block_is_clear(block))
mm->clear_avail -= drm_buddy_block_size(mm, block);
@@ -1196,10 +1237,10 @@ void drm_buddy_print(struct drm_buddy *m
mm->chunk_size >> 10, mm->size >> 20, mm->avail >> 20, mm->clear_avail >> 20);
for (order = mm->max_order; order >= 0; order--) {
- struct drm_buddy_block *block;
+ struct drm_buddy_block *block, *tmp;
u64 count = 0, free;
- list_for_each_entry(block, &mm->free_list[order], link) {
+ rbtree_postorder_for_each_entry_safe(block, tmp, &mm->free_tree[order], rb) {
BUG_ON(!drm_buddy_block_is_free(block));
count++;
}
--- a/include/drm/drm_buddy.h
+++ b/include/drm/drm_buddy.h
@@ -10,6 +10,7 @@
#include <linux/list.h>
#include <linux/slab.h>
#include <linux/sched.h>
+#include <linux/rbtree.h>
#include <drm/drm_print.h>
@@ -53,7 +54,11 @@ struct drm_buddy_block {
* a list, if so desired. As soon as the block is freed with
* drm_buddy_free* ownership is given back to the mm.
*/
- struct list_head link;
+ union {
+ struct rb_node rb;
+ struct list_head link;
+ };
+
struct list_head tmp_link;
};
@@ -68,7 +73,7 @@ struct drm_buddy_block {
*/
struct drm_buddy {
/* Maintain a free list for each order. */
- struct list_head *free_list;
+ struct rb_root *free_tree;
/*
* Maintain explicit binary tree(s) to track the allocation of the
@@ -94,7 +99,7 @@ struct drm_buddy {
};
static inline u64
-drm_buddy_block_offset(struct drm_buddy_block *block)
+drm_buddy_block_offset(const struct drm_buddy_block *block)
{
return block->header & DRM_BUDDY_HEADER_OFFSET;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 462/567] drm/buddy: Separate clear and dirty free block trees
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 461/567] drm/buddy: Optimize free block management with RB tree Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 463/567] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Greg Kroah-Hartman
` (118 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Arunpravin Paneer Selvam,
Matthew Auld
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
commit d4cd665c98c144dd6ad5d66d30396e13d23118c9 upstream.
Maintain two separate RB trees per order - one for clear (zeroed) blocks
and another for dirty (uncleared) blocks. This separation improves
code clarity and makes it more obvious which tree is being searched
during allocation. It also improves scalability and efficiency when
searching for a specific type of block, avoiding unnecessary checks
and making the allocator more predictable under fragmentation.
The changes have been validated using the existing drm_buddy_test
KUnit test cases, along with selected graphics workloads,
to ensure correctness and avoid regressions.
v2: Missed adding the suggested-by tag. Added it in v2.
v3(Matthew):
- Remove the double underscores from the internal functions.
- Rename the internal functions to have less generic names.
- Fix the error handling code.
- Pass tree argument for the tree macro.
- Use the existing dirty/free bit instead of new tree field.
- Make free_trees[] instead of clear_tree and dirty_tree for
more cleaner approach.
v4:
- A bug was reported by Intel CI and it is fixed by
Matthew Auld.
- Replace the get_root function with
&mm->free_trees[tree][order] (Matthew)
- Remove the unnecessary rbtree_is_empty() check (Matthew)
- Remove the unnecessary get_tree_for_flags() function.
- Rename get_tree_for_block() name with get_block_tree() for more
clarity.
v5(Jani Nikula):
- Don't use static inline in .c files.
- enum free_tree and enumerator names are quite generic for a header
and usage and the whole enum should be an implementation detail.
v6:
- Rewrite the __force_merge() function using the rb_last() and rb_prev().
v7(Matthew):
- Replace the open-coded tree iteration for loops with the
for_each_free_tree() macro throughout the code.
- Fixed out_free_roots to prevent double decrement of i,
addressing potential crash.
- Replaced enum drm_buddy_free_tree with unsigned int
in for_each_free_tree loops.
Cc: stable@vger.kernel.org
Fixes: a68c7eaa7a8f ("drm/amdgpu: Enable clear page functionality")
Signed-off-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
Suggested-by: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4260
Link: https://lore.kernel.org/r/20251006095124.1663-2-Arunpravin.PaneerSelvam@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_buddy.c | 329 ++++++++++++++++++++++++--------------------
include/drm/drm_buddy.h | 2
2 files changed, 186 insertions(+), 145 deletions(-)
--- a/drivers/gpu/drm/drm_buddy.c
+++ b/drivers/gpu/drm/drm_buddy.c
@@ -9,9 +9,16 @@
#include <drm/drm_buddy.h>
+enum drm_buddy_free_tree {
+ DRM_BUDDY_CLEAR_TREE = 0,
+ DRM_BUDDY_DIRTY_TREE,
+ DRM_BUDDY_MAX_FREE_TREES,
+};
+
static struct kmem_cache *slab_blocks;
-#define rbtree_get_free_block(node) rb_entry((node), struct drm_buddy_block, rb)
+#define for_each_free_tree(tree) \
+ for ((tree) = 0; (tree) < DRM_BUDDY_MAX_FREE_TREES; (tree)++)
static struct drm_buddy_block *drm_block_alloc(struct drm_buddy *mm,
struct drm_buddy_block *parent,
@@ -42,6 +49,30 @@ static void drm_block_free(struct drm_bu
kmem_cache_free(slab_blocks, block);
}
+static enum drm_buddy_free_tree
+get_block_tree(struct drm_buddy_block *block)
+{
+ return drm_buddy_block_is_clear(block) ?
+ DRM_BUDDY_CLEAR_TREE : DRM_BUDDY_DIRTY_TREE;
+}
+
+static struct drm_buddy_block *
+rbtree_get_free_block(const struct rb_node *node)
+{
+ return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL;
+}
+
+static struct drm_buddy_block *
+rbtree_last_free_block(struct rb_root *root)
+{
+ return rbtree_get_free_block(rb_last(root));
+}
+
+static bool rbtree_is_empty(struct rb_root *root)
+{
+ return RB_EMPTY_ROOT(root);
+}
+
static bool drm_buddy_block_offset_less(const struct drm_buddy_block *block,
const struct drm_buddy_block *node)
{
@@ -56,37 +87,28 @@ static bool rbtree_block_offset_less(str
}
static void rbtree_insert(struct drm_buddy *mm,
- struct drm_buddy_block *block)
+ struct drm_buddy_block *block,
+ enum drm_buddy_free_tree tree)
{
rb_add(&block->rb,
- &mm->free_tree[drm_buddy_block_order(block)],
+ &mm->free_trees[tree][drm_buddy_block_order(block)],
rbtree_block_offset_less);
}
static void rbtree_remove(struct drm_buddy *mm,
struct drm_buddy_block *block)
{
+ unsigned int order = drm_buddy_block_order(block);
+ enum drm_buddy_free_tree tree;
struct rb_root *root;
- root = &mm->free_tree[drm_buddy_block_order(block)];
- rb_erase(&block->rb, root);
+ tree = get_block_tree(block);
+ root = &mm->free_trees[tree][order];
+ rb_erase(&block->rb, root);
RB_CLEAR_NODE(&block->rb);
}
-static struct drm_buddy_block *
-rbtree_last_entry(struct drm_buddy *mm, unsigned int order)
-{
- struct rb_node *node = rb_last(&mm->free_tree[order]);
-
- return node ? rb_entry(node, struct drm_buddy_block, rb) : NULL;
-}
-
-static bool rbtree_is_empty(struct drm_buddy *mm, unsigned int order)
-{
- return RB_EMPTY_ROOT(&mm->free_tree[order]);
-}
-
static void clear_reset(struct drm_buddy_block *block)
{
block->header &= ~DRM_BUDDY_HEADER_CLEAR;
@@ -109,10 +131,13 @@ static void mark_allocated(struct drm_bu
static void mark_free(struct drm_buddy *mm,
struct drm_buddy_block *block)
{
+ enum drm_buddy_free_tree tree;
+
block->header &= ~DRM_BUDDY_HEADER_STATE;
block->header |= DRM_BUDDY_FREE;
- rbtree_insert(mm, block);
+ tree = get_block_tree(block);
+ rbtree_insert(mm, block, tree);
}
static void mark_split(struct drm_buddy *mm,
@@ -198,7 +223,7 @@ static int __force_merge(struct drm_budd
u64 end,
unsigned int min_order)
{
- unsigned int order;
+ unsigned int tree, order;
int i;
if (!min_order)
@@ -207,45 +232,48 @@ static int __force_merge(struct drm_budd
if (min_order > mm->max_order)
return -EINVAL;
- for (i = min_order - 1; i >= 0; i--) {
- struct rb_root *root = &mm->free_tree[i];
- struct rb_node *iter;
+ for_each_free_tree(tree) {
+ for (i = min_order - 1; i >= 0; i--) {
+ struct rb_node *iter = rb_last(&mm->free_trees[tree][i]);
- iter = rb_last(root);
-
- while (iter) {
- struct drm_buddy_block *block, *buddy;
- u64 block_start, block_end;
+ while (iter) {
+ struct drm_buddy_block *block, *buddy;
+ u64 block_start, block_end;
- block = rbtree_get_free_block(iter);
- iter = rb_prev(iter);
+ block = rbtree_get_free_block(iter);
+ iter = rb_prev(iter);
- if (!block || !block->parent)
- continue;
+ if (!block || !block->parent)
+ continue;
- block_start = drm_buddy_block_offset(block);
- block_end = block_start + drm_buddy_block_size(mm, block) - 1;
+ block_start = drm_buddy_block_offset(block);
+ block_end = block_start + drm_buddy_block_size(mm, block) - 1;
- if (!contains(start, end, block_start, block_end))
- continue;
+ if (!contains(start, end, block_start, block_end))
+ continue;
- buddy = __get_buddy(block);
- if (!drm_buddy_block_is_free(buddy))
- continue;
+ buddy = __get_buddy(block);
+ if (!drm_buddy_block_is_free(buddy))
+ continue;
- WARN_ON(drm_buddy_block_is_clear(block) ==
- drm_buddy_block_is_clear(buddy));
+ WARN_ON(drm_buddy_block_is_clear(block) ==
+ drm_buddy_block_is_clear(buddy));
- if (iter == &buddy->rb)
- iter = rb_prev(iter);
+ /*
+ * Advance to the next node when the current node is the buddy,
+ * as freeing the block will also remove its buddy from the tree.
+ */
+ if (iter == &buddy->rb)
+ iter = rb_prev(iter);
- rbtree_remove(mm, block);
- if (drm_buddy_block_is_clear(block))
- mm->clear_avail -= drm_buddy_block_size(mm, block);
+ rbtree_remove(mm, block);
+ if (drm_buddy_block_is_clear(block))
+ mm->clear_avail -= drm_buddy_block_size(mm, block);
- order = __drm_buddy_free(mm, block, true);
- if (order >= min_order)
- return 0;
+ order = __drm_buddy_free(mm, block, true);
+ if (order >= min_order)
+ return 0;
+ }
}
}
@@ -266,7 +294,7 @@ static int __force_merge(struct drm_budd
*/
int drm_buddy_init(struct drm_buddy *mm, u64 size, u64 chunk_size)
{
- unsigned int i;
+ unsigned int i, j, root_count = 0;
u64 offset = 0;
if (size < chunk_size)
@@ -288,14 +316,22 @@ int drm_buddy_init(struct drm_buddy *mm,
BUG_ON(mm->max_order > DRM_BUDDY_MAX_ORDER);
- mm->free_tree = kmalloc_array(mm->max_order + 1,
- sizeof(struct rb_root),
- GFP_KERNEL);
- if (!mm->free_tree)
+ mm->free_trees = kmalloc_array(DRM_BUDDY_MAX_FREE_TREES,
+ sizeof(*mm->free_trees),
+ GFP_KERNEL);
+ if (!mm->free_trees)
return -ENOMEM;
- for (i = 0; i <= mm->max_order; ++i)
- mm->free_tree[i] = RB_ROOT;
+ for_each_free_tree(i) {
+ mm->free_trees[i] = kmalloc_array(mm->max_order + 1,
+ sizeof(struct rb_root),
+ GFP_KERNEL);
+ if (!mm->free_trees[i])
+ goto out_free_tree;
+
+ for (j = 0; j <= mm->max_order; ++j)
+ mm->free_trees[i][j] = RB_ROOT;
+ }
mm->n_roots = hweight64(size);
@@ -305,8 +341,6 @@ int drm_buddy_init(struct drm_buddy *mm,
if (!mm->roots)
goto out_free_tree;
- i = 0;
-
/*
* Split into power-of-two blocks, in case we are given a size that is
* not itself a power-of-two.
@@ -325,24 +359,26 @@ int drm_buddy_init(struct drm_buddy *mm,
mark_free(mm, root);
- BUG_ON(i > mm->max_order);
+ BUG_ON(root_count > mm->max_order);
BUG_ON(drm_buddy_block_size(mm, root) < chunk_size);
- mm->roots[i] = root;
+ mm->roots[root_count] = root;
offset += root_size;
size -= root_size;
- i++;
+ root_count++;
} while (size);
return 0;
out_free_roots:
- while (i--)
- drm_block_free(mm, mm->roots[i]);
+ while (root_count--)
+ drm_block_free(mm, mm->roots[root_count]);
kfree(mm->roots);
out_free_tree:
- kfree(mm->free_tree);
+ while (i--)
+ kfree(mm->free_trees[i]);
+ kfree(mm->free_trees);
return -ENOMEM;
}
EXPORT_SYMBOL(drm_buddy_init);
@@ -376,8 +412,9 @@ void drm_buddy_fini(struct drm_buddy *mm
WARN_ON(mm->avail != mm->size);
+ for_each_free_tree(i)
+ kfree(mm->free_trees[i]);
kfree(mm->roots);
- kfree(mm->free_tree);
}
EXPORT_SYMBOL(drm_buddy_fini);
@@ -401,8 +438,7 @@ static int split_block(struct drm_buddy
return -ENOMEM;
}
- mark_free(mm, block->left);
- mark_free(mm, block->right);
+ mark_split(mm, block);
if (drm_buddy_block_is_clear(block)) {
mark_cleared(block->left);
@@ -410,7 +446,8 @@ static int split_block(struct drm_buddy
clear_reset(block);
}
- mark_split(mm, block);
+ mark_free(mm, block->left);
+ mark_free(mm, block->right);
return 0;
}
@@ -443,6 +480,7 @@ EXPORT_SYMBOL(drm_get_buddy);
*/
void drm_buddy_reset_clear(struct drm_buddy *mm, bool is_clear)
{
+ enum drm_buddy_free_tree src_tree, dst_tree;
u64 root_size, size, start;
unsigned int order;
int i;
@@ -457,19 +495,24 @@ void drm_buddy_reset_clear(struct drm_bu
size -= root_size;
}
+ src_tree = is_clear ? DRM_BUDDY_DIRTY_TREE : DRM_BUDDY_CLEAR_TREE;
+ dst_tree = is_clear ? DRM_BUDDY_CLEAR_TREE : DRM_BUDDY_DIRTY_TREE;
+
for (i = 0; i <= mm->max_order; ++i) {
+ struct rb_root *root = &mm->free_trees[src_tree][i];
struct drm_buddy_block *block, *tmp;
- rbtree_postorder_for_each_entry_safe(block, tmp, &mm->free_tree[i], rb) {
- if (is_clear != drm_buddy_block_is_clear(block)) {
- if (is_clear) {
- mark_cleared(block);
- mm->clear_avail += drm_buddy_block_size(mm, block);
- } else {
- clear_reset(block);
- mm->clear_avail -= drm_buddy_block_size(mm, block);
- }
+ rbtree_postorder_for_each_entry_safe(block, tmp, root, rb) {
+ rbtree_remove(mm, block);
+ if (is_clear) {
+ mark_cleared(block);
+ mm->clear_avail += drm_buddy_block_size(mm, block);
+ } else {
+ clear_reset(block);
+ mm->clear_avail -= drm_buddy_block_size(mm, block);
}
+
+ rbtree_insert(mm, block, dst_tree);
}
}
}
@@ -659,27 +702,17 @@ __drm_buddy_alloc_range_bias(struct drm_
}
static struct drm_buddy_block *
-get_maxblock(struct drm_buddy *mm, unsigned int order,
- unsigned long flags)
+get_maxblock(struct drm_buddy *mm,
+ unsigned int order,
+ enum drm_buddy_free_tree tree)
{
struct drm_buddy_block *max_block = NULL, *block = NULL;
+ struct rb_root *root;
unsigned int i;
for (i = order; i <= mm->max_order; ++i) {
- struct rb_node *iter = rb_last(&mm->free_tree[i]);
- struct drm_buddy_block *tmp_block;
-
- while (iter) {
- tmp_block = rbtree_get_free_block(iter);
-
- if (!block_incompatible(tmp_block, flags)) {
- block = tmp_block;
- break;
- }
-
- iter = rb_prev(iter);
- }
-
+ root = &mm->free_trees[tree][i];
+ block = rbtree_last_free_block(root);
if (!block)
continue;
@@ -703,39 +736,37 @@ alloc_from_freetree(struct drm_buddy *mm
unsigned long flags)
{
struct drm_buddy_block *block = NULL;
+ struct rb_root *root;
+ enum drm_buddy_free_tree tree;
unsigned int tmp;
int err;
+ tree = (flags & DRM_BUDDY_CLEAR_ALLOCATION) ?
+ DRM_BUDDY_CLEAR_TREE : DRM_BUDDY_DIRTY_TREE;
+
if (flags & DRM_BUDDY_TOPDOWN_ALLOCATION) {
- block = get_maxblock(mm, order, flags);
+ block = get_maxblock(mm, order, tree);
if (block)
/* Store the obtained block order */
tmp = drm_buddy_block_order(block);
} else {
for (tmp = order; tmp <= mm->max_order; ++tmp) {
- struct rb_node *iter = rb_last(&mm->free_tree[tmp]);
- struct drm_buddy_block *tmp_block;
-
- while (iter) {
- tmp_block = rbtree_get_free_block(iter);
-
- if (!block_incompatible(tmp_block, flags)) {
- block = tmp_block;
- break;
- }
-
- iter = rb_prev(iter);
- }
-
+ /* Get RB tree root for this order and tree */
+ root = &mm->free_trees[tree][tmp];
+ block = rbtree_last_free_block(root);
if (block)
break;
}
}
if (!block) {
- /* Fallback method */
+ /* Try allocating from the other tree */
+ tree = (tree == DRM_BUDDY_CLEAR_TREE) ?
+ DRM_BUDDY_DIRTY_TREE : DRM_BUDDY_CLEAR_TREE;
+
for (tmp = order; tmp <= mm->max_order; ++tmp) {
- block = rbtree_last_entry(mm, tmp);
+ root = &mm->free_trees[tree][tmp];
+ block = rbtree_last_free_block(root);
if (block)
break;
}
@@ -880,10 +911,9 @@ static int __alloc_contig_try_harder(str
{
u64 rhs_offset, lhs_offset, lhs_size, filled;
struct drm_buddy_block *block;
+ unsigned int tree, order;
LIST_HEAD(blocks_lhs);
- struct rb_node *iter;
unsigned long pages;
- unsigned int order;
u64 modify_size;
int err;
@@ -893,40 +923,45 @@ static int __alloc_contig_try_harder(str
if (order == 0)
return -ENOSPC;
- if (rbtree_is_empty(mm, order))
- return -ENOSPC;
+ for_each_free_tree(tree) {
+ struct rb_root *root;
+ struct rb_node *iter;
- iter = rb_last(&mm->free_tree[order]);
+ root = &mm->free_trees[tree][order];
+ if (rbtree_is_empty(root))
+ continue;
- while (iter) {
- block = rbtree_get_free_block(iter);
+ iter = rb_last(root);
+ while (iter) {
+ block = rbtree_get_free_block(iter);
- /* Allocate blocks traversing RHS */
- rhs_offset = drm_buddy_block_offset(block);
- err = __drm_buddy_alloc_range(mm, rhs_offset, size,
- &filled, blocks);
- if (!err || err != -ENOSPC)
- return err;
-
- lhs_size = max((size - filled), min_block_size);
- if (!IS_ALIGNED(lhs_size, min_block_size))
- lhs_size = round_up(lhs_size, min_block_size);
-
- /* Allocate blocks traversing LHS */
- lhs_offset = drm_buddy_block_offset(block) - lhs_size;
- err = __drm_buddy_alloc_range(mm, lhs_offset, lhs_size,
- NULL, &blocks_lhs);
- if (!err) {
- list_splice(&blocks_lhs, blocks);
- return 0;
- } else if (err != -ENOSPC) {
+ /* Allocate blocks traversing RHS */
+ rhs_offset = drm_buddy_block_offset(block);
+ err = __drm_buddy_alloc_range(mm, rhs_offset, size,
+ &filled, blocks);
+ if (!err || err != -ENOSPC)
+ return err;
+
+ lhs_size = max((size - filled), min_block_size);
+ if (!IS_ALIGNED(lhs_size, min_block_size))
+ lhs_size = round_up(lhs_size, min_block_size);
+
+ /* Allocate blocks traversing LHS */
+ lhs_offset = drm_buddy_block_offset(block) - lhs_size;
+ err = __drm_buddy_alloc_range(mm, lhs_offset, lhs_size,
+ NULL, &blocks_lhs);
+ if (!err) {
+ list_splice(&blocks_lhs, blocks);
+ return 0;
+ } else if (err != -ENOSPC) {
+ drm_buddy_free_list_internal(mm, blocks);
+ return err;
+ }
+ /* Free blocks for the next iteration */
drm_buddy_free_list_internal(mm, blocks);
- return err;
- }
- /* Free blocks for the next iteration */
- drm_buddy_free_list_internal(mm, blocks);
- iter = rb_prev(iter);
+ iter = rb_prev(iter);
+ }
}
return -ENOSPC;
@@ -1238,11 +1273,17 @@ void drm_buddy_print(struct drm_buddy *m
for (order = mm->max_order; order >= 0; order--) {
struct drm_buddy_block *block, *tmp;
+ struct rb_root *root;
u64 count = 0, free;
+ unsigned int tree;
+
+ for_each_free_tree(tree) {
+ root = &mm->free_trees[tree][order];
- rbtree_postorder_for_each_entry_safe(block, tmp, &mm->free_tree[order], rb) {
- BUG_ON(!drm_buddy_block_is_free(block));
- count++;
+ rbtree_postorder_for_each_entry_safe(block, tmp, root, rb) {
+ BUG_ON(!drm_buddy_block_is_free(block));
+ count++;
+ }
}
drm_printf(p, "order-%2d ", order);
--- a/include/drm/drm_buddy.h
+++ b/include/drm/drm_buddy.h
@@ -73,7 +73,7 @@ struct drm_buddy_block {
*/
struct drm_buddy {
/* Maintain a free list for each order. */
- struct rb_root *free_tree;
+ struct rb_root **free_trees;
/*
* Maintain explicit binary tree(s) to track the allocation of the
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 463/567] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 462/567] drm/buddy: Separate clear and dirty free block trees Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 464/567] drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident Greg Kroah-Hartman
` (117 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrik Jakobsson, Stefan Christ,
Daniel Vetter, dri-devel, Thomas Zimmermann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
commit be729f9de6c64240645dc80a24162ac4d3fe00a8 upstream.
Remove psb_fbdev_fb_setcolreg(), which hasn't been called in almost
a decade.
Gma500 commit 4d8d096e9ae8 ("gma500: introduce the framebuffer support
code") added the helper psb_fbdev_fb_setcolreg() for setting the fbdev
palette via fbdev's fb_setcolreg callback. Later
commit 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for
fb_ops") set several default helpers for fbdev emulation, including
fb_setcmap.
The fbdev subsystem always prefers fb_setcmap over fb_setcolreg. [1]
Hence, the gma500 code is no longer in use and gma500 has been using
drm_fb_helper_setcmap() for several years without issues.
Fixes: 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for fb_ops")
Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Cc: Stefan Christ <contact@stefanchrist.eu>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v4.10+
Link: https://elixir.bootlin.com/linux/v6.16.9/source/drivers/video/fbdev/core/fbcmap.c#L246 # [1]
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Acked-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://lore.kernel.org/r/20250929082338.18845-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/fbdev.c | 43 -----------------------------------------
1 file changed, 43 deletions(-)
--- a/drivers/gpu/drm/gma500/fbdev.c
+++ b/drivers/gpu/drm/gma500/fbdev.c
@@ -51,48 +51,6 @@ static const struct vm_operations_struct
* struct fb_ops
*/
-#define CMAP_TOHW(_val, _width) ((((_val) << (_width)) + 0x7FFF - (_val)) >> 16)
-
-static int psb_fbdev_fb_setcolreg(unsigned int regno,
- unsigned int red, unsigned int green,
- unsigned int blue, unsigned int transp,
- struct fb_info *info)
-{
- struct drm_fb_helper *fb_helper = info->par;
- struct drm_framebuffer *fb = fb_helper->fb;
- uint32_t v;
-
- if (!fb)
- return -ENOMEM;
-
- if (regno > 255)
- return 1;
-
- red = CMAP_TOHW(red, info->var.red.length);
- blue = CMAP_TOHW(blue, info->var.blue.length);
- green = CMAP_TOHW(green, info->var.green.length);
- transp = CMAP_TOHW(transp, info->var.transp.length);
-
- v = (red << info->var.red.offset) |
- (green << info->var.green.offset) |
- (blue << info->var.blue.offset) |
- (transp << info->var.transp.offset);
-
- if (regno < 16) {
- switch (fb->format->cpp[0] * 8) {
- case 16:
- ((uint32_t *) info->pseudo_palette)[regno] = v;
- break;
- case 24:
- case 32:
- ((uint32_t *) info->pseudo_palette)[regno] = v;
- break;
- }
- }
-
- return 0;
-}
-
static int psb_fbdev_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
{
if (vma->vm_pgoff != 0)
@@ -137,7 +95,6 @@ static const struct fb_ops psb_fbdev_fb_
.owner = THIS_MODULE,
__FB_DEFAULT_IOMEM_OPS_RDWR,
DRM_FB_HELPER_DEFAULT_OPS,
- .fb_setcolreg = psb_fbdev_fb_setcolreg,
__FB_DEFAULT_IOMEM_OPS_DRAW,
.fb_mmap = psb_fbdev_fb_mmap,
.fb_destroy = psb_fbdev_fb_destroy,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 464/567] drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 463/567] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 465/567] drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() Greg Kroah-Hartman
` (116 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tiago Martins Araújo,
Alex Deucher, Jani Nikula
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
commit 8b61583f993589a64c061aa91b44f5bd350d90a5 upstream.
Add a convenience helper for initializing struct drm_edid_ident.
Cc: Tiago Martins Araújo <tiago.martins.araujo@gmail.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Tiago Martins Araújo <tiago.martins.araujo@gmail.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/710b2ac6a211606ec1f90afa57b79e8c7375a27e.1761681968.git.jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/drm/drm_edid.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/include/drm/drm_edid.h
+++ b/include/drm/drm_edid.h
@@ -333,6 +333,12 @@ struct drm_edid_ident {
const char *name;
};
+#define DRM_EDID_IDENT_INIT(_vend_chr_0, _vend_chr_1, _vend_chr_2, _product_id, _name) \
+{ \
+ .panel_id = drm_edid_encode_panel_id(_vend_chr_0, _vend_chr_1, _vend_chr_2, _product_id), \
+ .name = _name, \
+}
+
#define EDID_PRODUCT_ID(e) ((e)->prod_code[0] | ((e)->prod_code[1] << 8))
/* Short Audio Descriptor */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 465/567] drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 464/567] drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 466/567] drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse() Greg Kroah-Hartman
` (115 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Auld, Sanjay Yadav,
Thomas Hellström
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanjay Yadav <sanjay.kumar.yadav@intel.com>
commit dcb171931954c51a1a7250d558f02b8f36570783 upstream.
In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping
metrics_lock. Since this lock protects the lifetime of oa_config, an
attacker could guess the id and call xe_oa_remove_config_ioctl() with
perfect timing, freeing oa_config before we dereference it, leading to
a potential use-after-free.
Fix this by caching the id in a local variable while holding the lock.
v2: (Matt A)
- Dropped mutex_unlock(&oa->metrics_lock) ordering change from
xe_oa_remove_config_ioctl()
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6614
Fixes: cdf02fe1a94a7 ("drm/xe/oa/uapi: Add/remove OA config perf ops")
Cc: <stable@vger.kernel.org> # v6.11+
Suggested-by: Matthew Auld <matthew.auld@intel.com>
Signed-off-by: Sanjay Yadav <sanjay.kumar.yadav@intel.com>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Link: https://patch.msgid.link/20251118114859.3379952-2-sanjay.kumar.yadav@intel.com
(cherry picked from commit 28aeaed130e8e587fd1b73b6d66ca41ccc5a1a31)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_oa.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/xe/xe_oa.c
+++ b/drivers/gpu/drm/xe/xe_oa.c
@@ -2378,11 +2378,13 @@ int xe_oa_add_config_ioctl(struct drm_de
goto sysfs_err;
}
- mutex_unlock(&oa->metrics_lock);
+ id = oa_config->id;
+
+ drm_dbg(&oa->xe->drm, "Added config %s id=%i\n", oa_config->uuid, id);
- drm_dbg(&oa->xe->drm, "Added config %s id=%i\n", oa_config->uuid, oa_config->id);
+ mutex_unlock(&oa->metrics_lock);
- return oa_config->id;
+ return id;
sysfs_err:
mutex_unlock(&oa->metrics_lock);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 466/567] drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 465/567] drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 467/567] drm/mediatek: Fix probe resource leaks Greg Kroah-Hartman
` (114 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin,
Markus Schneider-Pargmann, CK Hu, Chun-Kuang Hu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit a846505a193d7492ad3531e33cacfca31e4bcdd1 upstream.
The function mtk_dp_dt_parse() calls of_graph_get_endpoint_by_regs()
to get the endpoint device node, but fails to call of_node_put() to release
the reference when the function returns. This results in a device node
reference leak.
Fix this by adding the missing of_node_put() call before returning from
the function.
Found via static analysis and code review.
Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Markus Schneider-Pargmann <msp@baylibre.com>
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20251029072307.10955-1-linmq006@gmail.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_dp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/mediatek/mtk_dp.c
+++ b/drivers/gpu/drm/mediatek/mtk_dp.c
@@ -2067,6 +2067,7 @@ static int mtk_dp_dt_parse(struct mtk_dp
endpoint = of_graph_get_endpoint_by_regs(pdev->dev.of_node, 1, -1);
len = of_property_count_elems_of_size(endpoint,
"data-lanes", sizeof(u32));
+ of_node_put(endpoint);
if (len < 0 || len > 4 || len == 3) {
dev_err(dev, "invalid data lane size: %d\n", len);
return -EINVAL;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 467/567] drm/mediatek: Fix probe resource leaks
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 466/567] drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 468/567] drm/mediatek: Fix probe memory leak Greg Kroah-Hartman
` (113 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, Johan Hovold,
AngeloGioacchino Del Regno, Chun-Kuang Hu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 07c7c640a8eb9e196f357d15d88a59602a947197 upstream.
Make sure to unmap and release the component iomap and clock on probe
failure (e.g. probe deferral) and on driver unbind.
Note that unlike of_iomap(), devm_of_iomap() also checks whether the
region is already mapped.
Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Cc: stable@vger.kernel.org # 4.7
Cc: CK Hu <ck.hu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250923152340.18234-2-johan@kernel.org/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 20 ++++++++++++++++----
drivers/gpu/drm/mediatek/mtk_ddp_comp.h | 2 +-
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 ++--
3 files changed, 19 insertions(+), 7 deletions(-)
--- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c
+++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c
@@ -621,15 +621,20 @@ int mtk_find_possible_crtcs(struct drm_d
return ret;
}
-int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp,
+static void mtk_ddp_comp_clk_put(void *_clk)
+{
+ struct clk *clk = _clk;
+
+ clk_put(clk);
+}
+
+int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_ddp_comp *comp,
unsigned int comp_id)
{
struct platform_device *comp_pdev;
enum mtk_ddp_comp_type type;
struct mtk_ddp_comp_dev *priv;
-#if IS_REACHABLE(CONFIG_MTK_CMDQ)
int ret;
-#endif
if (comp_id >= DDP_COMPONENT_DRM_ID_MAX)
return -EINVAL;
@@ -670,11 +675,18 @@ int mtk_ddp_comp_init(struct device_node
if (!priv)
return -ENOMEM;
- priv->regs = of_iomap(node, 0);
+ priv->regs = devm_of_iomap(dev, node, 0, NULL);
+ if (IS_ERR(priv->regs))
+ return PTR_ERR(priv->regs);
+
priv->clk = of_clk_get(node, 0);
if (IS_ERR(priv->clk))
return PTR_ERR(priv->clk);
+ ret = devm_add_action_or_reset(dev, mtk_ddp_comp_clk_put, priv->clk);
+ if (ret)
+ return ret;
+
#if IS_REACHABLE(CONFIG_MTK_CMDQ)
ret = cmdq_dev_get_client_reg(comp->dev, &priv->cmdq_reg, 0);
if (ret)
--- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.h
+++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.h
@@ -350,7 +350,7 @@ static inline void mtk_ddp_comp_encoder_
int mtk_ddp_comp_get_id(struct device_node *node,
enum mtk_ddp_comp_type comp_type);
int mtk_find_possible_crtcs(struct drm_device *drm, struct device *dev);
-int mtk_ddp_comp_init(struct device_node *comp_node, struct mtk_ddp_comp *comp,
+int mtk_ddp_comp_init(struct device *dev, struct device_node *comp_node, struct mtk_ddp_comp *comp,
unsigned int comp_id);
enum mtk_ddp_comp_type mtk_ddp_comp_get_type(unsigned int comp_id);
void mtk_ddp_write(struct cmdq_pkt *cmdq_pkt, unsigned int value,
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -874,7 +874,7 @@ static int mtk_drm_probe(struct platform
(void *)private->mmsys_dev,
sizeof(*private->mmsys_dev));
private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR].dev = &ovl_adaptor->dev;
- mtk_ddp_comp_init(NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR],
+ mtk_ddp_comp_init(dev, NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR],
DDP_COMPONENT_DRM_OVL_ADAPTOR);
component_match_add(dev, &match, compare_dev, &ovl_adaptor->dev);
}
@@ -943,7 +943,7 @@ static int mtk_drm_probe(struct platform
node);
}
- ret = mtk_ddp_comp_init(node, &private->ddp_comp[comp_id], comp_id);
+ ret = mtk_ddp_comp_init(dev, node, &private->ddp_comp[comp_id], comp_id);
if (ret) {
of_node_put(node);
goto err_node;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 468/567] drm/mediatek: Fix probe memory leak
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 467/567] drm/mediatek: Fix probe resource leaks Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 469/567] drm/mediatek: Fix probe device leaks Greg Kroah-Hartman
` (112 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, Johan Hovold,
AngeloGioacchino Del Regno, Chun-Kuang Hu
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 5e49200593f331cd0629b5376fab9192f698e8ef upstream.
The Mediatek DRM driver allocates private data for components without a
platform driver but as the lifetime is tied to each component device,
the memory is never freed.
Tie the allocation lifetime to the DRM platform device so that the
memory is released on probe failure (e.g. probe deferral) and when the
driver is unbound.
Fixes: c0d36de868a6 ("drm/mediatek: Move clk info from struct mtk_ddp_comp to sub driver private data")
Cc: stable@vger.kernel.org # 5.12
Cc: CK Hu <ck.hu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250923152340.18234-3-johan@kernel.org/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c
+++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c
@@ -671,7 +671,7 @@ int mtk_ddp_comp_init(struct device *dev
type == MTK_DSI)
return 0;
- priv = devm_kzalloc(comp->dev, sizeof(*priv), GFP_KERNEL);
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 469/567] drm/mediatek: Fix probe device leaks
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 468/567] drm/mediatek: Fix probe memory leak Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 470/567] drm/amdkfd: Export the cwsr_size and ctl_stack_size to userspace Greg Kroah-Hartman
` (111 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chun-Kuang Hu, Johan Hovold,
AngeloGioacchino Del Regno
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 2a2a04be8e869a19c9f950b89b1e05832a0f7ec7 upstream.
Make sure to drop the reference taken to each component device during
probe on probe failure (e.g. probe deferral) and on driver unbind.
Fixes: 6ea6f8276725 ("drm/mediatek: Use correct device pointer to get CMDQ client register")
Cc: stable@vger.kernel.org # 5.12
Cc: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250923152340.18234-4-johan@kernel.org/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_ddp_comp.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/gpu/drm/mediatek/mtk_ddp_comp.c
+++ b/drivers/gpu/drm/mediatek/mtk_ddp_comp.c
@@ -621,6 +621,13 @@ int mtk_find_possible_crtcs(struct drm_d
return ret;
}
+static void mtk_ddp_comp_put_device(void *_dev)
+{
+ struct device *dev = _dev;
+
+ put_device(dev);
+}
+
static void mtk_ddp_comp_clk_put(void *_clk)
{
struct clk *clk = _clk;
@@ -656,6 +663,10 @@ int mtk_ddp_comp_init(struct device *dev
}
comp->dev = &comp_pdev->dev;
+ ret = devm_add_action_or_reset(dev, mtk_ddp_comp_put_device, comp->dev);
+ if (ret)
+ return ret;
+
if (type == MTK_DISP_AAL ||
type == MTK_DISP_BLS ||
type == MTK_DISP_CCORR ||
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 470/567] drm/amdkfd: Export the cwsr_size and ctl_stack_size to userspace
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 469/567] drm/mediatek: Fix probe device leaks Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 471/567] drm/amdkfd: bump minimum vgpr size for gfx1151 Greg Kroah-Hartman
` (110 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kent Russell, Mario Limonciello,
Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit 8fc2796dea6f1210e1a01573961d5836a7ce531e upstream.
This is important for userspace to avoid hardcoding VGPR size.
Reviewed-by: Kent Russell <kent.russell@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 71776e0965f9f730af19c5f548827f2a7c91f5a8)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_topology.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_topology.c
@@ -509,6 +509,10 @@ static ssize_t node_show(struct kobject
dev->node_props.num_sdma_queues_per_engine);
sysfs_show_32bit_prop(buffer, offs, "num_cp_queues",
dev->node_props.num_cp_queues);
+ sysfs_show_32bit_prop(buffer, offs, "cwsr_size",
+ dev->node_props.cwsr_size);
+ sysfs_show_32bit_prop(buffer, offs, "ctl_stack_size",
+ dev->node_props.ctl_stack_size);
if (dev->gpu) {
log_max_watch_addr =
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 471/567] drm/amdkfd: bump minimum vgpr size for gfx1151
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 470/567] drm/amdkfd: Export the cwsr_size and ctl_stack_size to userspace Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 472/567] drm/amdkfd: Trap handler support for expert scheduling mode Greg Kroah-Hartman
` (109 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Kim, Mario Limonciello,
Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Kim <jonathan.kim@amd.com>
commit cf326449637a566ba98fb82c47d46cd479608c88 upstream.
GFX1151 has 1.5x the number of available physical VGPRs per SIMD.
Bump total memory availability for acquire checks on queue creation.
Signed-off-by: Jonathan Kim <jonathan.kim@amd.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b42f3bf9536c9b710fd1d4deb7d1b0dc819dc72d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_queue.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_queue.c
@@ -408,6 +408,7 @@ static u32 kfd_get_vgpr_size_per_cu(u32
vgpr_size = 0x80000;
else if (gfxv == 110000 || /* GFX_VERSION_PLUM_BONITO */
gfxv == 110001 || /* GFX_VERSION_WHEAT_NAS */
+ gfxv == 110501 || /* GFX_VERSION_GFX1151 */
gfxv == 120000 || /* GFX_VERSION_GFX1200 */
gfxv == 120001) /* GFX_VERSION_GFX1201 */
vgpr_size = 0x60000;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 472/567] drm/amdkfd: Trap handler support for expert scheduling mode
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 471/567] drm/amdkfd: bump minimum vgpr size for gfx1151 Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 473/567] drm/i915: Fix format string truncation warning Greg Kroah-Hartman
` (108 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jay Cornwall, Lancelot Six,
Alex Deucher
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jay Cornwall <jay.cornwall@amd.com>
commit b7851f8c66191cd23a0a08bd484465ad74bbbb7d upstream.
The trap may be entered with dependency checking disabled.
Wait for dependency counters and save/restore scheduling mode.
v2:
Use ttmp1 instead of ttmp11. ttmp11 is not zero-initialized.
While the trap handler does zero this field before use, a user-mode
second-level trap handler could not rely on this being zero when
using an older kernel mode driver.
v3:
Use ttmp11 primarily but copy to ttmp1 before jumping to the
second level trap handler. ttmp1 is inspectable by a debugger.
Unexpected bits in the unused space may regress existing software.
Signed-off-by: Jay Cornwall <jay.cornwall@amd.com>
Reviewed-by: Lancelot Six <lancelot.six@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 423888879412e94725ca2bdccd89414887d98e31)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h | 62 +++++++++--------
drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm | 37 ++++++++++
2 files changed, 73 insertions(+), 26 deletions(-)
--- a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h
+++ b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h
@@ -3640,14 +3640,18 @@ static const uint32_t cwsr_trap_gfx9_4_3
};
static const uint32_t cwsr_trap_gfx12_hex[] = {
- 0xbfa00001, 0xbfa002a2,
- 0xb0804009, 0xb8f8f804,
+ 0xbfa00001, 0xbfa002b2,
+ 0xb0804009, 0xb8eef81a,
+ 0xbf880000, 0xb980081a,
+ 0x00000000, 0xb8f8f804,
+ 0x9177ff77, 0x0c000000,
+ 0x846e9a6e, 0x8c776e77,
0x9178ff78, 0x00008c00,
0xb8fbf811, 0x8b6eff78,
0x00004000, 0xbfa10008,
0x8b6eff7b, 0x00000080,
0xbfa20018, 0x8b6ea07b,
- 0xbfa20042, 0xbf830010,
+ 0xbfa2004a, 0xbf830010,
0xb8fbf811, 0xbfa0fffb,
0x8b6eff7b, 0x00000bd0,
0xbfa20010, 0xb8eef812,
@@ -3658,28 +3662,32 @@ static const uint32_t cwsr_trap_gfx12_he
0xf0000000, 0xbfa20005,
0x8b6fff6f, 0x00000200,
0xbfa20002, 0x8b6ea07b,
- 0xbfa2002c, 0xbefa4d82,
+ 0xbfa20034, 0xbefa4d82,
0xbf8a0000, 0x84fa887a,
0xbf0d8f7b, 0xbfa10002,
0x8c7bff7b, 0xffff0000,
- 0xf4601bbd, 0xf8000010,
- 0xbf8a0000, 0x846e976e,
- 0x9177ff77, 0x00800000,
- 0x8c776e77, 0xf4603bbd,
- 0xf8000000, 0xbf8a0000,
- 0xf4603ebd, 0xf8000008,
- 0xbf8a0000, 0x8bee6e6e,
- 0xbfa10001, 0xbe80486e,
- 0x8b6eff6d, 0xf0000000,
- 0xbfa20009, 0xb8eef811,
- 0x8b6eff6e, 0x00000080,
- 0xbfa20007, 0x8c78ff78,
- 0x00004000, 0x80ec886c,
- 0x82ed806d, 0xbfa00002,
- 0x806c846c, 0x826d806d,
- 0x8b6dff6d, 0x0000ffff,
- 0x8bfe7e7e, 0x8bea6a6a,
- 0x85788978, 0xb9783244,
+ 0x8b6eff77, 0x0c000000,
+ 0x916dff6d, 0x0c000000,
+ 0x8c6d6e6d, 0xf4601bbd,
+ 0xf8000010, 0xbf8a0000,
+ 0x846e976e, 0x9177ff77,
+ 0x00800000, 0x8c776e77,
+ 0xf4603bbd, 0xf8000000,
+ 0xbf8a0000, 0xf4603ebd,
+ 0xf8000008, 0xbf8a0000,
+ 0x8bee6e6e, 0xbfa10001,
+ 0xbe80486e, 0x8b6eff6d,
+ 0xf0000000, 0xbfa20009,
+ 0xb8eef811, 0x8b6eff6e,
+ 0x00000080, 0xbfa20007,
+ 0x8c78ff78, 0x00004000,
+ 0x80ec886c, 0x82ed806d,
+ 0xbfa00002, 0x806c846c,
+ 0x826d806d, 0x8b6dff6d,
+ 0x0000ffff, 0x8bfe7e7e,
+ 0x8bea6a6a, 0x85788978,
+ 0x936eff77, 0x0002001a,
+ 0xb96ef81a, 0xb9783244,
0xbe804a6c, 0xb8faf802,
0xbf0d987a, 0xbfa10001,
0xbfb00000, 0x8b6dff6d,
@@ -3977,7 +3985,7 @@ static const uint32_t cwsr_trap_gfx12_he
0x008ce800, 0x00000000,
0x807d817d, 0x8070ff70,
0x00000080, 0xbf0a7b7d,
- 0xbfa2fff7, 0xbfa0016e,
+ 0xbfa2fff7, 0xbfa00171,
0xbef4007e, 0x8b75ff7f,
0x0000ffff, 0x8c75ff75,
0x00040000, 0xbef60080,
@@ -4159,10 +4167,12 @@ static const uint32_t cwsr_trap_gfx12_he
0xf8000074, 0xbf8a0000,
0x8b6dff6d, 0x0000ffff,
0x8bfe7e7e, 0x8bea6a6a,
- 0xb97af804, 0xbe804ec2,
- 0xbf94fffe, 0xbe804a6c,
+ 0x936eff77, 0x0002001a,
+ 0xb96ef81a, 0xb97af804,
0xbe804ec2, 0xbf94fffe,
- 0xbfb10000, 0xbf9f0000,
+ 0xbe804a6c, 0xbe804ec2,
+ 0xbf94fffe, 0xbfb10000,
0xbf9f0000, 0xbf9f0000,
0xbf9f0000, 0xbf9f0000,
+ 0xbf9f0000, 0x00000000,
};
--- a/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm
+++ b/drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx12.asm
@@ -78,9 +78,16 @@ var SQ_WAVE_EXCP_FLAG_PRIV_RESTORE_PART_
var SQ_WAVE_EXCP_FLAG_PRIV_RESTORE_PART_2_SIZE = SQ_WAVE_EXCP_FLAG_PRIV_HOST_TRAP_SHIFT - SQ_WAVE_EXCP_FLAG_PRIV_ILLEGAL_INST_SHIFT
var SQ_WAVE_EXCP_FLAG_PRIV_RESTORE_PART_3_SHIFT = SQ_WAVE_EXCP_FLAG_PRIV_WAVE_START_SHIFT
var SQ_WAVE_EXCP_FLAG_PRIV_RESTORE_PART_3_SIZE = 32 - SQ_WAVE_EXCP_FLAG_PRIV_RESTORE_PART_3_SHIFT
+
+var SQ_WAVE_SCHED_MODE_DEP_MODE_SHIFT = 0
+var SQ_WAVE_SCHED_MODE_DEP_MODE_SIZE = 2
+
var BARRIER_STATE_SIGNAL_OFFSET = 16
var BARRIER_STATE_VALID_OFFSET = 0
+var TTMP11_SCHED_MODE_SHIFT = 26
+var TTMP11_SCHED_MODE_SIZE = 2
+var TTMP11_SCHED_MODE_MASK = 0xC000000
var TTMP11_DEBUG_TRAP_ENABLED_SHIFT = 23
var TTMP11_DEBUG_TRAP_ENABLED_MASK = 0x800000
@@ -160,8 +167,19 @@ L_JUMP_TO_RESTORE:
s_branch L_RESTORE
L_SKIP_RESTORE:
+ // Assume most relaxed scheduling mode is set. Save and revert to normal mode.
+ s_getreg_b32 ttmp2, hwreg(HW_REG_WAVE_SCHED_MODE)
+ s_wait_alu 0
+ s_setreg_imm32_b32 hwreg(HW_REG_WAVE_SCHED_MODE, \
+ SQ_WAVE_SCHED_MODE_DEP_MODE_SHIFT, SQ_WAVE_SCHED_MODE_DEP_MODE_SIZE), 0
+
s_getreg_b32 s_save_state_priv, hwreg(HW_REG_WAVE_STATE_PRIV) //save STATUS since we will change SCC
+ // Save SCHED_MODE[1:0] into ttmp11[27:26].
+ s_andn2_b32 ttmp11, ttmp11, TTMP11_SCHED_MODE_MASK
+ s_lshl_b32 ttmp2, ttmp2, TTMP11_SCHED_MODE_SHIFT
+ s_or_b32 ttmp11, ttmp11, ttmp2
+
// Clear SPI_PRIO: do not save with elevated priority.
// Clear ECC_ERR: prevents SQC store and triggers FATAL_HALT if setreg'd.
s_andn2_b32 s_save_state_priv, s_save_state_priv, SQ_WAVE_STATE_PRIV_ALWAYS_CLEAR_MASK
@@ -238,6 +256,13 @@ L_FETCH_2ND_TRAP:
s_cbranch_scc0 L_NO_SIGN_EXTEND_TMA
s_or_b32 ttmp15, ttmp15, 0xFFFF0000
L_NO_SIGN_EXTEND_TMA:
+#if ASIC_FAMILY == CHIP_GFX12
+ // Move SCHED_MODE[1:0] from ttmp11 to unused bits in ttmp1[27:26] (return PC_HI).
+ // The second-level trap will restore from ttmp1 for backwards compatibility.
+ s_and_b32 ttmp2, ttmp11, TTMP11_SCHED_MODE_MASK
+ s_andn2_b32 ttmp1, ttmp1, TTMP11_SCHED_MODE_MASK
+ s_or_b32 ttmp1, ttmp1, ttmp2
+#endif
s_load_dword ttmp2, [ttmp14, ttmp15], 0x10 scope:SCOPE_SYS // debug trap enabled flag
s_wait_idle
@@ -287,6 +312,10 @@ L_EXIT_TRAP:
// STATE_PRIV.BARRIER_COMPLETE may have changed since we read it.
// Only restore fields which the trap handler changes.
s_lshr_b32 s_save_state_priv, s_save_state_priv, SQ_WAVE_STATE_PRIV_SCC_SHIFT
+
+ // Assume relaxed scheduling mode after this point.
+ restore_sched_mode(ttmp2)
+
s_setreg_b32 hwreg(HW_REG_WAVE_STATE_PRIV, SQ_WAVE_STATE_PRIV_SCC_SHIFT, \
SQ_WAVE_STATE_PRIV_POISON_ERR_SHIFT - SQ_WAVE_STATE_PRIV_SCC_SHIFT + 1), s_save_state_priv
@@ -1043,6 +1072,9 @@ L_SKIP_BARRIER_RESTORE:
s_and_b64 exec, exec, exec // Restore STATUS.EXECZ, not writable by s_setreg_b32
s_and_b64 vcc, vcc, vcc // Restore STATUS.VCCZ, not writable by s_setreg_b32
+ // Assume relaxed scheduling mode after this point.
+ restore_sched_mode(s_restore_tmp)
+
s_setreg_b32 hwreg(HW_REG_WAVE_STATE_PRIV), s_restore_state_priv // SCC is included, which is changed by previous salu
// Make barrier and LDS state visible to all waves in the group.
@@ -1134,3 +1166,8 @@ function valu_sgpr_hazard
end
#endif
end
+
+function restore_sched_mode(s_tmp)
+ s_bfe_u32 s_tmp, ttmp11, (TTMP11_SCHED_MODE_SHIFT | (TTMP11_SCHED_MODE_SIZE << 0x10))
+ s_setreg_b32 hwreg(HW_REG_WAVE_SCHED_MODE), s_tmp
+end
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 473/567] drm/i915: Fix format string truncation warning
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 472/567] drm/amdkfd: Trap handler support for expert scheduling mode Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 474/567] drm/ttm: Avoid NULL pointer deref for evicted BOs Greg Kroah-Hartman
` (107 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Tvrtko Ursulin,
Jani Nikula
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
commit 1c7f9e528f8f488b060b786bfb90b40540854db3 upstream.
GCC notices that the 16-byte uabi_name field could theoretically be too
small for the formatted string if the instance number exceeds 100.
So grow the field to 20 bytes.
drivers/gpu/drm/i915/intel_memory_region.c: In function ‘intel_memory_region_create’:
drivers/gpu/drm/i915/intel_memory_region.c:273:61: error: ‘%u’ directive output may be truncated writing between 1 and 5 bytes into a region of size between 3 and 11 [-Werror=format-truncation=]
273 | snprintf(mem->uabi_name, sizeof(mem->uabi_name), "%s%u",
| ^~
drivers/gpu/drm/i915/intel_memory_region.c:273:58: note: directive argument in the range [0, 65535]
273 | snprintf(mem->uabi_name, sizeof(mem->uabi_name), "%s%u",
| ^~~~~~
drivers/gpu/drm/i915/intel_memory_region.c:273:9: note: ‘snprintf’ output between 7 and 19 bytes into a destination of size 16
273 | snprintf(mem->uabi_name, sizeof(mem->uabi_name), "%s%u",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
274 | intel_memory_type_str(type), instance);
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fixes: 3b38d3515753 ("drm/i915: Add stable memory region names")
Cc: <stable@vger.kernel.org> # v6.8+
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Tvrtko Ursulin <tursulin@ursulin.net>
Link: https://lore.kernel.org/r/20251205113500.684286-2-ardb@kernel.org
(cherry picked from commit 18476087f1a18dc279d200d934ad94fba1fb51d5)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/intel_memory_region.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/intel_memory_region.h
+++ b/drivers/gpu/drm/i915/intel_memory_region.h
@@ -72,7 +72,7 @@ struct intel_memory_region {
u16 instance;
enum intel_region_id id;
char name[16];
- char uabi_name[16];
+ char uabi_name[20];
bool private; /* not for userspace */
struct {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 474/567] drm/ttm: Avoid NULL pointer deref for evicted BOs
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 473/567] drm/i915: Fix format string truncation warning Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 475/567] drm/mgag200: Fix big-endian support Greg Kroah-Hartman
` (106 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Simon Richter, Matthew Brost,
Shuicheng Lin, Christian König
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Richter <Simon.Richter@hogyros.de>
commit 491adc6a0f9903c32b05f284df1148de39e8e644 upstream.
It is possible for a BO to exist that is not currently associated with a
resource, e.g. because it has been evicted.
When devcoredump tries to read the contents of all BOs for dumping, we need
to expect this as well -- in this case, ENODATA is recorded instead of the
buffer contents.
Fixes: 7d08df5d0bd3 ("drm/ttm: Add ttm_bo_access")
Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
Cc: stable <stable@kernel.org>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6271
Signed-off-by: Simon Richter <Simon.Richter@hogyros.de>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20251013161241.709916-1-Simon.Richter@hogyros.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/ttm/ttm_bo_vm.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -421,6 +421,11 @@ int ttm_bo_vm_access(struct vm_area_stru
if (ret)
return ret;
+ if (!bo->resource) {
+ ret = -ENODATA;
+ goto unlock;
+ }
+
switch (bo->resource->mem_type) {
case TTM_PL_SYSTEM:
fallthrough;
@@ -435,6 +440,7 @@ int ttm_bo_vm_access(struct vm_area_stru
ret = -EIO;
}
+unlock:
ttm_bo_unreserve(bo);
return ret;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 475/567] drm/mgag200: Fix big-endian support
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 474/567] drm/ttm: Avoid NULL pointer deref for evicted BOs Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 476/567] drm/xe/bo: Dont include the CCS metadata in the dma-buf sg-table Greg Kroah-Hartman
` (105 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, stable,
Thomas Zimmermann
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
commit 6cb31fba137d45e682ce455b8ea364f44d5d4f98 upstream.
Unlike the original, deleted Matrox mga driver, the new mgag200 driver
has the XRGB frame-buffer byte swapped on big-endian "RISC"
systems. Fix by enabling byte swapping "PowerPC" OPMODE for any
__BIG_ENDIAN config.
Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)")
Signed-off-by: René Rebe <rene@exactco.de>
Cc: stable@kernel.org
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20251208.141827.965103015954471168.rene@exactco.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mgag200/mgag200_mode.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
+++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
@@ -175,6 +175,30 @@ static void mgag200_set_startadd(struct
WREG_ECRT(0x00, crtcext0);
}
+/*
+ * Set the opmode for the hardware swapper for Big-Endian processor
+ * support for the frame buffer aperture and DMAWIN space.
+ */
+static void mgag200_set_datasiz(struct mga_device *mdev, u32 format)
+{
+#if defined(__BIG_ENDIAN)
+ u32 opmode = RREG32(MGAREG_OPMODE);
+
+ opmode &= ~(GENMASK(17, 16) | GENMASK(9, 8) | GENMASK(3, 2));
+
+ /* Big-endian byte-swapping */
+ switch (format) {
+ case DRM_FORMAT_RGB565:
+ opmode |= 0x10100;
+ break;
+ case DRM_FORMAT_XRGB8888:
+ opmode |= 0x20200;
+ break;
+ }
+ WREG32(MGAREG_OPMODE, opmode);
+#endif
+}
+
void mgag200_init_registers(struct mga_device *mdev)
{
u8 crtc11, misc;
@@ -510,6 +534,7 @@ void mgag200_primary_plane_helper_atomic
struct drm_atomic_helper_damage_iter iter;
struct drm_rect damage;
+ mgag200_set_datasiz(mdev, fb->format->format);
drm_atomic_helper_damage_iter_init(&iter, old_plane_state, plane_state);
drm_atomic_for_each_plane_damage(&iter, &damage) {
mgag200_handle_damage(mdev, shadow_plane_state->data, fb, &damage);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 476/567] drm/xe/bo: Dont include the CCS metadata in the dma-buf sg-table
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 475/567] drm/mgag200: Fix big-endian support Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 477/567] drm/xe/oa: Disallow 0 OA property values Greg Kroah-Hartman
` (104 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Vivi, Matthew Brost,
Maarten Lankhorst, Thomas Hellström, Karol Wachowski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Hellström <thomas.hellstrom@linux.intel.com>
commit 449bcd5d45eb4ce26740f11f8601082fe734bed2 upstream.
Some Xe bos are allocated with extra backing-store for the CCS
metadata. It's never been the intention to share the CCS metadata
when exporting such bos as dma-buf. Don't include it in the
dma-buf sg-table.
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: <stable@vger.kernel.org> # v6.8+
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Link: https://patch.msgid.link/20251209204920.224374-1-thomas.hellstrom@linux.intel.com
(cherry picked from commit a4ebfb9d95d78a12512b435a698ee6886d712571)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_dma_buf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/xe/xe_dma_buf.c
+++ b/drivers/gpu/drm/xe/xe_dma_buf.c
@@ -111,7 +111,7 @@ static struct sg_table *xe_dma_buf_map(s
case XE_PL_TT:
sgt = drm_prime_pages_to_sg(obj->dev,
bo->ttm.ttm->pages,
- bo->ttm.ttm->num_pages);
+ obj->size >> PAGE_SHIFT);
if (IS_ERR(sgt))
return sgt;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 477/567] drm/xe/oa: Disallow 0 OA property values
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 476/567] drm/xe/bo: Dont include the CCS metadata in the dma-buf sg-table Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 478/567] drm/xe: Adjust long-running workload timeslices to reasonable values Greg Kroah-Hartman
` (103 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Senna Tschudin, Ashutosh Dixit,
Harish Chegondi, Thomas Hellström
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ashutosh Dixit <ashutosh.dixit@intel.com>
commit 3595114bc31d1eb5e1996164c901485c1ffac6f7 upstream.
An OA property value of 0 is invalid and will cause a NPD.
Reported-by: Peter Senna Tschudin <peter.senna@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6452
Fixes: cc4e6994d5a2 ("drm/xe/oa: Move functions up so they can be reused for config ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Reviewed-by: Harish Chegondi <harish.chegondi@intel.com>
Link: https://patch.msgid.link/20251212061850.1565459-3-ashutosh.dixit@intel.com
(cherry picked from commit 7a100e6ddcc47c1f6ba7a19402de86ce24790621)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_oa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/xe/xe_oa.c
+++ b/drivers/gpu/drm/xe/xe_oa.c
@@ -1266,7 +1266,7 @@ static int xe_oa_user_ext_set_property(s
ARRAY_SIZE(xe_oa_set_property_funcs_config));
if (XE_IOCTL_DBG(oa->xe, ext.property >= ARRAY_SIZE(xe_oa_set_property_funcs_open)) ||
- XE_IOCTL_DBG(oa->xe, ext.pad))
+ XE_IOCTL_DBG(oa->xe, !ext.property) || XE_IOCTL_DBG(oa->xe, ext.pad))
return -EINVAL;
idx = array_index_nospec(ext.property, ARRAY_SIZE(xe_oa_set_property_funcs_open));
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 478/567] drm/xe: Adjust long-running workload timeslices to reasonable values
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 477/567] drm/xe/oa: Disallow 0 OA property values Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 479/567] drm/xe: Use usleep_range for accurate long-running workload timeslicing Greg Kroah-Hartman
` (102 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew Brost, Thomas Hellström
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Brost <matthew.brost@intel.com>
commit 6f0f404bd289d79a260b634c5b3f4d330b13472c upstream.
A 10ms timeslice for long-running workloads is far too long and causes
significant jitter in benchmarks when the system is shared. Adjust the
value to 5ms for preempt-fencing VMs, as the resume step there is quite
costly as memory is moved around, and set it to zero for pagefault VMs,
since switching back to pagefault mode after dma-fence mode is
relatively fast.
Also change min_run_period_ms to 'unsiged int' type rather than 's64' as
only positive values make sense.
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Link: https://patch.msgid.link/20251212182847.1683222-2-matthew.brost@intel.com
(cherry picked from commit 33a5abd9a68394aa67f9618b20eee65ee8702ff4)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_vm.c | 5 ++++-
drivers/gpu/drm/xe/xe_vm_types.h | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/xe/xe_vm.c
+++ b/drivers/gpu/drm/xe/xe_vm.c
@@ -1468,7 +1468,10 @@ struct xe_vm *xe_vm_create(struct xe_dev
INIT_WORK(&vm->destroy_work, vm_destroy_work_func);
INIT_LIST_HEAD(&vm->preempt.exec_queues);
- vm->preempt.min_run_period_ms = 10; /* FIXME: Wire up to uAPI */
+ if (flags & XE_VM_FLAG_FAULT_MODE)
+ vm->preempt.min_run_period_ms = 0;
+ else
+ vm->preempt.min_run_period_ms = 5;
for_each_tile(tile, xe, id)
xe_range_fence_tree_init(&vm->rftree[id]);
--- a/drivers/gpu/drm/xe/xe_vm_types.h
+++ b/drivers/gpu/drm/xe/xe_vm_types.h
@@ -243,7 +243,7 @@ struct xe_vm {
* @min_run_period_ms: The minimum run period before preempting
* an engine again
*/
- s64 min_run_period_ms;
+ unsigned int min_run_period_ms;
/** @exec_queues: list of exec queues attached to this VM */
struct list_head exec_queues;
/** @num_exec_queues: number exec queues attached to this VM */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 479/567] drm/xe: Use usleep_range for accurate long-running workload timeslicing
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 478/567] drm/xe: Adjust long-running workload timeslices to reasonable values Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 480/567] drm/xe: Drop preempt-fences when destroying imported dma-bufs Greg Kroah-Hartman
` (101 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew Brost, Thomas Hellström
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Brost <matthew.brost@intel.com>
commit 80f9c601d9c4d26f00356c0a9c461650e7089273 upstream.
msleep is not very accurate in terms of how long it actually sleeps,
whereas usleep_range is precise. Replace the timeslice sleep for
long-running workloads with the more accurate usleep_range to avoid
jitter if the sleep period is less than 20ms.
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Cc: stable@vger.kernel.org
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Link: https://patch.msgid.link/20251212182847.1683222-3-matthew.brost@intel.com
(cherry picked from commit ca415c4d4c17ad676a2c8981e1fcc432221dce79)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_guc_submit.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/xe/xe_guc_submit.c
+++ b/drivers/gpu/drm/xe/xe_guc_submit.c
@@ -578,6 +578,24 @@ static u32 wq_space_until_wrap(struct xe
return (WQ_SIZE - q->guc->wqi_tail);
}
+static inline void relaxed_ms_sleep(unsigned int delay_ms)
+{
+ unsigned long min_us, max_us;
+
+ if (!delay_ms)
+ return;
+
+ if (delay_ms > 20) {
+ msleep(delay_ms);
+ return;
+ }
+
+ min_us = mul_u32_u32(delay_ms, 1000);
+ max_us = min_us + 500;
+
+ usleep_range(min_us, max_us);
+}
+
static int wq_wait_for_space(struct xe_exec_queue *q, u32 wqi_size)
{
struct xe_guc *guc = exec_queue_to_guc(q);
@@ -1356,7 +1374,7 @@ static void __guc_exec_queue_process_msg
since_resume_ms;
if (wait_ms > 0 && q->guc->resume_time)
- msleep(wait_ms);
+ relaxed_ms_sleep(wait_ms);
set_exec_queue_suspended(q);
disable_scheduling(q, false);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 480/567] drm/xe: Drop preempt-fences when destroying imported dma-bufs.
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 479/567] drm/xe: Use usleep_range for accurate long-running workload timeslicing Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 481/567] drm/msm/dpu: Add missing NULL pointer check for pingpong interface Greg Kroah-Hartman
` (100 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew Brost, Thomas Hellström
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Hellström <thomas.hellstrom@linux.intel.com>
commit fe3ccd24138fd391ae8e32289d492c85f67770fc upstream.
When imported dma-bufs are destroyed, TTM is not fully
individualizing the dma-resv, but it *is* copying the fences that
need to be waited for before declaring idle. So in the case where
the bo->resv != bo->_resv we can still drop the preempt-fences, but
make sure we do that on bo->_resv which contains the fence-pointer
copy.
In the case where the copying fails, bo->_resv will typically not
contain any fences pointers at all, so there will be nothing to
drop. In that case, TTM would have ensured all fences that would
have been copied are signaled, including any remaining preempt
fences.
Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
Fixes: fa0af721bd1f ("drm/ttm: test private resv obj on release/destroy")
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: <stable@vger.kernel.org> # v6.16+
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Tested-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20251217093441.5073-1-thomas.hellstrom@linux.intel.com
(cherry picked from commit 425fe550fb513b567bd6d01f397d274092a9c274)
Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/xe/xe_bo.c | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)
--- a/drivers/gpu/drm/xe/xe_bo.c
+++ b/drivers/gpu/drm/xe/xe_bo.c
@@ -1041,7 +1041,7 @@ static bool xe_ttm_bo_lock_in_destructor
* always succeed here, as long as we hold the lru lock.
*/
spin_lock(&ttm_bo->bdev->lru_lock);
- locked = dma_resv_trylock(ttm_bo->base.resv);
+ locked = dma_resv_trylock(&ttm_bo->base._resv);
spin_unlock(&ttm_bo->bdev->lru_lock);
xe_assert(xe, locked);
@@ -1061,13 +1061,6 @@ static void xe_ttm_bo_release_notify(str
bo = ttm_to_xe_bo(ttm_bo);
xe_assert(xe_bo_device(bo), !(bo->created && kref_read(&ttm_bo->base.refcount)));
- /*
- * Corner case where TTM fails to allocate memory and this BOs resv
- * still points the VMs resv
- */
- if (ttm_bo->base.resv != &ttm_bo->base._resv)
- return;
-
if (!xe_ttm_bo_lock_in_destructor(ttm_bo))
return;
@@ -1077,14 +1070,14 @@ static void xe_ttm_bo_release_notify(str
* TODO: Don't do this for external bos once we scrub them after
* unbind.
*/
- dma_resv_for_each_fence(&cursor, ttm_bo->base.resv,
+ dma_resv_for_each_fence(&cursor, &ttm_bo->base._resv,
DMA_RESV_USAGE_BOOKKEEP, fence) {
if (xe_fence_is_xe_preempt(fence) &&
!dma_fence_is_signaled(fence)) {
if (!replacement)
replacement = dma_fence_get_stub();
- dma_resv_replace_fences(ttm_bo->base.resv,
+ dma_resv_replace_fences(&ttm_bo->base._resv,
fence->context,
replacement,
DMA_RESV_USAGE_BOOKKEEP);
@@ -1092,7 +1085,7 @@ static void xe_ttm_bo_release_notify(str
}
dma_fence_put(replacement);
- dma_resv_unlock(ttm_bo->base.resv);
+ dma_resv_unlock(&ttm_bo->base._resv);
}
static void xe_ttm_bo_delete_mem_notify(struct ttm_buffer_object *ttm_bo)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 481/567] drm/msm/dpu: Add missing NULL pointer check for pingpong interface
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 480/567] drm/xe: Drop preempt-fences when destroying imported dma-bufs Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 482/567] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Greg Kroah-Hartman
` (99 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nikolay Kuratov, Dmitry Baryshkov
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Kuratov <kniv@yandex-team.ru>
commit 88733a0b64872357e5ecd82b7488121503cb9cc6 upstream.
It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a
single place the check is missing.
Also use convenient locals instead of phys_enc->* where available.
Cc: stable@vger.kernel.org
Fixes: d7d0e73f7de33 ("drm/msm/dpu: introduce the dpu_encoder_phys_* for writeback")
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/693860/
Link: https://lore.kernel.org/r/20251211093630.171014-1-kniv@yandex-team.ru
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c
@@ -243,14 +243,12 @@ static void dpu_encoder_phys_wb_setup_ct
if (hw_cdm)
intf_cfg.cdm = hw_cdm->idx;
- if (phys_enc->hw_pp->merge_3d && phys_enc->hw_pp->merge_3d->ops.setup_3d_mode)
- phys_enc->hw_pp->merge_3d->ops.setup_3d_mode(phys_enc->hw_pp->merge_3d,
- mode_3d);
+ if (hw_pp && hw_pp->merge_3d && hw_pp->merge_3d->ops.setup_3d_mode)
+ hw_pp->merge_3d->ops.setup_3d_mode(hw_pp->merge_3d, mode_3d);
/* setup which pp blk will connect to this wb */
- if (hw_pp && phys_enc->hw_wb->ops.bind_pingpong_blk)
- phys_enc->hw_wb->ops.bind_pingpong_blk(phys_enc->hw_wb,
- phys_enc->hw_pp->idx);
+ if (hw_pp && hw_wb->ops.bind_pingpong_blk)
+ hw_wb->ops.bind_pingpong_blk(hw_wb, hw_pp->idx);
phys_enc->hw_ctl->ops.setup_intf_cfg(phys_enc->hw_ctl, &intf_cfg);
} else if (phys_enc->hw_ctl && phys_enc->hw_ctl->ops.setup_intf_cfg) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 482/567] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 481/567] drm/msm/dpu: Add missing NULL pointer check for pingpong interface Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 483/567] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb Greg Kroah-Hartman
` (98 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gangmin Kim, Krzysztof Niemiec,
Janusz Krzysztofik, Krzysztof Karas, Andi Shyti, Andi Shyti,
Jani Nikula
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
commit 4fe2bd195435e71c117983d87f278112c5ab364c upstream.
Initialize the eb.vma array with values of 0 when the eb structure is
first set up. In particular, this sets the eb->vma[i].vma pointers to
NULL, simplifying cleanup and getting rid of the bug described below.
During the execution of eb_lookup_vmas(), the eb->vma array is
successively filled up with struct eb_vma objects. This process includes
calling eb_add_vma(), which might fail; however, even in the event of
failure, eb->vma[i].vma is set for the currently processed buffer.
If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which
prompts a call to eb_release_vmas() to clean up the mess. Since
eb_lookup_vmas() might fail during processing any (possibly not first)
buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know
at what point did the lookup function fail.
In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper
function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is
set to NULL in case i915_gem_object_userptr_submit_init() fails; the
current one needs to be cleaned up by eb_release_vmas() at this point,
so the next one is set. If eb_add_vma() fails, neither the current nor
the next vma is set to NULL, which is a source of a NULL deref bug
described in the issue linked in the Closes tag.
When entering eb_lookup_vmas(), the vma pointers are set to the slab
poison value, instead of NULL. This doesn't matter for the actual
lookup, since it gets overwritten anyway, however the eb_release_vmas()
function only recognizes NULL as the stopping value, hence the pointers
are being set to NULL as they go in case of intermediate failure. This
patch changes the approach to filling them all with NULL at the start
instead, rather than handling that manually during failure.
Reported-by: Gangmin Kim <km.kim1503@gmail.com>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15062
Fixes: 544460c33821 ("drm/i915: Multi-BB execbuf")
Cc: stable@vger.kernel.org # 5.16.x
Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
Reviewed-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Reviewed-by: Krzysztof Karas <krzysztof.karas@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20251216180900.54294-2-krzysztof.niemiec@intel.com
(cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 37 +++++++++++--------------
1 file changed, 17 insertions(+), 20 deletions(-)
--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
@@ -951,13 +951,13 @@ static int eb_lookup_vmas(struct i915_ex
vma = eb_lookup_vma(eb, eb->exec[i].handle);
if (IS_ERR(vma)) {
err = PTR_ERR(vma);
- goto err;
+ return err;
}
err = eb_validate_vma(eb, &eb->exec[i], vma);
if (unlikely(err)) {
i915_vma_put(vma);
- goto err;
+ return err;
}
err = eb_add_vma(eb, ¤t_batch, i, vma);
@@ -966,19 +966,8 @@ static int eb_lookup_vmas(struct i915_ex
if (i915_gem_object_is_userptr(vma->obj)) {
err = i915_gem_object_userptr_submit_init(vma->obj);
- if (err) {
- if (i + 1 < eb->buffer_count) {
- /*
- * Execbuffer code expects last vma entry to be NULL,
- * since we already initialized this entry,
- * set the next value to NULL or we mess up
- * cleanup handling.
- */
- eb->vma[i + 1].vma = NULL;
- }
-
+ if (err)
return err;
- }
eb->vma[i].flags |= __EXEC_OBJECT_USERPTR_INIT;
eb->args->flags |= __EXEC_USERPTR_USED;
@@ -986,10 +975,6 @@ static int eb_lookup_vmas(struct i915_ex
}
return 0;
-
-err:
- eb->vma[i].vma = NULL;
- return err;
}
static int eb_lock_vmas(struct i915_execbuffer *eb)
@@ -3374,7 +3359,8 @@ i915_gem_do_execbuffer(struct drm_device
eb.exec = exec;
eb.vma = (struct eb_vma *)(exec + args->buffer_count + 1);
- eb.vma[0].vma = NULL;
+ memset(eb.vma, 0, (args->buffer_count + 1) * sizeof(struct eb_vma));
+
eb.batch_pool = NULL;
eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
@@ -3583,7 +3569,18 @@ i915_gem_execbuffer2_ioctl(struct drm_de
if (err)
return err;
- /* Allocate extra slots for use by the command parser */
+ /*
+ * Allocate extra slots for use by the command parser.
+ *
+ * Note that this allocation handles two different arrays (the
+ * exec2_list array, and the eventual eb.vma array introduced in
+ * i915_gem_do_execbuffer()), that reside in virtually contiguous
+ * memory. Also note that the allocation intentionally doesn't fill the
+ * area with zeros, because the exec2_list part doesn't need to be, as
+ * it's immediately overwritten by user data a few lines below.
+ * However, the eb.vma part is explicitly zeroed later in
+ * i915_gem_do_execbuffer().
+ */
exec2_list = kvmalloc_array(count + 2, eb_element_size(),
__GFP_NOWARN | GFP_KERNEL);
if (exec2_list == NULL) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 483/567] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 482/567] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 484/567] drm/imagination: Disallow exporting of PM/FW protected objects Greg Kroah-Hartman
` (97 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lyude Paul, Dave Airlie
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lyude Paul <lyude@redhat.com>
commit 560271e10b2c86e95ea35afa9e79822e4847f07a upstream.
Since we recently started warning about uses of this function after the
atomic check phase completes, we've started getting warnings about this in
nouveau. It appears a misplaced drm_atomic_get_crtc_state() call has been
hiding in our .prepare_fb callback for a while.
So, fix this by adding a new nv50_head_atom_get_new() function and use that
in our .prepare_fb callback instead.
Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Fixes: 1590700d94ac ("drm/nouveau/kms/nv50-: split each resource type into their own source files")
Cc: <stable@vger.kernel.org> # v4.18+
Link: https://patch.msgid.link/20251211190256.396742-1-lyude@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/dispnv50/atom.h | 13 +++++++++++++
drivers/gpu/drm/nouveau/dispnv50/wndw.c | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/nouveau/dispnv50/atom.h
+++ b/drivers/gpu/drm/nouveau/dispnv50/atom.h
@@ -152,8 +152,21 @@ static inline struct nv50_head_atom *
nv50_head_atom_get(struct drm_atomic_state *state, struct drm_crtc *crtc)
{
struct drm_crtc_state *statec = drm_atomic_get_crtc_state(state, crtc);
+
if (IS_ERR(statec))
return (void *)statec;
+
+ return nv50_head_atom(statec);
+}
+
+static inline struct nv50_head_atom *
+nv50_head_atom_get_new(struct drm_atomic_state *state, struct drm_crtc *crtc)
+{
+ struct drm_crtc_state *statec = drm_atomic_get_new_crtc_state(state, crtc);
+
+ if (!statec)
+ return NULL;
+
return nv50_head_atom(statec);
}
--- a/drivers/gpu/drm/nouveau/dispnv50/wndw.c
+++ b/drivers/gpu/drm/nouveau/dispnv50/wndw.c
@@ -567,7 +567,7 @@ nv50_wndw_prepare_fb(struct drm_plane *p
asyw->image.offset[0] = nvbo->offset;
if (wndw->func->prepare) {
- asyh = nv50_head_atom_get(asyw->state.state, asyw->state.crtc);
+ asyh = nv50_head_atom_get_new(asyw->state.state, asyw->state.crtc);
if (IS_ERR(asyh))
return PTR_ERR(asyh);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 484/567] drm/imagination: Disallow exporting of PM/FW protected objects
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 483/567] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 485/567] lib/crypto: riscv/chacha: Avoid s0/fp register Greg Kroah-Hartman
` (96 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alessio Belle, Matt Coster
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alessio Belle <alessio.belle@imgtec.com>
commit 6b991ad8dc3abfe5720fc2e9ee96be63ae43e362 upstream.
These objects are meant to be used by the GPU firmware or by the PM unit
within the GPU, in which case they may contain physical addresses.
This adds a layer of protection against exposing potentially exploitable
information outside of the driver.
Fixes: ff5f643de0bf ("drm/imagination: Add GEM and VM related code")
Signed-off-by: Alessio Belle <alessio.belle@imgtec.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251208-no-export-pm-fw-obj-v1-1-83ab12c61693@imgtec.com
Signed-off-by: Matt Coster <matt.coster@imgtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/imagination/pvr_gem.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/gpu/drm/imagination/pvr_gem.c
+++ b/drivers/gpu/drm/imagination/pvr_gem.c
@@ -27,6 +27,16 @@ static void pvr_gem_object_free(struct d
drm_gem_shmem_object_free(obj);
}
+static struct dma_buf *pvr_gem_export(struct drm_gem_object *obj, int flags)
+{
+ struct pvr_gem_object *pvr_obj = gem_to_pvr_gem(obj);
+
+ if (pvr_obj->flags & DRM_PVR_BO_PM_FW_PROTECT)
+ return ERR_PTR(-EPERM);
+
+ return drm_gem_prime_export(obj, flags);
+}
+
static int pvr_gem_mmap(struct drm_gem_object *gem_obj, struct vm_area_struct *vma)
{
struct pvr_gem_object *pvr_obj = gem_to_pvr_gem(gem_obj);
@@ -41,6 +51,7 @@ static int pvr_gem_mmap(struct drm_gem_o
static const struct drm_gem_object_funcs pvr_gem_object_funcs = {
.free = pvr_gem_object_free,
.print_info = drm_gem_shmem_object_print_info,
+ .export = pvr_gem_export,
.pin = drm_gem_shmem_object_pin,
.unpin = drm_gem_shmem_object_unpin,
.get_sg_table = drm_gem_shmem_object_get_sg_table,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 485/567] lib/crypto: riscv/chacha: Avoid s0/fp register
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 484/567] drm/imagination: Disallow exporting of PM/FW protected objects Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 486/567] gfs2: fix freeze error handling Greg Kroah-Hartman
` (95 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vivian Wang, Eric Biggers
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivian Wang <wangruikang@iscas.ac.cn>
commit 43169328c7b4623b54b7713ec68479cebda5465f upstream.
In chacha_zvkb, avoid using the s0 register, which is the frame pointer,
by reallocating KEY0 to t5. This makes stack traces available if e.g. a
crash happens in chacha_zvkb.
No frame pointer maintenance is otherwise required since this is a leaf
function.
