* [PATCH 6.6 000/737] 6.6.120-rc1 review
@ 2026-01-09 11:32 Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 001/737] xfrm: delete x->tunnel as we delete x Greg Kroah-Hartman
` (747 more replies)
0 siblings, 748 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.6.120 release.
There are 737 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sun, 11 Jan 2026 11:19:41 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.120-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.6.120-rc1
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "iommu/amd: Skip enabling command/event buffers for kdump"
Amitai Gottlieb <amitaig@hailo.ai>
firmware: arm_scmi: Fix unused notifier-block in unregister
Jiri Slaby (SUSE) <jirislaby@kernel.org>
tty: fix tty_port_tty_*hangup() kernel-doc
Ming Lei <ming.lei@redhat.com>
blk-mq: setup queue ->tag_set before initializing hctx
Sean Nyekjaer <sean@geanix.com>
pwm: stm32: Always program polarity
Alexis Lothoré <alexis.lothore@bootlin.com>
net: stmmac: make sure that ptp_rate is not 0 before configuring EST
Lizhi Xu <lizhi.xu@windriver.com>
ext4: filesystems without casefold feature cannot be mounted with siphash
Maximilian Immanuel Brandtner <maxbr@linux.ibm.com>
virtio_console: fix order of fields cols and rows
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damos_test_filter_out()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle memory failure from damon_test_target()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter()
SeongJae Park <sj@kernel.org>
mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ()
Zhu Yanjun <yanjun.zhu@linux.dev>
RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests
Zhu Yanjun <yanjun.zhu@linux.dev>
RDMA/rxe: Remove the direct link to net_device
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
net: Allow to use SMP threads for backlog NAPI.
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
net: Remove conditional threaded-NAPI wakeup based on task state.
Peter Zijlstra (Intel) <peterz@infradead.org>
sched/fair: Proportional newidle balance
Peter Zijlstra <peterz@infradead.org>
sched/fair: Small cleanup to update_newidle_cost()
Peter Zijlstra <peterz@infradead.org>
sched/fair: Small cleanup to sched_balance_newidle()
Zhu Yanjun <yanjun.zhu@linux.dev>
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
SeongJae Park <sj@kernel.org>
mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions()
SeongJae Park <sj@kernel.org>
mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail()
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: SVM: Fix redundant updates of LBR MSR intercepts
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: nSVM: Fix and simplify LBR virtualization handling with nested
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: SVM: Introduce svm_recalc_lbr_msr_intercepts()
Chen-Yu Tsai <wenst@chromium.org>
media: mediatek: vcodec: Use spinlock for context list protection lock
Ming Qian <ming.qian@oss.nxp.com>
media: amphion: Remove vpu_vb_is_codecconfig
Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
media: amphion: Make some vpu_v4l2 functions static
Ming Qian <ming.qian@oss.nxp.com>
media: amphion: Add a frame flush mode for decoder
Dongli Zhang <dongli.zhang@oracle.com>
KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit
David Hildenbrand <david@redhat.com>
powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
David Hildenbrand <david@redhat.com>
mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize()
David Hildenbrand <david@redhat.com>
mm/balloon_compaction: we cannot have isolated pages in the balloon list
Nicolas Dufresne <nicolas.dufresne@collabora.com>
media: verisilicon: Fix CPU stalls on G2 bus error
Benjamin Gaignard <benjamin.gaignard@collabora.com>
media: verisilicon: g2: Use common helpers to compute chroma and mv offsets
Benjamin Gaignard <benjamin.gaignard@collabora.com>
media: verisilicon: Store chroma and motion vectors offset
Chao Yu <chao@kernel.org>
f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes()
Chao Yu <chao@kernel.org>
f2fs: use global inline_xattr_slab instead of per-sb slab cache
Chao Yu <chao@kernel.org>
f2fs: fix to propagate error from f2fs_enable_checkpoint()
Chao Yu <chao@kernel.org>
f2fs: fix to avoid updating compression context during writeback
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: drop inode from the donation list when the last file is closed
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: keep POSIX_FADV_NOREUSE ranges
Chao Yu <chao@kernel.org>
f2fs: remove unused GC_FAILURE_PIN
Gyeyoung Baek <gye976@gmail.com>
genirq/irq_sim: Initialize work context pointers properly
Jingbo Xu <jefflexu@linux.alibaba.com>
mm: fix arithmetic for max_prop_frac when setting max_ratio
Jingbo Xu <jefflexu@linux.alibaba.com>
mm: fix arithmetic for bdi min_ratio
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
Dong Chenchen <dongchenchen2@huawei.com>
page_pool: Fix use-after-free in page_pool_recycle_in_ring
Florian Westphal <fw@strlen.de>
xfrm: state: fix out-of-bounds read during lookup
Ye Bin <yebin10@huawei.com>
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
Ye Bin <yebin10@huawei.com>
ext4: introduce ITAIL helper
Gabriel Krisman Bertazi <krisman@suse.de>
ext4: fix error message when rejecting the default hash
Hari Bathini <hbathini@linux.ibm.com>
powerpc/64s/radix/kfence: map __kfence_pool at page granularity
Chenghao Duan <duanchenghao@kylinos.cn>
LoongArch: Refactor register restoration in ftrace_common_return
Aurabindo Pillai <aurabindo.pillai@amd.com>
drm/amd/display: Fix null pointer deref in dcn20_resource.c
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
Michal Pecio <michal.pecio@gmail.com>
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Niklas Neronin <niklas.neronin@linux.intel.com>
usb: xhci: move link chain bit quirk checks into one helper function.
Łukasz Bartosik <ukaszb@chromium.org>
xhci: dbgtty: fix device unregister: fixup
Jiri Slaby (SUSE) <jirislaby@kernel.org>
tty: introduce and use tty_port_tty_vhangup() helper
Kory Maincent (TI.com) <kory.maincent@bootlin.com>
drm/tilcdc: Fix removal actions in case of failed probe
Philipp Stanner <pstanner@redhat.com>
drm/tilcdc: request and mapp iomem with devres
Johan Hovold <johan@kernel.org>
drm/mediatek: Fix probe resource leaks
Johan Hovold <johan@kernel.org>
drm/mediatek: Fix probe memory leak
Natalie Vock <natalie.vock@gmx.de>
drm/amdgpu: Forward VMID reservation errors
Paolo Abeni <pabeni@redhat.com>
mptcp: ensure context reset on disconnect()
Miaoqian Lin <linmq006@gmail.com>
net: phy: mediatek: fix nvmem cell reference leak in mt798x_phy_calibration
Wentao Liang <vulab@iscas.ac.cn>
pmdomain: imx: Fix reference count leak in imx_gpc_probe()
Rob Herring <robh@kernel.org>
pmdomain: Use device_get_match_data()
Bijan Tabatabai <bijan311@gmail.com>
mm: consider non-anon swap cache folios in folio_expected_ref_count()
David Hildenbrand <david@redhat.com>
mm: simplify folio_expected_ref_count()
Jouni Malinen <jouni.malinen@oss.qualcomm.com>
wifi: mac80211: Discard Beacon frames to non-broadcast address
NeilBrown <neil@brown.name>
lockd: fix vfs_test_lock() calls
Paolo Abeni <pabeni@redhat.com>
mptcp: fallback earlier on simult connection
Jim Quinlan <james.quinlan@broadcom.com>
PCI: brcmstb: Fix disabling L0s capability
Joanne Koong <joannelkoong@gmail.com>
fuse: fix readahead reclaim deadlock
Joshua Rogers <linux@joshua.hu>
svcrdma: bound check rq_pages index in inline path
Nicolas Ferre <nicolas.ferre@microchip.com>
ARM: dts: microchip: sama7g5: fix uart fifo size to 32
Askar Safin <safinaskar@gmail.com>
gpiolib: acpi: Add quirk for Dell Precision 7780
Chuck Lever <chuck.lever@oracle.com>
NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap
Chao Yu <chao@kernel.org>
f2fs: fix to avoid potential deadlock
Chao Yu <chao@kernel.org>
f2fs: use f2fs_err_ratelimited() to avoid redundant logs
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ignore unknown endpoint flags
Seunghwan Baek <sh8267.baek@samsung.com>
scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error
Johan Hovold <johan@kernel.org>
usb: ohci-nxp: fix device leak on probe failure
Zhang Zekun <zhangzekun11@huawei.com>
usb: ohci-nxp: Use helper function devm_clk_get_enabled()
xu xin <xu.xin16@zte.com.cn>
mm/ksm: fix exec/fork inheritance support for prctl
Sven Eckelmann (Plasma Cloud) <se@simonwunderlich.de>
wifi: mt76: Fix DTS power-limits on little endian systems
Josef Bacik <josef@toxicpanda.com>
btrfs: don't rewrite ret from inode_permission
Alexey Velichayshiy <a.velichayshiy@ispras.ru>
gfs2: fix freeze error handling
Ye Bin <yebin10@huawei.com>
jbd2: fix the inconsistency between checksum and data in memory for journal sb
Fedor Pchelkin <pchelkin@ispras.ru>
ext4: fix string copying in parse_apply_sb_mount_options()
Denis Arefev <arefev@swemel.ru>
ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
Junrui Luo <moonafterrain@outlook.com>
ALSA: wavefront: Clear substream pointers on close
Takashi Iwai <tiwai@suse.de>
ALSA: wavefront: Use guard() for spin locks
Junrui Luo <moonafterrain@outlook.com>
ALSA: wavefront: Fix integer overflow in sample size validation
Takashi Iwai <tiwai@suse.de>
ALSA: wavefront: Use standard print API
Kuniyuki Iwashima <kuniyu@google.com>
mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
tpm: Cap the number of PCR banks
Ming Lei <ming.lei@redhat.com>
blk-mq: add helper for checking if one CPU is mapped to specified hctx
Johan Hovold <johan@kernel.org>
usb: gadget: lpc32xx_udc: fix clock imbalance in error path
Lyude Paul <lyude@redhat.com>
drm/nouveau/dispnv50: Don't call drm_atomic_get_crtc_state() in prepare_fb
Krzysztof Niemiec <krzysztof.niemiec@intel.com>
drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer
Nikolay Kuratov <kniv@yandex-team.ru>
drm/msm/dpu: Add missing NULL pointer check for pingpong interface
René Rebe <rene@exactco.de>
drm/mgag200: Fix big-endian support
Simon Richter <Simon.Richter@hogyros.de>
drm/ttm: Avoid NULL pointer deref for evicted BOs
Miaoqian Lin <linmq006@gmail.com>
drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse()
Thomas Zimmermann <tzimmermann@suse.de>
drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()
Akhil P Oommen <akhilpo@oss.qualcomm.com>
drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers
Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma
Xiaolei Wang <xiaolei.wang@windriver.com>
net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open()
Deepanshu Kartikey <kartikey406@gmail.com>
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
Ethan Nelson-Moore <enelsonmoore@gmail.com>
net: usb: sr9700: fix incorrect command used to write single register
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
nfsd: Drop the client reference in client_states_open()
Hengqi Chen <hengqi.chen@gmail.com>
LoongArch: BPF: Sign extend kfunc call arguments
Hengqi Chen <hengqi.chen@gmail.com>
LoongArch: BPF: Zero-extend bpf_tail_call() index
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
fjes: Add missing iounmap in fjes_hw_init()
Guangshuo Li <lgs201920130244@gmail.com>
e1000: fix OOB in e1000_tbi_should_accept()
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/cm: Fix leaking the multicast GID table reference
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
Chenghao Duan <duanchenghao@kylinos.cn>
samples/ftrace: Adjust LoongArch register restore order in direct calls
Kaushlendra Kumar <kaushlendra.kumar@intel.com>
tools/mm/page_owner_sort: fix timestamp comparison for stable sorting
Rong Zhang <i@rong.moe>
x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo
Matthew Wilcox (Oracle) <willy@infradead.org>
idr: fix idr_alloc() returning an ID out of range
Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
kasan: refactor pcpu kasan vmalloc unpoison
H. Peter Anvin <hpa@zytor.com>
compiler_types.h: add "auto" as a macro for "__auto_type"
Tiezhu Yang <yangtiezhu@loongson.cn>
LoongArch: Use unsigned long for _end and _text
WangYuli <wangyl5933@chinaunicom.cn>
LoongArch: Use __pmd()/__pte() for swap entry conversions
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Fix build errors for CONFIG_RANDSTRUCT
Qiang Ma <maqianga@uniontech.com>
LoongArch: Correct the calculation logic of thread_count
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Add new PCI ID for pci_fixup_vgadev()
Haoxiang Li <haoxiang_li2024@163.com>
media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
Duoming Zhou <duoming@zju.edu.cn>
media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
Duoming Zhou <duoming@zju.edu.cn>
media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
Ming Qian <ming.qian@oss.nxp.com>
media: amphion: Cancel message work before releasing the VPU core
Johan Hovold <johan@kernel.org>
media: vpif_display: fix section mismatch
Johan Hovold <johan@kernel.org>
media: vpif_capture: fix section mismatch
Haotian Zhang <vulab@iscas.ac.cn>
media: videobuf2: Fix device reference leak in vb2_dc_alloc error path
Nicolas Dufresne <nicolas.dufresne@collabora.com>
media: verisilicon: Protect G2 HEVC decoder against invalid DPB index
Duoming Zhou <duoming@zju.edu.cn>
media: TDA1997x: Remove redundant cancel_delayed_work in probe
Marek Szyprowski <m.szyprowski@samsung.com>
media: samsung: exynos4-is: fix potential ABBA deadlock on init
Miaoqian Lin <linmq006@gmail.com>
media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled
Ivan Abramov <i.abramov@mt-integration.ru>
media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
Haotian Zhang <vulab@iscas.ac.cn>
media: cec: Fix debugfs leak on bus_register() failure
René Rebe <rene@exactco.de>
fbdev: tcx.c fix mem_map to correct smem_start offset
Thorsten Blum <thorsten.blum@linux.dev>
fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
Rene Rebe <rene@exactco.de>
fbdev: gbefb: fix to use physical address instead of dma address
Mikulas Patocka <mpatocka@redhat.com>
dm-bufio: align write boundary on physical block size
Uladzislau Rezki (Sony) <urezki@gmail.com>
dm-ebs: Mark full buffer dirty even on partial write
Mahesh Rao <mahesh.rao@altera.com>
firmware: stratix10-svc: Add mutex in stratix10 memory management
Ivan Abramov <i.abramov@mt-integration.ru>
media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
David Hildenbrand <david@redhat.com>
powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION
Sven Schnelle <svens@stackframe.org>
parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
Sven Schnelle <svens@stackframe.org>
parisc: entry.S: fix space adjustment on interruption for 64-bit userspace
Haotian Zhang <vulab@iscas.ac.cn>
media: rc: st_rc: Fix reset control resource leak
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
mfd: max77620: Fix potential IRQ chip conflict when probing two devices
Johan Hovold <johan@kernel.org>
mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup
Nathan Chancellor <nathan@kernel.org>
clk: samsung: exynos-clkout: Assign .num before accessing .hws
Christian Hitz <christian.hitz@bbv.ch>
leds: leds-lp50xx: Enable chip before any communication
Christian Hitz <christian.hitz@bbv.ch>
leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs
Christian Hitz <christian.hitz@bbv.ch>
leds: leds-lp50xx: Allow LED 0 to be added to module bank
Donet Tom <donettom@linux.ibm.com>
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
Dave Vasilevsky <dave@vasilevsky.ca>
powerpc, mm: Fix mprotect on book3s 32-bit
Siddharth Vadapalli <s-vadapalli@ti.com>
arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator
Lukas Wunner <lukas@wunner.de>
PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths
Hans de Goede <johannes.goede@oss.qualcomm.com>
HID: logitech-dj: Remove duplicate error logging
Lu Baolu <baolu.lu@linux.intel.com>
iommu: disable SVA when CONFIG_X86 is set
Johan Hovold <johan@kernel.org>
iommu/tegra: fix device leak on probe_device()
Johan Hovold <johan@kernel.org>
iommu/sun50i: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/qcom: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/omap: fix device leaks on probe_device()
Johan Hovold <johan@kernel.org>
iommu/mediatek: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/mediatek-v1: fix device leaks on probe()
Johan Hovold <johan@kernel.org>
iommu/mediatek-v1: fix device leak on probe_device()
Johan Hovold <johan@kernel.org>
iommu/ipmmu-vmsa: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/exynos: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/apple-dart: fix device leak on of_xlate()
Jinhui Guo <guojinhui.liam@bytedance.com>
iommu/amd: Fix pci_segment memleak in alloc_pci_segment()
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6adm: the the copp device only during last instance
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6asm-dai: perform correct state check before closing
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr
Johan Hovold <johan@kernel.org>
ASoC: stm32: sai: fix OF node leak on probe
Johan Hovold <johan@kernel.org>
ASoC: stm32: sai: fix clk prepare imbalance on probe failure
Johan Hovold <johan@kernel.org>
ASoC: stm32: sai: fix device leak on probe
Matthew Wilcox (Oracle) <willy@infradead.org>
ntfs: Do not overwrite uptodate pages
Yipeng Zou <zouyipeng@huawei.com>
selftests/ftrace: traceonoff_triggers: strip off names
Cong Zhang <cong.zhang@oss.qualcomm.com>
blk-mq: skip CPU offline notify on unmapped hctx
Ming Lei <ming.lei@redhat.com>
blk-mq: don't schedule block kworker on isolated CPUs
Thomas Fourier <fourier.thomas@gmail.com>
RDMA/bnxt_re: fix dma_free_coherent() pointer
Honggang LI <honggangli@163.com>
RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
Zilin Guan <zilin@seu.edu.cn>
ksmbd: Fix memory leak in get_file_all_info()
Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
RDMA/bnxt_re: Fix to use correct page size for PDE table
Alok Tiwari <alok.a.tiwari@oracle.com>
RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
Alok Tiwari <alok.a.tiwari@oracle.com>
RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
Jang Ingyu <ingyujang25@korea.ac.kr>
RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
Michael Margolin <mrgolin@amazon.com>
RDMA/efa: Remove possible negative shift
Michal Schmidt <mschmidt@redhat.com>
RDMA/irdma: avoid invalid read in irdma_net_event
Pwnverse <stanksal@purdue.edu>
net: rose: fix invalid array index in rose_kill_by_device()
Ido Schimmel <idosch@nvidia.com>
ipv4: Fix reference count leak when using error routes with nexthop objects
Will Rosenberg <whrosenb@asu.edu>
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Wei Fang <wei.fang@nxp.com>
net: stmmac: fix the crash issue for zero copy XDP_TX action
Anshumali Gaur <agaur@marvell.com>
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
Junrui Luo <moonafterrain@outlook.com>
platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
Bagas Sanjaya <bagasdotme@gmail.com>
net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct
Deepanshu Kartikey <kartikey406@gmail.com>
net: usb: asix: validate PHY address before use
Jonas Gorski <jonas.gorski@gmail.com>
net: dsa: b53: skip multicast entries for fdb_dump()
Thomas Fourier <fourier.thomas@gmail.com>
firewire: nosy: Fix dma_free_coherent() size
Andrew Morton <akpm@linux-foundation.org>
genalloc.h: fix htmldocs warning
Yeoreum Yun <yeoreum.yun@arm.com>
smc91x: fix broken irq-context in PREEMPT_RT
Alice C. Munduruca <alice.munduruca@canonical.com>
selftests: net: fix "buffer overflow detected" for tap.c
Deepakkumar Karn <dkarn@redhat.com>
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
Raju Rangoju <Raju.Rangoju@amd.com>
amd-xgbe: reset retries and mode on RX adapt failures
Jiri Pirko <jiri@resnulli.us>
team: fix check for port enabled in team_queue_override_port_prio_changed()
Junrui Luo <moonafterrain@outlook.com>
platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
Thomas Fourier <fourier.thomas@gmail.com>
platform/x86: msi-laptop: add missing sysfs_remove_group()
Eric Dumazet <edumazet@google.com>
ip6_gre: make ip6gre_header() robust
Toke Høiland-Jørgensen <toke@redhat.com>
net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
Jacky Chou <jacky_chou@aspeedtech.com>
net: mdio: aspeed: add dummy read to avoid read-after-write issue
Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Bluetooth: btusb: revert use of devm_kzalloc in btusb
Herbert Xu <herbert@gondor.apana.org.au>
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
Kohei Enju <enjuk@amazon.com>
iavf: fix off-by-one issues in iavf_config_rss_reg()
Przemyslaw Korba <przemyslaw.korba@intel.com>
i40e: fix scheduling in set_rx_mode
Aloka Dixit <aloka.dixit@oss.qualcomm.com>
wifi: mac80211: do not use old MBSSID elements
Dan Carpenter <dan.carpenter@linaro.org>
wifi: cfg80211: sme: store capped length in __cfg80211_connect_result()
Ping-Ke Shih <pkshih@realtek.com>
wifi: rtw88: limit indirect IO under powered off for RTL8822CS
Johan Hovold <johan@kernel.org>
iommu/mediatek: fix use-after-free on probe deferral
Nicolas Ferre <nicolas.ferre@microchip.com>
ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (max16065) Use local variable to avoid TOCTOU
Ma Ke <make24@iscas.ac.cn>
i2c: amd-mp2: fix reference leak in MP2 PCI device
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
platform/x86: intel: chtwc_int33fe: don't dereference swnode args
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
rpmsg: glink: fix rpmsg device leak
Johan Hovold <johan@kernel.org>
soc: amlogic: canvas: fix device leak on lookup
Johan Hovold <johan@kernel.org>
soc: qcom: ocmem: fix device leak on lookup
Steven Rostedt <rostedt@goodmis.org>
tracing: Fix fixed array of synthetic event
Johan Hovold <johan@kernel.org>
amba: tegra-ahb: Fix device leak on SMMU enable
Guangshuo Li <lgs201920130244@gmail.com>
crypto: caam - Add check for kcalloc() in test_len()
Shivani Agarwal <shivani.agarwal@broadcom.com>
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
Adrian Moreno <amorenoz@redhat.com>
selftests: openvswitch: Fix escape chars in regexp.
Alex Deucher <alexander.deucher@amd.com>
drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
Jens Axboe <axboe@kernel.dk>
io_uring/poll: correctly handle io_poll_add() return value on update
Wentao Guan <guanwentao@uniontech.com>
gpio: regmap: Fix memleak in error path in gpio_regmap_register()
Sven Schnelle <svens@linux.ibm.com>
s390/ipl: Clear SBP flag when bootprog is set
Filipe Manana <fdmanana@suse.com>
btrfs: don't log conflicting inode if it's a dir moved in the current transaction
Nysal Jan K.A. <nysal@linux.ibm.com>
powerpc/kexec: Enable SMT before waking offline CPUs
Joshua Rogers <linux@joshua.hu>
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
Joshua Rogers <linux@joshua.hu>
svcrdma: return 0 on success from svc_rdma_copy_inline_range
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
nfsd: Mark variable __maybe_unused to avoid W=1 build break
caoping <caoping@cmss.chinamobile.com>
net/handshake: restore destructor on submit failure
Amir Goldstein <amir73il@gmail.com>
fsnotify: do not generate ACCESS/MODIFY events on child for special files
René Rebe <rene@exactco.de>
r8169: fix RTL8117 Wake-on-Lan in DASH mode
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: runtime: Do not clear needs_force_resume with enabled runtime PM
Steven Rostedt <rostedt@goodmis.org>
tracing: Do not register unsupported perf events
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
xfs: fix a memory leak in xfs_buf_item_init()
Sean Christopherson <seanjc@google.com>
KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits
Sean Christopherson <seanjc@google.com>
KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN)
Jim Mattson <jmattson@google.com>
KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation
Jim Mattson <jmattson@google.com>
KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE
fuqiang wang <fuqiang.wng@gmail.com>
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
fuqiang wang <fuqiang.wng@gmail.com>
KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn()
Sean Christopherson <seanjc@google.com>
KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0
Ilya Dryomov <idryomov@gmail.com>
libceph: make decode_pool() more resilient against corrupted osdmaps
Helge Deller <deller@gmx.de>
parisc: Do not reprogram affinitiy on ASP chip
Zhichi Lin <zhichi.lin@vivo.com>
scs: fix a wrong parameter in __scs_magic
Tzung-Bi Shih <tzungbi@kernel.org>
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
Maxim Levitsky <mlevitsk@redhat.com>
KVM: x86: Don't clear async #PF queue when CR0.PG is disabled (e.g. on #SMI)
Prithvi Tambewagh <activprithvi@gmail.com>
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
Jeongjun Park <aha310510@gmail.com>
media: vidtv: initialize local pointers upon transfer of memory ownership
Alison Schofield <alison.schofield@intel.com>
tools/testing/nvdimm: Use per-DIMM device handle
Chao Yu <chao@kernel.org>
f2fs: fix return value of f2fs_recover_fsync_data()
Xiaole He <hexiaole1994@126.com>
f2fs: fix age extent cache insertion skip on counter overflow
Deepanshu Kartikey <kartikey406@gmail.com>
f2fs: invalidate dentry cache on failed whiteout creation
Chao Yu <chao@kernel.org>
f2fs: fix to avoid updating zero-sized extent in extent cache
Jan Prusakowski <jprusakowski@google.com>
f2fs: ensure node page reads complete before f2fs_put_super() finishes
Andrey Vatoropin <a.vatoropin@crpt.ru>
scsi: target: Reset t_task_cdb pointer in error case
Dai Ngo <dai.ngo@oracle.com>
NFSD: use correct reservation type in nfsd4_scsi_fence_client
Junrui Luo <moonafterrain@outlook.com>
scsi: aic94xx: fix use-after-free in device removal path
Tony Battersby <tonyb@cybernetics.com>
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
Miaoqian Lin <linmq006@gmail.com>
cpufreq: nforce2: fix reference count leak in nforce2
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpuidle: governors: teo: Drop misguided target residency check
Ma Ke <make24@iscas.ac.cn>
intel_th: Fix error handling in intel_th_output_open
Tianchu Chen <flynnnchen@tencent.com>
char: applicom: fix NULL pointer dereference in ac_ioctl
Haoxiang Li <haoxiang_li2024@163.com>
usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
Udipto Goswami <udipto.goswami@oss.qualcomm.com>
usb: dwc3: keep susphy enabled during exit to avoid controller faults
Miaoqian Lin <linmq006@gmail.com>
usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
Johan Hovold <johan@kernel.org>
usb: phy: isp1301: fix non-OF device reference imbalance
Duoming Zhou <duoming@zju.edu.cn>
usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
Ma Ke <make24@iscas.ac.cn>
USB: lpc32xx_udc: Fix error handling in probe
Johan Hovold <johan@kernel.org>
phy: broadcom: bcm63xx-usbh: fix section mismatches
Colin Ian King <colin.i.king@gmail.com>
media: pvrusb2: Fix incorrect variable used in trace message
Jeongjun Park <aha310510@gmail.com>
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
Chen Changcheng <chenchangcheng@kylinos.cn>
usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
Paolo Abeni <pabeni@redhat.com>
mptcp: avoid deadlock on fallback while reinjecting
Paolo Abeni <pabeni@redhat.com>
mptcp: schedule rtx timer only after pushing data
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
media: v4l2-mem2mem: Fix outdated documentation
Byungchul Park <byungchul@sk.com>
jbd2: use a weaker annotation in journal handling
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key
Baokun Li <libaokun1@huawei.com>
ext4: align max orphan file size with e2fsprogs limit
Yongjian Sun <sunyongjian1@huawei.com>
ext4: fix incorrect group number assertion in mb_check_buddy
Haibo Chen <haibo.chen@nxp.com>
ext4: clear i_state_flags when alloc inode
Karina Yankevich <k.yankevich@omp.ru>
ext4: xattr: fix null pointer deref in ext4_raw_inode()
Steven Rostedt <rostedt@goodmis.org>
ktest.pl: Fix uninitialized var in config-bisect.pl
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: fix mount failure for sparse runs in run_unpack()
Zheng Yejian <zhengyejian@huaweicloud.com>
kallsyms: Fix wrong "big" kernel symbol type read from procfs
Rene Rebe <rene@exactco.de>
floppy: fix for PAGE_SIZE != 4KB
Li Chen <chenl311@chinatelecom.cn>
block: rate-limit capacity change info log
Stefan Haberland <sth@linux.ibm.com>
s390/dasd: Fix gendisk parent after copy pair swap
Eric Biggers <ebiggers@kernel.org>
lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
Sarthak Garg <sarthak.garg@oss.qualcomm.com>
mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
Prithvi Tambewagh <activprithvi@gmail.com>
io_uring: fix filename leak in __io_openat_prep()
Jarkko Sakkinen <jarkko@kernel.org>
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
Zilin Guan <zilin@seu.edu.cn>
cifs: Fix memory and information leak in smb3_reconfigure()
Stefano Garzarella <sgarzare@redhat.com>
vhost/vsock: improve RCU read sections around vhost_vsock_get()
Dan Carpenter <dan.carpenter@linaro.org>
block: rnbd-clt: Fix signedness bug in init_dev()
Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks
Daniel Wagner <wagi@kernel.org>
nvme-fc: don't hold rport lock when putting ctrl
Jinhui Guo <guojinhui.liam@bytedance.com>
i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware
Ian Rogers <irogers@google.com>
libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map
Wenhua Lin <Wenhua.Lin@unisoc.com>
serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
Chen Changcheng <chenchangcheng@kylinos.cn>
usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.
Hongyu Xie <xiehongyu1@kylinos.cn>
usb: xhci: limit run_graceperiod for only usb 3.0 devices
Pei Xiao <xiaopei01@kylinos.cn>
iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains
Mark Pearson <mpearson-lenovo@squebb.ca>
usb: typec: ucsi: Handle incorrect num_connectors capability
Lizhi Xu <lizhi.xu@windriver.com>
usbip: Fix locking bug in RT-enabled kernels
Yuezhang Mo <Yuezhang.Mo@sony.com>
exfat: fix remount failure in different process environments
Encrow Thorne <jyc0019@gmail.com>
reset: fix BIT macro reference
Li Qiang <liqiang01@kylinos.cn>
via_wdt: fix critical boot hang due to unnamed resource allocation
Bernd Schubert <bschubert@ddn.com>
fuse: Invalidate the page cache after FOPEN_DIRECT_IO write
Bernd Schubert <bschubert@ddn.com>
fuse: Always flush the page cache before FOPEN_DIRECT_IO write
Tony Battersby <tonyb@cybernetics.com>
scsi: qla2xxx: Use reinit_completion on mbx_intr_comp
Tony Battersby <tonyb@cybernetics.com>
scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive
Tony Battersby <tonyb@cybernetics.com>
scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled
Ben Collins <bcollins@kernel.org>
powerpc/addnote: Fix overflow on 32-bit builds
Josua Mayer <josua@solid-run.com>
clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4
Matthias Schiffer <matthias.schiffer@tq-group.com>
ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx
Peng Fan <peng.fan@nxp.com>
firmware: imx: scu-irq: Init workqueue before request mbox channel
Jinhui Guo <guojinhui.liam@bytedance.com>
ipmi: Fix __scan_channels() failing to rescan channels
Jinhui Guo <guojinhui.liam@bytedance.com>
ipmi: Fix the race between __scan_channels() and deliver_response()
Shipei Qu <qu@darknavy.com>
ALSA: usb-mixer: us16x08: validate meter packet indices
Haotian Zhang <vulab@iscas.ac.cn>
ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path
Haotian Zhang <vulab@iscas.ac.cn>
ALSA: vxpocket: Fix resource leak in vxpocket_probe error path
Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
Andrew Jeffery <andrew@codeconstruct.com.au>
dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml
Jared Kangas <jkangas@redhat.com>
mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
Christophe Leroy <christophe.leroy@csgroup.eu>
spi: fsl-cpm: Check length parity before switching to 16 bit mode
Pengjie Zhang <zhangpengjie2@huawei.com>
ACPI: CPPC: Fix missing PCC check for guaranteed_perf
Pengjie Zhang <zhangpengjie2@huawei.com>
ACPI: PCC: Fix race condition by removing static qualifier
Marc Kleine-Budde <mkl@pengutronix.de>
can: gs_usb: gs_can_open(): fix error handling
Christoffer Sandberg <cs@tuxedo.de>
Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
Junjie Cao <junjie.cao@intel.com>
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
Ping Cheng <pinglinux@gmail.com>
HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix buffer validation by including null terminator size in EA length
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: Fix refcount leak when invalid session is found on session lookup
Qianchang Zhao <pioooooooooip@gmail.com>
ksmbd: skip lock-range check on equal size to avoid size==0 underflow
Thomas Fourier <fourier.thomas@gmail.com>
block: rnbd-clt: Fix leaked ID in init_dev()
Anurag Dutta <a-dutta@ti.com>
spi: cadence-quadspi: Fix clock disable on probe failure path
Juergen Gross <jgross@suse.com>
x86/xen: Fix sparse warning in enlighten_pv.c
Brian Gerst <brgerst@gmail.com>
x86/xen: Move Xen upcall handler
Marijn Suijten <marijn.suijten@somainline.org>
drm/panel: sony-td4353-jdi: Enable prepare_prev_first
Haoxiang Li <haoxiang_li2024@163.com>
MIPS: Fix a reference leak bug in ip22_check_gio()
Alexey Simakov <bigalex934@gmail.com>
hwmon: (tmp401) fix overflow caused by default conversion rate value
Junrui Luo <moonafterrain@outlook.com>
hwmon: (ibmpex) fix use-after-free in high/low store
Jian Shen <shenjian15@huawei.com>
net: hns3: add VLAN id validation before using
Jian Shen <shenjian15@huawei.com>
net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
Jian Shen <shenjian15@huawei.com>
net: hns3: using the num_tqps in the vf driver to apply for resources
Wei Fang <wei.fang@nxp.com>
net: enetc: do not transmit redirected XDP frames when the link is down
Scott Mayhew <smayhew@redhat.com>
net/handshake: duplicate handshake cancellations leak socket
Shay Drory <shayd@nvidia.com>
net/mlx5: Serialize firmware reset with devlink
Moshe Shemesh <moshe@nvidia.com>
net/mlx5: Skip HotPlug check on sync reset using hot reset
Shay Drory <shayd@nvidia.com>
net/mlx5: fw_tracer, Handle escaped percent properly
Shay Drory <shayd@nvidia.com>
net/mlx5: fw_tracer, Validate format string parameters
Moshe Shemesh <moshe@nvidia.com>
net/mlx5: Drain firmware reset in shutdown callback
Moshe Shemesh <moshe@nvidia.com>
net/mlx5: fw reset, clear reset requested on drain_fw_reset
Gal Pressman <gal@nvidia.com>
ethtool: Avoid overflowing userspace buffer on stats query
Jason Gunthorpe <jgg@ziepe.ca>
iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: remove redundant chain validation on register store
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: allow loads only when register is initialized
Florian Westphal <fw@strlen.de>
netfilter: nf_tables: pass context structure to nft_parse_register_load
Dan Carpenter <dan.carpenter@linaro.org>
nfc: pn533: Fix error code in pn533_acr122_poweron_rdr()
Victor Nogueira <victor@mojatatu.com>
net/sched: ets: Remove drr class from the active list if it changes to strict
Junrui Luo <moonafterrain@outlook.com>
caif: fix integer underflow in cffrml_receive()
Slavin Liu <slavin452@gmail.com>
ipvs: fix ipv4 null-ptr-deref in route error path
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nf_conncount: fix leaked ct in error paths
Alexey Simakov <bigalex934@gmail.com>
broadcom: b44: prevent uninitialized value usage
Ilya Maximets <i.maximets@ovn.org>
net: openvswitch: fix middle attribute validation in push_nsh() action
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum_router: Fix neighbour use-after-free
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum_router: Fix possible neighbour reference count leak
Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2()
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
Wang Liang <wangliang74@huawei.com>
netrom: Fix memory leak in nr_sendmsg()
Wei Fang <wei.fang@nxp.com>
net: fec: ERR007885 Workaround for XDP TX path
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: Fix use of bio_chain
Gongwei Li <ligongwei@kylinos.cn>
Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE
Chingbin Li <liqb365@163.com>
Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV
Qianchang Zhao <pioooooooooip@gmail.com>
ksmbd: vfs: fix race on m_flags in vfs_cache
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
ChenXiaoSong <chenxiaosong@kylinos.cn>
smb/server: fix return value of smb2_ioctl()
Andreas Gruenbacher <agruenba@redhat.com>
gfs2: fix remote evict for read-only filesystems
Qu Wenruo <wqu@suse.com>
btrfs: scrub: always update btrfs_scrub_progress::last_physical
Hans de Goede <hansg@kernel.org>
wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix volume corruption issue for generic/073
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
hfsplus: Verify inode mode when loading from disk
Yang Chenzhi <yang.chenzhi@vivo.com>
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix volume corruption issue for generic/070
Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
ntfs: set dummy blocksize to read boot_block when mounting
Mikhail Malyshev <mike.malyshev@gmail.com>
kbuild: Use objtree for module signing key path
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: Support timestamps prior to epoch
Song Liu <song@kernel.org>
livepatch: Match old_sympos 0 and 1 in klp_find_func()
Aboorva Devarajan <aboorvad@linux.ibm.com>
cpuidle: menu: Use residency threshold in polling state override decisions
Shuhao Fu <sfual@cse.ust.hk>
cpufreq: s5pv210: fix refcount leak
Hal Feng <hal.feng@starfivetech.com>
cpufreq: dt-platdev: Add JH7110S SOC to the allowlist
Sakari Ailus <sakari.ailus@linux.intel.com>
ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only
Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
ACPICA: Avoid walking the Namespace if start_node is NULL
Peter Zijlstra <peterz@infradead.org>
x86/ptrace: Always inline trivial accessors
Peter Zijlstra <peterz@infradead.org>
sched/fair: Revert max_newidle_lb_cost bump
Doug Berger <opendmb@gmail.com>
sched/deadline: only set free_cpus for online runqueues
George Kennedy <george.kennedy@oracle.com>
perf/x86/amd: Check event before enable to avoid GPF
Joanne Koong <joannelkoong@gmail.com>
iomap: account for unaligned end offsets when truncating read range
Joanne Koong <joannelkoong@gmail.com>
iomap: adjust read range correctly for non-block-aligned positions
Deepanshu Kartikey <kartikey406@gmail.com>
btrfs: fix memory leak of fs_devices in degraded seed device path
Ondrej Mosnacek <omosnace@redhat.com>
bpf, arm64: Do not audit capability check in do_jit()
Qu Wenruo <wqu@suse.com>
btrfs: fix a potential path leak in print_data_reloc_error()
Filipe Manana <fdmanana@suse.com>
btrfs: do not skip logging new dentries when logging a new name
Xin Long <lucien.xin@gmail.com>
ipv6: add exception routes to GC list in rt6_insert_exception
Eric Dumazet <edumazet@google.com>
ipv6: avoid possible NULL deref in modify_prefix_route()
Junrui Luo <moonafterrain@outlook.com>
ALSA: dice: fix buffer overflow in detect_stream_formats()
Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
usb: phy: Initialize struct usb_phy list_head
Haotien Hsu <haotienh@nvidia.com>
usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
Thangaraj Samynathan <thangaraj.s@microchip.com>
net: lan743x: Allocate rings outside ZONE_DMA
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Add machine_kexec_mask_interrupts() implementation
Dmitry Antipov <dmantipov@yandex.ru>
ocfs2: fix memory leak in ocfs2_merge_rec_left()
Dan Carpenter <dan.carpenter@linaro.org>
irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
efi/cper: Adjust infopfx size to accept an extra space
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
efi/cper: Add a new helper function to print bitmasks
Haotian Zhang <vulab@iscas.ac.cn>
dm log-writes: Add missing set_freezable() for freezable kthread
Alexey Simakov <bigalex934@gmail.com>
dm-raid: fix possible NULL dereference with undefined raid type
Mohamed Khalfella <mkhalfella@purestorage.com>
block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock
Liyuan Pang <pangliyuan1@huawei.com>
ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad()
Junrui Luo <moonafterrain@outlook.com>
ALSA: firewire-motu: add bounds check in put_user loop for DSP events
Haotian Zhang <vulab@iscas.ac.cn>
rtc: gamecube: Check the return value of ioremap()
Andres J Rosa <andyrosa@gmail.com>
ALSA: uapi: Fix typo in asound.h comment
Dave Kleikamp <dave.kleikamp@oracle.com>
dma/pool: eliminate alloc_pages warning in atomic_pool_expand
Junrui Luo <moonafterrain@outlook.com>
ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
Israel Rukshin <israelr@nvidia.com>
nvme-auth: use kvfree() for memory allocated with kvcalloc()
shechenglong <shechenglong@xfusion.com>
block: fix comment for op_is_zone_mgmt() to include RESET_ALL
Cong Zhang <cong.zhang@oss.qualcomm.com>
blk-mq: Abort suspend when wakeup events are pending
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: ak5558: Disable regulator when error happens
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: ak4458: Disable regulator when error happens
Haotian Zhang <vulab@iscas.ac.cn>
ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure()
Anton Khirnov <anton@khirnov.net>
platform/x86: asus-wmi: use brightness_set_blocking() for kbd led
Armin Wolf <W_Armin@gmx.de>
fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix inheritance of the block sizes when automounting
Trond Myklebust <trond.myklebust@primarydata.com>
Expand the type of nfs_fattr->valid
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
Trond Myklebust <trond.myklebust@hammerspace.com>
Revert "nfs: ignore SB_RDONLY when mounting nfs"
Trond Myklebust <trond.myklebust@hammerspace.com>
Revert "nfs: clear SB_RDONLY before getting superblock"
Trond Myklebust <trond.myklebust@hammerspace.com>
Revert "nfs: ignore SB_RDONLY when remounting nfs"
Jonathan Curley <jcurley@purestorage.com>
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Initialise verifiers for visible dentries in nfs_atomic_open()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Initialise verifiers for visible dentries in readdir and lookup
Armin Wolf <W_Armin@gmx.de>
fs/nls: Fix utf16 to utf8 conversion
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Avoid changing nlink when file removes and attribute updates race
Eric Sandeen <sandeen@redhat.com>
9p: fix cache/debug options printing in v9fs_show_options
Abdun Nihaal <nihaal@cse.iitm.ac.in>
fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe()
Haotian Zhang <vulab@iscas.ac.cn>
pinctrl: single: Fix incorrect type for error return variable
Matthijs Kooijman <matthijs@stdin.nl>
pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling
Namhyung Kim <namhyung@kernel.org>
perf tools: Fix split kallsyms DSO counting
Xiang Mei <xmei5@asu.edu>
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
Johan Hovold <johan@kernel.org>
clk: keystone: fix compile testing
Yu Kuai <yukuai@fnnas.com>
md/raid5: fix IO hang when array is broken with IO inflight
Alexandru Gagniuc <mr.nuke.me@gmail.com>
remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs
Ivan Stepchenko <sid@itb.spb.ru>
mtd: lpddr_cmds: fix signed shifts in lpddr_cmds
Hangbin Liu <liuhangbin@gmail.com>
selftests: bonding: add delay before each xvlan_over_bond connectivity check
Etienne Champetier <champetier.etienne@gmail.com>
selftests: bonding: add ipvlan over bond testing
Benjamin Poirier <bpoirier@nvidia.com>
selftests: bonding: Add more missing config options
Jakub Kicinski <kuba@kernel.org>
selftests: bonding: add missing build configs
Haotian Zhang <vulab@iscas.ac.cn>
mtd: rawnand: renesas: Handle devm_pm_runtime_enable() errors
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
net: stmmac: fix rx limit check in stmmac_rx_zc()
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nft_connlimit: update the count if add was skipped
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nf_conncount: rework API to use sk_buff directly
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: flowtable: check for maximum number of encapsulations in bridge vlan
Ilias Stamatis <ilstam@amazon.com>
Reinstate "resource: avoid unnecessary lookups in find_next_iomem_res()"
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
resource: introduce is_type_match() helper and use it
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
resource: replace open coded resource_intersection()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
resource: Reuse for_each_resource() macro
sparkhuang <huangshaobo3@xiaomi.com>
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
Marek Szyprowski <m.szyprowski@samsung.com>
ARM: dts: samsung: exynos4412-midas: turn off SDIO WLAN chip during system suspend
Marek Szyprowski <m.szyprowski@samsung.com>
ARM: dts: samsung: exynos4210-trats: turn off SDIO WLAN chip during system suspend
Marek Szyprowski <m.szyprowski@samsung.com>
ARM: dts: samsung: exynos4210-i9100: turn off SDIO WLAN chip during system suspend
Marek Szyprowski <m.szyprowski@samsung.com>
ARM: dts: samsung: universal_c210: turn off SDIO WLAN chip during system suspend
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: Intel: catpt: Fix error path in hw_params()
Alok Tiwari <alok.a.tiwari@oracle.com>
vdpa/pds: use %pe for ERR_PTR() in event handler registration
Michael S. Tsirkin <mst@redhat.com>
virtio: fix virtqueue_set_affinity() docs
Michael S. Tsirkin <mst@redhat.com>
virtio: fix whitespace in virtio_config_ops
Michael S. Tsirkin <mst@redhat.com>
virtio: fix typo in virtio_device_ready() comment
Alok Tiwari <alok.a.tiwari@oracle.com>
virtio_vdpa: fix misleading return in void function
Yongjian Sun <sunyongjian1@huawei.com>
ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation
Kemeng Shi <shikemeng@huaweicloud.com>
ext4: remove unused return value of __mb_check_buddy
Kevin Brodsky <kevin.brodsky@arm.com>
ublk: prevent invalid access with DEBUG
Caleb Sander Mateos <csander@purestorage.com>
ublk: complete command synchronously on error
Ming Lei <ming.lei@redhat.com>
ublk: make sure io cmd handled in submitter task context
René Rebe <rene@exactco.de>
ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4
Haotian Zhang <vulab@iscas.ac.cn>
hwmon: sy7636a: Fix regulator_enable resource leak on error path
Dan Carpenter <dan.carpenter@linaro.org>
drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: clear the channel status control memory
Jacob Moroni <jmoroni@google.com>
RDMA/irdma: Do not directly rely on IB_PD_UNSAFE_GLOBAL_RKEY
Sindhu Devale <sindhu.devale@intel.com>
RDMA/irdma: Add support to re-register a memory region
Krzysztof Czurylo <krzysztof.czurylo@intel.com>
RDMA/irdma: Fix data race in irdma_free_pble
Krzysztof Czurylo <krzysztof.czurylo@intel.com>
RDMA/irdma: Fix data race in irdma_sc_ccq_arm
Stephan Gerhold <stephan.gerhold@linaro.org>
iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal
Randy Dunlap <rdunlap@infradead.org>
backlight: lp855x: Fix lp855x.h kernel-doc warnings
Luca Ceresoli <luca.ceresoli@bootlin.com>
backlight: led-bl: Add devlink to supplier LEDs
Ria Thomas <ria.thomas@morsemicro.com>
wifi: ieee80211: correct FILS status codes
Christoph Hellwig <hch@lst.de>
iomap: always run error completions in user context
Christoph Hellwig <hch@lst.de>
iomap: factor out a iomap_dio_done helper
Timur Tabi <ttabi@nvidia.com>
drm/nouveau: restrict the flush page to a 32-bit address
Shawn Lin <shawn.lin@rock-chips.com>
PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition
Filipe Manana <fdmanana@suse.com>
btrfs: fix leaf leak in an error path in btrfs_del_items()
Jianglei Nie <niejianglei2021@163.com>
staging: fbtft: core: fix potential memory leak in fbtft_probe_common()
Dinh Nguyen <dinguyen@kernel.org>
firmware: stratix10-svc: fix make htmldocs warning for stratix10_svc
Zilin Guan <zilin@seu.edu.cn>
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
Selvin Xavier <selvin.xavier@broadcom.com>
RDMA/bnxt_re: Fix the inline size for GenP7 devices
Fangyu Yu <fangyu.yu@linux.alibaba.com>
RISC-V: KVM: Fix guest page fault within HLV* instructions
Haotian Zhang <vulab@iscas.ac.cn>
crypto: ccree - Correctly handle return of sg_nents_for_len
Haotian Zhang <vulab@iscas.ac.cn>
crypto: starfive - Correctly handle return of sg_nents_for_len
Matt Bobrowski <mattbobrowski@google.com>
selftests/bpf: Improve reliability of test_perf_branches_no_hw()
Matt Bobrowski <mattbobrowski@google.com>
selftests/bpf: skip test_perf_branches_hw() on unsupported platforms
Gopi Krishna Menon <krishnagopi487@gmail.com>
usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE
Jisheng Zhang <jszhang@kernel.org>
usb: dwc2: fix hang during suspend if set as peripheral
Jisheng Zhang <jszhang@kernel.org>
usb: dwc2: fix hang during shutdown if set as peripheral
Jisheng Zhang <jszhang@kernel.org>
usb: dwc2: disable platform lowlevel hw resources during shutdown
Oliver Neukum <oneukum@suse.com>
usb: chaoskey: fix locking for O_NONBLOCK
Zhao Yipeng <zhaoyipeng5@huawei.com>
ima: Handle error code returned by ima_filter_rule_match()
Seungjin Bae <eeodqql09@gmail.com>
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
Chen Ridong <chenridong@huawei.com>
cpuset: Treat cpusets in attaching as populated
Alexander Dahl <ada@thorsis.com>
net: phy: adin1100: Fix software power-down ready condition
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
phy: renesas: rcar-gen3-usb2: Fix an error handling path in rcar_gen3_phy_usb2_probe()
Haotian Zhang <vulab@iscas.ac.cn>
mfd: mt6358-irq: Fix missing irq_domain_remove() in error path
Haotian Zhang <vulab@iscas.ac.cn>
mfd: mt6397-irq: Fix missing irq_domain_remove() in error path
Chien Wong <m@xv97.com>
wifi: mac80211: fix CMAC functions not handling errors
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: remove RX_DROP_UNUSABLE
Zilin Guan <zilin@seu.edu.cn>
scsi: qla2xxx: Fix improper freeing of purex item
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: bcm2835: Make sure the channel is enabled after pwm_request()
Leo Yan <leo.yan@arm.com>
perf arm_spe: Fix memset subclass in operation
Leo Yan <leo.yan@arm.com>
perf arm-spe: Extend branch operations
Fernando Fernandez Mancera <fmancera@suse.de>
ipv6: clear RA flags when adding a static route
Kui-Feng Lee <thinker.li@gmail.com>
net/ipv6: Remove expired routes with a separated list of routes.
Jay Liu <jay.liu@mediatek.com>
drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue
Edward Adam Davis <eadavis@qq.com>
fs/ntfs3: Prevent memory leaks in add sub record
Edward Adam Davis <eadavis@qq.com>
fs/ntfs3: out1 also needs to put mi
Ritesh Harjani (IBM) <ritesh.list@gmail.com>
powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format
Ritesh Harjani (IBM) <ritesh.list@gmail.com>
powerpc/64s/hash: Restrict stress_hpt_struct memblock region to within RMA limit
Pu Lehui <pulehui@huawei.com>
bpf: Fix invalid prog->stats access when update_effective_progs fails
Jose Fernandez <josef@netflix.com>
bpf: Improve program stats run-time calculation
Abdun Nihaal <nihaal@cse.iitm.ac.in>
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
drm/msm/a2xx: stop over-complaining about the legacy firmware
Sergey Bashirov <sergeybashirov@gmail.com>
NFSD/blocklayout: Fix minlength check in proc_layoutget
Al Viro <viro@zeniv.linux.org.uk>
tracefs: fix a leak in eventfs_create_events_dir()
Haotian Zhang <vulab@iscas.ac.cn>
watchdog: starfive: Fix resource leak in probe error path
Haotian Zhang <vulab@iscas.ac.cn>
watchdog: wdat_wdt: Fix ACPI table leak in probe function
Martin KaFai Lau <martin.lau@kernel.org>
bpf: Check skb->transport_header is set in bpf_skb_check_mtu
Alexei Starovoitov <ast@kernel.org>
selftests/bpf: Fix failure paths in send_signal test
Menglong Dong <menglong8.dong@gmail.com>
bpf: Handle return value of ftrace_set_filter_ip in register_fentry
Rene Rebe <rene@exactco.de>
ps3disk: use memcpy_{from,to}_bvec index
FUKAUMI Naoki <naoki@radxa.com>
arm64: dts: rockchip: Add eeprom vcc-supply for Radxa ROCK 5A
FUKAUMI Naoki <naoki@radxa.com>
arm64: dts: rockchip: Move the EEPROM to correct I2C bus on Radxa ROCK 5A
Siddharth Vadapalli <s-vadapalli@ti.com>
PCI: keystone: Exit ks_pcie_probe() for invalid mode
Leon Hwang <leon.hwang@linux.dev>
bpf: Free special fields when update [lru_,]percpu_hash maps
Haotian Zhang <vulab@iscas.ac.cn>
leds: netxbig: Fix GPIO descriptor leak in error paths
Haotian Zhang <vulab@iscas.ac.cn>
scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls
Haotian Zhang <vulab@iscas.ac.cn>
ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint()
Dmitry Antipov <dmantipov@yandex.ru>
ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
lib/vsprintf: Check pointer before dereferencing in time_and_date()
Haotian Zhang <vulab@iscas.ac.cn>
clk: renesas: r9a06g032: Fix memory leak in error path
Leo Yan <leo.yan@arm.com>
coresight: etm4x: Add context synchronization before enabling trace
Leo Yan <leo.yan@arm.com>
coresight: etm4x: Extract the trace unit controlling
Leo Yan <leo.yan@arm.com>
coresight: etm4x: Correct polling IDLE bit
Zheng Qixing <zhengqixing@huawei.com>
nbd: defer config unlock in nbd_genl_connect
Abdun Nihaal <nihaal@cse.iitm.ac.in>
wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper()
Long Li <leo.lilong@huawei.com>
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/32: Fix unpaired stwcx. on interrupt exit
Gautham R. Shenoy <gautham.shenoy@amd.com>
cpufreq/amd-pstate: Call cppc_set_auto_sel() only for online CPUs
Bean Huo <beanhuo@micron.com>
scsi: ufs: core: fix incorrect buffer duplication in ufshcd_read_string_desc()
Edward Adam Davis <eadavis@qq.com>
ntfs3: init run lock for extend inode
Jihed Chaibi <jihed.chaibi.dev@gmail.com>
ARM: dts: stm32: stm32mp157c-phycore: Fix STMPE811 touchscreen node properties
Ma Ke <make24@iscas.ac.cn>
RDMA/rtrs: server: Fix error handling in get_or_create_srv
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
dt-bindings: PCI: amlogic: Fix the register name of the DBI region
Johan Hovold <johan@kernel.org>
staging: most: remove broken i2c driver
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
staging: most: i2c: Drop explicit initialization of struct i2c_device_id::driver_data to 0
Mike McGowen <mike.mcgowen@microchip.com>
scsi: smartpqi: Fix device resources accessed after device removal
Haotian Zhang <vulab@iscas.ac.cn>
scsi: stex: Fix reboot_notifier leak in probe error path
Zheng Qixing <zhengqixing@huawei.com>
nbd: defer config put in recv_work
Gabor Juhos <j4g8y7@gmail.com>
regulator: core: disable supply if enabling main regulator fails
Dapeng Mi <dapeng1.mi@linux.intel.com>
perf/x86/intel: Correct large PEBS flag check
Zhang Yi <yi.zhang@huawei.com>
ext4: correct the checking of quota files before moving extents
Haotian Zhang <vulab@iscas.ac.cn>
mfd: da9055: Fix missing regmap_del_irq_chip() in error path
Usama Arif <usamaarif642@gmail.com>
efi/libstub: Fix page table access in 5-level to 4-level paging transition
Usama Arif <usamaarif642@gmail.com>
x86/boot: Fix page table access in 5-level to 4-level paging transition
Jihed Chaibi <jihed.chaibi.dev@gmail.com>
ARM: dts: omap3: n900: Correct obsolete TWL4030 power compatible
Jihed Chaibi <jihed.chaibi.dev@gmail.com>
ARM: dts: omap3: beagle-xm: Correct obsolete TWL4030 power compatible
Yegor Yefremov <yegorslists@googlemail.com>
ARM: dts: am335x-netcom-plus-2xx: add missing GPIO labels
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: Fix timeout handling
Tingmao Wang <m@maowtm.org>
fs/9p: Don't open remote file with APPEND mode when writeback cache is used
Bart Van Assche <bvanassche@acm.org>
scsi: target: Do not write NUL characters into ASCII configfs output
Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
power: supply: apm_power: only unset own apm_get_power_status
Ivan Abramov <i.abramov@mt-integration.ru>
power: supply: wm831x: Check wm831x_set_bits() return value
Murad Masimov <m.masimov@mt-integration.ru>
power: supply: rt9467: Prevent using uninitialized local variable in rt9467_set_value_from_ranges()
Ivan Abramov <i.abramov@mt-integration.ru>
power: supply: rt9467: Return error on failure in rt9467_set_value_from_ranges()
Ivan Abramov <i.abramov@mt-integration.ru>
power: supply: cw2015: Check devm_delayed_work_autocancel() return code
Shuai Xue <xueshuai@linux.alibaba.com>
perf record: skip synthesize event when open evsel failed
Namhyung Kim <namhyung@kernel.org>
perf lock contention: Load kernel map before lookup
Ian Rogers <irogers@google.com>
perf maps: Add maps__load_first()
Kuan-Wei Chiu <visitorckw@gmail.com>
interconnect: debugfs: Fix incorrect error handling for NULL path
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
arm64: dts: qcom: msm8996: add interconnect paths to USB2 controller
Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
interconnect: qcom: msm8996: add missing link to SLAVE_USB_HS
Stanley Chu <yschu@nuvoton.com>
i3c: master: svc: Prevent incomplete IBI transaction
Frank Li <Frank.Li@nxp.com>
i3c: fix refcount inconsistency in i3c_master_register
Jarkko Nikula <jarkko.nikula@linux.intel.com>
i3c: master: Inherit DMA masks and parameters from parent device
Haotian Zhang <vulab@iscas.ac.cn>
pinctrl: stm32: fix hwspinlock resource leak in probe function
Haotian Zhang <vulab@iscas.ac.cn>
soc: qcom: smem: fix hwspinlock resource leak in probe error paths
Benjamin Berg <benjamin.berg@intel.com>
tools/nolibc/stdio: let perror work when NOLIBC_IGNORE_ERRNO is set
Tengda Wu <wutengda@huaweicloud.com>
x86/dumpstack: Prevent KASAN false positive warnings in __show_regs()
Peter Zijlstra <peterz@infradead.org>
task_work: Fix NMI race condition
Haotian Zhang <vulab@iscas.ac.cn>
mtd: rawnand: lpc32xx_slc: fix GPIO descriptor leak on probe error and remove
Aryan Srivastava <aryan.srivastava@alliedtelesis.co.nz>
mtd: nand: relax ECC parameter validation check
Aryan Srivastava <aryan.srivastava@alliedtelesis.co.nz>
Revert "mtd: rawnand: marvell: fix layouts"
Wolfram Sang <wsa+renesas@sang-engineering.com>
ARM: dts: renesas: r9a06g032-rzn1d400-db: Drop invalid #cells properties
Wolfram Sang <wsa+renesas@sang-engineering.com>
ARM: dts: renesas: gose: Remove superfluous port property
Zhu Yanjun <yanjun.zhu@linux.dev>
RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
Kuniyuki Iwashima <kuniyu@google.com>
sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock().
Horatiu Vultur <horatiu.vultur@microchip.com>
phy: mscc: Fix PTP for VSC8574 and VSC8572
Gergo Koteles <soyer@irl.hu>
arm64: dts: qcom: sdm845-oneplus: Correct gpio used for slider
Peng Fan <peng.fan@nxp.com>
firmware: imx: scu-irq: fix OF node leak in
Randolph Sapp <rs@ti.com>
arm64: dts: ti: k3-am62p: Fix memory ranges for GPU
Heiko Carstens <hca@linux.ibm.com>
s390/ap: Don't leak debug feature files if AP instructions are not available
Heiko Carstens <hca@linux.ibm.com>
s390/smp: Fix fallback CPU detection
Baochen Qiang <baochen.qiang@oss.qualcomm.com>
wifi: ath11k: fix peer HE MCS assignment
nieweiqiang <nieweiqiang@huawei.com>
crypto: hisilicon/qm - restore original qos values
Thorsten Blum <thorsten.blum@linux.dev>
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Luca Weiss <luca.weiss@fairphone.com>
clk: qcom: camcc-sm6350: Fix PLL config of PLL2
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
clk: qcom: camcc-sm6350: Specify Titan GDSC power domain as a parent to other
Li Qiang <liqiang01@kylinos.cn>
uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe
Geert Uytterhoeven <geert+renesas@glider.be>
PCI: rcar-gen2: Drop ARM dependency from PCI_RCAR_GEN2
Tim Harvey <tharvey@gateworks.com>
arm64: dts: imx8mp-venice-gw702x: remove off-board sdhc1
Tim Harvey <tharvey@gateworks.com>
arm64: dts: imx8mp-venice-gw702x: remove off-board uart
Tim Harvey <tharvey@gateworks.com>
arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl
Tim Harvey <tharvey@gateworks.com>
arm64: dts: freescale: imx8mp-venice-gw7905-2x: remove duplicate usdhc1 props
Francesco Lavra <flavra@baylibre.com>
iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member
Xuanqiang Luo <luoxuanqiang@kylinos.cn>
inet: Avoid ehash lookup race in inet_ehash_insert()
Xuanqiang Luo <luoxuanqiang@kylinos.cn>
rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu()
Sidharth Seela <sidharthseela@gmail.com>
ntfs3: Fix uninit buffer allocated by __getname()
Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
ntfs3: fix uninit memory after failed mi_read in mi_format_new
Herbert Xu <herbert@gondor.apana.org.au>
crypto: authenc - Correctly pass EINPROGRESS back up to the caller
Johan Hovold <johan@kernel.org>
irqchip/qcom-irq-combiner: Fix section mismatch
Johan Hovold <johan@kernel.org>
irqchip/imx-mu-msi: Fix section mismatch
Johan Hovold <johan@kernel.org>
irqchip/irq-brcmstb-l2: Fix section mismatch
Johan Hovold <johan@kernel.org>
irqchip/irq-bcm7120-l2: Fix section mismatch
Johan Hovold <johan@kernel.org>
irqchip/irq-bcm7038-l1: Fix section mismatch
Fernand Sieber <sieberf@amazon.com>
sched/fair: Forfeit vruntime on yield
Josh Poimboeuf <jpoimboe@kernel.org>
objtool: Fix weak symbol detection
Dylan Hatch <dylanbhatch@google.com>
objtool: Fix standalone --hacks=jump_label
Mavroudis Chatzilazaridis <mavchatz@protonmail.com>
HID: logitech-hidpp: Do not assume FAP in hidpp_send_message_sync()
Marek Vasut <marek.vasut+renesas@mailbox.org>
clk: renesas: cpg-mssr: Read back reset registers to assure values latched
Thierry Bultel <thierry.bultel.yh@bp.renesas.com>
clk: renesas: Pass sub struct of cpg_mssr_priv to cpg_clk_register
Geert Uytterhoeven <geert+renesas@glider.be>
clk: renesas: Use str_on_off() helper
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
clk: renesas: rzg2l: Use %x format specifier to print CLK_ON_R()
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
clk: renesas: rzg2l: Remove critical area
Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
clk: renesas: rzg2l: Simplify the logic in rzg2l_mod_clock_endisable()
Marek Vasut <marek.vasut+renesas@mailbox.org>
clk: renesas: cpg-mssr: Add missing 1ms delay into reset toggle callback
Seungjin Bae <eeodqql09@gmail.com>
USB: Fix descriptor count when handling invalid MBIM extended descriptor
Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
drm/vgem-fence: Fix potential deadlock on release
Guido Günther <agx@sigxcpu.org>
drm/panel: visionox-rm69299: Don't clear all mode flags
Mainak Sen <msen@nvidia.com>
gpu: host1x: Fix race in syncpt alloc/free
Konstantin Andreev <andreev@swemel.ru>
smack: fix bug: unprivileged task can create labels
Navaneeth K <knavaneeth786@gmail.com>
staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
Navaneeth K <knavaneeth786@gmail.com>
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
Navaneeth K <knavaneeth786@gmail.com>
staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
comedi: check device's attached status in compat ioctls
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
comedi: multiq3: sanitize config options in multiq3_attach()
Ian Abbott <abbotti@mev.co.uk>
comedi: c6xdigio: Fix invalid PNP driver unregistration
Zenm Chen <zenmchen@gmail.com>
wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1
Linus Torvalds <torvalds@linux-foundation.org>
samples: work around glibc redefining some of our defines wrong
Huacai Chen <chenhuacai@kernel.org>
LoongArch: Mask all interrupts during kexec/kdump
Naoki Ueki <naoki25519@gmail.com>
HID: elecom: Add support for ELECOM M-XT3URBK (018F)
Antheas Kapenekakis <lkml@antheas.dev>
platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally
Antheas Kapenekakis <lkml@antheas.dev>
platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list
Jia Ston <ston.jia@outlook.com>
platform/x86: huawei-wmi: add keys for HONOR models
April Grimoire <april@aprilg.moe>
HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list
Armin Wolf <W_Armin@gmx.de>
platform/x86: acer-wmi: Ignore backlight event
Praveen Talari <praveen.talari@oss.qualcomm.com>
pinctrl: qcom: msm: Fix deadlock in pinmux configuration
Keith Busch <kbusch@kernel.org>
nvme: fix admin request_queue lifetime
Mario Limonciello (AMD) <superm1@kernel.org>
HID: hid-input: Extend Elan ignore battery quirk to USB
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
bfs: Reconstruct file type when loading from disk
Lushih Hsieh <bruce@mail.kh.edu.tw>
ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series
Yiqi Sun <sunyiqixm@gmail.com>
smb: fix invalid username check in smb3_fs_context_parse_param()
Max Chou <max.chou@realtek.com>
Bluetooth: btrtl: Avoid loading the config file on security chips
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: Use kref in vmw_bo_dirty
Robin Gong <yibin.gong@nxp.com>
spi: imx: keep dma request disabled before dma transfer setup
Alvaro Gamez Machado <alvaro.gamez@hazent.com>
spi: xilinx: increase number of retries before declaring stall
Song Liu <song@kernel.org>
ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct()
Johan Hovold <johan@kernel.org>
USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC
Johan Hovold <johan@kernel.org>
USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC
Magne Bruno <magne.bruno@addi-data.com>
serial: add support of CPCI cards
Johan Hovold <johan@kernel.org>
USB: serial: ftdi_sio: match on interface number for jtag
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: move Telit 0x10c7 composition in the right place
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: add Telit Cinterion FE910C04 new compositions
Slark Xiao <slark_xiao@163.com>
USB: serial: option: add Foxconn T99W760
Omar Sandoval <osandov@fb.com>
KVM: SVM: Don't skip unrelated instruction if INT3/INTO is replaced
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Alexey Nepomnyashih <sdl@nppct.ru>
ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
Alexander Sverdlin <alexander.sverdlin@siemens.com>
locking/spinlock/debug: Fix data-race in do_raw_write_lock
Qianchang Zhao <pioooooooooip@gmail.com>
ksmbd: ipc: fix use-after-free in ipc_msg_send_request
Deepanshu Kartikey <kartikey406@gmail.com>
ext4: refresh inline data size before write operations
Ye Bin <yebin10@huawei.com>
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
Bagas Sanjaya <bagasdotme@gmail.com>
Documentation: process: Also mention Sasha Levin as stable tree maintainer
Stefan Kalscheuer <stefan@stklcode.de>
leds: spi-byte: Use devm_led_classdev_register_ext()
Sabrina Dubroca <sd@queasysnail.net>
xfrm: flush all states in xfrm_state_fini
Sabrina Dubroca <sd@queasysnail.net>
xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added
Sabrina Dubroca <sd@queasysnail.net>
Revert "xfrm: destroy xfrm_state synchronously on net exit path"
Sabrina Dubroca <sd@queasysnail.net>
xfrm: delete x->tunnel as we delete x
-------------
Diffstat:
.../devicetree/bindings/mmc/aspeed,sdhci.yaml | 2 +-
.../devicetree/bindings/pci/amlogic,axg-pcie.yaml | 6 +-
Documentation/driver-api/tty/tty_port.rst | 5 +-
Documentation/process/2.Process.rst | 6 +-
Makefile | 4 +-
arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +-
arch/arm/boot/dts/microchip/sama7g5.dtsi | 4 +-
arch/arm/boot/dts/renesas/r8a7793-gose.dts | 1 -
.../arm/boot/dts/renesas/r9a06g032-rzn1d400-db.dts | 2 -
arch/arm/boot/dts/samsung/exynos4210-i9100.dts | 1 +
arch/arm/boot/dts/samsung/exynos4210-trats.dts | 1 +
.../boot/dts/samsung/exynos4210-universal_c210.dts | 1 +
arch/arm/boot/dts/samsung/exynos4412-midas.dtsi | 1 +
.../dts/st/stm32mp157c-phycore-stm32mp15-som.dtsi | 8 +-
.../boot/dts/ti/omap/am335x-netcom-plus-2xx.dts | 8 +-
arch/arm/boot/dts/ti/omap/omap3-beagle-xm.dts | 2 +-
arch/arm/boot/dts/ti/omap/omap3-n900.dts | 2 +-
arch/arm/include/asm/word-at-a-time.h | 10 +-
.../boot/dts/freescale/imx8mm-venice-gw72xx.dtsi | 11 -
.../boot/dts/freescale/imx8mp-venice-gw702x.dtsi | 51 ---
.../boot/dts/freescale/imx8mp-venice-gw72xx.dtsi | 11 -
arch/arm64/boot/dts/qcom/msm8996.dtsi | 3 +
.../arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 4 +-
arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts | 15 +-
arch/arm64/boot/dts/ti/k3-am62p.dtsi | 2 +-
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 12 +-
arch/arm64/net/bpf_jit_comp.c | 2 +-
arch/loongarch/include/asm/pgtable.h | 4 +-
arch/loongarch/kernel/machine_kexec.c | 24 ++
arch/loongarch/kernel/mcount_dyn.S | 14 +-
arch/loongarch/kernel/relocate.c | 4 +-
arch/loongarch/kernel/setup.c | 8 +-
arch/loongarch/kernel/switch.S | 4 +-
arch/loongarch/net/bpf_jit.c | 18 +
arch/loongarch/net/bpf_jit.h | 26 ++
arch/loongarch/pci/pci.c | 2 +
arch/mips/sgi-ip22/ip22-gio.c | 3 +-
arch/parisc/kernel/asm-offsets.c | 2 +
arch/parisc/kernel/entry.S | 16 +-
arch/powerpc/boot/addnote.c | 7 +-
arch/powerpc/include/asm/book3s/32/tlbflush.h | 5 +-
arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1 -
arch/powerpc/include/asm/kfence.h | 11 +-
arch/powerpc/kernel/entry_32.S | 10 +-
arch/powerpc/kernel/process.c | 5 -
arch/powerpc/kexec/core_64.c | 19 ++
arch/powerpc/mm/book3s32/tlb.c | 9 +
arch/powerpc/mm/book3s64/hash_utils.c | 10 +-
arch/powerpc/mm/book3s64/internal.h | 2 -
arch/powerpc/mm/book3s64/mmu_context.c | 2 -
arch/powerpc/mm/book3s64/radix_pgtable.c | 84 ++++-
arch/powerpc/mm/book3s64/slb.c | 88 -----
arch/powerpc/mm/init-common.c | 3 +
arch/powerpc/mm/ptdump/hashpagetable.c | 6 +
arch/powerpc/platforms/pseries/cmm.c | 5 +-
arch/riscv/kvm/vcpu_insn.c | 22 ++
arch/s390/include/uapi/asm/ipl.h | 1 +
arch/s390/kernel/ipl.c | 48 ++-
arch/s390/kernel/smp.c | 1 +
arch/x86/boot/compressed/pgtable_64.c | 11 +-
arch/x86/crypto/blake2s-core.S | 4 +-
arch/x86/entry/common.c | 72 ----
arch/x86/events/amd/core.c | 7 +-
arch/x86/events/intel/core.c | 4 +-
arch/x86/include/asm/kvm_host.h | 9 +
arch/x86/include/asm/ptrace.h | 20 +-
arch/x86/kernel/cpu/microcode/amd.c | 2 +-
arch/x86/kernel/dumpstack.c | 23 +-
arch/x86/kvm/lapic.c | 32 +-
arch/x86/kvm/svm/nested.c | 26 +-
arch/x86/kvm/svm/svm.c | 176 +++++-----
arch/x86/kvm/svm/svm.h | 8 +-
arch/x86/kvm/vmx/nested.c | 2 +-
arch/x86/kvm/vmx/vmx.c | 2 +-
arch/x86/kvm/vmx/vmx.h | 1 +
arch/x86/kvm/x86.c | 46 ++-
arch/x86/xen/enlighten_pv.c | 69 ++++
block/blk-mq.c | 120 +++++--
block/genhd.c | 2 +-
crypto/af_alg.c | 5 +-
crypto/algif_hash.c | 3 +-
crypto/algif_rng.c | 3 +-
crypto/asymmetric_keys/asymmetric_type.c | 12 +-
crypto/authenc.c | 75 +++--
crypto/seqiv.c | 8 +-
drivers/acpi/acpi_pcc.c | 2 +-
drivers/acpi/acpica/nswalk.c | 9 +-
drivers/acpi/apei/ghes.c | 16 +-
drivers/acpi/cppc_acpi.c | 3 +-
drivers/acpi/processor_core.c | 2 +-
drivers/acpi/property.c | 9 +-
drivers/amba/tegra-ahb.c | 1 +
drivers/base/power/runtime.c | 22 +-
drivers/block/floppy.c | 2 +-
drivers/block/nbd.c | 5 +-
drivers/block/ps3disk.c | 4 +
drivers/block/rnbd/rnbd-clt.c | 13 +-
drivers/block/rnbd/rnbd-clt.h | 2 +-
drivers/block/ublk_drv.c | 35 +-
drivers/bluetooth/btrtl.c | 24 +-
drivers/bluetooth/btusb.c | 16 +-
drivers/bus/ti-sysc.c | 11 +-
drivers/char/applicom.c | 5 +-
drivers/char/ipmi/ipmi_msghandler.c | 20 +-
drivers/char/tpm/tpm-chip.c | 1 -
drivers/char/tpm/tpm1-cmd.c | 5 -
drivers/char/tpm/tpm2-cmd.c | 8 +-
drivers/char/virtio_console.c | 2 +-
drivers/clk/Makefile | 3 +-
drivers/clk/mvebu/cp110-system-controller.c | 20 ++
drivers/clk/qcom/camcc-sm6350.c | 13 +-
drivers/clk/renesas/r7s9210-cpg-mssr.c | 7 +-
drivers/clk/renesas/r8a77970-cpg-mssr.c | 8 +-
drivers/clk/renesas/r9a06g032-clocks.c | 6 +-
drivers/clk/renesas/rcar-gen2-cpg.c | 5 +-
drivers/clk/renesas/rcar-gen2-cpg.h | 3 +-
drivers/clk/renesas/rcar-gen3-cpg.c | 6 +-
drivers/clk/renesas/rcar-gen3-cpg.h | 3 +-
drivers/clk/renesas/rcar-gen4-cpg.c | 6 +-
drivers/clk/renesas/rcar-gen4-cpg.h | 3 +-
drivers/clk/renesas/renesas-cpg-mssr.c | 150 +++++----
drivers/clk/renesas/renesas-cpg-mssr.h | 20 +-
drivers/clk/renesas/rzg2l-cpg.c | 15 +-
drivers/clk/samsung/clk-exynos-clkout.c | 2 +-
drivers/comedi/comedi_fops.c | 42 ++-
drivers/comedi/drivers/c6xdigio.c | 46 ++-
drivers/comedi/drivers/multiq3.c | 9 +
drivers/comedi/drivers/pcl818.c | 5 +-
drivers/cpufreq/amd-pstate.c | 2 +-
drivers/cpufreq/cpufreq-dt-platdev.c | 1 +
drivers/cpufreq/cpufreq-nforce2.c | 3 +
drivers/cpufreq/s5pv210-cpufreq.c | 6 +-
drivers/cpuidle/governors/menu.c | 9 +-
drivers/cpuidle/governors/teo.c | 7 +-
drivers/crypto/caam/caamrng.c | 4 +-
drivers/crypto/ccree/cc_buffer_mgr.c | 6 +-
drivers/crypto/hisilicon/qm.c | 14 +-
drivers/crypto/starfive/jh7110-hash.c | 6 +-
drivers/firewire/nosy.c | 10 +-
drivers/firmware/arm_scmi/notify.c | 1 +
drivers/firmware/efi/cper-arm.c | 52 ++-
drivers/firmware/efi/cper.c | 60 ++++
drivers/firmware/efi/libstub/x86-5lvl.c | 4 +-
drivers/firmware/imx/imx-scu-irq.c | 8 +-
drivers/firmware/stratix10-svc.c | 12 +
drivers/gpio/gpio-regmap.c | 2 +-
drivers/gpio/gpiolib-acpi.c | 22 ++
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 +
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 +-
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 8 +-
drivers/gpu/drm/amd/display/dc/core/dc_surface.c | 2 +-
.../gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 9 +-
drivers/gpu/drm/gma500/fbdev.c | 43 ---
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 37 +-
drivers/gpu/drm/mediatek/mtk_disp_ccorr.c | 23 +-
drivers/gpu/drm/mediatek/mtk_dp.c | 1 +
drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c | 22 +-
drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.h | 2 +-
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 +-
drivers/gpu/drm/mgag200/mgag200_mode.c | 25 ++
drivers/gpu/drm/msm/adreno/a2xx_gpu.c | 2 +-
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
.../gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 10 +-
drivers/gpu/drm/nouveau/dispnv50/atom.h | 13 +
drivers/gpu/drm/nouveau/dispnv50/wndw.c | 2 +-
drivers/gpu/drm/nouveau/nvkm/subdev/fb/base.c | 2 +-
drivers/gpu/drm/panel/panel-sony-td4353-jdi.c | 2 +
drivers/gpu/drm/panel/panel-visionox-rm69299.c | 2 +-
drivers/gpu/drm/tilcdc/tilcdc_crtc.c | 2 +-
drivers/gpu/drm/tilcdc/tilcdc_drv.c | 72 ++--
drivers/gpu/drm/tilcdc/tilcdc_drv.h | 2 +-
drivers/gpu/drm/ttm/ttm_bo_vm.c | 6 +
drivers/gpu/drm/vgem/vgem_fence.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 +-
drivers/gpu/host1x/syncpt.c | 4 +-
drivers/hid/hid-apple.c | 1 +
drivers/hid/hid-elecom.c | 6 +-
drivers/hid/hid-ids.h | 3 +-
drivers/hid/hid-input.c | 23 +-
drivers/hid/hid-logitech-dj.c | 56 ++-
drivers/hid/hid-logitech-hidpp.c | 9 +-
drivers/hid/hid-quirks.c | 3 +-
drivers/hwmon/ibmpex.c | 9 +-
drivers/hwmon/max16065.c | 7 +-
drivers/hwmon/sy7636a-hwmon.c | 7 +-
drivers/hwmon/tmp401.c | 2 +-
drivers/hwmon/w83791d.c | 19 +-
drivers/hwmon/w83l786ng.c | 26 +-
drivers/hwtracing/coresight/coresight-etm4x-core.c | 130 ++++---
drivers/hwtracing/intel_th/core.c | 20 +-
drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 +-
drivers/i2c/busses/i2c-designware-core.h | 1 +
drivers/i2c/busses/i2c-designware-master.c | 7 +
drivers/i3c/master.c | 12 +-
drivers/i3c/master/svc-i3c-master.c | 22 +-
drivers/iio/adc/ti_am335x_adc.c | 2 +-
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 2 +-
drivers/infiniband/core/addr.c | 33 +-
drivers/infiniband/core/cma.c | 3 +
drivers/infiniband/core/device.c | 6 +
drivers/infiniband/core/verbs.c | 2 +-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +-
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
drivers/infiniband/hw/bnxt_re/qplib_res.c | 8 +-
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +-
drivers/infiniband/hw/efa/efa_verbs.c | 4 -
drivers/infiniband/hw/irdma/cm.c | 2 +-
drivers/infiniband/hw/irdma/ctrl.c | 3 +
drivers/infiniband/hw/irdma/main.h | 2 +-
drivers/infiniband/hw/irdma/pble.c | 6 +-
drivers/infiniband/hw/irdma/utils.c | 3 +-
drivers/infiniband/hw/irdma/verbs.c | 241 ++++++++++---
drivers/infiniband/hw/irdma/verbs.h | 3 +
drivers/infiniband/sw/rxe/rxe.c | 22 +-
drivers/infiniband/sw/rxe/rxe.h | 3 +-
drivers/infiniband/sw/rxe/rxe_mcast.c | 22 +-
drivers/infiniband/sw/rxe/rxe_net.c | 25 +-
drivers/infiniband/sw/rxe/rxe_srq.c | 7 +-
drivers/infiniband/sw/rxe/rxe_verbs.c | 26 +-
drivers/infiniband/sw/rxe/rxe_verbs.h | 11 +-
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
drivers/input/serio/i8042-acpipnpio.h | 7 +
drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
drivers/interconnect/debugfs-client.c | 7 +-
drivers/interconnect/qcom/msm8996.c | 1 +
drivers/iommu/amd/init.c | 43 ++-
drivers/iommu/apple-dart.c | 2 +
drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 27 +-
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 +-
drivers/iommu/exynos-iommu.c | 9 +-
drivers/iommu/iommu-sva.c | 3 +
drivers/iommu/iommufd/selftest.c | 8 +-
drivers/iommu/ipmmu-vmsa.c | 2 +
drivers/iommu/mtk_iommu.c | 27 +-
drivers/iommu/mtk_iommu_v1.c | 25 +-
drivers/iommu/omap-iommu.c | 2 +-
drivers/iommu/omap-iommu.h | 2 -
drivers/iommu/sun50i-iommu.c | 2 +
drivers/iommu/tegra-smmu.c | 5 +-
drivers/irqchip/irq-bcm7038-l1.c | 8 +-
drivers/irqchip/irq-bcm7120-l2.c | 17 +-
drivers/irqchip/irq-brcmstb-l2.c | 12 +-
drivers/irqchip/irq-imx-mu-msi.c | 14 +-
drivers/irqchip/irq-mchp-eic.c | 2 +-
drivers/irqchip/qcom-irq-combiner.c | 2 +-
drivers/isdn/capi/capi.c | 8 +-
drivers/leds/leds-lp50xx.c | 67 ++--
drivers/leds/leds-netxbig.c | 36 +-
drivers/leds/leds-spi-byte.c | 11 +-
drivers/macintosh/mac_hid.c | 3 +-
drivers/md/dm-bufio.c | 10 +-
drivers/md/dm-ebs-target.c | 2 +-
drivers/md/dm-log-writes.c | 1 +
drivers/md/dm-raid.c | 2 +
drivers/md/raid5.c | 6 +-
drivers/media/cec/core/cec-core.c | 1 +
.../media/common/videobuf2/videobuf2-dma-contig.c | 1 +
drivers/media/i2c/adv7604.c | 4 +-
drivers/media/i2c/adv7842.c | 11 +-
drivers/media/i2c/msp3400-kthreads.c | 2 +
drivers/media/i2c/tda1997x.c | 1 -
drivers/media/platform/amphion/vpu_malone.c | 35 +-
drivers/media/platform/amphion/vpu_v4l2.c | 28 +-
drivers/media/platform/amphion/vpu_v4l2.h | 18 -
.../mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 14 +-
.../mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c | 12 +-
.../mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h | 2 +-
.../platform/mediatek/vcodec/decoder/vdec_vpu_if.c | 5 +-
.../mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c | 12 +-
.../mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h | 2 +-
.../platform/mediatek/vcodec/encoder/venc_vpu_if.c | 5 +-
drivers/media/platform/renesas/rcar_drif.c | 1 +
.../media/platform/samsung/exynos4-is/media-dev.c | 10 +-
drivers/media/platform/ti/davinci/vpif_capture.c | 4 +-
drivers/media/platform/ti/davinci/vpif_display.c | 4 +-
drivers/media/platform/verisilicon/hantro.h | 2 +
drivers/media/platform/verisilicon/hantro_g2.c | 98 +++++-
.../platform/verisilicon/hantro_g2_hevc_dec.c | 35 +-
.../media/platform/verisilicon/hantro_g2_regs.h | 13 +
.../media/platform/verisilicon/hantro_g2_vp9_dec.c | 30 +-
drivers/media/platform/verisilicon/hantro_hw.h | 4 +
drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2 +
drivers/media/rc/st_rc.c | 2 +-
drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +
drivers/media/usb/dvb-usb/dtv5100.c | 5 +
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
drivers/mfd/altera-sysmgr.c | 2 +
drivers/mfd/da9055-core.c | 1 +
drivers/mfd/max77620.c | 15 +-
drivers/mfd/mt6358-irq.c | 1 +
drivers/mfd/mt6397-irq.c | 1 +
drivers/misc/vmw_balloon.c | 3 +-
drivers/mmc/host/Kconfig | 4 +-
drivers/mmc/host/sdhci-msm.c | 27 +-
drivers/mtd/lpddr/lpddr_cmds.c | 8 +-
drivers/mtd/nand/raw/lpc32xx_slc.c | 2 +
drivers/mtd/nand/raw/marvell_nand.c | 13 +-
drivers/mtd/nand/raw/nand_base.c | 13 +-
drivers/mtd/nand/raw/renesas-nand-controller.c | 5 +-
drivers/net/can/usb/gs_usb.c | 2 +-
drivers/net/dsa/b53/b53_common.c | 3 +
drivers/net/dsa/sja1105/sja1105_static_config.c | 6 +-
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 +
drivers/net/ethernet/broadcom/b44.c | 3 +
drivers/net/ethernet/cadence/macb_main.c | 3 +-
drivers/net/ethernet/freescale/enetc/enetc.c | 3 +-
drivers/net/ethernet/freescale/fec_main.c | 7 +-
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +
.../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 4 +-
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 +-
drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +-
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
drivers/net/ethernet/intel/iavf/iavf_main.c | 4 +-
.../ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 +
drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 5 +
.../ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 97 +++++-
.../ethernet/mellanox/mlx5/core/diag/fw_tracer.h | 1 +
.../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 6 +
drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 59 +++-
drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h | 1 +
drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 +
drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 2 +
.../net/ethernet/mellanox/mlxsw/spectrum_router.c | 27 +-
drivers/net/ethernet/microchip/lan743x_main.c | 3 +-
drivers/net/ethernet/realtek/r8169_main.c | 5 +-
drivers/net/ethernet/smsc/smc91x.c | 10 +-
drivers/net/ethernet/stmicro/stmmac/dwmac5.c | 5 +
.../net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 5 +
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 19 +-
drivers/net/fjes/fjes_hw.c | 12 +-
drivers/net/ipvlan/ipvlan_core.c | 3 +
drivers/net/mdio/mdio-aspeed.c | 7 +
drivers/net/phy/adin1100.c | 2 +-
drivers/net/phy/mediatek-ge-soc.c | 2 +-
drivers/net/phy/mscc/mscc_main.c | 6 +-
drivers/net/team/team.c | 2 +-
drivers/net/usb/asix_common.c | 5 +
drivers/net/usb/rtl8150.c | 2 +
drivers/net/usb/sr9700.c | 4 +-
drivers/net/wireless/ath/ath11k/mac.c | 4 +-
drivers/net/wireless/ath/ath11k/wmi.c | 7 +-
.../net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 14 +
drivers/net/wireless/mediatek/mt76/eeprom.c | 37 +-
drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 4 +-
drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c | 9 +-
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 27 +-
drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 +
drivers/net/wireless/realtek/rtw88/sdio.c | 4 +-
drivers/net/wireless/st/cw1200/bh.c | 6 +-
drivers/nfc/pn533/usb.c | 2 +-
drivers/nvme/host/auth.c | 2 +-
drivers/nvme/host/core.c | 3 +-
drivers/nvme/host/fc.c | 6 +-
drivers/parisc/gsc.c | 4 +-
drivers/pci/controller/Kconfig | 7 +-
drivers/pci/controller/dwc/pci-keystone.c | 2 +
drivers/pci/controller/dwc/pcie-designware.h | 2 +-
drivers/pci/controller/pcie-brcmstb.c | 10 +-
drivers/pci/pci-driver.c | 4 +
drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +-
drivers/phy/renesas/phy-rcar-gen3-usb2.c | 20 +-
drivers/pinctrl/pinctrl-single.c | 25 +-
drivers/pinctrl/qcom/pinctrl-msm.c | 2 +-
drivers/pinctrl/stm32/pinctrl-stm32.c | 2 +-
drivers/platform/chrome/cros_ec_ishtp.c | 1 +
drivers/platform/x86/acer-wmi.c | 4 +
drivers/platform/x86/amd/pmc/pmc-quirks.c | 25 ++
drivers/platform/x86/asus-wmi.c | 8 +-
.../platform/x86/hp/hp-bioscfg/enum-attributes.c | 4 +-
.../platform/x86/hp/hp-bioscfg/int-attributes.c | 2 +-
.../x86/hp/hp-bioscfg/order-list-attributes.c | 5 +
.../x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +
.../platform/x86/hp/hp-bioscfg/string-attributes.c | 2 +-
drivers/platform/x86/huawei-wmi.c | 4 +
drivers/platform/x86/ibm_rtl.c | 2 +-
drivers/platform/x86/intel/chtwc_int33fe.c | 29 +-
drivers/platform/x86/intel/hid.c | 12 +
drivers/platform/x86/msi-laptop.c | 3 +
drivers/pmdomain/actions/owl-sps.c | 16 +-
drivers/pmdomain/imx/gpc.c | 12 +-
drivers/pmdomain/rockchip/pm-domains.c | 13 +-
drivers/power/supply/apm_power.c | 3 +-
drivers/power/supply/cw2015_battery.c | 8 +-
drivers/power/supply/rt9467-charger.c | 6 +-
drivers/power/supply/wm831x_power.c | 10 +-
drivers/pwm/pwm-bcm2835.c | 28 +-
drivers/pwm/pwm-stm32.c | 3 +-
drivers/regulator/core.c | 37 +-
drivers/remoteproc/qcom_q6v5_wcss.c | 8 +-
drivers/rpmsg/qcom_glink_native.c | 8 +
drivers/rtc/rtc-gamecube.c | 4 +
drivers/s390/block/dasd_eckd.c | 8 +
drivers/s390/crypto/ap_bus.c | 8 +-
drivers/scsi/aic94xx/aic94xx_init.c | 3 +
drivers/scsi/qla2xxx/qla_def.h | 1 -
drivers/scsi/qla2xxx/qla_gbl.h | 2 +-
drivers/scsi/qla2xxx/qla_isr.c | 32 +-
drivers/scsi/qla2xxx/qla_mbx.c | 2 +
drivers/scsi/qla2xxx/qla_mid.c | 4 +-
drivers/scsi/qla2xxx/qla_nvme.c | 2 +-
drivers/scsi/qla2xxx/qla_os.c | 14 +-
drivers/scsi/sim710.c | 2 +
drivers/scsi/smartpqi/smartpqi_init.c | 19 ++
drivers/scsi/stex.c | 1 +
drivers/soc/amlogic/meson-canvas.c | 5 +-
drivers/soc/qcom/ocmem.c | 2 +-
drivers/soc/qcom/smem.c | 3 +-
drivers/spi/spi-cadence-quadspi.c | 4 +-
drivers/spi/spi-fsl-spi.c | 2 +-
drivers/spi/spi-imx.c | 15 +-
drivers/spi/spi-tegra210-quad.c | 22 +-
drivers/spi/spi-xilinx.c | 2 +-
drivers/staging/fbtft/fbtft-core.c | 4 +-
drivers/staging/greybus/uart.c | 7 +-
drivers/staging/most/Kconfig | 2 -
drivers/staging/most/Makefile | 1 -
drivers/staging/most/i2c/Kconfig | 13 -
drivers/staging/most/i2c/Makefile | 4 -
drivers/staging/most/i2c/i2c.c | 374 ---------------------
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 +-
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 +-
drivers/target/target_core_configfs.c | 1 -
drivers/target/target_core_transport.c | 1 +
drivers/tty/serial/8250/8250_pci.c | 37 ++
drivers/tty/serial/serial_core.c | 7 +-
drivers/tty/serial/sprd_serial.c | 6 +
drivers/tty/tty_port.c | 17 +-
drivers/ufs/core/ufshcd.c | 7 +-
drivers/uio/uio_fsl_elbc_gpcm.c | 7 +
drivers/usb/class/cdc-acm.c | 7 +-
drivers/usb/core/message.c | 2 +-
drivers/usb/dwc2/platform.c | 16 +-
drivers/usb/dwc3/dwc3-of-simple.c | 7 +-
drivers/usb/dwc3/gadget.c | 2 +-
drivers/usb/dwc3/host.c | 2 +-
drivers/usb/gadget/legacy/raw_gadget.c | 3 +
drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +-
drivers/usb/gadget/udc/tegra-xudc.c | 6 -
drivers/usb/host/ohci-nxp.c | 20 +-
drivers/usb/host/xhci-dbgtty.c | 2 +-
drivers/usb/host/xhci-hub.c | 2 +-
drivers/usb/host/xhci-mem.c | 10 +-
drivers/usb/host/xhci-ring.c | 8 +-
drivers/usb/host/xhci.h | 16 +-
drivers/usb/misc/chaoskey.c | 16 +-
drivers/usb/phy/phy-fsl-usb.c | 1 +
drivers/usb/phy/phy-isp1301.c | 7 +-
drivers/usb/phy/phy.c | 4 +
drivers/usb/renesas_usbhs/pipe.c | 2 +
drivers/usb/serial/belkin_sa.c | 28 +-
drivers/usb/serial/ftdi_sio.c | 72 ++--
drivers/usb/serial/kobil_sct.c | 18 +-
drivers/usb/serial/option.c | 22 +-
drivers/usb/serial/usb-serial.c | 7 +-
drivers/usb/storage/unusual_uas.h | 2 +-
drivers/usb/typec/ucsi/ucsi.c | 6 +
drivers/usb/usbip/vhci_hcd.c | 6 +-
drivers/vdpa/pds/vdpa_dev.c | 2 +-
drivers/vhost/vsock.c | 15 +-
drivers/video/backlight/led_bl.c | 13 +
drivers/video/fbdev/gbefb.c | 5 +-
drivers/video/fbdev/pxafb.c | 12 +-
drivers/video/fbdev/ssd1307fb.c | 4 +-
drivers/video/fbdev/tcx.c | 2 +-
drivers/virtio/virtio_balloon.c | 4 +-
drivers/virtio/virtio_vdpa.c | 2 +-
drivers/watchdog/starfive-wdt.c | 4 +-
drivers/watchdog/via_wdt.c | 1 +
drivers/watchdog/wdat_wdt.c | 64 ++--
fs/9p/v9fs.c | 4 +-
fs/9p/vfs_file.c | 11 +-
fs/9p/vfs_inode.c | 3 +-
fs/9p/vfs_inode_dotl.c | 2 +-
fs/bfs/inode.c | 19 +-
fs/btrfs/ctree.c | 2 +-
fs/btrfs/inode.c | 1 +
fs/btrfs/ioctl.c | 4 +-
fs/btrfs/scrub.c | 5 +
fs/btrfs/tree-log.c | 46 ++-
fs/btrfs/volumes.c | 1 +
fs/exfat/super.c | 19 +-
fs/ext4/ext4.h | 1 +
fs/ext4/ialloc.c | 1 -
fs/ext4/inline.c | 14 +-
fs/ext4/inode.c | 6 +-
fs/ext4/mballoc.c | 58 ++--
fs/ext4/move_extent.c | 2 +-
fs/ext4/orphan.c | 4 +-
fs/ext4/super.c | 34 +-
fs/ext4/xattr.c | 38 +--
fs/ext4/xattr.h | 10 +
fs/f2fs/compress.c | 5 +-
fs/f2fs/data.c | 17 +
fs/f2fs/debug.c | 3 +
fs/f2fs/extent_cache.c | 5 +-
fs/f2fs/f2fs.h | 41 ++-
fs/f2fs/file.c | 92 ++++-
fs/f2fs/inode.c | 20 +-
fs/f2fs/namei.c | 6 +-
fs/f2fs/recovery.c | 23 +-
fs/f2fs/segment.c | 9 +-
fs/f2fs/super.c | 119 +++----
fs/f2fs/xattr.c | 30 +-
fs/f2fs/xattr.h | 10 +-
fs/fuse/file.c | 37 +-
fs/gfs2/glops.c | 3 +-
fs/gfs2/lops.c | 2 +-
fs/gfs2/super.c | 4 +-
fs/hfsplus/bnode.c | 4 +-
fs/hfsplus/dir.c | 7 +-
fs/hfsplus/inode.c | 32 +-
fs/iomap/buffered-io.c | 41 ++-
fs/iomap/direct-io.c | 79 +++--
fs/jbd2/journal.c | 20 +-
fs/jbd2/transaction.c | 21 +-
fs/lockd/svc4proc.c | 4 +-
fs/lockd/svclock.c | 21 +-
fs/lockd/svcproc.c | 5 +-
fs/locks.c | 12 +-
fs/nfs/client.c | 21 +-
fs/nfs/dir.c | 27 +-
fs/nfs/inode.c | 2 +-
fs/nfs/internal.h | 3 +-
fs/nfs/namespace.c | 11 +-
fs/nfs/nfs4client.c | 18 +-
fs/nfs/pnfs.c | 1 +
fs/nfs/super.c | 33 +-
fs/nfsd/blocklayout.c | 7 +-
fs/nfsd/export.c | 2 +-
fs/nfsd/nfs4state.c | 4 +-
fs/nfsd/nfs4xdr.c | 5 +
fs/nls/nls_base.c | 27 +-
fs/notify/fsnotify.c | 9 +-
fs/ntfs3/frecord.c | 43 ++-
fs/ntfs3/fsntfs.c | 9 +-
fs/ntfs3/inode.c | 2 +
fs/ntfs3/ntfs_fs.h | 9 +-
fs/ntfs3/run.c | 6 +-
fs/ntfs3/super.c | 5 +
fs/ocfs2/alloc.c | 1 -
fs/ocfs2/move_extents.c | 8 +-
fs/ocfs2/suballoc.c | 10 +
fs/smb/client/fs_context.c | 4 +-
fs/smb/server/mgmt/tree_connect.c | 18 +-
fs/smb/server/mgmt/tree_connect.h | 1 -
fs/smb/server/mgmt/user_session.c | 4 +-
fs/smb/server/smb2pdu.c | 20 +-
fs/smb/server/transport_ipc.c | 7 +-
fs/smb/server/vfs.c | 5 +-
fs/smb/server/vfs_cache.c | 88 +++--
fs/tracefs/event_inode.c | 3 +-
fs/xfs/xfs_buf_item.c | 1 +
include/linux/balloon_compaction.h | 43 +--
include/linux/blk_types.h | 5 +-
include/linux/compiler_types.h | 13 +
include/linux/cper.h | 12 +-
include/linux/filter.h | 16 +-
include/linux/genalloc.h | 1 +
include/linux/ieee80211.h | 4 +-
include/linux/if_bridge.h | 6 +-
include/linux/jbd2.h | 6 +
include/linux/kasan.h | 15 +
include/linux/mm.h | 10 +-
include/linux/nfs_fs_sb.h | 7 +-
include/linux/nfs_xdr.h | 54 +--
include/linux/platform_data/lp855x.h | 4 +-
include/linux/rculist_nulls.h | 59 ++++
include/linux/reset.h | 1 +
include/linux/sched/topology.h | 3 +
include/linux/tpm.h | 8 +-
include/linux/tty_port.h | 21 +-
include/linux/virtio_config.h | 6 +-
include/media/v4l2-mem2mem.h | 3 +-
include/net/ip6_fib.h | 46 ++-
include/net/netfilter/nf_conntrack_count.h | 15 +-
include/net/netfilter/nf_tables.h | 4 +-
include/net/sock.h | 13 +
include/net/xfrm.h | 13 +-
include/rdma/ib_verbs.h | 2 +
include/sound/snd_wavefront.h | 4 -
include/uapi/linux/mptcp.h | 1 +
include/uapi/sound/asound.h | 2 +-
io_uring/openclose.c | 2 +-
io_uring/poll.c | 9 +-
kernel/bpf/hashtab.c | 10 +-
kernel/bpf/syscall.c | 3 +
kernel/bpf/trampoline.c | 7 +-
kernel/cgroup/cpuset.c | 35 +-
kernel/dma/pool.c | 2 +-
kernel/irq/irq_sim.c | 2 +-
kernel/kallsyms.c | 5 +-
kernel/livepatch/core.c | 8 +-
kernel/locking/spinlock_debug.c | 4 +-
kernel/resource.c | 78 +++--
kernel/sched/core.c | 3 +
kernel/sched/cpudeadline.c | 34 +-
kernel/sched/cpudeadline.h | 4 +-
kernel/sched/deadline.c | 8 +-
kernel/sched/fair.c | 89 +++--
kernel/sched/features.h | 5 +
kernel/sched/sched.h | 7 +
kernel/sched/topology.c | 6 +
kernel/scs.c | 2 +-
kernel/task_work.c | 8 +-
kernel/trace/ftrace.c | 40 ++-
kernel/trace/trace_events.c | 2 +
kernel/trace/trace_events_synth.c | 1 -
lib/idr.c | 2 +
lib/vsprintf.c | 6 +-
mm/balloon_compaction.c | 9 +-
mm/damon/core-test.h | 110 +++++-
mm/damon/vaddr-test.h | 26 +-
mm/kasan/common.c | 17 +
mm/ksm.c | 18 +-
mm/page-writeback.c | 4 +-
mm/vmalloc.c | 4 +-
net/bluetooth/rfcomm/tty.c | 7 +-
net/bridge/br_ioctl.c | 36 +-
net/bridge/br_private.h | 4 +-
net/bridge/netfilter/nft_meta_bridge.c | 2 +-
net/caif/cffrml.c | 9 +-
net/ceph/osdmap.c | 116 +++----
net/core/dev.c | 172 +++++++---
net/core/dev_ioctl.c | 16 -
net/core/filter.c | 9 +-
net/core/page_pool.c | 27 +-
net/ethtool/ioctl.c | 30 +-
net/handshake/request.c | 8 +-
net/hsr/hsr_forward.c | 2 +
net/ipv4/fib_trie.c | 7 +-
net/ipv4/inet_hashtables.c | 8 +-
net/ipv4/ipcomp.c | 2 +
net/ipv4/netfilter/nft_dup_ipv4.c | 4 +-
net/ipv6/addrconf.c | 58 +++-
net/ipv6/calipso.c | 3 +-
net/ipv6/ip6_fib.c | 64 +++-
net/ipv6/ip6_gre.c | 9 +-
net/ipv6/ipcomp6.c | 2 +
net/ipv6/ndisc.c | 10 +-
net/ipv6/netfilter/nft_dup_ipv6.c | 4 +-
net/ipv6/route.c | 14 +-
net/ipv6/xfrm6_tunnel.c | 2 +-
net/key/af_key.c | 2 +-
net/mac80211/aes_cmac.c | 63 +++-
net/mac80211/aes_cmac.h | 8 +-
net/mac80211/cfg.c | 10 -
net/mac80211/drop.h | 33 +-
net/mac80211/rx.c | 57 ++--
net/mac80211/wep.c | 9 +-
net/mac80211/wpa.c | 62 ++--
net/mptcp/options.c | 10 +
net/mptcp/pm_netlink.c | 3 +-
net/mptcp/protocol.c | 36 +-
net/mptcp/protocol.h | 9 +-
net/mptcp/subflow.c | 10 +-
net/netfilter/ipvs/ip_vs_xmit.c | 3 +
net/netfilter/nf_conncount.c | 208 ++++++++----
net/netfilter/nf_tables_api.c | 52 ++-
net/netfilter/nft_bitwise.c | 4 +-
net/netfilter/nft_byteorder.c | 2 +-
net/netfilter/nft_cmp.c | 6 +-
net/netfilter/nft_connlimit.c | 34 +-
net/netfilter/nft_ct.c | 2 +-
net/netfilter/nft_dup_netdev.c | 2 +-
net/netfilter/nft_dynset.c | 4 +-
net/netfilter/nft_exthdr.c | 2 +-
net/netfilter/nft_flow_offload.c | 9 +-
net/netfilter/nft_fwd_netdev.c | 6 +-
net/netfilter/nft_hash.c | 2 +-
net/netfilter/nft_lookup.c | 2 +-
net/netfilter/nft_masq.c | 4 +-
net/netfilter/nft_meta.c | 2 +-
net/netfilter/nft_nat.c | 8 +-
net/netfilter/nft_objref.c | 2 +-
net/netfilter/nft_payload.c | 2 +-
net/netfilter/nft_queue.c | 2 +-
net/netfilter/nft_range.c | 2 +-
net/netfilter/nft_redir.c | 4 +-
net/netfilter/nft_tproxy.c | 4 +-
net/netfilter/xt_connlimit.c | 14 +-
net/netrom/nr_out.c | 4 +-
net/nfc/core.c | 9 +-
net/openvswitch/conntrack.c | 16 +-
net/openvswitch/flow_netlink.c | 13 +-
net/openvswitch/vport-netdev.c | 17 +-
net/rose/af_rose.c | 2 +-
net/sched/sch_cake.c | 60 ++--
net/sched/sch_ets.c | 6 +-
net/sctp/socket.c | 5 +-
net/socket.c | 19 +-
net/sunrpc/auth_gss/svcauth_gss.c | 3 +-
net/sunrpc/xprtrdma/svc_rdma_rw.c | 5 +-
net/wireless/sme.c | 2 +-
net/xfrm/xfrm_ipcomp.c | 1 -
net/xfrm/xfrm_state.c | 125 ++++---
net/xfrm/xfrm_user.c | 2 +-
samples/ftrace/ftrace-direct-modify.c | 8 +-
samples/ftrace/ftrace-direct-multi-modify.c | 8 +-
samples/ftrace/ftrace-direct-multi.c | 4 +-
samples/ftrace/ftrace-direct-too.c | 4 +-
samples/ftrace/ftrace-direct.c | 4 +-
samples/vfs/test-statx.c | 6 +
samples/watch_queue/watch_test.c | 6 +
scripts/Makefile.modinst | 2 +-
security/integrity/ima/ima_policy.c | 2 +-
security/keys/trusted-keys/trusted_tpm2.c | 6 +-
security/smack/smack_lsm.c | 41 ++-
sound/firewire/dice/dice-extension.c | 4 +-
sound/firewire/motu/motu-hwdep.c | 7 +-
sound/isa/wavefront/wavefront.c | 61 ++--
sound/isa/wavefront/wavefront_fx.c | 36 +-
sound/isa/wavefront/wavefront_midi.c | 146 ++++----
sound/isa/wavefront/wavefront_synth.c | 216 ++++++------
sound/pci/hda/cs35l41_hda.c | 2 +
sound/pcmcia/pdaudiocf/pdaudiocf.c | 8 +-
sound/pcmcia/vx/vxpocket.c | 8 +-
sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +-
sound/soc/codecs/ak4458.c | 10 +-
sound/soc/codecs/ak5558.c | 10 +-
sound/soc/fsl/fsl_xcvr.c | 2 +-
sound/soc/intel/catpt/pcm.c | 4 +-
sound/soc/qcom/qdsp6/q6adm.c | 146 ++++----
sound/soc/qcom/qdsp6/q6apm-dai.c | 2 +
sound/soc/qcom/qdsp6/q6asm-dai.c | 7 +-
sound/soc/stm/stm32_sai.c | 14 +-
sound/soc/stm/stm32_sai_sub.c | 51 ++-
sound/usb/mixer_us16x08.c | 20 +-
sound/usb/quirks.c | 6 +
tools/include/nolibc/stdio.h | 4 +
tools/lib/perf/cpumap.c | 10 +-
tools/mm/page_owner_sort.c | 6 +-
tools/objtool/check.c | 3 +-
tools/objtool/elf.c | 8 +-
tools/perf/builtin-record.c | 2 +-
.../util/arm-spe-decoder/arm-spe-pkt-decoder.c | 37 +-
.../util/arm-spe-decoder/arm-spe-pkt-decoder.h | 26 +-
tools/perf/util/bpf_lock_contention.c | 6 +-
tools/perf/util/maps.c | 13 +
tools/perf/util/maps.h | 2 +
tools/perf/util/symbol.c | 4 +-
tools/testing/ktest/config-bisect.pl | 4 +-
tools/testing/nvdimm/test/nfit.c | 7 +-
tools/testing/radix-tree/idr-test.c | 21 ++
.../selftests/bpf/prog_tests/perf_branches.c | 22 +-
.../testing/selftests/bpf/prog_tests/send_signal.c | 5 +
.../selftests/bpf/progs/test_perf_branches.c | 3 +
.../testing/selftests/drivers/net/bonding/Makefile | 2 +-
.../selftests/drivers/net/bonding/bond_macvlan.sh | 99 ------
.../drivers/net/bonding/bond_macvlan_ipvlan.sh | 97 ++++++
tools/testing/selftests/drivers/net/bonding/config | 9 +
.../test.d/ftrace/func_traceonoff_triggers.tc | 5 +-
.../testing/selftests/net/openvswitch/ovs-dpctl.py | 16 +-
tools/testing/selftests/net/tap.c | 16 +-
754 files changed, 6987 insertions(+), 4373 deletions(-)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 001/737] xfrm: delete x->tunnel as we delete x
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 002/737] Revert "xfrm: destroy xfrm_state synchronously on net exit path" Greg Kroah-Hartman
` (746 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Steffen Klassert,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit b441cf3f8c4b8576639d20c8eb4aa32917602ecd ]
The ipcomp fallback tunnels currently get deleted (from the various
lists and hashtables) as the last user state that needed that fallback
is destroyed (not deleted). If a reference to that user state still
exists, the fallback state will remain on the hashtables/lists,
triggering the WARN in xfrm_state_fini. Because of those remaining
references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path") is not complete.
We recently fixed one such situation in TCP due to defered freeing of
skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we
currently drop dst")). This can also happen due to IP reassembly: skbs
with a secpath remain on the reassembly queue until netns
destruction. If we can't guarantee that the queues are flushed by the
time xfrm_state_fini runs, there may still be references to a (user)
xfrm_state, preventing the timely deletion of the corresponding
fallback state.
Instead of chasing each instance of skbs holding a secpath one by one,
this patch fixes the issue directly within xfrm, by deleting the
fallback state as soon as the last user state depending on it has been
deleted. Destruction will still happen when the final reference is
dropped.
A separate lockdep class for the fallback state is required since
we're going to lock x->tunnel while x is locked.
Fixes: 9d4139c76905 ("netns xfrm: per-netns xfrm_state_all list")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xfrm.h | 1 -
net/ipv4/ipcomp.c | 2 ++
net/ipv6/ipcomp6.c | 2 ++
net/ipv6/xfrm6_tunnel.c | 2 +-
net/xfrm/xfrm_ipcomp.c | 1 -
net/xfrm/xfrm_state.c | 19 ++++++++-----------
6 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 84a1c8c861d29..f7a52b9b56acc 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -414,7 +414,6 @@ int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
void xfrm_flush_gc(void);
-void xfrm_state_delete_tunnel(struct xfrm_state *x);
struct xfrm_type {
struct module *owner;
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index 5a4fb2539b08b..9a45aed508d19 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -54,6 +54,7 @@ static int ipcomp4_err(struct sk_buff *skb, u32 info)
}
/* We always hold one tunnel user reference to indicate a tunnel */
+static struct lock_class_key xfrm_state_lock_key;
static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)
{
struct net *net = xs_net(x);
@@ -62,6 +63,7 @@ static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)
t = xfrm_state_alloc(net);
if (!t)
goto out;
+ lockdep_set_class(&t->lock, &xfrm_state_lock_key);
t->id.proto = IPPROTO_IPIP;
t->id.spi = x->props.saddr.a4;
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 72d4858dec18a..8607569de34f3 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -71,6 +71,7 @@ static int ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
return 0;
}
+static struct lock_class_key xfrm_state_lock_key;
static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
{
struct net *net = xs_net(x);
@@ -79,6 +80,7 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
t = xfrm_state_alloc(net);
if (!t)
goto out;
+ lockdep_set_class(&t->lock, &xfrm_state_lock_key);
t->id.proto = IPPROTO_IPV6;
t->id.spi = xfrm6_tunnel_alloc_spi(net, (xfrm_address_t *)&x->props.saddr);
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 1323f2f6928e2..1702b4de1c1ef 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -334,8 +334,8 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
unsigned int i;
- xfrm_flush_gc();
xfrm_state_flush(net, 0, false, true);
+ xfrm_flush_gc();
for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));
diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index 9c0fa0e1786a2..f2e70e918f114 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -315,7 +315,6 @@ void ipcomp_destroy(struct xfrm_state *x)
struct ipcomp_data *ipcd = x->data;
if (!ipcd)
return;
- xfrm_state_delete_tunnel(x);
mutex_lock(&ipcomp_resource_mutex);
ipcomp_free_data(ipcd);
mutex_unlock(&ipcomp_resource_mutex);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index ded559f557675..7c8aeec4fe274 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -736,6 +736,7 @@ void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
}
EXPORT_SYMBOL(__xfrm_state_destroy);
+static void xfrm_state_delete_tunnel(struct xfrm_state *x);
int __xfrm_state_delete(struct xfrm_state *x)
{
struct net *net = xs_net(x);
@@ -756,6 +757,8 @@ int __xfrm_state_delete(struct xfrm_state *x)
xfrm_dev_state_delete(x);
+ xfrm_state_delete_tunnel(x);
+
/* All xfrm_state objects are created by xfrm_state_alloc.
* The xfrm_state_alloc call gives a reference, and that
* is what we are dropping here.
@@ -859,10 +862,7 @@ int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
err = xfrm_state_delete(x);
xfrm_audit_state_delete(x, err ? 0 : 1,
task_valid);
- if (sync)
- xfrm_state_put_sync(x);
- else
- xfrm_state_put(x);
+ xfrm_state_put(x);
if (!err)
cnt++;
@@ -2798,20 +2798,17 @@ void xfrm_flush_gc(void)
}
EXPORT_SYMBOL(xfrm_flush_gc);
-/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
-void xfrm_state_delete_tunnel(struct xfrm_state *x)
+static void xfrm_state_delete_tunnel(struct xfrm_state *x)
{
if (x->tunnel) {
struct xfrm_state *t = x->tunnel;
- if (atomic_read(&t->tunnel_users) == 2)
+ if (atomic_dec_return(&t->tunnel_users) == 1)
xfrm_state_delete(t);
- atomic_dec(&t->tunnel_users);
- xfrm_state_put_sync(t);
+ xfrm_state_put(t);
x->tunnel = NULL;
}
}
-EXPORT_SYMBOL(xfrm_state_delete_tunnel);
u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
{
@@ -2989,8 +2986,8 @@ void xfrm_state_fini(struct net *net)
unsigned int sz;
flush_work(&net->xfrm.state_hash_work);
- flush_work(&xfrm_state_gc_work);
xfrm_state_flush(net, 0, false, true);
+ flush_work(&xfrm_state_gc_work);
WARN_ON(!list_empty(&net->xfrm.state_all));
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 002/737] Revert "xfrm: destroy xfrm_state synchronously on net exit path"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 001/737] xfrm: delete x->tunnel as we delete x Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 003/737] xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Greg Kroah-Hartman
` (745 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Steffen Klassert,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 2a198bbec6913ae1c90ec963750003c6213668c7 ]
This reverts commit f75a2804da391571563c4b6b29e7797787332673.
With all states (whether user or kern) removed from the hashtables
during deletion, there's no need for synchronous destruction of
states. xfrm6_tunnel states still need to have been destroyed (which
will be the case when its last user is deleted (not destroyed)) so
that xfrm6_tunnel_free_spi removes it from the per-netns hashtable
before the netns is destroyed.
This has the benefit of skipping one synchronize_rcu per state (in
__xfrm_state_destroy(sync=true)) when we exit a netns.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xfrm.h | 12 +++---------
net/ipv6/xfrm6_tunnel.c | 2 +-
net/key/af_key.c | 2 +-
net/xfrm/xfrm_state.c | 23 +++++++++--------------
net/xfrm/xfrm_user.c | 2 +-
5 files changed, 15 insertions(+), 26 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index f7a52b9b56acc..892fb8c31c322 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -809,7 +809,7 @@ static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
xfrm_pol_put(pols[i]);
}
-void __xfrm_state_destroy(struct xfrm_state *, bool);
+void __xfrm_state_destroy(struct xfrm_state *);
static inline void __xfrm_state_put(struct xfrm_state *x)
{
@@ -819,13 +819,7 @@ static inline void __xfrm_state_put(struct xfrm_state *x)
static inline void xfrm_state_put(struct xfrm_state *x)
{
if (refcount_dec_and_test(&x->refcnt))
- __xfrm_state_destroy(x, false);
-}
-
-static inline void xfrm_state_put_sync(struct xfrm_state *x)
-{
- if (refcount_dec_and_test(&x->refcnt))
- __xfrm_state_destroy(x, true);
+ __xfrm_state_destroy(x);
}
static inline void xfrm_state_hold(struct xfrm_state *x)
@@ -1661,7 +1655,7 @@ struct xfrmk_spdinfo {
struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
int xfrm_state_delete(struct xfrm_state *x);
-int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
+int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);
int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
int xfrm_dev_policy_flush(struct net *net, struct net_device *dev,
bool task_valid);
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 1702b4de1c1ef..3645ab427e128 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
unsigned int i;
- xfrm_state_flush(net, 0, false, true);
+ xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
xfrm_flush_gc();
for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index d68d01804dc7b..6c4448908afed 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1765,7 +1765,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
if (proto == 0)
return -EINVAL;
- err = xfrm_state_flush(net, proto, true, false);
+ err = xfrm_state_flush(net, proto, true);
err2 = unicast_flush_resp(sk, hdr);
if (err || err2) {
if (err == -ESRCH) /* empty table - go quietly */
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 7c8aeec4fe274..b0e2958342ad2 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -521,7 +521,7 @@ void xfrm_state_free(struct xfrm_state *x)
}
EXPORT_SYMBOL(xfrm_state_free);
-static void ___xfrm_state_destroy(struct xfrm_state *x)
+static void xfrm_state_gc_destroy(struct xfrm_state *x)
{
hrtimer_cancel(&x->mtimer);
del_timer_sync(&x->rtimer);
@@ -559,7 +559,7 @@ static void xfrm_state_gc_task(struct work_struct *work)
synchronize_rcu();
hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
- ___xfrm_state_destroy(x);
+ xfrm_state_gc_destroy(x);
}
static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
@@ -720,19 +720,14 @@ void xfrm_dev_state_free(struct xfrm_state *x)
}
#endif
-void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
+void __xfrm_state_destroy(struct xfrm_state *x)
{
WARN_ON(x->km.state != XFRM_STATE_DEAD);
- if (sync) {
- synchronize_rcu();
- ___xfrm_state_destroy(x);
- } else {
- spin_lock_bh(&xfrm_state_gc_lock);
- hlist_add_head(&x->gclist, &xfrm_state_gc_list);
- spin_unlock_bh(&xfrm_state_gc_lock);
- schedule_work(&xfrm_state_gc_work);
- }
+ spin_lock_bh(&xfrm_state_gc_lock);
+ hlist_add_head(&x->gclist, &xfrm_state_gc_list);
+ spin_unlock_bh(&xfrm_state_gc_lock);
+ schedule_work(&xfrm_state_gc_work);
}
EXPORT_SYMBOL(__xfrm_state_destroy);
@@ -840,7 +835,7 @@ xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool
}
#endif
-int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
+int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
{
int i, err = 0, cnt = 0;
@@ -2986,7 +2981,7 @@ void xfrm_state_fini(struct net *net)
unsigned int sz;
flush_work(&net->xfrm.state_hash_work);
- xfrm_state_flush(net, 0, false, true);
+ xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
flush_work(&xfrm_state_gc_work);
WARN_ON(!list_empty(&net->xfrm.state_all));
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 1d91b42e79971..5b3ab4532aec2 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2380,7 +2380,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_usersa_flush *p = nlmsg_data(nlh);
int err;
- err = xfrm_state_flush(net, p->proto, true, false);
+ err = xfrm_state_flush(net, p->proto, true);
if (err) {
if (err == -ESRCH) /* empty table */
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 003/737] xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 001/737] xfrm: delete x->tunnel as we delete x Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 002/737] Revert "xfrm: destroy xfrm_state synchronously on net exit path" Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 004/737] xfrm: flush all states in xfrm_state_fini Greg Kroah-Hartman
` (744 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+999eb23467f83f9bf9bf,
Sabrina Dubroca, Steffen Klassert, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 10deb69864840ccf96b00ac2ab3a2055c0c04721 ]
In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I
missed the case where state creation fails between full
initialization (->init_state has been called) and being inserted on
the lists.
In this situation, ->init_state has been called, so for IPcomp
tunnels, the fallback tunnel has been created and added onto the
lists, but the user state never gets added, because we fail before
that. The user state doesn't go through __xfrm_state_delete, so we
don't call xfrm_state_delete_tunnel for those states, and we end up
leaking the FB tunnel.
There are several codepaths affected by this: the add/update paths, in
both net/key and xfrm, and the migrate code (xfrm_migrate,
xfrm_state_migrate). A "proper" rollback of the init_state work would
probably be doable in the add/update code, but for migrate it gets
more complicated as multiple states may be involved.
At some point, the new (not-inserted) state will be destroyed, so call
xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states
will have their fallback tunnel cleaned up during __xfrm_state_delete,
which solves the issue that b441cf3f8c4b (and other patches before it)
aimed at. All states (including FB tunnels) will be removed from the
lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).
Reported-by: syzbot+999eb23467f83f9bf9bf@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=999eb23467f83f9bf9bf
Fixes: b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_state.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index b0e2958342ad2..3d806492e1de9 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -521,6 +521,7 @@ void xfrm_state_free(struct xfrm_state *x)
}
EXPORT_SYMBOL(xfrm_state_free);
+static void xfrm_state_delete_tunnel(struct xfrm_state *x);
static void xfrm_state_gc_destroy(struct xfrm_state *x)
{
hrtimer_cancel(&x->mtimer);
@@ -535,6 +536,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
kfree(x->preplay_esn);
if (x->type_offload)
xfrm_put_type_offload(x->type_offload);
+ xfrm_state_delete_tunnel(x);
if (x->type) {
x->type->destructor(x);
xfrm_put_type(x->type);
@@ -731,7 +733,6 @@ void __xfrm_state_destroy(struct xfrm_state *x)
}
EXPORT_SYMBOL(__xfrm_state_destroy);
-static void xfrm_state_delete_tunnel(struct xfrm_state *x);
int __xfrm_state_delete(struct xfrm_state *x)
{
struct net *net = xs_net(x);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 004/737] xfrm: flush all states in xfrm_state_fini
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 003/737] xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 005/737] leds: spi-byte: Use devm_led_classdev_register_ext() Greg Kroah-Hartman
` (743 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6641a61fe0e2e89ae8c5,
Sabrina Dubroca, Simon Horman, Steffen Klassert, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 42e42562c9cfcdacf000f1b42284a4fad24f8546 ]
While reverting commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path"), I incorrectly changed
xfrm_state_flush's "proto" argument back to IPSEC_PROTO_ANY. This
reverts some of the changes in commit dbb2483b2a46 ("xfrm: clean up
xfrm protocol checks"), and leads to some states not being removed
when we exit the netns.
Pass 0 instead of IPSEC_PROTO_ANY from both xfrm_state_fini
xfrm6_tunnel_net_exit, so that xfrm_state_flush deletes all states.
Fixes: 2a198bbec691 ("Revert "xfrm: destroy xfrm_state synchronously on net exit path"")
Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
Tested-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/xfrm6_tunnel.c | 2 +-
net/xfrm/xfrm_state.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 3645ab427e128..775ae1171ef89 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -334,7 +334,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
unsigned int i;
- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ xfrm_state_flush(net, 0, false);
xfrm_flush_gc();
for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 3d806492e1de9..5396fe6b90c66 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2982,7 +2982,7 @@ void xfrm_state_fini(struct net *net)
unsigned int sz;
flush_work(&net->xfrm.state_hash_work);
- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ xfrm_state_flush(net, 0, false);
flush_work(&xfrm_state_gc_work);
WARN_ON(!list_empty(&net->xfrm.state_all));
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 005/737] leds: spi-byte: Use devm_led_classdev_register_ext()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 004/737] xfrm: flush all states in xfrm_state_fini Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 006/737] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
` (742 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Kalscheuer, Lee Jones,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Kalscheuer <stefan@stklcode.de>
[ Upstream commit ccc35ff2fd2911986b716a87fe65e03fac2312c9 ]
Use extended classdev registration to generate generic device names from
color and function enums instead of reading only the label from the
device tree.
Signed-off-by: Stefan Kalscheuer <stefan@stklcode.de>
Link: https://lore.kernel.org/r/20240204150726.29783-1-stefan@stklcode.de
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/leds-spi-byte.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/leds/leds-spi-byte.c b/drivers/leds/leds-spi-byte.c
index afe9bff7c7c16..b04cf502e6035 100644
--- a/drivers/leds/leds-spi-byte.c
+++ b/drivers/leds/leds-spi-byte.c
@@ -83,7 +83,7 @@ static int spi_byte_probe(struct spi_device *spi)
struct device_node *child;
struct device *dev = &spi->dev;
struct spi_byte_led *led;
- const char *name = "leds-spi-byte::";
+ struct led_init_data init_data = {};
const char *state;
int ret;
@@ -96,12 +96,9 @@ static int spi_byte_probe(struct spi_device *spi)
if (!led)
return -ENOMEM;
- of_property_read_string(child, "label", &name);
- strscpy(led->name, name, sizeof(led->name));
led->spi = spi;
mutex_init(&led->mutex);
led->cdef = device_get_match_data(dev);
- led->ldev.name = led->name;
led->ldev.brightness = LED_OFF;
led->ldev.max_brightness = led->cdef->max_value - led->cdef->off_value;
led->ldev.brightness_set_blocking = spi_byte_brightness_set_blocking;
@@ -121,7 +118,11 @@ static int spi_byte_probe(struct spi_device *spi)
spi_byte_brightness_set_blocking(&led->ldev,
led->ldev.brightness);
- ret = devm_led_classdev_register(&spi->dev, &led->ldev);
+ init_data.fwnode = of_fwnode_handle(child);
+ init_data.devicename = "leds-spi-byte";
+ init_data.default_label = ":";
+
+ ret = devm_led_classdev_register_ext(&spi->dev, &led->ldev, &init_data);
if (ret) {
of_node_put(child);
mutex_destroy(&led->mutex);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 006/737] Documentation: process: Also mention Sasha Levin as stable tree maintainer
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 005/737] leds: spi-byte: Use devm_led_classdev_register_ext() Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 007/737] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
` (741 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bagas Sanjaya, Randy Dunlap,
Jonathan Corbet
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
commit ba2457109d5b47a90fe565b39524f7225fc23e60 upstream.
Sasha has also maintaining stable branch in conjunction with Greg
since cb5d21946d2a2f ("MAINTAINERS: Add Sasha as a stable branch
maintainer"). Mention him in 2.Process.rst.
Cc: stable@vger.kernel.org
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20251022034336.22839-1-bagasdotme@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/process/2.Process.rst | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/Documentation/process/2.Process.rst
+++ b/Documentation/process/2.Process.rst
@@ -104,8 +104,10 @@ kernels go out with a handful of known r
of them are serious.
Once a stable release is made, its ongoing maintenance is passed off to the
-"stable team," currently Greg Kroah-Hartman. The stable team will release
-occasional updates to the stable release using the 5.x.y numbering scheme.
+"stable team," currently consists of Greg Kroah-Hartman and Sasha Levin. The
+stable team will release occasional updates to the stable release using the
+5.x.y numbering scheme.
+
To be considered for an update release, a patch must (1) fix a significant
bug, and (2) already be merged into the mainline for the next development
kernel. Kernels will typically receive stable updates for a little more
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 007/737] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 006/737] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 008/737] ext4: refresh inline data size before write operations Greg Kroah-Hartman
` (740 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso,
stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 986835bf4d11032bba4ab8414d18fce038c61bb4 upstream.
There's issue when file system corrupted:
------------[ cut here ]------------
kernel BUG at fs/jbd2/transaction.c:1289!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
Call Trace:
<TASK>
__ext4_journal_get_create_access+0x42/0x170
ext4_getblk+0x319/0x6f0
ext4_bread+0x11/0x100
ext4_append+0x1e6/0x4a0
ext4_init_new_dir+0x145/0x1d0
ext4_mkdir+0x326/0x920
vfs_mkdir+0x45c/0x740
do_mkdirat+0x234/0x2f0
__x64_sys_mkdir+0xd6/0x120
do_syscall_64+0x5f/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue occurs with us in errors=continue mode when accompanied by
storage failures. There have been many inconsistencies in the file system
data.
In the case of file system data inconsistency, for example, if the block
bitmap of a referenced block is not set, it can lead to the situation where
a block being committed is allocated and used again. As a result, the
following condition will not be satisfied then trigger BUG_ON. Of course,
it is entirely possible to construct a problematic image that can trigger
this BUG_ON through specific operations. In fact, I have constructed such
an image and easily reproduced this issue.
Therefore, J_ASSERT() holds true only under ideal conditions, but it may
not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
directly in abnormal situations would cause the system to crash, which is
clearly not what we want. So here we directly trigger a JBD abort instead
of immediately invoking BUG_ON.
Fixes: 470decc613ab ("[PATCH] jbd2: initial copy of files from jbd")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251025072657.307851-1-yebin@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/transaction.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -1274,14 +1274,23 @@ int jbd2_journal_get_create_access(handl
* committing transaction's lists, but it HAS to be in Forget state in
* that case: the transaction must have deleted the buffer for it to be
* reused here.
+ * In the case of file system data inconsistency, for example, if the
+ * block bitmap of a referenced block is not set, it can lead to the
+ * situation where a block being committed is allocated and used again.
+ * As a result, the following condition will not be satisfied, so here
+ * we directly trigger a JBD abort instead of immediately invoking
+ * bugon.
*/
spin_lock(&jh->b_state_lock);
- J_ASSERT_JH(jh, (jh->b_transaction == transaction ||
- jh->b_transaction == NULL ||
- (jh->b_transaction == journal->j_committing_transaction &&
- jh->b_jlist == BJ_Forget)));
+ if (!(jh->b_transaction == transaction || jh->b_transaction == NULL ||
+ (jh->b_transaction == journal->j_committing_transaction &&
+ jh->b_jlist == BJ_Forget)) || jh->b_next_transaction != NULL) {
+ err = -EROFS;
+ spin_unlock(&jh->b_state_lock);
+ jbd2_journal_abort(journal, err);
+ goto out;
+ }
- J_ASSERT_JH(jh, jh->b_next_transaction == NULL);
J_ASSERT_JH(jh, buffer_locked(jh2bh(jh)));
if (jh->b_transaction == NULL) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 008/737] ext4: refresh inline data size before write operations
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 007/737] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 009/737] ksmbd: ipc: fix use-after-free in ipc_msg_send_request Greg Kroah-Hartman
` (739 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f3185be57d7e8dda32b8, stable,
Deepanshu Kartikey, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 892e1cf17555735e9d021ab036c36bc7b58b0e3b upstream.
The cached ei->i_inline_size can become stale between the initial size
check and when ext4_update_inline_data()/ext4_create_inline_data() use
it. Although ext4_get_max_inline_size() reads the correct value at the
time of the check, concurrent xattr operations can modify i_inline_size
before ext4_write_lock_xattr() is acquired.
This causes ext4_update_inline_data() and ext4_create_inline_data() to
work with stale capacity values, leading to a BUG_ON() crash in
ext4_write_inline_data():
kernel BUG at fs/ext4/inline.c:1331!
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
The race window:
1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)
2. Size check passes for 50-byte write
3. [Another thread adds xattr, i_inline_size changes to 40]
4. ext4_write_lock_xattr() acquires lock
5. ext4_update_inline_data() uses stale i_inline_size = 60
6. Attempts to write 50 bytes but only 40 bytes actually available
7. BUG_ON() triggers
Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock()
immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()
and ext4_create_inline_data() work with current values that are protected
from concurrent modifications.
This is similar to commit a54c4613dac1 ("ext4: fix race writing to an
inline_data file while its xattrs are changing") which fixed i_inline_off
staleness. This patch addresses the related i_inline_size staleness issue.
Reported-by: syzbot+f3185be57d7e8dda32b8@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=f3185be57d7e8dda32b8
Cc: stable@kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Message-ID: <20251020060936.474314-1-kartikey406@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inline.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -413,7 +413,12 @@ static int ext4_prepare_inline_data(hand
return -ENOSPC;
ext4_write_lock_xattr(inode, &no_expand);
-
+ /*
+ * ei->i_inline_size may have changed since the initial check
+ * if other xattrs were added. Recalculate to ensure
+ * ext4_update_inline_data() validates against current capacity.
+ */
+ (void) ext4_find_inline_data_nolock(inode);
if (ei->i_inline_off)
ret = ext4_update_inline_data(handle, inode, len);
else
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 009/737] ksmbd: ipc: fix use-after-free in ipc_msg_send_request
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 008/737] ext4: refresh inline data size before write operations Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 010/737] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
` (738 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianchang Zhao, Zhitong Liu,
Namjae Jeon, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qianchang Zhao <pioooooooooip@gmail.com>
commit 1fab1fa091f5aa97265648b53ea031deedd26235 upstream.
ipc_msg_send_request() waits for a generic netlink reply using an
ipc_msg_table_entry on the stack. The generic netlink handler
(handle_generic_event()/handle_response()) fills entry->response under
ipc_msg_table_lock, but ipc_msg_send_request() used to validate and free
entry->response without holding the same lock.
Under high concurrency this allows a race where handle_response() is
copying data into entry->response while ipc_msg_send_request() has just
freed it, leading to a slab-use-after-free reported by KASAN in
handle_generic_event():
BUG: KASAN: slab-use-after-free in handle_generic_event+0x3c4/0x5f0 [ksmbd]
Write of size 12 at addr ffff888198ee6e20 by task pool/109349
...
Freed by task:
kvfree
ipc_msg_send_request [ksmbd]
ksmbd_rpc_open -> ksmbd_session_rpc_open [ksmbd]
Fix by:
- Taking ipc_msg_table_lock in ipc_msg_send_request() while validating
entry->response, freeing it when invalid, and removing the entry from
ipc_msg_table.
- Returning the final entry->response pointer to the caller only after
the hash entry is removed under the lock.
- Returning NULL in the error path, preserving the original API
semantics.
This makes all accesses to entry->response consistent with
handle_response(), which already updates and fills the response buffer
under ipc_msg_table_lock, and closes the race that allowed the UAF.
Cc: stable@vger.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/transport_ipc.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/smb/server/transport_ipc.c
+++ b/fs/smb/server/transport_ipc.c
@@ -520,12 +520,16 @@ static void *ipc_msg_send_request(struct
up_write(&ipc_msg_table_lock);
ret = ipc_msg_send(msg);
- if (ret)
+ if (ret) {
+ down_write(&ipc_msg_table_lock);
goto out;
+ }
ret = wait_event_interruptible_timeout(entry.wait,
entry.response != NULL,
IPC_WAIT_TIMEOUT);
+
+ down_write(&ipc_msg_table_lock);
if (entry.response) {
ret = ipc_validate_msg(&entry);
if (ret) {
@@ -534,7 +538,6 @@ static void *ipc_msg_send_request(struct
}
}
out:
- down_write(&ipc_msg_table_lock);
hash_del(&entry.ipc_table_hlist);
up_write(&ipc_msg_table_lock);
return entry.response;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 010/737] locking/spinlock/debug: Fix data-race in do_raw_write_lock
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 009/737] ksmbd: ipc: fix use-after-free in ipc_msg_send_request Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 011/737] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
` (737 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Freihofer, Alexander Sverdlin,
Boqun Feng, Peter Zijlstra (Intel), Paul E. McKenney, Waiman Long
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
commit c14ecb555c3ee80eeb030a4e46d00e679537f03a upstream.
KCSAN reports:
BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
do_raw_write_lock+0x120/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
do_raw_write_lock+0x88/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
value changed: 0xffffffff -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has
adressed most of these races, but seems to be not consistent/not complete.
>From do_raw_write_lock() only debug_write_lock_after() part has been
converted to WRITE_ONCE(), but not debug_write_lock_before() part.
Do it now.
Fixes: 1a365e822372 ("locking/spinlock/debug: Fix various data races")
Reported-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: Waiman Long <longman@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/locking/spinlock_debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/locking/spinlock_debug.c
+++ b/kernel/locking/spinlock_debug.c
@@ -183,8 +183,8 @@ void do_raw_read_unlock(rwlock_t *lock)
static inline void debug_write_lock_before(rwlock_t *lock)
{
RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic");
- RWLOCK_BUG_ON(lock->owner == current, lock, "recursion");
- RWLOCK_BUG_ON(lock->owner_cpu == raw_smp_processor_id(),
+ RWLOCK_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion");
+ RWLOCK_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(),
lock, "cpu recursion");
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 011/737] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 010/737] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 012/737] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
` (736 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexey Nepomnyashih, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Nepomnyashih <sdl@nppct.ru>
commit 0cd8feea8777f8d9b9a862b89c688b049a5c8475 upstream.
Fix a race between inline data destruction and block mapping.
The function ext4_destroy_inline_data_nolock() changes the inode data
layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.
At the same time, another thread may execute ext4_map_blocks(), which
tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()
or ext4_ind_map_blocks().
Without i_data_sem protection, ext4_ind_map_blocks() may receive inode
with EXT4_INODE_EXTENTS flag and triggering assert.
kernel BUG at fs/ext4/indirect.c:546!
EXT4-fs (loop2): unmounting filesystem.
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546
Call Trace:
<TASK>
ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681
_ext4_get_block+0x242/0x590 fs/ext4/inode.c:822
ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124
ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255
ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000
generic_perform_write+0x259/0x5d0 mm/filemap.c:3846
ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285
ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679
call_write_iter include/linux/fs.h:2271 [inline]
do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735
do_iter_write+0x186/0x710 fs/read_write.c:861
vfs_iter_write+0x70/0xa0 fs/read_write.c:902
iter_file_splice_write+0x73b/0xc90 fs/splice.c:685
do_splice_from fs/splice.c:763 [inline]
direct_splice_actor+0x10f/0x170 fs/splice.c:950
splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896
do_splice_direct+0x1a9/0x280 fs/splice.c:1002
do_sendfile+0xb13/0x12c0 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Fixes: c755e251357a ("ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()")
Cc: stable@vger.kernel.org # v4.11+
Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
Message-ID: <20251104093326.697381-1-sdl@nppct.ru>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inline.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -446,9 +446,13 @@ static int ext4_destroy_inline_data_nolo
if (!ei->i_inline_off)
return 0;
+ down_write(&ei->i_data_sem);
+
error = ext4_get_inode_loc(inode, &is.iloc);
- if (error)
+ if (error) {
+ up_write(&ei->i_data_sem);
return error;
+ }
error = ext4_xattr_ibody_find(inode, &i, &is);
if (error)
@@ -487,6 +491,7 @@ out:
brelse(is.iloc.bh);
if (error == -ENODATA)
error = 0;
+ up_write(&ei->i_data_sem);
return error;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 012/737] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 011/737] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 013/737] KVM: SVM: Dont skip unrelated instruction if INT3/INTO is replaced Greg Kroah-Hartman
` (735 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+fce5d9d5bd067d6fbe9b, stable,
Nikita Zhandarovich, Ian Abbott
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit a51f025b5038abd3d22eed2ede4cd46793d89565 upstream.
Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.
Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice setups its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.
[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
<TASK>
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
...
Reported-by: syzbot+fce5d9d5bd067d6fbe9b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fce5d9d5bd067d6fbe9b
Fixes: 00aba6e7b565 ("staging: comedi: pcl818: remove 'neverending_ai' from private data")
Cc: stable <stable@kernel.org>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023141457.398685-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/pcl818.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/comedi/drivers/pcl818.c
+++ b/drivers/comedi/drivers/pcl818.c
@@ -1111,10 +1111,9 @@ static void pcl818_detach(struct comedi_
{
struct pcl818_private *devpriv = dev->private;
- if (devpriv) {
- pcl818_ai_cancel(dev, dev->read_subdev);
+ if (devpriv)
pcl818_reset(dev);
- }
+
pcl818_free_dma(dev);
comedi_legacy_detach(dev);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 013/737] KVM: SVM: Dont skip unrelated instruction if INT3/INTO is replaced
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 012/737] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 014/737] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
` (734 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Omar Sandoval, Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Omar Sandoval <osandov@fb.com>
commit 4da3768e1820cf15cced390242d8789aed34f54d upstream.
When re-injecting a soft interrupt from an INT3, INT0, or (select) INTn
instruction, discard the exception and retry the instruction if the code
stream is changed (e.g. by a different vCPU) between when the CPU
executes the instruction and when KVM decodes the instruction to get the
next RIP.
As effectively predicted by commit 6ef88d6e36c2 ("KVM: SVM: Re-inject
INT3/INTO instead of retrying the instruction"), failure to verify that
the correct INTn instruction was decoded can effectively clobber guest
state due to decoding the wrong instruction and thus specifying the
wrong next RIP.
The bug most often manifests as "Oops: int3" panics on static branch
checks in Linux guests. Enabling or disabling a static branch in Linux
uses the kernel's "text poke" code patching mechanism. To modify code
while other CPUs may be executing that code, Linux (temporarily)
replaces the first byte of the original instruction with an int3 (opcode
0xcc), then patches in the new code stream except for the first byte,
and finally replaces the int3 with the first byte of the new code
stream. If a CPU hits the int3, i.e. executes the code while it's being
modified, then the guest kernel must look up the RIP to determine how to
handle the #BP, e.g. by emulating the new instruction. If the RIP is
incorrect, then this lookup fails and the guest kernel panics.
The bug reproduces almost instantly by hacking the guest kernel to
repeatedly check a static branch[1] while running a drgn script[2] on
the host to constantly swap out the memory containing the guest's TSS.
[1]: https://gist.github.com/osandov/44d17c51c28c0ac998ea0334edf90b5a
[2]: https://gist.github.com/osandov/10e45e45afa29b11e0c7209247afc00b
Fixes: 6ef88d6e36c2 ("KVM: SVM: Re-inject INT3/INTO instead of retrying the instruction")
Cc: stable@vger.kernel.org
Co-developed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Link: https://patch.msgid.link/1cc6dcdf36e3add7ee7c8d90ad58414eeb6c3d34.1762278762.git.osandov@fb.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/kvm_host.h | 9 +++++++++
arch/x86/kvm/svm/svm.c | 24 +++++++++++++-----------
arch/x86/kvm/x86.c | 21 +++++++++++++++++++++
3 files changed, 43 insertions(+), 11 deletions(-)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1950,6 +1950,11 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu);
* the gfn, i.e. retrying the instruction will hit a
* !PRESENT fault, which results in a new shadow page
* and sends KVM back to square one.
+ *
+ * EMULTYPE_SKIP_SOFT_INT - Set in combination with EMULTYPE_SKIP to only skip
+ * an instruction if it could generate a given software
+ * interrupt, which must be encoded via
+ * EMULTYPE_SET_SOFT_INT_VECTOR().
*/
#define EMULTYPE_NO_DECODE (1 << 0)
#define EMULTYPE_TRAP_UD (1 << 1)
@@ -1960,6 +1965,10 @@ u64 vcpu_tsc_khz(struct kvm_vcpu *vcpu);
#define EMULTYPE_PF (1 << 6)
#define EMULTYPE_COMPLETE_USER_EXIT (1 << 7)
#define EMULTYPE_WRITE_PF_TO_SP (1 << 8)
+#define EMULTYPE_SKIP_SOFT_INT (1 << 9)
+
+#define EMULTYPE_SET_SOFT_INT_VECTOR(v) ((u32)((v) & 0xff) << 16)
+#define EMULTYPE_GET_SOFT_INT_VECTOR(e) (((e) >> 16) & 0xff)
int kvm_emulate_instruction(struct kvm_vcpu *vcpu, int emulation_type);
int kvm_emulate_instruction_from_buffer(struct kvm_vcpu *vcpu,
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -370,6 +370,7 @@ static bool svm_can_emulate_instruction(
void *insn, int insn_len);
static int __svm_skip_emulated_instruction(struct kvm_vcpu *vcpu,
+ int emul_type,
bool commit_side_effects)
{
struct vcpu_svm *svm = to_svm(vcpu);
@@ -399,7 +400,7 @@ static int __svm_skip_emulated_instructi
if (unlikely(!commit_side_effects))
old_rflags = svm->vmcb->save.rflags;
- if (!kvm_emulate_instruction(vcpu, EMULTYPE_SKIP))
+ if (!kvm_emulate_instruction(vcpu, emul_type))
return 0;
if (unlikely(!commit_side_effects))
@@ -417,11 +418,13 @@ done:
static int svm_skip_emulated_instruction(struct kvm_vcpu *vcpu)
{
- return __svm_skip_emulated_instruction(vcpu, true);
+ return __svm_skip_emulated_instruction(vcpu, EMULTYPE_SKIP, true);
}
-static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu)
+static int svm_update_soft_interrupt_rip(struct kvm_vcpu *vcpu, u8 vector)
{
+ const int emul_type = EMULTYPE_SKIP | EMULTYPE_SKIP_SOFT_INT |
+ EMULTYPE_SET_SOFT_INT_VECTOR(vector);
unsigned long rip, old_rip = kvm_rip_read(vcpu);
struct vcpu_svm *svm = to_svm(vcpu);
@@ -437,7 +440,7 @@ static int svm_update_soft_interrupt_rip
* in use, the skip must not commit any side effects such as clearing
* the interrupt shadow or RFLAGS.RF.
*/
- if (!__svm_skip_emulated_instruction(vcpu, !nrips))
+ if (!__svm_skip_emulated_instruction(vcpu, emul_type, !nrips))
return -EIO;
rip = kvm_rip_read(vcpu);
@@ -473,7 +476,7 @@ static void svm_inject_exception(struct
kvm_deliver_exception_payload(vcpu, ex);
if (kvm_exception_is_soft(ex->vector) &&
- svm_update_soft_interrupt_rip(vcpu))
+ svm_update_soft_interrupt_rip(vcpu, ex->vector))
return;
svm->vmcb->control.event_inj = ex->vector
@@ -3668,11 +3671,12 @@ static bool svm_set_vnmi_pending(struct
static void svm_inject_irq(struct kvm_vcpu *vcpu, bool reinjected)
{
+ struct kvm_queued_interrupt *intr = &vcpu->arch.interrupt;
struct vcpu_svm *svm = to_svm(vcpu);
u32 type;
- if (vcpu->arch.interrupt.soft) {
- if (svm_update_soft_interrupt_rip(vcpu))
+ if (intr->soft) {
+ if (svm_update_soft_interrupt_rip(vcpu, intr->nr))
return;
type = SVM_EVTINJ_TYPE_SOFT;
@@ -3680,12 +3684,10 @@ static void svm_inject_irq(struct kvm_vc
type = SVM_EVTINJ_TYPE_INTR;
}
- trace_kvm_inj_virq(vcpu->arch.interrupt.nr,
- vcpu->arch.interrupt.soft, reinjected);
+ trace_kvm_inj_virq(intr->nr, intr->soft, reinjected);
++vcpu->stat.irq_injections;
- svm->vmcb->control.event_inj = vcpu->arch.interrupt.nr |
- SVM_EVTINJ_VALID | type;
+ svm->vmcb->control.event_inj = intr->nr | SVM_EVTINJ_VALID | type;
}
void svm_complete_interrupt_delivery(struct kvm_vcpu *vcpu, int delivery_mode,
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -8864,6 +8864,23 @@ static bool is_vmware_backdoor_opcode(st
return false;
}
+static bool is_soft_int_instruction(struct x86_emulate_ctxt *ctxt,
+ int emulation_type)
+{
+ u8 vector = EMULTYPE_GET_SOFT_INT_VECTOR(emulation_type);
+
+ switch (ctxt->b) {
+ case 0xcc:
+ return vector == BP_VECTOR;
+ case 0xcd:
+ return vector == ctxt->src.val;
+ case 0xce:
+ return vector == OF_VECTOR;
+ default:
+ return false;
+ }
+}
+
/*
* Decode an instruction for emulation. The caller is responsible for handling
* code breakpoints. Note, manually detecting code breakpoints is unnecessary
@@ -8954,6 +8971,10 @@ int x86_emulate_instruction(struct kvm_v
* injecting single-step #DBs.
*/
if (emulation_type & EMULTYPE_SKIP) {
+ if (emulation_type & EMULTYPE_SKIP_SOFT_INT &&
+ !is_soft_int_instruction(ctxt, emulation_type))
+ return 0;
+
if (ctxt->mode != X86EMUL_MODE_PROT64)
ctxt->eip = (u32)ctxt->_eip;
else
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 014/737] USB: serial: option: add Foxconn T99W760
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 013/737] KVM: SVM: Dont skip unrelated instruction if INT3/INTO is replaced Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 015/737] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
` (733 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Slark Xiao, Johan Hovold
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Slark Xiao <slark_xiao@163.com>
commit 7970b4969c4c99bcdaf105f9f39c6d2021f6d244 upstream.
T99W760 is designed based on Qualcomm SDX35 (5G redcap) chip. There are
three serial ports to be enumerated: Modem, NMEA and Diag.
test evidence as below:
T: Bus=03 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e123 Rev=05.15
S: Manufacturer=QCOM
S: Product=SDXBAAGHA-IDP _SN:39A8D3E4
S: SerialNumber=39a8d3e4
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=896mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=85(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
0&1: MBIM, 2:Modem, 3:GNSS(non-serial port), 4: NMEA, 5:Diag
Signed-off-by: Slark Xiao <slark_xiao@163.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2376,6 +2376,8 @@ static const struct usb_device_id option
.driver_info = RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe0f0, 0xff), /* Foxconn T99W373 MBIM */
.driver_info = RSVD(3) },
+ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe123, 0xff), /* Foxconn T99W760 MBIM */
+ .driver_info = RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */
.driver_info = RSVD(5) | RSVD(6) },
{ USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe15f, 0xff), /* Foxconn T99W709 */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 015/737] USB: serial: option: add Telit Cinterion FE910C04 new compositions
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 014/737] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 016/737] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
` (732 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit c908039a29aa70870871f4848125b3d743f929bf upstream.
Add the following Telit Cinterion new compositions:
0x10c1: RNDIS + tty (AT/NMEA) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c1 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c2: MBIM + tty (AT/NMEA) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c2 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c3: ECM + tty (AT/NMEA) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 9 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c3 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c5: RNDIS + tty (AT) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c5 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c6: MBIM + tty (AT) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c6 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c9: MBIM + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 13 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c9 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10cb: RNDIS + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb
T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=01 Dev#= 9 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10cb Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1433,10 +1433,24 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b3, 0xff, 0xff, 0x60) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c0, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(3) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c1, 0xff), /* Telit FE910C04 (RNDIS) */
+ .driver_info = NCTRL(4) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c2, 0xff), /* Telit FE910C04 (MBIM) */
+ .driver_info = NCTRL(4) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c3, 0xff), /* Telit FE910C04 (ECM) */
+ .driver_info = NCTRL(4) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c4, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(3) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c5, 0xff), /* Telit FE910C04 (RNDIS) */
+ .driver_info = NCTRL(4) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c6, 0xff), /* Telit FE910C04 (MBIM) */
+ .driver_info = NCTRL(4) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c9, 0xff), /* Telit FE910C04 (MBIM) */
+ .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10cb, 0xff), /* Telit FE910C04 (RNDIS) */
+ .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x30), /* Telit FN990B (rmnet) */
.driver_info = NCTRL(5) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) },
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 016/737] USB: serial: option: move Telit 0x10c7 composition in the right place
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 015/737] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 017/737] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
` (731 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit 072f2c49572547f4b0776fe2da6b8f61e4b34699 upstream.
Move Telit 0x10c7 composition right after 0x10c6 composition and
before 0x10c8 composition.
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1445,6 +1445,9 @@ static const struct usb_device_id option
.driver_info = NCTRL(4) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c6, 0xff), /* Telit FE910C04 (MBIM) */
.driver_info = NCTRL(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30), /* Telit FE910C04 (ECM) */
+ .driver_info = NCTRL(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c9, 0xff), /* Telit FE910C04 (MBIM) */
@@ -1455,9 +1458,6 @@ static const struct usb_device_id option
.driver_info = NCTRL(5) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x60) },
- { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30), /* Telit FE910C04 (ECM) */
- .driver_info = NCTRL(4) },
- { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x30), /* Telit FN990B (MBIM) */
.driver_info = NCTRL(6) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x40) },
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 017/737] USB: serial: ftdi_sio: match on interface number for jtag
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 016/737] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 018/737] serial: add support of CPCI cards Greg Kroah-Hartman
` (730 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 4e31a5d0a9ee672f708fc993c1d5520643f769fd upstream.
Some FTDI devices have the first port reserved for JTAG and have been
using a dedicated quirk to prevent binding to it.
As can be inferred directly or indirectly from the commit messages,
almost all of these devices are dual port devices which means that the
more recently added macro for matching on interface number can be used
instead (and some such devices do so already).
This avoids probing interfaces that will never be bound and cleans up
the match table somewhat.
Note that the JTAG quirk is kept for quad port devices, which would
otherwise require three match entries.
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 72 ++++++++++++++----------------------------
1 file changed, 24 insertions(+), 48 deletions(-)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -628,10 +628,8 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, FTDI_IBS_PEDO_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_IBS_PROD_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_TAVIR_STK500_PID) },
- { USB_DEVICE(FTDI_VID, FTDI_TIAO_UMPA_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TIAO_UMPA_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_NT_ORIONLXM_PID, 1) },
{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) },
@@ -842,24 +840,17 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, FTDI_ELSTER_UNICOM_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_JTAGCABLEII_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) },
- { USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, CYBER_CORTEX_AV_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_H_PID, 1) },
- { USB_DEVICE(FIC_VID, FIC_NEO1973_DEBUG_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, FTDI_OOCDLINK_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, FTDI_TURTELIZER_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FIC_VID, FIC_NEO1973_DEBUG_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_OOCDLINK_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TURTELIZER_PID, 1) },
{ USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) },
{ USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_SCU18) },
{ USB_DEVICE(FTDI_VID, FTDI_REU_TINY_PID) },
@@ -901,17 +892,14 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(ATMEL_VID, STK541_PID) },
{ USB_DEVICE(DE_VID, STB_PID) },
{ USB_DEVICE(DE_VID, WHT_PID) },
- { USB_DEVICE(ADI_VID, ADI_GNICE_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(ADI_VID, ADI_GNICEPLUS_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(ADI_VID, ADI_GNICE_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(ADI_VID, ADI_GNICEPLUS_PID, 1) },
{ USB_DEVICE_AND_INTERFACE_INFO(MICROCHIP_VID, MICROCHIP_USB_BOARD_PID,
USB_CLASS_VENDOR_SPEC,
USB_SUBCLASS_VENDOR_SPEC, 0x00) },
{ USB_DEVICE_INTERFACE_NUMBER(ACTEL_VID, MICROSEMI_ARROW_SF2PLUS_BOARD_PID, 2) },
{ USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
- { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(MARVELL_VID, MARVELL_SHEEVAPLUG_PID, 1) },
{ USB_DEVICE(LARSENBRUSGAARD_VID, LB_ALTITRACK_PID) },
{ USB_DEVICE(GN_OTOMETRICS_VID, AURICAL_USB_PID) },
{ USB_DEVICE(FTDI_VID, PI_C865_PID) },
@@ -934,10 +922,8 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(PI_VID, PI_1016_PID) },
{ USB_DEVICE(KONDO_VID, KONDO_USB_SERIAL_PID) },
{ USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) },
- { USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, TI_XDS100V2_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, MARVELL_OPENRD_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, TI_XDS100V2_PID, 1) },
{ USB_DEVICE(FTDI_VID, HAMEG_HO820_PID) },
{ USB_DEVICE(FTDI_VID, HAMEG_HO720_PID) },
{ USB_DEVICE(FTDI_VID, HAMEG_HO730_PID) },
@@ -946,18 +932,14 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, MJSG_SR_RADIO_PID) },
{ USB_DEVICE(FTDI_VID, MJSG_HD_RADIO_PID) },
{ USB_DEVICE(FTDI_VID, MJSG_XM_RADIO_PID) },
- { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_ST_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SLITE_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SH2_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_ST_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_SLITE_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_SH2_PID, 1) },
{ USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SH4_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
{ USB_DEVICE(FTDI_VID, SEGWAY_RMP200_PID) },
{ USB_DEVICE(FTDI_VID, ACCESIO_COM4SM_PID) },
- { USB_DEVICE(IONICS_VID, IONICS_PLUGCOMPUTER_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(IONICS_VID, IONICS_PLUGCOMPUTER_PID, 1) },
{ USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_24_MASTER_WING_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_PC_WING_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_USB_DMX_PID) },
@@ -972,15 +954,12 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_FHE_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) },
- { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(ST_VID, ST_STMCLT_2232_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(ST_VID, ST_STMCLT_2232_PID, 1) },
{ USB_DEVICE(ST_VID, ST_STMCLT_4232_PID),
.driver_info = (kernel_ulong_t)&ftdi_stmclite_quirk },
{ USB_DEVICE(FTDI_VID, FTDI_RF_R106) },
- { USB_DEVICE(FTDI_VID, FTDI_DISTORTEC_JTAG_LOCK_PICK_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_DISTORTEC_JTAG_LOCK_PICK_PID, 1) },
{ USB_DEVICE(FTDI_VID, FTDI_LUMEL_PD12_PID) },
/* Crucible Devices */
{ USB_DEVICE(FTDI_VID, FTDI_CT_COMET_PID) },
@@ -1055,8 +1034,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
{ USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
- { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(TI_VID, TI_CC3200_LAUNCHPAD_PID, 1) },
{ USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
{ USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
{ USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
@@ -1076,10 +1054,8 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
{ USB_DEVICE_INTERFACE_NUMBER(UBLOX_VID, UBLOX_EVK_M101_PID, 2) },
/* FreeCalypso USB adapters */
- { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID, 1) },
/* GMC devices */
{ USB_DEVICE(GMC_VID, GMC_Z216C_PID) },
/* Altera USB Blaster 3 */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 018/737] serial: add support of CPCI cards
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 017/737] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 019/737] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
` (729 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Magne Bruno, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Magne Bruno <magne.bruno@addi-data.com>
commit 0e5a99e0e5f50353b86939ff6e424800d769c818 upstream.
Addi-Data GmbH is manufacturing multi-serial ports cards supporting CompactPCI (known as CPCI).
Those cards are identified with different DeviceIds. Those cards integrating standard UARTs
work the same way as PCI/PCIe models already supported in the serial driver.
Signed-off-by: Magne Bruno <magne.bruno@addi-data.com>
Link: https://patch.msgid.link/20251110162456.341029-1-magne.bruno@addi-data.com
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_pci.c | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1971,6 +1971,11 @@ pci_moxa_setup(struct serial_private *pr
#define PCI_DEVICE_ID_MOXA_CP138E_A 0x1381
#define PCI_DEVICE_ID_MOXA_CP168EL_A 0x1683
+#define PCI_DEVICE_ID_ADDIDATA_CPCI7500 0x7003
+#define PCI_DEVICE_ID_ADDIDATA_CPCI7500_NG 0x7024
+#define PCI_DEVICE_ID_ADDIDATA_CPCI7420_NG 0x7025
+#define PCI_DEVICE_ID_ADDIDATA_CPCI7300_NG 0x7026
+
/* Unknown vendors/cards - this should not be in linux/pci_ids.h */
#define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584
#define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588
@@ -5868,6 +5873,38 @@ static const struct pci_device_id serial
0,
pbn_ADDIDATA_PCIe_8_3906250 },
+ { PCI_VENDOR_ID_ADDIDATA,
+ PCI_DEVICE_ID_ADDIDATA_CPCI7500,
+ PCI_ANY_ID,
+ PCI_ANY_ID,
+ 0,
+ 0,
+ pbn_b0_4_115200 },
+
+ { PCI_VENDOR_ID_ADDIDATA,
+ PCI_DEVICE_ID_ADDIDATA_CPCI7500_NG,
+ PCI_ANY_ID,
+ PCI_ANY_ID,
+ 0,
+ 0,
+ pbn_b0_4_115200 },
+
+ { PCI_VENDOR_ID_ADDIDATA,
+ PCI_DEVICE_ID_ADDIDATA_CPCI7420_NG,
+ PCI_ANY_ID,
+ PCI_ANY_ID,
+ 0,
+ 0,
+ pbn_b0_2_115200 },
+
+ { PCI_VENDOR_ID_ADDIDATA,
+ PCI_DEVICE_ID_ADDIDATA_CPCI7300_NG,
+ PCI_ANY_ID,
+ PCI_ANY_ID,
+ 0,
+ 0,
+ pbn_b0_1_115200 },
+
{ PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835,
PCI_VENDOR_ID_IBM, 0x0299,
0, 0, pbn_b0_bt_2_115200 },
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 019/737] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 018/737] serial: add support of CPCI cards Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 020/737] USB: serial: kobil_sct: " Greg Kroah-Hartman
` (728 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b6e0b3016187446ddef9edac03cd9d544ac63f11 upstream.
Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC
should not deassert any lines that are not in the mask.
Fix this long-standing regression dating back to 2003 when the
tiocmset() callback was introduced.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/belkin_sa.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
--- a/drivers/usb/serial/belkin_sa.c
+++ b/drivers/usb/serial/belkin_sa.c
@@ -436,7 +436,7 @@ static int belkin_sa_tiocmset(struct tty
struct belkin_sa_private *priv = usb_get_serial_port_data(port);
unsigned long control_state;
unsigned long flags;
- int retval;
+ int retval = 0;
int rts = 0;
int dtr = 0;
@@ -453,26 +453,32 @@ static int belkin_sa_tiocmset(struct tty
}
if (clear & TIOCM_RTS) {
control_state &= ~TIOCM_RTS;
- rts = 0;
+ rts = 1;
}
if (clear & TIOCM_DTR) {
control_state &= ~TIOCM_DTR;
- dtr = 0;
+ dtr = 1;
}
priv->control_state = control_state;
spin_unlock_irqrestore(&priv->lock, flags);
- retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST, rts);
- if (retval < 0) {
- dev_err(&port->dev, "Set RTS error %d\n", retval);
- goto exit;
+ if (rts) {
+ retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST,
+ !!(control_state & TIOCM_RTS));
+ if (retval < 0) {
+ dev_err(&port->dev, "Set RTS error %d\n", retval);
+ goto exit;
+ }
}
- retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST, dtr);
- if (retval < 0) {
- dev_err(&port->dev, "Set DTR error %d\n", retval);
- goto exit;
+ if (dtr) {
+ retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST,
+ !!(control_state & TIOCM_DTR));
+ if (retval < 0) {
+ dev_err(&port->dev, "Set DTR error %d\n", retval);
+ goto exit;
+ }
}
exit:
return retval;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 020/737] USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 019/737] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 021/737] ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Greg Kroah-Hartman
` (727 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit d432df758f92c4c28aac409bc807fd1716167577 upstream.
Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC
should not deassert any lines that are not in the mask.
Fix this long-standing issue dating back to 2003 when the support for
these ioctls was added with the introduction of the tiocmset() callback.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/kobil_sct.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/drivers/usb/serial/kobil_sct.c
+++ b/drivers/usb/serial/kobil_sct.c
@@ -420,7 +420,7 @@ static int kobil_tiocmset(struct tty_str
struct usb_serial_port *port = tty->driver_data;
struct device *dev = &port->dev;
struct kobil_private *priv;
- int result;
+ int result = 0;
int dtr = 0;
int rts = 0;
@@ -437,12 +437,12 @@ static int kobil_tiocmset(struct tty_str
if (set & TIOCM_DTR)
dtr = 1;
if (clear & TIOCM_RTS)
- rts = 0;
+ rts = 1;
if (clear & TIOCM_DTR)
- dtr = 0;
+ dtr = 1;
- if (priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) {
- if (dtr != 0)
+ if (dtr && priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) {
+ if (set & TIOCM_DTR)
dev_dbg(dev, "%s - Setting DTR\n", __func__);
else
dev_dbg(dev, "%s - Clearing DTR\n", __func__);
@@ -450,13 +450,13 @@ static int kobil_tiocmset(struct tty_str
usb_sndctrlpipe(port->serial->dev, 0),
SUSBCRequest_SetStatusLinesOrQueues,
USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT,
- ((dtr != 0) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR),
+ ((set & TIOCM_DTR) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR),
0,
NULL,
0,
KOBIL_TIMEOUT);
- } else {
- if (rts != 0)
+ } else if (rts) {
+ if (set & TIOCM_RTS)
dev_dbg(dev, "%s - Setting RTS\n", __func__);
else
dev_dbg(dev, "%s - Clearing RTS\n", __func__);
@@ -464,7 +464,7 @@ static int kobil_tiocmset(struct tty_str
usb_sndctrlpipe(port->serial->dev, 0),
SUSBCRequest_SetStatusLinesOrQueues,
USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT,
- ((rts != 0) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS),
+ ((set & TIOCM_RTS) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS),
0,
NULL,
0,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 021/737] ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 020/737] USB: serial: kobil_sct: " Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 022/737] spi: xilinx: increase number of retries before declaring stall Greg Kroah-Hartman
` (726 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Song Liu, Jiri Olsa,
Alexei Starovoitov, Steven Rostedt (Google), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Song Liu <song@kernel.org>
[ Upstream commit 3e9a18e1c3e931abecf501cbb23d28d69f85bb56 ]
ftrace_hash_ipmodify_enable() checks IPMODIFY and DIRECT ftrace_ops on
the same kernel function. When needed, ftrace_hash_ipmodify_enable()
calls ops->ops_func() to prepare the direct ftrace (BPF trampoline) to
share the same function as the IPMODIFY ftrace (livepatch).
ftrace_hash_ipmodify_enable() is called in register_ftrace_direct() path,
but not called in modify_ftrace_direct() path. As a result, the following
operations will break livepatch:
1. Load livepatch to a kernel function;
2. Attach fentry program to the kernel function;
3. Attach fexit program to the kernel function.
After 3, the kernel function being used will not be the livepatched
version, but the original version.
Fix this by adding __ftrace_hash_update_ipmodify() to
__modify_ftrace_direct() and adjust some logic around the call.
Signed-off-by: Song Liu <song@kernel.org>
Reviewed-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20251027175023.1521602-3-song@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/ftrace.c | 40 +++++++++++++++++++++++++++++++---------
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
index 44e31eebb7aaa..8f2d44e741510 100644
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1937,7 +1937,8 @@ static void ftrace_hash_rec_enable_modify(struct ftrace_ops *ops,
*/
static int __ftrace_hash_update_ipmodify(struct ftrace_ops *ops,
struct ftrace_hash *old_hash,
- struct ftrace_hash *new_hash)
+ struct ftrace_hash *new_hash,
+ bool update_target)
{
struct ftrace_page *pg;
struct dyn_ftrace *rec, *end = NULL;
@@ -1972,10 +1973,13 @@ static int __ftrace_hash_update_ipmodify(struct ftrace_ops *ops,
if (rec->flags & FTRACE_FL_DISABLED)
continue;
- /* We need to update only differences of filter_hash */
+ /*
+ * Unless we are updating the target of a direct function,
+ * we only need to update differences of filter_hash
+ */
in_old = !!ftrace_lookup_ip(old_hash, rec->ip);
in_new = !!ftrace_lookup_ip(new_hash, rec->ip);
- if (in_old == in_new)
+ if (!update_target && (in_old == in_new))
continue;
if (in_new) {
@@ -1986,7 +1990,16 @@ static int __ftrace_hash_update_ipmodify(struct ftrace_ops *ops,
if (is_ipmodify)
goto rollback;
- FTRACE_WARN_ON(rec->flags & FTRACE_FL_DIRECT);
+ /*
+ * If this is called by __modify_ftrace_direct()
+ * then it is only changing where the direct
+ * pointer is jumping to, and the record already
+ * points to a direct trampoline. If it isn't,
+ * then it is a bug to update ipmodify on a direct
+ * caller.
+ */
+ FTRACE_WARN_ON(!update_target &&
+ (rec->flags & FTRACE_FL_DIRECT));
/*
* Another ops with IPMODIFY is already
@@ -2043,7 +2056,7 @@ static int ftrace_hash_ipmodify_enable(struct ftrace_ops *ops)
if (ftrace_hash_empty(hash))
hash = NULL;
- return __ftrace_hash_update_ipmodify(ops, EMPTY_HASH, hash);
+ return __ftrace_hash_update_ipmodify(ops, EMPTY_HASH, hash, false);
}
/* Disabling always succeeds */
@@ -2054,7 +2067,7 @@ static void ftrace_hash_ipmodify_disable(struct ftrace_ops *ops)
if (ftrace_hash_empty(hash))
hash = NULL;
- __ftrace_hash_update_ipmodify(ops, hash, EMPTY_HASH);
+ __ftrace_hash_update_ipmodify(ops, hash, EMPTY_HASH, false);
}
static int ftrace_hash_ipmodify_update(struct ftrace_ops *ops,
@@ -2068,7 +2081,7 @@ static int ftrace_hash_ipmodify_update(struct ftrace_ops *ops,
if (ftrace_hash_empty(new_hash))
new_hash = NULL;
- return __ftrace_hash_update_ipmodify(ops, old_hash, new_hash);
+ return __ftrace_hash_update_ipmodify(ops, old_hash, new_hash, false);
}
static void print_ip_ins(const char *fmt, const unsigned char *p)
@@ -5531,7 +5544,7 @@ EXPORT_SYMBOL_GPL(unregister_ftrace_direct);
static int
__modify_ftrace_direct(struct ftrace_ops *ops, unsigned long addr)
{
- struct ftrace_hash *hash;
+ struct ftrace_hash *hash = ops->func_hash->filter_hash;
struct ftrace_func_entry *entry, *iter;
static struct ftrace_ops tmp_ops = {
.func = ftrace_stub,
@@ -5551,13 +5564,21 @@ __modify_ftrace_direct(struct ftrace_ops *ops, unsigned long addr)
if (err)
return err;
+ /*
+ * Call __ftrace_hash_update_ipmodify() here, so that we can call
+ * ops->ops_func for the ops. This is needed because the above
+ * register_ftrace_function_nolock() worked on tmp_ops.
+ */
+ err = __ftrace_hash_update_ipmodify(ops, hash, hash, true);
+ if (err)
+ goto out;
+
/*
* Now the ftrace_ops_list_func() is called to do the direct callers.
* We can safely change the direct functions attached to each entry.
*/
mutex_lock(&ftrace_lock);
- hash = ops->func_hash->filter_hash;
size = 1 << hash->size_bits;
for (i = 0; i < size; i++) {
hlist_for_each_entry(iter, &hash->buckets[i], hlist) {
@@ -5572,6 +5593,7 @@ __modify_ftrace_direct(struct ftrace_ops *ops, unsigned long addr)
mutex_unlock(&ftrace_lock);
+out:
/* Removing the tmp_ops will add the updated direct callers to the functions */
unregister_ftrace_function(&tmp_ops);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 022/737] spi: xilinx: increase number of retries before declaring stall
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 021/737] ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 023/737] spi: imx: keep dma request disabled before dma transfer setup Greg Kroah-Hartman
` (725 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alvaro Gamez Machado,
Ricardo Ribalda, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alvaro Gamez Machado <alvaro.gamez@hazent.com>
[ Upstream commit 939edfaa10f1d22e6af6a84bf4bd96dc49c67302 ]
SPI devices using a (relative) slow frequency need a larger time.
For instance, microblaze running at 83.25MHz and performing a
3 bytes transaction using a 10MHz/16 = 625kHz needed this stall
value increased to at least 20. The SPI device is quite slow, but
also is the microblaze, so set this value to 32 to give it even
more margin.
Signed-off-by: Alvaro Gamez Machado <alvaro.gamez@hazent.com>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://patch.msgid.link/20251106134545.31942-1-alvaro.gamez@hazent.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-xilinx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-xilinx.c b/drivers/spi/spi-xilinx.c
index 8e6e3876aa9af..b5405d9974ba6 100644
--- a/drivers/spi/spi-xilinx.c
+++ b/drivers/spi/spi-xilinx.c
@@ -299,7 +299,7 @@ static int xilinx_spi_txrx_bufs(struct spi_device *spi, struct spi_transfer *t)
/* Read out all the data from the Rx FIFO */
rx_words = n_words;
- stalled = 10;
+ stalled = 32;
while (rx_words) {
if (rx_words == n_words && !(stalled--) &&
!(sr & XSPI_SR_TX_EMPTY_MASK) &&
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 023/737] spi: imx: keep dma request disabled before dma transfer setup
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 022/737] spi: xilinx: increase number of retries before declaring stall Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 024/737] drm/vmwgfx: Use kref in vmw_bo_dirty Greg Kroah-Hartman
` (724 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos Song, Robin Gong, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robin Gong <yibin.gong@nxp.com>
[ Upstream commit 86d57d9c07d54e8cb385ffe800930816ccdba0c1 ]
Since sdma hardware configure postpone to transfer phase, have to disable
dma request before dma transfer setup because there is a hardware
limitation on sdma event enable(ENBLn) as below:
"It is thus essential for the Arm platform to program them before any DMA
request is triggered to the SDMA, otherwise an unpredictable combination
of channels may be started."
Signed-off-by: Carlos Song <carlos.song@nxp.com>
Signed-off-by: Robin Gong <yibin.gong@nxp.com>
Link: https://patch.msgid.link/20251024055320.408482-1-carlos.song@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-imx.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index da4442954375b..76f8747c29432 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -503,9 +503,15 @@ static void mx51_ecspi_trigger(struct spi_imx_data *spi_imx)
{
u32 reg;
- reg = readl(spi_imx->base + MX51_ECSPI_CTRL);
- reg |= MX51_ECSPI_CTRL_XCH;
- writel(reg, spi_imx->base + MX51_ECSPI_CTRL);
+ if (spi_imx->usedma) {
+ reg = readl(spi_imx->base + MX51_ECSPI_DMA);
+ reg |= MX51_ECSPI_DMA_TEDEN | MX51_ECSPI_DMA_RXDEN;
+ writel(reg, spi_imx->base + MX51_ECSPI_DMA);
+ } else {
+ reg = readl(spi_imx->base + MX51_ECSPI_CTRL);
+ reg |= MX51_ECSPI_CTRL_XCH;
+ writel(reg, spi_imx->base + MX51_ECSPI_CTRL);
+ }
}
static void mx51_ecspi_disable(struct spi_imx_data *spi_imx)
@@ -699,7 +705,6 @@ static void mx51_setup_wml(struct spi_imx_data *spi_imx)
writel(MX51_ECSPI_DMA_RX_WML(spi_imx->wml - 1) |
MX51_ECSPI_DMA_TX_WML(tx_wml) |
MX51_ECSPI_DMA_RXT_WML(spi_imx->wml) |
- MX51_ECSPI_DMA_TEDEN | MX51_ECSPI_DMA_RXDEN |
MX51_ECSPI_DMA_RXTDEN, spi_imx->base + MX51_ECSPI_DMA);
}
@@ -1458,6 +1463,8 @@ static int spi_imx_dma_transfer(struct spi_imx_data *spi_imx,
reinit_completion(&spi_imx->dma_tx_completion);
dma_async_issue_pending(controller->dma_tx);
+ spi_imx->devtype_data->trigger(spi_imx);
+
transfer_timeout = spi_imx_calculate_timeout(spi_imx, transfer->len);
/* Wait SDMA to finish the data transfer.*/
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 024/737] drm/vmwgfx: Use kref in vmw_bo_dirty
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 023/737] spi: imx: keep dma request disabled before dma transfer setup Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 025/737] Bluetooth: btrtl: Avoid loading the config file on security chips Greg Kroah-Hartman
` (723 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Forbes, Zack Rusin, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit c1962742ffff7e245f935903a4658eb6f94f6058 ]
Rather than using an ad hoc reference count use kref which is atomic
and has underflow warnings.
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patch.msgid.link/20251030193640.153697-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
index 74ff2812d66a1..de2498749e276 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_page_dirty.c
@@ -51,22 +51,22 @@ enum vmw_bo_dirty_method {
/**
* struct vmw_bo_dirty - Dirty information for buffer objects
+ * @ref_count: Reference count for this structure. Must be first member!
* @start: First currently dirty bit
* @end: Last currently dirty bit + 1
* @method: The currently used dirty method
* @change_count: Number of consecutive method change triggers
- * @ref_count: Reference count for this structure
* @bitmap_size: The size of the bitmap in bits. Typically equal to the
* nuber of pages in the bo.
* @bitmap: A bitmap where each bit represents a page. A set bit means a
* dirty page.
*/
struct vmw_bo_dirty {
+ struct kref ref_count;
unsigned long start;
unsigned long end;
enum vmw_bo_dirty_method method;
unsigned int change_count;
- unsigned int ref_count;
unsigned long bitmap_size;
unsigned long bitmap[];
};
@@ -235,7 +235,7 @@ int vmw_bo_dirty_add(struct vmw_bo *vbo)
int ret;
if (dirty) {
- dirty->ref_count++;
+ kref_get(&dirty->ref_count);
return 0;
}
@@ -249,7 +249,7 @@ int vmw_bo_dirty_add(struct vmw_bo *vbo)
dirty->bitmap_size = num_pages;
dirty->start = dirty->bitmap_size;
dirty->end = 0;
- dirty->ref_count = 1;
+ kref_init(&dirty->ref_count);
if (num_pages < PAGE_SIZE / sizeof(pte_t)) {
dirty->method = VMW_BO_DIRTY_PAGETABLE;
} else {
@@ -288,10 +288,8 @@ void vmw_bo_dirty_release(struct vmw_bo *vbo)
{
struct vmw_bo_dirty *dirty = vbo->dirty;
- if (dirty && --dirty->ref_count == 0) {
- kvfree(dirty);
+ if (dirty && kref_put(&dirty->ref_count, (void *)kvfree))
vbo->dirty = NULL;
- }
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 025/737] Bluetooth: btrtl: Avoid loading the config file on security chips
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 024/737] drm/vmwgfx: Use kref in vmw_bo_dirty Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 026/737] smb: fix invalid username check in smb3_fs_context_parse_param() Greg Kroah-Hartman
` (722 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hilda Wu, Nial Ni, Max Chou,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Max Chou <max.chou@realtek.com>
[ Upstream commit cd8dbd9ef600435439bb0e70af0a1d9e2193aecb ]
For chips with security enabled, it's only possible to load firmware
with a valid signature pattern.
If key_id is not zero, it indicates a security chip, and the driver will
not load the config file.
- Example log for a security chip.
Bluetooth: hci0: RTL: examining hci_ver=0c hci_rev=000a
lmp_ver=0c lmp_subver=8922
Bluetooth: hci0: RTL: rom_version status=0 version=1
Bluetooth: hci0: RTL: btrtl_initialize: key id 1
Bluetooth: hci0: RTL: loading rtl_bt/rtl8922au_fw.bin
Bluetooth: hci0: RTL: cfg_sz 0, total sz 71301
Bluetooth: hci0: RTL: fw version 0x41c0c905
- Example log for a normal chip.
Bluetooth: hci0: RTL: examining hci_ver=0c hci_rev=000a
lmp_ver=0c lmp_subver=8922
Bluetooth: hci0: RTL: rom_version status=0 version=1
Bluetooth: hci0: RTL: btrtl_initialize: key id 0
Bluetooth: hci0: RTL: loading rtl_bt/rtl8922au_fw.bin
Bluetooth: hci0: RTL: loading rtl_bt/rtl8922au_config.bin
Bluetooth: hci0: RTL: cfg_sz 6, total sz 71307
Bluetooth: hci0: RTL: fw version 0x41c0c905
Tested-by: Hilda Wu <hildawu@realtek.com>
Signed-off-by: Nial Ni <niall_ni@realsil.com.cn>
Signed-off-by: Max Chou <max.chou@realtek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btrtl.c | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
index 24dae5440c036..3d995790a5071 100644
--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -49,7 +49,7 @@
#define RTL_CHIP_SUBVER (&(struct rtl_vendor_cmd) {{0x10, 0x38, 0x04, 0x28, 0x80}})
#define RTL_CHIP_REV (&(struct rtl_vendor_cmd) {{0x10, 0x3A, 0x04, 0x28, 0x80}})
-#define RTL_SEC_PROJ (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0x0D, 0x00, 0xb0}})
+#define RTL_SEC_PROJ (&(struct rtl_vendor_cmd) {{0x10, 0xA4, 0xAD, 0x00, 0xb0}})
#define RTL_PATCH_SNIPPETS 0x01
#define RTL_PATCH_DUMMY_HEADER 0x02
@@ -513,7 +513,6 @@ static int rtlbt_parse_firmware_v2(struct hci_dev *hdev,
{
struct rtl_epatch_header_v2 *hdr;
int rc;
- u8 reg_val[2];
u8 key_id;
u32 num_sections;
struct rtl_section *section;
@@ -528,14 +527,7 @@ static int rtlbt_parse_firmware_v2(struct hci_dev *hdev,
.len = btrtl_dev->fw_len - 7, /* Cut the tail */
};
- rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
- if (rc < 0)
- return -EIO;
- key_id = reg_val[0];
-
- rtl_dev_dbg(hdev, "%s: key id %u", __func__, key_id);
-
- btrtl_dev->key_id = key_id;
+ key_id = btrtl_dev->key_id;
hdr = rtl_iov_pull_data(&iov, sizeof(*hdr));
if (!hdr)
@@ -1049,6 +1041,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
u16 hci_rev, lmp_subver;
u8 hci_ver, lmp_ver, chip_type = 0;
int ret;
+ int rc;
+ u8 key_id;
u8 reg_val[2];
btrtl_dev = kzalloc(sizeof(*btrtl_dev), GFP_KERNEL);
@@ -1159,6 +1153,14 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
goto err_free;
}
+ rc = btrtl_vendor_read_reg16(hdev, RTL_SEC_PROJ, reg_val);
+ if (rc < 0)
+ goto err_free;
+
+ key_id = reg_val[0];
+ btrtl_dev->key_id = key_id;
+ rtl_dev_info(hdev, "%s: key id %u", __func__, key_id);
+
btrtl_dev->fw_len = -EIO;
if (lmp_subver == RTL_ROM_LMP_8852A && hci_rev == 0x000c) {
snprintf(fw_name, sizeof(fw_name), "%s_v2.bin",
@@ -1181,7 +1183,7 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
goto err_free;
}
- if (btrtl_dev->ic_info->cfg_name) {
+ if (btrtl_dev->ic_info->cfg_name && !btrtl_dev->key_id) {
if (postfix) {
snprintf(cfg_name, sizeof(cfg_name), "%s-%s.bin",
btrtl_dev->ic_info->cfg_name, postfix);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 026/737] smb: fix invalid username check in smb3_fs_context_parse_param()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 025/737] Bluetooth: btrtl: Avoid loading the config file on security chips Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 027/737] ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Greg Kroah-Hartman
` (721 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yiqi Sun, Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yiqi Sun <sunyiqixm@gmail.com>
[ Upstream commit ed6612165b74f09db00ef0abaf9831895ab28b7f ]
Since the maximum return value of strnlen(..., CIFS_MAX_USERNAME_LEN)
is CIFS_MAX_USERNAME_LEN, length check in smb3_fs_context_parse_param()
is always FALSE and invalid.
Fix the comparison in if statement.
Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/fs_context.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index a64c0b0dbec78..6358f2483c869 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -1386,7 +1386,7 @@ static int smb3_fs_context_parse_param(struct fs_context *fc,
break;
}
- if (strnlen(param->string, CIFS_MAX_USERNAME_LEN) >
+ if (strnlen(param->string, CIFS_MAX_USERNAME_LEN) ==
CIFS_MAX_USERNAME_LEN) {
pr_warn("username too long\n");
goto cifs_parse_mount_err;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 027/737] ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 026/737] smb: fix invalid username check in smb3_fs_context_parse_param() Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 028/737] bfs: Reconstruct file type when loading from disk Greg Kroah-Hartman
` (720 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lushih Hsieh, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lushih Hsieh <bruce@mail.kh.edu.tw>
[ Upstream commit 21a9ab5b90b3716a631d559e62818029b4e7f5b7 ]
The PureAudio APA DAC and Lotus DAC5 series are USB Audio
2.0 Class devices that support native Direct Stream Digital (DSD)
playback via specific vendor protocols.
Without these quirks, the devices may only function in standard
PCM mode, or fail to correctly report their DSD format capabilities
to the ALSA framework, preventing native DSD playback under Linux.
This commit adds new quirk entries for the mentioned DAC models
based on their respective Vendor/Product IDs (VID:PID), for example:
0x16d0:0x0ab1 (APA DAC), 0x16d0:0xeca1 (DAC5 series), etc.
The quirk ensures correct DSD format handling by setting the required
SNDRV_PCM_FMTBIT_DSD_U32_BE format bit and defining the DSD-specific
Audio Class 2.0 (AC2.0) endpoint configurations. This allows the ALSA
DSD API to correctly address the device for high-bitrate DSD streams,
bypassing the need for DoP (DSD over PCM).
Test on APA DAC and Lotus DAC5 SE under Arch Linux.
Tested-by: Lushih Hsieh <bruce@mail.kh.edu.tw>
Signed-off-by: Lushih Hsieh <bruce@mail.kh.edu.tw>
Link: https://patch.msgid.link/20251114052053.54989-1-bruce@mail.kh.edu.tw
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 68238e62020b0..44274f39d6937 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1922,6 +1922,8 @@ u64 snd_usb_interface_dsd_format_quirks(struct snd_usb_audio *chip,
case USB_ID(0x16d0, 0x09d8): /* NuPrime IDA-8 */
case USB_ID(0x16d0, 0x09db): /* NuPrime Audio DAC-9 */
case USB_ID(0x16d0, 0x09dd): /* Encore mDSD */
+ case USB_ID(0x16d0, 0x0ab1): /* PureAudio APA DAC */
+ case USB_ID(0x16d0, 0xeca1): /* PureAudio Lotus DAC5, DAC5 SE, DAC5 Pro */
case USB_ID(0x1db5, 0x0003): /* Bryston BDA3 */
case USB_ID(0x20a0, 0x4143): /* WaveIO USB Audio 2.0 */
case USB_ID(0x22e1, 0xca01): /* HDTA Serenade DSD */
@@ -2189,6 +2191,10 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_IGNORE_CLOCK_SOURCE),
DEVICE_FLG(0x1686, 0x00dd, /* Zoom R16/24 */
QUIRK_FLAG_TX_LENGTH | QUIRK_FLAG_CTL_MSG_DELAY_1M),
+ DEVICE_FLG(0x16d0, 0x0ab1, /* PureAudio APA DAC */
+ QUIRK_FLAG_DSD_RAW),
+ DEVICE_FLG(0x16d0, 0xeca1, /* PureAudio Lotus DAC5, DAC5 SE and DAC5 Pro */
+ QUIRK_FLAG_DSD_RAW),
DEVICE_FLG(0x17aa, 0x1046, /* Lenovo ThinkStation P620 Rear Line-in, Line-out and Microphone */
QUIRK_FLAG_DISABLE_AUTOSUSPEND),
DEVICE_FLG(0x17aa, 0x104d, /* Lenovo ThinkStation P620 Internal Speaker + Front Headset */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 028/737] bfs: Reconstruct file type when loading from disk
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 027/737] ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 029/737] HID: hid-input: Extend Elan ignore battery quirk to USB Greg Kroah-Hartman
` (719 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+895c23f6917da440ed0d,
Tetsuo Handa, Tigran Aivazian, Christian Brauner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 34ab4c75588c07cca12884f2bf6b0347c7a13872 ]
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted
or when the 32bits "attributes" field loaded from disk are corrupted.
A documentation says that BFS uses only lower 9 bits of the "mode" field.
But I can't find an explicit explanation that the unused upper 23 bits
(especially, the S_IFMT bits) are initialized with 0.
Therefore, ignore the S_IFMT bits of the "mode" field loaded from disk.
Also, verify that the value of the "attributes" field loaded from disk is
either BFS_VREG or BFS_VDIR (because BFS supports only regular files and
the root directory).
Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://patch.msgid.link/fabce673-d5b9-4038-8287-0fd65d80203b@I-love.SAKURA.ne.jp
Reviewed-by: Tigran Aivazian <aivazian.tigran@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/bfs/inode.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/fs/bfs/inode.c b/fs/bfs/inode.c
index e6a76ae9eb444..42805e3dbdaec 100644
--- a/fs/bfs/inode.c
+++ b/fs/bfs/inode.c
@@ -60,7 +60,19 @@ struct inode *bfs_iget(struct super_block *sb, unsigned long ino)
off = (ino - BFS_ROOT_INO) % BFS_INODES_PER_BLOCK;
di = (struct bfs_inode *)bh->b_data + off;
- inode->i_mode = 0x0000FFFF & le32_to_cpu(di->i_mode);
+ /*
+ * https://martin.hinner.info/fs/bfs/bfs-structure.html explains that
+ * BFS in SCO UnixWare environment used only lower 9 bits of di->i_mode
+ * value. This means that, although bfs_write_inode() saves whole
+ * inode->i_mode bits (which include S_IFMT bits and S_IS{UID,GID,VTX}
+ * bits), middle 7 bits of di->i_mode value can be garbage when these
+ * bits were not saved by bfs_write_inode().
+ * Since we can't tell whether middle 7 bits are garbage, use only
+ * lower 12 bits (i.e. tolerate S_IS{UID,GID,VTX} bits possibly being
+ * garbage) and reconstruct S_IFMT bits for Linux environment from
+ * di->i_vtype value.
+ */
+ inode->i_mode = 0x00000FFF & le32_to_cpu(di->i_mode);
if (le32_to_cpu(di->i_vtype) == BFS_VDIR) {
inode->i_mode |= S_IFDIR;
inode->i_op = &bfs_dir_inops;
@@ -70,6 +82,11 @@ struct inode *bfs_iget(struct super_block *sb, unsigned long ino)
inode->i_op = &bfs_file_inops;
inode->i_fop = &bfs_file_operations;
inode->i_mapping->a_ops = &bfs_aops;
+ } else {
+ brelse(bh);
+ printf("Unknown vtype=%u %s:%08lx\n",
+ le32_to_cpu(di->i_vtype), inode->i_sb->s_id, ino);
+ goto error;
}
BFS_I(inode)->i_sblock = le32_to_cpu(di->i_sblock);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 029/737] HID: hid-input: Extend Elan ignore battery quirk to USB
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 028/737] bfs: Reconstruct file type when loading from disk Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 030/737] nvme: fix admin request_queue lifetime Greg Kroah-Hartman
` (718 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, André Barata,
Mario Limonciello (AMD), Jiri Kosina, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
[ Upstream commit 534ca75e8e3b713514b3f2da85dab96831cf5b2a ]
USB Elan devices have the same problem as the I2C ones with a fake
battery device showing up.
Reviewed-by: Hans de Goede <hansg@kernel.org>
Reported-by: André Barata <andretiagob@protonmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220722
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-input.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index f073d5621050a..fa3efe9701c96 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -386,10 +386,11 @@ static const struct hid_device_id hid_battery_quirks[] = {
{ HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_CHROMEBOOK_TROGDOR_POMPOM),
HID_BATTERY_QUIRK_AVOID_QUERY },
/*
- * Elan I2C-HID touchscreens seem to all report a non present battery,
- * set HID_BATTERY_QUIRK_IGNORE for all Elan I2C-HID devices.
+ * Elan HID touchscreens seem to all report a non present battery,
+ * set HID_BATTERY_QUIRK_IGNORE for all Elan I2C and USB HID devices.
*/
{ HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, HID_ANY_ID), HID_BATTERY_QUIRK_IGNORE },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELAN, HID_ANY_ID), HID_BATTERY_QUIRK_IGNORE },
{}
};
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 030/737] nvme: fix admin request_queue lifetime
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 029/737] HID: hid-input: Extend Elan ignore battery quirk to USB Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 031/737] pinctrl: qcom: msm: Fix deadlock in pinmux configuration Greg Kroah-Hartman
` (717 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Casey Chen, Christoph Hellwig,
Hannes Reinecke, Ming Lei, Chaitanya Kulkarni, Keith Busch,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 03b3bcd319b3ab5182bc9aaa0421351572c78ac0 ]
The namespaces can access the controller's admin request_queue, and
stale references on the namespaces may exist after tearing down the
controller. Ensure the admin request_queue is active by moving the
controller's 'put' to after all controller references have been released
to ensure no one is can access the request_queue. This fixes a reported
use-after-free bug:
BUG: KASAN: slab-use-after-free in blk_queue_enter+0x41c/0x4a0
Read of size 8 at addr ffff88c0a53819f8 by task nvme/3287
CPU: 67 UID: 0 PID: 3287 Comm: nvme Tainted: G E 6.13.2-ga1582f1a031e #15
Tainted: [E]=UNSIGNED_MODULE
Hardware name: Jabil /EGS 2S MB1, BIOS 1.00 06/18/2025
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x60
print_report+0xc4/0x620
? _raw_spin_lock_irqsave+0x70/0xb0
? _raw_read_unlock_irqrestore+0x30/0x30
? blk_queue_enter+0x41c/0x4a0
kasan_report+0xab/0xe0
? blk_queue_enter+0x41c/0x4a0
blk_queue_enter+0x41c/0x4a0
? __irq_work_queue_local+0x75/0x1d0
? blk_queue_start_drain+0x70/0x70
? irq_work_queue+0x18/0x20
? vprintk_emit.part.0+0x1cc/0x350
? wake_up_klogd_work_func+0x60/0x60
blk_mq_alloc_request+0x2b7/0x6b0
? __blk_mq_alloc_requests+0x1060/0x1060
? __switch_to+0x5b7/0x1060
nvme_submit_user_cmd+0xa9/0x330
nvme_user_cmd.isra.0+0x240/0x3f0
? force_sigsegv+0xe0/0xe0
? nvme_user_cmd64+0x400/0x400
? vfs_fileattr_set+0x9b0/0x9b0
? cgroup_update_frozen_flag+0x24/0x1c0
? cgroup_leave_frozen+0x204/0x330
? nvme_ioctl+0x7c/0x2c0
blkdev_ioctl+0x1a8/0x4d0
? blkdev_common_ioctl+0x1930/0x1930
? fdget+0x54/0x380
__x64_sys_ioctl+0x129/0x190
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f765f703b0b
Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d dd 52 0f 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe2cefe808 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffe2cefe860 RCX: 00007f765f703b0b
RDX: 00007ffe2cefe860 RSI: 00000000c0484e41 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
R10: 00007f765f611d50 R11: 0000000000000202 R12: 0000000000000003
R13: 00000000c0484e41 R14: 0000000000000001 R15: 00007ffe2cefea60
</TASK>
Reported-by: Casey Chen <cachen@purestorage.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 78d00e25a1790..f09ebcbe11798 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -4318,7 +4318,6 @@ EXPORT_SYMBOL_GPL(nvme_alloc_admin_tag_set);
void nvme_remove_admin_tag_set(struct nvme_ctrl *ctrl)
{
blk_mq_destroy_queue(ctrl->admin_q);
- blk_put_queue(ctrl->admin_q);
if (ctrl->ops->flags & NVME_F_FABRICS) {
blk_mq_destroy_queue(ctrl->fabrics_q);
blk_put_queue(ctrl->fabrics_q);
@@ -4463,6 +4462,8 @@ static void nvme_free_ctrl(struct device *dev)
container_of(dev, struct nvme_ctrl, ctrl_device);
struct nvme_subsystem *subsys = ctrl->subsys;
+ if (ctrl->admin_q)
+ blk_put_queue(ctrl->admin_q);
if (!subsys || ctrl->instance != subsys->instance)
ida_free(&nvme_instance_ida, ctrl->instance);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 031/737] pinctrl: qcom: msm: Fix deadlock in pinmux configuration
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 030/737] nvme: fix admin request_queue lifetime Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 032/737] platform/x86: acer-wmi: Ignore backlight event Greg Kroah-Hartman
` (716 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prasad Sodagudi, Praveen Talari,
Bjorn Andersson, Linus Walleij, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Praveen Talari <praveen.talari@oss.qualcomm.com>
[ Upstream commit 1c2e70397b4125022dba80f6111271a37fb36bae ]
Replace disable_irq() with disable_irq_nosync() in msm_pinmux_set_mux()
to prevent deadlock when wakeup IRQ is triggered on the same
GPIO being reconfigured.
The issue occurs when a wakeup IRQ is triggered on a GPIO and the IRQ
handler attempts to reconfigure the same GPIO's pinmux. In this scenario,
msm_pinmux_set_mux() calls disable_irq() which waits for the currently
running IRQ handler to complete, creating a circular dependency that
results in deadlock.
Using disable_irq_nosync() avoids waiting for the IRQ handler to
complete, preventing the deadlock condition while still properly
disabling the interrupt during pinmux reconfiguration.
Suggested-by: Prasad Sodagudi <prasad.sodagudi@oss.qualcomm.com>
Signed-off-by: Praveen Talari <praveen.talari@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/qcom/pinctrl-msm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c
index 13dc8bc1d0cff..688f3d01f4af8 100644
--- a/drivers/pinctrl/qcom/pinctrl-msm.c
+++ b/drivers/pinctrl/qcom/pinctrl-msm.c
@@ -214,7 +214,7 @@ static int msm_pinmux_set_mux(struct pinctrl_dev *pctldev,
*/
if (d && i != gpio_func &&
!test_and_set_bit(d->hwirq, pctrl->disabled_for_mux))
- disable_irq(irq);
+ disable_irq_nosync(irq);
raw_spin_lock_irqsave(&pctrl->lock, flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 032/737] platform/x86: acer-wmi: Ignore backlight event
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 031/737] pinctrl: qcom: msm: Fix deadlock in pinmux configuration Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 033/737] HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Greg Kroah-Hartman
` (715 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bugaddr, Armin Wolf,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 444a9256f8d106e08a6bc2dc8ef28a8699e4b3ba ]
On the Acer Nitro AN515-58, the event 4 - 0 is send by the ACPI
firmware when the backlight up/down keys are pressed. Ignore this
event to avoid spamming the kernel log with error messages, as the
acpi-video driver already handles brightness up/down events.
Reported-by: Bugaddr <Bugaddr@protonmail.com>
Closes: https://bugaddr.tech/posts/2025-11-16-debugging-the-acer-nitro-5-an515-58-fn-f10-keyboard-backlight-bug-on-linux/#wmi-interface-issues
Tested-by: Bugaddr <Bugaddr@protonmail.com>
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20251117155938.3030-1-W_Armin@gmx.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/acer-wmi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
index 868faccfb8628..e7a43f824272f 100644
--- a/drivers/platform/x86/acer-wmi.c
+++ b/drivers/platform/x86/acer-wmi.c
@@ -86,6 +86,7 @@ MODULE_ALIAS("wmi:676AA15E-6A47-4D9F-A2CC-1E6D18D14026");
enum acer_wmi_event_ids {
WMID_HOTKEY_EVENT = 0x1,
+ WMID_BACKLIGHT_EVENT = 0x4,
WMID_ACCEL_OR_KBD_DOCK_EVENT = 0x5,
WMID_GAMING_TURBO_KEY_EVENT = 0x7,
WMID_AC_EVENT = 0x8,
@@ -1992,6 +1993,9 @@ static void acer_wmi_notify(u32 value, void *context)
sparse_keymap_report_event(acer_wmi_input_dev, scancode, 1, true);
}
break;
+ case WMID_BACKLIGHT_EVENT:
+ /* Already handled by acpi-video */
+ break;
case WMID_ACCEL_OR_KBD_DOCK_EVENT:
acer_gsensor_event();
acer_kbd_dock_event(&return_value);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 033/737] HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 032/737] platform/x86: acer-wmi: Ignore backlight event Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 034/737] platform/x86: huawei-wmi: add keys for HONOR models Greg Kroah-Hartman
` (714 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, April Grimoire, Jiri Kosina,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: April Grimoire <april@aprilg.moe>
[ Upstream commit 743c81cdc98fd4fef62a89eb70efff994112c2d9 ]
SONiX AK870 PRO keyboard pretends to be an apple keyboard by VID:PID,
rendering function keys not treated properly. Despite being a
SONiX USB DEVICE, it uses a different name, so adding it to the list.
Signed-off-by: April Grimoire <april@aprilg.moe>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-apple.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c
index 7cf17c671da48..2b8021628d3c6 100644
--- a/drivers/hid/hid-apple.c
+++ b/drivers/hid/hid-apple.c
@@ -341,6 +341,7 @@ static const struct apple_key_translation swapped_fn_leftctrl_keys[] = {
static const struct apple_non_apple_keyboard non_apple_keyboards[] = {
{ "SONiX USB DEVICE" },
+ { "SONiX AK870 PRO" },
{ "Keychron" },
{ "AONE" },
{ "GANSS" },
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 034/737] platform/x86: huawei-wmi: add keys for HONOR models
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 033/737] HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 035/737] platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list Greg Kroah-Hartman
` (713 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ston Jia, Ilpo Järvinen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jia Ston <ston.jia@outlook.com>
[ Upstream commit 5c72329716d0858621021193330594d5d26bf44d ]
HONOR MagicBook X16/X14 models produced in 2025 cannot use the Print
Screen and YOYO keys properly, with the system reporting them as
unknown key presses (codes: 0x028b and 0x028e).
To resolve this, a key_entry is added for both the HONOR Print Screen
key and the HONOR YOYO key, ensuring they function correctly on these
models.
Signed-off-by: Ston Jia <ston.jia@outlook.com>
Link: https://patch.msgid.link/20251029051804.220111-1-ston.jia@outlook.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/huawei-wmi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/platform/x86/huawei-wmi.c b/drivers/platform/x86/huawei-wmi.c
index 0ef1c46b617b6..29ef391d33052 100644
--- a/drivers/platform/x86/huawei-wmi.c
+++ b/drivers/platform/x86/huawei-wmi.c
@@ -81,6 +81,10 @@ static const struct key_entry huawei_wmi_keymap[] = {
{ KE_KEY, 0x289, { KEY_WLAN } },
// Huawei |M| key
{ KE_KEY, 0x28a, { KEY_CONFIG } },
+ // HONOR YOYO key
+ { KE_KEY, 0x28b, { KEY_NOTIFICATION_CENTER } },
+ // HONOR print screen
+ { KE_KEY, 0x28e, { KEY_PRINT } },
// Keyboard backlit
{ KE_IGNORE, 0x293, { KEY_KBDILLUMTOGGLE } },
{ KE_IGNORE, 0x294, { KEY_KBDILLUMUP } },
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 035/737] platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 034/737] platform/x86: huawei-wmi: add keys for HONOR models Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 036/737] platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Greg Kroah-Hartman
` (712 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello,
Antheas Kapenekakis, Mario Limonciello (AMD), Ilpo Järvinen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antheas Kapenekakis <lkml@antheas.dev>
[ Upstream commit f945afe01c6768dcfed7868c671a26e1164c2284 ]
The Lenovo Legion Go 2 takes a long time to resume from suspend.
This is due to it having an nvme resume handler that interferes
with IOMMU mappings. It is a common issue with older Lenovo
laptops. Adding it to that quirk list fixes this issue.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4618
Suggested-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Link: https://patch.msgid.link/20251008135057.731928-1-lkml@antheas.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/amd/pmc/pmc-quirks.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
index 9fd2829ee2ab4..271cbeaa59af3 100644
--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
+++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
@@ -198,6 +198,23 @@ static const struct dmi_system_id fwbug_list[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "82ND"),
}
},
+ /* https://gitlab.freedesktop.org/drm/amd/-/issues/4618 */
+ {
+ .ident = "Lenovo Legion Go 2",
+ .driver_data = &quirk_s2idle_bug,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "83N0"),
+ }
+ },
+ {
+ .ident = "Lenovo Legion Go 2",
+ .driver_data = &quirk_s2idle_bug,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "83N1"),
+ }
+ },
/* https://gitlab.freedesktop.org/drm/amd/-/issues/2684 */
{
.ident = "HP Laptop 15s-eq2xxx",
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 036/737] platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 035/737] platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 037/737] HID: elecom: Add support for ELECOM M-XT3URBK (018F) Greg Kroah-Hartman
` (711 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antheas Kapenekakis,
Mario Limonciello (AMD), Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antheas Kapenekakis <lkml@antheas.dev>
[ Upstream commit c0ddc54016636dd8dedfaf1a3b482a95058e1db2 ]
The Xbox Ally features a Van Gogh SoC that has spurious interrupts
during resume. We get the following logs:
atkbd_receive_byte: 20 callbacks suppressed
atkbd serio0: Spurious ACK on isa0060/serio0. Some program might be trying to access hardware directly.
So, add the spurious_8042 quirk for it. It does not have a keyboard, so
this does not result in any functional loss.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4659
Signed-off-by: Antheas Kapenekakis <lkml@antheas.dev>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Link: https://patch.msgid.link/20251024152152.3981721-3-lkml@antheas.dev
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/amd/pmc/pmc-quirks.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/platform/x86/amd/pmc/pmc-quirks.c b/drivers/platform/x86/amd/pmc/pmc-quirks.c
index 271cbeaa59af3..a5031339dac8c 100644
--- a/drivers/platform/x86/amd/pmc/pmc-quirks.c
+++ b/drivers/platform/x86/amd/pmc/pmc-quirks.c
@@ -116,6 +116,14 @@ static const struct dmi_system_id fwbug_list[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "21A1"),
}
},
+ {
+ .ident = "ROG Xbox Ally RC73YA",
+ .driver_data = &quirk_spurious_8042,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "RC73YA"),
+ }
+ },
/* https://bugzilla.kernel.org/show_bug.cgi?id=218024 */
{
.ident = "V14 G4 AMN",
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 037/737] HID: elecom: Add support for ELECOM M-XT3URBK (018F)
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 036/737] platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 038/737] LoongArch: Mask all interrupts during kexec/kdump Greg Kroah-Hartman
` (710 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Naoki Ueki, Jiri Kosina, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naoki Ueki <naoki25519@gmail.com>
[ Upstream commit cdcbb8e8d10f656642380ee13516290437b52b36 ]
The ELECOM M-XT3URBK trackball has an additional device ID (0x018F), which
shares the same report descriptor as the existing device (0x00FB). However,
the driver does not currently recognize this new ID, resulting in only five
buttons being functional.
This patch adds the new device ID so that all six buttons work properly.
Signed-off-by: Naoki Ueki <naoki25519@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-elecom.c | 6 ++++--
drivers/hid/hid-ids.h | 3 ++-
drivers/hid/hid-quirks.c | 3 ++-
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/hid-elecom.c b/drivers/hid/hid-elecom.c
index 4fa45ee77503b..f76fec79e8903 100644
--- a/drivers/hid/hid-elecom.c
+++ b/drivers/hid/hid-elecom.c
@@ -75,7 +75,8 @@ static __u8 *elecom_report_fixup(struct hid_device *hdev, __u8 *rdesc,
*/
mouse_button_fixup(hdev, rdesc, *rsize, 20, 28, 22, 14, 8);
break;
- case USB_DEVICE_ID_ELECOM_M_XT3URBK:
+ case USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB:
+ case USB_DEVICE_ID_ELECOM_M_XT3URBK_018F:
case USB_DEVICE_ID_ELECOM_M_XT3DRBK:
case USB_DEVICE_ID_ELECOM_M_XT4DRBK:
/*
@@ -117,7 +118,8 @@ static __u8 *elecom_report_fixup(struct hid_device *hdev, __u8 *rdesc,
static const struct hid_device_id elecom_devices[] = {
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XGL20DLBK) },
- { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_018F) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT4DRBK) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_DT1URBK) },
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 6a538dca21a9a..ca9c70c8f3cf1 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -439,7 +439,8 @@
#define USB_VENDOR_ID_ELECOM 0x056e
#define USB_DEVICE_ID_ELECOM_BM084 0x0061
#define USB_DEVICE_ID_ELECOM_M_XGL20DLBK 0x00e6
-#define USB_DEVICE_ID_ELECOM_M_XT3URBK 0x00fb
+#define USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB 0x00fb
+#define USB_DEVICE_ID_ELECOM_M_XT3URBK_018F 0x018f
#define USB_DEVICE_ID_ELECOM_M_XT3DRBK 0x00fc
#define USB_DEVICE_ID_ELECOM_M_XT4DRBK 0x00fd
#define USB_DEVICE_ID_ELECOM_M_DT1URBK 0x00fe
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index fa946666969b8..2da21415e676c 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -405,7 +405,8 @@ static const struct hid_device_id hid_have_special_driver[] = {
#if IS_ENABLED(CONFIG_HID_ELECOM)
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) },
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XGL20DLBK) },
- { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_018F) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT4DRBK) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_DT1URBK) },
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 038/737] LoongArch: Mask all interrupts during kexec/kdump
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 037/737] HID: elecom: Add support for ELECOM M-XT3URBK (018F) Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 039/737] samples: work around glibc redefining some of our defines wrong Greg Kroah-Hartman
` (709 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tianyang Zhang, Huacai Chen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
[ Upstream commit 863a320dc6fd7c855f47da4bb82a8de2d9102ea2 ]
If the default state of the interrupt controllers in the first kernel
don't mask any interrupts, it may cause the second kernel to potentially
receive interrupts (which were previously allocated by the first kernel)
immediately after a CPU becomes online during its boot process. These
interrupts cannot be properly routed, leading to bad IRQ issues.
This patch calls machine_kexec_mask_interrupts() to mask all interrupts
during the kexec/kdump process.
Signed-off-by: Tianyang Zhang <zhangtianyang@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/loongarch/kernel/machine_kexec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/loongarch/kernel/machine_kexec.c b/arch/loongarch/kernel/machine_kexec.c
index 30aa420610a06..e50c9a81ff1aa 100644
--- a/arch/loongarch/kernel/machine_kexec.c
+++ b/arch/loongarch/kernel/machine_kexec.c
@@ -249,6 +249,7 @@ void machine_crash_shutdown(struct pt_regs *regs)
#ifdef CONFIG_SMP
crash_smp_send_stop();
#endif
+ machine_kexec_mask_interrupts();
cpumask_set_cpu(crashing_cpu, &cpus_in_crash);
pr_info("Starting crashdump kernel...\n");
@@ -286,6 +287,7 @@ void machine_kexec(struct kimage *image)
/* We do not want to be bothered. */
local_irq_disable();
+ machine_kexec_mask_interrupts();
pr_notice("EFI boot flag 0x%lx\n", efi_boot);
pr_notice("Command line at 0x%lx\n", cmdline_ptr);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 039/737] samples: work around glibc redefining some of our defines wrong
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 038/737] LoongArch: Mask all interrupts during kexec/kdump Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 040/737] wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 Greg Kroah-Hartman
` (708 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Torvalds, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linux-foundation.org>
[ Upstream commit a48f822908982353c3256e35a089e9e7d0d61580 ]
Apparently as of version 2.42, glibc headers define AT_RENAME_NOREPLACE
and some of the other flags for renameat2() and friends in <stdio.h>.
Which would all be fine, except for inexplicable reasons glibc decided
to define them _differently_ from the kernel definitions, which then
makes some of our sample code that includes both kernel headers and user
space headers unhappy, because the compiler will (correctly) complain
about redefining things.
Now, mixing kernel headers and user space headers is always a somewhat
iffy proposition due to namespacing issues, but it's kind of inevitable
in our sample and selftest code. And this is just glibc being stupid.
Those defines come from the kernel, glibc is exposing the kernel
interfaces, and glibc shouldn't make up some random new expressions for
these values.
It's not like glibc headers changed the actual result values, but they
arbitrarily just decided to use a different expression to describe those
values. The kernel just does
#define AT_RENAME_NOREPLACE 0x0001
while glibc does
# define RENAME_NOREPLACE (1 << 0)
# define AT_RENAME_NOREPLACE RENAME_NOREPLACE
instead. Same value in the end, but very different macro definition.
For absolutely no reason.
This has since been fixed in the glibc development tree, so eventually
we'll end up with the canonical expressions and no clashes. But in the
meantime the broken headers are in the glibc-2.42 release and have made
it out into distributions.
Do a minimal work-around to make the samples build cleanly by just
undefining the affected macros in between the user space header include
and the kernel header includes.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
samples/vfs/test-statx.c | 6 ++++++
samples/watch_queue/watch_test.c | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/samples/vfs/test-statx.c b/samples/vfs/test-statx.c
index 49c7a46cee073..424a6fa15723c 100644
--- a/samples/vfs/test-statx.c
+++ b/samples/vfs/test-statx.c
@@ -19,6 +19,12 @@
#include <time.h>
#include <sys/syscall.h>
#include <sys/types.h>
+
+// Work around glibc header silliness
+#undef AT_RENAME_NOREPLACE
+#undef AT_RENAME_EXCHANGE
+#undef AT_RENAME_WHITEOUT
+
#include <linux/stat.h>
#include <linux/fcntl.h>
#define statx foo
diff --git a/samples/watch_queue/watch_test.c b/samples/watch_queue/watch_test.c
index 8c6cb57d5cfc5..24cf7d7a19725 100644
--- a/samples/watch_queue/watch_test.c
+++ b/samples/watch_queue/watch_test.c
@@ -16,6 +16,12 @@
#include <errno.h>
#include <sys/ioctl.h>
#include <limits.h>
+
+// Work around glibc header silliness
+#undef AT_RENAME_NOREPLACE
+#undef AT_RENAME_EXCHANGE
+#undef AT_RENAME_WHITEOUT
+
#include <linux/watch_queue.h>
#include <linux/unistd.h>
#include <linux/keyctl.h>
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 040/737] wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 039/737] samples: work around glibc redefining some of our defines wrong Greg Kroah-Hartman
@ 2026-01-09 11:32 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 041/737] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
` (707 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:32 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zenm Chen, Ping-Ke Shih
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zenm Chen <zenmchen@gmail.com>
commit b377dcd9a286a6f81922ae442cd1c743bc4a2b35 upstream.
Add USB ID 2001:3329 for D-Link AC13U rev. A1 which is a RTL8812CU-based
Wi-Fi adapter.
Compile tested only.
Cc: stable@vger.kernel.org # 6.6.x
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20250929035719.6172-2-zenmchen@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtw88/rtw8822cu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/wireless/realtek/rtw88/rtw8822cu.c
+++ b/drivers/net/wireless/realtek/rtw88/rtw8822cu.c
@@ -21,6 +21,8 @@ static const struct usb_device_id rtw_88
.driver_info = (kernel_ulong_t)&(rtw8822c_hw_spec) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x13b1, 0x0043, 0xff, 0xff, 0xff),
.driver_info = (kernel_ulong_t)&(rtw8822c_hw_spec) }, /* Alpha - Alpha */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3329, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)&(rtw8822c_hw_spec) }, /* D-Link AC13U rev. A1 */
{},
};
MODULE_DEVICE_TABLE(usb, rtw_8822cu_id_table);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 041/737] comedi: c6xdigio: Fix invalid PNP driver unregistration
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-01-09 11:32 ` [PATCH 6.6 040/737] wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 042/737] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
` (706 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6616bba359cec7a1def1, stable,
Ian Abbott
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 72262330f7b3ad2130e800cecf02adcce3c32c77 upstream.
The Comedi low-level driver "c6xdigio" seems to be for a parallel port
connected device. When the Comedi core calls the driver's Comedi
"attach" handler `c6xdigio_attach()` to configure a Comedi to use this
driver, it tries to enable the parallel port PNP resources by
registering a PNP driver with `pnp_register_driver()`, but ignores the
return value. (The `struct pnp_driver` it uses has only the `name` and
`id_table` members filled in.) The driver's Comedi "detach" handler
`c6xdigio_detach()` unconditionally unregisters the PNP driver with
`pnp_unregister_driver()`.
It is possible for `c6xdigio_attach()` to return an error before it
calls `pnp_register_driver()` and it is possible for the call to
`pnp_register_driver()` to return an error (that is ignored). In both
cases, the driver should not be calling `pnp_unregister_driver()` as it
does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be
called by the Comedi core if `c6xdigio_attach()` returns an error, or if
the Comedi core decides to detach the Comedi device from the driver for
some other reason.)
The unconditional call to `pnp_unregister_driver()` without a previous
successful call to `pnp_register_driver()` will cause
`driver_unregister()` to issue a warning "Unexpected driver
unregister!". This was detected by Syzbot [1].
Also, the PNP driver registration and unregistration should be done at
module init and exit time, respectively, not when attaching or detaching
Comedi devices to the driver. (There might be more than one Comedi
device being attached to the driver, although that is unlikely.)
Change the driver to do the PNP driver registration at module init time,
and the unregistration at module exit time. Since `c6xdigio_detach()`
now only calls `comedi_legacy_detach()`, remove the function and change
the Comedi driver "detach" handler to `comedi_legacy_detach`.
-------------------------------------------
[1] Syzbot sample crash report:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Modules linked in:
CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]
RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41
RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8
RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000
FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0
Call Trace:
<TASK>
comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011
do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872
comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc05798eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf8184238 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc057be5fa0 RCX: 00007fc05798eec9
RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007fc057a11f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc057be5fa0 R14: 00007fc057be5fa0 R15: 0000000000000003
</TASK>
-------------------------------------------
Reported-by: syzbot+6616bba359cec7a1def1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6616bba359cec7a1def1
Fixes: 2c89e159cd2f ("Staging: comedi: add c6xdigio driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023123141.6537-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/c6xdigio.c | 46 ++++++++++++++++++++++++++++----------
1 file changed, 35 insertions(+), 11 deletions(-)
--- a/drivers/comedi/drivers/c6xdigio.c
+++ b/drivers/comedi/drivers/c6xdigio.c
@@ -249,9 +249,6 @@ static int c6xdigio_attach(struct comedi
if (ret)
return ret;
- /* Make sure that PnP ports get activated */
- pnp_register_driver(&c6xdigio_pnp_driver);
-
s = &dev->subdevices[0];
/* pwm output subdevice */
s->type = COMEDI_SUBD_PWM;
@@ -278,19 +275,46 @@ static int c6xdigio_attach(struct comedi
return 0;
}
-static void c6xdigio_detach(struct comedi_device *dev)
-{
- comedi_legacy_detach(dev);
- pnp_unregister_driver(&c6xdigio_pnp_driver);
-}
-
static struct comedi_driver c6xdigio_driver = {
.driver_name = "c6xdigio",
.module = THIS_MODULE,
.attach = c6xdigio_attach,
- .detach = c6xdigio_detach,
+ .detach = comedi_legacy_detach,
};
-module_comedi_driver(c6xdigio_driver);
+
+static bool c6xdigio_pnp_registered = false;
+
+static int __init c6xdigio_module_init(void)
+{
+ int ret;
+
+ ret = comedi_driver_register(&c6xdigio_driver);
+ if (ret)
+ return ret;
+
+ if (IS_ENABLED(CONFIG_PNP)) {
+ /* Try to activate the PnP ports */
+ ret = pnp_register_driver(&c6xdigio_pnp_driver);
+ if (ret) {
+ pr_warn("failed to register pnp driver - err %d\n",
+ ret);
+ ret = 0; /* ignore the error. */
+ } else {
+ c6xdigio_pnp_registered = true;
+ }
+ }
+
+ return 0;
+}
+module_init(c6xdigio_module_init);
+
+static void __exit c6xdigio_module_exit(void)
+{
+ if (c6xdigio_pnp_registered)
+ pnp_unregister_driver(&c6xdigio_pnp_driver);
+ comedi_driver_unregister(&c6xdigio_driver);
+}
+module_exit(c6xdigio_module_exit);
MODULE_AUTHOR("Comedi https://www.comedi.org");
MODULE_DESCRIPTION("Comedi driver for the C6x_DIGIO DSP daughter card");
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 042/737] comedi: multiq3: sanitize config options in multiq3_attach()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 041/737] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 043/737] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
` (705 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7811bb68a317954a0347, stable,
Nikita Zhandarovich, Ian Abbott
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit f24c6e3a39fa355dabfb684c9ca82db579534e72 upstream.
Syzbot identified an issue [1] in multiq3_attach() that induces a
task timeout due to open() or COMEDI_DEVCONFIG ioctl operations,
specifically, in the case of multiq3 driver.
This problem arose when syzkaller managed to craft weird configuration
options used to specify the number of channels in encoder subdevice.
If a particularly great number is passed to s->n_chan in
multiq3_attach() via it->options[2], then multiple calls to
multiq3_encoder_reset() at the end of driver-specific attach() method
will be running for minutes, thus blocking tasks and affected devices
as well.
While this issue is most likely not too dangerous for real-life
devices, it still makes sense to sanitize configuration inputs. Enable
a sensible limit on the number of encoder chips (4 chips max, each
with 2 channels) to stop this behaviour from manifesting.
[1] Syzbot crash:
INFO: task syz.2.19:6067 blocked for more than 143 seconds.
...
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5254 [inline]
__schedule+0x17c4/0x4d60 kernel/sched/core.c:6862
__schedule_loop kernel/sched/core.c:6944 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6959
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760
comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x953/0x13f0 fs/open.c:965
vfs_open+0x3b/0x340 fs/open.c:1097
...
Reported-by: syzbot+7811bb68a317954a0347@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7811bb68a317954a0347
Fixes: 77e01cdbad51 ("Staging: comedi: add multiq3 driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023132205.395753-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/multiq3.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/comedi/drivers/multiq3.c
+++ b/drivers/comedi/drivers/multiq3.c
@@ -67,6 +67,11 @@
#define MULTIQ3_TRSFRCNTR_OL 0x10 /* xfer CNTR to OL (x and y) */
#define MULTIQ3_EFLAG_RESET 0x06 /* reset E bit of flag reg */
+/*
+ * Limit on the number of optional encoder channels
+ */
+#define MULTIQ3_MAX_ENC_CHANS 8
+
static void multiq3_set_ctrl(struct comedi_device *dev, unsigned int bits)
{
/*
@@ -312,6 +317,10 @@ static int multiq3_attach(struct comedi_
s->insn_read = multiq3_encoder_insn_read;
s->insn_config = multiq3_encoder_insn_config;
+ /* sanity check for number of encoder channels */
+ if (s->n_chan > MULTIQ3_MAX_ENC_CHANS)
+ s->n_chan = MULTIQ3_MAX_ENC_CHANS;
+
for (i = 0; i < s->n_chan; i++)
multiq3_encoder_reset(dev, i);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 043/737] comedi: check devices attached status in compat ioctls
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 042/737] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 044/737] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser Greg Kroah-Hartman
` (704 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ab8008c24e84adee93ff, stable,
Ian Abbott, Nikita Zhandarovich
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee upstream.
Syzbot identified an issue [1] that crashes kernel, seemingly due to
unexistent callback dev->get_valid_routes(). By all means, this should
not occur as said callback must always be set to
get_zero_valid_routes() in __comedi_device_postconfig().
As the crash seems to appear exclusively in i386 kernels, at least,
judging from [1] reports, the blame lies with compat versions
of standard IOCTL handlers. Several of them are modified and
do not use comedi_unlocked_ioctl(). While functionality of these
ioctls essentially copy their original versions, they do not
have required sanity check for device's attached status. This,
in turn, leads to a possibility of calling select IOCTLs on a
device that has not been properly setup, even via COMEDI_DEVCONFIG.
Doing so on unconfigured devices means that several crucial steps
are missed, for instance, specifying dev->get_valid_routes()
callback.
Fix this somewhat crudely by ensuring device's attached status before
performing any ioctls, improving logic consistency between modern
and compat functions.
[1] Syzbot report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0
Call Trace:
<TASK>
get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]
parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401
do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594
compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]
comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273
__do_compat_sys_ioctl fs/ioctl.c:695 [inline]
__se_compat_sys_ioctl fs/ioctl.c:638 [inline]
__ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
...
Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab8008c24e84adee93ff
Fixes: 3fbfd2223a27 ("comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat")
Cc: stable <stable@kernel.org>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20251023132234.395794-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/comedi_fops.c | 42 ++++++++++++++++++++++++++++++++++++------
1 file changed, 36 insertions(+), 6 deletions(-)
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -2971,7 +2971,12 @@ static int compat_chaninfo(struct file *
chaninfo.rangelist = compat_ptr(chaninfo32.rangelist);
mutex_lock(&dev->mutex);
- err = do_chaninfo_ioctl(dev, &chaninfo);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ err = -ENODEV;
+ } else {
+ err = do_chaninfo_ioctl(dev, &chaninfo);
+ }
mutex_unlock(&dev->mutex);
return err;
}
@@ -2992,7 +2997,12 @@ static int compat_rangeinfo(struct file
rangeinfo.range_ptr = compat_ptr(rangeinfo32.range_ptr);
mutex_lock(&dev->mutex);
- err = do_rangeinfo_ioctl(dev, &rangeinfo);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ err = -ENODEV;
+ } else {
+ err = do_rangeinfo_ioctl(dev, &rangeinfo);
+ }
mutex_unlock(&dev->mutex);
return err;
}
@@ -3068,7 +3078,12 @@ static int compat_cmd(struct file *file,
return rc;
mutex_lock(&dev->mutex);
- rc = do_cmd_ioctl(dev, &cmd, ©, file);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ rc = -ENODEV;
+ } else {
+ rc = do_cmd_ioctl(dev, &cmd, ©, file);
+ }
mutex_unlock(&dev->mutex);
if (copy) {
/* Special case: copy cmd back to user. */
@@ -3093,7 +3108,12 @@ static int compat_cmdtest(struct file *f
return rc;
mutex_lock(&dev->mutex);
- rc = do_cmdtest_ioctl(dev, &cmd, ©, file);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ rc = -ENODEV;
+ } else {
+ rc = do_cmdtest_ioctl(dev, &cmd, ©, file);
+ }
mutex_unlock(&dev->mutex);
if (copy) {
err = put_compat_cmd(compat_ptr(arg), &cmd);
@@ -3153,7 +3173,12 @@ static int compat_insnlist(struct file *
}
mutex_lock(&dev->mutex);
- rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ rc = -ENODEV;
+ } else {
+ rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file);
+ }
mutex_unlock(&dev->mutex);
kfree(insns);
return rc;
@@ -3172,7 +3197,12 @@ static int compat_insn(struct file *file
return rc;
mutex_lock(&dev->mutex);
- rc = do_insn_ioctl(dev, &insn, file);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ rc = -ENODEV;
+ } else {
+ rc = do_insn_ioctl(dev, &insn, file);
+ }
mutex_unlock(&dev->mutex);
return rc;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 044/737] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 043/737] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 045/737] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
` (703 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Navaneeth K, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Navaneeth K <knavaneeth786@gmail.com>
commit 154828bf9559b9c8421fc2f0d7f7f76b3683aaed upstream.
The Information Element (IE) parser rtw_get_ie() trusted the length
byte of each IE without validating that the IE body (len bytes after
the 2-byte header) fits inside the remaining frame buffer. A malformed
frame can advertise an IE length larger than the available data, causing
the parser to increment its pointer beyond the buffer end. This results
in out-of-bounds reads or, depending on the pattern, an infinite loop.
Fix by validating that (offset + 2 + len) does not exceed the limit
before accepting the IE or advancing to the next element.
This prevents OOB reads and ensures the parser terminates safely on
malformed frames.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_ieee80211.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -139,22 +139,24 @@ u8 *rtw_get_ie(u8 *pbuf, signed int inde
signed int tmp, i;
u8 *p;
- if (limit < 1)
+ if (limit < 2)
return NULL;
p = pbuf;
i = 0;
*len = 0;
- while (1) {
+ while (i + 2 <= limit) {
+ tmp = *(p + 1);
+ if (i + 2 + tmp > limit)
+ break;
+
if (*p == index) {
- *len = *(p + 1);
+ *len = tmp;
return p;
}
- tmp = *(p + 1);
+
p += (tmp + 2);
i += (tmp + 2);
- if (i >= limit)
- break;
}
return NULL;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 045/737] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 044/737] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 046/737] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
` (702 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Navaneeth K, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Navaneeth K <knavaneeth786@gmail.com>
commit 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 upstream.
The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.
Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.
This prevents kernel stack corruption triggered by malformed association
requests.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -1034,6 +1034,9 @@ unsigned int OnAssocReq(struct adapter *
status = WLAN_STATUS_CHALLENGE_FAIL;
goto OnAssocReqFail;
} else {
+ if (ie_len > sizeof(supportRate))
+ ie_len = sizeof(supportRate);
+
memcpy(supportRate, p+2, ie_len);
supportRateNum = ie_len;
@@ -1041,7 +1044,7 @@ unsigned int OnAssocReq(struct adapter *
pkt_len - WLAN_HDR_A3_LEN - ie_offset);
if (p) {
- if (supportRateNum <= sizeof(supportRate)) {
+ if (supportRateNum + ie_len <= sizeof(supportRate)) {
memcpy(supportRate+supportRateNum, p+2, ie_len);
supportRateNum += ie_len;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 046/737] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 045/737] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 047/737] smack: fix bug: unprivileged task can create labels Greg Kroah-Hartman
` (701 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Navaneeth K, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Navaneeth K <knavaneeth786@gmail.com>
commit 502ddcc405b69fa92e0add6c1714d654504f6fd7 upstream.
The Extended Supported Rates (ESR) IE handling in OnBeacon accessed
*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these
offsets lie within the received frame buffer. A malformed beacon with
an ESR IE positioned at the end of the buffer could cause an
out-of-bounds read, potentially triggering a kernel panic.
Add a boundary check to ensure that the ESR IE body and the subsequent
bytes are within the limits of the frame before attempting to access
them.
This prevents OOB reads caused by malformed beacon frames.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -580,9 +580,11 @@ unsigned int OnBeacon(struct adapter *pa
p = rtw_get_ie(pframe + sizeof(struct ieee80211_hdr_3addr) + _BEACON_IE_OFFSET_, WLAN_EID_EXT_SUPP_RATES, &ielen, precv_frame->u.hdr.len - sizeof(struct ieee80211_hdr_3addr) - _BEACON_IE_OFFSET_);
if (p && ielen > 0) {
- if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D))
- /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */
- *(p + 1) = ielen - 1;
+ if (p + 2 + ielen < pframe + len) {
+ if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D))
+ /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */
+ *(p + 1) = ielen - 1;
+ }
}
if (pmlmeext->sitesurvey_res.state == SCAN_PROCESS) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 047/737] smack: fix bug: unprivileged task can create labels
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 046/737] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 048/737] gpu: host1x: Fix race in syncpt alloc/free Greg Kroah-Hartman
` (700 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konstantin Andreev, Casey Schaufler,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Andreev <andreev@swemel.ru>
[ Upstream commit c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3 ]
If an unprivileged task is allowed to relabel itself
(/smack/relabel-self is not empty),
it can freely create new labels by writing their
names into own /proc/PID/attr/smack/current
This occurs because do_setattr() imports
the provided label in advance,
before checking "relabel-self" list.
This change ensures that the "relabel-self" list
is checked before importing the label.
Fixes: 38416e53936e ("Smack: limited capability for changing process label")
Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/smack/smack_lsm.c | 41 +++++++++++++++++++++++++-------------
1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index d272cf8160d53..8d38f4a813171 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3687,8 +3687,8 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
struct task_smack *tsp = smack_cred(current_cred());
struct cred *new;
struct smack_known *skp;
- struct smack_known_list_elem *sklep;
- int rc;
+ char *labelstr;
+ int rc = 0;
if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel))
return -EPERM;
@@ -3699,28 +3699,41 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
if (strcmp(name, "current") != 0)
return -EINVAL;
- skp = smk_import_entry(value, size);
- if (IS_ERR(skp))
- return PTR_ERR(skp);
+ labelstr = smk_parse_smack(value, size);
+ if (IS_ERR(labelstr))
+ return PTR_ERR(labelstr);
/*
* No process is ever allowed the web ("@") label
* and the star ("*") label.
*/
- if (skp == &smack_known_web || skp == &smack_known_star)
- return -EINVAL;
+ if (labelstr[1] == '\0' /* '@', '*' */) {
+ const char c = labelstr[0];
+
+ if (c == *smack_known_web.smk_known ||
+ c == *smack_known_star.smk_known) {
+ rc = -EPERM;
+ goto free_labelstr;
+ }
+ }
if (!smack_privileged(CAP_MAC_ADMIN)) {
- rc = -EPERM;
+ const struct smack_known_list_elem *sklep;
list_for_each_entry(sklep, &tsp->smk_relabel, list)
- if (sklep->smk_label == skp) {
- rc = 0;
- break;
- }
- if (rc)
- return rc;
+ if (strcmp(sklep->smk_label->smk_known, labelstr) == 0)
+ goto free_labelstr;
+ rc = -EPERM;
}
+free_labelstr:
+ kfree(labelstr);
+ if (rc)
+ return -EPERM;
+
+ skp = smk_import_entry(value, size);
+ if (IS_ERR(skp))
+ return PTR_ERR(skp);
+
new = prepare_creds();
if (new == NULL)
return -ENOMEM;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 048/737] gpu: host1x: Fix race in syncpt alloc/free
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 047/737] smack: fix bug: unprivileged task can create labels Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 049/737] drm/panel: visionox-rm69299: Dont clear all mode flags Greg Kroah-Hartman
` (699 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mainak Sen, Mikko Perttunen,
Thierry Reding, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mainak Sen <msen@nvidia.com>
[ Upstream commit c7d393267c497502fa737607f435f05dfe6e3d9b ]
Fix race condition between host1x_syncpt_alloc()
and host1x_syncpt_put() by using kref_put_mutex()
instead of kref_put() + manual mutex locking.
This ensures no thread can acquire the
syncpt_mutex after the refcount drops to zero
but before syncpt_release acquires it.
This prevents races where syncpoints could
be allocated while still being cleaned up
from a previous release.
Remove explicit mutex locking in syncpt_release
as kref_put_mutex() handles this atomically.
Signed-off-by: Mainak Sen <msen@nvidia.com>
Fixes: f5ba33fb9690 ("gpu: host1x: Reserve VBLANK syncpoints at initialization")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20250707-host1x-syncpt-race-fix-v1-1-28b0776e70bc@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/host1x/syncpt.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/gpu/host1x/syncpt.c b/drivers/gpu/host1x/syncpt.c
index f63d14a57a1d9..acc7d82e0585e 100644
--- a/drivers/gpu/host1x/syncpt.c
+++ b/drivers/gpu/host1x/syncpt.c
@@ -345,8 +345,6 @@ static void syncpt_release(struct kref *ref)
sp->locked = false;
- mutex_lock(&sp->host->syncpt_mutex);
-
host1x_syncpt_base_free(sp->base);
kfree(sp->name);
sp->base = NULL;
@@ -369,7 +367,7 @@ void host1x_syncpt_put(struct host1x_syncpt *sp)
if (!sp)
return;
- kref_put(&sp->ref, syncpt_release);
+ kref_put_mutex(&sp->ref, syncpt_release, &sp->host->syncpt_mutex);
}
EXPORT_SYMBOL(host1x_syncpt_put);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 049/737] drm/panel: visionox-rm69299: Dont clear all mode flags
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 048/737] gpu: host1x: Fix race in syncpt alloc/free Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 050/737] drm/vgem-fence: Fix potential deadlock on release Greg Kroah-Hartman
` (698 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Guido Günther,
Dmitry Baryshkov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guido Günther <agx@sigxcpu.org>
[ Upstream commit 39144b611e9cd4f5814f4098c891b545dd70c536 ]
Don't clear all mode flags. We only want to maek sure we use HS mode
during unprepare.
Fixes: c7f66d32dd431 ("drm/panel: add support for rm69299 visionox panel")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Guido Günther <agx@sigxcpu.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250910-shift6mq-panel-v3-2-a7729911afb9@sigxcpu.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-visionox-rm69299.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/panel/panel-visionox-rm69299.c b/drivers/gpu/drm/panel/panel-visionox-rm69299.c
index 6e946e5a036ee..fa784b9998eb0 100644
--- a/drivers/gpu/drm/panel/panel-visionox-rm69299.c
+++ b/drivers/gpu/drm/panel/panel-visionox-rm69299.c
@@ -64,7 +64,7 @@ static int visionox_rm69299_unprepare(struct drm_panel *panel)
struct visionox_rm69299 *ctx = panel_to_ctx(panel);
int ret;
- ctx->dsi->mode_flags = 0;
+ ctx->dsi->mode_flags &= ~MIPI_DSI_MODE_LPM;
ret = mipi_dsi_dcs_write(ctx->dsi, MIPI_DCS_SET_DISPLAY_OFF, NULL, 0);
if (ret < 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 050/737] drm/vgem-fence: Fix potential deadlock on release
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 049/737] drm/panel: visionox-rm69299: Dont clear all mode flags Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 051/737] USB: Fix descriptor count when handling invalid MBIM extended descriptor Greg Kroah-Hartman
` (697 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Janusz Krzysztofik,
Christian König, Maarten Lankhorst, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
[ Upstream commit 78b4d6463e9e69e5103f98b367f8984ad12cdc6f ]
A timer that expires a vgem fence automatically in 10 seconds is now
released with timer_delete_sync() from fence->ops.release() called on last
dma_fence_put(). In some scenarios, it can run in IRQ context, which is
not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was
demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while
working on new IGT subtests syncobj_timeline@stress-* as user space
replacements of some problematic test cases of a dma-fence-chain selftest
[1].
[117.004338] ================================
[117.004340] WARNING: inconsistent lock state
[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U
[117.004346] --------------------------------
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004361] {HARDIRQ-ON-W} state was registered at:
[117.004363] lock_acquire+0xc4/0x2e0
[117.004366] call_timer_fn+0x80/0x2a0
[117.004368] __run_timers+0x231/0x310
[117.004370] run_timer_softirq+0x76/0xe0
[117.004372] handle_softirqs+0xd4/0x4d0
[117.004375] __irq_exit_rcu+0x13f/0x160
[117.004377] irq_exit_rcu+0xe/0x20
[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004385] cpuidle_enter_state+0x12b/0x8a0
[117.004388] cpuidle_enter+0x2e/0x50
[117.004393] call_cpuidle+0x22/0x60
[117.004395] do_idle+0x1fd/0x260
[117.004398] cpu_startup_entry+0x29/0x30
[117.004401] start_secondary+0x12d/0x160
[117.004404] common_startup_64+0x13e/0x141
[117.004407] irq event stamp: 2282669
[117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.004426]
other info that might help us debug this:
[117.004429] Possible unsafe locking scenario:
[117.004432] CPU0
[117.004433] ----
[117.004434] lock((&fence->timer));
[117.004436] <Interrupt>
[117.004438] lock((&fence->timer));
[117.004440]
*** DEADLOCK ***
[117.004443] 1 lock held by swapper/0/0:
[117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0
[117.004450]
stack backtrace:
[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004456] Call Trace:
[117.004456] <IRQ>
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004460] dump_stack+0x10/0x20
[117.004461] print_usage_bug.part.0+0x260/0x360
[117.004463] mark_lock+0x76e/0x9c0
[117.004465] ? register_lock_class+0x48/0x4a0
[117.004467] __lock_acquire+0xbc3/0x2860
[117.004469] lock_acquire+0xc4/0x2e0
[117.004470] ? __timer_delete_sync+0x4b/0x190
[117.004472] ? __timer_delete_sync+0x4b/0x190
[117.004473] __timer_delete_sync+0x68/0x190
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004480] ? dma_fence_release+0xa1/0x3b0
[117.004481] dma_fence_chain_release+0xe7/0x130
[117.004483] dma_fence_release+0xc1/0x3b0
[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004485] dma_fence_chain_irq_work+0x59/0x80
[117.004487] irq_work_single+0x75/0xa0
[117.004490] irq_work_run_list+0x33/0x60
[117.004491] irq_work_run+0x18/0x40
[117.004493] __sysvec_irq_work+0x35/0x170
[117.004494] sysvec_irq_work+0x47/0xc0
[117.004496] asm_sysvec_irq_work+0x1b/0x20
[117.004497] RIP: 0010:_raw_spin_unlock_irqrestore+0x57/0x80
[117.004499] Code: 00 75 1c 65 ff 0d d9 34 68 01 74 20 5b 41 5c 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc e8 7f 9d d3 fe fb 0f 1f 44 00 00 <eb> d7 0f 1f 44 00 00 5b 41 5c 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3
[117.004499] RSP: 0018:ffffc90000003cf0 EFLAGS: 00000246
[117.004500] RAX: 0000000000000000 RBX: ffff888155e94c40 RCX: 0000000000000000
[117.004501] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004502] RBP: ffffc90000003d00 R08: 0000000000000000 R09: 0000000000000000
[117.004502] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000246
[117.004502] R13: 0000000000000001 R14: 0000000000000246 R15: ffff888155e94c80
[117.004506] dma_fence_signal+0x49/0xb0
[117.004507] ? __pfx_vgem_fence_timeout+0x10/0x10 [vgem]
[117.004508] vgem_fence_timeout+0x12/0x20 [vgem]
[117.004509] call_timer_fn+0xa1/0x2a0
[117.004512] ? __pfx_vgem_fence_timeout+0x10/0x10 [vgem]
[117.004513] __run_timers+0x231/0x310
[117.004514] ? tmigr_handle_remote+0x2ac/0x560
[117.004517] timer_expire_remote+0x46/0x70
[117.004518] tmigr_handle_remote+0x433/0x560
[117.004520] ? __run_timers+0x239/0x310
[117.004521] ? run_timer_softirq+0x21/0xe0
[117.004522] ? lock_release+0xce/0x2a0
[117.004524] run_timer_softirq+0xcf/0xe0
[117.004525] handle_softirqs+0xd4/0x4d0
[117.004526] __irq_exit_rcu+0x13f/0x160
[117.004527] irq_exit_rcu+0xe/0x20
[117.004528] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004529] </IRQ>
[117.004529] <TASK>
[117.004529] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004530] RIP: 0010:cpuidle_enter_state+0x12b/0x8a0
[117.004532] Code: 48 0f a3 05 97 ce 0e 01 0f 82 2e 03 00 00 31 ff e8 8a 41 bd fe 80 7d d0 00 0f 85 11 03 00 00 e8 8b 06 d5 fe fb 0f 1f 44 00 00 <45> 85 f6 0f 88 67 02 00 00 4d 63 ee 49 83 fd 0a 0f 83 34 06 00 00
[117.004532] RSP: 0018:ffffffff83403d88 EFLAGS: 00000246
[117.004533] RAX: 0000000000000000 RBX: ffff88888f046440 RCX: 0000000000000000
[117.004533] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004534] RBP: ffffffff83403dd8 R08: 0000000000000000 R09: 0000000000000000
[117.004534] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff837cbe80
[117.004534] R13: 0000000000000004 R14: 0000000000000004 R15: 0000001ad1df466b
[117.004537] ? cpuidle_enter_state+0x125/0x8a0
[117.004538] ? sched_clock_noinstr+0x9/0x10
[117.004540] cpuidle_enter+0x2e/0x50
[117.004542] call_cpuidle+0x22/0x60
[117.004542] do_idle+0x1fd/0x260
[117.004544] cpu_startup_entry+0x29/0x30
[117.004546] rest_init+0x104/0x200
[117.004548] start_kernel+0x93d/0xbd0
[117.004550] ? load_ucode_intel_bsp+0x2a/0x90
[117.004551] ? sme_unmap_bootdata+0x14/0x80
[117.004554] x86_64_start_reservations+0x18/0x30
[117.004555] x86_64_start_kernel+0xfd/0x150
[117.004556] ? soft_restart_cpu+0x14/0x14
[117.004558] common_startup_64+0x13e/0x141
[117.004560] </TASK>
[117.004565] ------------[ cut here ]------------
[117.004692] WARNING: CPU: 0 PID: 0 at kernel/time/timer.c:1610 __timer_delete_sync+0x126/0x190
[117.004697] Modules linked in: vgem snd_hda_codec_intelhdmi snd_hda_codec_hdmi i915 prime_numbers ttm drm_buddy drm_display_helper cec rc_core i2c_algo_bit hid_sensor_custom hid_sensor_hub hid_generic intel_ishtp_hid hid intel_uncore_frequency intel_uncore_frequency_common x86_pkg_temp_thermal intel_powerclamp cmdlinepart ee1004 r8153_ecm spi_nor coretemp cdc_ether mei_pxp mei_hdcp usbnet mtd intel_rapl_msr wmi_bmof kvm_intel snd_hda_intel snd_intel_dspcfg processor_thermal_device_pci kvm snd_hda_codec processor_thermal_device irqbypass processor_thermal_wt_hint polyval_clmulni platform_temperature_control snd_hda_core ghash_clmulni_intel processor_thermal_rfim spi_pxa2xx_platform snd_hwdep aesni_intel processor_thermal_rapl dw_dmac snd_pcm dw_dmac_core intel_rapl_common r8152 rapl mii intel_cstate spi_pxa2xx_core i2c_i801 processor_thermal_wt_req snd_timer i2c_mux mei_me intel_ish_ipc processor_thermal_power_floor e1000e snd i2c_smbus spi_intel_pci processor_thermal_mbox mei soundcore intel_ishtp thunderbolt idma64
[117.004733] spi_intel int340x_thermal_zone igen6_edac binfmt_misc intel_skl_int3472_tps68470 intel_pmc_core tps68470_regulator video clk_tps68470 pmt_telemetry pmt_discovery nls_iso8859_1 pmt_class intel_pmc_ssram_telemetry intel_skl_int3472_discrete int3400_thermal intel_hid intel_skl_int3472_common acpi_thermal_rel intel_vsec wmi pinctrl_tigerlake acpi_tad sparse_keymap acpi_pad dm_multipath msr nvme_fabrics fuse efi_pstore nfnetlink autofs4
[117.004782] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004787] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004789] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004793] RIP: 0010:__timer_delete_sync+0x126/0x190
[117.004795] Code: 31 c0 45 31 c9 c3 cc cc cc cc 48 8b 75 d0 45 84 f6 74 63 49 c7 45 18 00 00 00 00 48 89 c7 e8 51 46 39 01 f3 90 e9 66 ff ff ff <0f> 0b e9 5f ff ff ff e8 ee e4 0c 00 49 8d 5d 28 45 31 c9 31 c9 4c
[117.004801] RSP: 0018:ffffc90000003a40 EFLAGS: 00010046
[117.004804] RAX: ffffffff815093fb RBX: ffff888138f86aa8 RCX: 0000000000000000
[117.004807] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004809] RBP: ffffc90000003a70 R08: 0000000000000000 R09: 0000000000000000
[117.004812] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff815093fb
[117.004814] R13: ffff888138f86a80 R14: 0000000000000000 R15: 0000000000000000
[117.004817] FS: 0000000000000000(0000) GS:ffff88890b0f7000(0000) knlGS:0000000000000000
[117.004820] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[117.004823] CR2: 00005db8131eb7f0 CR3: 0000000003448000 CR4: 0000000000f52ef0
[117.004826] PKRU: 55555554
[117.004827] Call Trace:
[117.004829] <IRQ>
[117.004831] timer_delete_sync+0x10/0x20
[117.004833] vgem_fence_release+0x19/0x30 [vgem]
[117.004836] dma_fence_release+0xc1/0x3b0
[117.004838] ? dma_fence_release+0xa1/0x3b0
[117.004841] dma_fence_chain_release+0xe7/0x130
[117.004844] dma_fence_release+0xc1/0x3b0
[117.004847] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004850] dma_fence_chain_irq_work+0x59/0x80
[117.004853] irq_work_single+0x75/0xa0
[117.004857] irq_work_run_list+0x33/0x60
[117.004860] irq_work_run+0x18/0x40
[117.004863] __sysvec_irq_work+0x35/0x170
[117.004865] sysvec_irq_work+0x47/0xc0
[117.004868] asm_sysvec_irq_work+0x1b/0x20
[117.004871] RIP: 0010:_raw_spin_unlock_irqrestore+0x57/0x80
[117.004874] Code: 00 75 1c 65 ff 0d d9 34 68 01 74 20 5b 41 5c 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc e8 7f 9d d3 fe fb 0f 1f 44 00 00 <eb> d7 0f 1f 44 00 00 5b 41 5c 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3
[117.004879] RSP: 0018:ffffc90000003cf0 EFLAGS: 00000246
[117.004882] RAX: 0000000000000000 RBX: ffff888155e94c40 RCX: 0000000000000000
[117.004884] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004887] RBP: ffffc90000003d00 R08: 0000000000000000 R09: 0000000000000000
[117.004890] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000246
[117.004892] R13: 0000000000000001 R14: 0000000000000246 R15: ffff888155e94c80
[117.004897] dma_fence_signal+0x49/0xb0
[117.004899] ? __pfx_vgem_fence_timeout+0x10/0x10 [vgem]
[117.004902] vgem_fence_timeout+0x12/0x20 [vgem]
[117.004904] call_timer_fn+0xa1/0x2a0
[117.004908] ? __pfx_vgem_fence_timeout+0x10/0x10 [vgem]
[117.004910] __run_timers+0x231/0x310
[117.004913] ? tmigr_handle_remote+0x2ac/0x560
[117.004917] timer_expire_remote+0x46/0x70
[117.004919] tmigr_handle_remote+0x433/0x560
[117.004923] ? __run_timers+0x239/0x310
[117.004925] ? run_timer_softirq+0x21/0xe0
[117.004928] ? lock_release+0xce/0x2a0
[117.004931] run_timer_softirq+0xcf/0xe0
[117.004933] handle_softirqs+0xd4/0x4d0
[117.004936] __irq_exit_rcu+0x13f/0x160
[117.004938] irq_exit_rcu+0xe/0x20
[117.004940] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004943] </IRQ>
[117.004944] <TASK>
[117.004946] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004949] RIP: 0010:cpuidle_enter_state+0x12b/0x8a0
[117.004953] Code: 48 0f a3 05 97 ce 0e 01 0f 82 2e 03 00 00 31 ff e8 8a 41 bd fe 80 7d d0 00 0f 85 11 03 00 00 e8 8b 06 d5 fe fb 0f 1f 44 00 00 <45> 85 f6 0f 88 67 02 00 00 4d 63 ee 49 83 fd 0a 0f 83 34 06 00 00
[117.004961] RSP: 0018:ffffffff83403d88 EFLAGS: 00000246
[117.004963] RAX: 0000000000000000 RBX: ffff88888f046440 RCX: 0000000000000000
[117.004966] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004968] RBP: ffffffff83403dd8 R08: 0000000000000000 R09: 0000000000000000
[117.004971] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff837cbe80
[117.004974] R13: 0000000000000004 R14: 0000000000000004 R15: 0000001ad1df466b
[117.004978] ? cpuidle_enter_state+0x125/0x8a0
[117.004981] ? sched_clock_noinstr+0x9/0x10
[117.004985] cpuidle_enter+0x2e/0x50
[117.004989] call_cpuidle+0x22/0x60
[117.004991] do_idle+0x1fd/0x260
[117.005001] cpu_startup_entry+0x29/0x30
[117.005004] rest_init+0x104/0x200
[117.005008] start_kernel+0x93d/0xbd0
[117.005011] ? load_ucode_intel_bsp+0x2a/0x90
[117.005014] ? sme_unmap_bootdata+0x14/0x80
[117.005017] x86_64_start_reservations+0x18/0x30
[117.005020] x86_64_start_kernel+0xfd/0x150
[117.005023] ? soft_restart_cpu+0x14/0x14
[117.005026] common_startup_64+0x13e/0x141
[117.005030] </TASK>
[117.005032] irq event stamp: 2282669
[117.005034] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.005038] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.005043] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.005047] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.005051] ---[ end trace 0000000000000000 ]---
Make the timer IRQ safe.
[1] https://patchwork.freedesktop.org/series/154987/#rev2
Fixes: 4077798484459 ("drm/vgem: Attach sw fences to exported vGEM dma-buf (ioctl)")
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Link: https://lore.kernel.org/r/20250926152628.2165080-2-janusz.krzysztofik@linux.intel.com
Signed-off-by: Maarten Lankhorst <dev@lankhorst.se>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vgem/vgem_fence.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vgem/vgem_fence.c b/drivers/gpu/drm/vgem/vgem_fence.c
index e157541783959..d066345d5930b 100644
--- a/drivers/gpu/drm/vgem/vgem_fence.c
+++ b/drivers/gpu/drm/vgem/vgem_fence.c
@@ -94,7 +94,7 @@ static struct dma_fence *vgem_fence_create(struct vgem_file *vfile,
dma_fence_init(&fence->base, &vgem_fence_ops, &fence->lock,
dma_fence_context_alloc(1), 1);
- timer_setup(&fence->timer, vgem_fence_timeout, 0);
+ timer_setup(&fence->timer, vgem_fence_timeout, TIMER_IRQSAFE);
/* We force the fence to expire within 10s to prevent driver hangs */
mod_timer(&fence->timer, jiffies + VGEM_FENCE_TIMEOUT);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 051/737] USB: Fix descriptor count when handling invalid MBIM extended descriptor
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 050/737] drm/vgem-fence: Fix potential deadlock on release Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 052/737] clk: renesas: cpg-mssr: Add missing 1ms delay into reset toggle callback Greg Kroah-Hartman
` (696 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Seungjin Bae, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
[ Upstream commit 5570ad1423ee60f6e972dadb63fb2e5f90a54cbe ]
In cdc_parse_cdc_header(), the check for the USB_CDC_MBIM_EXTENDED_TYPE
descriptor was using 'break' upon detecting an invalid length.
This was incorrect because 'break' only exits the switch statement,
causing the code to fall through to cnt++, thus incorrectly
incrementing the count of parsed descriptors for a descriptor that was
actually invalid and being discarded.
This patch changes 'break' to 'goto next_desc;' to ensure that the
logic skips the counter increment and correctly proceeds to the next
descriptor in the buffer. This maintains an accurate count of only
the successfully parsed descriptors.
Fixes: e4c6fb7794982 ("usbnet: move the CDC parser into USB core")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Link: https://lore.kernel.org/r/20250928185611.764589-1-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/core/message.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 077dfe48d01c1..5a5dfbf995e3a 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -2428,7 +2428,7 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
break;
case USB_CDC_MBIM_EXTENDED_TYPE:
if (elength < sizeof(struct usb_cdc_mbim_extended_desc))
- break;
+ goto next_desc;
hdr->usb_cdc_mbim_extended_desc =
(struct usb_cdc_mbim_extended_desc *)buffer;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 052/737] clk: renesas: cpg-mssr: Add missing 1ms delay into reset toggle callback
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 051/737] USB: Fix descriptor count when handling invalid MBIM extended descriptor Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 053/737] clk: renesas: rzg2l: Simplify the logic in rzg2l_mod_clock_endisable() Greg Kroah-Hartman
` (695 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Geert Uytterhoeven,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
[ Upstream commit 62abfd7bedc2b3d86d4209a4146f9d2b5ae21fab ]
R-Car V4H Reference Manual R19UH0186EJ0130 Rev.1.30 Apr. 21, 2025 page
583 Figure 9.3.1(a) Software Reset flow (A) as well as flow (B) / (C)
indicate after reset has been asserted by writing a matching reset bit
into register SRCR, it is mandatory to wait 1ms.
This 1ms delay is documented on R-Car V4H and V4M, it is currently
unclear whether S4 is affected as well. This patch does apply the extra
delay on R-Car S4 as well.
Fix the reset driver to respect the additional delay when toggling
resets. Drivers which use separate reset_control_(de)assert() must
assure matching delay in their driver code.
Fixes: 0ab55cf18341 ("clk: renesas: cpg-mssr: Add support for R-Car V4H")
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20250918030552.331389-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/renesas-cpg-mssr.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c
index cb80d1bf6c7c6..55ac571c73884 100644
--- a/drivers/clk/renesas/renesas-cpg-mssr.c
+++ b/drivers/clk/renesas/renesas-cpg-mssr.c
@@ -612,8 +612,15 @@ static int cpg_mssr_reset(struct reset_controller_dev *rcdev,
/* Reset module */
writel(bitmask, priv->base + priv->reset_regs[reg]);
- /* Wait for at least one cycle of the RCLK clock (@ ca. 32 kHz) */
- udelay(35);
+ /*
+ * On R-Car Gen4, delay after SRCR has been written is 1ms.
+ * On older SoCs, delay after SRCR has been written is 35us
+ * (one cycle of the RCLK clock @ ca. 32 kHz).
+ */
+ if (priv->reg_layout == CLK_REG_LAYOUT_RCAR_GEN4)
+ usleep_range(1000, 2000);
+ else
+ usleep_range(35, 1000);
/* Release module from reset state */
writel(bitmask, priv->base + priv->reset_clear_regs[reg]);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 053/737] clk: renesas: rzg2l: Simplify the logic in rzg2l_mod_clock_endisable()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 052/737] clk: renesas: cpg-mssr: Add missing 1ms delay into reset toggle callback Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 054/737] clk: renesas: rzg2l: Remove critical area Greg Kroah-Hartman
` (694 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Claudiu Beznea, Geert Uytterhoeven,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
[ Upstream commit becf4a771a12b52dc5b3d2b089598d5603f3bbec ]
The bitmask << 16 is anyway set on both branches of if thus move it
before the if and set the lower bits of registers only in case clock is
enabled.
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20230912045157.177966-12-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Stable-dep-of: b91401af6c00 ("clk: renesas: cpg-mssr: Read back reset registers to assure values latched")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/rzg2l-cpg.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c
index 77eefb6ee4538..0b3b6097b33a0 100644
--- a/drivers/clk/renesas/rzg2l-cpg.c
+++ b/drivers/clk/renesas/rzg2l-cpg.c
@@ -992,10 +992,9 @@ static int rzg2l_mod_clock_endisable(struct clk_hw *hw, bool enable)
enable ? "ON" : "OFF");
spin_lock_irqsave(&priv->rmw_lock, flags);
+ value = bitmask << 16;
if (enable)
- value = (bitmask << 16) | bitmask;
- else
- value = bitmask << 16;
+ value |= bitmask;
writel(value, priv->base + CLK_ON_R(reg));
spin_unlock_irqrestore(&priv->rmw_lock, flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 054/737] clk: renesas: rzg2l: Remove critical area
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 053/737] clk: renesas: rzg2l: Simplify the logic in rzg2l_mod_clock_endisable() Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 055/737] clk: renesas: rzg2l: Use %x format specifier to print CLK_ON_R() Greg Kroah-Hartman
` (693 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Claudiu Beznea, Geert Uytterhoeven,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
[ Upstream commit 5f710e3bc5987373737470f98798bbd49134a2e0 ]
The spinlock in rzg2l_mod_clock_endisable() is intended to protect
RMW-accesses to the hardware register. There is no need to protect
instructions that set temporary variables which will be written
afterwards to a hardware register. With this only one write to one
clock register is executed thus locking/unlocking rmw_lock is removed.
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20230929053915.1530607-7-claudiu.beznea@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Stable-dep-of: b91401af6c00 ("clk: renesas: cpg-mssr: Read back reset registers to assure values latched")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/rzg2l-cpg.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c
index 0b3b6097b33a0..b7fa4c7eb8016 100644
--- a/drivers/clk/renesas/rzg2l-cpg.c
+++ b/drivers/clk/renesas/rzg2l-cpg.c
@@ -978,7 +978,6 @@ static int rzg2l_mod_clock_endisable(struct clk_hw *hw, bool enable)
struct rzg2l_cpg_priv *priv = clock->priv;
unsigned int reg = clock->off;
struct device *dev = priv->dev;
- unsigned long flags;
u32 bitmask = BIT(clock->bit);
u32 value;
int error;
@@ -990,14 +989,12 @@ static int rzg2l_mod_clock_endisable(struct clk_hw *hw, bool enable)
dev_dbg(dev, "CLK_ON %u/%pC %s\n", CLK_ON_R(reg), hw->clk,
enable ? "ON" : "OFF");
- spin_lock_irqsave(&priv->rmw_lock, flags);
value = bitmask << 16;
if (enable)
value |= bitmask;
- writel(value, priv->base + CLK_ON_R(reg));
- spin_unlock_irqrestore(&priv->rmw_lock, flags);
+ writel(value, priv->base + CLK_ON_R(reg));
if (!enable)
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 055/737] clk: renesas: rzg2l: Use %x format specifier to print CLK_ON_R()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 054/737] clk: renesas: rzg2l: Remove critical area Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 056/737] clk: renesas: Use str_on_off() helper Greg Kroah-Hartman
` (692 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Claudiu Beznea, Geert Uytterhoeven,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
[ Upstream commit fd627207aaa782c1fd4224076b56a03a1059f516 ]
Use the %x format specifier to print CLK_ON_R(). This makes debugging
easier as the value printed will be hexadecimal like in the hardware
manual. Along with it add "0x" in front of the printed value.
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20231010132701.1658737-2-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Stable-dep-of: b91401af6c00 ("clk: renesas: cpg-mssr: Read back reset registers to assure values latched")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/rzg2l-cpg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c
index b7fa4c7eb8016..ab71f9cd250b0 100644
--- a/drivers/clk/renesas/rzg2l-cpg.c
+++ b/drivers/clk/renesas/rzg2l-cpg.c
@@ -987,7 +987,7 @@ static int rzg2l_mod_clock_endisable(struct clk_hw *hw, bool enable)
return 0;
}
- dev_dbg(dev, "CLK_ON %u/%pC %s\n", CLK_ON_R(reg), hw->clk,
+ dev_dbg(dev, "CLK_ON 0x%x/%pC %s\n", CLK_ON_R(reg), hw->clk,
enable ? "ON" : "OFF");
value = bitmask << 16;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 056/737] clk: renesas: Use str_on_off() helper
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 055/737] clk: renesas: rzg2l: Use %x format specifier to print CLK_ON_R() Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 057/737] clk: renesas: Pass sub struct of cpg_mssr_priv to cpg_clk_register Greg Kroah-Hartman
` (691 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit aff664cc8cbc5c28e5aa57dc4201c34497f3c871 ]
Use the str_on_off() helper instead of open-coding the same operation.