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Fixes: bb54668837a0 ("crypto: riscv - add vector crypto accelerated ChaCha20")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20251202-riscv-chacha_zvkb-fp-v2-1-7bd00098c9dc@iscas.ac.cn
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/crypto/chacha-riscv64-zvkb.S | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/arch/riscv/crypto/chacha-riscv64-zvkb.S
+++ b/arch/riscv/crypto/chacha-riscv64-zvkb.S
@@ -60,7 +60,8 @@
#define VL t2
#define STRIDE t3
#define NROUNDS t4
-#define KEY0 s0
+#define KEY0 t5
+// Avoid s0/fp to allow for unwinding
#define KEY1 s1
#define KEY2 s2
#define KEY3 s3
@@ -141,7 +142,6 @@ SYM_FUNC_START(chacha20_zvkb)
srli LEN, LEN, 6 // Bytes to blocks
addi sp, sp, -96
- sd s0, 0(sp)
sd s1, 8(sp)
sd s2, 16(sp)
sd s3, 24(sp)
@@ -277,7 +277,6 @@ SYM_FUNC_START(chacha20_zvkb)
add INP, INP, TMP
bnez LEN, .Lblock_loop
- ld s0, 0(sp)
ld s1, 8(sp)
ld s2, 16(sp)
ld s3, 24(sp)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 486/567] gfs2: fix freeze error handling
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 485/567] lib/crypto: riscv/chacha: Avoid s0/fp register Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 487/567] btrfs: dont rewrite ret from inode_permission Greg Kroah-Hartman
` (94 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Velichayshiy,
Andreas Gruenbacher, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
[ Upstream commit 4cfc7d5a4a01d2133b278cdbb1371fba1b419174 ]
After commit b77b4a4815a9 ("gfs2: Rework freeze / thaw logic"),
the freeze error handling is broken because gfs2_do_thaw()
overwrites the 'error' variable, causing incorrect processing
of the original freeze error.
Fix this by calling gfs2_do_thaw() when gfs2_lock_fs_check_clean()
fails but ignoring its return value to preserve the original
freeze error for proper reporting.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: b77b4a4815a9 ("gfs2: Rework freeze / thaw logic")
Cc: stable@vger.kernel.org # v6.5+
Signed-off-by: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
[ gfs2_do_thaw() only takes 2 params ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/gfs2/super.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -759,9 +759,7 @@ static int gfs2_freeze_super(struct supe
break;
}
- error = gfs2_do_thaw(sdp, who);
- if (error)
- goto out;
+ (void)gfs2_do_thaw(sdp, who);
if (error == -EBUSY)
fs_err(sdp, "waiting for recovery before freeze\n");
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 487/567] btrfs: dont rewrite ret from inode_permission
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 486/567] gfs2: fix freeze error handling Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 488/567] sched/eevdf: Fix min_vruntime vs avg_vruntime Greg Kroah-Hartman
` (93 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Josef Bacik,
Daniel Vacek, David Sterba, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 0185c2292c600993199bc6b1f342ad47a9e8c678 ]
In our user safe ino resolve ioctl we'll just turn any ret into -EACCES
from inode_permission(). This is redundant, and could potentially be
wrong if we had an ENOMEM in the security layer or some such other
error, so simply return the actual return value.
Note: The patch was taken from v5 of fscrypt patchset
(https://lore.kernel.org/linux-btrfs/cover.1706116485.git.josef@toxicpanda.com/)
which was handled over time by various people: Omar Sandoval, Sweet Tea
Dorminy, Josef Bacik.
Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Daniel Vacek <neelx@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ add note ]
Signed-off-by: David Sterba <dsterba@suse.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2012,10 +2012,8 @@ static int btrfs_search_path_in_tree_use
ret = inode_permission(idmap, temp_inode,
MAY_READ | MAY_EXEC);
iput(temp_inode);
- if (ret) {
- ret = -EACCES;
+ if (ret)
goto out_put;
- }
if (key.offset == upper_limit)
break;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 488/567] sched/eevdf: Fix min_vruntime vs avg_vruntime
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 487/567] btrfs: dont rewrite ret from inode_permission Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 489/567] erofs: fix unexpected EIO under memory pressure Greg Kroah-Hartman
` (92 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zicheng Qu, Peter Zijlstra (Intel),
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 79f3f9bedd149ea438aaeb0fb6a083637affe205 ]
Basically, from the constraint that the sum of lag is zero, you can
infer that the 0-lag point is the weighted average of the individual
vruntime, which is what we're trying to compute:
\Sum w_i * v_i
avg = --------------
\Sum w_i
Now, since vruntime takes the whole u64 (worse, it wraps), this
multiplication term in the numerator is not something we can compute;
instead we do the min_vruntime (v0 henceforth) thing like:
v_i = (v_i - v0) + v0
This does two things:
- it keeps the key: (v_i - v0) 'small';
- it creates a relative 0-point in the modular space.
If you do that subtitution and work it all out, you end up with:
\Sum w_i * (v_i - v0)
avg = --------------------- + v0
\Sum w_i
Since you cannot very well track a ratio like that (and not suffer
terrible numerical problems) we simpy track the numerator and
denominator individually and only perform the division when strictly
needed.
Notably, the numerator lives in cfs_rq->avg_vruntime and the denominator
lives in cfs_rq->avg_load.
The one extra 'funny' is that these numbers track the entities in the
tree, and current is typically outside of the tree, so avg_vruntime()
adds current when needed before doing the division.
(vruntime_eligible() elides the division by cross-wise multiplication)
Anyway, as mentioned above, we currently use the CFS era min_vruntime
for this purpose. However, this thing can only move forward, while the
above avg can in fact move backward (when a non-eligible task leaves,
the average becomes smaller), this can cause trouble when through
happenstance (or construction) these values drift far enough apart to
wreck the game.
Replace cfs_rq::min_vruntime with cfs_rq::zero_vruntime which is kept
near/at avg_vruntime, following its motion.
The down-side is that this requires computing the avg more often.
Fixes: 147f3efaa241 ("sched/fair: Implement an EEVDF-like scheduling policy")
Reported-by: Zicheng Qu <quzicheng@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20251106111741.GC4068168@noisy.programming.kicks-ass.net
Cc: stable@vger.kernel.org
[ Adjust context in comments + init_cfs_rq ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/debug.c | 8 ++--
kernel/sched/fair.c | 84 +++++++++++----------------------------------------
kernel/sched/sched.h | 4 +-
3 files changed, 25 insertions(+), 71 deletions(-)
--- a/kernel/sched/debug.c
+++ b/kernel/sched/debug.c
@@ -804,7 +804,7 @@ static void print_rq(struct seq_file *m,
void print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq)
{
- s64 left_vruntime = -1, min_vruntime, right_vruntime = -1, left_deadline = -1, spread;
+ s64 left_vruntime = -1, zero_vruntime, right_vruntime = -1, left_deadline = -1, spread;
struct sched_entity *last, *first, *root;
struct rq *rq = cpu_rq(cpu);
unsigned long flags;
@@ -827,15 +827,15 @@ void print_cfs_rq(struct seq_file *m, in
last = __pick_last_entity(cfs_rq);
if (last)
right_vruntime = last->vruntime;
- min_vruntime = cfs_rq->min_vruntime;
+ zero_vruntime = cfs_rq->zero_vruntime;
raw_spin_rq_unlock_irqrestore(rq, flags);
SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "left_deadline",
SPLIT_NS(left_deadline));
SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "left_vruntime",
SPLIT_NS(left_vruntime));
- SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "min_vruntime",
- SPLIT_NS(min_vruntime));
+ SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "zero_vruntime",
+ SPLIT_NS(zero_vruntime));
SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "avg_vruntime",
SPLIT_NS(avg_vruntime(cfs_rq)));
SEQ_printf(m, " .%-30s: %Ld.%06ld\n", "right_vruntime",
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -553,7 +553,7 @@ static inline bool entity_before(const s
static inline s64 entity_key(struct cfs_rq *cfs_rq, struct sched_entity *se)
{
- return (s64)(se->vruntime - cfs_rq->min_vruntime);
+ return (s64)(se->vruntime - cfs_rq->zero_vruntime);
}
#define __node_2_se(node) \
@@ -605,13 +605,13 @@ static inline s64 entity_key(struct cfs_
*
* Which we track using:
*
- * v0 := cfs_rq->min_vruntime
+ * v0 := cfs_rq->zero_vruntime
* \Sum (v_i - v0) * w_i := cfs_rq->avg_vruntime
* \Sum w_i := cfs_rq->avg_load
*
- * Since min_vruntime is a monotonic increasing variable that closely tracks
- * the per-task service, these deltas: (v_i - v), will be in the order of the
- * maximal (virtual) lag induced in the system due to quantisation.
+ * Since zero_vruntime closely tracks the per-task service, these
+ * deltas: (v_i - v), will be in the order of the maximal (virtual) lag
+ * induced in the system due to quantisation.
*
* Also, we use scale_load_down() to reduce the size.
*
@@ -670,7 +670,7 @@ u64 avg_vruntime(struct cfs_rq *cfs_rq)
avg = div_s64(avg, load);
}
- return cfs_rq->min_vruntime + avg;
+ return cfs_rq->zero_vruntime + avg;
}
/*
@@ -736,7 +736,7 @@ static int vruntime_eligible(struct cfs_
load += weight;
}
- return avg >= (s64)(vruntime - cfs_rq->min_vruntime) * load;
+ return avg >= (s64)(vruntime - cfs_rq->zero_vruntime) * load;
}
int entity_eligible(struct cfs_rq *cfs_rq, struct sched_entity *se)
@@ -744,42 +744,14 @@ int entity_eligible(struct cfs_rq *cfs_r
return vruntime_eligible(cfs_rq, se->vruntime);
}
-static u64 __update_min_vruntime(struct cfs_rq *cfs_rq, u64 vruntime)
+static void update_zero_vruntime(struct cfs_rq *cfs_rq)
{
- u64 min_vruntime = cfs_rq->min_vruntime;
- /*
- * open coded max_vruntime() to allow updating avg_vruntime
- */
- s64 delta = (s64)(vruntime - min_vruntime);
- if (delta > 0) {
- avg_vruntime_update(cfs_rq, delta);
- min_vruntime = vruntime;
- }
- return min_vruntime;
-}
-
-static void update_min_vruntime(struct cfs_rq *cfs_rq)
-{
- struct sched_entity *se = __pick_root_entity(cfs_rq);
- struct sched_entity *curr = cfs_rq->curr;
- u64 vruntime = cfs_rq->min_vruntime;
+ u64 vruntime = avg_vruntime(cfs_rq);
+ s64 delta = (s64)(vruntime - cfs_rq->zero_vruntime);
- if (curr) {
- if (curr->on_rq)
- vruntime = curr->vruntime;
- else
- curr = NULL;
- }
+ avg_vruntime_update(cfs_rq, delta);
- if (se) {
- if (!curr)
- vruntime = se->min_vruntime;
- else
- vruntime = min_vruntime(vruntime, se->min_vruntime);
- }
-
- /* ensure we never gain time by being placed backwards. */
- cfs_rq->min_vruntime = __update_min_vruntime(cfs_rq, vruntime);
+ cfs_rq->zero_vruntime = vruntime;
}
static inline u64 cfs_rq_min_slice(struct cfs_rq *cfs_rq)
@@ -852,6 +824,7 @@ RB_DECLARE_CALLBACKS(static, min_vruntim
static void __enqueue_entity(struct cfs_rq *cfs_rq, struct sched_entity *se)
{
avg_vruntime_add(cfs_rq, se);
+ update_zero_vruntime(cfs_rq);
se->min_vruntime = se->vruntime;
se->min_slice = se->slice;
rb_add_augmented_cached(&se->run_node, &cfs_rq->tasks_timeline,
@@ -863,6 +836,7 @@ static void __dequeue_entity(struct cfs_
rb_erase_augmented_cached(&se->run_node, &cfs_rq->tasks_timeline,
&min_vruntime_cb);
avg_vruntime_sub(cfs_rq, se);
+ update_zero_vruntime(cfs_rq);
}
struct sched_entity *__pick_root_entity(struct cfs_rq *cfs_rq)
@@ -1243,7 +1217,6 @@ static void update_curr(struct cfs_rq *c
curr->vruntime += calc_delta_fair(delta_exec, curr);
resched = update_deadline(cfs_rq, curr);
- update_min_vruntime(cfs_rq);
if (entity_is_task(curr)) {
struct task_struct *p = task_of(curr);
@@ -3937,15 +3910,6 @@ static void reweight_entity(struct cfs_r
update_load_add(&cfs_rq->load, se->load.weight);
if (!curr)
__enqueue_entity(cfs_rq, se);
-
- /*
- * The entity's vruntime has been adjusted, so let's check
- * whether the rq-wide min_vruntime needs updated too. Since
- * the calculations above require stable min_vruntime rather
- * than up-to-date one, we do the update at the end of the
- * reweight process.
- */
- update_min_vruntime(cfs_rq);
}
}
@@ -5614,15 +5578,6 @@ dequeue_entity(struct cfs_rq *cfs_rq, st
update_cfs_group(se);
- /*
- * Now advance min_vruntime if @se was the entity holding it back,
- * except when: DEQUEUE_SAVE && !DEQUEUE_MOVE, in this case we'll be
- * put back on, and if we advance min_vruntime, we'll be placed back
- * further than we started -- i.e. we'll be penalized.
- */
- if ((flags & (DEQUEUE_SAVE | DEQUEUE_MOVE)) != DEQUEUE_SAVE)
- update_min_vruntime(cfs_rq);
-
if (flags & DEQUEUE_DELAYED)
finish_delayed_dequeue_entity(se);
@@ -9165,7 +9120,6 @@ static void yield_task_fair(struct rq *r
if (entity_eligible(cfs_rq, se)) {
se->vruntime = se->deadline;
se->deadline += calc_delta_fair(se->slice, se);
- update_min_vruntime(cfs_rq);
}
}
@@ -13093,7 +13047,7 @@ static inline void task_tick_core(struct
}
/*
- * se_fi_update - Update the cfs_rq->min_vruntime_fi in a CFS hierarchy if needed.
+ * se_fi_update - Update the cfs_rq->zero_vruntime_fi in a CFS hierarchy if needed.
*/
static void se_fi_update(const struct sched_entity *se, unsigned int fi_seq,
bool forceidle)
@@ -13107,7 +13061,7 @@ static void se_fi_update(const struct sc
cfs_rq->forceidle_seq = fi_seq;
}
- cfs_rq->min_vruntime_fi = cfs_rq->min_vruntime;
+ cfs_rq->zero_vruntime_fi = cfs_rq->zero_vruntime;
}
}
@@ -13160,11 +13114,11 @@ bool cfs_prio_less(const struct task_str
/*
* Find delta after normalizing se's vruntime with its cfs_rq's
- * min_vruntime_fi, which would have been updated in prior calls
+ * zero_vruntime_fi, which would have been updated in prior calls
* to se_fi_update().
*/
delta = (s64)(sea->vruntime - seb->vruntime) +
- (s64)(cfs_rqb->min_vruntime_fi - cfs_rqa->min_vruntime_fi);
+ (s64)(cfs_rqb->zero_vruntime_fi - cfs_rqa->zero_vruntime_fi);
return delta > 0;
}
@@ -13402,7 +13356,7 @@ static void set_next_task_fair(struct rq
void init_cfs_rq(struct cfs_rq *cfs_rq)
{
cfs_rq->tasks_timeline = RB_ROOT_CACHED;
- cfs_rq->min_vruntime = (u64)(-(1LL << 20));
+ cfs_rq->zero_vruntime = (u64)(-(1LL << 20));
#ifdef CONFIG_SMP
raw_spin_lock_init(&cfs_rq->removed.lock);
#endif
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -660,10 +660,10 @@ struct cfs_rq {
s64 avg_vruntime;
u64 avg_load;
- u64 min_vruntime;
+ u64 zero_vruntime;
#ifdef CONFIG_SCHED_CORE
unsigned int forceidle_seq;
- u64 min_vruntime_fi;
+ u64 zero_vruntime_fi;
#endif
struct rb_root_cached tasks_timeline;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 489/567] erofs: fix unexpected EIO under memory pressure
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 488/567] sched/eevdf: Fix min_vruntime vs avg_vruntime Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 490/567] sched_ext: Fix incorrect sched_class settings for per-cpu migration tasks Greg Kroah-Hartman
` (91 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jaewook Kim, Sungjong Seo,
Junbeom Yeom, Gao Xiang, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junbeom Yeom <junbeom.yeom@samsung.com>
[ Upstream commit 4012d78562193ef5eb613bad4b0c0fa187637cfe ]
erofs readahead could fail with ENOMEM under the memory pressure because
it tries to alloc_page with GFP_NOWAIT | GFP_NORETRY, while GFP_KERNEL
for a regular read. And if readahead fails (with non-uptodate folios),
the original request will then fall back to synchronous read, and
`.read_folio()` should return appropriate errnos.
However, in scenarios where readahead and read operations compete,
read operation could return an unintended EIO because of an incorrect
error propagation.
To resolve this, this patch modifies the behavior so that, when the
PCL is for read(which means pcl.besteffort is true), it attempts actual
decompression instead of propagating the privios error except initial EIO.
- Page size: 4K
- The original size of FileA: 16K
- Compress-ratio per PCL: 50% (Uncompressed 8K -> Compressed 4K)
[page0, page1] [page2, page3]
[PCL0]---------[PCL1]
- functions declaration:
. pread(fd, buf, count, offset)
. readahead(fd, offset, count)
- Thread A tries to read the last 4K
- Thread B tries to do readahead 8K from 4K
- RA, besteffort == false
- R, besteffort == true
<process A> <process B>
pread(FileA, buf, 4K, 12K)
do readahead(page3) // failed with ENOMEM
wait_lock(page3)
if (!uptodate(page3))
goto do_read
readahead(FileA, 4K, 8K)
// Here create PCL-chain like below:
// [null, page1] [page2, null]
// [PCL0:RA]-----[PCL1:RA]
...
do read(page3) // found [PCL1:RA] and add page3 into it,
// and then, change PCL1 from RA to R
...
// Now, PCL-chain is as below:
// [null, page1] [page2, page3]
// [PCL0:RA]-----[PCL1:R]
// try to decompress PCL-chain...
z_erofs_decompress_queue
err = 0;
// failed with ENOMEM, so page 1
// only for RA will not be uptodated.
// it's okay.
err = decompress([PCL0:RA], err)
// However, ENOMEM propagated to next
// PCL, even though PCL is not only
// for RA but also for R. As a result,
// it just failed with ENOMEM without
// trying any decompression, so page2
// and page3 will not be uptodated.
** BUG HERE ** --> err = decompress([PCL1:R], err)
return err as ENOMEM
...
wait_lock(page3)
if (!uptodate(page3))
return EIO <-- Return an unexpected EIO!
...
Fixes: 2349d2fa02db ("erofs: sunset unneeded NOFAILs")
Cc: stable@vger.kernel.org
Reviewed-by: Jaewook Kim <jw5454.kim@samsung.com>
Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
Signed-off-by: Junbeom Yeom <junbeom.yeom@samsung.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/erofs/zdata.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1244,14 +1244,14 @@ static int z_erofs_parse_in_bvecs(struct
return err;
}
-static int z_erofs_decompress_pcluster(struct z_erofs_backend *be, int err)
+static int z_erofs_decompress_pcluster(struct z_erofs_backend *be, bool eio)
{
struct erofs_sb_info *const sbi = EROFS_SB(be->sb);
struct z_erofs_pcluster *pcl = be->pcl;
unsigned int pclusterpages = z_erofs_pclusterpages(pcl);
const struct z_erofs_decompressor *decomp =
z_erofs_decomp[pcl->algorithmformat];
- int i, j, jtop, err2;
+ int i, j, jtop, err2, err = eio ? -EIO : 0;
struct page *page;
bool overlapped;
bool try_free = true;
@@ -1381,12 +1381,12 @@ static int z_erofs_decompress_queue(cons
.pcl = io->head,
};
struct z_erofs_pcluster *next;
- int err = io->eio ? -EIO : 0;
+ int err = 0;
for (; be.pcl != Z_EROFS_PCLUSTER_TAIL; be.pcl = next) {
DBG_BUGON(!be.pcl);
next = READ_ONCE(be.pcl->next);
- err = z_erofs_decompress_pcluster(&be, err) ?: err;
+ err = z_erofs_decompress_pcluster(&be, io->eio) ?: err;
}
return err;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 490/567] sched_ext: Fix incorrect sched_class settings for per-cpu migration tasks
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 489/567] erofs: fix unexpected EIO under memory pressure Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 491/567] jbd2: fix the inconsistency between checksum and data in memory for journal sb Greg Kroah-Hartman
` (90 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zqiang, Andrea Righi, Tejun Heo,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zqiang <qiang.zhang@linux.dev>
[ Upstream commit 1dd6c84f1c544e552848a8968599220bd464e338 ]
When loading the ebpf scheduler, the tasks in the scx_tasks list will
be traversed and invoke __setscheduler_class() to get new sched_class.
however, this would also incorrectly set the per-cpu migration
task's->sched_class to rt_sched_class, even after unload, the per-cpu
migration task's->sched_class remains sched_rt_class.
The log for this issue is as follows:
./scx_rustland --stats 1
[ 199.245639][ T630] sched_ext: "rustland" does not implement cgroup cpu.weight
[ 199.269213][ T630] sched_ext: BPF scheduler "rustland" enabled
04:25:09 [INFO] RustLand scheduler attached
bpftrace -e 'iter:task /strcontains(ctx->task->comm, "migration")/
{ printf("%s:%d->%pS\n", ctx->task->comm, ctx->task->pid, ctx->task->sched_class); }'
Attaching 1 probe...
migration/0:24->rt_sched_class+0x0/0xe0
migration/1:27->rt_sched_class+0x0/0xe0
migration/2:33->rt_sched_class+0x0/0xe0
migration/3:39->rt_sched_class+0x0/0xe0
migration/4:45->rt_sched_class+0x0/0xe0
migration/5:52->rt_sched_class+0x0/0xe0
migration/6:58->rt_sched_class+0x0/0xe0
migration/7:64->rt_sched_class+0x0/0xe0
sched_ext: BPF scheduler "rustland" disabled (unregistered from user space)
EXIT: unregistered from user space
04:25:21 [INFO] Unregister RustLand scheduler
bpftrace -e 'iter:task /strcontains(ctx->task->comm, "migration")/
{ printf("%s:%d->%pS\n", ctx->task->comm, ctx->task->pid, ctx->task->sched_class); }'
Attaching 1 probe...
migration/0:24->rt_sched_class+0x0/0xe0
migration/1:27->rt_sched_class+0x0/0xe0
migration/2:33->rt_sched_class+0x0/0xe0
migration/3:39->rt_sched_class+0x0/0xe0
migration/4:45->rt_sched_class+0x0/0xe0
migration/5:52->rt_sched_class+0x0/0xe0
migration/6:58->rt_sched_class+0x0/0xe0
migration/7:64->rt_sched_class+0x0/0xe0
This commit therefore generate a new scx_setscheduler_class() and
add check for stop_sched_class to replace __setscheduler_class().
Fixes: f0e1a0643a59 ("sched_ext: Implement BPF extensible scheduler class")
Cc: stable@vger.kernel.org # v6.12+
Signed-off-by: Zqiang <qiang.zhang@linux.dev>
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -1057,6 +1057,14 @@ static struct scx_dispatch_q *find_user_
return rhashtable_lookup_fast(&dsq_hash, &dsq_id, dsq_hash_params);
}
+static const struct sched_class *scx_setscheduler_class(struct task_struct *p)
+{
+ if (p->sched_class == &stop_sched_class)
+ return &stop_sched_class;
+
+ return __setscheduler_class(p->policy, p->prio);
+}
+
/*
* scx_kf_mask enforcement. Some kfuncs can only be called from specific SCX
* ops. When invoking SCX ops, SCX_CALL_OP[_RET]() should be used to indicate
@@ -4653,8 +4661,7 @@ static void scx_ops_disable_workfn(struc
scx_task_iter_start(&sti);
while ((p = scx_task_iter_next_locked(&sti))) {
const struct sched_class *old_class = p->sched_class;
- const struct sched_class *new_class =
- __setscheduler_class(p->policy, p->prio);
+ const struct sched_class *new_class = scx_setscheduler_class(p);
struct sched_enq_and_set_ctx ctx;
if (old_class != new_class && p->se.sched_delayed)
@@ -5368,8 +5375,7 @@ static int scx_ops_enable(struct sched_e
scx_task_iter_start(&sti);
while ((p = scx_task_iter_next_locked(&sti))) {
const struct sched_class *old_class = p->sched_class;
- const struct sched_class *new_class =
- __setscheduler_class(p->policy, p->prio);
+ const struct sched_class *new_class = scx_setscheduler_class(p);
struct sched_enq_and_set_ctx ctx;
if (!tryget_task_struct(p))
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 491/567] jbd2: fix the inconsistency between checksum and data in memory for journal sb
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 490/567] sched_ext: Fix incorrect sched_class settings for per-cpu migration tasks Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 492/567] tty: introduce and use tty_port_tty_vhangup() helper Greg Kroah-Hartman
` (89 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Baokun Li, Darrick J. Wong,
Jan Kara, Theodore Tso, stable, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 6abfe107894af7e8ce3a2e120c619d81ee764ad5 ]
Copying the file system while it is mounted as read-only results in
a mount failure:
[~]# mkfs.ext4 -F /dev/sdc
[~]# mount /dev/sdc -o ro /mnt/test
[~]# dd if=/dev/sdc of=/dev/sda bs=1M
[~]# mount /dev/sda /mnt/test1
[ 1094.849826] JBD2: journal checksum error
[ 1094.850927] EXT4-fs (sda): Could not load journal inode
mount: mount /dev/sda on /mnt/test1 failed: Bad message
The process described above is just an abstracted way I came up with to
reproduce the issue. In the actual scenario, the file system was mounted
read-only and then copied while it was still mounted. It was found that
the mount operation failed. The user intended to verify the data or use
it as a backup, and this action was performed during a version upgrade.
Above issue may happen as follows:
ext4_fill_super
set_journal_csum_feature_set(sb)
if (ext4_has_metadata_csum(sb))
incompat = JBD2_FEATURE_INCOMPAT_CSUM_V3;
if (test_opt(sb, JOURNAL_CHECKSUM)
jbd2_journal_set_features(sbi->s_journal, compat, 0, incompat);
lock_buffer(journal->j_sb_buffer);
sb->s_feature_incompat |= cpu_to_be32(incompat);
//The data in the journal sb was modified, but the checksum was not
updated, so the data remaining in memory has a mismatch between the
data and the checksum.
unlock_buffer(journal->j_sb_buffer);
In this case, the journal sb copied over is in a state where the checksum
and data are inconsistent, so mounting fails.
To solve the above issue, update the checksum in memory after modifying
the journal sb.
Fixes: 4fd5ea43bc11 ("jbd2: checksum journal superblock")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251103010123.3753631-1-yebin@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[ jbd2_superblock_csum() also takes a journal param ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -2375,6 +2375,12 @@ int jbd2_journal_set_features(journal_t
sb->s_feature_compat |= cpu_to_be32(compat);
sb->s_feature_ro_compat |= cpu_to_be32(ro);
sb->s_feature_incompat |= cpu_to_be32(incompat);
+ /*
+ * Update the checksum now so that it is valid even for read-only
+ * filesystems where jbd2_write_superblock() doesn't get called.
+ */
+ if (jbd2_journal_has_csum_v2or3(journal))
+ sb->s_checksum = jbd2_superblock_csum(journal, sb);
unlock_buffer(journal->j_sb_buffer);
jbd2_journal_init_transaction_limits(journal);
@@ -2404,9 +2410,17 @@ void jbd2_journal_clear_features(journal
sb = journal->j_superblock;
+ lock_buffer(journal->j_sb_buffer);
sb->s_feature_compat &= ~cpu_to_be32(compat);
sb->s_feature_ro_compat &= ~cpu_to_be32(ro);
sb->s_feature_incompat &= ~cpu_to_be32(incompat);
+ /*
+ * Update the checksum now so that it is valid even for read-only
+ * filesystems where jbd2_write_superblock() doesn't get called.
+ */
+ if (jbd2_journal_has_csum_v2or3(journal))
+ sb->s_checksum = jbd2_superblock_csum(journal, sb);
+ unlock_buffer(journal->j_sb_buffer);
jbd2_journal_init_transaction_limits(journal);
}
EXPORT_SYMBOL(jbd2_journal_clear_features);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 492/567] tty: introduce and use tty_port_tty_vhangup() helper
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 491/567] jbd2: fix the inconsistency between checksum and data in memory for journal sb Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 493/567] xhci: dbgtty: fix device unregister: fixup Greg Kroah-Hartman
` (88 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE), Karsten Keil,
David Lin, Johan Hovold, Alex Elder, Oliver Neukum,
Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
Ilpo Järvinen, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
[ Upstream commit 2b5eac0f8c6e79bc152c8804f9f88d16717013ab ]
This code (tty_get -> vhangup -> tty_put) is repeated on few places.
Introduce a helper similar to tty_port_tty_hangup() (asynchronous) to
handle even vhangup (synchronous).
And use it on those places.
In fact, reuse the tty_port_tty_hangup()'s code and call tty_vhangup()
depending on a new bool parameter.
Signed-off-by: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: David Lin <dtwlin@gmail.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: Alex Elder <elder@kernel.org>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20250611100319.186924-2-jirislaby@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 74098cc06e75 ("xhci: dbgtty: fix device unregister: fixup")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/isdn/capi/capi.c | 8 +-------
drivers/staging/greybus/uart.c | 7 +------
drivers/tty/serial/serial_core.c | 7 +------
drivers/tty/tty_port.c | 12 ++++++++----
drivers/usb/class/cdc-acm.c | 7 +------
drivers/usb/serial/usb-serial.c | 7 +------
include/linux/tty_port.h | 12 +++++++++++-
net/bluetooth/rfcomm/tty.c | 7 +------
8 files changed, 25 insertions(+), 42 deletions(-)
--- a/drivers/isdn/capi/capi.c
+++ b/drivers/isdn/capi/capi.c
@@ -306,15 +306,9 @@ static void capincci_alloc_minor(struct
static void capincci_free_minor(struct capincci *np)
{
struct capiminor *mp = np->minorp;
- struct tty_struct *tty;
if (mp) {
- tty = tty_port_tty_get(&mp->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
-
+ tty_port_tty_vhangup(&mp->port);
capiminor_free(mp);
}
}
--- a/drivers/staging/greybus/uart.c
+++ b/drivers/staging/greybus/uart.c
@@ -914,7 +914,6 @@ static void gb_uart_remove(struct gbphy_
{
struct gb_tty *gb_tty = gb_gbphy_get_data(gbphy_dev);
struct gb_connection *connection = gb_tty->connection;
- struct tty_struct *tty;
int ret;
ret = gbphy_runtime_get_sync(gbphy_dev);
@@ -927,11 +926,7 @@ static void gb_uart_remove(struct gbphy_
wake_up_all(&gb_tty->wioctl);
mutex_unlock(&gb_tty->mutex);
- tty = tty_port_tty_get(&gb_tty->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(&gb_tty->port);
gb_connection_disable_rx(connection);
tty_unregister_device(gb_tty_driver, gb_tty->minor);
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -3238,7 +3238,6 @@ static void serial_core_remove_one_port(
struct uart_state *state = drv->state + uport->line;
struct tty_port *port = &state->port;
struct uart_port *uart_port;
- struct tty_struct *tty;
mutex_lock(&port->mutex);
uart_port = uart_port_check(state);
@@ -3257,11 +3256,7 @@ static void serial_core_remove_one_port(
*/
tty_port_unregister_device(port, drv->tty_driver, uport->line);
- tty = tty_port_tty_get(port);
- if (tty) {
- tty_vhangup(port->tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(port);
/*
* If the port is used as a console, unregister it
--- a/drivers/tty/tty_port.c
+++ b/drivers/tty/tty_port.c
@@ -416,15 +416,19 @@ EXPORT_SYMBOL(tty_port_hangup);
* @port: tty port
* @check_clocal: hang only ttys with %CLOCAL unset?
*/
-void tty_port_tty_hangup(struct tty_port *port, bool check_clocal)
+void __tty_port_tty_hangup(struct tty_port *port, bool check_clocal, bool async)
{
struct tty_struct *tty = tty_port_tty_get(port);
- if (tty && (!check_clocal || !C_CLOCAL(tty)))
- tty_hangup(tty);
+ if (tty && (!check_clocal || !C_CLOCAL(tty))) {
+ if (async)
+ tty_hangup(tty);
+ else
+ tty_vhangup(tty);
+ }
tty_kref_put(tty);
}
-EXPORT_SYMBOL_GPL(tty_port_tty_hangup);
+EXPORT_SYMBOL_GPL(__tty_port_tty_hangup);
/**
* tty_port_tty_wakeup - helper to wake up a tty
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1572,7 +1572,6 @@ err_put_port:
static void acm_disconnect(struct usb_interface *intf)
{
struct acm *acm = usb_get_intfdata(intf);
- struct tty_struct *tty;
int i;
/* sibling interface is already cleaning up */
@@ -1599,11 +1598,7 @@ static void acm_disconnect(struct usb_in
usb_set_intfdata(acm->data, NULL);
mutex_unlock(&acm->mutex);
- tty = tty_port_tty_get(&acm->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(&acm->port);
cancel_delayed_work_sync(&acm->dwork);
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -1178,7 +1178,6 @@ static void usb_serial_disconnect(struct
struct usb_serial *serial = usb_get_intfdata(interface);
struct device *dev = &interface->dev;
struct usb_serial_port *port;
- struct tty_struct *tty;
/* sibling interface is cleaning up */
if (!serial)
@@ -1193,11 +1192,7 @@ static void usb_serial_disconnect(struct
for (i = 0; i < serial->num_ports; ++i) {
port = serial->port[i];
- tty = tty_port_tty_get(&port->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(&port->port);
usb_serial_port_poison_urbs(port);
wake_up_interruptible(&port->port.delta_msr_wait);
cancel_work_sync(&port->work);
--- a/include/linux/tty_port.h
+++ b/include/linux/tty_port.h
@@ -235,7 +235,7 @@ bool tty_port_carrier_raised(struct tty_
void tty_port_raise_dtr_rts(struct tty_port *port);
void tty_port_lower_dtr_rts(struct tty_port *port);
void tty_port_hangup(struct tty_port *port);
-void tty_port_tty_hangup(struct tty_port *port, bool check_clocal);
+void __tty_port_tty_hangup(struct tty_port *port, bool check_clocal, bool async);
void tty_port_tty_wakeup(struct tty_port *port);
int tty_port_block_til_ready(struct tty_port *port, struct tty_struct *tty,
struct file *filp);
@@ -254,4 +254,14 @@ static inline int tty_port_users(struct
return port->count + port->blocked_open;
}
+static inline void tty_port_tty_hangup(struct tty_port *port, bool check_clocal)
+{
+ __tty_port_tty_hangup(port, check_clocal, true);
+}
+
+static inline void tty_port_tty_vhangup(struct tty_port *port)
+{
+ __tty_port_tty_hangup(port, false, false);
+}
+
#endif
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -438,7 +438,6 @@ static int __rfcomm_release_dev(void __u
{
struct rfcomm_dev_req req;
struct rfcomm_dev *dev;
- struct tty_struct *tty;
if (copy_from_user(&req, arg, sizeof(req)))
return -EFAULT;
@@ -464,11 +463,7 @@ static int __rfcomm_release_dev(void __u
rfcomm_dlc_close(dev->dlc, 0);
/* Shut down TTY synchronously before freeing rfcomm_dev */
- tty = tty_port_tty_get(&dev->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(&dev->port);
if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
tty_port_put(&dev->port);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 493/567] xhci: dbgtty: fix device unregister: fixup
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 492/567] tty: introduce and use tty_port_tty_vhangup() helper Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-07 0:04 ` Łukasz Bartosik
2026-01-06 17:04 ` [PATCH 6.12 494/567] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Greg Kroah-Hartman
` (87 subsequent siblings)
580 siblings, 1 reply; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Łukasz Bartosik,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Łukasz Bartosik <ukaszb@chromium.org>
[ Upstream commit 74098cc06e753d3ffd8398b040a3a1dfb65260c0 ]
This fixup replaces tty_vhangup() call with call to
tty_port_tty_vhangup(). Both calls hangup tty device
synchronously however tty_port_tty_vhangup() increases
reference count during the hangup operation using
scoped_guard(tty_port_tty).
Cc: stable <stable@kernel.org>
Fixes: 1f73b8b56cf3 ("xhci: dbgtty: fix device unregister")
Signed-off-by: Łukasz Bartosik <ukaszb@chromium.org>
Link: https://patch.msgid.link/20251127111644.3161386-1-ukaszb@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-dbgtty.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-dbgtty.c
+++ b/drivers/usb/host/xhci-dbgtty.c
@@ -522,7 +522,7 @@ static void xhci_dbc_tty_unregister_devi
* Hang up the TTY. This wakes up any blocked
* writers and causes subsequent writes to fail.
*/
- tty_vhangup(port->port.tty);
+ tty_port_tty_vhangup(&port->port);
tty_unregister_device(dbc_tty_driver, port->minor);
xhci_dbc_tty_exit_port(port);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 494/567] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 493/567] xhci: dbgtty: fix device unregister: fixup Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 495/567] f2fs: use global inline_xattr_slab instead of per-sb slab cache Greg Kroah-Hartman
` (86 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 68d05693f8c031257a0822464366e1c2a239a512 ]
mkfs.f2fs -f /dev/vdd
mount /dev/vdd /mnt/f2fs
touch /mnt/f2fs/foo
sync # avoid CP_UMOUNT_FLAG in last f2fs_checkpoint.ckpt_flags
touch /mnt/f2fs/bar
f2fs_io fsync /mnt/f2fs/bar
f2fs_io shutdown 2 /mnt/f2fs
umount /mnt/f2fs
blockdev --setro /dev/vdd
mount /dev/vdd /mnt/f2fs
mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only.
For the case if we create and fsync a new inode before sudden power-cut,
without norecovery or disable_roll_forward mount option, the following
mount will succeed w/o recovering last fsynced inode.
The problem here is that we only check inode_list list after
find_fsync_dnodes() in f2fs_recover_fsync_data() to find out whether
there is recoverable data in the iamge, but there is a missed case, if
last fsynced inode is not existing in last checkpoint, then, we will
fail to get its inode due to nat of inode node is not existing in last
checkpoint, so the inode won't be linked in inode_list.
Let's detect such case in dyrun mode to fix this issue.
After this change, mount will fail as expected below:
mount: /mnt/f2fs: cannot mount /dev/vdd read-only.
dmesg(1) may have more information after failed mount system call.
demsg:
F2FS-fs (vdd): Need to recover fsync data, but write access unavailable, please try mount w/ disable_roll_forward or norecovery
Cc: stable@kernel.org
Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/recovery.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -398,7 +398,7 @@ static int sanity_check_node_chain(struc
}
static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head,
- bool check_only)
+ bool check_only, bool *new_inode)
{
struct curseg_info *curseg;
struct page *page = NULL;
@@ -445,16 +445,19 @@ static int find_fsync_dnodes(struct f2fs
quota_inode = true;
}
- /*
- * CP | dnode(F) | inode(DF)
- * For this case, we should not give up now.
- */
entry = add_fsync_inode(sbi, head, ino_of_node(page),
quota_inode);
if (IS_ERR(entry)) {
err = PTR_ERR(entry);
- if (err == -ENOENT)
+ /*
+ * CP | dnode(F) | inode(DF)
+ * For this case, we should not give up now.
+ */
+ if (err == -ENOENT) {
+ if (check_only)
+ *new_inode = true;
goto next;
+ }
f2fs_put_page(page, 1);
break;
}
@@ -852,6 +855,7 @@ int f2fs_recover_fsync_data(struct f2fs_
int ret = 0;
unsigned long s_flags = sbi->sb->s_flags;
bool need_writecp = false;
+ bool new_inode = false;
if (is_sbi_flag_set(sbi, SBI_IS_WRITABLE))
f2fs_info(sbi, "recover fsync data on readonly fs");
@@ -864,8 +868,8 @@ int f2fs_recover_fsync_data(struct f2fs_
f2fs_down_write(&sbi->cp_global_sem);
/* step #1: find fsynced inode numbers */
- err = find_fsync_dnodes(sbi, &inode_list, check_only);
- if (err || list_empty(&inode_list))
+ err = find_fsync_dnodes(sbi, &inode_list, check_only, &new_inode);
+ if (err < 0 || (list_empty(&inode_list) && (!check_only || !new_inode)))
goto skip;
if (check_only) {
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 495/567] f2fs: use global inline_xattr_slab instead of per-sb slab cache
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 494/567] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 496/567] f2fs: drop inode from the donation list when the last file is closed Greg Kroah-Hartman
` (85 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Hong Yun, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 ]
As Hong Yun reported in mailing list:
loop7: detected capacity change from 0 to 131072
------------[ cut here ]------------
kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
Call Trace:
__kmem_cache_create include/linux/slab.h:353 [inline]
f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]
f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843
f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918
get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692
vfs_get_tree+0x43/0x140 fs/super.c:1815
do_new_mount+0x201/0x550 fs/namespace.c:3808
do_mount fs/namespace.c:4136 [inline]
__do_sys_mount fs/namespace.c:4347 [inline]
__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug can be reproduced w/ below scripts:
- mount /dev/vdb /mnt1
- mount /dev/vdc /mnt2
- umount /mnt1
- mounnt /dev/vdb /mnt1
The reason is if we created two slab caches, named f2fs_xattr_entry-7:3
and f2fs_xattr_entry-7:7, and they have the same slab size. Actually,
slab system will only create one slab cache core structure which has
slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same
structure and cache address.
So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will
decrease reference count of slab cache, rather than release slab cache
entirely, since there is one more user has referenced the cache.
Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again,
slab system will find that there is existed cache which has the same name
and trigger the warning.
Let's changes to use global inline_xattr_slab instead of per-sb slab cache
for fixing.
Fixes: a999150f4fe3 ("f2fs: use kmem_cache pool during inline xattr lookups")
Cc: stable@kernel.org
Reported-by: Hong Yun <yhong@link.cuhk.edu.hk>
Tested-by: Hong Yun <yhong@link.cuhk.edu.hk>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 3 ---
fs/f2fs/super.c | 17 ++++++++---------
fs/f2fs/xattr.c | 30 ++++++++++--------------------
fs/f2fs/xattr.h | 10 ++++++----
4 files changed, 24 insertions(+), 36 deletions(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1804,9 +1804,6 @@ struct f2fs_sb_info {
spinlock_t error_lock; /* protect errors/stop_reason array */
bool error_dirty; /* errors of sb is dirty */
- struct kmem_cache *inline_xattr_slab; /* inline xattr entry */
- unsigned int inline_xattr_slab_size; /* default inline xattr slab size */
-
/* For reclaimed segs statistics per each GC mode */
unsigned int gc_segment_mode; /* GC state for reclaimed segments */
unsigned int gc_reclaimed_segs[MAX_GC_MODE]; /* Reclaimed segs for each mode */
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1695,7 +1695,6 @@ static void f2fs_put_super(struct super_
kfree(sbi->raw_super);
f2fs_destroy_page_array_cache(sbi);
- f2fs_destroy_xattr_caches(sbi);
#ifdef CONFIG_QUOTA
for (i = 0; i < MAXQUOTAS; i++)
kfree(F2FS_OPTION(sbi).s_qf_names[i]);
@@ -4568,13 +4567,9 @@ try_onemore:
if (err)
goto free_iostat;
- /* init per sbi slab cache */
- err = f2fs_init_xattr_caches(sbi);
- if (err)
- goto free_percpu;
err = f2fs_init_page_array_cache(sbi);
if (err)
- goto free_xattr_cache;
+ goto free_percpu;
/* get an inode for meta space */
sbi->meta_inode = f2fs_iget(sb, F2FS_META_INO(sbi));
@@ -4906,8 +4901,6 @@ free_meta_inode:
sbi->meta_inode = NULL;
free_page_array_cache:
f2fs_destroy_page_array_cache(sbi);
-free_xattr_cache:
- f2fs_destroy_xattr_caches(sbi);
free_percpu:
destroy_percpu_info(sbi);
free_iostat:
@@ -5069,10 +5062,15 @@ static int __init init_f2fs_fs(void)
err = f2fs_create_casefold_cache();
if (err)
goto free_compress_cache;
- err = register_filesystem(&f2fs_fs_type);
+ err = f2fs_init_xattr_cache();
if (err)
goto free_casefold_cache;
+ err = register_filesystem(&f2fs_fs_type);
+ if (err)
+ goto free_xattr_cache;
return 0;
+free_xattr_cache:
+ f2fs_destroy_xattr_cache();
free_casefold_cache:
f2fs_destroy_casefold_cache();
free_compress_cache:
@@ -5113,6 +5111,7 @@ fail:
static void __exit exit_f2fs_fs(void)
{
unregister_filesystem(&f2fs_fs_type);
+ f2fs_destroy_xattr_cache();
f2fs_destroy_casefold_cache();
f2fs_destroy_compress_cache();
f2fs_destroy_compress_mempool();
--- a/fs/f2fs/xattr.c
+++ b/fs/f2fs/xattr.c
@@ -23,11 +23,12 @@
#include "xattr.h"
#include "segment.h"
+static struct kmem_cache *inline_xattr_slab;
static void *xattr_alloc(struct f2fs_sb_info *sbi, int size, bool *is_inline)
{
- if (likely(size == sbi->inline_xattr_slab_size)) {
+ if (likely(size == DEFAULT_XATTR_SLAB_SIZE)) {
*is_inline = true;
- return f2fs_kmem_cache_alloc(sbi->inline_xattr_slab,
+ return f2fs_kmem_cache_alloc(inline_xattr_slab,
GFP_F2FS_ZERO, false, sbi);
}
*is_inline = false;
@@ -38,7 +39,7 @@ static void xattr_free(struct f2fs_sb_in
bool is_inline)
{
if (is_inline)
- kmem_cache_free(sbi->inline_xattr_slab, xattr_addr);
+ kmem_cache_free(inline_xattr_slab, xattr_addr);
else
kfree(xattr_addr);
}
@@ -830,25 +831,14 @@ int f2fs_setxattr(struct inode *inode, i
return err;
}
-int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi)
+int __init f2fs_init_xattr_cache(void)
{
- dev_t dev = sbi->sb->s_bdev->bd_dev;
- char slab_name[32];
-
- sprintf(slab_name, "f2fs_xattr_entry-%u:%u", MAJOR(dev), MINOR(dev));
-
- sbi->inline_xattr_slab_size = F2FS_OPTION(sbi).inline_xattr_size *
- sizeof(__le32) + XATTR_PADDING_SIZE;
-
- sbi->inline_xattr_slab = f2fs_kmem_cache_create(slab_name,
- sbi->inline_xattr_slab_size);
- if (!sbi->inline_xattr_slab)
- return -ENOMEM;
-
- return 0;
+ inline_xattr_slab = f2fs_kmem_cache_create("f2fs_xattr_entry",
+ DEFAULT_XATTR_SLAB_SIZE);
+ return inline_xattr_slab ? 0 : -ENOMEM;
}
-void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi)
+void f2fs_destroy_xattr_cache(void)
{
- kmem_cache_destroy(sbi->inline_xattr_slab);
+ kmem_cache_destroy(inline_xattr_slab);
}
--- a/fs/f2fs/xattr.h
+++ b/fs/f2fs/xattr.h
@@ -89,6 +89,8 @@ struct f2fs_xattr_entry {
F2FS_TOTAL_EXTRA_ATTR_SIZE / sizeof(__le32) - \
DEF_INLINE_RESERVED_SIZE - \
MIN_INLINE_DENTRY_SIZE / sizeof(__le32))
+#define DEFAULT_XATTR_SLAB_SIZE (DEFAULT_INLINE_XATTR_ADDRS * \
+ sizeof(__le32) + XATTR_PADDING_SIZE)
/*
* On-disk structure of f2fs_xattr
@@ -132,8 +134,8 @@ extern int f2fs_setxattr(struct inode *,
extern int f2fs_getxattr(struct inode *, int, const char *, void *,
size_t, struct page *);
extern ssize_t f2fs_listxattr(struct dentry *, char *, size_t);
-extern int f2fs_init_xattr_caches(struct f2fs_sb_info *);
-extern void f2fs_destroy_xattr_caches(struct f2fs_sb_info *);
+extern int __init f2fs_init_xattr_cache(void);
+extern void f2fs_destroy_xattr_cache(void);
#else
#define f2fs_xattr_handlers NULL
@@ -150,8 +152,8 @@ static inline int f2fs_getxattr(struct i
{
return -EOPNOTSUPP;
}
-static inline int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi) { return 0; }
-static inline void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi) { }
+static inline int __init f2fs_init_xattr_cache(void) { return 0; }
+static inline void f2fs_destroy_xattr_cache(void) { }
#endif
#ifdef CONFIG_F2FS_FS_SECURITY
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 496/567] f2fs: drop inode from the donation list when the last file is closed
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 495/567] f2fs: use global inline_xattr_slab instead of per-sb slab cache Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 497/567] f2fs: fix to avoid updating compression context during writeback Greg Kroah-Hartman
` (84 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
[ Upstream commit 078cad8212ce4f4ebbafcc0936475b8215e1ca2a ]
Let's drop the inode from the donation list when there is no other
open file.
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 10b591e7fb7c ("f2fs: fix to avoid updating compression context during writeback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 2 ++
fs/f2fs/file.c | 8 +++++++-
fs/f2fs/inode.c | 2 +-
fs/f2fs/super.c | 1 +
4 files changed, 11 insertions(+), 2 deletions(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -859,6 +859,7 @@ struct f2fs_inode_info {
/* linked in global inode list for cache donation */
struct list_head gdonate_list;
pgoff_t donate_start, donate_end; /* inclusive */
+ atomic_t open_count; /* # of open files */
struct task_struct *atomic_write_task; /* store atomic write task */
struct extent_tree *extent_tree[NR_EXTENT_CACHES];
@@ -3600,6 +3601,7 @@ int f2fs_try_to_free_nats(struct f2fs_sb
void f2fs_update_inode(struct inode *inode, struct page *node_page);
void f2fs_update_inode_page(struct inode *inode);
int f2fs_write_inode(struct inode *inode, struct writeback_control *wbc);
+void f2fs_remove_donate_inode(struct inode *inode);
void f2fs_evict_inode(struct inode *inode);
void f2fs_handle_failed_inode(struct inode *inode);
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -631,7 +631,10 @@ static int f2fs_file_open(struct inode *
if (err)
return err;
- return finish_preallocate_blocks(inode);
+ err = finish_preallocate_blocks(inode);
+ if (!err)
+ atomic_inc(&F2FS_I(inode)->open_count);
+ return err;
}
void f2fs_truncate_data_blocks_range(struct dnode_of_data *dn, int count)
@@ -1992,6 +1995,9 @@ out:
static int f2fs_release_file(struct inode *inode, struct file *filp)
{
+ if (atomic_dec_and_test(&F2FS_I(inode)->open_count))
+ f2fs_remove_donate_inode(inode);
+
/*
* f2fs_release_file is called at every close calls. So we should
* not drop any inmemory pages by close called by other process.
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -807,7 +807,7 @@ int f2fs_write_inode(struct inode *inode
return 0;
}
-static void f2fs_remove_donate_inode(struct inode *inode)
+void f2fs_remove_donate_inode(struct inode *inode)
{
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1425,6 +1425,7 @@ static struct inode *f2fs_alloc_inode(st
/* Initialize f2fs-specific inode info */
atomic_set(&fi->dirty_pages, 0);
atomic_set(&fi->i_compr_blocks, 0);
+ atomic_set(&fi->open_count, 0);
init_f2fs_rwsem(&fi->i_sem);
spin_lock_init(&fi->i_size_lock);
INIT_LIST_HEAD(&fi->dirty_list);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 497/567] f2fs: fix to avoid updating compression context during writeback
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 496/567] f2fs: drop inode from the donation list when the last file is closed Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 498/567] serial: core: fix OF node leak Greg Kroah-Hartman
` (83 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Bai, Shuangpeng, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 ]
Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857
Call Trace:
<TASK>
f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]
__f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]
f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317
do_writepages+0x38e/0x640 mm/page-writeback.c:2634
filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
__filemap_fdatawrite_range mm/filemap.c:419 [inline]
file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794
f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294
generic_write_sync include/linux/fs.h:3043 [inline]
f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x7e9/0xe00 fs/read_write.c:686
ksys_write+0x19d/0x2d0 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The bug was triggered w/ below race condition:
fsync setattr ioctl
- f2fs_do_sync_file
- file_write_and_wait_range
- f2fs_write_cache_pages
: inode is non-compressed
: cc.cluster_size =
F2FS_I(inode)->i_cluster_size = 0
- tag_pages_for_writeback
- f2fs_setattr
- truncate_setsize
- f2fs_truncate
- f2fs_fileattr_set
- f2fs_setflags_common
- set_compress_context
: F2FS_I(inode)->i_cluster_size = 4
: set_inode_flag(inode, FI_COMPRESSED_FILE)
- f2fs_compressed_file
: return true
- f2fs_all_cluster_page_ready
: "pgidx % cc->cluster_size" trigger dividing 0 issue
Let's change as below to fix this issue:
- introduce a new atomic type variable .writeback in structure f2fs_inode_info
to track the number of threads which calling f2fs_write_cache_pages().
- use .i_sem lock to protect .writeback update.
- check .writeback before update compression context in f2fs_setflags_common()
to avoid race w/ ->writepages.
Fixes: 4c8ff7095bef ("f2fs: support data compression")
Cc: stable@kernel.org
Reported-by: Bai, Shuangpeng <sjb7183@psu.edu>
Tested-by: Bai, Shuangpeng <sjb7183@psu.edu>
Closes: https://lore.kernel.org/lkml/44D8F7B3-68AD-425F-9915-65D27591F93F@psu.edu
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/data.c | 17 +++++++++++++++++
fs/f2fs/f2fs.h | 3 ++-
fs/f2fs/file.c | 5 +++--
fs/f2fs/super.c | 1 +
4 files changed, 23 insertions(+), 3 deletions(-)
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -3272,6 +3272,19 @@ static inline bool __should_serialize_io
return false;
}
+static inline void account_writeback(struct inode *inode, bool inc)
+{
+ if (!f2fs_sb_has_compression(F2FS_I_SB(inode)))
+ return;
+
+ f2fs_down_read(&F2FS_I(inode)->i_sem);
+ if (inc)
+ atomic_inc(&F2FS_I(inode)->writeback);
+ else
+ atomic_dec(&F2FS_I(inode)->writeback);
+ f2fs_up_read(&F2FS_I(inode)->i_sem);
+}
+
static int __f2fs_write_data_pages(struct address_space *mapping,
struct writeback_control *wbc,
enum iostat_type io_type)
@@ -3321,10 +3334,14 @@ static int __f2fs_write_data_pages(struc
locked = true;
}
+ account_writeback(inode, true);
+
blk_start_plug(&plug);
ret = f2fs_write_cache_pages(mapping, wbc, io_type);
blk_finish_plug(&plug);
+ account_writeback(inode, false);
+
if (locked)
mutex_unlock(&sbi->writepages);
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -887,6 +887,7 @@ struct f2fs_inode_info {
unsigned char i_compress_level; /* compress level (lz4hc,zstd) */
unsigned char i_compress_flag; /* compress flag */
unsigned int i_cluster_size; /* cluster size */
+ atomic_t writeback; /* count # of writeback thread */
unsigned int atomic_write_cnt;
loff_t original_i_size; /* original i_size before atomic write */
@@ -4540,7 +4541,7 @@ static inline bool f2fs_disable_compress
f2fs_up_write(&fi->i_sem);
return true;
}
- if (f2fs_is_mmap_file(inode) ||
+ if (f2fs_is_mmap_file(inode) || atomic_read(&fi->writeback) ||
(S_ISREG(inode->i_mode) && F2FS_HAS_BLOCKS(inode))) {
f2fs_up_write(&fi->i_sem);
return false;
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2071,8 +2071,9 @@ static int f2fs_setflags_common(struct i
f2fs_down_write(&fi->i_sem);
if (!f2fs_may_compress(inode) ||
- (S_ISREG(inode->i_mode) &&
- F2FS_HAS_BLOCKS(inode))) {
+ atomic_read(&fi->writeback) ||
+ (S_ISREG(inode->i_mode) &&
+ F2FS_HAS_BLOCKS(inode))) {
f2fs_up_write(&fi->i_sem);
return -EINVAL;
}
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1426,6 +1426,7 @@ static struct inode *f2fs_alloc_inode(st
atomic_set(&fi->dirty_pages, 0);
atomic_set(&fi->i_compr_blocks, 0);
atomic_set(&fi->open_count, 0);
+ atomic_set(&fi->writeback, 0);
init_f2fs_rwsem(&fi->i_sem);
spin_lock_init(&fi->i_size_lock);
INIT_LIST_HEAD(&fi->dirty_list);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 498/567] serial: core: fix OF node leak
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (496 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 497/567] f2fs: fix to avoid updating compression context during writeback Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 499/567] serial: core: Restore sysfs fwnode information Greg Kroah-Hartman
` (82 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aidan Stewart, Johan Hovold,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 273cc3406c8d4e830ed45967c70d08d20ca1380e ]
Make sure to drop the OF node reference taken when initialising the
control and port devices when the devices are later released.
Fixes: d36f0e9a0002 ("serial: core: restore of_node information in sysfs")
Cc: Aidan Stewart <astewart@tektelic.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20250708085817.16070-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 24ec03cc5512 ("serial: core: Restore sysfs fwnode information")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/serial_base_bus.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/tty/serial/serial_base_bus.c
+++ b/drivers/tty/serial/serial_base_bus.c
@@ -13,6 +13,7 @@
#include <linux/device.h>
#include <linux/idr.h>
#include <linux/module.h>
+#include <linux/of.h>
#include <linux/serial_core.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
@@ -93,6 +94,7 @@ static void serial_base_ctrl_release(str
{
struct serial_ctrl_device *ctrl_dev = to_serial_base_ctrl_device(dev);
+ of_node_put(dev->of_node);
kfree(ctrl_dev);
}
@@ -140,6 +142,7 @@ static void serial_base_port_release(str
{
struct serial_port_device *port_dev = to_serial_base_port_device(dev);
+ of_node_put(dev->of_node);
kfree(port_dev);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 499/567] serial: core: Restore sysfs fwnode information
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (497 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 498/567] serial: core: fix OF node leak Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 500/567] mptcp: pm: ignore unknown endpoint flags Greg Kroah-Hartman
` (81 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Andy Shevchenko, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 24ec03cc55126b7b3adf102f4b3d9f716532b329 ]
The change that restores sysfs fwnode information does it only for OF cases.
Update the fix to cover all possible types of fwnodes.
Fixes: d36f0e9a0002 ("serial: core: restore of_node information in sysfs")
Cc: stable <stable@kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20251127163650.2942075-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/serial_base_bus.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/tty/serial/serial_base_bus.c
+++ b/drivers/tty/serial/serial_base_bus.c
@@ -13,7 +13,7 @@
#include <linux/device.h>
#include <linux/idr.h>
#include <linux/module.h>
-#include <linux/of.h>
+#include <linux/property.h>
#include <linux/serial_core.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
@@ -60,6 +60,7 @@ void serial_base_driver_unregister(struc
driver_unregister(driver);
}
+/* On failure the caller must put device @dev with put_device() */
static int serial_base_device_init(struct uart_port *port,
struct device *dev,
struct device *parent_dev,
@@ -73,7 +74,8 @@ static int serial_base_device_init(struc
dev->parent = parent_dev;
dev->bus = &serial_base_bus_type;
dev->release = release;
- device_set_of_node_from_dev(dev, parent_dev);
+
+ device_set_node(dev, fwnode_handle_get(dev_fwnode(parent_dev)));
if (!serial_base_initialized) {
dev_dbg(port->dev, "uart_add_one_port() called before arch_initcall()?\n");
@@ -94,7 +96,7 @@ static void serial_base_ctrl_release(str
{
struct serial_ctrl_device *ctrl_dev = to_serial_base_ctrl_device(dev);
- of_node_put(dev->of_node);
+ fwnode_handle_put(dev_fwnode(dev));
kfree(ctrl_dev);
}
@@ -142,7 +144,7 @@ static void serial_base_port_release(str
{
struct serial_port_device *port_dev = to_serial_base_port_device(dev);
- of_node_put(dev->of_node);
+ fwnode_handle_put(dev_fwnode(dev));
kfree(port_dev);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 500/567] mptcp: pm: ignore unknown endpoint flags
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (498 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 499/567] serial: core: Restore sysfs fwnode information Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 501/567] mm/ksm: fix exec/fork inheritance support for prctl Greg Kroah-Hartman
` (80 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 0ace3297a7301911e52d8195cb1006414897c859 ]
Before this patch, the kernel was saving any flags set by the userspace,
even unknown ones. This doesn't cause critical issues because the kernel
is only looking at specific ones. But on the other hand, endpoints dumps
could tell the userspace some recent flags seem to be supported on older
kernel versions.
Instead, ignore all unknown flags when parsing them. By doing that, the
userspace can continue to set unsupported flags, but it has a way to
verify what is supported by the kernel.
Note that it sounds better to continue accepting unsupported flags not
to change the behaviour, but also that eases things on the userspace
side by adding "optional" endpoint types only supported by newer kernel
versions without having to deal with the different kernel versions.
A note for the backports: there will be conflicts in mptcp.h on older
versions not having the mentioned flags, the new line should still be
added last, and the '5' needs to be adapted to have the same value as
the last entry.
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-1-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ GENMASK(5, 0) => GENMASK(4, 0) + context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/mptcp.h | 1 +
net/mptcp/pm_netlink.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
--- a/include/uapi/linux/mptcp.h
+++ b/include/uapi/linux/mptcp.h
@@ -38,6 +38,7 @@
#define MPTCP_PM_ADDR_FLAG_BACKUP (1 << 2)
#define MPTCP_PM_ADDR_FLAG_FULLMESH (1 << 3)
#define MPTCP_PM_ADDR_FLAG_IMPLICIT (1 << 4)
+#define MPTCP_PM_ADDR_FLAGS_MASK GENMASK(4, 0)
struct mptcp_info {
__u8 mptcpi_subflows;
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1409,7 +1409,8 @@ int mptcp_pm_parse_entry(struct nlattr *
}
if (tb[MPTCP_PM_ADDR_ATTR_FLAGS])
- entry->flags = nla_get_u32(tb[MPTCP_PM_ADDR_ATTR_FLAGS]);
+ entry->flags = nla_get_u32(tb[MPTCP_PM_ADDR_ATTR_FLAGS]) &
+ MPTCP_PM_ADDR_FLAGS_MASK;
if (tb[MPTCP_PM_ADDR_ATTR_PORT])
entry->addr.port = htons(nla_get_u16(tb[MPTCP_PM_ADDR_ATTR_PORT]));
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 501/567] mm/ksm: fix exec/fork inheritance support for prctl
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (499 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 500/567] mptcp: pm: ignore unknown endpoint flags Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 502/567] svcrdma: bound check rq_pages index in inline path Greg Kroah-Hartman
` (79 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, xu xin, Stefan Roesch,
David Hildenbrand, Jinjiang Tu, Wang Yaxin, Yang Yang,
Andrew Morton, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: xu xin <xu.xin16@zte.com.cn>
[ Upstream commit 590c03ca6a3fbb114396673314e2aa483839608b ]
Patch series "ksm: fix exec/fork inheritance", v2.
This series fixes exec/fork inheritance. See the detailed description of
the issue below.
This patch (of 2):
Background
==========
commit d7597f59d1d33 ("mm: add new api to enable ksm per process")
introduced MMF_VM_MERGE_ANY for mm->flags, and allowed user to set it by
prctl() so that the process's VMAs are forcibly scanned by ksmd.
Subsequently, the 3c6f33b7273a ("mm/ksm: support fork/exec for prctl")
supported inheriting the MMF_VM_MERGE_ANY flag when a task calls execve().
Finally, commit 3a9e567ca45fb ("mm/ksm: fix ksm exec support for prctl")
fixed the issue that ksmd doesn't scan the mm_struct with MMF_VM_MERGE_ANY
by adding the mm_slot to ksm_mm_head in __bprm_mm_init().
Problem
=======
In some extreme scenarios, however, this inheritance of MMF_VM_MERGE_ANY
during exec/fork can fail. For example, when the scanning frequency of
ksmd is tuned extremely high, a process carrying MMF_VM_MERGE_ANY may
still fail to pass it to the newly exec'd process. This happens because
ksm_execve() is executed too early in the do_execve flow (prematurely
adding the new mm_struct to the ksm_mm_slot list).
As a result, before do_execve completes, ksmd may have already performed a
scan and found that this new mm_struct has no VM_MERGEABLE VMAs, thus
clearing its MMF_VM_MERGE_ANY flag. Consequently, when the new program
executes, the flag MMF_VM_MERGE_ANY inheritance missed.
Root reason
===========
commit d7597f59d1d33 ("mm: add new api to enable ksm per process") clear
the flag MMF_VM_MERGE_ANY when ksmd found no VM_MERGEABLE VMAs.
Solution
========
Firstly, Don't clear MMF_VM_MERGE_ANY when ksmd found no VM_MERGEABLE
VMAs, because perhaps their mm_struct has just been added to ksm_mm_slot
list, and its process has not yet officially started running or has not
yet performed mmap/brk to allocate anonymous VMAS.
Secondly, recheck MMF_VM_MERGEABLE again if a process takes
MMF_VM_MERGE_ANY, and create a mm_slot and join it into ksm_scan_list
again.
Link: https://lkml.kernel.org/r/20251007182504440BJgK8VXRHh8TD7IGSUIY4@zte.com.cn
Link: https://lkml.kernel.org/r/20251007182821572h_SoFqYZXEP1mvWI4n9VL@zte.com.cn
Fixes: 3c6f33b7273a ("mm/ksm: support fork/exec for prctl")
Fixes: d7597f59d1d3 ("mm: add new api to enable ksm per process")
Signed-off-by: xu xin <xu.xin16@zte.com.cn>
Cc: Stefan Roesch <shr@devkernel.io>
Cc: David Hildenbrand <david@redhat.com>
Cc: Jinjiang Tu <tujinjiang@huawei.com>
Cc: Wang Yaxin <wang.yaxin@zte.com.cn>
Cc: Yang Yang <yang.yang29@zte.com.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ changed mm_flags_test() and mm_flags_clear() calls to test_bit() and clear_bit() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/ksm.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -2704,8 +2704,14 @@ no_vmas:
spin_unlock(&ksm_mmlist_lock);
mm_slot_free(mm_slot_cache, mm_slot);
+ /*
+ * Only clear MMF_VM_MERGEABLE. We must not clear
+ * MMF_VM_MERGE_ANY, because for those MMF_VM_MERGE_ANY process,
+ * perhaps their mm_struct has just been added to ksm_mm_slot
+ * list, and its process has not yet officially started running
+ * or has not yet performed mmap/brk to allocate anonymous VMAS.
+ */
clear_bit(MMF_VM_MERGEABLE, &mm->flags);
- clear_bit(MMF_VM_MERGE_ANY, &mm->flags);
mmap_read_unlock(mm);
mmdrop(mm);
} else {
@@ -2820,8 +2826,16 @@ void ksm_add_vma(struct vm_area_struct *
{
struct mm_struct *mm = vma->vm_mm;
- if (test_bit(MMF_VM_MERGE_ANY, &mm->flags))
+ if (test_bit(MMF_VM_MERGE_ANY, &mm->flags)) {
__ksm_add_vma(vma);
+ /*
+ * Generally, the flags here always include MMF_VM_MERGEABLE.
+ * However, in rare cases, this flag may be cleared by ksmd who
+ * scans a cycle without finding any mergeable vma.
+ */
+ if (unlikely(!test_bit(MMF_VM_MERGEABLE, &mm->flags)))
+ __ksm_enter(mm);
+ }
}
static void ksm_add_vmas(struct mm_struct *mm)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 502/567] svcrdma: bound check rq_pages index in inline path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (500 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 501/567] mm/ksm: fix exec/fork inheritance support for prctl Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 503/567] ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Greg Kroah-Hartman
` (78 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
[ Upstream commit d1bea0ce35b6095544ee82bb54156fc62c067e58 ]
svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without
verifying rc_curpage stays within the allocated page array. Add guards
before the first use and after advancing to a new page.
Fixes: d7cc73972661 ("svcrdma: support multiple Read chunks per RPC")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ replaced rqstp->rq_maxpages with ARRAY_SIZE(rqstp->rq_pages) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprtrdma/svc_rdma_rw.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -841,6 +841,9 @@ static int svc_rdma_copy_inline_range(st
for (page_no = 0; page_no < numpages; page_no++) {
unsigned int page_len;
+ if (head->rc_curpage >= ARRAY_SIZE(rqstp->rq_pages))
+ return -EINVAL;
+
page_len = min_t(unsigned int, remaining,
PAGE_SIZE - head->rc_pageoff);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 503/567] ARM: dts: microchip: sama7g5: fix uart fifo size to 32
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (501 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 502/567] svcrdma: bound check rq_pages index in inline path Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 504/567] block: freeze queue when updating zone resources Greg Kroah-Hartman
` (77 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Ferre, Claudiu Beznea,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Ferre <nicolas.ferre@microchip.com>
[ Upstream commit 5654889a94b0de5ad6ceae3793e7f5e0b61b50b6 ]
On some flexcom nodes related to uart, the fifo sizes were wrong: fix
them to 32 data.
Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek")
Cc: stable@vger.kernel.org # 5.15+
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20251114103313.20220-2-nicolas.ferre@microchip.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/microchip/sama7g5.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm/boot/dts/microchip/sama7g5.dtsi
+++ b/arch/arm/boot/dts/microchip/sama7g5.dtsi
@@ -811,7 +811,7 @@
dma-names = "tx", "rx";
atmel,use-dma-rx;
atmel,use-dma-tx;
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
};
@@ -837,7 +837,7 @@
dma-names = "tx", "rx";
atmel,use-dma-rx;
atmel,use-dma-tx;
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 504/567] block: freeze queue when updating zone resources
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (502 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 503/567] ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 505/567] tpm2-sessions: Fix tpm2_read_public range checks Greg Kroah-Hartman
` (76 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Christoph Hellwig,
Johannes Thumshirn, Chaitanya Kulkarni, Hannes Reinecke,
Martin K. Petersen, Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit bba4322e3f303b2d656e748be758320b567f046f ]
Modify disk_update_zone_resources() to freeze the device queue before
updating the number of zones, zone capacity and other zone related
resources. The locking order resulting from the call to
queue_limits_commit_update_frozen() is preserved, that is, the queue
limits lock is first taken by calling queue_limits_start_update() before
freezing the queue, and the queue is unfrozen after executing
queue_limits_commit_update(), which replaces the call to
queue_limits_commit_update_frozen().
This change ensures that there are no in-flights I/Os when the zone
resources are updated due to a zone revalidation. In case of error when
the limits are applied, directly call disk_free_zone_resources() from
disk_update_zone_resources() while the disk queue is still frozen to
avoid needing to freeze & unfreeze the queue again in
blk_revalidate_disk_zones(), thus simplifying that function code a
little.
Fixes: 0b83c86b444a ("block: Prevent potential deadlock in blk_revalidate_disk_zones()")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ adapted blk_mq_freeze_queue/unfreeze_queue calls to single-argument void API ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-zoned.c | 39 +++++++++++++++++++++++----------------
1 file changed, 23 insertions(+), 16 deletions(-)
--- a/block/blk-zoned.c
+++ b/block/blk-zoned.c
@@ -1514,6 +1514,11 @@ static int disk_update_zone_resources(st
unsigned int nr_seq_zones, nr_conv_zones;
unsigned int pool_size;
struct queue_limits lim;
+ int ret = 0;
+
+ lim = queue_limits_start_update(q);
+
+ blk_mq_freeze_queue(q);
disk->nr_zones = args->nr_zones;
disk->zone_capacity = args->zone_capacity;
@@ -1523,11 +1528,10 @@ static int disk_update_zone_resources(st
if (nr_conv_zones >= disk->nr_zones) {
pr_warn("%s: Invalid number of conventional zones %u / %u\n",
disk->disk_name, nr_conv_zones, disk->nr_zones);
- return -ENODEV;
+ ret = -ENODEV;
+ goto unfreeze;
}
- lim = queue_limits_start_update(q);
-
/*
* Some devices can advertize zone resource limits that are larger than
* the number of sequential zones of the zoned block device, e.g. a
@@ -1564,7 +1568,15 @@ static int disk_update_zone_resources(st
}
commit:
- return queue_limits_commit_update_frozen(q, &lim);
+ ret = queue_limits_commit_update(q, &lim);
+
+unfreeze:
+ if (ret)
+ disk_free_zone_resources(disk);
+
+ blk_mq_unfreeze_queue(q);
+
+ return ret;
}
static int blk_revalidate_conv_zone(struct blk_zone *zone, unsigned int idx,
@@ -1785,19 +1797,14 @@ int blk_revalidate_disk_zones(struct gen
ret = -ENODEV;
}
- /*
- * Set the new disk zone parameters only once the queue is frozen and
- * all I/Os are completed.
- */
if (ret > 0)
- ret = disk_update_zone_resources(disk, &args);
- else
- pr_warn("%s: failed to revalidate zones\n", disk->disk_name);
- if (ret) {
- blk_mq_freeze_queue(q);
- disk_free_zone_resources(disk);
- blk_mq_unfreeze_queue(q);
- }
+ return disk_update_zone_resources(disk, &args);
+
+ pr_warn("%s: failed to revalidate zones\n", disk->disk_name);
+
+ blk_mq_freeze_queue(q);
+ disk_free_zone_resources(disk);
+ blk_mq_unfreeze_queue(q);
return ret;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 505/567] tpm2-sessions: Fix tpm2_read_public range checks
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (503 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 504/567] block: freeze queue when updating zone resources Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 506/567] sched_ext: Factor out local_dsq_post_enq() from dispatch_enqueue() Greg Kroah-Hartman
` (75 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jarkko Sakkinen, Jonathan McDowell,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko@kernel.org>
[ Upstream commit bda1cbf73c6e241267c286427f2ed52b5735d872 ]
tpm2_read_public() has some rudimentary range checks but the function does
not ensure that the response buffer has enough bytes for the full TPMT_HA
payload.
Re-implement the function with necessary checks and validation, and return
name and name size for all handle types back to the caller.
Cc: stable@vger.kernel.org # v6.10+
Fixes: d0a25bb961e6 ("tpm: Add HMAC session name/handle append")
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Jonathan McDowell <noodles@meta.com>
[ different semantics around u8 name_size() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm2-cmd.c | 3 +
drivers/char/tpm/tpm2-sessions.c | 85 ++++++++++++++++++++++++---------------
2 files changed, 56 insertions(+), 32 deletions(-)
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -11,8 +11,11 @@
* used by the kernel internally.
*/
+#include "linux/dev_printk.h"
+#include "linux/tpm.h"
#include "tpm.h"
#include <crypto/hash_info.h>
+#include <linux/unaligned.h>
static bool disable_pcr_integrity;
module_param(disable_pcr_integrity, bool, 0444);
--- a/drivers/char/tpm/tpm2-sessions.c
+++ b/drivers/char/tpm/tpm2-sessions.c
@@ -156,47 +156,60 @@ static u8 name_size(const u8 *name)
return size_map[alg] + 2;
}
-static int tpm2_parse_read_public(char *name, struct tpm_buf *buf)
+static int tpm2_read_public(struct tpm_chip *chip, u32 handle, void *name)
{
- struct tpm_header *head = (struct tpm_header *)buf->data;
+ u32 mso = tpm2_handle_mso(handle);
off_t offset = TPM_HEADER_SIZE;
- u32 tot_len = be32_to_cpu(head->length);
- u32 val;
-
- /* we're starting after the header so adjust the length */
- tot_len -= TPM_HEADER_SIZE;
-
- /* skip public */
- val = tpm_buf_read_u16(buf, &offset);
- if (val > tot_len)
- return -EINVAL;
- offset += val;
- /* name */
- val = tpm_buf_read_u16(buf, &offset);
- if (val != name_size(&buf->data[offset]))
- return -EINVAL;
- memcpy(name, &buf->data[offset], val);
- /* forget the rest */
- return 0;
-}
-
-static int tpm2_read_public(struct tpm_chip *chip, u32 handle, char *name)
-{
- struct tpm_buf buf;
int rc;
+ u8 name_size_alg;
+ struct tpm_buf buf;
+
+ if (mso != TPM2_MSO_PERSISTENT && mso != TPM2_MSO_VOLATILE &&
+ mso != TPM2_MSO_NVRAM) {
+ memcpy(name, &handle, sizeof(u32));
+ return sizeof(u32);
+ }
rc = tpm_buf_init(&buf, TPM2_ST_NO_SESSIONS, TPM2_CC_READ_PUBLIC);
if (rc)
return rc;
tpm_buf_append_u32(&buf, handle);
- rc = tpm_transmit_cmd(chip, &buf, 0, "read public");
- if (rc == TPM2_RC_SUCCESS)
- rc = tpm2_parse_read_public(name, &buf);
- tpm_buf_destroy(&buf);
+ rc = tpm_transmit_cmd(chip, &buf, 0, "TPM2_ReadPublic");
+ if (rc) {
+ tpm_buf_destroy(&buf);
+ return tpm_ret_to_err(rc);
+ }
- return rc;
+ /* Skip TPMT_PUBLIC: */
+ offset += tpm_buf_read_u16(&buf, &offset);
+
+ /*
+ * Ensure space for the length field of TPM2B_NAME and hashAlg field of
+ * TPMT_HA (the extra four bytes).
+ */
+ if (offset + 4 > tpm_buf_length(&buf)) {
+ tpm_buf_destroy(&buf);
+ return -EIO;
+ }
+
+ rc = tpm_buf_read_u16(&buf, &offset);
+ name_size_alg = name_size(&buf.data[offset]);
+
+ if (rc != name_size_alg) {
+ tpm_buf_destroy(&buf);
+ return -EIO;
+ }
+
+ if (offset + rc > tpm_buf_length(&buf)) {
+ tpm_buf_destroy(&buf);
+ return -EIO;
+ }
+
+ memcpy(name, &buf.data[offset], rc);
+ tpm_buf_destroy(&buf);
+ return name_size_alg;
}
#endif /* CONFIG_TCG_TPM2_HMAC */
@@ -229,6 +242,7 @@ void tpm_buf_append_name(struct tpm_chip
enum tpm2_mso_type mso = tpm2_handle_mso(handle);
struct tpm2_auth *auth;
int slot;
+ int ret;
#endif
if (!tpm2_chip_auth(chip)) {
@@ -251,8 +265,11 @@ void tpm_buf_append_name(struct tpm_chip
if (mso == TPM2_MSO_PERSISTENT ||
mso == TPM2_MSO_VOLATILE ||
mso == TPM2_MSO_NVRAM) {
- if (!name)
- tpm2_read_public(chip, handle, auth->name[slot]);
+ if (!name) {
+ ret = tpm2_read_public(chip, handle, auth->name[slot]);
+ if (ret < 0)
+ goto err;
+ }
} else {
if (name)
dev_err(&chip->dev, "TPM: Handle does not require name but one is specified\n");
@@ -261,6 +278,10 @@ void tpm_buf_append_name(struct tpm_chip
auth->name_h[slot] = handle;
if (name)
memcpy(auth->name[slot], name, name_size(name));
+ return;
+
+err:
+ tpm2_end_auth_session(chip);
#endif
}
EXPORT_SYMBOL_GPL(tpm_buf_append_name);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 506/567] sched_ext: Factor out local_dsq_post_enq() from dispatch_enqueue()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 505/567] tpm2-sessions: Fix tpm2_read_public range checks Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 507/567] sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq() Greg Kroah-Hartman
` (74 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrea Righi, Emil Tsalapatis,
Tejun Heo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit 530b6637c79e728d58f1d9b66bd4acf4b735b86d ]
Factor out local_dsq_post_enq() which performs post-enqueue handling for
local DSQs - triggering resched_curr() if SCX_ENQ_PREEMPT is specified or if
the current CPU is idle. No functional change.
This will be used by the next patch to fix move_local_task_to_local_dsq().