Note that this does change the case of the flags, which doesn't matter
much for debug messages.
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/622f8554dcb815c8fc73511a1a118c1724570fa9.1745840497.git.geert+renesas@glider.be
Stable-dep-of: b91401af6c00 ("clk: renesas: cpg-mssr: Read back reset registers to assure values latched")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/renesas-cpg-mssr.c | 3 ++-
drivers/clk/renesas/rzg2l-cpg.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c
index 55ac571c73884..908bb9517cc1b 100644
--- a/drivers/clk/renesas/renesas-cpg-mssr.c
+++ b/drivers/clk/renesas/renesas-cpg-mssr.c
@@ -27,6 +27,7 @@
#include <linux/psci.h>
#include <linux/reset-controller.h>
#include <linux/slab.h>
+#include <linux/string_choices.h>
#include <dt-bindings/clock/renesas-cpg-mssr.h>
@@ -200,7 +201,7 @@ static int cpg_mstp_clock_endisable(struct clk_hw *hw, bool enable)
int error;
dev_dbg(dev, "MSTP %u%02u/%pC %s\n", reg, bit, hw->clk,
- enable ? "ON" : "OFF");
+ str_on_off(enable));
spin_lock_irqsave(&priv->rmw_lock, flags);
if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A) {
diff --git a/drivers/clk/renesas/rzg2l-cpg.c b/drivers/clk/renesas/rzg2l-cpg.c
index ab71f9cd250b0..4bba49215c710 100644
--- a/drivers/clk/renesas/rzg2l-cpg.c
+++ b/drivers/clk/renesas/rzg2l-cpg.c
@@ -27,6 +27,7 @@
#include <linux/pm_domain.h>
#include <linux/reset-controller.h>
#include <linux/slab.h>
+#include <linux/string_choices.h>
#include <linux/units.h>
#include <dt-bindings/clock/renesas-cpg-mssr.h>
@@ -988,7 +989,7 @@ static int rzg2l_mod_clock_endisable(struct clk_hw *hw, bool enable)
}
dev_dbg(dev, "CLK_ON 0x%x/%pC %s\n", CLK_ON_R(reg), hw->clk,
- enable ? "ON" : "OFF");
+ str_on_off(enable));
value = bitmask << 16;
if (enable)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 057/737] clk: renesas: Pass sub struct of cpg_mssr_priv to cpg_clk_register
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 056/737] clk: renesas: Use str_on_off() helper Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 058/737] clk: renesas: cpg-mssr: Read back reset registers to assure values latched Greg Kroah-Hartman
` (690 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Thierry Bultel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thierry Bultel <thierry.bultel.yh@bp.renesas.com>
[ Upstream commit 3d37ca1482c36975255f29911a529f84f1bc34a9 ]
In a subsequent patch, the registration callback will need more parameters
from cpg_mssr_priv (like another base address with clock controllers
with double register block, and also, notifiers and rmw_lock).
Instead of adding more parameters, move the needed parameters to a public
sub-struct.
Instead moving clks to this structure, which would have implied to add
an allocation (and cleanup) for it, keep the way the allocation is done
and just have a copy of the pointer in the public structure.
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Thierry Bultel <thierry.bultel.yh@bp.renesas.com>
Link: https://lore.kernel.org/20250515141828.43444-5-thierry.bultel.yh@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Stable-dep-of: b91401af6c00 ("clk: renesas: cpg-mssr: Read back reset registers to assure values latched")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r7s9210-cpg-mssr.c | 7 +-
drivers/clk/renesas/r8a77970-cpg-mssr.c | 8 +-
drivers/clk/renesas/rcar-gen2-cpg.c | 5 +-
drivers/clk/renesas/rcar-gen2-cpg.h | 3 +-
drivers/clk/renesas/rcar-gen3-cpg.c | 6 +-
drivers/clk/renesas/rcar-gen3-cpg.h | 3 +-
drivers/clk/renesas/rcar-gen4-cpg.c | 6 +-
drivers/clk/renesas/rcar-gen4-cpg.h | 3 +-
drivers/clk/renesas/renesas-cpg-mssr.c | 98 ++++++++++++-------------
drivers/clk/renesas/renesas-cpg-mssr.h | 20 ++++-
10 files changed, 88 insertions(+), 71 deletions(-)
diff --git a/drivers/clk/renesas/r7s9210-cpg-mssr.c b/drivers/clk/renesas/r7s9210-cpg-mssr.c
index a85227c248f31..733244687daa8 100644
--- a/drivers/clk/renesas/r7s9210-cpg-mssr.c
+++ b/drivers/clk/renesas/r7s9210-cpg-mssr.c
@@ -159,12 +159,13 @@ static void __init r7s9210_update_clk_table(struct clk *extal_clk,
static struct clk * __init rza2_cpg_clk_register(struct device *dev,
const struct cpg_core_clk *core, const struct cpg_mssr_info *info,
- struct clk **clks, void __iomem *base,
- struct raw_notifier_head *notifiers)
+ struct cpg_mssr_pub *pub)
{
- struct clk *parent;
+ void __iomem *base = pub->base0;
+ struct clk **clks = pub->clks;
unsigned int mult = 1;
unsigned int div = 1;
+ struct clk *parent;
parent = clks[core->parent];
if (IS_ERR(parent))
diff --git a/drivers/clk/renesas/r8a77970-cpg-mssr.c b/drivers/clk/renesas/r8a77970-cpg-mssr.c
index 7e90e94c4b688..0c568a113c3fd 100644
--- a/drivers/clk/renesas/r8a77970-cpg-mssr.c
+++ b/drivers/clk/renesas/r8a77970-cpg-mssr.c
@@ -222,10 +222,11 @@ static int __init r8a77970_cpg_mssr_init(struct device *dev)
static struct clk * __init r8a77970_cpg_clk_register(struct device *dev,
const struct cpg_core_clk *core, const struct cpg_mssr_info *info,
- struct clk **clks, void __iomem *base,
- struct raw_notifier_head *notifiers)
+ struct cpg_mssr_pub *pub)
{
const struct clk_div_table *table;
+ void __iomem *base = pub->base0;
+ struct clk **clks = pub->clks;
const struct clk *parent;
unsigned int shift;
@@ -239,8 +240,7 @@ static struct clk * __init r8a77970_cpg_clk_register(struct device *dev,
shift = 4;
break;
default:
- return rcar_gen3_cpg_clk_register(dev, core, info, clks, base,
- notifiers);
+ return rcar_gen3_cpg_clk_register(dev, core, info, pub);
}
parent = clks[core->parent];
diff --git a/drivers/clk/renesas/rcar-gen2-cpg.c b/drivers/clk/renesas/rcar-gen2-cpg.c
index edae874fa2b63..1a59a71eede21 100644
--- a/drivers/clk/renesas/rcar-gen2-cpg.c
+++ b/drivers/clk/renesas/rcar-gen2-cpg.c
@@ -274,10 +274,11 @@ static const struct soc_device_attribute cpg_quirks_match[] __initconst = {
struct clk * __init rcar_gen2_cpg_clk_register(struct device *dev,
const struct cpg_core_clk *core, const struct cpg_mssr_info *info,
- struct clk **clks, void __iomem *base,
- struct raw_notifier_head *notifiers)
+ struct cpg_mssr_pub *pub)
{
const struct clk_div_table *table = NULL;
+ void __iomem *base = pub->base0;
+ struct clk **clks = pub->clks;
const struct clk *parent;
const char *parent_name;
unsigned int mult = 1;
diff --git a/drivers/clk/renesas/rcar-gen2-cpg.h b/drivers/clk/renesas/rcar-gen2-cpg.h
index bdcd4a38d48d0..3d4b127fdeaf4 100644
--- a/drivers/clk/renesas/rcar-gen2-cpg.h
+++ b/drivers/clk/renesas/rcar-gen2-cpg.h
@@ -32,8 +32,7 @@ struct rcar_gen2_cpg_pll_config {
struct clk *rcar_gen2_cpg_clk_register(struct device *dev,
const struct cpg_core_clk *core, const struct cpg_mssr_info *info,
- struct clk **clks, void __iomem *base,
- struct raw_notifier_head *notifiers);
+ struct cpg_mssr_pub *pub);
int rcar_gen2_cpg_init(const struct rcar_gen2_cpg_pll_config *config,
unsigned int pll0_div, u32 mode);
diff --git a/drivers/clk/renesas/rcar-gen3-cpg.c b/drivers/clk/renesas/rcar-gen3-cpg.c
index d0129a6509411..47d52e2c996eb 100644
--- a/drivers/clk/renesas/rcar-gen3-cpg.c
+++ b/drivers/clk/renesas/rcar-gen3-cpg.c
@@ -346,9 +346,11 @@ static const struct soc_device_attribute cpg_quirks_match[] __initconst = {
struct clk * __init rcar_gen3_cpg_clk_register(struct device *dev,
const struct cpg_core_clk *core, const struct cpg_mssr_info *info,
- struct clk **clks, void __iomem *base,
- struct raw_notifier_head *notifiers)
+ struct cpg_mssr_pub *pub)
{
+ struct raw_notifier_head *notifiers = &pub->notifiers;
+ void __iomem *base = pub->base0;
+ struct clk **clks = pub->clks;
const struct clk *parent;
unsigned int mult = 1;
unsigned int div = 1;
diff --git a/drivers/clk/renesas/rcar-gen3-cpg.h b/drivers/clk/renesas/rcar-gen3-cpg.h
index bfdc649bdf12c..d15a5d1df71c7 100644
--- a/drivers/clk/renesas/rcar-gen3-cpg.h
+++ b/drivers/clk/renesas/rcar-gen3-cpg.h
@@ -81,8 +81,7 @@ struct rcar_gen3_cpg_pll_config {
struct clk *rcar_gen3_cpg_clk_register(struct device *dev,
const struct cpg_core_clk *core, const struct cpg_mssr_info *info,
- struct clk **clks, void __iomem *base,
- struct raw_notifier_head *notifiers);
+ struct cpg_mssr_pub *pub);
int rcar_gen3_cpg_init(const struct rcar_gen3_cpg_pll_config *config,
unsigned int clk_extalr, u32 mode);
diff --git a/drivers/clk/renesas/rcar-gen4-cpg.c b/drivers/clk/renesas/rcar-gen4-cpg.c
index c68d8b9870541..b7bc3e6860c79 100644
--- a/drivers/clk/renesas/rcar-gen4-cpg.c
+++ b/drivers/clk/renesas/rcar-gen4-cpg.c
@@ -330,9 +330,11 @@ static const struct clk_div_table cpg_rpcsrc_div_table[] = {
struct clk * __init rcar_gen4_cpg_clk_register(struct device *dev,
const struct cpg_core_clk *core, const struct cpg_mssr_info *info,
- struct clk **clks, void __iomem *base,
- struct raw_notifier_head *notifiers)
+ struct cpg_mssr_pub *pub)
{
+ struct raw_notifier_head *notifiers = &pub->notifiers;
+ void __iomem *base = pub->base0;
+ struct clk **clks = pub->clks;
const struct clk *parent;
unsigned int mult = 1;
unsigned int div = 1;
diff --git a/drivers/clk/renesas/rcar-gen4-cpg.h b/drivers/clk/renesas/rcar-gen4-cpg.h
index 006537e29e4eb..f479c30a30e88 100644
--- a/drivers/clk/renesas/rcar-gen4-cpg.h
+++ b/drivers/clk/renesas/rcar-gen4-cpg.h
@@ -72,8 +72,7 @@ struct rcar_gen4_cpg_pll_config {
struct clk *rcar_gen4_cpg_clk_register(struct device *dev,
const struct cpg_core_clk *core, const struct cpg_mssr_info *info,
- struct clk **clks, void __iomem *base,
- struct raw_notifier_head *notifiers);
+ struct cpg_mssr_pub *pub);
int rcar_gen4_cpg_init(const struct rcar_gen4_cpg_pll_config *config,
unsigned int clk_extalr, u32 mode);
diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c
index 908bb9517cc1b..c66b5e7359284 100644
--- a/drivers/clk/renesas/renesas-cpg-mssr.c
+++ b/drivers/clk/renesas/renesas-cpg-mssr.c
@@ -127,16 +127,14 @@ static const u16 srstclr_for_gen4[] = {
* struct cpg_mssr_priv - Clock Pulse Generator / Module Standby
* and Software Reset Private Data
*
+ * @pub: Data passed to clock registration callback
* @rcdev: Optional reset controller entity
* @dev: CPG/MSSR device
- * @base: CPG/MSSR register block base address
* @reg_layout: CPG/MSSR register layout
- * @rmw_lock: protects RMW register accesses
* @np: Device node in DT for this CPG/MSSR module
* @num_core_clks: Number of Core Clocks in clks[]
* @num_mod_clks: Number of Module Clocks in clks[]
* @last_dt_core_clk: ID of the last Core Clock exported to DT
- * @notifiers: Notifier chain to save/restore clock state for system resume
* @status_regs: Pointer to status registers array
* @control_regs: Pointer to control registers array
* @reset_regs: Pointer to reset registers array
@@ -146,20 +144,18 @@ static const u16 srstclr_for_gen4[] = {
* @clks: Array containing all Core and Module Clocks
*/
struct cpg_mssr_priv {
+ struct cpg_mssr_pub pub;
#ifdef CONFIG_RESET_CONTROLLER
struct reset_controller_dev rcdev;
#endif
struct device *dev;
- void __iomem *base;
enum clk_reg_layout reg_layout;
- spinlock_t rmw_lock;
struct device_node *np;
unsigned int num_core_clks;
unsigned int num_mod_clks;
unsigned int last_dt_core_clk;
- struct raw_notifier_head notifiers;
const u16 *status_regs;
const u16 *control_regs;
const u16 *reset_regs;
@@ -202,38 +198,39 @@ static int cpg_mstp_clock_endisable(struct clk_hw *hw, bool enable)
dev_dbg(dev, "MSTP %u%02u/%pC %s\n", reg, bit, hw->clk,
str_on_off(enable));
- spin_lock_irqsave(&priv->rmw_lock, flags);
+ spin_lock_irqsave(&priv->pub.rmw_lock, flags);
if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A) {
- value = readb(priv->base + priv->control_regs[reg]);
+ value = readb(priv->pub.base0 + priv->control_regs[reg]);
if (enable)
value &= ~bitmask;
else
value |= bitmask;
- writeb(value, priv->base + priv->control_regs[reg]);
+ writeb(value, priv->pub.base0 + priv->control_regs[reg]);
/* dummy read to ensure write has completed */
- readb(priv->base + priv->control_regs[reg]);
- barrier_data(priv->base + priv->control_regs[reg]);
+ readb(priv->pub.base0 + priv->control_regs[reg]);
+ barrier_data(priv->pub.base0 + priv->control_regs[reg]);
+
} else {
- value = readl(priv->base + priv->control_regs[reg]);
+ value = readl(priv->pub.base0 + priv->control_regs[reg]);
if (enable)
value &= ~bitmask;
else
value |= bitmask;
- writel(value, priv->base + priv->control_regs[reg]);
+ writel(value, priv->pub.base0 + priv->control_regs[reg]);
}
- spin_unlock_irqrestore(&priv->rmw_lock, flags);
+ spin_unlock_irqrestore(&priv->pub.rmw_lock, flags);
if (!enable || priv->reg_layout == CLK_REG_LAYOUT_RZ_A)
return 0;
- error = readl_poll_timeout_atomic(priv->base + priv->status_regs[reg],
+ error = readl_poll_timeout_atomic(priv->pub.base0 + priv->status_regs[reg],
value, !(value & bitmask), 0, 10);
if (error)
dev_err(dev, "Failed to enable SMSTP %p[%d]\n",
- priv->base + priv->control_regs[reg], bit);
+ priv->pub.base0 + priv->control_regs[reg], bit);
return error;
}
@@ -252,12 +249,13 @@ static int cpg_mstp_clock_is_enabled(struct clk_hw *hw)
{
struct mstp_clock *clock = to_mstp_clock(hw);
struct cpg_mssr_priv *priv = clock->priv;
+ unsigned int reg = clock->index / 32;
u32 value;
if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A)
- value = readb(priv->base + priv->control_regs[clock->index / 32]);
+ value = readb(priv->pub.base0 + priv->control_regs[reg]);
else
- value = readl(priv->base + priv->status_regs[clock->index / 32]);
+ value = readl(priv->pub.base0 + priv->status_regs[reg]);
return !(value & BIT(clock->index % 32));
}
@@ -349,7 +347,7 @@ static void __init cpg_mssr_register_core_clk(const struct cpg_core_clk *core,
case CLK_TYPE_DIV6P1:
case CLK_TYPE_DIV6_RO:
WARN_DEBUG(core->parent >= priv->num_core_clks);
- parent = priv->clks[core->parent];
+ parent = priv->pub.clks[core->parent];
if (IS_ERR(parent)) {
clk = parent;
goto fail;
@@ -359,12 +357,12 @@ static void __init cpg_mssr_register_core_clk(const struct cpg_core_clk *core,
if (core->type == CLK_TYPE_DIV6_RO)
/* Multiply with the DIV6 register value */
- div *= (readl(priv->base + core->offset) & 0x3f) + 1;
+ div *= (readl(priv->pub.base0 + core->offset) & 0x3f) + 1;
if (core->type == CLK_TYPE_DIV6P1) {
clk = cpg_div6_register(core->name, 1, &parent_name,
- priv->base + core->offset,
- &priv->notifiers);
+ priv->pub.base0 + core->offset,
+ &priv->pub.notifiers);
} else {
clk = clk_register_fixed_factor(NULL, core->name,
parent_name, 0,
@@ -380,8 +378,7 @@ static void __init cpg_mssr_register_core_clk(const struct cpg_core_clk *core,
default:
if (info->cpg_clk_register)
clk = info->cpg_clk_register(dev, core, info,
- priv->clks, priv->base,
- &priv->notifiers);
+ &priv->pub);
else
dev_err(dev, "%s has unsupported core clock type %u\n",
core->name, core->type);
@@ -392,7 +389,7 @@ static void __init cpg_mssr_register_core_clk(const struct cpg_core_clk *core,
goto fail;
dev_dbg(dev, "Core clock %pC at %lu Hz\n", clk, clk_get_rate(clk));
- priv->clks[id] = clk;
+ priv->pub.clks[id] = clk;
return;
fail:
@@ -415,14 +412,14 @@ static void __init cpg_mssr_register_mod_clk(const struct mssr_mod_clk *mod,
WARN_DEBUG(id < priv->num_core_clks);
WARN_DEBUG(id >= priv->num_core_clks + priv->num_mod_clks);
WARN_DEBUG(mod->parent >= priv->num_core_clks + priv->num_mod_clks);
- WARN_DEBUG(PTR_ERR(priv->clks[id]) != -ENOENT);
+ WARN_DEBUG(PTR_ERR(priv->pub.clks[id]) != -ENOENT);
if (!mod->name) {
/* Skip NULLified clock */
return;
}
- parent = priv->clks[mod->parent];
+ parent = priv->pub.clks[mod->parent];
if (IS_ERR(parent)) {
clk = parent;
goto fail;
@@ -611,7 +608,7 @@ static int cpg_mssr_reset(struct reset_controller_dev *rcdev,
dev_dbg(priv->dev, "reset %u%02u\n", reg, bit);
/* Reset module */
- writel(bitmask, priv->base + priv->reset_regs[reg]);
+ writel(bitmask, priv->pub.base0 + priv->reset_regs[reg]);
/*
* On R-Car Gen4, delay after SRCR has been written is 1ms.
@@ -624,7 +621,7 @@ static int cpg_mssr_reset(struct reset_controller_dev *rcdev,
usleep_range(35, 1000);
/* Release module from reset state */
- writel(bitmask, priv->base + priv->reset_clear_regs[reg]);
+ writel(bitmask, priv->pub.base0 + priv->reset_clear_regs[reg]);
return 0;
}
@@ -638,7 +635,7 @@ static int cpg_mssr_assert(struct reset_controller_dev *rcdev, unsigned long id)
dev_dbg(priv->dev, "assert %u%02u\n", reg, bit);
- writel(bitmask, priv->base + priv->reset_regs[reg]);
+ writel(bitmask, priv->pub.base0 + priv->reset_regs[reg]);
return 0;
}
@@ -652,7 +649,7 @@ static int cpg_mssr_deassert(struct reset_controller_dev *rcdev,
dev_dbg(priv->dev, "deassert %u%02u\n", reg, bit);
- writel(bitmask, priv->base + priv->reset_clear_regs[reg]);
+ writel(bitmask, priv->pub.base0 + priv->reset_clear_regs[reg]);
return 0;
}
@@ -664,7 +661,7 @@ static int cpg_mssr_status(struct reset_controller_dev *rcdev,
unsigned int bit = id % 32;
u32 bitmask = BIT(bit);
- return !!(readl(priv->base + priv->reset_regs[reg]) & bitmask);
+ return !!(readl(priv->pub.base0 + priv->reset_regs[reg]) & bitmask);
}
static const struct reset_control_ops cpg_mssr_reset_ops = {
@@ -885,12 +882,12 @@ static int cpg_mssr_suspend_noirq(struct device *dev)
if (priv->smstpcr_saved[reg].mask)
priv->smstpcr_saved[reg].val =
priv->reg_layout == CLK_REG_LAYOUT_RZ_A ?
- readb(priv->base + priv->control_regs[reg]) :
- readl(priv->base + priv->control_regs[reg]);
+ readb(priv->pub.base0 + priv->control_regs[reg]) :
+ readl(priv->pub.base0 + priv->control_regs[reg]);
}
/* Save core clocks */
- raw_notifier_call_chain(&priv->notifiers, PM_EVENT_SUSPEND, NULL);
+ raw_notifier_call_chain(&priv->pub.notifiers, PM_EVENT_SUSPEND, NULL);
return 0;
}
@@ -907,7 +904,7 @@ static int cpg_mssr_resume_noirq(struct device *dev)
return 0;
/* Restore core clocks */
- raw_notifier_call_chain(&priv->notifiers, PM_EVENT_RESUME, NULL);
+ raw_notifier_call_chain(&priv->pub.notifiers, PM_EVENT_RESUME, NULL);
/* Restore module clocks */
for (reg = 0; reg < ARRAY_SIZE(priv->smstpcr_saved); reg++) {
@@ -916,29 +913,29 @@ static int cpg_mssr_resume_noirq(struct device *dev)
continue;
if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A)
- oldval = readb(priv->base + priv->control_regs[reg]);
+ oldval = readb(priv->pub.base0 + priv->control_regs[reg]);
else
- oldval = readl(priv->base + priv->control_regs[reg]);
+ oldval = readl(priv->pub.base0 + priv->control_regs[reg]);
newval = oldval & ~mask;
newval |= priv->smstpcr_saved[reg].val & mask;
if (newval == oldval)
continue;
if (priv->reg_layout == CLK_REG_LAYOUT_RZ_A) {
- writeb(newval, priv->base + priv->control_regs[reg]);
+ writeb(newval, priv->pub.base0 + priv->control_regs[reg]);
/* dummy read to ensure write has completed */
- readb(priv->base + priv->control_regs[reg]);
- barrier_data(priv->base + priv->control_regs[reg]);
+ readb(priv->pub.base0 + priv->control_regs[reg]);
+ barrier_data(priv->pub.base0 + priv->control_regs[reg]);
continue;
} else
- writel(newval, priv->base + priv->control_regs[reg]);
+ writel(newval, priv->pub.base0 + priv->control_regs[reg]);
/* Wait until enabled clocks are really enabled */
mask &= ~priv->smstpcr_saved[reg].val;
if (!mask)
continue;
- error = readl_poll_timeout_atomic(priv->base + priv->status_regs[reg],
+ error = readl_poll_timeout_atomic(priv->pub.base0 + priv->status_regs[reg],
oldval, !(oldval & mask), 0, 10);
if (error)
dev_warn(dev, "Failed to enable SMSTP%u[0x%x]\n", reg,
@@ -976,12 +973,13 @@ static int __init cpg_mssr_common_init(struct device *dev,
if (!priv)
return -ENOMEM;
+ priv->pub.clks = priv->clks;
priv->np = np;
priv->dev = dev;
- spin_lock_init(&priv->rmw_lock);
+ spin_lock_init(&priv->pub.rmw_lock);
- priv->base = of_iomap(np, 0);
- if (!priv->base) {
+ priv->pub.base0 = of_iomap(np, 0);
+ if (!priv->pub.base0) {
error = -ENOMEM;
goto out_err;
}
@@ -989,7 +987,7 @@ static int __init cpg_mssr_common_init(struct device *dev,
priv->num_core_clks = info->num_total_core_clks;
priv->num_mod_clks = info->num_hw_mod_clks;
priv->last_dt_core_clk = info->last_dt_core_clk;
- RAW_INIT_NOTIFIER_HEAD(&priv->notifiers);
+ RAW_INIT_NOTIFIER_HEAD(&priv->pub.notifiers);
priv->reg_layout = info->reg_layout;
if (priv->reg_layout == CLK_REG_LAYOUT_RCAR_GEN2_AND_GEN3) {
priv->status_regs = mstpsr;
@@ -1009,7 +1007,7 @@ static int __init cpg_mssr_common_init(struct device *dev,
}
for (i = 0; i < nclks; i++)
- priv->clks[i] = ERR_PTR(-ENOENT);
+ priv->pub.clks[i] = ERR_PTR(-ENOENT);
error = of_clk_add_provider(np, cpg_mssr_clk_src_twocell_get, priv);
if (error)
@@ -1020,8 +1018,8 @@ static int __init cpg_mssr_common_init(struct device *dev,
return 0;
out_err:
- if (priv->base)
- iounmap(priv->base);
+ if (priv->pub.base0)
+ iounmap(priv->pub.base0);
kfree(priv);
return error;
diff --git a/drivers/clk/renesas/renesas-cpg-mssr.h b/drivers/clk/renesas/renesas-cpg-mssr.h
index 80c5b462924ac..0a7b0b328d822 100644
--- a/drivers/clk/renesas/renesas-cpg-mssr.h
+++ b/drivers/clk/renesas/renesas-cpg-mssr.h
@@ -8,6 +8,8 @@
#ifndef __CLK_RENESAS_CPG_MSSR_H__
#define __CLK_RENESAS_CPG_MSSR_H__
+#include <linux/notifier.h>
+
/*
* Definitions of CPG Core Clocks
*
@@ -29,6 +31,21 @@ struct cpg_core_clk {
unsigned int offset;
};
+/**
+ * struct cpg_mssr_pub - data shared with device-specific clk registration code
+ *
+ * @base0: CPG/MSSR register block base0 address
+ * @notifiers: Notifier chain to save/restore clock state for system resume
+ * @rmw_lock: protects RMW register accesses
+ * @clks: pointer to clocks
+ */
+struct cpg_mssr_pub {
+ void __iomem *base0;
+ struct raw_notifier_head notifiers;
+ spinlock_t rmw_lock;
+ struct clk **clks;
+};
+
enum clk_types {
/* Generic */
CLK_TYPE_IN, /* External Clock Input */
@@ -153,8 +170,7 @@ struct cpg_mssr_info {
struct clk *(*cpg_clk_register)(struct device *dev,
const struct cpg_core_clk *core,
const struct cpg_mssr_info *info,
- struct clk **clks, void __iomem *base,
- struct raw_notifier_head *notifiers);
+ struct cpg_mssr_pub *pub);
};
extern const struct cpg_mssr_info r7s9210_cpg_mssr_info;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 058/737] clk: renesas: cpg-mssr: Read back reset registers to assure values latched
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 057/737] clk: renesas: Pass sub struct of cpg_mssr_priv to cpg_clk_register Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 059/737] HID: logitech-hidpp: Do not assume FAP in hidpp_send_message_sync() Greg Kroah-Hartman
` (689 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Geert Uytterhoeven,
Marek Vasut, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut+renesas@mailbox.org>
[ Upstream commit b91401af6c00ffab003698bfabd4c166df30748b ]
On R-Car V4H, the PCIEC controller DBI read would generate an SError in
case the controller reset is released by writing SRSTCLR register first,
and immediately afterward reading some PCIEC controller DBI register.
The issue triggers in rcar_gen4_pcie_additional_common_init() on
dw_pcie_readl_dbi(dw, PCIE_PORT_LANE_SKEW), which on V4H is the first
read after reset_control_deassert(dw->core_rsts[DW_PCIE_PWR_RST].rstc).
The reset controller which contains the SRSTCLR register and the PCIEC
controller which contains the DBI register share the same root access
bus, but the bus then splits into separate segments before reaching each
IP. Even if the SRSTCLR write access was posted on the bus before the
DBI read access, it seems the DBI read access may reach the PCIEC
controller before the SRSTCLR write completed, and trigger the SError.
Mitigate the issue by adding a dummy SRSTCLR read, which assures the
SRSTCLR write completes fully and is latched into the reset controller,
before the PCIEC DBI read access can occur.
Fixes: 0ab55cf18341 ("clk: renesas: cpg-mssr: Add support for R-Car V4H")
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20250922162113.113223-1-marek.vasut+renesas@mailbox.org
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/renesas-cpg-mssr.c | 46 ++++++++++++--------------
1 file changed, 21 insertions(+), 25 deletions(-)
diff --git a/drivers/clk/renesas/renesas-cpg-mssr.c b/drivers/clk/renesas/renesas-cpg-mssr.c
index c66b5e7359284..0f558d94750f1 100644
--- a/drivers/clk/renesas/renesas-cpg-mssr.c
+++ b/drivers/clk/renesas/renesas-cpg-mssr.c
@@ -597,18 +597,32 @@ static int __init cpg_mssr_add_clk_domain(struct device *dev,
#define rcdev_to_priv(x) container_of(x, struct cpg_mssr_priv, rcdev)
-static int cpg_mssr_reset(struct reset_controller_dev *rcdev,
- unsigned long id)
+static int cpg_mssr_reset_operate(struct reset_controller_dev *rcdev,
+ const char *func, bool set, unsigned long id)
{
struct cpg_mssr_priv *priv = rcdev_to_priv(rcdev);
unsigned int reg = id / 32;
unsigned int bit = id % 32;
+ const u16 off = set ? priv->reset_regs[reg] : priv->reset_clear_regs[reg];
u32 bitmask = BIT(bit);
- dev_dbg(priv->dev, "reset %u%02u\n", reg, bit);
+ if (func)
+ dev_dbg(priv->dev, "%s %u%02u\n", func, reg, bit);
+
+ writel(bitmask, priv->pub.base0 + off);
+ readl(priv->pub.base0 + off);
+ barrier_data(priv->pub.base0 + off);
+
+ return 0;
+}
+
+static int cpg_mssr_reset(struct reset_controller_dev *rcdev,
+ unsigned long id)
+{
+ struct cpg_mssr_priv *priv = rcdev_to_priv(rcdev);
/* Reset module */
- writel(bitmask, priv->pub.base0 + priv->reset_regs[reg]);
+ cpg_mssr_reset_operate(rcdev, "reset", true, id);
/*
* On R-Car Gen4, delay after SRCR has been written is 1ms.
@@ -621,36 +635,18 @@ static int cpg_mssr_reset(struct reset_controller_dev *rcdev,
usleep_range(35, 1000);
/* Release module from reset state */
- writel(bitmask, priv->pub.base0 + priv->reset_clear_regs[reg]);
-
- return 0;
+ return cpg_mssr_reset_operate(rcdev, NULL, false, id);
}
static int cpg_mssr_assert(struct reset_controller_dev *rcdev, unsigned long id)
{
- struct cpg_mssr_priv *priv = rcdev_to_priv(rcdev);
- unsigned int reg = id / 32;
- unsigned int bit = id % 32;
- u32 bitmask = BIT(bit);
-
- dev_dbg(priv->dev, "assert %u%02u\n", reg, bit);
-
- writel(bitmask, priv->pub.base0 + priv->reset_regs[reg]);
- return 0;
+ return cpg_mssr_reset_operate(rcdev, "assert", true, id);
}
static int cpg_mssr_deassert(struct reset_controller_dev *rcdev,
unsigned long id)
{
- struct cpg_mssr_priv *priv = rcdev_to_priv(rcdev);
- unsigned int reg = id / 32;
- unsigned int bit = id % 32;
- u32 bitmask = BIT(bit);
-
- dev_dbg(priv->dev, "deassert %u%02u\n", reg, bit);
-
- writel(bitmask, priv->pub.base0 + priv->reset_clear_regs[reg]);
- return 0;
+ return cpg_mssr_reset_operate(rcdev, "deassert", false, id);
}
static int cpg_mssr_status(struct reset_controller_dev *rcdev,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 059/737] HID: logitech-hidpp: Do not assume FAP in hidpp_send_message_sync()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 058/737] clk: renesas: cpg-mssr: Read back reset registers to assure values latched Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 060/737] objtool: Fix standalone --hacks=jump_label Greg Kroah-Hartman
` (688 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mavroudis Chatzilazaridis,
Stuart Hayhurst, Jiri Kosina, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mavroudis Chatzilazaridis <mavchatz@protonmail.com>
[ Upstream commit aba7963544d47d82cdf36602a6678a093af0299d ]
Currently, hidpp_send_message_sync() retries sending the message when the
device returns a busy error code, specifically HIDPP20_ERROR_BUSY, which
has a different meaning under RAP. This ends up being a problem because
this function is used for both FAP and RAP messages.
This issue is not noticeable on older receivers with unreachable devices
since they return HIDPP_ERROR_RESOURCE_ERROR (0x09), which is not equal to
HIDPP20_ERROR_BUSY (0x08).
However, newer receivers return HIDPP_ERROR_UNKNOWN_DEVICE (0x08) which
happens to equal to HIDPP20_ERROR_BUSY, causing unnecessary retries when
the device is not actually busy.
This is resolved by checking if the error response is FAP or RAP and
picking the respective ERROR_BUSY code.
Fixes: 60165ab774cb ("HID: logitech-hidpp: rework one more time the retries attempts")
Signed-off-by: Mavroudis Chatzilazaridis <mavchatz@protonmail.com>
Tested-by: Stuart Hayhurst <stuart.a.hayhurst@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-logitech-hidpp.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 3a2c1e48aba20..5a2fe703cf57b 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -351,10 +351,15 @@ static int hidpp_send_message_sync(struct hidpp_device *hidpp,
do {
ret = __do_hidpp_send_message_sync(hidpp, message, response);
- if (ret != HIDPP20_ERROR_BUSY)
+ if (response->report_id == REPORT_ID_HIDPP_SHORT &&
+ ret != HIDPP_ERROR_BUSY)
+ break;
+ if ((response->report_id == REPORT_ID_HIDPP_LONG ||
+ response->report_id == REPORT_ID_HIDPP_VERY_LONG) &&
+ ret != HIDPP20_ERROR_BUSY)
break;
- dbg_hid("%s:got busy hidpp 2.0 error %02X, retrying\n", __func__, ret);
+ dbg_hid("%s:got busy hidpp error %02X, retrying\n", __func__, ret);
} while (--max_retries);
mutex_unlock(&hidpp->send_mutex);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 060/737] objtool: Fix standalone --hacks=jump_label
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 059/737] HID: logitech-hidpp: Do not assume FAP in hidpp_send_message_sync() Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 061/737] objtool: Fix weak symbol detection Greg Kroah-Hartman
` (687 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dylan Hatch, Josh Poimboeuf,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dylan Hatch <dylanbhatch@google.com>
[ Upstream commit be8374a5ba7cbab6b97df94b4ffe0b92f5c8a6d2 ]
The objtool command line 'objtool --hacks=jump_label foo.o' on its own
should be expected to rewrite jump labels to NOPs. This means the
add_special_section_alts() code path needs to run when only this option
is provided.
This is mainly relevant in certain debugging situations, but could
potentially also fix kernel builds in which objtool is run with
--hacks=jump_label but without --orc, --stackval, --uaccess, or
--hacks=noinstr.
Fixes: de6fbcedf5ab ("objtool: Read special sections with alts only when specific options are selected")
Signed-off-by: Dylan Hatch <dylanbhatch@google.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/check.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index f8e676a6e6f8e..c021798ba8372 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -2619,7 +2619,8 @@ static int decode_sections(struct objtool_file *file)
* Must be before add_jump_destinations(), which depends on 'func'
* being set for alternatives, to enable proper sibling call detection.
*/
- if (opts.stackval || opts.orc || opts.uaccess || opts.noinstr) {
+ if (opts.stackval || opts.orc || opts.uaccess || opts.noinstr ||
+ opts.hack_jump_label) {
ret = add_special_section_alts(file);
if (ret)
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 061/737] objtool: Fix weak symbol detection
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 060/737] objtool: Fix standalone --hacks=jump_label Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 062/737] sched/fair: Forfeit vruntime on yield Greg Kroah-Hartman
` (686 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Mladek, Joe Lawrence,
Josh Poimboeuf, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf <jpoimboe@kernel.org>
[ Upstream commit 72567c630d32bc31f671977f78228c80937ed80e ]
find_symbol_hole_containing() fails to find a symbol hole (aka stripped
weak symbol) if its section has no symbols before the hole. This breaks
weak symbol detection if -ffunction-sections is enabled.
Fix that by allowing the interval tree to contain section symbols, which
are always at offset zero for a given section.
Fixes a bunch of (-ffunction-sections) warnings like:
vmlinux.o: warning: objtool: .text.__x64_sys_io_setup+0x10: unreachable instruction
Fixes: 4adb23686795 ("objtool: Ignore extra-symbol code")
Acked-by: Petr Mladek <pmladek@suse.com>
Tested-by: Joe Lawrence <joe.lawrence@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/elf.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/objtool/elf.c b/tools/objtool/elf.c
index 081befa4674b8..797507a90251b 100644
--- a/tools/objtool/elf.c
+++ b/tools/objtool/elf.c
@@ -110,7 +110,7 @@ struct symbol_hole {
};
/*
- * Find !section symbol where @offset is after it.
+ * Find the last symbol before @offset.
*/
static int symbol_hole_by_offset(const void *key, const struct rb_node *node)
{
@@ -121,8 +121,7 @@ static int symbol_hole_by_offset(const void *key, const struct rb_node *node)
return -1;
if (sh->key >= s->offset + s->len) {
- if (s->type != STT_SECTION)
- sh->sym = s;
+ sh->sym = s;
return 1;
}
@@ -410,7 +409,8 @@ static void elf_add_symbol(struct elf *elf, struct symbol *sym)
sym->len = sym->sym.st_size;
__sym_for_each(iter, &sym->sec->symbol_tree, sym->offset, sym->offset) {
- if (iter->offset == sym->offset && iter->type == sym->type)
+ if (iter->offset == sym->offset && iter->type == sym->type &&
+ iter->len == sym->len)
iter->alias = sym;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 062/737] sched/fair: Forfeit vruntime on yield
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 061/737] objtool: Fix weak symbol detection Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 063/737] irqchip/irq-bcm7038-l1: Fix section mismatch Greg Kroah-Hartman
` (685 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernand Sieber,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernand Sieber <sieberf@amazon.com>
[ Upstream commit 79104becf42baeeb4a3f2b106f954b9fc7c10a3c ]
If a task yields, the scheduler may decide to pick it again. The task in
turn may decide to yield immediately or shortly after, leading to a tight
loop of yields.
If there's another runnable task as this point, the deadline will be
increased by the slice at each loop. This can cause the deadline to runaway
pretty quickly, and subsequent elevated run delays later on as the task
doesn't get picked again. The reason the scheduler can pick the same task
again and again despite its deadline increasing is because it may be the
only eligible task at that point.
Fix this by making the task forfeiting its remaining vruntime and pushing
the deadline one slice ahead. This implements yield behavior more
authentically.
We limit the forfeiting to eligible tasks. This is because core scheduling
prefers running ineligible tasks rather than force idling. As such, without
the condition, we can end up on a yield loop which makes the vruntime
increase rapidly, leading to anomalous run delays later down the line.
Fixes: 147f3efaa24182 ("sched/fair: Implement an EEVDF-like scheduling policy")
Signed-off-by: Fernand Sieber <sieberf@amazon.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20250401123622.584018-1-sieberf@amazon.com
Link: https://lore.kernel.org/r/20250911095113.203439-1-sieberf@amazon.com
Link: https://lore.kernel.org/r/20250916140228.452231-1-sieberf@amazon.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 7f23b866c3d4c..cf3a51f323e32 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -8614,7 +8614,19 @@ static void yield_task_fair(struct rq *rq)
*/
rq_clock_skip_update(rq);
- se->deadline += calc_delta_fair(se->slice, se);
+ /*
+ * Forfeit the remaining vruntime, only if the entity is eligible. This
+ * condition is necessary because in core scheduling we prefer to run
+ * ineligible tasks rather than force idling. If this happens we may
+ * end up in a loop where the core scheduler picks the yielding task,
+ * which yields immediately again; without the condition the vruntime
+ * ends up quickly running away.
+ */
+ if (entity_eligible(cfs_rq, se)) {
+ se->vruntime = se->deadline;
+ se->deadline += calc_delta_fair(se->slice, se);
+ update_min_vruntime(cfs_rq);
+ }
}
static bool yield_to_task_fair(struct rq *rq, struct task_struct *p)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 063/737] irqchip/irq-bcm7038-l1: Fix section mismatch
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 062/737] sched/fair: Forfeit vruntime on yield Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 064/737] irqchip/irq-bcm7120-l2: " Greg Kroah-Hartman
` (684 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Thomas Gleixner,
Florian Fainelli, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit e9db5332caaf4789ae3bafe72f61ad8e6e0c2d81 ]
Platform drivers can be probed after their init sections have been
discarded so the irqchip init callback must not live in init.
Fixes: c057c799e379 ("irqchip/irq-bcm7038-l1: Switch to IRQCHIP_PLATFORM_DRIVER")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-bcm7038-l1.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/irqchip/irq-bcm7038-l1.c b/drivers/irqchip/irq-bcm7038-l1.c
index 24ca1d656adc5..51d38a92ec200 100644
--- a/drivers/irqchip/irq-bcm7038-l1.c
+++ b/drivers/irqchip/irq-bcm7038-l1.c
@@ -219,9 +219,8 @@ static int bcm7038_l1_set_affinity(struct irq_data *d,
}
#endif
-static int __init bcm7038_l1_init_one(struct device_node *dn,
- unsigned int idx,
- struct bcm7038_l1_chip *intc)
+static int bcm7038_l1_init_one(struct device_node *dn, unsigned int idx,
+ struct bcm7038_l1_chip *intc)
{
struct resource res;
resource_size_t sz;
@@ -395,8 +394,7 @@ static const struct irq_domain_ops bcm7038_l1_domain_ops = {
.map = bcm7038_l1_map,
};
-static int __init bcm7038_l1_of_init(struct device_node *dn,
- struct device_node *parent)
+static int bcm7038_l1_of_init(struct device_node *dn, struct device_node *parent)
{
struct bcm7038_l1_chip *intc;
int idx, ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 064/737] irqchip/irq-bcm7120-l2: Fix section mismatch
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 063/737] irqchip/irq-bcm7038-l1: Fix section mismatch Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 065/737] irqchip/irq-brcmstb-l2: " Greg Kroah-Hartman
` (683 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Thomas Gleixner,
Florian Fainelli, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit bfc0c5beab1fde843677923cf008f41d583c980a ]
Platform drivers can be probed after their init sections have been
discarded so the irqchip init callbacks must not live in init.
Fixes: 3ac268d5ed22 ("irqchip/irq-bcm7120-l2: Switch to IRQCHIP_PLATFORM_DRIVER")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-bcm7120-l2.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/drivers/irqchip/irq-bcm7120-l2.c b/drivers/irqchip/irq-bcm7120-l2.c
index 1e9dab6e0d86f..bb6e56629e532 100644
--- a/drivers/irqchip/irq-bcm7120-l2.c
+++ b/drivers/irqchip/irq-bcm7120-l2.c
@@ -147,8 +147,7 @@ static int bcm7120_l2_intc_init_one(struct device_node *dn,
return 0;
}
-static int __init bcm7120_l2_intc_iomap_7120(struct device_node *dn,
- struct bcm7120_l2_intc_data *data)
+static int bcm7120_l2_intc_iomap_7120(struct device_node *dn, struct bcm7120_l2_intc_data *data)
{
int ret;
@@ -181,8 +180,7 @@ static int __init bcm7120_l2_intc_iomap_7120(struct device_node *dn,
return 0;
}
-static int __init bcm7120_l2_intc_iomap_3380(struct device_node *dn,
- struct bcm7120_l2_intc_data *data)
+static int bcm7120_l2_intc_iomap_3380(struct device_node *dn, struct bcm7120_l2_intc_data *data)
{
unsigned int gc_idx;
@@ -212,10 +210,9 @@ static int __init bcm7120_l2_intc_iomap_3380(struct device_node *dn,
return 0;
}
-static int __init bcm7120_l2_intc_probe(struct device_node *dn,
- struct device_node *parent,
+static int bcm7120_l2_intc_probe(struct device_node *dn, struct device_node *parent,
int (*iomap_regs_fn)(struct device_node *,
- struct bcm7120_l2_intc_data *),
+ struct bcm7120_l2_intc_data *),
const char *intc_name)
{
unsigned int clr = IRQ_NOREQUEST | IRQ_NOPROBE | IRQ_NOAUTOEN;
@@ -343,15 +340,13 @@ static int __init bcm7120_l2_intc_probe(struct device_node *dn,
return ret;
}
-static int __init bcm7120_l2_intc_probe_7120(struct device_node *dn,
- struct device_node *parent)
+static int bcm7120_l2_intc_probe_7120(struct device_node *dn, struct device_node *parent)
{
return bcm7120_l2_intc_probe(dn, parent, bcm7120_l2_intc_iomap_7120,
"BCM7120 L2");
}
-static int __init bcm7120_l2_intc_probe_3380(struct device_node *dn,
- struct device_node *parent)
+static int bcm7120_l2_intc_probe_3380(struct device_node *dn, struct device_node *parent)
{
return bcm7120_l2_intc_probe(dn, parent, bcm7120_l2_intc_iomap_3380,
"BCM3380 L2");
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 065/737] irqchip/irq-brcmstb-l2: Fix section mismatch
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 064/737] irqchip/irq-bcm7120-l2: " Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 066/737] irqchip/imx-mu-msi: " Greg Kroah-Hartman
` (682 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Thomas Gleixner,
Florian Fainelli, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit bbe1775924478e95372c2f896064ab6446000713 ]
Platform drivers can be probed after their init sections have been
discarded so the irqchip init callbacks must not live in init.
Fixes: 51d9db5c8fbb ("irqchip/irq-brcmstb-l2: Switch to IRQCHIP_PLATFORM_DRIVER")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-brcmstb-l2.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/drivers/irqchip/irq-brcmstb-l2.c b/drivers/irqchip/irq-brcmstb-l2.c
index 2b0b3175cea06..23a4708684591 100644
--- a/drivers/irqchip/irq-brcmstb-l2.c
+++ b/drivers/irqchip/irq-brcmstb-l2.c
@@ -157,10 +157,8 @@ static void brcmstb_l2_intc_resume(struct irq_data *d)
irq_gc_unlock_irqrestore(gc, flags);
}
-static int __init brcmstb_l2_intc_of_init(struct device_node *np,
- struct device_node *parent,
- const struct brcmstb_intc_init_params
- *init_params)
+static int brcmstb_l2_intc_of_init(struct device_node *np, struct device_node *parent,
+ const struct brcmstb_intc_init_params *init_params)
{
unsigned int clr = IRQ_NOREQUEST | IRQ_NOPROBE | IRQ_NOAUTOEN;
unsigned int set = 0;
@@ -276,14 +274,12 @@ static int __init brcmstb_l2_intc_of_init(struct device_node *np,
return ret;
}
-static int __init brcmstb_l2_edge_intc_of_init(struct device_node *np,
- struct device_node *parent)
+static int brcmstb_l2_edge_intc_of_init(struct device_node *np, struct device_node *parent)
{
return brcmstb_l2_intc_of_init(np, parent, &l2_edge_intc_init);
}
-static int __init brcmstb_l2_lvl_intc_of_init(struct device_node *np,
- struct device_node *parent)
+static int brcmstb_l2_lvl_intc_of_init(struct device_node *np, struct device_node *parent)
{
return brcmstb_l2_intc_of_init(np, parent, &l2_lvl_intc_init);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 066/737] irqchip/imx-mu-msi: Fix section mismatch
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 065/737] irqchip/irq-brcmstb-l2: " Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 067/737] irqchip/qcom-irq-combiner: " Greg Kroah-Hartman
` (681 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 64acfd8e680ff8992c101fe19aadb112ce551072 ]
Platform drivers can be probed after their init sections have been
discarded so the irqchip init callbacks must not live in init.
Fixes: 70afdab904d2 ("irqchip: Add IMX MU MSI controller driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-imx-mu-msi.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/drivers/irqchip/irq-imx-mu-msi.c b/drivers/irqchip/irq-imx-mu-msi.c
index 90d41c1407acf..49e9742b1c55d 100644
--- a/drivers/irqchip/irq-imx-mu-msi.c
+++ b/drivers/irqchip/irq-imx-mu-msi.c
@@ -303,9 +303,8 @@ static const struct imx_mu_dcfg imx_mu_cfg_imx8ulp = {
},
};
-static int __init imx_mu_of_init(struct device_node *dn,
- struct device_node *parent,
- const struct imx_mu_dcfg *cfg)
+static int imx_mu_of_init(struct device_node *dn, struct device_node *parent,
+ const struct imx_mu_dcfg *cfg)
{
struct platform_device *pdev = of_find_device_by_node(dn);
struct device_link *pd_link_a;
@@ -423,20 +422,17 @@ static const struct dev_pm_ops imx_mu_pm_ops = {
imx_mu_runtime_resume, NULL)
};
-static int __init imx_mu_imx7ulp_of_init(struct device_node *dn,
- struct device_node *parent)
+static int imx_mu_imx7ulp_of_init(struct device_node *dn, struct device_node *parent)
{
return imx_mu_of_init(dn, parent, &imx_mu_cfg_imx7ulp);
}
-static int __init imx_mu_imx6sx_of_init(struct device_node *dn,
- struct device_node *parent)
+static int imx_mu_imx6sx_of_init(struct device_node *dn, struct device_node *parent)
{
return imx_mu_of_init(dn, parent, &imx_mu_cfg_imx6sx);
}
-static int __init imx_mu_imx8ulp_of_init(struct device_node *dn,
- struct device_node *parent)
+static int imx_mu_imx8ulp_of_init(struct device_node *dn, struct device_node *parent)
{
return imx_mu_of_init(dn, parent, &imx_mu_cfg_imx8ulp);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 067/737] irqchip/qcom-irq-combiner: Fix section mismatch
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 066/737] irqchip/imx-mu-msi: " Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 068/737] crypto: authenc - Correctly pass EINPROGRESS back up to the caller Greg Kroah-Hartman
` (680 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 9b685058ca936752285c5520d351b828312ac965 ]
Platform drivers can be probed after their init sections have been
discarded so the probe callback must not live in init.
Fixes: f20cc9b00c7b ("irqchip/qcom: Add IRQ combiner driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/qcom-irq-combiner.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/qcom-irq-combiner.c b/drivers/irqchip/qcom-irq-combiner.c
index 18e696dc7f4d6..9308088773be7 100644
--- a/drivers/irqchip/qcom-irq-combiner.c
+++ b/drivers/irqchip/qcom-irq-combiner.c
@@ -222,7 +222,7 @@ static int get_registers(struct platform_device *pdev, struct combiner *comb)
return 0;
}
-static int __init combiner_probe(struct platform_device *pdev)
+static int combiner_probe(struct platform_device *pdev)
{
struct combiner *combiner;
int nregs;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 068/737] crypto: authenc - Correctly pass EINPROGRESS back up to the caller
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 067/737] irqchip/qcom-irq-combiner: " Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 069/737] ntfs3: fix uninit memory after failed mi_read in mi_format_new Greg Kroah-Hartman
` (679 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Franzki, Mikulas Patocka,
Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 96feb73def02d175850daa0e7c2c90c876681b5c ]
When authenc is invoked with MAY_BACKLOG, it needs to pass EINPROGRESS
notifications back up to the caller when the underlying algorithm
returns EBUSY synchronously.
However, if the EBUSY comes from the second part of an authenc call,
i.e., it is asynchronous, both the EBUSY and the subsequent EINPROGRESS
notification must not be passed to the caller.
Implement this by passing a mask to the function that starts the
second half of authenc and using it to determine whether EBUSY
and EINPROGRESS should be passed to the caller.
This was a deficiency in the original implementation of authenc
because it was not expected to be used with MAY_BACKLOG.
Reported-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Fixes: 180ce7e81030 ("crypto: authenc - Add EINPROGRESS check")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/authenc.c | 75 ++++++++++++++++++++++++++++++++----------------
1 file changed, 50 insertions(+), 25 deletions(-)
diff --git a/crypto/authenc.c b/crypto/authenc.c
index 3326c7343e867..ebaa035a54f4b 100644
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -39,7 +39,7 @@ struct authenc_request_ctx {
static void authenc_request_complete(struct aead_request *req, int err)
{
- if (err != -EINPROGRESS)
+ if (err != -EINPROGRESS && err != -EBUSY)
aead_request_complete(req, err);
}
@@ -109,27 +109,42 @@ static int crypto_authenc_setkey(struct crypto_aead *authenc, const u8 *key,
return err;
}
-static void authenc_geniv_ahash_done(void *data, int err)
+static void authenc_geniv_ahash_finish(struct aead_request *req)
{
- struct aead_request *req = data;
struct crypto_aead *authenc = crypto_aead_reqtfm(req);
struct aead_instance *inst = aead_alg_instance(authenc);
struct authenc_instance_ctx *ictx = aead_instance_ctx(inst);
struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
- if (err)
- goto out;
-
scatterwalk_map_and_copy(ahreq->result, req->dst,
req->assoclen + req->cryptlen,
crypto_aead_authsize(authenc), 1);
+}
-out:
+static void authenc_geniv_ahash_done(void *data, int err)
+{
+ struct aead_request *req = data;
+
+ if (!err)
+ authenc_geniv_ahash_finish(req);
aead_request_complete(req, err);
}
-static int crypto_authenc_genicv(struct aead_request *req, unsigned int flags)
+/*
+ * Used when the ahash request was invoked in the async callback context
+ * of the previous skcipher request. Eat any EINPROGRESS notifications.
+ */
+static void authenc_geniv_ahash_done2(void *data, int err)
+{
+ struct aead_request *req = data;
+
+ if (!err)
+ authenc_geniv_ahash_finish(req);
+ authenc_request_complete(req, err);
+}
+
+static int crypto_authenc_genicv(struct aead_request *req, unsigned int mask)
{
struct crypto_aead *authenc = crypto_aead_reqtfm(req);
struct aead_instance *inst = aead_alg_instance(authenc);
@@ -138,6 +153,7 @@ static int crypto_authenc_genicv(struct aead_request *req, unsigned int flags)
struct crypto_ahash *auth = ctx->auth;
struct authenc_request_ctx *areq_ctx = aead_request_ctx(req);
struct ahash_request *ahreq = (void *)(areq_ctx->tail + ictx->reqoff);
+ unsigned int flags = aead_request_flags(req) & ~mask;
u8 *hash = areq_ctx->tail;
int err;
@@ -148,7 +164,8 @@ static int crypto_authenc_genicv(struct aead_request *req, unsigned int flags)
ahash_request_set_crypt(ahreq, req->dst, hash,
req->assoclen + req->cryptlen);
ahash_request_set_callback(ahreq, flags,
- authenc_geniv_ahash_done, req);
+ mask ? authenc_geniv_ahash_done2 :
+ authenc_geniv_ahash_done, req);
err = crypto_ahash_digest(ahreq);
if (err)
@@ -164,12 +181,11 @@ static void crypto_authenc_encrypt_done(void *data, int err)
{
struct aead_request *areq = data;
- if (err)
- goto out;
-
- err = crypto_authenc_genicv(areq, 0);
-
-out:
+ if (err) {
+ aead_request_complete(areq, err);
+ return;
+ }
+ err = crypto_authenc_genicv(areq, CRYPTO_TFM_REQ_MAY_SLEEP);
authenc_request_complete(areq, err);
}
@@ -222,11 +238,18 @@ static int crypto_authenc_encrypt(struct aead_request *req)
if (err)
return err;
- return crypto_authenc_genicv(req, aead_request_flags(req));
+ return crypto_authenc_genicv(req, 0);
+}
+
+static void authenc_decrypt_tail_done(void *data, int err)
+{
+ struct aead_request *req = data;
+
+ authenc_request_complete(req, err);
}
static int crypto_authenc_decrypt_tail(struct aead_request *req,
- unsigned int flags)
+ unsigned int mask)
{
struct crypto_aead *authenc = crypto_aead_reqtfm(req);
struct aead_instance *inst = aead_alg_instance(authenc);
@@ -237,6 +260,7 @@ static int crypto_authenc_decrypt_tail(struct aead_request *req,
struct skcipher_request *skreq = (void *)(areq_ctx->tail +
ictx->reqoff);
unsigned int authsize = crypto_aead_authsize(authenc);
+ unsigned int flags = aead_request_flags(req) & ~mask;
u8 *ihash = ahreq->result + authsize;
struct scatterlist *src, *dst;
@@ -253,7 +277,9 @@ static int crypto_authenc_decrypt_tail(struct aead_request *req,
skcipher_request_set_tfm(skreq, ctx->enc);
skcipher_request_set_callback(skreq, flags,
- req->base.complete, req->base.data);
+ mask ? authenc_decrypt_tail_done :
+ req->base.complete,
+ mask ? req : req->base.data);
skcipher_request_set_crypt(skreq, src, dst,
req->cryptlen - authsize, req->iv);
@@ -264,12 +290,11 @@ static void authenc_verify_ahash_done(void *data, int err)
{
struct aead_request *req = data;
- if (err)
- goto out;
-
- err = crypto_authenc_decrypt_tail(req, 0);
-
-out:
+ if (err) {
+ aead_request_complete(req, err);
+ return;
+ }
+ err = crypto_authenc_decrypt_tail(req, CRYPTO_TFM_REQ_MAY_SLEEP);
authenc_request_complete(req, err);
}
@@ -299,7 +324,7 @@ static int crypto_authenc_decrypt(struct aead_request *req)
if (err)
return err;
- return crypto_authenc_decrypt_tail(req, aead_request_flags(req));
+ return crypto_authenc_decrypt_tail(req, 0);
}
static int crypto_authenc_init_tfm(struct crypto_aead *tfm)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 069/737] ntfs3: fix uninit memory after failed mi_read in mi_format_new
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 068/737] crypto: authenc - Correctly pass EINPROGRESS back up to the caller Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 070/737] ntfs3: Fix uninit buffer allocated by __getname() Greg Kroah-Hartman
` (678 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7a2ba6b7b66340cff225,
Raphael Pinsonneault-Thibeault, Konstantin Komarov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
[ Upstream commit 73e6b9dacf72a1e7a4265eacca46f8f33e0997d6 ]
Fix a KMSAN un-init bug found by syzkaller.
ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be
uptodate. We do not bring the buffer uptodate before setting it as
uptodate. If the buffer were to not be uptodate, it could mean adding a
buffer with un-init data to the mi record. Attempting to load that record
will trigger KMSAN.
Avoid this by setting the buffer as uptodate, if it’s not already, by
overwriting it.
Reported-by: syzbot+7a2ba6b7b66340cff225@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7a2ba6b7b66340cff225
Tested-by: syzbot+7a2ba6b7b66340cff225@syzkaller.appspotmail.com
Fixes: 4342306f0f0d5 ("fs/ntfs3: Add file operations and implementation")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/fsntfs.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
index e19b13db4f91e..446079b0866d4 100644
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -1369,7 +1369,14 @@ int ntfs_get_bh(struct ntfs_sb_info *sbi, const struct runs_tree *run, u64 vbo,
}
if (buffer_locked(bh))
__wait_on_buffer(bh);
- set_buffer_uptodate(bh);
+
+ lock_buffer(bh);
+ if (!buffer_uptodate(bh))
+ {
+ memset(bh->b_data, 0, blocksize);
+ set_buffer_uptodate(bh);
+ }
+ unlock_buffer(bh);
} else {
bh = ntfs_bread(sb, block);
if (!bh) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 070/737] ntfs3: Fix uninit buffer allocated by __getname()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 069/737] ntfs3: fix uninit memory after failed mi_read in mi_format_new Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 071/737] rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu() Greg Kroah-Hartman
` (677 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+332bd4e9d148f11a87dc,
Sidharth Seela, Konstantin Komarov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sidharth Seela <sidharthseela@gmail.com>
[ Upstream commit 9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6 ]
Fix uninit errors caused after buffer allocation given to 'de'; by
initializing the buffer with zeroes. The fix was found by using KMSAN.
Reported-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com
Fixes: 78ab59fee07f2 ("fs/ntfs3: Rework file operations")
Signed-off-by: Sidharth Seela <sidharthseela@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index a967babea8a59..f27e25776b730 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -1758,6 +1758,7 @@ int ntfs_link_inode(struct inode *inode, struct dentry *dentry)
de = __getname();
if (!de)
return -ENOMEM;
+ memset(de, 0, PATH_MAX);
/* Mark rw ntfs as dirty. It will be cleared at umount. */
ntfs_set_state(sbi, NTFS_DIRTY_DIRTY);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 071/737] rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 070/737] ntfs3: Fix uninit buffer allocated by __getname() Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 072/737] inet: Avoid ehash lookup race in inet_ehash_insert() Greg Kroah-Hartman
` (676 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima,
Frederic Weisbecker, Eric Dumazet, Xuanqiang Luo, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
[ Upstream commit 9c4609225ec1cb551006d6a03c7c4ad8cb5584c0 ]
Add two functions to atomically replace RCU-protected hlist_nulls entries.
Keep using WRITE_ONCE() to assign values to ->next and ->pprev, as
mentioned in the patch below:
commit efd04f8a8b45 ("rcu: Use WRITE_ONCE() for assignments to ->next for
rculist_nulls")
commit 860c8802ace1 ("rcu: Use WRITE_ONCE() for assignments to ->pprev for
hlist_nulls")
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
Link: https://patch.msgid.link/20251015020236.431822-2-xuanqiang.luo@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 1532ed0d0753 ("inet: Avoid ehash lookup race in inet_ehash_insert()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/rculist_nulls.h | 59 +++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h
index 89186c499dd47..c26cb83ca0711 100644
--- a/include/linux/rculist_nulls.h
+++ b/include/linux/rculist_nulls.h
@@ -52,6 +52,13 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n)
#define hlist_nulls_next_rcu(node) \
(*((struct hlist_nulls_node __rcu __force **)&(node)->next))
+/**
+ * hlist_nulls_pprev_rcu - returns the dereferenced pprev of @node.
+ * @node: element of the list.
+ */
+#define hlist_nulls_pprev_rcu(node) \
+ (*((struct hlist_nulls_node __rcu __force **)(node)->pprev))
+
/**
* hlist_nulls_del_rcu - deletes entry from hash list without re-initialization
* @n: the element to delete from the hash list.
@@ -152,6 +159,58 @@ static inline void hlist_nulls_add_fake(struct hlist_nulls_node *n)
n->next = (struct hlist_nulls_node *)NULLS_MARKER(NULL);
}
+/**
+ * hlist_nulls_replace_rcu - replace an old entry by a new one
+ * @old: the element to be replaced
+ * @new: the new element to insert
+ *
+ * Description:
+ * Replace the old entry with the new one in a RCU-protected hlist_nulls, while
+ * permitting racing traversals.
+ *
+ * The caller must take whatever precautions are necessary (such as holding
+ * appropriate locks) to avoid racing with another list-mutation primitive, such
+ * as hlist_nulls_add_head_rcu() or hlist_nulls_del_rcu(), running on this same
+ * list. However, it is perfectly legal to run concurrently with the _rcu
+ * list-traversal primitives, such as hlist_nulls_for_each_entry_rcu().
+ */
+static inline void hlist_nulls_replace_rcu(struct hlist_nulls_node *old,
+ struct hlist_nulls_node *new)
+{
+ struct hlist_nulls_node *next = old->next;
+
+ WRITE_ONCE(new->next, next);
+ WRITE_ONCE(new->pprev, old->pprev);
+ rcu_assign_pointer(hlist_nulls_pprev_rcu(new), new);
+ if (!is_a_nulls(next))
+ WRITE_ONCE(next->pprev, &new->next);
+}
+
+/**
+ * hlist_nulls_replace_init_rcu - replace an old entry by a new one and
+ * initialize the old
+ * @old: the element to be replaced
+ * @new: the new element to insert
+ *
+ * Description:
+ * Replace the old entry with the new one in a RCU-protected hlist_nulls, while
+ * permitting racing traversals, and reinitialize the old entry.
+ *
+ * Note: @old must be hashed.
+ *
+ * The caller must take whatever precautions are necessary (such as holding
+ * appropriate locks) to avoid racing with another list-mutation primitive, such
+ * as hlist_nulls_add_head_rcu() or hlist_nulls_del_rcu(), running on this same
+ * list. However, it is perfectly legal to run concurrently with the _rcu
+ * list-traversal primitives, such as hlist_nulls_for_each_entry_rcu().
+ */
+static inline void hlist_nulls_replace_init_rcu(struct hlist_nulls_node *old,
+ struct hlist_nulls_node *new)
+{
+ hlist_nulls_replace_rcu(old, new);
+ WRITE_ONCE(old->pprev, NULL);
+}
+
/**
* hlist_nulls_for_each_entry_rcu - iterate over rcu list of given type
* @tpos: the type * to use as a loop cursor.
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 072/737] inet: Avoid ehash lookup race in inet_ehash_insert()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 071/737] rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu() Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 073/737] iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member Greg Kroah-Hartman
` (675 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jiayuan Chen,
Xuanqiang Luo, Eric Dumazet, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
[ Upstream commit 1532ed0d0753c83e72595f785f82b48c28bbe5dc ]
Since ehash lookups are lockless, if one CPU performs a lookup while
another concurrently deletes and inserts (removing reqsk and inserting sk),
the lookup may fail to find the socket, an RST may be sent.
The call trace map is drawn as follows:
CPU 0 CPU 1
----- -----
inet_ehash_insert()
spin_lock()
sk_nulls_del_node_init_rcu(osk)
__inet_lookup_established()
(lookup failed)
__sk_nulls_add_node_rcu(sk, list)
spin_unlock()
As both deletion and insertion operate on the same ehash chain, this patch
introduces a new sk_nulls_replace_node_init_rcu() helper functions to
implement atomic replacement.
Fixes: 5e0724d027f0 ("tcp/dccp: fix hashdance race for passive sessions")
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251015020236.431822-3-xuanqiang.luo@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sock.h | 13 +++++++++++++
net/ipv4/inet_hashtables.c | 8 ++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index f8e029cc48ccc..d516ed8050084 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -825,6 +825,19 @@ static inline bool sk_nulls_del_node_init_rcu(struct sock *sk)
return rc;
}
+static inline bool sk_nulls_replace_node_init_rcu(struct sock *old,
+ struct sock *new)
+{
+ if (sk_hashed(old)) {
+ hlist_nulls_replace_init_rcu(&old->sk_nulls_node,
+ &new->sk_nulls_node);
+ __sock_put(old);
+ return true;
+ }
+
+ return false;
+}
+
static inline void __sk_add_node(struct sock *sk, struct hlist_head *list)
{
hlist_add_head(&sk->sk_node, list);
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 60e81f6b1c6d4..7292f70176251 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -676,8 +676,11 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
spin_lock(lock);
if (osk) {
WARN_ON_ONCE(sk->sk_hash != osk->sk_hash);
- ret = sk_nulls_del_node_init_rcu(osk);
- } else if (found_dup_sk) {
+ ret = sk_nulls_replace_node_init_rcu(osk, sk);
+ goto unlock;
+ }
+
+ if (found_dup_sk) {
*found_dup_sk = inet_ehash_lookup_by_sk(sk, list);
if (*found_dup_sk)
ret = false;
@@ -686,6 +689,7 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
if (ret)
__sk_nulls_add_node_rcu(sk, list);
+unlock:
spin_unlock(lock);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 073/737] iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 072/737] inet: Avoid ehash lookup race in inet_ehash_insert() Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 074/737] arm64: dts: freescale: imx8mp-venice-gw7905-2x: remove duplicate usdhc1 props Greg Kroah-Hartman
` (674 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Lavra, Lorenzo Bianconi,
Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Lavra <flavra@baylibre.com>
[ Upstream commit c6d702f2b77194b62fb2098c63bb7f2a87da142d ]
The `odr` field in struct st_lsm6dsx_sensor contains a data rate
value expressed in mHz, not in Hz.
Fixes: f8710f0357bc3 ("iio: imu: st_lsm6dsx: express odr in mHZ")
Signed-off-by: Francesco Lavra <flavra@baylibre.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
index 35325d2e1ce6c..33b5c660103e4 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
@@ -381,7 +381,7 @@ enum st_lsm6dsx_fifo_mode {
* @id: Sensor identifier.
* @hw: Pointer to instance of struct st_lsm6dsx_hw.
* @gain: Configured sensor sensitivity.
- * @odr: Output data rate of the sensor [Hz].
+ * @odr: Output data rate of the sensor [mHz].
* @samples_to_discard: Number of samples to discard for filters settling time.
* @watermark: Sensor watermark level.
* @decimator: Sensor decimation factor.
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 074/737] arm64: dts: freescale: imx8mp-venice-gw7905-2x: remove duplicate usdhc1 props
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 073/737] iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 075/737] arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl Greg Kroah-Hartman
` (673 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Harvey, Peng Fan, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Harvey <tharvey@gateworks.com>
[ Upstream commit 8b7e58ab4a02601a0e86e9f9701d4612038d8b29 ]
Remove the un-intended duplicate properties from usdhc1.
Fixes: 0d5b288c2110e ("arm64: dts: freescale: Add imx8mp-venice-gw7905-2x")
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi
index 560c68e4da6dc..f541360cb5548 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi
@@ -401,9 +401,6 @@ &usdhc1 {
bus-width = <4>;
non-removable;
status = "okay";
- bus-width = <4>;
- non-removable;
- status = "okay";
};
/* eMMC */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 075/737] arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 074/737] arm64: dts: freescale: imx8mp-venice-gw7905-2x: remove duplicate usdhc1 props Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 076/737] arm64: dts: imx8mp-venice-gw702x: remove off-board uart Greg Kroah-Hartman
` (672 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Harvey, Peng Fan, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Harvey <tharvey@gateworks.com>
[ Upstream commit d949b8d12d6e8fa119bca10d3157cd42e810f6f7 ]
The SDHC1 interface is not used on the imx8mm-venice-gw72xx. Remove the
unused pinctrl_usdhc1 iomux node.
Fixes: 6f30b27c5ef5 ("arm64: dts: imx8mm: Add Gateworks i.MX 8M Mini Development Kits")
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../boot/dts/freescale/imx8mm-venice-gw72xx.dtsi | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi
index 570992a52b759..7263bbf0f0520 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi
@@ -337,17 +337,6 @@ MX8MM_IOMUXC_UART4_TXD_UART4_DCE_TX 0x140
>;
};
- pinctrl_usdhc1: usdhc1grp {
- fsl,pins = <
- MX8MM_IOMUXC_SD1_CLK_USDHC1_CLK 0x190
- MX8MM_IOMUXC_SD1_CMD_USDHC1_CMD 0x1d0
- MX8MM_IOMUXC_SD1_DATA0_USDHC1_DATA0 0x1d0
- MX8MM_IOMUXC_SD1_DATA1_USDHC1_DATA1 0x1d0
- MX8MM_IOMUXC_SD1_DATA2_USDHC1_DATA2 0x1d0
- MX8MM_IOMUXC_SD1_DATA3_USDHC1_DATA3 0x1d0
- >;
- };
-
pinctrl_usdhc2: usdhc2grp {
fsl,pins = <
MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x190
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 076/737] arm64: dts: imx8mp-venice-gw702x: remove off-board uart
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 075/737] arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 077/737] arm64: dts: imx8mp-venice-gw702x: remove off-board sdhc1 Greg Kroah-Hartman
` (671 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Harvey, Peng Fan, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Harvey <tharvey@gateworks.com>
[ Upstream commit effe98060f70eb96e142f656e750d6af275ceac3 ]
UART1 and UART3 go to a connector for use on a baseboard and as such are
defined in the baseboard device-trees. Remove them from the gw702x SOM
device-tree.
Fixes: 0d5b288c2110 ("arm64: dts: freescale: Add imx8mp-venice-gw7905-2x")
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../dts/freescale/imx8mp-venice-gw702x.dtsi | 28 -------------------
1 file changed, 28 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi
index f541360cb5548..ac5b3a8ce729b 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi
@@ -373,13 +373,6 @@ &i2c3 {
status = "okay";
};
-/* off-board header */
-&uart1 {
- pinctrl-names = "default";
- pinctrl-0 = <&pinctrl_uart1>;
- status = "okay";
-};
-
/* console */
&uart2 {
pinctrl-names = "default";
@@ -387,13 +380,6 @@ &uart2 {
status = "okay";
};
-/* off-board header */
-&uart3 {
- pinctrl-names = "default";
- pinctrl-0 = <&pinctrl_uart3>;
- status = "okay";
-};
-
/* off-board */
&usdhc1 {
pinctrl-names = "default";
@@ -496,13 +482,6 @@ MX8MP_IOMUXC_I2C3_SDA__GPIO5_IO19 0x400001c2
>;
};
- pinctrl_uart1: uart1grp {
- fsl,pins = <
- MX8MP_IOMUXC_UART1_RXD__UART1_DCE_RX 0x140
- MX8MP_IOMUXC_UART1_TXD__UART1_DCE_TX 0x140
- >;
- };
-
pinctrl_uart2: uart2grp {
fsl,pins = <
MX8MP_IOMUXC_UART2_RXD__UART2_DCE_RX 0x140
@@ -510,13 +489,6 @@ MX8MP_IOMUXC_UART2_TXD__UART2_DCE_TX 0x140
>;
};
- pinctrl_uart3: uart3grp {
- fsl,pins = <
- MX8MP_IOMUXC_UART3_RXD__UART3_DCE_RX 0x140
- MX8MP_IOMUXC_UART3_TXD__UART3_DCE_TX 0x140
- >;
- };
-
pinctrl_usdhc1: usdhc1grp {
fsl,pins = <
MX8MP_IOMUXC_SD1_CLK__USDHC1_CLK 0x190
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 077/737] arm64: dts: imx8mp-venice-gw702x: remove off-board sdhc1
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 076/737] arm64: dts: imx8mp-venice-gw702x: remove off-board uart Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 078/737] PCI: rcar-gen2: Drop ARM dependency from PCI_RCAR_GEN2 Greg Kroah-Hartman
` (670 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Harvey, Peng Fan, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Harvey <tharvey@gateworks.com>
[ Upstream commit 9db04b310ef99b546e4240c55842e81b06b78579 ]
SDHC1 on the GW702x SOM routes to a connector for use on a baseboard
and as such are defined in the baseboard device-trees.
Remove it from the gw702x SOM device-tree.
Fixes: 0d5b288c2110 ("arm64: dts: freescale: Add imx8mp-venice-gw7905-2x")
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../dts/freescale/imx8mp-venice-gw702x.dtsi | 20 -------------------
.../dts/freescale/imx8mp-venice-gw72xx.dtsi | 11 ----------
2 files changed, 31 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi
index ac5b3a8ce729b..de21faeafd099 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw702x.dtsi
@@ -380,15 +380,6 @@ &uart2 {
status = "okay";
};
-/* off-board */
-&usdhc1 {
- pinctrl-names = "default";
- pinctrl-0 = <&pinctrl_usdhc1>;
- bus-width = <4>;
- non-removable;
- status = "okay";
-};
-
/* eMMC */
&usdhc3 {
pinctrl-names = "default", "state_100mhz", "state_200mhz";
@@ -489,17 +480,6 @@ MX8MP_IOMUXC_UART2_TXD__UART2_DCE_TX 0x140
>;
};
- pinctrl_usdhc1: usdhc1grp {
- fsl,pins = <
- MX8MP_IOMUXC_SD1_CLK__USDHC1_CLK 0x190
- MX8MP_IOMUXC_SD1_CMD__USDHC1_CMD 0x1d0
- MX8MP_IOMUXC_SD1_DATA0__USDHC1_DATA0 0x1d0
- MX8MP_IOMUXC_SD1_DATA1__USDHC1_DATA1 0x1d0
- MX8MP_IOMUXC_SD1_DATA2__USDHC1_DATA2 0x1d0
- MX8MP_IOMUXC_SD1_DATA3__USDHC1_DATA3 0x1d0
- >;
- };
-
pinctrl_usdhc3: usdhc3grp {
fsl,pins = <
MX8MP_IOMUXC_NAND_WE_B__USDHC3_CLK 0x190
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi
index f3bab22d5e683..fc1ee675c88de 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-venice-gw72xx.dtsi
@@ -310,17 +310,6 @@ MX8MP_IOMUXC_UART4_TXD__UART4_DCE_TX 0x140
>;
};
- pinctrl_usdhc1: usdhc1grp {
- fsl,pins = <
- MX8MP_IOMUXC_SD1_CLK__USDHC1_CLK 0x190
- MX8MP_IOMUXC_SD1_CMD__USDHC1_CMD 0x1d0
- MX8MP_IOMUXC_SD1_DATA0__USDHC1_DATA0 0x1d0
- MX8MP_IOMUXC_SD1_DATA1__USDHC1_DATA1 0x1d0
- MX8MP_IOMUXC_SD1_DATA2__USDHC1_DATA2 0x1d0
- MX8MP_IOMUXC_SD1_DATA3__USDHC1_DATA3 0x1d0
- >;
- };
-
pinctrl_usdhc2: usdhc2grp {
fsl,pins = <
MX8MP_IOMUXC_SD2_CLK__USDHC2_CLK 0x190
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 078/737] PCI: rcar-gen2: Drop ARM dependency from PCI_RCAR_GEN2
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 077/737] arm64: dts: imx8mp-venice-gw702x: remove off-board sdhc1 Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 079/737] uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe Greg Kroah-Hartman
` (669 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Jarvinen, Geert Uytterhoeven,
Manivannan Sadhasivam, Bjorn Helgaas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit d312742f686582e6457070bcfd24bee8acfdf213 ]
Since the reliance on ARM-specific struct pci_sys_data was removed, this
driver can be compile-tested on other architectures.
While at it, make the help text a bit more generic, as some members of
the R-Car Gen2 family have a different number of internal PCI
controllers.
Fixes: 4a957563fe0231e0 ("PCI: rcar-gen2: Convert to use modern host bridge probe functions")
Suggested-by: Ilpo Jarvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
[bhelgaas: add rcar-gen2 to subject]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://patch.msgid.link/00f75d6732eacce93f04ffaeedc415d2db714cd6.1759480426.git.geert+renesas@glider.be
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/Kconfig | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/controller/Kconfig b/drivers/pci/controller/Kconfig
index c0c3f28249907..7736817d5daba 100644
--- a/drivers/pci/controller/Kconfig
+++ b/drivers/pci/controller/Kconfig
@@ -257,12 +257,11 @@ config PCIE_RCAR_EP
config PCI_RCAR_GEN2
bool "Renesas R-Car Gen2 Internal PCI controller"
- depends on ARCH_RENESAS || COMPILE_TEST
- depends on ARM
+ depends on (ARCH_RENESAS && ARM) || COMPILE_TEST
help
Say Y here if you want internal PCI support on R-Car Gen2 SoC.
- There are 3 internal PCI controllers available with a single
- built-in EHCI/OHCI host controller present on each one.
+ Each internal PCI controller contains a single built-in EHCI/OHCI
+ host controller.
config PCIE_ROCKCHIP
bool
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 079/737] uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 078/737] PCI: rcar-gen2: Drop ARM dependency from PCI_RCAR_GEN2 Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 080/737] clk: qcom: camcc-sm6350: Specify Titan GDSC power domain as a parent to other Greg Kroah-Hartman
` (668 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Qiang, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Qiang <liqiang01@kylinos.cn>
[ Upstream commit d48fb15e6ad142e0577428a8c5028136e10c7b3d ]
devm_kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure.
Fixes: d57801c45f53e ("uio: uio_fsl_elbc_gpcm: use device-managed allocators")
Signed-off-by: Li Qiang <liqiang01@kylinos.cn>
Link: https://patch.msgid.link/20251015064020.56589-1-liqiang01@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/uio/uio_fsl_elbc_gpcm.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/uio/uio_fsl_elbc_gpcm.c b/drivers/uio/uio_fsl_elbc_gpcm.c
index 82dda799f327d..a433bc84313fa 100644
--- a/drivers/uio/uio_fsl_elbc_gpcm.c
+++ b/drivers/uio/uio_fsl_elbc_gpcm.c
@@ -384,6 +384,11 @@ static int uio_fsl_elbc_gpcm_probe(struct platform_device *pdev)
/* set all UIO data */
info->mem[0].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "%pOFn", node);
+ if (!info->mem[0].name) {
+ ret = -ENODEV;
+ goto out_err3;
+ }
+
info->mem[0].addr = res.start;
info->mem[0].size = resource_size(&res);
info->mem[0].memtype = UIO_MEM_PHYS;
@@ -423,6 +428,8 @@ static int uio_fsl_elbc_gpcm_probe(struct platform_device *pdev)
out_err2:
if (priv->shutdown)
priv->shutdown(info, true);
+
+out_err3:
iounmap(info->mem[0].internal_addr);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 080/737] clk: qcom: camcc-sm6350: Specify Titan GDSC power domain as a parent to other
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 079/737] uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 081/737] clk: qcom: camcc-sm6350: Fix PLL config of PLL2 Greg Kroah-Hartman
` (667 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Imran Shaik,
Bryan ODonoghue, Vladimir Zapolskiy, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit a76ce61d7225934b0a52c8172a8cd944002a8c6f ]
When a consumer turns on/off a power domain dependent on another power
domain in hardware, the parent power domain shall be turned on/off by
the power domain provider as well, and to get it the power domain hardware
hierarchy shall be described in the CAMCC driver.
Establish the power domain hierarchy with a Titan GDSC set as a parent of
all other GDSC power domains provided by the SM6350 camera clock controller
to enforce a correct sequence of enabling and disabling power domains by
the consumers, this fixes the CAMCC as a supplier of power domains to CAMSS
IP and its driver.
Fixes: 80f5451d9a7c ("clk: qcom: Add camera clock controller driver for SM6350")
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Imran Shaik <imran.shaik@oss.qualcomm.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Link: https://lore.kernel.org/r/20251021234450.2271279-3-vladimir.zapolskiy@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/camcc-sm6350.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/clk/qcom/camcc-sm6350.c b/drivers/clk/qcom/camcc-sm6350.c
index eca36bd3ba5c9..79131e1699b81 100644
--- a/drivers/clk/qcom/camcc-sm6350.c
+++ b/drivers/clk/qcom/camcc-sm6350.c
@@ -1692,6 +1692,8 @@ static struct clk_branch camcc_sys_tmr_clk = {
},
};
+static struct gdsc titan_top_gdsc;
+
static struct gdsc bps_gdsc = {
.gdscr = 0x6004,
.en_rest_wait_val = 0x2,
@@ -1701,6 +1703,7 @@ static struct gdsc bps_gdsc = {
.name = "bps_gdsc",
},
.pwrsts = PWRSTS_OFF_ON,
+ .parent = &titan_top_gdsc.pd,
.flags = VOTABLE,
};
@@ -1713,6 +1716,7 @@ static struct gdsc ipe_0_gdsc = {
.name = "ipe_0_gdsc",
},
.pwrsts = PWRSTS_OFF_ON,
+ .parent = &titan_top_gdsc.pd,
.flags = VOTABLE,
};
@@ -1725,6 +1729,7 @@ static struct gdsc ife_0_gdsc = {
.name = "ife_0_gdsc",
},
.pwrsts = PWRSTS_OFF_ON,
+ .parent = &titan_top_gdsc.pd,
};
static struct gdsc ife_1_gdsc = {
@@ -1736,6 +1741,7 @@ static struct gdsc ife_1_gdsc = {
.name = "ife_1_gdsc",
},
.pwrsts = PWRSTS_OFF_ON,
+ .parent = &titan_top_gdsc.pd,
};
static struct gdsc ife_2_gdsc = {
@@ -1747,6 +1753,7 @@ static struct gdsc ife_2_gdsc = {
.name = "ife_2_gdsc",
},
.pwrsts = PWRSTS_OFF_ON,
+ .parent = &titan_top_gdsc.pd,
};
static struct gdsc titan_top_gdsc = {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 081/737] clk: qcom: camcc-sm6350: Fix PLL config of PLL2
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 080/737] clk: qcom: camcc-sm6350: Specify Titan GDSC power domain as a parent to other Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 082/737] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Greg Kroah-Hartman
` (666 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Taniya Das, Luca Weiss, Abel Vesa,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit ab0e13141d679fdffdd3463a272c5c1b10be1794 ]
The 'Agera' PLLs (with clk_agera_pll_configure) do not take some of the
parameters that are provided in the vendor driver. Instead the upstream
configuration should provide the final user_ctl value that is written to
the USER_CTL register.
Fix the config so that the PLL is configured correctly, and fixes
CAMCC_MCLK* being stuck off.
Fixes: 80f5451d9a7c ("clk: qcom: Add camera clock controller driver for SM6350")
Suggested-by: Taniya Das <taniya.das@oss.qualcomm.com>
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
Reviewed-by: Taniya Das <taniya.das@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20251021-agera-pll-fixups-v1-1-8c1d8aff4afc@fairphone.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/camcc-sm6350.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/clk/qcom/camcc-sm6350.c b/drivers/clk/qcom/camcc-sm6350.c
index 79131e1699b81..83cee6994d160 100644
--- a/drivers/clk/qcom/camcc-sm6350.c
+++ b/drivers/clk/qcom/camcc-sm6350.c
@@ -144,15 +144,11 @@ static struct clk_alpha_pll_postdiv camcc_pll1_out_even = {
static const struct alpha_pll_config camcc_pll2_config = {
.l = 0x64,
.alpha = 0x0,
- .post_div_val = 0x3 << 8,
- .post_div_mask = 0x3 << 8,
- .aux_output_mask = BIT(1),
- .main_output_mask = BIT(0),
- .early_output_mask = BIT(3),
.config_ctl_val = 0x20000800,
.config_ctl_hi_val = 0x400003d2,
.test_ctl_val = 0x04000400,
.test_ctl_hi_val = 0x00004000,
+ .user_ctl_val = 0x0000030b,
};
static struct clk_alpha_pll camcc_pll2 = {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 082/737] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 081/737] clk: qcom: camcc-sm6350: Fix PLL config of PLL2 Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 083/737] crypto: hisilicon/qm - restore original qos values Greg Kroah-Hartman
` (665 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Lukas Wunner,
Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit df0845cf447ae1556c3440b8b155de0926cbaa56 ]
Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.
Fixes: 7901c1a8effb ("KEYS: Implement binary asymmetric key ID handling")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/asymmetric_keys/asymmetric_type.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index 43af5fa510c09..7859b0692b42b 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -11,6 +11,7 @@
#include <crypto/public_key.h>
#include <linux/seq_file.h>
#include <linux/module.h>
+#include <linux/overflow.h>
#include <linux/slab.h>
#include <linux/ctype.h>
#include <keys/system_keyring.h>
@@ -151,12 +152,17 @@ struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
size_t len_2)
{
struct asymmetric_key_id *kid;
-
- kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2,
- GFP_KERNEL);
+ size_t kid_sz;
+ size_t len;
+
+ if (check_add_overflow(len_1, len_2, &len))
+ return ERR_PTR(-EOVERFLOW);
+ if (check_add_overflow(sizeof(struct asymmetric_key_id), len, &kid_sz))
+ return ERR_PTR(-EOVERFLOW);
+ kid = kmalloc(kid_sz, GFP_KERNEL);
if (!kid)
return ERR_PTR(-ENOMEM);
- kid->len = len_1 + len_2;
+ kid->len = len;
memcpy(kid->data, val_1, len_1);
memcpy(kid->data + len_1, val_2, len_2);
return kid;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 083/737] crypto: hisilicon/qm - restore original qos values
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 082/737] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 084/737] wifi: ath11k: fix peer HE MCS assignment Greg Kroah-Hartman
` (664 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, nieweiqiang, Chenghai Huang,
Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: nieweiqiang <nieweiqiang@huawei.com>
[ Upstream commit e7066160f5b4187ad9869b712fa7a35d3d5be6b9 ]
When the new qos valus setting fails, restore to
the original qos values.
Fixes: 72b010dc33b9 ("crypto: hisilicon/qm - supports writing QoS int the host")
Signed-off-by: nieweiqiang <nieweiqiang@huawei.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/hisilicon/qm.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
index a2c6b28f4b84b..2c0ca68914e2f 100644
--- a/drivers/crypto/hisilicon/qm.c
+++ b/drivers/crypto/hisilicon/qm.c
@@ -3555,6 +3555,7 @@ static int qm_clear_vft_config(struct hisi_qm *qm)
static int qm_func_shaper_enable(struct hisi_qm *qm, u32 fun_index, u32 qos)
{
struct device *dev = &qm->pdev->dev;
+ struct qm_shaper_factor t_factor;
u32 ir = qos * QM_QOS_RATE;
int ret, total_vfs, i;
@@ -3562,6 +3563,7 @@ static int qm_func_shaper_enable(struct hisi_qm *qm, u32 fun_index, u32 qos)
if (fun_index > total_vfs)
return -EINVAL;
+ memcpy(&t_factor, &qm->factor[fun_index], sizeof(t_factor));
qm->factor[fun_index].func_qos = qos;
ret = qm_get_shaper_para(ir, &qm->factor[fun_index]);
@@ -3575,11 +3577,21 @@ static int qm_func_shaper_enable(struct hisi_qm *qm, u32 fun_index, u32 qos)
ret = qm_set_vft_common(qm, SHAPER_VFT, fun_index, i, 1);
if (ret) {
dev_err(dev, "type: %d, failed to set shaper vft!\n", i);
- return -EINVAL;
+ goto back_func_qos;
}
}
return 0;
+
+back_func_qos:
+ memcpy(&qm->factor[fun_index], &t_factor, sizeof(t_factor));
+ for (i--; i >= ALG_TYPE_0; i--) {
+ ret = qm_set_vft_common(qm, SHAPER_VFT, fun_index, i, 1);
+ if (ret)
+ dev_err(dev, "failed to restore shaper vft during rollback!\n");
+ }
+
+ return -EINVAL;
}
static u32 qm_get_shaper_vft_qos(struct hisi_qm *qm, u32 fun_index)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 084/737] wifi: ath11k: fix peer HE MCS assignment
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 083/737] crypto: hisilicon/qm - restore original qos values Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 085/737] s390/smp: Fix fallback CPU detection Greg Kroah-Hartman
` (663 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baochen Qiang,
Vasanthakumar Thiagarajan, Jeff Johnson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
[ Upstream commit 4a013ca2d490c73c40588d62712ffaa432046a04 ]
In ath11k_wmi_send_peer_assoc_cmd(), peer's transmit MCS is sent to
firmware as receive MCS while peer's receive MCS sent as transmit MCS,
which goes against firmwire's definition.
While connecting to a misbehaved AP that advertises 0xffff (meaning not
supported) for 160 MHz transmit MCS map, firmware crashes due to 0xffff
is assigned to he_mcs->rx_mcs_set field.
Ext Tag: HE Capabilities
[...]
Supported HE-MCS and NSS Set
[...]
Rx and Tx MCS Maps 160 MHz
[...]
Tx HE-MCS Map 160 MHz: 0xffff
Swap the assignment to fix this issue.
As the HE rate control mask is meant to limit our own transmit MCS, it
needs to go via he_mcs->rx_mcs_set field. With the aforementioned swapping
done, change is needed as well to apply it to the peer's receive MCS.
Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Fixes: 61fe43e7216d ("ath11k: add support for setting fixed HE rate/gi/ltf")
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20251017-ath11k-mcs-assignment-v1-2-da40825c1783@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/mac.c | 4 ++--
drivers/net/wireless/ath/ath11k/wmi.c | 7 +++++--
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 2921be9bd530c..0937d725d4d0b 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -2424,10 +2424,10 @@ static void ath11k_peer_assoc_h_he(struct ath11k *ar,
he_tx_mcs = v;
}
v = le16_to_cpu(he_cap->he_mcs_nss_supp.rx_mcs_160);
+ v = ath11k_peer_assoc_h_he_limit(v, he_mcs_mask);
arg->peer_he_rx_mcs_set[WMI_HECAP_TXRX_MCS_NSS_IDX_160] = v;
v = le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_160);
- v = ath11k_peer_assoc_h_he_limit(v, he_mcs_mask);
arg->peer_he_tx_mcs_set[WMI_HECAP_TXRX_MCS_NSS_IDX_160] = v;
arg->peer_he_mcs_count++;
@@ -2437,10 +2437,10 @@ static void ath11k_peer_assoc_h_he(struct ath11k *ar,
default:
v = le16_to_cpu(he_cap->he_mcs_nss_supp.rx_mcs_80);
+ v = ath11k_peer_assoc_h_he_limit(v, he_mcs_mask);
arg->peer_he_rx_mcs_set[WMI_HECAP_TXRX_MCS_NSS_IDX_80] = v;
v = le16_to_cpu(he_cap->he_mcs_nss_supp.tx_mcs_80);
- v = ath11k_peer_assoc_h_he_limit(v, he_mcs_mask);
arg->peer_he_tx_mcs_set[WMI_HECAP_TXRX_MCS_NSS_IDX_80] = v;
arg->peer_he_mcs_count++;
diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
index 16687223bdcba..f491aeb22a883 100644
--- a/drivers/net/wireless/ath/ath11k/wmi.c
+++ b/drivers/net/wireless/ath/ath11k/wmi.c
@@ -2044,8 +2044,11 @@ int ath11k_wmi_send_peer_assoc_cmd(struct ath11k *ar,
FIELD_PREP(WMI_TLV_LEN,
sizeof(*he_mcs) - TLV_HDR_SIZE);
- he_mcs->rx_mcs_set = param->peer_he_tx_mcs_set[i];
- he_mcs->tx_mcs_set = param->peer_he_rx_mcs_set[i];
+ /* firmware interprets mcs->rx_mcs_set field as peer's
+ * RX capability
+ */
+ he_mcs->rx_mcs_set = param->peer_he_rx_mcs_set[i];
+ he_mcs->tx_mcs_set = param->peer_he_tx_mcs_set[i];
ptr += sizeof(*he_mcs);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 085/737] s390/smp: Fix fallback CPU detection
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 084/737] wifi: ath11k: fix peer HE MCS assignment Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 086/737] s390/ap: Dont leak debug feature files if AP instructions are not available Greg Kroah-Hartman
` (662 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Egorenkov, Mete Durlu,
Heiko Carstens, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
[ Upstream commit 07a75d08cfa1b883a6e1256666e5f0617ee99231 ]
In case SCLP CPU detection does not work a fallback mechanism using SIGP is
in place. Since a cleanup this does not work correctly anymore: new CPUs
are only considered if their type matches the boot CPU.
Before the cleanup the information if a CPU type should be considered was
also part of a structure generated by the fallback mechanism and indicated
that a CPU type should not be considered when adding CPUs.
Since the rework a global SCLP state is used instead. If the global SCLP
state indicates that the CPU type should be considered and the fallback
mechanism is used, there may be a mismatch with CPU types if CPUs are
added. This can lead to a system with only a single CPU even tough there
are many more CPUs.
Address this by simply copying the boot cpu type into the generated data
structure from the fallback mechanism.
Reported-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Fixes: d08d94306e90 ("s390/smp: cleanup core vs. cpu in the SCLP interface")
Reviewed-by: Mete Durlu <meted@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/smp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
index c63be2efd6895..1970c90775973 100644
--- a/arch/s390/kernel/smp.c
+++ b/arch/s390/kernel/smp.c
@@ -759,6 +759,7 @@ static void __ref smp_get_core_info(struct sclp_core_info *info, int early)
continue;
info->core[info->configured].core_id =
address >> smp_cpu_mt_shift;
+ info->core[info->configured].type = boot_core_type;
info->configured++;
}
info->combined = info->configured;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 086/737] s390/ap: Dont leak debug feature files if AP instructions are not available
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 085/737] s390/smp: Fix fallback CPU detection Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 087/737] arm64: dts: ti: k3-am62p: Fix memory ranges for GPU Greg Kroah-Hartman
` (661 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harald Freudenberger, Heiko Carstens,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
[ Upstream commit 020d5dc57874e58d3ebae398f3fe258f029e3d06 ]
If no AP instructions are available the AP bus module leaks registered
debug feature files. Change function call order to fix this.
Fixes: cccd85bfb7bf ("s390/zcrypt: Rework debug feature invocations.")
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/crypto/ap_bus.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
index 93351452184ab..97cbf233a543d 100644
--- a/drivers/s390/crypto/ap_bus.c
+++ b/drivers/s390/crypto/ap_bus.c
@@ -2235,15 +2235,15 @@ static int __init ap_module_init(void)
{
int rc;
- rc = ap_debug_init();
- if (rc)
- return rc;
-
if (!ap_instructions_available()) {
pr_warn("The hardware system does not support AP instructions\n");
return -ENODEV;
}
+ rc = ap_debug_init();
+ if (rc)
+ return rc;
+
/* init ap_queue hashtable */
hash_init(ap_queues);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 087/737] arm64: dts: ti: k3-am62p: Fix memory ranges for GPU
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 086/737] s390/ap: Dont leak debug feature files if AP instructions are not available Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 088/737] firmware: imx: scu-irq: fix OF node leak in Greg Kroah-Hartman
` (660 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randolph Sapp, Michael Walle,
Vignesh Raghavendra, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randolph Sapp <rs@ti.com>
[ Upstream commit 76546090b1726118cd6fb3db7159fc2a3fdda8a0 ]
Update the memory region listed in the k3-am62p.dtsi for the BXS-4-64
GPU to match the Main Memory Map described in the TRM [1].
[1] https://www.ti.com/lit/ug/spruj83b/spruj83b.pdf
Fixes: 29075cc09f43 ("arm64: dts: ti: Introduce AM62P5 family of SoCs")
Signed-off-by: Randolph Sapp <rs@ti.com>
Reviewed-by: Michael Walle <mwalle@kernel.org>
Link: https://patch.msgid.link/20250919193341.707660-2-rs@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am62p.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am62p.dtsi b/arch/arm64/boot/dts/ti/k3-am62p.dtsi
index dc0a8e94e9ace..0e0241e746fb1 100644
--- a/arch/arm64/boot/dts/ti/k3-am62p.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am62p.dtsi
@@ -59,7 +59,7 @@ cbass_main: bus@f0000 {
<0x00 0x01000000 0x00 0x01000000 0x00 0x01b28400>, /* First peripheral window */
<0x00 0x08000000 0x00 0x08000000 0x00 0x00200000>, /* Main CPSW */
<0x00 0x0e000000 0x00 0x0e000000 0x00 0x01d20000>, /* Second peripheral window */
- <0x00 0x0fd00000 0x00 0x0fd00000 0x00 0x00020000>, /* GPU */
+ <0x00 0x0fd80000 0x00 0x0fd80000 0x00 0x00080000>, /* GPU */
<0x00 0x20000000 0x00 0x20000000 0x00 0x0a008000>, /* Third peripheral window */
<0x00 0x30040000 0x00 0x30040000 0x00 0x00080000>, /* PRUSS-M */
<0x00 0x30101000 0x00 0x30101000 0x00 0x00010100>, /* CSI window */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 088/737] firmware: imx: scu-irq: fix OF node leak in
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 087/737] arm64: dts: ti: k3-am62p: Fix memory ranges for GPU Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 089/737] arm64: dts: qcom: sdm845-oneplus: Correct gpio used for slider Greg Kroah-Hartman
` (659 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Peng Fan, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit ee67247843a2b62d1473cfa4df300e69b5190ccf ]
imx_scu_enable_general_irq_channel() calls of_parse_phandle_with_args(),
but does not release the OF node reference. Add a of_node_put() call
to release the reference.
Fixes: 851826c7566e ("firmware: imx: enable imx scu general irq function")
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/imx/imx-scu-irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/imx/imx-scu-irq.c b/drivers/firmware/imx/imx-scu-irq.c
index 6125cccc9ba79..f2b902e95b738 100644
--- a/drivers/firmware/imx/imx-scu-irq.c
+++ b/drivers/firmware/imx/imx-scu-irq.c
@@ -226,8 +226,10 @@ int imx_scu_enable_general_irq_channel(struct device *dev)
INIT_WORK(&imx_sc_irq_work, imx_scu_irq_work_handler);
if (!of_parse_phandle_with_args(dev->of_node, "mboxes",
- "#mbox-cells", 0, &spec))
+ "#mbox-cells", 0, &spec)) {
i = of_alias_get_id(spec.np, "mu");
+ of_node_put(spec.np);
+ }
/* use mu1 as general mu irq channel if failed */
if (i < 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 089/737] arm64: dts: qcom: sdm845-oneplus: Correct gpio used for slider
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 088/737] firmware: imx: scu-irq: fix OF node leak in Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 090/737] phy: mscc: Fix PTP for VSC8574 and VSC8572 Greg Kroah-Hartman
` (658 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gergo Koteles, David Heidelberg,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gergo Koteles <soyer@irl.hu>
[ Upstream commit d7ec7d34237498fab7a6afed8da4b7139b0e387c ]
The previous GPIO numbers were wrong. Update them to the correct
ones and fix the label.
Fixes: 288ef8a42612 ("arm64: dts: sdm845: add oneplus6/6t devices")
Signed-off-by: Gergo Koteles <soyer@irl.hu>
Signed-off-by: David Heidelberg <david@ixit.cz>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250927-slider-correct-v1-1-fb8cc7fdcedf@ixit.cz
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
index 9322b92a1e682..bccc52e01da38 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845-oneplus-common.dtsi
@@ -780,8 +780,8 @@ hall_sensor_default: hall-sensor-default-state {
bias-disable;
};
- tri_state_key_default: tri-state-key-default-state {
- pins = "gpio40", "gpio42", "gpio26";
+ alert_slider_default: alert-slider-default-state {
+ pins = "gpio126", "gpio52", "gpio24";
function = "gpio";
drive-strength = <2>;
bias-disable;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 090/737] phy: mscc: Fix PTP for VSC8574 and VSC8572
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 089/737] arm64: dts: qcom: sdm845-oneplus: Correct gpio used for slider Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 091/737] sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock() Greg Kroah-Hartman
` (657 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Horatiu Vultur,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit ea5df88aeca112aac69e6c32e3dd1433a113b0c9 ]
The PTP initialization is two-step. First part are the function
vsc8584_ptp_probe_once() and vsc8584_ptp_probe() at probe time which
initialize the locks, queues, creates the PTP device. The second part is
the function vsc8584_ptp_init() at config_init() time which initialize
PTP in the HW.
For VSC8574 and VSC8572, the PTP initialization is incomplete. It is
missing the first part but it makes the second part. Meaning that the
ptp_clock_register() is never called.
There is no crash without the first part when enabling PTP but this is
unexpected because some PHys have PTP functionality exposed by the
driver and some don't even though they share the same PTP clock PTP.
Fixes: 774626fa440e ("net: phy: mscc: Add PTP support for 2 more VSC PHYs")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20251023191350.190940-3-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index 3a932b30f4358..0a4aa8e08827a 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -2595,7 +2595,7 @@ static struct phy_driver vsc85xx_driver[] = {
.suspend = &genphy_suspend,
.resume = &genphy_resume,
.remove = &vsc85xx_remove,
- .probe = &vsc8574_probe,
+ .probe = &vsc8584_probe,
.set_wol = &vsc85xx_wol_set,
.get_wol = &vsc85xx_wol_get,
.get_tunable = &vsc85xx_get_tunable,
@@ -2616,12 +2616,12 @@ static struct phy_driver vsc85xx_driver[] = {
.config_aneg = &vsc85xx_config_aneg,
.aneg_done = &genphy_aneg_done,
.read_status = &vsc85xx_read_status,
- .handle_interrupt = vsc85xx_handle_interrupt,
+ .handle_interrupt = vsc8584_handle_interrupt,
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
.remove = &vsc85xx_remove,
- .probe = &vsc8574_probe,
+ .probe = &vsc8584_probe,
.set_wol = &vsc85xx_wol_set,
.get_wol = &vsc85xx_wol_get,
.get_tunable = &vsc85xx_get_tunable,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 091/737] sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock().
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 090/737] phy: mscc: Fix PTP for VSC8574 and VSC8572 Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 092/737] RDMA/rxe: Fix null deref on srq->rq.queue after resize failure Greg Kroah-Hartman
` (656 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Xin Long,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 622e8838a29845316668ec2e7648428878df7f9a ]
SCTP_DBG_OBJCNT_INC() is called only when sctp_init_sock()
returns 0 after successfully allocating sctp_sk(sk)->ep.
OTOH, SCTP_DBG_OBJCNT_DEC() is called in sctp_close().
The code seems to expect that the socket is always exposed
to userspace once SCTP_DBG_OBJCNT_INC() is incremented, but
there is a path where the assumption is not true.
In sctp_accept(), sctp_sock_migrate() could fail after
sctp_init_sock().
Then, sk_common_release() does not call inet_release() nor
sctp_close(). Instead, it calls sk->sk_prot->destroy().
Let's move SCTP_DBG_OBJCNT_DEC() from sctp_close() to
sctp_destroy_sock().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20251023231751.4168390-2-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/socket.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index adc04e88f349f..852c4f66eab5d 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1553,8 +1553,6 @@ static void sctp_close(struct sock *sk, long timeout)
spin_unlock_bh(&net->sctp.addr_wq_lock);
sock_put(sk);
-
- SCTP_DBG_OBJCNT_DEC(sock);
}
/* Handle EPIPE error. */
@@ -5106,9 +5104,12 @@ static void sctp_destroy_sock(struct sock *sk)
sp->do_auto_asconf = 0;
list_del(&sp->auto_asconf_list);
}
+
sctp_endpoint_free(sp->ep);
+
sk_sockets_allocated_dec(sk);
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+ SCTP_DBG_OBJCNT_DEC(sock);
}
/* Triggered when there are no references on the socket anymore */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 092/737] RDMA/rxe: Fix null deref on srq->rq.queue after resize failure
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 091/737] sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock() Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 093/737] ARM: dts: renesas: gose: Remove superfluous port property Greg Kroah-Hartman
` (655 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liu Yi, Zhu Yanjun, Leon Romanovsky,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhu Yanjun <yanjun.zhu@linux.dev>
[ Upstream commit 503a5e4690ae14c18570141bc0dcf7501a8419b0 ]
A NULL pointer dereference can occur in rxe_srq_chk_attr() when
ibv_modify_srq() is invoked twice in succession under certain error
conditions. The first call may fail in rxe_queue_resize(), which leads
rxe_srq_from_attr() to set srq->rq.queue = NULL. The second call then
triggers a crash (null deref) when accessing
srq->rq.queue->buf->index_mask.
Call Trace:
<TASK>
rxe_modify_srq+0x170/0x480 [rdma_rxe]
? __pfx_rxe_modify_srq+0x10/0x10 [rdma_rxe]
? uverbs_try_lock_object+0x4f/0xa0 [ib_uverbs]
? rdma_lookup_get_uobject+0x1f0/0x380 [ib_uverbs]
ib_uverbs_modify_srq+0x204/0x290 [ib_uverbs]
? __pfx_ib_uverbs_modify_srq+0x10/0x10 [ib_uverbs]
? tryinc_node_nr_active+0xe6/0x150
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x2c0/0x470 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
? uverbs_fill_udata+0xed/0x4f0 [ib_uverbs]
ib_uverbs_run_method+0x55a/0x6e0 [ib_uverbs]
? __pfx_ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x10/0x10 [ib_uverbs]
ib_uverbs_cmd_verbs+0x54d/0x800 [ib_uverbs]
? __pfx_ib_uverbs_cmd_verbs+0x10/0x10 [ib_uverbs]
? __pfx___raw_spin_lock_irqsave+0x10/0x10
? __pfx_do_vfs_ioctl+0x10/0x10
? ioctl_has_perm.constprop.0.isra.0+0x2c7/0x4c0
? __pfx_ioctl_has_perm.constprop.0.isra.0+0x10/0x10
ib_uverbs_ioctl+0x13e/0x220 [ib_uverbs]
? __pfx_ib_uverbs_ioctl+0x10/0x10 [ib_uverbs]
__x64_sys_ioctl+0x138/0x1c0
do_syscall_64+0x82/0x250
? fdget_pos+0x58/0x4c0
? ksys_write+0xf3/0x1c0
? __pfx_ksys_write+0x10/0x10
? do_syscall_64+0xc8/0x250
? __pfx_vm_mmap_pgoff+0x10/0x10
? fget+0x173/0x230
? fput+0x2a/0x80
? ksys_mmap_pgoff+0x224/0x4c0
? do_syscall_64+0xc8/0x250
? do_user_addr_fault+0x37b/0xfe0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
? clear_bhb_loop+0x50/0xa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Tested-by: Liu Yi <asatsuyu.liu@gmail.com>
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Link: https://patch.msgid.link/20251027215203.1321-1-yanjun.zhu@linux.dev
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/sw/rxe/rxe_srq.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_srq.c b/drivers/infiniband/sw/rxe/rxe_srq.c
index 3661cb627d28a..2a234f26ac104 100644
--- a/drivers/infiniband/sw/rxe/rxe_srq.c
+++ b/drivers/infiniband/sw/rxe/rxe_srq.c
@@ -171,7 +171,7 @@ int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq,
udata, mi, &srq->rq.producer_lock,
&srq->rq.consumer_lock);
if (err)
- goto err_free;
+ return err;
srq->rq.max_wr = attr->max_wr;
}
@@ -180,11 +180,6 @@ int rxe_srq_from_attr(struct rxe_dev *rxe, struct rxe_srq *srq,
srq->limit = attr->srq_limit;
return 0;
-
-err_free:
- rxe_queue_cleanup(q);
- srq->rq.queue = NULL;
- return err;
}
void rxe_srq_cleanup(struct rxe_pool_elem *elem)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 093/737] ARM: dts: renesas: gose: Remove superfluous port property
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 092/737] RDMA/rxe: Fix null deref on srq->rq.queue after resize failure Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 094/737] ARM: dts: renesas: r9a06g032-rzn1d400-db: Drop invalid #cells properties Greg Kroah-Hartman
` (654 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Geert Uytterhoeven,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 00df14f34615630f92f97c9d6790bd9d25c4242d ]
'bus-width' is defined for the corresponding vin input port already.
No need to declare it in the output port again. Fixes:
arch/arm/boot/dts/renesas/r8a7793-gose.dtb: composite-in@20 (adi,adv7180cp): ports:port@3:endpoint: Unevaluated properties are not allowed ('bus-width' was unexpected)
from schema $id: http://devicetree.org/schemas/media/i2c/adi,adv7180.yaml#
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20250929093616.17679-2-wsa+renesas@sang-engineering.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/renesas/r8a7793-gose.dts | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm/boot/dts/renesas/r8a7793-gose.dts b/arch/arm/boot/dts/renesas/r8a7793-gose.dts
index 9358fc7d0e9f6..e92de3ab33b5a 100644
--- a/arch/arm/boot/dts/renesas/r8a7793-gose.dts
+++ b/arch/arm/boot/dts/renesas/r8a7793-gose.dts
@@ -355,7 +355,6 @@ adv7180_in: endpoint {
port@3 {
reg = <3>;
adv7180_out: endpoint {
- bus-width = <8>;
remote-endpoint = <&vin1ep>;
};
};
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 094/737] ARM: dts: renesas: r9a06g032-rzn1d400-db: Drop invalid #cells properties
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 093/737] ARM: dts: renesas: gose: Remove superfluous port property Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 095/737] Revert "mtd: rawnand: marvell: fix layouts" Greg Kroah-Hartman
` (653 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Geert Uytterhoeven,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit ca7fffb6e92a7c93604ea2bae0e1c89b20750937 ]
The 'ethernet-ports' node in the SoC DTSI handles them already. Fixes:
arch/arm/boot/dts/renesas/r9a06g032-rzn1d400-db.dtb: switch@44050000 (renesas,r9a06g032-a5psw): Unevaluated properties are not allowed ('#address-cells', '#size-cells' were unexpected)
from schema $id: http://devicetree.org/schemas/net/dsa/renesas,rzn1-a5psw.yaml#
Fixes: 5b6d7c3c5861ad4a ("ARM: dts: r9a06g032-rzn1d400-db: Add switch description")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20251007104624.19786-2-wsa+renesas@sang-engineering.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/renesas/r9a06g032-rzn1d400-db.dts | 2 --
1 file changed, 2 deletions(-)
diff --git a/arch/arm/boot/dts/renesas/r9a06g032-rzn1d400-db.dts b/arch/arm/boot/dts/renesas/r9a06g032-rzn1d400-db.dts
index 31cdca3e623cd..5fa7acce47149 100644
--- a/arch/arm/boot/dts/renesas/r9a06g032-rzn1d400-db.dts
+++ b/arch/arm/boot/dts/renesas/r9a06g032-rzn1d400-db.dts
@@ -126,8 +126,6 @@ &rtc0 {
&switch {
status = "okay";
- #address-cells = <1>;
- #size-cells = <0>;
pinctrl-names = "default";
pinctrl-0 = <&pins_eth3>, <&pins_eth4>, <&pins_mdio1>;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 095/737] Revert "mtd: rawnand: marvell: fix layouts"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 094/737] ARM: dts: renesas: r9a06g032-rzn1d400-db: Drop invalid #cells properties Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 096/737] mtd: nand: relax ECC parameter validation check Greg Kroah-Hartman
` (652 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aryan Srivastava, Miquel Raynal,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aryan Srivastava <aryan.srivastava@alliedtelesis.co.nz>
[ Upstream commit fbd72cb463fdea3a0c900dd5d6e813cdebc3a73c ]
This reverts commit e6a30d0c48a1e8a68f1cc413bee65302ab03ddfb.
This change resulted in the 8bit ECC layouts having the incorrect amount
of read/write chunks, the last spare bytes chunk would always be missed.
Fixes: e6a30d0c48a1 ("mtd: rawnand: marvell: fix layouts")
Signed-off-by: Aryan Srivastava <aryan.srivastava@alliedtelesis.co.nz>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/marvell_nand.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c
index 93d8c6da555b9..b841a81cb1282 100644
--- a/drivers/mtd/nand/raw/marvell_nand.c
+++ b/drivers/mtd/nand/raw/marvell_nand.c
@@ -290,13 +290,16 @@ static const struct marvell_hw_ecc_layout marvell_nfc_layouts[] = {
MARVELL_LAYOUT( 2048, 512, 4, 1, 1, 2048, 32, 30, 0, 0, 0),
MARVELL_LAYOUT( 2048, 512, 8, 2, 1, 1024, 0, 30,1024,32, 30),
MARVELL_LAYOUT( 2048, 512, 8, 2, 1, 1024, 0, 30,1024,64, 30),
- MARVELL_LAYOUT( 2048, 512, 16, 4, 4, 512, 0, 30, 0, 32, 30),
+ MARVELL_LAYOUT( 2048, 512, 12, 3, 2, 704, 0, 30,640, 0, 30),
+ MARVELL_LAYOUT( 2048, 512, 16, 5, 4, 512, 0, 30, 0, 32, 30),
MARVELL_LAYOUT( 4096, 512, 4, 2, 2, 2048, 32, 30, 0, 0, 0),
- MARVELL_LAYOUT( 4096, 512, 8, 4, 4, 1024, 0, 30, 0, 64, 30),
- MARVELL_LAYOUT( 4096, 512, 16, 8, 8, 512, 0, 30, 0, 32, 30),
+ MARVELL_LAYOUT( 4096, 512, 8, 5, 4, 1024, 0, 30, 0, 64, 30),
+ MARVELL_LAYOUT( 4096, 512, 12, 6, 5, 704, 0, 30,576, 32, 30),
+ MARVELL_LAYOUT( 4096, 512, 16, 9, 8, 512, 0, 30, 0, 32, 30),
MARVELL_LAYOUT( 8192, 512, 4, 4, 4, 2048, 0, 30, 0, 0, 0),
- MARVELL_LAYOUT( 8192, 512, 8, 8, 8, 1024, 0, 30, 0, 160, 30),
- MARVELL_LAYOUT( 8192, 512, 16, 16, 16, 512, 0, 30, 0, 32, 30),
+ MARVELL_LAYOUT( 8192, 512, 8, 9, 8, 1024, 0, 30, 0, 160, 30),
+ MARVELL_LAYOUT( 8192, 512, 12, 12, 11, 704, 0, 30,448, 64, 30),
+ MARVELL_LAYOUT( 8192, 512, 16, 17, 16, 512, 0, 30, 0, 32, 30),
};
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 096/737] mtd: nand: relax ECC parameter validation check
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 095/737] Revert "mtd: rawnand: marvell: fix layouts" Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 097/737] mtd: rawnand: lpc32xx_slc: fix GPIO descriptor leak on probe error and remove Greg Kroah-Hartman
` (651 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aryan Srivastava, Miquel Raynal,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aryan Srivastava <aryan.srivastava@alliedtelesis.co.nz>
[ Upstream commit 050553c683f21eebd7d1020df9b2ec852e2a9e4e ]
Due to the custom handling and layouts of certain nand controllers this
validity check will always fail for certain layouts. The check
inherently depends on even chunk sizing and this is not always the
case.
Modify the check to only print a warning, instead of failing to
init the attached NAND. This allows various 8 bit and 12 ECC strength
layouts to be used.
Fixes: 68c18dae6888 ("mtd: rawnand: marvell: add missing layouts")
Signed-off-by: Aryan Srivastava <aryan.srivastava@alliedtelesis.co.nz>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/nand_base.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c
index 7c3e3d70be8b0..fe0b298f8425e 100644
--- a/drivers/mtd/nand/raw/nand_base.c
+++ b/drivers/mtd/nand/raw/nand_base.c
@@ -6450,11 +6450,14 @@ static int nand_scan_tail(struct nand_chip *chip)
ecc->steps = mtd->writesize / ecc->size;
if (!base->ecc.ctx.nsteps)
base->ecc.ctx.nsteps = ecc->steps;
- if (ecc->steps * ecc->size != mtd->writesize) {
- WARN(1, "Invalid ECC parameters\n");
- ret = -EINVAL;
- goto err_nand_manuf_cleanup;
- }
+
+ /*
+ * Validity check: Warn if ECC parameters are not compatible with page size.
+ * Due to the custom handling of ECC blocks in certain controllers the check
+ * may result in an expected failure.
+ */
+ if (ecc->steps * ecc->size != mtd->writesize)
+ pr_warn("ECC parameters may be invalid in reference to underlying NAND chip\n");
if (!ecc->total) {
ecc->total = ecc->steps * ecc->bytes;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 097/737] mtd: rawnand: lpc32xx_slc: fix GPIO descriptor leak on probe error and remove
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 096/737] mtd: nand: relax ECC parameter validation check Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 098/737] task_work: Fix NMI race condition Greg Kroah-Hartman
` (650 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Miquel Raynal,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit cdf44f1add4ec9ee80569d5a43e6e9bba0d74c7a ]
The driver calls gpiod_get_optional() in the probe function but
never calls gpiod_put() in the remove function or in the probe
error path. This leads to a GPIO descriptor resource leak.
The lpc32xx_mlc.c driver in the same directory handles this
correctly by calling gpiod_put() on both paths.
Add gpiod_put() in the remove function and in the probe error path
to fix the resource leak.
Fixes: 6b923db2867c ("mtd: rawnand: lpc32xx_slc: switch to using gpiod API")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/lpc32xx_slc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/mtd/nand/raw/lpc32xx_slc.c b/drivers/mtd/nand/raw/lpc32xx_slc.c
index 1c5fa855b9f2d..8abad092b0580 100644
--- a/drivers/mtd/nand/raw/lpc32xx_slc.c
+++ b/drivers/mtd/nand/raw/lpc32xx_slc.c
@@ -933,6 +933,7 @@ static int lpc32xx_nand_probe(struct platform_device *pdev)
dma_release_channel(host->dma_chan);
enable_wp:
lpc32xx_wp_enable(host);
+ gpiod_put(host->wp_gpio);
return res;
}
@@ -958,6 +959,7 @@ static void lpc32xx_nand_remove(struct platform_device *pdev)
writel(tmp, SLC_CTRL(host->io_base));
lpc32xx_wp_enable(host);
+ gpiod_put(host->wp_gpio);
}
static int lpc32xx_nand_resume(struct platform_device *pdev)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 098/737] task_work: Fix NMI race condition
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 097/737] mtd: rawnand: lpc32xx_slc: fix GPIO descriptor leak on probe error and remove Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 099/737] x86/dumpstack: Prevent KASAN false positive warnings in __show_regs() Greg Kroah-Hartman
` (649 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josh Poimboeuf,
Peter Zijlstra (Intel), Steven Rostedt (Google), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit ef1ea98c8fffe227e5319215d84a53fa2a4bcebc ]
__schedule()
// disable irqs
<NMI>
task_work_add(current, work, TWA_NMI_CURRENT);
</NMI>
// current = next;
// enable irqs
<IRQ>
task_work_set_notify_irq()
test_and_set_tsk_thread_flag(current,
TIF_NOTIFY_RESUME); // wrong task!
</IRQ>
// original task skips task work on its next return to user (or exit!)
Fixes: 466e4d801cd4 ("task_work: Add TWA_NMI_CURRENT as an additional notify mode.")
Reported-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Link: https://patch.msgid.link/20250924080118.425949403@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/task_work.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/kernel/task_work.c b/kernel/task_work.c
index c969f1f26be58..48ab6275e6e7e 100644
--- a/kernel/task_work.c
+++ b/kernel/task_work.c
@@ -9,7 +9,12 @@ static struct callback_head work_exited; /* all we need is ->next == NULL */
#ifdef CONFIG_IRQ_WORK
static void task_work_set_notify_irq(struct irq_work *entry)
{
- test_and_set_tsk_thread_flag(current, TIF_NOTIFY_RESUME);
+ /*
+ * no-op IPI
+ *
+ * TWA_NMI_CURRENT will already have set the TIF flag, all
+ * this interrupt does it tickle the return-to-user path.
+ */
}
static DEFINE_PER_CPU(struct irq_work, irq_work_NMI_resume) =
IRQ_WORK_INIT_HARD(task_work_set_notify_irq);
@@ -98,6 +103,7 @@ int task_work_add(struct task_struct *task, struct callback_head *work,
break;
#ifdef CONFIG_IRQ_WORK
case TWA_NMI_CURRENT:
+ set_tsk_thread_flag(current, TIF_NOTIFY_RESUME);
irq_work_queue(this_cpu_ptr(&irq_work_NMI_resume));
break;
#endif
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 099/737] x86/dumpstack: Prevent KASAN false positive warnings in __show_regs()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 098/737] task_work: Fix NMI race condition Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 100/737] tools/nolibc/stdio: let perror work when NOLIBC_IGNORE_ERRNO is set Greg Kroah-Hartman
` (648 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tengda Wu, Borislav Petkov (AMD),
Andrey Ryabinin, Josh Poimboeuf, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tengda Wu <wutengda@huaweicloud.com>
[ Upstream commit ced37e9ceae50e4cb6cd058963bd315ec9afa651 ]
When triggering a stack dump via sysrq (echo t > /proc/sysrq-trigger),
KASAN may report false-positive out-of-bounds access:
BUG: KASAN: out-of-bounds in __show_regs+0x4b/0x340
Call Trace:
dump_stack_lvl
print_address_description.constprop.0
print_report
__show_regs
show_trace_log_lvl
sched_show_task
show_state_filter
sysrq_handle_showstate
__handle_sysrq
write_sysrq_trigger
proc_reg_write
vfs_write
ksys_write
do_syscall_64
entry_SYSCALL_64_after_hwframe
The issue occurs as follows:
Task A (walk other tasks' stacks) Task B (running)
1. echo t > /proc/sysrq-trigger
show_trace_log_lvl
regs = unwind_get_entry_regs()
show_regs_if_on_stack(regs)
2. The stack value pointed by
`regs` keeps changing, and
so are the tags in its
KASAN shadow region.
__show_regs(regs)
regs->ax, regs->bx, ...
3. hit KASAN redzones, OOB
When task A walks task B's stack without suspending it, the continuous changes
in task B's stack (and corresponding KASAN shadow tags) may cause task A to
hit KASAN redzones when accessing obsolete values on the stack, resulting in
false positive reports.
Simply stopping the task before unwinding is not a viable fix, as it would
alter the state intended to inspect. This is especially true for diagnosing
misbehaving tasks (e.g., in a hard lockup), where stopping might fail or hide
the root cause by changing the call stack.
Therefore, fix this by disabling KASAN checks during asynchronous stack
unwinding, which is identified when the unwinding task does not match the
current task (task != current).
[ bp: Align arguments on function's opening brace. ]
Fixes: 3b3fa11bc700 ("x86/dumpstack: Print any pt_regs found on the stack")
Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Link: https://patch.msgid.link/all/20251023090632.269121-1-wutengda@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/dumpstack.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index 52dc5839d1e8e..0667d947d82bb 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -183,8 +183,8 @@ static void show_regs_if_on_stack(struct stack_info *info, struct pt_regs *regs,
* in false positive reports. Disable instrumentation to avoid those.
*/
__no_kmsan_checks
-static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
- unsigned long *stack, const char *log_lvl)
+static void __show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ unsigned long *stack, const char *log_lvl)
{
struct unwind_state state;
struct stack_info stack_info = {0};
@@ -305,6 +305,25 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
}
}
+static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ unsigned long *stack, const char *log_lvl)
+{
+ /*
+ * Disable KASAN to avoid false positives during walking another
+ * task's stacks, as values on these stacks may change concurrently
+ * with task execution.
+ */
+ bool disable_kasan = task && task != current;
+
+ if (disable_kasan)
+ kasan_disable_current();
+
+ __show_trace_log_lvl(task, regs, stack, log_lvl);
+
+ if (disable_kasan)
+ kasan_enable_current();
+}
+
void show_stack(struct task_struct *task, unsigned long *sp,
const char *loglvl)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 100/737] tools/nolibc/stdio: let perror work when NOLIBC_IGNORE_ERRNO is set
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 099/737] x86/dumpstack: Prevent KASAN false positive warnings in __show_regs() Greg Kroah-Hartman
@ 2026-01-09 11:33 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 101/737] soc: qcom: smem: fix hwspinlock resource leak in probe error paths Greg Kroah-Hartman
` (647 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:33 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Thomas Weißschuh,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <benjamin.berg@intel.com>
[ Upstream commit c485ca3aff2442adea4c08ceb5183e671ebed22a ]
There is no errno variable when NOLIBC_IGNORE_ERRNO is defined. As such,
simply print the message with "unknown error" rather than the integer
value of errno.
Fixes: acab7bcdb1bc ("tools/nolibc/stdio: add perror() to report the errno value")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/include/nolibc/stdio.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/include/nolibc/stdio.h b/tools/include/nolibc/stdio.h
index cae402c11e575..36952314eef6f 100644
--- a/tools/include/nolibc/stdio.h
+++ b/tools/include/nolibc/stdio.h
@@ -352,7 +352,11 @@ int printf(const char *fmt, ...)
static __attribute__((unused))
void perror(const char *msg)
{
+#ifdef NOLIBC_IGNORE_ERRNO
+ fprintf(stderr, "%s%sunknown error\n", (msg && *msg) ? msg : "", (msg && *msg) ? ": " : "");
+#else
fprintf(stderr, "%s%serrno=%d\n", (msg && *msg) ? msg : "", (msg && *msg) ? ": " : "", errno);
+#endif
}
static __attribute__((unused))
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 101/737] soc: qcom: smem: fix hwspinlock resource leak in probe error paths
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-01-09 11:33 ` [PATCH 6.6 100/737] tools/nolibc/stdio: let perror work when NOLIBC_IGNORE_ERRNO is set Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 102/737] pinctrl: stm32: fix hwspinlock resource leak in probe function Greg Kroah-Hartman
` (646 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Konrad Dybcio,
Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit dc5db35073a19f6d3c30bea367b551c1a784ef8f ]
The hwspinlock acquired via hwspin_lock_request_specific() is not
released on several error paths. This results in resource leakage
when probe fails.
Switch to devm_hwspin_lock_request_specific() to automatically
handle cleanup on probe failure. Remove the manual hwspin_lock_free()
in qcom_smem_remove() as devm handles it automatically.
Fixes: 20bb6c9de1b7 ("soc: qcom: smem: map only partitions used by local HOST")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20251029022733.255-1-vulab@iscas.ac.cn
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/smem.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/soc/qcom/smem.c b/drivers/soc/qcom/smem.c
index aead7dd482ea3..5217ff0a434f5 100644
--- a/drivers/soc/qcom/smem.c
+++ b/drivers/soc/qcom/smem.c
@@ -1164,7 +1164,7 @@ static int qcom_smem_probe(struct platform_device *pdev)
return hwlock_id;
}
- smem->hwlock = hwspin_lock_request_specific(hwlock_id);
+ smem->hwlock = devm_hwspin_lock_request_specific(&pdev->dev, hwlock_id);
if (!smem->hwlock)
return -ENXIO;
@@ -1217,7 +1217,6 @@ static int qcom_smem_remove(struct platform_device *pdev)
{
platform_device_unregister(__smem->socinfo);
- hwspin_lock_free(__smem->hwlock);
__smem = NULL;
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 102/737] pinctrl: stm32: fix hwspinlock resource leak in probe function
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 101/737] soc: qcom: smem: fix hwspinlock resource leak in probe error paths Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 103/737] i3c: master: Inherit DMA masks and parameters from parent device Greg Kroah-Hartman
` (645 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Antonio Borneo,
Linus Walleij, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 002679f79ed605e543fbace465557317cd307c9a ]
In stm32_pctl_probe(), hwspin_lock_request_specific() is called to
request a hwspinlock, but the acquired lock is not freed on multiple
error paths after this call. This causes resource leakage when the
function fails to initialize properly.
Use devm_hwspin_lock_request_specific() instead of
hwspin_lock_request_specific() to automatically manage the hwspinlock
resource lifecycle.
Fixes: 97cfb6cd34f2 ("pinctrl: stm32: protect configuration registers with a hwspinlock")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Antonio Borneo <antonio.borneo@foss.st.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/stm32/pinctrl-stm32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
index 67c2791ee246f..ac96523e07b8d 100644
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -1550,7 +1550,7 @@ int stm32_pctl_probe(struct platform_device *pdev)
if (hwlock_id == -EPROBE_DEFER)
return hwlock_id;
} else {
- pctl->hwlock = hwspin_lock_request_specific(hwlock_id);
+ pctl->hwlock = devm_hwspin_lock_request_specific(dev, hwlock_id);
}
spin_lock_init(&pctl->irqmux_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 103/737] i3c: master: Inherit DMA masks and parameters from parent device
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 102/737] pinctrl: stm32: fix hwspinlock resource leak in probe function Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 104/737] i3c: fix refcount inconsistency in i3c_master_register Greg Kroah-Hartman
` (644 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jarkko Nikula, Alexandre Belloni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
[ Upstream commit 0c35691551387e060e6ae7a6652b4101270c73cf ]
Copy the DMA masks and parameters for an I3C master device from parent
device so that the master device has them set for the DMA buffer and
mapping API.
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Link: https://lore.kernel.org/r/20230921055704.1087277-2-jarkko.nikula@linux.intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 9d4f219807d5 ("i3c: fix refcount inconsistency in i3c_master_register")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index b6995e767850b..29e591bcc0646 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2775,6 +2775,10 @@ int i3c_master_register(struct i3c_master_controller *master,
device_initialize(&master->dev);
dev_set_name(&master->dev, "i3c-%d", i3cbus->id);
+ master->dev.dma_mask = parent->dma_mask;
+ master->dev.coherent_dma_mask = parent->coherent_dma_mask;
+ master->dev.dma_parms = parent->dma_parms;
+
ret = of_populate_i3c_bus(master);
if (ret)
goto err_put_dev;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 104/737] i3c: fix refcount inconsistency in i3c_master_register
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 103/737] i3c: master: Inherit DMA masks and parameters from parent device Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 105/737] i3c: master: svc: Prevent incomplete IBI transaction Greg Kroah-Hartman
` (643 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuhao Fu, Frank Li,
Alexandre Belloni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit 9d4f219807d5ac11fb1d596e4ddb09336b040067 ]
In `i3c_master_register`, a possible refcount inconsistency has been
identified, causing possible resource leak.
Function `of_node_get` increases the refcount of `parent->of_node`. If
function `i3c_bus_init` fails, the function returns immediately without
a corresponding decrease, resulting in an inconsistent refcounter.
Move call i3c_bus_init() after device_initialize() to let callback
i3c_masterdev_release() release of_node.
Reported-by: Shuhao Fu <sfual@cse.ust.hk>
Closes: https://lore.kernel.org/linux-i3c/aO2tjp_FsV_WohPG@osx.local/T/#m2c05a982beeb14e7bf039c1d8db856734bf234c7
Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20251016143814.2551256-1-Frank.Li@nxp.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index 29e591bcc0646..060f70e4d52d7 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2768,10 +2768,6 @@ int i3c_master_register(struct i3c_master_controller *master,
INIT_LIST_HEAD(&master->boardinfo.i2c);
INIT_LIST_HEAD(&master->boardinfo.i3c);
- ret = i3c_bus_init(i3cbus, master->dev.of_node);
- if (ret)
- return ret;
-
device_initialize(&master->dev);
dev_set_name(&master->dev, "i3c-%d", i3cbus->id);
@@ -2779,6 +2775,10 @@ int i3c_master_register(struct i3c_master_controller *master,
master->dev.coherent_dma_mask = parent->coherent_dma_mask;
master->dev.dma_parms = parent->dma_parms;
+ ret = i3c_bus_init(i3cbus, master->dev.of_node);
+ if (ret)
+ goto err_put_dev;
+
ret = of_populate_i3c_bus(master);
if (ret)
goto err_put_dev;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 105/737] i3c: master: svc: Prevent incomplete IBI transaction
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 104/737] i3c: fix refcount inconsistency in i3c_master_register Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 106/737] interconnect: qcom: msm8996: add missing link to SLAVE_USB_HS Greg Kroah-Hartman
` (642 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanley Chu, Frank Li, Miquel Raynal,
Alexandre Belloni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanley Chu <yschu@nuvoton.com>
[ Upstream commit 3a36273e5a07dda0ccec193800f3b78c3c0380af ]
If no free IBI slot is available, svc_i3c_master_handle_ibi returns
immediately. This causes the STOP condition to be missed because the
EmitStop request is sent when the transfer is not complete. To resolve
this, svc_i3c_master_handle_ibi must wait for the transfer to complete
before returning.
Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver")
Signed-off-by: Stanley Chu <yschu@nuvoton.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20251027034715.708243-1-yschu@nuvoton.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/svc-i3c-master.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
index 277884b5e1ca4..3222b8f56a926 100644
--- a/drivers/i3c/master/svc-i3c-master.c
+++ b/drivers/i3c/master/svc-i3c-master.c
@@ -358,21 +358,27 @@ static int svc_i3c_master_handle_ibi(struct svc_i3c_master *master,
int ret, val;
u8 *buf;
- slot = i3c_generic_ibi_get_free_slot(data->ibi_pool);
- if (!slot)
- return -ENOSPC;
-
- slot->len = 0;
- buf = slot->data;
-
+ /*
+ * Wait for transfer to complete before returning. Otherwise, the EmitStop
+ * request might be sent when the transfer is not complete.
+ */
ret = readl_relaxed_poll_timeout(master->regs + SVC_I3C_MSTATUS, val,
SVC_I3C_MSTATUS_COMPLETE(val), 0, 1000);
if (ret) {
dev_err(master->dev, "Timeout when polling for COMPLETE\n");
- i3c_generic_ibi_recycle_slot(data->ibi_pool, slot);
return ret;
}
+ slot = i3c_generic_ibi_get_free_slot(data->ibi_pool);
+ if (!slot) {
+ dev_dbg(master->dev, "No free ibi slot, drop the data\n");
+ writel(SVC_I3C_MDATACTRL_FLUSHRB, master->regs + SVC_I3C_MDATACTRL);
+ return -ENOSPC;
+ }
+
+ slot->len = 0;
+ buf = slot->data;
+
while (SVC_I3C_MSTATUS_RXPEND(readl(master->regs + SVC_I3C_MSTATUS)) &&
slot->len < SVC_I3C_FIFO_SIZE) {
mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 106/737] interconnect: qcom: msm8996: add missing link to SLAVE_USB_HS
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 105/737] i3c: master: svc: Prevent incomplete IBI transaction Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 107/737] arm64: dts: qcom: msm8996: add interconnect paths to USB2 controller Greg Kroah-Hartman
` (641 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Georgi Djakov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 8cf9b43f6b4d90e19a9341edefdd46842d4adb55 ]
>From the initial submission the interconnect driver missed the link from
SNOC_PNOC to the USB 2 configuration space. Add missing link in order to
let the platform configure and utilize this path.
Fixes: 7add937f5222 ("interconnect: qcom: Add MSM8996 interconnect provider driver")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20251002-fix-msm8996-icc-v1-1-a36a05d1f869@oss.qualcomm.com
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/interconnect/qcom/msm8996.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/interconnect/qcom/msm8996.c b/drivers/interconnect/qcom/msm8996.c
index 88683dfa468f6..84811fe32782f 100644
--- a/drivers/interconnect/qcom/msm8996.c
+++ b/drivers/interconnect/qcom/msm8996.c
@@ -550,6 +550,7 @@ static struct qcom_icc_node mas_venus_vmem = {
static const u16 mas_snoc_pnoc_links[] = {
MSM8996_SLAVE_BLSP_1,
MSM8996_SLAVE_BLSP_2,
+ MSM8996_SLAVE_USB_HS,
MSM8996_SLAVE_SDCC_1,
MSM8996_SLAVE_SDCC_2,
MSM8996_SLAVE_SDCC_4,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 107/737] arm64: dts: qcom: msm8996: add interconnect paths to USB2 controller
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 106/737] interconnect: qcom: msm8996: add missing link to SLAVE_USB_HS Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 108/737] interconnect: debugfs: Fix incorrect error handling for NULL path Greg Kroah-Hartman
` (640 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Konrad Dybcio,
Bjorn Andersson, Georgi Djakov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit 242f7558e7bf54cb63c06506f7b0630dd67d45a4 ]
Add the missing interconnects to the USB2 host. The Fixes tag points to
the commit which broke probing of the USB host on that platform.
Fixes: 130733a10079 ("interconnect: qcom: msm8996: Promote to core_initcall")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Acked-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20251002-fix-msm8996-icc-v1-2-a36a05d1f869@oss.qualcomm.com
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8996.dtsi | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
index 70ef8c83e7b9f..473d72d2c7b1a 100644
--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
@@ -3432,6 +3432,9 @@ usb2: usb@76f8800 {
<&gcc GCC_USB20_MASTER_CLK>;
assigned-clock-rates = <19200000>, <60000000>;
+ interconnects = <&pnoc MASTER_USB_HS &bimc SLAVE_EBI_CH0>,
+ <&bimc MASTER_AMPSS_M0 &pnoc SLAVE_USB_HS>;
+ interconnect-names = "usb-ddr", "apps-usb";
power-domains = <&gcc USB30_GDSC>;
qcom,select-utmi-as-pipe-clk;
status = "disabled";
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 108/737] interconnect: debugfs: Fix incorrect error handling for NULL path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 107/737] arm64: dts: qcom: msm8996: add interconnect paths to USB2 controller Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 109/737] perf maps: Add maps__load_first() Greg Kroah-Hartman
` (639 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuan-Wei Chiu, Georgi Djakov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuan-Wei Chiu <visitorckw@gmail.com>
[ Upstream commit 6bfe104fd0f94d0248af22c256ce725ee087157b ]
The icc_commit_set() function, used by the debugfs interface, checks
the validity of the global cur_path pointer using IS_ERR_OR_NULL().
However, in the specific case where cur_path is NULL, while
IS_ERR_OR_NULL(NULL) correctly evaluates to true, the subsequent call
to PTR_ERR(NULL) returns 0.
This causes the function to return a success code (0) instead of an
error, misleading the user into believing their bandwidth request was
successfully committed when, in fact, no operation was performed.
Fix this by adding an explicit check to return -EINVAL if cur_path is
NULL. This prevents silent failures and ensures that an invalid
operational sequence is immediately and clearly reported as an error.
Fixes: 770c69f037c1 ("interconnect: Add debugfs test client")
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Link: https://lore.kernel.org/r/20251010151447.2289779-1-visitorckw@gmail.com
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/interconnect/debugfs-client.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/interconnect/debugfs-client.c b/drivers/interconnect/debugfs-client.c
index bc3fd8a7b9eb4..778deeb4a7e8a 100644
--- a/drivers/interconnect/debugfs-client.c
+++ b/drivers/interconnect/debugfs-client.c
@@ -117,7 +117,12 @@ static int icc_commit_set(void *data, u64 val)
mutex_lock(&debugfs_lock);
- if (IS_ERR_OR_NULL(cur_path)) {
+ if (!cur_path) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ if (IS_ERR(cur_path)) {
ret = PTR_ERR(cur_path);
goto out;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 109/737] perf maps: Add maps__load_first()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 108/737] interconnect: debugfs: Fix incorrect error handling for NULL path Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 110/737] perf lock contention: Load kernel map before lookup Greg Kroah-Hartman
` (638 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Andi Kleen, Athira Rajeev, Changbin Du,
Colin Ian King, Dmitrii Dolgov, German Gomez, Guilherme Amadio,
Huacai Chen, Ingo Molnar, James Clark, Jiri Olsa, K Prateek Nayak,
Kajol Jain, Kan Liang, Leo Yan, Li Dong, Liam Howlett,
Mark Rutland, Masami Hiramatsu, Miguel Ojeda, Ming Wang,
Namhyung Kim, Nick Terrell, Paolo Bonzini, Peter Zijlstra,
Ravi Bangoria, Sandipan Das, Sean Christopherson,
Steinar H. Gunderson, Vincent Whitchurch, Wenyu Liu, Yang Jihong,
Arnaldo Carvalho de Melo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit e77b0236cd0cd1572c6a9b25097b207eab799e74 ]
Avoid bpf_lock_contention_read touching the internal maps data structure
by adding a helper function. As access is done directly on the map in
maps, hold the read lock to stop it being removed.
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Cc: Changbin Du <changbin.du@huawei.com>
Cc: Colin Ian King <colin.i.king@gmail.com>
Cc: Dmitrii Dolgov <9erthalion6@gmail.com>
Cc: German Gomez <german.gomez@arm.com>
Cc: Guilherme Amadio <amadio@gentoo.org>
Cc: Huacai Chen <chenhuacai@kernel.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Clark <james.clark@arm.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: K Prateek Nayak <kprateek.nayak@amd.com>
Cc: Kajol Jain <kjain@linux.ibm.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: Li Dong <lidong@vivo.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Ming Wang <wangming01@loongson.cn>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Nick Terrell <terrelln@fb.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ravi Bangoria <ravi.bangoria@amd.com>
Cc: Sandipan Das <sandipan.das@amd.com>
Cc: Sean Christopherson <seanjc@google.com>
Cc: Steinar H. Gunderson <sesse@google.com>
Cc: Vincent Whitchurch <vincent.whitchurch@axis.com>
Cc: Wenyu Liu <liuwenyu7@huawei.com>
Cc: Yang Jihong <yangjihong1@huawei.com>
Link: https://lore.kernel.org/r/20231207011722.1220634-20-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Stable-dep-of: 553d18c98a89 ("perf lock contention: Load kernel map before lookup")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/bpf_lock_contention.c | 2 +-
tools/perf/util/maps.c | 13 +++++++++++++
tools/perf/util/maps.h | 2 ++
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/bpf_lock_contention.c b/tools/perf/util/bpf_lock_contention.c
index e7dddf0127bce..a73f39540a3d4 100644
--- a/tools/perf/util/bpf_lock_contention.c
+++ b/tools/perf/util/bpf_lock_contention.c
@@ -285,7 +285,7 @@ int lock_contention_read(struct lock_contention *con)
}
/* make sure it loads the kernel map */
- map__load(maps__first(machine->kmaps)->map);
+ maps__load_first(machine->kmaps);
prev_key = NULL;
while (!bpf_map_get_next_key(fd, prev_key, &key)) {
diff --git a/tools/perf/util/maps.c b/tools/perf/util/maps.c
index 9a011aed4b754..9c7618b7d5e92 100644
--- a/tools/perf/util/maps.c
+++ b/tools/perf/util/maps.c
@@ -713,3 +713,16 @@ int maps__merge_in(struct maps *kmaps, struct map *new_map)
}
return err;
}
+
+void maps__load_first(struct maps *maps)
+{
+ struct map_rb_node *first;
+
+ down_read(maps__lock(maps));
+
+ first = maps__first(maps);
+ if (first)
+ map__load(first->map);
+
+ up_read(maps__lock(maps));
+}
diff --git a/tools/perf/util/maps.h b/tools/perf/util/maps.h
index a689149be8c43..d9f65f9e6d092 100644
--- a/tools/perf/util/maps.h
+++ b/tools/perf/util/maps.h
@@ -145,4 +145,6 @@ void __maps__sort_by_name(struct maps *maps);
void maps__fixup_end(struct maps *maps);
+void maps__load_first(struct maps *maps);
+
#endif // __PERF_MAPS_H
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 110/737] perf lock contention: Load kernel map before lookup
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 109/737] perf maps: Add maps__load_first() Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 111/737] perf record: skip synthesize event when open evsel failed Greg Kroah-Hartman
` (637 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namhyung Kim <namhyung@kernel.org>
[ Upstream commit 553d18c98a896094b99a01765b9698b204183d49 ]
On some machines, it caused troubles when it tried to find kernel
symbols. I think it's because kernel modules and kallsyms are messed
up during load and split.
Basically we want to make sure the kernel map is loaded and the code has
it in the lock_contention_read(). But recently we added more lookups in
the lock_contention_prepare() which is called before _read().
Also the kernel map (kallsyms) may not be the first one in the group
like on ARM. Let's use machine__kernel_map() rather than just loading
the first map.
Reviewed-by: Ian Rogers <irogers@google.com>
Fixes: 688d2e8de231c54e ("perf lock contention: Add -l/--lock-addr option")
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/bpf_lock_contention.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/perf/util/bpf_lock_contention.c b/tools/perf/util/bpf_lock_contention.c
index a73f39540a3d4..aa4c7baf20f57 100644
--- a/tools/perf/util/bpf_lock_contention.c
+++ b/tools/perf/util/bpf_lock_contention.c
@@ -24,6 +24,9 @@ int lock_contention_prepare(struct lock_contention *con)
struct evlist *evlist = con->evlist;
struct target *target = con->target;
+ /* make sure it loads the kernel map before lookup */
+ map__load(machine__kernel_map(con->machine));
+
skel = lock_contention_bpf__open();
if (!skel) {
pr_err("Failed to open lock-contention BPF skeleton\n");
@@ -284,9 +287,6 @@ int lock_contention_read(struct lock_contention *con)
bpf_prog_test_run_opts(prog_fd, &opts);
}
- /* make sure it loads the kernel map */
- maps__load_first(machine->kmaps);
-
prev_key = NULL;
while (!bpf_map_get_next_key(fd, prev_key, &key)) {
s64 ls_key;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 111/737] perf record: skip synthesize event when open evsel failed
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 110/737] perf lock contention: Load kernel map before lookup Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 112/737] power: supply: cw2015: Check devm_delayed_work_autocancel() return code Greg Kroah-Hartman
` (636 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shuai Xue, Namhyung Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuai Xue <xueshuai@linux.alibaba.com>
[ Upstream commit 163e5f2b96632b7fb2eaa965562aca0dbdf9f996 ]
When using perf record with the `--overwrite` option, a segmentation fault
occurs if an event fails to open. For example:
perf record -e cycles-ct -F 1000 -a --overwrite
Error:
cycles-ct:H: PMU Hardware doesn't support sampling/overflow-interrupts. Try 'perf stat'
perf: Segmentation fault
#0 0x6466b6 in dump_stack debug.c:366
#1 0x646729 in sighandler_dump_stack debug.c:378
#2 0x453fd1 in sigsegv_handler builtin-record.c:722
#3 0x7f8454e65090 in __restore_rt libc-2.32.so[54090]
#4 0x6c5671 in __perf_event__synthesize_id_index synthetic-events.c:1862
#5 0x6c5ac0 in perf_event__synthesize_id_index synthetic-events.c:1943
#6 0x458090 in record__synthesize builtin-record.c:2075
#7 0x45a85a in __cmd_record builtin-record.c:2888
#8 0x45deb6 in cmd_record builtin-record.c:4374
#9 0x4e5e33 in run_builtin perf.c:349
#10 0x4e60bf in handle_internal_command perf.c:401
#11 0x4e6215 in run_argv perf.c:448
#12 0x4e653a in main perf.c:555
#13 0x7f8454e4fa72 in __libc_start_main libc-2.32.so[3ea72]
#14 0x43a3ee in _start ??:0
The --overwrite option implies --tail-synthesize, which collects non-sample
events reflecting the system status when recording finishes. However, when
evsel opening fails (e.g., unsupported event 'cycles-ct'), session->evlist
is not initialized and remains NULL. The code unconditionally calls
record__synthesize() in the error path, which iterates through the NULL
evlist pointer and causes a segfault.
To fix it, move the record__synthesize() call inside the error check block, so
it's only called when there was no error during recording, ensuring that evlist
is properly initialized.
Fixes: 4ea648aec019 ("perf record: Add --tail-synthesize option")
Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-record.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
index 81f77c0505fde..ddaf38f92898f 100644
--- a/tools/perf/builtin-record.c
+++ b/tools/perf/builtin-record.c
@@ -2776,11 +2776,11 @@ static int __cmd_record(struct record *rec, int argc, const char **argv)
rec->bytes_written += off_cpu_write(rec->session);
record__read_lost_samples(rec);
- record__synthesize(rec, true);
/* this will be recalculated during process_buildids() */
rec->samples = 0;
if (!err) {
+ record__synthesize(rec, true);
if (!rec->timestamp_filename) {
record__finish_output(rec);
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 112/737] power: supply: cw2015: Check devm_delayed_work_autocancel() return code
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 111/737] perf record: skip synthesize event when open evsel failed Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 113/737] power: supply: rt9467: Return error on failure in rt9467_set_value_from_ranges() Greg Kroah-Hartman
` (635 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Sebastian Reichel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
[ Upstream commit 92ec7e7b86ec0aff9cd7db64d9dce50a0ea7c542 ]
Since devm_delayed_work_autocancel() may fail, add return code check and
exit cw_bat_probe() on error.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 0cb172a4918e ("power: supply: cw2015: Use device managed API to simplify the code")
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Link: https://patch.msgid.link/20251008120711.556021-1-i.abramov@mt-integration.ru
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/cw2015_battery.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/power/supply/cw2015_battery.c b/drivers/power/supply/cw2015_battery.c
index 434e3233c9f8c..f777665cf0687 100644
--- a/drivers/power/supply/cw2015_battery.c
+++ b/drivers/power/supply/cw2015_battery.c
@@ -702,7 +702,13 @@ static int cw_bat_probe(struct i2c_client *client)
if (!cw_bat->battery_workqueue)
return -ENOMEM;
- devm_delayed_work_autocancel(&client->dev, &cw_bat->battery_delay_work, cw_bat_work);
+ ret = devm_delayed_work_autocancel(&client->dev, &cw_bat->battery_delay_work, cw_bat_work);
+ if (ret) {
+ dev_err_probe(&client->dev, ret,
+ "Failed to register delayed work\n");
+ return ret;
+ }
+
queue_delayed_work(cw_bat->battery_workqueue,
&cw_bat->battery_delay_work, msecs_to_jiffies(10));
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 113/737] power: supply: rt9467: Return error on failure in rt9467_set_value_from_ranges()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 112/737] power: supply: cw2015: Check devm_delayed_work_autocancel() return code Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 114/737] power: supply: rt9467: Prevent using uninitialized local variable " Greg Kroah-Hartman
` (634 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Sebastian Reichel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
[ Upstream commit 8b27fe2d8d2380118c343629175385ff587e2fe4 ]
The return value of rt9467_set_value_from_ranges() when setting AICL VTH is
not checked, even though it may fail.
Log error and return from rt9467_run_aicl() on fail.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 6f7f70e3a8dd ("power: supply: rt9467: Add Richtek RT9467 charger driver")
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Link: https://patch.msgid.link/20251009144725.562278-1-i.abramov@mt-integration.ru
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/rt9467-charger.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/power/supply/rt9467-charger.c b/drivers/power/supply/rt9467-charger.c
index fdfdc83ab0458..1462d630e399c 100644
--- a/drivers/power/supply/rt9467-charger.c
+++ b/drivers/power/supply/rt9467-charger.c
@@ -588,6 +588,10 @@ static int rt9467_run_aicl(struct rt9467_chg_data *data)
aicl_vth = mivr_vth + RT9467_AICLVTH_GAP_uV;
ret = rt9467_set_value_from_ranges(data, F_AICL_VTH,
RT9467_RANGE_AICL_VTH, aicl_vth);
+ if (ret) {
+ dev_err(data->dev, "Failed to set AICL VTH\n");
+ return ret;
+ }
/* Trigger AICL function */
ret = regmap_field_write(data->rm_field[F_AICL_MEAS], 1);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 114/737] power: supply: rt9467: Prevent using uninitialized local variable in rt9467_set_value_from_ranges()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 113/737] power: supply: rt9467: Return error on failure in rt9467_set_value_from_ranges() Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 115/737] power: supply: wm831x: Check wm831x_set_bits() return value Greg Kroah-Hartman
` (633 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Murad Masimov, Sebastian Reichel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murad Masimov <m.masimov@mt-integration.ru>
[ Upstream commit 15aca30cc6c69806054b896a2ccf7577239cb878 ]
There is a typo in rt9467_set_value_from_ranges() that can cause leaving local
variable sel with an undefined value which is then used in regmap_field_write().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 6f7f70e3a8dd ("power: supply: rt9467: Add Richtek RT9467 charger driver")
Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
Link: https://patch.msgid.link/20251009145308.1830893-1-m.masimov@mt-integration.ru
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/rt9467-charger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/power/supply/rt9467-charger.c b/drivers/power/supply/rt9467-charger.c
index 1462d630e399c..1e16593267511 100644
--- a/drivers/power/supply/rt9467-charger.c
+++ b/drivers/power/supply/rt9467-charger.c
@@ -376,7 +376,7 @@ static int rt9467_set_value_from_ranges(struct rt9467_chg_data *data,
if (rsel == RT9467_RANGE_VMIVR) {
ret = linear_range_get_selector_high(range, value, &sel, &found);
if (ret)
- value = range->max_sel;
+ sel = range->max_sel;
} else {
linear_range_get_selector_within(range, value, &sel);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 115/737] power: supply: wm831x: Check wm831x_set_bits() return value
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 114/737] power: supply: rt9467: Prevent using uninitialized local variable " Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 116/737] power: supply: apm_power: only unset own apm_get_power_status Greg Kroah-Hartman
` (632 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Sebastian Reichel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
[ Upstream commit ea14bae6df18942bccb467fcf5ff33ca677b8253 ]
Since wm831x_set_bits() may return error, log failure and exit from
wm831x_usb_limit_change() in such case.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 626b6cd5f52e ("power: wm831x_power: Support USB charger current limit management")
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Link: https://patch.msgid.link/20251009170553.566561-1-i.abramov@mt-integration.ru
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/wm831x_power.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/power/supply/wm831x_power.c b/drivers/power/supply/wm831x_power.c
index 82e31066c746e..bbae77982d086 100644
--- a/drivers/power/supply/wm831x_power.c
+++ b/drivers/power/supply/wm831x_power.c
@@ -144,6 +144,7 @@ static int wm831x_usb_limit_change(struct notifier_block *nb,
struct wm831x_power,
usb_notify);
unsigned int i, best;
+ int ret;
/* Find the highest supported limit */
best = 0;
@@ -156,8 +157,13 @@ static int wm831x_usb_limit_change(struct notifier_block *nb,
dev_dbg(wm831x_power->wm831x->dev,
"Limiting USB current to %umA", wm831x_usb_limits[best]);
- wm831x_set_bits(wm831x_power->wm831x, WM831X_POWER_STATE,
- WM831X_USB_ILIM_MASK, best);
+ ret = wm831x_set_bits(wm831x_power->wm831x, WM831X_POWER_STATE,
+ WM831X_USB_ILIM_MASK, best);
+ if (ret < 0) {
+ dev_err(wm831x_power->wm831x->dev,
+ "Failed to set USB current limit: %d\n", ret);
+ return ret;
+ }
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 116/737] power: supply: apm_power: only unset own apm_get_power_status
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 115/737] power: supply: wm831x: Check wm831x_set_bits() return value Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 117/737] scsi: target: Do not write NUL characters into ASCII configfs output Greg Kroah-Hartman
` (631 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahelenia Ziemiańska,
Sebastian Reichel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
[ Upstream commit bd44ea12919ac4e83c9f3997240fe58266aa8799 ]
Mirroring drivers/macintosh/apm_emu.c, this means that
modprobe apm_power && modprobe $anotherdriver && modprobe -r apm_power
leaves $anotherdriver's apm_get_power_status instead of deleting it.
Fixes: 3788ec932bfd ("[BATTERY] APM emulation driver for class batteries")
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
Link: https://patch.msgid.link/xczpgox57hxbunkcbdl5fxhc4gnsajsipldfidi7355afezk64@tarta.nabijaczleweli.xyz
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/apm_power.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/power/supply/apm_power.c b/drivers/power/supply/apm_power.c
index 9d1a7fbcaed42..50b9636945599 100644
--- a/drivers/power/supply/apm_power.c
+++ b/drivers/power/supply/apm_power.c
@@ -365,7 +365,8 @@ static int __init apm_battery_init(void)
static void __exit apm_battery_exit(void)
{
- apm_get_power_status = NULL;
+ if (apm_get_power_status == apm_battery_apm_get_power_status)
+ apm_get_power_status = NULL;
}
module_init(apm_battery_init);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 117/737] scsi: target: Do not write NUL characters into ASCII configfs output
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 116/737] power: supply: apm_power: only unset own apm_get_power_status Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 118/737] fs/9p: Dont open remote file with APPEND mode when writeback cache is used Greg Kroah-Hartman
` (630 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit c03b55f235e283cae49c88b9602fd11096b92eba ]
NUL characters are not allowed in ASCII configfs output. Hence this
patch.
Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20251027184639.3501254-2-bvanassche@acm.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_configfs.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index eddcfd09c05b8..6ec98dfd1f31c 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -2736,7 +2736,6 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page)
cur_len = snprintf(buf, LU_GROUP_NAME_BUF, "%s/%s\n",
config_item_name(&hba->hba_group.cg_item),
config_item_name(&dev->dev_group.cg_item));
- cur_len++; /* Extra byte for NULL terminator */
if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) {
pr_warn("Ran out of lu_gp_show_attr"
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 118/737] fs/9p: Dont open remote file with APPEND mode when writeback cache is used
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 117/737] scsi: target: Do not write NUL characters into ASCII configfs output Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 119/737] spi: tegra210-quad: Fix timeout handling Greg Kroah-Hartman
` (629 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tingmao Wang, Dominique Martinet,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tingmao Wang <m@maowtm.org>
[ Upstream commit a63dd8fd137933551bfd9aeeeaa942f04c7aad65 ]
When page cache is used, writebacks are done on a page granularity, and it
is expected that the underlying filesystem (such as v9fs) should respect
the write position. However, currently v9fs will passthrough O_APPEND to
the server even on cached mode. This causes data corruption if a sync or
fstat gets between two writes to the same file.
This patch removes the APPEND flag from the open request we send to the
server when writeback caching is involved. I believe keeping server-side
APPEND is probably fine for uncached mode (even if two fds are opened, one
without O_APPEND and one with it, this should still be fine since they
would use separate fid for the writes).
Signed-off-by: Tingmao Wang <m@maowtm.org>
Fixes: 4eb3117888a9 ("fs/9p: Rework cache modes and add new options to Documentation")
Message-ID: <20251102235631.8724-1-m@maowtm.org>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/9p/vfs_file.c | 11 ++++++++---
fs/9p/vfs_inode.c | 3 +--
fs/9p/vfs_inode_dotl.c | 2 +-
3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 8566ddad49ad5..655e7bf602f1e 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -43,14 +43,18 @@ int v9fs_file_open(struct inode *inode, struct file *file)
struct v9fs_session_info *v9ses;
struct p9_fid *fid;
int omode;
+ int o_append;
p9_debug(P9_DEBUG_VFS, "inode: %p file: %p\n", inode, file);
v9ses = v9fs_inode2v9ses(inode);
- if (v9fs_proto_dotl(v9ses))
+ if (v9fs_proto_dotl(v9ses)) {
omode = v9fs_open_to_dotl_flags(file->f_flags);
- else
+ o_append = P9_DOTL_APPEND;
+ } else {
omode = v9fs_uflags2omode(file->f_flags,
v9fs_proto_dotu(v9ses));
+ o_append = P9_OAPPEND;
+ }
fid = file->private_data;
if (!fid) {
fid = v9fs_fid_clone(file_dentry(file));
@@ -58,9 +62,10 @@ int v9fs_file_open(struct inode *inode, struct file *file)
return PTR_ERR(fid);
if ((v9ses->cache & CACHE_WRITEBACK) && (omode & P9_OWRITE)) {
- int writeback_omode = (omode & ~P9_OWRITE) | P9_ORDWR;
+ int writeback_omode = (omode & ~(P9_OWRITE | o_append)) | P9_ORDWR;
p9_debug(P9_DEBUG_CACHE, "write-only file with writeback enabled, try opening O_RDWR\n");
+
err = p9_client_open(fid, writeback_omode);
if (err < 0) {
p9_debug(P9_DEBUG_CACHE, "could not open O_RDWR, disabling caches\n");
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
index aba0625de48ae..e084caf467d10 100644
--- a/fs/9p/vfs_inode.c
+++ b/fs/9p/vfs_inode.c
@@ -824,7 +824,7 @@ v9fs_vfs_atomic_open(struct inode *dir, struct dentry *dentry,
p9_omode = v9fs_uflags2omode(flags, v9fs_proto_dotu(v9ses));
if ((v9ses->cache & CACHE_WRITEBACK) && (p9_omode & P9_OWRITE)) {
- p9_omode = (p9_omode & ~P9_OWRITE) | P9_ORDWR;
+ p9_omode = (p9_omode & ~(P9_OWRITE | P9_OAPPEND)) | P9_ORDWR;
p9_debug(P9_DEBUG_CACHE,
"write-only file with writeback enabled, creating w/ O_RDWR\n");
}
@@ -1458,4 +1458,3 @@ static const struct inode_operations v9fs_symlink_inode_operations = {
.getattr = v9fs_vfs_getattr,
.setattr = v9fs_vfs_setattr,
};
-
diff --git a/fs/9p/vfs_inode_dotl.c b/fs/9p/vfs_inode_dotl.c
index 91bcee2ab3c49..96e791c2b7b44 100644
--- a/fs/9p/vfs_inode_dotl.c
+++ b/fs/9p/vfs_inode_dotl.c
@@ -288,7 +288,7 @@ v9fs_vfs_atomic_open_dotl(struct inode *dir, struct dentry *dentry,
}
if ((v9ses->cache & CACHE_WRITEBACK) && (p9_omode & P9_OWRITE)) {
- p9_omode = (p9_omode & ~P9_OWRITE) | P9_ORDWR;
+ p9_omode = (p9_omode & ~(P9_OWRITE | P9_DOTL_APPEND)) | P9_ORDWR;
p9_debug(P9_DEBUG_CACHE,
"write-only file with writeback enabled, creating w/ O_RDWR\n");
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 119/737] spi: tegra210-quad: Fix timeout handling
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 118/737] fs/9p: Dont open remote file with APPEND mode when writeback cache is used Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 120/737] ARM: dts: am335x-netcom-plus-2xx: add missing GPIO labels Greg Kroah-Hartman
` (628 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thierry Reding, Vishwaroop A,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
[ Upstream commit b4e002d8a7cee3b1d70efad0e222567f92a73000 ]
When the CPU that the QSPI interrupt handler runs on (typically CPU 0)
is excessively busy, it can lead to rare cases of the IRQ thread not
running before the transfer timeout is reached.
While handling the timeouts, any pending transfers are cleaned up and
the message that they correspond to is marked as failed, which leaves
the curr_xfer field pointing at stale memory.
To avoid this, clear curr_xfer to NULL upon timeout and check for this
condition when the IRQ thread is finally run.
While at it, also make sure to clear interrupts on failure so that new
interrupts can be run.
A better, more involved, fix would move the interrupt clearing into a
hard IRQ handler. Ideally we would also want to signal that the IRQ
thread no longer needs to be run after the timeout is hit to avoid the
extra check for a valid transfer.
Fixes: 921fc1838fb0 ("spi: tegra210-quad: Add support for Tegra210 QSPI controller")
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20251028155703.4151791-2-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index e9afebd724237..d9a487274b530 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -999,8 +999,10 @@ static void tegra_qspi_handle_error(struct tegra_qspi *tqspi)
dev_err(tqspi->dev, "error in transfer, fifo status 0x%08x\n", tqspi->status_reg);
tegra_qspi_dump_regs(tqspi);
tegra_qspi_flush_fifos(tqspi, true);
- if (device_reset(tqspi->dev) < 0)
+ if (device_reset(tqspi->dev) < 0) {
dev_warn_once(tqspi->dev, "device reset failed\n");
+ tegra_qspi_mask_clear_irq(tqspi);
+ }
}
static void tegra_qspi_transfer_end(struct spi_device *spi)
@@ -1145,9 +1147,11 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
}
/* Reset controller if timeout happens */
- if (device_reset(tqspi->dev) < 0)
+ if (device_reset(tqspi->dev) < 0) {
dev_warn_once(tqspi->dev,
"device reset failed\n");
+ tegra_qspi_mask_clear_irq(tqspi);
+ }
ret = -EIO;
goto exit;
}
@@ -1169,11 +1173,13 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
tegra_qspi_transfer_end(spi);
spi_transfer_delay_exec(xfer);
}
+ tqspi->curr_xfer = NULL;
transfer_phase++;
}
ret = 0;
exit:
+ tqspi->curr_xfer = NULL;
msg->status = ret;
return ret;
@@ -1257,6 +1263,8 @@ static int tegra_qspi_non_combined_seq_xfer(struct tegra_qspi *tqspi,
msg->actual_length += xfer->len + dummy_bytes;
complete_xfer:
+ tqspi->curr_xfer = NULL;
+
if (ret < 0) {
tegra_qspi_transfer_end(spi);
spi_transfer_delay_exec(xfer);
@@ -1353,6 +1361,7 @@ static irqreturn_t handle_cpu_based_xfer(struct tegra_qspi *tqspi)
tegra_qspi_calculate_curr_xfer_param(tqspi, t);
tegra_qspi_start_cpu_based_transfer(tqspi, t);
exit:
+ tqspi->curr_xfer = NULL;
spin_unlock_irqrestore(&tqspi->lock, flags);
return IRQ_HANDLED;
}
@@ -1436,6 +1445,15 @@ static irqreturn_t tegra_qspi_isr_thread(int irq, void *context_data)
{
struct tegra_qspi *tqspi = context_data;
+ /*
+ * Occasionally the IRQ thread takes a long time to wake up (usually
+ * when the CPU that it's running on is excessively busy) and we have
+ * already reached the timeout before and cleaned up the timed out
+ * transfer. Avoid any processing in that case and bail out early.
+ */
+ if (!tqspi->curr_xfer)
+ return IRQ_NONE;
+
tqspi->status_reg = tegra_qspi_readl(tqspi, QSPI_FIFO_STATUS);
if (tqspi->cur_direction & DATA_DIR_TX)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 120/737] ARM: dts: am335x-netcom-plus-2xx: add missing GPIO labels
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 119/737] spi: tegra210-quad: Fix timeout handling Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 121/737] ARM: dts: omap3: beagle-xm: Correct obsolete TWL4030 power compatible Greg Kroah-Hartman
` (627 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yegor Yefremov, Kevin Hilman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yegor Yefremov <yegorslists@googlemail.com>
[ Upstream commit d0c4b1723c419a18cb434903c7754954ecb51d35 ]
Fixes: 8e9d75fd2ec2 ("ARM: dts: am335x-netcom: add GPIO names for NetCom Plus 2-port devices")
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
Link: https://lore.kernel.org/r/20251007103851.3765678-1-yegorslists@googlemail.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/ti/omap/am335x-netcom-plus-2xx.dts | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm/boot/dts/ti/omap/am335x-netcom-plus-2xx.dts b/arch/arm/boot/dts/ti/omap/am335x-netcom-plus-2xx.dts
index 76751a324ad75..441d4696b94d9 100644
--- a/arch/arm/boot/dts/ti/omap/am335x-netcom-plus-2xx.dts
+++ b/arch/arm/boot/dts/ti/omap/am335x-netcom-plus-2xx.dts
@@ -222,10 +222,10 @@ &gpio3 {
"ModeA1",
"ModeA2",
"ModeA3",
- "NC",
- "NC",
- "NC",
- "NC",
+ "ModeB0",
+ "ModeB1",
+ "ModeB2",
+ "ModeB3",
"NC",
"NC",
"NC",
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 121/737] ARM: dts: omap3: beagle-xm: Correct obsolete TWL4030 power compatible
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 120/737] ARM: dts: am335x-netcom-plus-2xx: add missing GPIO labels Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 122/737] ARM: dts: omap3: n900: " Greg Kroah-Hartman
` (626 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jihed Chaibi, Kevin Hilman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
[ Upstream commit f7f3bc18300a230e0f1bfb17fc8889435c1e47f5 ]
The "ti,twl4030-power-beagleboard-xm" compatible string is obsolete and
is not supported by any in-kernel driver. Currently, the kernel falls
back to the second entry, "ti,twl4030-power-idle-osc-off", to bind a
driver to this node.
Make this fallback explicit by removing the obsolete board-specific
compatible. This preserves the existing functionality while making the
DTS compliant with the new, stricter 'ti,twl.yaml' binding.
Fixes: 9188883fd66e9 ("ARM: dts: Enable twl4030 off-idle configuration for selected omaps")
Signed-off-by: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
Link: https://lore.kernel.org/r/20250914192516.164629-3-jihed.chaibi.dev@gmail.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/ti/omap/omap3-beagle-xm.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/ti/omap/omap3-beagle-xm.dts b/arch/arm/boot/dts/ti/omap/omap3-beagle-xm.dts
index 08ee0f8ea68fd..71b39a923d37c 100644
--- a/arch/arm/boot/dts/ti/omap/omap3-beagle-xm.dts
+++ b/arch/arm/boot/dts/ti/omap/omap3-beagle-xm.dts
@@ -291,7 +291,7 @@ codec {
};
twl_power: power {
- compatible = "ti,twl4030-power-beagleboard-xm", "ti,twl4030-power-idle-osc-off";
+ compatible = "ti,twl4030-power-idle-osc-off";
ti,use_poweroff;
};
};
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 122/737] ARM: dts: omap3: n900: Correct obsolete TWL4030 power compatible
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 121/737] ARM: dts: omap3: beagle-xm: Correct obsolete TWL4030 power compatible Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 123/737] x86/boot: Fix page table access in 5-level to 4-level paging transition Greg Kroah-Hartman
` (625 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jihed Chaibi, Kevin Hilman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
[ Upstream commit 3862123e9b56663c7a3e4a308e6e65bffe44f646 ]
The "ti,twl4030-power-n900" compatible string is obsolete and is not
supported by any in-kernel driver. Currently, the kernel falls back to
the second entry, "ti,twl4030-power-idle-osc-off", to bind a driver to
this node.
Make this fallback explicit by removing the obsolete board-specific
compatible. This preserves the existing functionality while making the
DTS compliant with the new, stricter 'ti,twl.yaml' binding.
Fixes: daebabd578647 ("mfd: twl4030-power: Fix PM idle pin configuration to not conflict with regulators")
Signed-off-by: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
Link: https://lore.kernel.org/r/20250914192516.164629-4-jihed.chaibi.dev@gmail.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/ti/omap/omap3-n900.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/ti/omap/omap3-n900.dts b/arch/arm/boot/dts/ti/omap/omap3-n900.dts
index 036e472b77beb..98f259dbcb0d5 100644
--- a/arch/arm/boot/dts/ti/omap/omap3-n900.dts
+++ b/arch/arm/boot/dts/ti/omap/omap3-n900.dts
@@ -508,7 +508,7 @@ twl_audio: audio {
};
twl_power: power {
- compatible = "ti,twl4030-power-n900", "ti,twl4030-power-idle-osc-off";
+ compatible = "ti,twl4030-power-idle-osc-off";
ti,use_poweroff;
};
};
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 123/737] x86/boot: Fix page table access in 5-level to 4-level paging transition
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 122/737] ARM: dts: omap3: n900: " Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 124/737] efi/libstub: " Greg Kroah-Hartman
` (624 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael van der Westhuizen,
Tobias Fleig, Kiryl Shutsemau, Usama Arif, Borislav Petkov (AMD),
Ard Biesheuvel, Dave Hansen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Usama Arif <usamaarif642@gmail.com>
[ Upstream commit eb2266312507d7b757859e2227aa5c4ba6280ebe ]
When transitioning from 5-level to 4-level paging, the existing code
incorrectly accesses page table entries by directly dereferencing CR3 and
applying PAGE_MASK. This approach has several issues:
- __native_read_cr3() returns the raw CR3 register value, which on x86_64
includes not just the physical address but also flags. Bits above the
physical address width of the system i.e. above __PHYSICAL_MASK_SHIFT) are
also not masked.
- The PGD entry is masked by PAGE_SIZE which doesn't take into account the
higher bits such as _PAGE_BIT_NOPTISHADOW.
Replace this with proper accessor functions:
- native_read_cr3_pa(): Uses CR3_ADDR_MASK to additionally mask metadata out
of CR3 (like SME or LAM bits). All remaining bits are real address bits or
reserved and must be 0.
- mask pgd value with PTE_PFN_MASK instead of PAGE_MASK, accounting for flags
above bit 51 (_PAGE_BIT_NOPTISHADOW in particular). Bits below 51, but above
the max physical address are reserved and must be 0.
Fixes: e9d0e6330eb8 ("x86/boot/compressed/64: Prepare new top-level page table for trampoline")
Reported-by: Michael van der Westhuizen <rmikey@meta.com>
Reported-by: Tobias Fleig <tfleig@meta.com>
Co-developed-by: Kiryl Shutsemau <kas@kernel.org>
Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
Signed-off-by: Usama Arif <usamaarif642@gmail.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lore.kernel.org/r/a482fd68-ce54-472d-8df1-33d6ac9f6bb5@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/boot/compressed/pgtable_64.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c
index 15354673d3aa7..dc21b0d89d667 100644
--- a/arch/x86/boot/compressed/pgtable_64.c
+++ b/arch/x86/boot/compressed/pgtable_64.c
@@ -2,6 +2,7 @@
#include "misc.h"
#include <asm/bootparam_utils.h>
#include <asm/e820/types.h>
+#include <asm/pgtable.h>
#include <asm/processor.h>
#include "pgtable.h"
#include "../string.h"
@@ -175,9 +176,10 @@ asmlinkage void configure_5level_paging(struct boot_params *bp, void *pgtable)
* For 4- to 5-level paging transition, set up current CR3 as
* the first and the only entry in a new top-level page table.
*/
- *trampoline_32bit = __native_read_cr3() | _PAGE_TABLE_NOENC;
+ *trampoline_32bit = native_read_cr3_pa() | _PAGE_TABLE_NOENC;
} else {
- unsigned long src;
+ u64 *new_cr3;
+ pgd_t *pgdp;
/*
* For 5- to 4-level paging transition, copy page table pointed
@@ -187,8 +189,9 @@ asmlinkage void configure_5level_paging(struct boot_params *bp, void *pgtable)
* We cannot just point to the page table from trampoline as it
* may be above 4G.
*/
- src = *(unsigned long *)__native_read_cr3() & PAGE_MASK;
- memcpy(trampoline_32bit, (void *)src, PAGE_SIZE);
+ pgdp = (pgd_t *)native_read_cr3_pa();
+ new_cr3 = (u64 *)(native_pgd_val(pgdp[0]) & PTE_PFN_MASK);
+ memcpy(trampoline_32bit, new_cr3, PAGE_SIZE);
}
toggle_la57(trampoline_32bit);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 124/737] efi/libstub: Fix page table access in 5-level to 4-level paging transition
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 123/737] x86/boot: Fix page table access in 5-level to 4-level paging transition Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 125/737] mfd: da9055: Fix missing regmap_del_irq_chip() in error path Greg Kroah-Hartman
` (623 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael van der Westhuizen,
Tobias Fleig, Kiryl Shutsemau, Usama Arif, Borislav Petkov (AMD),
Ard Biesheuvel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Usama Arif <usamaarif642@gmail.com>
[ Upstream commit 84361123413efc84b06f3441c6c827b95d902732 ]
When transitioning from 5-level to 4-level paging, the existing code
incorrectly accesses page table entries by directly dereferencing CR3 and
applying PAGE_MASK. This approach has several issues:
- __native_read_cr3() returns the raw CR3 register value, which on x86_64
includes not just the physical address but also flags Bits above the
physical address width of the system (i.e. above __PHYSICAL_MASK_SHIFT) are
also not masked.
- The pgd value is masked by PAGE_SIZE which doesn't take into account the
higher bits such as _PAGE_BIT_NOPTISHADOW.
Replace this with proper accessor functions:
- native_read_cr3_pa(): Uses CR3_ADDR_MASK to additionally mask metadata out
of CR3 (like SME or LAM bits). All remaining bits are real address bits or
reserved and must be 0.
- mask pgd value with PTE_PFN_MASK instead of PAGE_MASK, accounting for flags
above bit 51 (_PAGE_BIT_NOPTISHADOW in particular). Bits below 51, but above
the max physical address are reserved and must be 0.
Fixes: cb1c9e02b0c1 ("x86/efistub: Perform 4/5 level paging switch from the stub")
Reported-by: Michael van der Westhuizen <rmikey@meta.com>
Reported-by: Tobias Fleig <tfleig@meta.com>
Co-developed-by: Kiryl Shutsemau <kas@kernel.org>
Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
Signed-off-by: Usama Arif <usamaarif642@gmail.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://patch.msgid.link/20251103141002.2280812-3-usamaarif642@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/libstub/x86-5lvl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/efi/libstub/x86-5lvl.c b/drivers/firmware/efi/libstub/x86-5lvl.c
index 479dd445acdcf..267b1c5312540 100644
--- a/drivers/firmware/efi/libstub/x86-5lvl.c
+++ b/drivers/firmware/efi/libstub/x86-5lvl.c
@@ -66,7 +66,7 @@ void efi_5level_switch(void)
bool have_la57 = native_read_cr4() & X86_CR4_LA57;
bool need_toggle = want_la57 ^ have_la57;
u64 *pgt = (void *)la57_toggle + PAGE_SIZE;
- u64 *cr3 = (u64 *)__native_read_cr3();
+ pgd_t *cr3 = (pgd_t *)native_read_cr3_pa();
u64 *new_cr3;
if (!la57_toggle || !need_toggle)
@@ -82,7 +82,7 @@ void efi_5level_switch(void)
new_cr3[0] = (u64)cr3 | _PAGE_TABLE_NOENC;
} else {
/* take the new root table pointer from the current entry #0 */
- new_cr3 = (u64 *)(cr3[0] & PAGE_MASK);
+ new_cr3 = (u64 *)(native_pgd_val(cr3[0]) & PTE_PFN_MASK);
/* copy the new root table if it is not 32-bit addressable */
if ((u64)new_cr3 > U32_MAX)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 125/737] mfd: da9055: Fix missing regmap_del_irq_chip() in error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 124/737] efi/libstub: " Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 126/737] ext4: correct the checking of quota files before moving extents Greg Kroah-Hartman
` (622 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Lee Jones,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 1b58acfd067ca16116b9234cd6b2d30cc8ab7502 ]
When da9055_device_init() fails after regmap_add_irq_chip()
succeeds but mfd_add_devices() fails, the error handling path
only calls mfd_remove_devices() but forgets to call
regmap_del_irq_chip(). This results in a resource leak.
Fix this by adding regmap_del_irq_chip() to the error path so
that resources are released properly.
Fixes: 2896434cf272 ("mfd: DA9055 core driver")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251010011737.1078-1-vulab@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/da9055-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mfd/da9055-core.c b/drivers/mfd/da9055-core.c
index 768302e05baa1..bdf6401d32d76 100644
--- a/drivers/mfd/da9055-core.c
+++ b/drivers/mfd/da9055-core.c
@@ -388,6 +388,7 @@ int da9055_device_init(struct da9055 *da9055)
err:
mfd_remove_devices(da9055->dev);
+ regmap_del_irq_chip(da9055->chip_irq, da9055->irq_data);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 126/737] ext4: correct the checking of quota files before moving extents
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 125/737] mfd: da9055: Fix missing regmap_del_irq_chip() in error path Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 127/737] perf/x86/intel: Correct large PEBS flag check Greg Kroah-Hartman
` (621 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Jan Kara, Theodore Tso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit a2e5a3cea4b18f6e2575acc444a5e8cce1fc8260 ]
The move extent operation should return -EOPNOTSUPP if any of the inodes
is a quota inode, rather than requiring both to be quota inodes.
Fixes: 02749a4c2082 ("ext4: add ext4_is_quota_file()")
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251013015128.499308-2-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/move_extent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index c566161127cd7..a3b0acca02ca5 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -486,7 +486,7 @@ mext_check_arguments(struct inode *orig_inode,
return -ETXTBSY;
}
- if (ext4_is_quota_file(orig_inode) && ext4_is_quota_file(donor_inode)) {
+ if (ext4_is_quota_file(orig_inode) || ext4_is_quota_file(donor_inode)) {
ext4_debug("ext4 move extent: The argument files should not be quota files [ino:orig %lu, donor %lu]\n",
orig_inode->i_ino, donor_inode->i_ino);
return -EOPNOTSUPP;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 127/737] perf/x86/intel: Correct large PEBS flag check
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 126/737] ext4: correct the checking of quota files before moving extents Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 128/737] regulator: core: disable supply if enabling main regulator fails Greg Kroah-Hartman
` (620 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dapeng Mi, Peter Zijlstra (Intel),
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dapeng Mi <dapeng1.mi@linux.intel.com>
[ Upstream commit 5e4e355ae7cdeb0fef5dbe908866e1f895abfacc ]
current large PEBS flag check only checks if sample_regs_user contains
unsupported GPRs but doesn't check if sample_regs_intr contains
unsupported GPRs.
Of course, currently PEBS HW supports to sample all perf supported GPRs,
the missed check doesn't cause real issue. But it won't be true any more
after the subsequent patches support to sample SSP register. SSP
sampling is not supported by adaptive PEBS HW and it would be supported
until arch-PEBS HW. So correct this issue.
Fixes: a47ba4d77e12 ("perf/x86: Enable free running PEBS for REGS_USER/INTR")
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20251029102136.61364-5-dapeng1.mi@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/intel/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
index 87ea4339e03a2..8d1ec1d888da7 100644
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -3808,7 +3808,9 @@ static unsigned long intel_pmu_large_pebs_flags(struct perf_event *event)
if (!event->attr.exclude_kernel)
flags &= ~PERF_SAMPLE_REGS_USER;
if (event->attr.sample_regs_user & ~PEBS_GP_REGS)
- flags &= ~(PERF_SAMPLE_REGS_USER | PERF_SAMPLE_REGS_INTR);
+ flags &= ~PERF_SAMPLE_REGS_USER;
+ if (event->attr.sample_regs_intr & ~PEBS_GP_REGS)
+ flags &= ~PERF_SAMPLE_REGS_INTR;
return flags;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 128/737] regulator: core: disable supply if enabling main regulator fails
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 127/737] perf/x86/intel: Correct large PEBS flag check Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 129/737] nbd: defer config put in recv_work Greg Kroah-Hartman
` (619 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit fb1ebb10468da414d57153ddebaab29c38ef1a78 ]
For 'always-on' and 'boot-on' regulators, the set_machine_constraints()
may enable supply before enabling the main regulator, however if the
latter fails, the function returns with an error but the supply remains
enabled.
When this happens, the regulator_register() function continues on the
error path where it puts the supply regulator. Since enabling the supply
is not balanced with a disable call, a warning similar to the following
gets issued from _regulator_put():
[ 1.603889] WARNING: CPU: 2 PID: 44 at _regulator_put+0x8c/0xa0
[ 1.603908] Modules linked in:
[ 1.603926] CPU: 2 UID: 0 PID: 44 Comm: kworker/u16:3 Not tainted 6.18.0-rc4 #0 NONE
[ 1.603938] Hardware name: Qualcomm Technologies, Inc. IPQ9574/AP-AL02-C7 (DT)
[ 1.603945] Workqueue: async async_run_entry_fn
[ 1.603958] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 1.603967] pc : _regulator_put+0x8c/0xa0
[ 1.603976] lr : _regulator_put+0x7c/0xa0
...
[ 1.604140] Call trace:
[ 1.604145] _regulator_put+0x8c/0xa0 (P)
[ 1.604156] regulator_register+0x2ec/0xbf0
[ 1.604166] devm_regulator_register+0x60/0xb0
[ 1.604178] rpm_reg_probe+0x120/0x208
[ 1.604187] platform_probe+0x64/0xa8
...
In order to avoid this, change the set_machine_constraints() function to
disable the supply if enabling the main regulator fails.
Fixes: 05f224ca6693 ("regulator: core: Clean enabling always-on regulators + their supplies")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://patch.msgid.link/20251107-regulator-disable-supply-v1-1-c95f0536f1b5@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 1d49612eeb7e5..465f4f870162f 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1653,6 +1653,8 @@ static int set_machine_constraints(struct regulator_dev *rdev)
* and we have control then make sure it is enabled.
*/
if (rdev->constraints->always_on || rdev->constraints->boot_on) {
+ bool supply_enabled = false;
+
/* If we want to enable this regulator, make sure that we know
* the supplying regulator.
*/
@@ -1672,11 +1674,14 @@ static int set_machine_constraints(struct regulator_dev *rdev)
rdev->supply = NULL;
return ret;
}
+ supply_enabled = true;
}
ret = _regulator_do_enable(rdev);
if (ret < 0 && ret != -EINVAL) {
rdev_err(rdev, "failed to enable: %pe\n", ERR_PTR(ret));
+ if (supply_enabled)
+ regulator_disable(rdev->supply);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 129/737] nbd: defer config put in recv_work
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 128/737] regulator: core: disable supply if enabling main regulator fails Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 130/737] scsi: stex: Fix reboot_notifier leak in probe error path Greg Kroah-Hartman
` (618 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+56fbf4c7ddf65e95c7cc,
Zheng Qixing, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Qixing <zhengqixing@huawei.com>
[ Upstream commit 9517b82d8d422d426a988b213fdd45c6b417b86d ]
There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and
NBD_CMD_RECONFIGURE:
nbd_genl_connect // conf_ref=2 (connect and recv_work A)
nbd_open // conf_ref=3
recv_work A done // conf_ref=2
NBD_CLEAR_SOCK // conf_ref=1
nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
close nbd // conf_ref=1
recv_work B
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_CLEAR_SOCK:
nbd_genl_connect // conf_ref=2
nbd_open // conf_ref=3
NBD_CLEAR_SOCK // conf_ref=2
close nbd
nbd_release
config_put // conf_ref=1
recv_work
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the
waiter") moved nbd_config_put() to run before waking up the waiter in
recv_work, in order to ensure that nbd_start_device_ioctl() would not
be woken up while nbd->task_recv was still uncleared.
However, in nbd_start_device_ioctl(), after being woken up it explicitly
calls flush_workqueue() to make sure all current works are finished.
Therefore, there is no need to move the config put ahead of the wakeup.
Move nbd_config_put() to the end of recv_work, so that the reference is
held for the whole lifetime of the worker thread. This makes sure the
config cannot be freed while recv_work is still running, even if clear
+ reconfigure interleave.
In addition, we don't need to worry about recv_work dropping the last
nbd_put (which causes deadlock):
path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=1 (trigger recv_work)
open nbd // nbd_refs=2
NBD_CLEAR_SOCK
close nbd
nbd_release
nbd_disconnect_and_put
flush_workqueue // recv_work done
nbd_config_put
nbd_put // nbd_refs=1
nbd_put // nbd_refs=0
queue_work
path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=2 (trigger recv_work)
open nbd // nbd_refs=3
NBD_CLEAR_SOCK // conf_refs=2
close nbd
nbd_release
nbd_config_put // conf_refs=1
nbd_put // nbd_refs=2
recv_work done // conf_refs=0, nbd_refs=1
rmmod // nbd_refs=0
Reported-by: syzbot+56fbf4c7ddf65e95c7cc@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6907edce.a70a0220.37351b.0014.GAE@google.com/T/
Fixes: 87aac3a80af5 ("nbd: make the config put is called before the notifying the waiter")
Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/nbd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 27a05b1521f69..9e190d220e98f 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -912,9 +912,9 @@ static void recv_work(struct work_struct *work)
nbd_mark_nsock_dead(nbd, nsock, 1);
mutex_unlock(&nsock->tx_lock);
- nbd_config_put(nbd);
atomic_dec(&config->recv_threads);
wake_up(&config->recv_wq);
+ nbd_config_put(nbd);
kfree(args);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 130/737] scsi: stex: Fix reboot_notifier leak in probe error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 129/737] nbd: defer config put in recv_work Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 131/737] scsi: smartpqi: Fix device resources accessed after device removal Greg Kroah-Hartman
` (617 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 20da637eb545b04753e20c675cfe97b04c7b600b ]
In stex_probe(), register_reboot_notifier() is called at the beginning,
but if any subsequent initialization step fails, the function returns
without unregistering the notifier, resulting in a resource leak.
Add unregister_reboot_notifier() in the out_disable error path to ensure
proper cleanup on all failure paths.
Fixes: 61b745fa63db ("scsi: stex: Add S6 support")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251104094847.270-1-vulab@iscas.ac.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/stex.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c
index 8ffb75be99bc8..879b090fb39ea 100644
--- a/drivers/scsi/stex.c
+++ b/drivers/scsi/stex.c
@@ -1846,6 +1846,7 @@ static int stex_probe(struct pci_dev *pdev, const struct pci_device_id *id)
out_scsi_host_put:
scsi_host_put(host);
out_disable:
+ unregister_reboot_notifier(&stex_notifier);
pci_disable_device(pdev);
return err;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 131/737] scsi: smartpqi: Fix device resources accessed after device removal
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 130/737] scsi: stex: Fix reboot_notifier leak in probe error path Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 132/737] staging: most: i2c: Drop explicit initialization of struct i2c_device_id::driver_data to 0 Greg Kroah-Hartman
` (616 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Teel, Scott Benesh,
Mike McGowen, Don Brace, Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike McGowen <mike.mcgowen@microchip.com>
[ Upstream commit b518e86d1a70a88f6592a7c396cf1b93493d1aab ]
Correct possible race conditions during device removal.
Previously, a scheduled work item to reset a LUN could still execute
after the device was removed, leading to use-after-free and other
resource access issues.
This race condition occurs because the abort handler may schedule a LUN
reset concurrently with device removal via sdev_destroy(), leading to
use-after-free and improper access to freed resources.
- Check in the device reset handler if the device is still present in
the controller's SCSI device list before running; if not, the reset
is skipped.
- Cancel any pending TMF work that has not started in sdev_destroy().
- Ensure device freeing in sdev_destroy() is done while holding the
LUN reset mutex to avoid races with ongoing resets.
Fixes: 2d80f4054f7f ("scsi: smartpqi: Update deleting a LUN via sysfs")
Reviewed-by: Scott Teel <scott.teel@microchip.com>
Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
Signed-off-by: Mike McGowen <mike.mcgowen@microchip.com>
Signed-off-by: Don Brace <don.brace@microchip.com>
Link: https://patch.msgid.link/20251106163823.786828-3-don.brace@microchip.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/smartpqi/smartpqi_init.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
index 0af2d366c85f9..0cdeb7aa55020 100644
--- a/drivers/scsi/smartpqi/smartpqi_init.c
+++ b/drivers/scsi/smartpqi/smartpqi_init.c
@@ -6366,10 +6366,22 @@ static int pqi_device_reset(struct pqi_ctrl_info *ctrl_info, struct pqi_scsi_dev
static int pqi_device_reset_handler(struct pqi_ctrl_info *ctrl_info, struct pqi_scsi_dev *device, u8 lun, struct scsi_cmnd *scmd, u8 scsi_opcode)
{
+ unsigned long flags;
int rc;
mutex_lock(&ctrl_info->lun_reset_mutex);
+ spin_lock_irqsave(&ctrl_info->scsi_device_list_lock, flags);
+ if (pqi_find_scsi_dev(ctrl_info, device->bus, device->target, device->lun) == NULL) {
+ dev_warn(&ctrl_info->pci_dev->dev,
+ "skipping reset of scsi %d:%d:%d:%u, device has been removed\n",
+ ctrl_info->scsi_host->host_no, device->bus, device->target, device->lun);
+ spin_unlock_irqrestore(&ctrl_info->scsi_device_list_lock, flags);
+ mutex_unlock(&ctrl_info->lun_reset_mutex);
+ return 0;
+ }
+ spin_unlock_irqrestore(&ctrl_info->scsi_device_list_lock, flags);
+
dev_err(&ctrl_info->pci_dev->dev,
"resetting scsi %d:%d:%d:%u SCSI cmd at %p due to cmd opcode 0x%02x\n",
ctrl_info->scsi_host->host_no, device->bus, device->target, lun, scmd, scsi_opcode);
@@ -6549,7 +6561,9 @@ static void pqi_slave_destroy(struct scsi_device *sdev)
{
struct pqi_ctrl_info *ctrl_info;
struct pqi_scsi_dev *device;
+ struct pqi_tmf_work *tmf_work;
int mutex_acquired;
+ unsigned int lun;
unsigned long flags;
ctrl_info = shost_to_hba(sdev->host);
@@ -6576,8 +6590,13 @@ static void pqi_slave_destroy(struct scsi_device *sdev)
mutex_unlock(&ctrl_info->scan_mutex);
+ for (lun = 0, tmf_work = device->tmf_work; lun < PQI_MAX_LUNS_PER_DEVICE; lun++, tmf_work++)
+ cancel_work_sync(&tmf_work->work_struct);
+
+ mutex_lock(&ctrl_info->lun_reset_mutex);
pqi_dev_info(ctrl_info, "removed", device);
pqi_free_device(device);
+ mutex_unlock(&ctrl_info->lun_reset_mutex);
}
static int pqi_getpciinfo_ioctl(struct pqi_ctrl_info *ctrl_info, void __user *arg)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 132/737] staging: most: i2c: Drop explicit initialization of struct i2c_device_id::driver_data to 0
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 131/737] scsi: smartpqi: Fix device resources accessed after device removal Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 133/737] staging: most: remove broken i2c driver Greg Kroah-Hartman
` (615 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit b5b7a2c92332b6f799e81f256aed6a93a0e037fd ]
These drivers don't use the driver_data member of struct i2c_device_id,
so don't explicitly initialize this member.
This prepares putting driver_data in an anonymous union which requires
either no initialization or named designators. But it's also a nice
cleanup on its own.
While touching the initializer, also remove the comma after the sentinel
entry.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Link: https://lore.kernel.org/r/20240920153430.503212-15-u.kleine-koenig@baylibre.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 495df2da6944 ("staging: most: remove broken i2c driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/most/i2c/i2c.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/most/i2c/i2c.c b/drivers/staging/most/i2c/i2c.c
index ce869280a056b..184b2dd11fc34 100644
--- a/drivers/staging/most/i2c/i2c.c
+++ b/drivers/staging/most/i2c/i2c.c
@@ -352,8 +352,8 @@ static void i2c_remove(struct i2c_client *client)
}
static const struct i2c_device_id i2c_id[] = {
- { "most_i2c", 0 },
- { }, /* Terminating entry */
+ { "most_i2c" },
+ { } /* Terminating entry */
};
MODULE_DEVICE_TABLE(i2c, i2c_id);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 133/737] staging: most: remove broken i2c driver
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 132/737] staging: most: i2c: Drop explicit initialization of struct i2c_device_id::driver_data to 0 Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 134/737] dt-bindings: PCI: amlogic: Fix the register name of the DBI region Greg Kroah-Hartman
` (614 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Gromm, Johan Hovold,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 495df2da6944477d282d5cc0c13174d06e25b310 ]
The MOST I2C driver has been completely broken for five years without
anyone noticing so remove the driver from staging.
Specifically, commit 723de0f9171e ("staging: most: remove device from
interface structure") started requiring drivers to set the interface
device pointer before registration, but the I2C driver was never updated
which results in a NULL pointer dereference if anyone ever tries to
probe it.
Fixes: 723de0f9171e ("staging: most: remove device from interface structure")
Cc: Christian Gromm <christian.gromm@microchip.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251029093442.29256-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/most/Kconfig | 2 -
drivers/staging/most/Makefile | 1 -
drivers/staging/most/i2c/Kconfig | 13 --
drivers/staging/most/i2c/Makefile | 4 -
drivers/staging/most/i2c/i2c.c | 374 ------------------------------
5 files changed, 394 deletions(-)
delete mode 100644 drivers/staging/most/i2c/Kconfig
delete mode 100644 drivers/staging/most/i2c/Makefile
delete mode 100644 drivers/staging/most/i2c/i2c.c
diff --git a/drivers/staging/most/Kconfig b/drivers/staging/most/Kconfig
index 6f420cbcdcfff..e89658df6f124 100644
--- a/drivers/staging/most/Kconfig
+++ b/drivers/staging/most/Kconfig
@@ -24,6 +24,4 @@ source "drivers/staging/most/video/Kconfig"
source "drivers/staging/most/dim2/Kconfig"
-source "drivers/staging/most/i2c/Kconfig"
-
endif
diff --git a/drivers/staging/most/Makefile b/drivers/staging/most/Makefile
index 8b3fc5a7af514..e45084df7803a 100644
--- a/drivers/staging/most/Makefile
+++ b/drivers/staging/most/Makefile
@@ -3,4 +3,3 @@
obj-$(CONFIG_MOST_NET) += net/
obj-$(CONFIG_MOST_VIDEO) += video/
obj-$(CONFIG_MOST_DIM2) += dim2/
-obj-$(CONFIG_MOST_I2C) += i2c/
diff --git a/drivers/staging/most/i2c/Kconfig b/drivers/staging/most/i2c/Kconfig
deleted file mode 100644
index ff64283cbad18..0000000000000
--- a/drivers/staging/most/i2c/Kconfig
+++ /dev/null
@@ -1,13 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0
-#
-# MOST I2C configuration
-#
-
-config MOST_I2C
- tristate "I2C"
- depends on I2C
- help
- Say Y here if you want to connect via I2C to network transceiver.
-
- To compile this driver as a module, choose M here: the
- module will be called most_i2c.
diff --git a/drivers/staging/most/i2c/Makefile b/drivers/staging/most/i2c/Makefile
deleted file mode 100644
index 71099dd0f85b9..0000000000000
--- a/drivers/staging/most/i2c/Makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-# SPDX-License-Identifier: GPL-2.0
-obj-$(CONFIG_MOST_I2C) += most_i2c.o
-
-most_i2c-objs := i2c.o
diff --git a/drivers/staging/most/i2c/i2c.c b/drivers/staging/most/i2c/i2c.c
deleted file mode 100644
index 184b2dd11fc34..0000000000000
--- a/drivers/staging/most/i2c/i2c.c
+++ /dev/null
@@ -1,374 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-/*
- * i2c.c - Hardware Dependent Module for I2C Interface
- *
- * Copyright (C) 2013-2015, Microchip Technology Germany II GmbH & Co. KG
- */
-
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-
-#include <linux/init.h>
-#include <linux/module.h>
-#include <linux/slab.h>
-#include <linux/i2c.h>
-#include <linux/interrupt.h>
-#include <linux/err.h>
-#include <linux/most.h>
-
-enum { CH_RX, CH_TX, NUM_CHANNELS };
-
-#define MAX_BUFFERS_CONTROL 32
-#define MAX_BUF_SIZE_CONTROL 256
-
-/**
- * list_first_mbo - get the first mbo from a list
- * @ptr: the list head to take the mbo from.
- */
-#define list_first_mbo(ptr) \
- list_first_entry(ptr, struct mbo, list)
-
-static unsigned int polling_rate;
-module_param(polling_rate, uint, 0644);
-MODULE_PARM_DESC(polling_rate, "Polling rate [Hz]. Default = 0 (use IRQ)");
-
-struct hdm_i2c {
- struct most_interface most_iface;
- struct most_channel_capability capabilities[NUM_CHANNELS];
- struct i2c_client *client;
- struct rx {
- struct delayed_work dwork;
- struct list_head list;
- bool int_disabled;
- unsigned int delay;
- } rx;
- char name[64];
-};
-
-static inline struct hdm_i2c *to_hdm(struct most_interface *iface)
-{
- return container_of(iface, struct hdm_i2c, most_iface);
-}
-
-static irqreturn_t most_irq_handler(int, void *);
-static void pending_rx_work(struct work_struct *);
-
-/**
- * configure_channel - called from MOST core to configure a channel
- * @most_iface: interface the channel belongs to
- * @ch_idx: channel to be configured
- * @channel_config: structure that holds the configuration information
- *
- * Return 0 on success, negative on failure.
- *
- * Receives configuration information from MOST core and initialize the
- * corresponding channel.
- */
-static int configure_channel(struct most_interface *most_iface,
- int ch_idx,
- struct most_channel_config *channel_config)
-{
- int ret;
- struct hdm_i2c *dev = to_hdm(most_iface);
- unsigned int delay, pr;
-
- BUG_ON(ch_idx < 0 || ch_idx >= NUM_CHANNELS);
-
- if (channel_config->data_type != MOST_CH_CONTROL) {
- pr_err("bad data type for channel %d\n", ch_idx);
- return -EPERM;
- }
-
- if (channel_config->direction != dev->capabilities[ch_idx].direction) {
- pr_err("bad direction for channel %d\n", ch_idx);
- return -EPERM;
- }
-
- if (channel_config->direction == MOST_CH_RX) {
- if (!polling_rate) {
- if (dev->client->irq <= 0) {
- pr_err("bad irq: %d\n", dev->client->irq);
- return -ENOENT;
- }
- dev->rx.int_disabled = false;
- ret = request_irq(dev->client->irq, most_irq_handler, 0,
- dev->client->name, dev);
- if (ret) {
- pr_err("request_irq(%d) failed: %d\n",
- dev->client->irq, ret);
- return ret;
- }
- } else {
- delay = msecs_to_jiffies(MSEC_PER_SEC / polling_rate);
- dev->rx.delay = delay ? delay : 1;
- pr = MSEC_PER_SEC / jiffies_to_msecs(dev->rx.delay);
- pr_info("polling rate is %u Hz\n", pr);
- }
- }
-
- return 0;
-}
-
-/**
- * enqueue - called from MOST core to enqueue a buffer for data transfer
- * @most_iface: intended interface
- * @ch_idx: ID of the channel the buffer is intended for
- * @mbo: pointer to the buffer object
- *
- * Return 0 on success, negative on failure.
- *
- * Transmit the data over I2C if it is a "write" request or push the buffer into
- * list if it is an "read" request
- */
-static int enqueue(struct most_interface *most_iface,
- int ch_idx, struct mbo *mbo)
-{
- struct hdm_i2c *dev = to_hdm(most_iface);
- int ret;
-
- BUG_ON(ch_idx < 0 || ch_idx >= NUM_CHANNELS);
-
- if (ch_idx == CH_RX) {
- /* RX */
- if (!polling_rate)
- disable_irq(dev->client->irq);
- cancel_delayed_work_sync(&dev->rx.dwork);
- list_add_tail(&mbo->list, &dev->rx.list);
- if (dev->rx.int_disabled || polling_rate)
- pending_rx_work(&dev->rx.dwork.work);
- if (!polling_rate)
- enable_irq(dev->client->irq);
- } else {
- /* TX */
- ret = i2c_master_send(dev->client, mbo->virt_address,
- mbo->buffer_length);
- if (ret <= 0) {
- mbo->processed_length = 0;
- mbo->status = MBO_E_INVAL;
- } else {
- mbo->processed_length = mbo->buffer_length;
- mbo->status = MBO_SUCCESS;
- }
- mbo->complete(mbo);
- }
-
- return 0;
-}
-
-/**
- * poison_channel - called from MOST core to poison buffers of a channel
- * @most_iface: pointer to the interface the channel to be poisoned belongs to
- * @ch_idx: corresponding channel ID
- *
- * Return 0 on success, negative on failure.
- *
- * If channel direction is RX, complete the buffers in list with
- * status MBO_E_CLOSE
- */
-static int poison_channel(struct most_interface *most_iface,
- int ch_idx)
-{
- struct hdm_i2c *dev = to_hdm(most_iface);
- struct mbo *mbo;
-
- BUG_ON(ch_idx < 0 || ch_idx >= NUM_CHANNELS);
-
- if (ch_idx == CH_RX) {
- if (!polling_rate)
- free_irq(dev->client->irq, dev);
- cancel_delayed_work_sync(&dev->rx.dwork);
-
- while (!list_empty(&dev->rx.list)) {
- mbo = list_first_mbo(&dev->rx.list);
- list_del(&mbo->list);
-
- mbo->processed_length = 0;
- mbo->status = MBO_E_CLOSE;
- mbo->complete(mbo);
- }
- }
-
- return 0;
-}
-
-static void do_rx_work(struct hdm_i2c *dev)
-{
- struct mbo *mbo;
- unsigned char msg[MAX_BUF_SIZE_CONTROL];
- int ret;
- u16 pml, data_size;
-
- /* Read PML (2 bytes) */
- ret = i2c_master_recv(dev->client, msg, 2);
- if (ret <= 0) {
- pr_err("Failed to receive PML\n");
- return;
- }
-
- pml = (msg[0] << 8) | msg[1];
- if (!pml)
- return;
-
- data_size = pml + 2;
-
- /* Read the whole message, including PML */
- ret = i2c_master_recv(dev->client, msg, data_size);
- if (ret <= 0) {
- pr_err("Failed to receive a Port Message\n");
- return;
- }
-
- mbo = list_first_mbo(&dev->rx.list);
- list_del(&mbo->list);
-
- mbo->processed_length = min(data_size, mbo->buffer_length);
- memcpy(mbo->virt_address, msg, mbo->processed_length);
- mbo->status = MBO_SUCCESS;
- mbo->complete(mbo);
-}
-
-/**
- * pending_rx_work - Read pending messages through I2C
- * @work: definition of this work item
- *
- * Invoked by the Interrupt Service Routine, most_irq_handler()
- */
-static void pending_rx_work(struct work_struct *work)
-{
- struct hdm_i2c *dev = container_of(work, struct hdm_i2c, rx.dwork.work);
-
- if (list_empty(&dev->rx.list))
- return;
-
- do_rx_work(dev);
-
- if (polling_rate) {
- schedule_delayed_work(&dev->rx.dwork, dev->rx.delay);
- } else {
- dev->rx.int_disabled = false;
- enable_irq(dev->client->irq);
- }
-}
-
-/*
- * most_irq_handler - Interrupt Service Routine
- * @irq: irq number
- * @_dev: private data
- *
- * Schedules a delayed work
- *
- * By default the interrupt line behavior is Active Low. Once an interrupt is
- * generated by the device, until driver clears the interrupt (by reading
- * the PMP message), device keeps the interrupt line in low state. Since i2c
- * read is done in work queue, the interrupt line must be disabled temporarily
- * to avoid ISR being called repeatedly. Re-enable the interrupt in workqueue,
- * after reading the message.
- *
- * Note: If we use the interrupt line in Falling edge mode, there is a
- * possibility to miss interrupts when ISR is getting executed.
- *
- */
-static irqreturn_t most_irq_handler(int irq, void *_dev)
-{
- struct hdm_i2c *dev = _dev;
-
- disable_irq_nosync(irq);
- dev->rx.int_disabled = true;
- schedule_delayed_work(&dev->rx.dwork, 0);
-
- return IRQ_HANDLED;
-}
-
-/*
- * i2c_probe - i2c probe handler
- * @client: i2c client device structure
- * @id: i2c client device id
- *
- * Return 0 on success, negative on failure.
- *
- * Register the i2c client device as a MOST interface
- */
-static int i2c_probe(struct i2c_client *client)
-{
- struct hdm_i2c *dev;
- int ret, i;
-
- dev = kzalloc(sizeof(*dev), GFP_KERNEL);
- if (!dev)
- return -ENOMEM;
-
- /* ID format: i2c-<bus>-<address> */
- snprintf(dev->name, sizeof(dev->name), "i2c-%d-%04x",
- client->adapter->nr, client->addr);
-
- for (i = 0; i < NUM_CHANNELS; i++) {
- dev->capabilities[i].data_type = MOST_CH_CONTROL;
- dev->capabilities[i].num_buffers_packet = MAX_BUFFERS_CONTROL;
- dev->capabilities[i].buffer_size_packet = MAX_BUF_SIZE_CONTROL;
- }
- dev->capabilities[CH_RX].direction = MOST_CH_RX;
- dev->capabilities[CH_RX].name_suffix = "rx";
- dev->capabilities[CH_TX].direction = MOST_CH_TX;
- dev->capabilities[CH_TX].name_suffix = "tx";
-
- dev->most_iface.interface = ITYPE_I2C;
- dev->most_iface.description = dev->name;
- dev->most_iface.num_channels = NUM_CHANNELS;
- dev->most_iface.channel_vector = dev->capabilities;
- dev->most_iface.configure = configure_channel;
- dev->most_iface.enqueue = enqueue;
- dev->most_iface.poison_channel = poison_channel;
-
- INIT_LIST_HEAD(&dev->rx.list);
-
- INIT_DELAYED_WORK(&dev->rx.dwork, pending_rx_work);
-
- dev->client = client;
- i2c_set_clientdata(client, dev);
-
- ret = most_register_interface(&dev->most_iface);
- if (ret) {
- pr_err("Failed to register i2c as a MOST interface\n");
- kfree(dev);
- return ret;
- }
-
- return 0;
-}
-
-/*
- * i2c_remove - i2c remove handler
- * @client: i2c client device structure
- *
- * Return 0 on success.
- *
- * Unregister the i2c client device as a MOST interface
- */
-static void i2c_remove(struct i2c_client *client)
-{
- struct hdm_i2c *dev = i2c_get_clientdata(client);
-
- most_deregister_interface(&dev->most_iface);
- kfree(dev);
-}
-
-static const struct i2c_device_id i2c_id[] = {
- { "most_i2c" },
- { } /* Terminating entry */
-};
-
-MODULE_DEVICE_TABLE(i2c, i2c_id);
-
-static struct i2c_driver i2c_driver = {
- .driver = {
- .name = "hdm_i2c",
- },
- .probe = i2c_probe,
- .remove = i2c_remove,
- .id_table = i2c_id,
-};
-
-module_i2c_driver(i2c_driver);
-
-MODULE_AUTHOR("Andrey Shvetsov <andrey.shvetsov@k2l.de>");
-MODULE_DESCRIPTION("I2C Hardware Dependent Module");
-MODULE_LICENSE("GPL");
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 134/737] dt-bindings: PCI: amlogic: Fix the register name of the DBI region
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 133/737] staging: most: remove broken i2c driver Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 135/737] RDMA/rtrs: server: Fix error handling in get_or_create_srv Greg Kroah-Hartman
` (613 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Manivannan Sadhasivam, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
[ Upstream commit 4813dea9e272ba0a57c50b8d51d440dd8e3ccdd7 ]
Binding incorrectly specifies the 'DBI' region as 'ELBI'. DBI is a must
have region for DWC controllers as it has the Root Port and controller
specific registers, while ELBI has optional registers.
Hence, fix the binding. Though this is an ABI break, this change is needed
to accurately describe the PCI memory map.
Fixes: 7cd210391101 ("dt-bindings: PCI: meson: add DT bindings for Amlogic Meson PCIe controller")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://patch.msgid.link/20251101-pci-meson-fix-v1-1-c50dcc56ed6a@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml b/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml
index a5bd90bc0712e..9c3b8e65c42a3 100644
--- a/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml
+++ b/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml
@@ -36,13 +36,13 @@ properties:
reg:
items:
- - description: External local bus interface registers
+ - description: Data Bus Interface registers
- description: Meson designed configuration registers
- description: PCIe configuration space
reg-names:
items:
- - const: elbi
+ - const: dbi
- const: cfg
- const: config
@@ -113,7 +113,7 @@ examples:
pcie: pcie@f9800000 {
compatible = "amlogic,axg-pcie", "snps,dw-pcie";
reg = <0xf9800000 0x400000>, <0xff646000 0x2000>, <0xf9f00000 0x100000>;
- reg-names = "elbi", "cfg", "config";
+ reg-names = "dbi", "cfg", "config";
interrupts = <GIC_SPI 177 IRQ_TYPE_EDGE_RISING>;
clocks = <&pclk>, <&clk_port>, <&clk_phy>;
clock-names = "pclk", "port", "general";
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 135/737] RDMA/rtrs: server: Fix error handling in get_or_create_srv
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 134/737] dt-bindings: PCI: amlogic: Fix the register name of the DBI region Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 136/737] ARM: dts: stm32: stm32mp157c-phycore: Fix STMPE811 touchscreen node properties Greg Kroah-Hartman
` (612 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Jack Wang, Leon Romanovsky,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
[ Upstream commit a338d6e849ab31f32c08b4fcac11c0c72afbb150 ]
After device_initialize() is called, use put_device() to release the
device according to kernel device management rules. While direct
kfree() work in this case, using put_device() is more correct.
Found by code review.
Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://patch.msgid.link/20251110005158.13394-1-make24@iscas.ac.cn
Acked-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
index 84d1654148d76..5dbf315630c1a 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
@@ -1443,7 +1443,7 @@ static struct rtrs_srv_sess *get_or_create_srv(struct rtrs_srv_ctx *ctx,
kfree(srv->chunks);
err_free_srv:
- kfree(srv);
+ put_device(&srv->dev);
return ERR_PTR(-ENOMEM);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 136/737] ARM: dts: stm32: stm32mp157c-phycore: Fix STMPE811 touchscreen node properties
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 135/737] RDMA/rtrs: server: Fix error handling in get_or_create_srv Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 137/737] ntfs3: init run lock for extend inode Greg Kroah-Hartman
` (611 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jihed Chaibi, Alexandre Torgue,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
[ Upstream commit e40b061cd379f4897e705d17cf1b4572ad0f3963 ]
Move st,adc-freq, st,mod-12b, st,ref-sel, and st,sample-time properties
from the touchscreen subnode to the parent touch@44 node. These properties
are defined in the st,stmpe.yaml schema for the parent node, not the
touchscreen subnode, resolving the validation error about unevaluated
properties.
Fixes: 27538a18a4fcc ("ARM: dts: stm32: add STM32MP1-based Phytec SoM")
Signed-off-by: Jihed Chaibi <jihed.chaibi.dev@gmail.com>
Link: https://lore.kernel.org/r/20250915224611.169980-1-jihed.chaibi.dev@gmail.com
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../boot/dts/st/stm32mp157c-phycore-stm32mp15-som.dtsi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm/boot/dts/st/stm32mp157c-phycore-stm32mp15-som.dtsi b/arch/arm/boot/dts/st/stm32mp157c-phycore-stm32mp15-som.dtsi
index 4e8b2d2b30c7a..7dfe1fbfbfedc 100644
--- a/arch/arm/boot/dts/st/stm32mp157c-phycore-stm32mp15-som.dtsi
+++ b/arch/arm/boot/dts/st/stm32mp157c-phycore-stm32mp15-som.dtsi
@@ -185,13 +185,13 @@ touch@44 {
interrupt-parent = <&gpioi>;
vio-supply = <&v3v3>;
vcc-supply = <&v3v3>;
+ st,sample-time = <4>;
+ st,mod-12b = <1>;
+ st,ref-sel = <0>;
+ st,adc-freq = <1>;
touchscreen {
compatible = "st,stmpe-ts";
- st,sample-time = <4>;
- st,mod-12b = <1>;
- st,ref-sel = <0>;
- st,adc-freq = <1>;
st,ave-ctrl = <1>;
st,touch-det-delay = <2>;
st,settling = <2>;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 137/737] ntfs3: init run lock for extend inode
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 136/737] ARM: dts: stm32: stm32mp157c-phycore: Fix STMPE811 touchscreen node properties Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 138/737] scsi: ufs: core: fix incorrect buffer duplication in ufshcd_read_string_desc() Greg Kroah-Hartman
` (610 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bdeb22a4b9a09ab9aa45,
Edward Adam Davis, Konstantin Komarov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit be99c62ac7e7af514e4b13f83c891a3cccefaa48 ]
After setting the inode mode of $Extend to a regular file, executing the
truncate system call will enter the do_truncate() routine, causing the
run_lock uninitialized error reported by syzbot.
Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to
a regular file, the do_truncate() routine would not be entered.
Add the run_lock initialization when loading $Extend.
syzbot reported:
INFO: trying to register non-static key.
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299
__lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590
ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860
ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
Fixes: 4e8011ffec79 ("ntfs3: pretend $Extend records as regular files")
Reported-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bdeb22a4b9a09ab9aa45
Tested-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index f27e25776b730..76326299ba368 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -465,6 +465,7 @@ static struct inode *ntfs_read_mft(struct inode *inode,
/* Records in $Extend are not a files or general directories. */
inode->i_op = &ntfs_file_inode_operations;
mode = S_IFREG;
+ init_rwsem(&ni->file.run_lock);
} else {
err = -EINVAL;
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 138/737] scsi: ufs: core: fix incorrect buffer duplication in ufshcd_read_string_desc()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 137/737] ntfs3: init run lock for extend inode Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 139/737] cpufreq/amd-pstate: Call cppc_set_auto_sel() only for online CPUs Greg Kroah-Hartman
` (609 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Avri Altman, Bart Van Assche,
Bean Huo, Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bean Huo <beanhuo@micron.com>
[ Upstream commit d794b499f948801f54d67ddbc34a6eac5a6d150a ]
The function ufshcd_read_string_desc() was duplicating memory starting
from the beginning of struct uc_string_id, which included the length and
type fields. As a result, the allocated buffer contained unwanted
metadata in addition to the string itself.
The correct behavior is to duplicate only the Unicode character array in
the structure. Update the code so that only the actual string content is
copied into the new buffer.
Fixes: 5f57704dbcfe ("scsi: ufs: Use kmemdup in ufshcd_read_string_desc()")
Reviewed-by: Avri Altman <avri.altman@sandisk.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Bean Huo <beanhuo@micron.com>
Link: https://patch.msgid.link/20251107230518.4060231-3-beanhuo@iokpp.de
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 01a7c1720ce15..9d6a47abe4bc6 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -3738,7 +3738,7 @@ int ufshcd_read_string_desc(struct ufs_hba *hba, u8 desc_index,
str[ret++] = '\0';
} else {
- str = kmemdup(uc_str, uc_str->len, GFP_KERNEL);
+ str = kmemdup(uc_str->uc, uc_str->len, GFP_KERNEL);
if (!str) {
ret = -ENOMEM;
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 139/737] cpufreq/amd-pstate: Call cppc_set_auto_sel() only for online CPUs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 138/737] scsi: ufs: core: fix incorrect buffer duplication in ufshcd_read_string_desc() Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 140/737] powerpc/32: Fix unpaired stwcx. on interrupt exit Greg Kroah-Hartman
` (608 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello (AMD) (kernel.org),
Gautham R. Shenoy, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautham R. Shenoy <gautham.shenoy@amd.com>
[ Upstream commit bb31fef0d03ed17d587b40e3458786be408fb9df ]
amd_pstate_change_mode_without_dvr_change() calls cppc_set_auto_sel()
for all the present CPUs.
However, this callpath eventually calls cppc_set_reg_val() which
accesses the per-cpu cpc_desc_ptr object. This object is initialized
only for online CPUs via acpi_soft_cpu_online() -->
__acpi_processor_start() --> acpi_cppc_processor_probe().
Hence, restrict calling cppc_set_auto_sel() to only the online CPUs.
Fixes: 3ca7bc818d8c ("cpufreq: amd-pstate: Add guided mode control support via sysfs")
Suggested-by: Mario Limonciello (AMD) (kernel.org) <superm1@kernel.org>
Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/amd-pstate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cpufreq/amd-pstate.c b/drivers/cpufreq/amd-pstate.c
index a64baa97e3583..7e7fa04188cf6 100644
--- a/drivers/cpufreq/amd-pstate.c
+++ b/drivers/cpufreq/amd-pstate.c
@@ -1100,7 +1100,7 @@ static int amd_pstate_change_mode_without_dvr_change(int mode)
if (boot_cpu_has(X86_FEATURE_CPPC) || cppc_state == AMD_PSTATE_ACTIVE)
return 0;
- for_each_present_cpu(cpu) {
+ for_each_online_cpu(cpu) {
cppc_set_auto_sel(cpu, (cppc_state == AMD_PSTATE_PASSIVE) ? 0 : 1);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 140/737] powerpc/32: Fix unpaired stwcx. on interrupt exit
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 139/737] cpufreq/amd-pstate: Call cppc_set_auto_sel() only for online CPUs Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 141/737] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse Greg Kroah-Hartman
` (607 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy,
Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 10e1c77c3636d815db802ceef588522c2d2d947c ]
Commit b96bae3ae2cb ("powerpc/32: Replace ASM exception exit by C
exception exit from ppc64") erroneouly copied to powerpc/32 the logic
from powerpc/64 based on feature CPU_FTR_STCX_CHECKS_ADDRESS which is
always 0 on powerpc/32.
Re-instate the logic implemented by commit b64f87c16f3c ("[POWERPC]
Avoid unpaired stwcx. on some processors") which is based on
CPU_FTR_NEED_PAIRED_STWCX feature.
Fixes: b96bae3ae2cb ("powerpc/32: Replace ASM exception exit by C exception exit from ppc64")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/6040b5dbcf5cdaa1cd919fcf0790f12974ea6e5a.1757666244.git.christophe.leroy@csgroup.eu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/entry_32.S | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
index 7eda33a24bb45..ba1670311bb04 100644
--- a/arch/powerpc/kernel/entry_32.S
+++ b/arch/powerpc/kernel/entry_32.S
@@ -269,10 +269,9 @@ interrupt_return:
mtspr SPRN_SRR1,r12
BEGIN_FTR_SECTION
+ lwarx r0,0,r1
+END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX)
stwcx. r0,0,r1 /* to clear the reservation */
-FTR_SECTION_ELSE
- lwarx r0,0,r1
-ALT_FTR_SECTION_END_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)
lwz r3,_CCR(r1)
lwz r4,_LINK(r1)
@@ -315,10 +314,9 @@ ALT_FTR_SECTION_END_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)
mtspr SPRN_SRR1,r12
BEGIN_FTR_SECTION
+ lwarx r0,0,r1
+END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX)
stwcx. r0,0,r1 /* to clear the reservation */
-FTR_SECTION_ELSE
- lwarx r0,0,r1
-ALT_FTR_SECTION_END_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)
lwz r3,_LINK(r1)
lwz r4,_CTR(r1)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 141/737] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 140/737] powerpc/32: Fix unpaired stwcx. on interrupt exit Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 142/737] wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper() Greg Kroah-Hartman
` (606 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Madhavan Srinivasan,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <leo.lilong@huawei.com>
[ Upstream commit 1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f ]
The following warning appears when running syzkaller, and this issue also
exists in the mainline code.
------------[ cut here ]------------
list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.
WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130
Modules linked in:
CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_add_valid_or_report+0xf7/0x130
RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817
RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001
RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c
R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100
R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48
FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
input_register_handler+0xb3/0x210
mac_hid_start_emulation+0x1c5/0x290
mac_hid_toggle_emumouse+0x20a/0x240
proc_sys_call_handler+0x4c2/0x6e0
new_sync_write+0x1b1/0x2d0
vfs_write+0x709/0x950
ksys_write+0x12a/0x250
do_syscall_64+0x5a/0x110
entry_SYSCALL_64_after_hwframe+0x78/0xe2
The WARNING occurs when two processes concurrently write to the mac-hid
emulation sysctl, causing a race condition in mac_hid_toggle_emumouse().
Both processes read old_val=0, then both try to register the input handler,
leading to a double list_add of the same handler.
CPU0 CPU1
------------------------- -------------------------
vfs_write() //write 1 vfs_write() //write 1
proc_sys_write() proc_sys_write()
mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()
old_val = *valp // old_val=0
old_val = *valp // old_val=0
mutex_lock_killable()
proc_dointvec() // *valp=1
mac_hid_start_emulation()
input_register_handler()
mutex_unlock()
mutex_lock_killable()
proc_dointvec()
mac_hid_start_emulation()
input_register_handler() //Trigger Warning
mutex_unlock()
Fix this by moving the old_val read inside the mutex lock region.
Fixes: 99b089c3c38a ("Input: Mac button emulation - implement as an input filter")
Signed-off-by: Long Li <leo.lilong@huawei.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250819091035.2263329-1-leo.lilong@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/macintosh/mac_hid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/macintosh/mac_hid.c b/drivers/macintosh/mac_hid.c
index d8c4d5664145d..44e332ee99d38 100644
--- a/drivers/macintosh/mac_hid.c
+++ b/drivers/macintosh/mac_hid.c
@@ -186,13 +186,14 @@ static int mac_hid_toggle_emumouse(struct ctl_table *table, int write,
void *buffer, size_t *lenp, loff_t *ppos)
{
int *valp = table->data;
- int old_val = *valp;
+ int old_val;
int rc;
rc = mutex_lock_killable(&mac_hid_emumouse_mutex);
if (rc)
return rc;
+ old_val = *valp;
rc = proc_dointvec(table, write, buffer, lenp, ppos);
if (rc == 0 && write && *valp != old_val) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 142/737] wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 141/737] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 143/737] nbd: defer config unlock in nbd_genl_connect Greg Kroah-Hartman
` (605 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit 5e88e864118c20e63a1571d0ff0a152e5d684959 ]
In one of the error paths, the memory allocated for skb_rx is not freed.
Fix that by freeing it before returning.
Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://patch.msgid.link/20251110175316.106591-1-nihaal@cse.iitm.ac.in
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/st/cw1200/bh.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/st/cw1200/bh.c b/drivers/net/wireless/st/cw1200/bh.c
index 3b4ded2ac801c..37232ee220375 100644
--- a/drivers/net/wireless/st/cw1200/bh.c
+++ b/drivers/net/wireless/st/cw1200/bh.c
@@ -317,10 +317,12 @@ static int cw1200_bh_rx_helper(struct cw1200_common *priv,
if (wsm_id & 0x0400) {
int rc = wsm_release_tx_buffer(priv, 1);
- if (WARN_ON(rc < 0))
+ if (WARN_ON(rc < 0)) {
+ dev_kfree_skb(skb_rx);
return rc;
- else if (rc > 0)
+ } else if (rc > 0) {
*tx = 1;
+ }
}
/* cw1200_wsm_rx takes care on SKB livetime */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 143/737] nbd: defer config unlock in nbd_genl_connect
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 142/737] wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper() Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 144/737] coresight: etm4x: Correct polling IDLE bit Greg Kroah-Hartman
` (604 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zheng Qixing, Yu Kuai, Jens Axboe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Qixing <zhengqixing@huawei.com>
[ Upstream commit 1649714b930f9ea6233ce0810ba885999da3b5d4 ]
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
Fixes: e46c7287b1c2 ("nbd: add a basic netlink interface")
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
Reviewed-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/nbd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 9e190d220e98f..8b7f306ec976f 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -2147,12 +2147,13 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
ret = nbd_start_device(nbd);
out:
- mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
+ mutex_unlock(&nbd->config_lock);
+
nbd_config_put(nbd);
if (put_dev)
nbd_put(nbd);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 144/737] coresight: etm4x: Correct polling IDLE bit
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 143/737] nbd: defer config unlock in nbd_genl_connect Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 145/737] coresight: etm4x: Extract the trace unit controlling Greg Kroah-Hartman
` (603 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yeoreum Yun, Mike Leach, James Clark,
Leo Yan, Suzuki K Poulose, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 4dc4e22f9536341255f5de6047977a80ff47eaef ]
Since commit 4ff6039ffb79 ("coresight-etm4x: add isb() before reading
the TRCSTATR"), the code has incorrectly been polling the PMSTABLE bit
instead of the IDLE bit.
This commit corrects the typo.
Fixes: 4ff6039ffb79 ("coresight-etm4x: add isb() before reading the TRCSTATR")
Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Mike Leach <mike.leach@linaro.org>
Tested-by: James Clark <james.clark@linaro.org>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20251111-arm_coresight_power_management_fix-v6-4-f55553b6c8b3@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwtracing/coresight/coresight-etm4x-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
index e4d8d446ea4d3..cc35175abd504 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -1805,7 +1805,7 @@ static int __etm4_cpu_save(struct etmv4_drvdata *drvdata)
state->trcpdcr = etm4x_read32(csa, TRCPDCR);
/* wait for TRCSTATR.IDLE to go up */
- if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1)) {
+ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 1)) {
dev_err(etm_dev,
"timeout while waiting for Idle Trace Status\n");
etm4_os_unlock(drvdata);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 145/737] coresight: etm4x: Extract the trace unit controlling
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 144/737] coresight: etm4x: Correct polling IDLE bit Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 146/737] coresight: etm4x: Add context synchronization before enabling trace Greg Kroah-Hartman
` (602 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Mike Leach, James Clark,
Suzuki K Poulose, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 40f682ae5086366d51e29e66eb8a344501245d0d ]
The trace unit is controlled in the ETM hardware enabling and disabling.
The sequential changes for support AUX pause and resume will reuse the
same operations.
Extract the operations in the etm4_{enable|disable}_trace_unit()
functions. A minor improvement in etm4_enable_trace_unit() is for
returning the timeout error to callers.
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Mike Leach <mike.leach@linaro.org>
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20250401180708.385396-2-leo.yan@arm.com
Stable-dep-of: 64eb04ae5452 ("coresight: etm4x: Add context synchronization before enabling trace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../coresight/coresight-etm4x-core.c | 103 +++++++++++-------
1 file changed, 62 insertions(+), 41 deletions(-)
diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
index cc35175abd504..a53816f24cd94 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -422,6 +422,44 @@ static int etm4x_wait_status(struct csdev_access *csa, int pos, int val)
return coresight_timeout(csa, TRCSTATR, pos, val);
}
+static int etm4_enable_trace_unit(struct etmv4_drvdata *drvdata)
+{
+ struct coresight_device *csdev = drvdata->csdev;
+ struct device *etm_dev = &csdev->dev;
+ struct csdev_access *csa = &csdev->access;
+
+ /*
+ * ETE mandates that the TRCRSR is written to before
+ * enabling it.
+ */
+ if (etm4x_is_ete(drvdata))
+ etm4x_relaxed_write32(csa, TRCRSR_TA, TRCRSR);
+
+ etm4x_allow_trace(drvdata);
+ /* Enable the trace unit */
+ etm4x_relaxed_write32(csa, 1, TRCPRGCTLR);
+
+ /* Synchronize the register updates for sysreg access */
+ if (!csa->io_mem)
+ isb();
+
+ /* wait for TRCSTATR.IDLE to go back down to '0' */
+ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 0)) {
+ dev_err(etm_dev,
+ "timeout while waiting for Idle Trace Status\n");
+ return -ETIME;
+ }
+
+ /*
+ * As recommended by section 4.3.7 ("Synchronization when using the
+ * memory-mapped interface") of ARM IHI 0064D
+ */
+ dsb(sy);
+ isb();
+
+ return 0;
+}
+
static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
{
int i, rc;
@@ -531,33 +569,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
etm4x_relaxed_write32(csa, trcpdcr | TRCPDCR_PU, TRCPDCR);
}
- /*
- * ETE mandates that the TRCRSR is written to before
- * enabling it.
- */
- if (etm4x_is_ete(drvdata))
- etm4x_relaxed_write32(csa, TRCRSR_TA, TRCRSR);
-
- etm4x_allow_trace(drvdata);
- /* Enable the trace unit */
- etm4x_relaxed_write32(csa, 1, TRCPRGCTLR);
-
- /* Synchronize the register updates for sysreg access */
- if (!csa->io_mem)
- isb();
-
- /* wait for TRCSTATR.IDLE to go back down to '0' */
- if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 0))
- dev_err(etm_dev,
- "timeout while waiting for Idle Trace Status\n");
-
- /*
- * As recommended by section 4.3.7 ("Synchronization when using the
- * memory-mapped interface") of ARM IHI 0064D
- */
- dsb(sy);
- isb();
-
+ rc = etm4_enable_trace_unit(drvdata);
done:
etm4_cs_lock(drvdata, csa);
@@ -886,25 +898,12 @@ static int etm4_enable(struct coresight_device *csdev, struct perf_event *event,
return ret;
}
-static void etm4_disable_hw(void *info)
+static void etm4_disable_trace_unit(struct etmv4_drvdata *drvdata)
{
u32 control;
- struct etmv4_drvdata *drvdata = info;
- struct etmv4_config *config = &drvdata->config;
struct coresight_device *csdev = drvdata->csdev;
struct device *etm_dev = &csdev->dev;
struct csdev_access *csa = &csdev->access;
- int i;
-
- etm4_cs_unlock(drvdata, csa);
- etm4_disable_arch_specific(drvdata);
-
- if (!drvdata->skip_power_up) {
- /* power can be removed from the trace unit now */
- control = etm4x_relaxed_read32(csa, TRCPDCR);
- control &= ~TRCPDCR_PU;
- etm4x_relaxed_write32(csa, control, TRCPDCR);
- }
control = etm4x_relaxed_read32(csa, TRCPRGCTLR);
@@ -945,6 +944,28 @@ static void etm4_disable_hw(void *info)
* of ARM IHI 0064H.b.
*/
isb();
+}
+
+static void etm4_disable_hw(void *info)
+{
+ u32 control;
+ struct etmv4_drvdata *drvdata = info;
+ struct etmv4_config *config = &drvdata->config;
+ struct coresight_device *csdev = drvdata->csdev;
+ struct csdev_access *csa = &csdev->access;
+ int i;
+
+ etm4_cs_unlock(drvdata, csa);
+ etm4_disable_arch_specific(drvdata);
+
+ if (!drvdata->skip_power_up) {
+ /* power can be removed from the trace unit now */
+ control = etm4x_relaxed_read32(csa, TRCPDCR);
+ control &= ~TRCPDCR_PU;
+ etm4x_relaxed_write32(csa, control, TRCPDCR);
+ }
+
+ etm4_disable_trace_unit(drvdata);
/* read the status of the single shot comparators */
for (i = 0; i < drvdata->nr_ss_cmp; i++) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 146/737] coresight: etm4x: Add context synchronization before enabling trace
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 145/737] coresight: etm4x: Extract the trace unit controlling Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 147/737] clk: renesas: r9a06g032: Fix memory leak in error path Greg Kroah-Hartman
` (601 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Leach, Yeoreun Yun, James Clark,
Leo Yan, Suzuki K Poulose, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 64eb04ae545294e105ad91714dc3167a0b660731 ]
According to the software usage PKLXF in Arm ARM (ARM DDI 0487 L.a), a
Context synchronization event is required before enabling the trace
unit.
An ISB is added to meet this requirement, particularly for guarding the
operations in the flow:
etm4x_allow_trace()
`> kvm_tracing_set_el1_configuration()
`> write_sysreg_s(trfcr_while_in_guest, SYS_TRFCR_EL12)
Improved the barrier comments to provide more accurate information.
Fixes: 1ab3bb9df5e3 ("coresight: etm4x: Add necessary synchronization for sysreg access")
Reviewed-by: Mike Leach <mike.leach@linaro.org>
Reviewed-by: Yeoreun Yun <yeoreum.yun@arm.com>
Tested-by: James Clark <james.clark@linaro.org>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20251111-arm_coresight_power_management_fix-v6-5-f55553b6c8b3@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../coresight/coresight-etm4x-core.c | 27 ++++++++++++++++---
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
index a53816f24cd94..c5928f63475a0 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -436,10 +436,24 @@ static int etm4_enable_trace_unit(struct etmv4_drvdata *drvdata)
etm4x_relaxed_write32(csa, TRCRSR_TA, TRCRSR);
etm4x_allow_trace(drvdata);
+
+ /*
+ * According to software usage PKLXF in Arm ARM (ARM DDI 0487 L.a),
+ * execute a Context synchronization event to guarantee the trace unit
+ * will observe the new values of the System registers.
+ */
+ if (!csa->io_mem)
+ isb();
+
/* Enable the trace unit */
etm4x_relaxed_write32(csa, 1, TRCPRGCTLR);
- /* Synchronize the register updates for sysreg access */
+ /*
+ * As recommended by section 4.3.7 ("Synchronization when using system
+ * instructions to progrom the trace unit") of ARM IHI 0064H.b, the
+ * self-hosted trace analyzer must perform a Context synchronization
+ * event between writing to the TRCPRGCTLR and reading the TRCSTATR.
+ */
if (!csa->io_mem)
isb();
@@ -916,11 +930,16 @@ static void etm4_disable_trace_unit(struct etmv4_drvdata *drvdata)
*/
etm4x_prohibit_trace(drvdata);
/*
- * Make sure everything completes before disabling, as recommended
- * by section 7.3.77 ("TRCVICTLR, ViewInst Main Control Register,
- * SSTATUS") of ARM IHI 0064D
+ * Prevent being speculative at the point of disabling the trace unit,
+ * as recommended by section 7.3.77 ("TRCVICTLR, ViewInst Main Control
+ * Register, SSTATUS") of ARM IHI 0064D
*/
dsb(sy);
+ /*
+ * According to software usage VKHHY in Arm ARM (ARM DDI 0487 L.a),
+ * execute a Context synchronization event to guarantee no new
+ * program-flow trace is generated.
+ */
isb();
/* Trace synchronization barrier, is a nop if not supported */
tsb_csync();
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 147/737] clk: renesas: r9a06g032: Fix memory leak in error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 146/737] coresight: etm4x: Add context synchronization before enabling trace Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 148/737] lib/vsprintf: Check pointer before dereferencing in time_and_date() Greg Kroah-Hartman
` (600 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Geert Uytterhoeven,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit f8def051bbcf8677f64701e9699bf6d11e2780cd ]
The current code uses of_iomap() to map registers but never calls
iounmap() on any error path after the mapping. This causes a memory
leak when probe fails after successful ioremap, for example when
of_clk_add_provider() or r9a06g032_add_clk_domain() fails.
Replace of_iomap() with devm_of_iomap() to automatically unmap the
region on probe failure. Update the error check accordingly to use
IS_ERR() and PTR_ERR() since devm_of_iomap() returns ERR_PTR on error.
Fixes: 4c3d88526eba ("clk: renesas: Renesas R9A06G032 clock driver")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20251030061603.1954-1-vulab@iscas.ac.cn
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a06g032-clocks.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/renesas/r9a06g032-clocks.c b/drivers/clk/renesas/r9a06g032-clocks.c
index 55db63c7041a6..cdc820b7e6ea9 100644
--- a/drivers/clk/renesas/r9a06g032-clocks.c
+++ b/drivers/clk/renesas/r9a06g032-clocks.c
@@ -1316,9 +1316,9 @@ static int __init r9a06g032_clocks_probe(struct platform_device *pdev)
if (IS_ERR(mclk))
return PTR_ERR(mclk);
- clocks->reg = of_iomap(np, 0);
- if (WARN_ON(!clocks->reg))
- return -ENOMEM;
+ clocks->reg = devm_of_iomap(dev, np, 0, NULL);
+ if (IS_ERR(clocks->reg))
+ return PTR_ERR(clocks->reg);
r9a06g032_init_h2mode(clocks);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 148/737] lib/vsprintf: Check pointer before dereferencing in time_and_date()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 147/737] clk: renesas: r9a06g032: Fix memory leak in error path Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 149/737] ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() Greg Kroah-Hartman
` (599 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Petr Mladek,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 372a12bd5df0199aa234eaf8ef31ed7ecd61d40f ]
The pointer may be invalid when gets to the printf(). In particular
the time_and_date() dereferencing it in some cases without checking.
Move the check from rtc_str() to time_and_date() to cover all cases.
Fixes: 7daac5b2fdf8 ("lib/vsprintf: Print time64_t in human readable format")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://patch.msgid.link/20251110132118.4113976-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/vsprintf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index f4ab2750cfc12..fc5ffc1b16903 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1859,9 +1859,6 @@ char *rtc_str(char *buf, char *end, const struct rtc_time *tm,
bool found = true;
int count = 2;
- if (check_pointer(&buf, end, tm, spec))
- return buf;
-
switch (fmt[count]) {
case 'd':
have_t = false;
@@ -1927,6 +1924,9 @@ static noinline_for_stack
char *time_and_date(char *buf, char *end, void *ptr, struct printf_spec spec,
const char *fmt)
{
+ if (check_pointer(&buf, end, ptr, spec))
+ return buf;
+
switch (fmt[1]) {
case 'R':
return rtc_str(buf, end, (const struct rtc_time *)ptr, spec, fmt);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 149/737] ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 148/737] lib/vsprintf: Check pointer before dereferencing in time_and_date() Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 150/737] ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint() Greg Kroah-Hartman
` (598 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov,
syzbot+727d161855d11d81e411, Joseph Qi, Mark Fasheh, Joel Becker,
Junxiao Bi, Changwei Ge, Jun Piao, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d ]
In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just
to avoid crashing the whole kernel due to a filesystem corruption.
Fixes: 8f603e567aa7 ("Ocfs2/move_extents: move a range of extent.")
Link: https://lkml.kernel.org/r/20251009102349.181126-2-dmantipov@yandex.ru
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Closes: https://syzkaller.appspot.com/bug?extid=727d161855d11d81e411
Reported-by: syzbot+727d161855d11d81e411@syzkaller.appspotmail.com
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/move_extents.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 2f34074f0078b..d97ec93ff4c26 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -98,7 +98,13 @@ static int __ocfs2_move_extent(handle_t *handle,
rec = &el->l_recs[index];
- BUG_ON(ext_flags != rec->e_flags);
+ if (ext_flags != rec->e_flags) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %llu has corrupted extent %d with flags 0x%x at cpos %u\n",
+ (unsigned long long)ino, index, rec->e_flags, cpos);
+ goto out;
+ }
+
/*
* after moving/defraging to new location, the extent is not going
* to be refcounted anymore.
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 150/737] ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 149/737] ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 151/737] scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls Greg Kroah-Hartman
` (597 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Sakari Ailus,
Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 593ee49222a0d751062fd9a5e4a963ade4ec028a ]
acpi_fwnode_graph_parse_endpoint() calls fwnode_get_parent() to obtain the
parent fwnode but returns without calling fwnode_handle_put() on it. This
potentially leads to a fwnode refcount leak and prevents the parent node
from being released properly.
Call fwnode_handle_put() on the parent fwnode before returning to prevent
the leak from occurring.
Fixes: 3b27d00e7b6d ("device property: Move fwnode graph ops to firmware specific locations")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20251111075000.1828-1-vulab@iscas.ac.cn
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/property.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c
index d02b332744e64..1b8f3958b0edb 100644
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -1622,6 +1622,7 @@ static int acpi_fwnode_graph_parse_endpoint(const struct fwnode_handle *fwnode,
if (fwnode_property_read_u32(fwnode, "reg", &endpoint->id))
fwnode_property_read_u32(fwnode, "endpoint", &endpoint->id);
+ fwnode_handle_put(port_fwnode);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 151/737] scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 150/737] ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint() Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 152/737] leds: netxbig: Fix GPIO descriptor leak in error paths Greg Kroah-Hartman
` (596 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit acd194d9b5bac419e04968ffa44351afabb50bac ]
The driver calls ioport_map() to map I/O ports in sim710_probe_common()
but never calls ioport_unmap() to release the mapping. This causes
resource leaks in both the error path when request_irq() fails and in
the normal device removal path via sim710_device_remove().
Add ioport_unmap() calls in the out_release error path and in
sim710_device_remove().
Fixes: 56fece20086e ("[PATCH] finally fix 53c700 to use the generic iomem infrastructure")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251029032555.1476-1-vulab@iscas.ac.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sim710.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/sim710.c b/drivers/scsi/sim710.c
index e519df68d603d..70c75ab1453a1 100644
--- a/drivers/scsi/sim710.c
+++ b/drivers/scsi/sim710.c
@@ -133,6 +133,7 @@ static int sim710_probe_common(struct device *dev, unsigned long base_addr,
out_put_host:
scsi_host_put(host);
out_release:
+ ioport_unmap(hostdata->base);
release_region(base_addr, 64);
out_free:
kfree(hostdata);
@@ -148,6 +149,7 @@ static int sim710_device_remove(struct device *dev)
scsi_remove_host(host);
NCR_700_release(host);
+ ioport_unmap(hostdata->base);
kfree(hostdata);
free_irq(host->irq, host);
release_region(host->base, 64);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 152/737] leds: netxbig: Fix GPIO descriptor leak in error paths
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 151/737] scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 153/737] bpf: Free special fields when update [lru_,]percpu_hash maps Greg Kroah-Hartman
` (595 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Elfring, Haotian Zhang,
Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 03865dd8af52eb16c38062df2ed30a91b604780e ]
The function netxbig_gpio_ext_get() acquires GPIO descriptors but
fails to release them when errors occur mid-way through initialization.
The cleanup callback registered by devm_add_action_or_reset() only
runs on success, leaving acquired GPIOs leaked on error paths.
Add goto-based error handling to release all acquired GPIOs before
returning errors.
Fixes: 9af512e81964 ("leds: netxbig: Convert to use GPIO descriptors")
Suggested-by: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251031021620.781-1-vulab@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/leds-netxbig.c | 36 ++++++++++++++++++++++++++----------
1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/drivers/leds/leds-netxbig.c b/drivers/leds/leds-netxbig.c
index 6692de0af68f1..ea0801b9cb010 100644
--- a/drivers/leds/leds-netxbig.c
+++ b/drivers/leds/leds-netxbig.c
@@ -364,6 +364,9 @@ static int netxbig_gpio_ext_get(struct device *dev,
if (!addr)
return -ENOMEM;
+ gpio_ext->addr = addr;
+ gpio_ext->num_addr = 0;
+
/*
* We cannot use devm_ managed resources with these GPIO descriptors
* since they are associated with the "GPIO extension device" which
@@ -375,45 +378,58 @@ static int netxbig_gpio_ext_get(struct device *dev,
gpiod = gpiod_get_index(gpio_ext_dev, "addr", i,
GPIOD_OUT_LOW);
if (IS_ERR(gpiod))
- return PTR_ERR(gpiod);
+ goto err_set_code;
gpiod_set_consumer_name(gpiod, "GPIO extension addr");
addr[i] = gpiod;
+ gpio_ext->num_addr++;
}
- gpio_ext->addr = addr;
- gpio_ext->num_addr = num_addr;
ret = gpiod_count(gpio_ext_dev, "data");
if (ret < 0) {
dev_err(dev,
"Failed to count GPIOs in DT property data-gpios\n");
- return ret;
+ goto err_free_addr;
}
num_data = ret;
data = devm_kcalloc(dev, num_data, sizeof(*data), GFP_KERNEL);
- if (!data)
- return -ENOMEM;
+ if (!data) {
+ ret = -ENOMEM;
+ goto err_free_addr;
+ }
+
+ gpio_ext->data = data;
+ gpio_ext->num_data = 0;
for (i = 0; i < num_data; i++) {
gpiod = gpiod_get_index(gpio_ext_dev, "data", i,
GPIOD_OUT_LOW);
if (IS_ERR(gpiod))
- return PTR_ERR(gpiod);
+ goto err_free_data;
gpiod_set_consumer_name(gpiod, "GPIO extension data");
data[i] = gpiod;
+ gpio_ext->num_data++;
}
- gpio_ext->data = data;
- gpio_ext->num_data = num_data;
gpiod = gpiod_get(gpio_ext_dev, "enable", GPIOD_OUT_LOW);
if (IS_ERR(gpiod)) {
dev_err(dev,
"Failed to get GPIO from DT property enable-gpio\n");
- return PTR_ERR(gpiod);
+ goto err_free_data;
}
gpiod_set_consumer_name(gpiod, "GPIO extension enable");
gpio_ext->enable = gpiod;
return devm_add_action_or_reset(dev, netxbig_gpio_ext_remove, gpio_ext);
+
+err_free_data:
+ for (i = 0; i < gpio_ext->num_data; i++)
+ gpiod_put(gpio_ext->data[i]);
+err_set_code:
+ ret = PTR_ERR(gpiod);
+err_free_addr:
+ for (i = 0; i < gpio_ext->num_addr; i++)
+ gpiod_put(gpio_ext->addr[i]);
+ return ret;
}
static int netxbig_leds_get_of_pdata(struct device *dev,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 153/737] bpf: Free special fields when update [lru_,]percpu_hash maps
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 152/737] leds: netxbig: Fix GPIO descriptor leak in error paths Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 154/737] PCI: keystone: Exit ks_pcie_probe() for invalid mode Greg Kroah-Hartman
` (594 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leon Hwang, Yonghong Song,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Hwang <leon.hwang@linux.dev>
[ Upstream commit 6af6e49a76c9af7d42eb923703e7648cb2bf401a ]
As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing
calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' could cause the
memory referenced by BPF_KPTR_{REF,PERCPU} fields to be held until the
map gets freed.
Fix this by calling 'bpf_obj_free_fields()' after
'copy_map_value[,_long]()' in 'pcpu_copy_value()'.
Fixes: 65334e64a493 ("bpf: Support kptrs in percpu hashmap and percpu LRU hashmap")
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20251105151407.12723-2-leon.hwang@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/hashtab.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 8a3eadf17f785..8bac6ae1204dc 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -957,15 +957,21 @@ static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
static void pcpu_copy_value(struct bpf_htab *htab, void __percpu *pptr,
void *value, bool onallcpus)
{
+ void *ptr;
+
if (!onallcpus) {
/* copy true value_size bytes */
- copy_map_value(&htab->map, this_cpu_ptr(pptr), value);
+ ptr = this_cpu_ptr(pptr);
+ copy_map_value(&htab->map, ptr, value);
+ bpf_obj_free_fields(htab->map.record, ptr);
} else {
u32 size = round_up(htab->map.value_size, 8);
int off = 0, cpu;
for_each_possible_cpu(cpu) {
- copy_map_value_long(&htab->map, per_cpu_ptr(pptr, cpu), value + off);
+ ptr = per_cpu_ptr(pptr, cpu);
+ copy_map_value_long(&htab->map, ptr, value + off);
+ bpf_obj_free_fields(htab->map.record, ptr);
off += size;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 154/737] PCI: keystone: Exit ks_pcie_probe() for invalid mode
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 153/737] bpf: Free special fields when update [lru_,]percpu_hash maps Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 155/737] arm64: dts: rockchip: Move the EEPROM to correct I2C bus on Radxa ROCK 5A Greg Kroah-Hartman
` (593 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli,
Manivannan Sadhasivam, Bjorn Helgaas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
[ Upstream commit 95d9c3f0e4546eaec0977f3b387549a8463cd49f ]
Commit under Fixes introduced support for PCIe EP mode on AM654x platforms.
When the mode happens to be either "DW_PCIE_RC_TYPE" or "DW_PCIE_EP_TYPE",
the PCIe Controller is configured accordingly. However, when the mode is
neither of them, an error message is displayed, but the driver probe
succeeds. Since this "invalid" mode is not associated with a functional
PCIe Controller, the probe should fail.
Fix the behavior by exiting "ks_pcie_probe()" with the return value of
"-EINVAL" in addition to displaying the existing error message when the
mode is invalid.
Fixes: 23284ad677a9 ("PCI: keystone: Add support for PCIe EP in AM654x Platforms")
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20251029080547.1253757-4-s-vadapalli@ti.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pci-keystone.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
index 9055ce34c636b..7dcb9a9f385ee 100644
--- a/drivers/pci/controller/dwc/pci-keystone.c
+++ b/drivers/pci/controller/dwc/pci-keystone.c
@@ -1341,6 +1341,8 @@ static int ks_pcie_probe(struct platform_device *pdev)
break;
default:
dev_err(dev, "INVALID device type %d\n", mode);
+ ret = -EINVAL;
+ goto err_get_sync;
}
ks_pcie_enable_error_irq(ks_pcie);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 155/737] arm64: dts: rockchip: Move the EEPROM to correct I2C bus on Radxa ROCK 5A
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 154/737] PCI: keystone: Exit ks_pcie_probe() for invalid mode Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 156/737] arm64: dts: rockchip: Add eeprom vcc-supply for " Greg Kroah-Hartman
` (592 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, FUKAUMI Naoki, Heiko Stuebner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: FUKAUMI Naoki <naoki@radxa.com>
[ Upstream commit 92e6e0b0e595afdda6296c760551ad3ffe9d5231 ]
The BL24C16 EEPROM chip found on Radxa ROCK 5A is connected to the
i2c0 bus, [1] so move the eeprom node from the i2c2 bus to the i2c0
bus.
[1] Link: https://dl.radxa.com/rock5/5a/docs/hw/radxa_rock5a_V1.1_sch.pdf p.19
Fixes: 89c880808cff8 ("arm64: dts: rockchip: add I2C EEPROM to rock-5a")
Signed-off-by: FUKAUMI Naoki <naoki@radxa.com>
Link: https://patch.msgid.link/20251112035133.28753-2-naoki@radxa.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts b/arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts
index 68763714f7f7b..f60243e2b3c39 100644
--- a/arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts
@@ -184,6 +184,12 @@ regulator-state-mem {
regulator-off-in-suspend;
};
};
+
+ eeprom: eeprom@50 {
+ compatible = "belling,bl24c16a", "atmel,24c16";
+ reg = <0x50>;
+ pagesize = <16>;
+ };
};
&i2c2 {
@@ -205,12 +211,6 @@ regulator-state-mem {
regulator-off-in-suspend;
};
};
-
- eeprom: eeprom@50 {
- compatible = "belling,bl24c16a", "atmel,24c16";
- reg = <0x50>;
- pagesize = <16>;
- };
};
&i2c3 {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 156/737] arm64: dts: rockchip: Add eeprom vcc-supply for Radxa ROCK 5A
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 155/737] arm64: dts: rockchip: Move the EEPROM to correct I2C bus on Radxa ROCK 5A Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 157/737] ps3disk: use memcpy_{from,to}_bvec index Greg Kroah-Hartman
` (591 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, FUKAUMI Naoki, Heiko Stuebner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: FUKAUMI Naoki <naoki@radxa.com>
[ Upstream commit 3069ff1930aa71e125874c780ffaa6caeda5800a ]
The VCC supply for the BL24C16 EEPROM chip found on Radxa ROCK 5A is
vcc_3v3_pmu, which is routed to vcc_3v3_s3 via a zero-ohm resistor. [1]
Describe this supply.
[1] https://dl.radxa.com/rock5/5a/docs/hw/radxa_rock5a_V1.1_sch.pdf p.4, p.19
Fixes: 89c880808cff8 ("arm64: dts: rockchip: add I2C EEPROM to rock-5a")
Signed-off-by: FUKAUMI Naoki <naoki@radxa.com>
Link: https://patch.msgid.link/20251112035133.28753-3-naoki@radxa.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts b/arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts
index f60243e2b3c39..cd8bd50b35778 100644
--- a/arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3588s-rock-5a.dts
@@ -189,6 +189,7 @@ eeprom: eeprom@50 {
compatible = "belling,bl24c16a", "atmel,24c16";
reg = <0x50>;
pagesize = <16>;
+ vcc-supply = <&vcc_3v3_pmu>;
};
};
@@ -518,7 +519,7 @@ regulator-state-mem {
};
};
- vcc_3v3_s3: dcdc-reg8 {
+ vcc_3v3_pmu: vcc_3v3_s3: dcdc-reg8 {
regulator-name = "vcc_3v3_s3";
regulator-always-on;
regulator-boot-on;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 157/737] ps3disk: use memcpy_{from,to}_bvec index
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 156/737] arm64: dts: rockchip: Add eeprom vcc-supply for " Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 158/737] bpf: Handle return value of ftrace_set_filter_ip in register_fentry Greg Kroah-Hartman
` (590 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Christoph Hellwig,
Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rene Rebe <rene@exactco.de>
[ Upstream commit 79bd8c9814a273fa7ba43399e1c07adec3fc95db ]
With 6e0a48552b8c (ps3disk: use memcpy_{from,to}_bvec) converting
ps3disk to new bvec helpers, incrementing the offset was accidently
lost, corrupting consecutive buffers. Restore index for non-corrupted
data transfers.
Fixes: 6e0a48552b8c (ps3disk: use memcpy_{from,to}_bvec)
Signed-off-by: René Rebe <rene@exactco.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/ps3disk.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/block/ps3disk.c b/drivers/block/ps3disk.c
index 36d7b36c60c76..79d3779e1c7ad 100644
--- a/drivers/block/ps3disk.c
+++ b/drivers/block/ps3disk.c
@@ -85,10 +85,14 @@ static void ps3disk_scatter_gather(struct ps3_storage_device *dev,
struct bio_vec bvec;
rq_for_each_segment(bvec, req, iter) {
+ dev_dbg(&dev->sbd.core, "%s:%u: %u sectors from %llu\n",
+ __func__, __LINE__, bio_sectors(iter.bio),
+ iter.bio->bi_iter.bi_sector);
if (gather)
memcpy_from_bvec(dev->bounce_buf + offset, &bvec);
else
memcpy_to_bvec(&bvec, dev->bounce_buf + offset);
+ offset += bvec.bv_len;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 158/737] bpf: Handle return value of ftrace_set_filter_ip in register_fentry
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 157/737] ps3disk: use memcpy_{from,to}_bvec index Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 159/737] selftests/bpf: Fix failure paths in send_signal test Greg Kroah-Hartman
` (589 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Menglong Dong, Song Liu,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Menglong Dong <menglong8.dong@gmail.com>
[ Upstream commit fea3f5e83c5cd80a76d97343023a2f2e6bd862bf ]
The error that returned by ftrace_set_filter_ip() in register_fentry() is
not handled properly. Just fix it.
Fixes: 00963a2e75a8 ("bpf: Support bpf_trampoline on functions with IPMODIFY (e.g. livepatch)")
Signed-off-by: Menglong Dong <dongml2@chinatelecom.cn>
Acked-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20251110120705.1553694-1-dongml2@chinatelecom.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/trampoline.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index b6024fc903490..f8a58b4130701 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -216,7 +216,9 @@ static int register_fentry(struct bpf_trampoline *tr, void *new_addr)
}
if (tr->func.ftrace_managed) {
- ftrace_set_filter_ip(tr->fops, (unsigned long)ip, 0, 1);
+ ret = ftrace_set_filter_ip(tr->fops, (unsigned long)ip, 0, 1);
+ if (ret)
+ return ret;
ret = register_ftrace_direct(tr->fops, (long)new_addr);
} else {
ret = bpf_arch_text_poke(ip, BPF_MOD_CALL, NULL, new_addr);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 159/737] selftests/bpf: Fix failure paths in send_signal test
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 158/737] bpf: Handle return value of ftrace_set_filter_ip in register_fentry Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 160/737] bpf: Check skb->transport_header is set in bpf_skb_check_mtu Greg Kroah-Hartman
` (588 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexei Starovoitov, Andrii Nakryiko,
Eduard Zingerman, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Starovoitov <ast@kernel.org>
[ Upstream commit c13339039891dbdfa6c1972f0483bd07f610b776 ]
When test_send_signal_kern__open_and_load() fails parent closes the
pipe which cases ASSERT_EQ(read(pipe_p2c...)) to fail, but child
continues and enters infinite loop, while parent is stuck in wait(NULL).
Other error paths have similar issue, so kill the child before waiting on it.
The bug was discovered while compiling all of selftests with -O1 instead of -O2
which caused progs/test_send_signal_kern.c to fail to load.
Fixes: ab8b7f0cb358 ("tools/bpf: Add self tests for bpf_send_signal_thread()")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20251113171153.2583-1-alexei.starovoitov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/prog_tests/send_signal.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/send_signal.c b/tools/testing/selftests/bpf/prog_tests/send_signal.c
index 9adcda7f1fedc..61c9035000149 100644
--- a/tools/testing/selftests/bpf/prog_tests/send_signal.c
+++ b/tools/testing/selftests/bpf/prog_tests/send_signal.c
@@ -145,6 +145,11 @@ static void test_send_signal_common(struct perf_event_attr *attr,
skel_open_load_failure:
close(pipe_c2p[0]);
close(pipe_p2c[1]);
+ /*
+ * Child is either about to exit cleanly or stuck in case of errors.
+ * Nudge it to exit.
+ */
+ kill(pid, SIGKILL);
wait(NULL);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 160/737] bpf: Check skb->transport_header is set in bpf_skb_check_mtu
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 159/737] selftests/bpf: Fix failure paths in send_signal test Greg Kroah-Hartman
@ 2026-01-09 11:34 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 161/737] watchdog: wdat_wdt: Fix ACPI table leak in probe function Greg Kroah-Hartman
` (587 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:34 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesper Dangaard Brouer, Kaiyan Mei,
Yinhao Hu, Martin KaFai Lau, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin KaFai Lau <martin.lau@kernel.org>
[ Upstream commit d946f3c98328171fa50ddb908593cf833587f725 ]
The bpf_skb_check_mtu helper needs to use skb->transport_header when
the BPF_MTU_CHK_SEGS flag is used:
bpf_skb_check_mtu(skb, ifindex, &mtu_len, 0, BPF_MTU_CHK_SEGS)
The transport_header is not always set. There is a WARN_ON_ONCE
report when CONFIG_DEBUG_NET is enabled + skb->gso_size is set +
bpf_prog_test_run is used:
WARNING: CPU: 1 PID: 2216 at ./include/linux/skbuff.h:3071
skb_gso_validate_network_len
bpf_skb_check_mtu
bpf_prog_3920e25740a41171_tc_chk_segs_flag # A test in the next patch
bpf_test_run
bpf_prog_test_run_skb
For a normal ingress skb (not test_run), skb_reset_transport_header
is performed but there is plan to avoid setting it as described in
commit 2170a1f09148 ("net: no longer reset transport_header in __netif_receive_skb_core()").