Cc: stable@vger.kernel.org # v6.12+
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 34 +++++++++++++++++++---------------
1 file changed, 19 insertions(+), 15 deletions(-)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -1676,6 +1676,22 @@ static void dsq_mod_nr(struct scx_dispat
WRITE_ONCE(dsq->nr, dsq->nr + delta);
}
+static void local_dsq_post_enq(struct scx_dispatch_q *dsq, struct task_struct *p,
+ u64 enq_flags)
+{
+ struct rq *rq = container_of(dsq, struct rq, scx.local_dsq);
+ bool preempt = false;
+
+ if ((enq_flags & SCX_ENQ_PREEMPT) && p != rq->curr &&
+ rq->curr->sched_class == &ext_sched_class) {
+ rq->curr->scx.slice = 0;
+ preempt = true;
+ }
+
+ if (preempt || sched_class_above(&ext_sched_class, rq->curr->sched_class))
+ resched_curr(rq);
+}
+
static void dispatch_enqueue(struct scx_dispatch_q *dsq, struct task_struct *p,
u64 enq_flags)
{
@@ -1773,22 +1789,10 @@ static void dispatch_enqueue(struct scx_
if (enq_flags & SCX_ENQ_CLEAR_OPSS)
atomic_long_set_release(&p->scx.ops_state, SCX_OPSS_NONE);
- if (is_local) {
- struct rq *rq = container_of(dsq, struct rq, scx.local_dsq);
- bool preempt = false;
-
- if ((enq_flags & SCX_ENQ_PREEMPT) && p != rq->curr &&
- rq->curr->sched_class == &ext_sched_class) {
- rq->curr->scx.slice = 0;
- preempt = true;
- }
-
- if (preempt || sched_class_above(&ext_sched_class,
- rq->curr->sched_class))
- resched_curr(rq);
- } else {
+ if (is_local)
+ local_dsq_post_enq(dsq, p, enq_flags);
+ else
raw_spin_unlock(&dsq->lock);
- }
}
static void task_unlink_from_dsq(struct task_struct *p,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 507/567] sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 506/567] sched_ext: Factor out local_dsq_post_enq() from dispatch_enqueue() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 508/567] drm/displayid: add quirk to ignore DisplayID checksum errors Greg Kroah-Hartman
` (73 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrea Righi, Emil Tsalapatis,
Tejun Heo, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
[ Upstream commit f5e1e5ec204da11fa87fdf006d451d80ce06e118 ]
move_local_task_to_local_dsq() is used when moving a task from a non-local
DSQ to a local DSQ on the same CPU. It directly manipulates the local DSQ
without going through dispatch_enqueue() and was missing the post-enqueue
handling that triggers preemption when SCX_ENQ_PREEMPT is set or the idle
task is running.
The function is used by move_task_between_dsqs() which backs
scx_bpf_dsq_move() and may be called while the CPU is busy.
Add local_dsq_post_enq() call to move_local_task_to_local_dsq(). As the
dispatch path doesn't need post-enqueue handling, add SCX_RQ_IN_BALANCE
early exit to keep consume_dispatch_q() behavior unchanged and avoid
triggering unnecessary resched when scx_bpf_dsq_move() is used from the
dispatch path.
Fixes: 4c30f5ce4f7a ("sched_ext: Implement scx_bpf_dispatch[_vtime]_from_dsq()")
Cc: stable@vger.kernel.org # v6.12+
Reviewed-by: Andrea Righi <arighi@nvidia.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/ext.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/kernel/sched/ext.c
+++ b/kernel/sched/ext.c
@@ -1682,6 +1682,14 @@ static void local_dsq_post_enq(struct sc
struct rq *rq = container_of(dsq, struct rq, scx.local_dsq);
bool preempt = false;
+ /*
+ * If @rq is in balance, the CPU is already vacant and looking for the
+ * next task to run. No need to preempt or trigger resched after moving
+ * @p into its local DSQ.
+ */
+ if (rq->scx.flags & SCX_RQ_IN_BALANCE)
+ return;
+
if ((enq_flags & SCX_ENQ_PREEMPT) && p != rq->curr &&
rq->curr->sched_class == &ext_sched_class) {
rq->curr->scx.slice = 0;
@@ -2259,6 +2267,8 @@ static void move_local_task_to_local_dsq
dsq_mod_nr(dst_dsq, 1);
p->scx.dsq = dst_dsq;
+
+ local_dsq_post_enq(dst_dsq, p, enq_flags);
}
#ifdef CONFIG_SMP
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 508/567] drm/displayid: add quirk to ignore DisplayID checksum errors
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (506 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 507/567] sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 509/567] hrtimers: Introduce hrtimer_update_function() Greg Kroah-Hartman
` (72 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tiago Martins Araújo,
Alex Deucher, Jani Nikula, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
[ Upstream commit 83cbb4d33dc22b0ca1a4e85c6e892c9b729e28d4 ]
Add a mechanism for DisplayID specific quirks, and add the first quirk
to ignore DisplayID section checksum errors.
It would be quite inconvenient to pass existing EDID quirks from
drm_edid.c for DisplayID parsing. Not all places doing DisplayID
iteration have the quirks readily available, and would have to pass it
in all places. Simply add a separate array of DisplayID specific EDID
quirks. We do end up checking it every time we iterate DisplayID blocks,
but hopefully the number of quirks remains small.
There are a few laptop models with DisplayID checksum failures, leading
to higher refresh rates only present in the DisplayID blocks being
ignored. Add a quirk for the panel in the machines.
Reported-by: Tiago Martins Araújo <tiago.martins.araujo@gmail.com>
Closes: https://lore.kernel.org/r/CACRbrPGvLP5LANXuFi6z0S7XMbAG4X5y2YOLBDxfOVtfGGqiKQ@mail.gmail.com
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/14703
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Tiago Martins Araújo <tiago.martins.araujo@gmail.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/c04d81ae648c5f21b3f5b7953f924718051f2798.1761681968.git.jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_displayid.c | 41 +++++++++++++++++++++++++++----
drivers/gpu/drm/drm_displayid_internal.h | 2 +
2 files changed, 39 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/drm_displayid.c
+++ b/drivers/gpu/drm/drm_displayid.c
@@ -9,6 +9,34 @@
#include "drm_crtc_internal.h"
#include "drm_displayid_internal.h"
+enum {
+ QUIRK_IGNORE_CHECKSUM,
+};
+
+struct displayid_quirk {
+ const struct drm_edid_ident ident;
+ u8 quirks;
+};
+
+static const struct displayid_quirk quirks[] = {
+ {
+ .ident = DRM_EDID_IDENT_INIT('C', 'S', 'O', 5142, "MNE007ZA1-5"),
+ .quirks = BIT(QUIRK_IGNORE_CHECKSUM),
+ },
+};
+
+static u8 get_quirks(const struct drm_edid *drm_edid)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(quirks); i++) {
+ if (drm_edid_match(drm_edid, &quirks[i].ident))
+ return quirks[i].quirks;
+ }
+
+ return 0;
+}
+
static const struct displayid_header *
displayid_get_header(const u8 *displayid, int length, int index)
{
@@ -23,7 +51,7 @@ displayid_get_header(const u8 *displayid
}
static const struct displayid_header *
-validate_displayid(const u8 *displayid, int length, int idx)
+validate_displayid(const u8 *displayid, int length, int idx, bool ignore_checksum)
{
int i, dispid_length;
u8 csum = 0;
@@ -41,8 +69,11 @@ validate_displayid(const u8 *displayid,
for (i = 0; i < dispid_length; i++)
csum += displayid[idx + i];
if (csum) {
- DRM_NOTE("DisplayID checksum invalid, remainder is %d\n", csum);
- return ERR_PTR(-EINVAL);
+ DRM_NOTE("DisplayID checksum invalid, remainder is %d%s\n", csum,
+ ignore_checksum ? " (ignoring)" : "");
+
+ if (!ignore_checksum)
+ return ERR_PTR(-EINVAL);
}
return base;
@@ -52,6 +83,7 @@ static const u8 *find_next_displayid_ext
{
const struct displayid_header *base;
const u8 *displayid;
+ bool ignore_checksum = iter->quirks & BIT(QUIRK_IGNORE_CHECKSUM);
displayid = drm_edid_find_extension(iter->drm_edid, DISPLAYID_EXT, &iter->ext_index);
if (!displayid)
@@ -61,7 +93,7 @@ static const u8 *find_next_displayid_ext
iter->length = EDID_LENGTH - 1;
iter->idx = 1;
- base = validate_displayid(displayid, iter->length, iter->idx);
+ base = validate_displayid(displayid, iter->length, iter->idx, ignore_checksum);
if (IS_ERR(base))
return NULL;
@@ -76,6 +108,7 @@ void displayid_iter_edid_begin(const str
memset(iter, 0, sizeof(*iter));
iter->drm_edid = drm_edid;
+ iter->quirks = get_quirks(drm_edid);
}
static const struct displayid_block *
--- a/drivers/gpu/drm/drm_displayid_internal.h
+++ b/drivers/gpu/drm/drm_displayid_internal.h
@@ -154,6 +154,8 @@ struct displayid_iter {
u8 version;
u8 primary_use;
+
+ u8 quirks;
};
void displayid_iter_edid_begin(const struct drm_edid *drm_edid,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 509/567] hrtimers: Introduce hrtimer_update_function()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 508/567] drm/displayid: add quirk to ignore DisplayID checksum errors Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 510/567] serial: xilinx_uartps: Use helper function hrtimer_update_function() Greg Kroah-Hartman
` (71 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nam Cao, Thomas Gleixner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
[ Upstream commit 8f02e3563bb5824eb01c94f2c75f1dcee2d05625 ]
Some users of hrtimer need to change the callback function after the
initial setup. They write to hrtimer::function directly.
That's not safe under all circumstances as the write is lockless and a
concurrent timer expiry might end up using the wrong function pointer.
Introduce hrtimer_update_function(), which also performs runtime checks
whether it is safe to modify the callback.
This allows to make hrtimer::function private once all users are converted.
Signed-off-by: Nam Cao <namcao@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20a937b0ae09ad54b5b6d86eabead7c570f1b72e.1730386209.git.namcao@linutronix.de
Stable-dep-of: 267ee93c417e ("serial: xilinx_uartps: fix rs485 delay_rts_after_send")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/hrtimer.h | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@@ -337,6 +337,28 @@ static inline int hrtimer_callback_runni
return timer->base->running == timer;
}
+/**
+ * hrtimer_update_function - Update the timer's callback function
+ * @timer: Timer to update
+ * @function: New callback function
+ *
+ * Only safe to call if the timer is not enqueued. Can be called in the callback function if the
+ * timer is not enqueued at the same time (see the comments above HRTIMER_STATE_ENQUEUED).
+ */
+static inline void hrtimer_update_function(struct hrtimer *timer,
+ enum hrtimer_restart (*function)(struct hrtimer *))
+{
+ guard(raw_spinlock_irqsave)(&timer->base->cpu_base->lock);
+
+ if (WARN_ON_ONCE(hrtimer_is_queued(timer)))
+ return;
+
+ if (WARN_ON_ONCE(!function))
+ return;
+
+ timer->function = function;
+}
+
/* Forward a hrtimer so it expires after now: */
extern u64
hrtimer_forward(struct hrtimer *timer, ktime_t now, ktime_t interval);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 510/567] serial: xilinx_uartps: Use helper function hrtimer_update_function()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (508 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 509/567] hrtimers: Introduce hrtimer_update_function() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 511/567] serial: xilinx_uartps: fix rs485 delay_rts_after_send Greg Kroah-Hartman
` (70 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nam Cao, Thomas Gleixner,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nam Cao <namcao@linutronix.de>
[ Upstream commit eee00df8e1f1f5648ed8f9e40e2bb54c2877344a ]
The field 'function' of struct hrtimer should not be changed directly, as
the write is lockless and a concurrent timer expiry might end up using the
wrong function pointer.
Switch to use hrtimer_update_function() which also performs runtime checks
that it is safe to modify the callback.
Signed-off-by: Nam Cao <namcao@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/af7823518fb060c6c97105a2513cfc61adbdf38f.1738746927.git.namcao@linutronix.de
Stable-dep-of: 267ee93c417e ("serial: xilinx_uartps: fix rs485 delay_rts_after_send")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/xilinx_uartps.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/tty/serial/xilinx_uartps.c
+++ b/drivers/tty/serial/xilinx_uartps.c
@@ -454,7 +454,7 @@ static void cdns_uart_handle_tx(void *de
if (cdns_uart->port->rs485.flags & SER_RS485_ENABLED &&
(kfifo_is_empty(&tport->xmit_fifo) || uart_tx_stopped(port))) {
- cdns_uart->tx_timer.function = &cdns_rs485_rx_callback;
+ hrtimer_update_function(&cdns_uart->tx_timer, cdns_rs485_rx_callback);
hrtimer_start(&cdns_uart->tx_timer,
ns_to_ktime(cdns_calc_after_tx_delay(cdns_uart)), HRTIMER_MODE_REL);
}
@@ -734,7 +734,7 @@ static void cdns_uart_start_tx(struct ua
if (cdns_uart->port->rs485.flags & SER_RS485_ENABLED) {
if (!cdns_uart->rs485_tx_started) {
- cdns_uart->tx_timer.function = &cdns_rs485_tx_callback;
+ hrtimer_update_function(&cdns_uart->tx_timer, cdns_rs485_tx_callback);
cdns_rs485_tx_setup(cdns_uart);
return hrtimer_start(&cdns_uart->tx_timer,
ms_to_ktime(port->rs485.delay_rts_before_send),
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 511/567] serial: xilinx_uartps: fix rs485 delay_rts_after_send
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (509 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 510/567] serial: xilinx_uartps: Use helper function hrtimer_update_function() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 512/567] f2fs: clear SBI_POR_DOING before initing inmem curseg Greg Kroah-Hartman
` (69 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jakub Turek, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "j.turek" <jakub.turek@elsta.tech>
[ Upstream commit 267ee93c417e685d9f8e079e41c70ba6ee4df5a5 ]
RTS line control with delay should be triggered when there is no more
bytes in kfifo and hardware buffer is empty. Without this patch RTS
control is scheduled right after feeding hardware buffer and this is too
early.
RTS line may change state before hardware buffer is empty.
With this patch delayed RTS state change is triggered when function
cdns_uart_handle_tx is called from cdns_uart_isr on
CDNS_UART_IXR_TXEMPTY exactly when hardware completed transmission
Fixes: fccc9d9233f9 ("tty: serial: uartps: Add rs485 support to uartps driver")
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20251221103221.1971125-1-jakub.turek@elsta.tech
Signed-off-by: Jakub Turek <jakub.turek@elsta.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/xilinx_uartps.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/tty/serial/xilinx_uartps.c
+++ b/drivers/tty/serial/xilinx_uartps.c
@@ -431,10 +431,17 @@ static void cdns_uart_handle_tx(void *de
struct tty_port *tport = &port->state->port;
unsigned int numbytes;
unsigned char ch;
+ ktime_t rts_delay;
if (kfifo_is_empty(&tport->xmit_fifo) || uart_tx_stopped(port)) {
/* Disable the TX Empty interrupt */
writel(CDNS_UART_IXR_TXEMPTY, port->membase + CDNS_UART_IDR);
+ /* Set RTS line after delay */
+ if (cdns_uart->port->rs485.flags & SER_RS485_ENABLED) {
+ cdns_uart->tx_timer.function = &cdns_rs485_rx_callback;
+ rts_delay = ns_to_ktime(cdns_calc_after_tx_delay(cdns_uart));
+ hrtimer_start(&cdns_uart->tx_timer, rts_delay, HRTIMER_MODE_REL);
+ }
return;
}
@@ -451,13 +458,6 @@ static void cdns_uart_handle_tx(void *de
/* Enable the TX Empty interrupt */
writel(CDNS_UART_IXR_TXEMPTY, cdns_uart->port->membase + CDNS_UART_IER);
-
- if (cdns_uart->port->rs485.flags & SER_RS485_ENABLED &&
- (kfifo_is_empty(&tport->xmit_fifo) || uart_tx_stopped(port))) {
- hrtimer_update_function(&cdns_uart->tx_timer, cdns_rs485_rx_callback);
- hrtimer_start(&cdns_uart->tx_timer,
- ns_to_ktime(cdns_calc_after_tx_delay(cdns_uart)), HRTIMER_MODE_REL);
- }
}
/**
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 512/567] f2fs: clear SBI_POR_DOING before initing inmem curseg
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (510 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 511/567] serial: xilinx_uartps: fix rs485 delay_rts_after_send Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 513/567] f2fs: add timeout in f2fs_enable_checkpoint() Greg Kroah-Hartman
` (68 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Song Feng, Yongpeng Yang, Sheng Yong,
Chao Yu, Jaegeuk Kim, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sheng Yong <shengyong@oppo.com>
[ Upstream commit f88c7904b5c7e35ab8037e2a59e10d80adf6fd7e ]
SBI_POR_DOING can be cleared after recovery is completed, so that
changes made before recovery can be persistent, and subsequent
errors can be recorded into cp/sb.
Signed-off-by: Song Feng <songfeng@oppo.com>
Signed-off-by: Yongpeng Yang <yangyongpeng1@oppo.com>
Signed-off-by: Sheng Yong <shengyong@oppo.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: be112e7449a6 ("f2fs: fix to propagate error from f2fs_enable_checkpoint()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4804,13 +4804,13 @@ reset_checkpoint:
if (err)
goto free_meta;
+ /* f2fs_recover_fsync_data() cleared this already */
+ clear_sbi_flag(sbi, SBI_POR_DOING);
+
err = f2fs_init_inmem_curseg(sbi);
if (err)
goto sync_free_meta;
- /* f2fs_recover_fsync_data() cleared this already */
- clear_sbi_flag(sbi, SBI_POR_DOING);
-
if (test_opt(sbi, DISABLE_CHECKPOINT)) {
err = f2fs_disable_checkpoint(sbi);
if (err)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 513/567] f2fs: add timeout in f2fs_enable_checkpoint()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (511 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 512/567] f2fs: clear SBI_POR_DOING before initing inmem curseg Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 514/567] f2fs: dump more information for f2fs_{enable,disable}_checkpoint() Greg Kroah-Hartman
` (67 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 4bc347779698b5e67e1514bab105c2c083e55502 ]
During f2fs_enable_checkpoint() in remount(), if we flush a large
amount of dirty pages into slow device, it may take long time which
will block write IO, let's add a timeout machanism during dirty
pages flush to avoid long time block in f2fs_enable_checkpoint().
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: be112e7449a6 ("f2fs: fix to propagate error from f2fs_enable_checkpoint()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 2 ++
fs/f2fs/super.c | 21 +++++++++++++++------
2 files changed, 17 insertions(+), 6 deletions(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -249,6 +249,7 @@ enum {
#define DEF_CP_INTERVAL 60 /* 60 secs */
#define DEF_IDLE_INTERVAL 5 /* 5 secs */
#define DEF_DISABLE_INTERVAL 5 /* 5 secs */
+#define DEF_ENABLE_INTERVAL 16 /* 16 secs */
#define DEF_DISABLE_QUICK_INTERVAL 1 /* 1 secs */
#define DEF_UMOUNT_DISCARD_TIMEOUT 5 /* 5 secs */
@@ -1351,6 +1352,7 @@ enum {
DISCARD_TIME,
GC_TIME,
DISABLE_TIME,
+ ENABLE_TIME,
UMOUNT_DISCARD_TIMEOUT,
MAX_TIME,
};
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2283,16 +2283,24 @@ restore_flag:
static void f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
{
- int retry = DEFAULT_RETRY_IO_COUNT;
+ unsigned int nr_pages = get_pages(sbi, F2FS_DIRTY_DATA) / 16;
+
+ f2fs_update_time(sbi, ENABLE_TIME);
/* we should flush all the data to keep data consistency */
- do {
- sync_inodes_sb(sbi->sb);
+ while (get_pages(sbi, F2FS_DIRTY_DATA)) {
+ writeback_inodes_sb_nr(sbi->sb, nr_pages, WB_REASON_SYNC);
f2fs_io_schedule_timeout(DEFAULT_IO_TIMEOUT);
- } while (get_pages(sbi, F2FS_DIRTY_DATA) && retry--);
- if (unlikely(retry < 0))
- f2fs_warn(sbi, "checkpoint=enable has some unwritten data.");
+ if (f2fs_time_over(sbi, ENABLE_TIME))
+ break;
+ }
+
+ sync_inodes_sb(sbi->sb);
+
+ if (unlikely(get_pages(sbi, F2FS_DIRTY_DATA)))
+ f2fs_warn(sbi, "checkpoint=enable has some unwritten data: %lld",
+ get_pages(sbi, F2FS_DIRTY_DATA));
f2fs_down_write(&sbi->gc_lock);
f2fs_dirty_to_prefree(sbi);
@@ -3868,6 +3876,7 @@ static void init_sb_info(struct f2fs_sb_
sbi->interval_time[DISCARD_TIME] = DEF_IDLE_INTERVAL;
sbi->interval_time[GC_TIME] = DEF_IDLE_INTERVAL;
sbi->interval_time[DISABLE_TIME] = DEF_DISABLE_INTERVAL;
+ sbi->interval_time[ENABLE_TIME] = DEF_ENABLE_INTERVAL;
sbi->interval_time[UMOUNT_DISCARD_TIMEOUT] =
DEF_UMOUNT_DISCARD_TIMEOUT;
clear_sbi_flag(sbi, SBI_NEED_FSCK);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 514/567] f2fs: dump more information for f2fs_{enable,disable}_checkpoint()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (512 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 513/567] f2fs: add timeout in f2fs_enable_checkpoint() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 515/567] f2fs: fix to propagate error from f2fs_enable_checkpoint() Greg Kroah-Hartman
` (66 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 80b6d1d2535a343e43d658777a46f1ebce8f3413 ]
Changes as below:
- print more logs for f2fs_{enable,disable}_checkpoint()
- account and dump time stats for f2fs_enable_checkpoint()
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: be112e7449a6 ("f2fs: fix to propagate error from f2fs_enable_checkpoint()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2278,15 +2278,24 @@ out_unlock:
restore_flag:
sbi->gc_mode = gc_mode;
sbi->sb->s_flags = s_flags; /* Restore SB_RDONLY status */
+ f2fs_info(sbi, "f2fs_disable_checkpoint() finish, err:%d", err);
return err;
}
static void f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
{
unsigned int nr_pages = get_pages(sbi, F2FS_DIRTY_DATA) / 16;
+ long long start, writeback, end;
+
+ f2fs_info(sbi, "f2fs_enable_checkpoint() starts, meta: %lld, node: %lld, data: %lld",
+ get_pages(sbi, F2FS_DIRTY_META),
+ get_pages(sbi, F2FS_DIRTY_NODES),
+ get_pages(sbi, F2FS_DIRTY_DATA));
f2fs_update_time(sbi, ENABLE_TIME);
+ start = ktime_get();
+
/* we should flush all the data to keep data consistency */
while (get_pages(sbi, F2FS_DIRTY_DATA)) {
writeback_inodes_sb_nr(sbi->sb, nr_pages, WB_REASON_SYNC);
@@ -2295,6 +2304,7 @@ static void f2fs_enable_checkpoint(struc
if (f2fs_time_over(sbi, ENABLE_TIME))
break;
}
+ writeback = ktime_get();
sync_inodes_sb(sbi->sb);
@@ -2313,6 +2323,12 @@ static void f2fs_enable_checkpoint(struc
/* Let's ensure there's no pending checkpoint anymore */
f2fs_flush_ckpt_thread(sbi);
+
+ end = ktime_get();
+
+ f2fs_info(sbi, "f2fs_enable_checkpoint() finishes, writeback:%llu, sync:%llu",
+ ktime_ms_delta(writeback, start),
+ ktime_ms_delta(end, writeback));
}
static int f2fs_remount(struct super_block *sb, int *flags, char *data)
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 515/567] f2fs: fix to propagate error from f2fs_enable_checkpoint()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (513 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 514/567] f2fs: dump more information for f2fs_{enable,disable}_checkpoint() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 516/567] gpiolib: acpi: Switch to use enum in acpi_gpio_in_ignore_list() Greg Kroah-Hartman
` (65 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit be112e7449a6e1b54aa9feac618825d154b3a5c7 ]
In order to let userspace detect such error rather than suffering
silent failure.
Fixes: 4354994f097d ("f2fs: checkpoint disabling")
Cc: stable@kernel.org
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2282,10 +2282,11 @@ restore_flag:
return err;
}
-static void f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
+static int f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
{
unsigned int nr_pages = get_pages(sbi, F2FS_DIRTY_DATA) / 16;
long long start, writeback, end;
+ int ret;
f2fs_info(sbi, "f2fs_enable_checkpoint() starts, meta: %lld, node: %lld, data: %lld",
get_pages(sbi, F2FS_DIRTY_META),
@@ -2319,7 +2320,9 @@ static void f2fs_enable_checkpoint(struc
set_sbi_flag(sbi, SBI_IS_DIRTY);
f2fs_up_write(&sbi->gc_lock);
- f2fs_sync_fs(sbi->sb, 1);
+ ret = f2fs_sync_fs(sbi->sb, 1);
+ if (ret)
+ f2fs_err(sbi, "%s sync_fs failed, ret: %d", __func__, ret);
/* Let's ensure there's no pending checkpoint anymore */
f2fs_flush_ckpt_thread(sbi);
@@ -2329,6 +2332,7 @@ static void f2fs_enable_checkpoint(struc
f2fs_info(sbi, "f2fs_enable_checkpoint() finishes, writeback:%llu, sync:%llu",
ktime_ms_delta(writeback, start),
ktime_ms_delta(end, writeback));
+ return ret;
}
static int f2fs_remount(struct super_block *sb, int *flags, char *data)
@@ -2543,7 +2547,9 @@ static int f2fs_remount(struct super_blo
goto restore_discard;
need_enable_checkpoint = true;
} else {
- f2fs_enable_checkpoint(sbi);
+ err = f2fs_enable_checkpoint(sbi);
+ if (err)
+ goto restore_discard;
need_disable_checkpoint = true;
}
}
@@ -2585,7 +2591,8 @@ skip:
return 0;
restore_checkpoint:
if (need_enable_checkpoint) {
- f2fs_enable_checkpoint(sbi);
+ if (f2fs_enable_checkpoint(sbi))
+ f2fs_warn(sbi, "checkpoint has not been enabled");
} else if (need_disable_checkpoint) {
if (f2fs_disable_checkpoint(sbi))
f2fs_warn(sbi, "checkpoint has not been disabled");
@@ -4836,13 +4843,12 @@ reset_checkpoint:
if (err)
goto sync_free_meta;
- if (test_opt(sbi, DISABLE_CHECKPOINT)) {
+ if (test_opt(sbi, DISABLE_CHECKPOINT))
err = f2fs_disable_checkpoint(sbi);
- if (err)
- goto sync_free_meta;
- } else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG)) {
- f2fs_enable_checkpoint(sbi);
- }
+ else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG))
+ err = f2fs_enable_checkpoint(sbi);
+ if (err)
+ goto sync_free_meta;
/*
* If filesystem is not mounted as read-only then
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 516/567] gpiolib: acpi: Switch to use enum in acpi_gpio_in_ignore_list()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (514 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 515/567] f2fs: fix to propagate error from f2fs_enable_checkpoint() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 517/567] gpiolib: acpi: Handle deferred list via new API Greg Kroah-Hartman
` (64 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Mika Westerberg,
Andy Shevchenko, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit b24fd5bc8e6d6b6006db65b5956c2c2cd0ee5a7b ]
Switch to use enum instead of pointers in acpi_gpio_in_ignore_list()
which moves towards isolating the GPIO ACPI and quirk APIs. It will
helps splitting them completely in the next changes.
No functional changes.
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Stable-dep-of: 2d967310c49e ("gpiolib: acpi: Add quirk for Dell Precision 7780")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi.c | 21 ++++++++++++++++-----
drivers/gpio/gpiolib-acpi.h | 8 ++++++++
2 files changed, 24 insertions(+), 5 deletions(-)
--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -350,14 +350,25 @@ static struct gpio_desc *acpi_request_ow
return desc;
}
-static bool acpi_gpio_in_ignore_list(const char *ignore_list, const char *controller_in,
- unsigned int pin_in)
+bool acpi_gpio_in_ignore_list(enum acpi_gpio_ignore_list list, const char *controller_in,
+ unsigned int pin_in)
{
- const char *controller, *pin_str;
+ const char *ignore_list, *controller, *pin_str;
unsigned int pin;
char *endp;
int len;
+ switch (list) {
+ case ACPI_GPIO_IGNORE_WAKE:
+ ignore_list = ignore_wake;
+ break;
+ case ACPI_GPIO_IGNORE_INTERRUPT:
+ ignore_list = ignore_interrupt;
+ break;
+ default:
+ return false;
+ }
+
controller = ignore_list;
while (controller) {
pin_str = strchr(controller, '@');
@@ -394,7 +405,7 @@ static bool acpi_gpio_irq_is_wake(struct
if (agpio->wake_capable != ACPI_WAKE_CAPABLE)
return false;
- if (acpi_gpio_in_ignore_list(ignore_wake, dev_name(parent), pin)) {
+ if (acpi_gpio_in_ignore_list(ACPI_GPIO_IGNORE_WAKE, dev_name(parent), pin)) {
dev_info(parent, "Ignoring wakeup on pin %u\n", pin);
return false;
}
@@ -437,7 +448,7 @@ static acpi_status acpi_gpiochip_alloc_e
if (!handler)
return AE_OK;
- if (acpi_gpio_in_ignore_list(ignore_interrupt, dev_name(chip->parent), pin)) {
+ if (acpi_gpio_in_ignore_list(ACPI_GPIO_IGNORE_INTERRUPT, dev_name(chip->parent), pin)) {
dev_info(chip->parent, "Ignoring interrupt on pin %u\n", pin);
return AE_OK;
}
--- a/drivers/gpio/gpiolib-acpi.h
+++ b/drivers/gpio/gpiolib-acpi.h
@@ -58,4 +58,12 @@ static inline int acpi_gpio_count(const
}
#endif
+enum acpi_gpio_ignore_list {
+ ACPI_GPIO_IGNORE_WAKE,
+ ACPI_GPIO_IGNORE_INTERRUPT,
+};
+
+bool acpi_gpio_in_ignore_list(enum acpi_gpio_ignore_list list,
+ const char *controller_in, unsigned int pin_in);
+
#endif /* GPIOLIB_ACPI_H */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 517/567] gpiolib: acpi: Handle deferred list via new API
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (515 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 516/567] gpiolib: acpi: Switch to use enum in acpi_gpio_in_ignore_list() Greg Kroah-Hartman
@ 2026-01-06 17:04 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 518/567] gpiolib: acpi: Add acpi_gpio_need_run_edge_events_on_boot() getter Greg Kroah-Hartman
` (63 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Mika Westerberg,
Andy Shevchenko, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit a594877663d1e3d5cf57ec8af739582fc5c47cec ]
Introduce a new API and handle deferred list via it which moves
towards isolating the GPIO ACPI and quirk APIs. It will helps
splitting them completely in the next changes.
No functional changes.
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Stable-dep-of: 2d967310c49e ("gpiolib: acpi: Add quirk for Dell Precision 7780")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi.c | 52 +++++++++++++++++++++++++++-----------------
drivers/gpio/gpiolib-acpi.h | 5 ++++
2 files changed, 37 insertions(+), 20 deletions(-)
--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -350,6 +350,27 @@ static struct gpio_desc *acpi_request_ow
return desc;
}
+bool acpi_gpio_add_to_deferred_list(struct list_head *list)
+{
+ bool defer;
+
+ mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
+ defer = !acpi_gpio_deferred_req_irqs_done;
+ if (defer)
+ list_add(list, &acpi_gpio_deferred_req_irqs_list);
+ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
+
+ return defer;
+}
+
+void acpi_gpio_remove_from_deferred_list(struct list_head *list)
+{
+ mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
+ if (!list_empty(list))
+ list_del_init(list);
+ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
+}
+
bool acpi_gpio_in_ignore_list(enum acpi_gpio_ignore_list list, const char *controller_in,
unsigned int pin_in)
{
@@ -536,7 +557,6 @@ void acpi_gpiochip_request_interrupts(st
struct acpi_gpio_chip *acpi_gpio;
acpi_handle handle;
acpi_status status;
- bool defer;
if (!chip->parent || !chip->to_irq)
return;
@@ -555,14 +575,7 @@ void acpi_gpiochip_request_interrupts(st
acpi_walk_resources(handle, METHOD_NAME__AEI,
acpi_gpiochip_alloc_event, acpi_gpio);
- mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
- defer = !acpi_gpio_deferred_req_irqs_done;
- if (defer)
- list_add(&acpi_gpio->deferred_req_irqs_list_entry,
- &acpi_gpio_deferred_req_irqs_list);
- mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
-
- if (defer)
+ if (acpi_gpio_add_to_deferred_list(&acpi_gpio->deferred_req_irqs_list_entry))
return;
acpi_gpiochip_request_irqs(acpi_gpio);
@@ -594,10 +607,7 @@ void acpi_gpiochip_free_interrupts(struc
if (ACPI_FAILURE(status))
return;
- mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
- if (!list_empty(&acpi_gpio->deferred_req_irqs_list_entry))
- list_del_init(&acpi_gpio->deferred_req_irqs_list_entry);
- mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
+ acpi_gpio_remove_from_deferred_list(&acpi_gpio->deferred_req_irqs_list_entry);
list_for_each_entry_safe_reverse(event, ep, &acpi_gpio->events, node) {
if (event->irq_requested) {
@@ -615,6 +625,14 @@ void acpi_gpiochip_free_interrupts(struc
}
EXPORT_SYMBOL_GPL(acpi_gpiochip_free_interrupts);
+void __init acpi_gpio_process_deferred_list(struct list_head *list)
+{
+ struct acpi_gpio_chip *acpi_gpio, *tmp;
+
+ list_for_each_entry_safe(acpi_gpio, tmp, list, deferred_req_irqs_list_entry)
+ acpi_gpiochip_request_irqs(acpi_gpio);
+}
+
int acpi_dev_add_driver_gpios(struct acpi_device *adev,
const struct acpi_gpio_mapping *gpios)
{
@@ -1505,14 +1523,8 @@ int acpi_gpio_count(const struct fwnode_
/* Run deferred acpi_gpiochip_request_irqs() */
static int __init acpi_gpio_handle_deferred_request_irqs(void)
{
- struct acpi_gpio_chip *acpi_gpio, *tmp;
-
mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
- list_for_each_entry_safe(acpi_gpio, tmp,
- &acpi_gpio_deferred_req_irqs_list,
- deferred_req_irqs_list_entry)
- acpi_gpiochip_request_irqs(acpi_gpio);
-
+ acpi_gpio_process_deferred_list(&acpi_gpio_deferred_req_irqs_list);
acpi_gpio_deferred_req_irqs_done = true;
mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
--- a/drivers/gpio/gpiolib-acpi.h
+++ b/drivers/gpio/gpiolib-acpi.h
@@ -58,6 +58,11 @@ static inline int acpi_gpio_count(const
}
#endif
+void acpi_gpio_process_deferred_list(struct list_head *list);
+
+bool acpi_gpio_add_to_deferred_list(struct list_head *list);
+void acpi_gpio_remove_from_deferred_list(struct list_head *list);
+
enum acpi_gpio_ignore_list {
ACPI_GPIO_IGNORE_WAKE,
ACPI_GPIO_IGNORE_INTERRUPT,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 518/567] gpiolib: acpi: Add acpi_gpio_need_run_edge_events_on_boot() getter
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (516 preceding siblings ...)
2026-01-06 17:04 ` [PATCH 6.12 517/567] gpiolib: acpi: Handle deferred list via new API Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 519/567] gpiolib: acpi: Move quirks to a separate file Greg Kroah-Hartman
` (62 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Mika Westerberg,
Andy Shevchenko, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 5666a8777add09d1167de308df2147983486a0af ]
Add acpi_gpio_need_run_edge_events_on_boot() getter which moves
towards isolating the GPIO ACPI and quirk APIs. It will helps
splitting them completely in the next changes.
No functional changes.
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Stable-dep-of: 2d967310c49e ("gpiolib: acpi: Add quirk for Dell Precision 7780")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi.c | 7 ++++++-
drivers/gpio/gpiolib-acpi.h | 2 ++
2 files changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -268,7 +268,7 @@ static void acpi_gpiochip_request_irq(st
event->irq_requested = true;
/* Make sure we trigger the initial state of edge-triggered IRQs */
- if (run_edge_events_on_boot &&
+ if (acpi_gpio_need_run_edge_events_on_boot() &&
(event->irqflags & (IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING))) {
value = gpiod_get_raw_value_cansleep(event->desc);
if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
@@ -371,6 +371,11 @@ void acpi_gpio_remove_from_deferred_list
mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
}
+int acpi_gpio_need_run_edge_events_on_boot(void)
+{
+ return run_edge_events_on_boot;
+}
+
bool acpi_gpio_in_ignore_list(enum acpi_gpio_ignore_list list, const char *controller_in,
unsigned int pin_in)
{
--- a/drivers/gpio/gpiolib-acpi.h
+++ b/drivers/gpio/gpiolib-acpi.h
@@ -63,6 +63,8 @@ void acpi_gpio_process_deferred_list(str
bool acpi_gpio_add_to_deferred_list(struct list_head *list);
void acpi_gpio_remove_from_deferred_list(struct list_head *list);
+int acpi_gpio_need_run_edge_events_on_boot(void);
+
enum acpi_gpio_ignore_list {
ACPI_GPIO_IGNORE_WAKE,
ACPI_GPIO_IGNORE_INTERRUPT,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 519/567] gpiolib: acpi: Move quirks to a separate file
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (517 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 518/567] gpiolib: acpi: Add acpi_gpio_need_run_edge_events_on_boot() getter Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-02-10 16:06 ` Ben Hutchings
2026-01-06 17:05 ` [PATCH 6.12 520/567] gpiolib: acpi: Add a quirk for Acer Nitro V15 Greg Kroah-Hartman
` (61 subsequent siblings)
580 siblings, 1 reply; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Mika Westerberg,
Andy Shevchenko, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 92dc572852ddcae687590cb159189004d58e382e ]
The gpiolib-acpi.c is huge enough even without DMI quirks.
Move them to a separate file for a better maintenance.
No functional change intended.
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Stable-dep-of: 2d967310c49e ("gpiolib: acpi: Add quirk for Dell Precision 7780")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/Makefile | 1
drivers/gpio/gpiolib-acpi-core.c | 1419 +++++++++++++++++++++++++++++
drivers/gpio/gpiolib-acpi-quirks.c | 363 +++++++
drivers/gpio/gpiolib-acpi.c | 1765 -------------------------------------
4 files changed, 1783 insertions(+), 1765 deletions(-)
rename drivers/gpio/{gpiolib-acpi.c => gpiolib-acpi-core.c} (79%)
create mode 100644 drivers/gpio/gpiolib-acpi-quirks.c
--- a/drivers/gpio/Makefile
+++ b/drivers/gpio/Makefile
@@ -10,6 +10,7 @@ obj-$(CONFIG_OF_GPIO) += gpiolib-of.o
obj-$(CONFIG_GPIO_CDEV) += gpiolib-cdev.o
obj-$(CONFIG_GPIO_SYSFS) += gpiolib-sysfs.o
obj-$(CONFIG_GPIO_ACPI) += gpiolib-acpi.o
+gpiolib-acpi-y := gpiolib-acpi-core.o gpiolib-acpi-quirks.o
obj-$(CONFIG_GPIOLIB) += gpiolib-swnode.o
# Device drivers. Generally keep list sorted alphabetically
--- /dev/null
+++ b/drivers/gpio/gpiolib-acpi-core.c
@@ -0,0 +1,1419 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * ACPI helpers for GPIO API
+ *
+ * Copyright (C) 2012, Intel Corporation
+ * Authors: Mathias Nyman <mathias.nyman@linux.intel.com>
+ * Mika Westerberg <mika.westerberg@linux.intel.com>
+ */
+
+#include <linux/acpi.h>
+#include <linux/dmi.h>
+#include <linux/errno.h>
+#include <linux/export.h>
+#include <linux/interrupt.h>
+#include <linux/irq.h>
+#include <linux/mutex.h>
+#include <linux/pinctrl/pinctrl.h>
+
+#include <linux/gpio/consumer.h>
+#include <linux/gpio/driver.h>
+#include <linux/gpio/machine.h>
+
+#include "gpiolib.h"
+#include "gpiolib-acpi.h"
+
+/**
+ * struct acpi_gpio_event - ACPI GPIO event handler data
+ *
+ * @node: list-entry of the events list of the struct acpi_gpio_chip
+ * @handle: handle of ACPI method to execute when the IRQ triggers
+ * @handler: handler function to pass to request_irq() when requesting the IRQ
+ * @pin: GPIO pin number on the struct gpio_chip
+ * @irq: Linux IRQ number for the event, for request_irq() / free_irq()
+ * @irqflags: flags to pass to request_irq() when requesting the IRQ
+ * @irq_is_wake: If the ACPI flags indicate the IRQ is a wakeup source
+ * @irq_requested:True if request_irq() has been done
+ * @desc: struct gpio_desc for the GPIO pin for this event
+ */
+struct acpi_gpio_event {
+ struct list_head node;
+ acpi_handle handle;
+ irq_handler_t handler;
+ unsigned int pin;
+ unsigned int irq;
+ unsigned long irqflags;
+ bool irq_is_wake;
+ bool irq_requested;
+ struct gpio_desc *desc;
+};
+
+struct acpi_gpio_connection {
+ struct list_head node;
+ unsigned int pin;
+ struct gpio_desc *desc;
+};
+
+struct acpi_gpio_chip {
+ /*
+ * ACPICA requires that the first field of the context parameter
+ * passed to acpi_install_address_space_handler() is large enough
+ * to hold struct acpi_connection_info.
+ */
+ struct acpi_connection_info conn_info;
+ struct list_head conns;
+ struct mutex conn_lock;
+ struct gpio_chip *chip;
+ struct list_head events;
+ struct list_head deferred_req_irqs_list_entry;
+};
+
+/**
+ * struct acpi_gpio_info - ACPI GPIO specific information
+ * @adev: reference to ACPI device which consumes GPIO resource
+ * @flags: GPIO initialization flags
+ * @gpioint: if %true this GPIO is of type GpioInt otherwise type is GpioIo
+ * @pin_config: pin bias as provided by ACPI
+ * @polarity: interrupt polarity as provided by ACPI
+ * @triggering: triggering type as provided by ACPI
+ * @wake_capable: wake capability as provided by ACPI
+ * @debounce: debounce timeout as provided by ACPI
+ * @quirks: Linux specific quirks as provided by struct acpi_gpio_mapping
+ */
+struct acpi_gpio_info {
+ struct acpi_device *adev;
+ enum gpiod_flags flags;
+ bool gpioint;
+ int pin_config;
+ int polarity;
+ int triggering;
+ bool wake_capable;
+ unsigned int debounce;
+ unsigned int quirks;
+};
+
+static int acpi_gpiochip_find(struct gpio_chip *gc, const void *data)
+{
+ /* First check the actual GPIO device */
+ if (device_match_acpi_handle(&gc->gpiodev->dev, data))
+ return true;
+
+ /*
+ * When the ACPI device is artificially split to the banks of GPIOs,
+ * where each of them is represented by a separate GPIO device,
+ * the firmware node of the physical device may not be shared among
+ * the banks as they may require different values for the same property,
+ * e.g., number of GPIOs in a certain bank. In such case the ACPI handle
+ * of a GPIO device is NULL and can not be used. Hence we have to check
+ * the parent device to be sure that there is no match before bailing
+ * out.
+ */
+ if (gc->parent)
+ return device_match_acpi_handle(gc->parent, data);
+
+ return false;
+}
+
+/**
+ * acpi_get_gpiod() - Translate ACPI GPIO pin to GPIO descriptor usable with GPIO API
+ * @path: ACPI GPIO controller full path name, (e.g. "\\_SB.GPO1")
+ * @pin: ACPI GPIO pin number (0-based, controller-relative)
+ *
+ * Returns:
+ * GPIO descriptor to use with Linux generic GPIO API.
+ * If the GPIO cannot be translated or there is an error an ERR_PTR is
+ * returned.
+ *
+ * Specifically returns %-EPROBE_DEFER if the referenced GPIO
+ * controller does not have GPIO chip registered at the moment. This is to
+ * support probe deferral.
+ */
+static struct gpio_desc *acpi_get_gpiod(char *path, unsigned int pin)
+{
+ acpi_handle handle;
+ acpi_status status;
+
+ status = acpi_get_handle(NULL, path, &handle);
+ if (ACPI_FAILURE(status))
+ return ERR_PTR(-ENODEV);
+
+ struct gpio_device *gdev __free(gpio_device_put) =
+ gpio_device_find(handle, acpi_gpiochip_find);
+ if (!gdev)
+ return ERR_PTR(-EPROBE_DEFER);
+
+ /*
+ * FIXME: keep track of the reference to the GPIO device somehow
+ * instead of putting it here.
+ */
+ return gpio_device_get_desc(gdev, pin);
+}
+
+static irqreturn_t acpi_gpio_irq_handler(int irq, void *data)
+{
+ struct acpi_gpio_event *event = data;
+
+ acpi_evaluate_object(event->handle, NULL, NULL, NULL);
+
+ return IRQ_HANDLED;
+}
+
+static irqreturn_t acpi_gpio_irq_handler_evt(int irq, void *data)
+{
+ struct acpi_gpio_event *event = data;
+
+ acpi_execute_simple_method(event->handle, NULL, event->pin);
+
+ return IRQ_HANDLED;
+}
+
+static void acpi_gpio_chip_dh(acpi_handle handle, void *data)
+{
+ /* The address of this function is used as a key. */
+}
+
+bool acpi_gpio_get_irq_resource(struct acpi_resource *ares,
+ struct acpi_resource_gpio **agpio)
+{
+ struct acpi_resource_gpio *gpio;
+
+ if (ares->type != ACPI_RESOURCE_TYPE_GPIO)
+ return false;
+
+ gpio = &ares->data.gpio;
+ if (gpio->connection_type != ACPI_RESOURCE_GPIO_TYPE_INT)
+ return false;
+
+ *agpio = gpio;
+ return true;
+}
+EXPORT_SYMBOL_GPL(acpi_gpio_get_irq_resource);
+
+/**
+ * acpi_gpio_get_io_resource - Fetch details of an ACPI resource if it is a GPIO
+ * I/O resource or return False if not.
+ * @ares: Pointer to the ACPI resource to fetch
+ * @agpio: Pointer to a &struct acpi_resource_gpio to store the output pointer
+ *
+ * Returns:
+ * %true if GpioIo resource is found, %false otherwise.
+ */
+bool acpi_gpio_get_io_resource(struct acpi_resource *ares,
+ struct acpi_resource_gpio **agpio)
+{
+ struct acpi_resource_gpio *gpio;
+
+ if (ares->type != ACPI_RESOURCE_TYPE_GPIO)
+ return false;
+
+ gpio = &ares->data.gpio;
+ if (gpio->connection_type != ACPI_RESOURCE_GPIO_TYPE_IO)
+ return false;
+
+ *agpio = gpio;
+ return true;
+}
+EXPORT_SYMBOL_GPL(acpi_gpio_get_io_resource);
+
+static void acpi_gpiochip_request_irq(struct acpi_gpio_chip *acpi_gpio,
+ struct acpi_gpio_event *event)
+{
+ struct device *parent = acpi_gpio->chip->parent;
+ int ret, value;
+
+ ret = request_threaded_irq(event->irq, NULL, event->handler,
+ event->irqflags | IRQF_ONESHOT, "ACPI:Event", event);
+ if (ret) {
+ dev_err(parent, "Failed to setup interrupt handler for %d\n", event->irq);
+ return;
+ }
+
+ if (event->irq_is_wake)
+ enable_irq_wake(event->irq);
+
+ event->irq_requested = true;
+
+ /* Make sure we trigger the initial state of edge-triggered IRQs */
+ if (acpi_gpio_need_run_edge_events_on_boot() &&
+ (event->irqflags & (IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING))) {
+ value = gpiod_get_raw_value_cansleep(event->desc);
+ if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
+ ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0))
+ event->handler(event->irq, event);
+ }
+}
+
+static void acpi_gpiochip_request_irqs(struct acpi_gpio_chip *acpi_gpio)
+{
+ struct acpi_gpio_event *event;
+
+ list_for_each_entry(event, &acpi_gpio->events, node)
+ acpi_gpiochip_request_irq(acpi_gpio, event);
+}
+
+static enum gpiod_flags
+acpi_gpio_to_gpiod_flags(const struct acpi_resource_gpio *agpio, int polarity)
+{
+ /* GpioInt() implies input configuration */
+ if (agpio->connection_type == ACPI_RESOURCE_GPIO_TYPE_INT)
+ return GPIOD_IN;
+
+ switch (agpio->io_restriction) {
+ case ACPI_IO_RESTRICT_INPUT:
+ return GPIOD_IN;
+ case ACPI_IO_RESTRICT_OUTPUT:
+ /*
+ * ACPI GPIO resources don't contain an initial value for the
+ * GPIO. Therefore we deduce that value from the pull field
+ * and the polarity instead. If the pin is pulled up we assume
+ * default to be high, if it is pulled down we assume default
+ * to be low, otherwise we leave pin untouched. For active low
+ * polarity values will be switched. See also
+ * Documentation/firmware-guide/acpi/gpio-properties.rst.
+ */
+ switch (agpio->pin_config) {
+ case ACPI_PIN_CONFIG_PULLUP:
+ return polarity == GPIO_ACTIVE_LOW ? GPIOD_OUT_LOW : GPIOD_OUT_HIGH;
+ case ACPI_PIN_CONFIG_PULLDOWN:
+ return polarity == GPIO_ACTIVE_LOW ? GPIOD_OUT_HIGH : GPIOD_OUT_LOW;
+ default:
+ break;
+ }
+ break;
+ default:
+ break;
+ }
+
+ /*
+ * Assume that the BIOS has configured the direction and pull
+ * accordingly.
+ */
+ return GPIOD_ASIS;
+}
+
+static struct gpio_desc *acpi_request_own_gpiod(struct gpio_chip *chip,
+ struct acpi_resource_gpio *agpio,
+ unsigned int index,
+ const char *label)
+{
+ int polarity = GPIO_ACTIVE_HIGH;
+ enum gpiod_flags flags = acpi_gpio_to_gpiod_flags(agpio, polarity);
+ unsigned int pin = agpio->pin_table[index];
+ struct gpio_desc *desc;
+ int ret;
+
+ desc = gpiochip_request_own_desc(chip, pin, label, polarity, flags);
+ if (IS_ERR(desc))
+ return desc;
+
+ /* ACPI uses hundredths of milliseconds units */
+ ret = gpio_set_debounce_timeout(desc, agpio->debounce_timeout * 10);
+ if (ret)
+ dev_warn(chip->parent,
+ "Failed to set debounce-timeout for pin 0x%04X, err %d\n",
+ pin, ret);
+
+ return desc;
+}
+
+static bool acpi_gpio_irq_is_wake(struct device *parent,
+ const struct acpi_resource_gpio *agpio)
+{
+ unsigned int pin = agpio->pin_table[0];
+
+ if (agpio->wake_capable != ACPI_WAKE_CAPABLE)
+ return false;
+
+ if (acpi_gpio_in_ignore_list(ACPI_GPIO_IGNORE_WAKE, dev_name(parent), pin)) {
+ dev_info(parent, "Ignoring wakeup on pin %u\n", pin);
+ return false;
+ }
+
+ return true;
+}
+
+/* Always returns AE_OK so that we keep looping over the resources */
+static acpi_status acpi_gpiochip_alloc_event(struct acpi_resource *ares,
+ void *context)
+{
+ struct acpi_gpio_chip *acpi_gpio = context;
+ struct gpio_chip *chip = acpi_gpio->chip;
+ struct acpi_resource_gpio *agpio;
+ acpi_handle handle, evt_handle;
+ struct acpi_gpio_event *event;
+ irq_handler_t handler = NULL;
+ struct gpio_desc *desc;
+ unsigned int pin;
+ int ret, irq;
+
+ if (!acpi_gpio_get_irq_resource(ares, &agpio))
+ return AE_OK;
+
+ handle = ACPI_HANDLE(chip->parent);
+ pin = agpio->pin_table[0];
+
+ if (pin <= 255) {
+ char ev_name[8];
+ sprintf(ev_name, "_%c%02X",
+ agpio->triggering == ACPI_EDGE_SENSITIVE ? 'E' : 'L',
+ pin);
+ if (ACPI_SUCCESS(acpi_get_handle(handle, ev_name, &evt_handle)))
+ handler = acpi_gpio_irq_handler;
+ }
+ if (!handler) {
+ if (ACPI_SUCCESS(acpi_get_handle(handle, "_EVT", &evt_handle)))
+ handler = acpi_gpio_irq_handler_evt;
+ }
+ if (!handler)
+ return AE_OK;
+
+ if (acpi_gpio_in_ignore_list(ACPI_GPIO_IGNORE_INTERRUPT, dev_name(chip->parent), pin)) {
+ dev_info(chip->parent, "Ignoring interrupt on pin %u\n", pin);
+ return AE_OK;
+ }
+
+ desc = acpi_request_own_gpiod(chip, agpio, 0, "ACPI:Event");
+ if (IS_ERR(desc)) {
+ dev_err(chip->parent,
+ "Failed to request GPIO for pin 0x%04X, err %ld\n",
+ pin, PTR_ERR(desc));
+ return AE_OK;
+ }
+
+ ret = gpiochip_lock_as_irq(chip, pin);
+ if (ret) {
+ dev_err(chip->parent,
+ "Failed to lock GPIO pin 0x%04X as interrupt, err %d\n",
+ pin, ret);
+ goto fail_free_desc;
+ }
+
+ irq = gpiod_to_irq(desc);
+ if (irq < 0) {
+ dev_err(chip->parent,
+ "Failed to translate GPIO pin 0x%04X to IRQ, err %d\n",
+ pin, irq);
+ goto fail_unlock_irq;
+ }
+
+ event = kzalloc(sizeof(*event), GFP_KERNEL);
+ if (!event)
+ goto fail_unlock_irq;
+
+ event->irqflags = IRQF_ONESHOT;
+ if (agpio->triggering == ACPI_LEVEL_SENSITIVE) {
+ if (agpio->polarity == ACPI_ACTIVE_HIGH)
+ event->irqflags |= IRQF_TRIGGER_HIGH;
+ else
+ event->irqflags |= IRQF_TRIGGER_LOW;
+ } else {
+ switch (agpio->polarity) {
+ case ACPI_ACTIVE_HIGH:
+ event->irqflags |= IRQF_TRIGGER_RISING;
+ break;
+ case ACPI_ACTIVE_LOW:
+ event->irqflags |= IRQF_TRIGGER_FALLING;
+ break;
+ default:
+ event->irqflags |= IRQF_TRIGGER_RISING |
+ IRQF_TRIGGER_FALLING;
+ break;
+ }
+ }
+
+ event->handle = evt_handle;
+ event->handler = handler;
+ event->irq = irq;
+ event->irq_is_wake = acpi_gpio_irq_is_wake(chip->parent, agpio);
+ event->pin = pin;
+ event->desc = desc;
+
+ list_add_tail(&event->node, &acpi_gpio->events);
+
+ return AE_OK;
+
+fail_unlock_irq:
+ gpiochip_unlock_as_irq(chip, pin);
+fail_free_desc:
+ gpiochip_free_own_desc(desc);
+
+ return AE_OK;
+}
+
+/**
+ * acpi_gpiochip_request_interrupts() - Register isr for gpio chip ACPI events
+ * @chip: GPIO chip
+ *
+ * ACPI5 platforms can use GPIO signaled ACPI events. These GPIO interrupts are
+ * handled by ACPI event methods which need to be called from the GPIO
+ * chip's interrupt handler. acpi_gpiochip_request_interrupts() finds out which
+ * GPIO pins have ACPI event methods and assigns interrupt handlers that calls
+ * the ACPI event methods for those pins.
+ */
+void acpi_gpiochip_request_interrupts(struct gpio_chip *chip)
+{
+ struct acpi_gpio_chip *acpi_gpio;
+ acpi_handle handle;
+ acpi_status status;
+
+ if (!chip->parent || !chip->to_irq)
+ return;
+
+ handle = ACPI_HANDLE(chip->parent);
+ if (!handle)
+ return;
+
+ status = acpi_get_data(handle, acpi_gpio_chip_dh, (void **)&acpi_gpio);
+ if (ACPI_FAILURE(status))
+ return;
+
+ if (acpi_quirk_skip_gpio_event_handlers())
+ return;
+
+ acpi_walk_resources(handle, METHOD_NAME__AEI,
+ acpi_gpiochip_alloc_event, acpi_gpio);
+
+ if (acpi_gpio_add_to_deferred_list(&acpi_gpio->deferred_req_irqs_list_entry))
+ return;
+
+ acpi_gpiochip_request_irqs(acpi_gpio);
+}
+EXPORT_SYMBOL_GPL(acpi_gpiochip_request_interrupts);
+
+/**
+ * acpi_gpiochip_free_interrupts() - Free GPIO ACPI event interrupts.
+ * @chip: GPIO chip
+ *
+ * Free interrupts associated with GPIO ACPI event method for the given
+ * GPIO chip.
+ */
+void acpi_gpiochip_free_interrupts(struct gpio_chip *chip)
+{
+ struct acpi_gpio_chip *acpi_gpio;
+ struct acpi_gpio_event *event, *ep;
+ acpi_handle handle;
+ acpi_status status;
+
+ if (!chip->parent || !chip->to_irq)
+ return;
+
+ handle = ACPI_HANDLE(chip->parent);
+ if (!handle)
+ return;
+
+ status = acpi_get_data(handle, acpi_gpio_chip_dh, (void **)&acpi_gpio);
+ if (ACPI_FAILURE(status))
+ return;
+
+ acpi_gpio_remove_from_deferred_list(&acpi_gpio->deferred_req_irqs_list_entry);
+
+ list_for_each_entry_safe_reverse(event, ep, &acpi_gpio->events, node) {
+ if (event->irq_requested) {
+ if (event->irq_is_wake)
+ disable_irq_wake(event->irq);
+
+ free_irq(event->irq, event);
+ }
+
+ gpiochip_unlock_as_irq(chip, event->pin);
+ gpiochip_free_own_desc(event->desc);
+ list_del(&event->node);
+ kfree(event);
+ }
+}
+EXPORT_SYMBOL_GPL(acpi_gpiochip_free_interrupts);
+
+void __init acpi_gpio_process_deferred_list(struct list_head *list)
+{
+ struct acpi_gpio_chip *acpi_gpio, *tmp;
+
+ list_for_each_entry_safe(acpi_gpio, tmp, list, deferred_req_irqs_list_entry)
+ acpi_gpiochip_request_irqs(acpi_gpio);
+}
+
+int acpi_dev_add_driver_gpios(struct acpi_device *adev,
+ const struct acpi_gpio_mapping *gpios)
+{
+ if (adev && gpios) {
+ adev->driver_gpios = gpios;
+ return 0;
+ }
+ return -EINVAL;
+}
+EXPORT_SYMBOL_GPL(acpi_dev_add_driver_gpios);
+
+void acpi_dev_remove_driver_gpios(struct acpi_device *adev)
+{
+ if (adev)
+ adev->driver_gpios = NULL;
+}
+EXPORT_SYMBOL_GPL(acpi_dev_remove_driver_gpios);
+
+static void acpi_dev_release_driver_gpios(void *adev)
+{
+ acpi_dev_remove_driver_gpios(adev);
+}
+
+int devm_acpi_dev_add_driver_gpios(struct device *dev,
+ const struct acpi_gpio_mapping *gpios)
+{
+ struct acpi_device *adev = ACPI_COMPANION(dev);
+ int ret;
+
+ ret = acpi_dev_add_driver_gpios(adev, gpios);
+ if (ret)
+ return ret;
+
+ return devm_add_action_or_reset(dev, acpi_dev_release_driver_gpios, adev);
+}
+EXPORT_SYMBOL_GPL(devm_acpi_dev_add_driver_gpios);
+
+static bool acpi_get_driver_gpio_data(struct acpi_device *adev,
+ const char *name, int index,
+ struct fwnode_reference_args *args,
+ unsigned int *quirks)
+{
+ const struct acpi_gpio_mapping *gm;
+
+ if (!adev || !adev->driver_gpios)
+ return false;
+
+ for (gm = adev->driver_gpios; gm->name; gm++)
+ if (!strcmp(name, gm->name) && gm->data && index < gm->size) {
+ const struct acpi_gpio_params *par = gm->data + index;
+
+ args->fwnode = acpi_fwnode_handle(adev);
+ args->args[0] = par->crs_entry_index;
+ args->args[1] = par->line_index;
+ args->args[2] = par->active_low;
+ args->nargs = 3;
+
+ *quirks = gm->quirks;
+ return true;
+ }
+
+ return false;
+}
+
+static int
+__acpi_gpio_update_gpiod_flags(enum gpiod_flags *flags, enum gpiod_flags update)
+{
+ const enum gpiod_flags mask =
+ GPIOD_FLAGS_BIT_DIR_SET | GPIOD_FLAGS_BIT_DIR_OUT |
+ GPIOD_FLAGS_BIT_DIR_VAL;
+ int ret = 0;
+
+ /*
+ * Check if the BIOS has IoRestriction with explicitly set direction
+ * and update @flags accordingly. Otherwise use whatever caller asked
+ * for.
+ */
+ if (update & GPIOD_FLAGS_BIT_DIR_SET) {
+ enum gpiod_flags diff = *flags ^ update;
+
+ /*
+ * Check if caller supplied incompatible GPIO initialization
+ * flags.
+ *
+ * Return %-EINVAL to notify that firmware has different
+ * settings and we are going to use them.
+ */
+ if (((*flags & GPIOD_FLAGS_BIT_DIR_SET) && (diff & GPIOD_FLAGS_BIT_DIR_OUT)) ||
+ ((*flags & GPIOD_FLAGS_BIT_DIR_OUT) && (diff & GPIOD_FLAGS_BIT_DIR_VAL)))
+ ret = -EINVAL;
+ *flags = (*flags & ~mask) | (update & mask);
+ }
+ return ret;
+}
+
+static int acpi_gpio_update_gpiod_flags(enum gpiod_flags *flags,
+ struct acpi_gpio_info *info)
+{
+ struct device *dev = &info->adev->dev;
+ enum gpiod_flags old = *flags;
+ int ret;
+
+ ret = __acpi_gpio_update_gpiod_flags(&old, info->flags);
+ if (info->quirks & ACPI_GPIO_QUIRK_NO_IO_RESTRICTION) {
+ if (ret)
+ dev_warn(dev, FW_BUG "GPIO not in correct mode, fixing\n");
+ } else {
+ if (ret)
+ dev_dbg(dev, "Override GPIO initialization flags\n");
+ *flags = old;
+ }
+
+ return ret;
+}
+
+static int acpi_gpio_update_gpiod_lookup_flags(unsigned long *lookupflags,
+ struct acpi_gpio_info *info)
+{
+ switch (info->pin_config) {
+ case ACPI_PIN_CONFIG_PULLUP:
+ *lookupflags |= GPIO_PULL_UP;
+ break;
+ case ACPI_PIN_CONFIG_PULLDOWN:
+ *lookupflags |= GPIO_PULL_DOWN;
+ break;
+ case ACPI_PIN_CONFIG_NOPULL:
+ *lookupflags |= GPIO_PULL_DISABLE;
+ break;
+ default:
+ break;
+ }
+
+ if (info->polarity == GPIO_ACTIVE_LOW)
+ *lookupflags |= GPIO_ACTIVE_LOW;
+
+ return 0;
+}
+
+struct acpi_gpio_lookup {
+ struct acpi_gpio_info info;
+ int index;
+ u16 pin_index;
+ bool active_low;
+ struct gpio_desc *desc;
+ int n;
+};
+
+static int acpi_populate_gpio_lookup(struct acpi_resource *ares, void *data)
+{
+ struct acpi_gpio_lookup *lookup = data;
+
+ if (ares->type != ACPI_RESOURCE_TYPE_GPIO)
+ return 1;
+
+ if (!lookup->desc) {
+ const struct acpi_resource_gpio *agpio = &ares->data.gpio;
+ bool gpioint = agpio->connection_type == ACPI_RESOURCE_GPIO_TYPE_INT;
+ struct gpio_desc *desc;
+ u16 pin_index;
+
+ if (lookup->info.quirks & ACPI_GPIO_QUIRK_ONLY_GPIOIO && gpioint)
+ lookup->index++;
+
+ if (lookup->n++ != lookup->index)
+ return 1;
+
+ pin_index = lookup->pin_index;
+ if (pin_index >= agpio->pin_table_length)
+ return 1;
+
+ if (lookup->info.quirks & ACPI_GPIO_QUIRK_ABSOLUTE_NUMBER)
+ desc = gpio_to_desc(agpio->pin_table[pin_index]);
+ else
+ desc = acpi_get_gpiod(agpio->resource_source.string_ptr,
+ agpio->pin_table[pin_index]);
+ lookup->desc = desc;
+ lookup->info.pin_config = agpio->pin_config;
+ lookup->info.debounce = agpio->debounce_timeout;
+ lookup->info.gpioint = gpioint;
+ lookup->info.wake_capable = acpi_gpio_irq_is_wake(&lookup->info.adev->dev, agpio);
+
+ /*
+ * Polarity and triggering are only specified for GpioInt
+ * resource.
+ * Note: we expect here:
+ * - ACPI_ACTIVE_LOW == GPIO_ACTIVE_LOW
+ * - ACPI_ACTIVE_HIGH == GPIO_ACTIVE_HIGH
+ */
+ if (lookup->info.gpioint) {
+ lookup->info.polarity = agpio->polarity;
+ lookup->info.triggering = agpio->triggering;
+ } else {
+ lookup->info.polarity = lookup->active_low;
+ }
+
+ lookup->info.flags = acpi_gpio_to_gpiod_flags(agpio, lookup->info.polarity);
+ }
+
+ return 1;
+}
+
+static int acpi_gpio_resource_lookup(struct acpi_gpio_lookup *lookup,
+ struct acpi_gpio_info *info)
+{
+ struct acpi_device *adev = lookup->info.adev;
+ struct list_head res_list;
+ int ret;
+
+ INIT_LIST_HEAD(&res_list);
+
+ ret = acpi_dev_get_resources(adev, &res_list,
+ acpi_populate_gpio_lookup,
+ lookup);
+ if (ret < 0)
+ return ret;
+
+ acpi_dev_free_resource_list(&res_list);
+
+ if (!lookup->desc)
+ return -ENOENT;
+
+ if (info)
+ *info = lookup->info;
+ return 0;
+}
+
+static int acpi_gpio_property_lookup(struct fwnode_handle *fwnode,
+ const char *propname, int index,
+ struct acpi_gpio_lookup *lookup)
+{
+ struct fwnode_reference_args args;
+ unsigned int quirks = 0;
+ int ret;
+
+ memset(&args, 0, sizeof(args));
+ ret = __acpi_node_get_property_reference(fwnode, propname, index, 3,
+ &args);
+ if (ret) {
+ struct acpi_device *adev;
+
+ adev = to_acpi_device_node(fwnode);
+ if (!acpi_get_driver_gpio_data(adev, propname, index, &args, &quirks))
+ return ret;
+ }
+ /*
+ * The property was found and resolved, so need to lookup the GPIO based
+ * on returned args.
+ */
+ if (!to_acpi_device_node(args.fwnode))
+ return -EINVAL;
+ if (args.nargs != 3)
+ return -EPROTO;
+
+ lookup->index = args.args[0];
+ lookup->pin_index = args.args[1];
+ lookup->active_low = !!args.args[2];
+
+ lookup->info.adev = to_acpi_device_node(args.fwnode);
+ lookup->info.quirks = quirks;
+
+ return 0;
+}
+
+/**
+ * acpi_get_gpiod_by_index() - get a GPIO descriptor from device resources
+ * @adev: pointer to a ACPI device to get GPIO from
+ * @propname: Property name of the GPIO (optional)
+ * @index: index of GpioIo/GpioInt resource (starting from %0)
+ * @info: info pointer to fill in (optional)
+ *
+ * Function goes through ACPI resources for @adev and based on @index looks
+ * up a GpioIo/GpioInt resource, translates it to the Linux GPIO descriptor,
+ * and returns it. @index matches GpioIo/GpioInt resources only so if there
+ * are total %3 GPIO resources, the index goes from %0 to %2.
+ *
+ * If @propname is specified the GPIO is looked using device property. In
+ * that case @index is used to select the GPIO entry in the property value
+ * (in case of multiple).
+ *
+ * Returns:
+ * GPIO descriptor to use with Linux generic GPIO API.
+ * If the GPIO cannot be translated or there is an error an ERR_PTR is
+ * returned.
+ *
+ * Note: if the GPIO resource has multiple entries in the pin list, this
+ * function only returns the first.
+ */
+static struct gpio_desc *acpi_get_gpiod_by_index(struct acpi_device *adev,
+ const char *propname,
+ int index,
+ struct acpi_gpio_info *info)
+{
+ struct acpi_gpio_lookup lookup;
+ int ret;
+
+ memset(&lookup, 0, sizeof(lookup));
+ lookup.index = index;
+
+ if (propname) {
+ dev_dbg(&adev->dev, "GPIO: looking up %s\n", propname);
+
+ ret = acpi_gpio_property_lookup(acpi_fwnode_handle(adev),
+ propname, index, &lookup);
+ if (ret)
+ return ERR_PTR(ret);
+
+ dev_dbg(&adev->dev, "GPIO: _DSD returned %s %d %u %u\n",
+ dev_name(&lookup.info.adev->dev), lookup.index,
+ lookup.pin_index, lookup.active_low);
+ } else {
+ dev_dbg(&adev->dev, "GPIO: looking up %d in _CRS\n", index);
+ lookup.info.adev = adev;
+ }
+
+ ret = acpi_gpio_resource_lookup(&lookup, info);
+ return ret ? ERR_PTR(ret) : lookup.desc;
+}
+
+/**
+ * acpi_get_gpiod_from_data() - get a GPIO descriptor from ACPI data node
+ * @fwnode: pointer to an ACPI firmware node to get the GPIO information from
+ * @propname: Property name of the GPIO
+ * @index: index of GpioIo/GpioInt resource (starting from %0)
+ * @info: info pointer to fill in (optional)
+ *
+ * This function uses the property-based GPIO lookup to get to the GPIO
+ * resource with the relevant information from a data-only ACPI firmware node
+ * and uses that to obtain the GPIO descriptor to return.
+ *
+ * Returns:
+ * GPIO descriptor to use with Linux generic GPIO API.
+ * If the GPIO cannot be translated or there is an error an ERR_PTR is
+ * returned.
+ */
+static struct gpio_desc *acpi_get_gpiod_from_data(struct fwnode_handle *fwnode,
+ const char *propname,
+ int index,
+ struct acpi_gpio_info *info)
+{
+ struct acpi_gpio_lookup lookup;
+ int ret;
+
+ if (!is_acpi_data_node(fwnode))
+ return ERR_PTR(-ENODEV);
+
+ if (!propname)
+ return ERR_PTR(-EINVAL);
+
+ memset(&lookup, 0, sizeof(lookup));
+ lookup.index = index;
+
+ ret = acpi_gpio_property_lookup(fwnode, propname, index, &lookup);
+ if (ret)
+ return ERR_PTR(ret);
+
+ ret = acpi_gpio_resource_lookup(&lookup, info);
+ return ret ? ERR_PTR(ret) : lookup.desc;
+}
+
+static bool acpi_can_fallback_to_crs(struct acpi_device *adev,
+ const char *con_id)
+{
+ /* If there is no ACPI device, there is no _CRS to fall back to */
+ if (!adev)
+ return false;
+
+ /* Never allow fallback if the device has properties */
+ if (acpi_dev_has_props(adev) || adev->driver_gpios)
+ return false;
+
+ return con_id == NULL;
+}
+
+static struct gpio_desc *
+__acpi_find_gpio(struct fwnode_handle *fwnode, const char *con_id, unsigned int idx,
+ bool can_fallback, struct acpi_gpio_info *info)
+{
+ struct acpi_device *adev = to_acpi_device_node(fwnode);
+ struct gpio_desc *desc;
+ char propname[32];
+
+ /* Try first from _DSD */
+ for_each_gpio_property_name(propname, con_id) {
+ if (adev)
+ desc = acpi_get_gpiod_by_index(adev,
+ propname, idx, info);
+ else
+ desc = acpi_get_gpiod_from_data(fwnode,
+ propname, idx, info);
+ if (PTR_ERR(desc) == -EPROBE_DEFER)
+ return ERR_CAST(desc);
+
+ if (!IS_ERR(desc))
+ return desc;
+ }
+
+ /* Then from plain _CRS GPIOs */
+ if (can_fallback)
+ return acpi_get_gpiod_by_index(adev, NULL, idx, info);
+
+ return ERR_PTR(-ENOENT);
+}
+
+struct gpio_desc *acpi_find_gpio(struct fwnode_handle *fwnode,
+ const char *con_id,
+ unsigned int idx,
+ enum gpiod_flags *dflags,
+ unsigned long *lookupflags)
+{
+ struct acpi_device *adev = to_acpi_device_node(fwnode);
+ bool can_fallback = acpi_can_fallback_to_crs(adev, con_id);
+ struct acpi_gpio_info info;
+ struct gpio_desc *desc;
+
+ desc = __acpi_find_gpio(fwnode, con_id, idx, can_fallback, &info);
+ if (IS_ERR(desc))
+ return desc;
+
+ if (info.gpioint &&
+ (*dflags == GPIOD_OUT_LOW || *dflags == GPIOD_OUT_HIGH)) {
+ dev_dbg(&adev->dev, "refusing GpioInt() entry when doing GPIOD_OUT_* lookup\n");
+ return ERR_PTR(-ENOENT);
+ }
+
+ acpi_gpio_update_gpiod_flags(dflags, &info);
+ acpi_gpio_update_gpiod_lookup_flags(lookupflags, &info);
+ return desc;
+}
+
+/**
+ * acpi_dev_gpio_irq_wake_get_by() - Find GpioInt and translate it to Linux IRQ number
+ * @adev: pointer to a ACPI device to get IRQ from
+ * @con_id: optional name of GpioInt resource
+ * @index: index of GpioInt resource (starting from %0)
+ * @wake_capable: Set to true if the IRQ is wake capable
+ *
+ * If the device has one or more GpioInt resources, this function can be
+ * used to translate from the GPIO offset in the resource to the Linux IRQ
+ * number.
+ *
+ * The function is idempotent, though each time it runs it will configure GPIO
+ * pin direction according to the flags in GpioInt resource.
+ *
+ * The function takes optional @con_id parameter. If the resource has
+ * a @con_id in a property, then only those will be taken into account.
+ *
+ * The GPIO is considered wake capable if the GpioInt resource specifies
+ * SharedAndWake or ExclusiveAndWake.
+ *
+ * Returns:
+ * Linux IRQ number (> 0) on success, negative errno on failure.
+ */
+int acpi_dev_gpio_irq_wake_get_by(struct acpi_device *adev, const char *con_id, int index,
+ bool *wake_capable)
+{
+ struct fwnode_handle *fwnode = acpi_fwnode_handle(adev);
+ int idx, i;
+ unsigned int irq_flags;
+ int ret;
+
+ for (i = 0, idx = 0; idx <= index; i++) {
+ struct acpi_gpio_info info;
+ struct gpio_desc *desc;
+
+ /* Ignore -EPROBE_DEFER, it only matters if idx matches */
+ desc = __acpi_find_gpio(fwnode, con_id, i, true, &info);
+ if (IS_ERR(desc) && PTR_ERR(desc) != -EPROBE_DEFER)
+ return PTR_ERR(desc);
+
+ if (info.gpioint && idx++ == index) {
+ unsigned long lflags = GPIO_LOOKUP_FLAGS_DEFAULT;
+ enum gpiod_flags dflags = GPIOD_ASIS;
+ char label[32];
+ int irq;
+
+ if (IS_ERR(desc))
+ return PTR_ERR(desc);
+
+ irq = gpiod_to_irq(desc);
+ if (irq < 0)
+ return irq;
+
+ acpi_gpio_update_gpiod_flags(&dflags, &info);
+ acpi_gpio_update_gpiod_lookup_flags(&lflags, &info);
+
+ snprintf(label, sizeof(label), "%pfwP GpioInt(%d)", fwnode, index);
+ ret = gpiod_set_consumer_name(desc, con_id ?: label);
+ if (ret)
+ return ret;
+
+ ret = gpiod_configure_flags(desc, label, lflags, dflags);
+ if (ret < 0)
+ return ret;
+
+ /* ACPI uses hundredths of milliseconds units */
+ ret = gpio_set_debounce_timeout(desc, info.debounce * 10);
+ if (ret)
+ return ret;
+
+ irq_flags = acpi_dev_get_irq_type(info.triggering,
+ info.polarity);
+
+ /*
+ * If the IRQ is not already in use then set type
+ * if specified and different than the current one.
+ */
+ if (can_request_irq(irq, irq_flags)) {
+ if (irq_flags != IRQ_TYPE_NONE &&
+ irq_flags != irq_get_trigger_type(irq))
+ irq_set_irq_type(irq, irq_flags);
+ } else {
+ dev_dbg(&adev->dev, "IRQ %d already in use\n", irq);
+ }
+
+ /* avoid suspend issues with GPIOs when systems are using S3 */
+ if (wake_capable && acpi_gbl_FADT.flags & ACPI_FADT_LOW_POWER_S0)
+ *wake_capable = info.wake_capable;
+
+ return irq;
+ }
+
+ }
+ return -ENOENT;
+}
+EXPORT_SYMBOL_GPL(acpi_dev_gpio_irq_wake_get_by);
+
+static acpi_status
+acpi_gpio_adr_space_handler(u32 function, acpi_physical_address address,
+ u32 bits, u64 *value, void *handler_context,
+ void *region_context)
+{
+ struct acpi_gpio_chip *achip = region_context;
+ struct gpio_chip *chip = achip->chip;
+ struct acpi_resource_gpio *agpio;
+ struct acpi_resource *ares;
+ u16 pin_index = address;
+ acpi_status status;
+ int length;
+ int i;
+
+ status = acpi_buffer_to_resource(achip->conn_info.connection,
+ achip->conn_info.length, &ares);
+ if (ACPI_FAILURE(status))
+ return status;
+
+ if (WARN_ON(ares->type != ACPI_RESOURCE_TYPE_GPIO)) {
+ ACPI_FREE(ares);
+ return AE_BAD_PARAMETER;
+ }
+
+ agpio = &ares->data.gpio;
+
+ if (WARN_ON(agpio->io_restriction == ACPI_IO_RESTRICT_INPUT &&
+ function == ACPI_WRITE)) {
+ ACPI_FREE(ares);
+ return AE_BAD_PARAMETER;
+ }
+
+ length = min_t(u16, agpio->pin_table_length, pin_index + bits);
+ for (i = pin_index; i < length; ++i) {
+ unsigned int pin = agpio->pin_table[i];
+ struct acpi_gpio_connection *conn;
+ struct gpio_desc *desc;
+ bool found;
+
+ mutex_lock(&achip->conn_lock);
+
+ found = false;
+ list_for_each_entry(conn, &achip->conns, node) {
+ if (conn->pin == pin) {
+ found = true;
+ desc = conn->desc;
+ break;
+ }
+ }
+
+ /*
+ * The same GPIO can be shared between operation region and
+ * event but only if the access here is ACPI_READ. In that
+ * case we "borrow" the event GPIO instead.
+ */
+ if (!found && agpio->shareable == ACPI_SHARED &&
+ function == ACPI_READ) {
+ struct acpi_gpio_event *event;
+
+ list_for_each_entry(event, &achip->events, node) {
+ if (event->pin == pin) {
+ desc = event->desc;
+ found = true;
+ break;
+ }
+ }
+ }
+
+ if (!found) {
+ desc = acpi_request_own_gpiod(chip, agpio, i, "ACPI:OpRegion");
+ if (IS_ERR(desc)) {
+ mutex_unlock(&achip->conn_lock);
+ status = AE_ERROR;
+ goto out;
+ }
+
+ conn = kzalloc(sizeof(*conn), GFP_KERNEL);
+ if (!conn) {
+ gpiochip_free_own_desc(desc);
+ mutex_unlock(&achip->conn_lock);
+ status = AE_NO_MEMORY;
+ goto out;
+ }
+
+ conn->pin = pin;
+ conn->desc = desc;
+ list_add_tail(&conn->node, &achip->conns);
+ }
+
+ mutex_unlock(&achip->conn_lock);
+
+ if (function == ACPI_WRITE)
+ gpiod_set_raw_value_cansleep(desc, !!(*value & BIT(i)));
+ else
+ *value |= (u64)gpiod_get_raw_value_cansleep(desc) << i;
+ }
+
+out:
+ ACPI_FREE(ares);
+ return status;
+}
+
+static void acpi_gpiochip_request_regions(struct acpi_gpio_chip *achip)
+{
+ struct gpio_chip *chip = achip->chip;
+ acpi_handle handle = ACPI_HANDLE(chip->parent);
+ acpi_status status;
+
+ INIT_LIST_HEAD(&achip->conns);
+ mutex_init(&achip->conn_lock);
+ status = acpi_install_address_space_handler(handle, ACPI_ADR_SPACE_GPIO,
+ acpi_gpio_adr_space_handler,
+ NULL, achip);
+ if (ACPI_FAILURE(status))
+ dev_err(chip->parent,
+ "Failed to install GPIO OpRegion handler\n");
+}
+
+static void acpi_gpiochip_free_regions(struct acpi_gpio_chip *achip)
+{
+ struct gpio_chip *chip = achip->chip;
+ acpi_handle handle = ACPI_HANDLE(chip->parent);
+ struct acpi_gpio_connection *conn, *tmp;
+ acpi_status status;
+
+ status = acpi_remove_address_space_handler(handle, ACPI_ADR_SPACE_GPIO,
+ acpi_gpio_adr_space_handler);
+ if (ACPI_FAILURE(status)) {
+ dev_err(chip->parent,
+ "Failed to remove GPIO OpRegion handler\n");
+ return;
+ }
+
+ list_for_each_entry_safe_reverse(conn, tmp, &achip->conns, node) {
+ gpiochip_free_own_desc(conn->desc);
+ list_del(&conn->node);
+ kfree(conn);
+ }
+}
+
+static struct gpio_desc *
+acpi_gpiochip_parse_own_gpio(struct acpi_gpio_chip *achip,
+ struct fwnode_handle *fwnode,
+ const char **name,
+ unsigned long *lflags,
+ enum gpiod_flags *dflags)
+{
+ struct gpio_chip *chip = achip->chip;
+ struct gpio_desc *desc;
+ u32 gpios[2];
+ int ret;
+
+ *lflags = GPIO_LOOKUP_FLAGS_DEFAULT;
+ *dflags = GPIOD_ASIS;
+ *name = NULL;
+
+ ret = fwnode_property_read_u32_array(fwnode, "gpios", gpios,
+ ARRAY_SIZE(gpios));
+ if (ret < 0)
+ return ERR_PTR(ret);
+
+ desc = gpiochip_get_desc(chip, gpios[0]);
+ if (IS_ERR(desc))
+ return desc;
+
+ if (gpios[1])
+ *lflags |= GPIO_ACTIVE_LOW;
+
+ if (fwnode_property_present(fwnode, "input"))
+ *dflags |= GPIOD_IN;
+ else if (fwnode_property_present(fwnode, "output-low"))
+ *dflags |= GPIOD_OUT_LOW;
+ else if (fwnode_property_present(fwnode, "output-high"))
+ *dflags |= GPIOD_OUT_HIGH;
+ else
+ return ERR_PTR(-EINVAL);
+
+ fwnode_property_read_string(fwnode, "line-name", name);
+
+ return desc;
+}
+
+static void acpi_gpiochip_scan_gpios(struct acpi_gpio_chip *achip)
+{
+ struct gpio_chip *chip = achip->chip;
+ struct fwnode_handle *fwnode;
+
+ device_for_each_child_node(chip->parent, fwnode) {
+ unsigned long lflags;
+ enum gpiod_flags dflags;
+ struct gpio_desc *desc;
+ const char *name;
+ int ret;
+
+ if (!fwnode_property_present(fwnode, "gpio-hog"))
+ continue;
+
+ desc = acpi_gpiochip_parse_own_gpio(achip, fwnode, &name,
+ &lflags, &dflags);
+ if (IS_ERR(desc))
+ continue;
+
+ ret = gpiod_hog(desc, name, lflags, dflags);
+ if (ret) {
+ dev_err(chip->parent, "Failed to hog GPIO\n");
+ fwnode_handle_put(fwnode);
+ return;
+ }
+ }
+}
+
+void acpi_gpiochip_add(struct gpio_chip *chip)
+{
+ struct acpi_gpio_chip *acpi_gpio;
+ struct acpi_device *adev;
+ acpi_status status;
+
+ if (!chip || !chip->parent)
+ return;
+
+ adev = ACPI_COMPANION(chip->parent);
+ if (!adev)
+ return;
+
+ acpi_gpio = kzalloc(sizeof(*acpi_gpio), GFP_KERNEL);
+ if (!acpi_gpio) {
+ dev_err(chip->parent,
+ "Failed to allocate memory for ACPI GPIO chip\n");
+ return;
+ }
+
+ acpi_gpio->chip = chip;
+ INIT_LIST_HEAD(&acpi_gpio->events);
+ INIT_LIST_HEAD(&acpi_gpio->deferred_req_irqs_list_entry);
+
+ status = acpi_attach_data(adev->handle, acpi_gpio_chip_dh, acpi_gpio);
+ if (ACPI_FAILURE(status)) {
+ dev_err(chip->parent, "Failed to attach ACPI GPIO chip\n");
+ kfree(acpi_gpio);
+ return;
+ }
+
+ acpi_gpiochip_request_regions(acpi_gpio);
+ acpi_gpiochip_scan_gpios(acpi_gpio);
+ acpi_dev_clear_dependencies(adev);
+}
+
+void acpi_gpiochip_remove(struct gpio_chip *chip)
+{
+ struct acpi_gpio_chip *acpi_gpio;
+ acpi_handle handle;
+ acpi_status status;
+
+ if (!chip || !chip->parent)
+ return;
+
+ handle = ACPI_HANDLE(chip->parent);
+ if (!handle)
+ return;
+
+ status = acpi_get_data(handle, acpi_gpio_chip_dh, (void **)&acpi_gpio);
+ if (ACPI_FAILURE(status)) {
+ dev_warn(chip->parent, "Failed to retrieve ACPI GPIO chip\n");
+ return;
+ }
+
+ acpi_gpiochip_free_regions(acpi_gpio);
+
+ acpi_detach_data(handle, acpi_gpio_chip_dh);
+ kfree(acpi_gpio);
+}
+
+static int acpi_gpio_package_count(const union acpi_object *obj)
+{
+ const union acpi_object *element = obj->package.elements;
+ const union acpi_object *end = element + obj->package.count;
+ unsigned int count = 0;
+
+ while (element < end) {
+ switch (element->type) {
+ case ACPI_TYPE_LOCAL_REFERENCE:
+ element += 3;
+ fallthrough;
+ case ACPI_TYPE_INTEGER:
+ element++;
+ count++;
+ break;
+
+ default:
+ return -EPROTO;
+ }
+ }
+
+ return count;
+}
+
+static int acpi_find_gpio_count(struct acpi_resource *ares, void *data)
+{
+ unsigned int *count = data;
+
+ if (ares->type == ACPI_RESOURCE_TYPE_GPIO)
+ *count += ares->data.gpio.pin_table_length;
+
+ return 1;
+}
+
+/**
+ * acpi_gpio_count - count the GPIOs associated with a firmware node / function
+ * @fwnode: firmware node of the GPIO consumer
+ * @con_id: function within the GPIO consumer
+ *
+ * Returns:
+ * The number of GPIOs associated with a firmware node / function or %-ENOENT,
+ * if no GPIO has been assigned to the requested function.
+ */
+int acpi_gpio_count(const struct fwnode_handle *fwnode, const char *con_id)
+{
+ struct acpi_device *adev = to_acpi_device_node(fwnode);
+ const union acpi_object *obj;
+ const struct acpi_gpio_mapping *gm;
+ int count = -ENOENT;
+ int ret;
+ char propname[32];
+
+ /* Try first from _DSD */
+ for_each_gpio_property_name(propname, con_id) {
+ ret = acpi_dev_get_property(adev, propname, ACPI_TYPE_ANY, &obj);
+ if (ret == 0) {
+ if (obj->type == ACPI_TYPE_LOCAL_REFERENCE)
+ count = 1;
+ else if (obj->type == ACPI_TYPE_PACKAGE)
+ count = acpi_gpio_package_count(obj);
+ } else if (adev->driver_gpios) {
+ for (gm = adev->driver_gpios; gm->name; gm++)
+ if (strcmp(propname, gm->name) == 0) {
+ count = gm->size;
+ break;
+ }
+ }
+ if (count > 0)
+ break;
+ }
+
+ /* Then from plain _CRS GPIOs */
+ if (count < 0) {
+ struct list_head resource_list;
+ unsigned int crs_count = 0;
+
+ if (!acpi_can_fallback_to_crs(adev, con_id))
+ return count;
+
+ INIT_LIST_HEAD(&resource_list);
+ acpi_dev_get_resources(adev, &resource_list,
+ acpi_find_gpio_count, &crs_count);
+ acpi_dev_free_resource_list(&resource_list);
+ if (crs_count > 0)
+ count = crs_count;
+ }
+ return count ? count : -ENOENT;
+}
--- /dev/null
+++ b/drivers/gpio/gpiolib-acpi-quirks.c
@@ -0,0 +1,363 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * ACPI quirks for GPIO ACPI helpers
+ *
+ * Author: Hans de Goede <hdegoede@redhat.com>
+ */
+
+#include <linux/dmi.h>
+#include <linux/kstrtox.h>
+#include <linux/list.h>
+#include <linux/module.h>
+#include <linux/mutex.h>
+#include <linux/printk.h>
+#include <linux/string.h>
+#include <linux/types.h>
+
+#include "gpiolib-acpi.h"
+
+static int run_edge_events_on_boot = -1;
+module_param(run_edge_events_on_boot, int, 0444);
+MODULE_PARM_DESC(run_edge_events_on_boot,
+ "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto");
+
+static char *ignore_wake;
+module_param(ignore_wake, charp, 0444);
+MODULE_PARM_DESC(ignore_wake,
+ "controller@pin combos on which to ignore the ACPI wake flag "
+ "ignore_wake=controller@pin[,controller@pin[,...]]");
+
+static char *ignore_interrupt;
+module_param(ignore_interrupt, charp, 0444);
+MODULE_PARM_DESC(ignore_interrupt,
+ "controller@pin combos on which to ignore interrupt "
+ "ignore_interrupt=controller@pin[,controller@pin[,...]]");
+
+/*
+ * For GPIO chips which call acpi_gpiochip_request_interrupts() before late_init
+ * (so builtin drivers) we register the ACPI GpioInt IRQ handlers from a
+ * late_initcall_sync() handler, so that other builtin drivers can register their
+ * OpRegions before the event handlers can run. This list contains GPIO chips
+ * for which the acpi_gpiochip_request_irqs() call has been deferred.
+ */
+static DEFINE_MUTEX(acpi_gpio_deferred_req_irqs_lock);
+static LIST_HEAD(acpi_gpio_deferred_req_irqs_list);
+static bool acpi_gpio_deferred_req_irqs_done;
+
+bool acpi_gpio_add_to_deferred_list(struct list_head *list)
+{
+ bool defer;
+
+ mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
+ defer = !acpi_gpio_deferred_req_irqs_done;
+ if (defer)
+ list_add(list, &acpi_gpio_deferred_req_irqs_list);
+ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
+
+ return defer;
+}
+
+void acpi_gpio_remove_from_deferred_list(struct list_head *list)
+{
+ mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
+ if (!list_empty(list))
+ list_del_init(list);
+ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
+}
+
+int acpi_gpio_need_run_edge_events_on_boot(void)
+{
+ return run_edge_events_on_boot;
+}
+
+bool acpi_gpio_in_ignore_list(enum acpi_gpio_ignore_list list,
+ const char *controller_in, unsigned int pin_in)
+{
+ const char *ignore_list, *controller, *pin_str;
+ unsigned int pin;
+ char *endp;
+ int len;
+
+ switch (list) {
+ case ACPI_GPIO_IGNORE_WAKE:
+ ignore_list = ignore_wake;
+ break;
+ case ACPI_GPIO_IGNORE_INTERRUPT:
+ ignore_list = ignore_interrupt;
+ break;
+ default:
+ return false;
+ }
+
+ controller = ignore_list;
+ while (controller) {
+ pin_str = strchr(controller, '@');
+ if (!pin_str)
+ goto err;
+
+ len = pin_str - controller;
+ if (len == strlen(controller_in) &&
+ strncmp(controller, controller_in, len) == 0) {
+ pin = simple_strtoul(pin_str + 1, &endp, 10);
+ if (*endp != 0 && *endp != ',')
+ goto err;
+
+ if (pin == pin_in)
+ return true;
+ }
+
+ controller = strchr(controller, ',');
+ if (controller)
+ controller++;
+ }
+
+ return false;
+err:
+ pr_err_once("Error: Invalid value for gpiolib_acpi.ignore_...: %s\n", ignore_list);
+ return false;
+}
+
+/* Run deferred acpi_gpiochip_request_irqs() */
+static int __init acpi_gpio_handle_deferred_request_irqs(void)
+{
+ mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
+ acpi_gpio_process_deferred_list(&acpi_gpio_deferred_req_irqs_list);
+ acpi_gpio_deferred_req_irqs_done = true;
+ mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
+
+ return 0;
+}
+/* We must use _sync so that this runs after the first deferred_probe run */
+late_initcall_sync(acpi_gpio_handle_deferred_request_irqs);
+
+struct acpi_gpiolib_dmi_quirk {
+ bool no_edge_events_on_boot;
+ char *ignore_wake;
+ char *ignore_interrupt;
+};
+
+static const struct dmi_system_id gpiolib_acpi_quirks[] __initconst = {
+ {
+ /*
+ * The Minix Neo Z83-4 has a micro-USB-B id-pin handler for
+ * a non existing micro-USB-B connector which puts the HDMI
+ * DDC pins in GPIO mode, breaking HDMI support.
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .no_edge_events_on_boot = true,
+ },
+ },
+ {
+ /*
+ * The Terra Pad 1061 has a micro-USB-B id-pin handler, which
+ * instead of controlling the actual micro-USB-B turns the 5V
+ * boost for its USB-A connector off. The actual micro-USB-B
+ * connector is wired for charging only.
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Wortmann_AG"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "TERRA_PAD_1061"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .no_edge_events_on_boot = true,
+ },
+ },
+ {
+ /*
+ * The Dell Venue 10 Pro 5055, with Bay Trail SoC + TI PMIC uses an
+ * external embedded-controller connected via I2C + an ACPI GPIO
+ * event handler on INT33FFC:02 pin 12, causing spurious wakeups.
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Venue 10 Pro 5055"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "INT33FC:02@12",
+ },
+ },
+ {
+ /*
+ * HP X2 10 models with Cherry Trail SoC + TI PMIC use an
+ * external embedded-controller connected via I2C + an ACPI GPIO
+ * event handler on INT33FF:01 pin 0, causing spurious wakeups.
+ * When suspending by closing the LID, the power to the USB
+ * keyboard is turned off, causing INT0002 ACPI events to
+ * trigger once the XHCI controller notices the keyboard is
+ * gone. So INT0002 events cause spurious wakeups too. Ignoring
+ * EC wakes breaks wakeup when opening the lid, the user needs
+ * to press the power-button to wakeup the system. The
+ * alternative is suspend simply not working, which is worse.
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP x2 Detachable 10-p0XX"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "INT33FF:01@0,INT0002:00@2",
+ },
+ },
+ {
+ /*
+ * HP X2 10 models with Bay Trail SoC + AXP288 PMIC use an
+ * external embedded-controller connected via I2C + an ACPI GPIO
+ * event handler on INT33FC:02 pin 28, causing spurious wakeups.
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion x2 Detachable"),
+ DMI_MATCH(DMI_BOARD_NAME, "815D"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "INT33FC:02@28",
+ },
+ },
+ {
+ /*
+ * HP X2 10 models with Cherry Trail SoC + AXP288 PMIC use an
+ * external embedded-controller connected via I2C + an ACPI GPIO
+ * event handler on INT33FF:01 pin 0, causing spurious wakeups.
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "HP"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion x2 Detachable"),
+ DMI_MATCH(DMI_BOARD_NAME, "813E"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "INT33FF:01@0",
+ },
+ },
+ {
+ /*
+ * Interrupt storm caused from edge triggered floating pin
+ * Found in BIOS UX325UAZ.300
+ * https://bugzilla.kernel.org/show_bug.cgi?id=216208
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX325UAZ_UM325UAZ"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_interrupt = "AMDI0030:00@18",
+ },
+ },
+ {
+ /*
+ * Spurious wakeups from TP_ATTN# pin
+ * Found in BIOS 1.7.8
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/1722#note_1720627
+ */
+ .matches = {
+ DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "ELAN0415:00@9",
+ },
+ },
+ {
+ /*
+ * Spurious wakeups from TP_ATTN# pin
+ * Found in BIOS 1.7.8
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/1722#note_1720627
+ */
+ .matches = {
+ DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "ELAN0415:00@9",
+ },
+ },
+ {
+ /*
+ * Spurious wakeups from TP_ATTN# pin
+ * Found in BIOS 1.7.7
+ */
+ .matches = {
+ DMI_MATCH(DMI_BOARD_NAME, "NH5xAx"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "SYNA1202:00@16",
+ },
+ },
+ {
+ /*
+ * On the Peaq C1010 2-in-1 INT33FC:00 pin 3 is connected to
+ * a "dolby" button. At the ACPI level an _AEI event-handler
+ * is connected which sets an ACPI variable to 1 on both
+ * edges. This variable can be polled + cleared to 0 using
+ * WMI. But since the variable is set on both edges the WMI
+ * interface is pretty useless even when polling.
+ * So instead the x86-android-tablets code instantiates
+ * a gpio-keys platform device for it.
+ * Ignore the _AEI handler for the pin, so that it is not busy.
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "PEAQ"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "PEAQ PMM C1010 MD99187"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_interrupt = "INT33FC:00@3",
+ },
+ },
+ {
+ /*
+ * Spurious wakeups from TP_ATTN# pin
+ * Found in BIOS 0.35
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/3073
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "GPD"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "G1619-04"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "PNP0C50:00@8",
+ },
+ },
+ {
+ /*
+ * Spurious wakeups from GPIO 11
+ * Found in BIOS 1.04
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/3954
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+ DMI_MATCH(DMI_PRODUCT_FAMILY, "Acer Nitro V 14"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_interrupt = "AMDI0030:00@11",
+ },
+ },
+ {} /* Terminating entry */
+};
+
+static int __init acpi_gpio_setup_params(void)
+{
+ const struct acpi_gpiolib_dmi_quirk *quirk = NULL;
+ const struct dmi_system_id *id;
+
+ id = dmi_first_match(gpiolib_acpi_quirks);
+ if (id)
+ quirk = id->driver_data;
+
+ if (run_edge_events_on_boot < 0) {
+ if (quirk && quirk->no_edge_events_on_boot)
+ run_edge_events_on_boot = 0;
+ else
+ run_edge_events_on_boot = 1;
+ }
+
+ if (ignore_wake == NULL && quirk && quirk->ignore_wake)
+ ignore_wake = quirk->ignore_wake;
+
+ if (ignore_interrupt == NULL && quirk && quirk->ignore_interrupt)
+ ignore_interrupt = quirk->ignore_interrupt;
+
+ return 0;
+}
+
+/* Directly after dmi_setup() which runs as core_initcall() */
+postcore_initcall(acpi_gpio_setup_params);
--- a/drivers/gpio/gpiolib-acpi.c
+++ /dev/null
@@ -1,1765 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * ACPI helpers for GPIO API
- *
- * Copyright (C) 2012, Intel Corporation
- * Authors: Mathias Nyman <mathias.nyman@linux.intel.com>
- * Mika Westerberg <mika.westerberg@linux.intel.com>
- */
-
-#include <linux/acpi.h>
-#include <linux/dmi.h>
-#include <linux/errno.h>
-#include <linux/export.h>
-#include <linux/interrupt.h>
-#include <linux/irq.h>
-#include <linux/mutex.h>
-#include <linux/pinctrl/pinctrl.h>
-
-#include <linux/gpio/consumer.h>
-#include <linux/gpio/driver.h>
-#include <linux/gpio/machine.h>
-
-#include "gpiolib.h"
-#include "gpiolib-acpi.h"
-
-static int run_edge_events_on_boot = -1;
-module_param(run_edge_events_on_boot, int, 0444);
-MODULE_PARM_DESC(run_edge_events_on_boot,
- "Run edge _AEI event-handlers at boot: 0=no, 1=yes, -1=auto");
-
-static char *ignore_wake;
-module_param(ignore_wake, charp, 0444);
-MODULE_PARM_DESC(ignore_wake,
- "controller@pin combos on which to ignore the ACPI wake flag "
- "ignore_wake=controller@pin[,controller@pin[,...]]");
-
-static char *ignore_interrupt;
-module_param(ignore_interrupt, charp, 0444);
-MODULE_PARM_DESC(ignore_interrupt,
- "controller@pin combos on which to ignore interrupt "
- "ignore_interrupt=controller@pin[,controller@pin[,...]]");
-
-struct acpi_gpiolib_dmi_quirk {
- bool no_edge_events_on_boot;
- char *ignore_wake;
- char *ignore_interrupt;
-};
-
-/**
- * struct acpi_gpio_event - ACPI GPIO event handler data
- *
- * @node: list-entry of the events list of the struct acpi_gpio_chip
- * @handle: handle of ACPI method to execute when the IRQ triggers
- * @handler: handler function to pass to request_irq() when requesting the IRQ
- * @pin: GPIO pin number on the struct gpio_chip
- * @irq: Linux IRQ number for the event, for request_irq() / free_irq()
- * @irqflags: flags to pass to request_irq() when requesting the IRQ
- * @irq_is_wake: If the ACPI flags indicate the IRQ is a wakeup source
- * @irq_requested:True if request_irq() has been done
- * @desc: struct gpio_desc for the GPIO pin for this event
- */
-struct acpi_gpio_event {
- struct list_head node;
- acpi_handle handle;
- irq_handler_t handler;
- unsigned int pin;
- unsigned int irq;
- unsigned long irqflags;
- bool irq_is_wake;
- bool irq_requested;
- struct gpio_desc *desc;
-};
-
-struct acpi_gpio_connection {
- struct list_head node;
- unsigned int pin;
- struct gpio_desc *desc;
-};
-
-struct acpi_gpio_chip {
- /*
- * ACPICA requires that the first field of the context parameter
- * passed to acpi_install_address_space_handler() is large enough
- * to hold struct acpi_connection_info.
- */
- struct acpi_connection_info conn_info;
- struct list_head conns;
- struct mutex conn_lock;
- struct gpio_chip *chip;
- struct list_head events;
- struct list_head deferred_req_irqs_list_entry;
-};
-
-/**
- * struct acpi_gpio_info - ACPI GPIO specific information
- * @adev: reference to ACPI device which consumes GPIO resource
- * @flags: GPIO initialization flags
- * @gpioint: if %true this GPIO is of type GpioInt otherwise type is GpioIo
- * @pin_config: pin bias as provided by ACPI
- * @polarity: interrupt polarity as provided by ACPI
- * @triggering: triggering type as provided by ACPI
- * @wake_capable: wake capability as provided by ACPI
- * @debounce: debounce timeout as provided by ACPI
- * @quirks: Linux specific quirks as provided by struct acpi_gpio_mapping
- */
-struct acpi_gpio_info {
- struct acpi_device *adev;
- enum gpiod_flags flags;
- bool gpioint;
- int pin_config;
- int polarity;
- int triggering;
- bool wake_capable;
- unsigned int debounce;
- unsigned int quirks;
-};
-
-/*
- * For GPIO chips which call acpi_gpiochip_request_interrupts() before late_init
- * (so builtin drivers) we register the ACPI GpioInt IRQ handlers from a
- * late_initcall_sync() handler, so that other builtin drivers can register their
- * OpRegions before the event handlers can run. This list contains GPIO chips
- * for which the acpi_gpiochip_request_irqs() call has been deferred.
- */
-static DEFINE_MUTEX(acpi_gpio_deferred_req_irqs_lock);
-static LIST_HEAD(acpi_gpio_deferred_req_irqs_list);
-static bool acpi_gpio_deferred_req_irqs_done;
-
-static int acpi_gpiochip_find(struct gpio_chip *gc, const void *data)
-{
- /* First check the actual GPIO device */
- if (device_match_acpi_handle(&gc->gpiodev->dev, data))
- return true;
-
- /*
- * When the ACPI device is artificially split to the banks of GPIOs,
- * where each of them is represented by a separate GPIO device,
- * the firmware node of the physical device may not be shared among
- * the banks as they may require different values for the same property,
- * e.g., number of GPIOs in a certain bank. In such case the ACPI handle
- * of a GPIO device is NULL and can not be used. Hence we have to check
- * the parent device to be sure that there is no match before bailing
- * out.
- */
- if (gc->parent)
- return device_match_acpi_handle(gc->parent, data);
-
- return false;
-}
-
-/**
- * acpi_get_gpiod() - Translate ACPI GPIO pin to GPIO descriptor usable with GPIO API
- * @path: ACPI GPIO controller full path name, (e.g. "\\_SB.GPO1")
- * @pin: ACPI GPIO pin number (0-based, controller-relative)
- *
- * Returns:
- * GPIO descriptor to use with Linux generic GPIO API.
- * If the GPIO cannot be translated or there is an error an ERR_PTR is
- * returned.
- *
- * Specifically returns %-EPROBE_DEFER if the referenced GPIO
- * controller does not have GPIO chip registered at the moment. This is to
- * support probe deferral.
- */
-static struct gpio_desc *acpi_get_gpiod(char *path, unsigned int pin)
-{
- acpi_handle handle;
- acpi_status status;
-
- status = acpi_get_handle(NULL, path, &handle);
- if (ACPI_FAILURE(status))
- return ERR_PTR(-ENODEV);
-
- struct gpio_device *gdev __free(gpio_device_put) =
- gpio_device_find(handle, acpi_gpiochip_find);
- if (!gdev)
- return ERR_PTR(-EPROBE_DEFER);
-
- /*
- * FIXME: keep track of the reference to the GPIO device somehow
- * instead of putting it here.
- */
- return gpio_device_get_desc(gdev, pin);
-}
-
-static irqreturn_t acpi_gpio_irq_handler(int irq, void *data)
-{
- struct acpi_gpio_event *event = data;
-
- acpi_evaluate_object(event->handle, NULL, NULL, NULL);
-
- return IRQ_HANDLED;
-}
-
-static irqreturn_t acpi_gpio_irq_handler_evt(int irq, void *data)
-{
- struct acpi_gpio_event *event = data;
-
- acpi_execute_simple_method(event->handle, NULL, event->pin);
-
- return IRQ_HANDLED;
-}
-
-static void acpi_gpio_chip_dh(acpi_handle handle, void *data)
-{
- /* The address of this function is used as a key. */
-}
-
-bool acpi_gpio_get_irq_resource(struct acpi_resource *ares,
- struct acpi_resource_gpio **agpio)
-{
- struct acpi_resource_gpio *gpio;
-
- if (ares->type != ACPI_RESOURCE_TYPE_GPIO)
- return false;
-
- gpio = &ares->data.gpio;
- if (gpio->connection_type != ACPI_RESOURCE_GPIO_TYPE_INT)
- return false;
-
- *agpio = gpio;
- return true;
-}
-EXPORT_SYMBOL_GPL(acpi_gpio_get_irq_resource);
-
-/**
- * acpi_gpio_get_io_resource - Fetch details of an ACPI resource if it is a GPIO
- * I/O resource or return False if not.
- * @ares: Pointer to the ACPI resource to fetch
- * @agpio: Pointer to a &struct acpi_resource_gpio to store the output pointer
- *
- * Returns:
- * %true if GpioIo resource is found, %false otherwise.
- */
-bool acpi_gpio_get_io_resource(struct acpi_resource *ares,
- struct acpi_resource_gpio **agpio)
-{
- struct acpi_resource_gpio *gpio;
-
- if (ares->type != ACPI_RESOURCE_TYPE_GPIO)
- return false;
-
- gpio = &ares->data.gpio;
- if (gpio->connection_type != ACPI_RESOURCE_GPIO_TYPE_IO)
- return false;
-
- *agpio = gpio;
- return true;
-}
-EXPORT_SYMBOL_GPL(acpi_gpio_get_io_resource);
-
-static void acpi_gpiochip_request_irq(struct acpi_gpio_chip *acpi_gpio,
- struct acpi_gpio_event *event)
-{
- struct device *parent = acpi_gpio->chip->parent;
- int ret, value;
-
- ret = request_threaded_irq(event->irq, NULL, event->handler,
- event->irqflags | IRQF_ONESHOT, "ACPI:Event", event);
- if (ret) {
- dev_err(parent, "Failed to setup interrupt handler for %d\n", event->irq);
- return;
- }
-
- if (event->irq_is_wake)
- enable_irq_wake(event->irq);
-
- event->irq_requested = true;
-
- /* Make sure we trigger the initial state of edge-triggered IRQs */
- if (acpi_gpio_need_run_edge_events_on_boot() &&
- (event->irqflags & (IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING))) {
- value = gpiod_get_raw_value_cansleep(event->desc);
- if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
- ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0))
- event->handler(event->irq, event);
- }
-}
-
-static void acpi_gpiochip_request_irqs(struct acpi_gpio_chip *acpi_gpio)
-{
- struct acpi_gpio_event *event;
-
- list_for_each_entry(event, &acpi_gpio->events, node)
- acpi_gpiochip_request_irq(acpi_gpio, event);
-}
-
-static enum gpiod_flags
-acpi_gpio_to_gpiod_flags(const struct acpi_resource_gpio *agpio, int polarity)
-{
- /* GpioInt() implies input configuration */
- if (agpio->connection_type == ACPI_RESOURCE_GPIO_TYPE_INT)
- return GPIOD_IN;
-
- switch (agpio->io_restriction) {
- case ACPI_IO_RESTRICT_INPUT:
- return GPIOD_IN;
- case ACPI_IO_RESTRICT_OUTPUT:
- /*
- * ACPI GPIO resources don't contain an initial value for the
- * GPIO. Therefore we deduce that value from the pull field
- * and the polarity instead. If the pin is pulled up we assume
- * default to be high, if it is pulled down we assume default
- * to be low, otherwise we leave pin untouched. For active low
- * polarity values will be switched. See also
- * Documentation/firmware-guide/acpi/gpio-properties.rst.
- */
- switch (agpio->pin_config) {
- case ACPI_PIN_CONFIG_PULLUP:
- return polarity == GPIO_ACTIVE_LOW ? GPIOD_OUT_LOW : GPIOD_OUT_HIGH;
- case ACPI_PIN_CONFIG_PULLDOWN:
- return polarity == GPIO_ACTIVE_LOW ? GPIOD_OUT_HIGH : GPIOD_OUT_LOW;
- default:
- break;
- }
- break;
- default:
- break;
- }
-
- /*
- * Assume that the BIOS has configured the direction and pull
- * accordingly.
- */
- return GPIOD_ASIS;
-}
-
-static struct gpio_desc *acpi_request_own_gpiod(struct gpio_chip *chip,
- struct acpi_resource_gpio *agpio,
- unsigned int index,
- const char *label)
-{
- int polarity = GPIO_ACTIVE_HIGH;
- enum gpiod_flags flags = acpi_gpio_to_gpiod_flags(agpio, polarity);
- unsigned int pin = agpio->pin_table[index];
- struct gpio_desc *desc;
- int ret;
-
- desc = gpiochip_request_own_desc(chip, pin, label, polarity, flags);
- if (IS_ERR(desc))
- return desc;
-
- /* ACPI uses hundredths of milliseconds units */
- ret = gpio_set_debounce_timeout(desc, agpio->debounce_timeout * 10);
- if (ret)
- dev_warn(chip->parent,
- "Failed to set debounce-timeout for pin 0x%04X, err %d\n",
- pin, ret);
-
- return desc;
-}
-
-bool acpi_gpio_add_to_deferred_list(struct list_head *list)
-{
- bool defer;
-
- mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
- defer = !acpi_gpio_deferred_req_irqs_done;
- if (defer)
- list_add(list, &acpi_gpio_deferred_req_irqs_list);
- mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
-
- return defer;
-}
-
-void acpi_gpio_remove_from_deferred_list(struct list_head *list)
-{
- mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
- if (!list_empty(list))
- list_del_init(list);
- mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
-}
-
-int acpi_gpio_need_run_edge_events_on_boot(void)
-{
- return run_edge_events_on_boot;
-}
-
-bool acpi_gpio_in_ignore_list(enum acpi_gpio_ignore_list list, const char *controller_in,
- unsigned int pin_in)
-{
- const char *ignore_list, *controller, *pin_str;
- unsigned int pin;
- char *endp;
- int len;
-
- switch (list) {
- case ACPI_GPIO_IGNORE_WAKE:
- ignore_list = ignore_wake;
- break;
- case ACPI_GPIO_IGNORE_INTERRUPT:
- ignore_list = ignore_interrupt;
- break;
- default:
- return false;
- }
-
- controller = ignore_list;
- while (controller) {
- pin_str = strchr(controller, '@');
- if (!pin_str)
- goto err;
-
- len = pin_str - controller;
- if (len == strlen(controller_in) &&
- strncmp(controller, controller_in, len) == 0) {
- pin = simple_strtoul(pin_str + 1, &endp, 10);
- if (*endp != 0 && *endp != ',')
- goto err;
-
- if (pin == pin_in)
- return true;
- }
-
- controller = strchr(controller, ',');
- if (controller)
- controller++;
- }
-
- return false;
-err:
- pr_err_once("Error: Invalid value for gpiolib_acpi.ignore_...: %s\n", ignore_list);
- return false;
-}
-
-static bool acpi_gpio_irq_is_wake(struct device *parent,
- const struct acpi_resource_gpio *agpio)
-{
- unsigned int pin = agpio->pin_table[0];
-
- if (agpio->wake_capable != ACPI_WAKE_CAPABLE)
- return false;
-
- if (acpi_gpio_in_ignore_list(ACPI_GPIO_IGNORE_WAKE, dev_name(parent), pin)) {
- dev_info(parent, "Ignoring wakeup on pin %u\n", pin);
- return false;
- }
-
- return true;
-}
-
-/* Always returns AE_OK so that we keep looping over the resources */
-static acpi_status acpi_gpiochip_alloc_event(struct acpi_resource *ares,
- void *context)
-{
- struct acpi_gpio_chip *acpi_gpio = context;
- struct gpio_chip *chip = acpi_gpio->chip;
- struct acpi_resource_gpio *agpio;
- acpi_handle handle, evt_handle;
- struct acpi_gpio_event *event;
- irq_handler_t handler = NULL;
- struct gpio_desc *desc;
- unsigned int pin;
- int ret, irq;
-
- if (!acpi_gpio_get_irq_resource(ares, &agpio))
- return AE_OK;
-
- handle = ACPI_HANDLE(chip->parent);
- pin = agpio->pin_table[0];
-
- if (pin <= 255) {
- char ev_name[8];
- sprintf(ev_name, "_%c%02X",
- agpio->triggering == ACPI_EDGE_SENSITIVE ? 'E' : 'L',
- pin);
- if (ACPI_SUCCESS(acpi_get_handle(handle, ev_name, &evt_handle)))
- handler = acpi_gpio_irq_handler;
- }
- if (!handler) {
- if (ACPI_SUCCESS(acpi_get_handle(handle, "_EVT", &evt_handle)))
- handler = acpi_gpio_irq_handler_evt;
- }
- if (!handler)
- return AE_OK;
-
- if (acpi_gpio_in_ignore_list(ACPI_GPIO_IGNORE_INTERRUPT, dev_name(chip->parent), pin)) {
- dev_info(chip->parent, "Ignoring interrupt on pin %u\n", pin);
- return AE_OK;
- }
-
- desc = acpi_request_own_gpiod(chip, agpio, 0, "ACPI:Event");
- if (IS_ERR(desc)) {
- dev_err(chip->parent,
- "Failed to request GPIO for pin 0x%04X, err %ld\n",
- pin, PTR_ERR(desc));
- return AE_OK;
- }
-
- ret = gpiochip_lock_as_irq(chip, pin);
- if (ret) {
- dev_err(chip->parent,
- "Failed to lock GPIO pin 0x%04X as interrupt, err %d\n",
- pin, ret);
- goto fail_free_desc;
- }
-
- irq = gpiod_to_irq(desc);
- if (irq < 0) {
- dev_err(chip->parent,
- "Failed to translate GPIO pin 0x%04X to IRQ, err %d\n",
- pin, irq);
- goto fail_unlock_irq;
- }
-
- event = kzalloc(sizeof(*event), GFP_KERNEL);
- if (!event)
- goto fail_unlock_irq;
-
- event->irqflags = IRQF_ONESHOT;
- if (agpio->triggering == ACPI_LEVEL_SENSITIVE) {
- if (agpio->polarity == ACPI_ACTIVE_HIGH)
- event->irqflags |= IRQF_TRIGGER_HIGH;
- else
- event->irqflags |= IRQF_TRIGGER_LOW;
- } else {
- switch (agpio->polarity) {
- case ACPI_ACTIVE_HIGH:
- event->irqflags |= IRQF_TRIGGER_RISING;
- break;
- case ACPI_ACTIVE_LOW:
- event->irqflags |= IRQF_TRIGGER_FALLING;
- break;
- default:
- event->irqflags |= IRQF_TRIGGER_RISING |
- IRQF_TRIGGER_FALLING;
- break;
- }
- }
-
- event->handle = evt_handle;
- event->handler = handler;
- event->irq = irq;
- event->irq_is_wake = acpi_gpio_irq_is_wake(chip->parent, agpio);
- event->pin = pin;
- event->desc = desc;
-
- list_add_tail(&event->node, &acpi_gpio->events);
-
- return AE_OK;
-
-fail_unlock_irq:
- gpiochip_unlock_as_irq(chip, pin);
-fail_free_desc:
- gpiochip_free_own_desc(desc);
-
- return AE_OK;
-}
-
-/**
- * acpi_gpiochip_request_interrupts() - Register isr for gpio chip ACPI events
- * @chip: GPIO chip
- *
- * ACPI5 platforms can use GPIO signaled ACPI events. These GPIO interrupts are
- * handled by ACPI event methods which need to be called from the GPIO
- * chip's interrupt handler. acpi_gpiochip_request_interrupts() finds out which
- * GPIO pins have ACPI event methods and assigns interrupt handlers that calls
- * the ACPI event methods for those pins.
- */
-void acpi_gpiochip_request_interrupts(struct gpio_chip *chip)
-{
- struct acpi_gpio_chip *acpi_gpio;
- acpi_handle handle;
- acpi_status status;
-
- if (!chip->parent || !chip->to_irq)
- return;
-
- handle = ACPI_HANDLE(chip->parent);
- if (!handle)
- return;
-
- status = acpi_get_data(handle, acpi_gpio_chip_dh, (void **)&acpi_gpio);
- if (ACPI_FAILURE(status))
- return;
-
- if (acpi_quirk_skip_gpio_event_handlers())
- return;
-
- acpi_walk_resources(handle, METHOD_NAME__AEI,
- acpi_gpiochip_alloc_event, acpi_gpio);
-
- if (acpi_gpio_add_to_deferred_list(&acpi_gpio->deferred_req_irqs_list_entry))
- return;
-
- acpi_gpiochip_request_irqs(acpi_gpio);
-}
-EXPORT_SYMBOL_GPL(acpi_gpiochip_request_interrupts);
-
-/**
- * acpi_gpiochip_free_interrupts() - Free GPIO ACPI event interrupts.
- * @chip: GPIO chip
- *
- * Free interrupts associated with GPIO ACPI event method for the given
- * GPIO chip.
- */
-void acpi_gpiochip_free_interrupts(struct gpio_chip *chip)
-{
- struct acpi_gpio_chip *acpi_gpio;
- struct acpi_gpio_event *event, *ep;
- acpi_handle handle;
- acpi_status status;
-
- if (!chip->parent || !chip->to_irq)
- return;
-
- handle = ACPI_HANDLE(chip->parent);
- if (!handle)
- return;
-
- status = acpi_get_data(handle, acpi_gpio_chip_dh, (void **)&acpi_gpio);
- if (ACPI_FAILURE(status))
- return;
-
- acpi_gpio_remove_from_deferred_list(&acpi_gpio->deferred_req_irqs_list_entry);
-
- list_for_each_entry_safe_reverse(event, ep, &acpi_gpio->events, node) {
- if (event->irq_requested) {
- if (event->irq_is_wake)
- disable_irq_wake(event->irq);
-
- free_irq(event->irq, event);
- }
-
- gpiochip_unlock_as_irq(chip, event->pin);
- gpiochip_free_own_desc(event->desc);
- list_del(&event->node);
- kfree(event);
- }
-}
-EXPORT_SYMBOL_GPL(acpi_gpiochip_free_interrupts);
-
-void __init acpi_gpio_process_deferred_list(struct list_head *list)
-{
- struct acpi_gpio_chip *acpi_gpio, *tmp;
-
- list_for_each_entry_safe(acpi_gpio, tmp, list, deferred_req_irqs_list_entry)
- acpi_gpiochip_request_irqs(acpi_gpio);
-}
-
-int acpi_dev_add_driver_gpios(struct acpi_device *adev,
- const struct acpi_gpio_mapping *gpios)
-{
- if (adev && gpios) {
- adev->driver_gpios = gpios;
- return 0;
- }
- return -EINVAL;
-}
-EXPORT_SYMBOL_GPL(acpi_dev_add_driver_gpios);
-
-void acpi_dev_remove_driver_gpios(struct acpi_device *adev)
-{
- if (adev)
- adev->driver_gpios = NULL;
-}
-EXPORT_SYMBOL_GPL(acpi_dev_remove_driver_gpios);
-
-static void acpi_dev_release_driver_gpios(void *adev)
-{
- acpi_dev_remove_driver_gpios(adev);
-}
-
-int devm_acpi_dev_add_driver_gpios(struct device *dev,
- const struct acpi_gpio_mapping *gpios)
-{
- struct acpi_device *adev = ACPI_COMPANION(dev);
- int ret;
-
- ret = acpi_dev_add_driver_gpios(adev, gpios);
- if (ret)
- return ret;
-
- return devm_add_action_or_reset(dev, acpi_dev_release_driver_gpios, adev);
-}
-EXPORT_SYMBOL_GPL(devm_acpi_dev_add_driver_gpios);
-
-static bool acpi_get_driver_gpio_data(struct acpi_device *adev,
- const char *name, int index,
- struct fwnode_reference_args *args,
- unsigned int *quirks)
-{
- const struct acpi_gpio_mapping *gm;
-
- if (!adev || !adev->driver_gpios)
- return false;
-
- for (gm = adev->driver_gpios; gm->name; gm++)
- if (!strcmp(name, gm->name) && gm->data && index < gm->size) {
- const struct acpi_gpio_params *par = gm->data + index;
-
- args->fwnode = acpi_fwnode_handle(adev);
- args->args[0] = par->crs_entry_index;
- args->args[1] = par->line_index;
- args->args[2] = par->active_low;
- args->nargs = 3;
-
- *quirks = gm->quirks;
- return true;
- }
-
- return false;
-}
-
-static int
-__acpi_gpio_update_gpiod_flags(enum gpiod_flags *flags, enum gpiod_flags update)
-{
- const enum gpiod_flags mask =
- GPIOD_FLAGS_BIT_DIR_SET | GPIOD_FLAGS_BIT_DIR_OUT |
- GPIOD_FLAGS_BIT_DIR_VAL;
- int ret = 0;
-
- /*
- * Check if the BIOS has IoRestriction with explicitly set direction
- * and update @flags accordingly. Otherwise use whatever caller asked
- * for.
- */
- if (update & GPIOD_FLAGS_BIT_DIR_SET) {
- enum gpiod_flags diff = *flags ^ update;
-
- /*
- * Check if caller supplied incompatible GPIO initialization
- * flags.
- *
- * Return %-EINVAL to notify that firmware has different
- * settings and we are going to use them.
- */
- if (((*flags & GPIOD_FLAGS_BIT_DIR_SET) && (diff & GPIOD_FLAGS_BIT_DIR_OUT)) ||
- ((*flags & GPIOD_FLAGS_BIT_DIR_OUT) && (diff & GPIOD_FLAGS_BIT_DIR_VAL)))
- ret = -EINVAL;
- *flags = (*flags & ~mask) | (update & mask);
- }
- return ret;
-}
-
-static int acpi_gpio_update_gpiod_flags(enum gpiod_flags *flags,
- struct acpi_gpio_info *info)
-{
- struct device *dev = &info->adev->dev;
- enum gpiod_flags old = *flags;
- int ret;
-
- ret = __acpi_gpio_update_gpiod_flags(&old, info->flags);
- if (info->quirks & ACPI_GPIO_QUIRK_NO_IO_RESTRICTION) {
- if (ret)
- dev_warn(dev, FW_BUG "GPIO not in correct mode, fixing\n");
- } else {
- if (ret)
- dev_dbg(dev, "Override GPIO initialization flags\n");
- *flags = old;
- }
-
- return ret;
-}
-
-static int acpi_gpio_update_gpiod_lookup_flags(unsigned long *lookupflags,
- struct acpi_gpio_info *info)
-{
- switch (info->pin_config) {
- case ACPI_PIN_CONFIG_PULLUP:
- *lookupflags |= GPIO_PULL_UP;
- break;
- case ACPI_PIN_CONFIG_PULLDOWN:
- *lookupflags |= GPIO_PULL_DOWN;
- break;
- case ACPI_PIN_CONFIG_NOPULL:
- *lookupflags |= GPIO_PULL_DISABLE;
- break;
- default:
- break;
- }
-
- if (info->polarity == GPIO_ACTIVE_LOW)
- *lookupflags |= GPIO_ACTIVE_LOW;
-
- return 0;
-}
-
-struct acpi_gpio_lookup {
- struct acpi_gpio_info info;
- int index;
- u16 pin_index;
- bool active_low;
- struct gpio_desc *desc;
- int n;
-};
-
-static int acpi_populate_gpio_lookup(struct acpi_resource *ares, void *data)
-{
- struct acpi_gpio_lookup *lookup = data;
-
- if (ares->type != ACPI_RESOURCE_TYPE_GPIO)
- return 1;
-
- if (!lookup->desc) {
- const struct acpi_resource_gpio *agpio = &ares->data.gpio;
- bool gpioint = agpio->connection_type == ACPI_RESOURCE_GPIO_TYPE_INT;
- struct gpio_desc *desc;
- u16 pin_index;
-
- if (lookup->info.quirks & ACPI_GPIO_QUIRK_ONLY_GPIOIO && gpioint)
- lookup->index++;
-
- if (lookup->n++ != lookup->index)
- return 1;
-
- pin_index = lookup->pin_index;
- if (pin_index >= agpio->pin_table_length)
- return 1;
-
- if (lookup->info.quirks & ACPI_GPIO_QUIRK_ABSOLUTE_NUMBER)
- desc = gpio_to_desc(agpio->pin_table[pin_index]);
- else
- desc = acpi_get_gpiod(agpio->resource_source.string_ptr,
- agpio->pin_table[pin_index]);
- lookup->desc = desc;
- lookup->info.pin_config = agpio->pin_config;
- lookup->info.debounce = agpio->debounce_timeout;
- lookup->info.gpioint = gpioint;
- lookup->info.wake_capable = acpi_gpio_irq_is_wake(&lookup->info.adev->dev, agpio);
-
- /*
- * Polarity and triggering are only specified for GpioInt
- * resource.
- * Note: we expect here:
- * - ACPI_ACTIVE_LOW == GPIO_ACTIVE_LOW
- * - ACPI_ACTIVE_HIGH == GPIO_ACTIVE_HIGH
- */
- if (lookup->info.gpioint) {
- lookup->info.polarity = agpio->polarity;
- lookup->info.triggering = agpio->triggering;
- } else {
- lookup->info.polarity = lookup->active_low;
- }
-
- lookup->info.flags = acpi_gpio_to_gpiod_flags(agpio, lookup->info.polarity);
- }
-
- return 1;
-}
-
-static int acpi_gpio_resource_lookup(struct acpi_gpio_lookup *lookup,
- struct acpi_gpio_info *info)
-{
- struct acpi_device *adev = lookup->info.adev;
- struct list_head res_list;
- int ret;
-
- INIT_LIST_HEAD(&res_list);
-
- ret = acpi_dev_get_resources(adev, &res_list,
- acpi_populate_gpio_lookup,
- lookup);
- if (ret < 0)
- return ret;
-
- acpi_dev_free_resource_list(&res_list);
-
- if (!lookup->desc)
- return -ENOENT;
-
- if (info)
- *info = lookup->info;
- return 0;
-}
-
-static int acpi_gpio_property_lookup(struct fwnode_handle *fwnode,
- const char *propname, int index,
- struct acpi_gpio_lookup *lookup)
-{
- struct fwnode_reference_args args;
- unsigned int quirks = 0;
- int ret;
-
- memset(&args, 0, sizeof(args));
- ret = __acpi_node_get_property_reference(fwnode, propname, index, 3,
- &args);
- if (ret) {
- struct acpi_device *adev;
-
- adev = to_acpi_device_node(fwnode);
- if (!acpi_get_driver_gpio_data(adev, propname, index, &args, &quirks))
- return ret;
- }
- /*
- * The property was found and resolved, so need to lookup the GPIO based
- * on returned args.
- */
- if (!to_acpi_device_node(args.fwnode))
- return -EINVAL;
- if (args.nargs != 3)
- return -EPROTO;
-
- lookup->index = args.args[0];
- lookup->pin_index = args.args[1];
- lookup->active_low = !!args.args[2];
-
- lookup->info.adev = to_acpi_device_node(args.fwnode);
- lookup->info.quirks = quirks;
-
- return 0;
-}
-
-/**
- * acpi_get_gpiod_by_index() - get a GPIO descriptor from device resources
- * @adev: pointer to a ACPI device to get GPIO from
- * @propname: Property name of the GPIO (optional)
- * @index: index of GpioIo/GpioInt resource (starting from %0)
- * @info: info pointer to fill in (optional)
- *
- * Function goes through ACPI resources for @adev and based on @index looks
- * up a GpioIo/GpioInt resource, translates it to the Linux GPIO descriptor,
- * and returns it. @index matches GpioIo/GpioInt resources only so if there
- * are total %3 GPIO resources, the index goes from %0 to %2.
- *
- * If @propname is specified the GPIO is looked using device property. In
- * that case @index is used to select the GPIO entry in the property value
- * (in case of multiple).
- *
- * Returns:
- * GPIO descriptor to use with Linux generic GPIO API.
- * If the GPIO cannot be translated or there is an error an ERR_PTR is
- * returned.
- *
- * Note: if the GPIO resource has multiple entries in the pin list, this
- * function only returns the first.
- */
-static struct gpio_desc *acpi_get_gpiod_by_index(struct acpi_device *adev,
- const char *propname,
- int index,
- struct acpi_gpio_info *info)
-{
- struct acpi_gpio_lookup lookup;
- int ret;
-
- memset(&lookup, 0, sizeof(lookup));
- lookup.index = index;
-
- if (propname) {
- dev_dbg(&adev->dev, "GPIO: looking up %s\n", propname);
-
- ret = acpi_gpio_property_lookup(acpi_fwnode_handle(adev),
- propname, index, &lookup);
- if (ret)
- return ERR_PTR(ret);
-
- dev_dbg(&adev->dev, "GPIO: _DSD returned %s %d %u %u\n",
- dev_name(&lookup.info.adev->dev), lookup.index,
- lookup.pin_index, lookup.active_low);
- } else {
- dev_dbg(&adev->dev, "GPIO: looking up %d in _CRS\n", index);
- lookup.info.adev = adev;
- }
-
- ret = acpi_gpio_resource_lookup(&lookup, info);
- return ret ? ERR_PTR(ret) : lookup.desc;
-}
-
-/**
- * acpi_get_gpiod_from_data() - get a GPIO descriptor from ACPI data node
- * @fwnode: pointer to an ACPI firmware node to get the GPIO information from
- * @propname: Property name of the GPIO
- * @index: index of GpioIo/GpioInt resource (starting from %0)
- * @info: info pointer to fill in (optional)
- *
- * This function uses the property-based GPIO lookup to get to the GPIO
- * resource with the relevant information from a data-only ACPI firmware node
- * and uses that to obtain the GPIO descriptor to return.
- *
- * Returns:
- * GPIO descriptor to use with Linux generic GPIO API.
- * If the GPIO cannot be translated or there is an error an ERR_PTR is
- * returned.
- */
-static struct gpio_desc *acpi_get_gpiod_from_data(struct fwnode_handle *fwnode,
- const char *propname,
- int index,
- struct acpi_gpio_info *info)
-{
- struct acpi_gpio_lookup lookup;
- int ret;
-
- if (!is_acpi_data_node(fwnode))
- return ERR_PTR(-ENODEV);
-
- if (!propname)
- return ERR_PTR(-EINVAL);
-
- memset(&lookup, 0, sizeof(lookup));
- lookup.index = index;
-
- ret = acpi_gpio_property_lookup(fwnode, propname, index, &lookup);
- if (ret)
- return ERR_PTR(ret);
-
- ret = acpi_gpio_resource_lookup(&lookup, info);
- return ret ? ERR_PTR(ret) : lookup.desc;
-}
-
-static bool acpi_can_fallback_to_crs(struct acpi_device *adev,
- const char *con_id)
-{
- /* If there is no ACPI device, there is no _CRS to fall back to */
- if (!adev)
- return false;
-
- /* Never allow fallback if the device has properties */
- if (acpi_dev_has_props(adev) || adev->driver_gpios)
- return false;
-
- return con_id == NULL;
-}
-
-static struct gpio_desc *
-__acpi_find_gpio(struct fwnode_handle *fwnode, const char *con_id, unsigned int idx,
- bool can_fallback, struct acpi_gpio_info *info)
-{
- struct acpi_device *adev = to_acpi_device_node(fwnode);
- struct gpio_desc *desc;
- char propname[32];
-
- /* Try first from _DSD */
- for_each_gpio_property_name(propname, con_id) {
- if (adev)
- desc = acpi_get_gpiod_by_index(adev,
- propname, idx, info);
- else
- desc = acpi_get_gpiod_from_data(fwnode,
- propname, idx, info);
- if (PTR_ERR(desc) == -EPROBE_DEFER)
- return ERR_CAST(desc);
-
- if (!IS_ERR(desc))
- return desc;
- }
-
- /* Then from plain _CRS GPIOs */
- if (can_fallback)
- return acpi_get_gpiod_by_index(adev, NULL, idx, info);
-
- return ERR_PTR(-ENOENT);
-}
-
-struct gpio_desc *acpi_find_gpio(struct fwnode_handle *fwnode,
- const char *con_id,
- unsigned int idx,
- enum gpiod_flags *dflags,
- unsigned long *lookupflags)
-{
- struct acpi_device *adev = to_acpi_device_node(fwnode);
- bool can_fallback = acpi_can_fallback_to_crs(adev, con_id);
- struct acpi_gpio_info info;
- struct gpio_desc *desc;
-
- desc = __acpi_find_gpio(fwnode, con_id, idx, can_fallback, &info);
- if (IS_ERR(desc))
- return desc;
-
- if (info.gpioint &&
- (*dflags == GPIOD_OUT_LOW || *dflags == GPIOD_OUT_HIGH)) {
- dev_dbg(&adev->dev, "refusing GpioInt() entry when doing GPIOD_OUT_* lookup\n");
- return ERR_PTR(-ENOENT);
- }
-
- acpi_gpio_update_gpiod_flags(dflags, &info);
- acpi_gpio_update_gpiod_lookup_flags(lookupflags, &info);
- return desc;
-}
-
-/**
- * acpi_dev_gpio_irq_wake_get_by() - Find GpioInt and translate it to Linux IRQ number
- * @adev: pointer to a ACPI device to get IRQ from
- * @con_id: optional name of GpioInt resource
- * @index: index of GpioInt resource (starting from %0)
- * @wake_capable: Set to true if the IRQ is wake capable
- *
- * If the device has one or more GpioInt resources, this function can be
- * used to translate from the GPIO offset in the resource to the Linux IRQ
- * number.
- *
- * The function is idempotent, though each time it runs it will configure GPIO
- * pin direction according to the flags in GpioInt resource.
- *
- * The function takes optional @con_id parameter. If the resource has
- * a @con_id in a property, then only those will be taken into account.
- *
- * The GPIO is considered wake capable if the GpioInt resource specifies
- * SharedAndWake or ExclusiveAndWake.
- *
- * Returns:
- * Linux IRQ number (> 0) on success, negative errno on failure.
- */
-int acpi_dev_gpio_irq_wake_get_by(struct acpi_device *adev, const char *con_id, int index,
- bool *wake_capable)
-{
- struct fwnode_handle *fwnode = acpi_fwnode_handle(adev);
- int idx, i;
- unsigned int irq_flags;
- int ret;
-
- for (i = 0, idx = 0; idx <= index; i++) {
- struct acpi_gpio_info info;
- struct gpio_desc *desc;
-
- /* Ignore -EPROBE_DEFER, it only matters if idx matches */
- desc = __acpi_find_gpio(fwnode, con_id, i, true, &info);
- if (IS_ERR(desc) && PTR_ERR(desc) != -EPROBE_DEFER)
- return PTR_ERR(desc);
-
- if (info.gpioint && idx++ == index) {
- unsigned long lflags = GPIO_LOOKUP_FLAGS_DEFAULT;
- enum gpiod_flags dflags = GPIOD_ASIS;
- char label[32];
- int irq;
-
- if (IS_ERR(desc))
- return PTR_ERR(desc);
-
- irq = gpiod_to_irq(desc);
- if (irq < 0)
- return irq;
-
- acpi_gpio_update_gpiod_flags(&dflags, &info);
- acpi_gpio_update_gpiod_lookup_flags(&lflags, &info);
-
- snprintf(label, sizeof(label), "%pfwP GpioInt(%d)", fwnode, index);
- ret = gpiod_set_consumer_name(desc, con_id ?: label);
- if (ret)
- return ret;
-
- ret = gpiod_configure_flags(desc, label, lflags, dflags);
- if (ret < 0)
- return ret;
-
- /* ACPI uses hundredths of milliseconds units */
- ret = gpio_set_debounce_timeout(desc, info.debounce * 10);
- if (ret)
- return ret;
-
- irq_flags = acpi_dev_get_irq_type(info.triggering,
- info.polarity);
-
- /*
- * If the IRQ is not already in use then set type
- * if specified and different than the current one.
- */
- if (can_request_irq(irq, irq_flags)) {
- if (irq_flags != IRQ_TYPE_NONE &&
- irq_flags != irq_get_trigger_type(irq))
- irq_set_irq_type(irq, irq_flags);
- } else {
- dev_dbg(&adev->dev, "IRQ %d already in use\n", irq);
- }
-
- /* avoid suspend issues with GPIOs when systems are using S3 */
- if (wake_capable && acpi_gbl_FADT.flags & ACPI_FADT_LOW_POWER_S0)
- *wake_capable = info.wake_capable;
-
- return irq;
- }
-
- }
- return -ENOENT;
-}
-EXPORT_SYMBOL_GPL(acpi_dev_gpio_irq_wake_get_by);
-
-static acpi_status
-acpi_gpio_adr_space_handler(u32 function, acpi_physical_address address,
- u32 bits, u64 *value, void *handler_context,
- void *region_context)
-{
- struct acpi_gpio_chip *achip = region_context;
- struct gpio_chip *chip = achip->chip;
- struct acpi_resource_gpio *agpio;
- struct acpi_resource *ares;
- u16 pin_index = address;
- acpi_status status;
- int length;
- int i;
-
- status = acpi_buffer_to_resource(achip->conn_info.connection,
- achip->conn_info.length, &ares);
- if (ACPI_FAILURE(status))
- return status;
-
- if (WARN_ON(ares->type != ACPI_RESOURCE_TYPE_GPIO)) {
- ACPI_FREE(ares);
- return AE_BAD_PARAMETER;
- }
-
- agpio = &ares->data.gpio;
-
- if (WARN_ON(agpio->io_restriction == ACPI_IO_RESTRICT_INPUT &&
- function == ACPI_WRITE)) {
- ACPI_FREE(ares);
- return AE_BAD_PARAMETER;
- }
-
- length = min_t(u16, agpio->pin_table_length, pin_index + bits);
- for (i = pin_index; i < length; ++i) {
- unsigned int pin = agpio->pin_table[i];
- struct acpi_gpio_connection *conn;
- struct gpio_desc *desc;
- bool found;
-
- mutex_lock(&achip->conn_lock);
-
- found = false;
- list_for_each_entry(conn, &achip->conns, node) {
- if (conn->pin == pin) {
- found = true;
- desc = conn->desc;
- break;
- }
- }
-
- /*
- * The same GPIO can be shared between operation region and
- * event but only if the access here is ACPI_READ. In that
- * case we "borrow" the event GPIO instead.
- */
- if (!found && agpio->shareable == ACPI_SHARED &&
- function == ACPI_READ) {
- struct acpi_gpio_event *event;
-
- list_for_each_entry(event, &achip->events, node) {
- if (event->pin == pin) {
- desc = event->desc;
- found = true;
- break;
- }
- }
- }
-
- if (!found) {
- desc = acpi_request_own_gpiod(chip, agpio, i, "ACPI:OpRegion");
- if (IS_ERR(desc)) {
- mutex_unlock(&achip->conn_lock);
- status = AE_ERROR;
- goto out;
- }
-
- conn = kzalloc(sizeof(*conn), GFP_KERNEL);
- if (!conn) {
- gpiochip_free_own_desc(desc);
- mutex_unlock(&achip->conn_lock);
- status = AE_NO_MEMORY;
- goto out;
- }
-
- conn->pin = pin;
- conn->desc = desc;
- list_add_tail(&conn->node, &achip->conns);
- }
-
- mutex_unlock(&achip->conn_lock);
-
- if (function == ACPI_WRITE)
- gpiod_set_raw_value_cansleep(desc, !!(*value & BIT(i)));
- else
- *value |= (u64)gpiod_get_raw_value_cansleep(desc) << i;
- }
-
-out:
- ACPI_FREE(ares);
- return status;
-}
-
-static void acpi_gpiochip_request_regions(struct acpi_gpio_chip *achip)
-{
- struct gpio_chip *chip = achip->chip;
- acpi_handle handle = ACPI_HANDLE(chip->parent);
- acpi_status status;
-
- INIT_LIST_HEAD(&achip->conns);
- mutex_init(&achip->conn_lock);
- status = acpi_install_address_space_handler(handle, ACPI_ADR_SPACE_GPIO,
- acpi_gpio_adr_space_handler,
- NULL, achip);
- if (ACPI_FAILURE(status))
- dev_err(chip->parent,
- "Failed to install GPIO OpRegion handler\n");
-}
-
-static void acpi_gpiochip_free_regions(struct acpi_gpio_chip *achip)
-{
- struct gpio_chip *chip = achip->chip;
- acpi_handle handle = ACPI_HANDLE(chip->parent);
- struct acpi_gpio_connection *conn, *tmp;
- acpi_status status;
-
- status = acpi_remove_address_space_handler(handle, ACPI_ADR_SPACE_GPIO,
- acpi_gpio_adr_space_handler);
- if (ACPI_FAILURE(status)) {
- dev_err(chip->parent,
- "Failed to remove GPIO OpRegion handler\n");
- return;
- }
-
- list_for_each_entry_safe_reverse(conn, tmp, &achip->conns, node) {
- gpiochip_free_own_desc(conn->desc);
- list_del(&conn->node);
- kfree(conn);
- }
-}
-
-static struct gpio_desc *
-acpi_gpiochip_parse_own_gpio(struct acpi_gpio_chip *achip,
- struct fwnode_handle *fwnode,
- const char **name,
- unsigned long *lflags,
- enum gpiod_flags *dflags)
-{
- struct gpio_chip *chip = achip->chip;
- struct gpio_desc *desc;
- u32 gpios[2];
- int ret;
-
- *lflags = GPIO_LOOKUP_FLAGS_DEFAULT;
- *dflags = GPIOD_ASIS;
- *name = NULL;
-
- ret = fwnode_property_read_u32_array(fwnode, "gpios", gpios,
- ARRAY_SIZE(gpios));
- if (ret < 0)
- return ERR_PTR(ret);
-
- desc = gpiochip_get_desc(chip, gpios[0]);
- if (IS_ERR(desc))
- return desc;
-
- if (gpios[1])
- *lflags |= GPIO_ACTIVE_LOW;
-
- if (fwnode_property_present(fwnode, "input"))
- *dflags |= GPIOD_IN;
- else if (fwnode_property_present(fwnode, "output-low"))
- *dflags |= GPIOD_OUT_LOW;
- else if (fwnode_property_present(fwnode, "output-high"))
- *dflags |= GPIOD_OUT_HIGH;
- else
- return ERR_PTR(-EINVAL);
-
- fwnode_property_read_string(fwnode, "line-name", name);
-
- return desc;
-}
-
-static void acpi_gpiochip_scan_gpios(struct acpi_gpio_chip *achip)
-{
- struct gpio_chip *chip = achip->chip;
- struct fwnode_handle *fwnode;
-
- device_for_each_child_node(chip->parent, fwnode) {
- unsigned long lflags;
- enum gpiod_flags dflags;
- struct gpio_desc *desc;
- const char *name;
- int ret;
-
- if (!fwnode_property_present(fwnode, "gpio-hog"))
- continue;
-
- desc = acpi_gpiochip_parse_own_gpio(achip, fwnode, &name,
- &lflags, &dflags);
- if (IS_ERR(desc))
- continue;
-
- ret = gpiod_hog(desc, name, lflags, dflags);
- if (ret) {
- dev_err(chip->parent, "Failed to hog GPIO\n");
- fwnode_handle_put(fwnode);
- return;
- }
- }
-}
-
-void acpi_gpiochip_add(struct gpio_chip *chip)
-{
- struct acpi_gpio_chip *acpi_gpio;
- struct acpi_device *adev;
- acpi_status status;
-
- if (!chip || !chip->parent)
- return;
-
- adev = ACPI_COMPANION(chip->parent);
- if (!adev)
- return;
-
- acpi_gpio = kzalloc(sizeof(*acpi_gpio), GFP_KERNEL);
- if (!acpi_gpio) {
- dev_err(chip->parent,
- "Failed to allocate memory for ACPI GPIO chip\n");
- return;
- }
-
- acpi_gpio->chip = chip;
- INIT_LIST_HEAD(&acpi_gpio->events);
- INIT_LIST_HEAD(&acpi_gpio->deferred_req_irqs_list_entry);
-
- status = acpi_attach_data(adev->handle, acpi_gpio_chip_dh, acpi_gpio);
- if (ACPI_FAILURE(status)) {
- dev_err(chip->parent, "Failed to attach ACPI GPIO chip\n");
- kfree(acpi_gpio);
- return;
- }
-
- acpi_gpiochip_request_regions(acpi_gpio);
- acpi_gpiochip_scan_gpios(acpi_gpio);
- acpi_dev_clear_dependencies(adev);
-}
-
-void acpi_gpiochip_remove(struct gpio_chip *chip)
-{
- struct acpi_gpio_chip *acpi_gpio;
- acpi_handle handle;
- acpi_status status;
-
- if (!chip || !chip->parent)
- return;
-
- handle = ACPI_HANDLE(chip->parent);
- if (!handle)
- return;
-
- status = acpi_get_data(handle, acpi_gpio_chip_dh, (void **)&acpi_gpio);
- if (ACPI_FAILURE(status)) {
- dev_warn(chip->parent, "Failed to retrieve ACPI GPIO chip\n");
- return;
- }
-
- acpi_gpiochip_free_regions(acpi_gpio);
-
- acpi_detach_data(handle, acpi_gpio_chip_dh);
- kfree(acpi_gpio);
-}
-
-static int acpi_gpio_package_count(const union acpi_object *obj)
-{
- const union acpi_object *element = obj->package.elements;
- const union acpi_object *end = element + obj->package.count;
- unsigned int count = 0;
-
- while (element < end) {
- switch (element->type) {
- case ACPI_TYPE_LOCAL_REFERENCE:
- element += 3;
- fallthrough;
- case ACPI_TYPE_INTEGER:
- element++;
- count++;
- break;
-
- default:
- return -EPROTO;
- }
- }
-
- return count;
-}
-
-static int acpi_find_gpio_count(struct acpi_resource *ares, void *data)
-{
- unsigned int *count = data;
-
- if (ares->type == ACPI_RESOURCE_TYPE_GPIO)
- *count += ares->data.gpio.pin_table_length;
-
- return 1;
-}
-
-/**
- * acpi_gpio_count - count the GPIOs associated with a firmware node / function
- * @fwnode: firmware node of the GPIO consumer
- * @con_id: function within the GPIO consumer
- *
- * Returns:
- * The number of GPIOs associated with a firmware node / function or %-ENOENT,
- * if no GPIO has been assigned to the requested function.
- */
-int acpi_gpio_count(const struct fwnode_handle *fwnode, const char *con_id)
-{
- struct acpi_device *adev = to_acpi_device_node(fwnode);
- const union acpi_object *obj;
- const struct acpi_gpio_mapping *gm;
- int count = -ENOENT;
- int ret;
- char propname[32];
-
- /* Try first from _DSD */
- for_each_gpio_property_name(propname, con_id) {
- ret = acpi_dev_get_property(adev, propname, ACPI_TYPE_ANY, &obj);
- if (ret == 0) {
- if (obj->type == ACPI_TYPE_LOCAL_REFERENCE)
- count = 1;
- else if (obj->type == ACPI_TYPE_PACKAGE)
- count = acpi_gpio_package_count(obj);
- } else if (adev->driver_gpios) {
- for (gm = adev->driver_gpios; gm->name; gm++)
- if (strcmp(propname, gm->name) == 0) {
- count = gm->size;
- break;
- }
- }
- if (count > 0)
- break;
- }
-
- /* Then from plain _CRS GPIOs */
- if (count < 0) {
- struct list_head resource_list;
- unsigned int crs_count = 0;
-
- if (!acpi_can_fallback_to_crs(adev, con_id))
- return count;
-
- INIT_LIST_HEAD(&resource_list);
- acpi_dev_get_resources(adev, &resource_list,
- acpi_find_gpio_count, &crs_count);
- acpi_dev_free_resource_list(&resource_list);
- if (crs_count > 0)
- count = crs_count;
- }
- return count ? count : -ENOENT;
-}
-
-/* Run deferred acpi_gpiochip_request_irqs() */
-static int __init acpi_gpio_handle_deferred_request_irqs(void)
-{
- mutex_lock(&acpi_gpio_deferred_req_irqs_lock);
- acpi_gpio_process_deferred_list(&acpi_gpio_deferred_req_irqs_list);
- acpi_gpio_deferred_req_irqs_done = true;
- mutex_unlock(&acpi_gpio_deferred_req_irqs_lock);
-
- return 0;
-}
-/* We must use _sync so that this runs after the first deferred_probe run */
-late_initcall_sync(acpi_gpio_handle_deferred_request_irqs);
-
-static const struct dmi_system_id gpiolib_acpi_quirks[] __initconst = {
- {
- /*
- * The Minix Neo Z83-4 has a micro-USB-B id-pin handler for
- * a non existing micro-USB-B connector which puts the HDMI
- * DDC pins in GPIO mode, breaking HDMI support.
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "MINIX"),
- DMI_MATCH(DMI_PRODUCT_NAME, "Z83-4"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .no_edge_events_on_boot = true,
- },
- },
- {
- /*
- * The Terra Pad 1061 has a micro-USB-B id-pin handler, which
- * instead of controlling the actual micro-USB-B turns the 5V
- * boost for its USB-A connector off. The actual micro-USB-B
- * connector is wired for charging only.
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "Wortmann_AG"),
- DMI_MATCH(DMI_PRODUCT_NAME, "TERRA_PAD_1061"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .no_edge_events_on_boot = true,
- },
- },
- {
- /*
- * The Dell Venue 10 Pro 5055, with Bay Trail SoC + TI PMIC uses an
- * external embedded-controller connected via I2C + an ACPI GPIO
- * event handler on INT33FFC:02 pin 12, causing spurious wakeups.
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
- DMI_MATCH(DMI_PRODUCT_NAME, "Venue 10 Pro 5055"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_wake = "INT33FC:02@12",
- },
- },
- {
- /*
- * HP X2 10 models with Cherry Trail SoC + TI PMIC use an
- * external embedded-controller connected via I2C + an ACPI GPIO
- * event handler on INT33FF:01 pin 0, causing spurious wakeups.
- * When suspending by closing the LID, the power to the USB
- * keyboard is turned off, causing INT0002 ACPI events to
- * trigger once the XHCI controller notices the keyboard is
- * gone. So INT0002 events cause spurious wakeups too. Ignoring
- * EC wakes breaks wakeup when opening the lid, the user needs
- * to press the power-button to wakeup the system. The
- * alternative is suspend simply not working, which is worse.
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "HP"),
- DMI_MATCH(DMI_PRODUCT_NAME, "HP x2 Detachable 10-p0XX"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_wake = "INT33FF:01@0,INT0002:00@2",
- },
- },
- {
- /*
- * HP X2 10 models with Bay Trail SoC + AXP288 PMIC use an
- * external embedded-controller connected via I2C + an ACPI GPIO
- * event handler on INT33FC:02 pin 28, causing spurious wakeups.
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"),
- DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion x2 Detachable"),
- DMI_MATCH(DMI_BOARD_NAME, "815D"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_wake = "INT33FC:02@28",
- },
- },
- {
- /*
- * HP X2 10 models with Cherry Trail SoC + AXP288 PMIC use an
- * external embedded-controller connected via I2C + an ACPI GPIO
- * event handler on INT33FF:01 pin 0, causing spurious wakeups.
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "HP"),
- DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion x2 Detachable"),
- DMI_MATCH(DMI_BOARD_NAME, "813E"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_wake = "INT33FF:01@0",
- },
- },
- {
- /*
- * Interrupt storm caused from edge triggered floating pin
- * Found in BIOS UX325UAZ.300
- * https://bugzilla.kernel.org/show_bug.cgi?id=216208
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
- DMI_MATCH(DMI_PRODUCT_NAME, "ZenBook UX325UAZ_UM325UAZ"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_interrupt = "AMDI0030:00@18",
- },
- },
- {
- /*
- * Spurious wakeups from TP_ATTN# pin
- * Found in BIOS 1.7.8
- * https://gitlab.freedesktop.org/drm/amd/-/issues/1722#note_1720627
- */
- .matches = {
- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_wake = "ELAN0415:00@9",
- },
- },
- {
- /*
- * Spurious wakeups from TP_ATTN# pin
- * Found in BIOS 1.7.8
- * https://gitlab.freedesktop.org/drm/amd/-/issues/1722#note_1720627
- */
- .matches = {
- DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_wake = "ELAN0415:00@9",
- },
- },
- {
- /*
- * Spurious wakeups from TP_ATTN# pin
- * Found in BIOS 1.7.7
- */
- .matches = {
- DMI_MATCH(DMI_BOARD_NAME, "NH5xAx"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_wake = "SYNA1202:00@16",
- },
- },
- {
- /*
- * On the Peaq C1010 2-in-1 INT33FC:00 pin 3 is connected to
- * a "dolby" button. At the ACPI level an _AEI event-handler
- * is connected which sets an ACPI variable to 1 on both
- * edges. This variable can be polled + cleared to 0 using
- * WMI. But since the variable is set on both edges the WMI
- * interface is pretty useless even when polling.
- * So instead the x86-android-tablets code instantiates
- * a gpio-keys platform device for it.
- * Ignore the _AEI handler for the pin, so that it is not busy.
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "PEAQ"),
- DMI_MATCH(DMI_PRODUCT_NAME, "PEAQ PMM C1010 MD99187"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_interrupt = "INT33FC:00@3",
- },
- },
- {
- /*
- * Spurious wakeups from TP_ATTN# pin
- * Found in BIOS 0.35
- * https://gitlab.freedesktop.org/drm/amd/-/issues/3073
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "GPD"),
- DMI_MATCH(DMI_PRODUCT_NAME, "G1619-04"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_wake = "PNP0C50:00@8",
- },
- },
- {
- /*
- * Spurious wakeups from GPIO 11
- * Found in BIOS 1.04
- * https://gitlab.freedesktop.org/drm/amd/-/issues/3954
- */
- .matches = {
- DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
- DMI_MATCH(DMI_PRODUCT_FAMILY, "Acer Nitro V 14"),
- },
- .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
- .ignore_interrupt = "AMDI0030:00@11",
- },
- },
- {} /* Terminating entry */
-};
-
-static int __init acpi_gpio_setup_params(void)
-{
- const struct acpi_gpiolib_dmi_quirk *quirk = NULL;
- const struct dmi_system_id *id;
-
- id = dmi_first_match(gpiolib_acpi_quirks);
- if (id)
- quirk = id->driver_data;
-
- if (run_edge_events_on_boot < 0) {
- if (quirk && quirk->no_edge_events_on_boot)
- run_edge_events_on_boot = 0;
- else
- run_edge_events_on_boot = 1;
- }
-
- if (ignore_wake == NULL && quirk && quirk->ignore_wake)
- ignore_wake = quirk->ignore_wake;
-
- if (ignore_interrupt == NULL && quirk && quirk->ignore_interrupt)
- ignore_interrupt = quirk->ignore_interrupt;
-
- return 0;
-}
-
-/* Directly after dmi_setup() which runs as core_initcall() */
-postcore_initcall(acpi_gpio_setup_params);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 520/567] gpiolib: acpi: Add a quirk for Acer Nitro V15
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (518 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 519/567] gpiolib: acpi: Move quirks to a separate file Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 521/567] gpiolib: acpi: Add quirk for ASUS ProArt PX13 Greg Kroah-Hartman
` (60 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Mika Westerberg,
Andy Shevchenko, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 9ab29ed505557bd106e292184fa4917955eb8e6e ]
It is reported that on Acer Nitro V15 suspend only works properly if the
keyboard backlight is turned off. In looking through the issue Acer Nitro
V15 has a GPIO (#8) specified in _AEI but it has no matching notify device
in _EVT. The values for GPIO #8 change as keyboard backlight is turned on
and off.
This makes it seem that GPIO #8 is actually supposed to be solely for
keyboard backlight. Turning off the interrupt for this GPIO fixes the issue.
Add a quirk that does just that.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4169
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Acked-by: Mika Westerberg <westeri@kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Stable-dep-of: 2d967310c49e ("gpiolib: acpi: Add quirk for Dell Precision 7780")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi-quirks.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/gpio/gpiolib-acpi-quirks.c
+++ b/drivers/gpio/gpiolib-acpi-quirks.c
@@ -331,6 +331,19 @@ static const struct dmi_system_id gpioli
.ignore_interrupt = "AMDI0030:00@11",
},
},
+ {
+ /*
+ * Wakeup only works when keyboard backlight is turned off
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/4169
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Acer"),
+ DMI_MATCH(DMI_PRODUCT_FAMILY, "Acer Nitro V 15"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_interrupt = "AMDI0030:00@8",
+ },
+ },
{} /* Terminating entry */
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 521/567] gpiolib: acpi: Add quirk for ASUS ProArt PX13
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (519 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 520/567] gpiolib: acpi: Add a quirk for Acer Nitro V15 Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 522/567] gpiolib: acpi: Add quirk for Dell Precision 7780 Greg Kroah-Hartman
` (59 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amit Chaudhari,
Mario Limonciello (AMD), Mika Westerberg, Linus Walleij,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Mario Limonciello (AMD)" <superm1@kernel.org>
[ Upstream commit 23800ad1265f10c2bc6f42154ce4d20e59f2900e ]
The ASUS ProArt PX13 has a spurious wakeup event from the touchpad
a few moments after entering hardware sleep. This can be avoided
by preventing the touchpad from being a wake source.
Add to the wakeup ignore list.
Reported-by: Amit Chaudhari <amitchaudhari@mac.com>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4482
Tested-by: Amit Chaudhari <amitchaudhari@mac.com>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://lore.kernel.org/20250814183430.3887973-1-superm1@kernel.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Stable-dep-of: 2d967310c49e ("gpiolib: acpi: Add quirk for Dell Precision 7780")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi-quirks.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/gpio/gpiolib-acpi-quirks.c
+++ b/drivers/gpio/gpiolib-acpi-quirks.c
@@ -344,6 +344,20 @@ static const struct dmi_system_id gpioli
.ignore_interrupt = "AMDI0030:00@8",
},
},
+ {
+ /*
+ * Spurious wakeups from TP_ATTN# pin
+ * Found in BIOS 5.35
+ * https://gitlab.freedesktop.org/drm/amd/-/issues/4482
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_FAMILY, "ProArt PX13"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "ASCP1A00:00@8",
+ },
+ },
{} /* Terminating entry */
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 522/567] gpiolib: acpi: Add quirk for Dell Precision 7780
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (520 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 521/567] gpiolib: acpi: Add quirk for ASUS ProArt PX13 Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 523/567] netfilter: nft_ct: add seqadj extension for natted connections Greg Kroah-Hartman
` (58 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Askar Safin,
Bartosz Golaszewski, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Askar Safin <safinaskar@gmail.com>
[ Upstream commit 2d967310c49ed93ac11cef408a55ddf15c3dd52e ]
Dell Precision 7780 often wakes up on its own from suspend. Sometimes
wake up happens immediately (i. e. within 7 seconds), sometimes it happens
after, say, 30 minutes.