This patch fixes the bpf helper by checking
skb_transport_header_was_set(). The check is done just before
skb->transport_header is used, to avoid breaking the existing bpf prog.
The WARN_ON_ONCE is limited to bpf_prog_test_run, so targeting bpf-next.
Fixes: 34b2021cc616 ("bpf: Add BPF-helper for MTU checking")
Cc: Jesper Dangaard Brouer <hawk@kernel.org>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://lore.kernel.org/r/20251112232331.1566074-1-martin.lau@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 0564ee6ac8731..da1a617b7db94 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6295,9 +6295,12 @@ BPF_CALL_5(bpf_skb_check_mtu, struct sk_buff *, skb,
*/
if (skb_is_gso(skb)) {
ret = BPF_MTU_CHK_RET_SUCCESS;
- if (flags & BPF_MTU_CHK_SEGS &&
- !skb_gso_validate_network_len(skb, mtu))
- ret = BPF_MTU_CHK_RET_SEGS_TOOBIG;
+ if (flags & BPF_MTU_CHK_SEGS) {
+ if (!skb_transport_header_was_set(skb))
+ return -EINVAL;
+ if (!skb_gso_validate_network_len(skb, mtu))
+ ret = BPF_MTU_CHK_RET_SEGS_TOOBIG;
+ }
}
out:
*mtu_len = mtu;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 161/737] watchdog: wdat_wdt: Fix ACPI table leak in probe function
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-01-09 11:34 ` [PATCH 6.6 160/737] bpf: Check skb->transport_header is set in bpf_skb_check_mtu Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 162/737] watchdog: starfive: Fix resource leak in probe error path Greg Kroah-Hartman
` (586 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Haotian Zhang,
Wim Van Sebroeck, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 25c0b472eab8379683d4eef681185c104bed8ffd ]
wdat_wdt_probe() calls acpi_get_table() to obtain the WDAT ACPI table but
never calls acpi_put_table() on any paths. This causes a permanent ACPI
table memory leak.
Add a single cleanup path which calls acpi_put_table() to ensure
the ACPI table is always released.
Fixes: 058dfc767008 ("ACPI / watchdog: Add support for WDAT hardware watchdog")
Suggested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/wdat_wdt.c | 64 +++++++++++++++++++++++++------------
1 file changed, 43 insertions(+), 21 deletions(-)
diff --git a/drivers/watchdog/wdat_wdt.c b/drivers/watchdog/wdat_wdt.c
index 0ba99bed59fc4..02fbe05c37a08 100644
--- a/drivers/watchdog/wdat_wdt.c
+++ b/drivers/watchdog/wdat_wdt.c
@@ -326,19 +326,27 @@ static int wdat_wdt_probe(struct platform_device *pdev)
return -ENODEV;
wdat = devm_kzalloc(dev, sizeof(*wdat), GFP_KERNEL);
- if (!wdat)
- return -ENOMEM;
+ if (!wdat) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
regs = devm_kcalloc(dev, pdev->num_resources, sizeof(*regs),
GFP_KERNEL);
- if (!regs)
- return -ENOMEM;
+ if (!regs) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
/* WDAT specification wants to have >= 1ms period */
- if (tbl->timer_period < 1)
- return -EINVAL;
- if (tbl->min_count > tbl->max_count)
- return -EINVAL;
+ if (tbl->timer_period < 1) {
+ ret = -EINVAL;
+ goto out_put_table;
+ }
+ if (tbl->min_count > tbl->max_count) {
+ ret = -EINVAL;
+ goto out_put_table;
+ }
wdat->period = tbl->timer_period;
wdat->wdd.min_timeout = DIV_ROUND_UP(wdat->period * tbl->min_count, 1000);
@@ -355,15 +363,20 @@ static int wdat_wdt_probe(struct platform_device *pdev)
res = &pdev->resource[i];
if (resource_type(res) == IORESOURCE_MEM) {
reg = devm_ioremap_resource(dev, res);
- if (IS_ERR(reg))
- return PTR_ERR(reg);
+ if (IS_ERR(reg)) {
+ ret = PTR_ERR(reg);
+ goto out_put_table;
+ }
} else if (resource_type(res) == IORESOURCE_IO) {
reg = devm_ioport_map(dev, res->start, 1);
- if (!reg)
- return -ENOMEM;
+ if (!reg) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
} else {
dev_err(dev, "Unsupported resource\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto out_put_table;
}
regs[i] = reg;
@@ -385,8 +398,10 @@ static int wdat_wdt_probe(struct platform_device *pdev)
}
instr = devm_kzalloc(dev, sizeof(*instr), GFP_KERNEL);
- if (!instr)
- return -ENOMEM;
+ if (!instr) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
INIT_LIST_HEAD(&instr->node);
instr->entry = entries[i];
@@ -417,7 +432,8 @@ static int wdat_wdt_probe(struct platform_device *pdev)
if (!instr->reg) {
dev_err(dev, "I/O resource not found\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto out_put_table;
}
instructions = wdat->instructions[action];
@@ -425,8 +441,10 @@ static int wdat_wdt_probe(struct platform_device *pdev)
instructions = devm_kzalloc(dev,
sizeof(*instructions),
GFP_KERNEL);
- if (!instructions)
- return -ENOMEM;
+ if (!instructions) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
INIT_LIST_HEAD(instructions);
wdat->instructions[action] = instructions;
@@ -443,7 +461,7 @@ static int wdat_wdt_probe(struct platform_device *pdev)
ret = wdat_wdt_enable_reboot(wdat);
if (ret)
- return ret;
+ goto out_put_table;
platform_set_drvdata(pdev, wdat);
@@ -460,12 +478,16 @@ static int wdat_wdt_probe(struct platform_device *pdev)
ret = wdat_wdt_set_timeout(&wdat->wdd, timeout);
if (ret)
- return ret;
+ goto out_put_table;
watchdog_set_nowayout(&wdat->wdd, nowayout);
watchdog_stop_on_reboot(&wdat->wdd);
watchdog_stop_on_unregister(&wdat->wdd);
- return devm_watchdog_register_device(dev, &wdat->wdd);
+ ret = devm_watchdog_register_device(dev, &wdat->wdd);
+
+out_put_table:
+ acpi_put_table((struct acpi_table_header *)tbl);
+ return ret;
}
static int wdat_wdt_suspend_noirq(struct device *dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 162/737] watchdog: starfive: Fix resource leak in probe error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 161/737] watchdog: wdat_wdt: Fix ACPI table leak in probe function Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 163/737] tracefs: fix a leak in eventfs_create_events_dir() Greg Kroah-Hartman
` (585 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Wim Van Sebroeck,
Guenter Roeck, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 5bcc5786a0cfa9249ccbe539833040a6285d0de3 ]
If pm_runtime_put_sync() fails after watchdog_register_device()
succeeds, the probe function jumps to err_exit without
unregistering the watchdog device. This leaves the watchdog
registered in the subsystem while the driver fails to load,
resulting in a resource leak.
Add a new error label err_unregister_wdt to properly unregister
the watchdog device.
Fixes: 8bc22a2f1bf0 ("watchdog: starfive: Check pm_runtime_enabled() before decrementing usage counter")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/starfive-wdt.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/watchdog/starfive-wdt.c b/drivers/watchdog/starfive-wdt.c
index e4b344db38030..0606142ffc5e2 100644
--- a/drivers/watchdog/starfive-wdt.c
+++ b/drivers/watchdog/starfive-wdt.c
@@ -498,12 +498,14 @@ static int starfive_wdt_probe(struct platform_device *pdev)
if (pm_runtime_enabled(&pdev->dev)) {
ret = pm_runtime_put_sync(&pdev->dev);
if (ret)
- goto err_exit;
+ goto err_unregister_wdt;
}
}
return 0;
+err_unregister_wdt:
+ watchdog_unregister_device(&wdt->wdd);
err_exit:
starfive_wdt_disable_clock(wdt);
pm_runtime_disable(&pdev->dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 163/737] tracefs: fix a leak in eventfs_create_events_dir()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 162/737] watchdog: starfive: Fix resource leak in probe error path Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 164/737] NFSD/blocklayout: Fix minlength check in proc_layoutget Greg Kroah-Hartman
` (584 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google), Al Viro,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit 798a401660a151633cb171738a72a8f1efb9b0b4 ]
If we have LOCKDOWN_TRACEFS, the function bails out - *after*
having locked the parent directory and without bothering to
undo that. Just check it before tracefs_start_creating()...
Fixes: e24709454c45 "tracefs/eventfs: Add missing lockdown checks"
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/tracefs/event_inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c
index 73a08db3b7a85..4190e61550449 100644
--- a/fs/tracefs/event_inode.c
+++ b/fs/tracefs/event_inode.c
@@ -827,7 +827,7 @@ struct eventfs_inode *eventfs_create_events_dir(const char *name, struct dentry
const struct eventfs_entry *entries,
int size, void *data)
{
- struct dentry *dentry = tracefs_start_creating(name, parent);
+ struct dentry *dentry;
struct eventfs_root_inode *rei;
struct eventfs_inode *ei;
struct tracefs_inode *ti;
@@ -838,6 +838,7 @@ struct eventfs_inode *eventfs_create_events_dir(const char *name, struct dentry
if (security_locked_down(LOCKDOWN_TRACEFS))
return NULL;
+ dentry = tracefs_start_creating(name, parent);
if (IS_ERR(dentry))
return ERR_CAST(dentry);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 164/737] NFSD/blocklayout: Fix minlength check in proc_layoutget
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 163/737] tracefs: fix a leak in eventfs_create_events_dir() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 165/737] drm/msm/a2xx: stop over-complaining about the legacy firmware Greg Kroah-Hartman
` (583 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Bashirov, Christoph Hellwig,
Chuck Lever, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit 3524b021b0ec620a76c89aee78e9d4b4130fb711 ]
The extent returned by the file system may have a smaller offset than
the segment offset requested by the client. In this case, the minimum
segment length must be checked against the requested range. Otherwise,
the client may not be able to continue the read/write operation.
Fixes: 8650b8a05850 ("nfsd: pNFS block layout driver")
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/blocklayout.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/nfsd/blocklayout.c b/fs/nfsd/blocklayout.c
index 59f119cce3dc6..3a9415fd77546 100644
--- a/fs/nfsd/blocklayout.c
+++ b/fs/nfsd/blocklayout.c
@@ -23,6 +23,7 @@ nfsd4_block_proc_layoutget(struct inode *inode, const struct svc_fh *fhp,
{
struct nfsd4_layout_seg *seg = &args->lg_seg;
struct super_block *sb = inode->i_sb;
+ u64 length;
u32 block_size = i_blocksize(inode);
struct pnfs_block_extent *bex;
struct iomap iomap;
@@ -53,7 +54,8 @@ nfsd4_block_proc_layoutget(struct inode *inode, const struct svc_fh *fhp,
goto out_error;
}
- if (iomap.length < args->lg_minlength) {
+ length = iomap.offset + iomap.length - seg->offset;
+ if (length < args->lg_minlength) {
dprintk("pnfsd: extent smaller than minlength\n");
goto out_layoutunavailable;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 165/737] drm/msm/a2xx: stop over-complaining about the legacy firmware
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 164/737] NFSD/blocklayout: Fix minlength check in proc_layoutget Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 166/737] wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() Greg Kroah-Hartman
` (582 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Rob Clark,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
[ Upstream commit a3a22373fce576560757f5616eb48dbf85891d9c ]
If the rootfs have a legacy A200 firmware, currently the driver will
complain each time the hw is reinited (which can happen a lot). E.g.
with GL testsuite the hw is reinited after each test, spamming the
console.
Make sure that the message is printed only once: when we detect the
firmware that doesn't support protection.
Fixes: 302295070d3c ("drm/msm/a2xx: support loading legacy (iMX) firmware")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/688098/
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a2xx_gpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/adreno/a2xx_gpu.c b/drivers/gpu/drm/msm/adreno/a2xx_gpu.c
index 0d8133f3174be..535c89ce5d62e 100644
--- a/drivers/gpu/drm/msm/adreno/a2xx_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/a2xx_gpu.c
@@ -234,7 +234,7 @@ static int a2xx_hw_init(struct msm_gpu *gpu)
* word (0x20xxxx for A200, 0x220xxx for A220, 0x225xxx for A225).
* Older firmware files, which lack protection support, have 0 instead.
*/
- if (ptr[1] == 0) {
+ if (ptr[1] == 0 && !a2xx_gpu->protection_disabled) {
dev_warn(gpu->dev->dev,
"Legacy firmware detected, disabling protection support\n");
a2xx_gpu->protection_disabled = true;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 166/737] wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 165/737] drm/msm/a2xx: stop over-complaining about the legacy firmware Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 167/737] bpf: Improve program stats run-time calculation Greg Kroah-Hartman
` (581 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Ping-Ke Shih,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit 9b5b9c042b30befc5b37e4539ace95af70843473 ]
In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA
allocations in a loop. When an allocation fails, the previously
successful allocations are not freed on exit.
Fix that by jumping to err_free_rings label on error, which calls
rtl8180_free_rx_ring() to free the allocations. Remove the free of
rx_ring in rtl8180_init_rx_ring() error path, and set the freed
priv->rx_buf entry to null, to avoid double free.
Fixes: f653211197f3 ("Add rtl8180 wireless driver")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20251114094527.79842-1-nihaal@cse.iitm.ac.in
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
index f6c25a52b69a9..fa8d8e216bd0f 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
@@ -1023,9 +1023,6 @@ static int rtl8180_init_rx_ring(struct ieee80211_hw *dev)
dma_addr_t *mapping;
entry = priv->rx_ring + priv->rx_ring_sz*i;
if (!skb) {
- dma_free_coherent(&priv->pdev->dev,
- priv->rx_ring_sz * 32,
- priv->rx_ring, priv->rx_ring_dma);
wiphy_err(dev->wiphy, "Cannot allocate RX skb\n");
return -ENOMEM;
}
@@ -1037,9 +1034,7 @@ static int rtl8180_init_rx_ring(struct ieee80211_hw *dev)
if (dma_mapping_error(&priv->pdev->dev, *mapping)) {
kfree_skb(skb);
- dma_free_coherent(&priv->pdev->dev,
- priv->rx_ring_sz * 32,
- priv->rx_ring, priv->rx_ring_dma);
+ priv->rx_buf[i] = NULL;
wiphy_err(dev->wiphy, "Cannot map DMA for RX skb\n");
return -ENOMEM;
}
@@ -1130,7 +1125,7 @@ static int rtl8180_start(struct ieee80211_hw *dev)
ret = rtl8180_init_rx_ring(dev);
if (ret)
- return ret;
+ goto err_free_rings;
for (i = 0; i < (dev->queues + 1); i++)
if ((ret = rtl8180_init_tx_ring(dev, i, 16)))
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 167/737] bpf: Improve program stats run-time calculation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 166/737] wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 168/737] bpf: Fix invalid prog->stats access when update_effective_progs fails Greg Kroah-Hartman
` (580 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jose Fernandez, Daniel Borkmann,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jose Fernandez <josef@netflix.com>
[ Upstream commit ce09cbdd988887662546a1175bcfdfc6c8fdd150 ]
This patch improves the run-time calculation for program stats by
capturing the duration as soon as possible after the program returns.
Previously, the duration included u64_stats_t operations. While the
instrumentation overhead is part of the total time spent when stats are
enabled, distinguishing between the program's native execution time and
the time spent due to instrumentation is crucial for accurate
performance analysis.
By making this change, the patch facilitates more precise optimization
of BPF programs, enabling users to understand their performance in
environments without stats enabled.
I used a virtualized environment to measure the run-time over one minute
for a basic raw_tracepoint/sys_enter program, which just increments a
local counter. Although the virtualization introduced some performance
degradation that could affect the results, I observed approximately a
16% decrease in average run-time reported by stats with this change
(310 -> 260 nsec).
Signed-off-by: Jose Fernandez <josef@netflix.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20240402034010.25060-1-josef@netflix.com
Stable-dep-of: 7dc211c1159d ("bpf: Fix invalid prog->stats access when update_effective_progs fails")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/filter.h | 6 ++++--
kernel/bpf/trampoline.c | 3 ++-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index ad5a3d68b5552..f9fb83be935d4 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -599,14 +599,16 @@ static __always_inline u32 __bpf_prog_run(const struct bpf_prog *prog,
cant_migrate();
if (static_branch_unlikely(&bpf_stats_enabled_key)) {
struct bpf_prog_stats *stats;
- u64 start = sched_clock();
+ u64 duration, start = sched_clock();
unsigned long flags;
ret = dfunc(ctx, prog->insnsi, prog->bpf_func);
+
+ duration = sched_clock() - start;
stats = this_cpu_ptr(prog->stats);
flags = u64_stats_update_begin_irqsave(&stats->syncp);
u64_stats_inc(&stats->cnt);
- u64_stats_add(&stats->nsecs, sched_clock() - start);
+ u64_stats_add(&stats->nsecs, duration);
u64_stats_update_end_irqrestore(&stats->syncp, flags);
} else {
ret = dfunc(ctx, prog->insnsi, prog->bpf_func);
diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index f8a58b4130701..e48791442acc5 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -870,12 +870,13 @@ static void notrace update_prog_stats(struct bpf_prog *prog,
* Hence check that 'start' is valid.
*/
start > NO_START_TIME) {
+ u64 duration = sched_clock() - start;
unsigned long flags;
stats = this_cpu_ptr(prog->stats);
flags = u64_stats_update_begin_irqsave(&stats->syncp);
u64_stats_inc(&stats->cnt);
- u64_stats_add(&stats->nsecs, sched_clock() - start);
+ u64_stats_add(&stats->nsecs, duration);
u64_stats_update_end_irqrestore(&stats->syncp, flags);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 168/737] bpf: Fix invalid prog->stats access when update_effective_progs fails
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 167/737] bpf: Improve program stats run-time calculation Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 169/737] powerpc/64s/hash: Restrict stress_hpt_struct memblock region to within RMA limit Greg Kroah-Hartman
` (579 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pu Lehui, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pu Lehui <pulehui@huawei.com>
[ Upstream commit 7dc211c1159d991db609bdf4b0fb9033c04adcbc ]
Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:
__cgroup_bpf_detach
update_effective_progs
compute_effective_progs
bpf_prog_array_alloc <-- fault inject
purge_effective_progs
/* change to dummy_bpf_prog */
array->items[index] = &dummy_bpf_prog.prog
---softirq start---
__do_softirq
...
__cgroup_bpf_run_filter_skb
__bpf_prog_run_save_cb
bpf_prog_run
stats = this_cpu_ptr(prog->stats)
/* invalid memory access */
flags = u64_stats_update_begin_irqsave(&stats->syncp)
---softirq end---
static_branch_dec(&cgroup_bpf_enabled_key[atype])
The reason is that fault injection caused update_effective_progs to fail
and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the members of
dummy_bpf_prog.prog in the softirq triggers invalid mem access.
To fix it, skip updating stats when stats is NULL.
Fixes: 492ecee892c2 ("bpf: enable program stats")
Signed-off-by: Pu Lehui <pulehui@huawei.com>
Link: https://lore.kernel.org/r/20251115102343.2200727-1-pulehui@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/filter.h | 12 +++++++-----
kernel/bpf/syscall.c | 3 +++
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index f9fb83be935d4..30fe140d48888 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -605,11 +605,13 @@ static __always_inline u32 __bpf_prog_run(const struct bpf_prog *prog,
ret = dfunc(ctx, prog->insnsi, prog->bpf_func);
duration = sched_clock() - start;
- stats = this_cpu_ptr(prog->stats);
- flags = u64_stats_update_begin_irqsave(&stats->syncp);
- u64_stats_inc(&stats->cnt);
- u64_stats_add(&stats->nsecs, duration);
- u64_stats_update_end_irqrestore(&stats->syncp, flags);
+ if (likely(prog->stats)) {
+ stats = this_cpu_ptr(prog->stats);
+ flags = u64_stats_update_begin_irqsave(&stats->syncp);
+ u64_stats_inc(&stats->cnt);
+ u64_stats_add(&stats->nsecs, duration);
+ u64_stats_update_end_irqrestore(&stats->syncp, flags);
+ }
} else {
ret = dfunc(ctx, prog->insnsi, prog->bpf_func);
}
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 98f3f206d112e..63cf5a221081b 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2224,6 +2224,9 @@ void notrace bpf_prog_inc_misses_counter(struct bpf_prog *prog)
struct bpf_prog_stats *stats;
unsigned int flags;
+ if (unlikely(!prog->stats))
+ return;
+
stats = this_cpu_ptr(prog->stats);
flags = u64_stats_update_begin_irqsave(&stats->syncp);
u64_stats_inc(&stats->misses);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 169/737] powerpc/64s/hash: Restrict stress_hpt_struct memblock region to within RMA limit
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 168/737] bpf: Fix invalid prog->stats access when update_effective_progs fails Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 170/737] powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format Greg Kroah-Hartman
` (578 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM),
Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
[ Upstream commit 17b45ccf09882e0c808ad2cf62acdc90ad968746 ]
When HV=0 & IR/DR=0, the Hash MMU is said to be in Virtual Real
Addressing Mode during early boot. During this, we should ensure that
memory region allocations for stress_hpt_struct should happen from
within RMA region as otherwise the boot might get stuck while doing
memset of this region.
History behind why do we have RMA region limitation is better explained
in these 2 patches [1] & [2]. This patch ensures that memset to
stress_hpt_struct during early boot does not cross ppc64_rma_size
boundary.
[1]: https://lore.kernel.org/all/20190710052018.14628-1-sjitindarsingh@gmail.com/
[2]: https://lore.kernel.org/all/87wp54usvj.fsf@linux.vnet.ibm.com/
Fixes: 6b34a099faa12 ("powerpc/64s/hash: add stress_hpt kernel boot option to increase hash faults")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/ada1173933ea7617a994d6ee3e54ced8797339fc.1761834163.git.ritesh.list@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/mm/book3s64/hash_utils.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc/mm/book3s64/hash_utils.c b/arch/powerpc/mm/book3s64/hash_utils.c
index ad2afa08e62ed..4f09d295e5188 100644
--- a/arch/powerpc/mm/book3s64/hash_utils.c
+++ b/arch/powerpc/mm/book3s64/hash_utils.c
@@ -1032,11 +1032,14 @@ static void __init htab_initialize(void)
unsigned long table;
unsigned long pteg_count;
unsigned long prot;
- phys_addr_t base = 0, size = 0, end;
+ phys_addr_t base = 0, size = 0, end, limit = MEMBLOCK_ALLOC_ANYWHERE;
u64 i;
DBG(" -> htab_initialize()\n");
+ if (firmware_has_feature(FW_FEATURE_LPAR))
+ limit = ppc64_rma_size;
+
if (mmu_has_feature(MMU_FTR_1T_SEGMENT)) {
mmu_kernel_ssize = MMU_SEGSIZE_1T;
mmu_highuser_ssize = MMU_SEGSIZE_1T;
@@ -1052,7 +1055,7 @@ static void __init htab_initialize(void)
// Too early to use nr_cpu_ids, so use NR_CPUS
tmp = memblock_phys_alloc_range(sizeof(struct stress_hpt_struct) * NR_CPUS,
__alignof__(struct stress_hpt_struct),
- 0, MEMBLOCK_ALLOC_ANYWHERE);
+ MEMBLOCK_LOW_LIMIT, limit);
memset((void *)tmp, 0xff, sizeof(struct stress_hpt_struct) * NR_CPUS);
stress_hpt_struct = __va(tmp);
@@ -1086,7 +1089,6 @@ static void __init htab_initialize(void)
mmu_hash_ops.hpte_clear_all();
#endif
} else {
- unsigned long limit = MEMBLOCK_ALLOC_ANYWHERE;
#ifdef CONFIG_PPC_CELL
/*
@@ -1102,7 +1104,7 @@ static void __init htab_initialize(void)
table = memblock_phys_alloc_range(htab_size_bytes,
htab_size_bytes,
- 0, limit);
+ MEMBLOCK_LOW_LIMIT, limit);
if (!table)
panic("ERROR: Failed to allocate %pa bytes below %pa\n",
&htab_size_bytes, &limit);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 170/737] powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 169/737] powerpc/64s/hash: Restrict stress_hpt_struct memblock region to within RMA limit Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 171/737] fs/ntfs3: out1 also needs to put mi Greg Kroah-Hartman
` (577 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM),
Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
[ Upstream commit eae40a6da63faa9fb63ff61f8fa2b3b57da78a84 ]
HPTE format was changed since Power9 (ISA 3.0) onwards. While dumping
kernel hash page tables, nothing gets printed on powernv P9+. This patch
utilizes the helpers added in the patch tagged as fixes, to convert new
format to old format and dump the hptes. This fix is only needed for
native_find() (powernv), since pseries continues to work fine with the
old format.
Fixes: 6b243fcfb5f1e ("powerpc/64: Simplify adaptation to new ISA v3.00 HPTE format")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/4c2bb9e5b3cfbc0dd80b61b67cdd3ccfc632684c.1761834163.git.ritesh.list@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/mm/ptdump/hashpagetable.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/powerpc/mm/ptdump/hashpagetable.c b/arch/powerpc/mm/ptdump/hashpagetable.c
index 9a601587836b2..ee5e1dfe7932a 100644
--- a/arch/powerpc/mm/ptdump/hashpagetable.c
+++ b/arch/powerpc/mm/ptdump/hashpagetable.c
@@ -216,6 +216,8 @@ static int native_find(unsigned long ea, int psize, bool primary, u64 *v, u64
vpn = hpt_vpn(ea, vsid, ssize);
hash = hpt_hash(vpn, shift, ssize);
want_v = hpte_encode_avpn(vpn, psize, ssize);
+ if (cpu_has_feature(CPU_FTR_ARCH_300))
+ want_v = hpte_old_to_new_v(want_v);
/* to check in the secondary hash table, we invert the hash */
if (!primary)
@@ -229,6 +231,10 @@ static int native_find(unsigned long ea, int psize, bool primary, u64 *v, u64
/* HPTE matches */
*v = be64_to_cpu(hptep->v);
*r = be64_to_cpu(hptep->r);
+ if (cpu_has_feature(CPU_FTR_ARCH_300)) {
+ *v = hpte_new_to_old_v(*v, *r);
+ *r = hpte_new_to_old_r(*r);
+ }
return 0;
}
++hpte_group;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 171/737] fs/ntfs3: out1 also needs to put mi
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 170/737] powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 172/737] fs/ntfs3: Prevent memory leaks in add sub record Greg Kroah-Hartman
` (576 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis,
Konstantin Komarov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit 4d78d1173a653acdaf7500a32b8dc530ca4ad075 ]
After ntfs_look_free_mft() executes successfully, all subsequent code
that fails to execute must put mi.
Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/frecord.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index 5c45fec832b00..6ff10042a15f2 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -1067,9 +1067,9 @@ static int ni_ins_attr_ext(struct ntfs_inode *ni, struct ATTR_LIST_ENTRY *le,
out2:
ni_remove_mi(ni, mi);
- mi_put(mi);
out1:
+ mi_put(mi);
ntfs_mark_rec_free(sbi, rno, is_mft);
out:
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 172/737] fs/ntfs3: Prevent memory leaks in add sub record
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 171/737] fs/ntfs3: out1 also needs to put mi Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 173/737] drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue Greg Kroah-Hartman
` (575 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3932ccb896e06f7414c9,
Edward Adam Davis, Konstantin Komarov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit ccc4e86d1c24260c18ae94541198c3711c140da6 ]
If a rb node with the same ino already exists in the rb tree, the newly
alloced mft_inode in ni_add_subrecord() will not have its memory cleaned
up, which leads to the memory leak issue reported by syzbot.
The best option to avoid this issue is to put the newly alloced mft node
when a rb node with the same ino already exists in the rb tree and return
the rb node found in the rb tree to the parent layer.
syzbot reported:
BUG: memory leak
unreferenced object 0xffff888110bef280 (size 128):
backtrace (crc 126a088f):
ni_add_subrecord+0x31/0x180 fs/ntfs3/frecord.c:317
ntfs_look_free_mft+0xf0/0x790 fs/ntfs3/fsntfs.c:715
BUG: memory leak
unreferenced object 0xffff888109093400 (size 1024):
backtrace (crc 7197c55e):
mi_init+0x2b/0x50 fs/ntfs3/record.c:105
mi_format_new+0x40/0x220 fs/ntfs3/record.c:422
Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Reported-by: syzbot+3932ccb896e06f7414c9@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/frecord.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index 6ff10042a15f2..18e41faef8e68 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -378,8 +378,10 @@ bool ni_add_subrecord(struct ntfs_inode *ni, CLST rno, struct mft_inode **mi)
mi_get_ref(&ni->mi, &m->mrec->parent_ref);
- ni_add_mi(ni, m);
- *mi = m;
+ *mi = ni_ins_mi(ni, &ni->mi_tree, m->rno, &m->node);
+ if (*mi != m)
+ mi_put(m);
+
return true;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 173/737] drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 172/737] fs/ntfs3: Prevent memory leaks in add sub record Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 174/737] net/ipv6: Remove expired routes with a separated list of routes Greg Kroah-Hartman
` (574 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno, Jay Liu,
Chun-Kuang Hu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jay Liu <jay.liu@mediatek.com>
[ Upstream commit 20ac36b71c53b8c36c6903b5ca87c75226700a97 ]
if matrixbit is 11,
The range of color matrix is from 0 to (BIT(12) - 1).
Values from 0 to (BIT(11) - 1) represent positive numbers,
values from BIT(11) to (BIT(12) - 1) represent negative numbers.
For example, -1 need converted to 8191.
so convert S31.32 to HW Q2.11 format by drm_color_ctm_s31_32_to_qm_n,
and set int_bits to 2.
Fixes: 738ed4156fba ("drm/mediatek: Add matrix_bits private data for ccorr")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Jay Liu <jay.liu@mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250921055416.25588-2-jay.liu@mediatek.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_disp_ccorr.c | 23 +----------------------
1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_disp_ccorr.c b/drivers/gpu/drm/mediatek/mtk_disp_ccorr.c
index 4234ff7485e88..2126cb95ae920 100644
--- a/drivers/gpu/drm/mediatek/mtk_disp_ccorr.c
+++ b/drivers/gpu/drm/mediatek/mtk_disp_ccorr.c
@@ -80,27 +80,6 @@ void mtk_ccorr_stop(struct device *dev)
writel_relaxed(0x0, ccorr->regs + DISP_CCORR_EN);
}
-/* Converts a DRM S31.32 value to the HW S1.n format. */
-static u16 mtk_ctm_s31_32_to_s1_n(u64 in, u32 n)
-{
- u16 r;
-
- /* Sign bit. */
- r = in & BIT_ULL(63) ? BIT(n + 1) : 0;
-
- if ((in & GENMASK_ULL(62, 33)) > 0) {
- /* identity value 0x100000000 -> 0x400(mt8183), */
- /* identity value 0x100000000 -> 0x800(mt8192), */
- /* if bigger this, set it to max 0x7ff. */
- r |= GENMASK(n, 0);
- } else {
- /* take the n+1 most important bits. */
- r |= (in >> (32 - n)) & GENMASK(n, 0);
- }
-
- return r;
-}
-
void mtk_ccorr_ctm_set(struct device *dev, struct drm_crtc_state *state)
{
struct mtk_disp_ccorr *ccorr = dev_get_drvdata(dev);
@@ -119,7 +98,7 @@ void mtk_ccorr_ctm_set(struct device *dev, struct drm_crtc_state *state)
input = ctm->matrix;
for (i = 0; i < ARRAY_SIZE(coeffs); i++)
- coeffs[i] = mtk_ctm_s31_32_to_s1_n(input[i], matrix_bits);
+ coeffs[i] = drm_color_ctm_s31_32_to_qm_n(input[i], 2, matrix_bits);
mtk_ddp_write(cmdq_pkt, coeffs[0] << 16 | coeffs[1],
&ccorr->cmdq_reg, ccorr->regs, DISP_CCORR_COEF_0);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 174/737] net/ipv6: Remove expired routes with a separated list of routes.
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 173/737] drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 175/737] ipv6: clear RA flags when adding a static route Greg Kroah-Hartman
` (573 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Ahern, Kui-Feng Lee,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kui-Feng Lee <thinker.li@gmail.com>
[ Upstream commit 5eb902b8e7193cdcb33242af0a56502e6b5206e9 ]
FIB6 GC walks trees of fib6_tables to remove expired routes. Walking a tree
can be expensive if the number of routes in a table is big, even if most of
them are permanent. Checking routes in a separated list of routes having
expiration will avoid this potential issue.
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: f72514b3c569 ("ipv6: clear RA flags when adding a static route")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/ip6_fib.h | 46 ++++++++++++++++++++++++++++++++-
net/ipv6/addrconf.c | 41 ++++++++++++++++++++++++-----
net/ipv6/ip6_fib.c | 60 +++++++++++++++++++++++++++++++++++++++----
net/ipv6/ndisc.c | 10 +++++++-
net/ipv6/route.c | 13 ++++++++--
5 files changed, 154 insertions(+), 16 deletions(-)
diff --git a/include/net/ip6_fib.h b/include/net/ip6_fib.h
index 1121d614942c8..f4c5b705418c0 100644
--- a/include/net/ip6_fib.h
+++ b/include/net/ip6_fib.h
@@ -179,6 +179,9 @@ struct fib6_info {
refcount_t fib6_ref;
unsigned long expires;
+
+ struct hlist_node gc_link;
+
struct dst_metrics *fib6_metrics;
#define fib6_pmtu fib6_metrics->metrics[RTAX_MTU-1]
@@ -249,12 +252,18 @@ static inline bool fib6_requires_src(const struct fib6_info *rt)
return rt->fib6_src.plen > 0;
}
+/* The callers should hold f6i->fib6_table->tb6_lock if a route has ever
+ * been added to a table before.
+ */
static inline void fib6_clean_expires(struct fib6_info *f6i)
{
f6i->fib6_flags &= ~RTF_EXPIRES;
f6i->expires = 0;
}
+/* The callers should hold f6i->fib6_table->tb6_lock if a route has ever
+ * been added to a table before.
+ */
static inline void fib6_set_expires(struct fib6_info *f6i,
unsigned long expires)
{
@@ -335,8 +344,10 @@ static inline bool fib6_info_hold_safe(struct fib6_info *f6i)
static inline void fib6_info_release(struct fib6_info *f6i)
{
- if (f6i && refcount_dec_and_test(&f6i->fib6_ref))
+ if (f6i && refcount_dec_and_test(&f6i->fib6_ref)) {
+ DEBUG_NET_WARN_ON_ONCE(!hlist_unhashed(&f6i->gc_link));
call_rcu(&f6i->rcu, fib6_info_destroy_rcu);
+ }
}
enum fib6_walk_state {
@@ -390,6 +401,7 @@ struct fib6_table {
struct inet_peer_base tb6_peers;
unsigned int flags;
unsigned int fib_seq;
+ struct hlist_head tb6_gc_hlist; /* GC candidates */
#define RT6_TABLE_HAS_DFLT_ROUTER BIT(0)
};
@@ -506,6 +518,38 @@ void fib6_gc_cleanup(void);
int fib6_init(void);
+/* Add the route to the gc list if it is not already there
+ *
+ * The callers should hold f6i->fib6_table->tb6_lock.
+ */
+static inline void fib6_add_gc_list(struct fib6_info *f6i)
+{
+ /* If fib6_node is null, the f6i is not in (or removed from) the
+ * table.
+ *
+ * There is a gap between finding the f6i from the table and
+ * calling this function without the protection of the tb6_lock.
+ * This check makes sure the f6i is not added to the gc list when
+ * it is not on the table.
+ */
+ if (!rcu_dereference_protected(f6i->fib6_node,
+ lockdep_is_held(&f6i->fib6_table->tb6_lock)))
+ return;
+
+ if (hlist_unhashed(&f6i->gc_link))
+ hlist_add_head(&f6i->gc_link, &f6i->fib6_table->tb6_gc_hlist);
+}
+
+/* Remove the route from the gc list if it is on the list.
+ *
+ * The callers should hold f6i->fib6_table->tb6_lock.
+ */
+static inline void fib6_remove_gc_list(struct fib6_info *f6i)
+{
+ if (!hlist_unhashed(&f6i->gc_link))
+ hlist_del_init(&f6i->gc_link);
+}
+
struct ipv6_route_iter {
struct seq_net_private p;
struct fib6_walker w;
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 0e49ee83533b5..b606d77fe7fce 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1268,6 +1268,7 @@ static void
cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires,
bool del_rt, bool del_peer)
{
+ struct fib6_table *table;
struct fib6_info *f6i;
f6i = addrconf_get_prefix_route(del_peer ? &ifp->peer_addr : &ifp->addr,
@@ -1277,8 +1278,15 @@ cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long expires,
if (del_rt)
ip6_del_rt(dev_net(ifp->idev->dev), f6i, false);
else {
- if (!(f6i->fib6_flags & RTF_EXPIRES))
+ if (!(f6i->fib6_flags & RTF_EXPIRES)) {
+ table = f6i->fib6_table;
+ spin_lock_bh(&table->tb6_lock);
+
fib6_set_expires(f6i, expires);
+ fib6_add_gc_list(f6i);
+
+ spin_unlock_bh(&table->tb6_lock);
+ }
fib6_info_release(f6i);
}
}
@@ -2736,6 +2744,7 @@ EXPORT_SYMBOL_GPL(addrconf_prefix_rcv_add_addr);
void addrconf_prefix_rcv(struct net_device *dev, u8 *opt, int len, bool sllao)
{
struct prefix_info *pinfo;
+ struct fib6_table *table;
__u32 valid_lft;
__u32 prefered_lft;
int addr_type, err;
@@ -2812,11 +2821,20 @@ void addrconf_prefix_rcv(struct net_device *dev, u8 *opt, int len, bool sllao)
if (valid_lft == 0) {
ip6_del_rt(net, rt, false);
rt = NULL;
- } else if (addrconf_finite_timeout(rt_expires)) {
- /* not infinity */
- fib6_set_expires(rt, jiffies + rt_expires);
} else {
- fib6_clean_expires(rt);
+ table = rt->fib6_table;
+ spin_lock_bh(&table->tb6_lock);
+
+ if (addrconf_finite_timeout(rt_expires)) {
+ /* not infinity */
+ fib6_set_expires(rt, jiffies + rt_expires);
+ fib6_add_gc_list(rt);
+ } else {
+ fib6_clean_expires(rt);
+ fib6_remove_gc_list(rt);
+ }
+
+ spin_unlock_bh(&table->tb6_lock);
}
} else if (valid_lft) {
clock_t expires = 0;
@@ -4770,6 +4788,7 @@ static int modify_prefix_route(struct inet6_ifaddr *ifp,
unsigned long expires, u32 flags,
bool modify_peer)
{
+ struct fib6_table *table;
struct fib6_info *f6i;
u32 prio;
@@ -4790,10 +4809,18 @@ static int modify_prefix_route(struct inet6_ifaddr *ifp,
ifp->rt_priority, ifp->idev->dev,
expires, flags, GFP_KERNEL);
} else {
- if (!expires)
+ table = f6i->fib6_table;
+ spin_lock_bh(&table->tb6_lock);
+
+ if (!expires) {
fib6_clean_expires(f6i);
- else
+ fib6_remove_gc_list(f6i);
+ } else {
fib6_set_expires(f6i, expires);
+ fib6_add_gc_list(f6i);
+ }
+
+ spin_unlock_bh(&table->tb6_lock);
fib6_info_release(f6i);
}
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index c44136cbbaa1f..ab84e2dd682f8 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -160,6 +160,8 @@ struct fib6_info *fib6_info_alloc(gfp_t gfp_flags, bool with_fib6_nh)
INIT_LIST_HEAD(&f6i->fib6_siblings);
refcount_set(&f6i->fib6_ref, 1);
+ INIT_HLIST_NODE(&f6i->gc_link);
+
return f6i;
}
@@ -246,6 +248,7 @@ static struct fib6_table *fib6_alloc_table(struct net *net, u32 id)
net->ipv6.fib6_null_entry);
table->tb6_root.fn_flags = RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO;
inet_peer_base_init(&table->tb6_peers);
+ INIT_HLIST_HEAD(&table->tb6_gc_hlist);
}
return table;
@@ -1063,6 +1066,9 @@ static void fib6_purge_rt(struct fib6_info *rt, struct fib6_node *fn,
lockdep_is_held(&table->tb6_lock));
}
}
+
+ fib6_clean_expires(rt);
+ fib6_remove_gc_list(rt);
}
/*
@@ -1123,10 +1129,13 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
WRITE_ONCE(rt->fib6_nsiblings, 0);
if (!(iter->fib6_flags & RTF_EXPIRES))
return -EEXIST;
- if (!(rt->fib6_flags & RTF_EXPIRES))
+ if (!(rt->fib6_flags & RTF_EXPIRES)) {
fib6_clean_expires(iter);
- else
+ fib6_remove_gc_list(iter);
+ } else {
fib6_set_expires(iter, rt->expires);
+ fib6_add_gc_list(iter);
+ }
if (rt->fib6_pmtu)
fib6_metric_set(iter, RTAX_MTU,
@@ -1491,6 +1500,10 @@ int fib6_add(struct fib6_node *root, struct fib6_info *rt,
if (rt->nh)
list_add(&rt->nh_list, &rt->nh->f6i_list);
__fib6_update_sernum_upto_root(rt, fib6_new_sernum(info->nl_net));
+
+ if (rt->fib6_flags & RTF_EXPIRES)
+ fib6_add_gc_list(rt);
+
fib6_start_gc(info->nl_net, rt);
}
@@ -2294,9 +2307,8 @@ static void fib6_flush_trees(struct net *net)
* Garbage collection
*/
-static int fib6_age(struct fib6_info *rt, void *arg)
+static int fib6_age(struct fib6_info *rt, struct fib6_gc_args *gc_args)
{
- struct fib6_gc_args *gc_args = arg;
unsigned long now = jiffies;
/*
@@ -2321,6 +2333,42 @@ static int fib6_age(struct fib6_info *rt, void *arg)
return 0;
}
+static void fib6_gc_table(struct net *net,
+ struct fib6_table *tb6,
+ struct fib6_gc_args *gc_args)
+{
+ struct fib6_info *rt;
+ struct hlist_node *n;
+ struct nl_info info = {
+ .nl_net = net,
+ .skip_notify = false,
+ };
+
+ hlist_for_each_entry_safe(rt, n, &tb6->tb6_gc_hlist, gc_link)
+ if (fib6_age(rt, gc_args) == -1)
+ fib6_del(rt, &info);
+}
+
+static void fib6_gc_all(struct net *net, struct fib6_gc_args *gc_args)
+{
+ struct fib6_table *table;
+ struct hlist_head *head;
+ unsigned int h;
+
+ rcu_read_lock();
+ for (h = 0; h < FIB6_TABLE_HASHSZ; h++) {
+ head = &net->ipv6.fib_table_hash[h];
+ hlist_for_each_entry_rcu(table, head, tb6_hlist) {
+ spin_lock_bh(&table->tb6_lock);
+
+ fib6_gc_table(net, table, gc_args);
+
+ spin_unlock_bh(&table->tb6_lock);
+ }
+ }
+ rcu_read_unlock();
+}
+
void fib6_run_gc(unsigned long expires, struct net *net, bool force)
{
struct fib6_gc_args gc_args;
@@ -2336,7 +2384,7 @@ void fib6_run_gc(unsigned long expires, struct net *net, bool force)
net->ipv6.sysctl.ip6_rt_gc_interval;
gc_args.more = 0;
- fib6_clean_all(net, fib6_age, &gc_args);
+ fib6_gc_all(net, &gc_args);
now = jiffies;
net->ipv6.ip6_rt_last_gc = now;
@@ -2396,6 +2444,7 @@ static int __net_init fib6_net_init(struct net *net)
net->ipv6.fib6_main_tbl->tb6_root.fn_flags =
RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO;
inet_peer_base_init(&net->ipv6.fib6_main_tbl->tb6_peers);
+ INIT_HLIST_HEAD(&net->ipv6.fib6_main_tbl->tb6_gc_hlist);
#ifdef CONFIG_IPV6_MULTIPLE_TABLES
net->ipv6.fib6_local_tbl = kzalloc(sizeof(*net->ipv6.fib6_local_tbl),
@@ -2408,6 +2457,7 @@ static int __net_init fib6_net_init(struct net *net)
net->ipv6.fib6_local_tbl->tb6_root.fn_flags =
RTN_ROOT | RTN_TL_ROOT | RTN_RTINFO;
inet_peer_base_init(&net->ipv6.fib6_local_tbl->tb6_peers);
+ INIT_HLIST_HEAD(&net->ipv6.fib6_local_tbl->tb6_gc_hlist);
#endif
fib6_tables_init(net);
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 8d853971f2f68..d8e5e2833eded 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1241,6 +1241,7 @@ static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
struct ndisc_options ndopts;
struct fib6_info *rt = NULL;
struct inet6_dev *in6_dev;
+ struct fib6_table *table;
u32 defrtr_usr_metric;
unsigned int pref = 0;
__u32 old_if_flags;
@@ -1413,8 +1414,15 @@ static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
inet6_rt_notify(RTM_NEWROUTE, rt, &nlinfo, NLM_F_REPLACE);
}
- if (rt)
+ if (rt) {
+ table = rt->fib6_table;
+ spin_lock_bh(&table->tb6_lock);
+
fib6_set_expires(rt, jiffies + (HZ * lifetime));
+ fib6_add_gc_list(rt);
+
+ spin_unlock_bh(&table->tb6_lock);
+ }
if (in6_dev->cnf.accept_ra_min_hop_limit < 256 &&
ra_msg->icmph.icmp6_hop_limit) {
if (in6_dev->cnf.accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit) {
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index eb9e505f71f97..929f92b555113 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -971,6 +971,7 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len,
struct net *net = dev_net(dev);
struct route_info *rinfo = (struct route_info *) opt;
struct in6_addr prefix_buf, *prefix;
+ struct fib6_table *table;
unsigned int pref;
unsigned long lifetime;
struct fib6_info *rt;
@@ -1029,10 +1030,18 @@ int rt6_route_rcv(struct net_device *dev, u8 *opt, int len,
(rt->fib6_flags & ~RTF_PREF_MASK) | RTF_PREF(pref);
if (rt) {
- if (!addrconf_finite_timeout(lifetime))
+ table = rt->fib6_table;
+ spin_lock_bh(&table->tb6_lock);
+
+ if (!addrconf_finite_timeout(lifetime)) {
fib6_clean_expires(rt);
- else
+ fib6_remove_gc_list(rt);
+ } else {
fib6_set_expires(rt, jiffies + HZ * lifetime);
+ fib6_add_gc_list(rt);
+ }
+
+ spin_unlock_bh(&table->tb6_lock);
fib6_info_release(rt);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 175/737] ipv6: clear RA flags when adding a static route
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 174/737] net/ipv6: Remove expired routes with a separated list of routes Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Greg Kroah-Hartman
` (572 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Garri Djavadyan,
Fernando Fernandez Mancera, David Ahern, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit f72514b3c5698e4b900b25345e09f9ed33123de6 ]
When an IPv6 Router Advertisement (RA) is received for a prefix, the
kernel creates the corresponding on-link route with flags RTF_ADDRCONF
and RTF_PREFIX_RT configured and RTF_EXPIRES if lifetime is set.
If later a user configures a static IPv6 address on the same prefix the
kernel clears the RTF_EXPIRES flag but it doesn't clear the RTF_ADDRCONF
and RTF_PREFIX_RT. When the next RA for that prefix is received, the
kernel sees the route as RA-learned and wrongly configures back the
lifetime. This is problematic because if the route expires, the static
address won't have the corresponding on-link route.
This fix clears the RTF_ADDRCONF and RTF_PREFIX_RT flags preventing that
the lifetime is configured when the next RA arrives. If the static
address is deleted, the route becomes RA-learned again.
Fixes: 14ef37b6d00e ("ipv6: fix route lookup in addrconf_prefix_rcv()")
Reported-by: Garri Djavadyan <g.djavadyan@gmail.com>
Closes: https://lore.kernel.org/netdev/ba807d39aca5b4dcf395cc11dca61a130a52cfd3.camel@gmail.com/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20251115095939.6967-1-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_fib.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index ab84e2dd682f8..646ff1276aff2 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -1136,6 +1136,10 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
fib6_set_expires(iter, rt->expires);
fib6_add_gc_list(iter);
}
+ if (!(rt->fib6_flags & (RTF_ADDRCONF | RTF_PREFIX_RT))) {
+ iter->fib6_flags &= ~RTF_ADDRCONF;
+ iter->fib6_flags &= ~RTF_PREFIX_RT;
+ }
if (rt->fib6_pmtu)
fib6_metric_set(iter, RTAX_MTU,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 176/737] perf arm-spe: Extend branch operations
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 175/737] ipv6: clear RA flags when adding a static route Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 177/737] perf arm_spe: Fix memset subclass in operation Greg Kroah-Hartman
` (571 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ian Rogers, James Clark, Leo Yan,
Namhyung Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 64d86c03e1441742216b6332bdfabfb6ede31662 ]
In Arm ARM (ARM DDI 0487, L.a), the section "D18.2.7 Operation Type
packet", the branch subclass is extended for Call Return (CR), Guarded
control stack data access (GCS).
This commit adds support CR and GCS operations. The IND (indirect)
operation is defined only in bit [1], its macro is updated accordingly.
Move the COND (Conditional) macro into the same group with other
operations for better maintenance.
Reviewed-by: Ian Rogers <irogers@google.com>
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Link: https://lore.kernel.org/r/20250304111240.3378214-8-leo.yan@arm.com
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Stable-dep-of: 33e1fffea492 ("perf arm_spe: Fix memset subclass in operation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c | 12 +++++++++---
.../perf/util/arm-spe-decoder/arm-spe-pkt-decoder.h | 11 ++++++++---
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
index a454c6737563d..7b45fcf2454be 100644
--- a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
+++ b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
@@ -410,10 +410,16 @@ static int arm_spe_pkt_desc_op_type(const struct arm_spe_pkt *packet,
if (payload & SPE_OP_PKT_COND)
arm_spe_pkt_out_string(&err, &buf, &buf_len, " COND");
-
- if (SPE_OP_PKT_IS_INDIRECT_BRANCH(payload))
+ if (payload & SPE_OP_PKT_INDIRECT_BRANCH)
arm_spe_pkt_out_string(&err, &buf, &buf_len, " IND");
-
+ if (payload & SPE_OP_PKT_GCS)
+ arm_spe_pkt_out_string(&err, &buf, &buf_len, " GCS");
+ if (SPE_OP_PKT_CR_BL(payload))
+ arm_spe_pkt_out_string(&err, &buf, &buf_len, " CR-BL");
+ if (SPE_OP_PKT_CR_RET(payload))
+ arm_spe_pkt_out_string(&err, &buf, &buf_len, " CR-RET");
+ if (SPE_OP_PKT_CR_NON_BL_RET(payload))
+ arm_spe_pkt_out_string(&err, &buf, &buf_len, " CR-NON-BL-RET");
break;
default:
/* Unknown index */
diff --git a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.h b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.h
index 464a912b221cd..32d760ede7013 100644
--- a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.h
+++ b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.h
@@ -7,6 +7,7 @@
#ifndef INCLUDE__ARM_SPE_PKT_DECODER_H__
#define INCLUDE__ARM_SPE_PKT_DECODER_H__
+#include <linux/bitfield.h>
#include <stddef.h>
#include <stdint.h>
@@ -116,8 +117,6 @@ enum arm_spe_events {
#define SPE_OP_PKT_IS_OTHER_SVE_OP(v) (((v) & (BIT(7) | BIT(3) | BIT(0))) == 0x8)
-#define SPE_OP_PKT_COND BIT(0)
-
#define SPE_OP_PKT_LDST_SUBCLASS_GET(v) ((v) & GENMASK_ULL(7, 1))
#define SPE_OP_PKT_LDST_SUBCLASS_GP_REG 0x0
#define SPE_OP_PKT_LDST_SUBCLASS_SIMD_FP 0x4
@@ -148,7 +147,13 @@ enum arm_spe_events {
#define SPE_OP_PKT_SVE_PRED BIT(2)
#define SPE_OP_PKT_SVE_FP BIT(1)
-#define SPE_OP_PKT_IS_INDIRECT_BRANCH(v) (((v) & GENMASK_ULL(7, 1)) == 0x2)
+#define SPE_OP_PKT_CR_MASK GENMASK_ULL(4, 3)
+#define SPE_OP_PKT_CR_BL(v) (FIELD_GET(SPE_OP_PKT_CR_MASK, (v)) == 1)
+#define SPE_OP_PKT_CR_RET(v) (FIELD_GET(SPE_OP_PKT_CR_MASK, (v)) == 2)
+#define SPE_OP_PKT_CR_NON_BL_RET(v) (FIELD_GET(SPE_OP_PKT_CR_MASK, (v)) == 3)
+#define SPE_OP_PKT_GCS BIT(2)
+#define SPE_OP_PKT_INDIRECT_BRANCH BIT(1)
+#define SPE_OP_PKT_COND BIT(0)
const char *arm_spe_pkt_name(enum arm_spe_pkt_type);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 177/737] perf arm_spe: Fix memset subclass in operation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-27 18:38 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Hamza Mahfooz
2026-01-09 11:35 ` [PATCH 6.6 178/737] pwm: bcm2835: Make sure the channel is enabled after pwm_request() Greg Kroah-Hartman
` (570 subsequent siblings)
747 siblings, 1 reply; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers, James Clark,
Namhyung Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 33e1fffea492b7158a168914dc0da6aedf78d08e ]
The operation subclass is extracted from bits [7..1] of the payload.
Since bit [0] is not parsed, there is no chance to match the memset type
(0x25). As a result, the memset payload is never parsed successfully.
Instead of extracting a unified bit field, change to extract the
specific bits for each operation subclass.
Fixes: 34fb60400e32 ("perf arm-spe: Add raw decoding for SPEv1.3 MTE and MOPS load/store")
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../arm-spe-decoder/arm-spe-pkt-decoder.c | 25 ++++++-------------
.../arm-spe-decoder/arm-spe-pkt-decoder.h | 15 ++++++-----
2 files changed, 14 insertions(+), 26 deletions(-)
diff --git a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
index 7b45fcf2454be..573e7447fb422 100644
--- a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
+++ b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.c
@@ -368,31 +368,20 @@ static int arm_spe_pkt_desc_op_type(const struct arm_spe_pkt *packet,
arm_spe_pkt_out_string(&err, &buf, &buf_len, " AR");
}
- switch (SPE_OP_PKT_LDST_SUBCLASS_GET(payload)) {
- case SPE_OP_PKT_LDST_SUBCLASS_SIMD_FP:
+ if (SPE_OP_PKT_LDST_SUBCLASS_SIMD_FP(payload))
arm_spe_pkt_out_string(&err, &buf, &buf_len, " SIMD-FP");
- break;
- case SPE_OP_PKT_LDST_SUBCLASS_GP_REG:
+ else if (SPE_OP_PKT_LDST_SUBCLASS_GP_REG(payload))
arm_spe_pkt_out_string(&err, &buf, &buf_len, " GP-REG");
- break;
- case SPE_OP_PKT_LDST_SUBCLASS_UNSPEC_REG:
+ else if (SPE_OP_PKT_LDST_SUBCLASS_UNSPEC_REG(payload))
arm_spe_pkt_out_string(&err, &buf, &buf_len, " UNSPEC-REG");
- break;
- case SPE_OP_PKT_LDST_SUBCLASS_NV_SYSREG:
+ else if (SPE_OP_PKT_LDST_SUBCLASS_NV_SYSREG(payload))
arm_spe_pkt_out_string(&err, &buf, &buf_len, " NV-SYSREG");
- break;
- case SPE_OP_PKT_LDST_SUBCLASS_MTE_TAG:
+ else if (SPE_OP_PKT_LDST_SUBCLASS_MTE_TAG(payload))
arm_spe_pkt_out_string(&err, &buf, &buf_len, " MTE-TAG");
- break;
- case SPE_OP_PKT_LDST_SUBCLASS_MEMCPY:
+ else if (SPE_OP_PKT_LDST_SUBCLASS_MEMCPY(payload))
arm_spe_pkt_out_string(&err, &buf, &buf_len, " MEMCPY");
- break;
- case SPE_OP_PKT_LDST_SUBCLASS_MEMSET:
+ else if (SPE_OP_PKT_LDST_SUBCLASS_MEMSET(payload))
arm_spe_pkt_out_string(&err, &buf, &buf_len, " MEMSET");
- break;
- default:
- break;
- }
if (SPE_OP_PKT_IS_LDST_SVE(payload)) {
/* SVE effective vector length */
diff --git a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.h b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.h
index 32d760ede7013..0d947df9dd6ec 100644
--- a/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.h
+++ b/tools/perf/util/arm-spe-decoder/arm-spe-pkt-decoder.h
@@ -117,14 +117,13 @@ enum arm_spe_events {
#define SPE_OP_PKT_IS_OTHER_SVE_OP(v) (((v) & (BIT(7) | BIT(3) | BIT(0))) == 0x8)
-#define SPE_OP_PKT_LDST_SUBCLASS_GET(v) ((v) & GENMASK_ULL(7, 1))
-#define SPE_OP_PKT_LDST_SUBCLASS_GP_REG 0x0
-#define SPE_OP_PKT_LDST_SUBCLASS_SIMD_FP 0x4
-#define SPE_OP_PKT_LDST_SUBCLASS_UNSPEC_REG 0x10
-#define SPE_OP_PKT_LDST_SUBCLASS_NV_SYSREG 0x30
-#define SPE_OP_PKT_LDST_SUBCLASS_MTE_TAG 0x14
-#define SPE_OP_PKT_LDST_SUBCLASS_MEMCPY 0x20
-#define SPE_OP_PKT_LDST_SUBCLASS_MEMSET 0x25
+#define SPE_OP_PKT_LDST_SUBCLASS_GP_REG(v) (((v) & GENMASK_ULL(7, 1)) == 0x0)
+#define SPE_OP_PKT_LDST_SUBCLASS_SIMD_FP(v) (((v) & GENMASK_ULL(7, 1)) == 0x4)
+#define SPE_OP_PKT_LDST_SUBCLASS_UNSPEC_REG(v) (((v) & GENMASK_ULL(7, 1)) == 0x10)
+#define SPE_OP_PKT_LDST_SUBCLASS_NV_SYSREG(v) (((v) & GENMASK_ULL(7, 1)) == 0x30)
+#define SPE_OP_PKT_LDST_SUBCLASS_MTE_TAG(v) (((v) & GENMASK_ULL(7, 1)) == 0x14)
+#define SPE_OP_PKT_LDST_SUBCLASS_MEMCPY(v) (((v) & GENMASK_ULL(7, 1)) == 0x20)
+#define SPE_OP_PKT_LDST_SUBCLASS_MEMSET(v) (((v) & GENMASK_ULL(7, 0)) == 0x25)
#define SPE_OP_PKT_IS_LDST_ATOMIC(v) (((v) & (GENMASK_ULL(7, 5) | BIT(1))) == 0x2)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 178/737] pwm: bcm2835: Make sure the channel is enabled after pwm_request()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 177/737] perf arm_spe: Fix memset subclass in operation Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 179/737] scsi: qla2xxx: Fix improper freeing of purex item Greg Kroah-Hartman
` (569 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Florian Fainelli, Uwe Kleine-König, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit cda323dbda76600bf9761970d58517648f0de67d ]
The .free callback cleared among others the enable bit PWENx in the
control register. When the PWM is requested later again this bit isn't
restored but the core assumes the PWM is enabled and thus skips a
request to configure the same state as before.
To fix that don't touch the hardware configuration in .free(). For
symmetry also drop .request() and configure the mode completely in
.apply().
Fixes: e5a06dc5ac1f ("pwm: Add BCM2835 PWM driver")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20251118174303.1761577-2-u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-bcm2835.c | 28 +++-------------------------
1 file changed, 3 insertions(+), 25 deletions(-)
diff --git a/drivers/pwm/pwm-bcm2835.c b/drivers/pwm/pwm-bcm2835.c
index bdfc2a5ec0d69..5a51ba9b26d92 100644
--- a/drivers/pwm/pwm-bcm2835.c
+++ b/drivers/pwm/pwm-bcm2835.c
@@ -35,29 +35,6 @@ static inline struct bcm2835_pwm *to_bcm2835_pwm(struct pwm_chip *chip)
return container_of(chip, struct bcm2835_pwm, chip);
}
-static int bcm2835_pwm_request(struct pwm_chip *chip, struct pwm_device *pwm)
-{
- struct bcm2835_pwm *pc = to_bcm2835_pwm(chip);
- u32 value;
-
- value = readl(pc->base + PWM_CONTROL);
- value &= ~(PWM_CONTROL_MASK << PWM_CONTROL_SHIFT(pwm->hwpwm));
- value |= (PWM_MODE << PWM_CONTROL_SHIFT(pwm->hwpwm));
- writel(value, pc->base + PWM_CONTROL);
-
- return 0;
-}
-
-static void bcm2835_pwm_free(struct pwm_chip *chip, struct pwm_device *pwm)
-{
- struct bcm2835_pwm *pc = to_bcm2835_pwm(chip);
- u32 value;
-
- value = readl(pc->base + PWM_CONTROL);
- value &= ~(PWM_CONTROL_MASK << PWM_CONTROL_SHIFT(pwm->hwpwm));
- writel(value, pc->base + PWM_CONTROL);
-}
-
static int bcm2835_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
const struct pwm_state *state)
{
@@ -109,6 +86,9 @@ static int bcm2835_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
/* set polarity */
val = readl(pc->base + PWM_CONTROL);
+ val &= ~(PWM_CONTROL_MASK << PWM_CONTROL_SHIFT(pwm->hwpwm));
+ val |= PWM_MODE << PWM_CONTROL_SHIFT(pwm->hwpwm);
+
if (state->polarity == PWM_POLARITY_NORMAL)
val &= ~(PWM_POLARITY << PWM_CONTROL_SHIFT(pwm->hwpwm));
else
@@ -126,8 +106,6 @@ static int bcm2835_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
}
static const struct pwm_ops bcm2835_pwm_ops = {
- .request = bcm2835_pwm_request,
- .free = bcm2835_pwm_free,
.apply = bcm2835_pwm_apply,
.owner = THIS_MODULE,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 179/737] scsi: qla2xxx: Fix improper freeing of purex item
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 178/737] pwm: bcm2835: Make sure the channel is enabled after pwm_request() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 180/737] wifi: mac80211: remove RX_DROP_UNUSABLE Greg Kroah-Hartman
` (568 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Himanshu Madhani,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 78b1a242fe612a755f2158fd206ee6bb577d18ca ]
In qla2xxx_process_purls_iocb(), an item is allocated via
qla27xx_copy_multiple_pkt(), which internally calls
qla24xx_alloc_purex_item().
The qla24xx_alloc_purex_item() function may return a pre-allocated item
from a per-adapter pool for small allocations, instead of dynamically
allocating memory with kzalloc().
An error handling path in qla2xxx_process_purls_iocb() incorrectly uses
kfree() to release the item. If the item was from the pre-allocated
pool, calling kfree() on it is a bug that can lead to memory corruption.
Fix this by using the correct deallocation function,
qla24xx_free_purex_item(), which properly handles both dynamically
allocated and pre-allocated items.
Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Himanshu Madhani <hmadhani2024@gmail.com>
Link: https://patch.msgid.link/20251113151246.762510-1-zilin@seu.edu.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_nvme.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/qla2xxx/qla_nvme.c b/drivers/scsi/qla2xxx/qla_nvme.c
index 080670cb2aa51..38cb3281c6350 100644
--- a/drivers/scsi/qla2xxx/qla_nvme.c
+++ b/drivers/scsi/qla2xxx/qla_nvme.c
@@ -1293,7 +1293,7 @@ void qla2xxx_process_purls_iocb(void **pkt, struct rsp_que **rsp)
a.reason = FCNVME_RJT_RC_LOGIC;
a.explanation = FCNVME_RJT_EXP_NONE;
xmt_reject = true;
- kfree(item);
+ qla24xx_free_purex_item(item);
goto out;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 180/737] wifi: mac80211: remove RX_DROP_UNUSABLE
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 179/737] scsi: qla2xxx: Fix improper freeing of purex item Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 181/737] wifi: mac80211: fix CMAC functions not handling errors Greg Kroah-Hartman
` (567 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit dccc9aa7ee84a9bed7a4840608829eba66f84cb9 ]
Convert all instances of RX_DROP_UNUSABLE to indicate a
better reason, and then remove RX_DROP_UNUSABLE.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Stable-dep-of: 353cda30d30e ("wifi: mac80211: fix CMAC functions not handling errors")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/drop.h | 33 +++++++++++++++++++++++++++-
net/mac80211/rx.c | 52 ++++++++++++++++++++++-----------------------
net/mac80211/wep.c | 9 ++++----
net/mac80211/wpa.c | 42 ++++++++++++++++++------------------
4 files changed, 84 insertions(+), 52 deletions(-)
diff --git a/net/mac80211/drop.h b/net/mac80211/drop.h
index 1570fac8411f4..725a07a5b6145 100644
--- a/net/mac80211/drop.h
+++ b/net/mac80211/drop.h
@@ -21,6 +21,38 @@ typedef unsigned int __bitwise ieee80211_rx_result;
R(RX_DROP_U_MIC_FAIL) \
R(RX_DROP_U_REPLAY) \
R(RX_DROP_U_BAD_MMIE) \
+ R(RX_DROP_U_DUP) \
+ R(RX_DROP_U_SPURIOUS) \
+ R(RX_DROP_U_DECRYPT_FAIL) \
+ R(RX_DROP_U_NO_KEY_ID) \
+ R(RX_DROP_U_BAD_CIPHER) \
+ R(RX_DROP_U_OOM) \
+ R(RX_DROP_U_NONSEQ_PN) \
+ R(RX_DROP_U_BAD_KEY_COLOR) \
+ R(RX_DROP_U_BAD_4ADDR) \
+ R(RX_DROP_U_BAD_AMSDU) \
+ R(RX_DROP_U_BAD_AMSDU_CIPHER) \
+ R(RX_DROP_U_INVALID_8023) \
+ R(RX_DROP_U_RUNT_ACTION) \
+ R(RX_DROP_U_UNPROT_ACTION) \
+ R(RX_DROP_U_ACTION_UNKNOWN_SRC) \
+ R(RX_DROP_U_REJECTED_ACTION_RESPONSE) \
+ R(RX_DROP_U_EXPECT_DEFRAG_PROT) \
+ R(RX_DROP_U_WEP_DEC_FAIL) \
+ R(RX_DROP_U_NO_IV) \
+ R(RX_DROP_U_NO_ICV) \
+ R(RX_DROP_U_AP_RX_GROUPCAST) \
+ R(RX_DROP_U_SHORT_MMIC) \
+ R(RX_DROP_U_MMIC_FAIL) \
+ R(RX_DROP_U_SHORT_TKIP) \
+ R(RX_DROP_U_TKIP_FAIL) \
+ R(RX_DROP_U_SHORT_CCMP) \
+ R(RX_DROP_U_SHORT_CCMP_MIC) \
+ R(RX_DROP_U_SHORT_GCMP) \
+ R(RX_DROP_U_SHORT_GCMP_MIC) \
+ R(RX_DROP_U_SHORT_CMAC) \
+ R(RX_DROP_U_SHORT_CMAC256) \
+ R(RX_DROP_U_SHORT_GMAC) \
/* this line for the trailing \ - add before this */
/* having two enums allows for checking ieee80211_rx_result use with sparse */
@@ -46,7 +78,6 @@ enum mac80211_drop_reason {
RX_CONTINUE = (__force ieee80211_rx_result)___RX_CONTINUE,
RX_QUEUED = (__force ieee80211_rx_result)___RX_QUEUED,
RX_DROP_MONITOR = (__force ieee80211_rx_result)___RX_DROP_MONITOR,
- RX_DROP_UNUSABLE = (__force ieee80211_rx_result)___RX_DROP_UNUSABLE,
#define DEF(x) x = (__force ieee80211_rx_result)___ ## x,
MAC80211_DROP_REASONS_MONITOR(DEF)
MAC80211_DROP_REASONS_UNUSABLE(DEF)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index e6a0a65d4d43a..d27303b9f3a9b 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1436,7 +1436,7 @@ ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
rx->sta->last_seq_ctrl[rx->seqno_idx] == hdr->seq_ctrl)) {
I802_DEBUG_INC(rx->local->dot11FrameDuplicateCount);
rx->link_sta->rx_stats.num_duplicates++;
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_DUP;
} else if (!(status->flag & RX_FLAG_AMSDU_MORE)) {
rx->sta->last_seq_ctrl[rx->seqno_idx] = hdr->seq_ctrl;
}
@@ -1490,7 +1490,7 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
cfg80211_rx_spurious_frame(rx->sdata->dev,
hdr->addr2,
GFP_ATOMIC))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SPURIOUS;
return RX_DROP_MONITOR;
}
@@ -1883,7 +1883,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
int keyidx;
- ieee80211_rx_result result = RX_DROP_UNUSABLE;
+ ieee80211_rx_result result = RX_DROP_U_DECRYPT_FAIL;
struct ieee80211_key *sta_ptk = NULL;
struct ieee80211_key *ptk_idx = NULL;
int mmie_keyidx = -1;
@@ -1933,7 +1933,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
keyid = ieee80211_get_keyid(rx->skb);
if (unlikely(keyid < 0))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_NO_KEY_ID;
ptk_idx = rcu_dereference(rx->sta->ptk[keyid]);
}
@@ -2038,7 +2038,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
keyidx = ieee80211_get_keyid(rx->skb);
if (unlikely(keyidx < 0))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_NO_KEY_ID;
/* check per-station GTK first, if multicast packet */
if (is_multicast_ether_addr(hdr->addr1) && rx->link_sta)
@@ -2104,7 +2104,7 @@ ieee80211_rx_h_decrypt(struct ieee80211_rx_data *rx)
result = ieee80211_crypto_gcmp_decrypt(rx);
break;
default:
- result = RX_DROP_UNUSABLE;
+ result = RX_DROP_U_BAD_CIPHER;
}
/* the hdr variable is invalid after the decrypt handlers */
@@ -2249,7 +2249,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
I802_DEBUG_INC(rx->local->rx_handlers_fragments);
if (skb_linearize(rx->skb))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
/*
* skb_linearize() might change the skb->data and
@@ -2312,11 +2312,11 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
if (!requires_sequential_pn(rx, fc))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_NONSEQ_PN;
/* Prevent mixed key and fragment cache attacks */
if (entry->key_color != rx->key->color)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_BAD_KEY_COLOR;
memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
@@ -2327,7 +2327,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
rpn = rx->ccm_gcm.pn;
if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_REPLAY;
memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
} else if (entry->is_protected &&
(!rx->key ||
@@ -2338,11 +2338,11 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
* if for TKIP Michael MIC should protect us, and WEP is a
* lost cause anyway.
*/
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_EXPECT_DEFRAG_PROT;
} else if (entry->is_protected && rx->key &&
entry->key_color != rx->key->color &&
(status->flag & RX_FLAG_DECRYPTED)) {
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_BAD_KEY_COLOR;
}
skb_pull(rx->skb, ieee80211_hdrlen(fc));
@@ -2361,7 +2361,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
GFP_ATOMIC))) {
I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
__skb_queue_purge(&entry->skb_list);
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
}
}
while ((skb = __skb_dequeue(&entry->skb_list))) {
@@ -2910,10 +2910,10 @@ ieee80211_rx_mesh_data(struct ieee80211_sub_if_data *sdata, struct sta_info *sta
skb = NULL;
if (skb_cow_head(fwd_skb, hdrlen - sizeof(struct ethhdr)))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
if (skb_linearize(fwd_skb))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
}
fwd_hdr = skb_push(fwd_skb, hdrlen - sizeof(struct ethhdr));
@@ -3010,7 +3010,7 @@ __ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx, u8 data_offset)
rx->sdata->vif.addr,
rx->sdata->vif.type,
data_offset, true))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_BAD_AMSDU;
if (rx->sta->amsdu_mesh_control < 0) {
s8 valid = -1;
@@ -3085,21 +3085,21 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
switch (rx->sdata->vif.type) {
case NL80211_IFTYPE_AP_VLAN:
if (!rx->sdata->u.vlan.sta)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_BAD_4ADDR;
break;
case NL80211_IFTYPE_STATION:
if (!rx->sdata->u.mgd.use_4addr)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_BAD_4ADDR;
break;
case NL80211_IFTYPE_MESH_POINT:
break;
default:
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_BAD_4ADDR;
}
}
if (is_multicast_ether_addr(hdr->addr1) || !rx->sta)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_BAD_AMSDU;
if (rx->key) {
/*
@@ -3112,7 +3112,7 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
case WLAN_CIPHER_SUITE_WEP40:
case WLAN_CIPHER_SUITE_WEP104:
case WLAN_CIPHER_SUITE_TKIP:
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_BAD_AMSDU_CIPHER;
default:
break;
}
@@ -3154,7 +3154,7 @@ ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
err = __ieee80211_data_to_8023(rx, &port_control);
if (unlikely(err))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_INVALID_8023;
res = ieee80211_rx_mesh_data(rx->sdata, rx->sta, rx->skb);
if (res != RX_CONTINUE)
@@ -3386,7 +3386,7 @@ ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
/* drop too small action frames */
if (ieee80211_is_action(mgmt->frame_control) &&
rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_RUNT_ACTION;
if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
ieee80211_is_beacon(mgmt->frame_control) &&
@@ -3408,7 +3408,7 @@ ieee80211_rx_h_mgmt_check(struct ieee80211_rx_data *rx)
}
if (ieee80211_drop_unencrypted_mgmt(rx))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_UNPROT_ACTION;
return RX_CONTINUE;
}
@@ -3480,7 +3480,7 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
if (!rx->sta && mgmt->u.action.category != WLAN_CATEGORY_PUBLIC &&
mgmt->u.action.category != WLAN_CATEGORY_SELF_PROTECTED &&
mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_ACTION_UNKNOWN_SRC;
switch (mgmt->u.action.category) {
case WLAN_CATEGORY_HT:
@@ -3885,7 +3885,7 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
/* do not return rejected action frames */
if (mgmt->u.action.category & 0x80)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_REJECTED_ACTION_RESPONSE;
nskb = skb_copy_expand(rx->skb, local->hw.extra_tx_headroom, 0,
GFP_ATOMIC);
diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c
index 9a6e11d7b4db6..5c01e121481ab 100644
--- a/net/mac80211/wep.c
+++ b/net/mac80211/wep.c
@@ -3,6 +3,7 @@
* Software WEP encryption implementation
* Copyright 2002, Jouni Malinen <jkmaline@cc.hut.fi>
* Copyright 2003, Instant802 Networks, Inc.
+ * Copyright (C) 2023 Intel Corporation
*/
#include <linux/netdevice.h>
@@ -250,18 +251,18 @@ ieee80211_crypto_wep_decrypt(struct ieee80211_rx_data *rx)
if (!(status->flag & RX_FLAG_DECRYPTED)) {
if (skb_linearize(rx->skb))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
if (ieee80211_wep_decrypt(rx->local, rx->skb, rx->key))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_WEP_DEC_FAIL;
} else if (!(status->flag & RX_FLAG_IV_STRIPPED)) {
if (!pskb_may_pull(rx->skb, ieee80211_hdrlen(fc) +
IEEE80211_WEP_IV_LEN))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_NO_IV;
ieee80211_wep_remove_iv(rx->local, rx->skb, rx->key);
/* remove ICV */
if (!(status->flag & RX_FLAG_ICV_STRIPPED) &&
pskb_trim(rx->skb, rx->skb->len - IEEE80211_WEP_ICV_LEN))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_NO_ICV;
}
return RX_CONTINUE;
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 2d8e38b3bcb50..94dae7cb6dbd3 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -3,7 +3,7 @@
* Copyright 2002-2004, Instant802 Networks, Inc.
* Copyright 2008, Jouni Malinen <j@w1.fi>
* Copyright (C) 2016-2017 Intel Deutschland GmbH
- * Copyright (C) 2020-2022 Intel Corporation
+ * Copyright (C) 2020-2023 Intel Corporation
*/
#include <linux/netdevice.h>
@@ -142,7 +142,7 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
* group keys and only the AP is sending real multicast
* frames in the BSS.
*/
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_AP_RX_GROUPCAST;
}
if (status->flag & RX_FLAG_MMIC_ERROR)
@@ -150,10 +150,10 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
hdrlen = ieee80211_hdrlen(hdr->frame_control);
if (skb->len < hdrlen + MICHAEL_MIC_LEN)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_MMIC;
if (skb_linearize(rx->skb))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
hdr = (void *)skb->data;
data = skb->data + hdrlen;
@@ -188,7 +188,7 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
NL80211_KEYTYPE_PAIRWISE,
rx->key ? rx->key->conf.keyidx : -1,
NULL, GFP_ATOMIC);
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_MMIC_FAIL;
}
static int tkip_encrypt_skb(struct ieee80211_tx_data *tx, struct sk_buff *skb)
@@ -276,11 +276,11 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
return RX_CONTINUE;
if (!rx->sta || skb->len - hdrlen < 12)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_TKIP;
/* it may be possible to optimize this a bit more */
if (skb_linearize(rx->skb))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
hdr = (void *)skb->data;
/*
@@ -298,7 +298,7 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
&rx->tkip.iv32,
&rx->tkip.iv16);
if (res != TKIP_DECRYPT_OK)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_TKIP_FAIL;
/* Trim ICV */
if (!(status->flag & RX_FLAG_ICV_STRIPPED))
@@ -523,12 +523,12 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
if (status->flag & RX_FLAG_DECRYPTED) {
if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_CCMP_HDR_LEN))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_CCMP;
if (status->flag & RX_FLAG_MIC_STRIPPED)
mic_len = 0;
} else {
if (skb_linearize(rx->skb))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
}
/* reload hdr - skb might have been reallocated */
@@ -536,7 +536,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - mic_len;
if (!rx->sta || data_len < 0)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_CCMP;
if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
int res;
@@ -574,7 +574,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx,
/* Remove CCMP header and MIC */
if (pskb_trim(skb, skb->len - mic_len))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_CCMP_MIC;
memmove(skb->data + IEEE80211_CCMP_HDR_LEN, skb->data, hdrlen);
skb_pull(skb, IEEE80211_CCMP_HDR_LEN);
@@ -719,12 +719,12 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
if (status->flag & RX_FLAG_DECRYPTED) {
if (!pskb_may_pull(rx->skb, hdrlen + IEEE80211_GCMP_HDR_LEN))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_GCMP;
if (status->flag & RX_FLAG_MIC_STRIPPED)
mic_len = 0;
} else {
if (skb_linearize(rx->skb))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
}
/* reload hdr - skb might have been reallocated */
@@ -732,7 +732,7 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
data_len = skb->len - hdrlen - IEEE80211_GCMP_HDR_LEN - mic_len;
if (!rx->sta || data_len < 0)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_GCMP;
if (!(status->flag & RX_FLAG_PN_VALIDATED)) {
int res;
@@ -771,7 +771,7 @@ ieee80211_crypto_gcmp_decrypt(struct ieee80211_rx_data *rx)
/* Remove GCMP header and MIC */
if (pskb_trim(skb, skb->len - mic_len))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_GCMP_MIC;
memmove(skb->data + IEEE80211_GCMP_HDR_LEN, skb->data, hdrlen);
skb_pull(skb, IEEE80211_GCMP_HDR_LEN);
@@ -924,7 +924,7 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
/* management frames are already linear */
if (skb->len < 24 + sizeof(*mmie))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_CMAC;
mmie = (struct ieee80211_mmie *)
(skb->data + skb->len - sizeof(*mmie));
@@ -974,13 +974,13 @@ ieee80211_crypto_aes_cmac_256_decrypt(struct ieee80211_rx_data *rx)
/* management frames are already linear */
if (skb->len < 24 + sizeof(*mmie))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_CMAC256;
mmie = (struct ieee80211_mmie_16 *)
(skb->data + skb->len - sizeof(*mmie));
if (mmie->element_id != WLAN_EID_MMIE ||
mmie->length != sizeof(*mmie) - 2)
- return RX_DROP_UNUSABLE; /* Invalid MMIE */
+ return RX_DROP_U_BAD_MMIE; /* Invalid MMIE */
bip_ipn_swap(ipn, mmie->sequence_number);
@@ -1073,7 +1073,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
/* management frames are already linear */
if (skb->len < 24 + sizeof(*mmie))
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_SHORT_GMAC;
mmie = (struct ieee80211_mmie_16 *)
(skb->data + skb->len - sizeof(*mmie));
@@ -1097,7 +1097,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct ieee80211_rx_data *rx)
mic = kmalloc(GMAC_MIC_LEN, GFP_ATOMIC);
if (!mic)
- return RX_DROP_UNUSABLE;
+ return RX_DROP_U_OOM;
if (ieee80211_aes_gmac(key->u.aes_gmac.tfm, aad, nonce,
skb->data + 24, skb->len - 24,
mic) < 0 ||
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 181/737] wifi: mac80211: fix CMAC functions not handling errors
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 180/737] wifi: mac80211: remove RX_DROP_UNUSABLE Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 182/737] mfd: mt6397-irq: Fix missing irq_domain_remove() in error path Greg Kroah-Hartman
` (566 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chien Wong, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chien Wong <m@xv97.com>
[ Upstream commit 353cda30d30e5dc7cacf8de5d2546724708ae3bb ]
The called hash functions could fail thus we should check return values.
Fixes: 26717828b75d ("mac80211: aes-cmac: switch to shash CMAC driver")
Signed-off-by: Chien Wong <m@xv97.com>
Link: https://patch.msgid.link/20251113140511.48658-2-m@xv97.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/aes_cmac.c | 63 +++++++++++++++++++++++++++++------------
net/mac80211/aes_cmac.h | 8 +++---
net/mac80211/wpa.c | 20 +++++++------
3 files changed, 61 insertions(+), 30 deletions(-)
diff --git a/net/mac80211/aes_cmac.c b/net/mac80211/aes_cmac.c
index 48c04f89de20a..65989c7dfc680 100644
--- a/net/mac80211/aes_cmac.c
+++ b/net/mac80211/aes_cmac.c
@@ -22,50 +22,77 @@
static const u8 zero[CMAC_TLEN_256];
-void ieee80211_aes_cmac(struct crypto_shash *tfm, const u8 *aad,
- const u8 *data, size_t data_len, u8 *mic)
+int ieee80211_aes_cmac(struct crypto_shash *tfm, const u8 *aad,
+ const u8 *data, size_t data_len, u8 *mic)
{
+ int err;
SHASH_DESC_ON_STACK(desc, tfm);
u8 out[AES_BLOCK_SIZE];
const __le16 *fc;
desc->tfm = tfm;
- crypto_shash_init(desc);
- crypto_shash_update(desc, aad, AAD_LEN);
+ err = crypto_shash_init(desc);
+ if (err)
+ return err;
+ err = crypto_shash_update(desc, aad, AAD_LEN);
+ if (err)
+ return err;
fc = (const __le16 *)aad;
if (ieee80211_is_beacon(*fc)) {
/* mask Timestamp field to zero */
- crypto_shash_update(desc, zero, 8);
- crypto_shash_update(desc, data + 8, data_len - 8 - CMAC_TLEN);
+ err = crypto_shash_update(desc, zero, 8);
+ if (err)
+ return err;
+ err = crypto_shash_update(desc, data + 8,
+ data_len - 8 - CMAC_TLEN);
+ if (err)
+ return err;
} else {
- crypto_shash_update(desc, data, data_len - CMAC_TLEN);
+ err = crypto_shash_update(desc, data,
+ data_len - CMAC_TLEN);
+ if (err)
+ return err;
}
- crypto_shash_finup(desc, zero, CMAC_TLEN, out);
-
+ err = crypto_shash_finup(desc, zero, CMAC_TLEN, out);
+ if (err)
+ return err;
memcpy(mic, out, CMAC_TLEN);
+
+ return 0;
}
-void ieee80211_aes_cmac_256(struct crypto_shash *tfm, const u8 *aad,
- const u8 *data, size_t data_len, u8 *mic)
+int ieee80211_aes_cmac_256(struct crypto_shash *tfm, const u8 *aad,
+ const u8 *data, size_t data_len, u8 *mic)
{
+ int err;
SHASH_DESC_ON_STACK(desc, tfm);
const __le16 *fc;
desc->tfm = tfm;
- crypto_shash_init(desc);
- crypto_shash_update(desc, aad, AAD_LEN);
+ err = crypto_shash_init(desc);
+ if (err)
+ return err;
+ err = crypto_shash_update(desc, aad, AAD_LEN);
+ if (err)
+ return err;
fc = (const __le16 *)aad;
if (ieee80211_is_beacon(*fc)) {
/* mask Timestamp field to zero */
- crypto_shash_update(desc, zero, 8);
- crypto_shash_update(desc, data + 8,
- data_len - 8 - CMAC_TLEN_256);
+ err = crypto_shash_update(desc, zero, 8);
+ if (err)
+ return err;
+ err = crypto_shash_update(desc, data + 8,
+ data_len - 8 - CMAC_TLEN_256);
+ if (err)
+ return err;
} else {
- crypto_shash_update(desc, data, data_len - CMAC_TLEN_256);
+ err = crypto_shash_update(desc, data, data_len - CMAC_TLEN_256);
+ if (err)
+ return err;
}
- crypto_shash_finup(desc, zero, CMAC_TLEN_256, mic);
+ return crypto_shash_finup(desc, zero, CMAC_TLEN_256, mic);
}
struct crypto_shash *ieee80211_aes_cmac_key_setup(const u8 key[],
diff --git a/net/mac80211/aes_cmac.h b/net/mac80211/aes_cmac.h
index 76817446fb838..f74150542142a 100644
--- a/net/mac80211/aes_cmac.h
+++ b/net/mac80211/aes_cmac.h
@@ -11,10 +11,10 @@
struct crypto_shash *ieee80211_aes_cmac_key_setup(const u8 key[],
size_t key_len);
-void ieee80211_aes_cmac(struct crypto_shash *tfm, const u8 *aad,
- const u8 *data, size_t data_len, u8 *mic);
-void ieee80211_aes_cmac_256(struct crypto_shash *tfm, const u8 *aad,
- const u8 *data, size_t data_len, u8 *mic);
+int ieee80211_aes_cmac(struct crypto_shash *tfm, const u8 *aad,
+ const u8 *data, size_t data_len, u8 *mic);
+int ieee80211_aes_cmac_256(struct crypto_shash *tfm, const u8 *aad,
+ const u8 *data, size_t data_len, u8 *mic);
void ieee80211_aes_cmac_key_free(struct crypto_shash *tfm);
#endif /* AES_CMAC_H */
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 94dae7cb6dbd3..6223014e480c7 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -859,8 +859,9 @@ ieee80211_crypto_aes_cmac_encrypt(struct ieee80211_tx_data *tx)
/*
* MIC = AES-128-CMAC(IGTK, AAD || Management Frame Body || MMIE, 64)
*/
- ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
- skb->data + 24, skb->len - 24, mmie->mic);
+ if (ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
+ skb->data + 24, skb->len - 24, mmie->mic))
+ return TX_DROP;
return TX_CONTINUE;
}
@@ -902,8 +903,9 @@ ieee80211_crypto_aes_cmac_256_encrypt(struct ieee80211_tx_data *tx)
/* MIC = AES-256-CMAC(IGTK, AAD || Management Frame Body || MMIE, 128)
*/
- ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
- skb->data + 24, skb->len - 24, mmie->mic);
+ if (ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
+ skb->data + 24, skb->len - 24, mmie->mic))
+ return TX_DROP;
return TX_CONTINUE;
}
@@ -942,8 +944,9 @@ ieee80211_crypto_aes_cmac_decrypt(struct ieee80211_rx_data *rx)
if (!(status->flag & RX_FLAG_DECRYPTED)) {
/* hardware didn't decrypt/verify MIC */
bip_aad(skb, aad);
- ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
- skb->data + 24, skb->len - 24, mic);
+ if (ieee80211_aes_cmac(key->u.aes_cmac.tfm, aad,
+ skb->data + 24, skb->len - 24, mic))
+ return RX_DROP_U_DECRYPT_FAIL;
if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
key->u.aes_cmac.icverrors++;
return RX_DROP_U_MIC_FAIL;
@@ -992,8 +995,9 @@ ieee80211_crypto_aes_cmac_256_decrypt(struct ieee80211_rx_data *rx)
if (!(status->flag & RX_FLAG_DECRYPTED)) {
/* hardware didn't decrypt/verify MIC */
bip_aad(skb, aad);
- ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
- skb->data + 24, skb->len - 24, mic);
+ if (ieee80211_aes_cmac_256(key->u.aes_cmac.tfm, aad,
+ skb->data + 24, skb->len - 24, mic))
+ return RX_DROP_U_DECRYPT_FAIL;
if (crypto_memneq(mic, mmie->mic, sizeof(mmie->mic))) {
key->u.aes_cmac.icverrors++;
return RX_DROP_U_MIC_FAIL;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 182/737] mfd: mt6397-irq: Fix missing irq_domain_remove() in error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 181/737] wifi: mac80211: fix CMAC functions not handling errors Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 183/737] mfd: mt6358-irq: " Greg Kroah-Hartman
` (565 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Lee Jones,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit b4b1bd1f330fdd13706382be6c90ce9f58cee3f5 ]
If devm_request_threaded_irq() fails after irq_domain_create_linear()
succeeds in mt6397_irq_init(), the function returns without removing
the created IRQ domain, leading to a resource leak.
Call irq_domain_remove() in the error path after a successful
irq_domain_create_linear() to properly release the IRQ domain.
Fixes: a4872e80ce7d ("mfd: mt6397: Extract IRQ related code from core driver")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251118121500.605-1-vulab@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/mt6397-irq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mfd/mt6397-irq.c b/drivers/mfd/mt6397-irq.c
index 886745b5b607c..1e83f7c7ce145 100644
--- a/drivers/mfd/mt6397-irq.c
+++ b/drivers/mfd/mt6397-irq.c
@@ -208,6 +208,7 @@ int mt6397_irq_init(struct mt6397_chip *chip)
if (ret) {
dev_err(chip->dev, "failed to register irq=%d; err: %d\n",
chip->irq, ret);
+ irq_domain_remove(chip->irq_domain);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 183/737] mfd: mt6358-irq: Fix missing irq_domain_remove() in error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 182/737] mfd: mt6397-irq: Fix missing irq_domain_remove() in error path Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 184/737] phy: renesas: rcar-gen3-usb2: Fix an error handling path in rcar_gen3_phy_usb2_probe() Greg Kroah-Hartman
` (564 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Lee Jones,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 384bd58bf7095e4c4c8fcdbcede316ef342c630c ]
If devm_request_threaded_irq() fails after irq_domain_add_linear()
succeeds in mt6358_irq_init(), the function returns without removing
the created IRQ domain, leading to a resource leak.
Call irq_domain_remove() in the error path after a successful
irq_domain_add_linear() to properly release the IRQ domain.
Fixes: 2b91c28f2abd ("mfd: Add support for the MediaTek MT6358 PMIC")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251118121427.583-1-vulab@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/mt6358-irq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mfd/mt6358-irq.c b/drivers/mfd/mt6358-irq.c
index 49830b526ee88..10a0952615a17 100644
--- a/drivers/mfd/mt6358-irq.c
+++ b/drivers/mfd/mt6358-irq.c
@@ -286,6 +286,7 @@ int mt6358_irq_init(struct mt6397_chip *chip)
if (ret) {
dev_err(chip->dev, "Failed to register IRQ=%d, ret=%d\n",
chip->irq, ret);
+ irq_domain_remove(chip->irq_domain);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 184/737] phy: renesas: rcar-gen3-usb2: Fix an error handling path in rcar_gen3_phy_usb2_probe()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 183/737] mfd: mt6358-irq: " Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 185/737] net: phy: adin1100: Fix software power-down ready condition Greg Kroah-Hartman
` (563 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Biju Das,
Geert Uytterhoeven, Wolfram Sang, Claudiu Beznea, Vinod Koul,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 662bb179d3381c7c069e44bb177396bcaee31cc8 ]
If an error occurs after the reset_control_deassert(),
reset_control_assert() must be called, as already done in the remove
function.
Use devm_add_action_or_reset() to add the missing call and simplify the
.remove() function accordingly.
While at it, drop struct rcar_gen3_chan::rstc as it is not used aymore.
[claudiu.beznea: removed "struct reset_control *rstc = data;" from
rcar_gen3_reset_assert(), dropped struct rcar_gen3_chan::rstc]
Fixes: 4eae16375357 ("phy: renesas: rcar-gen3-usb2: Add support to initialize the bus")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://patch.msgid.link/20251023135810.1688415-3-claudiu.beznea.uj@bp.renesas.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/renesas/phy-rcar-gen3-usb2.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/phy/renesas/phy-rcar-gen3-usb2.c b/drivers/phy/renesas/phy-rcar-gen3-usb2.c
index 9a6391361a0be..89a9693c9f577 100644
--- a/drivers/phy/renesas/phy-rcar-gen3-usb2.c
+++ b/drivers/phy/renesas/phy-rcar-gen3-usb2.c
@@ -117,7 +117,6 @@ struct rcar_gen3_chan {
struct extcon_dev *extcon;
struct rcar_gen3_phy rphys[NUM_OF_PHYS];
struct regulator *vbus;
- struct reset_control *rstc;
struct work_struct work;
spinlock_t lock; /* protects access to hardware and driver data structure. */
enum usb_dr_mode dr_mode;
@@ -658,21 +657,31 @@ static enum usb_dr_mode rcar_gen3_get_dr_mode(struct device_node *np)
return candidate;
}
+static void rcar_gen3_reset_assert(void *data)
+{
+ reset_control_assert(data);
+}
+
static int rcar_gen3_phy_usb2_init_bus(struct rcar_gen3_chan *channel)
{
struct device *dev = channel->dev;
+ struct reset_control *rstc;
int ret;
u32 val;
- channel->rstc = devm_reset_control_array_get_shared(dev);
- if (IS_ERR(channel->rstc))
- return PTR_ERR(channel->rstc);
+ rstc = devm_reset_control_array_get_shared(dev);
+ if (IS_ERR(rstc))
+ return PTR_ERR(rstc);
ret = pm_runtime_resume_and_get(dev);
if (ret)
return ret;
- ret = reset_control_deassert(channel->rstc);
+ ret = reset_control_deassert(rstc);
+ if (ret)
+ goto rpm_put;
+
+ ret = devm_add_action_or_reset(dev, rcar_gen3_reset_assert, rstc);
if (ret)
goto rpm_put;
@@ -814,7 +823,6 @@ static void rcar_gen3_phy_usb2_remove(struct platform_device *pdev)
if (channel->is_otg_channel)
device_remove_file(&pdev->dev, &dev_attr_role);
- reset_control_assert(channel->rstc);
pm_runtime_disable(&pdev->dev);
};
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 185/737] net: phy: adin1100: Fix software power-down ready condition
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 184/737] phy: renesas: rcar-gen3-usb2: Fix an error handling path in rcar_gen3_phy_usb2_probe() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 186/737] cpuset: Treat cpusets in attaching as populated Greg Kroah-Hartman
` (562 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Dahl,
Russell King (Oracle), Nuno Sá, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Dahl <ada@thorsis.com>
[ Upstream commit bccaf1fe08f2c9f96f6bc38391d41e67f6bf38e3 ]
Value CRSM_SFT_PD written to Software Power-Down Control Register
(CRSM_SFT_PD_CNTRL) is 0x01 and therefor different to value
CRSM_SFT_PD_RDY (0x02) read from System Status Register (CRSM_STAT) for
confirmation powerdown has been reached.
The condition could have only worked when disabling powerdown
(both 0x00), but never when enabling it (0x01 != 0x02).
Result is a timeout, like so:
$ ifdown eth0
macb f802c000.ethernet eth0: Link is Down
ADIN1100 f802c000.ethernet-ffffffff:01: adin_set_powerdown_mode failed: -110
ADIN1100 f802c000.ethernet-ffffffff:01: adin_set_powerdown_mode failed: -110
Fixes: 7eaf9132996a ("net: phy: adin1100: Add initial support for ADIN1100 industrial PHY")
Signed-off-by: Alexander Dahl <ada@thorsis.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Acked-by: Nuno Sá <nuno.sa@analog.com>
Link: https://patch.msgid.link/20251119124737.280939-2-ada@thorsis.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/adin1100.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/phy/adin1100.c b/drivers/net/phy/adin1100.c
index 7619d6185801c..2f47b7020e12b 100644
--- a/drivers/net/phy/adin1100.c
+++ b/drivers/net/phy/adin1100.c
@@ -148,7 +148,7 @@ static int adin_set_powerdown_mode(struct phy_device *phydev, bool en)
return ret;
return phy_read_mmd_poll_timeout(phydev, MDIO_MMD_VEND1, ADIN_CRSM_STAT, ret,
- (ret & ADIN_CRSM_SFT_PD_RDY) == val,
+ !!(ret & ADIN_CRSM_SFT_PD_RDY) == en,
1000, 30000, true);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 186/737] cpuset: Treat cpusets in attaching as populated
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 185/737] net: phy: adin1100: Fix software power-down ready condition Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-12 2:42 ` [PATCH] " Chen Ridong
2026-01-09 11:35 ` [PATCH 6.6 187/737] wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() Greg Kroah-Hartman
` (561 subsequent siblings)
747 siblings, 1 reply; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Ridong, Waiman Long, Tejun Heo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ridong <chenridong@huawei.com>
[ Upstream commit b1bcaed1e39a9e0dfbe324a15d2ca4253deda316 ]
Currently, the check for whether a partition is populated does not
account for tasks in the cpuset of attaching. This is a corner case
that can leave a task stuck in a partition with no effective CPUs.
The race condition occurs as follows:
cpu0 cpu1
//cpuset A with cpu N
migrate task p to A
cpuset_can_attach
// with effective cpus
// check ok
// cpuset_mutex is not held // clear cpuset.cpus.exclusive
// making effective cpus empty
update_exclusive_cpumask
// tasks_nocpu_error check ok
// empty effective cpus, partition valid
cpuset_attach
...
// task p stays in A, with non-effective cpus.
To fix this issue, this patch introduces cs_is_populated, which considers
tasks in the attaching cpuset. This new helper is used in validate_change
and partition_is_populated.
Fixes: e2d59900d936 ("cgroup/cpuset: Allow no-task partition to have empty cpuset.cpus.effective")
Signed-off-by: Chen Ridong <chenridong@huawei.com>
Reviewed-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cpuset.c | 35 +++++++++++++++++++++++++++--------
1 file changed, 27 insertions(+), 8 deletions(-)
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index eadb028916c81..f61dde0497f39 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -453,6 +453,15 @@ static inline bool is_in_v2_mode(void)
(cpuset_cgrp_subsys.root->flags & CGRP_ROOT_CPUSET_V2_MODE);
}
+static inline bool cpuset_is_populated(struct cpuset *cs)
+{
+ lockdep_assert_held(&cpuset_mutex);
+
+ /* Cpusets in the process of attaching should be considered as populated */
+ return cgroup_is_populated(cs->css.cgroup) ||
+ cs->attach_in_progress;
+}
+
/**
* partition_is_populated - check if partition has tasks
* @cs: partition root to be checked
@@ -465,21 +474,31 @@ static inline bool is_in_v2_mode(void)
static inline bool partition_is_populated(struct cpuset *cs,
struct cpuset *excluded_child)
{
- struct cgroup_subsys_state *css;
- struct cpuset *child;
+ struct cpuset *cp;
+ struct cgroup_subsys_state *pos_css;
- if (cs->css.cgroup->nr_populated_csets)
+ /*
+ * We cannot call cs_is_populated(cs) directly, as
+ * nr_populated_domain_children may include populated
+ * csets from descendants that are partitions.
+ */
+ if (cs->css.cgroup->nr_populated_csets ||
+ cs->attach_in_progress)
return true;
if (!excluded_child && !cs->nr_subparts_cpus)
return cgroup_is_populated(cs->css.cgroup);
rcu_read_lock();
- cpuset_for_each_child(child, css, cs) {
- if (child == excluded_child)
+ cpuset_for_each_descendant_pre(cp, pos_css, cs) {
+ if (cp == cs || cp == excluded_child)
continue;
- if (is_partition_valid(child))
+
+ if (is_partition_valid(cp)) {
+ pos_css = css_rightmost_descendant(pos_css);
continue;
- if (cgroup_is_populated(child->css.cgroup)) {
+ }
+
+ if (cpuset_is_populated(cp)) {
rcu_read_unlock();
return true;
}
@@ -751,7 +770,7 @@ static int validate_change(struct cpuset *cur, struct cpuset *trial)
* be changed to have empty cpus_allowed or mems_allowed.
*/
ret = -ENOSPC;
- if ((cgroup_is_populated(cur->css.cgroup) || cur->attach_in_progress)) {
+ if (cpuset_is_populated(cur)) {
if (!cpumask_empty(cur->cpus_allowed) &&
cpumask_empty(trial->cpus_allowed))
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 187/737] wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 186/737] cpuset: Treat cpusets in attaching as populated Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 188/737] ima: Handle error code returned by ima_filter_rule_match() Greg Kroah-Hartman
` (560 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Seungjin Bae, Ping-Ke Shih,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
[ Upstream commit b647d2574e4583c2e3b0ab35568f60c88e910840 ]
The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.
If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.
Add length checks for both rtl8187 and rtl8187b descriptor headers
before attempting to access them, dropping the packet cleanly if the
check fails.
Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20251118013258.1789949-2-eeodqql09@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../wireless/realtek/rtl818x/rtl8187/dev.c | 27 +++++++++++++------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index f6528469022bf..70df4c0b939ca 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -338,14 +338,16 @@ static void rtl8187_rx_cb(struct urb *urb)
spin_unlock_irqrestore(&priv->rx_queue.lock, f);
skb_put(skb, urb->actual_length);
- if (unlikely(urb->status)) {
- dev_kfree_skb_irq(skb);
- return;
- }
+ if (unlikely(urb->status))
+ goto free_skb;
if (!priv->is_rtl8187b) {
- struct rtl8187_rx_hdr *hdr =
- (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
+ struct rtl8187_rx_hdr *hdr;
+
+ if (skb->len < sizeof(struct rtl8187_rx_hdr))
+ goto free_skb;
+
+ hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
flags = le32_to_cpu(hdr->flags);
/* As with the RTL8187B below, the AGC is used to calculate
* signal strength. In this case, the scaling
@@ -355,8 +357,12 @@ static void rtl8187_rx_cb(struct urb *urb)
rx_status.antenna = (hdr->signal >> 7) & 1;
rx_status.mactime = le64_to_cpu(hdr->mac_time);
} else {
- struct rtl8187b_rx_hdr *hdr =
- (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
+ struct rtl8187b_rx_hdr *hdr;
+
+ if (skb->len < sizeof(struct rtl8187b_rx_hdr))
+ goto free_skb;
+
+ hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
/* The Realtek datasheet for the RTL8187B shows that the RX
* header contains the following quantities: signal quality,
* RSSI, AGC, the received power in dB, and the measured SNR.
@@ -409,6 +415,11 @@ static void rtl8187_rx_cb(struct urb *urb)
skb_unlink(skb, &priv->rx_queue);
dev_kfree_skb_irq(skb);
}
+ return;
+
+free_skb:
+ dev_kfree_skb_irq(skb);
+ return;
}
static int rtl8187_init_urbs(struct ieee80211_hw *dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 188/737] ima: Handle error code returned by ima_filter_rule_match()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 187/737] wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 189/737] usb: chaoskey: fix locking for O_NONBLOCK Greg Kroah-Hartman
` (559 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhao Yipeng, Roberto Sassu,
Mimi Zohar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Yipeng <zhaoyipeng5@huawei.com>
[ Upstream commit 738c9738e690f5cea24a3ad6fd2d9a323cf614f6 ]
In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to
the rule being NULL, the function incorrectly skips the 'if (!rc)' check
and sets 'result = true'. The LSM rule is considered a match, causing
extra files to be measured by IMA.
This issue can be reproduced in the following scenario:
After unloading the SELinux policy module via 'semodule -d', if an IMA
measurement is triggered before ima_lsm_rules is updated,
in ima_match_rules(), the first call to ima_filter_rule_match() returns
-ESTALE. This causes the code to enter the 'if (rc == -ESTALE &&
!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In
ima_lsm_copy_rule(), since the SELinux module has been removed, the rule
becomes NULL, and the second call to ima_filter_rule_match() returns
-ENOENT. This bypasses the 'if (!rc)' check and results in a false match.
Call trace:
selinux_audit_rule_match+0x310/0x3b8
security_audit_rule_match+0x60/0xa0
ima_match_rules+0x2e4/0x4a0
ima_match_policy+0x9c/0x1e8
ima_get_action+0x48/0x60
process_measurement+0xf8/0xa98
ima_bprm_check+0x98/0xd8
security_bprm_check+0x5c/0x78
search_binary_handler+0x6c/0x318
exec_binprm+0x58/0x1b8
bprm_execve+0xb8/0x130
do_execveat_common.isra.0+0x1a8/0x258
__arm64_sys_execve+0x48/0x68
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x44/0x200
el0t_64_sync_handler+0x100/0x130
el0t_64_sync+0x3c8/0x3d0
Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error
codes like -ENOENT do not bypass the check and accidentally result in a
successful match.
Fixes: 4af4662fa4a9d ("integrity: IMA policy")
Signed-off-by: Zhao Yipeng <zhaoyipeng5@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index f3f46c6186c08..afbf963cb7483 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -672,7 +672,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
goto retry;
}
}
- if (!rc) {
+ if (rc <= 0) {
result = false;
goto out;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 189/737] usb: chaoskey: fix locking for O_NONBLOCK
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 188/737] ima: Handle error code returned by ima_filter_rule_match() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 190/737] usb: dwc2: disable platform lowlevel hw resources during shutdown Greg Kroah-Hartman
` (558 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit a2fa8a12e6bc9d89c0505b8dd7ae38ec173d25de ]
A failure to take a lock with O_NONBLOCK needs to result
in -EAGAIN. Change it.
Fixes: 66e3e591891da ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20251030093918.2248104-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/misc/chaoskey.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c
index 225863321dc47..45cff32656c6e 100644
--- a/drivers/usb/misc/chaoskey.c
+++ b/drivers/usb/misc/chaoskey.c
@@ -444,9 +444,19 @@ static ssize_t chaoskey_read(struct file *file,
goto bail;
mutex_unlock(&dev->rng_lock);
- result = mutex_lock_interruptible(&dev->lock);
- if (result)
- goto bail;
+ if (file->f_flags & O_NONBLOCK) {
+ result = mutex_trylock(&dev->lock);
+ if (result == 0) {
+ result = -EAGAIN;
+ goto bail;
+ } else {
+ result = 0;
+ }
+ } else {
+ result = mutex_lock_interruptible(&dev->lock);
+ if (result)
+ goto bail;
+ }
if (dev->valid == dev->used) {
result = _chaoskey_fill(dev);
if (result < 0) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 190/737] usb: dwc2: disable platform lowlevel hw resources during shutdown
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 189/737] usb: chaoskey: fix locking for O_NONBLOCK Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 191/737] usb: dwc2: fix hang during shutdown if set as peripheral Greg Kroah-Hartman
` (557 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Minas Harutyunyan,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
[ Upstream commit 7481a97c5f49f10c7490bb990d0e863f23b9bb71 ]
On some SoC platforms, in shutdown stage, most components' power is cut
off, but there's still power supply to the so called always-on
domain, so if the dwc2's regulator is from the always-on domain, we
need to explicitly disable it to save power.
Disable platform lowlevel hw resources such as phy, clock and
regulators etc. in device shutdown hook to reduce non-necessary power
consumption when the platform enters shutdown stage.
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Acked-by: Minas Harutyunyan <hminas@synopsys.com>
Link: https://lore.kernel.org/r/20250629094655.747-1-jszhang@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: b6ebcfdcac40 ("usb: dwc2: fix hang during shutdown if set as peripheral")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc2/platform.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c
index c1b7209b94836..79ce88b5f07d9 100644
--- a/drivers/usb/dwc2/platform.c
+++ b/drivers/usb/dwc2/platform.c
@@ -371,6 +371,9 @@ static void dwc2_driver_shutdown(struct platform_device *dev)
dwc2_disable_global_interrupts(hsotg);
synchronize_irq(hsotg->irq);
+
+ if (hsotg->ll_hw_enabled)
+ dwc2_lowlevel_hw_disable(hsotg);
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 191/737] usb: dwc2: fix hang during shutdown if set as peripheral
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 190/737] usb: dwc2: disable platform lowlevel hw resources during shutdown Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 192/737] usb: dwc2: fix hang during suspend " Greg Kroah-Hartman
` (556 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
[ Upstream commit b6ebcfdcac40a27953f052e4269ce75a18825ffc ]
dwc2 on most platforms needs phy controller, clock and power supply.
All of them must be enabled/activated to properly operate. If dwc2
is configured as peripheral mode, then all the above three hardware
resources are disabled at the end of the probe:
/* Gadget code manages lowlevel hw on its own */
if (hsotg->dr_mode == USB_DR_MODE_PERIPHERAL)
dwc2_lowlevel_hw_disable(hsotg);
But dwc2_driver_shutdown() tries to disable the interrupts on HW IP
level. This would result in hang during shutdown if dwc2 is configured
as peripheral mode.
Fix this hang by only disable and sync irq when lowlevel hw is enabled.
Fixes: 4fdf228cdf69 ("usb: dwc2: Fix shutdown callback in platform")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Link: https://patch.msgid.link/20251104002503.17158-2-jszhang@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc2/platform.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c
index 79ce88b5f07d9..fad6f68f86bd6 100644
--- a/drivers/usb/dwc2/platform.c
+++ b/drivers/usb/dwc2/platform.c
@@ -369,11 +369,11 @@ static void dwc2_driver_shutdown(struct platform_device *dev)
{
struct dwc2_hsotg *hsotg = platform_get_drvdata(dev);
- dwc2_disable_global_interrupts(hsotg);
- synchronize_irq(hsotg->irq);
-
- if (hsotg->ll_hw_enabled)
+ if (hsotg->ll_hw_enabled) {
+ dwc2_disable_global_interrupts(hsotg);
+ synchronize_irq(hsotg->irq);
dwc2_lowlevel_hw_disable(hsotg);
+ }
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 192/737] usb: dwc2: fix hang during suspend if set as peripheral
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 191/737] usb: dwc2: fix hang during shutdown if set as peripheral Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 193/737] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE Greg Kroah-Hartman
` (555 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
[ Upstream commit 2b94b054ac4974ad2f89f7f7461840c851933adb ]
dwc2 on most platforms needs phy controller, clock and power supply.
All of them must be enabled/activated to properly operate. If dwc2
is configured as peripheral mode, then all the above three hardware
resources are disabled at the end of the probe:
/* Gadget code manages lowlevel hw on its own */
if (hsotg->dr_mode == USB_DR_MODE_PERIPHERAL)
dwc2_lowlevel_hw_disable(hsotg);
But the dwc2_suspend() tries to read the dwc2's reg to check whether
is_device_mode or not, this would result in hang during suspend if dwc2
is configured as peripheral mode.
Fix this hang by bypassing suspend/resume if lowlevel hw isn't
enabled.
Fixes: 09a75e857790 ("usb: dwc2: refactor common low-level hw code to platform.c")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Link: https://patch.msgid.link/20251104002503.17158-3-jszhang@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc2/platform.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c
index fad6f68f86bd6..e80982c817d7d 100644
--- a/drivers/usb/dwc2/platform.c
+++ b/drivers/usb/dwc2/platform.c
@@ -649,9 +649,13 @@ static int dwc2_driver_probe(struct platform_device *dev)
static int __maybe_unused dwc2_suspend(struct device *dev)
{
struct dwc2_hsotg *dwc2 = dev_get_drvdata(dev);
- bool is_device_mode = dwc2_is_device_mode(dwc2);
+ bool is_device_mode;
int ret = 0;
+ if (!dwc2->ll_hw_enabled)
+ return 0;
+
+ is_device_mode = dwc2_is_device_mode(dwc2);
if (is_device_mode)
dwc2_hsotg_suspend(dwc2);
@@ -702,6 +706,9 @@ static int __maybe_unused dwc2_resume(struct device *dev)
struct dwc2_hsotg *dwc2 = dev_get_drvdata(dev);
int ret = 0;
+ if (!dwc2->ll_hw_enabled)
+ return 0;
+
if (dwc2->phy_off_for_suspend && dwc2->ll_hw_enabled) {
ret = __dwc2_lowlevel_hw_enable(dwc2);
if (ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 193/737] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 192/737] usb: dwc2: fix hang during suspend " Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 194/737] selftests/bpf: skip test_perf_branches_hw() on unsupported platforms Greg Kroah-Hartman
` (554 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d8fd35fa6177afa8c92b,
Gopi Krishna Menon, Andrey Konovalov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gopi Krishna Menon <krishnagopi487@gmail.com>
[ Upstream commit a5160af78be7fcf3ade6caab0a14e349560c96d7 ]
The previous commit removed the PAGE_SIZE limit on transfer length of
raw_io buffer in order to avoid any problems with emulating USB devices
whose full configuration descriptor exceeds PAGE_SIZE in length. However
this also removes the upperbound on user supplied length, allowing very
large values to be passed to the allocator.
syzbot on fuzzing the transfer length with very large value (1.81GB)
results in kmalloc() to fall back to the page allocator, which triggers
a kernel warning as the page allocator cannot handle allocations more
than MAX_PAGE_ORDER/KMALLOC_MAX_SIZE.
Since there is no limit imposed on the size of buffer for both control
and non control transfers, cap the raw_io transfer length to
KMALLOC_MAX_SIZE and return -EINVAL for larger transfer length to
prevent any warnings from the page allocator.
Fixes: 37b9dd0d114a ("usb: raw-gadget: do not limit transfer length")
Tested-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
Reported-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68fc07a0.a70a0220.3bf6c6.01ab.GAE@google.com/
Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://patch.msgid.link/20251028165659.50962-1-krishnagopi487@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/legacy/raw_gadget.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index 2deab4a6030d7..8aa1a8408ae33 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -39,6 +39,7 @@ MODULE_LICENSE("GPL");
static DEFINE_IDA(driver_id_numbers);
#define DRIVER_DRIVER_NAME_LENGTH_MAX 32
+#define USB_RAW_IO_LENGTH_MAX KMALLOC_MAX_SIZE
#define RAW_EVENT_QUEUE_SIZE 16
@@ -620,6 +621,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
return ERR_PTR(-EINVAL);
if (!usb_raw_io_flags_valid(io->flags))
return ERR_PTR(-EINVAL);
+ if (io->length > USB_RAW_IO_LENGTH_MAX)
+ return ERR_PTR(-EINVAL);
if (get_from_user)
data = memdup_user(ptr + sizeof(*io), io->length);
else {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 194/737] selftests/bpf: skip test_perf_branches_hw() on unsupported platforms
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 193/737] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 195/737] selftests/bpf: Improve reliability of test_perf_branches_no_hw() Greg Kroah-Hartman
` (553 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Bobrowski, Song Liu,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Bobrowski <mattbobrowski@google.com>
[ Upstream commit 27746aaf1b20172f0859546c4a3e82eca459f680 ]
Gracefully skip the test_perf_branches_hw subtest on platforms that
do not support LBR or require specialized perf event attributes
to enable branch sampling.
For example, AMD's Milan (Zen 3) supports BRS rather than traditional
LBR. This requires specific configurations (attr.type = PERF_TYPE_RAW,
attr.config = RETIRED_TAKEN_BRANCH_INSTRUCTIONS) that differ from the
generic setup used within this test. Notably, it also probably doesn't
hold much value to special case perf event configurations for selected
micro architectures.
Fixes: 67306f84ca78c ("selftests/bpf: Add bpf_read_branch_records() selftest")
Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
Acked-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20251120142059.2836181-1-mattbobrowski@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/prog_tests/perf_branches.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/perf_branches.c b/tools/testing/selftests/bpf/prog_tests/perf_branches.c
index bc24f83339d64..06c7986131d96 100644
--- a/tools/testing/selftests/bpf/prog_tests/perf_branches.c
+++ b/tools/testing/selftests/bpf/prog_tests/perf_branches.c
@@ -116,11 +116,11 @@ static void test_perf_branches_hw(void)
pfd = syscall(__NR_perf_event_open, &attr, -1, 0, -1, PERF_FLAG_FD_CLOEXEC);
/*
- * Some setups don't support branch records (virtual machines, !x86),
- * so skip test in this case.
+ * Some setups don't support LBR (virtual machines, !x86, AMD Milan Zen
+ * 3 which only supports BRS), so skip test in this case.
*/
if (pfd < 0) {
- if (errno == ENOENT || errno == EOPNOTSUPP) {
+ if (errno == ENOENT || errno == EOPNOTSUPP || errno == EINVAL) {
printf("%s:SKIP:no PERF_SAMPLE_BRANCH_STACK\n",
__func__);
test__skip();
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 195/737] selftests/bpf: Improve reliability of test_perf_branches_no_hw()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 194/737] selftests/bpf: skip test_perf_branches_hw() on unsupported platforms Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 196/737] crypto: starfive - Correctly handle return of sg_nents_for_len Greg Kroah-Hartman
` (552 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Bobrowski, Jiri Olsa,
Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Bobrowski <mattbobrowski@google.com>
[ Upstream commit ae24fc8a16b0481ea8c5acbc66453c49ec0431c4 ]
Currently, test_perf_branches_no_hw() relies on the busy loop within
test_perf_branches_common() being slow enough to allow at least one
perf event sample tick to occur before starting to tear down the
backing perf event BPF program. With a relatively small fixed
iteration count of 1,000,000, this is not guaranteed on modern fast
CPUs, resulting in the test run to subsequently fail with the
following:
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_perf_branches_common:PASS:test_perf_branches_load 0 nsec
test_perf_branches_common:PASS:attach_perf_event 0 nsec
test_perf_branches_common:PASS:set_affinity 0 nsec
check_good_sample:PASS:output not valid 0 nsec
check_good_sample:PASS:read_branches_size 0 nsec
check_good_sample:PASS:read_branches_stack 0 nsec
check_good_sample:PASS:read_branches_stack 0 nsec
check_good_sample:PASS:read_branches_global 0 nsec
check_good_sample:PASS:read_branches_global 0 nsec
check_good_sample:PASS:read_branches_size 0 nsec
test_perf_branches_no_hw:PASS:perf_event_open 0 nsec
test_perf_branches_common:PASS:test_perf_branches_load 0 nsec
test_perf_branches_common:PASS:attach_perf_event 0 nsec
test_perf_branches_common:PASS:set_affinity 0 nsec
check_bad_sample:FAIL:output not valid no valid sample from prog
Summary: 0/1 PASSED, 0 SKIPPED, 1 FAILED
Successfully unloaded bpf_testmod.ko.
On a modern CPU (i.e. one with a 3.5 GHz clock rate), executing 1
million increments of a volatile integer can take significantly less
than 1 millisecond. If the spin loop and detachment of the perf event
BPF program elapses before the first 1 ms sampling interval elapses,
the perf event will never end up firing. Fix this by bumping the loop
iteration counter a little within test_perf_branches_common(), along
with ensuring adding another loop termination condition which is
directly influenced by the backing perf event BPF program
executing. Notably, a concious decision was made to not adjust the
sample_freq value as that is just not a reliable way to go about
fixing the problem. It effectively still leaves the race window open.
Fixes: 67306f84ca78c ("selftests/bpf: Add bpf_read_branch_records() selftest")
Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
Reviewed-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20251119143540.2911424-1-mattbobrowski@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/bpf/prog_tests/perf_branches.c | 16 ++++++++++++++--
.../selftests/bpf/progs/test_perf_branches.c | 3 +++
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/perf_branches.c b/tools/testing/selftests/bpf/prog_tests/perf_branches.c
index 06c7986131d96..0a7ef770c487c 100644
--- a/tools/testing/selftests/bpf/prog_tests/perf_branches.c
+++ b/tools/testing/selftests/bpf/prog_tests/perf_branches.c
@@ -15,6 +15,10 @@ static void check_good_sample(struct test_perf_branches *skel)
int pbe_size = sizeof(struct perf_branch_entry);
int duration = 0;
+ if (CHECK(!skel->bss->run_cnt, "invalid run_cnt",
+ "checked sample validity before prog run"))
+ return;
+
if (CHECK(!skel->bss->valid, "output not valid",
"no valid sample from prog"))
return;
@@ -45,6 +49,10 @@ static void check_bad_sample(struct test_perf_branches *skel)
int written_stack = skel->bss->written_stack_out;
int duration = 0;
+ if (CHECK(!skel->bss->run_cnt, "invalid run_cnt",
+ "checked sample validity before prog run"))
+ return;
+
if (CHECK(!skel->bss->valid, "output not valid",
"no valid sample from prog"))
return;
@@ -83,8 +91,12 @@ static void test_perf_branches_common(int perf_fd,
err = pthread_setaffinity_np(pthread_self(), sizeof(cpu_set), &cpu_set);
if (CHECK(err, "set_affinity", "cpu #0, err %d\n", err))
goto out_destroy;
- /* spin the loop for a while (random high number) */
- for (i = 0; i < 1000000; ++i)
+
+ /* Spin the loop for a while by using a high iteration count, and by
+ * checking whether the specific run count marker has been explicitly
+ * incremented at least once by the backing perf_event BPF program.
+ */
+ for (i = 0; i < 100000000 && !*(volatile int *)&skel->bss->run_cnt; ++i)
++j;
test_perf_branches__detach(skel);
diff --git a/tools/testing/selftests/bpf/progs/test_perf_branches.c b/tools/testing/selftests/bpf/progs/test_perf_branches.c
index a1ccc831c882f..05ac9410cd68c 100644
--- a/tools/testing/selftests/bpf/progs/test_perf_branches.c
+++ b/tools/testing/selftests/bpf/progs/test_perf_branches.c
@@ -8,6 +8,7 @@
#include <bpf/bpf_tracing.h>
int valid = 0;
+int run_cnt = 0;
int required_size_out = 0;
int written_stack_out = 0;
int written_global_out = 0;
@@ -24,6 +25,8 @@ int perf_branches(void *ctx)
__u64 entries[4 * 3] = {0};
int required_size, written_stack, written_global;
+ ++run_cnt;
+
/* write to stack */
written_stack = bpf_read_branch_records(ctx, entries, sizeof(entries), 0);
/* ignore spurious events */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 196/737] crypto: starfive - Correctly handle return of sg_nents_for_len
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 195/737] selftests/bpf: Improve reliability of test_perf_branches_no_hw() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 197/737] crypto: ccree " Greg Kroah-Hartman
` (551 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit e9eb52037a529fbb307c290e9951a62dd728b03d ]
The return value of sg_nents_for_len was assigned to an unsigned long
in starfive_hash_digest, causing negative error codes to be converted
to large positive integers.
Add error checking for sg_nents_for_len and return immediately on
failure to prevent potential buffer overflows.
Fixes: 7883d1b28a2b ("crypto: starfive - Add hash and HMAC support")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/starfive/jh7110-hash.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/starfive/jh7110-hash.c b/drivers/crypto/starfive/jh7110-hash.c
index cc7650198d703..e973e73f866ba 100644
--- a/drivers/crypto/starfive/jh7110-hash.c
+++ b/drivers/crypto/starfive/jh7110-hash.c
@@ -358,6 +358,7 @@ static int starfive_hash_digest(struct ahash_request *req)
struct starfive_cryp_ctx *ctx = crypto_ahash_ctx(tfm);
struct starfive_cryp_request_ctx *rctx = ahash_request_ctx(req);
struct starfive_cryp_dev *cryp = ctx->cryp;
+ int sg_len;
memset(rctx, 0, sizeof(struct starfive_cryp_request_ctx));
@@ -366,7 +367,10 @@ static int starfive_hash_digest(struct ahash_request *req)
rctx->in_sg = req->src;
rctx->blksize = crypto_tfm_alg_blocksize(crypto_ahash_tfm(tfm));
rctx->digsize = crypto_ahash_digestsize(tfm);
- rctx->in_sg_len = sg_nents_for_len(rctx->in_sg, rctx->total);
+ sg_len = sg_nents_for_len(rctx->in_sg, rctx->total);
+ if (sg_len < 0)
+ return sg_len;
+ rctx->in_sg_len = sg_len;
ctx->rctx = rctx;
if (starfive_hash_check_aligned(rctx->in_sg, rctx->total, rctx->blksize))
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 197/737] crypto: ccree - Correctly handle return of sg_nents_for_len
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 196/737] crypto: starfive - Correctly handle return of sg_nents_for_len Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 198/737] RISC-V: KVM: Fix guest page fault within HLV* instructions Greg Kroah-Hartman
` (550 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 8700ce07c5c6bf27afa7b59a8d9cf58d783a7d5c ]
Fix error handling in cc_map_hash_request_update where sg_nents_for_len
return value was assigned to u32, converting negative errors to large
positive values before passing to sg_copy_to_buffer.
Check sg_nents_for_len return value and propagate errors before
assigning to areq_ctx->in_nents.
Fixes: b7ec8530687a ("crypto: ccree - use std api when possible")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccree/cc_buffer_mgr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/ccree/cc_buffer_mgr.c b/drivers/crypto/ccree/cc_buffer_mgr.c
index bcca55bff910e..286e0d4b8f95e 100644
--- a/drivers/crypto/ccree/cc_buffer_mgr.c
+++ b/drivers/crypto/ccree/cc_buffer_mgr.c
@@ -1235,6 +1235,7 @@ int cc_map_hash_request_update(struct cc_drvdata *drvdata, void *ctx,
int rc = 0;
u32 dummy = 0;
u32 mapped_nents = 0;
+ int sg_nents;
dev_dbg(dev, " update params : curr_buff=%pK curr_buff_cnt=0x%X nbytes=0x%X src=%pK curr_index=%u\n",
curr_buff, *curr_buff_cnt, nbytes, src, areq_ctx->buff_index);
@@ -1248,7 +1249,10 @@ int cc_map_hash_request_update(struct cc_drvdata *drvdata, void *ctx,
if (total_in_len < block_size) {
dev_dbg(dev, " less than one block: curr_buff=%pK *curr_buff_cnt=0x%X copy_to=%pK\n",
curr_buff, *curr_buff_cnt, &curr_buff[*curr_buff_cnt]);
- areq_ctx->in_nents = sg_nents_for_len(src, nbytes);
+ sg_nents = sg_nents_for_len(src, nbytes);
+ if (sg_nents < 0)
+ return sg_nents;
+ areq_ctx->in_nents = sg_nents;
sg_copy_to_buffer(src, areq_ctx->in_nents,
&curr_buff[*curr_buff_cnt], nbytes);
*curr_buff_cnt += nbytes;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 198/737] RISC-V: KVM: Fix guest page fault within HLV* instructions
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 197/737] crypto: ccree " Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 199/737] RDMA/bnxt_re: Fix the inline size for GenP7 devices Greg Kroah-Hartman
` (549 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fangyu Yu, Anup Patel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fangyu Yu <fangyu.yu@linux.alibaba.com>
[ Upstream commit 974555d6e417974e63444266e495a06d06c23af5 ]
When executing HLV* instructions at the HS mode, a guest page fault
may occur when a g-stage page table migration between triggering the
virtual instruction exception and executing the HLV* instruction.
This may be a corner case, and one simpler way to handle this is to
re-execute the instruction where the virtual instruction exception
occurred, and the guest page fault will be automatically handled.
Fixes: b91f0e4cb8a3 ("RISC-V: KVM: Factor-out instruction emulation into separate sources")
Signed-off-by: Fangyu Yu <fangyu.yu@linux.alibaba.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20251121133543.46822-1-fangyu.yu@linux.alibaba.com
Signed-off-by: Anup Patel <anup@brainfault.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kvm/vcpu_insn.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/arch/riscv/kvm/vcpu_insn.c b/arch/riscv/kvm/vcpu_insn.c
index 7a6abed41bc17..703d1e0fce774 100644
--- a/arch/riscv/kvm/vcpu_insn.c
+++ b/arch/riscv/kvm/vcpu_insn.c
@@ -396,6 +396,22 @@ static int system_opcode_insn(struct kvm_vcpu *vcpu, struct kvm_run *run,
return (rc <= 0) ? rc : 1;
}
+static bool is_load_guest_page_fault(unsigned long scause)
+{
+ /**
+ * If a g-stage page fault occurs, the direct approach
+ * is to let the g-stage page fault handler handle it
+ * naturally, however, calling the g-stage page fault
+ * handler here seems rather strange.
+ * Considering this is a corner case, we can directly
+ * return to the guest and re-execute the same PC, this
+ * will trigger a g-stage page fault again and then the
+ * regular g-stage page fault handler will populate
+ * g-stage page table.
+ */
+ return (scause == EXC_LOAD_GUEST_PAGE_FAULT);
+}
+
/**
* kvm_riscv_vcpu_virtual_insn -- Handle virtual instruction trap
*
@@ -421,6 +437,8 @@ int kvm_riscv_vcpu_virtual_insn(struct kvm_vcpu *vcpu, struct kvm_run *run,
ct->sepc,
&utrap);
if (utrap.scause) {
+ if (is_load_guest_page_fault(utrap.scause))
+ return 1;
utrap.sepc = ct->sepc;
kvm_riscv_vcpu_trap_redirect(vcpu, &utrap);
return 1;
@@ -476,6 +494,8 @@ int kvm_riscv_vcpu_mmio_load(struct kvm_vcpu *vcpu, struct kvm_run *run,
insn = kvm_riscv_vcpu_unpriv_read(vcpu, true, ct->sepc,
&utrap);
if (utrap.scause) {
+ if (is_load_guest_page_fault(utrap.scause))
+ return 1;
/* Redirect trap if we failed to read instruction */
utrap.sepc = ct->sepc;
kvm_riscv_vcpu_trap_redirect(vcpu, &utrap);
@@ -602,6 +622,8 @@ int kvm_riscv_vcpu_mmio_store(struct kvm_vcpu *vcpu, struct kvm_run *run,
insn = kvm_riscv_vcpu_unpriv_read(vcpu, true, ct->sepc,
&utrap);
if (utrap.scause) {
+ if (is_load_guest_page_fault(utrap.scause))
+ return 1;
/* Redirect trap if we failed to read instruction */
utrap.sepc = ct->sepc;
kvm_riscv_vcpu_trap_redirect(vcpu, &utrap);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 199/737] RDMA/bnxt_re: Fix the inline size for GenP7 devices
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 198/737] RISC-V: KVM: Fix guest page fault within HLV* instructions Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 200/737] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() Greg Kroah-Hartman
` (548 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kashyap Desai, Kalesh AP,
Selvin Xavier, Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Selvin Xavier <selvin.xavier@broadcom.com>
[ Upstream commit 6afe40ff484a1155b71158b911c65299496e35c3 ]
Inline size supported by the device is based on the number
of SGEs supported by the adapter. Change the inline
size calculation based on that.