Fixes: 1796f808e4bb ("HID: i2c-hid: acpi: Stop setting wakeup_capable")
Link: https://lore.kernel.org/linux-i2c/197ae95ffd8.dc819e60457077.7692120488609091556@zohomail.com/
Cc: stable@vger.kernel.org
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Askar Safin <safinaskar@gmail.com>
Link: https://lore.kernel.org/r/20251206180414.3183334-2-safinaskar@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi-quirks.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/drivers/gpio/gpiolib-acpi-quirks.c
+++ b/drivers/gpio/gpiolib-acpi-quirks.c
@@ -358,6 +358,28 @@ static const struct dmi_system_id gpioli
.ignore_wake = "ASCP1A00:00@8",
},
},
+ {
+ /*
+ * Spurious wakeups, likely from touchpad controller
+ * Dell Precision 7780
+ * Found in BIOS 1.24.1
+ *
+ * Found in touchpad firmware, installed by Dell Touchpad Firmware Update Utility version 1160.4196.9, A01
+ * ( Dell-Touchpad-Firmware-Update-Utility_VYGNN_WIN64_1160.4196.9_A00.EXE ),
+ * released on 11 Jul 2024
+ *
+ * https://lore.kernel.org/linux-i2c/197ae95ffd8.dc819e60457077.7692120488609091556@zohomail.com/
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_FAMILY, "Precision"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Precision 7780"),
+ DMI_MATCH(DMI_BOARD_NAME, "0C6JVW"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "VEN_0488:00@355",
+ },
+ },
{} /* Terminating entry */
};
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 523/567] netfilter: nft_ct: add seqadj extension for natted connections
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (521 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 522/567] gpiolib: acpi: Add quirk for Dell Precision 7780 Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 524/567] md/raid10: wait barrier before returning discard request with REQ_NOWAIT Greg Kroah-Hartman
` (57 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Melnychenko, Florian Westphal,
Harshit Mogalapalli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Melnychenko <a.melnychenko@vyos.io>
[ Upstream commit 90918e3b6404c2a37837b8f11692471b4c512de2 ]
Sequence adjustment may be required for FTP traffic with PASV/EPSV modes.
due to need to re-write packet payload (IP, port) on the ftp control
connection. This can require changes to the TCP length and expected
seq / ack_seq.
The easiest way to reproduce this issue is with PASV mode.
Example ruleset:
table inet ftp_nat {
ct helper ftp_helper {
type "ftp" protocol tcp
l3proto inet
}
chain prerouting {
type filter hook prerouting priority 0; policy accept;
tcp dport 21 ct state new ct helper set "ftp_helper"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
tcp dport 21 dnat ip prefix to ip daddr map {
192.168.100.1 : 192.168.13.2/32 }
}
chain postrouting {
type nat hook postrouting priority 100 ; policy accept;
tcp sport 21 snat ip prefix to ip saddr map {
192.168.13.2 : 192.168.100.1/32 }
}
}
Note that the ftp helper gets assigned *after* the dnat setup.
The inverse (nat after helper assign) is handled by an existing
check in nf_nat_setup_info() and will not show the problem.
Topoloy:
+-------------------+ +----------------------------------+
| FTP: 192.168.13.2 | <-> | NAT: 192.168.13.3, 192.168.100.1 |
+-------------------+ +----------------------------------+
|
+-----------------------+
| Client: 192.168.100.2 |
+-----------------------+
ftp nat changes do not work as expected in this case:
Connected to 192.168.100.1.
[..]
ftp> epsv
EPSV/EPRT on IPv4 off.
ftp> ls
227 Entering passive mode (192,168,100,1,209,129).
421 Service not available, remote server has closed connection.
Kernel logs:
Missing nfct_seqadj_ext_add() setup call
WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_seqadj.c:41
[..]
__nf_nat_mangle_tcp_packet+0x100/0x160 [nf_nat]
nf_nat_ftp+0x142/0x280 [nf_nat_ftp]
help+0x4d1/0x880 [nf_conntrack_ftp]
nf_confirm+0x122/0x2e0 [nf_conntrack]
nf_hook_slow+0x3c/0xb0
..
Fix this by adding the required extension when a conntrack helper is assigned
to a connection that has a nat binding.
Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support")
Signed-off-by: Andrii Melnychenko <a.melnychenko@vyos.io>
Signed-off-by: Florian Westphal <fw@strlen.de>
[Harshit: Clean cherry-pick, apply it to stable-6.12.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_ct.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -22,6 +22,7 @@
#include <net/netfilter/nf_conntrack_timeout.h>
#include <net/netfilter/nf_conntrack_l4proto.h>
#include <net/netfilter/nf_conntrack_expect.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
struct nft_ct_helper_obj {
struct nf_conntrack_helper *helper4;
@@ -1173,6 +1174,10 @@ static void nft_ct_helper_obj_eval(struc
if (help) {
rcu_assign_pointer(help->helper, to_assign);
set_bit(IPS_HELPER_BIT, &ct->status);
+
+ if ((ct->status & IPS_NAT_MASK) && !nfct_seqadj(ct))
+ if (!nfct_seqadj_ext_add(ct))
+ regs->verdict.code = NF_DROP;
}
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 524/567] md/raid10: wait barrier before returning discard request with REQ_NOWAIT
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (522 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 523/567] netfilter: nft_ct: add seqadj extension for natted connections Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 525/567] drm/panthor: Flush shmem writes before mapping buffers CPU-uncached Greg Kroah-Hartman
` (56 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiao Ni, Coly Li, Yu Kuai,
Harshit Mogalapalli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiao Ni <xni@redhat.com>
[ Upstream commit 3db4404435397a345431b45f57876a3df133f3b4 ]
raid10_handle_discard should wait barrier before returning a discard bio
which has REQ_NOWAIT. And there is no need to print warning calltrace
if a discard bio has REQ_NOWAIT flag. Quality engineer usually checks
dmesg and reports error if dmesg has warning/error calltrace.
Fixes: c9aa889b035f ("md: raid10 add nowait support")
Signed-off-by: Xiao Ni <xni@redhat.com>
Acked-by: Coly Li <colyli@kernel.org>
Link: https://lore.kernel.org/linux-raid/20250306094938.48952-1-xni@redhat.com
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
[Harshit: Clean backport to 6.12.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/raid10.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -1626,11 +1626,10 @@ static int raid10_handle_discard(struct
if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery))
return -EAGAIN;
- if (WARN_ON_ONCE(bio->bi_opf & REQ_NOWAIT)) {
+ if (!wait_barrier(conf, bio->bi_opf & REQ_NOWAIT)) {
bio_wouldblock_error(bio);
return 0;
}
- wait_barrier(conf, false);
/*
* Check reshape again to avoid reshape happens after checking
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 525/567] drm/panthor: Flush shmem writes before mapping buffers CPU-uncached
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (523 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 524/567] md/raid10: wait barrier before returning discard request with REQ_NOWAIT Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 526/567] net: ipv6: ioam6: use consistent dst names Greg Kroah-Hartman
` (55 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Brezillon, Steven Price,
Liviu Dudau, Harshit Mogalapalli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Brezillon <boris.brezillon@collabora.com>
[ Upstream commit 576c930e5e7dcb937648490611a83f1bf0171048 ]
The shmem layer zeroes out the new pages using cached mappings, and if
we don't CPU-flush we might leave dirty cachelines behind, leading to
potential data leaks and/or asynchronous buffer corruption when dirty
cachelines are evicted.
Fixes: 8a1cc07578bf ("drm/panthor: Add GEM logical block")
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Reviewed-by: Steven Price <steven.price@arm.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Steven Price <steven.price@arm.com>
Link: https://patch.msgid.link/20251107171214.1186299-1-boris.brezillon@collabora.com
[Harshit: Resolve conflicts due to missing commit: fe69a3918084
("drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs
code") in 6.12.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/panthor/panthor_gem.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
--- a/drivers/gpu/drm/panthor/panthor_gem.c
+++ b/drivers/gpu/drm/panthor/panthor_gem.c
@@ -214,6 +214,23 @@ panthor_gem_create_with_handle(struct dr
bo->base.base.resv = bo->exclusive_vm_root_gem->resv;
}
+ /* If this is a write-combine mapping, we query the sgt to force a CPU
+ * cache flush (dma_map_sgtable() is called when the sgt is created).
+ * This ensures the zero-ing is visible to any uncached mapping created
+ * by vmap/mmap.
+ * FIXME: Ideally this should be done when pages are allocated, not at
+ * BO creation time.
+ */
+ if (shmem->map_wc) {
+ struct sg_table *sgt;
+
+ sgt = drm_gem_shmem_get_pages_sgt(shmem);
+ if (IS_ERR(sgt)) {
+ ret = PTR_ERR(sgt);
+ goto out_put_gem;
+ }
+ }
+
/*
* Allocate an id of idr table where the obj is registered
* and handle has the id what user can see.
@@ -222,6 +239,7 @@ panthor_gem_create_with_handle(struct dr
if (!ret)
*size = bo->base.base.size;
+out_put_gem:
/* drop reference from allocate - handle holds it now. */
drm_gem_object_put(&shmem->base);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 526/567] net: ipv6: ioam6: use consistent dst names
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (524 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 525/567] drm/panthor: Flush shmem writes before mapping buffers CPU-uncached Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 527/567] ipv6: adopt dst_dev() helper Greg Kroah-Hartman
` (54 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Iurman, Paolo Abeni,
Harshit Mogalapalli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Iurman <justin.iurman@uliege.be>
[ Upstream commit d55acb9732d981c7a8e07dd63089a77d2938e382 ]
Be consistent and use the same terminology as other lwt users: orig_dst
is the dst_entry before the transformation, while dst is either the
dst_entry in the cache or the dst_entry after the transformation
Signed-off-by: Justin Iurman <justin.iurman@uliege.be>
Link: https://patch.msgid.link/20250415112554.23823-2-justin.iurman@uliege.be
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[Harshit: Backport to 6.12.y]
Stable-dep-of: 99a2ace61b21 ("net: use dst_dev_rcu() in sk_setup_caps()")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ioam6_iptunnel.c | 35 ++++++++++++++++++-----------------
1 file changed, 18 insertions(+), 17 deletions(-)
--- a/net/ipv6/ioam6_iptunnel.c
+++ b/net/ipv6/ioam6_iptunnel.c
@@ -338,7 +338,8 @@ static int ioam6_do_encap(struct net *ne
static int ioam6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
- struct dst_entry *dst = skb_dst(skb), *cache_dst = NULL;
+ struct dst_entry *orig_dst = skb_dst(skb);
+ struct dst_entry *dst = NULL;
struct ioam6_lwt *ilwt;
int err = -EINVAL;
u32 pkt_cnt;
@@ -346,7 +347,7 @@ static int ioam6_output(struct net *net,
if (skb->protocol != htons(ETH_P_IPV6))
goto drop;
- ilwt = ioam6_lwt_state(dst->lwtstate);
+ ilwt = ioam6_lwt_state(orig_dst->lwtstate);
/* Check for insertion frequency (i.e., "k over n" insertions) */
pkt_cnt = atomic_fetch_inc(&ilwt->pkt_cnt);
@@ -354,7 +355,7 @@ static int ioam6_output(struct net *net,
goto out;
local_bh_disable();
- cache_dst = dst_cache_get(&ilwt->cache);
+ dst = dst_cache_get(&ilwt->cache);
local_bh_enable();
switch (ilwt->mode) {
@@ -364,7 +365,7 @@ do_inline:
if (ipv6_hdr(skb)->nexthdr == NEXTHDR_HOP)
goto out;
- err = ioam6_do_inline(net, skb, &ilwt->tuninfo, cache_dst);
+ err = ioam6_do_inline(net, skb, &ilwt->tuninfo, dst);
if (unlikely(err))
goto drop;
@@ -374,7 +375,7 @@ do_encap:
/* Encapsulation (ip6ip6) */
err = ioam6_do_encap(net, skb, &ilwt->tuninfo,
ilwt->has_tunsrc, &ilwt->tunsrc,
- &ilwt->tundst, cache_dst);
+ &ilwt->tundst, dst);
if (unlikely(err))
goto drop;
@@ -392,7 +393,7 @@ do_encap:
goto drop;
}
- if (unlikely(!cache_dst)) {
+ if (unlikely(!dst)) {
struct ipv6hdr *hdr = ipv6_hdr(skb);
struct flowi6 fl6;
@@ -403,20 +404,20 @@ do_encap:
fl6.flowi6_mark = skb->mark;
fl6.flowi6_proto = hdr->nexthdr;
- cache_dst = ip6_route_output(net, NULL, &fl6);
- if (cache_dst->error) {
- err = cache_dst->error;
+ dst = ip6_route_output(net, NULL, &fl6);
+ if (dst->error) {
+ err = dst->error;
goto drop;
}
/* cache only if we don't create a dst reference loop */
- if (dst->lwtstate != cache_dst->lwtstate) {
+ if (orig_dst->lwtstate != dst->lwtstate) {
local_bh_disable();
- dst_cache_set_ip6(&ilwt->cache, cache_dst, &fl6.saddr);
+ dst_cache_set_ip6(&ilwt->cache, dst, &fl6.saddr);
local_bh_enable();
}
- err = skb_cow_head(skb, LL_RESERVED_SPACE(cache_dst->dev));
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
if (unlikely(err))
goto drop;
}
@@ -424,16 +425,16 @@ do_encap:
/* avoid lwtunnel_output() reentry loop when destination is the same
* after transformation (e.g., with the inline mode)
*/
- if (dst->lwtstate != cache_dst->lwtstate) {
+ if (orig_dst->lwtstate != dst->lwtstate) {
skb_dst_drop(skb);
- skb_dst_set(skb, cache_dst);
+ skb_dst_set(skb, dst);
return dst_output(net, sk, skb);
}
out:
- dst_release(cache_dst);
- return dst->lwtstate->orig_output(net, sk, skb);
+ dst_release(dst);
+ return orig_dst->lwtstate->orig_output(net, sk, skb);
drop:
- dst_release(cache_dst);
+ dst_release(dst);
kfree_skb(skb);
return err;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 527/567] ipv6: adopt dst_dev() helper
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (525 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 526/567] net: ipv6: ioam6: use consistent dst names Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 528/567] net: use dst_dev_rcu() in sk_setup_caps() Greg Kroah-Hartman
` (53 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
Jakub Kicinski, Harshit Mogalapalli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 1caf27297215a5241f9bfc9c07336349d9034ee3 ]
Use the new helper as a step to deal with potential dst->dev races.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20250630121934.3399505-9-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Harshit: Backport to 6.12.y, pulled this is a prerequisite]
Stable-dep-of: 99a2ace61b21 ("net: use dst_dev_rcu() in sk_setup_caps()")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/ip6_route.h | 4 ++--
net/ipv6/exthdrs.c | 2 +-
net/ipv6/icmp.c | 4 +++-
net/ipv6/ila/ila_lwt.c | 2 +-
net/ipv6/ioam6_iptunnel.c | 4 ++--
net/ipv6/ip6_gre.c | 8 +++++---
net/ipv6/ip6_output.c | 19 ++++++++++---------
net/ipv6/ip6_tunnel.c | 4 ++--
net/ipv6/ip6_udp_tunnel.c | 2 +-
net/ipv6/ip6_vti.c | 2 +-
net/ipv6/ndisc.c | 6 ++++--
net/ipv6/netfilter/nf_dup_ipv6.c | 2 +-
net/ipv6/output_core.c | 2 +-
net/ipv6/route.c | 20 ++++++++++++--------
net/ipv6/rpl_iptunnel.c | 4 ++--
net/ipv6/seg6_iptunnel.c | 20 +++++++++++---------
net/ipv6/seg6_local.c | 2 +-
17 files changed, 60 insertions(+), 47 deletions(-)
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -274,7 +274,7 @@ static inline unsigned int ip6_skb_dst_m
unsigned int mtu;
if (np && READ_ONCE(np->pmtudisc) >= IPV6_PMTUDISC_PROBE) {
- mtu = READ_ONCE(dst->dev->mtu);
+ mtu = READ_ONCE(dst_dev(dst)->mtu);
mtu -= lwtunnel_headroom(dst->lwtstate, mtu);
} else {
mtu = dst_mtu(dst);
@@ -337,7 +337,7 @@ static inline unsigned int ip6_dst_mtu_m
mtu = IPV6_MIN_MTU;
rcu_read_lock();
- idev = __in6_dev_get(dst->dev);
+ idev = __in6_dev_get(dst_dev(dst));
if (idev)
mtu = READ_ONCE(idev->cnf.mtu6);
rcu_read_unlock();
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -306,7 +306,7 @@ static int ipv6_destopt_rcv(struct sk_bu
if (!pskb_may_pull(skb, skb_transport_offset(skb) + 8) ||
!pskb_may_pull(skb, (skb_transport_offset(skb) +
((skb_transport_header(skb)[1] + 1) << 3)))) {
- __IP6_INC_STATS(dev_net(dst->dev), idev,
+ __IP6_INC_STATS(dev_net(dst_dev(dst)), idev,
IPSTATS_MIB_INHDRERRORS);
fail_and_free:
kfree_skb(skb);
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -196,6 +196,7 @@ static bool icmpv6_xrlim_allow(struct so
struct flowi6 *fl6, bool apply_ratelimit)
{
struct net *net = sock_net(sk);
+ struct net_device *dev;
struct dst_entry *dst;
bool res = false;
@@ -208,10 +209,11 @@ static bool icmpv6_xrlim_allow(struct so
* this lookup should be more aggressive (not longer than timeout).
*/
dst = ip6_route_output(net, sk, fl6);
+ dev = dst_dev(dst);
if (dst->error) {
IP6_INC_STATS(net, ip6_dst_idev(dst),
IPSTATS_MIB_OUTNOROUTES);
- } else if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) {
+ } else if (dev && (dev->flags & IFF_LOOPBACK)) {
res = true;
} else {
struct rt6_info *rt = dst_rt6_info(dst);
--- a/net/ipv6/ila/ila_lwt.c
+++ b/net/ipv6/ila/ila_lwt.c
@@ -70,7 +70,7 @@ static int ila_output(struct net *net, s
*/
memset(&fl6, 0, sizeof(fl6));
- fl6.flowi6_oif = orig_dst->dev->ifindex;
+ fl6.flowi6_oif = dst_dev(orig_dst)->ifindex;
fl6.flowi6_iif = LOOPBACK_IFINDEX;
fl6.daddr = *rt6_nexthop(dst_rt6_info(orig_dst),
&ip6h->daddr);
--- a/net/ipv6/ioam6_iptunnel.c
+++ b/net/ipv6/ioam6_iptunnel.c
@@ -328,7 +328,7 @@ static int ioam6_do_encap(struct net *ne
if (has_tunsrc)
memcpy(&hdr->saddr, tunsrc, sizeof(*tunsrc));
else
- ipv6_dev_get_saddr(net, dst->dev, &hdr->daddr,
+ ipv6_dev_get_saddr(net, dst_dev(dst), &hdr->daddr,
IPV6_PREFER_SRC_PUBLIC, &hdr->saddr);
skb_postpush_rcsum(skb, hdr, len);
@@ -417,7 +417,7 @@ do_encap:
local_bh_enable();
}
- err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst_dev(dst)));
if (unlikely(err))
goto drop;
}
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1084,9 +1084,11 @@ static netdev_tx_t ip6erspan_tunnel_xmit
htonl(atomic_fetch_inc(&t->o_seqno)));
/* TooBig packet may have updated dst->dev's mtu */
- if (!t->parms.collect_md && dst && dst_mtu(dst) > dst->dev->mtu)
- dst->ops->update_pmtu(dst, NULL, skb, dst->dev->mtu, false);
-
+ if (!t->parms.collect_md && dst) {
+ mtu = READ_ONCE(dst_dev(dst)->mtu);
+ if (dst_mtu(dst) > mtu)
+ dst->ops->update_pmtu(dst, NULL, skb, mtu, false);
+ }
err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
NEXTHDR_GRE);
if (err != 0) {
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -60,7 +60,7 @@
static int ip6_finish_output2(struct net *net, struct sock *sk, struct sk_buff *skb)
{
struct dst_entry *dst = skb_dst(skb);
- struct net_device *dev = dst->dev;
+ struct net_device *dev = dst_dev(dst);
struct inet6_dev *idev = ip6_dst_idev(dst);
unsigned int hh_len = LL_RESERVED_SPACE(dev);
const struct in6_addr *daddr, *nexthop;
@@ -271,7 +271,7 @@ int ip6_xmit(const struct sock *sk, stru
const struct ipv6_pinfo *np = inet6_sk(sk);
struct in6_addr *first_hop = &fl6->daddr;
struct dst_entry *dst = skb_dst(skb);
- struct net_device *dev = dst->dev;
+ struct net_device *dev = dst_dev(dst);
struct inet6_dev *idev = ip6_dst_idev(dst);
struct hop_jumbo_hdr *hop_jumbo;
int hoplen = sizeof(*hop_jumbo);
@@ -503,7 +503,8 @@ int ip6_forward(struct sk_buff *skb)
struct dst_entry *dst = skb_dst(skb);
struct ipv6hdr *hdr = ipv6_hdr(skb);
struct inet6_skb_parm *opt = IP6CB(skb);
- struct net *net = dev_net(dst->dev);
+ struct net *net = dev_net(dst_dev(dst));
+ struct net_device *dev;
struct inet6_dev *idev;
SKB_DR(reason);
u32 mtu;
@@ -591,12 +592,12 @@ int ip6_forward(struct sk_buff *skb)
goto drop;
}
dst = skb_dst(skb);
-
+ dev = dst_dev(dst);
/* IPv6 specs say nothing about it, but it is clear that we cannot
send redirects to source routed frames.
We don't send redirects to frames decapsulated from IPsec.
*/
- if (IP6CB(skb)->iif == dst->dev->ifindex &&
+ if (IP6CB(skb)->iif == dev->ifindex &&
opt->srcrt == 0 && !skb_sec_path(skb)) {
struct in6_addr *target = NULL;
struct inet_peer *peer;
@@ -644,7 +645,7 @@ int ip6_forward(struct sk_buff *skb)
if (ip6_pkt_too_big(skb, mtu)) {
/* Again, force OUTPUT device used as source address */
- skb->dev = dst->dev;
+ skb->dev = dev;
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
__IP6_INC_STATS(net, idev, IPSTATS_MIB_INTOOBIGERRORS);
__IP6_INC_STATS(net, ip6_dst_idev(dst),
@@ -653,7 +654,7 @@ int ip6_forward(struct sk_buff *skb)
return -EMSGSIZE;
}
- if (skb_cow(skb, dst->dev->hard_header_len)) {
+ if (skb_cow(skb, dev->hard_header_len)) {
__IP6_INC_STATS(net, ip6_dst_idev(dst),
IPSTATS_MIB_OUTDISCARDS);
goto drop;
@@ -666,7 +667,7 @@ int ip6_forward(struct sk_buff *skb)
hdr->hop_limit--;
return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD,
- net, NULL, skb, skb->dev, dst->dev,
+ net, NULL, skb, skb->dev, dev,
ip6_forward_finish);
error:
@@ -1093,7 +1094,7 @@ static struct dst_entry *ip6_sk_dst_chec
#ifdef CONFIG_IPV6_SUBTREES
ip6_rt_check(&rt->rt6i_src, &fl6->saddr, np->saddr_cache) ||
#endif
- (fl6->flowi6_oif && fl6->flowi6_oif != dst->dev->ifindex)) {
+ (fl6->flowi6_oif && fl6->flowi6_oif != dst_dev(dst)->ifindex)) {
dst_release(dst);
dst = NULL;
}
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1179,7 +1179,7 @@ route_lookup:
ndst = dst;
}
- tdev = dst->dev;
+ tdev = dst_dev(dst);
if (tdev == dev) {
DEV_STATS_INC(dev, collisions);
@@ -1255,7 +1255,7 @@ route_lookup:
/* Calculate max headroom for all the headers and adjust
* needed_headroom if necessary.
*/
- max_headroom = LL_RESERVED_SPACE(dst->dev) + sizeof(struct ipv6hdr)
+ max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct ipv6hdr)
+ dst->header_len + t->hlen;
ip_tunnel_adj_headroom(dev, max_headroom);
--- a/net/ipv6/ip6_udp_tunnel.c
+++ b/net/ipv6/ip6_udp_tunnel.c
@@ -168,7 +168,7 @@ struct dst_entry *udp_tunnel6_dst_lookup
netdev_dbg(dev, "no route to %pI6\n", &fl6.daddr);
return ERR_PTR(-ENETUNREACH);
}
- if (dst->dev == dev) { /* is this necessary? */
+ if (dst_dev(dst) == dev) { /* is this necessary? */
netdev_dbg(dev, "circular route to %pI6\n", &fl6.daddr);
dst_release(dst);
return ERR_PTR(-ELOOP);
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -497,7 +497,7 @@ vti6_xmit(struct sk_buff *skb, struct ne
(const struct in6_addr *)&x->id.daddr))
goto tx_err_link_failure;
- tdev = dst->dev;
+ tdev = dst_dev(dst);
if (tdev == dev) {
DEV_STATS_INC(dev, collisions);
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -473,6 +473,7 @@ void ndisc_send_skb(struct sk_buff *skb,
{
struct icmp6hdr *icmp6h = icmp6_hdr(skb);
struct dst_entry *dst = skb_dst(skb);
+ struct net_device *dev;
struct inet6_dev *idev;
struct net *net;
struct sock *sk;
@@ -507,11 +508,12 @@ void ndisc_send_skb(struct sk_buff *skb,
ip6_nd_hdr(skb, saddr, daddr, READ_ONCE(inet6_sk(sk)->hop_limit), skb->len);
- idev = __in6_dev_get(dst->dev);
+ dev = dst_dev(dst);
+ idev = __in6_dev_get(dev);
IP6_INC_STATS(net, idev, IPSTATS_MIB_OUTREQUESTS);
err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
- net, sk, skb, NULL, dst->dev,
+ net, sk, skb, NULL, dev,
dst_output);
if (!err) {
ICMP6MSGOUT_INC_STATS(net, idev, type);
--- a/net/ipv6/netfilter/nf_dup_ipv6.c
+++ b/net/ipv6/netfilter/nf_dup_ipv6.c
@@ -38,7 +38,7 @@ static bool nf_dup_ipv6_route(struct net
}
skb_dst_drop(skb);
skb_dst_set(skb, dst);
- skb->dev = dst->dev;
+ skb->dev = dst_dev(dst);
skb->protocol = htons(ETH_P_IPV6);
return true;
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -105,7 +105,7 @@ int ip6_dst_hoplimit(struct dst_entry *d
{
int hoplimit = dst_metric_raw(dst, RTAX_HOPLIMIT);
if (hoplimit == 0) {
- struct net_device *dev = dst->dev;
+ struct net_device *dev = dst_dev(dst);
struct inet6_dev *idev;
rcu_read_lock();
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -228,13 +228,13 @@ static struct neighbour *ip6_dst_neigh_l
const struct rt6_info *rt = dst_rt6_info(dst);
return ip6_neigh_lookup(rt6_nexthop(rt, &in6addr_any),
- dst->dev, skb, daddr);
+ dst_dev(dst), skb, daddr);
}
static void ip6_confirm_neigh(const struct dst_entry *dst, const void *daddr)
{
const struct rt6_info *rt = dst_rt6_info(dst);
- struct net_device *dev = dst->dev;
+ struct net_device *dev = dst_dev(dst);
daddr = choose_neigh_daddr(rt6_nexthop(rt, &in6addr_any), NULL, daddr);
if (!daddr)
@@ -2945,7 +2945,7 @@ static void __ip6_rt_update_pmtu(struct
if (res.f6i->nh) {
struct fib6_nh_match_arg arg = {
- .dev = dst->dev,
+ .dev = dst_dev(dst),
.gw = &rt6->rt6i_gateway,
};
@@ -3240,7 +3240,7 @@ EXPORT_SYMBOL_GPL(ip6_sk_redirect);
static unsigned int ip6_default_advmss(const struct dst_entry *dst)
{
- struct net_device *dev = dst->dev;
+ struct net_device *dev = dst_dev(dst);
unsigned int mtu = dst_mtu(dst);
struct net *net;
@@ -4264,7 +4264,7 @@ static void rt6_do_redirect(struct dst_e
if (res.f6i->nh) {
struct fib6_nh_match_arg arg = {
- .dev = dst->dev,
+ .dev = dst_dev(dst),
.gw = &rt->rt6i_gateway,
};
@@ -4551,13 +4551,14 @@ int ipv6_route_ioctl(struct net *net, un
static int ip6_pkt_drop(struct sk_buff *skb, u8 code, int ipstats_mib_noroutes)
{
struct dst_entry *dst = skb_dst(skb);
- struct net *net = dev_net(dst->dev);
+ struct net_device *dev = dst_dev(dst);
+ struct net *net = dev_net(dev);
struct inet6_dev *idev;
SKB_DR(reason);
int type;
if (netif_is_l3_master(skb->dev) ||
- dst->dev == net->loopback_dev)
+ dev == net->loopback_dev)
idev = __in6_dev_get_safely(dev_get_by_index_rcu(net, IP6CB(skb)->iif));
else
idev = ip6_dst_idev(dst);
@@ -5775,11 +5776,14 @@ static int rt6_fill_node(struct net *net
* each as a nexthop within RTA_MULTIPATH.
*/
if (rt6) {
+ struct net_device *dev;
+
if (rt6_flags & RTF_GATEWAY &&
nla_put_in6_addr(skb, RTA_GATEWAY, &rt6->rt6i_gateway))
goto nla_put_failure;
- if (dst->dev && nla_put_u32(skb, RTA_OIF, dst->dev->ifindex))
+ dev = dst_dev(dst);
+ if (dev && nla_put_u32(skb, RTA_OIF, dev->ifindex))
goto nla_put_failure;
if (dst->lwtstate &&
--- a/net/ipv6/rpl_iptunnel.c
+++ b/net/ipv6/rpl_iptunnel.c
@@ -242,7 +242,7 @@ static int rpl_output(struct net *net, s
local_bh_enable();
}
- err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst_dev(dst)));
if (unlikely(err))
goto drop;
}
@@ -297,7 +297,7 @@ static int rpl_input(struct sk_buff *skb
local_bh_enable();
}
- err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst_dev(dst)));
if (unlikely(err))
goto drop;
} else {
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -128,7 +128,8 @@ static int __seg6_do_srh_encap(struct sk
int proto, struct dst_entry *cache_dst)
{
struct dst_entry *dst = skb_dst(skb);
- struct net *net = dev_net(dst->dev);
+ struct net_device *dev = dst_dev(dst);
+ struct net *net = dev_net(dev);
struct ipv6hdr *hdr, *inner_hdr;
struct ipv6_sr_hdr *isrh;
int hdrlen, tot_len, err;
@@ -181,7 +182,7 @@ static int __seg6_do_srh_encap(struct sk
isrh->nexthdr = proto;
hdr->daddr = isrh->segments[isrh->first_segment];
- set_tun_src(net, dst->dev, &hdr->daddr, &hdr->saddr);
+ set_tun_src(net, dev, &hdr->daddr, &hdr->saddr);
#ifdef CONFIG_IPV6_SEG6_HMAC
if (sr_has_hmac(isrh)) {
@@ -212,7 +213,8 @@ static int seg6_do_srh_encap_red(struct
{
__u8 first_seg = osrh->first_segment;
struct dst_entry *dst = skb_dst(skb);
- struct net *net = dev_net(dst->dev);
+ struct net_device *dev = dst_dev(dst);
+ struct net *net = dev_net(dev);
struct ipv6hdr *hdr, *inner_hdr;
int hdrlen = ipv6_optlen(osrh);
int red_tlv_offset, tlv_offset;
@@ -270,7 +272,7 @@ static int seg6_do_srh_encap_red(struct
if (skip_srh) {
hdr->nexthdr = proto;
- set_tun_src(net, dst->dev, &hdr->daddr, &hdr->saddr);
+ set_tun_src(net, dev, &hdr->daddr, &hdr->saddr);
goto out;
}
@@ -306,7 +308,7 @@ static int seg6_do_srh_encap_red(struct
srcaddr:
isrh->nexthdr = proto;
- set_tun_src(net, dst->dev, &hdr->daddr, &hdr->saddr);
+ set_tun_src(net, dev, &hdr->daddr, &hdr->saddr);
#ifdef CONFIG_IPV6_SEG6_HMAC
if (unlikely(!skip_srh && sr_has_hmac(isrh))) {
@@ -507,7 +509,7 @@ static int seg6_input_core(struct net *n
local_bh_enable();
}
- err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst_dev(dst)));
if (unlikely(err))
goto drop;
} else {
@@ -518,7 +520,7 @@ static int seg6_input_core(struct net *n
if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled))
return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT,
dev_net(skb->dev), NULL, skb, NULL,
- skb_dst(skb)->dev, seg6_input_finish);
+ skb_dst_dev(skb), seg6_input_finish);
return seg6_input_finish(dev_net(skb->dev), NULL, skb);
drop:
@@ -593,7 +595,7 @@ static int seg6_output_core(struct net *
local_bh_enable();
}
- err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst_dev(dst)));
if (unlikely(err))
goto drop;
}
@@ -603,7 +605,7 @@ static int seg6_output_core(struct net *
if (static_branch_unlikely(&nf_hooks_lwtunnel_enabled))
return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, sk, skb,
- NULL, skb_dst(skb)->dev, dst_output);
+ NULL, dst_dev(dst), dst_output);
return dst_output(net, sk, skb);
drop:
--- a/net/ipv6/seg6_local.c
+++ b/net/ipv6/seg6_local.c
@@ -310,7 +310,7 @@ seg6_lookup_any_nexthop(struct sk_buff *
if (!local_delivery)
dev_flags |= IFF_LOOPBACK;
- if (dst && (dst->dev->flags & dev_flags) && !dst->error) {
+ if (dst && (dst_dev(dst)->flags & dev_flags) && !dst->error) {
dst_release(dst);
dst = NULL;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 528/567] net: use dst_dev_rcu() in sk_setup_caps()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (526 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 527/567] ipv6: adopt dst_dev() helper Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 529/567] usbnet: Fix using smp_processor_id() in preemptible code warnings Greg Kroah-Hartman
` (52 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David Ahern,
Jakub Kicinski, Harshit Mogalapalli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 99a2ace61b211b0be861b07fbaa062fca4b58879 ]
Use RCU to protect accesses to dst->dev from sk_setup_caps()
and sk_dst_gso_max_size().
Also use dst_dev_rcu() in ip6_dst_mtu_maybe_forward(),
and ip_dst_mtu_maybe_forward().
ip4_dst_hoplimit() can use dst_dev_net_rcu().
Fixes: 4a6ce2b6f2ec ("net: introduce a new function dst_dev_put()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20250828195823.3958522-6-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[Harshit: Backport to 6.12.y, resolve conflict due to missing commit:
22d6c9eebf2e ("net: Unexport shared functions for DCCP.") in 6.12.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/ip.h | 6 ++++--
include/net/ip6_route.h | 2 +-
include/net/route.h | 2 +-
net/core/sock.c | 16 ++++++++++------
4 files changed, 16 insertions(+), 10 deletions(-)
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -470,12 +470,14 @@ static inline unsigned int ip_dst_mtu_ma
bool forwarding)
{
const struct rtable *rt = dst_rtable(dst);
+ const struct net_device *dev;
unsigned int mtu, res;
struct net *net;
rcu_read_lock();
- net = dev_net_rcu(dst_dev(dst));
+ dev = dst_dev_rcu(dst);
+ net = dev_net_rcu(dev);
if (READ_ONCE(net->ipv4.sysctl_ip_fwd_use_pmtu) ||
ip_mtu_locked(dst) ||
!forwarding) {
@@ -489,7 +491,7 @@ static inline unsigned int ip_dst_mtu_ma
if (mtu)
goto out;
- mtu = READ_ONCE(dst_dev(dst)->mtu);
+ mtu = READ_ONCE(dev->mtu);
if (unlikely(ip_mtu_locked(dst))) {
if (rt->rt_uses_gateway && mtu > 576)
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -337,7 +337,7 @@ static inline unsigned int ip6_dst_mtu_m
mtu = IPV6_MIN_MTU;
rcu_read_lock();
- idev = __in6_dev_get(dst_dev(dst));
+ idev = __in6_dev_get(dst_dev_rcu(dst));
if (idev)
mtu = READ_ONCE(idev->cnf.mtu6);
rcu_read_unlock();
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -369,7 +369,7 @@ static inline int ip4_dst_hoplimit(const
const struct net *net;
rcu_read_lock();
- net = dev_net_rcu(dst_dev(dst));
+ net = dst_dev_net_rcu(dst);
hoplimit = READ_ONCE(net->ipv4.sysctl_ip_default_ttl);
rcu_read_unlock();
}
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2524,7 +2524,7 @@ void sk_free_unlock_clone(struct sock *s
}
EXPORT_SYMBOL_GPL(sk_free_unlock_clone);
-static u32 sk_dst_gso_max_size(struct sock *sk, struct dst_entry *dst)
+static u32 sk_dst_gso_max_size(struct sock *sk, const struct net_device *dev)
{
bool is_ipv6 = false;
u32 max_size;
@@ -2534,8 +2534,8 @@ static u32 sk_dst_gso_max_size(struct so
!ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr));
#endif
/* pairs with the WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */
- max_size = is_ipv6 ? READ_ONCE(dst_dev(dst)->gso_max_size) :
- READ_ONCE(dst_dev(dst)->gso_ipv4_max_size);
+ max_size = is_ipv6 ? READ_ONCE(dev->gso_max_size) :
+ READ_ONCE(dev->gso_ipv4_max_size);
if (max_size > GSO_LEGACY_MAX_SIZE && !sk_is_tcp(sk))
max_size = GSO_LEGACY_MAX_SIZE;
@@ -2544,9 +2544,12 @@ static u32 sk_dst_gso_max_size(struct so
void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
{
+ const struct net_device *dev;
u32 max_segs = 1;
- sk->sk_route_caps = dst_dev(dst)->features;
+ rcu_read_lock();
+ dev = dst_dev_rcu(dst);
+ sk->sk_route_caps = dev->features;
if (sk_is_tcp(sk)) {
struct inet_connection_sock *icsk = inet_csk(sk);
@@ -2562,13 +2565,14 @@ void sk_setup_caps(struct sock *sk, stru
sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
} else {
sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM;
- sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst);
+ sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dev);
/* pairs with the WRITE_ONCE() in netif_set_gso_max_segs() */
- max_segs = max_t(u32, READ_ONCE(dst_dev(dst)->gso_max_segs), 1);
+ max_segs = max_t(u32, READ_ONCE(dev->gso_max_segs), 1);
}
}
sk->sk_gso_max_segs = max_segs;
sk_dst_set(sk, dst);
+ rcu_read_unlock();
}
EXPORT_SYMBOL_GPL(sk_setup_caps);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 529/567] usbnet: Fix using smp_processor_id() in preemptible code warnings
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (527 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 528/567] net: use dst_dev_rcu() in sk_setup_caps() Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 530/567] serial: core: Fix serial device initialization Greg Kroah-Hartman
` (51 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Zqiang, Paolo Abeni,
Harshit Mogalapalli
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zqiang <qiang.zhang@linux.dev>
[ Upstream commit 327cd4b68b4398b6c24f10eb2b2533ffbfc10185 ]
Syzbot reported the following warning:
BUG: using smp_processor_id() in preemptible [00000000] code: dhcpcd/2879
caller is usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
CPU: 1 UID: 0 PID: 2879 Comm: dhcpcd Not tainted 6.15.0-rc4-syzkaller-00098-g615dca38c2ea #0 PREEMPT(voluntary)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
check_preemption_disabled+0xd0/0xe0 lib/smp_processor_id.c:49
usbnet_skb_return+0x74/0x490 drivers/net/usb/usbnet.c:331
usbnet_resume_rx+0x4b/0x170 drivers/net/usb/usbnet.c:708
usbnet_change_mtu+0x1be/0x220 drivers/net/usb/usbnet.c:417
__dev_set_mtu net/core/dev.c:9443 [inline]
netif_set_mtu_ext+0x369/0x5c0 net/core/dev.c:9496
netif_set_mtu+0xb0/0x160 net/core/dev.c:9520
dev_set_mtu+0xae/0x170 net/core/dev_api.c:247
dev_ifsioc+0xa31/0x18d0 net/core/dev_ioctl.c:572
dev_ioctl+0x223/0x10e0 net/core/dev_ioctl.c:821
sock_do_ioctl+0x19d/0x280 net/socket.c:1204
sock_ioctl+0x42f/0x6a0 net/socket.c:1311
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
For historical and portability reasons, the netif_rx() is usually
run in the softirq or interrupt context, this commit therefore add
local_bh_disable/enable() protection in the usbnet_resume_rx().
Fixes: 43daa96b166c ("usbnet: Stop RX Q on MTU change")
Link: https://syzkaller.appspot.com/bug?id=81f55dfa587ee544baaaa5a359a060512228c1e1
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Zqiang <qiang.zhang@linux.dev>
Link: https://patch.msgid.link/20251011070518.7095-1-qiang.zhang@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[Harshit: Resolved conflicts due to missing commit: 2c04d279e857 ("net:
usb: Convert tasklet API to new bottom half workqueue mechanism") in
6.12.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/usbnet.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -702,6 +702,7 @@ void usbnet_resume_rx(struct usbnet *dev
struct sk_buff *skb;
int num = 0;
+ local_bh_disable();
clear_bit(EVENT_RX_PAUSED, &dev->flags);
while ((skb = skb_dequeue(&dev->rxq_pause)) != NULL) {
@@ -710,6 +711,7 @@ void usbnet_resume_rx(struct usbnet *dev
}
tasklet_schedule(&dev->bh);
+ local_bh_enable();
netif_dbg(dev, rx_status, dev->net,
"paused rx queue disabled, %d skbs requeued\n", num);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 530/567] serial: core: Fix serial device initialization
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (528 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 529/567] usbnet: Fix using smp_processor_id() in preemptible code warnings Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 531/567] tty: fix tty_port_tty_*hangup() kernel-doc Greg Kroah-Hartman
` (50 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Cosmin Tanislav,
Alexander Stein, Michael Walle, Marek Szyprowski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
commit f54151148b969fb4b62bec8093d255306d20df30 upstream.
During restoring sysfs fwnode information the information of_node_reused
was dropped. This was previously set by device_set_of_node_from_dev().
Add it back manually
Fixes: 24ec03cc5512 ("serial: core: Restore sysfs fwnode information")
Cc: stable <stable@kernel.org>
Suggested-by: Cosmin Tanislav <demonsingur@gmail.com>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Tested-by: Michael Walle <mwalle@kernel.org>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Cosmin Tanislav <demonsingur@gmail.com>
Link: https://patch.msgid.link/20251219152813.1893982-1-alexander.stein@ew.tq-group.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/serial_base_bus.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/tty/serial/serial_base_bus.c
+++ b/drivers/tty/serial/serial_base_bus.c
@@ -74,6 +74,7 @@ static int serial_base_device_init(struc
dev->parent = parent_dev;
dev->bus = &serial_base_bus_type;
dev->release = release;
+ dev->of_node_reused = true;
device_set_node(dev, fwnode_handle_get(dev_fwnode(parent_dev)));
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 531/567] tty: fix tty_port_tty_*hangup() kernel-doc
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (529 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 530/567] serial: core: Fix serial device initialization Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 532/567] x86/microcode/AMD: Select which microcode patch to load Greg Kroah-Hartman
` (49 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE),
Ilpo Järvinen, Jonathan Corbet, linux-doc
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
commit 6241b49540a65a6d5274fa938fd3eb4cbfe2e076 upstream.
The commit below added a new helper, but omitted to move (and add) the
corressponding kernel-doc. Do it now.
Signed-off-by: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
Fixes: 2b5eac0f8c6e ("tty: introduce and use tty_port_tty_vhangup() helper")
Link: https://lore.kernel.org/all/b23d566c-09dc-7374-cc87-0ad4660e8b2e@linux.intel.com/
Reported-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: linux-doc@vger.kernel.org
Link: https://lore.kernel.org/r/20250624080641.509959-6-jirislaby@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/driver-api/tty/tty_port.rst | 5 +++--
drivers/tty/tty_port.c | 5 -----
include/linux/tty_port.h | 9 +++++++++
3 files changed, 12 insertions(+), 7 deletions(-)
--- a/Documentation/driver-api/tty/tty_port.rst
+++ b/Documentation/driver-api/tty/tty_port.rst
@@ -42,9 +42,10 @@ TTY Refcounting
TTY Helpers
-----------
+.. kernel-doc:: include/linux/tty_port.h
+ :identifiers: tty_port_tty_hangup tty_port_tty_vhangup
.. kernel-doc:: drivers/tty/tty_port.c
- :identifiers: tty_port_tty_hangup tty_port_tty_wakeup
-
+ :identifiers: tty_port_tty_wakeup
Modem Signals
-------------
--- a/drivers/tty/tty_port.c
+++ b/drivers/tty/tty_port.c
@@ -411,11 +411,6 @@ void tty_port_hangup(struct tty_port *po
}
EXPORT_SYMBOL(tty_port_hangup);
-/**
- * tty_port_tty_hangup - helper to hang up a tty
- * @port: tty port
- * @check_clocal: hang only ttys with %CLOCAL unset?
- */
void __tty_port_tty_hangup(struct tty_port *port, bool check_clocal, bool async)
{
struct tty_struct *tty = tty_port_tty_get(port);
--- a/include/linux/tty_port.h
+++ b/include/linux/tty_port.h
@@ -254,11 +254,20 @@ static inline int tty_port_users(struct
return port->count + port->blocked_open;
}
+/**
+ * tty_port_tty_hangup - helper to hang up a tty asynchronously
+ * @port: tty port
+ * @check_clocal: hang only ttys with %CLOCAL unset?
+ */
static inline void tty_port_tty_hangup(struct tty_port *port, bool check_clocal)
{
__tty_port_tty_hangup(port, check_clocal, true);
}
+/**
+ * tty_port_tty_vhangup - helper to hang up a tty synchronously
+ * @port: tty port
+ */
static inline void tty_port_tty_vhangup(struct tty_port *port)
{
__tty_port_tty_hangup(port, false, false);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 532/567] x86/microcode/AMD: Select which microcode patch to load
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (530 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 531/567] tty: fix tty_port_tty_*hangup() kernel-doc Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 533/567] media: i2c: imx219: Fix 1920x1080 mode to use 1:1 pixel aspect ratio Greg Kroah-Hartman
` (48 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Borislav Petkov (AMD), Waiman Long
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Borislav Petkov (AMD) <bp@alien8.de>
commit 8d171045069c804e5ffaa18be590c42c6af0cf3f upstream.
All microcode patches up to the proper BIOS Entrysign fix are loaded
only after the sha256 signature carried in the driver has been verified.
Microcode patches after the Entrysign fix has been applied, do not need
that signature verification anymore.
In order to not abandon machines which haven't received the BIOS update
yet, add the capability to select which microcode patch to load.
The corresponding microcode container supplied through firmware-linux
has been modified to carry two patches per CPU type
(family/model/stepping) so that the proper one gets selected.
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Waiman Long <longman@redhat.com>
Link: https://patch.msgid.link/20251027133818.4363-1-bp@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/microcode/amd.c | 104 +++++++++++++++++++++++-------------
1 file changed, 67 insertions(+), 37 deletions(-)
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -174,50 +174,61 @@ static u32 cpuid_to_ucode_rev(unsigned i
return p.ucode_rev;
}
+static u32 get_cutoff_revision(u32 rev)
+{
+ switch (rev >> 8) {
+ case 0x80012: return 0x8001277; break;
+ case 0x80082: return 0x800820f; break;
+ case 0x83010: return 0x830107c; break;
+ case 0x86001: return 0x860010e; break;
+ case 0x86081: return 0x8608108; break;
+ case 0x87010: return 0x8701034; break;
+ case 0x8a000: return 0x8a0000a; break;
+ case 0xa0010: return 0xa00107a; break;
+ case 0xa0011: return 0xa0011da; break;
+ case 0xa0012: return 0xa001243; break;
+ case 0xa0082: return 0xa00820e; break;
+ case 0xa1011: return 0xa101153; break;
+ case 0xa1012: return 0xa10124e; break;
+ case 0xa1081: return 0xa108109; break;
+ case 0xa2010: return 0xa20102f; break;
+ case 0xa2012: return 0xa201212; break;
+ case 0xa4041: return 0xa404109; break;
+ case 0xa5000: return 0xa500013; break;
+ case 0xa6012: return 0xa60120a; break;
+ case 0xa7041: return 0xa704109; break;
+ case 0xa7052: return 0xa705208; break;
+ case 0xa7080: return 0xa708009; break;
+ case 0xa70c0: return 0xa70C009; break;
+ case 0xaa001: return 0xaa00116; break;
+ case 0xaa002: return 0xaa00218; break;
+ case 0xb0021: return 0xb002146; break;
+ case 0xb0081: return 0xb008111; break;
+ case 0xb1010: return 0xb101046; break;
+ case 0xb2040: return 0xb204031; break;
+ case 0xb4040: return 0xb404031; break;
+ case 0xb4041: return 0xb404101; break;
+ case 0xb6000: return 0xb600031; break;
+ case 0xb6080: return 0xb608031; break;
+ case 0xb7000: return 0xb700031; break;
+ default: break;
+
+ }
+ return 0;
+}
+
static bool need_sha_check(u32 cur_rev)
{
+ u32 cutoff;
+
if (!cur_rev) {
cur_rev = cpuid_to_ucode_rev(bsp_cpuid_1_eax);
pr_info_once("No current revision, generating the lowest one: 0x%x\n", cur_rev);
}
- switch (cur_rev >> 8) {
- case 0x80012: return cur_rev <= 0x8001277; break;
- case 0x80082: return cur_rev <= 0x800820f; break;
- case 0x83010: return cur_rev <= 0x830107c; break;
- case 0x86001: return cur_rev <= 0x860010e; break;
- case 0x86081: return cur_rev <= 0x8608108; break;
- case 0x87010: return cur_rev <= 0x8701034; break;
- case 0x8a000: return cur_rev <= 0x8a0000a; break;
- case 0xa0010: return cur_rev <= 0xa00107a; break;
- case 0xa0011: return cur_rev <= 0xa0011da; break;
- case 0xa0012: return cur_rev <= 0xa001243; break;
- case 0xa0082: return cur_rev <= 0xa00820e; break;
- case 0xa1011: return cur_rev <= 0xa101153; break;
- case 0xa1012: return cur_rev <= 0xa10124e; break;
- case 0xa1081: return cur_rev <= 0xa108109; break;
- case 0xa2010: return cur_rev <= 0xa20102f; break;
- case 0xa2012: return cur_rev <= 0xa201212; break;
- case 0xa4041: return cur_rev <= 0xa404109; break;
- case 0xa5000: return cur_rev <= 0xa500013; break;
- case 0xa6012: return cur_rev <= 0xa60120a; break;
- case 0xa7041: return cur_rev <= 0xa704109; break;
- case 0xa7052: return cur_rev <= 0xa705208; break;
- case 0xa7080: return cur_rev <= 0xa708009; break;
- case 0xa70c0: return cur_rev <= 0xa70C009; break;
- case 0xaa001: return cur_rev <= 0xaa00116; break;
- case 0xaa002: return cur_rev <= 0xaa00218; break;
- case 0xb0021: return cur_rev <= 0xb002146; break;
- case 0xb0081: return cur_rev <= 0xb008111; break;
- case 0xb1010: return cur_rev <= 0xb101046; break;
- case 0xb2040: return cur_rev <= 0xb204031; break;
- case 0xb4040: return cur_rev <= 0xb404031; break;
- case 0xb4041: return cur_rev <= 0xb404101; break;
- case 0xb6000: return cur_rev <= 0xb600031; break;
- case 0xb6080: return cur_rev <= 0xb608031; break;
- case 0xb7000: return cur_rev <= 0xb700031; break;
- default: break;
- }
+ cutoff = get_cutoff_revision(cur_rev);
+ if (cutoff)
+ return cur_rev <= cutoff;
pr_info("You should not be seeing this. Please send the following couple of lines to x86-<at>-kernel.org\n");
pr_info("CPUID(1).EAX: 0x%x, current revision: 0x%x\n", bsp_cpuid_1_eax, cur_rev);
@@ -468,6 +479,7 @@ static int verify_patch(const u8 *buf, s
{
u8 family = x86_family(bsp_cpuid_1_eax);
struct microcode_header_amd *mc_hdr;
+ u32 cur_rev, cutoff, patch_rev;
unsigned int ret;
u32 sh_psize;
u16 proc_id;
@@ -511,6 +523,24 @@ static int verify_patch(const u8 *buf, s
if (patch_fam != family)
return 1;
+ cur_rev = get_patch_level();
+
+ /* No cutoff revision means old/unaffected by signing algorithm weakness => matches */
+ cutoff = get_cutoff_revision(cur_rev);
+ if (!cutoff)
+ goto ok;
+
+ patch_rev = mc_hdr->patch_id;
+
+ if (cur_rev <= cutoff && patch_rev <= cutoff)
+ goto ok;
+
+ if (cur_rev > cutoff && patch_rev > cutoff)
+ goto ok;
+
+ return 1;
+ok:
+
return 0;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 533/567] media: i2c: imx219: Fix 1920x1080 mode to use 1:1 pixel aspect ratio
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (531 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 532/567] x86/microcode/AMD: Select which microcode patch to load Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 534/567] wifi: mt76: mt7925: fix the unfinished command of regd_notifier before suspend Greg Kroah-Hartman
` (47 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Jacopo Mondi,
Sakari Ailus, Hans Verkuil, Jai Luthra
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Stevenson <dave.stevenson@raspberrypi.com>
commit 9ef6e4db152c34580cc52792f32485c193945395 upstream.
Commit 0af46fbc333d ("media: i2c: imx219: Calculate crop rectangle
dynamically") meant that the 1920x1080 mode switched from using no
binning to using vertical binning but no horizontal binning, which
resulted in stretched pixels.
Until proper controls are available to independently select horizontal
and vertical binning, restore the original 1:1 pixel aspect ratio by
forcing binning to be uniform in both directions.
Cc: stable@vger.kernel.org
Fixes: 0af46fbc333d ("media: i2c: imx219: Calculate crop rectangle dynamically")
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Reviewed-by: Jacopo Mondi <jacopo.mondi@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Jai Luthra <jai.luthra@ideasonboard.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/imx219.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/media/i2c/imx219.c
+++ b/drivers/media/i2c/imx219.c
@@ -843,7 +843,7 @@ static int imx219_set_pad_format(struct
const struct imx219_mode *mode;
struct v4l2_mbus_framefmt *format;
struct v4l2_rect *crop;
- unsigned int bin_h, bin_v;
+ unsigned int bin_h, bin_v, binning;
mode = v4l2_find_nearest_size(supported_modes,
ARRAY_SIZE(supported_modes),
@@ -862,9 +862,12 @@ static int imx219_set_pad_format(struct
bin_h = min(IMX219_PIXEL_ARRAY_WIDTH / format->width, 2U);
bin_v = min(IMX219_PIXEL_ARRAY_HEIGHT / format->height, 2U);
+ /* Ensure bin_h and bin_v are same to avoid 1:2 or 2:1 stretching */
+ binning = min(bin_h, bin_v);
+
crop = v4l2_subdev_state_get_crop(state, 0);
- crop->width = format->width * bin_h;
- crop->height = format->height * bin_v;
+ crop->width = format->width * binning;
+ crop->height = format->height * binning;
crop->left = (IMX219_NATIVE_WIDTH - crop->width) / 2;
crop->top = (IMX219_NATIVE_HEIGHT - crop->height) / 2;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 534/567] wifi: mt76: mt7925: fix the unfinished command of regd_notifier before suspend
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (532 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 533/567] media: i2c: imx219: Fix 1920x1080 mode to use 1:1 pixel aspect ratio Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 535/567] wifi: mt76: mt7925: fix CLC command timeout when suspend/resume Greg Kroah-Hartman
` (46 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Quan Zhou, Felix Fietkau, Jan Kiszka
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quan Zhou <quan.zhou@mediatek.com>
[ Upstream commit 1b97fc8443aea01922560de9f24a6383e6eb6ae8 ]
Before entering suspend, we need to ensure that all MCU command are
completed. In some cases, such as with regd_notifier, there is a
chance that CLC commands, will be executed before suspend.
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Link: https://patch.msgid.link/3af7b4e5bf7437832b016e32743657d1d55b1f9d.1735910288.git.quan.zhou@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/init.c | 4 ++++
drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 3 +++
2 files changed, 7 insertions(+)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/init.c
@@ -81,11 +81,14 @@ mt7925_regd_notifier(struct wiphy *wiphy
mdev->region = req->dfs_region;
dev->country_ie_env = req->country_ie_env;
+ dev->regd_in_progress = true;
mt792x_mutex_acquire(dev);
mt7925_mcu_set_clc(dev, req->alpha2, req->country_ie_env);
mt7925_mcu_set_channel_domain(hw->priv);
mt7925_set_tx_sar_pwr(hw, NULL);
mt792x_mutex_release(dev);
+ dev->regd_in_progress = false;
+ wake_up(&dev->wait);
}
static void mt7925_mac_init_basic_rates(struct mt792x_dev *dev)
@@ -235,6 +238,7 @@ int mt7925_register_device(struct mt792x
spin_lock_init(&dev->pm.wake.lock);
mutex_init(&dev->pm.mutex);
init_waitqueue_head(&dev->pm.wait);
+ init_waitqueue_head(&dev->wait);
spin_lock_init(&dev->pm.txq_lock);
INIT_DELAYED_WORK(&dev->mphy.mac_work, mt792x_mac_work);
INIT_DELAYED_WORK(&dev->phy.scan_work, mt7925_scan_work);
--- a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c
@@ -455,6 +455,9 @@ static int mt7925_pci_suspend(struct dev
if (err < 0)
goto restore_suspend;
+ wait_event_timeout(dev->wait,
+ !dev->regd_in_progress, 5 * HZ);
+
/* always enable deep sleep during suspend to reduce
* power consumption
*/
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 535/567] wifi: mt76: mt7925: fix CLC command timeout when suspend/resume
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (533 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 534/567] wifi: mt76: mt7925: fix the unfinished command of regd_notifier before suspend Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 536/567] wifi: mt76: mt7925: add handler to hif suspend/resume event Greg Kroah-Hartman
` (45 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Quan Zhou, Felix Fietkau, Jan Kiszka
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quan Zhou <quan.zhou@mediatek.com>
[ Upstream commit a0f721b8d986b62b4de316444f2b2e356d17e3b5 ]
When enter suspend/resume while in a connected state, the upper layer
will trigger disconnection before entering suspend, and at the same time,
it will trigger regd_notifier() and update CLC, causing the CLC event to
not be received due to suspend, resulting in a command timeout.
Therefore, the update of CLC is postponed until resume, to ensure data
consistency and avoid the occurrence of command timeout.
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Link: https://patch.msgid.link/bab00a2805d0533fd8beaa059222659858a9dcb5.1735910455.git.quan.zhou@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7925/init.c | 20 +++++++++++++++++---
drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 1 +
drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 3 +++
3 files changed, 21 insertions(+), 3 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/init.c
@@ -59,6 +59,18 @@ static int mt7925_thermal_init(struct mt
mt7925_hwmon_groups);
return PTR_ERR_OR_ZERO(hwmon);
}
+
+void mt7925_regd_update(struct mt792x_dev *dev)
+{
+ struct mt76_dev *mdev = &dev->mt76;
+ struct ieee80211_hw *hw = mdev->hw;
+
+ mt7925_mcu_set_clc(dev, mdev->alpha2, dev->country_ie_env);
+ mt7925_mcu_set_channel_domain(hw->priv);
+ mt7925_set_tx_sar_pwr(hw, NULL);
+}
+EXPORT_SYMBOL_GPL(mt7925_regd_update);
+
static void
mt7925_regd_notifier(struct wiphy *wiphy,
struct regulatory_request *req)
@@ -66,6 +78,7 @@ mt7925_regd_notifier(struct wiphy *wiphy
struct ieee80211_hw *hw = wiphy_to_ieee80211_hw(wiphy);
struct mt792x_dev *dev = mt792x_hw_dev(hw);
struct mt76_dev *mdev = &dev->mt76;
+ struct mt76_connac_pm *pm = &dev->pm;
/* allow world regdom at the first boot only */
if (!memcmp(req->alpha2, "00", 2) &&
@@ -81,11 +94,12 @@ mt7925_regd_notifier(struct wiphy *wiphy
mdev->region = req->dfs_region;
dev->country_ie_env = req->country_ie_env;
+ if (pm->suspended)
+ return;
+
dev->regd_in_progress = true;
mt792x_mutex_acquire(dev);
- mt7925_mcu_set_clc(dev, req->alpha2, req->country_ie_env);
- mt7925_mcu_set_channel_domain(hw->priv);
- mt7925_set_tx_sar_pwr(hw, NULL);
+ mt7925_regd_update(dev);
mt792x_mutex_release(dev);
dev->regd_in_progress = false;
wake_up(&dev->wait);
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
@@ -218,6 +218,7 @@ int mt7925_mcu_chip_config(struct mt792x
int mt7925_mcu_set_rxfilter(struct mt792x_dev *dev, u32 fif,
u8 bit_op, u32 bit_map);
+void mt7925_regd_update(struct mt792x_dev *dev);
int mt7925_mac_init(struct mt792x_dev *dev);
int mt7925_mac_sta_add(struct mt76_dev *mdev, struct ieee80211_vif *vif,
struct ieee80211_sta *sta);
--- a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c
@@ -554,11 +554,14 @@ static int mt7925_pci_resume(struct devi
local_bh_enable();
err = mt76_connac_mcu_set_hif_suspend(mdev, false);
+ if (err < 0)
+ goto failed;
/* restore previous ds setting */
if (!pm->ds_enable)
mt7925_mcu_set_deep_sleep(dev, false);
+ mt7925_regd_update(dev);
failed:
pm->suspended = false;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 536/567] wifi: mt76: mt7925: add handler to hif suspend/resume event
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (534 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 535/567] wifi: mt76: mt7925: fix CLC command timeout when suspend/resume Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 537/567] idpf: add support for SW triggered interrupts Greg Kroah-Hartman
` (44 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Quan Zhou, Felix Fietkau, Jan Kiszka
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quan Zhou <quan.zhou@mediatek.com>
[ Upstream commit 8f6571ad470feb242dcef36e53f7cf1bba03780f ]
When the system suspend or resume, the WiFi driver sends
an hif_ctrl command to the firmware and waits for an event.
Due to changes in the event format reported by the chip, the
current mt7925's driver does not account for these changes,
resulting in command timeout. Add flow to handle hif_ctrl
event to avoid command timeout. We also exented API
mt76_connac_mcu_set_hif_suspend for connac3 this time.
Signed-off-by: Quan Zhou <quan.zhou@mediatek.com>
Link: https://patch.msgid.link/3a0844ff5162142c4a9f3cf7104f75076ddd3b87.1735910562.git.quan.zhou@mediatek.com
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 -
drivers/net/wireless/mediatek/mt76/mt7615/pci.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7615/sdio.c | 4 -
drivers/net/wireless/mediatek/mt76/mt7615/usb.c | 4 -
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 -
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h | 3 -
drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 4 -
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 49 ++++++++++++++++++-
drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 20 +++++++
drivers/net/wireless/mediatek/mt76/mt7925/pci.c | 29 ++++++++---
drivers/net/wireless/mediatek/mt76/mt7925/usb.c | 20 +++++--
drivers/net/wireless/mediatek/mt76/mt792x.h | 2
14 files changed, 127 insertions(+), 34 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/mt7615/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/main.c
@@ -1249,7 +1249,7 @@ static int mt7615_suspend(struct ieee802
phy->mt76);
if (!mt7615_dev_running(dev))
- err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true);
+ err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true, true);
mt7615_mutex_release(dev);
@@ -1271,7 +1271,7 @@ static int mt7615_resume(struct ieee8021
if (!running) {
int err;
- err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false);
+ err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false, true);
if (err < 0) {
mt7615_mutex_release(dev);
return err;
--- a/drivers/net/wireless/mediatek/mt76/mt7615/pci.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/pci.c
@@ -83,7 +83,7 @@ static int mt7615_pci_suspend(struct pci
hif_suspend = !test_bit(MT76_STATE_SUSPEND, &dev->mphy.state) &&
mt7615_firmware_offload(dev);
if (hif_suspend) {
- err = mt76_connac_mcu_set_hif_suspend(mdev, true);
+ err = mt76_connac_mcu_set_hif_suspend(mdev, true, true);
if (err)
return err;
}
@@ -131,7 +131,7 @@ restore:
}
napi_enable(&mdev->tx_napi);
if (hif_suspend)
- mt76_connac_mcu_set_hif_suspend(mdev, false);
+ mt76_connac_mcu_set_hif_suspend(mdev, false, true);
return err;
}
@@ -175,7 +175,7 @@ static int mt7615_pci_resume(struct pci_
if (!test_bit(MT76_STATE_SUSPEND, &dev->mphy.state) &&
mt7615_firmware_offload(dev))
- err = mt76_connac_mcu_set_hif_suspend(mdev, false);
+ err = mt76_connac_mcu_set_hif_suspend(mdev, false, true);
return err;
}
--- a/drivers/net/wireless/mediatek/mt76/mt7615/sdio.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/sdio.c
@@ -191,7 +191,7 @@ static int mt7663s_suspend(struct device
mt7615_firmware_offload(mdev)) {
int err;
- err = mt76_connac_mcu_set_hif_suspend(&mdev->mt76, true);
+ err = mt76_connac_mcu_set_hif_suspend(&mdev->mt76, true, true);
if (err < 0)
return err;
}
@@ -230,7 +230,7 @@ static int mt7663s_resume(struct device
if (!test_bit(MT76_STATE_SUSPEND, &mdev->mphy.state) &&
mt7615_firmware_offload(mdev))
- err = mt76_connac_mcu_set_hif_suspend(&mdev->mt76, false);
+ err = mt76_connac_mcu_set_hif_suspend(&mdev->mt76, false, true);
return err;
}
--- a/drivers/net/wireless/mediatek/mt76/mt7615/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/usb.c
@@ -225,7 +225,7 @@ static int mt7663u_suspend(struct usb_in
mt7615_firmware_offload(dev)) {
int err;
- err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true);
+ err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true, true);
if (err < 0)
return err;
}
@@ -253,7 +253,7 @@ static int mt7663u_resume(struct usb_int
if (!test_bit(MT76_STATE_SUSPEND, &dev->mphy.state) &&
mt7615_firmware_offload(dev))
- err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false);
+ err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false, true);
return err;
}
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
@@ -2527,7 +2527,7 @@ mt76_connac_mcu_set_wow_ctrl(struct mt76
}
EXPORT_SYMBOL_GPL(mt76_connac_mcu_set_wow_ctrl);
-int mt76_connac_mcu_set_hif_suspend(struct mt76_dev *dev, bool suspend)
+int mt76_connac_mcu_set_hif_suspend(struct mt76_dev *dev, bool suspend, bool wait_resp)
{
struct {
struct {
@@ -2559,7 +2559,7 @@ int mt76_connac_mcu_set_hif_suspend(stru
req.hdr.hif_type = 0;
return mt76_mcu_send_msg(dev, MCU_UNI_CMD(HIF_CTRL), &req,
- sizeof(req), true);
+ sizeof(req), wait_resp);
}
EXPORT_SYMBOL_GPL(mt76_connac_mcu_set_hif_suspend);
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
@@ -1049,6 +1049,7 @@ enum {
/* unified event table */
enum {
MCU_UNI_EVENT_RESULT = 0x01,
+ MCU_UNI_EVENT_HIF_CTRL = 0x03,
MCU_UNI_EVENT_FW_LOG_2_HOST = 0x04,
MCU_UNI_EVENT_ACCESS_REG = 0x6,
MCU_UNI_EVENT_IE_COUNTDOWN = 0x09,
@@ -1989,7 +1990,7 @@ int mt76_connac_mcu_set_suspend_mode(str
struct ieee80211_vif *vif,
bool enable, u8 mdtim,
bool wow_suspend);
-int mt76_connac_mcu_set_hif_suspend(struct mt76_dev *dev, bool suspend);
+int mt76_connac_mcu_set_hif_suspend(struct mt76_dev *dev, bool suspend, bool wait_resp);
void mt76_connac_mcu_set_suspend_iter(void *priv, u8 *mac,
struct ieee80211_vif *vif);
int mt76_connac_sta_state_dp(struct mt76_dev *dev,
--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
@@ -435,7 +435,7 @@ static int mt7921_pci_suspend(struct dev
if (err < 0)
goto restore_suspend;
- err = mt76_connac_mcu_set_hif_suspend(mdev, true);
+ err = mt76_connac_mcu_set_hif_suspend(mdev, true, true);
if (err)
goto restore_suspend;
@@ -481,7 +481,7 @@ restore_napi:
if (!pm->ds_enable)
mt76_connac_mcu_set_deep_sleep(&dev->mt76, false);
- mt76_connac_mcu_set_hif_suspend(mdev, false);
+ mt76_connac_mcu_set_hif_suspend(mdev, false, true);
restore_suspend:
pm->suspended = false;
@@ -532,7 +532,7 @@ static int mt7921_pci_resume(struct devi
if (!pm->ds_enable)
mt76_connac_mcu_set_deep_sleep(&dev->mt76, false);
- err = mt76_connac_mcu_set_hif_suspend(mdev, false);
+ err = mt76_connac_mcu_set_hif_suspend(mdev, false, true);
if (err < 0)
goto failed;
--- a/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/sdio.c
@@ -240,7 +240,7 @@ static int mt7921s_suspend(struct device
mt76s_txqs_empty(&dev->mt76), 5 * HZ);
/* It is supposed that SDIO bus is idle at the point */
- err = mt76_connac_mcu_set_hif_suspend(mdev, true);
+ err = mt76_connac_mcu_set_hif_suspend(mdev, true, true);
if (err)
goto restore_worker;
@@ -258,7 +258,7 @@ static int mt7921s_suspend(struct device
restore_txrx_worker:
mt76_worker_enable(&mdev->sdio.net_worker);
mt76_worker_enable(&mdev->sdio.txrx_worker);
- mt76_connac_mcu_set_hif_suspend(mdev, false);
+ mt76_connac_mcu_set_hif_suspend(mdev, false, true);
restore_worker:
mt76_worker_enable(&mdev->tx_worker);
@@ -302,7 +302,7 @@ static int mt7921s_resume(struct device
if (!pm->ds_enable)
mt76_connac_mcu_set_deep_sleep(mdev, false);
- err = mt76_connac_mcu_set_hif_suspend(mdev, false);
+ err = mt76_connac_mcu_set_hif_suspend(mdev, false, true);
failed:
pm->suspended = false;
--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
@@ -263,7 +263,7 @@ static int mt7921u_suspend(struct usb_in
pm->suspended = true;
flush_work(&dev->reset_work);
- err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true);
+ err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true, true);
if (err)
goto failed;
@@ -313,7 +313,7 @@ static int mt7921u_resume(struct usb_int
if (err < 0)
goto failed;
- err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false);
+ err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false, true);
failed:
pm->suspended = false;
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
@@ -39,7 +39,6 @@ int mt7925_mcu_parse_response(struct mt7
} else if (cmd == MCU_UNI_CMD(DEV_INFO_UPDATE) ||
cmd == MCU_UNI_CMD(BSS_INFO_UPDATE) ||
cmd == MCU_UNI_CMD(STA_REC_UPDATE) ||
- cmd == MCU_UNI_CMD(HIF_CTRL) ||
cmd == MCU_UNI_CMD(OFFLOAD) ||
cmd == MCU_UNI_CMD(SUSPEND)) {
struct mt7925_mcu_uni_event *event;
@@ -342,6 +341,51 @@ static void mt7925_mcu_roc_handle_grant(
}
static void
+mt7925_mcu_handle_hif_ctrl_basic(struct mt792x_dev *dev, struct tlv *tlv)
+{
+ struct mt7925_mcu_hif_ctrl_basic_tlv *basic;
+
+ basic = (struct mt7925_mcu_hif_ctrl_basic_tlv *)tlv;
+
+ if (basic->hifsuspend) {
+ if (basic->hif_tx_traffic_status == HIF_TRAFFIC_IDLE &&
+ basic->hif_rx_traffic_status == HIF_TRAFFIC_IDLE)
+ /* success */
+ dev->hif_idle = true;
+ else
+ /* busy */
+ /* invalid */
+ dev->hif_idle = false;
+ } else {
+ dev->hif_resumed = true;
+ }
+ wake_up(&dev->wait);
+}
+
+static void
+mt7925_mcu_uni_hif_ctrl_event(struct mt792x_dev *dev, struct sk_buff *skb)
+{
+ struct tlv *tlv;
+ u32 tlv_len;
+
+ skb_pull(skb, sizeof(struct mt7925_mcu_rxd) + 4);
+ tlv = (struct tlv *)skb->data;
+ tlv_len = skb->len;
+
+ while (tlv_len > 0 && le16_to_cpu(tlv->len) <= tlv_len) {
+ switch (le16_to_cpu(tlv->tag)) {
+ case UNI_EVENT_HIF_CTRL_BASIC:
+ mt7925_mcu_handle_hif_ctrl_basic(dev, tlv);
+ break;
+ default:
+ break;
+ }
+ tlv_len -= le16_to_cpu(tlv->len);
+ tlv = (struct tlv *)((char *)(tlv) + le16_to_cpu(tlv->len));
+ }
+}
+
+static void
mt7925_mcu_uni_roc_event(struct mt792x_dev *dev, struct sk_buff *skb)
{
struct tlv *tlv;
@@ -487,6 +531,9 @@ mt7925_mcu_uni_rx_unsolicited_event(stru
rxd = (struct mt7925_mcu_rxd *)skb->data;
switch (rxd->eid) {
+ case MCU_UNI_EVENT_HIF_CTRL:
+ mt7925_mcu_uni_hif_ctrl_event(dev, skb);
+ break;
case MCU_UNI_EVENT_FW_LOG_2_HOST:
mt7925_mcu_uni_debug_msg_event(dev, skb);
break;
--- a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
@@ -27,6 +27,26 @@
#define MCU_UNI_EVENT_ROC 0x27
+#define HIF_TRAFFIC_IDLE 0x2
+
+enum {
+ UNI_EVENT_HIF_CTRL_BASIC = 0,
+ UNI_EVENT_HIF_CTRL_TAG_NUM
+};
+
+struct mt7925_mcu_hif_ctrl_basic_tlv {
+ __le16 tag;
+ __le16 len;
+ u8 cid;
+ u8 pad[3];
+ u32 status;
+ u8 hif_type;
+ u8 hif_tx_traffic_status;
+ u8 hif_rx_traffic_status;
+ u8 hifsuspend;
+ u8 rsv[4];
+} __packed;
+
enum {
UNI_ROC_ACQUIRE,
UNI_ROC_ABORT,
--- a/drivers/net/wireless/mediatek/mt76/mt7925/pci.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/pci.c
@@ -442,9 +442,10 @@ static int mt7925_pci_suspend(struct dev
struct mt76_dev *mdev = pci_get_drvdata(pdev);
struct mt792x_dev *dev = container_of(mdev, struct mt792x_dev, mt76);
struct mt76_connac_pm *pm = &dev->pm;
- int i, err;
+ int i, err, ret;
pm->suspended = true;
+ dev->hif_resumed = false;
flush_work(&dev->reset_work);
cancel_delayed_work_sync(&pm->ps_work);
cancel_work_sync(&pm->wake_work);
@@ -463,9 +464,13 @@ static int mt7925_pci_suspend(struct dev
*/
mt7925_mcu_set_deep_sleep(dev, true);
- err = mt76_connac_mcu_set_hif_suspend(mdev, true);
- if (err)
+ mt76_connac_mcu_set_hif_suspend(mdev, true, false);
+ ret = wait_event_timeout(dev->wait,
+ dev->hif_idle, 3 * HZ);
+ if (!ret) {
+ err = -ETIMEDOUT;
goto restore_suspend;
+ }
napi_disable(&mdev->tx_napi);
mt76_worker_disable(&mdev->tx_worker);
@@ -506,8 +511,11 @@ restore_napi:
if (!pm->ds_enable)
mt7925_mcu_set_deep_sleep(dev, false);
- mt76_connac_mcu_set_hif_suspend(mdev, false);
-
+ mt76_connac_mcu_set_hif_suspend(mdev, false, false);
+ ret = wait_event_timeout(dev->wait,
+ dev->hif_resumed, 3 * HZ);
+ if (!ret)
+ err = -ETIMEDOUT;
restore_suspend:
pm->suspended = false;
@@ -523,8 +531,9 @@ static int mt7925_pci_resume(struct devi
struct mt76_dev *mdev = pci_get_drvdata(pdev);
struct mt792x_dev *dev = container_of(mdev, struct mt792x_dev, mt76);
struct mt76_connac_pm *pm = &dev->pm;
- int i, err;
+ int i, err, ret;
+ dev->hif_idle = false;
err = mt792x_mcu_drv_pmctrl(dev);
if (err < 0)
goto failed;
@@ -553,9 +562,13 @@ static int mt7925_pci_resume(struct devi
napi_schedule(&mdev->tx_napi);
local_bh_enable();
- err = mt76_connac_mcu_set_hif_suspend(mdev, false);
- if (err < 0)
+ mt76_connac_mcu_set_hif_suspend(mdev, false, false);
+ ret = wait_event_timeout(dev->wait,
+ dev->hif_resumed, 3 * HZ);
+ if (!ret) {
+ err = -ETIMEDOUT;
goto failed;
+ }
/* restore previous ds setting */
if (!pm->ds_enable)
--- a/drivers/net/wireless/mediatek/mt76/mt7925/usb.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/usb.c
@@ -246,14 +246,19 @@ static int mt7925u_suspend(struct usb_in
{
struct mt792x_dev *dev = usb_get_intfdata(intf);
struct mt76_connac_pm *pm = &dev->pm;
- int err;
+ int err, ret;
pm->suspended = true;
+ dev->hif_resumed = false;
flush_work(&dev->reset_work);
- err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, true);
- if (err)
+ mt76_connac_mcu_set_hif_suspend(&dev->mt76, true, false);
+ ret = wait_event_timeout(dev->wait,
+ dev->hif_idle, 3 * HZ);
+ if (!ret) {
+ err = -ETIMEDOUT;
goto failed;
+ }
mt76u_stop_rx(&dev->mt76);
mt76u_stop_tx(&dev->mt76);
@@ -274,8 +279,9 @@ static int mt7925u_resume(struct usb_int
struct mt792x_dev *dev = usb_get_intfdata(intf);
struct mt76_connac_pm *pm = &dev->pm;
bool reinit = true;
- int err, i;
+ int err, i, ret;
+ dev->hif_idle = false;
for (i = 0; i < 10; i++) {
u32 val = mt76_rr(dev, MT_WF_SW_DEF_CR_USB_MCU_EVENT);
@@ -301,7 +307,11 @@ static int mt7925u_resume(struct usb_int
if (err < 0)
goto failed;
- err = mt76_connac_mcu_set_hif_suspend(&dev->mt76, false);
+ mt76_connac_mcu_set_hif_suspend(&dev->mt76, false, false);
+ ret = wait_event_timeout(dev->wait,
+ dev->hif_resumed, 3 * HZ);
+ if (!ret)
+ err = -ETIMEDOUT;
failed:
pm->suspended = false;
--- a/drivers/net/wireless/mediatek/mt76/mt792x.h
+++ b/drivers/net/wireless/mediatek/mt76/mt792x.h
@@ -216,6 +216,8 @@ struct mt792x_dev {
bool has_eht:1;
bool regd_in_progress:1;
bool aspm_supported:1;
+ bool hif_idle:1;
+ bool hif_resumed:1;
wait_queue_head_t wait;
struct work_struct init_work;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 537/567] idpf: add support for SW triggered interrupts
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (535 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 536/567] wifi: mt76: mt7925: add handler to hif suspend/resume event Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 538/567] idpf: trigger SW interrupt when exiting wb_on_itr mode Greg Kroah-Hartman
` (43 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Madhu Chittim, Joshua Hay,
Krishneil Singh, Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hay <joshua.a.hay@intel.com>
[ Upstream commit 93433c1d919775f8ac0f7893692f42e6731a5373 ]
SW triggered interrupts are guaranteed to fire after their timer
expires, unlike Tx and Rx interrupts which will only fire after the
timer expires _and_ a descriptor write back is available to be processed
by the driver.
Add the necessary fields, defines, and initializations to enable a SW
triggered interrupt in the vector's dyn_ctl register.
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Tested-by: Krishneil Singh <krishneil.k.singh@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/idpf/idpf_dev.c | 3 +++
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 8 +++++++-
drivers/net/ethernet/intel/idpf/idpf_vf_dev.c | 3 +++
3 files changed, 13 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/idpf/idpf_dev.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_dev.c
@@ -101,6 +101,9 @@ static int idpf_intr_reg_init(struct idp
intr->dyn_ctl_itridx_s = PF_GLINT_DYN_CTL_ITR_INDX_S;
intr->dyn_ctl_intrvl_s = PF_GLINT_DYN_CTL_INTERVAL_S;
intr->dyn_ctl_wb_on_itr_m = PF_GLINT_DYN_CTL_WB_ON_ITR_M;
+ intr->dyn_ctl_swint_trig_m = PF_GLINT_DYN_CTL_SWINT_TRIG_M;
+ intr->dyn_ctl_sw_itridx_ena_m =
+ PF_GLINT_DYN_CTL_SW_ITR_INDX_ENA_M;
spacing = IDPF_ITR_IDX_SPACING(reg_vals[vec_id].itrn_index_spacing,
IDPF_PF_ITR_IDX_SPACING);
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -354,6 +354,8 @@ struct idpf_vec_regs {
* @dyn_ctl_itridx_m: Mask for ITR index
* @dyn_ctl_intrvl_s: Register bit offset for ITR interval
* @dyn_ctl_wb_on_itr_m: Mask for WB on ITR feature
+ * @dyn_ctl_sw_itridx_ena_m: Mask for SW ITR index
+ * @dyn_ctl_swint_trig_m: Mask for dyn_ctl SW triggered interrupt enable
* @rx_itr: RX ITR register
* @tx_itr: TX ITR register
* @icr_ena: Interrupt cause register offset
@@ -367,6 +369,8 @@ struct idpf_intr_reg {
u32 dyn_ctl_itridx_m;
u32 dyn_ctl_intrvl_s;
u32 dyn_ctl_wb_on_itr_m;
+ u32 dyn_ctl_sw_itridx_ena_m;
+ u32 dyn_ctl_swint_trig_m;
void __iomem *rx_itr;
void __iomem *tx_itr;
void __iomem *icr_ena;
@@ -437,7 +441,7 @@ struct idpf_q_vector {
cpumask_var_t affinity_mask;
__cacheline_group_end_aligned(cold);
};
-libeth_cacheline_set_assert(struct idpf_q_vector, 112,
+libeth_cacheline_set_assert(struct idpf_q_vector, 120,
24 + sizeof(struct napi_struct) +
2 * sizeof(struct dim),
8 + sizeof(cpumask_var_t));
@@ -471,6 +475,8 @@ struct idpf_tx_queue_stats {
#define IDPF_ITR_IS_DYNAMIC(itr_mode) (itr_mode)
#define IDPF_ITR_TX_DEF IDPF_ITR_20K
#define IDPF_ITR_RX_DEF IDPF_ITR_20K
+/* Index used for 'SW ITR' update in DYN_CTL register */
+#define IDPF_SW_ITR_UPDATE_IDX 2
/* Index used for 'No ITR' update in DYN_CTL register */
#define IDPF_NO_ITR_UPDATE_IDX 3
#define IDPF_ITR_IDX_SPACING(spacing, dflt) (spacing ? spacing : dflt)
--- a/drivers/net/ethernet/intel/idpf/idpf_vf_dev.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_vf_dev.c
@@ -101,6 +101,9 @@ static int idpf_vf_intr_reg_init(struct
intr->dyn_ctl_itridx_s = VF_INT_DYN_CTLN_ITR_INDX_S;
intr->dyn_ctl_intrvl_s = VF_INT_DYN_CTLN_INTERVAL_S;
intr->dyn_ctl_wb_on_itr_m = VF_INT_DYN_CTLN_WB_ON_ITR_M;
+ intr->dyn_ctl_swint_trig_m = VF_INT_DYN_CTLN_SWINT_TRIG_M;
+ intr->dyn_ctl_sw_itridx_ena_m =
+ VF_INT_DYN_CTLN_SW_ITR_INDX_ENA_M;
spacing = IDPF_ITR_IDX_SPACING(reg_vals[vec_id].itrn_index_spacing,
IDPF_VF_ITR_IDX_SPACING);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 538/567] idpf: trigger SW interrupt when exiting wb_on_itr mode
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (536 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 537/567] idpf: add support for SW triggered interrupts Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 539/567] idpf: add support for Tx refillqs in flow scheduling mode Greg Kroah-Hartman
` (42 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Madhu Chittim, Joshua Hay,
Krishneil Singh, Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hay <joshua.a.hay@intel.com>
[ Upstream commit 0c1683c681681c14f4389e3bfa8de10baf242ba8 ]
There is a race condition between exiting wb_on_itr and completion write
backs. For example, we are in wb_on_itr mode and a Tx completion is
generated by HW, ready to be written back, as we are re-enabling
interrupts:
HW SW
| |
| | idpf_tx_splitq_clean_all
| | napi_complete_done
| |
| tx_completion_wb | idpf_vport_intr_update_itr_ena_irq
That tx_completion_wb happens before the vector is fully re-enabled.
Continuing with this example, it is a UDP stream and the
tx_completion_wb is the last one in the flow (there are no rx packets).
Because the HW generated the completion before the interrupt is fully
enabled, the HW will not fire the interrupt once the timer expires and
the write back will not happen. NAPI poll won't be called. We have
indicated we're back in interrupt mode but nothing else will trigger the
interrupt. Therefore, the completion goes unprocessed, triggering a Tx
timeout.
To mitigate this, fire a SW triggered interrupt upon exiting wb_on_itr.
This interrupt will catch the rogue completion and avoid the timeout.
Add logic to set the appropriate bits in the vector's dyn_ctl register.
Fixes: 9c4a27da0ecc ("idpf: enable WB_ON_ITR")
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Tested-by: Krishneil Singh <krishneil.k.singh@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 29 ++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -3502,21 +3502,31 @@ static void idpf_vport_intr_dis_irq_all(
/**
* idpf_vport_intr_buildreg_itr - Enable default interrupt generation settings
* @q_vector: pointer to q_vector
- * @type: itr index
- * @itr: itr value
*/
-static u32 idpf_vport_intr_buildreg_itr(struct idpf_q_vector *q_vector,
- const int type, u16 itr)
+static u32 idpf_vport_intr_buildreg_itr(struct idpf_q_vector *q_vector)
{
- u32 itr_val;
+ u32 itr_val = q_vector->intr_reg.dyn_ctl_intena_m;
+ int type = IDPF_NO_ITR_UPDATE_IDX;
+ u16 itr = 0;
+
+ if (q_vector->wb_on_itr) {
+ /*
+ * Trigger a software interrupt when exiting wb_on_itr, to make
+ * sure we catch any pending write backs that might have been
+ * missed due to interrupt state transition.
+ */
+ itr_val |= q_vector->intr_reg.dyn_ctl_swint_trig_m |
+ q_vector->intr_reg.dyn_ctl_sw_itridx_ena_m;
+ type = IDPF_SW_ITR_UPDATE_IDX;
+ itr = IDPF_ITR_20K;
+ }
itr &= IDPF_ITR_MASK;
/* Don't clear PBA because that can cause lost interrupts that
* came in while we were cleaning/polling
*/
- itr_val = q_vector->intr_reg.dyn_ctl_intena_m |
- (type << q_vector->intr_reg.dyn_ctl_itridx_s) |
- (itr << (q_vector->intr_reg.dyn_ctl_intrvl_s - 1));
+ itr_val |= (type << q_vector->intr_reg.dyn_ctl_itridx_s) |
+ (itr << (q_vector->intr_reg.dyn_ctl_intrvl_s - 1));
return itr_val;
}
@@ -3614,9 +3624,8 @@ void idpf_vport_intr_update_itr_ena_irq(
/* net_dim() updates ITR out-of-band using a work item */
idpf_net_dim(q_vector);
+ intval = idpf_vport_intr_buildreg_itr(q_vector);
q_vector->wb_on_itr = false;
- intval = idpf_vport_intr_buildreg_itr(q_vector,
- IDPF_NO_ITR_UPDATE_IDX, 0);
writel(intval, q_vector->intr_reg.dyn_ctl);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 539/567] idpf: add support for Tx refillqs in flow scheduling mode
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (537 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 538/567] idpf: trigger SW interrupt when exiting wb_on_itr mode Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 540/567] idpf: improve when to set RE bit logic Greg Kroah-Hartman
` (41 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Hay, Madhu Chittim,
Samuel Salin, Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hay <joshua.a.hay@intel.com>
[ Upstream commit cb83b559bea39f207ee214ee2972657e8576ed18 ]
Changes from original commit:
- Adjusted idpf_tx_queue assert size to align with 6.12 struct definition
In certain production environments, it is possible for completion tags
to collide, meaning N packets with the same completion tag are in flight
at the same time. In this environment, any given Tx queue is effectively
used to send both slower traffic and higher throughput traffic
simultaneously. This is the result of a customer's specific
configuration in the device pipeline, the details of which Intel cannot
provide. This configuration results in a small number of out-of-order
completions, i.e., a small number of packets in flight. The existing
guardrails in the driver only protect against a large number of packets
in flight. The slower flow completions are delayed which causes the
out-of-order completions. The fast flow will continue sending traffic
and generating tags. Because tags are generated on the fly, the fast
flow eventually uses the same tag for a packet that is still in flight
from the slower flow. The driver has no idea which packet it should
clean when it processes the completion with that tag, but it will look
for the packet on the buffer ring before the hash table. If the slower
flow packet completion is processed first, it will end up cleaning the
fast flow packet on the ring prematurely. This leaves the descriptor
ring in a bad state resulting in a crash or Tx timeout.
In summary, generating a tag when a packet is sent can lead to the same
tag being associated with multiple packets. This can lead to resource
leaks, crashes, and/or Tx timeouts.
Before we can replace the tag generation, we need a new mechanism for
the send path to know what tag to use next. The driver will allocate and
initialize a refillq for each TxQ with all of the possible free tag
values. During send, the driver grabs the next free tag from the refillq
from next_to_clean. While cleaning the packet, the clean routine posts
the tag back to the refillq's next_to_use to indicate that it is now
free to use.
This mechanism works exactly the same way as the existing Rx refill
queues, which post the cleaned buffer IDs back to the buffer queue to be
reposted to HW. Since we're using the refillqs for both Rx and Tx now,
genericize some of the existing refillq support.
Note: the refillqs will not be used yet. This is only demonstrating how
they will be used to pass free tags back to the send path.
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 93 +++++++++++++++++++++++++---
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 8 +-
2 files changed, 91 insertions(+), 10 deletions(-)
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -158,6 +158,9 @@ static void idpf_tx_desc_rel(struct idpf
if (!txq->desc_ring)
return;
+ if (txq->refillq)
+ kfree(txq->refillq->ring);
+
dmam_free_coherent(txq->dev, txq->size, txq->desc_ring, txq->dma);
txq->desc_ring = NULL;
txq->next_to_use = 0;
@@ -263,6 +266,7 @@ static int idpf_tx_desc_alloc(const stru
struct idpf_tx_queue *tx_q)
{
struct device *dev = tx_q->dev;
+ struct idpf_sw_queue *refillq;
int err;
err = idpf_tx_buf_alloc_all(tx_q);
@@ -286,6 +290,29 @@ static int idpf_tx_desc_alloc(const stru
tx_q->next_to_clean = 0;
idpf_queue_set(GEN_CHK, tx_q);
+ if (!idpf_queue_has(FLOW_SCH_EN, tx_q))
+ return 0;
+
+ refillq = tx_q->refillq;
+ refillq->desc_count = tx_q->desc_count;
+ refillq->ring = kcalloc(refillq->desc_count, sizeof(u32),
+ GFP_KERNEL);
+ if (!refillq->ring) {
+ err = -ENOMEM;
+ goto err_alloc;
+ }
+
+ for (unsigned int i = 0; i < refillq->desc_count; i++)
+ refillq->ring[i] =
+ FIELD_PREP(IDPF_RFL_BI_BUFID_M, i) |
+ FIELD_PREP(IDPF_RFL_BI_GEN_M,
+ idpf_queue_has(GEN_CHK, refillq));
+
+ /* Go ahead and flip the GEN bit since this counts as filling
+ * up the ring, i.e. we already ring wrapped.
+ */
+ idpf_queue_change(GEN_CHK, refillq);
+
return 0;
err_alloc:
@@ -622,18 +649,18 @@ static int idpf_rx_hdr_buf_alloc_all(str
}
/**
- * idpf_rx_post_buf_refill - Post buffer id to refill queue
+ * idpf_post_buf_refill - Post buffer id to refill queue
* @refillq: refill queue to post to
* @buf_id: buffer id to post
*/
-static void idpf_rx_post_buf_refill(struct idpf_sw_queue *refillq, u16 buf_id)
+static void idpf_post_buf_refill(struct idpf_sw_queue *refillq, u16 buf_id)
{
u32 nta = refillq->next_to_use;
/* store the buffer ID and the SW maintained GEN bit to the refillq */
refillq->ring[nta] =
- FIELD_PREP(IDPF_RX_BI_BUFID_M, buf_id) |
- FIELD_PREP(IDPF_RX_BI_GEN_M,
+ FIELD_PREP(IDPF_RFL_BI_BUFID_M, buf_id) |
+ FIELD_PREP(IDPF_RFL_BI_GEN_M,
idpf_queue_has(GEN_CHK, refillq));
if (unlikely(++nta == refillq->desc_count)) {
@@ -1014,6 +1041,11 @@ static void idpf_txq_group_rel(struct id
struct idpf_txq_group *txq_grp = &vport->txq_grps[i];
for (j = 0; j < txq_grp->num_txq; j++) {
+ if (flow_sch_en) {
+ kfree(txq_grp->txqs[j]->refillq);
+ txq_grp->txqs[j]->refillq = NULL;
+ }
+
kfree(txq_grp->txqs[j]);
txq_grp->txqs[j] = NULL;
}
@@ -1425,6 +1457,13 @@ static int idpf_txq_group_alloc(struct i
}
idpf_queue_set(FLOW_SCH_EN, q);
+
+ q->refillq = kzalloc(sizeof(*q->refillq), GFP_KERNEL);
+ if (!q->refillq)
+ goto err_alloc;
+
+ idpf_queue_set(GEN_CHK, q->refillq);
+ idpf_queue_set(RFL_GEN_CHK, q->refillq);
}
if (!split)
@@ -1973,6 +2012,8 @@ static void idpf_tx_handle_rs_completion
compl_tag = le16_to_cpu(desc->q_head_compl_tag.compl_tag);
+ idpf_post_buf_refill(txq->refillq, compl_tag);
+
/* If we didn't clean anything on the ring, this packet must be
* in the hash table. Go clean it there.
*/
@@ -2333,6 +2374,37 @@ static unsigned int idpf_tx_splitq_bump_
}
/**
+ * idpf_tx_get_free_buf_id - get a free buffer ID from the refill queue
+ * @refillq: refill queue to get buffer ID from
+ * @buf_id: return buffer ID
+ *
+ * Return: true if a buffer ID was found, false if not
+ */
+static bool idpf_tx_get_free_buf_id(struct idpf_sw_queue *refillq,
+ u16 *buf_id)
+{
+ u32 ntc = refillq->next_to_clean;
+ u32 refill_desc;
+
+ refill_desc = refillq->ring[ntc];
+
+ if (unlikely(idpf_queue_has(RFL_GEN_CHK, refillq) !=
+ !!(refill_desc & IDPF_RFL_BI_GEN_M)))
+ return false;
+
+ *buf_id = FIELD_GET(IDPF_RFL_BI_BUFID_M, refill_desc);
+
+ if (unlikely(++ntc == refillq->desc_count)) {
+ idpf_queue_change(RFL_GEN_CHK, refillq);
+ ntc = 0;
+ }
+
+ refillq->next_to_clean = ntc;
+
+ return true;
+}
+
+/**
* idpf_tx_splitq_map - Build the Tx flex descriptor
* @tx_q: queue to send buffer on
* @params: pointer to splitq params struct
@@ -2702,6 +2774,13 @@ static netdev_tx_t idpf_tx_splitq_frame(
}
if (idpf_queue_has(FLOW_SCH_EN, tx_q)) {
+ if (unlikely(!idpf_tx_get_free_buf_id(tx_q->refillq,
+ &tx_params.compl_tag))) {
+ u64_stats_update_begin(&tx_q->stats_sync);
+ u64_stats_inc(&tx_q->q_stats.q_busy);
+ u64_stats_update_end(&tx_q->stats_sync);
+ }
+
tx_params.dtype = IDPF_TX_DESC_DTYPE_FLEX_FLOW_SCHE;
tx_params.eop_cmd = IDPF_TXD_FLEX_FLOW_CMD_EOP;
/* Set the RE bit to catch any packets that may have not been
@@ -3220,7 +3299,7 @@ payload:
skip_data:
rx_buf->page = NULL;
- idpf_rx_post_buf_refill(refillq, buf_id);
+ idpf_post_buf_refill(refillq, buf_id);
IDPF_RX_BUMP_NTC(rxq, ntc);
/* skip if it is non EOP desc */
@@ -3328,10 +3407,10 @@ static void idpf_rx_clean_refillq(struct
bool failure;
if (idpf_queue_has(RFL_GEN_CHK, refillq) !=
- !!(refill_desc & IDPF_RX_BI_GEN_M))
+ !!(refill_desc & IDPF_RFL_BI_GEN_M))
break;
- buf_id = FIELD_GET(IDPF_RX_BI_BUFID_M, refill_desc);
+ buf_id = FIELD_GET(IDPF_RFL_BI_BUFID_M, refill_desc);
failure = idpf_rx_update_bufq_desc(bufq, buf_id, buf_desc);
if (failure)
break;
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -107,8 +107,8 @@ do { \
*/
#define IDPF_TX_SPLITQ_RE_MIN_GAP 64
-#define IDPF_RX_BI_GEN_M BIT(16)
-#define IDPF_RX_BI_BUFID_M GENMASK(15, 0)
+#define IDPF_RFL_BI_GEN_M BIT(16)
+#define IDPF_RFL_BI_BUFID_M GENMASK(15, 0)
#define IDPF_RXD_EOF_SPLITQ VIRTCHNL2_RX_FLEX_DESC_ADV_STATUS0_EOF_M
#define IDPF_RXD_EOF_SINGLEQ VIRTCHNL2_RX_BASE_DESC_STATUS_EOF_M
@@ -635,6 +635,7 @@ libeth_cacheline_set_assert(struct idpf_
* @cleaned_pkts: Number of packets cleaned for the above said case
* @tx_max_bufs: Max buffers that can be transmitted with scatter-gather
* @stash: Tx buffer stash for Flow-based scheduling mode
+ * @refillq: Pointer to refill queue
* @compl_tag_bufid_m: Completion tag buffer id mask
* @compl_tag_cur_gen: Used to keep track of current completion tag generation
* @compl_tag_gen_max: To determine when compl_tag_cur_gen should be reset
@@ -682,6 +683,7 @@ struct idpf_tx_queue {
u16 tx_max_bufs;
struct idpf_txq_stash *stash;
+ struct idpf_sw_queue *refillq;
u16 compl_tag_bufid_m;
u16 compl_tag_cur_gen;
@@ -700,7 +702,7 @@ struct idpf_tx_queue {
__cacheline_group_end_aligned(cold);
};
libeth_cacheline_set_assert(struct idpf_tx_queue, 64,
- 88 + sizeof(struct u64_stats_sync),
+ 96 + sizeof(struct u64_stats_sync),
24);
/**
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 540/567] idpf: improve when to set RE bit logic
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (538 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 539/567] idpf: add support for Tx refillqs in flow scheduling mode Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 541/567] idpf: simplify and fix splitq Tx packet rollback error path Greg Kroah-Hartman
` (40 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luigi Rizzo, Brian Vazquez,
Joshua Hay, Madhu Chittim, Samuel Salin, Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hay <joshua.a.hay@intel.com>
[ Upstream commit f2d18e16479cac7a708d77cbfb4220a9114a71fc ]
Track the gap between next_to_use and the last RE index. Set RE again
if the gap is large enough to ensure RE bit is set frequently. This is
critical before removing the stashing mechanisms because the
opportunistic descriptor ring cleaning from the out-of-order completions
will go away. Previously the descriptors would be "cleaned" by both the
descriptor (RE) completion and the out-of-order completions. Without the
latter, we must ensure the RE bit is set more frequently. Otherwise,
it's theoretically possible for the descriptor ring next_to_clean to
never advance. The previous implementation was dependent on the start
of a packet falling on a 64th index in the descriptor ring, which is not
guaranteed with large packets.
Signed-off-by: Luigi Rizzo <lrizzo@google.com>
Signed-off-by: Brian Vazquez <brianvv@google.com>
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 20 +++++++++++++++++++-
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 6 ++++--
2 files changed, 23 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -313,6 +313,8 @@ static int idpf_tx_desc_alloc(const stru
*/
idpf_queue_change(GEN_CHK, refillq);
+ tx_q->last_re = tx_q->desc_count - IDPF_TX_SPLITQ_RE_MIN_GAP;
+
return 0;
err_alloc:
@@ -2709,6 +2711,21 @@ netdev_tx_t idpf_tx_drop_skb(struct idpf
}
/**
+ * idpf_tx_splitq_need_re - check whether RE bit needs to be set
+ * @tx_q: pointer to Tx queue
+ *
+ * Return: true if RE bit needs to be set, false otherwise
+ */
+static bool idpf_tx_splitq_need_re(struct idpf_tx_queue *tx_q)
+{
+ int gap = tx_q->next_to_use - tx_q->last_re;
+
+ gap += (gap < 0) ? tx_q->desc_count : 0;
+
+ return gap >= IDPF_TX_SPLITQ_RE_MIN_GAP;
+}
+
+/**
* idpf_tx_splitq_frame - Sends buffer on Tx ring using flex descriptors
* @skb: send buffer
* @tx_q: queue to send buffer on
@@ -2788,9 +2805,10 @@ static netdev_tx_t idpf_tx_splitq_frame(
* MIN_RING size to ensure it will be set at least once each
* time around the ring.
*/
- if (!(tx_q->next_to_use % IDPF_TX_SPLITQ_RE_MIN_GAP)) {
+ if (idpf_tx_splitq_need_re(tx_q)) {
tx_params.eop_cmd |= IDPF_TXD_FLEX_FLOW_CMD_RE;
tx_q->txq_grp->num_completions_pending++;
+ tx_q->last_re = tx_q->next_to_use;
}
if (skb->ip_summed == CHECKSUM_PARTIAL)
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -623,6 +623,8 @@ libeth_cacheline_set_assert(struct idpf_
* @netdev: &net_device corresponding to this queue
* @next_to_use: Next descriptor to use
* @next_to_clean: Next descriptor to clean
+ * @last_re: last descriptor index that RE bit was set
+ * @tx_max_bufs: Max buffers that can be transmitted with scatter-gather
* @cleaned_bytes: Splitq only, TXQ only: When a TX completion is received on
* the TX completion queue, it can be for any TXQ associated
* with that completion queue. This means we can clean up to
@@ -633,7 +635,6 @@ libeth_cacheline_set_assert(struct idpf_
* only once at the end of the cleaning routine.
* @clean_budget: singleq only, queue cleaning budget
* @cleaned_pkts: Number of packets cleaned for the above said case
- * @tx_max_bufs: Max buffers that can be transmitted with scatter-gather
* @stash: Tx buffer stash for Flow-based scheduling mode
* @refillq: Pointer to refill queue
* @compl_tag_bufid_m: Completion tag buffer id mask
@@ -674,6 +675,8 @@ struct idpf_tx_queue {
__cacheline_group_begin_aligned(read_write);
u16 next_to_use;
u16 next_to_clean;
+ u16 last_re;
+ u16 tx_max_bufs;
union {
u32 cleaned_bytes;
@@ -681,7 +684,6 @@ struct idpf_tx_queue {
};
u16 cleaned_pkts;
- u16 tx_max_bufs;
struct idpf_txq_stash *stash;
struct idpf_sw_queue *refillq;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 541/567] idpf: simplify and fix splitq Tx packet rollback error path
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (539 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 540/567] idpf: improve when to set RE bit logic Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 542/567] idpf: replace flow scheduling buffer ring with buffer pool Greg Kroah-Hartman
` (39 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Hay, Madhu Chittim,
Samuel Salin, Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hay <joshua.a.hay@intel.com>
[ Upstream commit b61dfa9bc4430ad82b96d3a7c1c485350f91b467 ]
Move (and rename) the existing rollback logic to singleq.c since that
will be the only consumer. Create a simplified splitq specific rollback
function to loop through and unmap tx_bufs based on the completion tag.
This is critical before replacing the Tx buffer ring with the buffer
pool since the previous rollback indexing will not work to unmap the
chained buffers from the pool.
Cache the next_to_use index before any portion of the packet is put on
the descriptor ring. In case of an error, the rollback will bump tail to
the correct next_to_use value. Because the splitq path now supports
different types of context descriptors (and potentially multiple in the
future), this will take care of rolling back any and all context
descriptors encoded on the ring for the erroneous packet. The previous
rollback logic was broken for PTP packets since it would not account for
the PTP context descriptor.
Fixes: 1a49cf814fe1 ("idpf: add Tx timestamp flows")
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c | 57 ++++++++++++
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 91 ++++++++------------
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 5 -
3 files changed, 95 insertions(+), 58 deletions(-)
--- a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
@@ -180,6 +180,58 @@ static int idpf_tx_singleq_csum(struct s
}
/**
+ * idpf_tx_singleq_dma_map_error - handle TX DMA map errors
+ * @txq: queue to send buffer on
+ * @skb: send buffer
+ * @first: original first buffer info buffer for packet
+ * @idx: starting point on ring to unwind
+ */
+static void idpf_tx_singleq_dma_map_error(struct idpf_tx_queue *txq,
+ struct sk_buff *skb,
+ struct idpf_tx_buf *first, u16 idx)
+{
+ struct libeth_sq_napi_stats ss = { };
+ struct libeth_cq_pp cp = {
+ .dev = txq->dev,
+ .ss = &ss,
+ };
+
+ u64_stats_update_begin(&txq->stats_sync);
+ u64_stats_inc(&txq->q_stats.dma_map_errs);
+ u64_stats_update_end(&txq->stats_sync);
+
+ /* clear dma mappings for failed tx_buf map */
+ for (;;) {
+ struct idpf_tx_buf *tx_buf;
+
+ tx_buf = &txq->tx_buf[idx];
+ libeth_tx_complete(tx_buf, &cp);
+ if (tx_buf == first)
+ break;
+ if (idx == 0)
+ idx = txq->desc_count;
+ idx--;
+ }
+
+ if (skb_is_gso(skb)) {
+ union idpf_tx_flex_desc *tx_desc;
+
+ /* If we failed a DMA mapping for a TSO packet, we will have
+ * used one additional descriptor for a context
+ * descriptor. Reset that here.
+ */
+ tx_desc = &txq->flex_tx[idx];
+ memset(tx_desc, 0, sizeof(*tx_desc));
+ if (idx == 0)
+ idx = txq->desc_count;
+ idx--;
+ }
+
+ /* Update tail in case netdev_xmit_more was previously true */
+ idpf_tx_buf_hw_update(txq, idx, false);
+}
+
+/**
* idpf_tx_singleq_map - Build the Tx base descriptor
* @tx_q: queue to send buffer on
* @first: first buffer info buffer to use
@@ -219,8 +271,9 @@ static void idpf_tx_singleq_map(struct i
for (frag = &skb_shinfo(skb)->frags[0];; frag++) {
unsigned int max_data = IDPF_TX_MAX_DESC_DATA_ALIGNED;
- if (dma_mapping_error(tx_q->dev, dma))
- return idpf_tx_dma_map_error(tx_q, skb, first, i);
+ if (unlikely(dma_mapping_error(tx_q->dev, dma)))
+ return idpf_tx_singleq_dma_map_error(tx_q, skb,
+ first, i);
/* record length, and DMA address */
dma_unmap_len_set(tx_buf, len, size);
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -2308,57 +2308,6 @@ unsigned int idpf_tx_desc_count_required
}
/**
- * idpf_tx_dma_map_error - handle TX DMA map errors
- * @txq: queue to send buffer on
- * @skb: send buffer
- * @first: original first buffer info buffer for packet
- * @idx: starting point on ring to unwind
- */
-void idpf_tx_dma_map_error(struct idpf_tx_queue *txq, struct sk_buff *skb,
- struct idpf_tx_buf *first, u16 idx)
-{
- struct libeth_sq_napi_stats ss = { };
- struct libeth_cq_pp cp = {
- .dev = txq->dev,
- .ss = &ss,
- };
-
- u64_stats_update_begin(&txq->stats_sync);
- u64_stats_inc(&txq->q_stats.dma_map_errs);
- u64_stats_update_end(&txq->stats_sync);
-
- /* clear dma mappings for failed tx_buf map */
- for (;;) {
- struct idpf_tx_buf *tx_buf;
-
- tx_buf = &txq->tx_buf[idx];
- libeth_tx_complete(tx_buf, &cp);
- if (tx_buf == first)
- break;
- if (idx == 0)
- idx = txq->desc_count;
- idx--;
- }
-
- if (skb_is_gso(skb)) {
- union idpf_tx_flex_desc *tx_desc;
-
- /* If we failed a DMA mapping for a TSO packet, we will have
- * used one additional descriptor for a context
- * descriptor. Reset that here.
- */
- tx_desc = &txq->flex_tx[idx];
- memset(tx_desc, 0, sizeof(struct idpf_flex_tx_ctx_desc));
- if (idx == 0)
- idx = txq->desc_count;
- idx--;
- }
-
- /* Update tail in case netdev_xmit_more was previously true */
- idpf_tx_buf_hw_update(txq, idx, false);
-}
-
-/**
* idpf_tx_splitq_bump_ntu - adjust NTU and generation
* @txq: the tx ring to wrap
* @ntu: ring index to bump
@@ -2407,6 +2356,37 @@ static bool idpf_tx_get_free_buf_id(stru
}
/**
+ * idpf_tx_splitq_pkt_err_unmap - Unmap buffers and bump tail in case of error
+ * @txq: Tx queue to unwind
+ * @params: pointer to splitq params struct
+ * @first: starting buffer for packet to unmap
+ */
+static void idpf_tx_splitq_pkt_err_unmap(struct idpf_tx_queue *txq,
+ struct idpf_tx_splitq_params *params,
+ struct idpf_tx_buf *first)
+{
+ struct libeth_sq_napi_stats ss = { };
+ struct idpf_tx_buf *tx_buf = first;
+ struct libeth_cq_pp cp = {
+ .dev = txq->dev,
+ .ss = &ss,
+ };
+ u32 idx = 0;
+
+ u64_stats_update_begin(&txq->stats_sync);
+ u64_stats_inc(&txq->q_stats.dma_map_errs);
+ u64_stats_update_end(&txq->stats_sync);
+
+ do {
+ libeth_tx_complete(tx_buf, &cp);
+ idpf_tx_clean_buf_ring_bump_ntc(txq, idx, tx_buf);
+ } while (idpf_tx_buf_compl_tag(tx_buf) == params->compl_tag);
+
+ /* Update tail in case netdev_xmit_more was previously true. */
+ idpf_tx_buf_hw_update(txq, params->prev_ntu, false);
+}
+
+/**
* idpf_tx_splitq_map - Build the Tx flex descriptor
* @tx_q: queue to send buffer on
* @params: pointer to splitq params struct
@@ -2450,8 +2430,9 @@ static void idpf_tx_splitq_map(struct id
for (frag = &skb_shinfo(skb)->frags[0];; frag++) {
unsigned int max_data = IDPF_TX_MAX_DESC_DATA_ALIGNED;
- if (dma_mapping_error(tx_q->dev, dma))
- return idpf_tx_dma_map_error(tx_q, skb, first, i);
+ if (unlikely(dma_mapping_error(tx_q->dev, dma)))
+ return idpf_tx_splitq_pkt_err_unmap(tx_q, params,
+ first);
first->nr_frags++;
idpf_tx_buf_compl_tag(tx_buf) = params->compl_tag;
@@ -2735,7 +2716,9 @@ static bool idpf_tx_splitq_need_re(struc
static netdev_tx_t idpf_tx_splitq_frame(struct sk_buff *skb,
struct idpf_tx_queue *tx_q)
{
- struct idpf_tx_splitq_params tx_params = { };
+ struct idpf_tx_splitq_params tx_params = {
+ .prev_ntu = tx_q->next_to_use,
+ };
struct idpf_tx_buf *first;
unsigned int count;
int tso;
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -194,6 +194,7 @@ struct idpf_tx_offload_params {
* @compl_tag: Associated tag for completion
* @td_tag: Descriptor tunneling tag
* @offload: Offload parameters
+ * @prev_ntu: stored TxQ next_to_use in case of rollback
*/
struct idpf_tx_splitq_params {
enum idpf_tx_desc_dtype_value dtype;
@@ -204,6 +205,8 @@ struct idpf_tx_splitq_params {
};
struct idpf_tx_offload_params offload;
+
+ u16 prev_ntu;
};
enum idpf_tx_ctx_desc_eipt_offload {
@@ -1050,8 +1053,6 @@ void idpf_tx_buf_hw_update(struct idpf_t
bool xmit_more);
unsigned int idpf_size_to_txd_count(unsigned int size);
netdev_tx_t idpf_tx_drop_skb(struct idpf_tx_queue *tx_q, struct sk_buff *skb);
-void idpf_tx_dma_map_error(struct idpf_tx_queue *txq, struct sk_buff *skb,
- struct idpf_tx_buf *first, u16 ring_idx);
unsigned int idpf_tx_desc_count_required(struct idpf_tx_queue *txq,
struct sk_buff *skb);
void idpf_tx_timeout(struct net_device *netdev, unsigned int txqueue);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 542/567] idpf: replace flow scheduling buffer ring with buffer pool
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (540 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 541/567] idpf: simplify and fix splitq Tx packet rollback error path Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 543/567] idpf: stop Tx if there are insufficient buffer resources Greg Kroah-Hartman
` (38 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luigi Rizzo, Brian Vazquez,
Joshua Hay, Madhu Chittim, Aleksandr Loktionov, Samuel Salin,
Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hay <joshua.a.hay@intel.com>
[ Upstream commit 5f417d551324d2894168b362f2429d120ab06243 ]
Replace the TxQ buffer ring with one large pool/array of buffers (only
for flow scheduling). This eliminates the tag generation and makes it
impossible for a tag to be associated with more than one packet.
The completion tag passed to HW through the descriptor is the index into
the array. That same completion tag is posted back to the driver in the
completion descriptor, and used to index into the array to quickly
retrieve the buffer during cleaning. In this way, the tags are treated
as a fix sized resource. If all tags are in use, no more packets can be
sent on that particular queue (until some are freed up). The tag pool
size is 64K since the completion tag width is 16 bits.
For each packet, the driver pulls a free tag from the refillq to get the
next free buffer index. When cleaning is complete, the tag is posted
back to the refillq. A multi-frag packet spans multiple buffers in the
driver, therefore it uses multiple buffer indexes/tags from the pool.
Each frag pulls from the refillq to get the next free buffer index.
These are tracked in a next_buf field that replaces the completion tag
field in the buffer struct. This chains the buffers together so that the
packet can be cleaned from the starting completion tag taken from the
completion descriptor, then from the next_buf field for each subsequent
buffer.
In case of a dma_mapping_error occurs or the refillq runs out of free
buf_ids, the packet will execute the rollback error path. This unmaps
any buffers previously mapped for the packet. Since several free
buf_ids could have already been pulled from the refillq, we need to
restore its original state as well. Otherwise, the buf_ids/tags
will be leaked and not used again until the queue is reallocated.
Descriptor completions only advance the descriptor ring index to "clean"
the descriptors. The packet completions only clean the buffers
associated with the given packet completion tag and do not update the
descriptor ring index.
When operating in queue based scheduling mode, the array still acts as a
ring and will only have TxQ descriptor count entries. The tx_bufs are
still associated 1:1 with the descriptor ring entries and we can use the
conventional indexing mechanisms.
Fixes: c2d548cad150 ("idpf: add TX splitq napi poll support")
Signed-off-by: Luigi Rizzo <lrizzo@google.com>
Signed-off-by: Brian Vazquez <brianvv@google.com>
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 209 ++++++++++++----------------
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 10 +
2 files changed, 106 insertions(+), 113 deletions(-)
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -12,6 +12,7 @@ struct idpf_tx_stash {
struct libeth_sqe buf;
};
+#define idpf_tx_buf_next(buf) (*(u32 *)&(buf)->priv)
#define idpf_tx_buf_compl_tag(buf) (*(u32 *)&(buf)->priv)
LIBETH_SQE_CHECK_PRIV(u32);
@@ -110,7 +111,7 @@ static void idpf_tx_buf_rel_all(struct i
return;
/* Free all the Tx buffer sk_buffs */
- for (i = 0; i < txq->desc_count; i++)
+ for (i = 0; i < txq->buf_pool_size; i++)
libeth_tx_complete(&txq->tx_buf[i], &cp);
kfree(txq->tx_buf);
@@ -218,14 +219,17 @@ static void idpf_tx_desc_rel_all(struct
static int idpf_tx_buf_alloc_all(struct idpf_tx_queue *tx_q)
{
struct idpf_buf_lifo *buf_stack;
- int buf_size;
int i;
/* Allocate book keeping buffers only. Buffers to be supplied to HW
* are allocated by kernel network stack and received as part of skb
*/
- buf_size = sizeof(struct idpf_tx_buf) * tx_q->desc_count;
- tx_q->tx_buf = kzalloc(buf_size, GFP_KERNEL);
+ if (idpf_queue_has(FLOW_SCH_EN, tx_q))
+ tx_q->buf_pool_size = U16_MAX;
+ else
+ tx_q->buf_pool_size = tx_q->desc_count;
+ tx_q->tx_buf = kcalloc(tx_q->buf_pool_size, sizeof(*tx_q->tx_buf),
+ GFP_KERNEL);
if (!tx_q->tx_buf)
return -ENOMEM;
@@ -294,7 +298,7 @@ static int idpf_tx_desc_alloc(const stru
return 0;
refillq = tx_q->refillq;
- refillq->desc_count = tx_q->desc_count;
+ refillq->desc_count = tx_q->buf_pool_size;
refillq->ring = kcalloc(refillq->desc_count, sizeof(u32),
GFP_KERNEL);
if (!refillq->ring) {
@@ -1841,6 +1845,12 @@ static bool idpf_tx_splitq_clean(struct
struct idpf_tx_buf *tx_buf;
bool clean_complete = true;
+ if (descs_only) {
+ /* Bump ring index to mark as cleaned. */
+ tx_q->next_to_clean = end;
+ return true;
+ }
+
tx_desc = &tx_q->flex_tx[ntc];
next_pending_desc = &tx_q->flex_tx[end];
tx_buf = &tx_q->tx_buf[ntc];
@@ -1907,83 +1917,40 @@ do { \
} while (0)
/**
- * idpf_tx_clean_buf_ring - clean flow scheduling TX queue buffers
+ * idpf_tx_clean_bufs - clean flow scheduling TX queue buffers
* @txq: queue to clean
- * @compl_tag: completion tag of packet to clean (from completion descriptor)
+ * @buf_id: packet's starting buffer ID, from completion descriptor
* @cleaned: pointer to stats struct to track cleaned packets/bytes
* @budget: Used to determine if we are in netpoll
*
- * Cleans all buffers associated with the input completion tag either from the
- * TX buffer ring or from the hash table if the buffers were previously
- * stashed. Returns the byte/segment count for the cleaned packet associated
- * this completion tag.
- */
-static bool idpf_tx_clean_buf_ring(struct idpf_tx_queue *txq, u16 compl_tag,
- struct libeth_sq_napi_stats *cleaned,
- int budget)
+ * Clean all buffers associated with the packet starting at buf_id. Returns the
+ * byte/segment count for the cleaned packet.
+ */
+static bool idpf_tx_clean_bufs(struct idpf_tx_queue *txq, u32 buf_id,
+ struct libeth_sq_napi_stats *cleaned,
+ int budget)
{
- u16 idx = compl_tag & txq->compl_tag_bufid_m;
struct idpf_tx_buf *tx_buf = NULL;
struct libeth_cq_pp cp = {
.dev = txq->dev,
.ss = cleaned,
.napi = budget,
};
- u16 ntc, orig_idx = idx;
-
- tx_buf = &txq->tx_buf[idx];
-
- if (unlikely(tx_buf->type <= LIBETH_SQE_CTX ||
- idpf_tx_buf_compl_tag(tx_buf) != compl_tag))
- return false;
- if (tx_buf->type == LIBETH_SQE_SKB)
+ tx_buf = &txq->tx_buf[buf_id];
+ if (tx_buf->type == LIBETH_SQE_SKB) {
libeth_tx_complete(tx_buf, &cp);
+ idpf_post_buf_refill(txq->refillq, buf_id);
+ }
- idpf_tx_clean_buf_ring_bump_ntc(txq, idx, tx_buf);
+ while (idpf_tx_buf_next(tx_buf) != IDPF_TXBUF_NULL) {
+ buf_id = idpf_tx_buf_next(tx_buf);
- while (idpf_tx_buf_compl_tag(tx_buf) == compl_tag) {
+ tx_buf = &txq->tx_buf[buf_id];
libeth_tx_complete(tx_buf, &cp);
- idpf_tx_clean_buf_ring_bump_ntc(txq, idx, tx_buf);
+ idpf_post_buf_refill(txq->refillq, buf_id);
}
- /*
- * It's possible the packet we just cleaned was an out of order
- * completion, which means we can stash the buffers starting from
- * the original next_to_clean and reuse the descriptors. We need
- * to compare the descriptor ring next_to_clean packet's "first" buffer
- * to the "first" buffer of the packet we just cleaned to determine if
- * this is the case. Howevever, next_to_clean can point to either a
- * reserved buffer that corresponds to a context descriptor used for the
- * next_to_clean packet (TSO packet) or the "first" buffer (single
- * packet). The orig_idx from the packet we just cleaned will always
- * point to the "first" buffer. If next_to_clean points to a reserved
- * buffer, let's bump ntc once and start the comparison from there.
- */
- ntc = txq->next_to_clean;
- tx_buf = &txq->tx_buf[ntc];
-
- if (tx_buf->type == LIBETH_SQE_CTX)
- idpf_tx_clean_buf_ring_bump_ntc(txq, ntc, tx_buf);
-
- /*
- * If ntc still points to a different "first" buffer, clean the
- * descriptor ring and stash all of the buffers for later cleaning. If
- * we cannot stash all of the buffers, next_to_clean will point to the
- * "first" buffer of the packet that could not be stashed and cleaning
- * will start there next time.
- */
- if (unlikely(tx_buf != &txq->tx_buf[orig_idx] &&
- !idpf_tx_splitq_clean(txq, orig_idx, budget, cleaned,
- true)))
- return true;
-
- /*
- * Otherwise, update next_to_clean to reflect the cleaning that was
- * done above.
- */
- txq->next_to_clean = idx;
-
return true;
}
@@ -2014,12 +1981,10 @@ static void idpf_tx_handle_rs_completion
compl_tag = le16_to_cpu(desc->q_head_compl_tag.compl_tag);
- idpf_post_buf_refill(txq->refillq, compl_tag);
-
/* If we didn't clean anything on the ring, this packet must be
* in the hash table. Go clean it there.
*/
- if (!idpf_tx_clean_buf_ring(txq, compl_tag, cleaned, budget))
+ if (!idpf_tx_clean_bufs(txq, compl_tag, cleaned, budget))
idpf_tx_clean_stashed_bufs(txq, compl_tag, cleaned, budget);
}
@@ -2332,7 +2297,7 @@ static unsigned int idpf_tx_splitq_bump_
* Return: true if a buffer ID was found, false if not
*/
static bool idpf_tx_get_free_buf_id(struct idpf_sw_queue *refillq,
- u16 *buf_id)
+ u32 *buf_id)
{
u32 ntc = refillq->next_to_clean;
u32 refill_desc;
@@ -2365,25 +2330,34 @@ static void idpf_tx_splitq_pkt_err_unmap
struct idpf_tx_splitq_params *params,
struct idpf_tx_buf *first)
{
+ struct idpf_sw_queue *refillq = txq->refillq;
struct libeth_sq_napi_stats ss = { };
struct idpf_tx_buf *tx_buf = first;
struct libeth_cq_pp cp = {
.dev = txq->dev,
.ss = &ss,
};
- u32 idx = 0;
u64_stats_update_begin(&txq->stats_sync);
u64_stats_inc(&txq->q_stats.dma_map_errs);
u64_stats_update_end(&txq->stats_sync);
- do {
+ libeth_tx_complete(tx_buf, &cp);
+ while (idpf_tx_buf_next(tx_buf) != IDPF_TXBUF_NULL) {
+ tx_buf = &txq->tx_buf[idpf_tx_buf_next(tx_buf)];
libeth_tx_complete(tx_buf, &cp);
- idpf_tx_clean_buf_ring_bump_ntc(txq, idx, tx_buf);
- } while (idpf_tx_buf_compl_tag(tx_buf) == params->compl_tag);
+ }
/* Update tail in case netdev_xmit_more was previously true. */
idpf_tx_buf_hw_update(txq, params->prev_ntu, false);
+
+ if (!refillq)
+ return;
+
+ /* Restore refillq state to avoid leaking tags. */
+ if (params->prev_refill_gen != idpf_queue_has(RFL_GEN_CHK, refillq))
+ idpf_queue_change(RFL_GEN_CHK, refillq);
+ refillq->next_to_clean = params->prev_refill_ntc;
}
/**
@@ -2407,6 +2381,7 @@ static void idpf_tx_splitq_map(struct id
struct netdev_queue *nq;
struct sk_buff *skb;
skb_frag_t *frag;
+ u32 next_buf_id;
u16 td_cmd = 0;
dma_addr_t dma;
@@ -2424,18 +2399,16 @@ static void idpf_tx_splitq_map(struct id
tx_buf = first;
first->nr_frags = 0;
- params->compl_tag =
- (tx_q->compl_tag_cur_gen << tx_q->compl_tag_gen_s) | i;
-
for (frag = &skb_shinfo(skb)->frags[0];; frag++) {
unsigned int max_data = IDPF_TX_MAX_DESC_DATA_ALIGNED;
- if (unlikely(dma_mapping_error(tx_q->dev, dma)))
+ if (unlikely(dma_mapping_error(tx_q->dev, dma))) {
+ idpf_tx_buf_next(tx_buf) = IDPF_TXBUF_NULL;
return idpf_tx_splitq_pkt_err_unmap(tx_q, params,
first);
+ }
first->nr_frags++;
- idpf_tx_buf_compl_tag(tx_buf) = params->compl_tag;
tx_buf->type = LIBETH_SQE_FRAG;
/* record length, and DMA address */
@@ -2491,29 +2464,14 @@ static void idpf_tx_splitq_map(struct id
max_data);
if (unlikely(++i == tx_q->desc_count)) {
- tx_buf = tx_q->tx_buf;
tx_desc = &tx_q->flex_tx[0];
i = 0;
tx_q->compl_tag_cur_gen =
IDPF_TX_ADJ_COMPL_TAG_GEN(tx_q);
} else {
- tx_buf++;
tx_desc++;
}
- /* Since this packet has a buffer that is going to span
- * multiple descriptors, it's going to leave holes in
- * to the TX buffer ring. To ensure these holes do not
- * cause issues in the cleaning routines, we will clear
- * them of any stale data and assign them the same
- * completion tag as the current packet. Then when the
- * packet is being cleaned, the cleaning routines will
- * simply pass over these holes and finish cleaning the
- * rest of the packet.
- */
- tx_buf->type = LIBETH_SQE_EMPTY;
- idpf_tx_buf_compl_tag(tx_buf) = params->compl_tag;
-
/* Adjust the DMA offset and the remaining size of the
* fragment. On the first iteration of this loop,
* max_data will be >= 12K and <= 16K-1. On any
@@ -2538,15 +2496,26 @@ static void idpf_tx_splitq_map(struct id
idpf_tx_splitq_build_desc(tx_desc, params, td_cmd, size);
if (unlikely(++i == tx_q->desc_count)) {
- tx_buf = tx_q->tx_buf;
tx_desc = &tx_q->flex_tx[0];
i = 0;
tx_q->compl_tag_cur_gen = IDPF_TX_ADJ_COMPL_TAG_GEN(tx_q);
} else {
- tx_buf++;
tx_desc++;
}
+ if (idpf_queue_has(FLOW_SCH_EN, tx_q)) {
+ if (unlikely(!idpf_tx_get_free_buf_id(tx_q->refillq,
+ &next_buf_id))) {
+ idpf_tx_buf_next(tx_buf) = IDPF_TXBUF_NULL;
+ return idpf_tx_splitq_pkt_err_unmap(tx_q, params,
+ first);
+ }
+ } else {
+ next_buf_id = i;
+ }
+ idpf_tx_buf_next(tx_buf) = next_buf_id;
+ tx_buf = &tx_q->tx_buf[next_buf_id];
+
size = skb_frag_size(frag);
data_len -= size;
@@ -2561,6 +2530,7 @@ static void idpf_tx_splitq_map(struct id
/* write last descriptor with RS and EOP bits */
first->rs_idx = i;
+ idpf_tx_buf_next(tx_buf) = IDPF_TXBUF_NULL;
td_cmd |= params->eop_cmd;
idpf_tx_splitq_build_desc(tx_desc, params, td_cmd, size);
i = idpf_tx_splitq_bump_ntu(tx_q, i);
@@ -2664,8 +2634,6 @@ idpf_tx_splitq_get_ctx_desc(struct idpf_
struct idpf_flex_tx_ctx_desc *desc;
int i = txq->next_to_use;
- txq->tx_buf[i].type = LIBETH_SQE_CTX;
-
/* grab the next descriptor */
desc = &txq->flex_ctx[i];
txq->next_to_use = idpf_tx_splitq_bump_ntu(txq, i);
@@ -2721,6 +2689,7 @@ static netdev_tx_t idpf_tx_splitq_frame(
};
struct idpf_tx_buf *first;
unsigned int count;
+ u32 buf_id;
int tso;
count = idpf_tx_desc_count_required(tx_q, skb);
@@ -2760,26 +2729,28 @@ static netdev_tx_t idpf_tx_splitq_frame(
u64_stats_update_end(&tx_q->stats_sync);
}
- /* record the location of the first descriptor for this packet */
- first = &tx_q->tx_buf[tx_q->next_to_use];
- first->skb = skb;
+ if (idpf_queue_has(FLOW_SCH_EN, tx_q)) {
+ struct idpf_sw_queue *refillq = tx_q->refillq;
- if (tso) {
- first->packets = tx_params.offload.tso_segs;
- first->bytes = skb->len +
- ((first->packets - 1) * tx_params.offload.tso_hdr_len);
- } else {
- first->packets = 1;
- first->bytes = max_t(unsigned int, skb->len, ETH_ZLEN);
- }
+ /* Save refillq state in case of a packet rollback. Otherwise,
+ * the tags will be leaked since they will be popped from the
+ * refillq but never reposted during cleaning.
+ */
+ tx_params.prev_refill_gen =
+ idpf_queue_has(RFL_GEN_CHK, refillq);
+ tx_params.prev_refill_ntc = refillq->next_to_clean;
- if (idpf_queue_has(FLOW_SCH_EN, tx_q)) {
if (unlikely(!idpf_tx_get_free_buf_id(tx_q->refillq,
- &tx_params.compl_tag))) {
- u64_stats_update_begin(&tx_q->stats_sync);
- u64_stats_inc(&tx_q->q_stats.q_busy);
- u64_stats_update_end(&tx_q->stats_sync);
+ &buf_id))) {
+ if (tx_params.prev_refill_gen !=
+ idpf_queue_has(RFL_GEN_CHK, refillq))
+ idpf_queue_change(RFL_GEN_CHK, refillq);
+ refillq->next_to_clean = tx_params.prev_refill_ntc;
+
+ tx_q->next_to_use = tx_params.prev_ntu;
+ return idpf_tx_drop_skb(tx_q, skb);
}
+ tx_params.compl_tag = buf_id;
tx_params.dtype = IDPF_TX_DESC_DTYPE_FLEX_FLOW_SCHE;
tx_params.eop_cmd = IDPF_TXD_FLEX_FLOW_CMD_EOP;
@@ -2798,6 +2769,8 @@ static netdev_tx_t idpf_tx_splitq_frame(
tx_params.offload.td_cmd |= IDPF_TXD_FLEX_FLOW_CMD_CS_EN;
} else {
+ buf_id = tx_q->next_to_use;
+
tx_params.dtype = IDPF_TX_DESC_DTYPE_FLEX_L2TAG1_L2TAG2;
tx_params.eop_cmd = IDPF_TXD_LAST_DESC_CMD;
@@ -2805,6 +2778,18 @@ static netdev_tx_t idpf_tx_splitq_frame(
tx_params.offload.td_cmd |= IDPF_TX_FLEX_DESC_CMD_CS_EN;
}
+ first = &tx_q->tx_buf[buf_id];
+ first->skb = skb;
+
+ if (tso) {
+ first->packets = tx_params.offload.tso_segs;
+ first->bytes = skb->len +
+ ((first->packets - 1) * tx_params.offload.tso_hdr_len);
+ } else {
+ first->packets = 1;
+ first->bytes = max_t(unsigned int, skb->len, ETH_ZLEN);
+ }
+
idpf_tx_splitq_map(tx_q, &tx_params, first);
return NETDEV_TX_OK;
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -136,6 +136,8 @@ do { \
((++(txq)->compl_tag_cur_gen) >= (txq)->compl_tag_gen_max ? \
0 : (txq)->compl_tag_cur_gen)
+#define IDPF_TXBUF_NULL U32_MAX
+
#define IDPF_TXD_LAST_DESC_CMD (IDPF_TX_DESC_CMD_EOP | IDPF_TX_DESC_CMD_RS)
#define IDPF_TX_FLAGS_TSO BIT(0)
@@ -195,6 +197,8 @@ struct idpf_tx_offload_params {
* @td_tag: Descriptor tunneling tag
* @offload: Offload parameters
* @prev_ntu: stored TxQ next_to_use in case of rollback
+ * @prev_refill_ntc: stored refillq next_to_clean in case of packet rollback
+ * @prev_refill_gen: stored refillq generation bit in case of packet rollback
*/
struct idpf_tx_splitq_params {
enum idpf_tx_desc_dtype_value dtype;
@@ -207,6 +211,8 @@ struct idpf_tx_splitq_params {
struct idpf_tx_offload_params offload;
u16 prev_ntu;
+ u16 prev_refill_ntc;
+ bool prev_refill_gen;
};
enum idpf_tx_ctx_desc_eipt_offload {
@@ -649,6 +655,7 @@ libeth_cacheline_set_assert(struct idpf_
* @size: Length of descriptor ring in bytes
* @dma: Physical address of ring
* @q_vector: Backreference to associated vector
+ * @buf_pool_size: Total number of idpf_tx_buf
*/
struct idpf_tx_queue {
__cacheline_group_begin_aligned(read_mostly);
@@ -704,11 +711,12 @@ struct idpf_tx_queue {
dma_addr_t dma;
struct idpf_q_vector *q_vector;
+ u32 buf_pool_size;
__cacheline_group_end_aligned(cold);
};
libeth_cacheline_set_assert(struct idpf_tx_queue, 64,
96 + sizeof(struct u64_stats_sync),
- 24);
+ 32);
/**
* struct idpf_buf_queue - software structure representing a buffer queue
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 543/567] idpf: stop Tx if there are insufficient buffer resources
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (541 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 542/567] idpf: replace flow scheduling buffer ring with buffer pool Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 544/567] idpf: remove obsolete stashing code Greg Kroah-Hartman
` (37 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Hay, Madhu Chittim,
Samuel Salin, Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hay <joshua.a.hay@intel.com>
[ Upstream commit 0c3f135e840d4a2ba4253e15d530ec61bc30718e ]
The Tx refillq logic will cause packets to be silently dropped if there
are not enough buffer resources available to send a packet in flow
scheduling mode. Instead, determine how many buffers are needed along
with number of descriptors. Make sure there are enough of both resources
to send the packet, and stop the queue if not.
Fixes: 7292af042bcf ("idpf: fix a race in txq wakeup")
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c | 4 -
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 47 +++++++++++++-------
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 15 +++++-
3 files changed, 47 insertions(+), 19 deletions(-)
--- a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
@@ -415,11 +415,11 @@ netdev_tx_t idpf_tx_singleq_frame(struct
{
struct idpf_tx_offload_params offload = { };
struct idpf_tx_buf *first;
+ u32 count, buf_count = 1;
int csum, tso, needed;
- unsigned int count;
__be16 protocol;
- count = idpf_tx_desc_count_required(tx_q, skb);
+ count = idpf_tx_res_count_required(tx_q, skb, &buf_count);
if (unlikely(!count))
return idpf_tx_drop_skb(tx_q, skb);
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -2160,15 +2160,22 @@ void idpf_tx_splitq_build_flow_desc(unio
desc->flow.qw1.compl_tag = cpu_to_le16(params->compl_tag);
}
-/* Global conditions to tell whether the txq (and related resources)
- * has room to allow the use of "size" descriptors.
+/**
+ * idpf_tx_splitq_has_room - check if enough Tx splitq resources are available
+ * @tx_q: the queue to be checked
+ * @descs_needed: number of descriptors required for this packet
+ * @bufs_needed: number of Tx buffers required for this packet
+ *
+ * Return: 0 if no room available, 1 otherwise
*/
-static int idpf_txq_has_room(struct idpf_tx_queue *tx_q, u32 size)
+static int idpf_txq_has_room(struct idpf_tx_queue *tx_q, u32 descs_needed,
+ u32 bufs_needed)
{
- if (IDPF_DESC_UNUSED(tx_q) < size ||
+ if (IDPF_DESC_UNUSED(tx_q) < descs_needed ||
IDPF_TX_COMPLQ_PENDING(tx_q->txq_grp) >
IDPF_TX_COMPLQ_OVERFLOW_THRESH(tx_q->txq_grp->complq) ||
- IDPF_TX_BUF_RSV_LOW(tx_q))
+ IDPF_TX_BUF_RSV_LOW(tx_q) ||
+ idpf_tx_splitq_get_free_bufs(tx_q->refillq) < bufs_needed)
return 0;
return 1;
}
@@ -2177,14 +2184,21 @@ static int idpf_txq_has_room(struct idpf
* idpf_tx_maybe_stop_splitq - 1st level check for Tx splitq stop conditions
* @tx_q: the queue to be checked
* @descs_needed: number of descriptors required for this packet
+ * @bufs_needed: number of buffers needed for this packet
*
- * Returns 0 if stop is not needed
+ * Return: 0 if stop is not needed
*/
static int idpf_tx_maybe_stop_splitq(struct idpf_tx_queue *tx_q,
- unsigned int descs_needed)
+ u32 descs_needed,
+ u32 bufs_needed)
{
+ /* Since we have multiple resources to check for splitq, our
+ * start,stop_thrs becomes a boolean check instead of a count
+ * threshold.
+ */
if (netif_subqueue_maybe_stop(tx_q->netdev, tx_q->idx,
- idpf_txq_has_room(tx_q, descs_needed),
+ idpf_txq_has_room(tx_q, descs_needed,
+ bufs_needed),
1, 1))
return 0;
@@ -2226,14 +2240,16 @@ void idpf_tx_buf_hw_update(struct idpf_t
}
/**
- * idpf_tx_desc_count_required - calculate number of Tx descriptors needed
+ * idpf_tx_res_count_required - get number of Tx resources needed for this pkt
* @txq: queue to send buffer on
* @skb: send buffer
+ * @bufs_needed: (output) number of buffers needed for this skb.
*
- * Returns number of data descriptors needed for this skb.
+ * Return: number of data descriptors and buffers needed for this skb.
*/
-unsigned int idpf_tx_desc_count_required(struct idpf_tx_queue *txq,
- struct sk_buff *skb)
+unsigned int idpf_tx_res_count_required(struct idpf_tx_queue *txq,
+ struct sk_buff *skb,
+ u32 *bufs_needed)
{
const struct skb_shared_info *shinfo;
unsigned int count = 0, i;
@@ -2244,6 +2260,7 @@ unsigned int idpf_tx_desc_count_required
return count;
shinfo = skb_shinfo(skb);
+ *bufs_needed += shinfo->nr_frags;
for (i = 0; i < shinfo->nr_frags; i++) {
unsigned int size;
@@ -2688,11 +2705,11 @@ static netdev_tx_t idpf_tx_splitq_frame(
.prev_ntu = tx_q->next_to_use,
};
struct idpf_tx_buf *first;
- unsigned int count;
+ u32 count, buf_count = 1;
u32 buf_id;
int tso;
- count = idpf_tx_desc_count_required(tx_q, skb);
+ count = idpf_tx_res_count_required(tx_q, skb, &buf_count);
if (unlikely(!count))
return idpf_tx_drop_skb(tx_q, skb);
@@ -2702,7 +2719,7 @@ static netdev_tx_t idpf_tx_splitq_frame(
/* Check for splitq specific TX resources */
count += (IDPF_TX_DESCS_PER_CACHE_LINE + tso);
- if (idpf_tx_maybe_stop_splitq(tx_q, count)) {
+ if (idpf_tx_maybe_stop_splitq(tx_q, count, buf_count)) {
idpf_tx_buf_hw_update(tx_q, tx_q->next_to_use, false);
return NETDEV_TX_BUSY;
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -1034,6 +1034,17 @@ static inline void idpf_vport_intr_set_w
reg->dyn_ctl);
}
+/**
+ * idpf_tx_splitq_get_free_bufs - get number of free buf_ids in refillq
+ * @refillq: pointer to refillq containing buf_ids
+ */
+static inline u32 idpf_tx_splitq_get_free_bufs(struct idpf_sw_queue *refillq)
+{
+ return (refillq->next_to_use > refillq->next_to_clean ?
+ 0 : refillq->desc_count) +
+ refillq->next_to_use - refillq->next_to_clean - 1;
+}
+
int idpf_vport_singleq_napi_poll(struct napi_struct *napi, int budget);
void idpf_vport_init_num_qs(struct idpf_vport *vport,
struct virtchnl2_create_vport *vport_msg);
@@ -1061,8 +1072,8 @@ void idpf_tx_buf_hw_update(struct idpf_t
bool xmit_more);
unsigned int idpf_size_to_txd_count(unsigned int size);
netdev_tx_t idpf_tx_drop_skb(struct idpf_tx_queue *tx_q, struct sk_buff *skb);
-unsigned int idpf_tx_desc_count_required(struct idpf_tx_queue *txq,
- struct sk_buff *skb);
+unsigned int idpf_tx_res_count_required(struct idpf_tx_queue *txq,
+ struct sk_buff *skb, u32 *buf_count);
void idpf_tx_timeout(struct net_device *netdev, unsigned int txqueue);
netdev_tx_t idpf_tx_singleq_frame(struct sk_buff *skb,
struct idpf_tx_queue *tx_q);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 544/567] idpf: remove obsolete stashing code
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (542 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 543/567] idpf: stop Tx if there are insufficient buffer resources Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 545/567] hrtimers: Make hrtimer_update_function() less expensive Greg Kroah-Hartman
` (36 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Hay, Madhu Chittim,
Aleksandr Loktionov, Samuel Salin, Tony Nguyen
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hay <joshua.a.hay@intel.com>
[ Upstream commit 6c4e68480238274f84aa50d54da0d9e262df6284 ]
Changes from original commit:
- Adjusted idpf_tx_queue assert size to align with 6.12 struct definition
With the new Tx buffer management scheme, there is no need for all of
the stashing mechanisms, the hash table, the reserve buffer stack, etc.
Remove all of that.
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 309 +---------------------------
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 47 ----
2 files changed, 22 insertions(+), 334 deletions(-)
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -7,13 +7,7 @@
#include "idpf.h"
#include "idpf_virtchnl.h"
-struct idpf_tx_stash {
- struct hlist_node hlist;
- struct libeth_sqe buf;
-};
-
#define idpf_tx_buf_next(buf) (*(u32 *)&(buf)->priv)
-#define idpf_tx_buf_compl_tag(buf) (*(u32 *)&(buf)->priv)
LIBETH_SQE_CHECK_PRIV(u32);
/**
@@ -40,36 +34,6 @@ static bool idpf_chk_linearize(const str
}
/**
- * idpf_buf_lifo_push - push a buffer pointer onto stack
- * @stack: pointer to stack struct
- * @buf: pointer to buf to push
- *
- * Returns 0 on success, negative on failure
- **/
-static int idpf_buf_lifo_push(struct idpf_buf_lifo *stack,
- struct idpf_tx_stash *buf)
-{
- if (unlikely(stack->top == stack->size))
- return -ENOSPC;
-
- stack->bufs[stack->top++] = buf;
-
- return 0;
-}
-
-/**
- * idpf_buf_lifo_pop - pop a buffer pointer from stack
- * @stack: pointer to stack struct
- **/
-static struct idpf_tx_stash *idpf_buf_lifo_pop(struct idpf_buf_lifo *stack)
-{
- if (unlikely(!stack->top))
- return NULL;
-
- return stack->bufs[--stack->top];
-}
-
-/**
* idpf_tx_timeout - Respond to a Tx Hang
* @netdev: network interface device structure
* @txqueue: TX queue
@@ -97,14 +61,11 @@ void idpf_tx_timeout(struct net_device *
static void idpf_tx_buf_rel_all(struct idpf_tx_queue *txq)
{
struct libeth_sq_napi_stats ss = { };
- struct idpf_buf_lifo *buf_stack;
- struct idpf_tx_stash *stash;
struct libeth_cq_pp cp = {
.dev = txq->dev,
.ss = &ss,
};
- struct hlist_node *tmp;
- u32 i, tag;
+ u32 i;
/* Buffers already cleared, nothing to do */
if (!txq->tx_buf)
@@ -116,33 +77,6 @@ static void idpf_tx_buf_rel_all(struct i
kfree(txq->tx_buf);
txq->tx_buf = NULL;
-
- if (!idpf_queue_has(FLOW_SCH_EN, txq))
- return;
-
- buf_stack = &txq->stash->buf_stack;
- if (!buf_stack->bufs)
- return;
-
- /*
- * If a Tx timeout occurred, there are potentially still bufs in the
- * hash table, free them here.
- */
- hash_for_each_safe(txq->stash->sched_buf_hash, tag, tmp, stash,
- hlist) {
- if (!stash)
- continue;
-
- libeth_tx_complete(&stash->buf, &cp);
- hash_del(&stash->hlist);
- idpf_buf_lifo_push(buf_stack, stash);
- }
-
- for (i = 0; i < buf_stack->size; i++)
- kfree(buf_stack->bufs[i]);
-
- kfree(buf_stack->bufs);
- buf_stack->bufs = NULL;
}
/**
@@ -218,9 +152,6 @@ static void idpf_tx_desc_rel_all(struct
*/
static int idpf_tx_buf_alloc_all(struct idpf_tx_queue *tx_q)
{
- struct idpf_buf_lifo *buf_stack;
- int i;
-
/* Allocate book keeping buffers only. Buffers to be supplied to HW
* are allocated by kernel network stack and received as part of skb
*/
@@ -233,29 +164,6 @@ static int idpf_tx_buf_alloc_all(struct
if (!tx_q->tx_buf)
return -ENOMEM;
- if (!idpf_queue_has(FLOW_SCH_EN, tx_q))
- return 0;
-
- buf_stack = &tx_q->stash->buf_stack;
-
- /* Initialize tx buf stack for out-of-order completions if
- * flow scheduling offload is enabled
- */
- buf_stack->bufs = kcalloc(tx_q->desc_count, sizeof(*buf_stack->bufs),
- GFP_KERNEL);
- if (!buf_stack->bufs)
- return -ENOMEM;
-
- buf_stack->size = tx_q->desc_count;
- buf_stack->top = tx_q->desc_count;
-
- for (i = 0; i < tx_q->desc_count; i++) {
- buf_stack->bufs[i] = kzalloc(sizeof(*buf_stack->bufs[i]),
- GFP_KERNEL);
- if (!buf_stack->bufs[i])
- return -ENOMEM;
- }
-
return 0;
}
@@ -369,8 +277,6 @@ static int idpf_tx_desc_alloc_all(struct
for (i = 0; i < vport->num_txq_grp; i++) {
for (j = 0; j < vport->txq_grps[i].num_txq; j++) {
struct idpf_tx_queue *txq = vport->txq_grps[i].txqs[j];
- u8 gen_bits = 0;
- u16 bufidx_mask;
err = idpf_tx_desc_alloc(vport, txq);
if (err) {
@@ -379,34 +285,6 @@ static int idpf_tx_desc_alloc_all(struct
i);
goto err_out;
}
-
- if (!idpf_is_queue_model_split(vport->txq_model))
- continue;
-
- txq->compl_tag_cur_gen = 0;
-
- /* Determine the number of bits in the bufid
- * mask and add one to get the start of the
- * generation bits
- */
- bufidx_mask = txq->desc_count - 1;
- while (bufidx_mask >> 1) {
- txq->compl_tag_gen_s++;
- bufidx_mask = bufidx_mask >> 1;
- }
- txq->compl_tag_gen_s++;
-
- gen_bits = IDPF_TX_SPLITQ_COMPL_TAG_WIDTH -
- txq->compl_tag_gen_s;
- txq->compl_tag_gen_max = GETMAXVAL(gen_bits);
-
- /* Set bufid mask based on location of first
- * gen bit; it cannot simply be the descriptor
- * ring size-1 since we can have size values
- * where not all of those bits are set.
- */
- txq->compl_tag_bufid_m =
- GETMAXVAL(txq->compl_tag_gen_s);
}
if (!idpf_is_queue_model_split(vport->txq_model))
@@ -1061,9 +939,6 @@ static void idpf_txq_group_rel(struct id
kfree(txq_grp->complq);
txq_grp->complq = NULL;
-
- if (flow_sch_en)
- kfree(txq_grp->stashes);
}
kfree(vport->txq_grps);
vport->txq_grps = NULL;
@@ -1416,7 +1291,6 @@ static int idpf_txq_group_alloc(struct i
for (i = 0; i < vport->num_txq_grp; i++) {
struct idpf_txq_group *tx_qgrp = &vport->txq_grps[i];
struct idpf_adapter *adapter = vport->adapter;
- struct idpf_txq_stash *stashes;
int j;
tx_qgrp->vport = vport;
@@ -1429,15 +1303,6 @@ static int idpf_txq_group_alloc(struct i
goto err_alloc;
}
- if (split && flow_sch_en) {
- stashes = kcalloc(num_txq, sizeof(*stashes),
- GFP_KERNEL);
- if (!stashes)
- goto err_alloc;
-
- tx_qgrp->stashes = stashes;
- }
-
for (j = 0; j < tx_qgrp->num_txq; j++) {
struct idpf_tx_queue *q = tx_qgrp->txqs[j];
@@ -1457,11 +1322,6 @@ static int idpf_txq_group_alloc(struct i
if (!flow_sch_en)
continue;
- if (split) {
- q->stash = &stashes[j];
- hash_init(q->stash->sched_buf_hash);
- }
-
idpf_queue_set(FLOW_SCH_EN, q);
q->refillq = kzalloc(sizeof(*q->refillq), GFP_KERNEL);
@@ -1719,82 +1579,6 @@ static void idpf_tx_handle_sw_marker(str
wake_up(&vport->sw_marker_wq);
}
-/**
- * idpf_tx_clean_stashed_bufs - clean bufs that were stored for
- * out of order completions
- * @txq: queue to clean
- * @compl_tag: completion tag of packet to clean (from completion descriptor)
- * @cleaned: pointer to stats struct to track cleaned packets/bytes
- * @budget: Used to determine if we are in netpoll
- */
-static void idpf_tx_clean_stashed_bufs(struct idpf_tx_queue *txq,
- u16 compl_tag,
- struct libeth_sq_napi_stats *cleaned,
- int budget)
-{
- struct idpf_tx_stash *stash;
- struct hlist_node *tmp_buf;
- struct libeth_cq_pp cp = {
- .dev = txq->dev,
- .ss = cleaned,
- .napi = budget,
- };
-
- /* Buffer completion */
- hash_for_each_possible_safe(txq->stash->sched_buf_hash, stash, tmp_buf,
- hlist, compl_tag) {
- if (unlikely(idpf_tx_buf_compl_tag(&stash->buf) != compl_tag))
- continue;
-
- hash_del(&stash->hlist);
- libeth_tx_complete(&stash->buf, &cp);
-
- /* Push shadow buf back onto stack */
- idpf_buf_lifo_push(&txq->stash->buf_stack, stash);
- }
-}
-
-/**
- * idpf_stash_flow_sch_buffers - store buffer parameters info to be freed at a
- * later time (only relevant for flow scheduling mode)
- * @txq: Tx queue to clean
- * @tx_buf: buffer to store
- */
-static int idpf_stash_flow_sch_buffers(struct idpf_tx_queue *txq,
- struct idpf_tx_buf *tx_buf)
-{
- struct idpf_tx_stash *stash;
-
- if (unlikely(tx_buf->type <= LIBETH_SQE_CTX))
- return 0;
-
- stash = idpf_buf_lifo_pop(&txq->stash->buf_stack);
- if (unlikely(!stash)) {
- net_err_ratelimited("%s: No out-of-order TX buffers left!\n",
- netdev_name(txq->netdev));
-
- return -ENOMEM;
- }
-
- /* Store buffer params in shadow buffer */
- stash->buf.skb = tx_buf->skb;
- stash->buf.bytes = tx_buf->bytes;
- stash->buf.packets = tx_buf->packets;
- stash->buf.type = tx_buf->type;
- stash->buf.nr_frags = tx_buf->nr_frags;
- dma_unmap_addr_set(&stash->buf, dma, dma_unmap_addr(tx_buf, dma));
- dma_unmap_len_set(&stash->buf, len, dma_unmap_len(tx_buf, len));
- idpf_tx_buf_compl_tag(&stash->buf) = idpf_tx_buf_compl_tag(tx_buf);
-
- /* Add buffer to buf_hash table to be freed later */
- hash_add(txq->stash->sched_buf_hash, &stash->hlist,
- idpf_tx_buf_compl_tag(&stash->buf));
-
- tx_buf->type = LIBETH_SQE_EMPTY;
-
- return 0;
-}
-
#define idpf_tx_splitq_clean_bump_ntc(txq, ntc, desc, buf) \
do { \
if (unlikely(++(ntc) == (txq)->desc_count)) { \
@@ -1822,14 +1606,8 @@ do { \
* Separate packet completion events will be reported on the completion queue,
* and the buffers will be cleaned separately. The stats are not updated from
* this function when using flow-based scheduling.
- *
- * Furthermore, in flow scheduling mode, check to make sure there are enough
- * reserve buffers to stash the packet. If there are not, return early, which
- * will leave next_to_clean pointing to the packet that failed to be stashed.
- *
- * Return: false in the scenario above, true otherwise.
*/
-static bool idpf_tx_splitq_clean(struct idpf_tx_queue *tx_q, u16 end,
+static void idpf_tx_splitq_clean(struct idpf_tx_queue *tx_q, u16 end,
int napi_budget,
struct libeth_sq_napi_stats *cleaned,
bool descs_only)
@@ -1843,12 +1621,11 @@ static bool idpf_tx_splitq_clean(struct
.napi = napi_budget,
};
struct idpf_tx_buf *tx_buf;
- bool clean_complete = true;
if (descs_only) {
/* Bump ring index to mark as cleaned. */
tx_q->next_to_clean = end;
- return true;
+ return;
}
tx_desc = &tx_q->flex_tx[ntc];
@@ -1869,53 +1646,24 @@ static bool idpf_tx_splitq_clean(struct
break;
eop_idx = tx_buf->rs_idx;
+ libeth_tx_complete(tx_buf, &cp);
- if (descs_only) {
- if (IDPF_TX_BUF_RSV_UNUSED(tx_q) < tx_buf->nr_frags) {
- clean_complete = false;
- goto tx_splitq_clean_out;
- }
-
- idpf_stash_flow_sch_buffers(tx_q, tx_buf);
+ /* unmap remaining buffers */
+ while (ntc != eop_idx) {
+ idpf_tx_splitq_clean_bump_ntc(tx_q, ntc,
+ tx_desc, tx_buf);
- while (ntc != eop_idx) {
- idpf_tx_splitq_clean_bump_ntc(tx_q, ntc,
- tx_desc, tx_buf);
- idpf_stash_flow_sch_buffers(tx_q, tx_buf);
- }
- } else {
+ /* unmap any remaining paged data */
libeth_tx_complete(tx_buf, &cp);
-
- /* unmap remaining buffers */
- while (ntc != eop_idx) {
- idpf_tx_splitq_clean_bump_ntc(tx_q, ntc,
- tx_desc, tx_buf);
-
- /* unmap any remaining paged data */
- libeth_tx_complete(tx_buf, &cp);
- }
}
fetch_next_txq_desc:
idpf_tx_splitq_clean_bump_ntc(tx_q, ntc, tx_desc, tx_buf);
}
-tx_splitq_clean_out:
tx_q->next_to_clean = ntc;
-
- return clean_complete;
}
-#define idpf_tx_clean_buf_ring_bump_ntc(txq, ntc, buf) \
-do { \
- (buf)++; \
- (ntc)++; \
- if (unlikely((ntc) == (txq)->desc_count)) { \
- buf = (txq)->tx_buf; \
- ntc = 0; \
- } \
-} while (0)
-
/**
* idpf_tx_clean_bufs - clean flow scheduling TX queue buffers
* @txq: queue to clean
@@ -1926,7 +1674,7 @@ do { \
* Clean all buffers associated with the packet starting at buf_id. Returns the
* byte/segment count for the cleaned packet.
*/
-static bool idpf_tx_clean_bufs(struct idpf_tx_queue *txq, u32 buf_id,
+static void idpf_tx_clean_bufs(struct idpf_tx_queue *txq, u32 buf_id,
struct libeth_sq_napi_stats *cleaned,
int budget)
{
@@ -1950,8 +1698,6 @@ static bool idpf_tx_clean_bufs(struct id
libeth_tx_complete(tx_buf, &cp);
idpf_post_buf_refill(txq->refillq, buf_id);
}
-
- return true;
}
/**
@@ -1970,22 +1716,17 @@ static void idpf_tx_handle_rs_completion
struct libeth_sq_napi_stats *cleaned,
int budget)
{
- u16 compl_tag;
+ /* RS completion contains queue head for queue based scheduling or
+ * completion tag for flow based scheduling.
+ */
+ u16 rs_compl_val = le16_to_cpu(desc->q_head_compl_tag.q_head);
if (!idpf_queue_has(FLOW_SCH_EN, txq)) {
- u16 head = le16_to_cpu(desc->q_head_compl_tag.q_head);
-
- idpf_tx_splitq_clean(txq, head, budget, cleaned, false);
+ idpf_tx_splitq_clean(txq, rs_compl_val, budget, cleaned, false);
return;
}
- compl_tag = le16_to_cpu(desc->q_head_compl_tag.compl_tag);
-
- /* If we didn't clean anything on the ring, this packet must be
- * in the hash table. Go clean it there.
- */
- if (!idpf_tx_clean_bufs(txq, compl_tag, cleaned, budget))
- idpf_tx_clean_stashed_bufs(txq, compl_tag, cleaned, budget);
+ idpf_tx_clean_bufs(txq, rs_compl_val, cleaned, budget);
}
/**
@@ -2102,8 +1843,7 @@ fetch_next_desc:
/* Update BQL */
nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx);
- dont_wake = !complq_ok || IDPF_TX_BUF_RSV_LOW(tx_q) ||
- np->state != __IDPF_VPORT_UP ||
+ dont_wake = !complq_ok || np->state != __IDPF_VPORT_UP ||
!netif_carrier_ok(tx_q->netdev);
/* Check if the TXQ needs to and can be restarted */
__netif_txq_completed_wake(nq, tx_q->cleaned_pkts, tx_q->cleaned_bytes,
@@ -2174,7 +1914,6 @@ static int idpf_txq_has_room(struct idpf
if (IDPF_DESC_UNUSED(tx_q) < descs_needed ||
IDPF_TX_COMPLQ_PENDING(tx_q->txq_grp) >
IDPF_TX_COMPLQ_OVERFLOW_THRESH(tx_q->txq_grp->complq) ||
- IDPF_TX_BUF_RSV_LOW(tx_q) ||
idpf_tx_splitq_get_free_bufs(tx_q->refillq) < bufs_needed)
return 0;
return 1;
@@ -2298,10 +2037,8 @@ static unsigned int idpf_tx_splitq_bump_
{
ntu++;
- if (ntu == txq->desc_count) {
+ if (ntu == txq->desc_count)
ntu = 0;
- txq->compl_tag_cur_gen = IDPF_TX_ADJ_COMPL_TAG_GEN(txq);
- }
return ntu;
}
@@ -2483,8 +2220,6 @@ static void idpf_tx_splitq_map(struct id
if (unlikely(++i == tx_q->desc_count)) {
tx_desc = &tx_q->flex_tx[0];
i = 0;
- tx_q->compl_tag_cur_gen =
- IDPF_TX_ADJ_COMPL_TAG_GEN(tx_q);
} else {
tx_desc++;
}
@@ -2515,7 +2250,6 @@ static void idpf_tx_splitq_map(struct id
if (unlikely(++i == tx_q->desc_count)) {
tx_desc = &tx_q->flex_tx[0];
i = 0;
- tx_q->compl_tag_cur_gen = IDPF_TX_ADJ_COMPL_TAG_GEN(tx_q);
} else {
tx_desc++;
}
@@ -2771,10 +2505,9 @@ static netdev_tx_t idpf_tx_splitq_frame(
tx_params.dtype = IDPF_TX_DESC_DTYPE_FLEX_FLOW_SCHE;
tx_params.eop_cmd = IDPF_TXD_FLEX_FLOW_CMD_EOP;
- /* Set the RE bit to catch any packets that may have not been
- * stashed during RS completion cleaning. MIN_GAP is set to
- * MIN_RING size to ensure it will be set at least once each
- * time around the ring.