Fixes: de1d364c3815 ("RDMA/bnxt_re: Add support for Variable WQE in Genp7 adapters")
Reviewed-by: Kashyap Desai <kashyap.desai@broadcom.com>
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
Link: https://patch.msgid.link/1763624215-10382-1-git-send-email-selvin.xavier@broadcom.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_sp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_sp.c b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
index 74c3f6b26c4d3..0b713c1821c3b 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c
@@ -161,7 +161,7 @@ int bnxt_qplib_get_dev_attr(struct bnxt_qplib_rcfw *rcfw,
attr->max_srq_wqes = le32_to_cpu(sb->max_srq_wr) - 1;
attr->max_srq_sges = sb->max_srq_sge;
attr->max_pkey = 1;
- attr->max_inline_data = le32_to_cpu(sb->max_inline_data);
+ attr->max_inline_data = attr->max_qp_sges * sizeof(struct sq_sge);
if (!bnxt_qplib_is_chip_gen_p7(rcfw->res->cctx))
attr->l2_db_size = (sb->l2_db_space_size + 1) *
(0x01 << RCFW_DBR_BASE_PAGE_SHIFT);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 200/737] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 199/737] RDMA/bnxt_re: Fix the inline size for GenP7 devices Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 201/737] firmware: stratix10-svc: fix make htmldocs warning for stratix10_svc Greg Kroah-Hartman
` (547 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Lorenzo Bianconi,
Felix Fietkau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 53d1548612670aa8b5d89745116cc33d9d172863 ]
In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the
subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function
returns an error without freeing sskb, leading to a memory leak.
Fix this by calling dev_kfree_skb() on sskb in the error handling path
to ensure it is properly released.
Fixes: 99c457d902cf9 ("mt76: mt7615: move mt7615_mcu_set_bmc to mt7615_mcu_ops")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251113062415.103611-1-zilin@seu.edu.cn
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
index e92040616a1f3..94adb22f8570f 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
@@ -870,8 +870,10 @@ mt7615_mcu_wtbl_sta_add(struct mt7615_phy *phy, struct ieee80211_vif *vif,
wtbl_hdr = mt76_connac_mcu_alloc_wtbl_req(&dev->mt76, &msta->wcid,
WTBL_RESET_AND_SET, NULL,
&wskb);
- if (IS_ERR(wtbl_hdr))
+ if (IS_ERR(wtbl_hdr)) {
+ dev_kfree_skb(sskb);
return PTR_ERR(wtbl_hdr);
+ }
if (enable) {
mt76_connac_mcu_wtbl_generic_tlv(&dev->mt76, wskb, vif, sta,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 201/737] firmware: stratix10-svc: fix make htmldocs warning for stratix10_svc
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 200/737] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 202/737] staging: fbtft: core: fix potential memory leak in fbtft_probe_common() Greg Kroah-Hartman
` (546 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Dinh Nguyen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dinh Nguyen <dinguyen@kernel.org>
[ Upstream commit 377441d53a2df61b105e823b335010cd4f1a6e56 ]
Fix this warning that was generated from "make htmldocs":
WARNING: drivers/firmware/stratix10-svc.c:58 struct member 'intel_svc_fcs'
not described in 'stratix10_svc'
Fixes: e6281c26674e ("firmware: stratix10-svc: Add support for FCS")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lore.kernel.org/linux-next/20251106145941.37920e97@canb.auug.org.au/
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Link: https://patch.msgid.link/20251114185815.358423-1-dinguyen@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/stratix10-svc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c
index 766ced12345c3..a133ac5fb0373 100644
--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -52,6 +52,7 @@ struct stratix10_svc_chan;
/**
* struct stratix10_svc - svc private data
* @stratix10_svc_rsu: pointer to stratix10 RSU device
+ * @intel_svc_fcs: pointer to the FCS device
*/
struct stratix10_svc {
struct platform_device *stratix10_svc_rsu;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 202/737] staging: fbtft: core: fix potential memory leak in fbtft_probe_common()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 201/737] firmware: stratix10-svc: fix make htmldocs warning for stratix10_svc Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 203/737] btrfs: fix leaf leak in an error path in btrfs_del_items() Greg Kroah-Hartman
` (545 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianglei Nie, Andy Shevchenko,
Abdun Nihaal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianglei Nie <niejianglei2021@163.com>
[ Upstream commit 47d3949a9b04cbcb0e10abae30c2b53e98706e11 ]
fbtft_probe_common() allocates a memory chunk for "info" with
fbtft_framebuffer_alloc(). When "display->buswidth == 0" is true, the
function returns without releasing the "info", which will lead to a
memory leak.
Fix it by calling fbtft_framebuffer_release() when "display->buswidth
== 0" is true.
Fixes: c296d5f9957c ("staging: fbtft: core support")
Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Link: https://patch.msgid.link/20251112192235.2088654-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/fbtft/fbtft-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
index dce721f440c5e..5dfe2d7a73e37 100644
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -1225,8 +1225,8 @@ int fbtft_probe_common(struct fbtft_display *display,
par->pdev = pdev;
if (display->buswidth == 0) {
- dev_err(dev, "buswidth is not set\n");
- return -EINVAL;
+ ret = dev_err_probe(dev, -EINVAL, "buswidth is not set\n");
+ goto out_release;
}
/* write register functions */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 203/737] btrfs: fix leaf leak in an error path in btrfs_del_items()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 202/737] staging: fbtft: core: fix potential memory leak in fbtft_probe_common() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 204/737] PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition Greg Kroah-Hartman
` (544 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Filipe Manana,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit e7dd1182fcedee7c6097c9f49eba8de94a4364e3 ]
If the call to btrfs_del_leaf() fails we return without decrementing the
extra ref we took on the leaf, therefore leaking it. Fix this by ensuring
we drop the ref count before returning the error.
Fixes: 751a27615dda ("btrfs: do not BUG_ON() on tree mod log failures at btrfs_del_ptr()")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ctree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index 31b1b448efc2e..a26c6e9d562d6 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -4743,9 +4743,9 @@ int btrfs_del_items(struct btrfs_trans_handle *trans, struct btrfs_root *root,
if (btrfs_header_nritems(leaf) == 0) {
path->slots[1] = slot;
ret = btrfs_del_leaf(trans, root, path, leaf);
+ free_extent_buffer(leaf);
if (ret < 0)
return ret;
- free_extent_buffer(leaf);
ret = 0;
} else {
/* if we're still in the path, make sure
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 204/737] PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 203/737] btrfs: fix leaf leak in an error path in btrfs_del_items() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 205/737] drm/nouveau: restrict the flush page to a 32-bit address Greg Kroah-Hartman
` (543 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Lin, Manivannan Sadhasivam,
Bjorn Helgaas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit bcc9a4a0bca3aee4303fa4a20302e57b24ac8f68 ]
As per DesignWare Cores PCI Express Controller Databook, section 5.50,
SII: Debug Signals, cxpl_debug_info[63:0]:
[5:0] smlh_ltssm_state: LTSSM current state. Encoding is same as the
dedicated smlh_ltssm_state output.
The mask should be 6 bits, from 0 to 5. Hence, fix the mask definition.
Fixes: 23fe5bd4be90 ("PCI: keystone: Cleanup ks_pcie_link_up()")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
[mani: reworded description]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/1763122140-203068-1-git-send-email-shawn.lin@rock-chips.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h
index ef0b2efa9f93e..fec9473869bce 100644
--- a/drivers/pci/controller/dwc/pcie-designware.h
+++ b/drivers/pci/controller/dwc/pcie-designware.h
@@ -92,7 +92,7 @@
#define PORT_LINK_MODE_8_LANES PORT_LINK_MODE(0xf)
#define PCIE_PORT_DEBUG0 0x728
-#define PORT_LOGIC_LTSSM_STATE_MASK 0x1f
+#define PORT_LOGIC_LTSSM_STATE_MASK 0x3f
#define PORT_LOGIC_LTSSM_STATE_L0 0x11
#define PCIE_PORT_DEBUG1 0x72C
#define PCIE_PORT_DEBUG1_LINK_UP BIT(4)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 205/737] drm/nouveau: restrict the flush page to a 32-bit address
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 204/737] PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 206/737] iomap: factor out a iomap_dio_done helper Greg Kroah-Hartman
` (542 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Timur Tabi, Lyude Paul, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Timur Tabi <ttabi@nvidia.com>
[ Upstream commit 04d98b3452331fa53ec3b698b66273af6ef73288 ]
The flush page DMA address is stored in a special register that is not
associated with the GPU's standard DMA range. For example, on Turing,
the GPU's MMU can handle 47-bit addresses, but the flush page address
register is limited to 40 bits.
At the point during device initialization when the flush page is
allocated, the DMA mask is still at its default of 32 bits. So even
though it's unlikely that the flush page could exist above a 40-bit
address, the dma_map_page() call could fail, e.g. if IOMMU is disabled
and the address is above 32 bits. The simplest way to achieve all
constraints is to allocate the page in the DMA32 zone. Since the flush
page is literally just a page, this is an acceptable limitation. The
alternative is to temporarily set the DMA mask to 40 (or 52 for Hopper
and later) bits, but that could have unforseen side effects.
In situations where the flush page is allocated above 32 bits and IOMMU
is disabled, you will get an error like this:
nouveau 0000:65:00.0: DMA addr 0x0000000107c56000+4096 overflow (mask ffffffff, bus limit 0).
Fixes: 5728d064190e ("drm/nouveau/fb: handle sysmem flush page from common code")
Signed-off-by: Timur Tabi <ttabi@nvidia.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://patch.msgid.link/20251113230323.1271726-1-ttabi@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/nouveau/nvkm/subdev/fb/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/fb/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/fb/base.c
index 8a286a9349ac6..7ce1b65e2c1c2 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/fb/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/fb/base.c
@@ -279,7 +279,7 @@ nvkm_fb_ctor(const struct nvkm_fb_func *func, struct nvkm_device *device,
mutex_init(&fb->tags.mutex);
if (func->sysmem.flush_page_init) {
- fb->sysmem.flush_page = alloc_page(GFP_KERNEL | __GFP_ZERO);
+ fb->sysmem.flush_page = alloc_page(GFP_KERNEL | GFP_DMA32 | __GFP_ZERO);
if (!fb->sysmem.flush_page)
return -ENOMEM;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 206/737] iomap: factor out a iomap_dio_done helper
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 205/737] drm/nouveau: restrict the flush page to a 32-bit address Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 207/737] iomap: always run error completions in user context Greg Kroah-Hartman
` (541 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Darrick J. Wong,
Christian Brauner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit ae2f33a519af3730cacd1c787ebe1f7475df5ba8 ]
Split out the struct iomap-dio level final completion from
iomap_dio_bio_end_io into a helper to clean up the code and make it
reusable.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250206064035.2323428-7-hch@lst.de
Reviewed-by: "Darrick J. Wong" <djwong@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Stable-dep-of: ddb4873286e0 ("iomap: always run error completions in user context")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/iomap/direct-io.c | 76 ++++++++++++++++++++++----------------------
1 file changed, 38 insertions(+), 38 deletions(-)
diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c
index bcd3f8cf5ea42..1b0f06e7e58de 100644
--- a/fs/iomap/direct-io.c
+++ b/fs/iomap/direct-io.c
@@ -156,43 +156,31 @@ static inline void iomap_dio_set_error(struct iomap_dio *dio, int ret)
cmpxchg(&dio->error, 0, ret);
}
-void iomap_dio_bio_end_io(struct bio *bio)
+/*
+ * Called when dio->ref reaches zero from an I/O completion.
+ */
+static void iomap_dio_done(struct iomap_dio *dio)
{
- struct iomap_dio *dio = bio->bi_private;
- bool should_dirty = (dio->flags & IOMAP_DIO_DIRTY);
struct kiocb *iocb = dio->iocb;
- if (bio->bi_status)
- iomap_dio_set_error(dio, blk_status_to_errno(bio->bi_status));
- if (!atomic_dec_and_test(&dio->ref))
- goto release_bio;
-
- /*
- * Synchronous dio, task itself will handle any completion work
- * that needs after IO. All we need to do is wake the task.
- */
if (dio->wait_for_completion) {
+ /*
+ * Synchronous I/O, task itself will handle any completion work
+ * that needs after IO. All we need to do is wake the task.
+ */
struct task_struct *waiter = dio->submit.waiter;
WRITE_ONCE(dio->submit.waiter, NULL);
blk_wake_io_task(waiter);
- goto release_bio;
- }
-
- /*
- * Flagged with IOMAP_DIO_INLINE_COMP, we can complete it inline
- */
- if (dio->flags & IOMAP_DIO_INLINE_COMP) {
+ } else if (dio->flags & IOMAP_DIO_INLINE_COMP) {
WRITE_ONCE(iocb->private, NULL);
iomap_dio_complete_work(&dio->aio.work);
- goto release_bio;
- }
-
- /*
- * If this dio is flagged with IOMAP_DIO_CALLER_COMP, then schedule
- * our completion that way to avoid an async punt to a workqueue.
- */
- if (dio->flags & IOMAP_DIO_CALLER_COMP) {
+ } else if (dio->flags & IOMAP_DIO_CALLER_COMP) {
+ /*
+ * If this dio is flagged with IOMAP_DIO_CALLER_COMP, then
+ * schedule our completion that way to avoid an async punt to a
+ * workqueue.
+ */
/* only polled IO cares about private cleared */
iocb->private = dio;
iocb->dio_complete = iomap_dio_deferred_complete;
@@ -210,19 +198,31 @@ void iomap_dio_bio_end_io(struct bio *bio)
* issuer.
*/
iocb->ki_complete(iocb, 0);
- goto release_bio;
+ } else {
+ struct inode *inode = file_inode(iocb->ki_filp);
+
+ /*
+ * Async DIO completion that requires filesystem level
+ * completion work gets punted to a work queue to complete as
+ * the operation may require more IO to be issued to finalise
+ * filesystem metadata changes or guarantee data integrity.
+ */
+ INIT_WORK(&dio->aio.work, iomap_dio_complete_work);
+ queue_work(inode->i_sb->s_dio_done_wq, &dio->aio.work);
}
+}
+
+void iomap_dio_bio_end_io(struct bio *bio)
+{
+ struct iomap_dio *dio = bio->bi_private;
+ bool should_dirty = (dio->flags & IOMAP_DIO_DIRTY);
+
+ if (bio->bi_status)
+ iomap_dio_set_error(dio, blk_status_to_errno(bio->bi_status));
+
+ if (atomic_dec_and_test(&dio->ref))
+ iomap_dio_done(dio);
- /*
- * Async DIO completion that requires filesystem level completion work
- * gets punted to a work queue to complete as the operation may require
- * more IO to be issued to finalise filesystem metadata changes or
- * guarantee data integrity.
- */
- INIT_WORK(&dio->aio.work, iomap_dio_complete_work);
- queue_work(file_inode(iocb->ki_filp)->i_sb->s_dio_done_wq,
- &dio->aio.work);
-release_bio:
if (should_dirty) {
bio_check_pages_dirty(bio);
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 207/737] iomap: always run error completions in user context
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 206/737] iomap: factor out a iomap_dio_done helper Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 208/737] wifi: ieee80211: correct FILS status codes Greg Kroah-Hartman
` (540 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Jan Kara,
Chaitanya Kulkarni, Christian Brauner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit ddb4873286e03e193c5a3bebb5fc6fa820e9ee3a ]
At least zonefs expects error completions to be able to sleep. Because
error completions aren't performance critical, just defer them to workqueue
context unconditionally.
Fixes: 8dcc1a9d90c1 ("fs: New zonefs file system")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://patch.msgid.link/20251113170633.1453259-3-hch@lst.de
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/iomap/direct-io.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c
index 1b0f06e7e58de..8158ab18e1ae8 100644
--- a/fs/iomap/direct-io.c
+++ b/fs/iomap/direct-io.c
@@ -172,7 +172,18 @@ static void iomap_dio_done(struct iomap_dio *dio)
WRITE_ONCE(dio->submit.waiter, NULL);
blk_wake_io_task(waiter);
- } else if (dio->flags & IOMAP_DIO_INLINE_COMP) {
+ return;
+ }
+
+ /*
+ * Always run error completions in user context. These are not
+ * performance critical and some code relies on taking sleeping locks
+ * for error handling.
+ */
+ if (dio->error)
+ dio->flags &= ~IOMAP_DIO_INLINE_COMP;
+
+ if (dio->flags & IOMAP_DIO_INLINE_COMP) {
WRITE_ONCE(iocb->private, NULL);
iomap_dio_complete_work(&dio->aio.work);
} else if (dio->flags & IOMAP_DIO_CALLER_COMP) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 208/737] wifi: ieee80211: correct FILS status codes
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 207/737] iomap: always run error completions in user context Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 209/737] backlight: led-bl: Add devlink to supplier LEDs Greg Kroah-Hartman
` (539 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ria Thomas, Jeff Johnson,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ria Thomas <ria.thomas@morsemicro.com>
[ Upstream commit 24d4da5c2565313c2ad3c43449937a9351a64407 ]
The FILS status codes are set to 108/109, but the IEEE 802.11-2020
spec defines them as 112/113. Update the enum so it matches the
specification and keeps the kernel consistent with standard values.
Fixes: a3caf7440ded ("cfg80211: Add support for FILS shared key authentication offload")
Signed-off-by: Ria Thomas <ria.thomas@morsemicro.com>
Reviewed-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Link: https://patch.msgid.link/20251124125637.3936154-1-ria.thomas@morsemicro.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ieee80211.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 0ff10007eb1a5..38e3e81b880fb 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -3297,8 +3297,8 @@ enum ieee80211_statuscode {
WLAN_STATUS_DENIED_WITH_SUGGESTED_BAND_AND_CHANNEL = 99,
WLAN_STATUS_DENIED_DUE_TO_SPECTRUM_MANAGEMENT = 103,
/* 802.11ai */
- WLAN_STATUS_FILS_AUTHENTICATION_FAILURE = 108,
- WLAN_STATUS_UNKNOWN_AUTHENTICATION_SERVER = 109,
+ WLAN_STATUS_FILS_AUTHENTICATION_FAILURE = 112,
+ WLAN_STATUS_UNKNOWN_AUTHENTICATION_SERVER = 113,
WLAN_STATUS_SAE_HASH_TO_ELEMENT = 126,
WLAN_STATUS_SAE_PK = 127,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 209/737] backlight: led-bl: Add devlink to supplier LEDs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 208/737] wifi: ieee80211: correct FILS status codes Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 210/737] backlight: lp855x: Fix lp855x.h kernel-doc warnings Greg Kroah-Hartman
` (538 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Ceresoli,
Daniel Thompson (RISCstar), Herve Codina, Alexander Sverdlin,
Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
[ Upstream commit 9341d6698f4cfdfc374fb6944158d111ebe16a9d ]
LED Backlight is a consumer of one or multiple LED class devices, but
devlink is currently unable to create correct supplier-producer links when
the supplier is a class device. It creates instead a link where the
supplier is the parent of the expected device.
One consequence is that removal order is not correctly enforced.
Issues happen for example with the following sections in a device tree
overlay:
// An LED driver chip
pca9632@62 {
compatible = "nxp,pca9632";
reg = <0x62>;
// ...
addon_led_pwm: led-pwm@3 {
reg = <3>;
label = "addon:led:pwm";
};
};
backlight-addon {
compatible = "led-backlight";
leds = <&addon_led_pwm>;
brightness-levels = <255>;
default-brightness-level = <255>;
};
In this example, the devlink should be created between the backlight-addon
(consumer) and the pca9632@62 (supplier). Instead it is created between the
backlight-addon (consumer) and the parent of the pca9632@62, which is
typically the I2C bus adapter.
On removal of the above overlay, the LED driver can be removed before the
backlight device, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
...
Call trace:
led_put+0xe0/0x140
devm_led_release+0x6c/0x98
Another way to reproduce the bug without any device tree overlays is
unbinding the LED class device (pca9632@62) before unbinding the consumer
(backlight-addon):
echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind
echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind
Fix by adding a devlink between the consuming led-backlight device and the
supplying LED device, as other drivers and subsystems do as well.
Fixes: ae232e45acf9 ("backlight: add led-backlight driver")
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Daniel Thompson (RISCstar) <danielt@kernel.org>
Reviewed-by: Herve Codina <herve.codina@bootlin.com>
Tested-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Link: https://patch.msgid.link/20250519-led-backlight-add-devlink-to-supplier-class-device-v6-1-845224aeb2ce@bootlin.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/led_bl.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/video/backlight/led_bl.c b/drivers/video/backlight/led_bl.c
index 0e53e427a91dc..9089d17200ec7 100644
--- a/drivers/video/backlight/led_bl.c
+++ b/drivers/video/backlight/led_bl.c
@@ -209,6 +209,19 @@ static int led_bl_probe(struct platform_device *pdev)
return PTR_ERR(priv->bl_dev);
}
+ for (i = 0; i < priv->nb_leds; i++) {
+ struct device_link *link;
+
+ link = device_link_add(&pdev->dev, priv->leds[i]->dev->parent,
+ DL_FLAG_AUTOREMOVE_CONSUMER);
+ if (!link) {
+ dev_err(&pdev->dev, "Failed to add devlink (consumer %s, supplier %s)\n",
+ dev_name(&pdev->dev), dev_name(priv->leds[i]->dev->parent));
+ backlight_device_unregister(priv->bl_dev);
+ return -EINVAL;
+ }
+ }
+
for (i = 0; i < priv->nb_leds; i++) {
mutex_lock(&priv->leds[i]->led_access);
led_sysfs_disable(priv->leds[i]);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 210/737] backlight: lp855x: Fix lp855x.h kernel-doc warnings
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 209/737] backlight: led-bl: Add devlink to supplier LEDs Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 211/737] iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal Greg Kroah-Hartman
` (537 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap,
Daniel Thompson (RISCstar), Lee Jones, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 2d45db63260c6ae3cf007361e04a1c41bd265084 ]
Add a missing struct short description and a missing leading " *" to
lp855x.h to avoid kernel-doc warnings:
Warning: include/linux/platform_data/lp855x.h:126 missing initial short
description on line:
* struct lp855x_platform_data
Warning: include/linux/platform_data/lp855x.h:131 bad line:
Only valid when mode is PWM_BASED.
Fixes: 7be865ab8634 ("backlight: new backlight driver for LP855x devices")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Daniel Thompson (RISCstar) <danielt@kernel.org>
Link: https://patch.msgid.link/20251111060916.1995920-1-rdunlap@infradead.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/platform_data/lp855x.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/platform_data/lp855x.h b/include/linux/platform_data/lp855x.h
index ab222dd05bbc2..3b4a891acefe9 100644
--- a/include/linux/platform_data/lp855x.h
+++ b/include/linux/platform_data/lp855x.h
@@ -124,12 +124,12 @@ struct lp855x_rom_data {
};
/**
- * struct lp855x_platform_data
+ * struct lp855x_platform_data - lp855 platform-specific data
* @name : Backlight driver name. If it is not defined, default name is set.
* @device_control : value of DEVICE CONTROL register
* @initial_brightness : initial value of backlight brightness
* @period_ns : platform specific pwm period value. unit is nano.
- Only valid when mode is PWM_BASED.
+ * Only valid when mode is PWM_BASED.
* @size_program : total size of lp855x_rom_data
* @rom_data : list of new eeprom/eprom registers
*/
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 211/737] iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 210/737] backlight: lp855x: Fix lp855x.h kernel-doc warnings Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 212/737] RDMA/irdma: Fix data race in irdma_sc_ccq_arm Greg Kroah-Hartman
` (536 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Will Deacon,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
[ Upstream commit 5583a55e074b33ccd88ac0542fd7cd656a7e2c8c ]
Some platforms (e.g. SC8280XP and X1E) support more than 128 stream
matching groups. This is more than what is defined as maximum by the ARM
SMMU architecture specification. Commit 122611347326 ("iommu/arm-smmu-qcom:
Limit the SMR groups to 128") disabled use of the additional groups because
they don't exhibit the same behavior as the architecture supported ones.
It seems like this is just another quirk of the hypervisor: When running
bare-metal without the hypervisor, the additional groups appear to behave
just like all others. The boot firmware uses some of the additional groups,
so ignoring them in this situation leads to stream match conflicts whenever
we allocate a new SMR group for the same SID.
The workaround exists primarily because the bypass quirk detection fails
when using a S2CR register from the additional matching groups, so let's
perform the test with the last reliable S2CR (127) and then limit the
number of SMR groups only if we detect that we are running below the
hypervisor (because of the bypass quirk).
Fixes: 122611347326 ("iommu/arm-smmu-qcom: Limit the SMR groups to 128")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 27 ++++++++++++++--------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
index 3d03136697963..62e2ab488c1be 100644
--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
@@ -295,17 +295,19 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
/*
* Some platforms support more than the Arm SMMU architected maximum of
- * 128 stream matching groups. For unknown reasons, the additional
- * groups don't exhibit the same behavior as the architected registers,
- * so limit the groups to 128 until the behavior is fixed for the other
- * groups.
+ * 128 stream matching groups. The additional registers appear to have
+ * the same behavior as the architected registers in the hardware.
+ * However, on some firmware versions, the hypervisor does not
+ * correctly trap and emulate accesses to the additional registers,
+ * resulting in unexpected behavior.
+ *
+ * If there are more than 128 groups, use the last reliable group to
+ * detect if we need to apply the bypass quirk.
*/
- if (smmu->num_mapping_groups > 128) {
- dev_notice(smmu->dev, "\tLimiting the stream matching groups to 128\n");
- smmu->num_mapping_groups = 128;
- }
-
- last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1);
+ if (smmu->num_mapping_groups > 128)
+ last_s2cr = ARM_SMMU_GR0_S2CR(127);
+ else
+ last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1);
/*
* With some firmware versions writes to S2CR of type FAULT are
@@ -328,6 +330,11 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
reg = FIELD_PREP(ARM_SMMU_CBAR_TYPE, CBAR_TYPE_S1_TRANS_S2_BYPASS);
arm_smmu_gr1_write(smmu, ARM_SMMU_GR1_CBAR(qsmmu->bypass_cbndx), reg);
+
+ if (smmu->num_mapping_groups > 128) {
+ dev_notice(smmu->dev, "\tLimiting the stream matching groups to 128\n");
+ smmu->num_mapping_groups = 128;
+ }
}
for (i = 0; i < smmu->num_mapping_groups; i++) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 212/737] RDMA/irdma: Fix data race in irdma_sc_ccq_arm
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 211/737] iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 213/737] RDMA/irdma: Fix data race in irdma_free_pble Greg Kroah-Hartman
` (535 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Czurylo, Tatyana Nikolova,
Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Czurylo <krzysztof.czurylo@intel.com>
[ Upstream commit a521928164433de44fed5aaf5f49aeb3f1fb96f5 ]
Adds a lock around irdma_sc_ccq_arm body to prevent inter-thread data race.
Fixes data race in irdma_sc_ccq_arm() reported by KCSAN:
BUG: KCSAN: data-race in irdma_sc_ccq_arm [irdma] / irdma_sc_ccq_arm [irdma]
read to 0xffff9d51b4034220 of 8 bytes by task 255 on cpu 11:
irdma_sc_ccq_arm+0x36/0xd0 [irdma]
irdma_cqp_ce_handler+0x300/0x310 [irdma]
cqp_compl_worker+0x2a/0x40 [irdma]
process_one_work+0x402/0x7e0
worker_thread+0xb3/0x6d0
kthread+0x178/0x1a0
ret_from_fork+0x2c/0x50
write to 0xffff9d51b4034220 of 8 bytes by task 89 on cpu 3:
irdma_sc_ccq_arm+0x7e/0xd0 [irdma]
irdma_cqp_ce_handler+0x300/0x310 [irdma]
irdma_wait_event+0xd4/0x3e0 [irdma]
irdma_handle_cqp_op+0xa5/0x220 [irdma]
irdma_hw_flush_wqes+0xb1/0x300 [irdma]
irdma_flush_wqes+0x22e/0x3a0 [irdma]
irdma_cm_disconn_true+0x4c7/0x5d0 [irdma]
irdma_disconnect_worker+0x35/0x50 [irdma]
process_one_work+0x402/0x7e0
worker_thread+0xb3/0x6d0
kthread+0x178/0x1a0
ret_from_fork+0x2c/0x50
value changed: 0x0000000000024000 -> 0x0000000000034000
Fixes: 3f49d6842569 ("RDMA/irdma: Implement HW Admin Queue OPs")
Signed-off-by: Krzysztof Czurylo <krzysztof.czurylo@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Link: https://patch.msgid.link/20251125025350.180-2-tatyana.e.nikolova@intel.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/ctrl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/hw/irdma/ctrl.c b/drivers/infiniband/hw/irdma/ctrl.c
index 8a6200e55c542..ebbece4f09a22 100644
--- a/drivers/infiniband/hw/irdma/ctrl.c
+++ b/drivers/infiniband/hw/irdma/ctrl.c
@@ -3316,11 +3316,13 @@ int irdma_sc_cqp_destroy(struct irdma_sc_cqp *cqp)
*/
void irdma_sc_ccq_arm(struct irdma_sc_cq *ccq)
{
+ unsigned long flags;
u64 temp_val;
u16 sw_cq_sel;
u8 arm_next_se;
u8 arm_seq_num;
+ spin_lock_irqsave(&ccq->dev->cqp_lock, flags);
get_64bit_val(ccq->cq_uk.shadow_area, 32, &temp_val);
sw_cq_sel = (u16)FIELD_GET(IRDMA_CQ_DBSA_SW_CQ_SELECT, temp_val);
arm_next_se = (u8)FIELD_GET(IRDMA_CQ_DBSA_ARM_NEXT_SE, temp_val);
@@ -3331,6 +3333,7 @@ void irdma_sc_ccq_arm(struct irdma_sc_cq *ccq)
FIELD_PREP(IRDMA_CQ_DBSA_ARM_NEXT_SE, arm_next_se) |
FIELD_PREP(IRDMA_CQ_DBSA_ARM_NEXT, 1);
set_64bit_val(ccq->cq_uk.shadow_area, 32, temp_val);
+ spin_unlock_irqrestore(&ccq->dev->cqp_lock, flags);
dma_wmb(); /* make sure shadow area is updated before arming */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 213/737] RDMA/irdma: Fix data race in irdma_free_pble
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 212/737] RDMA/irdma: Fix data race in irdma_sc_ccq_arm Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 214/737] RDMA/irdma: Add support to re-register a memory region Greg Kroah-Hartman
` (534 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Czurylo, Tatyana Nikolova,
Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Czurylo <krzysztof.czurylo@intel.com>
[ Upstream commit 81f44409fb4f027d1e6d54edbeba5156ad94b214 ]
Protects pble_rsrc counters with mutex to prevent data race.
Fixes the following data race in irdma_free_pble reported by KCSAN:
BUG: KCSAN: data-race in irdma_free_pble [irdma] / irdma_free_pble [irdma]
write to 0xffff91430baa0078 of 8 bytes by task 16956 on cpu 5:
irdma_free_pble+0x3b/0xb0 [irdma]
irdma_dereg_mr+0x108/0x110 [irdma]
ib_dereg_mr_user+0x74/0x160 [ib_core]
uverbs_free_mr+0x26/0x30 [ib_uverbs]
destroy_hw_idr_uobject+0x4a/0x90 [ib_uverbs]
uverbs_destroy_uobject+0x7b/0x330 [ib_uverbs]
uobj_destroy+0x61/0xb0 [ib_uverbs]
ib_uverbs_run_method+0x1f2/0x380 [ib_uverbs]
ib_uverbs_cmd_verbs+0x365/0x440 [ib_uverbs]
ib_uverbs_ioctl+0x111/0x190 [ib_uverbs]
__x64_sys_ioctl+0xc9/0x100
do_syscall_64+0x44/0xa0
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
read to 0xffff91430baa0078 of 8 bytes by task 16953 on cpu 2:
irdma_free_pble+0x23/0xb0 [irdma]
irdma_dereg_mr+0x108/0x110 [irdma]
ib_dereg_mr_user+0x74/0x160 [ib_core]
uverbs_free_mr+0x26/0x30 [ib_uverbs]
destroy_hw_idr_uobject+0x4a/0x90 [ib_uverbs]
uverbs_destroy_uobject+0x7b/0x330 [ib_uverbs]
uobj_destroy+0x61/0xb0 [ib_uverbs]
ib_uverbs_run_method+0x1f2/0x380 [ib_uverbs]
ib_uverbs_cmd_verbs+0x365/0x440 [ib_uverbs]
ib_uverbs_ioctl+0x111/0x190 [ib_uverbs]
__x64_sys_ioctl+0xc9/0x100
do_syscall_64+0x44/0xa0
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
value changed: 0x0000000000005a62 -> 0x0000000000005a68
Fixes: e8c4dbc2fcac ("RDMA/irdma: Add PBLE resource manager")
Signed-off-by: Krzysztof Czurylo <krzysztof.czurylo@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Link: https://patch.msgid.link/20251125025350.180-3-tatyana.e.nikolova@intel.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/pble.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/pble.c b/drivers/infiniband/hw/irdma/pble.c
index fa096557adc83..c7bcdc1bf9319 100644
--- a/drivers/infiniband/hw/irdma/pble.c
+++ b/drivers/infiniband/hw/irdma/pble.c
@@ -498,12 +498,14 @@ int irdma_get_pble(struct irdma_hmc_pble_rsrc *pble_rsrc,
void irdma_free_pble(struct irdma_hmc_pble_rsrc *pble_rsrc,
struct irdma_pble_alloc *palloc)
{
- pble_rsrc->freedpbles += palloc->total_cnt;
-
if (palloc->level == PBLE_LEVEL_2)
free_lvl2(pble_rsrc, palloc);
else
irdma_prm_return_pbles(&pble_rsrc->pinfo,
&palloc->level1.chunkinfo);
+
+ mutex_lock(&pble_rsrc->pble_mutex_lock);
+ pble_rsrc->freedpbles += palloc->total_cnt;
pble_rsrc->stats_alloc_freed++;
+ mutex_unlock(&pble_rsrc->pble_mutex_lock);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 214/737] RDMA/irdma: Add support to re-register a memory region
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 213/737] RDMA/irdma: Fix data race in irdma_free_pble Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 215/737] RDMA/irdma: Do not directly rely on IB_PD_UNSAFE_GLOBAL_RKEY Greg Kroah-Hartman
` (533 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sindhu Devale, Shiraz Saleem,
Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sindhu Devale <sindhu.devale@intel.com>
[ Upstream commit 5ac388db27c443dadfbb0b8b23fa7ccf429d901a ]
Add support for reregister MR verb API by doing a de-register
followed by a register MR with the new attributes. Reuse resources
like iwmr handle and HW stag where possible.
Signed-off-by: Sindhu Devale <sindhu.devale@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Link: https://lore.kernel.org/r/20231004151306.228-1-shiraz.saleem@intel.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Stable-dep-of: 71d3bdae5eab ("RDMA/irdma: Do not directly rely on IB_PD_UNSAFE_GLOBAL_RKEY")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/verbs.c | 232 ++++++++++++++++++++++------
drivers/infiniband/hw/irdma/verbs.h | 2 +
2 files changed, 191 insertions(+), 43 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index 29540b2b2373c..aece20f105918 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -2661,8 +2661,11 @@ static int irdma_hw_alloc_stag(struct irdma_device *iwdev,
cqp_info->in.u.alloc_stag.scratch = (uintptr_t)cqp_request;
status = irdma_handle_cqp_op(iwdev->rf, cqp_request);
irdma_put_cqp_request(&iwdev->rf->cqp, cqp_request);
+ if (status)
+ return status;
- return status;
+ iwmr->is_hwreg = 1;
+ return 0;
}
/**
@@ -2828,14 +2831,18 @@ static int irdma_hwreg_mr(struct irdma_device *iwdev, struct irdma_mr *iwmr,
ret = irdma_handle_cqp_op(iwdev->rf, cqp_request);
irdma_put_cqp_request(&iwdev->rf->cqp, cqp_request);
+ if (!ret)
+ iwmr->is_hwreg = 1;
+
return ret;
}
-static int irdma_reg_user_mr_type_mem(struct irdma_mr *iwmr, int access)
+static int irdma_reg_user_mr_type_mem(struct irdma_mr *iwmr, int access,
+ bool create_stag)
{
struct irdma_device *iwdev = to_iwdev(iwmr->ibmr.device);
struct irdma_pbl *iwpbl = &iwmr->iwpbl;
- u32 stag;
+ u32 stag = 0;
u8 lvl;
int err;
@@ -2854,15 +2861,18 @@ static int irdma_reg_user_mr_type_mem(struct irdma_mr *iwmr, int access)
}
}
- stag = irdma_create_stag(iwdev);
- if (!stag) {
- err = -ENOMEM;
- goto free_pble;
+ if (create_stag) {
+ stag = irdma_create_stag(iwdev);
+ if (!stag) {
+ err = -ENOMEM;
+ goto free_pble;
+ }
+
+ iwmr->stag = stag;
+ iwmr->ibmr.rkey = stag;
+ iwmr->ibmr.lkey = stag;
}
- iwmr->stag = stag;
- iwmr->ibmr.rkey = stag;
- iwmr->ibmr.lkey = stag;
err = irdma_hwreg_mr(iwdev, iwmr, access);
if (err)
goto err_hwreg;
@@ -2870,7 +2880,8 @@ static int irdma_reg_user_mr_type_mem(struct irdma_mr *iwmr, int access)
return 0;
err_hwreg:
- irdma_free_stag(iwdev, stag);
+ if (stag)
+ irdma_free_stag(iwdev, stag);
free_pble:
if (iwpbl->pble_alloc.level != PBLE_LEVEL_0 && iwpbl->pbl_allocated)
@@ -3050,7 +3061,7 @@ static struct ib_mr *irdma_reg_user_mr(struct ib_pd *pd, u64 start, u64 len,
goto error;
break;
case IRDMA_MEMREG_TYPE_MEM:
- err = irdma_reg_user_mr_type_mem(iwmr, access);
+ err = irdma_reg_user_mr_type_mem(iwmr, access, true);
if (err)
goto error;
@@ -3094,7 +3105,7 @@ static struct ib_mr *irdma_reg_user_mr_dmabuf(struct ib_pd *pd, u64 start,
goto err_release;
}
- err = irdma_reg_user_mr_type_mem(iwmr, access);
+ err = irdma_reg_user_mr_type_mem(iwmr, access, true);
if (err)
goto err_iwmr;
@@ -3109,6 +3120,161 @@ static struct ib_mr *irdma_reg_user_mr_dmabuf(struct ib_pd *pd, u64 start,
return ERR_PTR(err);
}
+static int irdma_hwdereg_mr(struct ib_mr *ib_mr)
+{
+ struct irdma_device *iwdev = to_iwdev(ib_mr->device);
+ struct irdma_mr *iwmr = to_iwmr(ib_mr);
+ struct irdma_pd *iwpd = to_iwpd(ib_mr->pd);
+ struct irdma_dealloc_stag_info *info;
+ struct irdma_pbl *iwpbl = &iwmr->iwpbl;
+ struct irdma_cqp_request *cqp_request;
+ struct cqp_cmds_info *cqp_info;
+ int status;
+
+ /* Skip HW MR de-register when it is already de-registered
+ * during an MR re-reregister and the re-registration fails
+ */
+ if (!iwmr->is_hwreg)
+ return 0;
+
+ cqp_request = irdma_alloc_and_get_cqp_request(&iwdev->rf->cqp, true);
+ if (!cqp_request)
+ return -ENOMEM;
+
+ cqp_info = &cqp_request->info;
+ info = &cqp_info->in.u.dealloc_stag.info;
+ memset(info, 0, sizeof(*info));
+ info->pd_id = iwpd->sc_pd.pd_id;
+ info->stag_idx = ib_mr->rkey >> IRDMA_CQPSQ_STAG_IDX_S;
+ info->mr = true;
+ if (iwpbl->pbl_allocated)
+ info->dealloc_pbl = true;
+
+ cqp_info->cqp_cmd = IRDMA_OP_DEALLOC_STAG;
+ cqp_info->post_sq = 1;
+ cqp_info->in.u.dealloc_stag.dev = &iwdev->rf->sc_dev;
+ cqp_info->in.u.dealloc_stag.scratch = (uintptr_t)cqp_request;
+ status = irdma_handle_cqp_op(iwdev->rf, cqp_request);
+ irdma_put_cqp_request(&iwdev->rf->cqp, cqp_request);
+ if (status)
+ return status;
+
+ iwmr->is_hwreg = 0;
+ return 0;
+}
+
+/*
+ * irdma_rereg_mr_trans - Re-register a user MR for a change translation.
+ * @iwmr: ptr of iwmr
+ * @start: virtual start address
+ * @len: length of mr
+ * @virt: virtual address
+ *
+ * Re-register a user memory region when a change translation is requested.
+ * Re-register a new region while reusing the stag from the original registration.
+ */
+static int irdma_rereg_mr_trans(struct irdma_mr *iwmr, u64 start, u64 len,
+ u64 virt)
+{
+ struct irdma_device *iwdev = to_iwdev(iwmr->ibmr.device);
+ struct irdma_pbl *iwpbl = &iwmr->iwpbl;
+ struct ib_pd *pd = iwmr->ibmr.pd;
+ struct ib_umem *region;
+ int err;
+
+ region = ib_umem_get(pd->device, start, len, iwmr->access);
+ if (IS_ERR(region))
+ return PTR_ERR(region);
+
+ iwmr->region = region;
+ iwmr->ibmr.iova = virt;
+ iwmr->ibmr.pd = pd;
+ iwmr->page_size = ib_umem_find_best_pgsz(region,
+ iwdev->rf->sc_dev.hw_attrs.page_size_cap,
+ virt);
+ if (unlikely(!iwmr->page_size)) {
+ err = -EOPNOTSUPP;
+ goto err;
+ }
+
+ iwmr->len = region->length;
+ iwpbl->user_base = virt;
+ iwmr->page_cnt = ib_umem_num_dma_blocks(region, iwmr->page_size);
+
+ err = irdma_reg_user_mr_type_mem(iwmr, iwmr->access, false);
+ if (err)
+ goto err;
+
+ return 0;
+
+err:
+ ib_umem_release(region);
+ return err;
+}
+
+/*
+ * irdma_rereg_user_mr - Re-Register a user memory region(MR)
+ * @ibmr: ib mem to access iwarp mr pointer
+ * @flags: bit mask to indicate which of the attr's of MR modified
+ * @start: virtual start address
+ * @len: length of mr
+ * @virt: virtual address
+ * @new_access: bit mask of access flags
+ * @new_pd: ptr of pd
+ * @udata: user data
+ *
+ * Return:
+ * NULL - Success, existing MR updated
+ * ERR_PTR - error occurred
+ */
+static struct ib_mr *irdma_rereg_user_mr(struct ib_mr *ib_mr, int flags,
+ u64 start, u64 len, u64 virt,
+ int new_access, struct ib_pd *new_pd,
+ struct ib_udata *udata)
+{
+ struct irdma_device *iwdev = to_iwdev(ib_mr->device);
+ struct irdma_mr *iwmr = to_iwmr(ib_mr);
+ struct irdma_pbl *iwpbl = &iwmr->iwpbl;
+ int ret;
+
+ if (len > iwdev->rf->sc_dev.hw_attrs.max_mr_size)
+ return ERR_PTR(-EINVAL);
+
+ if (flags & ~(IB_MR_REREG_TRANS | IB_MR_REREG_PD | IB_MR_REREG_ACCESS))
+ return ERR_PTR(-EOPNOTSUPP);
+
+ ret = irdma_hwdereg_mr(ib_mr);
+ if (ret)
+ return ERR_PTR(ret);
+
+ if (flags & IB_MR_REREG_ACCESS)
+ iwmr->access = new_access;
+
+ if (flags & IB_MR_REREG_PD) {
+ iwmr->ibmr.pd = new_pd;
+ iwmr->ibmr.device = new_pd->device;
+ }
+
+ if (flags & IB_MR_REREG_TRANS) {
+ if (iwpbl->pbl_allocated) {
+ irdma_free_pble(iwdev->rf->pble_rsrc,
+ &iwpbl->pble_alloc);
+ iwpbl->pbl_allocated = false;
+ }
+ if (iwmr->region) {
+ ib_umem_release(iwmr->region);
+ iwmr->region = NULL;
+ }
+
+ ret = irdma_rereg_mr_trans(iwmr, start, len, virt);
+ } else
+ ret = irdma_hwreg_mr(iwdev, iwmr, iwmr->access);
+ if (ret)
+ return ERR_PTR(ret);
+
+ return NULL;
+}
+
/**
* irdma_reg_phys_mr - register kernel physical memory
* @pd: ibpd pointer
@@ -3216,16 +3382,10 @@ static void irdma_del_memlist(struct irdma_mr *iwmr,
*/
static int irdma_dereg_mr(struct ib_mr *ib_mr, struct ib_udata *udata)
{
- struct ib_pd *ibpd = ib_mr->pd;
- struct irdma_pd *iwpd = to_iwpd(ibpd);
struct irdma_mr *iwmr = to_iwmr(ib_mr);
struct irdma_device *iwdev = to_iwdev(ib_mr->device);
- struct irdma_dealloc_stag_info *info;
struct irdma_pbl *iwpbl = &iwmr->iwpbl;
- struct irdma_pble_alloc *palloc = &iwpbl->pble_alloc;
- struct irdma_cqp_request *cqp_request;
- struct cqp_cmds_info *cqp_info;
- int status;
+ int ret;
if (iwmr->type != IRDMA_MEMREG_TYPE_MEM) {
if (iwmr->region) {
@@ -3239,33 +3399,18 @@ static int irdma_dereg_mr(struct ib_mr *ib_mr, struct ib_udata *udata)
goto done;
}
- cqp_request = irdma_alloc_and_get_cqp_request(&iwdev->rf->cqp, true);
- if (!cqp_request)
- return -ENOMEM;
-
- cqp_info = &cqp_request->info;
- info = &cqp_info->in.u.dealloc_stag.info;
- memset(info, 0, sizeof(*info));
- info->pd_id = iwpd->sc_pd.pd_id;
- info->stag_idx = ib_mr->rkey >> IRDMA_CQPSQ_STAG_IDX_S;
- info->mr = true;
- if (iwpbl->pbl_allocated)
- info->dealloc_pbl = true;
-
- cqp_info->cqp_cmd = IRDMA_OP_DEALLOC_STAG;
- cqp_info->post_sq = 1;
- cqp_info->in.u.dealloc_stag.dev = &iwdev->rf->sc_dev;
- cqp_info->in.u.dealloc_stag.scratch = (uintptr_t)cqp_request;
- status = irdma_handle_cqp_op(iwdev->rf, cqp_request);
- irdma_put_cqp_request(&iwdev->rf->cqp, cqp_request);
- if (status)
- return status;
+ ret = irdma_hwdereg_mr(ib_mr);
+ if (ret)
+ return ret;
irdma_free_stag(iwdev, iwmr->stag);
done:
if (iwpbl->pbl_allocated)
- irdma_free_pble(iwdev->rf->pble_rsrc, palloc);
- ib_umem_release(iwmr->region);
+ irdma_free_pble(iwdev->rf->pble_rsrc, &iwpbl->pble_alloc);
+
+ if (iwmr->region)
+ ib_umem_release(iwmr->region);
+
kfree(iwmr);
return 0;
@@ -4595,6 +4740,7 @@ static const struct ib_device_ops irdma_dev_ops = {
.query_qp = irdma_query_qp,
.reg_user_mr = irdma_reg_user_mr,
.reg_user_mr_dmabuf = irdma_reg_user_mr_dmabuf,
+ .rereg_user_mr = irdma_rereg_user_mr,
.req_notify_cq = irdma_req_notify_cq,
.resize_cq = irdma_resize_cq,
INIT_RDMA_OBJ_SIZE(ib_pd, irdma_pd, ibpd),
diff --git a/drivers/infiniband/hw/irdma/verbs.h b/drivers/infiniband/hw/irdma/verbs.h
index bb9ab945938e0..533b4597c407f 100644
--- a/drivers/infiniband/hw/irdma/verbs.h
+++ b/drivers/infiniband/hw/irdma/verbs.h
@@ -100,6 +100,8 @@ struct irdma_mr {
struct ib_mw ibmw;
};
struct ib_umem *region;
+ int access;
+ u8 is_hwreg;
u16 type;
u32 page_cnt;
u64 page_size;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 215/737] RDMA/irdma: Do not directly rely on IB_PD_UNSAFE_GLOBAL_RKEY
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 214/737] RDMA/irdma: Add support to re-register a memory region Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 216/737] ASoC: fsl_xcvr: clear the channel status control memory Greg Kroah-Hartman
` (532 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacob Moroni, Tatyana Nikolova,
Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacob Moroni <jmoroni@google.com>
[ Upstream commit 71d3bdae5eab21cf8991a6f3cd914caa31d5a51f ]
The HW disables bounds checking for MRs with a length of zero, so
the driver will only allow a zero length MR if the "all_memory"
flag is set, and this flag is only set if IB_PD_UNSAFE_GLOBAL_RKEY
is set for the PD.
This means that the "get_dma_mr" method will currently fail unless
the IB_PD_UNSAFE_GLOBAL_RKEY flag is set. This has not been an issue
because the "get_dma_mr" method is only ever invoked if the device
does not support the local DMA key or if IB_PD_UNSAFE_GLOBAL_RKEY
is set, and so far, all IRDMA HW supports the local DMA lkey.
However, some new HW does not support the local DMA lkey, so the
"get_dma_mr" method needs to work without IB_PD_UNSAFE_GLOBAL_RKEY
being set.
To support HW that does not allow the local DMA lkey, the logic has
been changed to pass an explicit flag to indicate when a dma_mr is
being created so that the zero length will be allowed.
Also, the "all_memory" flag has been forced to false for normal MR
allocation since these MRs are never supposed to provide global
unsafe rkey semantics anyway; only the MR created with "get_dma_mr"
should support this.
Fixes: bb6d73d9add6 ("RDMA/irdma: Prevent zero-length STAG registration")
Signed-off-by: Jacob Moroni <jmoroni@google.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Link: https://patch.msgid.link/20251125025350.180-7-tatyana.e.nikolova@intel.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/cm.c | 2 +-
drivers/infiniband/hw/irdma/main.h | 2 +-
drivers/infiniband/hw/irdma/verbs.c | 15 ++++++++-------
drivers/infiniband/hw/irdma/verbs.h | 3 ++-
4 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/cm.c b/drivers/infiniband/hw/irdma/cm.c
index 1916daa8c3323..b3f14816251b4 100644
--- a/drivers/infiniband/hw/irdma/cm.c
+++ b/drivers/infiniband/hw/irdma/cm.c
@@ -3708,7 +3708,7 @@ int irdma_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
iwpd = iwqp->iwpd;
tagged_offset = (uintptr_t)iwqp->ietf_mem.va;
ibmr = irdma_reg_phys_mr(&iwpd->ibpd, iwqp->ietf_mem.pa, buf_len,
- IB_ACCESS_LOCAL_WRITE, &tagged_offset);
+ IB_ACCESS_LOCAL_WRITE, &tagged_offset, false);
if (IS_ERR(ibmr)) {
ret = -ENOMEM;
goto error;
diff --git a/drivers/infiniband/hw/irdma/main.h b/drivers/infiniband/hw/irdma/main.h
index cbf0db72e1088..28963e19d9555 100644
--- a/drivers/infiniband/hw/irdma/main.h
+++ b/drivers/infiniband/hw/irdma/main.h
@@ -535,7 +535,7 @@ void irdma_copy_ip_htonl(__be32 *dst, u32 *src);
u16 irdma_get_vlan_ipv4(u32 *addr);
void irdma_get_vlan_mac_ipv6(u32 *addr, u16 *vlan_id, u8 *mac);
struct ib_mr *irdma_reg_phys_mr(struct ib_pd *ib_pd, u64 addr, u64 size,
- int acc, u64 *iova_start);
+ int acc, u64 *iova_start, bool dma_mr);
int irdma_upload_qp_context(struct irdma_qp *iwqp, bool freeze, bool raw);
void irdma_cqp_ce_handler(struct irdma_pci_f *rf, struct irdma_sc_cq *cq);
int irdma_ah_cqp_op(struct irdma_pci_f *rf, struct irdma_sc_ah *sc_ah, u8 cmd,
diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index aece20f105918..b52e0716d23fc 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -2653,7 +2653,6 @@ static int irdma_hw_alloc_stag(struct irdma_device *iwdev,
info->stag_idx = iwmr->stag >> IRDMA_CQPSQ_STAG_IDX_S;
info->pd_id = iwpd->sc_pd.pd_id;
info->total_len = iwmr->len;
- info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY;
info->remote_access = true;
cqp_info->cqp_cmd = IRDMA_OP_ALLOC_STAG;
cqp_info->post_sq = 1;
@@ -2664,7 +2663,7 @@ static int irdma_hw_alloc_stag(struct irdma_device *iwdev,
if (status)
return status;
- iwmr->is_hwreg = 1;
+ iwmr->is_hwreg = true;
return 0;
}
@@ -2805,7 +2804,7 @@ static int irdma_hwreg_mr(struct irdma_device *iwdev, struct irdma_mr *iwmr,
stag_info->total_len = iwmr->len;
stag_info->access_rights = irdma_get_mr_access(access);
stag_info->pd_id = iwpd->sc_pd.pd_id;
- stag_info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY;
+ stag_info->all_memory = iwmr->dma_mr;
if (stag_info->access_rights & IRDMA_ACCESS_FLAGS_ZERO_BASED)
stag_info->addr_type = IRDMA_ADDR_TYPE_ZERO_BASED;
else
@@ -2832,7 +2831,7 @@ static int irdma_hwreg_mr(struct irdma_device *iwdev, struct irdma_mr *iwmr,
irdma_put_cqp_request(&iwdev->rf->cqp, cqp_request);
if (!ret)
- iwmr->is_hwreg = 1;
+ iwmr->is_hwreg = true;
return ret;
}
@@ -3159,7 +3158,7 @@ static int irdma_hwdereg_mr(struct ib_mr *ib_mr)
if (status)
return status;
- iwmr->is_hwreg = 0;
+ iwmr->is_hwreg = false;
return 0;
}
@@ -3282,9 +3281,10 @@ static struct ib_mr *irdma_rereg_user_mr(struct ib_mr *ib_mr, int flags,
* @size: size of memory to register
* @access: Access rights
* @iova_start: start of virtual address for physical buffers
+ * @dma_mr: Flag indicating whether this region is a PD DMA MR
*/
struct ib_mr *irdma_reg_phys_mr(struct ib_pd *pd, u64 addr, u64 size, int access,
- u64 *iova_start)
+ u64 *iova_start, bool dma_mr)
{
struct irdma_device *iwdev = to_iwdev(pd->device);
struct irdma_pbl *iwpbl;
@@ -3301,6 +3301,7 @@ struct ib_mr *irdma_reg_phys_mr(struct ib_pd *pd, u64 addr, u64 size, int access
iwpbl = &iwmr->iwpbl;
iwpbl->iwmr = iwmr;
iwmr->type = IRDMA_MEMREG_TYPE_MEM;
+ iwmr->dma_mr = dma_mr;
iwpbl->user_base = *iova_start;
stag = irdma_create_stag(iwdev);
if (!stag) {
@@ -3339,7 +3340,7 @@ static struct ib_mr *irdma_get_dma_mr(struct ib_pd *pd, int acc)
{
u64 kva = 0;
- return irdma_reg_phys_mr(pd, 0, 0, acc, &kva);
+ return irdma_reg_phys_mr(pd, 0, 0, acc, &kva, true);
}
/**
diff --git a/drivers/infiniband/hw/irdma/verbs.h b/drivers/infiniband/hw/irdma/verbs.h
index 533b4597c407f..97abd45a5cee2 100644
--- a/drivers/infiniband/hw/irdma/verbs.h
+++ b/drivers/infiniband/hw/irdma/verbs.h
@@ -101,7 +101,8 @@ struct irdma_mr {
};
struct ib_umem *region;
int access;
- u8 is_hwreg;
+ bool is_hwreg:1;
+ bool dma_mr:1;
u16 type;
u32 page_cnt;
u64 page_size;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 216/737] ASoC: fsl_xcvr: clear the channel status control memory
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 215/737] RDMA/irdma: Do not directly rely on IB_PD_UNSAFE_GLOBAL_RKEY Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 217/737] drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1() Greg Kroah-Hartman
` (531 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 73b97d46dde64fa184d47865d4a532d818c3a007 ]
memset_io() writes memory byte by byte with __raw_writeb() on the arm
platform if the size is word. but XCVR data RAM memory can't be accessed
with byte address, so with memset_io() the channel status control memory
is not really cleared, use writel_relaxed() instead.
Fixes: 28564486866f ("ASoC: fsl_xcvr: Add XCVR ASoC CPU DAI driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20251126064509.1900974-1-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index 1d7791c7fb4ec..90a0a24c05d84 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -1195,7 +1195,7 @@ static irqreturn_t irq0_isr(int irq, void *devid)
bitrev32(val);
}
/* clear CS control register */
- memset_io(reg_ctrl, 0, sizeof(val));
+ writel_relaxed(0, reg_ctrl);
}
} else {
regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_0,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 217/737] drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 216/737] ASoC: fsl_xcvr: clear the channel status control memory Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 218/737] hwmon: sy7636a: Fix regulator_enable resource leak on error path Greg Kroah-Hartman
` (530 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Alex Hung,
Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 1a79482699b4d1e43948d14f0c7193dc1dcad858 ]
The .H_SYNC_POLARITY and .V_SYNC_POLARITY variables are 1 bit bitfields
of a u32. The ATOM_HSYNC_POLARITY define is 0x2 and the
ATOM_VSYNC_POLARITY is 0x4. When we do a bitwise negate of 0, 2, or 4
then the last bit is always 1 so this code always sets .H_SYNC_POLARITY
and .V_SYNC_POLARITY to true.
This code is instead intended to check if the ATOM_HSYNC_POLARITY or
ATOM_VSYNC_POLARITY flags are set and reverse the result. In other
words, it's supposed to be a logical negate instead of a bitwise negate.
Fixes: ae79c310b1a6 ("drm/amd/display: Add DCE12 bios parser support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
index 384ddb28e6f6d..c0a705888cb5b 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -1477,10 +1477,10 @@ static enum bp_result get_embedded_panel_info_v2_1(
/* not provided by VBIOS */
info->lcd_timing.misc_info.HORIZONTAL_CUT_OFF = 0;
- info->lcd_timing.misc_info.H_SYNC_POLARITY = ~(uint32_t) (lvds->lcd_timing.miscinfo
- & ATOM_HSYNC_POLARITY);
- info->lcd_timing.misc_info.V_SYNC_POLARITY = ~(uint32_t) (lvds->lcd_timing.miscinfo
- & ATOM_VSYNC_POLARITY);
+ info->lcd_timing.misc_info.H_SYNC_POLARITY = !(lvds->lcd_timing.miscinfo &
+ ATOM_HSYNC_POLARITY);
+ info->lcd_timing.misc_info.V_SYNC_POLARITY = !(lvds->lcd_timing.miscinfo &
+ ATOM_VSYNC_POLARITY);
/* not provided by VBIOS */
info->lcd_timing.misc_info.VERTICAL_CUT_OFF = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 218/737] hwmon: sy7636a: Fix regulator_enable resource leak on error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 217/737] drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1() Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 219/737] ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4 Greg Kroah-Hartman
` (529 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Haotian Zhang,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 2f88425ef590b7fcc2324334b342e048edc144a9 ]
In sy7636a_sensor_probe(), regulator_enable() is called but if
devm_hwmon_device_register_with_info() fails, the function returns
without calling regulator_disable(), leaving the regulator enabled
and leaking the reference count.
Switch to devm_regulator_get_enable() to automatically
manage the regulator resource.
Fixes: de34a4053250 ("hwmon: sy7636a: Add temperature driver for sy7636a")
Suggested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://lore.kernel.org/r/20251126162602.2086-1-vulab@iscas.ac.cn
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/sy7636a-hwmon.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/hwmon/sy7636a-hwmon.c b/drivers/hwmon/sy7636a-hwmon.c
index a12fc0ce70e76..d51daaf63d632 100644
--- a/drivers/hwmon/sy7636a-hwmon.c
+++ b/drivers/hwmon/sy7636a-hwmon.c
@@ -66,18 +66,13 @@ static const struct hwmon_chip_info sy7636a_chip_info = {
static int sy7636a_sensor_probe(struct platform_device *pdev)
{
struct regmap *regmap = dev_get_regmap(pdev->dev.parent, NULL);
- struct regulator *regulator;
struct device *hwmon_dev;
int err;
if (!regmap)
return -EPROBE_DEFER;
- regulator = devm_regulator_get(&pdev->dev, "vcom");
- if (IS_ERR(regulator))
- return PTR_ERR(regulator);
-
- err = regulator_enable(regulator);
+ err = devm_regulator_get_enable(&pdev->dev, "vcom");
if (err)
return err;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 219/737] ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 218/737] hwmon: sy7636a: Fix regulator_enable resource leak on error path Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 220/737] ublk: make sure io cmd handled in submitter task context Greg Kroah-Hartman
` (528 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
[ Upstream commit 17e7972979e147cc51d4a165e6b6b0f93273ca68 ]
On all AMD AM4 systems I have seen, e.g ASUS X470-i, Pro WS X570 Ace
and equivalent Gigabyte, amd-pstate does not initialize when the
x2apic is enabled in the BIOS. Kernel debug messages include:
[ 0.315438] acpi LNXCPU:00: Failed to get CPU physical ID.
[ 0.354756] ACPI CPPC: No CPC descriptor for CPU:0
[ 0.714951] amd_pstate: the _CPC object is not present in SBIOS or ACPI disabled
I tracked this down to map_x2apic_id() checking device_declaration
passed in via the type argument of acpi_get_phys_id() via
map_madt_entry() while map_lapic_id() does not.
It appears these BIOSes use Processor statements for declaring the CPUs
in the ACPI namespace instead of processor device objects (which should
have been used). CPU declarations via Processor statements were
deprecated in ACPI 6.0 that was released 10 years ago. They should not
be used any more in any contemporary platform firmware.
I tried to contact Asus support multiple times, but never received a
reply nor did any BIOS update ever change this.
Fix amd-pstate w/ x2apic on am4 by allowing map_x2apic_id() to work with
CPUs declared via Processor statements for IDs less than 255, which is
consistent with ACPI 5.0 that still allowed Processor statements to be
used for declaring CPUs.
Fixes: 7237d3de78ff ("x86, ACPI: add support for x2apic ACPI extensions")
Signed-off-by: René Rebe <rene@exactco.de>
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20251126.165513.1373131139292726554.rene@exactco.de
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/processor_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/processor_core.c b/drivers/acpi/processor_core.c
index 7dd6dbaa98c34..dea60d694343f 100644
--- a/drivers/acpi/processor_core.c
+++ b/drivers/acpi/processor_core.c
@@ -54,7 +54,7 @@ static int map_x2apic_id(struct acpi_subtable_header *entry,
if (!(apic->lapic_flags & ACPI_MADT_ENABLED))
return -ENODEV;
- if (device_declaration && (apic->uid == acpi_id)) {
+ if (apic->uid == acpi_id && (device_declaration || acpi_id < 255)) {
*apic_id = apic->local_apic_id;
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 220/737] ublk: make sure io cmd handled in submitter task context
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 219/737] ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4 Greg Kroah-Hartman
@ 2026-01-09 11:35 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 221/737] ublk: complete command synchronously on error Greg Kroah-Hartman
` (527 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:35 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ming Lei, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit 3421c7f68bba52281bbb38bc76c18dc03cb689e4 ]
In well-done ublk server implementation, ublk io command won't be
linked into any link chain. Meantime they are always handled in no-wait
style, so basically io cmd is always handled in submitter task context.
However, the server may set IOSQE_ASYNC, or io command is linked to one
chain mistakenly, then we may still run into io-wq context and
ctx->uring_lock isn't held.
So in case of IO_URING_F_UNLOCKED, schedule this command by
io_uring_cmd_complete_in_task to force running it in submitter task. Then
ublk_ch_uring_cmd_local() is guaranteed to run with context uring_lock held,
and we needn't to worry about sync among submission code path any more.
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20231009093324.957829-3-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: c6a45ee7607d ("ublk: prevent invalid access with DEBUG")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/ublk_drv.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index ec6d7a08104d9..6419f304fa5e2 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -1857,7 +1857,8 @@ static inline struct request *__ublk_check_and_get_req(struct ublk_device *ub,
return NULL;
}
-static int ublk_ch_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags)
+static inline int ublk_ch_uring_cmd_local(struct io_uring_cmd *cmd,
+ unsigned int issue_flags)
{
/*
* Not necessary for async retry, but let's keep it simple and always
@@ -1871,9 +1872,28 @@ static int ublk_ch_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags)
.addr = READ_ONCE(ub_src->addr)
};
+ WARN_ON_ONCE(issue_flags & IO_URING_F_UNLOCKED);
+
return __ublk_ch_uring_cmd(cmd, issue_flags, &ub_cmd);
}
+static void ublk_ch_uring_cmd_cb(struct io_uring_cmd *cmd,
+ unsigned int issue_flags)
+{
+ ublk_ch_uring_cmd_local(cmd, issue_flags);
+}
+
+static int ublk_ch_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags)
+{
+ /* well-implemented server won't run into unlocked */
+ if (unlikely(issue_flags & IO_URING_F_UNLOCKED)) {
+ io_uring_cmd_complete_in_task(cmd, ublk_ch_uring_cmd_cb);
+ return -EIOCBQUEUED;
+ }
+
+ return ublk_ch_uring_cmd_local(cmd, issue_flags);
+}
+
static inline bool ublk_check_ubuf_dir(const struct request *req,
int ubuf_dir)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 221/737] ublk: complete command synchronously on error
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-01-09 11:35 ` [PATCH 6.6 220/737] ublk: make sure io cmd handled in submitter task context Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 222/737] ublk: prevent invalid access with DEBUG Greg Kroah-Hartman
` (526 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Caleb Sander Mateos, Ming Lei,
Keith Busch, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Caleb Sander Mateos <csander@purestorage.com>
[ Upstream commit 603f9be21c1894e462416e3324962d6c9c2b95f8 ]
In case of an error, ublk's ->uring_cmd() functions currently return
-EIOCBQUEUED and immediately call io_uring_cmd_done(). -EIOCBQUEUED and
io_uring_cmd_done() are intended for asynchronous completions. For
synchronous completions, the ->uring_cmd() function can just return the
negative return code directly. This skips io_uring_cmd_del_cancelable(),
and deferring the completion to task work. So return the error code
directly from __ublk_ch_uring_cmd() and ublk_ctrl_uring_cmd().
Update ublk_ch_uring_cmd_cb(), which currently ignores the return value
from __ublk_ch_uring_cmd(), to call io_uring_cmd_done() for synchronous
completions.
Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Link: https://lore.kernel.org/r/20250225212456.2902549-1-csander@purestorage.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: c6a45ee7607d ("ublk: prevent invalid access with DEBUG")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/ublk_drv.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 6419f304fa5e2..88d566f0ffa64 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -1821,10 +1821,9 @@ static int __ublk_ch_uring_cmd(struct io_uring_cmd *cmd,
return -EIOCBQUEUED;
out:
- io_uring_cmd_done(cmd, ret, 0, issue_flags);
pr_devel("%s: complete: cmd op %d, tag %d ret %x io_flags %x\n",
__func__, cmd_op, tag, ret, io->flags);
- return -EIOCBQUEUED;
+ return ret;
}
static inline struct request *__ublk_check_and_get_req(struct ublk_device *ub,
@@ -1880,7 +1879,10 @@ static inline int ublk_ch_uring_cmd_local(struct io_uring_cmd *cmd,
static void ublk_ch_uring_cmd_cb(struct io_uring_cmd *cmd,
unsigned int issue_flags)
{
- ublk_ch_uring_cmd_local(cmd, issue_flags);
+ int ret = ublk_ch_uring_cmd_local(cmd, issue_flags);
+
+ if (ret != -EIOCBQUEUED)
+ io_uring_cmd_done(cmd, ret, 0, issue_flags);
}
static int ublk_ch_uring_cmd(struct io_uring_cmd *cmd, unsigned int issue_flags)
@@ -2948,10 +2950,9 @@ static int ublk_ctrl_uring_cmd(struct io_uring_cmd *cmd,
if (ub)
ublk_put_device(ub);
out:
- io_uring_cmd_done(cmd, ret, 0, issue_flags);
pr_devel("%s: cmd done ret %d cmd_op %x, dev id %d qid %d\n",
__func__, ret, cmd->cmd_op, header->dev_id, header->queue_id);
- return -EIOCBQUEUED;
+ return ret;
}
static const struct file_operations ublk_ctl_fops = {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 222/737] ublk: prevent invalid access with DEBUG
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 221/737] ublk: complete command synchronously on error Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 223/737] ext4: remove unused return value of __mb_check_buddy Greg Kroah-Hartman
` (525 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kevin Brodsky, Caleb Sander Mateos,
Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kevin Brodsky <kevin.brodsky@arm.com>
[ Upstream commit c6a45ee7607de3a350008630f4369b1b5ac80884 ]
ublk_ch_uring_cmd_local() may jump to the out label before
initialising the io pointer. This will cause trouble if DEBUG is
defined, because the pr_devel() call dereferences io. Clang reports:
drivers/block/ublk_drv.c:2403:6: error: variable 'io' is used uninitialized whenever 'if' condition is true [-Werror,-Wsometimes-uninitialized]
2403 | if (tag >= ub->dev_info.queue_depth)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/block/ublk_drv.c:2492:32: note: uninitialized use occurs here
2492 | __func__, cmd_op, tag, ret, io->flags);
|
Fix this by initialising io to NULL and checking it before
dereferencing it.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/ublk_drv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 88d566f0ffa64..563b2a94d4c3c 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -1709,7 +1709,7 @@ static int __ublk_ch_uring_cmd(struct io_uring_cmd *cmd,
{
struct ublk_device *ub = cmd->file->private_data;
struct ublk_queue *ubq;
- struct ublk_io *io;
+ struct ublk_io *io = NULL;
u32 cmd_op = cmd->cmd_op;
unsigned tag = ub_cmd->tag;
int ret = -EINVAL;
@@ -1822,7 +1822,7 @@ static int __ublk_ch_uring_cmd(struct io_uring_cmd *cmd,
out:
pr_devel("%s: complete: cmd op %d, tag %d ret %x io_flags %x\n",
- __func__, cmd_op, tag, ret, io->flags);
+ __func__, cmd_op, tag, ret, io ? io->flags : 0);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 223/737] ext4: remove unused return value of __mb_check_buddy
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 222/737] ublk: prevent invalid access with DEBUG Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 224/737] ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation Greg Kroah-Hartman
` (524 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kemeng Shi, Jan Kara, Theodore Tso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kemeng Shi <shikemeng@huaweicloud.com>
[ Upstream commit 133de5a0d8f8e32b34feaa8beae7a189482f1856 ]
Remove unused return value of __mb_check_buddy.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240105092102.496631-2-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: d9ee3ff810f1 ("ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index c5f642096ab4e..9721ae0ff92ed 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -676,7 +676,7 @@ do { \
} \
} while (0)
-static int __mb_check_buddy(struct ext4_buddy *e4b, char *file,
+static void __mb_check_buddy(struct ext4_buddy *e4b, char *file,
const char *function, int line)
{
struct super_block *sb = e4b->bd_sb;
@@ -695,7 +695,7 @@ static int __mb_check_buddy(struct ext4_buddy *e4b, char *file,
void *buddy2;
if (e4b->bd_info->bb_check_counter++ % 10)
- return 0;
+ return;
while (order > 1) {
buddy = mb_find_buddy(e4b, order, &max);
@@ -757,7 +757,7 @@ static int __mb_check_buddy(struct ext4_buddy *e4b, char *file,
grp = ext4_get_group_info(sb, e4b->bd_group);
if (!grp)
- return NULL;
+ return;
list_for_each(cur, &grp->bb_prealloc_list) {
ext4_group_t groupnr;
struct ext4_prealloc_space *pa;
@@ -767,7 +767,6 @@ static int __mb_check_buddy(struct ext4_buddy *e4b, char *file,
for (i = 0; i < pa->pa_len; i++)
MB_CHECK_ASSERT(mb_test_bit(k + i, buddy));
}
- return 0;
}
#undef MB_CHECK_ASSERT
#define mb_check_buddy(e4b) __mb_check_buddy(e4b, \
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 224/737] ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 223/737] ext4: remove unused return value of __mb_check_buddy Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 225/737] virtio_vdpa: fix misleading return in void function Greg Kroah-Hartman
` (523 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Yongjian Sun, Baokun Li,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongjian Sun <sunyongjian1@huawei.com>
[ Upstream commit d9ee3ff810f1cc0e253c9f2b17b668b973cb0e06 ]
When the MB_CHECK_ASSERT macro is enabled, we found that the
current validation logic in __mb_check_buddy has a gap in
detecting certain invalid buddy states, particularly related
to order-0 (bitmap) bits.
The original logic consists of three steps:
1. Validates higher-order buddies: if a higher-order bit is
set, at most one of the two corresponding lower-order bits
may be free; if a higher-order bit is clear, both lower-order
bits must be allocated (and their bitmap bits must be 0).
2. For any set bit in order-0, ensures all corresponding
higher-order bits are not free.
3. Verifies that all preallocated blocks (pa) in the group
have pa_pstart within bounds and their bitmap bits marked as
allocated.
However, this approach fails to properly validate cases where
order-0 bits are incorrectly cleared (0), allowing some invalid
configurations to pass:
corrupt integral
order 3 1 1
order 2 1 1 1 1
order 1 1 1 1 1 1 1 1 1
order 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Here we get two adjacent free blocks at order-0 with inconsistent
higher-order state, and the right one shows the correct scenario.
The root cause is insufficient validation of order-0 zero bits.
To fix this and improve completeness without significant performance
cost, we refine the logic:
1. Maintain the top-down higher-order validation, but we no longer
check the cases where the higher-order bit is 0, as this case will
be covered in step 2.
2. Enhance order-0 checking by examining pairs of bits:
- If either bit in a pair is set (1), all corresponding
higher-order bits must not be free.
- If both bits are clear (0), then exactly one of the
corresponding higher-order bits must be free
3. Keep the preallocation (pa) validation unchanged.
This change closes the validation gap, ensuring illegal buddy states
involving order-0 are correctly detected, while removing redundant
checks and maintaining efficiency.
Fixes: c9de560ded61f ("ext4: Add multi block allocator for ext4")
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251106060614.631382-3-sunyongjian@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 49 +++++++++++++++++++++++++++++++----------------
1 file changed, 32 insertions(+), 17 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 9721ae0ff92ed..5304497c60e1f 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -676,6 +676,24 @@ do { \
} \
} while (0)
+/*
+ * Perform buddy integrity check with the following steps:
+ *
+ * 1. Top-down validation (from highest order down to order 1, excluding order-0 bitmap):
+ * For each pair of adjacent orders, if a higher-order bit is set (indicating a free block),
+ * at most one of the two corresponding lower-order bits may be clear (free).
+ *
+ * 2. Order-0 (bitmap) validation, performed on bit pairs:
+ * - If either bit in a pair is set (1, allocated), then all corresponding higher-order bits
+ * must not be free (0).
+ * - If both bits in a pair are clear (0, free), then exactly one of the corresponding
+ * higher-order bits must be free (0).
+ *
+ * 3. Preallocation (pa) list validation:
+ * For each preallocated block (pa) in the group:
+ * - Verify that pa_pstart falls within the bounds of this block group.
+ * - Ensure the corresponding bit(s) in the order-0 bitmap are marked as allocated (1).
+ */
static void __mb_check_buddy(struct ext4_buddy *e4b, char *file,
const char *function, int line)
{
@@ -717,15 +735,6 @@ static void __mb_check_buddy(struct ext4_buddy *e4b, char *file,
continue;
}
- /* both bits in buddy2 must be 1 */
- MB_CHECK_ASSERT(mb_test_bit(i << 1, buddy2));
- MB_CHECK_ASSERT(mb_test_bit((i << 1) + 1, buddy2));
-
- for (j = 0; j < (1 << order); j++) {
- k = (i * (1 << order)) + j;
- MB_CHECK_ASSERT(
- !mb_test_bit(k, e4b->bd_bitmap));
- }
count++;
}
MB_CHECK_ASSERT(e4b->bd_info->bb_counters[order] == count);
@@ -741,15 +750,21 @@ static void __mb_check_buddy(struct ext4_buddy *e4b, char *file,
fragments++;
fstart = i;
}
- continue;
+ } else {
+ fstart = -1;
}
- fstart = -1;
- /* check used bits only */
- for (j = 0; j < e4b->bd_blkbits + 1; j++) {
- buddy2 = mb_find_buddy(e4b, j, &max2);
- k = i >> j;
- MB_CHECK_ASSERT(k < max2);
- MB_CHECK_ASSERT(mb_test_bit(k, buddy2));
+ if (!(i & 1)) {
+ int in_use, zero_bit_count = 0;
+
+ in_use = mb_test_bit(i, buddy) || mb_test_bit(i + 1, buddy);
+ for (j = 1; j < e4b->bd_blkbits + 2; j++) {
+ buddy2 = mb_find_buddy(e4b, j, &max2);
+ k = i >> j;
+ MB_CHECK_ASSERT(k < max2);
+ if (!mb_test_bit(k, buddy2))
+ zero_bit_count++;
+ }
+ MB_CHECK_ASSERT(zero_bit_count == !in_use);
}
}
MB_CHECK_ASSERT(!EXT4_MB_GRP_NEED_INIT(e4b->bd_info));
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 225/737] virtio_vdpa: fix misleading return in void function
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 224/737] ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 226/737] virtio: fix typo in virtio_device_ready() comment Greg Kroah-Hartman
` (522 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Michael S. Tsirkin,
Jason Wang, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit e40b6abe0b1247d43bc61942aa7534fca7209e44 ]
virtio_vdpa_set_status() is declared as returning void, but it used
"return vdpa_set_status()" Since vdpa_set_status() also returns
void, the return statement is unnecessary and misleading.
Remove it.
Fixes: c043b4a8cf3b ("virtio: introduce a vDPA based transport")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Message-Id: <20251001191653.1713923-1-alok.a.tiwari@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/virtio/virtio_vdpa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/virtio/virtio_vdpa.c b/drivers/virtio/virtio_vdpa.c
index 06ce6d8c2e004..6855cc22ea96e 100644
--- a/drivers/virtio/virtio_vdpa.c
+++ b/drivers/virtio/virtio_vdpa.c
@@ -93,7 +93,7 @@ static void virtio_vdpa_set_status(struct virtio_device *vdev, u8 status)
{
struct vdpa_device *vdpa = vd_get_vdpa(vdev);
- return vdpa_set_status(vdpa, status);
+ vdpa_set_status(vdpa, status);
}
static void virtio_vdpa_reset(struct virtio_device *vdev)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 226/737] virtio: fix typo in virtio_device_ready() comment
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 225/737] virtio_vdpa: fix misleading return in void function Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 227/737] virtio: fix whitespace in virtio_config_ops Greg Kroah-Hartman
` (521 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Wang, Michael S. Tsirkin,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael S. Tsirkin <mst@redhat.com>
[ Upstream commit 361173f95ae4b726ebbbf0bd594274f5576c4abc ]
"coherenct" -> "coherent"
Fixes: 8b4ec69d7e09 ("virtio: harden vring IRQ")
Message-Id: <db286e9a65449347f6584e68c9960fd5ded2b4b0.1763026134.git.mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/virtio_config.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/virtio_config.h b/include/linux/virtio_config.h
index 2b3438de2c4d4..84a9fd21df3e8 100644
--- a/include/linux/virtio_config.h
+++ b/include/linux/virtio_config.h
@@ -288,7 +288,7 @@ void virtio_device_ready(struct virtio_device *dev)
* specific set_status() method.
*
* A well behaved device will only notify a virtqueue after
- * DRIVER_OK, this means the device should "see" the coherenct
+ * DRIVER_OK, this means the device should "see" the coherent
* memory write that set vq->broken as false which is done by
* the driver when it sees DRIVER_OK, then the following
* driver's vring_interrupt() will see vq->broken as false so
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 227/737] virtio: fix whitespace in virtio_config_ops
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 226/737] virtio: fix typo in virtio_device_ready() comment Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 228/737] virtio: fix virtqueue_set_affinity() docs Greg Kroah-Hartman
` (520 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Wang, Michael S. Tsirkin,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael S. Tsirkin <mst@redhat.com>
[ Upstream commit 7831791e77a1cd29528d4dc336ce14466aef5ba6 ]
The finalize_features documentation uses a tab between words.
Use space instead.
Fixes: d16c0cd27331 ("docs: driver-api: virtio: virtio on Linux")
Message-Id: <39d7685c82848dc6a876d175e33a1407f6ab3fc1.1763026134.git.mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/virtio_config.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/virtio_config.h b/include/linux/virtio_config.h
index 84a9fd21df3e8..f106d3177476b 100644
--- a/include/linux/virtio_config.h
+++ b/include/linux/virtio_config.h
@@ -71,7 +71,7 @@ typedef void vq_callback_t(struct virtqueue *);
* vdev: the virtio_device
* This sends the driver feature bits to the device: it can change
* the dev->feature bits if it wants.
- * Note that despite the name this can be called any number of
+ * Note that despite the name this can be called any number of
* times.
* Returns 0 on success or error status
* @bus_name: return the bus name associated with the device (optional)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 228/737] virtio: fix virtqueue_set_affinity() docs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 227/737] virtio: fix whitespace in virtio_config_ops Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 229/737] vdpa/pds: use %pe for ERR_PTR() in event handler registration Greg Kroah-Hartman
` (519 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Wang, Michael S. Tsirkin,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael S. Tsirkin <mst@redhat.com>
[ Upstream commit 43236d8bbafff94b423afecc4a692dd90602d426 ]
Rewrite the comment for better grammar and clarity.
Fixes: 75a0a52be3c2 ("virtio: introduce an API to set affinity for a virtqueue")
Message-Id: <e317e91bd43b070e5eaec0ebbe60c5749d02e2dd.1763026134.git.mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/virtio_config.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/virtio_config.h b/include/linux/virtio_config.h
index f106d3177476b..7528255068fd8 100644
--- a/include/linux/virtio_config.h
+++ b/include/linux/virtio_config.h
@@ -310,7 +310,7 @@ const char *virtio_bus_name(struct virtio_device *vdev)
* @vq: the virtqueue
* @cpu_mask: the cpu mask
*
- * Pay attention the function are best-effort: the affinity hint may not be set
+ * Note that this function is best-effort: the affinity hint may not be set
* due to config support, irq type and sharing.
*
*/
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 229/737] vdpa/pds: use %pe for ERR_PTR() in event handler registration
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 228/737] virtio: fix virtqueue_set_affinity() docs Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 230/737] ASoC: Intel: catpt: Fix error path in hw_params() Greg Kroah-Hartman
` (518 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Brett Creeley,
Michael S. Tsirkin, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 731ca4a4cc52fd5c5ae309edcfd2d7e54ece3321 ]
Use %pe instead of %ps when printing ERR_PTR() values. %ps is intended
for string pointers, while %pe correctly prints symbolic error names
for error pointers returned via ERR_PTR().
This shows the returned error value more clearly.
Fixes: 67f27b8b3a34 ("pds_vdpa: subscribe to the pds_core events")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Reviewed-by: Brett Creeley <brett.creeley@amd.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20251018174705.1511982-1-alok.a.tiwari@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vdpa/pds/vdpa_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/vdpa/pds/vdpa_dev.c b/drivers/vdpa/pds/vdpa_dev.c
index 25c0fe5ec3d5d..744739a708b25 100644
--- a/drivers/vdpa/pds/vdpa_dev.c
+++ b/drivers/vdpa/pds/vdpa_dev.c
@@ -51,7 +51,7 @@ static int pds_vdpa_register_event_handler(struct pds_vdpa_device *pdsv)
err = pdsc_register_notify(nb);
if (err) {
nb->notifier_call = NULL;
- dev_err(dev, "failed to register pds event handler: %ps\n",
+ dev_err(dev, "failed to register pds event handler: %pe\n",
ERR_PTR(err));
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 230/737] ASoC: Intel: catpt: Fix error path in hw_params()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 229/737] vdpa/pds: use %pe for ERR_PTR() in event handler registration Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 231/737] ARM: dts: samsung: universal_c210: turn off SDIO WLAN chip during system suspend Greg Kroah-Hartman
` (517 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cezary Rojewski, Andy Shevchenko,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit 86a5b621be658fc8fe594ca6db317d64de30cce1 ]
Do not leave any resources hanging on the DSP side if
applying user settings fails.
Fixes: 768a3a3b327d ("ASoC: Intel: catpt: Optimize applying user settings")
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20251126095523.3925364-4-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/catpt/pcm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/soc/intel/catpt/pcm.c b/sound/soc/intel/catpt/pcm.c
index f1a5cb825ff1f..10d1c15857bfa 100644
--- a/sound/soc/intel/catpt/pcm.c
+++ b/sound/soc/intel/catpt/pcm.c
@@ -417,8 +417,10 @@ static int catpt_dai_hw_params(struct snd_pcm_substream *substream,
return CATPT_IPC_ERROR(ret);
ret = catpt_dai_apply_usettings(dai, stream);
- if (ret)
+ if (ret) {
+ catpt_ipc_free_stream(cdev, stream->info.stream_hw_id);
return ret;
+ }
stream->allocated = true;
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 231/737] ARM: dts: samsung: universal_c210: turn off SDIO WLAN chip during system suspend
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 230/737] ASoC: Intel: catpt: Fix error path in hw_params() Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 232/737] ARM: dts: samsung: exynos4210-i9100: " Greg Kroah-Hartman
` (516 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski,
Krzysztof Kozlowski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit 97aee67e2406ea381408915e606c5f86448f3949 ]
Commit 8c3170628a9c ("wifi: brcmfmac: keep power during suspend if board
requires it") changed default behavior of the BRCMFMAC driver, which now
keeps SDIO card powered during system suspend to enable optional support
for WOWL. This feature is not supported by the legacy Exynos4 based
boards and leads to WLAN disfunction after system suspend/resume cycle.
Fix this by annotating SDIO host used by WLAN chip with
'cap-power-off-card' property, which should have been there from the
beginning.
Fixes: f1b0ffaa686f ("ARM: dts: exynos: Enable WLAN support for the UniversalC210 board")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://patch.msgid.link/20251126102618.3103517-2-m.szyprowski@samsung.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/samsung/exynos4210-universal_c210.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/boot/dts/samsung/exynos4210-universal_c210.dts b/arch/arm/boot/dts/samsung/exynos4210-universal_c210.dts
index bdc30f8cf748f..91490693432b6 100644
--- a/arch/arm/boot/dts/samsung/exynos4210-universal_c210.dts
+++ b/arch/arm/boot/dts/samsung/exynos4210-universal_c210.dts
@@ -610,6 +610,7 @@ &sdhci_3 {
#size-cells = <0>;
non-removable;
+ cap-power-off-card;
bus-width = <4>;
mmc-pwrseq = <&wlan_pwrseq>;
vmmc-supply = <&ldo5_reg>;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 232/737] ARM: dts: samsung: exynos4210-i9100: turn off SDIO WLAN chip during system suspend
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 231/737] ARM: dts: samsung: universal_c210: turn off SDIO WLAN chip during system suspend Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 233/737] ARM: dts: samsung: exynos4210-trats: " Greg Kroah-Hartman
` (515 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski,
Krzysztof Kozlowski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit 863d69923bdb6f414d0a3f504f1dfaeacbc00b09 ]
Commit 8c3170628a9c ("wifi: brcmfmac: keep power during suspend if board
requires it") changed default behavior of the BRCMFMAC driver, which now
keeps SDIO card powered during system suspend to enable optional support
for WOWL. This feature is not supported by the legacy Exynos4 based
boards and leads to WLAN disfunction after system suspend/resume cycle.
Fix this by annotating SDIO host used by WLAN chip with
'cap-power-off-card' property, which should have been there from the
beginning.
Fixes: 8620cc2f99b7 ("ARM: dts: exynos: Add devicetree file for the Galaxy S2")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://patch.msgid.link/20251126102618.3103517-3-m.szyprowski@samsung.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/samsung/exynos4210-i9100.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/boot/dts/samsung/exynos4210-i9100.dts b/arch/arm/boot/dts/samsung/exynos4210-i9100.dts
index a076a1dfe41f8..d7adf2bd8f87e 100644
--- a/arch/arm/boot/dts/samsung/exynos4210-i9100.dts
+++ b/arch/arm/boot/dts/samsung/exynos4210-i9100.dts
@@ -815,6 +815,7 @@ &sdhci_3 {
#size-cells = <0>;
non-removable;
+ cap-power-off-card;
bus-width = <4>;
mmc-pwrseq = <&wlan_pwrseq>;
vmmc-supply = <&vtf_reg>;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 233/737] ARM: dts: samsung: exynos4210-trats: turn off SDIO WLAN chip during system suspend
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 232/737] ARM: dts: samsung: exynos4210-i9100: " Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 234/737] ARM: dts: samsung: exynos4412-midas: " Greg Kroah-Hartman
` (514 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski,
Krzysztof Kozlowski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit 97cc9c346b2c9cde075b9420fc172137d2427711 ]
Commit 8c3170628a9c ("wifi: brcmfmac: keep power during suspend if board
requires it") changed default behavior of the BRCMFMAC driver, which now
keeps SDIO card powered during system suspend to enable optional support
for WOWL. This feature is not supported by the legacy Exynos4 based
boards and leads to WLAN disfunction after system suspend/resume cycle.
Fix this by annotating SDIO host used by WLAN chip with
'cap-power-off-card' property, which should have been there from the
beginning.
Fixes: a19f6efc01df ("ARM: dts: exynos: Enable WLAN support for the Trats board")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://patch.msgid.link/20251126102618.3103517-4-m.szyprowski@samsung.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/samsung/exynos4210-trats.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/boot/dts/samsung/exynos4210-trats.dts b/arch/arm/boot/dts/samsung/exynos4210-trats.dts
index 95e0e01b6ff6b..6bd902cb8f4ad 100644
--- a/arch/arm/boot/dts/samsung/exynos4210-trats.dts
+++ b/arch/arm/boot/dts/samsung/exynos4210-trats.dts
@@ -518,6 +518,7 @@ &sdhci_3 {
#size-cells = <0>;
non-removable;
+ cap-power-off-card;
bus-width = <4>;
mmc-pwrseq = <&wlan_pwrseq>;
vmmc-supply = <&tflash_reg>;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 234/737] ARM: dts: samsung: exynos4412-midas: turn off SDIO WLAN chip during system suspend
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 233/737] ARM: dts: samsung: exynos4210-trats: " Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 235/737] regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex Greg Kroah-Hartman
` (513 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski,
Krzysztof Kozlowski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit 2ff147fdfa99b8cbb8c2833e685fde7c42580ae6 ]
Commit 8c3170628a9c ("wifi: brcmfmac: keep power during suspend if board
requires it") changed default behavior of the BRCMFMAC driver, which now
keeps SDIO card powered during system suspend to enable optional support
for WOWL. This feature is not supported by the legacy Exynos4 based
boards and leads to WLAN disfunction after system suspend/resume cycle.
Fix this by annotating SDIO host used by WLAN chip with
'cap-power-off-card' property, which should have been there from the
beginning.
Fixes: f77cbb9a3e5d ("ARM: dts: exynos: Add bcm4334 device node to Trats2")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://patch.msgid.link/20251126102618.3103517-5-m.szyprowski@samsung.com
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/samsung/exynos4412-midas.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/boot/dts/samsung/exynos4412-midas.dtsi b/arch/arm/boot/dts/samsung/exynos4412-midas.dtsi
index 7daf25865551b..a77e57645f217 100644
--- a/arch/arm/boot/dts/samsung/exynos4412-midas.dtsi
+++ b/arch/arm/boot/dts/samsung/exynos4412-midas.dtsi
@@ -1440,6 +1440,7 @@ &sdhci_3 {
#address-cells = <1>;
#size-cells = <0>;
non-removable;
+ cap-power-off-card;
bus-width = <4>;
mmc-pwrseq = <&wlan_pwrseq>;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 235/737] regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 234/737] ARM: dts: samsung: exynos4412-midas: " Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 236/737] resource: Reuse for_each_resource() macro Greg Kroah-Hartman
` (512 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sparkhuang, Charles Keepax,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: sparkhuang <huangshaobo3@xiaomi.com>
[ Upstream commit 0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d ]
regulator_supply_alias_list was accessed without any locking in
regulator_supply_alias(), regulator_register_supply_alias(), and
regulator_unregister_supply_alias(). Concurrent registration,
unregistration and lookups can race, leading to:
1 use-after-free if an alias entry is removed while being read,
2 duplicate entries when two threads register the same alias,
3 inconsistent alias mappings observed by consumers.
Protect all traversals, insertions and deletions on
regulator_supply_alias_list with the existing regulator_list_mutex.
Fixes: a06ccd9c3785f ("regulator: core: Add ability to create a lookup alias for supply")
Signed-off-by: sparkhuang <huangshaobo3@xiaomi.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20251127025716.5440-1-huangshaobo3@xiaomi.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 465f4f870162f..23cdf220ca7db 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1970,6 +1970,7 @@ static void regulator_supply_alias(struct device **dev, const char **supply)
{
struct regulator_supply_alias *map;
+ mutex_lock(®ulator_list_mutex);
map = regulator_find_supply_alias(*dev, *supply);
if (map) {
dev_dbg(*dev, "Mapping supply %s to %s,%s\n",
@@ -1978,6 +1979,7 @@ static void regulator_supply_alias(struct device **dev, const char **supply)
*dev = map->alias_dev;
*supply = map->alias_supply;
}
+ mutex_unlock(®ulator_list_mutex);
}
static int regulator_match(struct device *dev, const void *data)
@@ -2456,22 +2458,26 @@ int regulator_register_supply_alias(struct device *dev, const char *id,
const char *alias_id)
{
struct regulator_supply_alias *map;
+ struct regulator_supply_alias *new_map;
- map = regulator_find_supply_alias(dev, id);
- if (map)
- return -EEXIST;
-
- map = kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL);
- if (!map)
+ new_map = kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL);
+ if (!new_map)
return -ENOMEM;
- map->src_dev = dev;
- map->src_supply = id;
- map->alias_dev = alias_dev;
- map->alias_supply = alias_id;
-
- list_add(&map->list, ®ulator_supply_alias_list);
+ mutex_lock(®ulator_list_mutex);
+ map = regulator_find_supply_alias(dev, id);
+ if (map) {
+ mutex_unlock(®ulator_list_mutex);
+ kfree(new_map);
+ return -EEXIST;
+ }
+ new_map->src_dev = dev;
+ new_map->src_supply = id;
+ new_map->alias_dev = alias_dev;
+ new_map->alias_supply = alias_id;
+ list_add(&new_map->list, ®ulator_supply_alias_list);
+ mutex_unlock(®ulator_list_mutex);
pr_info("Adding alias for supply %s,%s -> %s,%s\n",
id, dev_name(dev), alias_id, dev_name(alias_dev));
@@ -2491,11 +2497,13 @@ void regulator_unregister_supply_alias(struct device *dev, const char *id)
{
struct regulator_supply_alias *map;
+ mutex_lock(®ulator_list_mutex);
map = regulator_find_supply_alias(dev, id);
if (map) {
list_del(&map->list);
kfree(map);
}
+ mutex_unlock(®ulator_list_mutex);
}
EXPORT_SYMBOL_GPL(regulator_unregister_supply_alias);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 236/737] resource: Reuse for_each_resource() macro
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 235/737] regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 237/737] resource: replace open coded resource_intersection() Greg Kroah-Hartman
` (511 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 441f0dd8fa035a2c7cfe972047bb905d3be05c1b ]
We have a few places where for_each_resource() is open coded.
Replace that by the macro. This makes code easier to read and
understand.
With this, compile r_next() only for CONFIG_PROC_FS=y.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20230912165312.402422-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 6fb3acdebf65 ("Reinstate "resource: avoid unnecessary lookups in find_next_iomem_res()"")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/resource.c | 34 +++++++++++++++++++---------------
1 file changed, 19 insertions(+), 15 deletions(-)
diff --git a/kernel/resource.c b/kernel/resource.c
index 6506839f8a811..79fba72cb7d2e 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -77,13 +77,6 @@ static struct resource *next_resource_skip_children(struct resource *p)
(_p) = (_skip_children) ? next_resource_skip_children(_p) : \
next_resource(_p))
-static void *r_next(struct seq_file *m, void *v, loff_t *pos)
-{
- struct resource *p = v;
- (*pos)++;
- return (void *)next_resource(p);
-}
-
#ifdef CONFIG_PROC_FS
enum { MAX_IORES_LEVEL = 5 };
@@ -91,14 +84,26 @@ enum { MAX_IORES_LEVEL = 5 };
static void *r_start(struct seq_file *m, loff_t *pos)
__acquires(resource_lock)
{
- struct resource *p = pde_data(file_inode(m->file));
- loff_t l = 0;
+ struct resource *root = pde_data(file_inode(m->file));
+ struct resource *p;
+ loff_t l = *pos;
+
read_lock(&resource_lock);
- for (p = p->child; p && l < *pos; p = r_next(m, p, &l))
- ;
+ for_each_resource(root, p, false) {
+ if (l-- == 0)
+ break;
+ }
+
return p;
}
+static void *r_next(struct seq_file *m, void *v, loff_t *pos)
+{
+ struct resource *p = v;
+ (*pos)++;
+ return (void *)next_resource(p);
+}
+
static void r_stop(struct seq_file *m, void *v)
__releases(resource_lock)
{
@@ -336,7 +341,7 @@ static int find_next_iomem_res(resource_size_t start, resource_size_t end,
read_lock(&resource_lock);
- for (p = iomem_resource.child; p; p = next_resource(p)) {
+ for_each_resource(&iomem_resource, p, false) {
/* If we passed the resource we are looking for, stop */
if (p->start > end) {
p = NULL;
@@ -1684,13 +1689,12 @@ __setup("reserve=", reserve_setup);
*/
int iomem_map_sanity_check(resource_size_t addr, unsigned long size)
{
- struct resource *p = &iomem_resource;
resource_size_t end = addr + size - 1;
+ struct resource *p;
int err = 0;
- loff_t l;
read_lock(&resource_lock);
- for (p = p->child; p ; p = r_next(NULL, p, &l)) {
+ for_each_resource(&iomem_resource, p, false) {
/*
* We can probably skip the resources without
* IORESOURCE_IO attribute?
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 237/737] resource: replace open coded resource_intersection()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 236/737] resource: Reuse for_each_resource() macro Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 238/737] resource: introduce is_type_match() helper and use it Greg Kroah-Hartman
` (510 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rasmus Villemoes,
Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 5c1edea773c98707fbb23d1df168bcff52f61e4b ]
Patch series "resource: A couple of cleanups".
A couple of ad-hoc cleanups since there was a recent development of
the code in question. No functional changes intended.
This patch (of 2):
__region_intersects() uses open coded resource_intersection(). Replace it
with existing API which also make more clear what we are checking.
Link: https://lkml.kernel.org/r/20240925154355.1170859-1-andriy.shevchenko@linux.intel.com
Link: https://lkml.kernel.org/r/20240925154355.1170859-2-andriy.shevchenko@linux.intel.com
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 6fb3acdebf65 ("Reinstate "resource: avoid unnecessary lookups in find_next_iomem_res()"")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/resource.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/kernel/resource.c b/kernel/resource.c
index 79fba72cb7d2e..dcc3b564c0537 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -498,17 +498,16 @@ static int __region_intersects(struct resource *parent, resource_size_t start,
size_t size, unsigned long flags,
unsigned long desc)
{
- resource_size_t ostart, oend;
int type = 0; int other = 0;
struct resource *p, *dp;
+ struct resource res, o;
bool is_type, covered;
- struct resource res;
res.start = start;
res.end = start + size - 1;
for (p = parent->child; p ; p = p->sibling) {
- if (!resource_overlaps(p, &res))
+ if (!resource_intersection(p, &res, &o))
continue;
is_type = (p->flags & flags) == flags &&
(desc == IORES_DESC_NONE || desc == p->desc);
@@ -529,8 +528,6 @@ static int __region_intersects(struct resource *parent, resource_size_t start,
* |-- "System RAM" --||-- "CXL Window 0a" --|
*/
covered = false;
- ostart = max(res.start, p->start);
- oend = min(res.end, p->end);
for_each_resource(p, dp, false) {
if (!resource_overlaps(dp, &res))
continue;
@@ -539,17 +536,17 @@ static int __region_intersects(struct resource *parent, resource_size_t start,
if (is_type) {
type++;
/*
- * Range from 'ostart' to 'dp->start'
+ * Range from 'o.start' to 'dp->start'
* isn't covered by matched resource.
*/
- if (dp->start > ostart)
+ if (dp->start > o.start)
break;
- if (dp->end >= oend) {
+ if (dp->end >= o.end) {
covered = true;
break;
}
/* Remove covered range */
- ostart = max(ostart, dp->end + 1);
+ o.start = max(o.start, dp->end + 1);
}
}
if (!covered)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 238/737] resource: introduce is_type_match() helper and use it
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 237/737] resource: replace open coded resource_intersection() Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 239/737] Reinstate "resource: avoid unnecessary lookups in find_next_iomem_res()" Greg Kroah-Hartman
` (509 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Rasmus Villemoes,
Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit ba1eccc114ffc62c4495a5e15659190fa2c42308 ]
There are already a couple of places where we may replace a few lines of
code by calling a helper, which increases readability while deduplicating
the code.
Introduce is_type_match() helper and use it.
Link: https://lkml.kernel.org/r/20240925154355.1170859-3-andriy.shevchenko@linux.intel.com
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 6fb3acdebf65 ("Reinstate "resource: avoid unnecessary lookups in find_next_iomem_res()"")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/resource.c | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/kernel/resource.c b/kernel/resource.c
index dcc3b564c0537..67410132b40e1 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -310,6 +310,11 @@ int release_resource(struct resource *old)
EXPORT_SYMBOL(release_resource);
+static bool is_type_match(struct resource *p, unsigned long flags, unsigned long desc)
+{
+ return (p->flags & flags) == flags && (desc == IORES_DESC_NONE || desc == p->desc);
+}
+
/**
* find_next_iomem_res - Finds the lowest iomem resource that covers part of
* [@start..@end].
@@ -352,13 +357,9 @@ static int find_next_iomem_res(resource_size_t start, resource_size_t end,
if (p->end < start)
continue;
- if ((p->flags & flags) != flags)
- continue;
- if ((desc != IORES_DESC_NONE) && (desc != p->desc))
- continue;
-
/* Found a match, break */
- break;
+ if (is_type_match(p, flags, desc))
+ break;
}
if (p) {
@@ -501,7 +502,7 @@ static int __region_intersects(struct resource *parent, resource_size_t start,
int type = 0; int other = 0;
struct resource *p, *dp;
struct resource res, o;
- bool is_type, covered;
+ bool covered;
res.start = start;
res.end = start + size - 1;
@@ -509,9 +510,7 @@ static int __region_intersects(struct resource *parent, resource_size_t start,
for (p = parent->child; p ; p = p->sibling) {
if (!resource_intersection(p, &res, &o))
continue;
- is_type = (p->flags & flags) == flags &&
- (desc == IORES_DESC_NONE || desc == p->desc);
- if (is_type) {
+ if (is_type_match(p, flags, desc)) {
type++;
continue;
}
@@ -531,9 +530,7 @@ static int __region_intersects(struct resource *parent, resource_size_t start,
for_each_resource(p, dp, false) {
if (!resource_overlaps(dp, &res))
continue;
- is_type = (dp->flags & flags) == flags &&
- (desc == IORES_DESC_NONE || desc == dp->desc);
- if (is_type) {
+ if (is_type_match(dp, flags, desc)) {
type++;
/*
* Range from 'o.start' to 'dp->start'
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 239/737] Reinstate "resource: avoid unnecessary lookups in find_next_iomem_res()"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 238/737] resource: introduce is_type_match() helper and use it Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 240/737] netfilter: flowtable: check for maximum number of encapsulations in bridge vlan Greg Kroah-Hartman
` (508 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilias Stamatis,
David Hildenbrand (Red Hat), Andriy Shevchenko, Baoquan He,
Huang, Ying, Nadav Amit, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilias Stamatis <ilstam@amazon.com>
[ Upstream commit 6fb3acdebf65a72df0a95f9fd2c901ff2bc9a3a2 ]
Commit 97523a4edb7b ("kernel/resource: remove first_lvl / siblings_only
logic") removed an optimization introduced by commit 756398750e11
("resource: avoid unnecessary lookups in find_next_iomem_res()"). That
was not called out in the message of the first commit explicitly so it's
not entirely clear whether removing the optimization happened
inadvertently or not.
As the original commit message of the optimization explains there is no
point considering the children of a subtree in find_next_iomem_res() if
the top level range does not match.
Reinstating the optimization results in performance improvements in
systems where /proc/iomem is ~5k lines long. Calling mmap() on /dev/mem
in such platforms takes 700-1500μs without the optimisation and 10-50μs
with the optimisation.
Note that even though commit 97523a4edb7b removed the 'sibling_only'
parameter from next_resource(), newer kernels have basically reinstated it
under the name 'skip_children'.
Link: https://lore.kernel.org/all/20251124165349.3377826-1-ilstam@amazon.com/T/#u
Fixes: 97523a4edb7b ("kernel/resource: remove first_lvl / siblings_only logic")
Signed-off-by: Ilias Stamatis <ilstam@amazon.com>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Cc: Andriy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: "Huang, Ying" <huang.ying.caritas@gmail.com>
Cc: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/resource.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/kernel/resource.c b/kernel/resource.c
index 67410132b40e1..dca8581eb3992 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -336,6 +336,8 @@ static int find_next_iomem_res(resource_size_t start, resource_size_t end,
unsigned long flags, unsigned long desc,
struct resource *res)
{
+ /* Skip children until we find a top level range that matches */
+ bool skip_children = true;
struct resource *p;
if (!res)
@@ -346,7 +348,7 @@ static int find_next_iomem_res(resource_size_t start, resource_size_t end,
read_lock(&resource_lock);
- for_each_resource(&iomem_resource, p, false) {
+ for_each_resource(&iomem_resource, p, skip_children) {
/* If we passed the resource we are looking for, stop */
if (p->start > end) {
p = NULL;
@@ -357,6 +359,12 @@ static int find_next_iomem_res(resource_size_t start, resource_size_t end,
if (p->end < start)
continue;
+ /*
+ * We found a top level range that matches what we are looking
+ * for. Time to start checking children too.
+ */
+ skip_children = false;
+
/* Found a match, break */
if (is_type_match(p, flags, desc))
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 240/737] netfilter: flowtable: check for maximum number of encapsulations in bridge vlan
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 239/737] Reinstate "resource: avoid unnecessary lookups in find_next_iomem_res()" Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 241/737] netfilter: nf_conncount: rework API to use sk_buff directly Greg Kroah-Hartman
` (507 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 634f3853cc98d73bdec8918010ee29b06981583e ]
Add a sanity check to skip path discovery if the maximum number of
encapsulation is reached. While at it, check for underflow too.
Fixes: 26267bf9bb57 ("netfilter: flowtable: bridge vlan hardware offload and switchdev")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_flow_offload.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 1894032a7971c..75dddcaa9aa37 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -140,12 +140,19 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
info->ingress_vlans |= BIT(info->num_encaps - 1);
break;
case DEV_PATH_BR_VLAN_TAG:
+ if (info->num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) {
+ info->indev = NULL;
+ break;
+ }
info->encap[info->num_encaps].id = path->bridge.vlan_id;
info->encap[info->num_encaps].proto = path->bridge.vlan_proto;
info->num_encaps++;
break;
case DEV_PATH_BR_VLAN_UNTAG:
- info->num_encaps--;
+ if (WARN_ON_ONCE(info->num_encaps-- == 0)) {
+ info->indev = NULL;
+ break;
+ }
break;
case DEV_PATH_BR_VLAN_KEEP:
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 241/737] netfilter: nf_conncount: rework API to use sk_buff directly
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 240/737] netfilter: flowtable: check for maximum number of encapsulations in bridge vlan Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 242/737] netfilter: nft_connlimit: update the count if add was skipped Greg Kroah-Hartman
` (506 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit be102eb6a0e7c03db00e50540622f4e43b2d2844 ]
When using nf_conncount infrastructure for non-confirmed connections a
duplicated track is possible due to an optimization introduced since
commit d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC").
In order to fix this introduce a new conncount API that receives
directly an sk_buff struct. It fetches the tuple and zone and the
corresponding ct from it. It comes with both existing conncount variants
nf_conncount_count_skb() and nf_conncount_add_skb(). In addition remove
the old API and adjust all the users to use the new one.
This way, for each sk_buff struct it is possible to check if there is a
ct present and already confirmed. If so, skip the add operation.
Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_conntrack_count.h | 17 +-
net/netfilter/nf_conncount.c | 177 ++++++++++++++-------
net/netfilter/nft_connlimit.c | 21 +--
net/netfilter/xt_connlimit.c | 14 +-
net/openvswitch/conntrack.c | 16 +-
5 files changed, 142 insertions(+), 103 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h
index e227d997fc716..115bb7e572f7d 100644
--- a/include/net/netfilter/nf_conntrack_count.h
+++ b/include/net/netfilter/nf_conntrack_count.h
@@ -20,15 +20,14 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family
void nf_conncount_destroy(struct net *net, unsigned int family,
struct nf_conncount_data *data);
-unsigned int nf_conncount_count(struct net *net,
- struct nf_conncount_data *data,
- const u32 *key,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone);
-
-int nf_conncount_add(struct net *net, struct nf_conncount_list *list,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone);
+unsigned int nf_conncount_count_skb(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conncount_data *data,
+ const u32 *key);
+
+int nf_conncount_add_skb(struct net *net, const struct sk_buff *skb,
+ u16 l3num, struct nf_conncount_list *list);
void nf_conncount_list_init(struct nf_conncount_list *list);
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 6156c0751056c..7a8a6f72ff198 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -122,15 +122,65 @@ find_or_evict(struct net *net, struct nf_conncount_list *list,
return ERR_PTR(-EAGAIN);
}
+static bool get_ct_or_tuple_from_skb(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conn **ct,
+ struct nf_conntrack_tuple *tuple,
+ const struct nf_conntrack_zone **zone,
+ bool *refcounted)
+{
+ const struct nf_conntrack_tuple_hash *h;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *found_ct;
+
+ found_ct = nf_ct_get(skb, &ctinfo);
+ if (found_ct && !nf_ct_is_template(found_ct)) {
+ *tuple = found_ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ *zone = nf_ct_zone(found_ct);
+ *ct = found_ct;
+ return true;
+ }
+
+ if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), l3num, net, tuple))
+ return false;
+
+ if (found_ct)
+ *zone = nf_ct_zone(found_ct);
+
+ h = nf_conntrack_find_get(net, *zone, tuple);
+ if (!h)
+ return true;
+
+ found_ct = nf_ct_tuplehash_to_ctrack(h);
+ *refcounted = true;
+ *ct = found_ct;
+
+ return true;
+}
+
static int __nf_conncount_add(struct net *net,
- struct nf_conncount_list *list,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conncount_list *list)
{
+ const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
const struct nf_conntrack_tuple_hash *found;
struct nf_conncount_tuple *conn, *conn_n;
+ struct nf_conntrack_tuple tuple;
+ struct nf_conn *ct = NULL;
struct nf_conn *found_ct;
unsigned int collect = 0;
+ bool refcounted = false;
+
+ if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
+ return -ENOENT;
+
+ if (ct && nf_ct_is_confirmed(ct)) {
+ if (refcounted)
+ nf_ct_put(ct);
+ return 0;
+ }
if ((u32)jiffies == list->last_gc)
goto add_new_node;
@@ -144,10 +194,10 @@ static int __nf_conncount_add(struct net *net,
if (IS_ERR(found)) {
/* Not found, but might be about to be confirmed */
if (PTR_ERR(found) == -EAGAIN) {
- if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
+ if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
nf_ct_zone_id(zone, zone->dir))
- return 0; /* already exists */
+ goto out_put; /* already exists */
} else {
collect++;
}
@@ -156,7 +206,7 @@ static int __nf_conncount_add(struct net *net,
found_ct = nf_ct_tuplehash_to_ctrack(found);
- if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
+ if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
nf_ct_zone_equal(found_ct, zone, zone->dir)) {
/*
* We should not see tuples twice unless someone hooks
@@ -165,7 +215,7 @@ static int __nf_conncount_add(struct net *net,
* Attempt to avoid a re-add in this case.
*/
nf_ct_put(found_ct);
- return 0;
+ goto out_put;
} else if (already_closed(found_ct)) {
/*
* we do not care about connections which are
@@ -188,31 +238,35 @@ static int __nf_conncount_add(struct net *net,
if (conn == NULL)
return -ENOMEM;
- conn->tuple = *tuple;
+ conn->tuple = tuple;
conn->zone = *zone;
conn->cpu = raw_smp_processor_id();
conn->jiffies32 = (u32)jiffies;
list_add_tail(&conn->node, &list->head);
list->count++;
list->last_gc = (u32)jiffies;
+
+out_put:
+ if (refcounted)
+ nf_ct_put(ct);
return 0;
}
-int nf_conncount_add(struct net *net,
- struct nf_conncount_list *list,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+int nf_conncount_add_skb(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conncount_list *list)
{
int ret;
/* check the saved connections */
spin_lock_bh(&list->list_lock);
- ret = __nf_conncount_add(net, list, tuple, zone);
+ ret = __nf_conncount_add(net, skb, l3num, list);
spin_unlock_bh(&list->list_lock);
return ret;
}
-EXPORT_SYMBOL_GPL(nf_conncount_add);
+EXPORT_SYMBOL_GPL(nf_conncount_add_skb);
void nf_conncount_list_init(struct nf_conncount_list *list)
{
@@ -309,19 +363,22 @@ static void schedule_gc_worker(struct nf_conncount_data *data, int tree)
static unsigned int
insert_tree(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
struct nf_conncount_data *data,
struct rb_root *root,
unsigned int hash,
- const u32 *key,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+ const u32 *key)
{
struct nf_conncount_rb *gc_nodes[CONNCOUNT_GC_MAX_NODES];
+ const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
+ bool do_gc = true, refcounted = false;
+ unsigned int count = 0, gc_count = 0;
struct rb_node **rbnode, *parent;
- struct nf_conncount_rb *rbconn;
+ struct nf_conntrack_tuple tuple;
struct nf_conncount_tuple *conn;
- unsigned int count = 0, gc_count = 0;
- bool do_gc = true;
+ struct nf_conncount_rb *rbconn;
+ struct nf_conn *ct = NULL;
spin_lock_bh(&nf_conncount_locks[hash]);
restart:
@@ -340,7 +397,7 @@ insert_tree(struct net *net,
} else {
int ret;
- ret = nf_conncount_add(net, &rbconn->list, tuple, zone);
+ ret = nf_conncount_add_skb(net, skb, l3num, &rbconn->list);
if (ret)
count = 0; /* hotdrop */
else
@@ -364,30 +421,35 @@ insert_tree(struct net *net,
goto restart;
}
- /* expected case: match, insert new node */
- rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC);
- if (rbconn == NULL)
- goto out_unlock;
+ if (get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted)) {
+ /* expected case: match, insert new node */
+ rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC);
+ if (rbconn == NULL)
+ goto out_unlock;
- conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
- if (conn == NULL) {
- kmem_cache_free(conncount_rb_cachep, rbconn);
- goto out_unlock;
- }
+ conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
+ if (conn == NULL) {
+ kmem_cache_free(conncount_rb_cachep, rbconn);
+ goto out_unlock;
+ }
- conn->tuple = *tuple;
- conn->zone = *zone;
- conn->cpu = raw_smp_processor_id();
- conn->jiffies32 = (u32)jiffies;
- memcpy(rbconn->key, key, sizeof(u32) * data->keylen);
+ conn->tuple = tuple;
+ conn->zone = *zone;
+ conn->cpu = raw_smp_processor_id();
+ conn->jiffies32 = (u32)jiffies;
+ memcpy(rbconn->key, key, sizeof(u32) * data->keylen);
+
+ nf_conncount_list_init(&rbconn->list);
+ list_add(&conn->node, &rbconn->list.head);
+ count = 1;
+ rbconn->list.count = count;
- nf_conncount_list_init(&rbconn->list);
- list_add(&conn->node, &rbconn->list.head);
- count = 1;
- rbconn->list.count = count;
+ rb_link_node_rcu(&rbconn->node, parent, rbnode);
+ rb_insert_color(&rbconn->node, root);
- rb_link_node_rcu(&rbconn->node, parent, rbnode);
- rb_insert_color(&rbconn->node, root);
+ if (refcounted)
+ nf_ct_put(ct);
+ }
out_unlock:
spin_unlock_bh(&nf_conncount_locks[hash]);
return count;
@@ -395,10 +457,10 @@ insert_tree(struct net *net,
static unsigned int
count_tree(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
struct nf_conncount_data *data,
- const u32 *key,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+ const u32 *key)
{
struct rb_root *root;
struct rb_node *parent;
@@ -422,7 +484,7 @@ count_tree(struct net *net,
} else {
int ret;
- if (!tuple) {
+ if (!skb) {
nf_conncount_gc_list(net, &rbconn->list);
return rbconn->list.count;
}
@@ -437,7 +499,7 @@ count_tree(struct net *net,
}
/* same source network -> be counted! */
- ret = __nf_conncount_add(net, &rbconn->list, tuple, zone);
+ ret = __nf_conncount_add(net, skb, l3num, &rbconn->list);
spin_unlock_bh(&rbconn->list.list_lock);
if (ret)
return 0; /* hotdrop */
@@ -446,10 +508,10 @@ count_tree(struct net *net,
}
}
- if (!tuple)
+ if (!skb)
return 0;
- return insert_tree(net, data, root, hash, key, tuple, zone);
+ return insert_tree(net, skb, l3num, data, root, hash, key);
}
static void tree_gc_worker(struct work_struct *work)
@@ -511,18 +573,19 @@ static void tree_gc_worker(struct work_struct *work)
}
/* Count and return number of conntrack entries in 'net' with particular 'key'.
- * If 'tuple' is not null, insert it into the accounting data structure.
- * Call with RCU read lock.
+ * If 'skb' is not null, insert the corresponding tuple into the accounting
+ * data structure. Call with RCU read lock.
*/
-unsigned int nf_conncount_count(struct net *net,
- struct nf_conncount_data *data,
- const u32 *key,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+unsigned int nf_conncount_count_skb(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conncount_data *data,
+ const u32 *key)
{
- return count_tree(net, data, key, tuple, zone);
+ return count_tree(net, skb, l3num, data, key);
+
}
-EXPORT_SYMBOL_GPL(nf_conncount_count);
+EXPORT_SYMBOL_GPL(nf_conncount_count_skb);
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
unsigned int keylen)
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index 92b984fa8175c..d998e27713ac7 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -24,26 +24,11 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
const struct nft_pktinfo *pkt,
const struct nft_set_ext *ext)
{
- const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
- const struct nf_conntrack_tuple *tuple_ptr;
- struct nf_conntrack_tuple tuple;
- enum ip_conntrack_info ctinfo;
- const struct nf_conn *ct;
unsigned int count;
+ int err;
- tuple_ptr = &tuple;
-
- ct = nf_ct_get(pkt->skb, &ctinfo);
- if (ct != NULL) {
- tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
- zone = nf_ct_zone(ct);
- } else if (!nf_ct_get_tuplepr(pkt->skb, skb_network_offset(pkt->skb),
- nft_pf(pkt), nft_net(pkt), &tuple)) {
- regs->verdict.code = NF_DROP;
- return;
- }
-
- if (nf_conncount_add(nft_net(pkt), priv->list, tuple_ptr, zone)) {
+ err = nf_conncount_add_skb(nft_net(pkt), pkt->skb, nft_pf(pkt), priv->list);
+ if (err) {
regs->verdict.code = NF_DROP;
return;
}
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index d1d0fa6c8061e..b3e4be6e1e436 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -31,8 +31,6 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
struct net *net = xt_net(par);
const struct xt_connlimit_info *info = par->matchinfo;
- struct nf_conntrack_tuple tuple;
- const struct nf_conntrack_tuple *tuple_ptr = &tuple;
const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
enum ip_conntrack_info ctinfo;
const struct nf_conn *ct;
@@ -40,13 +38,8 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
u32 key[5];
ct = nf_ct_get(skb, &ctinfo);
- if (ct != NULL) {
- tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ if (ct)
zone = nf_ct_zone(ct);
- } else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
- xt_family(par), net, &tuple)) {
- goto hotdrop;
- }
if (xt_family(par) == NFPROTO_IPV6) {
const struct ipv6hdr *iph = ipv6_hdr(skb);
@@ -69,10 +62,9 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
key[1] = zone->id;
}
- connections = nf_conncount_count(net, info->data, key, tuple_ptr,
- zone);
+ connections = nf_conncount_count_skb(net, skb, xt_family(par), info->data, key);
if (connections == 0)
- /* kmalloc failed, drop it entirely */
+ /* kmalloc failed or tuple couldn't be found, drop it entirely */
goto hotdrop;
return (connections > info->limit) ^ !!(info->flags & XT_CONNLIMIT_INVERT);
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 3b980bf2770bb..32485b3677375 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -904,8 +904,8 @@ static u32 ct_limit_get(const struct ovs_ct_limit_info *info, u16 zone)
}
static int ovs_ct_check_limit(struct net *net,
- const struct ovs_conntrack_info *info,
- const struct nf_conntrack_tuple *tuple)
+ const struct sk_buff *skb,
+ const struct ovs_conntrack_info *info)
{
struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
const struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info;
@@ -918,8 +918,9 @@ static int ovs_ct_check_limit(struct net *net,
if (per_zone_limit == OVS_CT_LIMIT_UNLIMITED)
return 0;
- connections = nf_conncount_count(net, ct_limit_info->data,
- &conncount_key, tuple, &info->zone);
+ connections = nf_conncount_count_skb(net, skb, info->family,
+ ct_limit_info->data,
+ &conncount_key);
if (connections > per_zone_limit)
return -ENOMEM;
@@ -948,8 +949,7 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
if (static_branch_unlikely(&ovs_ct_limit_enabled)) {
if (!nf_ct_is_confirmed(ct)) {
- err = ovs_ct_check_limit(net, info,
- &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
+ err = ovs_ct_check_limit(net, skb, info);
if (err) {
net_warn_ratelimited("openvswitch: zone: %u "
"exceeds conntrack limit\n",
@@ -1744,8 +1744,8 @@ static int __ovs_ct_limit_get_zone_limit(struct net *net,
zone_limit.limit = limit;
nf_ct_zone_init(&ct_zone, zone_id, NF_CT_DEFAULT_ZONE_DIR, 0);
- zone_limit.count = nf_conncount_count(net, data, &conncount_key, NULL,
- &ct_zone);
+ zone_limit.count = nf_conncount_count_skb(net, NULL, 0, data,
+ &conncount_key);
return nla_put_nohdr(reply, sizeof(zone_limit), &zone_limit);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 242/737] netfilter: nft_connlimit: update the count if add was skipped
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 241/737] netfilter: nf_conncount: rework API to use sk_buff directly Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 243/737] net: stmmac: fix rx limit check in stmmac_rx_zc() Greg Kroah-Hartman
` (505 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 69894e5b4c5e28cda5f32af33d4a92b7a4b93b0e ]
Connlimit expression can be used for all kind of packets and not only
for packets with connection state new. See this ruleset as example:
table ip filter {
chain input {
type filter hook input priority filter; policy accept;
tcp dport 22 ct count over 4 counter
}
}
Currently, if the connection count goes over the limit the counter will
count the packets. When a connection is closed, the connection count
won't decrement as it should because it is only updated for new
connections due to an optimization on __nf_conncount_add() that prevents
updating the list if the connection is duplicated.
To solve this problem, check whether the connection was skipped and if
so, update the list. Adjust count_tree() too so the same fix is applied
for xt_connlimit.
Fixes: 976afca1ceba ("netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup")
Closes: https://lore.kernel.org/netfilter/trinity-85c72a88-d762-46c3-be97-36f10e5d9796-1761173693813@3c-app-mailcom-bs12/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conncount.c | 12 ++++++++----
net/netfilter/nft_connlimit.c | 13 +++++++++++--
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 7a8a6f72ff198..97b631a81484d 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -179,7 +179,7 @@ static int __nf_conncount_add(struct net *net,
if (ct && nf_ct_is_confirmed(ct)) {
if (refcounted)
nf_ct_put(ct);
- return 0;
+ return -EEXIST;
}
if ((u32)jiffies == list->last_gc)
@@ -398,7 +398,7 @@ insert_tree(struct net *net,
int ret;
ret = nf_conncount_add_skb(net, skb, l3num, &rbconn->list);
- if (ret)
+ if (ret && ret != -EEXIST)
count = 0; /* hotdrop */
else
count = rbconn->list.count;
@@ -501,10 +501,14 @@ count_tree(struct net *net,
/* same source network -> be counted! */
ret = __nf_conncount_add(net, skb, l3num, &rbconn->list);
spin_unlock_bh(&rbconn->list.list_lock);
- if (ret)
+ if (ret && ret != -EEXIST) {
return 0; /* hotdrop */
- else
+ } else {
+ /* -EEXIST means add was skipped, update the list */
+ if (ret == -EEXIST)
+ nf_conncount_gc_list(net, &rbconn->list);
return rbconn->list.count;
+ }
}
}
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index d998e27713ac7..83a7d5769396c 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -29,8 +29,17 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
err = nf_conncount_add_skb(nft_net(pkt), pkt->skb, nft_pf(pkt), priv->list);
if (err) {
- regs->verdict.code = NF_DROP;
- return;
+ if (err == -EEXIST) {
+ /* Call gc to update the list count if any connection has
+ * been closed already. This is useful for softlimit
+ * connections like limiting bandwidth based on a number
+ * of open connections.
+ */
+ nf_conncount_gc_list(nft_net(pkt), priv->list);
+ } else {
+ regs->verdict.code = NF_DROP;
+ return;
+ }
}
count = priv->list->count;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 243/737] net: stmmac: fix rx limit check in stmmac_rx_zc()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 242/737] netfilter: nft_connlimit: update the count if add was skipped Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 244/737] mtd: rawnand: renesas: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
` (504 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev,
Russell King (Oracle), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit 8048168df56e225c94e50b04cb7b0514135d7a1c ]
The extra "count >= limit" check in stmmac_rx_zc() is redundant and
has no effect because the value of "count" doesn't change after the
while condition at this point.
However, it can change after "read_again:" label:
while (count < limit) {
...
if (count >= limit)
break;
read_again:
...
/* XSK pool expects RX frame 1:1 mapped to XSK buffer */
if (likely(status & rx_not_ls)) {
xsk_buff_free(buf->xdp);
buf->xdp = NULL;
dirty++;
count++;
goto read_again;
}
...
This patch addresses the same issue previously resolved in stmmac_rx()
by commit fa02de9e7588 ("net: stmmac: fix rx budget limit check").
The fix is the same: move the check after the label to ensure that it
bounds the goto loop.
Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/20251126104327.175590-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 56a61599d0b6f..255c959886752 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -5141,10 +5141,10 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
len = 0;
}
+read_again:
if (count >= limit)
break;
-read_again:
buf1_len = 0;
entry = next_entry;
buf = &rx_q->buf_pool[entry];
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 244/737] mtd: rawnand: renesas: Handle devm_pm_runtime_enable() errors
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 243/737] net: stmmac: fix rx limit check in stmmac_rx_zc() Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 245/737] selftests: bonding: add missing build configs Greg Kroah-Hartman
` (503 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Geert Uytterhoeven,
Miquel Raynal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit a3623e1ae1ed6be4d49b2ccb9996a9d2b65c1828 ]
devm_pm_runtime_enable() can fail due to memory allocation failures.
The current code ignores its return value and proceeds with
pm_runtime_resume_and_get(), which may operate on incorrectly
initialized runtime PM state.
Check the return value of devm_pm_runtime_enable() and return the
error code if it fails.
Fixes: 6a2277a0ebe7 ("mtd: rawnand: renesas: Use runtime PM instead of the raw clock API")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/renesas-nand-controller.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/nand/raw/renesas-nand-controller.c b/drivers/mtd/nand/raw/renesas-nand-controller.c
index a9e79f0acbe2a..46af7666b3c96 100644
--- a/drivers/mtd/nand/raw/renesas-nand-controller.c
+++ b/drivers/mtd/nand/raw/renesas-nand-controller.c
@@ -1342,7 +1342,10 @@ static int rnandc_probe(struct platform_device *pdev)
if (IS_ERR(rnandc->regs))
return PTR_ERR(rnandc->regs);
- devm_pm_runtime_enable(&pdev->dev);
+ ret = devm_pm_runtime_enable(&pdev->dev);
+ if (ret)
+ return ret;
+
ret = pm_runtime_resume_and_get(&pdev->dev);
if (ret < 0)
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 245/737] selftests: bonding: add missing build configs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 244/737] mtd: rawnand: renesas: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 246/737] selftests: bonding: Add more missing config options Greg Kroah-Hartman
` (502 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Usama Anjum, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 03fb8565c880d57952d9b4ba0b36468bae52b554 ]
bonding tests also try to create bridge, veth and dummy
interfaces. These are not currently listed in config.
Fixes: bbb774d921e2 ("net: Add tests for bonding and team address list management")
Fixes: c078290a2b76 ("selftests: include bonding tests into the kselftest infra")
Acked-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/r/20240116020201.1883023-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 2c28ee720ad1 ("selftests: bonding: add delay before each xvlan_over_bond connectivity check")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/drivers/net/bonding/config | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/testing/selftests/drivers/net/bonding/config b/tools/testing/selftests/drivers/net/bonding/config
index 70638fa50b2cc..f85b16fc5128c 100644
--- a/tools/testing/selftests/drivers/net/bonding/config
+++ b/tools/testing/selftests/drivers/net/bonding/config
@@ -1,2 +1,5 @@
CONFIG_BONDING=y
+CONFIG_BRIDGE=y
+CONFIG_DUMMY=y
CONFIG_MACVLAN=y
+CONFIG_VETH=y
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 246/737] selftests: bonding: Add more missing config options
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 245/737] selftests: bonding: add missing build configs Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 247/737] selftests: bonding: add ipvlan over bond testing Greg Kroah-Hartman
` (501 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Benjamin Poirier,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Poirier <bpoirier@nvidia.com>
[ Upstream commit dd2d40acdbb2b9e6bcddd5424b0e00c1760ecf26 ]
As a followup to commit 03fb8565c880 ("selftests: bonding: add missing
build configs"), add more networking-specific config options which are
needed for bonding tests.
For testing, I used the minimal config generated by virtme-ng and I added
the options in the config file. All bonding tests passed.
Fixes: bbb774d921e2 ("net: Add tests for bonding and team address list management") # for ipv6
Fixes: 6cbe791c0f4e ("kselftest: bonding: add num_grat_arp test") # for tc options
Fixes: 222c94ec0ad4 ("selftests: bonding: add tests for ether type changes") # for nlmon
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Benjamin Poirier <bpoirier@nvidia.com>
Link: https://lore.kernel.org/r/20240116154926.202164-1-bpoirier@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: 2c28ee720ad1 ("selftests: bonding: add delay before each xvlan_over_bond connectivity check")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/drivers/net/bonding/config | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/testing/selftests/drivers/net/bonding/config b/tools/testing/selftests/drivers/net/bonding/config
index f85b16fc5128c..899d7fb6ea8e9 100644
--- a/tools/testing/selftests/drivers/net/bonding/config
+++ b/tools/testing/selftests/drivers/net/bonding/config
@@ -1,5 +1,10 @@
CONFIG_BONDING=y
CONFIG_BRIDGE=y
CONFIG_DUMMY=y
+CONFIG_IPV6=y
CONFIG_MACVLAN=y
+CONFIG_NET_ACT_GACT=y
+CONFIG_NET_CLS_FLOWER=y
+CONFIG_NET_SCH_INGRESS=y
+CONFIG_NLMON=y
CONFIG_VETH=y
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 247/737] selftests: bonding: add ipvlan over bond testing
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 246/737] selftests: bonding: Add more missing config options Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 248/737] selftests: bonding: add delay before each xvlan_over_bond connectivity check Greg Kroah-Hartman
` (500 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Etienne Champetier, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Etienne Champetier <champetier.etienne@gmail.com>
[ Upstream commit 08ac69b24507ab06871c18adc421c9d4f1008c61 ]
This rework bond_macvlan.sh into bond_macvlan_ipvlan.sh
We only test bridge mode for macvlan and l2 mode
]# ./bond_macvlan_ipvlan.sh
TEST: active-backup/macvlan_bridge: IPv4: client->server [ OK ]
...
TEST: active-backup/ipvlan_l2: IPv4: client->server [ OK ]
...
TEST: balance-tlb/macvlan_bridge: IPv4: client->server [ OK ]
...
TEST: balance-tlb/ipvlan_l2: IPv4: client->server [ OK ]
...
TEST: balance-alb/macvlan_bridge: IPv4: client->server [ OK ]
...
TEST: balance-alb/ipvlan_l2: IPv4: client->server [ OK ]
...
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Link: https://patch.msgid.link/20250109032819.326528-3-champetier.etienne@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 2c28ee720ad1 ("selftests: bonding: add delay before each xvlan_over_bond connectivity check")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/drivers/net/bonding/Makefile | 2 +-
.../drivers/net/bonding/bond_macvlan.sh | 99 -------------------
.../net/bonding/bond_macvlan_ipvlan.sh | 96 ++++++++++++++++++
.../selftests/drivers/net/bonding/config | 1 +
4 files changed, 98 insertions(+), 100 deletions(-)
delete mode 100755 tools/testing/selftests/drivers/net/bonding/bond_macvlan.sh
create mode 100755 tools/testing/selftests/drivers/net/bonding/bond_macvlan_ipvlan.sh
diff --git a/tools/testing/selftests/drivers/net/bonding/Makefile b/tools/testing/selftests/drivers/net/bonding/Makefile
index 8a72bb7de70f4..770aa7345aacd 100644
--- a/tools/testing/selftests/drivers/net/bonding/Makefile
+++ b/tools/testing/selftests/drivers/net/bonding/Makefile
@@ -10,7 +10,7 @@ TEST_PROGS := \
mode-2-recovery-updelay.sh \
bond_options.sh \
bond-eth-type-change.sh \
- bond_macvlan.sh
+ bond_macvlan_ipvlan.sh
TEST_FILES := \
lag_lib.sh \
diff --git a/tools/testing/selftests/drivers/net/bonding/bond_macvlan.sh b/tools/testing/selftests/drivers/net/bonding/bond_macvlan.sh
deleted file mode 100755
index b609fb6231f48..0000000000000
--- a/tools/testing/selftests/drivers/net/bonding/bond_macvlan.sh
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/bin/bash
-# SPDX-License-Identifier: GPL-2.0
-#
-# Test macvlan over balance-alb
-
-lib_dir=$(dirname "$0")
-source ${lib_dir}/bond_topo_2d1c.sh
-
-m1_ns="m1-$(mktemp -u XXXXXX)"
-m2_ns="m1-$(mktemp -u XXXXXX)"
-m1_ip4="192.0.2.11"
-m1_ip6="2001:db8::11"
-m2_ip4="192.0.2.12"
-m2_ip6="2001:db8::12"
-
-cleanup()
-{
- ip -n ${m1_ns} link del macv0
- ip netns del ${m1_ns}
- ip -n ${m2_ns} link del macv0
- ip netns del ${m2_ns}
-
- client_destroy
- server_destroy
- gateway_destroy
-}
-
-check_connection()
-{
- local ns=${1}
- local target=${2}
- local message=${3:-"macvlan_over_bond"}
- RET=0
-
-
- ip netns exec ${ns} ping ${target} -c 4 -i 0.1 &>/dev/null
- check_err $? "ping failed"
- log_test "$mode: $message"
-}
-
-macvlan_over_bond()
-{
- local param="$1"
- RET=0
-
- # setup new bond mode
- bond_reset "${param}"
-
- ip -n ${s_ns} link add link bond0 name macv0 type macvlan mode bridge
- ip -n ${s_ns} link set macv0 netns ${m1_ns}
- ip -n ${m1_ns} link set dev macv0 up
- ip -n ${m1_ns} addr add ${m1_ip4}/24 dev macv0
- ip -n ${m1_ns} addr add ${m1_ip6}/24 dev macv0
-
- ip -n ${s_ns} link add link bond0 name macv0 type macvlan mode bridge
- ip -n ${s_ns} link set macv0 netns ${m2_ns}
- ip -n ${m2_ns} link set dev macv0 up
- ip -n ${m2_ns} addr add ${m2_ip4}/24 dev macv0
- ip -n ${m2_ns} addr add ${m2_ip6}/24 dev macv0
-
- sleep 2
-
- check_connection "${c_ns}" "${s_ip4}" "IPv4: client->server"
- check_connection "${c_ns}" "${s_ip6}" "IPv6: client->server"
- check_connection "${c_ns}" "${m1_ip4}" "IPv4: client->macvlan_1"
- check_connection "${c_ns}" "${m1_ip6}" "IPv6: client->macvlan_1"
- check_connection "${c_ns}" "${m2_ip4}" "IPv4: client->macvlan_2"
- check_connection "${c_ns}" "${m2_ip6}" "IPv6: client->macvlan_2"
- check_connection "${m1_ns}" "${m2_ip4}" "IPv4: macvlan_1->macvlan_2"
- check_connection "${m1_ns}" "${m2_ip6}" "IPv6: macvlan_1->macvlan_2"
-
-
- sleep 5
-
- check_connection "${s_ns}" "${c_ip4}" "IPv4: server->client"
- check_connection "${s_ns}" "${c_ip6}" "IPv6: server->client"
- check_connection "${m1_ns}" "${c_ip4}" "IPv4: macvlan_1->client"
- check_connection "${m1_ns}" "${c_ip6}" "IPv6: macvlan_1->client"
- check_connection "${m2_ns}" "${c_ip4}" "IPv4: macvlan_2->client"
- check_connection "${m2_ns}" "${c_ip6}" "IPv6: macvlan_2->client"
- check_connection "${m2_ns}" "${m1_ip4}" "IPv4: macvlan_2->macvlan_2"
- check_connection "${m2_ns}" "${m1_ip6}" "IPv6: macvlan_2->macvlan_2"
-
- ip -n ${c_ns} neigh flush dev eth0
-}
-
-trap cleanup EXIT
-
-setup_prepare
-ip netns add ${m1_ns}
-ip netns add ${m2_ns}
-
-modes="active-backup balance-tlb balance-alb"
-
-for mode in $modes; do
- macvlan_over_bond "mode $mode"
-done
-
-exit $EXIT_STATUS
diff --git a/tools/testing/selftests/drivers/net/bonding/bond_macvlan_ipvlan.sh b/tools/testing/selftests/drivers/net/bonding/bond_macvlan_ipvlan.sh
new file mode 100755
index 0000000000000..c4711272fe45d
--- /dev/null
+++ b/tools/testing/selftests/drivers/net/bonding/bond_macvlan_ipvlan.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Test macvlan/ipvlan over bond
+
+lib_dir=$(dirname "$0")
+source ${lib_dir}/bond_topo_2d1c.sh
+
+xvlan1_ns="xvlan1-$(mktemp -u XXXXXX)"
+xvlan2_ns="xvlan2-$(mktemp -u XXXXXX)"
+xvlan1_ip4="192.0.2.11"
+xvlan1_ip6="2001:db8::11"
+xvlan2_ip4="192.0.2.12"
+xvlan2_ip6="2001:db8::12"
+
+cleanup()
+{
+ client_destroy
+ server_destroy
+ gateway_destroy
+
+ ip netns del ${xvlan1_ns}
+ ip netns del ${xvlan2_ns}
+}
+
+check_connection()
+{
+ local ns=${1}
+ local target=${2}
+ local message=${3}
+ RET=0
+
+ ip netns exec ${ns} ping ${target} -c 4 -i 0.1 &>/dev/null
+ check_err $? "ping failed"
+ log_test "${bond_mode}/${xvlan_type}_${xvlan_mode}: ${message}"
+}
+
+xvlan_over_bond()
+{
+ local param="$1"
+ local xvlan_type="$2"
+ local xvlan_mode="$3"
+ RET=0
+
+ # setup new bond mode
+ bond_reset "${param}"
+
+ ip -n ${s_ns} link add link bond0 name ${xvlan_type}0 type ${xvlan_type} mode ${xvlan_mode}
+ ip -n ${s_ns} link set ${xvlan_type}0 netns ${xvlan1_ns}
+ ip -n ${xvlan1_ns} link set dev ${xvlan_type}0 up
+ ip -n ${xvlan1_ns} addr add ${xvlan1_ip4}/24 dev ${xvlan_type}0
+ ip -n ${xvlan1_ns} addr add ${xvlan1_ip6}/24 dev ${xvlan_type}0
+
+ ip -n ${s_ns} link add link bond0 name ${xvlan_type}0 type ${xvlan_type} mode ${xvlan_mode}
+ ip -n ${s_ns} link set ${xvlan_type}0 netns ${xvlan2_ns}
+ ip -n ${xvlan2_ns} link set dev ${xvlan_type}0 up
+ ip -n ${xvlan2_ns} addr add ${xvlan2_ip4}/24 dev ${xvlan_type}0
+ ip -n ${xvlan2_ns} addr add ${xvlan2_ip6}/24 dev ${xvlan_type}0
+
+ sleep 2
+
+ check_connection "${c_ns}" "${s_ip4}" "IPv4: client->server"
+ check_connection "${c_ns}" "${s_ip6}" "IPv6: client->server"
+ check_connection "${c_ns}" "${xvlan1_ip4}" "IPv4: client->${xvlan_type}_1"
+ check_connection "${c_ns}" "${xvlan1_ip6}" "IPv6: client->${xvlan_type}_1"
+ check_connection "${c_ns}" "${xvlan2_ip4}" "IPv4: client->${xvlan_type}_2"
+ check_connection "${c_ns}" "${xvlan2_ip6}" "IPv6: client->${xvlan_type}_2"
+ check_connection "${xvlan1_ns}" "${xvlan2_ip4}" "IPv4: ${xvlan_type}_1->${xvlan_type}_2"
+ check_connection "${xvlan1_ns}" "${xvlan2_ip6}" "IPv6: ${xvlan_type}_1->${xvlan_type}_2"
+
+ check_connection "${s_ns}" "${c_ip4}" "IPv4: server->client"
+ check_connection "${s_ns}" "${c_ip6}" "IPv6: server->client"
+ check_connection "${xvlan1_ns}" "${c_ip4}" "IPv4: ${xvlan_type}_1->client"
+ check_connection "${xvlan1_ns}" "${c_ip6}" "IPv6: ${xvlan_type}_1->client"
+ check_connection "${xvlan2_ns}" "${c_ip4}" "IPv4: ${xvlan_type}_2->client"
+ check_connection "${xvlan2_ns}" "${c_ip6}" "IPv6: ${xvlan_type}_2->client"
+ check_connection "${xvlan2_ns}" "${xvlan1_ip4}" "IPv4: ${xvlan_type}_2->${xvlan_type}_1"
+ check_connection "${xvlan2_ns}" "${xvlan1_ip6}" "IPv6: ${xvlan_type}_2->${xvlan_type}_1"
+
+ ip -n ${c_ns} neigh flush dev eth0
+}
+
+trap cleanup EXIT
+
+setup_prepare
+ip netns add ${xvlan1_ns}
+ip netns add ${xvlan2_ns}
+
+bond_modes="active-backup balance-tlb balance-alb"
+
+for bond_mode in ${bond_modes}; do
+ xvlan_over_bond "mode ${bond_mode}" macvlan bridge
+ xvlan_over_bond "mode ${bond_mode}" ipvlan l2
+done
+
+exit $EXIT_STATUS
diff --git a/tools/testing/selftests/drivers/net/bonding/config b/tools/testing/selftests/drivers/net/bonding/config
index 899d7fb6ea8e9..dad4e5fda4db3 100644
--- a/tools/testing/selftests/drivers/net/bonding/config
+++ b/tools/testing/selftests/drivers/net/bonding/config
@@ -3,6 +3,7 @@ CONFIG_BRIDGE=y
CONFIG_DUMMY=y
CONFIG_IPV6=y
CONFIG_MACVLAN=y
+CONFIG_IPVLAN=y
CONFIG_NET_ACT_GACT=y
CONFIG_NET_CLS_FLOWER=y
CONFIG_NET_SCH_INGRESS=y
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 248/737] selftests: bonding: add delay before each xvlan_over_bond connectivity check
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 247/737] selftests: bonding: add ipvlan over bond testing Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 249/737] mtd: lpddr_cmds: fix signed shifts in lpddr_cmds Greg Kroah-Hartman
` (499 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Hangbin Liu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 2c28ee720ad14f58eb88a97ec3efe7c5c315ea5d ]
Jakub reported increased flakiness in bond_macvlan_ipvlan.sh on regular
kernel, while the tests consistently pass on a debug kernel. This suggests
a timing-sensitive issue.
To mitigate this, introduce a short sleep before each xvlan_over_bond
connectivity check. The delay helps ensure neighbor and route cache
have fully converged before verifying connectivity.
The sleep interval is kept minimal since check_connection() is invoked
nearly 100 times during the test.
Fixes: 246af950b940 ("selftests: bonding: add macvlan over bond testing")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://lore.kernel.org/netdev/20251114082014.750edfad@kernel.org
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Link: https://patch.msgid.link/20251127143310.47740-1-liuhangbin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/drivers/net/bonding/bond_macvlan_ipvlan.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/drivers/net/bonding/bond_macvlan_ipvlan.sh b/tools/testing/selftests/drivers/net/bonding/bond_macvlan_ipvlan.sh
index c4711272fe45d..559f300f965aa 100755
--- a/tools/testing/selftests/drivers/net/bonding/bond_macvlan_ipvlan.sh
+++ b/tools/testing/selftests/drivers/net/bonding/bond_macvlan_ipvlan.sh
@@ -30,6 +30,7 @@ check_connection()
local message=${3}
RET=0
+ sleep 0.25
ip netns exec ${ns} ping ${target} -c 4 -i 0.1 &>/dev/null
check_err $? "ping failed"
log_test "${bond_mode}/${xvlan_type}_${xvlan_mode}: ${message}"
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 249/737] mtd: lpddr_cmds: fix signed shifts in lpddr_cmds
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 248/737] selftests: bonding: add delay before each xvlan_over_bond connectivity check Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 250/737] remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs Greg Kroah-Hartman
` (498 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Stepchenko, Miquel Raynal,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Stepchenko <sid@itb.spb.ru>
[ Upstream commit c909fec69f84b39e63876c69b9df2c178c6b76ba ]
There are several places where a value of type 'int' is shifted by
lpddr->chipshift. lpddr->chipshift is derived from QINFO geometry and
might reach 31 when QINFO reports a 2 GiB size - the maximum supported by
LPDDR(1) compliant chips. This may cause unexpected sign-extensions when
casting the integer value to the type of 'unsigned long'.
Use '1UL << lpddr->chipshift' and cast 'j' to unsigned long before
shifting so the computation is performed at the destination width.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c68264711ca6 ("[MTD] LPDDR Command set driver")
Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/lpddr/lpddr_cmds.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/mtd/lpddr/lpddr_cmds.c b/drivers/mtd/lpddr/lpddr_cmds.c
index 3c3939bc2dadc..2a2318230936e 100644
--- a/drivers/mtd/lpddr/lpddr_cmds.c
+++ b/drivers/mtd/lpddr/lpddr_cmds.c
@@ -79,7 +79,7 @@ struct mtd_info *lpddr_cmdset(struct map_info *map)
mutex_init(&shared[i].lock);
for (j = 0; j < lpddr->qinfo->HWPartsNum; j++) {
*chip = lpddr->chips[i];
- chip->start += j << lpddr->chipshift;
+ chip->start += (unsigned long)j << lpddr->chipshift;
chip->oldstate = chip->state = FL_READY;
chip->priv = &shared[i];
/* those should be reset too since
@@ -559,7 +559,7 @@ static int lpddr_point(struct mtd_info *mtd, loff_t adr, size_t len,
break;
if ((len + ofs - 1) >> lpddr->chipshift)
- thislen = (1<<lpddr->chipshift) - ofs;
+ thislen = (1UL << lpddr->chipshift) - ofs;
else
thislen = len;
/* get the chip */
@@ -575,7 +575,7 @@ static int lpddr_point(struct mtd_info *mtd, loff_t adr, size_t len,
len -= thislen;
ofs = 0;
- last_end += 1 << lpddr->chipshift;
+ last_end += 1UL << lpddr->chipshift;
chipnum++;
chip = &lpddr->chips[chipnum];
}
@@ -601,7 +601,7 @@ static int lpddr_unpoint (struct mtd_info *mtd, loff_t adr, size_t len)
break;
if ((len + ofs - 1) >> lpddr->chipshift)
- thislen = (1<<lpddr->chipshift) - ofs;
+ thislen = (1UL << lpddr->chipshift) - ofs;
else
thislen = len;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 250/737] remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 249/737] mtd: lpddr_cmds: fix signed shifts in lpddr_cmds Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 251/737] md/raid5: fix IO hang when array is broken with IO inflight Greg Kroah-Hartman
` (497 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandru Gagniuc, Bjorn Andersson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Gagniuc <mr.nuke.me@gmail.com>
[ Upstream commit 7e81fa8d809ed1e67ae9ecd52d20a20c2c65d877 ]
The "qcom,halt-regs" consists of a phandle reference followed by the
three offsets within syscon for halt registers. Thus, we need to
request 4 integers from of_property_read_variable_u32_array(), with
the halt_reg ofsets at indexes 1, 2, and 3. Offset 0 is the phandle.
With MAX_HALT_REG at 3, of_property_read_variable_u32_array() returns
-EOVERFLOW, causing .probe() to fail.
Increase MAX_HALT_REG to 4, and update the indexes accordingly.
Fixes: 0af65b9b915e ("remoteproc: qcom: wcss: Add non pas wcss Q6 support for QCS404")
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Link: https://lore.kernel.org/r/20251129013207.3981517-1-mr.nuke.me@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_q6v5_wcss.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/remoteproc/qcom_q6v5_wcss.c b/drivers/remoteproc/qcom_q6v5_wcss.c
index cff1fa07d1def..f80d701225a18 100644
--- a/drivers/remoteproc/qcom_q6v5_wcss.c
+++ b/drivers/remoteproc/qcom_q6v5_wcss.c
@@ -85,7 +85,7 @@
#define TCSR_WCSS_CLK_MASK 0x1F
#define TCSR_WCSS_CLK_ENABLE 0x14
-#define MAX_HALT_REG 3
+#define MAX_HALT_REG 4
enum {
WCSS_IPQ8074,
WCSS_QCS404,
@@ -863,9 +863,9 @@ static int q6v5_wcss_init_mmio(struct q6v5_wcss *wcss,
return -EINVAL;
}
- wcss->halt_q6 = halt_reg[0];
- wcss->halt_wcss = halt_reg[1];
- wcss->halt_nc = halt_reg[2];
+ wcss->halt_q6 = halt_reg[1];
+ wcss->halt_wcss = halt_reg[2];
+ wcss->halt_nc = halt_reg[3];
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 251/737] md/raid5: fix IO hang when array is broken with IO inflight
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 250/737] remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 252/737] clk: keystone: fix compile testing Greg Kroah-Hartman
` (496 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu Kuai, Li Nan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai@fnnas.com>
[ Upstream commit a913d1f6a7f607c110aeef8b58c8988f47a4b24e ]
Following test can cause IO hang:
mdadm -CvR /dev/md0 -l10 -n4 /dev/sd[abcd] --assume-clean --chunk=64K --bitmap=none
sleep 5
echo 1 > /sys/block/sda/device/delete
echo 1 > /sys/block/sdb/device/delete
echo 1 > /sys/block/sdc/device/delete
echo 1 > /sys/block/sdd/device/delete
dd if=/dev/md0 of=/dev/null bs=8k count=1 iflag=direct
Root cause:
1) all disks removed, however all rdevs in the array is still in sync,
IO will be issued normally.
2) IO failure from sda, and set badblocks failed, sda will be faulty
and MD_SB_CHANGING_PENDING will be set.
3) error recovery try to recover this IO from other disks, IO will be
issued to sdb, sdc, and sdd.
4) IO failure from sdb, and set badblocks failed again, now array is
broken and will become read-only.
5) IO failure from sdc and sdd, however, stripe can't be handled anymore
because MD_SB_CHANGING_PENDING is set:
handle_stripe
handle_stripe
if (test_bit MD_SB_CHANGING_PENDING)
set_bit STRIPE_HANDLE
goto finish
// skip handling failed stripe
release_stripe
if (test_bit STRIPE_HANDLE)
list_add_tail conf->hand_list
6) later raid5d can't handle failed stripe as well:
raid5d
md_check_recovery
md_update_sb
if (!md_is_rdwr())
// can't clear pending bit
return
if (test_bit MD_SB_CHANGING_PENDING)
break;
// can't handle failed stripe
Since MD_SB_CHANGING_PENDING can never be cleared for read-only array,
fix this problem by skip this checking for read-only array.
Link: https://lore.kernel.org/linux-raid/20251117085557.770572-3-yukuai@fnnas.com
Fixes: d87f064f5874 ("md: never update metadata when array is read-only.")
Signed-off-by: Yu Kuai <yukuai@fnnas.com>
Reviewed-by: Li Nan <linan122@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid5.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
index f69e4a6a8a592..aad2b8c0c5418 100644
--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -5002,7 +5002,8 @@ static void handle_stripe(struct stripe_head *sh)
goto finish;
if (s.handle_bad_blocks ||
- test_bit(MD_SB_CHANGE_PENDING, &conf->mddev->sb_flags)) {
+ (md_is_rdwr(conf->mddev) &&
+ test_bit(MD_SB_CHANGE_PENDING, &conf->mddev->sb_flags))) {
set_bit(STRIPE_HANDLE, &sh->state);
goto finish;
}
@@ -6829,7 +6830,8 @@ static void raid5d(struct md_thread *thread)
int batch_size, released;
unsigned int offset;
- if (test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags))
+ if (md_is_rdwr(mddev) &&
+ test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags))
break;
released = release_stripe_list(conf, conf->temp_inactive_list);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 252/737] clk: keystone: fix compile testing
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 251/737] md/raid5: fix IO hang when array is broken with IO inflight Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 253/737] net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop Greg Kroah-Hartman
` (495 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Stephen Boyd,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit b276445e98fe28609688fb85b89a81b803910e63 ]
Some keystone clock drivers can be selected when COMPILE_TEST is
enabled but since commit b745c0794e2f ("clk: keystone: Add sci-clk
driver support") they are never actually built.
Enable compile testing by allowing the build system to process the
keystone drivers.
Fixes: b745c0794e2f ("clk: keystone: Add sci-clk driver support")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/Makefile | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/clk/Makefile b/drivers/clk/Makefile
index 18969cbd4bb1e..8d572021977fd 100644
--- a/drivers/clk/Makefile
+++ b/drivers/clk/Makefile
@@ -95,8 +95,7 @@ obj-$(CONFIG_ARCH_HISI) += hisilicon/
obj-y += imgtec/
obj-y += imx/
obj-y += ingenic/
-obj-$(CONFIG_ARCH_K3) += keystone/
-obj-$(CONFIG_ARCH_KEYSTONE) += keystone/
+obj-y += keystone/
obj-y += mediatek/
obj-$(CONFIG_ARCH_MESON) += meson/
obj-y += microchip/
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 253/737] net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 252/737] clk: keystone: fix compile testing Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 254/737] perf tools: Fix split kallsyms DSO counting Greg Kroah-Hartman
` (494 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei,
Toke Høiland-Jørgensen, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 9fefc78f7f02d71810776fdeb119a05a946a27cc ]
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.
Fixes: 15de71d06a40 ("net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit")
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20251128001415.377823-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 58 ++++++++++++++++++++++++--------------------
1 file changed, 32 insertions(+), 26 deletions(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 85984c91cf51f..14e06f474b6ca 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1609,7 +1609,6 @@ static unsigned int cake_drop(struct Qdisc *sch, struct sk_buff **to_free)
__qdisc_drop(skb, to_free);
sch->q.qlen--;
- qdisc_tree_reduce_backlog(sch, 1, len);
cake_heapify(q, 0);
@@ -1755,14 +1754,14 @@ static void cake_reconfigure(struct Qdisc *sch);
static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
struct sk_buff **to_free)
{
+ u32 idx, tin, prev_qlen, prev_backlog, drop_id;
struct cake_sched_data *q = qdisc_priv(sch);
- int len = qdisc_pkt_len(skb);
- int ret;
+ int len = qdisc_pkt_len(skb), ret;
struct sk_buff *ack = NULL;
ktime_t now = ktime_get();
struct cake_tin_data *b;
struct cake_flow *flow;
- u32 idx, tin;
+ bool same_flow = false;
/* choose flow to insert into */
idx = cake_classify(sch, &b, skb, q->flow_mode, &ret);
@@ -1835,6 +1834,8 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
consume_skb(skb);
} else {
/* not splitting */
+ int ack_pkt_len = 0;
+
cobalt_set_enqueue_time(skb, now);
get_cobalt_cb(skb)->adjusted_len = cake_overhead(q, skb);
flow_queue_add(flow, skb);
@@ -1845,13 +1846,13 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (ack) {
b->ack_drops++;
sch->qstats.drops++;
- b->bytes += qdisc_pkt_len(ack);
- len -= qdisc_pkt_len(ack);
+ ack_pkt_len = qdisc_pkt_len(ack);
+ b->bytes += ack_pkt_len;
q->buffer_used += skb->truesize - ack->truesize;
if (q->rate_flags & CAKE_FLAG_INGRESS)
cake_advance_shaper(q, b, ack, now, true);
- qdisc_tree_reduce_backlog(sch, 1, qdisc_pkt_len(ack));
+ qdisc_tree_reduce_backlog(sch, 1, ack_pkt_len);
consume_skb(ack);
} else {
sch->q.qlen++;
@@ -1860,11 +1861,11 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* stats */
b->packets++;
- b->bytes += len;
- b->backlogs[idx] += len;
- b->tin_backlog += len;
- sch->qstats.backlog += len;
- q->avg_window_bytes += len;
+ b->bytes += len - ack_pkt_len;
+ b->backlogs[idx] += len - ack_pkt_len;
+ b->tin_backlog += len - ack_pkt_len;
+ sch->qstats.backlog += len - ack_pkt_len;
+ q->avg_window_bytes += len - ack_pkt_len;
}
if (q->overflow_timeout)
@@ -1939,24 +1940,29 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (q->buffer_used > q->buffer_max_used)
q->buffer_max_used = q->buffer_used;
- if (q->buffer_used > q->buffer_limit) {
- bool same_flow = false;
- u32 dropped = 0;
- u32 drop_id;
+ if (q->buffer_used <= q->buffer_limit)
+ return NET_XMIT_SUCCESS;
- while (q->buffer_used > q->buffer_limit) {
- dropped++;
- drop_id = cake_drop(sch, to_free);
+ prev_qlen = sch->q.qlen;
+ prev_backlog = sch->qstats.backlog;
- if ((drop_id >> 16) == tin &&
- (drop_id & 0xFFFF) == idx)
- same_flow = true;
- }
- b->drop_overlimit += dropped;
+ while (q->buffer_used > q->buffer_limit) {
+ drop_id = cake_drop(sch, to_free);
+ if ((drop_id >> 16) == tin &&
+ (drop_id & 0xFFFF) == idx)
+ same_flow = true;
+ }
+
+ prev_qlen -= sch->q.qlen;
+ prev_backlog -= sch->qstats.backlog;
+ b->drop_overlimit += prev_qlen;
- if (same_flow)
- return NET_XMIT_CN;
+ if (same_flow) {
+ qdisc_tree_reduce_backlog(sch, prev_qlen - 1,
+ prev_backlog - len);
+ return NET_XMIT_CN;
}
+ qdisc_tree_reduce_backlog(sch, prev_qlen, prev_backlog);
return NET_XMIT_SUCCESS;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 254/737] perf tools: Fix split kallsyms DSO counting
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 253/737] net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 255/737] pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling Greg Kroah-Hartman
` (493 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namhyung Kim <namhyung@kernel.org>
[ Upstream commit ad0b9c4865b98dc37f4d606d26b1c19808796805 ]
It's counted twice as it's increased after calling maps__insert(). I
guess we want to increase it only after it's added properly.
Reviewed-by: Ian Rogers <irogers@google.com>
Fixes: 2e538c4a1847291cf ("perf tools: Improve kernel/modules symbol lookup")
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/symbol.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c
index ea24f21aafc3e..18556b7a76563 100644
--- a/tools/perf/util/symbol.c
+++ b/tools/perf/util/symbol.c
@@ -905,11 +905,11 @@ static int maps__split_kallsyms(struct maps *kmaps, struct dso *dso, u64 delta,
if (dso->kernel == DSO_SPACE__KERNEL_GUEST)
snprintf(dso_name, sizeof(dso_name),
"[guest.kernel].%d",
- kernel_range++);
+ kernel_range);
else
snprintf(dso_name, sizeof(dso_name),
"[kernel].%d",
- kernel_range++);
+ kernel_range);
ndso = dso__new(dso_name);
if (ndso == NULL)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 255/737] pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 254/737] perf tools: Fix split kallsyms DSO counting Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 256/737] pinctrl: single: Fix incorrect type for error return variable Greg Kroah-Hartman
` (492 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthijs Kooijman, Haojian Zhuang,
Tony Lindgren, Linus Walleij, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthijs Kooijman <matthijs@stdin.nl>
[ Upstream commit b5fe46efc147516a908d2d31bf40eb858ab76d51 ]
The pinctrl-single driver handles pin_config_set by looking up the
requested setting in a DT-defined lookup table, which defines what bits
correspond to each setting. There is no way to add
PIN_CONFIG_BIAS_DISABLE entries to the table, since there is instead
code to disable the bias by applying the disable values of both the
pullup and pulldown entries in the table.
However, this code is inside the table-lookup loop, so it would only
execute if there is an entry for PIN_CONFIG_BIAS_DISABLE in the table,
which can never exist, so this code never runs.
This commit lifts the offending code out of the loop, so it just
executes directly whenever PIN_CONFIG_BIAS_DISABLE is requested,
skippipng the table lookup loop.
This also introduces a new `param` variable to make the code slightly
more readable.
This bug seems to have existed when this code was first merged in commit
9dddb4df90d13 ("pinctrl: single: support generic pinconf"). Earlier
versions of this patch did have an entry for PIN_CONFIG_BIAS_DISABLE in
the lookup table, but that was removed, which is probably how this bug
was introduced.
Signed-off-by: Matthijs Kooijman <matthijs@stdin.nl>
Reviewed-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Reviewed-by: Tony Lindgren <tony@atomide.com>
Message-ID: <20240319110633.230329-1-matthijs@stdin.nl>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Stable-dep-of: 61d1bb53547d ("pinctrl: single: Fix incorrect type for error return variable")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-single.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
index 7684039be10cb..5c6d5add6ecac 100644
--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
@@ -556,21 +556,30 @@ static int pcs_pinconf_set(struct pinctrl_dev *pctldev,
unsigned offset = 0, shift = 0, i, data, ret;
u32 arg;
int j;
+ enum pin_config_param param;
ret = pcs_get_function(pctldev, pin, &func);
if (ret)
return ret;
for (j = 0; j < num_configs; j++) {
+ param = pinconf_to_config_param(configs[j]);
+
+ /* BIAS_DISABLE has no entry in the func->conf table */
+ if (param == PIN_CONFIG_BIAS_DISABLE) {
+ /* This just disables all bias entries */
+ pcs_pinconf_clear_bias(pctldev, pin);
+ continue;
+ }
+
for (i = 0; i < func->nconfs; i++) {
- if (pinconf_to_config_param(configs[j])
- != func->conf[i].param)
+ if (param != func->conf[i].param)
continue;
offset = pin * (pcs->width / BITS_PER_BYTE);
data = pcs->read(pcs->base + offset);
arg = pinconf_to_config_argument(configs[j]);
- switch (func->conf[i].param) {
+ switch (param) {
/* 2 parameters */
case PIN_CONFIG_INPUT_SCHMITT:
case PIN_CONFIG_DRIVE_STRENGTH:
@@ -582,9 +591,6 @@ static int pcs_pinconf_set(struct pinctrl_dev *pctldev,
data |= (arg << shift) & func->conf[i].mask;
break;
/* 4 parameters */
- case PIN_CONFIG_BIAS_DISABLE:
- pcs_pinconf_clear_bias(pctldev, pin);
- break;
case PIN_CONFIG_BIAS_PULL_DOWN:
case PIN_CONFIG_BIAS_PULL_UP:
if (arg) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 256/737] pinctrl: single: Fix incorrect type for error return variable
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 255/737] pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 257/737] fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe() Greg Kroah-Hartman
` (491 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Linus Walleij,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 61d1bb53547d42c6bdaec9da4496beb3a1a05264 ]
pcs_pinconf_get() and pcs_pinconf_set() declare ret as unsigned int,
but assign it the return values of pcs_get_function() that may return
negative error codes. This causes negative error codes to be
converted to large positive values.
Change ret from unsigned int to int in both functions.
Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-single.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
index 5c6d5add6ecac..2ee0ee3b6ed14 100644
--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
@@ -489,7 +489,8 @@ static int pcs_pinconf_get(struct pinctrl_dev *pctldev,
struct pcs_device *pcs = pinctrl_dev_get_drvdata(pctldev);
struct pcs_function *func;
enum pin_config_param param;
- unsigned offset = 0, data = 0, i, j, ret;
+ unsigned offset = 0, data = 0, i, j;
+ int ret;
ret = pcs_get_function(pctldev, pin, &func);
if (ret)
@@ -553,9 +554,9 @@ static int pcs_pinconf_set(struct pinctrl_dev *pctldev,
{
struct pcs_device *pcs = pinctrl_dev_get_drvdata(pctldev);
struct pcs_function *func;
- unsigned offset = 0, shift = 0, i, data, ret;
+ unsigned offset = 0, shift = 0, i, data;
u32 arg;
- int j;
+ int j, ret;
enum pin_config_param param;
ret = pcs_get_function(pctldev, pin, &func);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 257/737] fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 256/737] pinctrl: single: Fix incorrect type for error return variable Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 258/737] 9p: fix cache/debug options printing in v9fs_show_options Greg Kroah-Hartman
` (490 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Helge Deller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit 164312662ae9764b83b84d97afb25c42eb2be473 ]
The page allocated for vmem using __get_free_pages() is not freed on the
error paths after it. Fix that by adding a corresponding __free_pages()
call to the error path.
Fixes: facd94bc458a ("fbdev: ssd1307fb: Allocate page aligned video memory.")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/ssd1307fb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/ssd1307fb.c b/drivers/video/fbdev/ssd1307fb.c
index 1a4f90ea7d5a8..bf8ec4861b45c 100644
--- a/drivers/video/fbdev/ssd1307fb.c
+++ b/drivers/video/fbdev/ssd1307fb.c
@@ -688,7 +688,7 @@ static int ssd1307fb_probe(struct i2c_client *client)
if (!ssd1307fb_defio) {
dev_err(dev, "Couldn't allocate deferred io.\n");
ret = -ENOMEM;
- goto fb_alloc_error;
+ goto fb_defio_error;
}
ssd1307fb_defio->delay = HZ / refreshrate;
@@ -766,6 +766,8 @@ static int ssd1307fb_probe(struct i2c_client *client)
regulator_disable(par->vbat_reg);
reset_oled_error:
fb_deferred_io_cleanup(info);
+fb_defio_error:
+ __free_pages(vmem, get_order(vmem_size));
fb_alloc_error:
framebuffer_release(info);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 258/737] 9p: fix cache/debug options printing in v9fs_show_options
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 257/737] fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe() Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 259/737] NFS: Avoid changing nlink when file removes and attribute updates race Greg Kroah-Hartman
` (489 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Sandeen, Remi Pommarel,
Dominique Martinet, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Sandeen <sandeen@redhat.com>
[ Upstream commit f0445613314f474c1a0ec6fa8a5cd153a618f1b6 ]
commit 4eb3117888a92 changed the cache= option to accept either string
shortcuts or bitfield values. It also changed /proc/mounts to emit the
option as the hexadecimal numeric value rather than the shortcut string.
However, by printing "cache=%x" without the leading 0x, shortcuts such
as "cache=loose" will emit "cache=f" and 'f' is not a string that is
parseable by kstrtoint(), so remounting may fail if a remount with
"cache=f" is attempted.
debug=%x has had the same problem since options have been displayed in
c4fac9100456 ("9p: Implement show_options")
Fix these by adding the 0x prefix to the hexadecimal value shown in
/proc/mounts.
Fixes: 4eb3117888a92 ("fs/9p: Rework cache modes and add new options to Documentation")
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Message-ID: <54b93378-dcf1-4b04-922d-c8b4393da299@redhat.com>
[Dominique: use %#x at Al Viro's suggestion, also handle debug]
Tested-by: Remi Pommarel <repk@triplefau.lt>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/9p/v9fs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/9p/v9fs.c b/fs/9p/v9fs.c
index be61810cb7798..159a2aae849b9 100644
--- a/fs/9p/v9fs.c
+++ b/fs/9p/v9fs.c
@@ -101,7 +101,7 @@ int v9fs_show_options(struct seq_file *m, struct dentry *root)
struct v9fs_session_info *v9ses = root->d_sb->s_fs_info;
if (v9ses->debug)
- seq_printf(m, ",debug=%x", v9ses->debug);
+ seq_printf(m, ",debug=%#x", v9ses->debug);
if (!uid_eq(v9ses->dfltuid, V9FS_DEFUID))
seq_printf(m, ",dfltuid=%u",
from_kuid_munged(&init_user_ns, v9ses->dfltuid));
@@ -117,7 +117,7 @@ int v9fs_show_options(struct seq_file *m, struct dentry *root)
if (v9ses->nodev)
seq_puts(m, ",nodevmap");
if (v9ses->cache)
- seq_printf(m, ",cache=%x", v9ses->cache);
+ seq_printf(m, ",cache=%#x", v9ses->cache);
#ifdef CONFIG_9P_FSCACHE
if (v9ses->cachetag && (v9ses->cache & CACHE_FSCACHE))
seq_printf(m, ",cachetag=%s", v9ses->cachetag);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 259/737] NFS: Avoid changing nlink when file removes and attribute updates race
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 258/737] 9p: fix cache/debug options printing in v9fs_show_options Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 260/737] fs/nls: Fix utf16 to utf8 conversion Greg Kroah-Hartman
` (488 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aiden Lambert, Trond Myklebust,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit bd4928ec799b31c492eb63f9f4a0c1e0bb4bb3f7 ]
If a file removal races with another operation that updates its
attributes, then skip the change to nlink, and just mark the attributes
as being stale.
Reported-by: Aiden Lambert <alambert48@gatech.edu>
Fixes: 59a707b0d42e ("NFS: Ensure we revalidate the inode correctly after remove or rename")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/dir.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 385baf871800c..70f55df9e4f95 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1901,13 +1901,15 @@ static int nfs_dentry_delete(const struct dentry *dentry)
}
/* Ensure that we revalidate inode->i_nlink */
-static void nfs_drop_nlink(struct inode *inode)
+static void nfs_drop_nlink(struct inode *inode, unsigned long gencount)
{
+ struct nfs_inode *nfsi = NFS_I(inode);
+
spin_lock(&inode->i_lock);
/* drop the inode if we're reasonably sure this is the last link */
- if (inode->i_nlink > 0)
+ if (inode->i_nlink > 0 && gencount == nfsi->attr_gencount)
drop_nlink(inode);
- NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter();
+ nfsi->attr_gencount = nfs_inc_attr_generation_counter();
nfs_set_cache_invalid(
inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME |
NFS_INO_INVALID_NLINK);
@@ -1921,8 +1923,9 @@ static void nfs_drop_nlink(struct inode *inode)
static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode)
{
if (dentry->d_flags & DCACHE_NFSFS_RENAMED) {
+ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount);
nfs_complete_unlink(dentry, inode);
- nfs_drop_nlink(inode);
+ nfs_drop_nlink(inode, gencount);
}
iput(inode);
}
@@ -2475,9 +2478,11 @@ static int nfs_safe_remove(struct dentry *dentry)
trace_nfs_remove_enter(dir, dentry);
if (inode != NULL) {
+ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount);
+
error = NFS_PROTO(dir)->remove(dir, dentry);
if (error == 0)
- nfs_drop_nlink(inode);
+ nfs_drop_nlink(inode, gencount);
} else
error = NFS_PROTO(dir)->remove(dir, dentry);
if (error == -ENOENT)
@@ -2682,6 +2687,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
{
struct inode *old_inode = d_inode(old_dentry);
struct inode *new_inode = d_inode(new_dentry);
+ unsigned long new_gencount = 0;
struct dentry *dentry = NULL;
struct rpc_task *task;
bool must_unblock = false;
@@ -2734,6 +2740,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
} else {
block_revalidate(new_dentry);
must_unblock = true;
+ new_gencount = NFS_I(new_inode)->attr_gencount;
spin_unlock(&new_dentry->d_lock);
}
@@ -2773,7 +2780,7 @@ int nfs_rename(struct mnt_idmap *idmap, struct inode *old_dir,
new_dir, new_dentry, error);
if (!error) {
if (new_inode != NULL)
- nfs_drop_nlink(new_inode);
+ nfs_drop_nlink(new_inode, new_gencount);
/*
* The d_move() should be here instead of in an async RPC completion
* handler because we need the proper locks to move the dentry. If
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 260/737] fs/nls: Fix utf16 to utf8 conversion
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 259/737] NFS: Avoid changing nlink when file removes and attribute updates race Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 261/737] NFS: Initialise verifiers for visible dentries in readdir and lookup Greg Kroah-Hartman
` (487 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Ilpo Järvinen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 25524b6190295577e4918c689644451365e6466d ]
Currently the function responsible for converting between utf16 and
utf8 strings will ignore any characters that cannot be converted. This
however also includes multi-byte characters that do not fit into the
provided string buffer.
This can cause problems if such a multi-byte character is followed by
a single-byte character. In such a case the multi-byte character might
be ignored when the provided string buffer is too small, but the
single-byte character might fit and is thus still copied into the
resulting string.
Fix this by stop filling the provided string buffer once a character
does not fit. In order to be able to do this extend utf32_to_utf8()
to return useful errno codes instead of -1.
Fixes: 74675a58507e ("NLS: update handling of Unicode")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20251111131125.3379-2-W_Armin@gmx.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nls/nls_base.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
index a026dbd3593f6..7eacded3c17d1 100644
--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -94,7 +94,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
l = u;
if (l > UNICODE_MAX || (l & SURROGATE_MASK) == SURROGATE_PAIR)
- return -1;
+ return -EILSEQ;
nc = 0;
for (t = utf8_table; t->cmask && maxout; t++, maxout--) {
@@ -110,7 +110,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
return nc;
}
}
- return -1;
+ return -EOVERFLOW;
}
EXPORT_SYMBOL(utf32_to_utf8);
@@ -217,8 +217,16 @@ int utf16s_to_utf8s(const wchar_t *pwcs, int inlen, enum utf16_endian endian,
inlen--;
}
size = utf32_to_utf8(u, op, maxout);
- if (size == -1) {
- /* Ignore character and move on */
+ if (size < 0) {
+ if (size == -EILSEQ) {
+ /* Ignore character and move on */
+ continue;
+ }
+ /*
+ * Stop filling the buffer with data once a character
+ * does not fit anymore.
+ */
+ break;
} else {
op += size;
maxout -= size;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 261/737] NFS: Initialise verifiers for visible dentries in readdir and lookup
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 260/737] fs/nls: Fix utf16 to utf8 conversion Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 262/737] NFS: Initialise verifiers for visible dentries in nfs_atomic_open() Greg Kroah-Hartman
` (486 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Stoler, Trond Myklebust,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 9bd545539b233725a3416801f7c374bff0327d6e ]
Ensure that the verifiers are initialised before calling
d_splice_alias() in both nfs_prime_dcache() and nfs_lookup().
Reported-by: Michael Stoler <michael.stoler@vastdata.com>
Fixes: a1147b8281bd ("NFS: Fix up directory verifier races")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/dir.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 70f55df9e4f95..d47e908ef411c 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -785,16 +785,17 @@ void nfs_prime_dcache(struct dentry *parent, struct nfs_entry *entry,
goto out;
}
+ nfs_set_verifier(dentry, dir_verifier);
inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr);
alias = d_splice_alias(inode, dentry);
d_lookup_done(dentry);
if (alias) {
if (IS_ERR(alias))
goto out;
+ nfs_set_verifier(alias, dir_verifier);
dput(dentry);
dentry = alias;
}
- nfs_set_verifier(dentry, dir_verifier);
trace_nfs_readdir_lookup(d_inode(parent), dentry, 0);
out:
dput(dentry);
@@ -2000,13 +2001,14 @@ struct dentry *nfs_lookup(struct inode *dir, struct dentry * dentry, unsigned in
nfs_lookup_advise_force_readdirplus(dir, flags);
no_entry:
+ nfs_set_verifier(dentry, dir_verifier);
res = d_splice_alias(inode, dentry);
if (res != NULL) {
if (IS_ERR(res))
goto out;
+ nfs_set_verifier(res, dir_verifier);
dentry = res;
}
- nfs_set_verifier(dentry, dir_verifier);
out:
trace_nfs_lookup_exit(dir, dentry, flags, PTR_ERR_OR_ZERO(res));
nfs_free_fattr(fattr);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 262/737] NFS: Initialise verifiers for visible dentries in nfs_atomic_open()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 261/737] NFS: Initialise verifiers for visible dentries in readdir and lookup Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 263/737] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Greg Kroah-Hartman
` (485 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Stoler, Trond Myklebust,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 518c32a1bc4f8df1a8442ee8cdfea3e2fcff20a0 ]
Ensure that the verifiers are initialised before calling
d_splice_alias() in nfs_atomic_open().
Reported-by: Michael Stoler <michael.stoler@vastdata.com>
Fixes: 809fd143de88 ("NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index d47e908ef411c..32e922a20d0d4 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -2149,12 +2149,12 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
d_drop(dentry);
switch (err) {
case -ENOENT:
- d_splice_alias(NULL, dentry);
if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE))
dir_verifier = inode_peek_iversion_raw(dir);
else
dir_verifier = nfs_save_change_attribute(dir);
nfs_set_verifier(dentry, dir_verifier);
+ d_splice_alias(NULL, dentry);
break;
case -EISDIR:
case -ENOTDIR:
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 263/737] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 262/737] NFS: Initialise verifiers for visible dentries in nfs_atomic_open() Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 264/737] Revert "nfs: ignore SB_RDONLY when remounting nfs" Greg Kroah-Hartman
` (484 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Curley, Trond Myklebust,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Curley <jcurley@purestorage.com>
[ Upstream commit e0f8058f2cb56de0b7572f51cd563ca5debce746 ]
Fixes a crash when layout is null during this call stack:
write_inode
-> nfs4_write_inode
-> pnfs_layoutcommit_inode
pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
to reference a null layout.
Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid")
Signed-off-by: Jonathan Curley <jcurley@purestorage.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/pnfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index b40c20bd364b0..0737d9a15d862 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -465,6 +465,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
struct pnfs_layout_segment *lseg, *next;
set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
+ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);
list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list)
pnfs_clear_lseg_state(lseg, lseg_list);
pnfs_clear_layoutreturn_info(lo);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 264/737] Revert "nfs: ignore SB_RDONLY when remounting nfs"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 263/737] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 265/737] Revert "nfs: clear SB_RDONLY before getting superblock" Greg Kroah-Hartman
` (483 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alkis Georgopoulos, Li Lingfeng,
Trond Myklebust, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 400fa37afbb11a601c204b72af0f0e5bc2db695c ]
This reverts commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a.
Silently ignoring the "ro" and "rw" mount options causes user confusion,
and regressions.
Reported-by: Alkis Georgopoulos<alkisg@gmail.com>
Cc: Li Lingfeng <lilingfeng3@huawei.com>
Fixes: 80c4de6ab44c ("nfs: ignore SB_RDONLY when remounting nfs")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/super.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 4e72ee57fc8fc..59bf4b2c0f86e 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1020,16 +1020,6 @@ int nfs_reconfigure(struct fs_context *fc)
sync_filesystem(sb);
- /*
- * The SB_RDONLY flag has been removed from the superblock during
- * mounts to prevent interference between different filesystems.
- * Similarly, it is also necessary to ignore the SB_RDONLY flag
- * during reconfiguration; otherwise, it may also result in the
- * creation of redundant superblocks when mounting a directory with
- * different rw and ro flags multiple times.
- */
- fc->sb_flags_mask &= ~SB_RDONLY;
-
/*
* Userspace mount programs that send binary options generally send
* them populated with default values. We have no way to know which
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 265/737] Revert "nfs: clear SB_RDONLY before getting superblock"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 264/737] Revert "nfs: ignore SB_RDONLY when remounting nfs" Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 266/737] Revert "nfs: ignore SB_RDONLY when mounting nfs" Greg Kroah-Hartman
` (482 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alkis Georgopoulos, Li Lingfeng,
Trond Myklebust, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit d216b698d44e33417ad4cc796cb04ccddbb8c0ee ]
This reverts commit 8cd9b785943c57a136536250da80ba1eb6f8eb18.
Silently ignoring the "ro" and "rw" mount options causes user confusion,
and regressions.
Reported-by: Alkis Georgopoulos<alkisg@gmail.com>
Cc: Li Lingfeng <lilingfeng3@huawei.com>
Fixes: 8cd9b785943c ("nfs: clear SB_RDONLY before getting superblock")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/super.c | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 59bf4b2c0f86e..e1bcad5906ae7 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1277,17 +1277,8 @@ int nfs_get_tree_common(struct fs_context *fc)
if (IS_ERR(server))
return PTR_ERR(server);
- /*
- * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a
- * superblock among each filesystem that mounts sub-directories
- * belonging to a single exported root path.
- * To prevent interference between different filesystems, the
- * SB_RDONLY flag should be removed from the superblock.
- */
if (server->flags & NFS_MOUNT_UNSHARED)
compare_super = NULL;
- else
- fc->sb_flags &= ~SB_RDONLY;
/* -o noac implies -o sync */
if (server->flags & NFS_MOUNT_NOAC)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 266/737] Revert "nfs: ignore SB_RDONLY when mounting nfs"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 265/737] Revert "nfs: clear SB_RDONLY before getting superblock" Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 267/737] NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags Greg Kroah-Hartman
` (481 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alkis Georgopoulos, Li Lingfeng,
Trond Myklebust, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit d4a26d34f1946142f9d32e540490e4926ae9a46b ]
This reverts commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3.
Silently ignoring the "ro" and "rw" mount options causes user confusion,
and regressions.
Reported-by: Alkis Georgopoulos<alkisg@gmail.com>
Cc: Li Lingfeng <lilingfeng3@huawei.com>
Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index bde81e0abf0ae..161c8fffbc1d9 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -12,7 +12,7 @@
#include <linux/nfs_page.h>
#include <linux/wait_bit.h>
-#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS)
+#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS)
extern const struct export_operations nfs_export_ops;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 267/737] NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 266/737] Revert "nfs: ignore SB_RDONLY when mounting nfs" Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 268/737] Expand the type of nfs_fattr->valid Greg Kroah-Hartman
` (480 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Trond Myklebust,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 8675c69816e4276b979ff475ee5fac4688f80125 ]
When a filesystem is being automounted, it needs to preserve the
user-set superblock mount options, such as the "ro" flag.
Reported-by: Li Lingfeng <lilingfeng3@huawei.com>
Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
Fixes: f2aedb713c28 ("NFS: Add fs_context support.")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/namespace.c | 6 ++++++
fs/nfs/super.c | 4 ----
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index e7494cdd957e5..40d7163bca870 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -149,6 +149,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
struct vfsmount *mnt = ERR_PTR(-ENOMEM);
struct nfs_server *server = NFS_SB(path->dentry->d_sb);
struct nfs_client *client = server->nfs_client;
+ unsigned long s_flags = path->dentry->d_sb->s_flags;
int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout);
int ret;
@@ -174,6 +175,11 @@ struct vfsmount *nfs_d_automount(struct path *path)
fc->net_ns = get_net(client->cl_net);
}
+ /* Inherit the flags covered by NFS_SB_MASK */
+ fc->sb_flags_mask |= NFS_SB_MASK;
+ fc->sb_flags &= ~NFS_SB_MASK;
+ fc->sb_flags |= s_flags & NFS_SB_MASK;
+
/* for submounts we want the same server; referrals will reassign */
memcpy(&ctx->nfs_server._address, &client->cl_addr, client->cl_addrlen);
ctx->nfs_server.addrlen = client->cl_addrlen;
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index e1bcad5906ae7..2115b0d8ccae7 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1284,10 +1284,6 @@ int nfs_get_tree_common(struct fs_context *fc)
if (server->flags & NFS_MOUNT_NOAC)
fc->sb_flags |= SB_SYNCHRONOUS;
- if (ctx->clone_data.sb)
- if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS)
- fc->sb_flags |= SB_SYNCHRONOUS;
-
/* Get a superblock - note that we may end up sharing one that already exists */
fc->s_fs_info = server;
s = sget_fc(fc, compare_super, nfs_set_super);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 268/737] Expand the type of nfs_fattr->valid
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 267/737] NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 269/737] NFS: Fix inheritance of the block sizes when automounting Greg Kroah-Hartman
` (479 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Lance Shelton,
Benjamin Coddington, Jeff Layton, Trond Myklebust, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@primarydata.com>
[ Upstream commit ce60ab3964782df9ba34f0a64c0bc766dd508bde ]
We need to be able to track more than 32 attributes per inode.
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Lance Shelton <lance.shelton@hammerspace.com>
Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Link: https://lore.kernel.org/r/1e3405fca54efd0be7c91c1da77917b94f5dfcc4.1748515333.git.bcodding@redhat.com
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Stable-dep-of: 2b092175f5e3 ("NFS: Fix inheritance of the block sizes when automounting")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/inode.c | 2 +-
include/linux/nfs_fs_sb.h | 2 +-
include/linux/nfs_xdr.h | 54 +++++++++++++++++++--------------------
3 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 5cd5e4226db36..0d7facfdafb95 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -2086,7 +2086,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
bool attr_changed = false;
bool have_delegation;
- dfprintk(VFS, "NFS: %s(%s/%lu fh_crc=0x%08x ct=%d info=0x%x)\n",
+ dfprintk(VFS, "NFS: %s(%s/%lu fh_crc=0x%08x ct=%d info=0x%llx)\n",
__func__, inode->i_sb->s_id, inode->i_ino,
nfs_display_fhandle_hash(NFS_FH(inode)),
atomic_read(&inode->i_count), fattr->valid);
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index 374b1b208bd89..ac2d720a164f6 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -157,8 +157,8 @@ struct nfs_server {
#define NFS_MOUNT_TRUNK_DISCOVERY 0x04000000
#define NFS_MOUNT_SHUTDOWN 0x08000000
- unsigned int fattr_valid; /* Valid attributes */
unsigned int caps; /* server capabilities */
+ __u64 fattr_valid; /* Valid attributes */
unsigned int rsize; /* read size */
unsigned int rpages; /* read size (in pages) */
unsigned int wsize; /* write size */
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index 12bbb5c636646..e2a99bf46cdf8 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -45,7 +45,7 @@ struct nfs4_threshold {
};
struct nfs_fattr {
- unsigned int valid; /* which fields are valid */
+ __u64 valid; /* which fields are valid */
umode_t mode;
__u32 nlink;
kuid_t uid;
@@ -80,32 +80,32 @@ struct nfs_fattr {
struct nfs4_label *label;
};
-#define NFS_ATTR_FATTR_TYPE (1U << 0)
-#define NFS_ATTR_FATTR_MODE (1U << 1)
-#define NFS_ATTR_FATTR_NLINK (1U << 2)
-#define NFS_ATTR_FATTR_OWNER (1U << 3)
-#define NFS_ATTR_FATTR_GROUP (1U << 4)
-#define NFS_ATTR_FATTR_RDEV (1U << 5)
-#define NFS_ATTR_FATTR_SIZE (1U << 6)
-#define NFS_ATTR_FATTR_PRESIZE (1U << 7)
-#define NFS_ATTR_FATTR_BLOCKS_USED (1U << 8)
-#define NFS_ATTR_FATTR_SPACE_USED (1U << 9)
-#define NFS_ATTR_FATTR_FSID (1U << 10)
-#define NFS_ATTR_FATTR_FILEID (1U << 11)
-#define NFS_ATTR_FATTR_ATIME (1U << 12)
-#define NFS_ATTR_FATTR_MTIME (1U << 13)
-#define NFS_ATTR_FATTR_CTIME (1U << 14)
-#define NFS_ATTR_FATTR_PREMTIME (1U << 15)
-#define NFS_ATTR_FATTR_PRECTIME (1U << 16)
-#define NFS_ATTR_FATTR_CHANGE (1U << 17)
-#define NFS_ATTR_FATTR_PRECHANGE (1U << 18)
-#define NFS_ATTR_FATTR_V4_LOCATIONS (1U << 19)
-#define NFS_ATTR_FATTR_V4_REFERRAL (1U << 20)
-#define NFS_ATTR_FATTR_MOUNTPOINT (1U << 21)
-#define NFS_ATTR_FATTR_MOUNTED_ON_FILEID (1U << 22)
-#define NFS_ATTR_FATTR_OWNER_NAME (1U << 23)
-#define NFS_ATTR_FATTR_GROUP_NAME (1U << 24)
-#define NFS_ATTR_FATTR_V4_SECURITY_LABEL (1U << 25)
+#define NFS_ATTR_FATTR_TYPE BIT_ULL(0)
+#define NFS_ATTR_FATTR_MODE BIT_ULL(1)
+#define NFS_ATTR_FATTR_NLINK BIT_ULL(2)
+#define NFS_ATTR_FATTR_OWNER BIT_ULL(3)
+#define NFS_ATTR_FATTR_GROUP BIT_ULL(4)
+#define NFS_ATTR_FATTR_RDEV BIT_ULL(5)
+#define NFS_ATTR_FATTR_SIZE BIT_ULL(6)
+#define NFS_ATTR_FATTR_PRESIZE BIT_ULL(7)
+#define NFS_ATTR_FATTR_BLOCKS_USED BIT_ULL(8)
+#define NFS_ATTR_FATTR_SPACE_USED BIT_ULL(9)
+#define NFS_ATTR_FATTR_FSID BIT_ULL(10)
+#define NFS_ATTR_FATTR_FILEID BIT_ULL(11)
+#define NFS_ATTR_FATTR_ATIME BIT_ULL(12)
+#define NFS_ATTR_FATTR_MTIME BIT_ULL(13)
+#define NFS_ATTR_FATTR_CTIME BIT_ULL(14)
+#define NFS_ATTR_FATTR_PREMTIME BIT_ULL(15)
+#define NFS_ATTR_FATTR_PRECTIME BIT_ULL(16)
+#define NFS_ATTR_FATTR_CHANGE BIT_ULL(17)
+#define NFS_ATTR_FATTR_PRECHANGE BIT_ULL(18)
+#define NFS_ATTR_FATTR_V4_LOCATIONS BIT_ULL(19)
+#define NFS_ATTR_FATTR_V4_REFERRAL BIT_ULL(20)
+#define NFS_ATTR_FATTR_MOUNTPOINT BIT_ULL(21)
+#define NFS_ATTR_FATTR_MOUNTED_ON_FILEID BIT_ULL(22)
+#define NFS_ATTR_FATTR_OWNER_NAME BIT_ULL(23)
+#define NFS_ATTR_FATTR_GROUP_NAME BIT_ULL(24)
+#define NFS_ATTR_FATTR_V4_SECURITY_LABEL BIT_ULL(25)
#define NFS_ATTR_FATTR (NFS_ATTR_FATTR_TYPE \
| NFS_ATTR_FATTR_MODE \
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 269/737] NFS: Fix inheritance of the block sizes when automounting
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 268/737] Expand the type of nfs_fattr->valid Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 270/737] fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() Greg Kroah-Hartman
` (478 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 2b092175f5e301cdaa935093edfef2be9defb6df ]
Only inherit the block sizes that were actually specified as mount
parameters for the parent mount.
Fixes: 62a55d088cd8 ("NFS: Additional refactoring for fs_context conversion")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/client.c | 21 +++++++++++++++++----
fs/nfs/internal.h | 1 -
fs/nfs/namespace.c | 5 ++++-
fs/nfs/nfs4client.c | 18 ++++++++++++++----
fs/nfs/super.c | 10 +++-------
include/linux/nfs_fs_sb.h | 5 +++++
6 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index 1bcdaee7e856f..de4922ce4ac79 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -759,10 +759,18 @@ static int nfs_init_server(struct nfs_server *server,
server->fattr_valid = NFS_ATTR_FATTR_V4;
}
- if (ctx->rsize)
+ if (ctx->bsize) {
+ server->bsize = ctx->bsize;
+ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE;
+ }
+ if (ctx->rsize) {
server->rsize = nfs_io_size(ctx->rsize, clp->cl_proto);
- if (ctx->wsize)
+ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE;
+ }
+ if (ctx->wsize) {
server->wsize = nfs_io_size(ctx->wsize, clp->cl_proto);
+ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE;
+ }
server->acregmin = ctx->acregmin * HZ;
server->acregmax = ctx->acregmax * HZ;
@@ -954,8 +962,13 @@ EXPORT_SYMBOL_GPL(nfs_probe_server);
void nfs_server_copy_userdata(struct nfs_server *target, struct nfs_server *source)
{
target->flags = source->flags;
- target->rsize = source->rsize;
- target->wsize = source->wsize;
+ target->automount_inherit = source->automount_inherit;
+ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE)
+ target->bsize = source->bsize;
+ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_RSIZE)
+ target->rsize = source->rsize;
+ if (source->automount_inherit & NFS_AUTOMOUNT_INHERIT_WSIZE)
+ target->wsize = source->wsize;
target->acregmin = source->acregmin;
target->acregmax = source->acregmax;
target->acdirmin = source->acdirmin;
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index 161c8fffbc1d9..3d5ae22ed3a81 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -150,7 +150,6 @@ struct nfs_fs_context {
struct super_block *sb;
struct dentry *dentry;
struct nfs_fattr *fattr;
- unsigned int inherited_bsize;
} clone_data;
};
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index 40d7163bca870..923b5c1eb47e9 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -190,6 +190,10 @@ struct vfsmount *nfs_d_automount(struct path *path)
ctx->nfs_mod = client->cl_nfs_mod;
__module_get(ctx->nfs_mod->owner);
+ /* Inherit block sizes if they were specified as mount parameters */
+ if (server->automount_inherit & NFS_AUTOMOUNT_INHERIT_BSIZE)
+ ctx->bsize = server->bsize;
+
ret = client->rpc_ops->submount(fc, server);
if (ret < 0) {
mnt = ERR_PTR(ret);
@@ -290,7 +294,6 @@ int nfs_do_submount(struct fs_context *fc)
return -ENOMEM;
ctx->internal = true;
- ctx->clone_data.inherited_bsize = ctx->clone_data.sb->s_blocksize_bits;
p = nfs_devname(dentry, buffer, 4096);
if (IS_ERR(p)) {
diff --git a/fs/nfs/nfs4client.c b/fs/nfs/nfs4client.c
index b14688da814d6..3f31d05e87ae1 100644
--- a/fs/nfs/nfs4client.c
+++ b/fs/nfs/nfs4client.c
@@ -1176,10 +1176,20 @@ static int nfs4_init_server(struct nfs_server *server, struct fs_context *fc)
if (error < 0)
return error;
- if (ctx->rsize)
- server->rsize = nfs_io_size(ctx->rsize, server->nfs_client->cl_proto);
- if (ctx->wsize)
- server->wsize = nfs_io_size(ctx->wsize, server->nfs_client->cl_proto);
+ if (ctx->bsize) {
+ server->bsize = ctx->bsize;
+ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_BSIZE;
+ }
+ if (ctx->rsize) {
+ server->rsize =
+ nfs_io_size(ctx->rsize, server->nfs_client->cl_proto);
+ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_RSIZE;
+ }
+ if (ctx->wsize) {
+ server->wsize =
+ nfs_io_size(ctx->wsize, server->nfs_client->cl_proto);
+ server->automount_inherit |= NFS_AUTOMOUNT_INHERIT_WSIZE;
+ }
server->acregmin = ctx->acregmin * HZ;
server->acregmax = ctx->acregmax * HZ;
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 2115b0d8ccae7..5c14c30a84c0e 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1060,8 +1060,9 @@ static void nfs_fill_super(struct super_block *sb, struct nfs_fs_context *ctx)
sb->s_blocksize = 0;
sb->s_xattr = server->nfs_client->cl_nfs_mod->xattr;
sb->s_op = server->nfs_client->cl_nfs_mod->sops;
- if (ctx->bsize)
- sb->s_blocksize = nfs_block_size(ctx->bsize, &sb->s_blocksize_bits);
+ if (server->bsize)
+ sb->s_blocksize =
+ nfs_block_size(server->bsize, &sb->s_blocksize_bits);
switch (server->nfs_client->rpc_ops->version) {
case 2:
@@ -1307,13 +1308,8 @@ int nfs_get_tree_common(struct fs_context *fc)
}
if (!s->s_root) {
- unsigned bsize = ctx->clone_data.inherited_bsize;
/* initial superblock/root creation */
nfs_fill_super(s, ctx);
- if (bsize) {
- s->s_blocksize_bits = bsize;
- s->s_blocksize = 1U << bsize;
- }
error = nfs_get_cache_cookie(s, ctx);
if (error < 0)
goto error_splat_super;
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index ac2d720a164f6..4ca77c50e489d 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -157,6 +157,11 @@ struct nfs_server {
#define NFS_MOUNT_TRUNK_DISCOVERY 0x04000000
#define NFS_MOUNT_SHUTDOWN 0x08000000
+ unsigned int automount_inherit; /* Properties inherited by automount */
+#define NFS_AUTOMOUNT_INHERIT_BSIZE 0x0001
+#define NFS_AUTOMOUNT_INHERIT_RSIZE 0x0002
+#define NFS_AUTOMOUNT_INHERIT_WSIZE 0x0004
+
unsigned int caps; /* server capabilities */
__u64 fattr_valid; /* Valid attributes */
unsigned int rsize; /* read size */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 270/737] fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 269/737] NFS: Fix inheritance of the block sizes when automounting Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 271/737] platform/x86: asus-wmi: use brightness_set_blocking() for kbd led Greg Kroah-Hartman
` (477 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Armin Wolf,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit c36f9d7b2869a003a2f7d6ff2c6bac9e62fd7d68 ]
After commit 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion"),
the return values of utf8_to_utf32() and utf32_to_utf8() are
inconsistent when encountering an error: utf8_to_utf32() returns -1,
while utf32_to_utf8() returns errno codes. Fix this inconsistency
by modifying utf8_to_utf32() to return errno codes as well.
Fixes: 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion")
Suggested-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20251129111535.8984-1-W_Armin@gmx.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nls/nls_base.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
index 7eacded3c17d1..f072eb6b563f6 100644
--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -67,19 +67,22 @@ int utf8_to_utf32(const u8 *s, int inlen, unicode_t *pu)
l &= t->lmask;
if (l < t->lval || l > UNICODE_MAX ||
(l & SURROGATE_MASK) == SURROGATE_PAIR)
- return -1;
+ return -EILSEQ;
+
*pu = (unicode_t) l;
return nc;
}
if (inlen <= nc)
- return -1;
+ return -EOVERFLOW;
+
s++;
c = (*s ^ 0x80) & 0xFF;
if (c & 0xC0)
- return -1;
+ return -EILSEQ;
+
l = (l << 6) | c;
}
- return -1;
+ return -EILSEQ;
}
EXPORT_SYMBOL(utf8_to_utf32);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 271/737] platform/x86: asus-wmi: use brightness_set_blocking() for kbd led
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 270/737] fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 272/737] ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure() Greg Kroah-Hartman
` (476 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Khirnov, Andy Shevchenko,
Denis Benato, Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Khirnov <anton@khirnov.net>
[ Upstream commit ccb61a328321ba3f8567e350664c9ca7a42b6c70 ]
kbd_led_set() can sleep, and so may not be used as the brightness_set()
callback.
Otherwise using this led with a trigger leads to system hangs
accompanied by:
BUG: scheduling while atomic: acpi_fakekeyd/2588/0x00000003
CPU: 4 UID: 0 PID: 2588 Comm: acpi_fakekeyd Not tainted 6.17.9+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.9-1
Hardware name: ASUSTeK COMPUTER INC. ASUS EXPERTBOOK B9403CVAR/B9403CVAR, BIOS B9403CVAR.311 12/24/2024
Call Trace:
<TASK>
[...]
schedule_timeout+0xbd/0x100
__down_common+0x175/0x290
down_timeout+0x67/0x70
acpi_os_wait_semaphore+0x57/0x90
[...]
asus_wmi_evaluate_method3+0x87/0x190 [asus_wmi]
led_trigger_event+0x3f/0x60
[...]
Fixes: 9fe44fc98ce4 ("platform/x86: asus-wmi: Simplify the keyboard brightness updating process")
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Denis Benato <benato.denis96@gmail.com>
Link: https://patch.msgid.link/20251129101307.18085-3-anton@khirnov.net
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/asus-wmi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index 2c894ea8aa817..b56be64fcc631 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -1405,14 +1405,14 @@ static void do_kbd_led_set(struct led_classdev *led_cdev, int value)
kbd_led_update(asus);
}
-static void kbd_led_set(struct led_classdev *led_cdev,
- enum led_brightness value)
+static int kbd_led_set(struct led_classdev *led_cdev, enum led_brightness value)
{
/* Prevent disabling keyboard backlight on module unregister */
if (led_cdev->flags & LED_UNREGISTERING)
- return;
+ return 0;
do_kbd_led_set(led_cdev, value);
+ return 0;
}
static void kbd_led_set_by_kbd(struct asus_wmi *asus, enum led_brightness value)
@@ -1565,7 +1565,7 @@ static int asus_wmi_led_init(struct asus_wmi *asus)
asus->kbd_led_wk = led_val;
asus->kbd_led.name = "asus::kbd_backlight";
asus->kbd_led.flags = LED_BRIGHT_HW_CHANGED;
- asus->kbd_led.brightness_set = kbd_led_set;
+ asus->kbd_led.brightness_set_blocking = kbd_led_set;
asus->kbd_led.brightness_get = kbd_led_get;
asus->kbd_led.max_brightness = 3;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 272/737] ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 271/737] platform/x86: asus-wmi: use brightness_set_blocking() for kbd led Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 273/737] ASoC: ak4458: Disable regulator when error happens Greg Kroah-Hartman
` (475 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 0ebbd45c33d0049ebf5a22c1434567f0c420b333 ]
bcm63xx_soc_pcm_new() does not check the return value of
of_dma_configure(), which may fail with -EPROBE_DEFER or
other errors, allowing PCM setup to continue with incomplete
DMA configuration.
Add error checking for of_dma_configure() and return on failure.
Fixes: 88eb404ccc3e ("ASoC: brcm: Add DSL/PON SoC audio driver")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251202101642.492-1-vulab@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/soc/bcm/bcm63xx-pcm-whistler.c b/sound/soc/bcm/bcm63xx-pcm-whistler.c
index 2c600b017524f..760cb18870908 100644
--- a/sound/soc/bcm/bcm63xx-pcm-whistler.c
+++ b/sound/soc/bcm/bcm63xx-pcm-whistler.c
@@ -354,7 +354,9 @@ static int bcm63xx_soc_pcm_new(struct snd_soc_component *component,
i2s_priv = dev_get_drvdata(asoc_rtd_to_cpu(rtd, 0)->dev);
- of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
+ ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
+ if (ret)
+ return ret;
ret = dma_coerce_mask_and_coherent(pcm->card->dev, DMA_BIT_MASK(32));
if (ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 273/737] ASoC: ak4458: Disable regulator when error happens
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 272/737] ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure() Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 274/737] ASoC: ak5558: " Greg Kroah-Hartman
` (474 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit ae585fabb9713a43e358cf606451386757225c95 ]
Disable regulator in runtime resume when error happens to balance
the reference count of regulator.
Fixes: 7e3096e8f823 ("ASoC: ak4458: Add regulator support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20251203100529.3841203-2-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/ak4458.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c
index 77678f85ad946..ec8771158ab25 100644
--- a/sound/soc/codecs/ak4458.c
+++ b/sound/soc/codecs/ak4458.c
@@ -681,7 +681,15 @@ static int __maybe_unused ak4458_runtime_resume(struct device *dev)
regcache_cache_only(ak4458->regmap, false);
regcache_mark_dirty(ak4458->regmap);
- return regcache_sync(ak4458->regmap);
+ ret = regcache_sync(ak4458->regmap);
+ if (ret)
+ goto err;
+
+ return 0;
+err:
+ regcache_cache_only(ak4458->regmap, true);
+ regulator_bulk_disable(ARRAY_SIZE(ak4458->supplies), ak4458->supplies);
+ return ret;
}
#endif /* CONFIG_PM */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 274/737] ASoC: ak5558: Disable regulator when error happens
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 273/737] ASoC: ak4458: Disable regulator when error happens Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 275/737] blk-mq: Abort suspend when wakeup events are pending Greg Kroah-Hartman
` (473 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 1f8f726a2a29c28f65b30880335a1610c5e63594 ]
Disable regulator in runtime resume when error happens to balance
the reference count of regulator.
Fixes: 2ff6d5a108c6 ("ASoC: ak5558: Add regulator support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20251203100529.3841203-3-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/ak5558.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/ak5558.c b/sound/soc/codecs/ak5558.c
index 442e2cb42df4f..aeec8dabfe3fd 100644
--- a/sound/soc/codecs/ak5558.c
+++ b/sound/soc/codecs/ak5558.c
@@ -372,7 +372,15 @@ static int __maybe_unused ak5558_runtime_resume(struct device *dev)
regcache_cache_only(ak5558->regmap, false);
regcache_mark_dirty(ak5558->regmap);
- return regcache_sync(ak5558->regmap);
+ ret = regcache_sync(ak5558->regmap);
+ if (ret)
+ goto err;
+
+ return 0;
+err:
+ regcache_cache_only(ak5558->regmap, true);
+ regulator_bulk_disable(ARRAY_SIZE(ak5558->supplies), ak5558->supplies);
+ return ret;
}
static const struct dev_pm_ops ak5558_pm = {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 275/737] blk-mq: Abort suspend when wakeup events are pending
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 274/737] ASoC: ak5558: " Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 276/737] block: fix comment for op_is_zone_mgmt() to include RESET_ALL Greg Kroah-Hartman
` (472 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cong Zhang, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Zhang <cong.zhang@oss.qualcomm.com>
[ Upstream commit c196bf43d706592d8801a7513603765080e495fb ]
During system suspend, wakeup capable IRQs for block device can be
delayed, which can cause blk_mq_hctx_notify_offline() to hang
indefinitely while waiting for pending request to complete.
Skip the request waiting loop and abort suspend when wakeup events are
pending to prevent the deadlock.
Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 5da948b07058b..4895c8a33d392 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -24,6 +24,7 @@
#include <linux/sched/sysctl.h>
#include <linux/sched/topology.h>
#include <linux/sched/signal.h>
+#include <linux/suspend.h>
#include <linux/delay.h>
#include <linux/crash_dump.h>
#include <linux/prefetch.h>
@@ -3548,6 +3549,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
{
struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node,
struct blk_mq_hw_ctx, cpuhp_online);
+ int ret = 0;
if (!cpumask_test_cpu(cpu, hctx->cpumask) ||
!blk_mq_last_cpu_in_hctx(cpu, hctx))
@@ -3569,12 +3571,24 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
* frozen and there are no requests.
*/
if (percpu_ref_tryget(&hctx->queue->q_usage_counter)) {
- while (blk_mq_hctx_has_requests(hctx))
+ while (blk_mq_hctx_has_requests(hctx)) {
+ /*
+ * The wakeup capable IRQ handler of block device is
+ * not called during suspend. Skip the loop by checking
+ * pm_wakeup_pending to prevent the deadlock and improve
+ * suspend latency.
+ */
+ if (pm_wakeup_pending()) {
+ clear_bit(BLK_MQ_S_INACTIVE, &hctx->state);
+ ret = -EBUSY;
+ break;
+ }
msleep(5);
+ }
percpu_ref_put(&hctx->queue->q_usage_counter);
}
- return 0;
+ return ret;
}
static int blk_mq_hctx_notify_online(unsigned int cpu, struct hlist_node *node)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 276/737] block: fix comment for op_is_zone_mgmt() to include RESET_ALL
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 275/737] blk-mq: Abort suspend when wakeup events are pending Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 277/737] nvme-auth: use kvfree() for memory allocated with kvcalloc() Greg Kroah-Hartman
` (471 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, shechenglong, Damien Le Moal,
Johannes Thumshirn, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: shechenglong <shechenglong@xfusion.com>
[ Upstream commit 8a32282175c964eb15638e8dfe199fc13c060f67 ]
REQ_OP_ZONE_RESET_ALL is a zone management request, and op_is_zone_mgmt()
has returned true for it.
Update the comment to remove the misleading exception note so
the documentation matches the implementation.
Fixes: 12a1c9353c47 ("block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL")
Signed-off-by: shechenglong <shechenglong@xfusion.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/blk_types.h | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
index d328b318e44b1..b8ef39ca3d74f 100644
--- a/include/linux/blk_types.h
+++ b/include/linux/blk_types.h
@@ -508,10 +508,7 @@ static inline bool op_is_discard(blk_opf_t op)
}
/*
- * Check if a bio or request operation is a zone management operation, with
- * the exception of REQ_OP_ZONE_RESET_ALL which is treated as a special case
- * due to its different handling in the block layer and device response in
- * case of command failure.
+ * Check if a bio or request operation is a zone management operation.
*/
static inline bool op_is_zone_mgmt(enum req_op op)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 277/737] nvme-auth: use kvfree() for memory allocated with kvcalloc()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 276/737] block: fix comment for op_is_zone_mgmt() to include RESET_ALL Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 278/737] ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events Greg Kroah-Hartman
` (470 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Israel Rukshin, Max Gurtovoy,
Christoph Hellwig, Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Israel Rukshin <israelr@nvidia.com>
[ Upstream commit bb9f4cca7c031de6f0e85f7ba24abf0172829f85 ]
Memory allocated by kvcalloc() may come from vmalloc or kmalloc,
so use kvfree() instead of kfree() for proper deallocation.
Fixes: aa36d711e945 ("nvme-auth: convert dhchap_auth_list to an array")
Signed-off-by: Israel Rukshin <israelr@nvidia.com>
Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/auth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index 811541ce206bf..f1b0a8e7af896 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -997,7 +997,7 @@ void nvme_auth_free(struct nvme_ctrl *ctrl)
if (ctrl->dhchap_ctxs) {
for (i = 0; i < ctrl_max_dhchaps(ctrl); i++)
nvme_auth_free_dhchap(&ctrl->dhchap_ctxs[i]);
- kfree(ctrl->dhchap_ctxs);
+ kvfree(ctrl->dhchap_ctxs);
}
if (ctrl->host_key) {
nvme_auth_free_key(ctrl->host_key);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 278/737] ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 277/737] nvme-auth: use kvfree() for memory allocated with kvcalloc() Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 279/737] dma/pool: eliminate alloc_pages warning in atomic_pool_expand Greg Kroah-Hartman
` (469 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 210d77cca3d0494ed30a5c628b20c1d95fa04fb1 ]
The DSP event handling code in hwdep_read() could write more bytes to
the user buffer than requested, when a user provides a buffer smaller
than the event header size (8 bytes).
Fix by using min_t() to clamp the copy size, This ensures we never copy
more than the user requested.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78810656377E79E58350D951AFD9A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/firewire/motu/motu-hwdep.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c
index a220ac0c8eb83..28885c8004aea 100644
--- a/sound/firewire/motu/motu-hwdep.c
+++ b/sound/firewire/motu/motu-hwdep.c
@@ -83,10 +83,11 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
event.motu_register_dsp_change.type = SNDRV_FIREWIRE_EVENT_MOTU_REGISTER_DSP_CHANGE;
event.motu_register_dsp_change.count =
(consumed - sizeof(event.motu_register_dsp_change)) / 4;
- if (copy_to_user(buf, &event, sizeof(event.motu_register_dsp_change)))
+ if (copy_to_user(buf, &event,
+ min_t(long, count, sizeof(event.motu_register_dsp_change))))
return -EFAULT;
- count = consumed;
+ count = min_t(long, count, consumed);
} else {
spin_unlock_irq(&motu->lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 279/737] dma/pool: eliminate alloc_pages warning in atomic_pool_expand
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 278/737] ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 280/737] ALSA: uapi: Fix typo in asound.h comment Greg Kroah-Hartman
` (468 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Kleikamp, Robin Murphy,
Marek Szyprowski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Kleikamp <dave.kleikamp@oracle.com>
[ Upstream commit 463d439becb81383f3a5a5d840800131f265a09c ]
atomic_pool_expand iteratively tries the allocation while decrementing
the page order. There is no need to issue a warning if an attempted
allocation fails.
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone")
[mszyprow: fixed typo]
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20251202152810.142370-1-dave.kleikamp@oracle.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/dma/pool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c
index 6b0be9598a973..b3b9c7ec5fc54 100644
--- a/kernel/dma/pool.c
+++ b/kernel/dma/pool.c
@@ -93,7 +93,7 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size,
page = dma_alloc_from_contiguous(NULL, 1 << order,
order, false);
if (!page)
- page = alloc_pages(gfp, order);
+ page = alloc_pages(gfp | __GFP_NOWARN, order);
} while (!page && order-- > 0);
if (!page)
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 280/737] ALSA: uapi: Fix typo in asound.h comment
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 279/737] dma/pool: eliminate alloc_pages warning in atomic_pool_expand Greg Kroah-Hartman
@ 2026-01-09 11:36 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 281/737] rtc: gamecube: Check the return value of ioremap() Greg Kroah-Hartman
` (467 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:36 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andres J Rosa, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andres J Rosa <andyrosa@gmail.com>
[ Upstream commit 9a97857db0c5655b8932f86b5d18bb959079b0ee ]
Fix 'level-shit' to 'level-shift' in struct snd_cea_861_aud_if comment.
Fixes: 7ba1c40b536e ("ALSA: Add definitions for CEA-861 Audio InfoFrames")
Signed-off-by: Andres J Rosa <andyrosa@gmail.com>
Link: https://patch.msgid.link/20251203162509.1822-1-andyrosa@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/sound/asound.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/sound/asound.h b/include/uapi/sound/asound.h
index f9939da411227..10966a9250cd9 100644
--- a/include/uapi/sound/asound.h
+++ b/include/uapi/sound/asound.h
@@ -60,7 +60,7 @@ struct snd_cea_861_aud_if {
unsigned char db2_sf_ss; /* sample frequency and size */
unsigned char db3; /* not used, all zeros */
unsigned char db4_ca; /* channel allocation code */
- unsigned char db5_dminh_lsv; /* downmix inhibit & level-shit values */
+ unsigned char db5_dminh_lsv; /* downmix inhibit & level-shift values */
};
/****************************************************************************
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 281/737] rtc: gamecube: Check the return value of ioremap()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-01-09 11:36 ` [PATCH 6.6 280/737] ALSA: uapi: Fix typo in asound.h comment Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 282/737] ALSA: firewire-motu: add bounds check in put_user loop for DSP events Greg Kroah-Hartman
` (466 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Link Mauve,
Alexandre Belloni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit d1220e47e4bd2be8b84bc158f4dea44f2f88b226 ]
The function ioremap() in gamecube_rtc_read_offset_from_sram() can fail
and return NULL, which is dereferenced without checking, leading to a
NULL pointer dereference.
Add a check for the return value of ioremap() and return -ENOMEM on
failure.
Fixes: 86559400b3ef ("rtc: gamecube: Add a RTC driver for the GameCube, Wii and Wii U")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Link Mauve <kernel@linkmauve.fr>
Link: https://patch.msgid.link/20251126080625.1752-1-vulab@iscas.ac.cn
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-gamecube.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/rtc/rtc-gamecube.c b/drivers/rtc/rtc-gamecube.c
index c828bc8e05b9c..045d5d45ab4b0 100644
--- a/drivers/rtc/rtc-gamecube.c
+++ b/drivers/rtc/rtc-gamecube.c
@@ -242,6 +242,10 @@ static int gamecube_rtc_read_offset_from_sram(struct priv *d)
}
hw_srnprot = ioremap(res.start, resource_size(&res));
+ if (!hw_srnprot) {
+ pr_err("failed to ioremap hw_srnprot\n");
+ return -ENOMEM;
+ }
old = ioread32be(hw_srnprot);
/* TODO: figure out why we use this magic constant. I obtained it by
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 282/737] ALSA: firewire-motu: add bounds check in put_user loop for DSP events
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 281/737] rtc: gamecube: Check the return value of ioremap() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 283/737] ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad() Greg Kroah-Hartman
` (465 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Junrui Luo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 298e753880b6ea99ac30df34959a7a03b0878eed ]
In the DSP event handling code, a put_user() loop copies event data.
When the user buffer size is not aligned to 4 bytes, it could overwrite
beyond the buffer boundary.
Fix by adding a bounds check before put_user().
Suggested-by: Takashi Iwai <tiwai@suse.de>
Fixes: 634ec0b2906e ("ALSA: firewire-motu: notify event for parameter change in register DSP model")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB788112C72AF8A1C8C448B4B8AFA3A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/firewire/motu/motu-hwdep.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/firewire/motu/motu-hwdep.c b/sound/firewire/motu/motu-hwdep.c
index 28885c8004aea..8519a9f9ce2c0 100644
--- a/sound/firewire/motu/motu-hwdep.c
+++ b/sound/firewire/motu/motu-hwdep.c
@@ -75,7 +75,7 @@ static long hwdep_read(struct snd_hwdep *hwdep, char __user *buf, long count,
while (consumed < count &&
snd_motu_register_dsp_message_parser_copy_event(motu, &ev)) {
ptr = (u32 __user *)(buf + consumed);
- if (put_user(ev, ptr))
+ if (consumed + sizeof(ev) > count || put_user(ev, ptr))
return -EFAULT;
consumed += sizeof(ev);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 283/737] ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 282/737] ALSA: firewire-motu: add bounds check in put_user loop for DSP events Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 284/737] block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock Greg Kroah-Hartman
` (464 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xie Yuanbin, Liyuan Pang,
Russell King (Oracle), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liyuan Pang <pangliyuan1@huawei.com>
[ Upstream commit edb924a7211c9aa7a4a415e03caee4d875e46b8e ]
In the inline assembly inside load_unaligned_zeropad(), the "addr" is
constrained as input-only operand. The compiler assumes that on exit
from the asm statement these operands contain the same values as they
had before executing the statement, but when kernel page fault happened, the assembly fixup code "bic %2 %2, #0x3" modify the value of "addr", which may lead to an unexpected behavior.
Use a temporary variable "tmp" to handle it, instead of modifying the
input-only operand, just like what arm64's load_unaligned_zeropad()
does.
Fixes: b9a50f74905a ("ARM: 7450/1: dcache: select DCACHE_WORD_ACCESS for little-endian ARMv6+ CPUs")
Co-developed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Signed-off-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Signed-off-by: Liyuan Pang <pangliyuan1@huawei.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/include/asm/word-at-a-time.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm/include/asm/word-at-a-time.h b/arch/arm/include/asm/word-at-a-time.h
index 352ab213520d2..2e6d0b4349f47 100644
--- a/arch/arm/include/asm/word-at-a-time.h
+++ b/arch/arm/include/asm/word-at-a-time.h
@@ -66,7 +66,7 @@ static inline unsigned long find_zero(unsigned long mask)
*/
static inline unsigned long load_unaligned_zeropad(const void *addr)
{
- unsigned long ret, offset;
+ unsigned long ret, tmp;
/* Load word from unaligned pointer addr */
asm(
@@ -74,9 +74,9 @@ static inline unsigned long load_unaligned_zeropad(const void *addr)
"2:\n"
" .pushsection .text.fixup,\"ax\"\n"
" .align 2\n"
- "3: and %1, %2, #0x3\n"
- " bic %2, %2, #0x3\n"
- " ldr %0, [%2]\n"
+ "3: bic %1, %2, #0x3\n"
+ " ldr %0, [%1]\n"
+ " and %1, %2, #0x3\n"
" lsl %1, %1, #0x3\n"
#ifndef __ARMEB__
" lsr %0, %0, %1\n"
@@ -89,7 +89,7 @@ static inline unsigned long load_unaligned_zeropad(const void *addr)
" .align 3\n"
" .long 1b, 3b\n"
" .popsection"
- : "=&r" (ret), "=&r" (offset)
+ : "=&r" (ret), "=&r" (tmp)
: "r" (addr), "Qo" (*(unsigned long *)addr));
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 284/737] block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 283/737] ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 285/737] dm-raid: fix possible NULL dereference with undefined raid type Greg Kroah-Hartman
` (463 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mohamed Khalfella, Ming Lei,
Bart Van Assche, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mohamed Khalfella <mkhalfella@purestorage.com>
[ Upstream commit 59e25ef2b413c72da6686d431e7759302cfccafa ]
blk_mq_{add,del}_queue_tag_set() functions add and remove queues from
tagset, the functions make sure that tagset and queues are marked as
shared when two or more queues are attached to the same tagset.
Initially a tagset starts as unshared and when the number of added
queues reaches two, blk_mq_add_queue_tag_set() marks it as shared along
with all the queues attached to it. When the number of attached queues
drops to 1 blk_mq_del_queue_tag_set() need to mark both the tagset and
the remaining queues as unshared.
Both functions need to freeze current queues in tagset before setting on
unsetting BLK_MQ_F_TAG_QUEUE_SHARED flag. While doing so, both functions
hold set->tag_list_lock mutex, which makes sense as we do not want
queues to be added or deleted in the process. This used to work fine
until commit 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset")
made the nvme driver quiesce tagset instead of quiscing individual
queues. blk_mq_quiesce_tagset() does the job and quiesce the queues in
set->tag_list while holding set->tag_list_lock also.
This results in deadlock between two threads with these stacktraces:
__schedule+0x47c/0xbb0
? timerqueue_add+0x66/0xb0
schedule+0x1c/0xa0
schedule_preempt_disabled+0xa/0x10
__mutex_lock.constprop.0+0x271/0x600
blk_mq_quiesce_tagset+0x25/0xc0
nvme_dev_disable+0x9c/0x250
nvme_timeout+0x1fc/0x520
blk_mq_handle_expired+0x5c/0x90
bt_iter+0x7e/0x90
blk_mq_queue_tag_busy_iter+0x27e/0x550
? __blk_mq_complete_request_remote+0x10/0x10
? __blk_mq_complete_request_remote+0x10/0x10
? __call_rcu_common.constprop.0+0x1c0/0x210
blk_mq_timeout_work+0x12d/0x170
process_one_work+0x12e/0x2d0
worker_thread+0x288/0x3a0
? rescuer_thread+0x480/0x480
kthread+0xb8/0xe0
? kthread_park+0x80/0x80
ret_from_fork+0x2d/0x50
? kthread_park+0x80/0x80
ret_from_fork_asm+0x11/0x20
__schedule+0x47c/0xbb0
? xas_find+0x161/0x1a0
schedule+0x1c/0xa0
blk_mq_freeze_queue_wait+0x3d/0x70
? destroy_sched_domains_rcu+0x30/0x30
blk_mq_update_tag_set_shared+0x44/0x80
blk_mq_exit_queue+0x141/0x150
del_gendisk+0x25a/0x2d0
nvme_ns_remove+0xc9/0x170
nvme_remove_namespaces+0xc7/0x100
nvme_remove+0x62/0x150
pci_device_remove+0x23/0x60
device_release_driver_internal+0x159/0x200
unbind_store+0x99/0xa0
kernfs_fop_write_iter+0x112/0x1e0
vfs_write+0x2b1/0x3d0
ksys_write+0x4e/0xb0
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x4b/0x53
The top stacktrace is showing nvme_timeout() called to handle nvme
command timeout. timeout handler is trying to disable the controller and
as a first step, it needs to blk_mq_quiesce_tagset() to tell blk-mq not
to call queue callback handlers. The thread is stuck waiting for
set->tag_list_lock as it tries to walk the queues in set->tag_list.
The lock is held by the second thread in the bottom stack which is
waiting for one of queues to be frozen. The queue usage counter will
drop to zero after nvme_timeout() finishes, and this will not happen
because the thread will wait for this mutex forever.
Given that [un]quiescing queue is an operation that does not need to
sleep, update blk_mq_[un]quiesce_tagset() to use RCU instead of taking
set->tag_list_lock, update blk_mq_{add,del}_queue_tag_set() to use RCU
safe list operations. Also, delete INIT_LIST_HEAD(&q->tag_set_list)
in blk_mq_del_queue_tag_set() because we can not re-initialize it while
the list is being traversed under RCU. The deleted queue will not be
added/deleted to/from a tagset and it will be freed in blk_free_queue()
after the end of RCU grace period.
Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
Fixes: 98d81f0df70c ("nvme: use blk_mq_[un]quiesce_tagset")
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 4895c8a33d392..01fe1e7156690 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -280,12 +280,12 @@ void blk_mq_quiesce_tagset(struct blk_mq_tag_set *set)
{
struct request_queue *q;
- mutex_lock(&set->tag_list_lock);
- list_for_each_entry(q, &set->tag_list, tag_set_list) {
+ rcu_read_lock();
+ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) {
if (!blk_queue_skip_tagset_quiesce(q))
blk_mq_quiesce_queue_nowait(q);
}
- mutex_unlock(&set->tag_list_lock);
+ rcu_read_unlock();
blk_mq_wait_quiesce_done(set);
}
@@ -295,12 +295,12 @@ void blk_mq_unquiesce_tagset(struct blk_mq_tag_set *set)
{
struct request_queue *q;
- mutex_lock(&set->tag_list_lock);
- list_for_each_entry(q, &set->tag_list, tag_set_list) {
+ rcu_read_lock();
+ list_for_each_entry_rcu(q, &set->tag_list, tag_set_list) {
if (!blk_queue_skip_tagset_quiesce(q))
blk_mq_unquiesce_queue(q);
}
- mutex_unlock(&set->tag_list_lock);
+ rcu_read_unlock();
}
EXPORT_SYMBOL_GPL(blk_mq_unquiesce_tagset);
@@ -4117,7 +4117,7 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q)
struct blk_mq_tag_set *set = q->tag_set;
mutex_lock(&set->tag_list_lock);
- list_del(&q->tag_set_list);
+ list_del_rcu(&q->tag_set_list);
if (list_is_singular(&set->tag_list)) {
/* just transitioned to unshared */
set->flags &= ~BLK_MQ_F_TAG_QUEUE_SHARED;
@@ -4125,7 +4125,6 @@ static void blk_mq_del_queue_tag_set(struct request_queue *q)
blk_mq_update_tag_set_shared(set, false);
}
mutex_unlock(&set->tag_list_lock);
- INIT_LIST_HEAD(&q->tag_set_list);
}
static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set,
@@ -4144,7 +4143,7 @@ static void blk_mq_add_queue_tag_set(struct blk_mq_tag_set *set,
}
if (set->flags & BLK_MQ_F_TAG_QUEUE_SHARED)
queue_set_hctx_shared(q, true);
- list_add_tail(&q->tag_set_list, &set->tag_list);
+ list_add_tail_rcu(&q->tag_set_list, &set->tag_list);
mutex_unlock(&set->tag_list_lock);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 285/737] dm-raid: fix possible NULL dereference with undefined raid type
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 284/737] block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 286/737] dm log-writes: Add missing set_freezable() for freezable kthread Greg Kroah-Hartman
` (462 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Simakov, Mikulas Patocka,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Simakov <bigalex934@gmail.com>
[ Upstream commit 2f6cfd6d7cb165a7af8877b838a9f6aab4159324 ]
rs->raid_type is assigned from get_raid_type_by_ll(), which may return
NULL. This NULL value could be dereferenced later in the condition
'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'.
Add a fail-fast check to return early with an error if raid_type is NULL,
similar to other uses of this function.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: 33e53f06850f ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping")
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-raid.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
index f23edd79df45e..0c4ab6865182b 100644
--- a/drivers/md/dm-raid.c
+++ b/drivers/md/dm-raid.c
@@ -2259,6 +2259,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev)
mddev->reshape_position = le64_to_cpu(sb->reshape_position);
rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout);
+ if (!rs->raid_type)
+ return -EINVAL;
}
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 286/737] dm log-writes: Add missing set_freezable() for freezable kthread
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 285/737] dm-raid: fix possible NULL dereference with undefined raid type Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 287/737] efi/cper: Add a new helper function to print bitmasks Greg Kroah-Hartman
` (461 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Benjamin Marzinski,
Mikulas Patocka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit ab08f9c8b363297cafaf45475b08f78bf19b88ef ]
The log_writes_kthread() calls try_to_freeze() but lacks set_freezable(),
rendering the freeze attempt ineffective since kernel threads are
non-freezable by default. This prevents proper thread suspension during
system suspend/hibernate.
Add set_freezable() to explicitly mark the thread as freezable.
Fixes: 0e9cebe72459 ("dm: add log writes target")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-log-writes.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c
index f17a6cf2284ec..dabfc856443a9 100644
--- a/drivers/md/dm-log-writes.c
+++ b/drivers/md/dm-log-writes.c
@@ -432,6 +432,7 @@ static int log_writes_kthread(void *arg)
struct log_writes_c *lc = arg;
sector_t sector = 0;
+ set_freezable();
while (!kthread_should_stop()) {
bool super = false;
bool logging_enabled;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 287/737] efi/cper: Add a new helper function to print bitmasks
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 286/737] dm log-writes: Add missing set_freezable() for freezable kthread Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 288/737] efi/cper: Adjust infopfx size to accept an extra space Greg Kroah-Hartman
` (460 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Cameron,
Mauro Carvalho Chehab, Borislav Petkov (AMD), Ard Biesheuvel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ]
Add a helper function to print a string with names associated
to each bit field.
A typical example is:
const char * const bits[] = {
"bit 3 name",
"bit 4 name",
"bit 5 name",
};
char str[120];
unsigned int bitmask = BIT(3) | BIT(5);
#define MASK GENMASK(5,3)
cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
bits, ARRAY_SIZE(bits));
The above code fills string "str" with "bit 3 name|bit 5 name".
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++
include/linux/cper.h | 2 ++
2 files changed, 62 insertions(+)
diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
index 35c37f667781c..cd34ef9384f1e 100644
--- a/drivers/firmware/efi/cper.c
+++ b/drivers/firmware/efi/cper.c
@@ -12,6 +12,7 @@
* Specification version 2.4.
*/
+#include <linux/bitmap.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/time.h>
@@ -106,6 +107,65 @@ void cper_print_bits(const char *pfx, unsigned int bits,
printk("%s\n", buf);
}
+/**
+ * cper_bits_to_str - return a string for set bits
+ * @buf: buffer to store the output string
+ * @buf_size: size of the output string buffer
+ * @bits: bit mask
+ * @strs: string array, indexed by bit position
+ * @strs_size: size of the string array: @strs
+ *
+ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits,
+ * add the corresponding string describing the bit in @strs to @buf.
+ *
+ * A typical example is::
+ *
+ * const char * const bits[] = {
+ * "bit 3 name",
+ * "bit 4 name",
+ * "bit 5 name",
+ * };
+ * char str[120];
+ * unsigned int bitmask = BIT(3) | BIT(5);
+ * #define MASK GENMASK(5,3)
+ *
+ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
+ * bits, ARRAY_SIZE(bits));
+ *
+ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``.
+ *
+ * Return: number of bytes stored or an error code if lower than zero.
+ */
+int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
+ const char * const strs[], unsigned int strs_size)
+{
+ int len = buf_size;
+ char *str = buf;
+ int i, size;
+
+ *buf = '\0';
+
+ for_each_set_bit(i, &bits, strs_size) {
+ if (!(bits & BIT_ULL(i)))
+ continue;
+
+ if (*buf && len > 0) {
+ *str = '|';
+ len--;
+ str++;
+ }
+
+ size = strscpy(str, strs[i], len);
+ if (size < 0)
+ return size;
+
+ len -= size;
+ str += size;
+ }
+ return len - buf_size;
+}
+EXPORT_SYMBOL_GPL(cper_bits_to_str);
+
static const char * const proc_type_strs[] = {
"IA32/X64",
"IA64",
diff --git a/include/linux/cper.h b/include/linux/cper.h
index c1a7dc3251215..f792e4b3df907 100644
--- a/include/linux/cper.h
+++ b/include/linux/cper.h
@@ -561,6 +561,8 @@ const char *cper_mem_err_type_str(unsigned int);
const char *cper_mem_err_status_str(u64 status);
void cper_print_bits(const char *prefix, unsigned int bits,
const char * const strs[], unsigned int strs_size);
+int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
+ const char * const strs[], unsigned int strs_size);
void cper_mem_err_pack(const struct cper_sec_mem_err *,
struct cper_mem_err_compact *);
const char *cper_mem_err_unpack(struct trace_seq *,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 288/737] efi/cper: Adjust infopfx size to accept an extra space
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 287/737] efi/cper: Add a new helper function to print bitmasks Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 289/737] efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs Greg Kroah-Hartman
` (459 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mauro Carvalho Chehab,
Jonathan Cameron, Borislav Petkov (AMD), Ard Biesheuvel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ]
Compiling with W=1 with werror enabled produces an error:
drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’:
drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
| ^
drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64
298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As the logic there adds an space at the end of infopx buffer.
Add an extra space to avoid such warning.
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/cper-arm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
index fa9c1c3bf168b..eb7ee6af55f23 100644
--- a/drivers/firmware/efi/cper-arm.c
+++ b/drivers/firmware/efi/cper-arm.c
@@ -240,7 +240,7 @@ void cper_print_proc_arm(const char *pfx,
int i, len, max_ctx_type;
struct cper_arm_err_info *err_info;
struct cper_arm_ctx_info *ctx_info;
- char newpfx[64], infopfx[64];
+ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 289/737] efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 288/737] efi/cper: Adjust infopfx size to accept an extra space Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 290/737] irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() Greg Kroah-Hartman
` (458 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mauro Carvalho Chehab,
Jonathan Cameron, Borislav Petkov (AMD), Ard Biesheuvel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ]
Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor
was defined simply as:
Type at byte offset 4:
- Cache error
- TLB Error
- Bus Error
- Micro-architectural Error
All other values are reserved
Yet, there was no information about how this would be encoded.
Spec 2.9A errata corrected it by defining:
- Bit 1 - Cache Error
- Bit 2 - TLB Error
- Bit 3 - Bus Error
- Bit 4 - Micro-architectural Error
All other values are reserved
That actually aligns with the values already defined on older
versions at N.2.4.1. Generic Processor Error Section.
Spec 2.10 also preserve the same encoding as 2.9A.
Adjust CPER and GHES handling code for both generic and ARM
processors to properly handle UEFI 2.9A and 2.10 encoding.
Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/ghes.c | 16 +++++++----
drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++-----------------
include/linux/cper.h | 10 +++----
3 files changed, 39 insertions(+), 37 deletions(-)
diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index ec364c2541124..e768dfd345fb2 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -22,6 +22,7 @@
#include <linux/moduleparam.h>
#include <linux/init.h>
#include <linux/acpi.h>
+#include <linux/bitfield.h>
#include <linux/io.h>
#include <linux/interrupt.h>
#include <linux/timer.h>
@@ -528,6 +529,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
{
struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
int flags = sync ? MF_ACTION_REQUIRED : 0;
+ char error_type[120];
bool queued = false;
int sec_sev, i;
char *p;
@@ -541,9 +543,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
p = (char *)(err + 1);
for (i = 0; i < err->err_info_num; i++) {
struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p;
- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR);
+ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR;
bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR);
- const char *error_type = "unknown error";
/*
* The field (err_info->error_info & BIT(26)) is fixed to set to
@@ -557,12 +558,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
continue;
}
- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs))
- error_type = cper_proc_error_type_strs[err_info->type];
+ cper_bits_to_str(error_type, sizeof(error_type),
+ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
+ cper_proc_error_type_strs,
+ ARRAY_SIZE(cper_proc_error_type_strs));
pr_warn_ratelimited(FW_WARN GHES_PFX
- "Unhandled processor error type: %s\n",
- error_type);
+ "Unhandled processor error type 0x%02x: %s%s\n",
+ err_info->type, error_type,
+ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
p += err_info->length;
}
diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
index eb7ee6af55f23..52d18490b59e3 100644
--- a/drivers/firmware/efi/cper-arm.c
+++ b/drivers/firmware/efi/cper-arm.c
@@ -93,15 +93,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
bool proc_context_corrupt, corrected, precise_pc, restartable_pc;
bool time_out, access_mode;
- /* If the type is unknown, bail. */
- if (type > CPER_ARM_MAX_TYPE)
- return;
-
/*
* Vendor type errors have error information values that are vendor
* specific.
*/
- if (type == CPER_ARM_VENDOR_ERROR)
+ if (type & CPER_ARM_VENDOR_ERROR)
return;
if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) {
@@ -116,43 +112,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) {
op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT)
& CPER_ARM_ERR_OPERATION_MASK);
- switch (type) {
- case CPER_ARM_CACHE_ERROR:
+ if (type & CPER_ARM_CACHE_ERROR) {
if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) {
- printk("%soperation type: %s\n", pfx,
+ printk("%scache error, operation type: %s\n", pfx,
arm_cache_err_op_strs[op_type]);
}
- break;
- case CPER_ARM_TLB_ERROR:
+ }
+ if (type & CPER_ARM_TLB_ERROR) {
if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) {
- printk("%soperation type: %s\n", pfx,
+ printk("%sTLB error, operation type: %s\n", pfx,
arm_tlb_err_op_strs[op_type]);
}
- break;
- case CPER_ARM_BUS_ERROR:
+ }
+ if (type & CPER_ARM_BUS_ERROR) {
if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) {
- printk("%soperation type: %s\n", pfx,
+ printk("%sbus error, operation type: %s\n", pfx,
arm_bus_err_op_strs[op_type]);
}
- break;
}
}
if (error_info & CPER_ARM_ERR_VALID_LEVEL) {
level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT)
& CPER_ARM_ERR_LEVEL_MASK);
- switch (type) {
- case CPER_ARM_CACHE_ERROR:
+ if (type & CPER_ARM_CACHE_ERROR)
printk("%scache level: %d\n", pfx, level);
- break;
- case CPER_ARM_TLB_ERROR:
+
+ if (type & CPER_ARM_TLB_ERROR)
printk("%sTLB level: %d\n", pfx, level);
- break;
- case CPER_ARM_BUS_ERROR:
+
+ if (type & CPER_ARM_BUS_ERROR)
printk("%saffinity level at which the bus error occurred: %d\n",
pfx, level);
- break;
- }
}
if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) {
@@ -241,6 +232,7 @@ void cper_print_proc_arm(const char *pfx,
struct cper_arm_err_info *err_info;
struct cper_arm_ctx_info *ctx_info;
char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
+ char error_type[120];
printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
@@ -289,9 +281,15 @@ void cper_print_proc_arm(const char *pfx,
newpfx);
}
- printk("%serror_type: %d, %s\n", newpfx, err_info->type,
- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ?
- cper_proc_error_type_strs[err_info->type] : "unknown");
+ cper_bits_to_str(error_type, sizeof(error_type),
+ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
+ cper_proc_error_type_strs,
+ ARRAY_SIZE(cper_proc_error_type_strs));
+
+ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type,
+ error_type,
+ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
+
if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) {
printk("%serror_info: 0x%016llx\n", newpfx,
err_info->error_info);
diff --git a/include/linux/cper.h b/include/linux/cper.h
index f792e4b3df907..ad1ed24730917 100644
--- a/include/linux/cper.h
+++ b/include/linux/cper.h
@@ -270,11 +270,11 @@ enum {
#define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2)
#define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3)
-#define CPER_ARM_CACHE_ERROR 0
-#define CPER_ARM_TLB_ERROR 1
-#define CPER_ARM_BUS_ERROR 2
-#define CPER_ARM_VENDOR_ERROR 3
-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR
+#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1)
+#define CPER_ARM_CACHE_ERROR BIT(1)
+#define CPER_ARM_TLB_ERROR BIT(2)
+#define CPER_ARM_BUS_ERROR BIT(3)
+#define CPER_ARM_VENDOR_ERROR BIT(4)
#define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0)
#define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 290/737] irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 289/737] efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 291/737] ocfs2: fix memory leak in ocfs2_merge_rec_left() Greg Kroah-Hartman
` (457 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Thomas Gleixner,
Claudiu Beznea, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 7dbc0d40d8347bd9de55c904f59ea44bcc8dedb7 ]
If irq_domain_translate_twocell() sets "hwirq" to >= MCHP_EIC_NIRQ (2) then
it results in an out of bounds access.
The code checks for invalid values, but doesn't set the error code. Return
-EINVAL in that case, instead of returning success.
Fixes: 00fa3461c86d ("irqchip/mchp-eic: Add support for the Microchip EIC")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Link: https://patch.msgid.link/aTfHmOz6IBpTIPU5@stanley.mountain
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-mchp-eic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-mchp-eic.c b/drivers/irqchip/irq-mchp-eic.c
index 5dcd94c000a26..8a5baa0987a4b 100644
--- a/drivers/irqchip/irq-mchp-eic.c
+++ b/drivers/irqchip/irq-mchp-eic.c
@@ -166,7 +166,7 @@ static int mchp_eic_domain_alloc(struct irq_domain *domain, unsigned int virq,
ret = irq_domain_translate_twocell(domain, fwspec, &hwirq, &type);
if (ret || hwirq >= MCHP_EIC_NIRQ)
- return ret;
+ return ret ?: -EINVAL;
switch (type) {
case IRQ_TYPE_EDGE_RISING:
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 291/737] ocfs2: fix memory leak in ocfs2_merge_rec_left()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 290/737] irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 292/737] [PATCH 6.12] LoongArch: Add machine_kexec_mask_interrupts() implementation Greg Kroah-Hartman
` (456 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov,
syzbot+cfc7cab3bb6eaa7c4de2, Heming Zhao, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao, Andrew Morton,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ]
In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after
move, thus allowing 'ocfs2_free_path()' to free it before return.
Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru
Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/alloc.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index e6191249169e6..af40f0da3a95c 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -3647,7 +3647,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path,
* So we use the new rightmost path.
*/
ocfs2_mv_path(right_path, left_path);
- left_path = NULL;
} else
ocfs2_complete_edge_insert(handle, left_path,
right_path, subtree_index);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 292/737] [PATCH 6.12] LoongArch: Add machine_kexec_mask_interrupts() implementation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 291/737] ocfs2: fix memory leak in ocfs2_merge_rec_left() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 293/737] net: lan743x: Allocate rings outside ZONE_DMA Greg Kroah-Hartman
` (455 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tianyang Zhang, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
Commit 863a320dc6fd7c855f47da4b ("LoongArch: Mask all interrupts during
kexec/kdump") is backported to LTS branches, but they lack a generic
machine_kexec_mask_interrupts() implementation, so add an arch-specific
one.
Signed-off-by: Tianyang Zhang <zhangtianyang@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/machine_kexec.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/arch/loongarch/kernel/machine_kexec.c
+++ b/arch/loongarch/kernel/machine_kexec.c
@@ -136,6 +136,28 @@ void kexec_reboot(void)
BUG();
}
+static void machine_kexec_mask_interrupts(void)
+{
+ unsigned int i;
+ struct irq_desc *desc;
+
+ for_each_irq_desc(i, desc) {
+ struct irq_chip *chip;
+
+ chip = irq_desc_get_chip(desc);
+ if (!chip)
+ continue;
+
+ if (chip->irq_eoi && irqd_irq_inprogress(&desc->irq_data))
+ chip->irq_eoi(&desc->irq_data);
+
+ if (chip->irq_mask)
+ chip->irq_mask(&desc->irq_data);
+
+ if (chip->irq_disable && !irqd_irq_disabled(&desc->irq_data))
+ chip->irq_disable(&desc->irq_data);
+ }
+}
#ifdef CONFIG_SMP
static void kexec_shutdown_secondary(void *regs)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 293/737] net: lan743x: Allocate rings outside ZONE_DMA
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 292/737] [PATCH 6.12] LoongArch: Add machine_kexec_mask_interrupts() implementation Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 294/737] usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt Greg Kroah-Hartman
` (454 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang, Liyin(CN),
Thangaraj Samynathan, Simon Horman, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thangaraj Samynathan <thangaraj.s@microchip.com>
commit 8a8f3f4991761a70834fe6719d09e9fd338a766e upstream.
The driver allocates ring elements using GFP_DMA flags. There is
no dependency from LAN743x hardware on memory allocation should be
in DMA_ZONE. Hence modifying the flags to use only GFP_ATOMIC. This
is consistent with other callers of lan743x_rx_init_ring_element().
Reported-by: Zhang, Liyin(CN) <Liyin.Zhang.CN@windriver.com>
Signed-off-by: Thangaraj Samynathan <thangaraj.s@microchip.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250415044509.6695-1-thangaraj.s@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/microchip/lan743x_main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -2633,8 +2633,7 @@ static int lan743x_rx_process_buffer(str
/* save existing skb, allocate new skb and map to dma */
skb = buffer_info->skb;
- if (lan743x_rx_init_ring_element(rx, rx->last_head,
- GFP_ATOMIC | GFP_DMA)) {
+ if (lan743x_rx_init_ring_element(rx, rx->last_head, GFP_ATOMIC)) {
/* failed to allocate next skb.
* Memory is very low.
* Drop this packet and reuse buffer.
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 294/737] usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 293/737] net: lan743x: Allocate rings outside ZONE_DMA Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 295/737] usb: phy: Initialize struct usb_phy list_head Greg Kroah-Hartman
` (453 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Haotien Hsu, Wayne Chang
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotien Hsu <haotienh@nvidia.com>
commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream.
The driver previously skipped handling ClearFeature(ENDPOINT_HALT)
when the endpoint was already not halted. This prevented the
controller from resetting the data sequence number and reinitializing
the endpoint state.
According to USB 3.2 specification Rev. 1.1, section 9.4.5,
ClearFeature(ENDPOINT_HALT) must always reset the data sequence and
set the stream state machine to Disabled, regardless of whether the
endpoint was halted.
Remove the early return so that ClearFeature(ENDPOINT_HALT) always
resets the endpoint sequence state as required by the specification.
Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
Cc: stable <stable@kernel.org>
Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/tegra-xudc.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/usb/gadget/udc/tegra-xudc.c
+++ b/drivers/usb/gadget/udc/tegra-xudc.c
@@ -1554,12 +1554,6 @@ static int __tegra_xudc_ep_set_halt(stru
return -ENOTSUPP;
}
- if (!!(xudc_readl(xudc, EP_HALT) & BIT(ep->index)) == halt) {
- dev_dbg(xudc->dev, "EP %u already %s\n", ep->index,
- halt ? "halted" : "not halted");
- return 0;
- }
-
if (halt) {
ep_halt(xudc, ep->index);
} else {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 295/737] usb: phy: Initialize struct usb_phy list_head
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 294/737] usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 296/737] ALSA: dice: fix buffer overflow in detect_stream_formats() Greg Kroah-Hartman
` (452 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Diogo Ivo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
commit c69ff68b097b0f53333114f1b2c3dc128f389596 upstream.
As part of the registration of a new 'struct usb_phy' with the USB PHY core
via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct
usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in
order for the new instance x to be stored in phy_list, a static list
kept internally by the core.
After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
when executing either of the registration functions above it is possible
that usb_add_extcon() fails, leading to either function returning before
the call to list_add_tail(), leaving x->head uninitialized.
Then, when a driver tries to undo the failed registration by calling
usb_remove_phy(struct usb_phy *x) there will be an unconditional call to
list_del(&x->head) acting on an uninitialized variable, and thus a
possible NULL pointer dereference.
Fix this by initializing x->head before usb_add_extcon() has a
chance to fail. Note that this was not needed before 7d21114dc6a2 since
list_add_phy() was executed unconditionally and it guaranteed that x->head
was initialized.
Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
Cc: stable <stable@kernel.org>
Signed-off-by: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
Link: https://patch.msgid.link/20251121-diogo-smaug_typec-v2-1-5c37c1169d57@tecnico.ulisboa.pt
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/phy/phy.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/phy/phy.c
+++ b/drivers/usb/phy/phy.c
@@ -672,6 +672,8 @@ int usb_add_phy(struct usb_phy *x, enum
return -EINVAL;
}
+ INIT_LIST_HEAD(&x->head);
+
usb_charger_init(x);
ret = usb_add_extcon(x);
if (ret)
@@ -722,6 +724,8 @@ int usb_add_phy_dev(struct usb_phy *x)
return -EINVAL;
}
+ INIT_LIST_HEAD(&x->head);
+
usb_charger_init(x);
ret = usb_add_extcon(x);
if (ret)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 296/737] ALSA: dice: fix buffer overflow in detect_stream_formats()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 295/737] usb: phy: Initialize struct usb_phy list_head Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 297/737] ipv6: avoid possible NULL deref in modify_prefix_route() Greg Kroah-Hartman
` (451 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Takashi Sakamoto, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 324f3e03e8a85931ce0880654e3c3eb38b0f0bba upstream.
The function detect_stream_formats() reads the stream_count value directly
from a FireWire device without validating it. This can lead to
out-of-bounds writes when a malicious device provides a stream_count value
greater than MAX_STREAMS.
Fix by applying the same validation to both TX and RX stream counts in
detect_stream_formats().
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
Cc: stable@vger.kernel.org
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/firewire/dice/dice-extension.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/firewire/dice/dice-extension.c
+++ b/sound/firewire/dice/dice-extension.c
@@ -116,7 +116,7 @@ static int detect_stream_formats(struct
break;
base_offset += EXT_APP_STREAM_ENTRIES;
- stream_count = be32_to_cpu(reg[0]);
+ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
err = read_stream_entries(dice, section_addr, base_offset,
stream_count, mode,
dice->tx_pcm_chs,
@@ -125,7 +125,7 @@ static int detect_stream_formats(struct
break;
base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
- stream_count = be32_to_cpu(reg[1]);
+ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
err = read_stream_entries(dice, section_addr, base_offset,
stream_count,
mode, dice->rx_pcm_chs,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 297/737] ipv6: avoid possible NULL deref in modify_prefix_route()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 296/737] ALSA: dice: fix buffer overflow in detect_stream_formats() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 298/737] ipv6: add exception routes to GC list in rt6_insert_exception Greg Kroah-Hartman
` (450 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1de74b0794c40c8eb300,
Eric Dumazet, Kui-Feng Lee, David Ahern, David S. Miller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit a747e02430dfb3657141f99aa6b09331283fa493 upstream.
syzbot found a NULL deref [1] in modify_prefix_route(), caused by one
fib6_info without a fib6_table pointer set.
This can happen for net->ipv6.fib6_null_entry
[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
CPU: 1 UID: 0 PID: 5837 Comm: syz-executor888 Not tainted 6.12.0-syzkaller-09567-g7eef7e306d3c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:__lock_acquire+0xe4/0x3c40 kernel/locking/lockdep.c:5089
Code: 08 84 d2 0f 85 15 14 00 00 44 8b 0d ca 98 f5 0e 45 85 c9 0f 84 b4 0e 00 00 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 96 2c 00 00 49 8b 04 24 48 3d a0 07 7f 93 0f 84
RSP: 0018:ffffc900035d7268 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000006 RSI: 1ffff920006bae5f RDI: 0000000000000030
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90608e17 R11: 0000000000000001 R12: 0000000000000030
R13: ffff888036334880 R14: 0000000000000000 R15: 0000000000000000
FS: 0000555579e90380(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc59cc4278 CR3: 0000000072b54000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5849
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
_raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:356 [inline]
modify_prefix_route+0x30b/0x8b0 net/ipv6/addrconf.c:4831
inet6_addr_modify net/ipv6/addrconf.c:4923 [inline]
inet6_rtm_newaddr+0x12c7/0x1ab0 net/ipv6/addrconf.c:5055
rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6920
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2541
netlink_unicast_kernel net/netlink/af_netlink.c:1321 [inline]
netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1347
netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1891
sock_sendmsg_nosec net/socket.c:711 [inline]
__sock_sendmsg net/socket.c:726 [inline]
____sys_sendmsg+0xaaf/0xc90 net/socket.c:2583
___sys_sendmsg+0x135/0x1e0 net/socket.c:2637
__sys_sendmsg+0x16e/0x220 net/socket.c:2669
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd1dcef8b79
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc59cc4378 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd1dcef8b79
RDX: 0000000000040040 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 00000000000113fd R08: 0000000000000006 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 00007ffc59cc438c
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
Fixes: 5eb902b8e719 ("net/ipv6: Remove expired routes with a separated list of routes.")
Reported-by: syzbot+1de74b0794c40c8eb300@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/67461f7f.050a0220.1286eb.0021.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
CC: Kui-Feng Lee <thinker.li@gmail.com>
Cc: David Ahern <dsahern@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/addrconf.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4784,7 +4784,7 @@ inet6_rtm_deladdr(struct sk_buff *skb, s
ifm->ifa_prefixlen, extack);
}
-static int modify_prefix_route(struct inet6_ifaddr *ifp,
+static int modify_prefix_route(struct net *net, struct inet6_ifaddr *ifp,
unsigned long expires, u32 flags,
bool modify_peer)
{
@@ -4808,7 +4808,9 @@ static int modify_prefix_route(struct in
ifp->prefix_len,
ifp->rt_priority, ifp->idev->dev,
expires, flags, GFP_KERNEL);
- } else {
+ return 0;
+ }
+ if (f6i != net->ipv6.fib6_null_entry) {
table = f6i->fib6_table;
spin_lock_bh(&table->tb6_lock);
@@ -4821,9 +4823,8 @@ static int modify_prefix_route(struct in
}
spin_unlock_bh(&table->tb6_lock);
-
- fib6_info_release(f6i);
}
+ fib6_info_release(f6i);
return 0;
}
@@ -4902,7 +4903,7 @@ static int inet6_addr_modify(struct net
int rc = -ENOENT;
if (had_prefixroute)
- rc = modify_prefix_route(ifp, expires, flags, false);
+ rc = modify_prefix_route(net, ifp, expires, flags, false);
/* prefix route could have been deleted; if so restore it */
if (rc == -ENOENT) {
@@ -4912,7 +4913,7 @@ static int inet6_addr_modify(struct net
}
if (had_prefixroute && !ipv6_addr_any(&ifp->peer_addr))
- rc = modify_prefix_route(ifp, expires, flags, true);
+ rc = modify_prefix_route(net, ifp, expires, flags, true);
if (rc == -ENOENT && !ipv6_addr_any(&ifp->peer_addr)) {
addrconf_prefix_route(&ifp->peer_addr, ifp->prefix_len,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 298/737] ipv6: add exception routes to GC list in rt6_insert_exception
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 297/737] ipv6: avoid possible NULL deref in modify_prefix_route() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 299/737] btrfs: do not skip logging new dentries when logging a new name Greg Kroah-Hartman
` (449 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianlin Shi, Xin Long, David Ahern,
Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit cfe82469a00f0c0983bf4652de3a2972637dfc56 upstream.
Commit 5eb902b8e719 ("net/ipv6: Remove expired routes with a separated list
of routes.") introduced a separated list for managing route expiration via
the GC timer.
However, it missed adding exception routes (created by ip6_rt_update_pmtu()
and rt6_do_redirect()) to this GC list. As a result, these exceptions were
never considered for expiration and removal, leading to stale entries
persisting in the routing table.
This patch fixes the issue by calling fib6_add_gc_list() in
rt6_insert_exception(), ensuring that exception routes are properly tracked
and garbage collected when expired.
Fixes: 5eb902b8e719 ("net/ipv6: Remove expired routes with a separated list of routes.")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/837e7506ffb63f47faa2b05d9b85481aad28e1a4.1744134377.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/route.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1772,6 +1772,7 @@ out:
if (!err) {
spin_lock_bh(&f6i->fib6_table->tb6_lock);
fib6_update_sernum(net, f6i);
+ fib6_add_gc_list(f6i);
spin_unlock_bh(&f6i->fib6_table->tb6_lock);
fib6_force_start_gc(net);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 299/737] btrfs: do not skip logging new dentries when logging a new name
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 298/737] ipv6: add exception routes to GC list in rt6_insert_exception Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 300/737] btrfs: fix a potential path leak in print_data_reloc_error() Greg Kroah-Hartman
` (448 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vyacheslav Kovalevsky, Boris Burkov,
Filipe Manana, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 5630f7557de61264ccb4f031d4734a1a97eaed16 ]
When we are logging a directory and the log context indicates that we
are logging a new name for some other file (that is or was inside that
directory), we skip logging the inodes for new dentries in the directory.
This is ok most of the time, but if after the rename or link operation
that triggered the logging of that directory, we have an explicit fsync
of that directory without the directory inode being evicted and reloaded,
we end up never logging the inodes for the new dentries that we found
during the new name logging, as the next directory fsync will only process
dentries that were added after the last time we logged the directory (we
are doing an incremental directory logging).
So make sure we always log new dentries for a directory even if we are
in a context of logging a new name.
We started skipping logging inodes for new dentries as of commit
c48792c6ee7a ("btrfs: do not log new dentries when logging that a new name
exists") and it was fine back then, because when logging a directory we
always iterated over all the directory entries (for leaves changed in the
current transaction) so a subsequent fsync would always log anything that
was previously skipped while logging a directory when logging a new name
(with btrfs_log_new_name()). But later support for incrementally logging
a directory was added in commit dc2872247ec0 ("btrfs: keep track of the
last logged keys when logging a directory"), to avoid checking all dir
items every time we log a directory, so the check to skip dentry logging
added in the first commit should have been removed when the incremental
support for logging a directory was added.
A test case for fstests will follow soon.
Reported-by: Vyacheslav Kovalevsky <slava.kovalevskiy.2014@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/84c4e713-85d6-42b9-8dcf-0722ed26cb05@gmail.com/
Fixes: dc2872247ec0 ("btrfs: keep track of the last logged keys when logging a directory")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/tree-log.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 256116a6e07c6..ca01f2daac6e4 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -5526,14 +5526,6 @@ static int log_new_dir_dentries(struct btrfs_trans_handle *trans,
struct btrfs_inode *curr_inode = start_inode;
int ret = 0;
- /*
- * If we are logging a new name, as part of a link or rename operation,
- * don't bother logging new dentries, as we just want to log the names
- * of an inode and that any new parents exist.
- */
- if (ctx->logging_new_name)
- return 0;
-
path = btrfs_alloc_path();
if (!path)
return -ENOMEM;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 300/737] btrfs: fix a potential path leak in print_data_reloc_error()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 299/737] btrfs: do not skip logging new dentries when logging a new name Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 301/737] bpf, arm64: Do not audit capability check in do_jit() Greg Kroah-Hartman
` (447 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 313ef70a9f0f637a09d9ef45222f5bdcf30a354b ]
Inside print_data_reloc_error(), if extent_from_logical() failed we
return immediately.
However there are the following cases where extent_from_logical() can
return error but still holds a path:
- btrfs_search_slot() returned 0
- No backref item found in extent tree
- No flags_ret provided
This is not possible in this call site though.
So for the above two cases, we can return without releasing the path,
causing extent buffer leaks.
Fixes: b9a9a85059cd ("btrfs: output affected files when relocation fails")
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index b1be3e0fe7282..68bb5079aef74 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -266,6 +266,7 @@ static void print_data_reloc_error(const struct btrfs_inode *inode, u64 file_off
if (ret < 0) {
btrfs_err_rl(fs_info, "failed to lookup extent item for logical %llu: %d",
logical, ret);
+ btrfs_release_path(&path);
return;
}
eb = path.nodes[0];
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 301/737] bpf, arm64: Do not audit capability check in do_jit()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 300/737] btrfs: fix a potential path leak in print_data_reloc_error() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 302/737] btrfs: fix memory leak of fs_devices in degraded seed device path Greg Kroah-Hartman
` (446 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ondrej Mosnacek, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
[ Upstream commit 189e5deb944a6f9c7992355d60bffd8ec2e54a9c ]
Analogically to the x86 commit 881a9c9cb785 ("bpf: Do not audit
capability check in do_jit()"), change the capable() call to
ns_capable_noaudit() in order to avoid spurious SELinux denials in audit
log.
The commit log from that commit applies here as well:
"""
The failure of this check only results in a security mitigation being
applied, slightly affecting performance of the compiled BPF program. It
doesn't result in a failed syscall, an thus auditing a failed LSM
permission check for it is unwanted. For example with SELinux, it causes
a denial to be reported for confined processes running as root, which
tends to be flagged as a problem to be fixed in the policy. Yet
dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
desirable, as it would allow/silence also other checks - either going
against the principle of least privilege or making debugging potentially
harder.
Fix it by changing it from capable() to ns_capable_noaudit(), which
instructs the LSMs to not audit the resulting denials.