+ /* Set the RE bit to periodically "clean" the descriptor ring.
+ * MIN_GAP is set to MIN_RING size to ensure it will be set at
+ * least once each time around the ring.
*/
if (idpf_tx_splitq_need_re(tx_q)) {
tx_params.eop_cmd |= IDPF_TXD_FLEX_FLOW_CMD_RE;
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -117,10 +117,6 @@ do { \
((((txq)->next_to_clean > (txq)->next_to_use) ? 0 : (txq)->desc_count) + \
(txq)->next_to_clean - (txq)->next_to_use - 1)
-#define IDPF_TX_BUF_RSV_UNUSED(txq) ((txq)->stash->buf_stack.top)
-#define IDPF_TX_BUF_RSV_LOW(txq) (IDPF_TX_BUF_RSV_UNUSED(txq) < \
- (txq)->desc_count >> 2)
-
#define IDPF_TX_COMPLQ_OVERFLOW_THRESH(txcq) ((txcq)->desc_count >> 1)
/* Determine the absolute number of completions pending, i.e. the number of
* completions that are expected to arrive on the TX completion queue.
@@ -130,12 +126,6 @@ do { \
0 : U32_MAX) + \
(txq)->num_completions_pending - (txq)->complq->num_completions)
-#define IDPF_TX_SPLITQ_COMPL_TAG_WIDTH 16
-/* Adjust the generation for the completion tag and wrap if necessary */
-#define IDPF_TX_ADJ_COMPL_TAG_GEN(txq) \
- ((++(txq)->compl_tag_cur_gen) >= (txq)->compl_tag_gen_max ? \
- 0 : (txq)->compl_tag_cur_gen)
-
#define IDPF_TXBUF_NULL U32_MAX
#define IDPF_TXD_LAST_DESC_CMD (IDPF_TX_DESC_CMD_EOP | IDPF_TX_DESC_CMD_RS)
@@ -153,18 +143,6 @@ union idpf_tx_flex_desc {
#define idpf_tx_buf libeth_sqe
/**
- * struct idpf_buf_lifo - LIFO for managing OOO completions
- * @top: Used to know how many buffers are left
- * @size: Total size of LIFO
- * @bufs: Backing array
- */
-struct idpf_buf_lifo {
- u16 top;
- u16 size;
- struct idpf_tx_stash **bufs;
-};
-
-/**
* struct idpf_tx_offload_params - Offload parameters for a given packet
* @tx_flags: Feature flags enabled for this packet
* @hdr_offsets: Offset parameter for single queue model
@@ -492,17 +470,6 @@ struct idpf_tx_queue_stats {
#define IDPF_DIM_DEFAULT_PROFILE_IX 1
/**
- * struct idpf_txq_stash - Tx buffer stash for Flow-based scheduling mode
- * @buf_stack: Stack of empty buffers to store buffer info for out of order
- * buffer completions. See struct idpf_buf_lifo
- * @sched_buf_hash: Hash table to store buffers
- */
-struct idpf_txq_stash {
- struct idpf_buf_lifo buf_stack;
- DECLARE_HASHTABLE(sched_buf_hash, 12);
-} ____cacheline_aligned;
-
-/**
* struct idpf_rx_queue - software structure representing a receive queue
* @rx: universal receive descriptor array
* @single_buf: buffer descriptor array in singleq
@@ -644,11 +611,7 @@ libeth_cacheline_set_assert(struct idpf_
* only once at the end of the cleaning routine.
* @clean_budget: singleq only, queue cleaning budget
* @cleaned_pkts: Number of packets cleaned for the above said case
- * @stash: Tx buffer stash for Flow-based scheduling mode
* @refillq: Pointer to refill queue
- * @compl_tag_bufid_m: Completion tag buffer id mask
- * @compl_tag_cur_gen: Used to keep track of current completion tag generation
- * @compl_tag_gen_max: To determine when compl_tag_cur_gen should be reset
* @stats_sync: See struct u64_stats_sync
* @q_stats: See union idpf_tx_queue_stats
* @q_id: Queue id
@@ -677,7 +640,6 @@ struct idpf_tx_queue {
u16 desc_count;
u16 tx_min_pkt_len;
- u16 compl_tag_gen_s;
struct net_device *netdev;
__cacheline_group_end_aligned(read_mostly);
@@ -694,13 +656,8 @@ struct idpf_tx_queue {
};
u16 cleaned_pkts;
- struct idpf_txq_stash *stash;
struct idpf_sw_queue *refillq;
- u16 compl_tag_bufid_m;
- u16 compl_tag_cur_gen;
- u16 compl_tag_gen_max;
-
struct u64_stats_sync stats_sync;
struct idpf_tx_queue_stats q_stats;
__cacheline_group_end_aligned(read_write);
@@ -715,7 +672,7 @@ struct idpf_tx_queue {
__cacheline_group_end_aligned(cold);
};
libeth_cacheline_set_assert(struct idpf_tx_queue, 64,
- 96 + sizeof(struct u64_stats_sync),
+ 80 + sizeof(struct u64_stats_sync),
32);
/**
@@ -926,7 +883,6 @@ struct idpf_rxq_group {
* @vport: Vport back pointer
* @num_txq: Number of TX queues associated
* @txqs: Array of TX queue pointers
- * @stashes: array of OOO stashes for the queues
* @complq: Associated completion queue pointer, split queue only
* @num_completions_pending: Total number of completions pending for the
* completion queue, acculumated for all TX queues
@@ -941,7 +897,6 @@ struct idpf_txq_group {
u16 num_txq;
struct idpf_tx_queue *txqs[IDPF_LARGE_MAX_Q];
- struct idpf_txq_stash *stashes;
struct idpf_compl_queue *complq;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 545/567] hrtimers: Make hrtimer_update_function() less expensive
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (543 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 544/567] idpf: remove obsolete stashing code Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 546/567] gve: defer interrupt enabling until NAPI registration Greg Kroah-Hartman
` (35 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Thomas Gleixner
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 2ea97b76d6712bfb0408e5b81ffd7bc4551d3153 upstream.
The sanity checks in hrtimer_update_function() are expensive for high
frequency usage like in the io/uring code due to locking.
Hide the sanity checks behind CONFIG_PROVE_LOCKING, which has a decent
chance to be enabled on a regular basis for testing.
Fixes: 8f02e3563bb5 ("hrtimers: Introduce hrtimer_update_function()")
Reported-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/87ikpllali.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/hrtimer.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/include/linux/hrtimer.h
+++ b/include/linux/hrtimer.h
@@ -348,6 +348,7 @@ static inline int hrtimer_callback_runni
static inline void hrtimer_update_function(struct hrtimer *timer,
enum hrtimer_restart (*function)(struct hrtimer *))
{
+#ifdef CONFIG_PROVE_LOCKING
guard(raw_spinlock_irqsave)(&timer->base->cpu_base->lock);
if (WARN_ON_ONCE(hrtimer_is_queued(timer)))
@@ -355,7 +356,7 @@ static inline void hrtimer_update_functi
if (WARN_ON_ONCE(!function))
return;
-
+#endif
timer->function = function;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 546/567] gve: defer interrupt enabling until NAPI registration
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (544 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 545/567] hrtimers: Make hrtimer_update_function() less expensive Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 547/567] ASoC: renesas: rz-ssi: Fix channel swap issue in full duplex mode Greg Kroah-Hartman
` (34 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ankit Garg, Jordan Rhee,
Joshua Washington, Harshitha Ramamurthy, Paolo Abeni
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ankit Garg <nktgrg@google.com>
commit 3d970eda003441f66551a91fda16478ac0711617 upstream.
Currently, interrupts are automatically enabled immediately upon
request. This allows interrupt to fire before the associated NAPI
context is fully initialized and cause failures like below:
[ 0.946369] Call Trace:
[ 0.946369] <IRQ>
[ 0.946369] __napi_poll+0x2a/0x1e0
[ 0.946369] net_rx_action+0x2f9/0x3f0
[ 0.946369] handle_softirqs+0xd6/0x2c0
[ 0.946369] ? handle_edge_irq+0xc1/0x1b0
[ 0.946369] __irq_exit_rcu+0xc3/0xe0
[ 0.946369] common_interrupt+0x81/0xa0
[ 0.946369] </IRQ>
[ 0.946369] <TASK>
[ 0.946369] asm_common_interrupt+0x22/0x40
[ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10
Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto
enablement and explicitly enable the interrupt in NAPI initialization
path (and disable it during NAPI teardown).
This ensures that interrupt lifecycle is strictly coupled with
readiness of NAPI context.
Cc: stable@vger.kernel.org
Fixes: 1dfc2e46117e ("gve: Refactor napi add and remove functions")
Signed-off-by: Ankit Garg <nktgrg@google.com>
Reviewed-by: Jordan Rhee <jordanrhee@google.com>
Reviewed-by: Joshua Washington <joshwash@google.com>
Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
Link: https://patch.msgid.link/20251219102945.2193617-1-hramamurthy@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve_main.c | 2 +-
drivers/net/ethernet/google/gve/gve_utils.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/google/gve/gve_main.c
+++ b/drivers/net/ethernet/google/gve/gve_main.c
@@ -500,7 +500,7 @@ static int gve_alloc_notify_blocks(struc
block->priv = priv;
err = request_irq(priv->msix_vectors[msix_idx].vector,
gve_is_gqi(priv) ? gve_intr : gve_intr_dqo,
- 0, block->name, block);
+ IRQF_NO_AUTOEN, block->name, block);
if (err) {
dev_err(&priv->pdev->dev,
"Failed to receive msix vector %d\n", i);
--- a/drivers/net/ethernet/google/gve/gve_utils.c
+++ b/drivers/net/ethernet/google/gve/gve_utils.c
@@ -111,11 +111,13 @@ void gve_add_napi(struct gve_priv *priv,
struct gve_notify_block *block = &priv->ntfy_blocks[ntfy_idx];
netif_napi_add(priv->dev, &block->napi, gve_poll);
+ enable_irq(block->irq);
}
void gve_remove_napi(struct gve_priv *priv, int ntfy_idx)
{
struct gve_notify_block *block = &priv->ntfy_blocks[ntfy_idx];
+ disable_irq(block->irq);
netif_napi_del(&block->napi);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 547/567] ASoC: renesas: rz-ssi: Fix channel swap issue in full duplex mode
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (545 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 546/567] gve: defer interrupt enabling until NAPI registration Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 548/567] block: handle zone management operations completions Greg Kroah-Hartman
` (33 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Tony Tang, Kuninori Morimoto,
Biju Das, Mark Brown
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 52a525011cb8e293799a085436f026f2958403f9 ]
The full duplex audio starts with half duplex mode and then switch to
full duplex mode (another FIFO reset) when both playback/capture
streams available leading to random audio left/right channel swap
issue. Fix this channel swap issue by detecting the full duplex
condition by populating struct dup variable in startup() callback
and synchronize starting both the play and capture at the same time
in rz_ssi_start().
Cc: stable@kernel.org
Fixes: 4f8cd05a4305 ("ASoC: sh: rz-ssi: Add full duplex support")
Co-developed-by: Tony Tang <tony.tang.ks@renesas.com>
Signed-off-by: Tony Tang <tony.tang.ks@renesas.com>
Reviewed-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Link: https://patch.msgid.link/20251114073709.4376-2-biju.das.jz@bp.renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/sh/rz-ssi.c | 51 ++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 43 insertions(+), 8 deletions(-)
--- a/sound/soc/sh/rz-ssi.c
+++ b/sound/soc/sh/rz-ssi.c
@@ -132,6 +132,12 @@ struct rz_ssi_priv {
bool bckp_rise; /* Bit clock polarity (SSICR.BCKP) */
bool dma_rt;
+ struct {
+ bool tx_active;
+ bool rx_active;
+ bool one_stream_triggered;
+ } dup;
+
/* Full duplex communication support */
struct {
unsigned int rate;
@@ -352,13 +358,12 @@ static int rz_ssi_start(struct rz_ssi_pr
bool is_full_duplex;
u32 ssicr, ssifcr;
- is_full_duplex = rz_ssi_is_stream_running(&ssi->playback) ||
- rz_ssi_is_stream_running(&ssi->capture);
+ is_full_duplex = ssi->dup.tx_active && ssi->dup.rx_active;
ssicr = rz_ssi_reg_readl(ssi, SSICR);
ssifcr = rz_ssi_reg_readl(ssi, SSIFCR);
if (!is_full_duplex) {
ssifcr &= ~0xF;
- } else {
+ } else if (ssi->dup.one_stream_triggered) {
rz_ssi_reg_mask_setl(ssi, SSICR, SSICR_TEN | SSICR_REN, 0);
rz_ssi_set_idle(ssi);
ssifcr &= ~SSIFCR_FIFO_RST;
@@ -394,12 +399,16 @@ static int rz_ssi_start(struct rz_ssi_pr
SSISR_RUIRQ), 0);
strm->running = 1;
- if (is_full_duplex)
- ssicr |= SSICR_TEN | SSICR_REN;
- else
+ if (!is_full_duplex) {
ssicr |= is_play ? SSICR_TEN : SSICR_REN;
-
- rz_ssi_reg_writel(ssi, SSICR, ssicr);
+ rz_ssi_reg_writel(ssi, SSICR, ssicr);
+ } else if (ssi->dup.one_stream_triggered) {
+ ssicr |= SSICR_TEN | SSICR_REN;
+ rz_ssi_reg_writel(ssi, SSICR, ssicr);
+ ssi->dup.one_stream_triggered = false;
+ } else {
+ ssi->dup.one_stream_triggered = true;
+ }
return 0;
}
@@ -897,6 +906,30 @@ static int rz_ssi_dai_set_fmt(struct snd
return 0;
}
+static int rz_ssi_startup(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+{
+ struct rz_ssi_priv *ssi = snd_soc_dai_get_drvdata(dai);
+
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+ ssi->dup.tx_active = true;
+ else
+ ssi->dup.rx_active = true;
+
+ return 0;
+}
+
+static void rz_ssi_shutdown(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+{
+ struct rz_ssi_priv *ssi = snd_soc_dai_get_drvdata(dai);
+
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+ ssi->dup.tx_active = false;
+ else
+ ssi->dup.rx_active = false;
+}
+
static bool rz_ssi_is_valid_hw_params(struct rz_ssi_priv *ssi, unsigned int rate,
unsigned int channels,
unsigned int sample_width,
@@ -962,6 +995,8 @@ static int rz_ssi_dai_hw_params(struct s
}
static const struct snd_soc_dai_ops rz_ssi_dai_ops = {
+ .startup = rz_ssi_startup,
+ .shutdown = rz_ssi_shutdown,
.trigger = rz_ssi_dai_trigger,
.set_fmt = rz_ssi_dai_set_fmt,
.hw_params = rz_ssi_dai_hw_params,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 548/567] block: handle zone management operations completions
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (546 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 547/567] ASoC: renesas: rz-ssi: Fix channel swap issue in full duplex mode Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 549/567] soundwire: stream: extend sdw_alloc_stream() to take type parameter Greg Kroah-Hartman
` (32 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Christoph Hellwig,
Johannes Thumshirn, Chaitanya Kulkarni, Hannes Reinecke,
Martin K. Petersen, Jens Axboe, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit efae226c2ef19528ffd81d29ba0eecf1b0896ca2 ]
The functions blk_zone_wplug_handle_reset_or_finish() and
blk_zone_wplug_handle_reset_all() both modify the zone write pointer
offset of zone write plugs that are the target of a reset, reset all or
finish zone management operation. However, these functions do this
modification before the BIO is executed. So if the zone operation fails,
the modified zone write pointer offsets become invalid.
Avoid this by modifying the zone write pointer offset of a zone write
plug that is the target of a zone management operation when the
operation completes. To do so, modify blk_zone_bio_endio() to call the
new function blk_zone_mgmt_bio_endio() which in turn calls the functions
blk_zone_reset_all_bio_endio(), blk_zone_reset_bio_endio() or
blk_zone_finish_bio_endio() depending on the operation of the completed
BIO, to modify a zone write plug write pointer offset accordingly.
These functions are called only if the BIO execution was successful.
Fixes: dd291d77cc90 ("block: Introduce zone write plugging")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ adapted bdev_zone_is_seq() check to disk_zone_is_conv() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-zoned.c | 141 +++++++++++++++++++++++++++++++++++-------------------
block/blk.h | 14 +++++
2 files changed, 106 insertions(+), 49 deletions(-)
--- a/block/blk-zoned.c
+++ b/block/blk-zoned.c
@@ -73,6 +73,11 @@ struct blk_zone_wplug {
struct gendisk *disk;
};
+static inline unsigned int disk_zone_wplugs_hash_size(struct gendisk *disk)
+{
+ return 1U << disk->zone_wplugs_hash_bits;
+}
+
/*
* Zone write plug flags bits:
* - BLK_ZONE_WPLUG_PLUGGED: Indicates that the zone write plug is plugged,
@@ -712,71 +717,91 @@ static int disk_zone_sync_wp_offset(stru
disk_report_zones_cb, &args);
}
-static bool blk_zone_wplug_handle_reset_or_finish(struct bio *bio,
- unsigned int wp_offset)
+static void blk_zone_reset_bio_endio(struct bio *bio)
{
struct gendisk *disk = bio->bi_bdev->bd_disk;
- sector_t sector = bio->bi_iter.bi_sector;
struct blk_zone_wplug *zwplug;
- unsigned long flags;
-
- /* Conventional zones cannot be reset nor finished. */
- if (disk_zone_is_conv(disk, sector)) {
- bio_io_error(bio);
- return true;
- }
-
- /*
- * No-wait reset or finish BIOs do not make much sense as the callers
- * issue these as blocking operations in most cases. To avoid issues
- * the BIO execution potentially failing with BLK_STS_AGAIN, warn about
- * REQ_NOWAIT being set and ignore that flag.
- */
- if (WARN_ON_ONCE(bio->bi_opf & REQ_NOWAIT))
- bio->bi_opf &= ~REQ_NOWAIT;
/*
- * If we have a zone write plug, set its write pointer offset to 0
- * (reset case) or to the zone size (finish case). This will abort all
- * BIOs plugged for the target zone. It is fine as resetting or
- * finishing zones while writes are still in-flight will result in the
+ * If we have a zone write plug, set its write pointer offset to 0.
+ * This will abort all BIOs plugged for the target zone. It is fine as
+ * resetting zones while writes are still in-flight will result in the
* writes failing anyway.
*/
- zwplug = disk_get_zone_wplug(disk, sector);
+ zwplug = disk_get_zone_wplug(disk, bio->bi_iter.bi_sector);
if (zwplug) {
+ unsigned long flags;
+
spin_lock_irqsave(&zwplug->lock, flags);
- disk_zone_wplug_set_wp_offset(disk, zwplug, wp_offset);
+ disk_zone_wplug_set_wp_offset(disk, zwplug, 0);
spin_unlock_irqrestore(&zwplug->lock, flags);
disk_put_zone_wplug(zwplug);
}
-
- return false;
}
-static bool blk_zone_wplug_handle_reset_all(struct bio *bio)
+static void blk_zone_reset_all_bio_endio(struct bio *bio)
{
struct gendisk *disk = bio->bi_bdev->bd_disk;
struct blk_zone_wplug *zwplug;
unsigned long flags;
- sector_t sector;
+ unsigned int i;
- /*
- * Set the write pointer offset of all zone write plugs to 0. This will
- * abort all plugged BIOs. It is fine as resetting zones while writes
- * are still in-flight will result in the writes failing anyway.
- */
- for (sector = 0; sector < get_capacity(disk);
- sector += disk->queue->limits.chunk_sectors) {
- zwplug = disk_get_zone_wplug(disk, sector);
- if (zwplug) {
+ /* Update the condition of all zone write plugs. */
+ rcu_read_lock();
+ for (i = 0; i < disk_zone_wplugs_hash_size(disk); i++) {
+ hlist_for_each_entry_rcu(zwplug, &disk->zone_wplugs_hash[i],
+ node) {
spin_lock_irqsave(&zwplug->lock, flags);
disk_zone_wplug_set_wp_offset(disk, zwplug, 0);
spin_unlock_irqrestore(&zwplug->lock, flags);
- disk_put_zone_wplug(zwplug);
}
}
+ rcu_read_unlock();
+}
- return false;
+static void blk_zone_finish_bio_endio(struct bio *bio)
+{
+ struct block_device *bdev = bio->bi_bdev;
+ struct gendisk *disk = bdev->bd_disk;
+ struct blk_zone_wplug *zwplug;
+
+ /*
+ * If we have a zone write plug, set its write pointer offset to the
+ * zone size. This will abort all BIOs plugged for the target zone. It
+ * is fine as resetting zones while writes are still in-flight will
+ * result in the writes failing anyway.
+ */
+ zwplug = disk_get_zone_wplug(disk, bio->bi_iter.bi_sector);
+ if (zwplug) {
+ unsigned long flags;
+
+ spin_lock_irqsave(&zwplug->lock, flags);
+ disk_zone_wplug_set_wp_offset(disk, zwplug,
+ bdev_zone_sectors(bdev));
+ spin_unlock_irqrestore(&zwplug->lock, flags);
+ disk_put_zone_wplug(zwplug);
+ }
+}
+
+void blk_zone_mgmt_bio_endio(struct bio *bio)
+{
+ /* If the BIO failed, we have nothing to do. */
+ if (bio->bi_status != BLK_STS_OK)
+ return;
+
+ switch (bio_op(bio)) {
+ case REQ_OP_ZONE_RESET:
+ blk_zone_reset_bio_endio(bio);
+ return;
+ case REQ_OP_ZONE_RESET_ALL:
+ blk_zone_reset_all_bio_endio(bio);
+ return;
+ case REQ_OP_ZONE_FINISH:
+ blk_zone_finish_bio_endio(bio);
+ return;
+ default:
+ return;
+ }
}
static void disk_zone_wplug_schedule_bio_work(struct gendisk *disk,
@@ -1119,6 +1144,32 @@ static void blk_zone_wplug_handle_native
disk_put_zone_wplug(zwplug);
}
+static bool blk_zone_wplug_handle_zone_mgmt(struct bio *bio)
+{
+ struct gendisk *disk = bio->bi_bdev->bd_disk;
+
+ if (bio_op(bio) != REQ_OP_ZONE_RESET_ALL &&
+ disk_zone_is_conv(disk, bio->bi_iter.bi_sector)) {
+ /*
+ * Zone reset and zone finish operations do not apply to
+ * conventional zones.
+ */
+ bio_io_error(bio);
+ return true;
+ }
+
+ /*
+ * No-wait zone management BIOs do not make much sense as the callers
+ * issue these as blocking operations in most cases. To avoid issues
+ * with the BIO execution potentially failing with BLK_STS_AGAIN, warn
+ * about REQ_NOWAIT being set and ignore that flag.
+ */
+ if (WARN_ON_ONCE(bio->bi_opf & REQ_NOWAIT))
+ bio->bi_opf &= ~REQ_NOWAIT;
+
+ return false;
+}
+
/**
* blk_zone_plug_bio - Handle a zone write BIO with zone write plugging
* @bio: The BIO being submitted
@@ -1166,12 +1217,9 @@ bool blk_zone_plug_bio(struct bio *bio,
case REQ_OP_WRITE_ZEROES:
return blk_zone_wplug_handle_write(bio, nr_segs);
case REQ_OP_ZONE_RESET:
- return blk_zone_wplug_handle_reset_or_finish(bio, 0);
case REQ_OP_ZONE_FINISH:
- return blk_zone_wplug_handle_reset_or_finish(bio,
- bdev_zone_sectors(bdev));
case REQ_OP_ZONE_RESET_ALL:
- return blk_zone_wplug_handle_reset_all(bio);
+ return blk_zone_wplug_handle_zone_mgmt(bio);
default:
return false;
}
@@ -1328,11 +1376,6 @@ put_zwplug:
disk_put_zone_wplug(zwplug);
}
-static inline unsigned int disk_zone_wplugs_hash_size(struct gendisk *disk)
-{
- return 1U << disk->zone_wplugs_hash_bits;
-}
-
void disk_init_zone_resources(struct gendisk *disk)
{
spin_lock_init(&disk->zone_wplugs_lock);
--- a/block/blk.h
+++ b/block/blk.h
@@ -486,10 +486,24 @@ static inline void blk_zone_update_reque
bio_flagged(bio, BIO_EMULATES_ZONE_APPEND))
bio->bi_iter.bi_sector = rq->__sector;
}
+void blk_zone_mgmt_bio_endio(struct bio *bio);
void blk_zone_write_plug_bio_endio(struct bio *bio);
static inline void blk_zone_bio_endio(struct bio *bio)
{
/*
+ * Zone management BIOs may impact zone write plugs (e.g. a zone reset
+ * changes a zone write plug zone write pointer offset), but these
+ * operation do not go through zone write plugging as they may operate
+ * on zones that do not have a zone write
+ * plug. blk_zone_mgmt_bio_endio() handles the potential changes to zone
+ * write plugs that are present.
+ */
+ if (op_is_zone_mgmt(bio_op(bio))) {
+ blk_zone_mgmt_bio_endio(bio);
+ return;
+ }
+
+ /*
* For write BIOs to zoned devices, signal the completion of the BIO so
* that the next write BIO can be submitted by zone write plugging.
*/
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 549/567] soundwire: stream: extend sdw_alloc_stream() to take type parameter
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (547 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 548/567] block: handle zone management operations completions Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 550/567] ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime Greg Kroah-Hartman
` (31 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart, Bard Liao,
Péter Ujfalusi, Liam Girdwood, Ranjani Sridharan, shumingf,
Vinod Koul, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>
[ Upstream commit dc90bbefa792031d89fe2af9ad4a6febd6be96a9 ]
In the existing definition of sdw_stream_runtime, the 'type' member is
never set and defaults to PCM. To prepare for the BPT/BRA support, we
need to special-case streams and make use of the 'type'.
No functional change for now, the implicit PCM type is now explicit.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.dev>
Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Tested-by: shumingf@realtek.com
Link: https://lore.kernel.org/r/20250227140615.8147-5-yung-chuan.liao@linux.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Stable-dep-of: bcba17279327 ("ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/driver-api/soundwire/stream.rst | 2 +-
drivers/soundwire/stream.c | 6 ++++--
include/linux/soundwire/sdw.h | 2 +-
sound/soc/qcom/sdw.c | 2 +-
4 files changed, 7 insertions(+), 5 deletions(-)
--- a/Documentation/driver-api/soundwire/stream.rst
+++ b/Documentation/driver-api/soundwire/stream.rst
@@ -291,7 +291,7 @@ per stream. From ASoC DPCM framework, th
.. code-block:: c
- int sdw_alloc_stream(char * stream_name);
+ int sdw_alloc_stream(char * stream_name, enum sdw_stream_type type);
The SoundWire core provides a sdw_startup_stream() helper function,
typically called during a dailink .startup() callback, which performs
--- a/drivers/soundwire/stream.c
+++ b/drivers/soundwire/stream.c
@@ -1744,12 +1744,13 @@ static int set_stream(struct snd_pcm_sub
* sdw_alloc_stream() - Allocate and return stream runtime
*
* @stream_name: SoundWire stream name
+ * @type: stream type (could be PCM ,PDM or BPT)
*
* Allocates a SoundWire stream runtime instance.
* sdw_alloc_stream should be called only once per stream. Typically
* invoked from ALSA/ASoC machine/platform driver.
*/
-struct sdw_stream_runtime *sdw_alloc_stream(const char *stream_name)
+struct sdw_stream_runtime *sdw_alloc_stream(const char *stream_name, enum sdw_stream_type type)
{
struct sdw_stream_runtime *stream;
@@ -1761,6 +1762,7 @@ struct sdw_stream_runtime *sdw_alloc_str
INIT_LIST_HEAD(&stream->master_list);
stream->state = SDW_STREAM_ALLOCATED;
stream->m_rt_count = 0;
+ stream->type = type;
return stream;
}
@@ -1789,7 +1791,7 @@ int sdw_startup_stream(void *sdw_substre
if (!name)
return -ENOMEM;
- sdw_stream = sdw_alloc_stream(name);
+ sdw_stream = sdw_alloc_stream(name, SDW_STREAM_PCM);
if (!sdw_stream) {
dev_err(rtd->dev, "alloc stream failed for substream DAI %s\n", substream->name);
ret = -ENOMEM;
--- a/include/linux/soundwire/sdw.h
+++ b/include/linux/soundwire/sdw.h
@@ -1024,7 +1024,7 @@ struct sdw_stream_runtime {
int m_rt_count;
};
-struct sdw_stream_runtime *sdw_alloc_stream(const char *stream_name);
+struct sdw_stream_runtime *sdw_alloc_stream(const char *stream_name, enum sdw_stream_type type);
void sdw_release_stream(struct sdw_stream_runtime *stream);
int sdw_compute_params(struct sdw_bus *bus);
--- a/sound/soc/qcom/sdw.c
+++ b/sound/soc/qcom/sdw.c
@@ -27,7 +27,7 @@ int qcom_snd_sdw_startup(struct snd_pcm_
struct snd_soc_dai *codec_dai;
int ret, i;
- sruntime = sdw_alloc_stream(cpu_dai->name);
+ sruntime = sdw_alloc_stream(cpu_dai->name, SDW_STREAM_PCM);
if (!sruntime)
return -ENOMEM;
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 550/567] ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (548 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 549/567] soundwire: stream: extend sdw_alloc_stream() to take type parameter Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 551/567] ASoC: renesas: rz-ssi: Fix rz_ssi_priv::hw_params_cache::sample_width Greg Kroah-Hartman
` (30 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Stable,
Srinivas Kandagatla, Mark Brown, Sasha Levin, Steev Klimaszewski
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
[ Upstream commit bcba17279327c6e85dee6a97014dc642e2dc93cc ]
For some reason we endedup allocating sdw_stream_runtime for every cpu dai,
this has two issues.
1. we never set snd_soc_dai_set_stream for non soundwire dai, which
means there is no way that we can free this, resulting in memory leak
2. startup and shutdown callbacks can be called without
hw_params callback called. This combination results in memory leak
because machine driver sruntime array pointer is only set in hw_params
callback.
Fix this by
1. adding a helper function to get sdw_runtime for substream
which can be used by shutdown callback to get hold of sruntime to free.
2. only allocate sdw_runtime for soundwire dais.
Fixes: d32bac9cb09c ("ASoC: qcom: Add helper for allocating Soundwire stream runtime")
Cc: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Steev Klimaszewski <threeway@gmail.com> # Thinkpad X13s
Link: https://patch.msgid.link/20251022143349.1081513-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/sc7280.c | 2
sound/soc/qcom/sc8280xp.c | 2
sound/soc/qcom/sdw.c | 105 +++++++++++++++++++++++++---------------------
sound/soc/qcom/sdw.h | 1
sound/soc/qcom/sm8250.c | 2
sound/soc/qcom/x1e80100.c | 2
6 files changed, 64 insertions(+), 50 deletions(-)
--- a/sound/soc/qcom/sc7280.c
+++ b/sound/soc/qcom/sc7280.c
@@ -317,7 +317,7 @@ static void sc7280_snd_shutdown(struct s
struct snd_soc_card *card = rtd->card;
struct sc7280_snd_data *data = snd_soc_card_get_drvdata(card);
struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0);
- struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id];
+ struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream);
switch (cpu_dai->id) {
case MI2S_PRIMARY:
--- a/sound/soc/qcom/sc8280xp.c
+++ b/sound/soc/qcom/sc8280xp.c
@@ -69,7 +69,7 @@ static void sc8280xp_snd_shutdown(struct
struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream);
struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0);
struct sc8280xp_snd_data *pdata = snd_soc_card_get_drvdata(rtd->card);
- struct sdw_stream_runtime *sruntime = pdata->sruntime[cpu_dai->id];
+ struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream);
pdata->sruntime[cpu_dai->id] = NULL;
sdw_release_stream(sruntime);
--- a/sound/soc/qcom/sdw.c
+++ b/sound/soc/qcom/sdw.c
@@ -7,6 +7,37 @@
#include <sound/soc.h>
#include "sdw.h"
+static bool qcom_snd_is_sdw_dai(int id)
+{
+ switch (id) {
+ case WSA_CODEC_DMA_RX_0:
+ case WSA_CODEC_DMA_TX_0:
+ case WSA_CODEC_DMA_RX_1:
+ case WSA_CODEC_DMA_TX_1:
+ case WSA_CODEC_DMA_TX_2:
+ case RX_CODEC_DMA_RX_0:
+ case TX_CODEC_DMA_TX_0:
+ case RX_CODEC_DMA_RX_1:
+ case TX_CODEC_DMA_TX_1:
+ case RX_CODEC_DMA_RX_2:
+ case TX_CODEC_DMA_TX_2:
+ case RX_CODEC_DMA_RX_3:
+ case TX_CODEC_DMA_TX_3:
+ case RX_CODEC_DMA_RX_4:
+ case TX_CODEC_DMA_TX_4:
+ case RX_CODEC_DMA_RX_5:
+ case TX_CODEC_DMA_TX_5:
+ case RX_CODEC_DMA_RX_6:
+ case RX_CODEC_DMA_RX_7:
+ case SLIMBUS_0_RX...SLIMBUS_6_TX:
+ return true;
+ default:
+ break;
+ }
+
+ return false;
+}
+
/**
* qcom_snd_sdw_startup() - Helper to start Soundwire stream for SoC audio card
* @substream: The PCM substream from audio, as passed to snd_soc_ops->startup()
@@ -27,6 +58,9 @@ int qcom_snd_sdw_startup(struct snd_pcm_
struct snd_soc_dai *codec_dai;
int ret, i;
+ if (!qcom_snd_is_sdw_dai(cpu_dai->id))
+ return 0;
+
sruntime = sdw_alloc_stream(cpu_dai->name, SDW_STREAM_PCM);
if (!sruntime)
return -ENOMEM;
@@ -61,19 +95,8 @@ int qcom_snd_sdw_prepare(struct snd_pcm_
if (!sruntime)
return 0;
- switch (cpu_dai->id) {
- case WSA_CODEC_DMA_RX_0:
- case WSA_CODEC_DMA_RX_1:
- case RX_CODEC_DMA_RX_0:
- case RX_CODEC_DMA_RX_1:
- case TX_CODEC_DMA_TX_0:
- case TX_CODEC_DMA_TX_1:
- case TX_CODEC_DMA_TX_2:
- case TX_CODEC_DMA_TX_3:
- break;
- default:
+ if (!qcom_snd_is_sdw_dai(cpu_dai->id))
return 0;
- }
if (*stream_prepared)
return 0;
@@ -101,9 +124,7 @@ int qcom_snd_sdw_prepare(struct snd_pcm_
}
EXPORT_SYMBOL_GPL(qcom_snd_sdw_prepare);
-int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream,
- struct snd_pcm_hw_params *params,
- struct sdw_stream_runtime **psruntime)
+struct sdw_stream_runtime *qcom_snd_sdw_get_stream(struct snd_pcm_substream *substream)
{
struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream);
struct snd_soc_dai *codec_dai;
@@ -111,21 +132,23 @@ int qcom_snd_sdw_hw_params(struct snd_pc
struct sdw_stream_runtime *sruntime;
int i;
- switch (cpu_dai->id) {
- case WSA_CODEC_DMA_RX_0:
- case RX_CODEC_DMA_RX_0:
- case RX_CODEC_DMA_RX_1:
- case TX_CODEC_DMA_TX_0:
- case TX_CODEC_DMA_TX_1:
- case TX_CODEC_DMA_TX_2:
- case TX_CODEC_DMA_TX_3:
- for_each_rtd_codec_dais(rtd, i, codec_dai) {
- sruntime = snd_soc_dai_get_stream(codec_dai, substream->stream);
- if (sruntime != ERR_PTR(-ENOTSUPP))
- *psruntime = sruntime;
- }
- break;
+ if (!qcom_snd_is_sdw_dai(cpu_dai->id))
+ return NULL;
+
+ for_each_rtd_codec_dais(rtd, i, codec_dai) {
+ sruntime = snd_soc_dai_get_stream(codec_dai, substream->stream);
+ if (sruntime != ERR_PTR(-ENOTSUPP))
+ return sruntime;
}
+ return NULL;
+}
+EXPORT_SYMBOL_GPL(qcom_snd_sdw_get_stream);
+
+int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream,
+ struct snd_pcm_hw_params *params,
+ struct sdw_stream_runtime **psruntime)
+{
+ *psruntime = qcom_snd_sdw_get_stream(substream);
return 0;
@@ -138,23 +161,13 @@ int qcom_snd_sdw_hw_free(struct snd_pcm_
struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream);
struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0);
- switch (cpu_dai->id) {
- case WSA_CODEC_DMA_RX_0:
- case WSA_CODEC_DMA_RX_1:
- case RX_CODEC_DMA_RX_0:
- case RX_CODEC_DMA_RX_1:
- case TX_CODEC_DMA_TX_0:
- case TX_CODEC_DMA_TX_1:
- case TX_CODEC_DMA_TX_2:
- case TX_CODEC_DMA_TX_3:
- if (sruntime && *stream_prepared) {
- sdw_disable_stream(sruntime);
- sdw_deprepare_stream(sruntime);
- *stream_prepared = false;
- }
- break;
- default:
- break;
+ if (!qcom_snd_is_sdw_dai(cpu_dai->id))
+ return 0;
+
+ if (sruntime && *stream_prepared) {
+ sdw_disable_stream(sruntime);
+ sdw_deprepare_stream(sruntime);
+ *stream_prepared = false;
}
return 0;
--- a/sound/soc/qcom/sdw.h
+++ b/sound/soc/qcom/sdw.h
@@ -10,6 +10,7 @@ int qcom_snd_sdw_startup(struct snd_pcm_
int qcom_snd_sdw_prepare(struct snd_pcm_substream *substream,
struct sdw_stream_runtime *runtime,
bool *stream_prepared);
+struct sdw_stream_runtime *qcom_snd_sdw_get_stream(struct snd_pcm_substream *stream);
int qcom_snd_sdw_hw_params(struct snd_pcm_substream *substream,
struct snd_pcm_hw_params *params,
struct sdw_stream_runtime **psruntime);
--- a/sound/soc/qcom/sm8250.c
+++ b/sound/soc/qcom/sm8250.c
@@ -86,7 +86,7 @@ static void sm2450_snd_shutdown(struct s
struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream);
struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0);
struct sm8250_snd_data *data = snd_soc_card_get_drvdata(rtd->card);
- struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id];
+ struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream);
data->sruntime[cpu_dai->id] = NULL;
sdw_release_stream(sruntime);
--- a/sound/soc/qcom/x1e80100.c
+++ b/sound/soc/qcom/x1e80100.c
@@ -55,7 +55,7 @@ static void x1e80100_snd_shutdown(struct
struct snd_soc_pcm_runtime *rtd = snd_soc_substream_to_rtd(substream);
struct snd_soc_dai *cpu_dai = snd_soc_rtd_to_cpu(rtd, 0);
struct x1e80100_snd_data *data = snd_soc_card_get_drvdata(rtd->card);
- struct sdw_stream_runtime *sruntime = data->sruntime[cpu_dai->id];
+ struct sdw_stream_runtime *sruntime = qcom_snd_sdw_get_stream(substream);
data->sruntime[cpu_dai->id] = NULL;
sdw_release_stream(sruntime);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 551/567] ASoC: renesas: rz-ssi: Fix rz_ssi_priv::hw_params_cache::sample_width
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (549 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 550/567] ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 552/567] PCI: brcmstb: Reuse pcie_cfg_data structure Greg Kroah-Hartman
` (29 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Kuninori Morimoto, Biju Das,
Mark Brown, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 2bae7beda19f3b2dc6ab2062c94df19c27923712 ]
The strm->sample_width is not filled during rz_ssi_dai_hw_params(). This
wrong value is used for caching sample_width in struct hw_params_cache.
Fix this issue by replacing 'strm->sample_width'->'params_width(params)'
in rz_ssi_dai_hw_params(). After this drop the variable sample_width
from struct rz_ssi_stream as it is unused.
Cc: stable@kernel.org
Fixes: 4f8cd05a4305 ("ASoC: sh: rz-ssi: Add full duplex support")
Reviewed-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Link: https://patch.msgid.link/20251114073709.4376-3-biju.das.jz@bp.renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/sh/rz-ssi.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
--- a/sound/soc/sh/rz-ssi.c
+++ b/sound/soc/sh/rz-ssi.c
@@ -12,6 +12,7 @@
#include <linux/module.h>
#include <linux/pm_runtime.h>
#include <linux/reset.h>
+#include <sound/pcm_params.h>
#include <sound/soc.h>
/* REGISTER OFFSET */
@@ -85,7 +86,6 @@ struct rz_ssi_stream {
int fifo_sample_size; /* sample capacity of SSI FIFO */
int dma_buffer_pos; /* The address for the next DMA descriptor */
int period_counter; /* for keeping track of periods transferred */
- int sample_width;
int buffer_pos; /* current frame position in the buffer */
int running; /* 0=stopped, 1=running */
@@ -231,10 +231,7 @@ static inline bool rz_ssi_is_stream_runn
static void rz_ssi_stream_init(struct rz_ssi_stream *strm,
struct snd_pcm_substream *substream)
{
- struct snd_pcm_runtime *runtime = substream->runtime;
-
rz_ssi_set_substream(strm, substream);
- strm->sample_width = samples_to_bytes(runtime, 1);
strm->dma_buffer_pos = 0;
strm->period_counter = 0;
strm->buffer_pos = 0;
@@ -960,9 +957,9 @@ static int rz_ssi_dai_hw_params(struct s
struct snd_soc_dai *dai)
{
struct rz_ssi_priv *ssi = snd_soc_dai_get_drvdata(dai);
- struct rz_ssi_stream *strm = rz_ssi_stream_get(ssi, substream);
unsigned int sample_bits = hw_param_interval(params,
SNDRV_PCM_HW_PARAM_SAMPLE_BITS)->min;
+ unsigned int sample_width = params_width(params);
unsigned int channels = params_channels(params);
unsigned int rate = params_rate(params);
@@ -980,16 +977,14 @@ static int rz_ssi_dai_hw_params(struct s
if (rz_ssi_is_stream_running(&ssi->playback) ||
rz_ssi_is_stream_running(&ssi->capture)) {
- if (rz_ssi_is_valid_hw_params(ssi, rate, channels,
- strm->sample_width, sample_bits))
+ if (rz_ssi_is_valid_hw_params(ssi, rate, channels, sample_width, sample_bits))
return 0;
dev_err(ssi->dev, "Full duplex needs same HW params\n");
return -EINVAL;
}
- rz_ssi_cache_hw_params(ssi, rate, channels, strm->sample_width,
- sample_bits);
+ rz_ssi_cache_hw_params(ssi, rate, channels, sample_width, sample_bits);
return rz_ssi_clk_setup(ssi, rate, channels);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 552/567] PCI: brcmstb: Reuse pcie_cfg_data structure
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (550 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 551/567] ASoC: renesas: rz-ssi: Fix rz_ssi_priv::hw_params_cache::sample_width Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 553/567] PCI: brcmstb: Set MLW based on "num-lanes" DT property if present Greg Kroah-Hartman
` (28 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanimir Varbanov, Florian Fainelil,
Jim Quinlan, Ivan T. Ivanov, Krzysztof Wilczyński,
Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanimir Varbanov <svarbanov@suse.de>
[ Upstream commit 10dbedad3c8188ce8b68559d43b7aaee7dafba25 ]
Instead of copying fields from the pcie_cfg_data structure to
brcm_pcie, reference it directly.
Signed-off-by: Stanimir Varbanov <svarbanov@suse.de>
Reviewed-by: Florian Fainelil <florian.fainelli@broadcom.com>
Reviewed-by: Jim Quinlan <james.quinlan@broadcom.com>
Tested-by: Ivan T. Ivanov <iivanov@suse.de>
Link: https://lore.kernel.org/r/20250224083559.47645-6-svarbanov@suse.de
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Stable-dep-of: 9583f9d22991 ("PCI: brcmstb: Fix disabling L0s capability")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-brcmstb.c | 72 +++++++++++++++-------------------
1 file changed, 32 insertions(+), 40 deletions(-)
--- a/drivers/pci/controller/pcie-brcmstb.c
+++ b/drivers/pci/controller/pcie-brcmstb.c
@@ -191,11 +191,11 @@
#define SSC_STATUS_PLL_LOCK_MASK 0x800
#define PCIE_BRCM_MAX_MEMC 3
-#define IDX_ADDR(pcie) ((pcie)->reg_offsets[EXT_CFG_INDEX])
-#define DATA_ADDR(pcie) ((pcie)->reg_offsets[EXT_CFG_DATA])
-#define PCIE_RGR1_SW_INIT_1(pcie) ((pcie)->reg_offsets[RGR1_SW_INIT_1])
-#define HARD_DEBUG(pcie) ((pcie)->reg_offsets[PCIE_HARD_DEBUG])
-#define INTR2_CPU_BASE(pcie) ((pcie)->reg_offsets[PCIE_INTR2_CPU_BASE])
+#define IDX_ADDR(pcie) ((pcie)->cfg->offsets[EXT_CFG_INDEX])
+#define DATA_ADDR(pcie) ((pcie)->cfg->offsets[EXT_CFG_DATA])
+#define PCIE_RGR1_SW_INIT_1(pcie) ((pcie)->cfg->offsets[RGR1_SW_INIT_1])
+#define HARD_DEBUG(pcie) ((pcie)->cfg->offsets[PCIE_HARD_DEBUG])
+#define INTR2_CPU_BASE(pcie) ((pcie)->cfg->offsets[PCIE_INTR2_CPU_BASE])
/* Rescal registers */
#define PCIE_DVT_PMU_PCIE_PHY_CTRL 0xc700
@@ -276,8 +276,6 @@ struct brcm_pcie {
int gen;
u64 msi_target_addr;
struct brcm_msi *msi;
- const int *reg_offsets;
- enum pcie_soc_base soc_base;
struct reset_control *rescal;
struct reset_control *perst_reset;
struct reset_control *bridge_reset;
@@ -285,17 +283,14 @@ struct brcm_pcie {
int num_memc;
u64 memc_size[PCIE_BRCM_MAX_MEMC];
u32 hw_rev;
- int (*perst_set)(struct brcm_pcie *pcie, u32 val);
- int (*bridge_sw_init_set)(struct brcm_pcie *pcie, u32 val);
struct subdev_regulators *sr;
bool ep_wakeup_capable;
- bool has_phy;
- u8 num_inbound_wins;
+ const struct pcie_cfg_data *cfg;
};
static inline bool is_bmips(const struct brcm_pcie *pcie)
{
- return pcie->soc_base == BCM7435 || pcie->soc_base == BCM7425;
+ return pcie->cfg->soc_base == BCM7435 || pcie->cfg->soc_base == BCM7425;
}
/*
@@ -855,7 +850,7 @@ static int brcm_pcie_get_inbound_wins(st
* security considerations, and is not implemented in our modern
* SoCs.
*/
- if (pcie->soc_base != BCM7712)
+ if (pcie->cfg->soc_base != BCM7712)
add_inbound_win(b++, &n, 0, 0, 0);
resource_list_for_each_entry(entry, &bridge->dma_ranges) {
@@ -872,10 +867,10 @@ static int brcm_pcie_get_inbound_wins(st
* That being said, each BARs size must still be a power of
* two.
*/
- if (pcie->soc_base == BCM7712)
+ if (pcie->cfg->soc_base == BCM7712)
add_inbound_win(b++, &n, size, cpu_start, pcie_start);
- if (n > pcie->num_inbound_wins)
+ if (n > pcie->cfg->num_inbound_wins)
break;
}
@@ -889,7 +884,7 @@ static int brcm_pcie_get_inbound_wins(st
* that enables multiple memory controllers. As such, it can return
* now w/o doing special configuration.
*/
- if (pcie->soc_base == BCM7712)
+ if (pcie->cfg->soc_base == BCM7712)
return n;
ret = of_property_read_variable_u64_array(pcie->np, "brcm,scb-sizes", pcie->memc_size, 1,
@@ -1012,7 +1007,7 @@ static void set_inbound_win_registers(st
* 7712:
* All of their BARs need to be set.
*/
- if (pcie->soc_base == BCM7712) {
+ if (pcie->cfg->soc_base == BCM7712) {
/* BUS remap register settings */
reg_offset = brcm_ubus_reg_offset(i);
tmp = lower_32_bits(cpu_addr) & ~0xfff;
@@ -1036,15 +1031,15 @@ static int brcm_pcie_setup(struct brcm_p
int memc, ret;
/* Reset the bridge */
- ret = pcie->bridge_sw_init_set(pcie, 1);
+ ret = pcie->cfg->bridge_sw_init_set(pcie, 1);
if (ret)
return ret;
/* Ensure that PERST# is asserted; some bootloaders may deassert it. */
- if (pcie->soc_base == BCM2711) {
- ret = pcie->perst_set(pcie, 1);
+ if (pcie->cfg->soc_base == BCM2711) {
+ ret = pcie->cfg->perst_set(pcie, 1);
if (ret) {
- pcie->bridge_sw_init_set(pcie, 0);
+ pcie->cfg->bridge_sw_init_set(pcie, 0);
return ret;
}
}
@@ -1052,7 +1047,7 @@ static int brcm_pcie_setup(struct brcm_p
usleep_range(100, 200);
/* Take the bridge out of reset */
- ret = pcie->bridge_sw_init_set(pcie, 0);
+ ret = pcie->cfg->bridge_sw_init_set(pcie, 0);
if (ret)
return ret;
@@ -1072,9 +1067,9 @@ static int brcm_pcie_setup(struct brcm_p
*/
if (is_bmips(pcie))
burst = 0x1; /* 256 bytes */
- else if (pcie->soc_base == BCM2711)
+ else if (pcie->cfg->soc_base == BCM2711)
burst = 0x0; /* 128 bytes */
- else if (pcie->soc_base == BCM7278)
+ else if (pcie->cfg->soc_base == BCM7278)
burst = 0x3; /* 512 bytes */
else
burst = 0x2; /* 512 bytes */
@@ -1199,7 +1194,7 @@ static void brcm_extend_rbus_timeout(str
u32 timeout_us = 4000000; /* 4 seconds, our setting for L1SS */
/* 7712 does not have this (RGR1) timer */
- if (pcie->soc_base == BCM7712)
+ if (pcie->cfg->soc_base == BCM7712)
return;
/* Each unit in timeout register is 1/216,000,000 seconds */
@@ -1281,7 +1276,7 @@ static int brcm_pcie_start_link(struct b
brcm_pcie_set_gen(pcie, pcie->gen);
/* Unassert the fundamental reset */
- ret = pcie->perst_set(pcie, 0);
+ ret = pcie->cfg->perst_set(pcie, 0);
if (ret)
return ret;
@@ -1465,12 +1460,12 @@ static int brcm_phy_cntl(struct brcm_pci
static inline int brcm_phy_start(struct brcm_pcie *pcie)
{
- return pcie->has_phy ? brcm_phy_cntl(pcie, 1) : 0;
+ return pcie->cfg->has_phy ? brcm_phy_cntl(pcie, 1) : 0;
}
static inline int brcm_phy_stop(struct brcm_pcie *pcie)
{
- return pcie->has_phy ? brcm_phy_cntl(pcie, 0) : 0;
+ return pcie->cfg->has_phy ? brcm_phy_cntl(pcie, 0) : 0;
}
static int brcm_pcie_turn_off(struct brcm_pcie *pcie)
@@ -1481,7 +1476,7 @@ static int brcm_pcie_turn_off(struct brc
if (brcm_pcie_link_up(pcie))
brcm_pcie_enter_l23(pcie);
/* Assert fundamental reset */
- ret = pcie->perst_set(pcie, 1);
+ ret = pcie->cfg->perst_set(pcie, 1);
if (ret)
return ret;
@@ -1496,7 +1491,7 @@ static int brcm_pcie_turn_off(struct brc
writel(tmp, base + HARD_DEBUG(pcie));
/* Shutdown PCIe bridge */
- ret = pcie->bridge_sw_init_set(pcie, 1);
+ ret = pcie->cfg->bridge_sw_init_set(pcie, 1);
return ret;
}
@@ -1584,7 +1579,7 @@ static int brcm_pcie_resume_noirq(struct
goto err_reset;
/* Take bridge out of reset so we can access the SERDES reg */
- pcie->bridge_sw_init_set(pcie, 0);
+ pcie->cfg->bridge_sw_init_set(pcie, 0);
/* SERDES_IDDQ = 0 */
tmp = readl(base + HARD_DEBUG(pcie));
@@ -1805,12 +1800,7 @@ static int brcm_pcie_probe(struct platfo
pcie = pci_host_bridge_priv(bridge);
pcie->dev = &pdev->dev;
pcie->np = np;
- pcie->reg_offsets = data->offsets;
- pcie->soc_base = data->soc_base;
- pcie->perst_set = data->perst_set;
- pcie->bridge_sw_init_set = data->bridge_sw_init_set;
- pcie->has_phy = data->has_phy;
- pcie->num_inbound_wins = data->num_inbound_wins;
+ pcie->cfg = data;
pcie->base = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(pcie->base))
@@ -1845,7 +1835,7 @@ static int brcm_pcie_probe(struct platfo
if (ret)
return dev_err_probe(&pdev->dev, ret, "could not enable clock\n");
- pcie->bridge_sw_init_set(pcie, 0);
+ pcie->cfg->bridge_sw_init_set(pcie, 0);
if (pcie->swinit_reset) {
ret = reset_control_assert(pcie->swinit_reset);
@@ -1884,7 +1874,8 @@ static int brcm_pcie_probe(struct platfo
goto fail;
pcie->hw_rev = readl(pcie->base + PCIE_MISC_REVISION);
- if (pcie->soc_base == BCM4908 && pcie->hw_rev >= BRCM_PCIE_HW_REV_3_20) {
+ if (pcie->cfg->soc_base == BCM4908 &&
+ pcie->hw_rev >= BRCM_PCIE_HW_REV_3_20) {
dev_err(pcie->dev, "hardware revision with unsupported PERST# setup\n");
ret = -ENODEV;
goto fail;
@@ -1904,7 +1895,8 @@ static int brcm_pcie_probe(struct platfo
}
}
- bridge->ops = pcie->soc_base == BCM7425 ? &brcm7425_pcie_ops : &brcm_pcie_ops;
+ bridge->ops = pcie->cfg->soc_base == BCM7425 ?
+ &brcm7425_pcie_ops : &brcm_pcie_ops;
bridge->sysdata = pcie;
platform_set_drvdata(pdev, pcie);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 553/567] PCI: brcmstb: Set MLW based on "num-lanes" DT property if present
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (551 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 552/567] PCI: brcmstb: Reuse pcie_cfg_data structure Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 554/567] PCI: brcmstb: Fix disabling L0s capability Greg Kroah-Hartman
` (27 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Quinlan, Manivannan Sadhasivam,
Florian Fainelli, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Quinlan <james.quinlan@broadcom.com>
[ Upstream commit a364d10ffe361fb34c3838d33604da493045de1e ]
By default, the driver relies on the default hardware defined value for the
Max Link Width (MLW) capability. But if the "num-lanes" DT property is
present, assume that the chip's default capability information is incorrect
or undesired, and use the specified value instead.
Signed-off-by: Jim Quinlan <james.quinlan@broadcom.com>
[mani: reworded the description and comments]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20250530224035.41886-3-james.quinlan@broadcom.com
Stable-dep-of: 9583f9d22991 ("PCI: brcmstb: Fix disabling L0s capability")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-brcmstb.c | 27 ++++++++++++++++++++++++++-
1 file changed, 26 insertions(+), 1 deletion(-)
--- a/drivers/pci/controller/pcie-brcmstb.c
+++ b/drivers/pci/controller/pcie-brcmstb.c
@@ -46,6 +46,7 @@
#define PCIE_RC_CFG_PRIV1_ID_VAL3_CLASS_CODE_MASK 0xffffff
#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY 0x04dc
+#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_MAX_LINK_WIDTH_MASK 0x1f0
#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_ASPM_SUPPORT_MASK 0xc00
#define PCIE_RC_CFG_PRIV1_ROOT_CAP 0x4f8
@@ -55,6 +56,9 @@
#define PCIE_RC_DL_MDIO_WR_DATA 0x1104
#define PCIE_RC_DL_MDIO_RD_DATA 0x1108
+#define PCIE_RC_PL_REG_PHY_CTL_1 0x1804
+#define PCIE_RC_PL_REG_PHY_CTL_1_REG_P2_POWERDOWN_ENA_NOSYNC_MASK 0x8
+
#define PCIE_MISC_MISC_CTRL 0x4008
#define PCIE_MISC_MISC_CTRL_PCIE_RCB_64B_MODE_MASK 0x80
#define PCIE_MISC_MISC_CTRL_PCIE_RCB_MPS_MODE_MASK 0x400
@@ -1025,7 +1029,7 @@ static int brcm_pcie_setup(struct brcm_p
void __iomem *base = pcie->base;
struct pci_host_bridge *bridge;
struct resource_entry *entry;
- u32 tmp, burst, aspm_support;
+ u32 tmp, burst, aspm_support, num_lanes, num_lanes_cap;
u8 num_out_wins = 0;
int num_inbound_wins = 0;
int memc, ret;
@@ -1133,6 +1137,27 @@ static int brcm_pcie_setup(struct brcm_p
PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_ASPM_SUPPORT_MASK);
writel(tmp, base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
+ /* 'tmp' still holds the contents of PRIV1_LINK_CAPABILITY */
+ num_lanes_cap = u32_get_bits(tmp, PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_MAX_LINK_WIDTH_MASK);
+ num_lanes = 0;
+
+ /*
+ * Use hardware negotiated Max Link Width value by default. If the
+ * "num-lanes" DT property is present, assume that the chip's default
+ * link width capability information is incorrect/undesired and use the
+ * specified value instead.
+ */
+ if (!of_property_read_u32(pcie->np, "num-lanes", &num_lanes) &&
+ num_lanes && num_lanes <= 4 && num_lanes_cap != num_lanes) {
+ u32p_replace_bits(&tmp, num_lanes,
+ PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_MAX_LINK_WIDTH_MASK);
+ writel(tmp, base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
+ tmp = readl(base + PCIE_RC_PL_REG_PHY_CTL_1);
+ u32p_replace_bits(&tmp, 1,
+ PCIE_RC_PL_REG_PHY_CTL_1_REG_P2_POWERDOWN_ENA_NOSYNC_MASK);
+ writel(tmp, base + PCIE_RC_PL_REG_PHY_CTL_1);
+ }
+
/*
* For config space accesses on the RC, show the right class for
* a PCIe-PCIe bridge (the default setting is to be EP mode).
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 554/567] PCI: brcmstb: Fix disabling L0s capability
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (552 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 553/567] PCI: brcmstb: Set MLW based on "num-lanes" DT property if present Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 555/567] mm/balloon_compaction: we cannot have isolated pages in the balloon list Greg Kroah-Hartman
` (26 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Jim Quinlan,
Manivannan Sadhasivam, Florian Fainelli, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Quinlan <james.quinlan@broadcom.com>
[ Upstream commit 9583f9d22991d2cfb5cc59a2552040c4ae98d998 ]
caab002d5069 ("PCI: brcmstb: Disable L0s component of ASPM if requested")
set PCI_EXP_LNKCAP_ASPM_L1 and (optionally) PCI_EXP_LNKCAP_ASPM_L0S in
PCI_EXP_LNKCAP (aka PCIE_RC_CFG_PRIV1_LINK_CAPABILITY in brcmstb).
But instead of using PCI_EXP_LNKCAP_ASPM_L1 and PCI_EXP_LNKCAP_ASPM_L0S
directly, it used PCIE_LINK_STATE_L1 and PCIE_LINK_STATE_L0S, which are
Linux-created values that only coincidentally matched the PCIe spec.
b478e162f227 ("PCI/ASPM: Consolidate link state defines") later changed
them so they no longer matched the PCIe spec, so the bits ended up in the
wrong place in PCI_EXP_LNKCAP.
Use PCI_EXP_LNKCAP_ASPM_L0S to clear L0s support when there's an
'aspm-no-l0s' property. Rely on brcmstb hardware to advertise L0s and/or
L1 support otherwise.
Fixes: caab002d5069 ("PCI: brcmstb: Disable L0s component of ASPM if requested")
Reported-by: Bjorn Helgaas <bhelgaas@google.com>
Closes: https://lore.kernel.org/linux-pci/20250925194424.GA2197200@bhelgaas
Signed-off-by: Jim Quinlan <james.quinlan@broadcom.com>
[mani: reworded subject and description, added closes tag and CCed stable]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
[bhelgaas: commit log]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251003170436.1446030-1-james.quinlan@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-brcmstb.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
--- a/drivers/pci/controller/pcie-brcmstb.c
+++ b/drivers/pci/controller/pcie-brcmstb.c
@@ -47,7 +47,6 @@
#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY 0x04dc
#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_MAX_LINK_WIDTH_MASK 0x1f0
-#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_ASPM_SUPPORT_MASK 0xc00
#define PCIE_RC_CFG_PRIV1_ROOT_CAP 0x4f8
#define PCIE_RC_CFG_PRIV1_ROOT_CAP_L1SS_MODE_MASK 0xf8
@@ -1029,7 +1028,7 @@ static int brcm_pcie_setup(struct brcm_p
void __iomem *base = pcie->base;
struct pci_host_bridge *bridge;
struct resource_entry *entry;
- u32 tmp, burst, aspm_support, num_lanes, num_lanes_cap;
+ u32 tmp, burst, num_lanes, num_lanes_cap;
u8 num_out_wins = 0;
int num_inbound_wins = 0;
int memc, ret;
@@ -1129,12 +1128,9 @@ static int brcm_pcie_setup(struct brcm_p
/* Don't advertise L0s capability if 'aspm-no-l0s' */
- aspm_support = PCIE_LINK_STATE_L1;
- if (!of_property_read_bool(pcie->np, "aspm-no-l0s"))
- aspm_support |= PCIE_LINK_STATE_L0S;
tmp = readl(base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
- u32p_replace_bits(&tmp, aspm_support,
- PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_ASPM_SUPPORT_MASK);
+ if (of_property_read_bool(pcie->np, "aspm-no-l0s"))
+ tmp &= ~PCI_EXP_LNKCAP_ASPM_L0S;
writel(tmp, base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
/* 'tmp' still holds the contents of PRIV1_LINK_CAPABILITY */
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 555/567] mm/balloon_compaction: we cannot have isolated pages in the balloon list
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (553 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 554/567] PCI: brcmstb: Fix disabling L0s capability Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 556/567] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() Greg Kroah-Hartman
` (25 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Zi Yan,
Lorenzo Stoakes, Alistair Popple, Al Viro, Arnd Bergmann,
Brendan Jackman, Byungchul Park, Chengming Zhou,
Christian Brauner, Christophe Leroy, Eugenio Pé rez,
Gregory Price, Huang, Ying, Jan Kara, Jason Gunthorpe, Jason Wang,
Jerrin Shaji George, Johannes Weiner, John Hubbard,
Jonathan Corbet, Joshua Hahn, Liam Howlett, Madhavan Srinivasan,
Mathew Brost, Matthew Wilcox (Oracle), Miaohe Lin,
Michael Ellerman, Michael S. Tsirkin, Michal Hocko, Mike Rapoport,
Minchan Kim, Naoya Horiguchi, Nicholas Piggin, Oscar Salvador,
Peter Xu, Qi Zheng, Rakie Kim, Rik van Riel, Sergey Senozhatsky,
Shakeel Butt, Suren Baghdasaryan, Vlastimil Babka, Xuan Zhuo,
xu xin, Harry Yoo, Andrew Morton, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit fb05f992b6bbb4702307d96f00703ee637b24dbf ]
Patch series "mm/migration: rework movable_ops page migration (part 1)",
v2.
In the future, as we decouple "struct page" from "struct folio", pages
that support "non-lru page migration" -- movable_ops page migration such
as memory balloons and zsmalloc -- will no longer be folios. They will
not have ->mapping, ->lru, and likely no refcount and no page lock. But
they will have a type and flags 🙂
This is the first part (other parts not written yet) of decoupling
movable_ops page migration from folio migration.
In this series, we get rid of the ->mapping usage, and start cleaning up
the code + separating it from folio migration.
Migration core will have to be further reworked to not treat movable_ops
pages like folios. This is the first step into that direction.
This patch (of 29):
The core will set PG_isolated only after mops->isolate_page() was called.
In case of the balloon, that is where we will remove it from the balloon
list. So we cannot have isolated pages in the balloon list.
Let's drop this unnecessary check.
Link: https://lkml.kernel.org/r/20250704102524.326966-2-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Chengming Zhou <chengming.zhou@linux.dev>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Eugenio Pé rez <eperezma@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Gregory Price <gourry@gourry.net>
Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Jerrin Shaji George <jerrin.shaji-george@broadcom.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mathew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: xu xin <xu.xin16@zte.com.cn>
Cc: Harry Yoo <harry.yoo@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/balloon_compaction.c | 6 ------
1 file changed, 6 deletions(-)
--- a/mm/balloon_compaction.c
+++ b/mm/balloon_compaction.c
@@ -93,12 +93,6 @@ size_t balloon_page_list_dequeue(struct
if (!trylock_page(page))
continue;
- if (IS_ENABLED(CONFIG_BALLOON_COMPACTION) &&
- PageIsolated(page)) {
- /* raced with isolation */
- unlock_page(page);
- continue;
- }
balloon_page_delete(page);
__count_vm_event(BALLOON_DEFLATE);
list_add(&page->lru, pages);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 556/567] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (554 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 555/567] mm/balloon_compaction: we cannot have isolated pages in the balloon list Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 557/567] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages Greg Kroah-Hartman
` (24 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Lorenzo Stoakes,
Alistair Popple, Al Viro, Arnd Bergmann, Brendan Jackman,
Byungchul Park, Chengming Zhou, Christian Brauner,
Christophe Leroy, Eugenio Pé rez, Gregory Price, Harry Yoo,
Huang, Ying, Jan Kara, Jason Gunthorpe, Jason Wang,
Jerrin Shaji George, Johannes Weiner, John Hubbard,
Jonathan Corbet, Joshua Hahn, Liam Howlett, Madhavan Srinivasan,
Mathew Brost, Matthew Wilcox (Oracle), Miaohe Lin,
Michael Ellerman, Michael S. Tsirkin, Michal Hocko, Mike Rapoport,
Minchan Kim, Naoya Horiguchi, Nicholas Piggin, Oscar Salvador,
Peter Xu, Qi Zheng, Rakie Kim, Rik van Riel, Sergey Senozhatsky,
Shakeel Butt, Suren Baghdasaryan, Vlastimil Babka, Xuan Zhuo,
xu xin, Zi Yan, Andrew Morton, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit 15504b1163007bbfbd9a63460d5c14737c16e96d ]
Let's move the removal of the page from the balloon list into the single
caller, to remove the dependency on the PG_isolated flag and clarify
locking requirements.
Note that for now, balloon_page_delete() was used on two paths:
(1) Removing a page from the balloon for deflation through
balloon_page_list_dequeue()
(2) Removing an isolated page from the balloon for migration in the
per-driver migration handlers. Isolated pages were already removed from
the balloon list during isolation.
So instead of relying on the flag, we can just distinguish both cases
directly and handle it accordingly in the caller.
We'll shuffle the operations a bit such that they logically make more
sense (e.g., remove from the list before clearing flags).
In balloon migration functions we can now move the balloon_page_finalize()
out of the balloon lock and perform the finalization just before dropping
the balloon reference.
Document that the page lock is currently required when modifying the
movability aspects of a page; hopefully we can soon decouple this from the
page lock.
Link: https://lkml.kernel.org/r/20250704102524.326966-3-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Chengming Zhou <chengming.zhou@linux.dev>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Eugenio Pé rez <eperezma@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Gregory Price <gourry@gourry.net>
Cc: Harry Yoo <harry.yoo@oracle.com>
Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Jerrin Shaji George <jerrin.shaji-george@broadcom.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mathew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: xu xin <xu.xin16@zte.com.cn>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/cmm.c | 2 -
drivers/misc/vmw_balloon.c | 3 --
drivers/virtio/virtio_balloon.c | 4 ---
include/linux/balloon_compaction.h | 43 +++++++++++++----------------------
mm/balloon_compaction.c | 3 +-
5 files changed, 21 insertions(+), 34 deletions(-)
--- a/arch/powerpc/platforms/pseries/cmm.c
+++ b/arch/powerpc/platforms/pseries/cmm.c
@@ -532,7 +532,6 @@ static int cmm_migratepage(struct balloo
spin_lock_irqsave(&b_dev_info->pages_lock, flags);
balloon_page_insert(b_dev_info, newpage);
- balloon_page_delete(page);
b_dev_info->isolated_pages--;
spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
@@ -542,6 +541,7 @@ static int cmm_migratepage(struct balloo
*/
plpar_page_set_active(page);
+ balloon_page_finalize(page);
/* balloon page list reference */
put_page(page);
--- a/drivers/misc/vmw_balloon.c
+++ b/drivers/misc/vmw_balloon.c
@@ -1778,8 +1778,7 @@ static int vmballoon_migratepage(struct
* @pages_lock . We keep holding @comm_lock since we will need it in a
* second.
*/
- balloon_page_delete(page);
-
+ balloon_page_finalize(page);
put_page(page);
/* Inflate */
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -866,15 +866,13 @@ static int virtballoon_migratepage(struc
tell_host(vb, vb->inflate_vq);
/* balloon's page migration 2nd step -- deflate "page" */
- spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
- balloon_page_delete(page);
- spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
set_page_pfns(vb, vb->pfns, page);
tell_host(vb, vb->deflate_vq);
mutex_unlock(&vb->balloon_lock);
+ balloon_page_finalize(page);
put_page(page); /* balloon reference */
return MIGRATEPAGE_SUCCESS;
--- a/include/linux/balloon_compaction.h
+++ b/include/linux/balloon_compaction.h
@@ -98,27 +98,6 @@ static inline void balloon_page_insert(s
}
/*
- * balloon_page_delete - delete a page from balloon's page list and clear
- * the page->private assignement accordingly.
- * @page : page to be released from balloon's page list
- *
- * Caller must ensure the page is locked and the spin_lock protecting balloon
- * pages list is held before deleting a page from the balloon device.
- */
-static inline void balloon_page_delete(struct page *page)
-{
- __ClearPageOffline(page);
- __ClearPageMovable(page);
- set_page_private(page, 0);
- /*
- * No touch page.lru field once @page has been isolated
- * because VM is using the field.
- */
- if (!PageIsolated(page))
- list_del(&page->lru);
-}
-
-/*
* balloon_page_device - get the b_dev_info descriptor for the balloon device
* that enqueues the given page.
*/
@@ -141,12 +120,6 @@ static inline void balloon_page_insert(s
list_add(&page->lru, &balloon->pages);
}
-static inline void balloon_page_delete(struct page *page)
-{
- __ClearPageOffline(page);
- list_del(&page->lru);
-}
-
static inline gfp_t balloon_mapping_gfp_mask(void)
{
return GFP_HIGHUSER;
@@ -155,6 +128,22 @@ static inline gfp_t balloon_mapping_gfp_
#endif /* CONFIG_BALLOON_COMPACTION */
/*
+ * balloon_page_finalize - prepare a balloon page that was removed from the
+ * balloon list for release to the page allocator
+ * @page: page to be released to the page allocator
+ *
+ * Caller must ensure that the page is locked.
+ */
+static inline void balloon_page_finalize(struct page *page)
+{
+ if (IS_ENABLED(CONFIG_BALLOON_COMPACTION)) {
+ __ClearPageMovable(page);
+ set_page_private(page, 0);
+ }
+ __ClearPageOffline(page);
+}
+
+/*
* balloon_page_push - insert a page into a page list.
* @head : pointer to list
* @page : page to be added
--- a/mm/balloon_compaction.c
+++ b/mm/balloon_compaction.c
@@ -93,7 +93,8 @@ size_t balloon_page_list_dequeue(struct
if (!trylock_page(page))
continue;
- balloon_page_delete(page);
+ list_del(&page->lru);
+ balloon_page_finalize(page);
__count_vm_event(BALLOON_DEFLATE);
list_add(&page->lru, pages);
unlock_page(page);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 557/567] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (555 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 556/567] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 558/567] media: mediatek: vcodec: Use spinlock for context list protection lock Greg Kroah-Hartman
` (23 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand,
Ritesh Harjani (IBM), Christophe Leroy, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Andrew Morton, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit 0da2ba35c0d532ca0fe7af698b17d74c4d084b9a ]
Let's properly adjust BALLOON_MIGRATE like the other drivers.
Note that the INFLATE/DEFLATE events are triggered from the core when
enqueueing/dequeueing pages.
This was found by code inspection.
Link: https://lkml.kernel.org/r/20251021100606.148294-3-david@redhat.com
Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/cmm.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/powerpc/platforms/pseries/cmm.c
+++ b/arch/powerpc/platforms/pseries/cmm.c
@@ -532,6 +532,7 @@ static int cmm_migratepage(struct balloo
spin_lock_irqsave(&b_dev_info->pages_lock, flags);
balloon_page_insert(b_dev_info, newpage);
+ __count_vm_event(BALLOON_MIGRATE);
b_dev_info->isolated_pages--;
spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 558/567] media: mediatek: vcodec: Use spinlock for context list protection lock
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (556 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 557/567] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 559/567] media: amphion: Add a frame flush mode for decoder Greg Kroah-Hartman
` (22 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunfei Dong, Chen-Yu Tsai, Fei Shao,
Tomasz Figa, Nicolas Dufresne, Hans Verkuil, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit a5844227e0f030d2af2d85d4aed10c5eca6ca176 ]
Previously a mutex was added to protect the encoder and decoder context
lists from unexpected changes originating from the SCP IP block, causing
the context pointer to go invalid, resulting in a NULL pointer
dereference in the IPI handler.
Turns out on the MT8173, the VPU IPI handler is called from hard IRQ
context. This causes a big warning from the scheduler. This was first
reported downstream on the ChromeOS kernels, but is also reproducible
on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though
the actual capture format is not supported, the affected code paths
are triggered.
Since this lock just protects the context list and operations on it are
very fast, it should be OK to switch to a spinlock.
Fixes: 6467cda18c9f ("media: mediatek: vcodec: adding lock to protect decoder context list")
Fixes: afaaf3a0f647 ("media: mediatek: vcodec: adding lock to protect encoder context list")
Cc: Yunfei Dong <yunfei.dong@mediatek.com>
Cc: stable@vger.kernel.org
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: Fei Shao <fshao@chromium.org>
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ adapted file_to_dec_ctx() and file_to_enc_ctx() helper calls to equivalent fh_to_dec_ctx(file->private_data) and fh_to_enc_ctx(file->private_data) pattern ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 10 +++++---
drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c | 12 +++++-----
drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h | 2 -
drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c | 5 ++--
drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c | 12 +++++-----
drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h | 2 -
drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c | 5 ++--
7 files changed, 28 insertions(+), 20 deletions(-)
--- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c
+++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c
@@ -47,30 +47,32 @@ static void mtk_vcodec_vpu_reset_dec_han
{
struct mtk_vcodec_dec_dev *dev = priv;
struct mtk_vcodec_dec_ctx *ctx;
+ unsigned long flags;
dev_err(&dev->plat_dev->dev, "Watchdog timeout!!");
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_for_each_entry(ctx, &dev->ctx_list, list) {
ctx->state = MTK_STATE_ABORT;
mtk_v4l2_vdec_dbg(0, ctx, "[%d] Change to state MTK_STATE_ABORT", ctx->id);
}
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
}
static void mtk_vcodec_vpu_reset_enc_handler(void *priv)
{
struct mtk_vcodec_enc_dev *dev = priv;
struct mtk_vcodec_enc_ctx *ctx;
+ unsigned long flags;
dev_err(&dev->plat_dev->dev, "Watchdog timeout!!");
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_for_each_entry(ctx, &dev->ctx_list, list) {
ctx->state = MTK_STATE_ABORT;
mtk_v4l2_vdec_dbg(0, ctx, "[%d] Change to state MTK_STATE_ABORT", ctx->id);
}
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
}
static const struct mtk_vcodec_fw_ops mtk_vcodec_vpu_msg = {
--- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c
+++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c
@@ -198,6 +198,7 @@ static int fops_vcodec_open(struct file
struct mtk_vcodec_dec_ctx *ctx = NULL;
int ret = 0, i, hw_count;
struct vb2_queue *src_vq;
+ unsigned long flags;
ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
if (!ctx)
@@ -268,9 +269,9 @@ static int fops_vcodec_open(struct file
ctx->dev->vdec_pdata->init_vdec_params(ctx);
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_add(&ctx->list, &dev->ctx_list);
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
mtk_vcodec_dbgfs_create(ctx);
mutex_unlock(&dev->dev_mutex);
@@ -295,6 +296,7 @@ static int fops_vcodec_release(struct fi
{
struct mtk_vcodec_dec_dev *dev = video_drvdata(file);
struct mtk_vcodec_dec_ctx *ctx = fh_to_dec_ctx(file->private_data);
+ unsigned long flags;
mtk_v4l2_vdec_dbg(0, ctx, "[%d] decoder", ctx->id);
mutex_lock(&dev->dev_mutex);
@@ -313,9 +315,9 @@ static int fops_vcodec_release(struct fi
v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
mtk_vcodec_dbgfs_remove(dev, ctx->id);
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_del_init(&ctx->list);
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
kfree(ctx);
mutex_unlock(&dev->dev_mutex);
return 0;
@@ -408,7 +410,7 @@ static int mtk_vcodec_probe(struct platf
for (i = 0; i < MTK_VDEC_HW_MAX; i++)
mutex_init(&dev->dec_mutex[i]);
mutex_init(&dev->dev_mutex);
- mutex_init(&dev->dev_ctx_lock);
+ spin_lock_init(&dev->dev_ctx_lock);
spin_lock_init(&dev->irqlock);
snprintf(dev->v4l2_dev.name, sizeof(dev->v4l2_dev.name), "%s",
--- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
+++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
@@ -283,7 +283,7 @@ struct mtk_vcodec_dec_dev {
/* decoder hardware mutex lock */
struct mutex dec_mutex[MTK_VDEC_HW_MAX];
struct mutex dev_mutex;
- struct mutex dev_ctx_lock;
+ spinlock_t dev_ctx_lock;
struct workqueue_struct *decode_workqueue;
spinlock_t irqlock;
--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
+++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
@@ -75,16 +75,17 @@ static void handle_get_param_msg_ack(con
static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev *dec_dev, struct vdec_vpu_inst *vpu)
{
struct mtk_vcodec_dec_ctx *ctx;
+ unsigned long flags;
int ret = false;
- mutex_lock(&dec_dev->dev_ctx_lock);
+ spin_lock_irqsave(&dec_dev->dev_ctx_lock, flags);
list_for_each_entry(ctx, &dec_dev->ctx_list, list) {
if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
ret = true;
break;
}
}
- mutex_unlock(&dec_dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dec_dev->dev_ctx_lock, flags);
return ret;
}
--- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c
+++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c
@@ -117,6 +117,7 @@ static int fops_vcodec_open(struct file
struct mtk_vcodec_enc_ctx *ctx = NULL;
int ret = 0;
struct vb2_queue *src_vq;
+ unsigned long flags;
ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
if (!ctx)
@@ -177,9 +178,9 @@ static int fops_vcodec_open(struct file
mtk_v4l2_venc_dbg(2, ctx, "Create instance [%d]@%p m2m_ctx=%p ",
ctx->id, ctx, ctx->m2m_ctx);
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_add(&ctx->list, &dev->ctx_list);
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
mutex_unlock(&dev->dev_mutex);
mtk_v4l2_venc_dbg(0, ctx, "%s encoder [%d]", dev_name(&dev->plat_dev->dev),
@@ -204,6 +205,7 @@ static int fops_vcodec_release(struct fi
{
struct mtk_vcodec_enc_dev *dev = video_drvdata(file);
struct mtk_vcodec_enc_ctx *ctx = fh_to_enc_ctx(file->private_data);
+ unsigned long flags;
mtk_v4l2_venc_dbg(1, ctx, "[%d] encoder", ctx->id);
mutex_lock(&dev->dev_mutex);
@@ -214,9 +216,9 @@ static int fops_vcodec_release(struct fi
v4l2_fh_exit(&ctx->fh);
v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_del_init(&ctx->list);
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
kfree(ctx);
mutex_unlock(&dev->dev_mutex);
return 0;
@@ -298,7 +300,7 @@ static int mtk_vcodec_probe(struct platf
mutex_init(&dev->enc_mutex);
mutex_init(&dev->dev_mutex);
- mutex_init(&dev->dev_ctx_lock);
+ spin_lock_init(&dev->dev_ctx_lock);
spin_lock_init(&dev->irqlock);
snprintf(dev->v4l2_dev.name, sizeof(dev->v4l2_dev.name), "%s",
--- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
+++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
@@ -206,7 +206,7 @@ struct mtk_vcodec_enc_dev {
/* encoder hardware mutex lock */
struct mutex enc_mutex;
struct mutex dev_mutex;
- struct mutex dev_ctx_lock;
+ spinlock_t dev_ctx_lock;
struct workqueue_struct *encode_workqueue;
int enc_irq;
--- a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
+++ b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
@@ -45,16 +45,17 @@ static void handle_enc_encode_msg(struct
static bool vpu_enc_check_ap_inst(struct mtk_vcodec_enc_dev *enc_dev, struct venc_vpu_inst *vpu)
{
struct mtk_vcodec_enc_ctx *ctx;
+ unsigned long flags;
int ret = false;
- mutex_lock(&enc_dev->dev_ctx_lock);
+ spin_lock_irqsave(&enc_dev->dev_ctx_lock, flags);
list_for_each_entry(ctx, &enc_dev->ctx_list, list) {
if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
ret = true;
break;
}
}
- mutex_unlock(&enc_dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&enc_dev->dev_ctx_lock, flags);
return ret;
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 559/567] media: amphion: Add a frame flush mode for decoder
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (557 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 558/567] media: mediatek: vcodec: Use spinlock for context list protection lock Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 560/567] media: amphion: Make some vpu_v4l2 functions static Greg Kroah-Hartman
` (21 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Nicolas Dufresne,
Sebastian Fricke, Hans Verkuil, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
[ Upstream commit 9ea16ba6eaf93f25f61855751f71e2e701709ddf ]
By default the amphion decoder will pre-parse 3 frames before starting
to decode the first frame. Alternatively, a block of flush padding data
can be appended to the frame, which will ensure that the decoder can
start decoding immediately after parsing the flush padding data, thus
potentially reducing decoding latency.