"""
Fixes: f300769ead03 ("arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Link: https://lore.kernel.org/r/20251204125916.441021-1-omosnace@redhat.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/net/bpf_jit_comp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index d8012d1a2e152..f11de7484ced8 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -666,7 +666,7 @@ static void __maybe_unused build_bhb_mitigation(struct jit_ctx *ctx)
arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE)
return;
- if (capable(CAP_SYS_ADMIN))
+ if (ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN))
return;
if (supports_clearbhb(SCOPE_SYSTEM)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 302/737] btrfs: fix memory leak of fs_devices in degraded seed device path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 301/737] bpf, arm64: Do not audit capability check in do_jit() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 303/737] iomap: adjust read range correctly for non-block-aligned positions Greg Kroah-Hartman
` (445 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+eadd98df8bceb15d7fed,
Qu Wenruo, Deepanshu Kartikey, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit b57f2ddd28737db6ff0e9da8467f0ab9d707e997 ]
In open_seed_devices(), when find_fsid() fails and we're in DEGRADED
mode, a new fs_devices is allocated via alloc_fs_devices() but is never
added to the seed_list before returning. This contrasts with the normal
path where fs_devices is properly added via list_add().
If any error occurs later in read_one_dev() or btrfs_read_chunk_tree(),
the cleanup code iterates seed_list to free seed devices, but this
orphaned fs_devices is never found and never freed, causing a memory
leak. Any devices allocated via add_missing_dev() and attached to this
fs_devices are also leaked.
Fix this by adding the newly allocated fs_devices to seed_list in the
degraded path, consistent with the normal path.
Fixes: 5f37583569442 ("Btrfs: move the missing device to its own fs device list")
Reported-by: syzbot+eadd98df8bceb15d7fed@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
Tested-by: syzbot+eadd98df8bceb15d7fed@syzkaller.appspotmail.com
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/volumes.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 1eb543602ff12..8207b0b4c43a0 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -6966,6 +6966,7 @@ static struct btrfs_fs_devices *open_seed_devices(struct btrfs_fs_info *fs_info,
fs_devices->seeding = true;
fs_devices->opened = 1;
+ list_add(&fs_devices->seed_list, &fs_info->fs_devices->seed_list);
return fs_devices;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 303/737] iomap: adjust read range correctly for non-block-aligned positions
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 302/737] btrfs: fix memory leak of fs_devices in degraded seed device path Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 304/737] iomap: account for unaligned end offsets when truncating read range Greg Kroah-Hartman
` (444 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, syzbot, Brian Foster,
Christoph Hellwig, Christian Brauner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
[ Upstream commit 7aa6bc3e8766990824f66ca76c19596ce10daf3e ]
iomap_adjust_read_range() assumes that the position and length passed in
are block-aligned. This is not always the case however, as shown in the
syzbot generated case for erofs. This causes too many bytes to be
skipped for uptodate blocks, which results in returning the incorrect
position and length to read in. If all the blocks are uptodate, this
underflows length and returns a position beyond the folio.
Fix the calculation to also take into account the block offset when
calculating how many bytes can be skipped for uptodate blocks.
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Tested-by: syzbot@syzkaller.appspotmail.com
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/iomap/buffered-io.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index 7ffdf0d037fae..13a5f4422c797 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -211,17 +211,24 @@ static void iomap_adjust_read_range(struct inode *inode, struct folio *folio,
* to avoid reading in already uptodate ranges.
*/
if (ifs) {
- unsigned int i;
+ unsigned int i, blocks_skipped;
/* move forward for each leading block marked uptodate */
- for (i = first; i <= last; i++) {
+ for (i = first; i <= last; i++)
if (!ifs_block_is_uptodate(ifs, i))
break;
- *pos += block_size;
- poff += block_size;
- plen -= block_size;
- first++;
+
+ blocks_skipped = i - first;
+ if (blocks_skipped) {
+ unsigned long block_offset = *pos & (block_size - 1);
+ unsigned bytes_skipped =
+ (blocks_skipped << block_bits) - block_offset;
+
+ *pos += bytes_skipped;
+ poff += bytes_skipped;
+ plen -= bytes_skipped;
}
+ first = i;
/* truncate len if we find any trailing uptodate block(s) */
while (++i <= last) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 304/737] iomap: account for unaligned end offsets when truncating read range
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 303/737] iomap: adjust read range correctly for non-block-aligned positions Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 305/737] perf/x86/amd: Check event before enable to avoid GPF Greg Kroah-Hartman
` (443 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, Christoph Hellwig,
Darrick J. Wong, Christian Brauner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
[ Upstream commit 9d875e0eef8ec15b6b1da0cb9a0f8ed13efee89e ]
The end position to start truncating from may be at an offset into a
block, which under the current logic would result in overtruncation.
Adjust the calculation to account for unaligned end offsets.
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Link: https://patch.msgid.link/20251111193658.3495942-3-joannelkoong@gmail.com
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/iomap/buffered-io.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index 13a5f4422c797..7e9480150d61e 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -188,6 +188,22 @@ static void ifs_free(struct folio *folio)
kfree(ifs);
}
+/*
+ * Calculate how many bytes to truncate based off the number of blocks to
+ * truncate and the end position to start truncating from.
+ */
+static size_t iomap_bytes_to_truncate(loff_t end_pos, unsigned block_bits,
+ unsigned blocks_truncated)
+{
+ unsigned block_size = 1 << block_bits;
+ unsigned block_offset = end_pos & (block_size - 1);
+
+ if (!block_offset)
+ return blocks_truncated << block_bits;
+
+ return ((blocks_truncated - 1) << block_bits) + block_offset;
+}
+
/*
* Calculate the range inside the folio that we actually need to read.
*/
@@ -233,7 +249,8 @@ static void iomap_adjust_read_range(struct inode *inode, struct folio *folio,
/* truncate len if we find any trailing uptodate block(s) */
while (++i <= last) {
if (ifs_block_is_uptodate(ifs, i)) {
- plen -= (last - i + 1) * block_size;
+ plen -= iomap_bytes_to_truncate(*pos + plen,
+ block_bits, last - i + 1);
last = i - 1;
break;
}
@@ -249,7 +266,8 @@ static void iomap_adjust_read_range(struct inode *inode, struct folio *folio,
unsigned end = offset_in_folio(folio, isize - 1) >> block_bits;
if (first <= end && last > end)
- plen -= (last - end) * block_size;
+ plen -= iomap_bytes_to_truncate(*pos + plen, block_bits,
+ last - end);
}
*offp = poff;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 305/737] perf/x86/amd: Check event before enable to avoid GPF
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 304/737] iomap: account for unaligned end offsets when truncating read range Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 306/737] sched/deadline: only set free_cpus for online runqueues Greg Kroah-Hartman
` (442 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, George Kennedy,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: George Kennedy <george.kennedy@oracle.com>
[ Upstream commit 866cf36bfee4fba6a492d2dcc5133f857e3446b0 ]
On AMD machines cpuc->events[idx] can become NULL in a subtle race
condition with NMI->throttle->x86_pmu_stop().
Check event for NULL in amd_pmu_enable_all() before enable to avoid a GPF.
This appears to be an AMD only issue.
Syzkaller reported a GPF in amd_pmu_enable_all.
INFO: NMI handler (perf_event_nmi_handler) took too long to run: 13.143
msecs
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000034: 0000 PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000001a0-0x00000000000001a7]
CPU: 0 UID: 0 PID: 328415 Comm: repro_36674776 Not tainted 6.12.0-rc1-syzk
RIP: 0010:x86_pmu_enable_event (arch/x86/events/perf_event.h:1195
arch/x86/events/core.c:1430)
RSP: 0018:ffff888118009d60 EFLAGS: 00010012
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000034 RSI: 0000000000000000 RDI: 00000000000001a0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
R13: ffff88811802a440 R14: ffff88811802a240 R15: ffff8881132d8601
FS: 00007f097dfaa700(0000) GS:ffff888118000000(0000) GS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200001c0 CR3: 0000000103d56000 CR4: 00000000000006f0
Call Trace:
<IRQ>
amd_pmu_enable_all (arch/x86/events/amd/core.c:760 (discriminator 2))
x86_pmu_enable (arch/x86/events/core.c:1360)
event_sched_out (kernel/events/core.c:1191 kernel/events/core.c:1186
kernel/events/core.c:2346)
__perf_remove_from_context (kernel/events/core.c:2435)
event_function (kernel/events/core.c:259)
remote_function (kernel/events/core.c:92 (discriminator 1)
kernel/events/core.c:72 (discriminator 1))
__flush_smp_call_function_queue (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207 ./include/trace/events/csd.h:64
kernel/smp.c:135 kernel/smp.c:540)
__sysvec_call_function_single (./arch/x86/include/asm/jump_label.h:27
./include/linux/jump_label.h:207
./arch/x86/include/asm/trace/irq_vectors.h:99 arch/x86/kernel/smp.c:272)
sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 47)
arch/x86/kernel/smp.c:266 (discriminator 47))
</IRQ>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/amd/core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/amd/core.c b/arch/x86/events/amd/core.c
index aa8fc2cf1bde7..211f429750f5f 100644
--- a/arch/x86/events/amd/core.c
+++ b/arch/x86/events/amd/core.c
@@ -745,7 +745,12 @@ static void amd_pmu_enable_all(int added)
if (!test_bit(idx, cpuc->active_mask))
continue;
- amd_pmu_enable_event(cpuc->events[idx]);
+ /*
+ * FIXME: cpuc->events[idx] can become NULL in a subtle race
+ * condition with NMI->throttle->x86_pmu_stop().
+ */
+ if (cpuc->events[idx])
+ amd_pmu_enable_event(cpuc->events[idx]);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 306/737] sched/deadline: only set free_cpus for online runqueues
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 305/737] perf/x86/amd: Check event before enable to avoid GPF Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 307/737] sched/fair: Revert max_newidle_lb_cost bump Greg Kroah-Hartman
` (441 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Peter Zijlstra (Intel),
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
[ Upstream commit 382748c05e58a9f1935f5a653c352422375566ea ]
Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus
to reflect rd->online") introduced the cpudl_set/clear_freecpu
functions to allow the cpu_dl::free_cpus mask to be manipulated
by the deadline scheduler class rq_on/offline callbacks so the
mask would also reflect this state.
Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask
from cpudl_find()") removed the check of the cpu_active_mask to
save some processing on the premise that the cpudl::free_cpus
mask already reflected the runqueue online state.
Unfortunately, there are cases where it is possible for the
cpudl_clear function to set the free_cpus bit for a CPU when the
deadline runqueue is offline. When this occurs while a CPU is
connected to the default root domain the flag may retain the bad
state after the CPU has been unplugged. Later, a different CPU
that is transitioning through the default root domain may push a
deadline task to the powered down CPU when cpudl_find sees its
free_cpus bit is set. If this happens the task will not have the
opportunity to run.
One example is outlined here:
https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com
Another occurs when the last deadline task is migrated from a
CPU that has an offlined runqueue. The dequeue_task member of
the deadline scheduler class will eventually call cpudl_clear
and set the free_cpus bit for the CPU.
This commit modifies the cpudl_clear function to be aware of the
online state of the deadline runqueue so that the free_cpus mask
can be updated appropriately.
It is no longer necessary to manage the mask outside of the
cpudl_set/clear functions so the cpudl_set/clear_freecpu
functions are removed. In addition, since the free_cpus mask is
now only updated under the cpudl lock the code was changed to
use the non-atomic __cpumask functions.
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/cpudeadline.c | 34 +++++++++-------------------------
kernel/sched/cpudeadline.h | 4 +---
kernel/sched/deadline.c | 8 ++++----
3 files changed, 14 insertions(+), 32 deletions(-)
diff --git a/kernel/sched/cpudeadline.c b/kernel/sched/cpudeadline.c
index 95baa12a10293..59d7b4f48c086 100644
--- a/kernel/sched/cpudeadline.c
+++ b/kernel/sched/cpudeadline.c
@@ -165,12 +165,13 @@ int cpudl_find(struct cpudl *cp, struct task_struct *p,
* cpudl_clear - remove a CPU from the cpudl max-heap
* @cp: the cpudl max-heap context
* @cpu: the target CPU
+ * @online: the online state of the deadline runqueue
*
* Notes: assumes cpu_rq(cpu)->lock is locked
*
* Returns: (void)
*/
-void cpudl_clear(struct cpudl *cp, int cpu)
+void cpudl_clear(struct cpudl *cp, int cpu, bool online)
{
int old_idx, new_cpu;
unsigned long flags;
@@ -183,7 +184,7 @@ void cpudl_clear(struct cpudl *cp, int cpu)
if (old_idx == IDX_INVALID) {
/*
* Nothing to remove if old_idx was invalid.
- * This could happen if a rq_offline_dl is
+ * This could happen if rq_online_dl or rq_offline_dl is
* called for a CPU without -dl tasks running.
*/
} else {
@@ -194,9 +195,12 @@ void cpudl_clear(struct cpudl *cp, int cpu)
cp->elements[new_cpu].idx = old_idx;
cp->elements[cpu].idx = IDX_INVALID;
cpudl_heapify(cp, old_idx);
-
- cpumask_set_cpu(cpu, cp->free_cpus);
}
+ if (likely(online))
+ __cpumask_set_cpu(cpu, cp->free_cpus);
+ else
+ __cpumask_clear_cpu(cpu, cp->free_cpus);
+
raw_spin_unlock_irqrestore(&cp->lock, flags);
}
@@ -227,7 +231,7 @@ void cpudl_set(struct cpudl *cp, int cpu, u64 dl)
cp->elements[new_idx].cpu = cpu;
cp->elements[cpu].idx = new_idx;
cpudl_heapify_up(cp, new_idx);
- cpumask_clear_cpu(cpu, cp->free_cpus);
+ __cpumask_clear_cpu(cpu, cp->free_cpus);
} else {
cp->elements[old_idx].dl = dl;
cpudl_heapify(cp, old_idx);
@@ -236,26 +240,6 @@ void cpudl_set(struct cpudl *cp, int cpu, u64 dl)
raw_spin_unlock_irqrestore(&cp->lock, flags);
}
-/*
- * cpudl_set_freecpu - Set the cpudl.free_cpus
- * @cp: the cpudl max-heap context
- * @cpu: rd attached CPU
- */
-void cpudl_set_freecpu(struct cpudl *cp, int cpu)
-{
- cpumask_set_cpu(cpu, cp->free_cpus);
-}
-
-/*
- * cpudl_clear_freecpu - Clear the cpudl.free_cpus
- * @cp: the cpudl max-heap context
- * @cpu: rd attached CPU
- */
-void cpudl_clear_freecpu(struct cpudl *cp, int cpu)
-{
- cpumask_clear_cpu(cpu, cp->free_cpus);
-}
-
/*
* cpudl_init - initialize the cpudl structure
* @cp: the cpudl max-heap context
diff --git a/kernel/sched/cpudeadline.h b/kernel/sched/cpudeadline.h
index 0adeda93b5fb5..ecff718d94aea 100644
--- a/kernel/sched/cpudeadline.h
+++ b/kernel/sched/cpudeadline.h
@@ -18,9 +18,7 @@ struct cpudl {
#ifdef CONFIG_SMP
int cpudl_find(struct cpudl *cp, struct task_struct *p, struct cpumask *later_mask);
void cpudl_set(struct cpudl *cp, int cpu, u64 dl);
-void cpudl_clear(struct cpudl *cp, int cpu);
+void cpudl_clear(struct cpudl *cp, int cpu, bool online);
int cpudl_init(struct cpudl *cp);
-void cpudl_set_freecpu(struct cpudl *cp, int cpu);
-void cpudl_clear_freecpu(struct cpudl *cp, int cpu);
void cpudl_cleanup(struct cpudl *cp);
#endif /* CONFIG_SMP */
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 5bb9735e19d2f..91459b664014d 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -1469,7 +1469,7 @@ static void dec_dl_deadline(struct dl_rq *dl_rq, u64 deadline)
if (!dl_rq->dl_nr_running) {
dl_rq->earliest_dl.curr = 0;
dl_rq->earliest_dl.next = 0;
- cpudl_clear(&rq->rd->cpudl, rq->cpu);
+ cpudl_clear(&rq->rd->cpudl, rq->cpu, rq->online);
cpupri_set(&rq->rd->cpupri, rq->cpu, rq->rt.highest_prio.curr);
} else {
struct rb_node *leftmost = rb_first_cached(&dl_rq->root);
@@ -2550,9 +2550,10 @@ static void rq_online_dl(struct rq *rq)
if (rq->dl.overloaded)
dl_set_overload(rq);
- cpudl_set_freecpu(&rq->rd->cpudl, rq->cpu);
if (rq->dl.dl_nr_running > 0)
cpudl_set(&rq->rd->cpudl, rq->cpu, rq->dl.earliest_dl.curr);
+ else
+ cpudl_clear(&rq->rd->cpudl, rq->cpu, true);
}
/* Assumes rq->lock is held */
@@ -2561,8 +2562,7 @@ static void rq_offline_dl(struct rq *rq)
if (rq->dl.overloaded)
dl_clear_overload(rq);
- cpudl_clear(&rq->rd->cpudl, rq->cpu);
- cpudl_clear_freecpu(&rq->rd->cpudl, rq->cpu);
+ cpudl_clear(&rq->rd->cpudl, rq->cpu, false);
}
void __init init_sched_dl_class(void)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 307/737] sched/fair: Revert max_newidle_lb_cost bump
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 306/737] sched/deadline: only set free_cpus for online runqueues Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 308/737] x86/ptrace: Always inline trivial accessors Greg Kroah-Hartman
` (440 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Salisbury, Adam Li,
Dietmar Eggemann, Hazem Mohamed Abuelfotoh,
Peter Zijlstra (Intel), Chris Mason, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit d206fbad9328ddb68ebabd7cf7413392acd38081 ]
Many people reported regressions on their database workloads due to:
155213a2aed4 ("sched/fair: Bump sd->max_newidle_lb_cost when newidle balance fails")
For instance Adam Li reported a 6% regression on SpecJBB.
Conversely this will regress schbench again; on my machine from 2.22
Mrps/s down to 2.04 Mrps/s.
Reported-by: Joseph Salisbury <joseph.salisbury@oracle.com>
Reported-by: Adam Li <adamli@os.amperecomputing.com>
Reported-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Reported-by: Hazem Mohamed Abuelfotoh <abuehaze@amazon.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Chris Mason <clm@meta.com>
Link: https://lkml.kernel.org/r/20250626144017.1510594-2-clm@fb.com
Link: https://lkml.kernel.org/r/006c9df2-b691-47f1-82e6-e233c3f91faf@oracle.com
Link: https://patch.msgid.link/20251107161739.406147760@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 19 +++----------------
1 file changed, 3 insertions(+), 16 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index cf3a51f323e32..38cc72d203c07 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -11722,14 +11722,8 @@ static inline bool update_newidle_cost(struct sched_domain *sd, u64 cost)
/*
* Track max cost of a domain to make sure to not delay the
* next wakeup on the CPU.
- *
- * sched_balance_newidle() bumps the cost whenever newidle
- * balance fails, and we don't want things to grow out of
- * control. Use the sysctl_sched_migration_cost as the upper
- * limit, plus a litle extra to avoid off by ones.
*/
- sd->max_newidle_lb_cost =
- min(cost, sysctl_sched_migration_cost + 200);
+ sd->max_newidle_lb_cost = cost;
sd->last_decay_max_lb_cost = jiffies;
} else if (time_after(jiffies, sd->last_decay_max_lb_cost + HZ)) {
/*
@@ -12415,17 +12409,10 @@ static int sched_balance_newidle(struct rq *this_rq, struct rq_flags *rf)
t1 = sched_clock_cpu(this_cpu);
domain_cost = t1 - t0;
+ update_newidle_cost(sd, domain_cost);
+
curr_cost += domain_cost;
t0 = t1;
-
- /*
- * Failing newidle means it is not effective;
- * bump the cost so we end up doing less of it.
- */
- if (!pulled_task)
- domain_cost = (3 * sd->max_newidle_lb_cost) / 2;
-
- update_newidle_cost(sd, domain_cost);
}
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 308/737] x86/ptrace: Always inline trivial accessors
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 307/737] sched/fair: Revert max_newidle_lb_cost bump Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 309/737] ACPICA: Avoid walking the Namespace if start_node is NULL Greg Kroah-Hartman
` (439 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel), Ingo Molnar,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 1fe4002cf7f23d70c79bda429ca2a9423ebcfdfa ]
A KASAN build bloats these single load/store helpers such that
it fails to inline them:
vmlinux.o: error: objtool: irqentry_exit+0x5e8: call to instruction_pointer_set() with UACCESS enabled
Make sure the compiler isn't allowed to do stupid.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://patch.msgid.link/20251031105435.GU4068168@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/ptrace.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
index 5a83fbd9bc0b4..eb5b1e2aa7000 100644
--- a/arch/x86/include/asm/ptrace.h
+++ b/arch/x86/include/asm/ptrace.h
@@ -187,12 +187,12 @@ convert_ip_to_linear(struct task_struct *child, struct pt_regs *regs);
extern void send_sigtrap(struct pt_regs *regs, int error_code, int si_code);
-static inline unsigned long regs_return_value(struct pt_regs *regs)
+static __always_inline unsigned long regs_return_value(struct pt_regs *regs)
{
return regs->ax;
}
-static inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
+static __always_inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
{
regs->ax = rc;
}
@@ -277,34 +277,34 @@ static __always_inline bool ip_within_syscall_gap(struct pt_regs *regs)
}
#endif
-static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
+static __always_inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
{
return regs->sp;
}
-static inline unsigned long instruction_pointer(struct pt_regs *regs)
+static __always_inline unsigned long instruction_pointer(struct pt_regs *regs)
{
return regs->ip;
}
-static inline void instruction_pointer_set(struct pt_regs *regs,
- unsigned long val)
+static __always_inline
+void instruction_pointer_set(struct pt_regs *regs, unsigned long val)
{
regs->ip = val;
}
-static inline unsigned long frame_pointer(struct pt_regs *regs)
+static __always_inline unsigned long frame_pointer(struct pt_regs *regs)
{
return regs->bp;
}
-static inline unsigned long user_stack_pointer(struct pt_regs *regs)
+static __always_inline unsigned long user_stack_pointer(struct pt_regs *regs)
{
return regs->sp;
}
-static inline void user_stack_pointer_set(struct pt_regs *regs,
- unsigned long val)
+static __always_inline
+void user_stack_pointer_set(struct pt_regs *regs, unsigned long val)
{
regs->sp = val;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 309/737] ACPICA: Avoid walking the Namespace if start_node is NULL
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 308/737] x86/ptrace: Always inline trivial accessors Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 310/737] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Greg Kroah-Hartman
` (438 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cryolitia PukNgae, WangYuli,
Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
[ Upstream commit 9d6c58dae8f6590c746ac5d0012ffe14a77539f0 ]
Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace
if it is not there") fixed the situation when both start_node and
acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed
on Honor Magicbook 14 Pro [1].
That happens due to the access to the member of parent_node in
acpi_ns_get_next_node(). The NULL pointer dereference will always
happen, no matter whether or not the start_node is equal to
ACPI_ROOT_OBJECT, so move the check of start_node being NULL
out of the if block.
Unfortunately, all the attempts to contact Honor have failed, they
refused to provide any technical support for Linux.
The bad DSDT table's dump could be found on GitHub [2].
DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025
Link: https://github.com/acpica/acpica/commit/1c1b57b9eba4554cb132ee658dd942c0210ed20d
Link: https://gist.github.com/Cryolitia/a860ffc97437dcd2cd988371d5b73ed7 [1]
Link: https://github.com/denis-bb/honor-fmb-p-dsdt [2]
Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
Reviewed-by: WangYuli <wangyl5933@chinaunicom.cn>
[ rjw: Subject adjustment, changelog edits ]
Link: https://patch.msgid.link/20251125-acpica-v1-1-99e63b1b25f8@linux.dev
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/nswalk.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/acpi/acpica/nswalk.c b/drivers/acpi/acpica/nswalk.c
index eee396a77baec..1b000ccbf8e1f 100644
--- a/drivers/acpi/acpica/nswalk.c
+++ b/drivers/acpi/acpica/nswalk.c
@@ -169,9 +169,12 @@ acpi_ns_walk_namespace(acpi_object_type type,
if (start_node == ACPI_ROOT_OBJECT) {
start_node = acpi_gbl_root_node;
- if (!start_node) {
- return_ACPI_STATUS(AE_NO_NAMESPACE);
- }
+ }
+
+ /* Avoid walking the namespace if the StartNode is NULL */
+
+ if (!start_node) {
+ return_ACPI_STATUS(AE_NO_NAMESPACE);
}
/* Null child means "get first node" */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 310/737] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 309/737] ACPICA: Avoid walking the Namespace if start_node is NULL Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 311/737] cpufreq: dt-platdev: Add JH7110S SOC to the allowlist Greg Kroah-Hartman
` (437 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Laurent Pinchart,
Jonathan Cameron, Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
[ Upstream commit 5d010473cdeaabf6a2d3a9e2aed2186c1b73c213 ]
Calling fwnode_get_next_child_node() in ACPI implementation of the fwnode
property API is somewhat problematic as the latter is used in the
impelementation of the former. Instead of using
fwnode_get_next_child_node() in acpi_graph_get_next_endpoint(), call
acpi_get_next_subnode() directly instead.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Link: https://patch.msgid.link/20251001104320.1272752-3-sakari.ailus@linux.intel.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/property.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c
index 1b8f3958b0edb..6bb85c12b5a02 100644
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -1370,7 +1370,7 @@ static struct fwnode_handle *acpi_graph_get_next_endpoint(
if (!prev) {
do {
- port = fwnode_get_next_child_node(fwnode, port);
+ port = acpi_get_next_subnode(fwnode, port);
/*
* The names of the port nodes begin with "port@"
* followed by the number of the port node and they also
@@ -1388,13 +1388,13 @@ static struct fwnode_handle *acpi_graph_get_next_endpoint(
if (!port)
return NULL;
- endpoint = fwnode_get_next_child_node(port, prev);
+ endpoint = acpi_get_next_subnode(port, prev);
while (!endpoint) {
- port = fwnode_get_next_child_node(fwnode, port);
+ port = acpi_get_next_subnode(fwnode, port);
if (!port)
break;
if (is_acpi_graph_node(port, "port"))
- endpoint = fwnode_get_next_child_node(port, NULL);
+ endpoint = acpi_get_next_subnode(port, NULL);
}
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 311/737] cpufreq: dt-platdev: Add JH7110S SOC to the allowlist
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 310/737] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 312/737] cpufreq: s5pv210: fix refcount leak Greg Kroah-Hartman
` (436 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hal Feng, Heinrich Schuchardt,
Viresh Kumar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hal Feng <hal.feng@starfivetech.com>
[ Upstream commit 6e7970cab51d01b8f7c56f120486c571c22e1b80 ]
Add the compatible strings for supporting the generic
cpufreq driver on the StarFive JH7110S SoC.
Signed-off-by: Hal Feng <hal.feng@starfivetech.com>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/cpufreq-dt-platdev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/cpufreq/cpufreq-dt-platdev.c b/drivers/cpufreq/cpufreq-dt-platdev.c
index c58c1defd7458..8b53388280d73 100644
--- a/drivers/cpufreq/cpufreq-dt-platdev.c
+++ b/drivers/cpufreq/cpufreq-dt-platdev.c
@@ -87,6 +87,7 @@ static const struct of_device_id allowlist[] __initconst = {
{ .compatible = "st-ericsson,u9540", },
{ .compatible = "starfive,jh7110", },
+ { .compatible = "starfive,jh7110s", },
{ .compatible = "ti,omap2", },
{ .compatible = "ti,omap4", },
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 312/737] cpufreq: s5pv210: fix refcount leak
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 311/737] cpufreq: dt-platdev: Add JH7110S SOC to the allowlist Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 313/737] cpuidle: menu: Use residency threshold in polling state override decisions Greg Kroah-Hartman
` (435 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shuhao Fu, Viresh Kumar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuhao Fu <sfual@cse.ust.hk>
[ Upstream commit 2de5cb96060a1664880d65b120e59485a73588a8 ]
In function `s5pv210_cpu_init`, a possible refcount inconsistency has
been identified, causing a resource leak.
Why it is a bug:
1. For every clk_get, there should be a matching clk_put on every
successive error handling path.
2. After calling `clk_get(dmc1_clk)`, variable `dmc1_clk` will not be
freed even if any error happens.
How it is fixed: For every failed path, an extra goto label is added to
ensure `dmc1_clk` will be freed regardlessly.
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/s5pv210-cpufreq.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/s5pv210-cpufreq.c b/drivers/cpufreq/s5pv210-cpufreq.c
index 76c888ed8d160..d2fa42beae9c2 100644
--- a/drivers/cpufreq/s5pv210-cpufreq.c
+++ b/drivers/cpufreq/s5pv210-cpufreq.c
@@ -518,7 +518,7 @@ static int s5pv210_cpu_init(struct cpufreq_policy *policy)
if (policy->cpu != 0) {
ret = -EINVAL;
- goto out_dmc1;
+ goto out;
}
/*
@@ -530,7 +530,7 @@ static int s5pv210_cpu_init(struct cpufreq_policy *policy)
if ((mem_type != LPDDR) && (mem_type != LPDDR2)) {
pr_err("CPUFreq doesn't support this memory type\n");
ret = -EINVAL;
- goto out_dmc1;
+ goto out;
}
/* Find current refresh counter and frequency each DMC */
@@ -544,6 +544,8 @@ static int s5pv210_cpu_init(struct cpufreq_policy *policy)
cpufreq_generic_init(policy, s5pv210_freq_table, 40000);
return 0;
+out:
+ clk_put(dmc1_clk);
out_dmc1:
clk_put(dmc0_clk);
out_dmc0:
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 313/737] cpuidle: menu: Use residency threshold in polling state override decisions
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 312/737] cpufreq: s5pv210: fix refcount leak Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 314/737] livepatch: Match old_sympos 0 and 1 in klp_find_func() Greg Kroah-Hartman
` (434 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Loehle, Aboorva Devarajan,
Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aboorva Devarajan <aboorvad@linux.ibm.com>
[ Upstream commit 07d815701274d156ad8c7c088a52e01642156fb8 ]
On virtualized PowerPC (pseries) systems, where only one polling state
(Snooze) and one deep state (CEDE) are available, selecting CEDE when
the predicted idle duration is less than the target residency of CEDE
state can hurt performance. In such cases, the entry/exit overhead of
CEDE outweighs the power savings, leading to unnecessary state
transitions and higher latency.
Menu governor currently contains a special-case rule that prioritizes
the first non-polling state over polling, even when its target residency
is much longer than the predicted idle duration. On PowerPC/pseries,
where the gap between the polling state (Snooze) and the first non-polling
state (CEDE) is large, this behavior causes performance regressions.
Refine that special case by adding an extra requirement: the first
non-polling state can only be chosen if its target residency is below
the defined RESIDENCY_THRESHOLD_NS. If this condition is not satisfied,
polling is allowed instead, avoiding suboptimal non-polling state
entries.
This change is limited to the single special-case rule for the first
non-polling state. The general non-polling state selection logic in the
menu governor remains unchanged.
Performance improvement observed with pgbench on PowerPC (pseries)
system:
+---------------------------+------------+------------+------------+
| Metric | Baseline | Patched | Change (%) |
+---------------------------+------------+------------+------------+
| Transactions/sec (TPS) | 495,210 | 536,982 | +8.45% |
| Avg latency (ms) | 0.163 | 0.150 | -7.98% |
+---------------------------+------------+------------+------------+
CPUIdle state usage:
+--------------+--------------+-------------+
| Metric | Baseline | Patched |
+--------------+--------------+-------------+
| Total usage | 12,735,820 | 13,918,442 |
| Above usage | 11,401,520 | 1,598,210 |
| Below usage | 20,145 | 702,395 |
+--------------+--------------+-------------+
Above/Total and Below/Total usage percentages:
+------------------------+-----------+---------+
| Metric | Baseline | Patched |
+------------------------+-----------+---------+
| Above % (Above/Total) | 89.56% | 11.49% |
| Below % (Below/Total) | 0.16% | 5.05% |
| Total cpuidle miss (%) | 89.72% | 16.54% |
+------------------------+-----------+---------+
The results indicate that restricting CEDE selection to cases where
its residency matches the predicted idle time reduces mispredictions,
lowers unnecessary state transitions, and improves overall throughput.
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Signed-off-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
[ rjw: Changelog edits, rebase ]
Link: https://patch.msgid.link/20251006013954.17972-1-aboorvad@linux.ibm.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
| 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--git a/drivers/cpuidle/governors/menu.c b/drivers/cpuidle/governors/menu.c
index 8c591dde61023..27010eee6d1bc 100644
--- a/drivers/cpuidle/governors/menu.c
+++ b/drivers/cpuidle/governors/menu.c
@@ -354,12 +354,13 @@ static int menu_select(struct cpuidle_driver *drv, struct cpuidle_device *dev,
}
/*
- * Use a physical idle state, not busy polling, unless a timer
- * is going to trigger soon enough or the exit latency of the
- * idle state in question is greater than the predicted idle
- * duration.
+ * Use a physical idle state instead of busy polling so long as
+ * its target residency is below the residency threshold, its
+ * exit latency is not greater than the predicted idle duration,
+ * and the next timer doesn't expire soon.
*/
if ((drv->states[idx].flags & CPUIDLE_FLAG_POLLING) &&
+ s->target_residency_ns < RESIDENCY_THRESHOLD_NS &&
s->target_residency_ns <= data->next_timer_ns &&
s->exit_latency_ns <= predicted_ns) {
predicted_ns = s->target_residency_ns;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 314/737] livepatch: Match old_sympos 0 and 1 in klp_find_func()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 313/737] cpuidle: menu: Use residency threshold in polling state override decisions Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 315/737] fs/ntfs3: Support timestamps prior to epoch Greg Kroah-Hartman
` (433 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Song Liu, Josh Poimboeuf,
Petr Mladek, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Song Liu <song@kernel.org>
[ Upstream commit 139560e8b973402140cafeb68c656c1374bd4c20 ]
When there is only one function of the same name, old_sympos of 0 and 1
are logically identical. Match them in klp_find_func().
This is to avoid a corner case with different toolchain behavior.
In this specific issue, two versions of kpatch-build were used to
build livepatch for the same kernel. One assigns old_sympos == 0 for
unique local functions, the other assigns old_sympos == 1 for unique
local functions. Both versions work fine by themselves. (PS: This
behavior change was introduced in a downstream version of kpatch-build.
This change does not exist in upstream kpatch-build.)
However, during livepatch upgrade (with the replace flag set) from a
patch built with one version of kpatch-build to the same fix built with
the other version of kpatch-build, livepatching fails with errors like:
[ 14.218706] sysfs: cannot create duplicate filename 'xxx/somefunc,1'
...
[ 14.219466] Call Trace:
[ 14.219468] <TASK>
[ 14.219469] dump_stack_lvl+0x47/0x60
[ 14.219474] sysfs_warn_dup.cold+0x17/0x27
[ 14.219476] sysfs_create_dir_ns+0x95/0xb0
[ 14.219479] kobject_add_internal+0x9e/0x260
[ 14.219483] kobject_add+0x68/0x80
[ 14.219485] ? kstrdup+0x3c/0xa0
[ 14.219486] klp_enable_patch+0x320/0x830
[ 14.219488] patch_init+0x443/0x1000 [ccc_0_6]
[ 14.219491] ? 0xffffffffa05eb000
[ 14.219492] do_one_initcall+0x2e/0x190
[ 14.219494] do_init_module+0x67/0x270
[ 14.219496] init_module_from_file+0x75/0xa0
[ 14.219499] idempotent_init_module+0x15a/0x240
[ 14.219501] __x64_sys_finit_module+0x61/0xc0
[ 14.219503] do_syscall_64+0x5b/0x160
[ 14.219505] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 14.219507] RIP: 0033:0x7f545a4bd96d
...
[ 14.219516] kobject: kobject_add_internal failed for somefunc,1 with
-EEXIST, don't try to register things with the same name ...
This happens because klp_find_func() thinks somefunc with old_sympos==0
is not the same as somefunc with old_sympos==1, and klp_add_object_nops
adds another xxx/func,1 to the list of functions to patch.
Signed-off-by: Song Liu <song@kernel.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
[pmladek@suse.com: Fixed some typos.]
Reviewed-by: Petr Mladek <pmladek@suse.com>
Tested-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/livepatch/core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index ecbc9b6aba3a1..81fd438697446 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -90,8 +90,14 @@ static struct klp_func *klp_find_func(struct klp_object *obj,
struct klp_func *func;
klp_for_each_func(obj, func) {
+ /*
+ * Besides identical old_sympos, also consider old_sympos
+ * of 0 and 1 are identical.
+ */
if ((strcmp(old_func->old_name, func->old_name) == 0) &&
- (old_func->old_sympos == func->old_sympos)) {
+ ((old_func->old_sympos == func->old_sympos) ||
+ (old_func->old_sympos == 0 && func->old_sympos == 1) ||
+ (old_func->old_sympos == 1 && func->old_sympos == 0))) {
return func;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 315/737] fs/ntfs3: Support timestamps prior to epoch
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 314/737] livepatch: Match old_sympos 0 and 1 in klp_find_func() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 316/737] kbuild: Use objtree for module signing key path Greg Kroah-Hartman
` (432 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Upstream commit 5180138604323895b5c291eca6aa7c20be494ade ]
Before it used an unsigned 64-bit type, which prevented proper handling
of timestamps earlier than 1970-01-01. Switch to a signed 64-bit type to
support pre-epoch timestamps. The issue was caught by xfstests.
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/ntfs_fs.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h
index 72810d8f62ee9..31f57ee9a1a9b 100644
--- a/fs/ntfs3/ntfs_fs.h
+++ b/fs/ntfs3/ntfs_fs.h
@@ -990,11 +990,12 @@ static inline __le64 kernel2nt(const struct timespec64 *ts)
*/
static inline void nt2kernel(const __le64 tm, struct timespec64 *ts)
{
- u64 t = le64_to_cpu(tm) - _100ns2seconds * SecondsToStartOf1970;
+ s32 t32;
+ /* use signed 64 bit to support timestamps prior to epoch. xfstest 258. */
+ s64 t = le64_to_cpu(tm) - _100ns2seconds * SecondsToStartOf1970;
- // WARNING: do_div changes its first argument(!)
- ts->tv_nsec = do_div(t, _100ns2seconds) * 100;
- ts->tv_sec = t;
+ ts->tv_sec = div_s64_rem(t, _100ns2seconds, &t32);
+ ts->tv_nsec = t32 * 100;
}
static inline struct ntfs_sb_info *ntfs_sb(struct super_block *sb)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 316/737] kbuild: Use objtree for module signing key path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 315/737] fs/ntfs3: Support timestamps prior to epoch Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 317/737] ntfs: set dummy blocksize to read boot_block when mounting Greg Kroah-Hartman
` (431 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikhail Malyshev, Nathan Chancellor,
Nicolas Schier, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikhail Malyshev <mike.malyshev@gmail.com>
[ Upstream commit af61da281f52aba0c5b090bafb3a31c5739850ff ]
When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
module signing fails because the private key path uses $(srctree)
while the public key path uses $(objtree). Since signing keys are
generated in the build directory during kernel compilation, both
paths should use $(objtree) for consistency.
This causes SSL errors like:
SSL error:02001002:system library:fopen:No such file or directory
sign-file: /kernel-src/certs/signing_key.pem
The issue occurs because:
- sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
- cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
But both keys are generated in $(objtree) during the build.
This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
external modules") which fixed the scripts path and public key path,
but missed the private key path inconsistency.
Fixes out-of-tree module signing for configurations with separate
source and build directories (e.g., O=/kernel-out).
Signed-off-by: Mikhail Malyshev <mike.malyshev@gmail.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nicolas Schier <nsc@kernel.org>
Link: https://patch.msgid.link/20251015163452.3754286-1-mike.malyshev@gmail.com
Signed-off-by: Nicolas Schier <nsc@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/Makefile.modinst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/Makefile.modinst b/scripts/Makefile.modinst
index 0afd75472679f..3e8b069a04ff0 100644
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -96,7 +96,7 @@ endif
# Don't stop modules_install even if we can't sign external modules.
#
ifeq ($(filter pkcs11:%, $(CONFIG_MODULE_SIG_KEY)),)
-sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(srctree)/)$(CONFIG_MODULE_SIG_KEY)
+sig-key := $(if $(wildcard $(CONFIG_MODULE_SIG_KEY)),,$(objtree)/)$(CONFIG_MODULE_SIG_KEY)
else
sig-key := $(CONFIG_MODULE_SIG_KEY)
endif
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 317/737] ntfs: set dummy blocksize to read boot_block when mounting
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 316/737] kbuild: Use objtree for module signing key path Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 318/737] hfsplus: fix volume corruption issue for generic/070 Greg Kroah-Hartman
` (430 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f4f84b57a01d6b8364ad,
Pedro Demarchi Gomes, Konstantin Komarov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
[ Upstream commit d1693a7d5a38acf6424235a6070bcf5b186a360d ]
When mounting, sb->s_blocksize is used to read the boot_block without
being defined or validated. Set a dummy blocksize before attempting to
read the boot_block.
The issue can be triggered with the following syz reproducer:
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x0)
r4 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000040), 0x121403, 0x0)
ioctl$FS_IOC_SETFLAGS(r4, 0x40081271, &(0x7f0000000980)=0x4000)
mount(&(0x7f0000000140)=@nullb, &(0x7f0000000040)='./cgroup\x00',
&(0x7f0000000000)='ntfs3\x00', 0x2208004, 0x0)
syz_clone(0x88200200, 0x0, 0x0, 0x0, 0x0, 0x0)
Here, the ioctl sets the bdev block size to 16384. During mount,
get_tree_bdev_flags() calls sb_set_blocksize(sb, block_size(bdev)),
but since block_size(bdev) > PAGE_SIZE, sb_set_blocksize() leaves
sb->s_blocksize at zero.
Later, ntfs_init_from_boot() attempts to read the boot_block while
sb->s_blocksize is still zero, which triggers the bug.
Reported-by: syzbot+f4f84b57a01d6b8364ad@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f4f84b57a01d6b8364ad
Signed-off-by: Pedro Demarchi Gomes <pedrodemargomes@gmail.com>
[almaz.alexandrovich@paragon-software.com: changed comment style, added
return value handling]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/super.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index c14b55cdea85c..0b96d0f995c61 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -885,6 +885,11 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size,
sbi->volume.blocks = dev_size >> PAGE_SHIFT;
+ /* Set dummy blocksize to read boot_block. */
+ if (!sb_min_blocksize(sb, PAGE_SIZE)) {
+ return -EINVAL;
+ }
+
read_boot:
bh = ntfs_bread(sb, boot_block);
if (!bh)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 318/737] hfsplus: fix volume corruption issue for generic/070
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 317/737] ntfs: set dummy blocksize to read boot_block when mounting Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 319/737] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Greg Kroah-Hartman
` (429 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit ed490f36f439b877393c12a2113601e4145a5a56 ]
The xfstests' test-case generic/070 leaves HFS+ volume
in corrupted state:
sudo ./check generic/070
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.17.0-rc1+ #4 SMP PREEMPT_DYNAMIC Wed Oct 1 15:02:44 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/070 _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent
(see xfstests-dev/results//generic/070.full for details)
Ran: generic/070
Failures: generic/070
Failed 1 of 1 tests
sudo fsck.hfsplus -d /dev/loop50
** /dev/loop50
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking non-journaled HFS Plus Volume.
The volume name is test
** Checking extents overflow file.
Unused node is not erased (node = 1)
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0004
CBTStat = 0x0000 CatStat = 0x00000000
** Repairing volume.
** Rechecking volume.
** Checking non-journaled HFS Plus Volume.
The volume name is test
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume test was repaired successfully.
It is possible to see that fsck.hfsplus detected not
erased and unused node for the case of extents overflow file.
The HFS+ logic has special method that defines if the node
should be erased:
bool hfs_bnode_need_zeroout(struct hfs_btree *tree)
{
struct super_block *sb = tree->inode->i_sb;
struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb);
const u32 volume_attr = be32_to_cpu(sbi->s_vhdr->attributes);
return tree->cnid == HFSPLUS_CAT_CNID &&
volume_attr & HFSPLUS_VOL_UNUSED_NODE_FIX;
}
However, it is possible to see that this method works
only for the case of catalog file. But debugging of the issue
has shown that HFSPLUS_VOL_UNUSED_NODE_FIX attribute has been
requested for the extents overflow file too:
catalog file
kernel: hfsplus: node 4, num_recs 0, flags 0x10
kernel: hfsplus: tree->cnid 4, volume_attr 0x80000800
extents overflow file
kernel: hfsplus: node 1, num_recs 0, flags 0x10
kernel: hfsplus: tree->cnid 3, volume_attr 0x80000800
This patch modifies the hfs_bnode_need_zeroout() by checking
only volume_attr but not the b-tree ID because node zeroing
can be requested for all HFS+ b-tree types.
sudo ./check generic/070
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.18.0-rc3+ #79 SMP PREEMPT_DYNAMIC Fri Oct 31 16:07:42 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/070 33s ... 34s
Ran: generic/070
Passed all 1 tests
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20251101001229.247432-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/bnode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index 407d5152eb411..aa095e6fb20e8 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -704,6 +704,5 @@ bool hfs_bnode_need_zeroout(struct hfs_btree *tree)
struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb);
const u32 volume_attr = be32_to_cpu(sbi->s_vhdr->attributes);
- return tree->cnid == HFSPLUS_CAT_CNID &&
- volume_attr & HFSPLUS_VOL_UNUSED_NODE_FIX;
+ return volume_attr & HFSPLUS_VOL_UNUSED_NODE_FIX;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 319/737] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 318/737] hfsplus: fix volume corruption issue for generic/070 Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 320/737] hfsplus: Verify inode mode when loading from disk Greg Kroah-Hartman
` (428 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+005d2a9ecd9fbf525f6a,
Yang Chenzhi, Viacheslav Dubeyko, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Chenzhi <yang.chenzhi@vivo.com>
[ Upstream commit 152af114287851583cf7e0abc10129941f19466a ]
When sync() and link() are called concurrently, both threads may
enter hfs_bnode_find() without finding the node in the hash table
and proceed to create it.
Thread A:
hfsplus_write_inode()
-> hfsplus_write_system_inode()
-> hfs_btree_write()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
Thread B:
hfsplus_create_cat()
-> hfs_brec_insert()
-> hfs_bnode_split()
-> hfs_bmap_alloc()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
In this case, thread A creates the bnode, sets refcnt=1, and hashes it.
Thread B also tries to create the same bnode, notices it has already
been inserted, drops its own instance, and uses the hashed one without
getting the node.
```
node2 = hfs_bnode_findhash(tree, cnid);
if (!node2) { <- Thread A
hash = hfs_bnode_hash(cnid);
node->next_hash = tree->node_hash[hash];
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else { <- Thread B
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
!test_bit(HFS_BNODE_NEW, &node2->flags));
return node2;
}
```
However, hfs_bnode_find() requires each call to take a reference.
Here both threads end up setting refcnt=1. When they later put the node,
this triggers:
BUG_ON(!atomic_read(&node->refcnt))
In this scenario, Thread B in fact finds the node in the hash table
rather than creating a new one, and thus must take a reference.
Fix this by calling hfs_bnode_get() when reusing a bnode newly created by
another thread to ensure the refcount is updated correctly.
A similar bug was fixed in HFS long ago in commit
a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create")
but the same issue remained in HFS+ until now.
Reported-by: syzbot+005d2a9ecd9fbf525f6a@syzkaller.appspotmail.com
Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250829093912.611853-1-yang.chenzhi@vivo.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/bnode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index aa095e6fb20e8..c0089849be50e 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -481,6 +481,7 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else {
+ hfs_bnode_get(node2);
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 320/737] hfsplus: Verify inode mode when loading from disk
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 319/737] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 321/737] hfsplus: fix volume corruption issue for generic/073 Greg Kroah-Hartman
` (427 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa,
Viacheslav Dubeyko, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 005d4b0d33f6b4a23d382b7930f7a96b95b01f39 ]
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted.
According to [1], the permissions field was treated as reserved in Mac OS
8 and 9. According to [2], the reserved field was explicitly initialized
with 0, and that field must remain 0 as long as reserved. Therefore, when
the "mode" field is not 0 (i.e. no longer reserved), the file must be
S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/
S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0.
Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Link: https://developer.apple.com/library/archive/technotes/tn/tn1150.html#HFSPlusPermissions [1]
Link: https://developer.apple.com/library/archive/technotes/tn/tn1150.html#ReservedAndPadFields [2]
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/04ded9f9-73fb-496c-bfa5-89c4f5d1d7bb@I-love.SAKURA.ne.jp
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/inode.c | 32 ++++++++++++++++++++++++++++----
1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
index 73ff191ff2adc..2619e5371ec9c 100644
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -183,13 +183,29 @@ const struct dentry_operations hfsplus_dentry_operations = {
.d_compare = hfsplus_compare_dentry,
};
-static void hfsplus_get_perms(struct inode *inode,
- struct hfsplus_perm *perms, int dir)
+static int hfsplus_get_perms(struct inode *inode,
+ struct hfsplus_perm *perms, int dir)
{
struct hfsplus_sb_info *sbi = HFSPLUS_SB(inode->i_sb);
u16 mode;
mode = be16_to_cpu(perms->mode);
+ if (dir) {
+ if (mode && !S_ISDIR(mode))
+ goto bad_type;
+ } else if (mode) {
+ switch (mode & S_IFMT) {
+ case S_IFREG:
+ case S_IFLNK:
+ case S_IFCHR:
+ case S_IFBLK:
+ case S_IFIFO:
+ case S_IFSOCK:
+ break;
+ default:
+ goto bad_type;
+ }
+ }
i_uid_write(inode, be32_to_cpu(perms->owner));
if ((test_bit(HFSPLUS_SB_UID, &sbi->flags)) || (!i_uid_read(inode) && !mode))
@@ -215,6 +231,10 @@ static void hfsplus_get_perms(struct inode *inode,
inode->i_flags |= S_APPEND;
else
inode->i_flags &= ~S_APPEND;
+ return 0;
+bad_type:
+ pr_err("invalid file type 0%04o for inode %lu\n", mode, inode->i_ino);
+ return -EIO;
}
static int hfsplus_file_open(struct inode *inode, struct file *file)
@@ -519,7 +539,9 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
}
hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
sizeof(struct hfsplus_cat_folder));
- hfsplus_get_perms(inode, &folder->permissions, 1);
+ res = hfsplus_get_perms(inode, &folder->permissions, 1);
+ if (res)
+ goto out;
set_nlink(inode, 1);
inode->i_size = 2 + be32_to_cpu(folder->valence);
inode->i_atime = hfsp_mt2ut(folder->access_date);
@@ -547,7 +569,9 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
hfsplus_inode_read_fork(inode, HFSPLUS_IS_RSRC(inode) ?
&file->rsrc_fork : &file->data_fork);
- hfsplus_get_perms(inode, &file->permissions, 0);
+ res = hfsplus_get_perms(inode, &file->permissions, 0);
+ if (res)
+ goto out;
set_nlink(inode, 1);
if (S_ISREG(inode->i_mode)) {
if (file->permissions.dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 321/737] hfsplus: fix volume corruption issue for generic/073
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 320/737] hfsplus: Verify inode mode when loading from disk Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 322/737] wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet Greg Kroah-Hartman
` (426 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit 24e17a29cf7537f0947f26a50f85319abd723c6c ]
The xfstests' test-case generic/073 leaves HFS+ volume
in corrupted state:
sudo ./check generic/073
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.17.0-rc1+ #4 SMP PREEMPT_DYNAMIC Wed Oct 1 15:02:44 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/073 _check_generic_filesystem: filesystem on /dev/loop51 is inconsistent
(see XFSTESTS-2/xfstests-dev/results//generic/073.full for details)
Ran: generic/073
Failures: generic/073
Failed 1 of 1 tests
sudo fsck.hfsplus -d /dev/loop51
** /dev/loop51
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking non-journaled HFS Plus Volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
Invalid directory item count
(It should be 1 instead of 0)
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000
CBTStat = 0x0000 CatStat = 0x00004000
** Repairing volume.
** Rechecking volume.
** Checking non-journaled HFS Plus Volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume untitled was repaired successfully.
The test is doing these steps on final phase:
mv $SCRATCH_MNT/testdir_1/bar $SCRATCH_MNT/testdir_2/bar
$XFS_IO_PROG -c "fsync" $SCRATCH_MNT/testdir_1
$XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo
So, we move file bar from testdir_1 into testdir_2 folder. It means that HFS+
logic decrements the number of entries in testdir_1 and increments number of
entries in testdir_2. Finally, we do fsync only for testdir_1 and foo but not
for testdir_2. As a result, this is the reason why fsck.hfsplus detects the
volume corruption afterwards.
This patch fixes the issue by means of adding the
hfsplus_cat_write_inode() call for old_dir and new_dir in
hfsplus_rename() after the successful ending of
hfsplus_rename_cat(). This method makes modification of in-core
inode objects for old_dir and new_dir but it doesn't save these
modifications in Catalog File's entries. It was expected that
hfsplus_write_inode() will save these modifications afterwards.
However, because generic/073 does fsync only for testdir_1 and foo
then testdir_2 modification hasn't beed saved into Catalog File's
entry and it was flushed without this modification. And it was
detected by fsck.hfsplus. Now, hfsplus_rename() stores in Catalog
File all modified entries and correct state of Catalog File will
be flushed during hfsplus_file_fsync() call. Finally, it makes
fsck.hfsplus happy.
sudo ./check generic/073
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.18.0-rc3+ #93 SMP PREEMPT_DYNAMIC Wed Nov 12 14:37:49 PST 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/073 32s ... 32s
Ran: generic/073
Passed all 1 tests
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20251112232522.814038-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/dir.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
index f5c4b3e31a1c2..33154c720a4e9 100644
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -552,8 +552,13 @@ static int hfsplus_rename(struct mnt_idmap *idmap,
res = hfsplus_rename_cat((u32)(unsigned long)old_dentry->d_fsdata,
old_dir, &old_dentry->d_name,
new_dir, &new_dentry->d_name);
- if (!res)
+ if (!res) {
new_dentry->d_fsdata = old_dentry->d_fsdata;
+
+ res = hfsplus_cat_write_inode(old_dir);
+ if (!res)
+ res = hfsplus_cat_write_inode(new_dir);
+ }
return res;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 322/737] wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 321/737] hfsplus: fix volume corruption issue for generic/073 Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 323/737] btrfs: scrub: always update btrfs_scrub_progress::last_physical Greg Kroah-Hartman
` (425 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arend van Spriel, Hans de Goede,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hansg@kernel.org>
[ Upstream commit a8e5a110c0c38e08e5dd66356cd1156e91cf88e1 ]
The Acer A1 840 tablet contains quite generic names in the sys_vendor and
product_name DMI strings, without this patch brcmfmac will try to load:
brcmfmac43340-sdio.Insyde-BayTrail.txt as nvram file which is a bit
too generic.
Add a DMI quirk so that a unique and clearly identifiable nvram file name
is used on the Acer A1 840 tablet.
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Hans de Goede <hansg@kernel.org>
Link: https://patch.msgid.link/20251103100314.353826-1-hansg@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/broadcom/brcm80211/brcmfmac/dmi.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
index c3a602197662b..abe7f6501e5ed 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
@@ -24,6 +24,10 @@ static const struct brcmf_dmi_data acepc_t8_data = {
BRCM_CC_4345_CHIP_ID, 6, "acepc-t8"
};
+static const struct brcmf_dmi_data acer_a1_840_data = {
+ BRCM_CC_43340_CHIP_ID, 2, "acer-a1-840"
+};
+
/* The Chuwi Hi8 Pro uses the same Ampak AP6212 module as the Chuwi Vi8 Plus
* and the nvram for the Vi8 Plus is already in linux-firmware, so use that.
*/
@@ -91,6 +95,16 @@ static const struct dmi_system_id dmi_platform_data[] = {
},
.driver_data = (void *)&acepc_t8_data,
},
+ {
+ /* Acer Iconia One 8 A1-840 (non FHD version) */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Insyde"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "BayTrail"),
+ /* Above strings are too generic also match BIOS date */
+ DMI_MATCH(DMI_BIOS_DATE, "04/01/2014"),
+ },
+ .driver_data = (void *)&acer_a1_840_data,
+ },
{
/* Chuwi Hi8 Pro with D2D3_Hi8Pro.233 BIOS */
.matches = {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 323/737] btrfs: scrub: always update btrfs_scrub_progress::last_physical
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 322/737] wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 324/737] gfs2: fix remote evict for read-only filesystems Greg Kroah-Hartman
` (424 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 54df8b80cc63aa0f22c4590cad11542731ed43ff ]
[BUG]
When a scrub failed immediately without any byte scrubbed, the returned
btrfs_scrub_progress::last_physical will always be 0, even if there is a
non-zero @start passed into btrfs_scrub_dev() for resume cases.
This will reset the progress and make later scrub resume start from the
beginning.
[CAUSE]
The function btrfs_scrub_dev() accepts a @progress parameter to copy its
updated progress to the caller, there are cases where we either don't
touch progress::last_physical at all or copy 0 into last_physical:
- last_physical not updated at all
If some error happened before scrubbing any super block or chunk, we
will not copy the progress, leaving the @last_physical untouched.
E.g. failed to allocate @sctx, scrubbing a missing device or even
there is already a running scrub and so on.
All those cases won't touch @progress at all, resulting the
last_physical untouched and will be left as 0 for most cases.
- Error out before scrubbing any bytes
In those case we allocated @sctx, and sctx->stat.last_physical is all
zero (initialized by kvzalloc()).
Unfortunately some critical errors happened during
scrub_enumerate_chunks() or scrub_supers() before any stripe is really
scrubbed.
In that case although we will copy sctx->stat back to @progress, since
no byte is really scrubbed, last_physical will be overwritten to 0.
[FIX]
Make sure the parameter @progress always has its @last_physical member
updated to @start parameter inside btrfs_scrub_dev().
At the very beginning of the function, set @progress->last_physical to
@start, so that even if we error out without doing progress copying,
last_physical is still at @start.
Then after we got @sctx allocated, set sctx->stat.last_physical to
@start, this will make sure even if we didn't get any byte scrubbed, at
the progress copying stage the @last_physical is not left as zero.
This should resolve the resume progress reset problem.
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/scrub.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index a69dce114c5ba..3338e2e7a9a02 100644
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -2858,6 +2858,10 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
unsigned int nofs_flag;
bool need_commit = false;
+ /* Set the basic fallback @last_physical before we got a sctx. */
+ if (progress)
+ progress->last_physical = start;
+
if (btrfs_fs_closing(fs_info))
return -EAGAIN;
@@ -2876,6 +2880,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
sctx = scrub_setup_ctx(fs_info, is_dev_replace);
if (IS_ERR(sctx))
return PTR_ERR(sctx);
+ sctx->stat.last_physical = start;
ret = scrub_workers_get(fs_info);
if (ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 324/737] gfs2: fix remote evict for read-only filesystems
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 323/737] btrfs: scrub: always update btrfs_scrub_progress::last_physical Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 325/737] smb/server: fix return value of smb2_ioctl() Greg Kroah-Hartman
` (423 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 64c10ed9274bc46416f502afea48b4ae11279669 ]
When a node tries to delete an inode, it first requests exclusive access
to the iopen glock. This triggers demote requests on all remote nodes
currently holding the iopen glock. To satisfy those requests, the
remote nodes evict the inode in question, or they poke the corresponding
inode glock to signal that the inode is still in active use.
This behavior doesn't depend on whether or not a filesystem is
read-only, so remove the incorrect read-only check.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/glops.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c
index 1c854d4e2d491..4a169c60bce65 100644
--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -640,8 +640,7 @@ static void iopen_go_callback(struct gfs2_glock *gl, bool remote)
struct gfs2_inode *ip = gl->gl_object;
struct gfs2_sbd *sdp = gl->gl_name.ln_sbd;
- if (!remote || sb_rdonly(sdp->sd_vfs) ||
- test_bit(SDF_KILL, &sdp->sd_flags))
+ if (!remote || test_bit(SDF_KILL, &sdp->sd_flags))
return;
if (gl->gl_demote_state == LM_ST_UNLOCKED &&
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 325/737] smb/server: fix return value of smb2_ioctl()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 324/737] gfs2: fix remote evict for read-only filesystems Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 326/737] ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Greg Kroah-Hartman
` (422 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
[ Upstream commit 269df046c1e15ab34fa26fd90db9381f022a0963 ]
__process_request() will not print error messages if smb2_ioctl()
always returns 0.
Fix this by returning the correct value at the end of function.
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index a819f198c3337..8fa68c3b24f3f 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -8094,7 +8094,7 @@ int smb2_ioctl(struct ksmbd_work *work)
id = req->VolatileFileId;
if (req->Flags != cpu_to_le32(SMB2_0_IOCTL_IS_FSCTL)) {
- rsp->hdr.Status = STATUS_NOT_SUPPORTED;
+ ret = -EOPNOTSUPP;
goto out;
}
@@ -8114,8 +8114,9 @@ int smb2_ioctl(struct ksmbd_work *work)
case FSCTL_DFS_GET_REFERRALS:
case FSCTL_DFS_GET_REFERRALS_EX:
/* Not support DFS yet */
+ ret = -EOPNOTSUPP;
rsp->hdr.Status = STATUS_FS_DRIVER_REQUIRED;
- goto out;
+ goto out2;
case FSCTL_CREATE_OR_GET_OBJECT_ID:
{
struct file_object_buf_type1_ioctl_rsp *obj_buf;
@@ -8405,8 +8406,10 @@ int smb2_ioctl(struct ksmbd_work *work)
rsp->hdr.Status = STATUS_BUFFER_TOO_SMALL;
else if (ret < 0 || rsp->hdr.Status == 0)
rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+
+out2:
smb2_set_err_rsp(work);
- return 0;
+ return ret;
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 326/737] ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 325/737] smb/server: fix return value of smb2_ioctl() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 327/737] ksmbd: vfs: fix race on m_flags in vfs_cache Greg Kroah-Hartman
` (421 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianchang Zhao, Zhitong Liu,
Namjae Jeon, Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit b39a1833cc4a2755b02603eec3a71a85e9dff926 ]
Under high concurrency, A tree-connection object (tcon) is freed on
a disconnect path while another path still holds a reference and later
executes *_put()/write on it.
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/mgmt/tree_connect.c | 18 ++++--------------
fs/smb/server/mgmt/tree_connect.h | 1 -
fs/smb/server/smb2pdu.c | 3 ---
3 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/fs/smb/server/mgmt/tree_connect.c b/fs/smb/server/mgmt/tree_connect.c
index 94a52a75014a4..9bde1b58f9c46 100644
--- a/fs/smb/server/mgmt/tree_connect.c
+++ b/fs/smb/server/mgmt/tree_connect.c
@@ -77,7 +77,6 @@ ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name)
tree_conn->t_state = TREE_NEW;
status.tree_conn = tree_conn;
atomic_set(&tree_conn->refcount, 1);
- init_waitqueue_head(&tree_conn->refcount_q);
ret = xa_err(xa_store(&sess->tree_conns, tree_conn->id, tree_conn,
GFP_KERNEL));
@@ -99,14 +98,8 @@ ksmbd_tree_conn_connect(struct ksmbd_work *work, const char *share_name)
void ksmbd_tree_connect_put(struct ksmbd_tree_connect *tcon)
{
- /*
- * Checking waitqueue to releasing tree connect on
- * tree disconnect. waitqueue_active is safe because it
- * uses atomic operation for condition.
- */
- if (!atomic_dec_return(&tcon->refcount) &&
- waitqueue_active(&tcon->refcount_q))
- wake_up(&tcon->refcount_q);
+ if (atomic_dec_and_test(&tcon->refcount))
+ kfree(tcon);
}
int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
@@ -118,14 +111,11 @@ int ksmbd_tree_conn_disconnect(struct ksmbd_session *sess,
xa_erase(&sess->tree_conns, tree_conn->id);
write_unlock(&sess->tree_conns_lock);
- if (!atomic_dec_and_test(&tree_conn->refcount))
- wait_event(tree_conn->refcount_q,
- atomic_read(&tree_conn->refcount) == 0);
-
ret = ksmbd_ipc_tree_disconnect_request(sess->id, tree_conn->id);
ksmbd_release_tree_conn_id(sess, tree_conn->id);
ksmbd_share_config_put(tree_conn->share_conf);
- kfree(tree_conn);
+ if (atomic_dec_and_test(&tree_conn->refcount))
+ kfree(tree_conn);
return ret;
}
diff --git a/fs/smb/server/mgmt/tree_connect.h b/fs/smb/server/mgmt/tree_connect.h
index a42cdd0510411..f0023d86716f2 100644
--- a/fs/smb/server/mgmt/tree_connect.h
+++ b/fs/smb/server/mgmt/tree_connect.h
@@ -33,7 +33,6 @@ struct ksmbd_tree_connect {
int maximal_access;
bool posix_extensions;
atomic_t refcount;
- wait_queue_head_t refcount_q;
unsigned int t_state;
};
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 8fa68c3b24f3f..77b06fd984be6 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2183,7 +2183,6 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
goto err_out;
}
- WARN_ON_ONCE(atomic_dec_and_test(&tcon->refcount));
tcon->t_state = TREE_DISCONNECTED;
write_unlock(&sess->tree_conns_lock);
@@ -2193,8 +2192,6 @@ int smb2_tree_disconnect(struct ksmbd_work *work)
goto err_out;
}
- work->tcon = NULL;
-
rsp->StructureSize = cpu_to_le16(4);
err = ksmbd_iov_pin_rsp(work, rsp,
sizeof(struct smb2_tree_disconnect_rsp));
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 327/737] ksmbd: vfs: fix race on m_flags in vfs_cache
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 326/737] ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 328/737] Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV Greg Kroah-Hartman
` (420 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianchang Zhao, Zhitong Liu,
Namjae Jeon, Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qianchang Zhao <pioooooooooip@gmail.com>
[ Upstream commit 991f8a79db99b14c48d20d2052c82d65b9186cad ]
ksmbd maintains delete-on-close and pending-delete state in
ksmbd_inode->m_flags. In vfs_cache.c this field is accessed under
inconsistent locking: some paths read and modify m_flags under
ci->m_lock while others do so without taking the lock at all.
Examples:
- ksmbd_query_inode_status() and __ksmbd_inode_close() use
ci->m_lock when checking or updating m_flags.
- ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete() and ksmbd_fd_set_delete_on_close()
used to read and modify m_flags without ci->m_lock.
This creates a potential data race on m_flags when multiple threads
open, close and delete the same file concurrently. In the worst case
delete-on-close and pending-delete bits can be lost or observed in an
inconsistent state, leading to confusing delete semantics (files that
stay on disk after delete-on-close, or files that disappear while still
in use).
Fix it by:
- Making ksmbd_query_inode_status() look at m_flags under ci->m_lock
after dropping inode_hash_lock.
- Adding ci->m_lock protection to all helpers that read or modify
m_flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(),
ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()).
- Keeping the existing ci->m_lock protection in __ksmbd_inode_close(),
and moving the actual unlink/xattr removal outside the lock.
This unifies the locking around m_flags and removes the data race while
preserving the existing delete-on-close behaviour.
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/vfs_cache.c | 88 +++++++++++++++++++++++++++------------
1 file changed, 62 insertions(+), 26 deletions(-)
diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
index 002f0864abee6..2fcb7ca33a63c 100644
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -105,40 +105,62 @@ int ksmbd_query_inode_status(struct dentry *dentry)
read_lock(&inode_hash_lock);
ci = __ksmbd_inode_lookup(dentry);
- if (ci) {
- ret = KSMBD_INODE_STATUS_OK;
- if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
- ret = KSMBD_INODE_STATUS_PENDING_DELETE;
- atomic_dec(&ci->m_count);
- }
read_unlock(&inode_hash_lock);
+ if (!ci)
+ return ret;
+
+ down_read(&ci->m_lock);
+ if (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS))
+ ret = KSMBD_INODE_STATUS_PENDING_DELETE;
+ else
+ ret = KSMBD_INODE_STATUS_OK;
+ up_read(&ci->m_lock);
+
+ atomic_dec(&ci->m_count);
return ret;
}
bool ksmbd_inode_pending_delete(struct ksmbd_file *fp)
{
- return (fp->f_ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
+ struct ksmbd_inode *ci = fp->f_ci;
+ int ret;
+
+ down_read(&ci->m_lock);
+ ret = (ci->m_flags & (S_DEL_PENDING | S_DEL_ON_CLS));
+ up_read(&ci->m_lock);
+
+ return ret;
}
void ksmbd_set_inode_pending_delete(struct ksmbd_file *fp)
{
- fp->f_ci->m_flags |= S_DEL_PENDING;
+ struct ksmbd_inode *ci = fp->f_ci;
+
+ down_write(&ci->m_lock);
+ ci->m_flags |= S_DEL_PENDING;
+ up_write(&ci->m_lock);
}
void ksmbd_clear_inode_pending_delete(struct ksmbd_file *fp)
{
- fp->f_ci->m_flags &= ~S_DEL_PENDING;
+ struct ksmbd_inode *ci = fp->f_ci;
+
+ down_write(&ci->m_lock);
+ ci->m_flags &= ~S_DEL_PENDING;
+ up_write(&ci->m_lock);
}
void ksmbd_fd_set_delete_on_close(struct ksmbd_file *fp,
int file_info)
{
- if (ksmbd_stream_fd(fp)) {
- fp->f_ci->m_flags |= S_DEL_ON_CLS_STREAM;
- return;
- }
+ struct ksmbd_inode *ci = fp->f_ci;
- fp->f_ci->m_flags |= S_DEL_ON_CLS;
+ down_write(&ci->m_lock);
+ if (ksmbd_stream_fd(fp))
+ ci->m_flags |= S_DEL_ON_CLS_STREAM;
+ else
+ ci->m_flags |= S_DEL_ON_CLS;
+ up_write(&ci->m_lock);
}
static void ksmbd_inode_hash(struct ksmbd_inode *ci)
@@ -250,27 +272,41 @@ static void __ksmbd_inode_close(struct ksmbd_file *fp)
struct file *filp;
filp = fp->filp;
- if (ksmbd_stream_fd(fp) && (ci->m_flags & S_DEL_ON_CLS_STREAM)) {
- ci->m_flags &= ~S_DEL_ON_CLS_STREAM;
- err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp),
- &filp->f_path,
- fp->stream.name,
- true);
- if (err)
- pr_err("remove xattr failed : %s\n",
- fp->stream.name);
+
+ if (ksmbd_stream_fd(fp)) {
+ bool remove_stream_xattr = false;
+
+ down_write(&ci->m_lock);
+ if (ci->m_flags & S_DEL_ON_CLS_STREAM) {
+ ci->m_flags &= ~S_DEL_ON_CLS_STREAM;
+ remove_stream_xattr = true;
+ }
+ up_write(&ci->m_lock);
+
+ if (remove_stream_xattr) {
+ err = ksmbd_vfs_remove_xattr(file_mnt_idmap(filp),
+ &filp->f_path,
+ fp->stream.name,
+ true);
+ if (err)
+ pr_err("remove xattr failed : %s\n",
+ fp->stream.name);
+ }
}
if (atomic_dec_and_test(&ci->m_count)) {
+ bool do_unlink = false;
+
down_write(&ci->m_lock);
if (ci->m_flags & (S_DEL_ON_CLS | S_DEL_PENDING)) {
ci->m_flags &= ~(S_DEL_ON_CLS | S_DEL_PENDING);
- up_write(&ci->m_lock);
- ksmbd_vfs_unlink(filp);
- down_write(&ci->m_lock);
+ do_unlink = true;
}
up_write(&ci->m_lock);
+ if (do_unlink)
+ ksmbd_vfs_unlink(filp);
+
ksmbd_inode_free(ci);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 328/737] Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 327/737] ksmbd: vfs: fix race on m_flags in vfs_cache Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 329/737] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Greg Kroah-Hartman
` (419 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chingbin Li, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chingbin Li <liqb365@163.com>
[ Upstream commit 8dbbb5423c0802ec21266765de80fd491868fab1 ]
Add VID 2b89 & PID 6275 for Realtek RTL8761BUV USB Bluetooth chip.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below.
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 6 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=2b89 ProdID=6275 Rev= 2.00
S: Manufacturer=Realtek
S: Product=Bluetooth Radio
S: SerialNumber=00E04C239987
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
Signed-off-by: Chingbin Li <liqb365@163.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 74d264b64b534..798537ee56a5f 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -735,6 +735,8 @@ static const struct usb_device_id quirks_table[] = {
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x2b89, 0x8761), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x2b89, 0x6275), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Additional Realtek 8821AE Bluetooth devices */
{ USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 329/737] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 328/737] Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 330/737] gfs2: Fix use of bio_chain Greg Kroah-Hartman
` (418 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gongwei Li, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gongwei Li <ligongwei@kylinos.cn>
[ Upstream commit 525459da4bd62a81142fea3f3d52188ceb4d8907 ]
Add VID 13d3 & PID 3533 for Realtek RTL8821CE USB Bluetooth chip.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below.
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3533 Rev= 1.10
S: Manufacturer=Realtek
S: Product=Bluetooth Radio
S: SerialNumber=00e04c000001
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
Signed-off-by: Gongwei Li <ligongwei@kylinos.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 798537ee56a5f..7bc7ee4eebd30 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -498,6 +498,8 @@ static const struct usb_device_id quirks_table[] = {
/* Realtek 8821CE Bluetooth devices */
{ USB_DEVICE(0x13d3, 0x3529), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x13d3, 0x3533), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Realtek 8822CE Bluetooth devices */
{ USB_DEVICE(0x0bda, 0xb00c), .driver_info = BTUSB_REALTEK |
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 330/737] gfs2: Fix use of bio_chain
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 329/737] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 331/737] net: fec: ERR007885 Workaround for XDP TX path Greg Kroah-Hartman
` (417 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Zhang, Andreas Gruenbacher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
[ Upstream commit 8a157e0a0aa5143b5d94201508c0ca1bb8cfb941 ]
In gfs2_chain_bio(), the call to bio_chain() has its arguments swapped.
The result is leaked bios and incorrect synchronization (only the last
bio will actually be waited for). This code is only used during mount
and filesystem thaw, so the bug normally won't be noticeable.
Reported-by: Stephen Zhang <starzhangzsd@gmail.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/lops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
index 483f698070622..b25b741e3c96a 100644
--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -492,7 +492,7 @@ static struct bio *gfs2_chain_bio(struct bio *prev, unsigned int nr_iovecs)
new = bio_alloc(prev->bi_bdev, nr_iovecs, prev->bi_opf, GFP_NOIO);
bio_clone_blkg_association(new, prev);
new->bi_iter.bi_sector = bio_end_sector(prev);
- bio_chain(new, prev);
+ bio_chain(prev, new);
submit_bio(prev);
return new;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 331/737] net: fec: ERR007885 Workaround for XDP TX path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 330/737] gfs2: Fix use of bio_chain Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 332/737] netrom: Fix memory leak in nr_sendmsg() Greg Kroah-Hartman
` (416 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wei Fang, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit e8e032cd24dda7cceaa27bc2eb627f82843f0466 ]
The ERR007885 will lead to a TDAR race condition for mutliQ when the
driver sets TDAR and the UDMA clears TDAR simultaneously or in a small
window (2-4 cycles). And it will cause the udma_tx and udma_tx_arbiter
state machines to hang. Therefore, the commit 53bb20d1faba ("net: fec:
add variable reg_desc_active to speed things up") and the commit
a179aad12bad ("net: fec: ERR007885 Workaround for conventional TX") have
added the workaround to fix the potential issue for the conventional TX
path. Similarly, the XDP TX path should also have the potential hang
issue, so add the workaround for XDP TX path.
Fixes: 6d6b39f180b8 ("net: fec: add initial XDP support")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20251128025915.2486943-1-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec_main.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index ee0306ab97714..7efe4e81cf320 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -3935,7 +3935,12 @@ static int fec_enet_txq_xmit_frame(struct fec_enet_private *fep,
txq->bd.cur = bdp;
/* Trigger transmission start */
- writel(0, txq->bd.reg_desc_active);
+ if (!(fep->quirks & FEC_QUIRK_ERR007885) ||
+ !readl(txq->bd.reg_desc_active) ||
+ !readl(txq->bd.reg_desc_active) ||
+ !readl(txq->bd.reg_desc_active) ||
+ !readl(txq->bd.reg_desc_active))
+ writel(0, txq->bd.reg_desc_active);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 332/737] netrom: Fix memory leak in nr_sendmsg()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 331/737] net: fec: ERR007885 Workaround for XDP TX path Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 333/737] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Greg Kroah-Hartman
` (415 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d7abc36bbbb6d7d40b58,
Wang Liang, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Liang <wangliang74@huawei.com>
[ Upstream commit 613d12dd794e078be8ff3cf6b62a6b9acf7f4619 ]
syzbot reported a memory leak [1].
When function sock_alloc_send_skb() return NULL in nr_output(), the
original skb is not freed, which was allocated in nr_sendmsg(). Fix this
by freeing it before return.
[1]
BUG: memory leak
unreferenced object 0xffff888129f35500 (size 240):
comm "syz.0.17", pid 6119, jiffies 4294944652
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....
backtrace (crc 1456a3e4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
sock_alloc_send_skb include/net/sock.h:1859 [inline]
nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
sock_write_iter+0x293/0x2a0 net/socket.c:1195
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0x143/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58
Tested-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Link: https://patch.msgid.link/20251129041315.1550766-1-wangliang74@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netrom/nr_out.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
index 5e531394a724b..2b3cbceb0b52d 100644
--- a/net/netrom/nr_out.c
+++ b/net/netrom/nr_out.c
@@ -43,8 +43,10 @@ void nr_output(struct sock *sk, struct sk_buff *skb)
frontlen = skb_headroom(skb);
while (skb->len > 0) {
- if ((skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err)) == NULL)
+ if ((skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err)) == NULL) {
+ kfree_skb(skb);
return;
+ }
skb_reserve(skbn, frontlen);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 333/737] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 332/737] netrom: Fix memory leak in nr_sendmsg() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 334/737] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Greg Kroah-Hartman
` (414 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, zdi-disclosures, Victor Nogueira,
Jamal Hadi Salim, Davide Caratti, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit ce052b9402e461a9aded599f5b47e76bc727f7de ]
zdi-disclosures@trendmicro.com says:
The vulnerability is a race condition between `ets_qdisc_dequeue` and
`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.
Attacker requires the capability to create new user and network namespace
in order to trigger the bug.
See my additional commentary at the end of the analysis.
Analysis:
static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
struct netlink_ext_ack *extack)
{
...
// (1) this lock is preventing .change handler (`ets_qdisc_change`)
//to race with .dequeue handler (`ets_qdisc_dequeue`)
sch_tree_lock(sch);
for (i = nbands; i < oldbands; i++) {
if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
// (2) the class is added to the q->active
list_add_tail(&q->classes[i].alist, &q->active);
q->classes[i].deficit = quanta[i];
}
}
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
for (i = 0; i < q->nbands; i++)
WRITE_ONCE(q->classes[i].quantum, quanta[i]);
for (i = oldbands; i < q->nbands; i++) {
q->classes[i].qdisc = queues[i];
if (q->classes[i].qdisc != &noop_qdisc)
qdisc_hash_add(q->classes[i].qdisc, true);
}
// (3) the qdisc is unlocked, now dequeue can be called in parallel
// to the rest of .change handler
sch_tree_unlock(sch);
ets_offload_change(sch);
for (i = q->nbands; i < oldbands; i++) {
// (4) we're reducing the refcount for our class's qdisc and
// freeing it
qdisc_put(q->classes[i].qdisc);
// (5) If we call .dequeue between (4) and (5), we will have
// a strong UAF and we can control RIP
q->classes[i].qdisc = NULL;
WRITE_ONCE(q->classes[i].quantum, 0);
q->classes[i].deficit = 0;
gnet_stats_basic_sync_init(&q->classes[i].bstats);
memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
}
return 0;
}
Comment:
This happens because some of the classes have their qdiscs assigned to
NULL, but remain in the active list. This commit fixes this issue by always
removing the class from the active list before deleting and freeing its
associated qdisc
Reproducer Steps
(trimmed version of what was sent by zdi-disclosures@trendmicro.com)
```
DEV="${DEV:-lo}"
ROOT_HANDLE="${ROOT_HANDLE:-1:}"
BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2
PING_BYTES="${PING_BYTES:-48}"
PING_COUNT="${PING_COUNT:-200000}"
PING_DST="${PING_DST:-127.0.0.1}"
SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"
SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"
SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"
cleanup() {
tc qdisc del dev "$DEV" root 2>/dev/null
}
trap cleanup EXIT
ip link set "$DEV" up
tc qdisc del dev "$DEV" root 2>/dev/null || true
tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \
tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"
tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2
tc -s qdisc ls dev $DEV
ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \
>/dev/null 2>&1 &
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc -s qdisc ls dev $DEV
tc qdisc del dev "$DEV" parent 1:2 || true
tc -s qdisc ls dev $DEV
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 1 strict 1
```
KASAN report
```
==================================================================
BUG: KASAN: slab-use-after-free in ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481
Read of size 8 at addr ffff8880502fc018 by task ping/12308
>
CPU: 0 UID: 0 PID: 12308 Comm: ping Not tainted 6.18.0-rc4-dirty #1 PREEMPT(full)
Hardware name: QEMU Ubuntu 25.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
__dump_stack kernel/lib/dump_stack.c:94
dump_stack_lvl+0x100/0x190 kernel/lib/dump_stack.c:120
print_address_description kernel/mm/kasan/report.c:378
print_report+0x156/0x4c9 kernel/mm/kasan/report.c:482
kasan_report+0xdf/0x110 kernel/mm/kasan/report.c:595
ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481
dequeue_skb kernel/net/sched/sch_generic.c:294
qdisc_restart kernel/net/sched/sch_generic.c:399
__qdisc_run+0x1c9/0x1b00 kernel/net/sched/sch_generic.c:417
__dev_xmit_skb kernel/net/core/dev.c:4221
__dev_queue_xmit+0x2848/0x4410 kernel/net/core/dev.c:4729
dev_queue_xmit kernel/./include/linux/netdevice.h:3365
[...]
Allocated by task 17115:
kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56
kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77
poison_kmalloc_redzone kernel/mm/kasan/common.c:400
__kasan_kmalloc+0xaa/0xb0 kernel/mm/kasan/common.c:417
kasan_kmalloc kernel/./include/linux/kasan.h:262
__do_kmalloc_node kernel/mm/slub.c:5642
__kmalloc_node_noprof+0x34e/0x990 kernel/mm/slub.c:5648
kmalloc_node_noprof kernel/./include/linux/slab.h:987
qdisc_alloc+0xb8/0xc30 kernel/net/sched/sch_generic.c:950
qdisc_create_dflt+0x93/0x490 kernel/net/sched/sch_generic.c:1012
ets_class_graft+0x4fd/0x800 kernel/net/sched/sch_ets.c:261
qdisc_graft+0x3e4/0x1780 kernel/net/sched/sch_api.c:1196
[...]
Freed by task 9905:
kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56
kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x70 kernel/mm/kasan/generic.c:587
kasan_save_free_info kernel/mm/kasan/kasan.h:406
poison_slab_object kernel/mm/kasan/common.c:252
__kasan_slab_free+0x5f/0x80 kernel/mm/kasan/common.c:284
kasan_slab_free kernel/./include/linux/kasan.h:234
slab_free_hook kernel/mm/slub.c:2539
slab_free kernel/mm/slub.c:6630
kfree+0x144/0x700 kernel/mm/slub.c:6837
rcu_do_batch kernel/kernel/rcu/tree.c:2605
rcu_core+0x7c0/0x1500 kernel/kernel/rcu/tree.c:2861
handle_softirqs+0x1ea/0x8a0 kernel/kernel/softirq.c:622
__do_softirq kernel/kernel/softirq.c:656
[...]
Commentary:
1. Maher Azzouzi working with Trend Micro Zero Day Initiative was reported as
the person who found the issue. I requested to get a proper email to add to the
reported-by tag but got no response. For this reason i will credit the person
i exchanged emails with i.e zdi-disclosures@trendmicro.com
2. Neither i nor Victor who did a much more thorough testing was able to
reproduce a UAF with the PoC or other approaches we tried. We were both able to
reproduce a null ptr deref. After exchange with zdi-disclosures@trendmicro.com
they sent a small change to be made to the code to add an extra delay which
was able to simulate the UAF. i.e, this:
qdisc_put(q->classes[i].qdisc);
mdelay(90);
q->classes[i].qdisc = NULL;
I was informed by Thomas Gleixner(tglx@linutronix.de) that adding delays was
acceptable approach for demonstrating the bug, quote:
"Adding such delays is common exploit validation practice"
The equivalent delay could happen "by virt scheduling the vCPU out, SMIs,
NMIs, PREEMPT_RT enabled kernel"
3. I asked the OP to test and report back but got no response and after a
few days gave up and proceeded to submit this fix.
Fixes: de6d25924c2a ("net/sched: sch_ets: don't peek at classes beyond 'nbands'")
Reported-by: zdi-disclosures@trendmicro.com
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
Link: https://patch.msgid.link/20251128151919.576920-1-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_ets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index 9873f4ae90c3a..b732d09ede99a 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -652,7 +652,7 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
sch_tree_lock(sch);
for (i = nbands; i < oldbands; i++) {
- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
+ if (cl_is_active(&q->classes[i]))
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 334/737] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 333/737] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 335/737] mlxsw: spectrum_router: Fix possible neighbour reference count leak Greg Kroah-Hartman
` (413 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Skorodumov, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
[ Upstream commit 0c57ff008a11f24f7f05fa760222692a00465fec ]
Packets with pkt_type == PACKET_LOOPBACK are captured by
handle_frame() function, but they don't have L2 header.
We should not process them in handle_mode_l2().
This doesn't affect old L2 functionality, since handling
was anyway incorrect.
Handle them the same way as in br_handle_frame():
just pass the skb.
To observe invalid behaviour, just start "ping -b" on bcast address
of port-interface.
Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
Link: https://patch.msgid.link/20251202103906.4087675-1-skorodumov.dmitry@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ipvlan/ipvlan_core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index ca62188a317ad..83bd65a227709 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -737,6 +737,9 @@ static rx_handler_result_t ipvlan_handle_mode_l2(struct sk_buff **pskb,
struct ethhdr *eth = eth_hdr(skb);
rx_handler_result_t ret = RX_HANDLER_PASS;
+ if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
+ return RX_HANDLER_PASS;
+
if (is_multicast_ether_addr(eth->h_dest)) {
if (ipvlan_external_frame(skb, port)) {
struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 335/737] mlxsw: spectrum_router: Fix possible neighbour reference count leak
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 334/737] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 336/737] mlxsw: spectrum_router: Fix neighbour use-after-free Greg Kroah-Hartman
` (412 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Ido Schimmel,
Simon Horman, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit b6b638bda240395dff49a87403b2e32493e56d2a ]
mlxsw_sp_router_schedule_work() takes a reference on a neighbour,
expecting a work item to release it later on. However, we might fail to
schedule the work item, in which case the neighbour reference count will
be leaked.
Fix by taking the reference just before scheduling the work item. Note
that mlxsw_sp_router_schedule_work() can receive a NULL neighbour
pointer, but neigh_clone() handles that correctly.
Spotted during code review, did not actually observe the reference count
leak.
Fixes: 151b89f6025a ("mlxsw: spectrum_router: Reuse work neighbor initialization in work scheduler")
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/ec2934ae4aca187a8d8c9329a08ce93cca411378.1764695650.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 0534b10e29c5c..f5c34218ba85b 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -2857,6 +2857,11 @@ static int mlxsw_sp_router_schedule_work(struct net *net,
if (!net_work)
return NOTIFY_BAD;
+ /* Take a reference to ensure the neighbour won't be destructed until
+ * we drop the reference in the work item.
+ */
+ neigh_clone(n);
+
INIT_WORK(&net_work->work, cb);
net_work->mlxsw_sp = router->mlxsw_sp;
net_work->n = n;
@@ -2880,11 +2885,6 @@ static int mlxsw_sp_router_schedule_neigh_work(struct mlxsw_sp_router *router,
struct net *net;
net = neigh_parms_net(n->parms);
-
- /* Take a reference to ensure the neighbour won't be destructed until we
- * drop the reference in delayed work.
- */
- neigh_clone(n);
return mlxsw_sp_router_schedule_work(net, router, n,
mlxsw_sp_router_neigh_event_work);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 336/737] mlxsw: spectrum_router: Fix neighbour use-after-free
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 335/737] mlxsw: spectrum_router: Fix possible neighbour reference count leak Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 337/737] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Greg Kroah-Hartman
` (411 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Petr Machata,
Simon Horman, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 8b0e69763ef948fb872a7767df4be665d18f5fd4 ]
We sometimes observe use-after-free when dereferencing a neighbour [1].
The problem seems to be that the driver stores a pointer to the
neighbour, but without holding a reference on it. A reference is only
taken when the neighbour is used by a nexthop.
Fix by simplifying the reference counting scheme. Always take a
reference when storing a neighbour pointer in a neighbour entry. Avoid
taking a referencing when the neighbour is used by a nexthop as the
neighbour entry associated with the nexthop already holds a reference.
Tested by running the test that uncovered the problem over 300 times.
Without this patch the problem was reproduced after a handful of
iterations.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310
Read of size 8 at addr ffff88817f8e3420 by task ip/3929
CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_address_description.constprop.0+0x6e/0x300
print_report+0xfc/0x1fb
kasan_report+0xe4/0x110
mlxsw_sp_neigh_entry_update+0x2d4/0x310
mlxsw_sp_router_rif_gone_sync+0x35f/0x510
mlxsw_sp_rif_destroy+0x1ea/0x730
mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0
__mlxsw_sp_inetaddr_lag_event+0xcc/0x130
__mlxsw_sp_inetaddr_event+0xf5/0x3c0
mlxsw_sp_router_netdevice_event+0x1015/0x1580
notifier_call_chain+0xcc/0x150
call_netdevice_notifiers_info+0x7e/0x100
__netdev_upper_dev_unlink+0x10b/0x210
netdev_upper_dev_unlink+0x79/0xa0
vrf_del_slave+0x18/0x50
do_set_master+0x146/0x7d0
do_setlink.isra.0+0x9a0/0x2880
rtnl_newlink+0x637/0xb20
rtnetlink_rcv_msg+0x6fe/0xb90
netlink_rcv_skb+0x123/0x380
netlink_unicast+0x4a3/0x770
netlink_sendmsg+0x75b/0xc90
__sock_sendmsg+0xbe/0x160
____sys_sendmsg+0x5b2/0x7d0
___sys_sendmsg+0xfd/0x180
__sys_sendmsg+0x124/0x1c0
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[...]
Allocated by task 109:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x2c1/0x790
neigh_alloc+0x6af/0x8f0
___neigh_create+0x63/0xe90
mlxsw_sp_nexthop_neigh_init+0x430/0x7e0
mlxsw_sp_nexthop_type_init+0x212/0x960
mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280
mlxsw_sp_nexthop6_group_get+0x392/0x6a0
mlxsw_sp_fib6_entry_create+0x46a/0xfd0
mlxsw_sp_router_fib6_replace+0x1ed/0x5f0
mlxsw_sp_router_fib6_event_work+0x10a/0x2a0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Freed by task 154:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kmem_cache_free_bulk.part.0+0x1eb/0x5e0
kvfree_rcu_bulk+0x1f2/0x260
kfree_rcu_work+0x130/0x1b0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Last potentially related work creation:
kasan_save_stack+0x30/0x50
kasan_record_aux_stack+0x8c/0xa0
kvfree_call_rcu+0x93/0x5b0
mlxsw_sp_router_neigh_event_work+0x67d/0x860
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Fixes: 6cf3c971dc84 ("mlxsw: spectrum_router: Add private neigh table")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/92d75e21d95d163a41b5cea67a15cd33f547cba6.1764695650.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/mellanox/mlxsw/spectrum_router.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index f5c34218ba85b..4cd79473ace54 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -2264,6 +2264,7 @@ mlxsw_sp_neigh_entry_alloc(struct mlxsw_sp *mlxsw_sp, struct neighbour *n,
if (!neigh_entry)
return NULL;
+ neigh_hold(n);
neigh_entry->key.n = n;
neigh_entry->rif = rif;
INIT_LIST_HEAD(&neigh_entry->nexthop_list);
@@ -2273,6 +2274,7 @@ mlxsw_sp_neigh_entry_alloc(struct mlxsw_sp *mlxsw_sp, struct neighbour *n,
static void mlxsw_sp_neigh_entry_free(struct mlxsw_sp_neigh_entry *neigh_entry)
{
+ neigh_release(neigh_entry->key.n);
kfree(neigh_entry);
}
@@ -4203,6 +4205,8 @@ mlxsw_sp_nexthop_dead_neigh_replace(struct mlxsw_sp *mlxsw_sp,
if (err)
goto err_neigh_entry_insert;
+ neigh_release(old_n);
+
read_lock_bh(&n->lock);
nud_state = n->nud_state;
dead = n->dead;
@@ -4211,14 +4215,10 @@ mlxsw_sp_nexthop_dead_neigh_replace(struct mlxsw_sp *mlxsw_sp,
list_for_each_entry(nh, &neigh_entry->nexthop_list,
neigh_list_node) {
- neigh_release(old_n);
- neigh_clone(n);
__mlxsw_sp_nexthop_neigh_update(nh, !entry_connected);
mlxsw_sp_nexthop_group_refresh(mlxsw_sp, nh->nhgi->nh_grp);
}
- neigh_release(n);
-
return 0;
err_neigh_entry_insert:
@@ -4311,6 +4311,11 @@ static int mlxsw_sp_nexthop_neigh_init(struct mlxsw_sp *mlxsw_sp,
}
}
+ /* Release the reference taken by neigh_lookup() / neigh_create() since
+ * neigh_entry already holds one.
+ */
+ neigh_release(n);
+
/* If that is the first nexthop connected to that neigh, add to
* nexthop_neighs_list
*/
@@ -4337,11 +4342,9 @@ static void mlxsw_sp_nexthop_neigh_fini(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_nexthop *nh)
{
struct mlxsw_sp_neigh_entry *neigh_entry = nh->neigh_entry;
- struct neighbour *n;
if (!neigh_entry)
return;
- n = neigh_entry->key.n;
__mlxsw_sp_nexthop_neigh_update(nh, true);
list_del(&nh->neigh_list_node);
@@ -4355,8 +4358,6 @@ static void mlxsw_sp_nexthop_neigh_fini(struct mlxsw_sp *mlxsw_sp,
if (!neigh_entry->connected && list_empty(&neigh_entry->nexthop_list))
mlxsw_sp_neigh_entry_destroy(mlxsw_sp, neigh_entry);
-
- neigh_release(n);
}
static bool mlxsw_sp_ipip_netdev_ul_up(struct net_device *ol_dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 337/737] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 336/737] mlxsw: spectrum_router: Fix neighbour use-after-free Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 338/737] net: openvswitch: fix middle attribute validation in push_nsh() action Greg Kroah-Hartman
` (410 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Petr Machata,
Simon Horman, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 8ac1dacec458f55f871f7153242ed6ab60373b90 ]
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Fixes: f38656d06725 ("mlxsw: spectrum_mr: Protect multicast route list with a lock")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/f996feecfd59fde297964bfc85040b6d83ec6089.1764695650.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
index 5afe6b155ef0d..81935f87bfcd7 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
@@ -440,7 +440,9 @@ int mlxsw_sp_mr_route_add(struct mlxsw_sp_mr_table *mr_table,
rhashtable_remove_fast(&mr_table->route_ht,
&mr_orig_route->ht_node,
mlxsw_sp_mr_route_ht_params);
+ mutex_lock(&mr_table->route_list_lock);
list_del(&mr_orig_route->node);
+ mutex_unlock(&mr_table->route_list_lock);
mlxsw_sp_mr_route_destroy(mr_table, mr_orig_route);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 338/737] net: openvswitch: fix middle attribute validation in push_nsh() action
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 337/737] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 339/737] broadcom: b44: prevent uninitialized value usage Greg Kroah-Hartman
` (409 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junvy Yang, Ilya Maximets,
Aaron Conole, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
[ Upstream commit 5ace7ef87f059d68b5f50837ef3e8a1a4870c36e ]
The push_nsh() action structure looks like this:
OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost
OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
inside nsh_key_put_from_nlattr(). But nothing checks if the attribute
in the middle is OK. We don't even check that this attribute is the
OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()
calls - first time directly while calling validate_push_nsh() and the
second time as part of the nla_for_each_nested() macro, which isn't
safe, potentially causing invalid memory access if the size of this
attribute is incorrect. The failure may not be noticed during
validation due to larger netlink buffer, but cause trouble later during
action execution where the buffer is allocated exactly to the size:
BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
Read of size 184 at addr ffff88816459a634 by task a.out/22624
CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x2c/0x390
kasan_report+0xdd/0x110
kasan_check_range+0x35/0x1b0
__asan_memcpy+0x20/0x60
nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
push_nsh+0x82/0x120 [openvswitch]
do_execute_actions+0x1405/0x2840 [openvswitch]
ovs_execute_actions+0xd5/0x3b0 [openvswitch]
ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
genl_family_rcv_msg_doit+0x1d6/0x2b0
genl_family_rcv_msg+0x336/0x580
genl_rcv_msg+0x9f/0x130
netlink_rcv_skb+0x11f/0x370
genl_rcv+0x24/0x40
netlink_unicast+0x73e/0xaa0
netlink_sendmsg+0x744/0xbf0
__sys_sendto+0x3d6/0x450
do_syscall_64+0x79/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Let's add some checks that the attribute is properly sized and it's
the only one attribute inside the action. Technically, there is no
real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
pushing an NSH header already, it just creates extra nesting, but
that's how uAPI works today. So, keeping as it is.
Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
Reported-by: Junvy Yang <zhuque@tencent.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Eelco Chaudron echaudro@redhat.com
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20251204105334.900379-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 836e8e705d40e..1d9a44d6216af 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2788,13 +2788,20 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
return err;
}
-static bool validate_push_nsh(const struct nlattr *attr, bool log)
+static bool validate_push_nsh(const struct nlattr *a, bool log)
{
+ struct nlattr *nsh_key = nla_data(a);
struct sw_flow_match match;
struct sw_flow_key key;
+ /* There must be one and only one NSH header. */
+ if (!nla_ok(nsh_key, nla_len(a)) ||
+ nla_total_size(nla_len(nsh_key)) != nla_len(a) ||
+ nla_type(nsh_key) != OVS_KEY_ATTR_NSH)
+ return false;
+
ovs_match_init(&match, &key, true, NULL);
- return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ return !nsh_key_put_from_nlattr(nsh_key, &match, false, true, log);
}
/* Return false if there are any non-masked bits set.
@@ -3351,7 +3358,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
return -EINVAL;
}
mac_proto = MAC_PROTO_NONE;
- if (!validate_push_nsh(nla_data(a), log))
+ if (!validate_push_nsh(a, log))
return -EINVAL;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 339/737] broadcom: b44: prevent uninitialized value usage
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 338/737] net: openvswitch: fix middle attribute validation in push_nsh() action Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 340/737] netfilter: nf_conncount: fix leaked ct in error paths Greg Kroah-Hartman
` (408 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Andrew Lunn,
Alexey Simakov, Michael Chan, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Simakov <bigalex934@gmail.com>
[ Upstream commit 50b3db3e11864cb4e18ff099cfb38e11e7f87a68 ]
On execution path with raised B44_FLAG_EXTERNAL_PHY, b44_readphy()
leaves bmcr value uninitialized and it is used later in the code.
Add check of this flag at the beginning of the b44_nway_reset() and
exit early of the function with restarting autonegotiation if an
external PHY is used.
Fixes: 753f492093da ("[B44]: port to native ssb support")
Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
Link: https://patch.msgid.link/20251205155815.4348-1-bigalex934@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/b44.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/b44.c b/drivers/net/ethernet/broadcom/b44.c
index 1be6d14030bcf..ba40549536e46 100644
--- a/drivers/net/ethernet/broadcom/b44.c
+++ b/drivers/net/ethernet/broadcom/b44.c
@@ -1789,6 +1789,9 @@ static int b44_nway_reset(struct net_device *dev)
u32 bmcr;
int r;
+ if (bp->flags & B44_FLAG_EXTERNAL_PHY)
+ return phy_ethtool_nway_reset(dev);
+
spin_lock_irq(&bp->lock);
b44_readphy(bp, MII_BMCR, &bmcr);
b44_readphy(bp, MII_BMCR, &bmcr);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 340/737] netfilter: nf_conncount: fix leaked ct in error paths
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 339/737] broadcom: b44: prevent uninitialized value usage Greg Kroah-Hartman
@ 2026-01-09 11:37 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 341/737] ipvs: fix ipv4 null-ptr-deref in route error path Greg Kroah-Hartman
` (407 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:37 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Florian Westphal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 2e2a720766886190a6d35c116794693aabd332b6 ]
There are some situations where ct might be leaked as error paths are
skipping the refcounted check and return immediately. In order to solve
it make sure that the check is always called.
Fixes: be102eb6a0e7 ("netfilter: nf_conncount: rework API to use sk_buff directly")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conncount.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 97b631a81484d..c00b8e522c5a7 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -172,14 +172,14 @@ static int __nf_conncount_add(struct net *net,
struct nf_conn *found_ct;
unsigned int collect = 0;
bool refcounted = false;
+ int err = 0;
if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
return -ENOENT;
if (ct && nf_ct_is_confirmed(ct)) {
- if (refcounted)
- nf_ct_put(ct);
- return -EEXIST;
+ err = -EEXIST;
+ goto out_put;
}
if ((u32)jiffies == list->last_gc)
@@ -231,12 +231,16 @@ static int __nf_conncount_add(struct net *net,
}
add_new_node:
- if (WARN_ON_ONCE(list->count > INT_MAX))
- return -EOVERFLOW;
+ if (WARN_ON_ONCE(list->count > INT_MAX)) {
+ err = -EOVERFLOW;
+ goto out_put;
+ }
conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
- if (conn == NULL)
- return -ENOMEM;
+ if (conn == NULL) {
+ err = -ENOMEM;
+ goto out_put;
+ }
conn->tuple = tuple;
conn->zone = *zone;
@@ -249,7 +253,7 @@ static int __nf_conncount_add(struct net *net,
out_put:
if (refcounted)
nf_ct_put(ct);
- return 0;
+ return err;
}
int nf_conncount_add_skb(struct net *net,
@@ -446,11 +450,10 @@ insert_tree(struct net *net,
rb_link_node_rcu(&rbconn->node, parent, rbnode);
rb_insert_color(&rbconn->node, root);
-
- if (refcounted)
- nf_ct_put(ct);
}
out_unlock:
+ if (refcounted)
+ nf_ct_put(ct);
spin_unlock_bh(&nf_conncount_locks[hash]);
return count;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 341/737] ipvs: fix ipv4 null-ptr-deref in route error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2026-01-09 11:37 ` [PATCH 6.6 340/737] netfilter: nf_conncount: fix leaked ct in error paths Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 342/737] caif: fix integer underflow in cffrml_receive() Greg Kroah-Hartman
` (406 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Slavin Liu, Julian Anastasov,
Florian Westphal, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Slavin Liu <slavin452@gmail.com>
[ Upstream commit ad891bb3d079a46a821bf2b8867854645191bab0 ]
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
__ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
<TASK>
spec_dst_fill net/ipv4/ip_options.c:232
spec_dst_fill net/ipv4/ip_options.c:229
__ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
ipv4_send_dest_unreach net/ipv4/route.c:1252
ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
dst_link_failure include/net/dst.h:437
__ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
Signed-off-by: Slavin Liu <slavin452@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipvs/ip_vs_xmit.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 0103c4a4d10a5..2877706f0162f 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -409,6 +409,9 @@ __ip_vs_get_out_rt(struct netns_ipvs *ipvs, int skb_af, struct sk_buff *skb,
return -1;
err_unreach:
+ if (!skb->dev)
+ skb->dev = skb_dst(skb)->dev;
+
dst_link_failure(skb);
return -1;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 342/737] caif: fix integer underflow in cffrml_receive()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 341/737] ipvs: fix ipv4 null-ptr-deref in route error path Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 343/737] net/sched: ets: Remove drr class from the active list if it changes to strict Greg Kroah-Hartman
` (405 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Simon Horman, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 8a11ff0948b5ad09b71896b7ccc850625f9878d1 ]
The cffrml_receive() function extracts a length field from the packet
header and, when FCS is disabled, subtracts 2 from this length without
validating that len >= 2.
If an attacker sends a malicious packet with a length field of 0 or 1
to an interface with FCS disabled, the subtraction causes an integer
underflow.
This can lead to memory exhaustion and kernel instability, potential
information disclosure if padding contains uninitialized kernel memory.
Fix this by validating that len >= 2 before performing the subtraction.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/caif/cffrml.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/caif/cffrml.c b/net/caif/cffrml.c
index 6651a8dc62e04..d4d63586053ad 100644
--- a/net/caif/cffrml.c
+++ b/net/caif/cffrml.c
@@ -92,8 +92,15 @@ static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt)
len = le16_to_cpu(tmp);
/* Subtract for FCS on length if FCS is not used. */
- if (!this->dofcs)
+ if (!this->dofcs) {
+ if (len < 2) {
+ ++cffrml_rcv_error;
+ pr_err("Invalid frame length (%d)\n", len);
+ cfpkt_destroy(pkt);
+ return -EPROTO;
+ }
len -= 2;
+ }
if (cfpkt_setlen(pkt, len) < 0) {
++cffrml_rcv_error;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 343/737] net/sched: ets: Remove drr class from the active list if it changes to strict
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 342/737] caif: fix integer underflow in cffrml_receive() Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 344/737] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Greg Kroah-Hartman
` (404 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Victor Nogueira,
Petr Machata, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Nogueira <victor@mojatatu.com>
[ Upstream commit b1e125ae425aba9b45252e933ca8df52a843ec70 ]
Whenever a user issues an ets qdisc change command, transforming a
drr class into a strict one, the ets code isn't checking whether that
class was in the active list and removing it. This means that, if a
user changes a strict class (which was in the active list) back to a drr
one, that class will be added twice to the active list [1].
Doing so with the following commands:
tc qdisc add dev lo root handle 1: ets bands 2 strict 1
tc qdisc add dev lo parent 1:2 handle 20: \
tbf rate 8bit burst 100b latency 1s
tc filter add dev lo parent 1: basic classid 1:2
ping -c1 -W0.01 -s 56 127.0.0.1
tc qdisc change dev lo root handle 1: ets bands 2 strict 2
tc qdisc change dev lo root handle 1: ets bands 2 strict 1
ping -c1 -W0.01 -s 56 127.0.0.1
Will trigger the following splat with list debug turned on:
[ 59.279014][ T365] ------------[ cut here ]------------
[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.
[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220
[ 59.280860][ T365] Modules linked in:
[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)
[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220
[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44
...
[ 59.288812][ T365] Call Trace:
[ 59.289056][ T365] <TASK>
[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80
[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0
[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10
[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240
[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10
[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110
[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0
Fix this by always checking and removing an ets class from the active list
when changing it to strict.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
Fixes: cd9b50adc6bb9 ("net/sched: ets: fix crash when flipping from 'strict' to 'quantum'")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20251208190125.1868423-1-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_ets.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index b732d09ede99a..6ff619277ffd9 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -664,6 +664,10 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
q->classes[i].deficit = quanta[i];
}
}
+ for (i = q->nstrict; i < nstrict; i++) {
+ if (cl_is_active(&q->classes[i]))
+ list_del_init(&q->classes[i].alist);
+ }
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 344/737] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 343/737] net/sched: ets: Remove drr class from the active list if it changes to strict Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 345/737] netfilter: nf_tables: pass context structure to nft_parse_register_load Greg Kroah-Hartman
` (403 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 885bebac9909994050bbbeed0829c727e42bd1b7 ]
Set the error code if "transferred != sizeof(cmd)" instead of
returning success.
Fixes: dbafc28955fa ("NFC: pn533: don't send USB data off of the stack")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aTfIJ9tZPmeUF4W1@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/pn533/usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
index a187f0e0b0f7d..9e079be43583e 100644
--- a/drivers/nfc/pn533/usb.c
+++ b/drivers/nfc/pn533/usb.c
@@ -407,7 +407,7 @@ static int pn533_acr122_poweron_rdr(struct pn533_usb_phy *phy)
if (rc || (transferred != sizeof(cmd))) {
nfc_err(&phy->udev->dev,
"Reader power on cmd error %d\n", rc);
- return rc;
+ return rc ?: -EINVAL;
}
rc = usb_submit_urb(phy->in_urb, GFP_KERNEL);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 345/737] netfilter: nf_tables: pass context structure to nft_parse_register_load
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 344/737] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 346/737] netfilter: nf_tables: allow loads only when register is initialized Greg Kroah-Hartman
` (402 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 7ea0522ef81a335c2d3a0ab1c8a4fab9a23c4a03 ]
Mechanical transformation, no logical changes intended.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: a67fd55f6a09 ("netfilter: nf_tables: remove redundant chain validation on register store")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 3 ++-
net/bridge/netfilter/nft_meta_bridge.c | 2 +-
net/ipv4/netfilter/nft_dup_ipv4.c | 4 ++--
net/ipv6/netfilter/nft_dup_ipv6.c | 4 ++--
net/netfilter/nf_tables_api.c | 3 ++-
net/netfilter/nft_bitwise.c | 4 ++--
net/netfilter/nft_byteorder.c | 2 +-
net/netfilter/nft_cmp.c | 6 +++---
net/netfilter/nft_ct.c | 2 +-
net/netfilter/nft_dup_netdev.c | 2 +-
net/netfilter/nft_dynset.c | 4 ++--
net/netfilter/nft_exthdr.c | 2 +-
net/netfilter/nft_fwd_netdev.c | 6 +++---
net/netfilter/nft_hash.c | 2 +-
net/netfilter/nft_lookup.c | 2 +-
net/netfilter/nft_masq.c | 4 ++--
net/netfilter/nft_meta.c | 2 +-
net/netfilter/nft_nat.c | 8 ++++----
net/netfilter/nft_objref.c | 2 +-
net/netfilter/nft_payload.c | 2 +-
net/netfilter/nft_queue.c | 2 +-
net/netfilter/nft_range.c | 2 +-
net/netfilter/nft_redir.c | 4 ++--
net/netfilter/nft_tproxy.c | 4 ++--
24 files changed, 40 insertions(+), 38 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 32606d5430605..917edb4380e58 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -254,7 +254,8 @@ static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
-int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len);
+int nft_parse_register_load(const struct nft_ctx *ctx,
+ const struct nlattr *attr, u8 *sreg, u32 len);
int nft_parse_register_store(const struct nft_ctx *ctx,
const struct nlattr *attr, u8 *dreg,
const struct nft_data *data,
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
index affb740c8685e..d12a221366d60 100644
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -142,7 +142,7 @@ static int nft_meta_bridge_set_init(const struct nft_ctx *ctx,
}
priv->len = len;
- err = nft_parse_register_load(tb[NFTA_META_SREG], &priv->sreg, len);
+ err = nft_parse_register_load(ctx, tb[NFTA_META_SREG], &priv->sreg, len);
if (err < 0)
return err;
diff --git a/net/ipv4/netfilter/nft_dup_ipv4.c b/net/ipv4/netfilter/nft_dup_ipv4.c
index a522c3a3be523..ef5dd88107ddb 100644
--- a/net/ipv4/netfilter/nft_dup_ipv4.c
+++ b/net/ipv4/netfilter/nft_dup_ipv4.c
@@ -40,13 +40,13 @@ static int nft_dup_ipv4_init(const struct nft_ctx *ctx,
if (tb[NFTA_DUP_SREG_ADDR] == NULL)
return -EINVAL;
- err = nft_parse_register_load(tb[NFTA_DUP_SREG_ADDR], &priv->sreg_addr,
+ err = nft_parse_register_load(ctx, tb[NFTA_DUP_SREG_ADDR], &priv->sreg_addr,
sizeof(struct in_addr));
if (err < 0)
return err;
if (tb[NFTA_DUP_SREG_DEV])
- err = nft_parse_register_load(tb[NFTA_DUP_SREG_DEV],
+ err = nft_parse_register_load(ctx, tb[NFTA_DUP_SREG_DEV],
&priv->sreg_dev, sizeof(int));
return err;
diff --git a/net/ipv6/netfilter/nft_dup_ipv6.c b/net/ipv6/netfilter/nft_dup_ipv6.c
index c82f3fdd4a65d..492a811828a71 100644
--- a/net/ipv6/netfilter/nft_dup_ipv6.c
+++ b/net/ipv6/netfilter/nft_dup_ipv6.c
@@ -38,13 +38,13 @@ static int nft_dup_ipv6_init(const struct nft_ctx *ctx,
if (tb[NFTA_DUP_SREG_ADDR] == NULL)
return -EINVAL;
- err = nft_parse_register_load(tb[NFTA_DUP_SREG_ADDR], &priv->sreg_addr,
+ err = nft_parse_register_load(ctx, tb[NFTA_DUP_SREG_ADDR], &priv->sreg_addr,
sizeof(struct in6_addr));
if (err < 0)
return err;
if (tb[NFTA_DUP_SREG_DEV])
- err = nft_parse_register_load(tb[NFTA_DUP_SREG_DEV],
+ err = nft_parse_register_load(ctx, tb[NFTA_DUP_SREG_DEV],
&priv->sreg_dev, sizeof(int));
return err;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 80443b4eaeff0..7bccfb1a8a725 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10912,7 +10912,8 @@ static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
return 0;
}
-int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
+int nft_parse_register_load(const struct nft_ctx *ctx,
+ const struct nlattr *attr, u8 *sreg, u32 len)
{
u32 reg;
int err;
diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
index ca857afbf0616..7de95674fd8c4 100644
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -171,7 +171,7 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
priv->len = len;
- err = nft_parse_register_load(tb[NFTA_BITWISE_SREG], &priv->sreg,
+ err = nft_parse_register_load(ctx, tb[NFTA_BITWISE_SREG], &priv->sreg,
priv->len);
if (err < 0)
return err;
@@ -365,7 +365,7 @@ static int nft_bitwise_fast_init(const struct nft_ctx *ctx,
struct nft_bitwise_fast_expr *priv = nft_expr_priv(expr);
int err;
- err = nft_parse_register_load(tb[NFTA_BITWISE_SREG], &priv->sreg,
+ err = nft_parse_register_load(ctx, tb[NFTA_BITWISE_SREG], &priv->sreg,
sizeof(u32));
if (err < 0)
return err;
diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
index f6e791a681015..2f82a444d21bf 100644
--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -139,7 +139,7 @@ static int nft_byteorder_init(const struct nft_ctx *ctx,
priv->len = len;
- err = nft_parse_register_load(tb[NFTA_BYTEORDER_SREG], &priv->sreg,
+ err = nft_parse_register_load(ctx, tb[NFTA_BYTEORDER_SREG], &priv->sreg,
priv->len);
if (err < 0)
return err;
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index cd4652259095c..2605f43737bc9 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -83,7 +83,7 @@ static int nft_cmp_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
if (err < 0)
return err;
- err = nft_parse_register_load(tb[NFTA_CMP_SREG], &priv->sreg, desc.len);
+ err = nft_parse_register_load(ctx, tb[NFTA_CMP_SREG], &priv->sreg, desc.len);
if (err < 0)
return err;
@@ -222,7 +222,7 @@ static int nft_cmp_fast_init(const struct nft_ctx *ctx,
if (err < 0)
return err;
- err = nft_parse_register_load(tb[NFTA_CMP_SREG], &priv->sreg, desc.len);
+ err = nft_parse_register_load(ctx, tb[NFTA_CMP_SREG], &priv->sreg, desc.len);
if (err < 0)
return err;
@@ -323,7 +323,7 @@ static int nft_cmp16_fast_init(const struct nft_ctx *ctx,
if (err < 0)
return err;
- err = nft_parse_register_load(tb[NFTA_CMP_SREG], &priv->sreg, desc.len);
+ err = nft_parse_register_load(ctx, tb[NFTA_CMP_SREG], &priv->sreg, desc.len);
if (err < 0)
return err;
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index ab1214da99ff3..3ec63852d058f 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -608,7 +608,7 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
}
priv->len = len;
- err = nft_parse_register_load(tb[NFTA_CT_SREG], &priv->sreg, len);
+ err = nft_parse_register_load(ctx, tb[NFTA_CT_SREG], &priv->sreg, len);
if (err < 0)
goto err1;
diff --git a/net/netfilter/nft_dup_netdev.c b/net/netfilter/nft_dup_netdev.c
index e5739a59ebf10..0573f96ce0791 100644
--- a/net/netfilter/nft_dup_netdev.c
+++ b/net/netfilter/nft_dup_netdev.c
@@ -40,7 +40,7 @@ static int nft_dup_netdev_init(const struct nft_ctx *ctx,
if (tb[NFTA_DUP_SREG_DEV] == NULL)
return -EINVAL;
- return nft_parse_register_load(tb[NFTA_DUP_SREG_DEV], &priv->sreg_dev,
+ return nft_parse_register_load(ctx, tb[NFTA_DUP_SREG_DEV], &priv->sreg_dev,
sizeof(int));
}
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index a81bd69b059b3..9a0aaeed23602 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -214,7 +214,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
return err;
}
- err = nft_parse_register_load(tb[NFTA_DYNSET_SREG_KEY], &priv->sreg_key,
+ err = nft_parse_register_load(ctx, tb[NFTA_DYNSET_SREG_KEY], &priv->sreg_key,
set->klen);
if (err < 0)
return err;
@@ -225,7 +225,7 @@ static int nft_dynset_init(const struct nft_ctx *ctx,
if (set->dtype == NFT_DATA_VERDICT)
return -EOPNOTSUPP;
- err = nft_parse_register_load(tb[NFTA_DYNSET_SREG_DATA],
+ err = nft_parse_register_load(ctx, tb[NFTA_DYNSET_SREG_DATA],
&priv->sreg_data, set->dlen);
if (err < 0)
return err;
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index cfa90ab660cfe..1d4c9632072c8 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -586,7 +586,7 @@ static int nft_exthdr_tcp_set_init(const struct nft_ctx *ctx,
priv->flags = flags;
priv->op = op;
- return nft_parse_register_load(tb[NFTA_EXTHDR_SREG], &priv->sreg,
+ return nft_parse_register_load(ctx, tb[NFTA_EXTHDR_SREG], &priv->sreg,
priv->len);
}
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index fa9e4ae00b16a..42ba31dfc0359 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -52,7 +52,7 @@ static int nft_fwd_netdev_init(const struct nft_ctx *ctx,
if (tb[NFTA_FWD_SREG_DEV] == NULL)
return -EINVAL;
- return nft_parse_register_load(tb[NFTA_FWD_SREG_DEV], &priv->sreg_dev,
+ return nft_parse_register_load(ctx, tb[NFTA_FWD_SREG_DEV], &priv->sreg_dev,
sizeof(int));
}
@@ -178,12 +178,12 @@ static int nft_fwd_neigh_init(const struct nft_ctx *ctx,
return -EOPNOTSUPP;
}
- err = nft_parse_register_load(tb[NFTA_FWD_SREG_DEV], &priv->sreg_dev,
+ err = nft_parse_register_load(ctx, tb[NFTA_FWD_SREG_DEV], &priv->sreg_dev,
sizeof(int));
if (err < 0)
return err;
- return nft_parse_register_load(tb[NFTA_FWD_SREG_ADDR], &priv->sreg_addr,
+ return nft_parse_register_load(ctx, tb[NFTA_FWD_SREG_ADDR], &priv->sreg_addr,
addr_len);
}
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index 92d47e4692046..c91f2bef58694 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -91,7 +91,7 @@ static int nft_jhash_init(const struct nft_ctx *ctx,
priv->len = len;
- err = nft_parse_register_load(tb[NFTA_HASH_SREG], &priv->sreg, len);
+ err = nft_parse_register_load(ctx, tb[NFTA_HASH_SREG], &priv->sreg, len);
if (err < 0)
return err;
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index dd5441f92fdb0..aeaf6988efd67 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -113,7 +113,7 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
if (IS_ERR(set))
return PTR_ERR(set);
- err = nft_parse_register_load(tb[NFTA_LOOKUP_SREG], &priv->sreg,
+ err = nft_parse_register_load(ctx, tb[NFTA_LOOKUP_SREG], &priv->sreg,
set->klen);
if (err < 0)
return err;
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index eee05394c5339..868bd4d735555 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -51,13 +51,13 @@ static int nft_masq_init(const struct nft_ctx *ctx,
priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS]));
if (tb[NFTA_MASQ_REG_PROTO_MIN]) {
- err = nft_parse_register_load(tb[NFTA_MASQ_REG_PROTO_MIN],
+ err = nft_parse_register_load(ctx, tb[NFTA_MASQ_REG_PROTO_MIN],
&priv->sreg_proto_min, plen);
if (err < 0)
return err;
if (tb[NFTA_MASQ_REG_PROTO_MAX]) {
- err = nft_parse_register_load(tb[NFTA_MASQ_REG_PROTO_MAX],
+ err = nft_parse_register_load(ctx, tb[NFTA_MASQ_REG_PROTO_MAX],
&priv->sreg_proto_max,
plen);
if (err < 0)
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index dec76d28a0ac6..8c8eb14d647b0 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -655,7 +655,7 @@ int nft_meta_set_init(const struct nft_ctx *ctx,
}
priv->len = len;
- err = nft_parse_register_load(tb[NFTA_META_SREG], &priv->sreg, len);
+ err = nft_parse_register_load(ctx, tb[NFTA_META_SREG], &priv->sreg, len);
if (err < 0)
return err;
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 3d3e639a7a837..6e21f72c5b574 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -213,13 +213,13 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
priv->family = family;
if (tb[NFTA_NAT_REG_ADDR_MIN]) {
- err = nft_parse_register_load(tb[NFTA_NAT_REG_ADDR_MIN],
+ err = nft_parse_register_load(ctx, tb[NFTA_NAT_REG_ADDR_MIN],
&priv->sreg_addr_min, alen);
if (err < 0)
return err;
if (tb[NFTA_NAT_REG_ADDR_MAX]) {
- err = nft_parse_register_load(tb[NFTA_NAT_REG_ADDR_MAX],
+ err = nft_parse_register_load(ctx, tb[NFTA_NAT_REG_ADDR_MAX],
&priv->sreg_addr_max,
alen);
if (err < 0)
@@ -233,13 +233,13 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
plen = sizeof_field(struct nf_nat_range, min_proto.all);
if (tb[NFTA_NAT_REG_PROTO_MIN]) {
- err = nft_parse_register_load(tb[NFTA_NAT_REG_PROTO_MIN],
+ err = nft_parse_register_load(ctx, tb[NFTA_NAT_REG_PROTO_MIN],
&priv->sreg_proto_min, plen);
if (err < 0)
return err;
if (tb[NFTA_NAT_REG_PROTO_MAX]) {
- err = nft_parse_register_load(tb[NFTA_NAT_REG_PROTO_MAX],
+ err = nft_parse_register_load(ctx, tb[NFTA_NAT_REG_PROTO_MAX],
&priv->sreg_proto_max,
plen);
if (err < 0)
diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
index 08a27433e2f5f..1ee17098de0c4 100644
--- a/net/netfilter/nft_objref.c
+++ b/net/netfilter/nft_objref.c
@@ -173,7 +173,7 @@ static int nft_objref_map_init(const struct nft_ctx *ctx,
if (!(set->flags & NFT_SET_OBJECT))
return -EINVAL;
- err = nft_parse_register_load(tb[NFTA_OBJREF_SET_SREG], &priv->sreg,
+ err = nft_parse_register_load(ctx, tb[NFTA_OBJREF_SET_SREG], &priv->sreg,
set->klen);
if (err < 0)
return err;
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 2db38c06bedeb..7dfc5343dae46 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -984,7 +984,7 @@ static int nft_payload_set_init(const struct nft_ctx *ctx,
}
priv->csum_type = csum_type;
- return nft_parse_register_load(tb[NFTA_PAYLOAD_SREG], &priv->sreg,
+ return nft_parse_register_load(ctx, tb[NFTA_PAYLOAD_SREG], &priv->sreg,
priv->len);
}
diff --git a/net/netfilter/nft_queue.c b/net/netfilter/nft_queue.c
index b8ebb187814f2..344fe311878fe 100644
--- a/net/netfilter/nft_queue.c
+++ b/net/netfilter/nft_queue.c
@@ -135,7 +135,7 @@ static int nft_queue_sreg_init(const struct nft_ctx *ctx,
struct nft_queue *priv = nft_expr_priv(expr);
int err;
- err = nft_parse_register_load(tb[NFTA_QUEUE_SREG_QNUM],
+ err = nft_parse_register_load(ctx, tb[NFTA_QUEUE_SREG_QNUM],
&priv->sreg_qnum, sizeof(u32));
if (err < 0)
return err;
diff --git a/net/netfilter/nft_range.c b/net/netfilter/nft_range.c
index 51ae64cd268f4..ea382f7bbd78d 100644
--- a/net/netfilter/nft_range.c
+++ b/net/netfilter/nft_range.c
@@ -83,7 +83,7 @@ static int nft_range_init(const struct nft_ctx *ctx, const struct nft_expr *expr
goto err2;
}
- err = nft_parse_register_load(tb[NFTA_RANGE_SREG], &priv->sreg,
+ err = nft_parse_register_load(ctx, tb[NFTA_RANGE_SREG], &priv->sreg,
desc_from.len);
if (err < 0)
goto err2;
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index 9051863509f31..95eedad85c835 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -50,13 +50,13 @@ static int nft_redir_init(const struct nft_ctx *ctx,
plen = sizeof_field(struct nf_nat_range, min_proto.all);
if (tb[NFTA_REDIR_REG_PROTO_MIN]) {
- err = nft_parse_register_load(tb[NFTA_REDIR_REG_PROTO_MIN],
+ err = nft_parse_register_load(ctx, tb[NFTA_REDIR_REG_PROTO_MIN],
&priv->sreg_proto_min, plen);
if (err < 0)
return err;
if (tb[NFTA_REDIR_REG_PROTO_MAX]) {
- err = nft_parse_register_load(tb[NFTA_REDIR_REG_PROTO_MAX],
+ err = nft_parse_register_load(ctx, tb[NFTA_REDIR_REG_PROTO_MAX],
&priv->sreg_proto_max,
plen);
if (err < 0)
diff --git a/net/netfilter/nft_tproxy.c b/net/netfilter/nft_tproxy.c
index ed344af2a439b..50481280abd26 100644
--- a/net/netfilter/nft_tproxy.c
+++ b/net/netfilter/nft_tproxy.c
@@ -254,14 +254,14 @@ static int nft_tproxy_init(const struct nft_ctx *ctx,
}
if (tb[NFTA_TPROXY_REG_ADDR]) {
- err = nft_parse_register_load(tb[NFTA_TPROXY_REG_ADDR],
+ err = nft_parse_register_load(ctx, tb[NFTA_TPROXY_REG_ADDR],
&priv->sreg_addr, alen);
if (err < 0)
return err;
}
if (tb[NFTA_TPROXY_REG_PORT]) {
- err = nft_parse_register_load(tb[NFTA_TPROXY_REG_PORT],
+ err = nft_parse_register_load(ctx, tb[NFTA_TPROXY_REG_PORT],
&priv->sreg_port, sizeof(u16));
if (err < 0)
return err;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 346/737] netfilter: nf_tables: allow loads only when register is initialized
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 345/737] netfilter: nf_tables: pass context structure to nft_parse_register_load Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 347/737] netfilter: nf_tables: remove redundant chain validation on register store Greg Kroah-Hartman
` (401 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 14fb07130c7ddd257e30079b87499b3f89097b09 ]
Reject rules where a load occurs from a register that has not seen a store
early in the same rule.
commit 4c905f6740a3 ("netfilter: nf_tables: initialize registers in
nft_do_chain()")
had to add a unconditional memset to the nftables register space to avoid
leaking stack information to userspace.
This memset shows up in benchmarks. After this change, this commit can
be reverted again.
Note that this breaks userspace compatibility, because theoretically
you can do
rule 1: reg2 := meta load iif, reg2 == 1 jump ...
rule 2: reg2 == 2 jump ... // read access with no store in this rule
... after this change this is rejected.
Neither nftables nor iptables-nft generate such rules, each rule is
always standalone.
This resuts in a small increase of nft_ctx structure by sizeof(long).
To cope with hypothetical rulesets like the example above one could emit
on-demand "reg[x] = 0" store when generating the datapath blob in
nf_tables_commit_chain_prepare().
A patch that does this is linked to below.
For now, lets disable this. In nf_tables, a rule is the smallest
unit that can be replaced from userspace, i.e. a hypothetical ruleset
that relies on earlier initialisations of registers can't be changed
at will as register usage would need to be coordinated.
Link: https://lore.kernel.org/netfilter-devel/20240627135330.17039-4-fw@strlen.de/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: a67fd55f6a09 ("netfilter: nf_tables: remove redundant chain validation on register store")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 1 +
net/netfilter/nf_tables_api.c | 38 +++++++++++++++++++++++++++----
2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 917edb4380e58..a8fcbdb37a7f9 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -221,6 +221,7 @@ struct nft_ctx {
u8 family;
u8 level;
bool report;
+ DECLARE_BITMAP(reg_inited, NFT_REG32_NUM);
};
enum nft_data_desc_flags {
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 7bccfb1a8a725..8b8895e4372d9 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -146,6 +146,8 @@ static void nft_ctx_init(struct nft_ctx *ctx,
ctx->report = nlmsg_report(nlh);
ctx->flags = nlh->nlmsg_flags;
ctx->seq = nlh->nlmsg_seq;
+
+ bitmap_zero(ctx->reg_inited, NFT_REG32_NUM);
}
static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
@@ -10915,8 +10917,8 @@ static int nft_validate_register_load(enum nft_registers reg, unsigned int len)
int nft_parse_register_load(const struct nft_ctx *ctx,
const struct nlattr *attr, u8 *sreg, u32 len)
{
- u32 reg;
- int err;
+ int err, invalid_reg;
+ u32 reg, next_register;
err = nft_parse_register(attr, ®);
if (err < 0)
@@ -10926,11 +10928,36 @@ int nft_parse_register_load(const struct nft_ctx *ctx,
if (err < 0)
return err;
+ next_register = DIV_ROUND_UP(len, NFT_REG32_SIZE) + reg;
+
+ /* Can't happen: nft_validate_register_load() should have failed */
+ if (WARN_ON_ONCE(next_register > NFT_REG32_NUM))
+ return -EINVAL;
+
+ /* find first register that did not see an earlier store. */
+ invalid_reg = find_next_zero_bit(ctx->reg_inited, NFT_REG32_NUM, reg);
+
+ /* invalid register within the range that we're loading from? */
+ if (invalid_reg < next_register)
+ return -ENODATA;
+
*sreg = reg;
return 0;
}
EXPORT_SYMBOL_GPL(nft_parse_register_load);
+static void nft_saw_register_store(const struct nft_ctx *__ctx,
+ int reg, unsigned int len)
+{
+ unsigned int registers = DIV_ROUND_UP(len, NFT_REG32_SIZE);
+ struct