This mode was previously only enabled, when the display delay was set to
0. Allow the user to manually toggle the use of that mode via a module
parameter called low_latency, which enables the mode without
changing the display order.
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Stable-dep-of: 634c2cd17bd0 ("media: amphion: Remove vpu_vb_is_codecconfig")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/amphion/vpu_malone.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/amphion/vpu_malone.c
+++ b/drivers/media/platform/amphion/vpu_malone.c
@@ -25,6 +25,10 @@
#include "vpu_imx8q.h"
#include "vpu_malone.h"
+static bool low_latency;
+module_param(low_latency, bool, 0644);
+MODULE_PARM_DESC(low_latency, "Set low latency frame flush mode: 0 (disable) or 1 (enable)");
+
#define CMD_SIZE 25600
#define MSG_SIZE 25600
#define CODEC_SIZE 0x1000
@@ -1562,7 +1566,15 @@ static int vpu_malone_input_frame_data(s
vpu_malone_update_wptr(str_buf, wptr);
- if (disp_imm && !vpu_vb_is_codecconfig(vbuf)) {
+ /*
+ * Enable the low latency flush mode if display delay is set to 0
+ * or the low latency frame flush mode if it is set to 1.
+ * The low latency flush mode requires some padding data to be appended to each frame,
+ * but there must not be any padding data between the sequence header and the frame.
+ * This module is currently only supported for the H264 and HEVC formats,
+ * for other formats, vpu_malone_add_scode() will return 0.
+ */
+ if ((disp_imm || low_latency) && !vpu_vb_is_codecconfig(vbuf)) {
ret = vpu_malone_add_scode(inst->core->iface,
inst->id,
&inst->stream_buffer,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 560/567] media: amphion: Make some vpu_v4l2 functions static
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (558 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 559/567] media: amphion: Add a frame flush mode for decoder Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 561/567] media: amphion: Remove vpu_vb_is_codecconfig Greg Kroah-Hartman
` (20 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Ming Qian,
Hans Verkuil, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
[ Upstream commit 5d1e54bb4dc6741284a3ed587e994308ddee2f16 ]
Some functions defined in vpu_v4l2.c are never used outside of that
compilation unit. Make them static.
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reviewed-by: Ming Qian <ming.qian@oss.nxp.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Stable-dep-of: 634c2cd17bd0 ("media: amphion: Remove vpu_vb_is_codecconfig")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/amphion/vpu_v4l2.c | 12 +++++++++---
drivers/media/platform/amphion/vpu_v4l2.h | 8 --------
2 files changed, 9 insertions(+), 11 deletions(-)
--- a/drivers/media/platform/amphion/vpu_v4l2.c
+++ b/drivers/media/platform/amphion/vpu_v4l2.c
@@ -24,6 +24,11 @@
#include "vpu_msgs.h"
#include "vpu_helpers.h"
+static char *vpu_type_name(u32 type)
+{
+ return V4L2_TYPE_IS_OUTPUT(type) ? "output" : "capture";
+}
+
void vpu_inst_lock(struct vpu_inst *inst)
{
mutex_lock(&inst->lock);
@@ -42,7 +47,7 @@ dma_addr_t vpu_get_vb_phy_addr(struct vb
vb->planes[plane_no].data_offset;
}
-unsigned int vpu_get_vb_length(struct vb2_buffer *vb, u32 plane_no)
+static unsigned int vpu_get_vb_length(struct vb2_buffer *vb, u32 plane_no)
{
if (plane_no >= vb->num_planes)
return 0;
@@ -81,7 +86,7 @@ void vpu_v4l2_set_error(struct vpu_inst
vpu_inst_unlock(inst);
}
-int vpu_notify_eos(struct vpu_inst *inst)
+static int vpu_notify_eos(struct vpu_inst *inst)
{
static const struct v4l2_event ev = {
.id = 0,
@@ -562,7 +567,8 @@ static void vpu_vb2_buf_finish(struct vb
call_void_vop(inst, on_queue_empty, q->type);
}
-void vpu_vb2_buffers_return(struct vpu_inst *inst, unsigned int type, enum vb2_buffer_state state)
+static void vpu_vb2_buffers_return(struct vpu_inst *inst, unsigned int type,
+ enum vb2_buffer_state state)
{
struct vb2_v4l2_buffer *buf;
--- a/drivers/media/platform/amphion/vpu_v4l2.h
+++ b/drivers/media/platform/amphion/vpu_v4l2.h
@@ -26,15 +26,12 @@ void vpu_skip_frame(struct vpu_inst *ins
struct vb2_v4l2_buffer *vpu_find_buf_by_sequence(struct vpu_inst *inst, u32 type, u32 sequence);
struct vb2_v4l2_buffer *vpu_find_buf_by_idx(struct vpu_inst *inst, u32 type, u32 idx);
void vpu_v4l2_set_error(struct vpu_inst *inst);
-int vpu_notify_eos(struct vpu_inst *inst);
int vpu_notify_source_change(struct vpu_inst *inst);
int vpu_set_last_buffer_dequeued(struct vpu_inst *inst, bool eos);
-void vpu_vb2_buffers_return(struct vpu_inst *inst, unsigned int type, enum vb2_buffer_state state);
int vpu_get_num_buffers(struct vpu_inst *inst, u32 type);
bool vpu_is_source_empty(struct vpu_inst *inst);
dma_addr_t vpu_get_vb_phy_addr(struct vb2_buffer *vb, u32 plane_no);
-unsigned int vpu_get_vb_length(struct vb2_buffer *vb, u32 plane_no);
static inline struct vpu_format *vpu_get_format(struct vpu_inst *inst, u32 type)
{
if (V4L2_TYPE_IS_OUTPUT(type))
@@ -43,11 +40,6 @@ static inline struct vpu_format *vpu_get
return &inst->cap_format;
}
-static inline char *vpu_type_name(u32 type)
-{
- return V4L2_TYPE_IS_OUTPUT(type) ? "output" : "capture";
-}
-
static inline int vpu_vb_is_codecconfig(struct vb2_v4l2_buffer *vbuf)
{
#ifdef V4L2_BUF_FLAG_CODECCONFIG
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 561/567] media: amphion: Remove vpu_vb_is_codecconfig
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (559 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 560/567] media: amphion: Make some vpu_v4l2 functions static Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 562/567] vfio/pci: Disable qword access to the PCI ROM bar Greg Kroah-Hartman
` (19 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Nicolas Dufresne,
Hans Verkuil, Sasha Levin
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
[ Upstream commit 634c2cd17bd021487c57b95973bddb14be8002ff ]
Currently the function vpu_vb_is_codecconfig() always returns 0.
Delete it and its related code.
Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
Cc: stable@vger.kernel.org
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/amphion/vpu_malone.c | 23 +++--------------------
drivers/media/platform/amphion/vpu_v4l2.c | 10 ----------
drivers/media/platform/amphion/vpu_v4l2.h | 10 ----------
3 files changed, 3 insertions(+), 40 deletions(-)
--- a/drivers/media/platform/amphion/vpu_malone.c
+++ b/drivers/media/platform/amphion/vpu_malone.c
@@ -1315,22 +1315,18 @@ static int vpu_malone_insert_scode_vc1_g
{
if (!scode->inst->total_input_count)
return 0;
- if (vpu_vb_is_codecconfig(to_vb2_v4l2_buffer(scode->vb)))
- scode->need_data = 0;
return 0;
}
static int vpu_malone_insert_scode_vc1_g_pic(struct malone_scode_t *scode)
{
- struct vb2_v4l2_buffer *vbuf;
u8 nal_hdr[MALONE_VC1_NAL_HEADER_LEN];
u32 *data = NULL;
int ret;
- vbuf = to_vb2_v4l2_buffer(scode->vb);
data = vb2_plane_vaddr(scode->vb, 0);
- if (scode->inst->total_input_count == 0 || vpu_vb_is_codecconfig(vbuf))
+ if (scode->inst->total_input_count == 0)
return 0;
if (MALONE_VC1_CONTAIN_NAL(*data))
return 0;
@@ -1351,8 +1347,6 @@ static int vpu_malone_insert_scode_vc1_l
int size = 0;
u8 rcv_seqhdr[MALONE_VC1_RCV_SEQ_HEADER_LEN];
- if (vpu_vb_is_codecconfig(to_vb2_v4l2_buffer(scode->vb)))
- scode->need_data = 0;
if (scode->inst->total_input_count)
return 0;
scode->need_data = 0;
@@ -1538,7 +1532,7 @@ static int vpu_malone_input_frame_data(s
scode.vb = vb;
scode.wptr = wptr;
scode.need_data = 1;
- if (vbuf->sequence == 0 || vpu_vb_is_codecconfig(vbuf))
+ if (vbuf->sequence == 0)
ret = vpu_malone_insert_scode(&scode, SCODE_SEQUENCE);
if (ret < 0)
@@ -1574,7 +1568,7 @@ static int vpu_malone_input_frame_data(s
* This module is currently only supported for the H264 and HEVC formats,
* for other formats, vpu_malone_add_scode() will return 0.
*/
- if ((disp_imm || low_latency) && !vpu_vb_is_codecconfig(vbuf)) {
+ if (disp_imm || low_latency) {
ret = vpu_malone_add_scode(inst->core->iface,
inst->id,
&inst->stream_buffer,
@@ -1621,7 +1615,6 @@ int vpu_malone_input_frame(struct vpu_sh
struct vpu_inst *inst, struct vb2_buffer *vb)
{
struct vpu_dec_ctrl *hc = shared->priv;
- struct vb2_v4l2_buffer *vbuf;
struct vpu_malone_str_buffer __iomem *str_buf = hc->str_buf[inst->id];
u32 disp_imm = hc->codec_param[inst->id].disp_imm;
u32 size;
@@ -1635,16 +1628,6 @@ int vpu_malone_input_frame(struct vpu_sh
return ret;
size = ret;
- /*
- * if buffer only contain codec data, and the timestamp is invalid,
- * don't put the invalid timestamp to resync
- * merge the data to next frame
- */
- vbuf = to_vb2_v4l2_buffer(vb);
- if (vpu_vb_is_codecconfig(vbuf)) {
- inst->extra_size += size;
- return 0;
- }
if (inst->extra_size) {
size += inst->extra_size;
inst->extra_size = 0;
--- a/drivers/media/platform/amphion/vpu_v4l2.c
+++ b/drivers/media/platform/amphion/vpu_v4l2.c
@@ -349,16 +349,6 @@ struct vb2_v4l2_buffer *vpu_next_src_buf
if (!src_buf || vpu_get_buffer_state(src_buf) == VPU_BUF_STATE_IDLE)
return NULL;
- while (vpu_vb_is_codecconfig(src_buf)) {
- v4l2_m2m_src_buf_remove(inst->fh.m2m_ctx);
- vpu_set_buffer_state(src_buf, VPU_BUF_STATE_IDLE);
- v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_DONE);
-
- src_buf = v4l2_m2m_next_src_buf(inst->fh.m2m_ctx);
- if (!src_buf || vpu_get_buffer_state(src_buf) == VPU_BUF_STATE_IDLE)
- return NULL;
- }
-
return src_buf;
}
--- a/drivers/media/platform/amphion/vpu_v4l2.h
+++ b/drivers/media/platform/amphion/vpu_v4l2.h
@@ -39,14 +39,4 @@ static inline struct vpu_format *vpu_get
else
return &inst->cap_format;
}
-
-static inline int vpu_vb_is_codecconfig(struct vb2_v4l2_buffer *vbuf)
-{
-#ifdef V4L2_BUF_FLAG_CODECCONFIG
- return (vbuf->flags & V4L2_BUF_FLAG_CODECCONFIG) ? 1 : 0;
-#else
- return 0;
-#endif
-}
-
#endif
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 562/567] vfio/pci: Disable qword access to the PCI ROM bar
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (560 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 561/567] media: amphion: Remove vpu_vb_is_codecconfig Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 563/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Greg Kroah-Hartman
` (18 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Farrah Chen, Kevin Tian,
Alex Williamson
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Tian <kevin.tian@intel.com>
[ Upstream commit dc85a46928c41423ad89869baf05a589e2975575 ]
Commit 2b938e3db335 ("vfio/pci: Enable iowrite64 and ioread64 for vfio
pci") enables qword access to the PCI bar resources. However certain
devices (e.g. Intel X710) are observed with problem upon qword accesses
to the rom bar, e.g. triggering PCI aer errors.
This is triggered by Qemu which caches the rom content by simply does a
pread() of the remaining size until it gets the full contents. The other
bars would only perform operations at the same access width as their
guest drivers.
Instead of trying to identify all broken devices, universally disable
qword access to the rom bar i.e. going back to the old way which worked
reliably for years.
Reported-by: Farrah Chen <farrah.chen@intel.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220740
Fixes: 2b938e3db335 ("vfio/pci: Enable iowrite64 and ioread64 for vfio pci")
Cc: stable@vger.kernel.org
Signed-off-by: Kevin Tian <kevin.tian@intel.com>
Tested-by: Farrah Chen <farrah.chen@intel.com>
Link: https://lore.kernel.org/r/20251218081650.555015-2-kevin.tian@intel.com
Signed-off-by: Alex Williamson <alex@shazbot.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vfio/pci/nvgrace-gpu/main.c | 4 ++--
drivers/vfio/pci/vfio_pci_rdwr.c | 24 ++++++++++++++++++------
include/linux/vfio_pci_core.h | 10 +++++++++-
3 files changed, 29 insertions(+), 9 deletions(-)
--- a/drivers/vfio/pci/nvgrace-gpu/main.c
+++ b/drivers/vfio/pci/nvgrace-gpu/main.c
@@ -482,7 +482,7 @@ nvgrace_gpu_map_and_read(struct nvgrace_
ret = vfio_pci_core_do_io_rw(&nvdev->core_device, false,
nvdev->resmem.ioaddr,
buf, offset, mem_count,
- 0, 0, false);
+ 0, 0, false, VFIO_PCI_IO_WIDTH_8);
}
return ret;
@@ -600,7 +600,7 @@ nvgrace_gpu_map_and_write(struct nvgrace
ret = vfio_pci_core_do_io_rw(&nvdev->core_device, false,
nvdev->resmem.ioaddr,
(char __user *)buf, pos, mem_count,
- 0, 0, true);
+ 0, 0, true, VFIO_PCI_IO_WIDTH_8);
}
return ret;
--- a/drivers/vfio/pci/vfio_pci_rdwr.c
+++ b/drivers/vfio/pci/vfio_pci_rdwr.c
@@ -141,7 +141,8 @@ VFIO_IORDWR(64)
ssize_t vfio_pci_core_do_io_rw(struct vfio_pci_core_device *vdev, bool test_mem,
void __iomem *io, char __user *buf,
loff_t off, size_t count, size_t x_start,
- size_t x_end, bool iswrite)
+ size_t x_end, bool iswrite,
+ enum vfio_pci_io_width max_width)
{
ssize_t done = 0;
int ret;
@@ -157,7 +158,7 @@ ssize_t vfio_pci_core_do_io_rw(struct vf
fillable = 0;
#if defined(ioread64) && defined(iowrite64)
- if (fillable >= 8 && !(off % 8)) {
+ if (fillable >= 8 && !(off % 8) && max_width >= 8) {
ret = vfio_pci_iordwr64(vdev, iswrite, test_mem,
io, buf, off, &filled);
if (ret)
@@ -165,13 +166,13 @@ ssize_t vfio_pci_core_do_io_rw(struct vf
} else
#endif
- if (fillable >= 4 && !(off % 4)) {
+ if (fillable >= 4 && !(off % 4) && max_width >= 4) {
ret = vfio_pci_iordwr32(vdev, iswrite, test_mem,
io, buf, off, &filled);
if (ret)
return ret;
- } else if (fillable >= 2 && !(off % 2)) {
+ } else if (fillable >= 2 && !(off % 2) && max_width >= 2) {
ret = vfio_pci_iordwr16(vdev, iswrite, test_mem,
io, buf, off, &filled);
if (ret)
@@ -242,6 +243,7 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_
void __iomem *io;
struct resource *res = &vdev->pdev->resource[bar];
ssize_t done;
+ enum vfio_pci_io_width max_width = VFIO_PCI_IO_WIDTH_8;
if (pci_resource_start(pdev, bar))
end = pci_resource_len(pdev, bar);
@@ -268,6 +270,16 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_
goto out;
}
x_end = end;
+
+ /*
+ * Certain devices (e.g. Intel X710) don't support qword
+ * access to the ROM bar. Otherwise PCI AER errors might be
+ * triggered.
+ *
+ * Disable qword access to the ROM bar universally, which
+ * worked reliably for years before qword access is enabled.
+ */
+ max_width = VFIO_PCI_IO_WIDTH_4;
} else {
int ret = vfio_pci_core_setup_barmap(vdev, bar);
if (ret) {
@@ -284,7 +296,7 @@ ssize_t vfio_pci_bar_rw(struct vfio_pci_
}
done = vfio_pci_core_do_io_rw(vdev, res->flags & IORESOURCE_MEM, io, buf, pos,
- count, x_start, x_end, iswrite);
+ count, x_start, x_end, iswrite, max_width);
if (done >= 0)
*ppos += done;
@@ -353,7 +365,7 @@ ssize_t vfio_pci_vga_rw(struct vfio_pci_
* to the memory enable bit in the command register.
*/
done = vfio_pci_core_do_io_rw(vdev, false, iomem, buf, off, count,
- 0, 0, iswrite);
+ 0, 0, iswrite, VFIO_PCI_IO_WIDTH_8);
vga_put(vdev->pdev, rsrc);
--- a/include/linux/vfio_pci_core.h
+++ b/include/linux/vfio_pci_core.h
@@ -102,6 +102,13 @@ struct vfio_pci_core_device {
struct rw_semaphore memory_lock;
};
+enum vfio_pci_io_width {
+ VFIO_PCI_IO_WIDTH_1 = 1,
+ VFIO_PCI_IO_WIDTH_2 = 2,
+ VFIO_PCI_IO_WIDTH_4 = 4,
+ VFIO_PCI_IO_WIDTH_8 = 8,
+};
+
/* Will be exported for vfio pci drivers usage */
int vfio_pci_core_register_dev_region(struct vfio_pci_core_device *vdev,
unsigned int type, unsigned int subtype,
@@ -137,7 +144,8 @@ pci_ers_result_t vfio_pci_core_aer_err_d
ssize_t vfio_pci_core_do_io_rw(struct vfio_pci_core_device *vdev, bool test_mem,
void __iomem *io, char __user *buf,
loff_t off, size_t count, size_t x_start,
- size_t x_end, bool iswrite);
+ size_t x_end, bool iswrite,
+ enum vfio_pci_io_width max_width);
bool vfio_pci_core_range_intersect_range(loff_t buf_start, size_t buf_cnt,
loff_t reg_start, size_t reg_cnt,
loff_t *buf_offset,
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 563/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (561 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 562/567] vfio/pci: Disable qword access to the PCI ROM bar Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 564/567] mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter() Greg Kroah-Hartman
` (17 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit eded254cb69044bd4abde87394ea44909708d7c0 upstream.
damon_test_split_regions_of() is assuming all dynamic memory allocation in
it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-9-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -278,15 +278,35 @@ static void damon_test_split_regions_of(
struct damon_target *t;
struct damon_region *r;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "target alloc fail");
+ }
r = damon_new_region(0, 22);
+ if (!r) {
+ damon_destroy_ctx(c);
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
damon_split_regions_of(t, 2);
KUNIT_EXPECT_LE(test, damon_nr_regions(t), 2u);
damon_free_target(t);
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "second target alloc fail");
+ }
r = damon_new_region(0, 220);
+ if (!r) {
+ damon_destroy_ctx(c);
+ damon_free_target(t);
+ kunit_skip(test, "second region alloc fail");
+ }
damon_add_region(r, t);
damon_split_regions_of(t, 4);
KUNIT_EXPECT_LE(test, damon_nr_regions(t), 4u);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 564/567] mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (562 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 563/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 565/567] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Greg Kroah-Hartman
` (16 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 28ab2265e9422ccd81e4beafc0ace90f78de04c4 upstream.
damon_test_new_filter() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-14-sj@kernel.org
Fixes: 2a158e956b98 ("mm/damon/core-test: add a test for damos_new_filter()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.6+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/core-kunit.h | 2 ++
1 file changed, 2 insertions(+)
--- a/mm/damon/tests/core-kunit.h
+++ b/mm/damon/tests/core-kunit.h
@@ -505,6 +505,8 @@ static void damos_test_new_filter(struct
struct damos_filter *filter;
filter = damos_new_filter(DAMOS_FILTER_TYPE_ANON, true);
+ if (!filter)
+ kunit_skip(test, "filter alloc fail");
KUNIT_EXPECT_EQ(test, filter->type, DAMOS_FILTER_TYPE_ANON);
KUNIT_EXPECT_EQ(test, filter->matching, true);
KUNIT_EXPECT_PTR_EQ(test, filter->list.prev, &filter->list);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 565/567] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (563 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 564/567] mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter() Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 566/567] iomap: allocate s_dio_done_wq for async reads as well Greg Kroah-Hartman
` (15 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 2b22d0fcc6320ba29b2122434c1d2f0785fb0a25 upstream.
damon_do_test_apply_three_regions() is assuming all dynamic memory
allocation in it will succeed. Those are indeed likely in the real use
cases since those allocations are too small to fail, but theoretically
those could fail. In the case, inappropriate memory access can happen.
Fix it by appropriately cleanup pre-allocated memory and skip the
execution of the remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-18-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/tests/vaddr-kunit.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/damon/tests/vaddr-kunit.h
+++ b/mm/damon/tests/vaddr-kunit.h
@@ -136,8 +136,14 @@ static void damon_do_test_apply_three_re
int i;
t = damon_new_target();
+ if (!t)
+ kunit_skip(test, "target alloc fail");
for (i = 0; i < nr_regions / 2; i++) {
r = damon_new_region(regions[i * 2], regions[i * 2 + 1]);
+ if (!r) {
+ damon_destroy_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
}
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 566/567] iomap: allocate s_dio_done_wq for async reads as well
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (564 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 565/567] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 567/567] block: fix NULL pointer dereference in blk_zone_reset_all_bio_endio() Greg Kroah-Hartman
` (14 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a2b9a4ed0d61b1efb3f5,
Christoph Hellwig, Dave Chinner, Darrick J. Wong,
Christian Brauner
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
commit 7fd8720dff2d9c70cf5a1a13b7513af01952ec02 upstream.
Since commit 222f2c7c6d14 ("iomap: always run error completions in user
context"), read error completions are deferred to s_dio_done_wq. This
means the workqueue also needs to be allocated for async reads.
Fixes: 222f2c7c6d14 ("iomap: always run error completions in user context")
Reported-by: syzbot+a2b9a4ed0d61b1efb3f5@syzkaller.appspotmail.com
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20251124140013.902853-1-hch@lst.de
Tested-by: syzbot+a2b9a4ed0d61b1efb3f5@syzkaller.appspotmail.com
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/iomap/direct-io.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/iomap/direct-io.c
+++ b/fs/iomap/direct-io.c
@@ -674,12 +674,12 @@ __iomap_dio_rw(struct kiocb *iocb, struc
}
goto out_free_dio;
}
+ }
- if (!wait_for_completion && !inode->i_sb->s_dio_done_wq) {
- ret = sb_init_dio_done_wq(inode->i_sb);
- if (ret < 0)
- goto out_free_dio;
- }
+ if (!wait_for_completion && !inode->i_sb->s_dio_done_wq) {
+ ret = sb_init_dio_done_wq(inode->i_sb);
+ if (ret < 0)
+ goto out_free_dio;
}
inode_dio_begin(inode);
^ permalink raw reply [flat|nested] 587+ messages in thread
* [PATCH 6.12 567/567] block: fix NULL pointer dereference in blk_zone_reset_all_bio_endio()
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (565 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 566/567] iomap: allocate s_dio_done_wq for async reads as well Greg Kroah-Hartman
@ 2026-01-06 17:05 ` Greg Kroah-Hartman
2026-01-06 19:22 ` [PATCH 6.12 000/567] 6.12.64-rc1 review Brett A C Sheffield
` (13 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-06 17:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shinichiro Kawasaki, Damien Le Moal,
Christoph Hellwig, Jens Axboe
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit c2b8d20628ca789640f64074a642f9440eefc623 upstream.
For zoned block devices that do not need zone write plugs (e.g. most
device mapper devices that support zones), the disk hash table of zone
write plugs is NULL. For such devices, blk_zone_reset_all_bio_endio()
should not attempt to scan this has table as that causes a NULL pointer
dereference.
Fix this by checking that the disk does have zone write plugs using the
atomic counter. This is equivalent to checking for a non-NULL hash table
but has the advantage to also speed up the execution of
blk_zone_reset_all_bio_endio() for devices that do use zone write plugs
but do not have any plug in the hash table (e.g. a disk with only full
zones).
Fixes: efae226c2ef1 ("block: handle zone management operations completions")
Reported-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-zoned.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
--- a/block/blk-zoned.c
+++ b/block/blk-zoned.c
@@ -746,17 +746,20 @@ static void blk_zone_reset_all_bio_endio
unsigned long flags;
unsigned int i;
- /* Update the condition of all zone write plugs. */
- rcu_read_lock();
- for (i = 0; i < disk_zone_wplugs_hash_size(disk); i++) {
- hlist_for_each_entry_rcu(zwplug, &disk->zone_wplugs_hash[i],
- node) {
- spin_lock_irqsave(&zwplug->lock, flags);
- disk_zone_wplug_set_wp_offset(disk, zwplug, 0);
- spin_unlock_irqrestore(&zwplug->lock, flags);
+ if (atomic_read(&disk->nr_zone_wplugs)) {
+ /* Update the condition of all zone write plugs. */
+ rcu_read_lock();
+ for (i = 0; i < disk_zone_wplugs_hash_size(disk); i++) {
+ hlist_for_each_entry_rcu(zwplug,
+ &disk->zone_wplugs_hash[i],
+ node) {
+ spin_lock_irqsave(&zwplug->lock, flags);
+ disk_zone_wplug_set_wp_offset(disk, zwplug, 0);
+ spin_unlock_irqrestore(&zwplug->lock, flags);
+ }
}
+ rcu_read_unlock();
}
- rcu_read_unlock();
}
static void blk_zone_finish_bio_endio(struct bio *bio)
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (566 preceding siblings ...)
2026-01-06 17:05 ` [PATCH 6.12 567/567] block: fix NULL pointer dereference in blk_zone_reset_all_bio_endio() Greg Kroah-Hartman
@ 2026-01-06 19:22 ` Brett A C Sheffield
2026-01-06 22:00 ` Pavel Machek
` (12 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Brett A C Sheffield @ 2026-01-06 19:22 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.12.64-rc1-g98ddcf2ac4d1 #1 SMP PREEMPT_DYNAMIC Tue Jan 6 19:09:11 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (567 preceding siblings ...)
2026-01-06 19:22 ` [PATCH 6.12 000/567] 6.12.64-rc1 review Brett A C Sheffield
@ 2026-01-06 22:00 ` Pavel Machek
2026-01-06 22:56 ` Shuah Khan
` (11 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Pavel Machek @ 2026-01-06 22:00 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
[-- Attachment #1: Type: text/plain, Size: 671 bytes --]
Hi1
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Could you update my email address? I'd like to keep testing and
@denx.de address is no longer suitable.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-6.12.y
Tested-by: Pavel Machek (CIP) <pavel@nabladev.com>
Thanks and best regards,
Pavel
--
In cooperation with Nabla.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (568 preceding siblings ...)
2026-01-06 22:00 ` Pavel Machek
@ 2026-01-06 22:56 ` Shuah Khan
2026-01-07 0:08 ` Peter Schneider
` (10 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Shuah Khan @ 2026-01-06 22:56 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr, Shuah Khan
On 1/6/26 09:56, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 08 Jan 2026 17:03:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.64-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 493/567] xhci: dbgtty: fix device unregister: fixup
2026-01-06 17:04 ` [PATCH 6.12 493/567] xhci: dbgtty: fix device unregister: fixup Greg Kroah-Hartman
@ 2026-01-07 0:04 ` Łukasz Bartosik
2026-01-08 9:12 ` Greg Kroah-Hartman
0 siblings, 1 reply; 587+ messages in thread
From: Łukasz Bartosik @ 2026-01-07 0:04 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, stable, Sasha Levin
On Tue, Jan 6, 2026 at 6:43 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> 6.12-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Łukasz Bartosik <ukaszb@chromium.org>
>
> [ Upstream commit 74098cc06e753d3ffd8398b040a3a1dfb65260c0 ]
>
> This fixup replaces tty_vhangup() call with call to
> tty_port_tty_vhangup(). Both calls hangup tty device
> synchronously however tty_port_tty_vhangup() increases
> reference count during the hangup operation using
> scoped_guard(tty_port_tty).
>
> Cc: stable <stable@kernel.org>
> Fixes: 1f73b8b56cf3 ("xhci: dbgtty: fix device unregister")
> Signed-off-by: Łukasz Bartosik <ukaszb@chromium.org>
> Link: https://patch.msgid.link/20251127111644.3161386-1-ukaszb@google.com
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> drivers/usb/host/xhci-dbgtty.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- a/drivers/usb/host/xhci-dbgtty.c
> +++ b/drivers/usb/host/xhci-dbgtty.c
> @@ -522,7 +522,7 @@ static void xhci_dbc_tty_unregister_devi
> * Hang up the TTY. This wakes up any blocked
> * writers and causes subsequent writes to fail.
> */
> - tty_vhangup(port->port.tty);
> + tty_port_tty_vhangup(&port->port);
The function tty_port_tty_vhangup does not exist in the 6.12 kernel.
It was added later.
I sent updated patch
https://lore.kernel.org/stable/20260106235820.2995848-1-ukaszb@chromium.org/T/#mb46d870145474d04aaabeccc76aaf949b34bbf86
Thanks,
Łukasz
>
> tty_unregister_device(dbc_tty_driver, port->minor);
> xhci_dbc_tty_exit_port(port);
>
>
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (569 preceding siblings ...)
2026-01-06 22:56 ` Shuah Khan
@ 2026-01-07 0:08 ` Peter Schneider
2026-01-07 0:35 ` Florian Fainelli
` (9 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Peter Schneider @ 2026-01-07 0:08 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 06.01.2026 um 17:56 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (570 preceding siblings ...)
2026-01-07 0:08 ` Peter Schneider
@ 2026-01-07 0:35 ` Florian Fainelli
2026-01-07 10:28 ` Ron Economos
` (8 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Florian Fainelli @ 2026-01-07 0:35 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 1/6/26 08:56, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 08 Jan 2026 17:03:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.64-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (571 preceding siblings ...)
2026-01-07 0:35 ` Florian Fainelli
@ 2026-01-07 10:28 ` Ron Economos
2026-01-07 11:49 ` Mark Brown
` (7 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Ron Economos @ 2026-01-07 10:28 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 1/6/26 08:56, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 08 Jan 2026 17:03:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.64-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (572 preceding siblings ...)
2026-01-07 10:28 ` Ron Economos
@ 2026-01-07 11:49 ` Mark Brown
2026-01-07 11:53 ` Francesco Dolcini
` (6 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Mark Brown @ 2026-01-07 11:49 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Tue, Jan 06, 2026 at 05:56:22PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (573 preceding siblings ...)
2026-01-07 11:49 ` Mark Brown
@ 2026-01-07 11:53 ` Francesco Dolcini
2026-01-07 12:32 ` Jeffrin Thalakkottoor
` (5 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Francesco Dolcini @ 2026-01-07 11:53 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Tue, Jan 06, 2026 at 05:56:22PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Compiled and tested on
- Verdin AM62
- Verdin iMX8MP
- Toradex SMARC iMX8MP
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Francesco
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (574 preceding siblings ...)
2026-01-07 11:53 ` Francesco Dolcini
@ 2026-01-07 12:32 ` Jeffrin Thalakkottoor
2026-01-07 13:44 ` Harshit Mogalapalli
` (4 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Jeffrin Thalakkottoor @ 2026-01-07 12:32 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
hello
Compiled and booted 6.12.64-rc1+
No typical new regressions from dmesg.
As per the dmidecode command.
Version: AMD Ryzen 3 3250U with Radeon Graphics
Processor Information
Socket Designation: FP5
Type: Central Processor
Family: Zen
Manufacturer: Advanced Micro Devices, Inc.
ID: 81 0F 81 00 FF FB 8B 17
Signature: Family 23, Model 24, Stepping 1
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
--
software engineer
rajagiri school of engineering and technology
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (575 preceding siblings ...)
2026-01-07 12:32 ` Jeffrin Thalakkottoor
@ 2026-01-07 13:44 ` Harshit Mogalapalli
2026-01-07 15:26 ` Miguel Ojeda
` (3 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Harshit Mogalapalli @ 2026-01-07 13:44 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Hi Greg,
On 06/01/26 22:26, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 08 Jan 2026 17:03:16 +0000.
> Anything received after that time might be too late.
No problems seen on x86_64 and aarch64 with our testing.
Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Thanks,
Harshit
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (576 preceding siblings ...)
2026-01-07 13:44 ` Harshit Mogalapalli
@ 2026-01-07 15:26 ` Miguel Ojeda
2026-01-07 20:05 ` Brett Mastbergen
` (2 subsequent siblings)
580 siblings, 0 replies; 587+ messages in thread
From: Miguel Ojeda @ 2026-01-07 15:26 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Tue, 06 Jan 2026 17:56:22 +0100 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 08 Jan 2026 17:03:16 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for loongarch64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (577 preceding siblings ...)
2026-01-07 15:26 ` Miguel Ojeda
@ 2026-01-07 20:05 ` Brett Mastbergen
2026-01-07 20:13 ` Jon Hunter
2026-01-07 20:43 ` Hardik Garg
580 siblings, 0 replies; 587+ messages in thread
From: Brett Mastbergen @ 2026-01-07 20:05 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Tue, Jan 6, 2026 at 1:24 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 08 Jan 2026 17:03:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.64-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Builds successfully. Boots and works on qemu and Intel Core i7-10810U
Tested-by: Brett Mastbergen <bmastbergen@ciq.com>
Thanks,
Brett
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (578 preceding siblings ...)
2026-01-07 20:05 ` Brett Mastbergen
@ 2026-01-07 20:13 ` Jon Hunter
2026-01-07 20:43 ` Hardik Garg
580 siblings, 0 replies; 587+ messages in thread
From: Jon Hunter @ 2026-01-07 20:13 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
linux-tegra, stable
On Tue, 06 Jan 2026 17:56:22 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.12.64 release.
> There are 567 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 08 Jan 2026 17:03:16 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.12.64-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.12.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.12:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
120 tests: 120 pass, 0 fail
Linux version: 6.12.64-rc1-g98ddcf2ac4d1
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 000/567] 6.12.64-rc1 review
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
` (579 preceding siblings ...)
2026-01-07 20:13 ` Jon Hunter
@ 2026-01-07 20:43 ` Hardik Garg
580 siblings, 0 replies; 587+ messages in thread
From: Hardik Garg @ 2026-01-07 20:43 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds
The kernel, bpf tool, perf tool, and kselftest builds fine for v6.12.64-rc1 on x86 and arm64 Azure VM.
Tested-by: Hardik Garg <hargar@linux.microsoft.com>
Thanks,
Hardik
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 493/567] xhci: dbgtty: fix device unregister: fixup
2026-01-07 0:04 ` Łukasz Bartosik
@ 2026-01-08 9:12 ` Greg Kroah-Hartman
2026-01-08 9:45 ` Łukasz Bartosik
0 siblings, 1 reply; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-08 9:12 UTC (permalink / raw)
To: Łukasz Bartosik; +Cc: stable, patches, stable, Sasha Levin
On Wed, Jan 07, 2026 at 01:04:37AM +0100, Łukasz Bartosik wrote:
> On Tue, Jan 6, 2026 at 6:43 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > 6.12-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Łukasz Bartosik <ukaszb@chromium.org>
> >
> > [ Upstream commit 74098cc06e753d3ffd8398b040a3a1dfb65260c0 ]
> >
> > This fixup replaces tty_vhangup() call with call to
> > tty_port_tty_vhangup(). Both calls hangup tty device
> > synchronously however tty_port_tty_vhangup() increases
> > reference count during the hangup operation using
> > scoped_guard(tty_port_tty).
> >
> > Cc: stable <stable@kernel.org>
> > Fixes: 1f73b8b56cf3 ("xhci: dbgtty: fix device unregister")
> > Signed-off-by: Łukasz Bartosik <ukaszb@chromium.org>
> > Link: https://patch.msgid.link/20251127111644.3161386-1-ukaszb@google.com
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > drivers/usb/host/xhci-dbgtty.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > --- a/drivers/usb/host/xhci-dbgtty.c
> > +++ b/drivers/usb/host/xhci-dbgtty.c
> > @@ -522,7 +522,7 @@ static void xhci_dbc_tty_unregister_devi
> > * Hang up the TTY. This wakes up any blocked
> > * writers and causes subsequent writes to fail.
> > */
> > - tty_vhangup(port->port.tty);
> > + tty_port_tty_vhangup(&port->port);
>
> The function tty_port_tty_vhangup does not exist in the 6.12 kernel.
> It was added later.
>
> I sent updated patch
> https://lore.kernel.org/stable/20260106235820.2995848-1-ukaszb@chromium.org/T/#mb46d870145474d04aaabeccc76aaf949b34bbf86
The patch before this one added that new api, so all is fine here.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 493/567] xhci: dbgtty: fix device unregister: fixup
2026-01-08 9:12 ` Greg Kroah-Hartman
@ 2026-01-08 9:45 ` Łukasz Bartosik
0 siblings, 0 replies; 587+ messages in thread
From: Łukasz Bartosik @ 2026-01-08 9:45 UTC (permalink / raw)
To: Greg Kroah-Hartman; +Cc: stable, patches, stable, Sasha Levin
On Thu, Jan 8, 2026 at 10:12 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> On Wed, Jan 07, 2026 at 01:04:37AM +0100, Łukasz Bartosik wrote:
> > On Tue, Jan 6, 2026 at 6:43 PM Greg Kroah-Hartman
> > <gregkh@linuxfoundation.org> wrote:
> > >
> > > 6.12-stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Łukasz Bartosik <ukaszb@chromium.org>
> > >
> > > [ Upstream commit 74098cc06e753d3ffd8398b040a3a1dfb65260c0 ]
> > >
> > > This fixup replaces tty_vhangup() call with call to
> > > tty_port_tty_vhangup(). Both calls hangup tty device
> > > synchronously however tty_port_tty_vhangup() increases
> > > reference count during the hangup operation using
> > > scoped_guard(tty_port_tty).
> > >
> > > Cc: stable <stable@kernel.org>
> > > Fixes: 1f73b8b56cf3 ("xhci: dbgtty: fix device unregister")
> > > Signed-off-by: Łukasz Bartosik <ukaszb@chromium.org>
> > > Link: https://patch.msgid.link/20251127111644.3161386-1-ukaszb@google.com
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > > ---
> > > drivers/usb/host/xhci-dbgtty.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > --- a/drivers/usb/host/xhci-dbgtty.c
> > > +++ b/drivers/usb/host/xhci-dbgtty.c
> > > @@ -522,7 +522,7 @@ static void xhci_dbc_tty_unregister_devi
> > > * Hang up the TTY. This wakes up any blocked
> > > * writers and causes subsequent writes to fail.
> > > */
> > > - tty_vhangup(port->port.tty);
> > > + tty_port_tty_vhangup(&port->port);
> >
> > The function tty_port_tty_vhangup does not exist in the 6.12 kernel.
> > It was added later.
> >
> > I sent updated patch
> > https://lore.kernel.org/stable/20260106235820.2995848-1-ukaszb@chromium.org/T/#mb46d870145474d04aaabeccc76aaf949b34bbf86
>
> The patch before this one added that new api, so all is fine here.
>
Thank you for pointing that out.
Thanks,
Łukasz
> thanks,
>
> greg k-h
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 519/567] gpiolib: acpi: Move quirks to a separate file
2026-01-06 17:05 ` [PATCH 6.12 519/567] gpiolib: acpi: Move quirks to a separate file Greg Kroah-Hartman
@ 2026-02-10 16:06 ` Ben Hutchings
2026-02-11 11:36 ` Greg Kroah-Hartman
0 siblings, 1 reply; 587+ messages in thread
From: Ben Hutchings @ 2026-02-10 16:06 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Hans de Goede, Mika Westerberg, Andy Shevchenko,
Sasha Levin
[-- Attachment #1: Type: text/plain, Size: 757 bytes --]
On Tue, 2026-01-06 at 18:05 +0100, Greg Kroah-Hartman wrote:
> 6.12-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
>
> [ Upstream commit 92dc572852ddcae687590cb159189004d58e382e ]
>
> The gpiolib-acpi.c is huge enough even without DMI quirks.
> Move them to a separate file for a better maintenance.
>
> No functional change intended.
[...]
However, this did cause some documentation breakage. Please cherry-pick
commit ec0c0aab1524 ("gpiolib-acpi: Update file references in the
Documentation and MAINTAINERS") to fix that.
Ben.
--
Ben Hutchings
It's easier to fight for one's principles than to live up to them.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 587+ messages in thread
* Re: [PATCH 6.12 519/567] gpiolib: acpi: Move quirks to a separate file
2026-02-10 16:06 ` Ben Hutchings
@ 2026-02-11 11:36 ` Greg Kroah-Hartman
0 siblings, 0 replies; 587+ messages in thread
From: Greg Kroah-Hartman @ 2026-02-11 11:36 UTC (permalink / raw)
To: Ben Hutchings
Cc: stable, patches, Hans de Goede, Mika Westerberg, Andy Shevchenko,
Sasha Levin
On Tue, Feb 10, 2026 at 05:06:50PM +0100, Ben Hutchings wrote:
> On Tue, 2026-01-06 at 18:05 +0100, Greg Kroah-Hartman wrote:
> > 6.12-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
> >
> > [ Upstream commit 92dc572852ddcae687590cb159189004d58e382e ]
> >
> > The gpiolib-acpi.c is huge enough even without DMI quirks.
> > Move them to a separate file for a better maintenance.
> >
> > No functional change intended.
> [...]
>
> However, this did cause some documentation breakage. Please cherry-pick
> commit ec0c0aab1524 ("gpiolib-acpi: Update file references in the
> Documentation and MAINTAINERS") to fix that.
Thanks, the Fixes: tag in that commit is invalid, which is why I didn't
see it to pick this up, nice catch!
greg k-h
^ permalink raw reply [flat|nested] 587+ messages in thread
end of thread, other threads:[~2026-02-11 11:36 UTC | newest]
Thread overview: 587+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-06 16:56 [PATCH 6.12 000/567] 6.12.64-rc1 review Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 001/567] btrfs: do not skip logging new dentries when logging a new name Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 002/567] btrfs: fix a potential path leak in print_data_reloc_error() Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 003/567] bpf, arm64: Do not audit capability check in do_jit() Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 004/567] btrfs: fix memory leak of fs_devices in degraded seed device path Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 005/567] shmem: fix recovery on rename failures Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 006/567] iomap: adjust read range correctly for non-block-aligned positions Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 007/567] iomap: account for unaligned end offsets when truncating read range Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 008/567] scripts/faddr2line: Fix "Argument list too long" error Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 009/567] perf/x86/amd: Check event before enable to avoid GPF Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 010/567] sched/deadline: only set free_cpus for online runqueues Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 011/567] sched/fair: Revert max_newidle_lb_cost bump Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 012/567] x86/ptrace: Always inline trivial accessors Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 013/567] ACPICA: Avoid walking the Namespace if start_node is NULL Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 014/567] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 015/567] cpufreq: dt-platdev: Add JH7110S SOC to the allowlist Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 016/567] ACPI: fan: Workaround for 64-bit firmware bug Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 017/567] cpufreq: s5pv210: fix refcount leak Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 018/567] cpuidle: menu: Use residency threshold in polling state override decisions Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 019/567] livepatch: Match old_sympos 0 and 1 in klp_find_func() Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 020/567] fs/ntfs3: Support timestamps prior to epoch Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 021/567] kbuild: Use objtree for module signing key path Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 022/567] ntfs: set dummy blocksize to read boot_block when mounting Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 023/567] hfsplus: fix volume corruption issue for generic/070 Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 024/567] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 025/567] hfsplus: Verify inode mode when loading from disk Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 026/567] hfsplus: fix volume corruption issue for generic/073 Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 027/567] fs/ntfs3: check for shutdown in fsync Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 028/567] wifi: rtl8xxxu: Fix HT40 channel config for RTL8192CU, RTL8723AU Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 029/567] wifi: cfg80211: stop radar detection in cfg80211_leave() Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 030/567] wifi: cfg80211: use cfg80211_leave() in iftype change Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 031/567] wifi: mt76: mt792x: fix wifi init fail by setting MCU_RUNNING after CLC load Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 032/567] wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 033/567] btrfs: scrub: always update btrfs_scrub_progress::last_physical Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 034/567] gfs2: fix remote evict for read-only filesystems Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 035/567] gfs2: Fix "gfs2: Switch to wait_event in gfs2_quotad" Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 036/567] smb/server: fix return value of smb2_ioctl() Greg Kroah-Hartman
2026-01-06 16:56 ` [PATCH 6.12 037/567] ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 038/567] ksmbd: vfs: fix race on m_flags in vfs_cache Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 039/567] Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 040/567] Bluetooth: btusb: MT7922: Add VID/PID 0489/e170 Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 041/567] Bluetooth: btusb: MT7920: Add VID/PID 0489/e135 Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 042/567] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 043/567] Bluetooth: btusb: Add new VID/PID 0x0489/0xE12F for RTL8852BE-VT Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 044/567] gfs2: Fix use of bio_chain Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 045/567] net: fec: ERR007885 Workaround for XDP TX path Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 046/567] netrom: Fix memory leak in nr_sendmsg() Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 047/567] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 048/567] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 049/567] mlxsw: spectrum_router: Fix possible neighbour reference count leak Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 050/567] mlxsw: spectrum_router: Fix neighbour use-after-free Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 051/567] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 052/567] bnxt_en: Fix XDP_TX path Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 053/567] net: openvswitch: fix middle attribute validation in push_nsh() action Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 054/567] broadcom: b44: prevent uninitialized value usage Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 055/567] netfilter: nf_conncount: fix leaked ct in error paths Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 056/567] ipvs: fix ipv4 null-ptr-deref in route error path Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 057/567] caif: fix integer underflow in cffrml_receive() Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 058/567] net/sched: ets: Remove drr class from the active list if it changes to strict Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 059/567] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 060/567] netfilter: nf_nat: remove bogus direction check Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 061/567] netfilter: nf_tables: remove redundant chain validation on register store Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 062/567] selftests: netfilter: packetdrill: avoid failure on HZ=100 kernel Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 063/567] iommufd/selftest: Add coverage for reporting max_pasid_log2 via IOMMU_HW_INFO Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 064/567] iommufd/selftest: Update hw_info coverage for an input data_type Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 065/567] iommufd/selftest: Make it clearer to gcc that the access is not out of bounds Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 066/567] iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 067/567] ethtool: Avoid overflowing userspace buffer on stats query Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 068/567] net/mlx5: fw reset, clear reset requested on drain_fw_reset Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 069/567] net/mlx5: Drain firmware reset in shutdown callback Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 070/567] net/mlx5: fw_tracer, Validate format string parameters Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 071/567] net/mlx5: fw_tracer, Handle escaped percent properly Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 072/567] net/mlx5: Serialize firmware reset with devlink Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 073/567] net/handshake: duplicate handshake cancellations leak socket Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 074/567] net: enetc: do not transmit redirected XDP frames when the link is down Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 075/567] net: hns3: using the num_tqps in the vf driver to apply for resources Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 076/567] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 077/567] net: hns3: add VLAN id validation before using Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 078/567] hwmon: (dell-smm) Limit fan multiplier to avoid overflow Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 079/567] hwmon: (ibmpex) fix use-after-free in high/low store Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 080/567] hwmon: (tmp401) fix overflow caused by default conversion rate value Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 081/567] drm/me/gsc: mei interrupt top half should be in irq disabled context Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 082/567] drm/xe: Restore engine registers before restarting schedulers after GT reset Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 083/567] MIPS: Fix a reference leak bug in ip22_check_gio() Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 084/567] drm/panel: sony-td4353-jdi: Enable prepare_prev_first Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 085/567] x86/xen: Move Xen upcall handler Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 086/567] x86/xen: Fix sparse warning in enlighten_pv.c Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 087/567] arm64: kdump: Fix elfcorehdr overlap caused by reserved memory processing reorder Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 088/567] spi: cadence-quadspi: Fix clock disable on probe failure path Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 089/567] block: rnbd-clt: Fix leaked ID in init_dev() Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 090/567] drm/xe: Limit num_syncs to prevent oversized allocations Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 091/567] drm/xe/oa: " Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 092/567] hwmon: (ltc4282): Fix reset_history file permissions Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 093/567] ksmbd: skip lock-range check on equal size to avoid size==0 underflow Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 094/567] ksmbd: Fix refcount leak when invalid session is found on session lookup Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 095/567] ksmbd: fix buffer validation by including null terminator size in EA length Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 096/567] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Greg Kroah-Hartman
2026-01-06 16:57 ` [PATCH 6.12 097/567] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 098/567] Input: lkkbd - disable pending work before freeing device Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 099/567] Input: alps - fix use-after-free bugs caused by dev3_register_work Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 100/567] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 101/567] xfs: dont leak a locked dquot when xfs_dquot_attach_buf fails Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 102/567] can: gs_usb: gs_can_open(): fix error handling Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 103/567] soc/tegra: fuse: Do not register SoC device on ACPI boot Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 104/567] ACPI: PCC: Fix race condition by removing static qualifier Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 105/567] ACPI: CPPC: Fix missing PCC check for guaranteed_perf Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 106/567] spi: fsl-cpm: Check length parity before switching to 16 bit mode Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 107/567] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 108/567] mmc: sdhci-of-arasan: Increase CD stable timeout to 2 seconds Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 109/567] dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 110/567] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 111/567] x86/fpu: Fix FPU state core dump truncation on CPUs with no extended xfeatures Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 112/567] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 113/567] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe " Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 114/567] ALSA: usb-mixer: us16x08: validate meter packet indices Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 115/567] ASoC: ak4458: remove the reset operation in probe and remove Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 116/567] nfsd: update percpu_ref to manage references on nfsd_net Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 117/567] nfsd: rename nfsd_serv_ prefixed methods and variables with nfsd_net_ Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 118/567] nfsd: fix memory leak in nfsd_create_serv error paths Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 119/567] ipmi: Fix the race between __scan_channels() and deliver_response() Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 120/567] ipmi: Fix __scan_channels() failing to rescan channels Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 121/567] scsi: ufs: host: mediatek: Fix shutdown/suspend race condition Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 122/567] firmware: imx: scu-irq: Init workqueue before request mbox channel Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 123/567] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 124/567] scsi: smartpqi: Add support for Hurray Data new controller PCI device Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 125/567] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 126/567] powerpc/addnote: Fix overflow on 32-bit builds Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 127/567] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 128/567] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 129/567] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 130/567] fuse: Always flush the page cache before FOPEN_DIRECT_IO write Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 131/567] fuse: Invalidate the page cache after " Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 132/567] via_wdt: fix critical boot hang due to unnamed resource allocation Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 133/567] reset: fix BIT macro reference Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 134/567] exfat: fix remount failure in different process environments Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 135/567] exfat: zero out post-EOF page cache on file extension Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 136/567] usbip: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 137/567] usb: typec: ucsi: Handle incorrect num_connectors capability Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 138/567] iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 139/567] usb: xhci: limit run_graceperiod for only usb 3.0 devices Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 140/567] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 141/567] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 142/567] libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 143/567] clk: qcom: dispcc-sm7150: Fix dispcc_mdss_pclk0_clk_src Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 144/567] i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 145/567] nvme-fc: dont hold rport lock when putting ctrl Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 146/567] nvme-fabrics: add ENOKEY to no retry criteria for authentication failures Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 147/567] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 148/567] MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 149/567] scsi: scsi_debug: Fix atomic write enable module param description Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 150/567] block: rnbd-clt: Fix signedness bug in init_dev() Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 151/567] vhost/vsock: improve RCU read sections around vhost_vsock_get() Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 152/567] cifs: Fix memory and information leak in smb3_reconfigure() Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 153/567] KEYS: trusted: Fix a memory leak in tpm2_load_cmd Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 154/567] io_uring: fix filename leak in __io_openat_prep() Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 155/567] x86/mce: Do not clear banks poll bit in mce_poll_banks on AMD SMCA systems Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 156/567] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Greg Kroah-Hartman
2026-01-06 16:58 ` [PATCH 6.12 157/567] perf: arm_cspmu: fix error handling in arm_cspmu_impl_unregister() Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 158/567] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 159/567] s390/dasd: Fix gendisk parent after copy pair swap Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 160/567] wifi: mt76: Fix DTS power-limits on little endian systems Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 161/567] block: rate-limit capacity change info log Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 162/567] floppy: fix for PAGE_SIZE != 4KB Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 163/567] kallsyms: Fix wrong "big" kernel symbol type read from procfs Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 164/567] fs/ntfs3: fix mount failure for sparse runs in run_unpack() Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 165/567] ktest.pl: Fix uninitialized var in config-bisect.pl Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 166/567] tpm: Cap the number of PCR banks Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 167/567] ext4: fix string copying in parse_apply_sb_mount_options() Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 168/567] ext4: xattr: fix null pointer deref in ext4_raw_inode() Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 169/567] ext4: clear i_state_flags when alloc inode Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 170/567] ext4: fix incorrect group number assertion in mb_check_buddy Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 171/567] ext4: align max orphan file size with e2fsprogs limit Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 172/567] jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 173/567] jbd2: use a weaker annotation in journal handling Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 174/567] media: v4l2-mem2mem: Fix outdated documentation Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 175/567] selftests: mptcp: pm: ensure unknown flags are ignored Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 176/567] mptcp: schedule rtx timer only after pushing data Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 177/567] mptcp: avoid deadlock on fallback while reinjecting Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 178/567] usb: usb-storage: Maintain minimal modifications to the bcdDevice range Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 179/567] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 180/567] media: pvrusb2: Fix incorrect variable used in trace message Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 181/567] phy: broadcom: bcm63xx-usbh: fix section mismatches Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 182/567] usb: ohci-nxp: fix device leak on probe failure Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 183/567] usb: typec: altmodes/displayport: Drop the device reference in dp_altmode_probe() Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 184/567] USB: lpc32xx_udc: Fix error handling in probe Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 185/567] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 186/567] usb: phy: isp1301: fix non-OF device reference imbalance Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 187/567] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 188/567] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 189/567] usb: dwc3: keep susphy enabled during exit to avoid controller faults Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 190/567] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 191/567] char: applicom: fix NULL pointer dereference in ac_ioctl Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 192/567] intel_th: Fix error handling in intel_th_output_open Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 193/567] mei: gsc: add dependency on Xe driver Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 194/567] serial: sh-sci: Check that the DMA cookie is valid Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 195/567] cpuidle: governors: teo: Drop misguided target residency check Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 196/567] cpufreq: nforce2: fix reference count leak in nforce2 Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 197/567] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 198/567] scsi: aic94xx: fix use-after-free in device removal path Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 199/567] NFSD: use correct reservation type in nfsd4_scsi_fence_client Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 200/567] scsi: target: Reset t_task_cdb pointer in error case Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 201/567] scsi: mpi3mr: Read missing IOCFacts flag for reply queue full overflow Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 202/567] scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 203/567] f2fs: ensure node page reads complete before f2fs_put_super() finishes Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 204/567] f2fs: fix to avoid potential deadlock Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 205/567] f2fs: fix to avoid updating zero-sized extent in extent cache Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 206/567] f2fs: invalidate dentry cache on failed whiteout creation Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 207/567] f2fs: fix age extent cache insertion skip on counter overflow Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 208/567] f2fs: fix uninitialized one_time_gc in victim_sel_policy Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 209/567] f2fs: fix return value of f2fs_recover_fsync_data() Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 210/567] tools/testing/nvdimm: Use per-DIMM device handle Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 211/567] KVM: Disallow toggling KVM_MEM_GUEST_MEMFD on an existing memslot Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 212/567] media: vidtv: initialize local pointers upon transfer of memory ownership Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 213/567] ocfs2: fix kernel BUG in ocfs2_find_victim_chain Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 214/567] KVM: x86: Dont clear async #PF queue when CR0.PG is disabled (e.g. on #SMI) Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 215/567] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 216/567] scs: fix a wrong parameter in __scs_magic Greg Kroah-Hartman
2026-01-06 16:59 ` [PATCH 6.12 217/567] parisc: Do not reprogram affinitiy on ASP chip Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 218/567] libceph: make decode_pool() more resilient against corrupted osdmaps Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 219/567] powerpc: Add reloc_offset() to font bitmap pointer used for bootx_printf() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 220/567] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 221/567] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 222/567] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 223/567] KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 224/567] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 225/567] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 226/567] KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 227/567] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 228/567] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 229/567] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 230/567] xfs: fix a memory leak in xfs_buf_item_init() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 231/567] xfs: fix stupid compiler warning Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 232/567] xfs: fix a UAF problem in xattr repair Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 233/567] tracing: Do not register unsupported perf events Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 234/567] PM: runtime: Do not clear needs_force_resume with enabled runtime PM Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 235/567] r8169: fix RTL8117 Wake-on-Lan in DASH mode Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 236/567] net: phy: marvell-88q2xxx: Fix clamped value in mv88q2xxx_hwmon_write Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 237/567] fsnotify: do not generate ACCESS/MODIFY events on child for special files Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 238/567] net/handshake: restore destructor on submit failure Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 239/567] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 240/567] NFSD: NFSv4 file creation neglects setting ACL Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 241/567] nfsd: Mark variable __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 242/567] svcrdma: return 0 on success from svc_rdma_copy_inline_range Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 243/567] svcrdma: use rc_pageoff for memcpy byte offset Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 244/567] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 245/567] powerpc/kexec: Enable SMT before waking offline CPUs Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 246/567] btrfs: dont log conflicting inode if its a dir moved in the current transaction Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 247/567] s390/ipl: Clear SBP flag when bootprog is set Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 248/567] gpio: regmap: Fix memleak in error path in gpio_regmap_register() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 249/567] io_uring/poll: correctly handle io_poll_add() return value on update Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 250/567] io_uring: fix min_wait wakeups for SQPOLL Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 251/567] Revert "drm/amd/display: Fix pbn to kbps Conversion" Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 252/567] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 253/567] drm/amd/display: Fix scratch registers offsets for DCN35 Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 254/567] drm/amd/display: Fix scratch registers offsets for DCN351 Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 255/567] drm/displayid: pass iter to drm_find_displayid_extension() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 256/567] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 257/567] ALSA: wavefront: Use guard() for spin locks Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 258/567] ALSA: wavefront: Clear substream pointers on close Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 259/567] pinctrl: renesas: rzg2l: Fix ISEL restore on resume Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 260/567] hsr: hold rcu and dev lock for hsr_get_port_ndev Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 261/567] sched/rt: Fix race in push_rt_task Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 262/567] KVM: arm64: Initialize HCR_EL2.E2H early Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 263/567] KVM: arm64: Initialize SCTLR_EL1 in __kvm_hyp_init_cpu() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 264/567] arm64: Revamp HCR_EL2.E2H RES1 detection Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 265/567] dt-bindings: PCI: qcom,pcie-sc7280: Add missing required power-domains and resets Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 266/567] dt-bindings: PCI: qcom,pcie-sc8280xp: " Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 267/567] dt-bindings: PCI: qcom,pcie-sm8150: " Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 268/567] dt-bindings: PCI: qcom,pcie-sm8250: " Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 269/567] dt-bindings: PCI: qcom,pcie-sm8350: " Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 270/567] dt-bindings: PCI: qcom,pcie-sm8450: " Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 271/567] dt-bindings: PCI: qcom,pcie-sm8550: " Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 272/567] crypto: af_alg - zero initialize memory allocated via sock_kmalloc Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 273/567] crypto: caam - Add check for kcalloc() in test_len() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 274/567] amba: tegra-ahb: Fix device leak on SMMU enable Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 275/567] virtio: vdpa: Fix reference count leak in octep_sriov_enable() Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 276/567] tracing: Fix fixed array of synthetic event Greg Kroah-Hartman
2026-01-06 17:00 ` [PATCH 6.12 277/567] soc: samsung: exynos-pmu: fix device leak on regmap lookup Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 278/567] soc: qcom: pbs: fix device leak on lookup Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 279/567] soc: qcom: ocmem: " Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 280/567] soc: apple: mailbox: " Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 281/567] soc: amlogic: canvas: " Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 282/567] rpmsg: glink: fix rpmsg device leak Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 283/567] platform/x86: intel: chtwc_int33fe: dont dereference swnode args Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 284/567] i2c: amd-mp2: fix reference leak in MP2 PCI device Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 285/567] interconnect: qcom: sdx75: Drop QPIC interconnect and BCM nodes Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 286/567] hwmon: (max16065) Use local variable to avoid TOCTOU Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 287/567] hwmon: (max6697) fix regmap leak on probe failure Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 288/567] hwmon: (w83791d) Convert macros to functions to avoid TOCTOU Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 289/567] hwmon: (w83l786ng) " Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 290/567] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 291/567] x86/msi: Make irq_retrigger() functional for posted MSI Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 292/567] iommu/mediatek: fix use-after-free on probe deferral Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 293/567] fuse: fix readahead reclaim deadlock Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 294/567] wifi: rtw88: limit indirect IO under powered off for RTL8822CS Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 295/567] wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 296/567] wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 297/567] wifi: mac80211: do not use old MBSSID elements Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 298/567] i40e: fix scheduling in set_rx_mode Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 299/567] i40e: validate ring_len parameter against hardware-specific values Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 300/567] iavf: fix off-by-one issues in iavf_config_rss_reg() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 301/567] idpf: reduce mbx_task schedule delay to 300us Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 302/567] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 303/567] Bluetooth: btusb: revert use of devm_kzalloc in btusb Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 304/567] net: mdio: aspeed: add dummy read to avoid read-after-write issue Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 305/567] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 306/567] ip6_gre: make ip6gre_header() robust Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 307/567] platform/mellanox: mlxbf-pmc: Remove trailing whitespaces from event names Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 308/567] platform/x86: msi-laptop: add missing sysfs_remove_group() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 309/567] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 310/567] team: fix check for port enabled in team_queue_override_port_prio_changed() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 311/567] net: dsa: fix missing put_device() in dsa_tree_find_first_conduit() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 312/567] amd-xgbe: reset retries and mode on RX adapt failures Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 313/567] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 314/567] selftests: net: fix "buffer overflow detected" for tap.c Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 315/567] smc91x: fix broken irq-context in PREEMPT_RT Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 316/567] genalloc.h: fix htmldocs warning Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 317/567] firewire: nosy: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 318/567] net: dsa: b53: skip multicast entries for fdb_dump() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 319/567] kbuild: fix compilation of dtb specified on command-line without make rule Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 320/567] net: usb: asix: validate PHY address before use Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 321/567] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 322/567] vfio/pds: Fix memory leak in pds_vfio_dirty_enable() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 323/567] platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 324/567] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 325/567] net: stmmac: fix the crash issue for zero copy XDP_TX action Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 326/567] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 327/567] ipv4: Fix reference count leak when using error routes with nexthop objects Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 328/567] net: rose: fix invalid array index in rose_kill_by_device() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 329/567] ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 330/567] RDMA/irdma: avoid invalid read in irdma_net_event Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 331/567] RDMA/efa: Remove possible negative shift Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 332/567] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 333/567] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 334/567] RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 335/567] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 336/567] RDMA/bnxt_re: Fix to use correct page size for PDE table Greg Kroah-Hartman
2026-01-06 17:01 ` [PATCH 6.12 337/567] md: Fix static checker warning in analyze_sbs Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 338/567] md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 339/567] ksmbd: Fix memory leak in get_file_all_info() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 340/567] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 341/567] RDMA/bnxt_re: fix dma_free_coherent() pointer Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 342/567] blk-mq: skip CPU offline notify on unmapped hctx Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 343/567] selftests/ftrace: traceonoff_triggers: strip off names Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 344/567] ntfs: Do not overwrite uptodate pages Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 345/567] ASoC: codecs: wcd939x: fix regmap leak on probe failure Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 346/567] ASoC: stm32: sai: fix device leak on probe Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 347/567] ASoC: stm32: sai: fix clk prepare imbalance on probe failure Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 348/567] ASoC: stm32: sai: fix OF node leak on probe Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 349/567] ASoC: codecs: lpass-tx-macro: fix SM6115 support Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 350/567] ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 351/567] ASoC: qcom: q6asm-dai: perform correct state check before closing Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 352/567] ASoC: qcom: q6adm: the the copp device only during last instance Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 353/567] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 354/567] iommu/amd: Fix pci_segment memleak in alloc_pci_segment() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 355/567] iommu/amd: Propagate the error code returned by __modify_irte_ga() in modify_irte_ga() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 356/567] iommu/apple-dart: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 357/567] iommu/exynos: " Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 358/567] iommu/ipmmu-vmsa: " Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 359/567] iommu/mediatek-v1: fix device leak on probe_device() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 360/567] iommu/mediatek-v1: fix device leaks on probe() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 361/567] iommu/mediatek: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 362/567] iommu/omap: fix device leaks on probe_device() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 363/567] iommu/qcom: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 364/567] iommu/sun50i: " Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 365/567] iommu/tegra: fix device leak on probe_device() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 366/567] iommu: disable SVA when CONFIG_X86 is set Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 367/567] HID: logitech-dj: Remove duplicate error logging Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 368/567] fgraph: Initialize ftrace_ops->private for function graph ops Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 369/567] fgraph: Check ftrace_pids_enabled on registration for early filtering Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 370/567] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 371/567] arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 372/567] powerpc, mm: Fix mprotect on book3s 32-bit Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 373/567] powerpc/64s/slb: Fix SLB multihit issue during SLB preload Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 374/567] leds: leds-cros_ec: Skip LEDs without color components Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 375/567] leds: leds-lp50xx: Allow LED 0 to be added to module bank Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 376/567] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 377/567] leds: leds-lp50xx: Enable chip before any communication Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 378/567] block: Clear BLK_ZONE_WPLUG_PLUGGED when aborting plugged BIOs Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 379/567] clk: samsung: exynos-clkout: Assign .num before accessing .hws Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 380/567] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 381/567] mfd: max77620: Fix potential IRQ chip conflict when probing two devices Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 382/567] media: rc: st_rc: Fix reset control resource leak Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 383/567] media: verisilicon: Fix CPU stalls on G2 bus error Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 384/567] mtd: mtdpart: ignore error -ENOENT from parsers on subpartitions Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 385/567] mtd: spi-nor: winbond: Add support for W25Q01NWxxIQ chips Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 386/567] mtd: spi-nor: winbond: Add support for W25Q01NWxxIM chips Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 387/567] mtd: spi-nor: winbond: Add support for W25Q02NWxxIM chips Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 388/567] mtd: spi-nor: winbond: Add support for W25H512NWxxAM chips Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 389/567] mtd: spi-nor: winbond: Add support for W25H01NWxxAM chips Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 390/567] mtd: spi-nor: winbond: Add support for W25H02NWxxAM chips Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 391/567] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 392/567] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 393/567] perf/x86/amd/uncore: Fix the return value of amd_uncore_df_event_init() on error Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 394/567] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 395/567] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 396/567] firmware: stratix10-svc: Add mutex in stratix10 memory management Greg Kroah-Hartman
2026-01-06 17:02 ` [PATCH 6.12 397/567] dm-ebs: Mark full buffer dirty even on partial write Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 398/567] dm-bufio: align write boundary on physical block size Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 399/567] fbdev: gbefb: fix to use physical address instead of dma address Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 400/567] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 401/567] fbdev: tcx.c fix mem_map to correct smem_start offset Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 402/567] media: cec: Fix debugfs leak on bus_register() failure Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 403/567] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 404/567] media: platform: mtk-mdp3: fix device leaks at probe Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 405/567] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 406/567] media: samsung: exynos4-is: fix potential ABBA deadlock on init Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 407/567] media: TDA1997x: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 408/567] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 409/567] media: videobuf2: Fix device reference leak in vb2_dc_alloc error path Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 410/567] media: vpif_capture: fix section mismatch Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 411/567] media: vpif_display: " Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 412/567] media: amphion: Cancel message work before releasing the VPU core Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 413/567] media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 414/567] media: i2c: adv7842: " Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 415/567] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 416/567] LoongArch: Add new PCI ID for pci_fixup_vgadev() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 417/567] LoongArch: Correct the calculation logic of thread_count Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 418/567] LoongArch: Fix build errors for CONFIG_RANDSTRUCT Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 419/567] LoongArch: Use __pmd()/__pte() for swap entry conversions Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 420/567] LoongArch: Use unsigned long for _end and _text Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 421/567] mm/damon/tests/sysfs-kunit: handle alloc failures on damon_sysfs_test_add_targets() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 422/567] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 423/567] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 424/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 425/567] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 426/567] mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 427/567] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 428/567] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 429/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 430/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 431/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 432/567] mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 433/567] mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 434/567] pmdomain: imx: Fix reference count leak in imx_gpc_probe() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 435/567] compiler_types.h: add "auto" as a macro for "__auto_type" Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 436/567] mm/kasan: fix incorrect unpoisoning in vrealloc for KASAN Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 437/567] kasan: refactor pcpu kasan vmalloc unpoison Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 438/567] kasan: unpoison vms[area] addresses with a common tag Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 439/567] lockd: fix vfs_test_lock() calls Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 440/567] idr: fix idr_alloc() returning an ID out of range Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 441/567] mm/page_owner: fix memory leak in page_owner_stack_fops->release() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 442/567] x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 443/567] tools/mm/page_owner_sort: fix timestamp comparison for stable sorting Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 444/567] samples/ftrace: Adjust LoongArch register restore order in direct calls Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 445/567] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 446/567] RDMA/cm: Fix leaking the multicast GID table reference Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 447/567] e1000: fix OOB in e1000_tbi_should_accept() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 448/567] fjes: Add missing iounmap in fjes_hw_init() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 449/567] LoongArch: Refactor register restoration in ftrace_common_return Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 450/567] LoongArch: BPF: Zero-extend bpf_tail_call() index Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 451/567] LoongArch: BPF: Sign extend kfunc call arguments Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 452/567] nfsd: Drop the client reference in client_states_open() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 453/567] net: usb: sr9700: fix incorrect command used to write single register Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 454/567] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 455/567] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 456/567] Revert "drm/amd: Skip power ungate during suspend for VPE" Greg Kroah-Hartman
2026-01-06 17:03 ` [PATCH 6.12 457/567] drm/amdgpu/gmc12: add amdgpu_vm_handle_fault() handling Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 458/567] drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 459/567] drm/amdgpu/gmc11: add amdgpu_vm_handle_fault() handling Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 460/567] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 461/567] drm/buddy: Optimize free block management with RB tree Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 462/567] drm/buddy: Separate clear and dirty free block trees Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 463/567] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 464/567] drm/edid: add DRM_EDID_IDENT_INIT() to initialize struct drm_edid_ident Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 465/567] drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 466/567] drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 467/567] drm/mediatek: Fix probe resource leaks Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 468/567] drm/mediatek: Fix probe memory leak Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 469/567] drm/mediatek: Fix probe device leaks Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 470/567] drm/amdkfd: Export the cwsr_size and ctl_stack_size to userspace Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 471/567] drm/amdkfd: bump minimum vgpr size for gfx1151 Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 472/567] drm/amdkfd: Trap handler support for expert scheduling mode Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 473/567] drm/i915: Fix format string truncation warning Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 474/567] drm/ttm: Avoid NULL pointer deref for evicted BOs Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 475/567] drm/mgag200: Fix big-endian support Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 476/567] drm/xe/bo: Dont include the CCS metadata in the dma-buf sg-table Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 477/567] drm/xe/oa: Disallow 0 OA property values Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 478/567] drm/xe: Adjust long-running workload timeslices to reasonable values Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 479/567] drm/xe: Use usleep_range for accurate long-running workload timeslicing Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 480/567] drm/xe: Drop preempt-fences when destroying imported dma-bufs Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 481/567] drm/msm/dpu: Add missing NULL pointer check for pingpong interface Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 482/567] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 483/567] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 484/567] drm/imagination: Disallow exporting of PM/FW protected objects Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 485/567] lib/crypto: riscv/chacha: Avoid s0/fp register Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 486/567] gfs2: fix freeze error handling Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 487/567] btrfs: dont rewrite ret from inode_permission Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 488/567] sched/eevdf: Fix min_vruntime vs avg_vruntime Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 489/567] erofs: fix unexpected EIO under memory pressure Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 490/567] sched_ext: Fix incorrect sched_class settings for per-cpu migration tasks Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 491/567] jbd2: fix the inconsistency between checksum and data in memory for journal sb Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 492/567] tty: introduce and use tty_port_tty_vhangup() helper Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 493/567] xhci: dbgtty: fix device unregister: fixup Greg Kroah-Hartman
2026-01-07 0:04 ` Łukasz Bartosik
2026-01-08 9:12 ` Greg Kroah-Hartman
2026-01-08 9:45 ` Łukasz Bartosik
2026-01-06 17:04 ` [PATCH 6.12 494/567] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 495/567] f2fs: use global inline_xattr_slab instead of per-sb slab cache Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 496/567] f2fs: drop inode from the donation list when the last file is closed Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 497/567] f2fs: fix to avoid updating compression context during writeback Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 498/567] serial: core: fix OF node leak Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 499/567] serial: core: Restore sysfs fwnode information Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 500/567] mptcp: pm: ignore unknown endpoint flags Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 501/567] mm/ksm: fix exec/fork inheritance support for prctl Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 502/567] svcrdma: bound check rq_pages index in inline path Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 503/567] ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 504/567] block: freeze queue when updating zone resources Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 505/567] tpm2-sessions: Fix tpm2_read_public range checks Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 506/567] sched_ext: Factor out local_dsq_post_enq() from dispatch_enqueue() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 507/567] sched_ext: Fix missing post-enqueue handling in move_local_task_to_local_dsq() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 508/567] drm/displayid: add quirk to ignore DisplayID checksum errors Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 509/567] hrtimers: Introduce hrtimer_update_function() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 510/567] serial: xilinx_uartps: Use helper function hrtimer_update_function() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 511/567] serial: xilinx_uartps: fix rs485 delay_rts_after_send Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 512/567] f2fs: clear SBI_POR_DOING before initing inmem curseg Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 513/567] f2fs: add timeout in f2fs_enable_checkpoint() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 514/567] f2fs: dump more information for f2fs_{enable,disable}_checkpoint() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 515/567] f2fs: fix to propagate error from f2fs_enable_checkpoint() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 516/567] gpiolib: acpi: Switch to use enum in acpi_gpio_in_ignore_list() Greg Kroah-Hartman
2026-01-06 17:04 ` [PATCH 6.12 517/567] gpiolib: acpi: Handle deferred list via new API Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 518/567] gpiolib: acpi: Add acpi_gpio_need_run_edge_events_on_boot() getter Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 519/567] gpiolib: acpi: Move quirks to a separate file Greg Kroah-Hartman
2026-02-10 16:06 ` Ben Hutchings
2026-02-11 11:36 ` Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 520/567] gpiolib: acpi: Add a quirk for Acer Nitro V15 Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 521/567] gpiolib: acpi: Add quirk for ASUS ProArt PX13 Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 522/567] gpiolib: acpi: Add quirk for Dell Precision 7780 Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 523/567] netfilter: nft_ct: add seqadj extension for natted connections Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 524/567] md/raid10: wait barrier before returning discard request with REQ_NOWAIT Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 525/567] drm/panthor: Flush shmem writes before mapping buffers CPU-uncached Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 526/567] net: ipv6: ioam6: use consistent dst names Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 527/567] ipv6: adopt dst_dev() helper Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 528/567] net: use dst_dev_rcu() in sk_setup_caps() Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 529/567] usbnet: Fix using smp_processor_id() in preemptible code warnings Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 530/567] serial: core: Fix serial device initialization Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 531/567] tty: fix tty_port_tty_*hangup() kernel-doc Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 532/567] x86/microcode/AMD: Select which microcode patch to load Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 533/567] media: i2c: imx219: Fix 1920x1080 mode to use 1:1 pixel aspect ratio Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 534/567] wifi: mt76: mt7925: fix the unfinished command of regd_notifier before suspend Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 535/567] wifi: mt76: mt7925: fix CLC command timeout when suspend/resume Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 536/567] wifi: mt76: mt7925: add handler to hif suspend/resume event Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 537/567] idpf: add support for SW triggered interrupts Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 538/567] idpf: trigger SW interrupt when exiting wb_on_itr mode Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 539/567] idpf: add support for Tx refillqs in flow scheduling mode Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 540/567] idpf: improve when to set RE bit logic Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 541/567] idpf: simplify and fix splitq Tx packet rollback error path Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 542/567] idpf: replace flow scheduling buffer ring with buffer pool Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 543/567] idpf: stop Tx if there are insufficient buffer resources Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 544/567] idpf: remove obsolete stashing code Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 545/567] hrtimers: Make hrtimer_update_function() less expensive Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 546/567] gve: defer interrupt enabling until NAPI registration Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 547/567] ASoC: renesas: rz-ssi: Fix channel swap issue in full duplex mode Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 548/567] block: handle zone management operations completions Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 549/567] soundwire: stream: extend sdw_alloc_stream() to take type parameter Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 550/567] ASoC: qcom: sdw: fix memory leak for sdw_stream_runtime Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 551/567] ASoC: renesas: rz-ssi: Fix rz_ssi_priv::hw_params_cache::sample_width Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 552/567] PCI: brcmstb: Reuse pcie_cfg_data structure Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 553/567] PCI: brcmstb: Set MLW based on "num-lanes" DT property if present Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 554/567] PCI: brcmstb: Fix disabling L0s capability Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 555/567] mm/balloon_compaction: we cannot have isolated pages in the balloon list Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 556/567] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 557/567] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 558/567] media: mediatek: vcodec: Use spinlock for context list protection lock Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 559/567] media: amphion: Add a frame flush mode for decoder Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 560/567] media: amphion: Make some vpu_v4l2 functions static Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 561/567] media: amphion: Remove vpu_vb_is_codecconfig Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 562/567] vfio/pci: Disable qword access to the PCI ROM bar Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 563/567] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 564/567] mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter() Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 565/567] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 566/567] iomap: allocate s_dio_done_wq for async reads as well Greg Kroah-Hartman
2026-01-06 17:05 ` [PATCH 6.12 567/567] block: fix NULL pointer dereference in blk_zone_reset_all_bio_endio() Greg Kroah-Hartman
2026-01-06 19:22 ` [PATCH 6.12 000/567] 6.12.64-rc1 review Brett A C Sheffield
2026-01-06 22:00 ` Pavel Machek
2026-01-06 22:56 ` Shuah Khan
2026-01-07 0:08 ` Peter Schneider
2026-01-07 0:35 ` Florian Fainelli
2026-01-07 10:28 ` Ron Economos
2026-01-07 11:49 ` Mark Brown
2026-01-07 11:53 ` Francesco Dolcini
2026-01-07 12:32 ` Jeffrin Thalakkottoor
2026-01-07 13:44 ` Harshit Mogalapalli
2026-01-07 15:26 ` Miguel Ojeda
2026-01-07 20:05 ` Brett Mastbergen
2026-01-07 20:13 ` Jon Hunter
2026-01-07 20:43 ` Hardik Garg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox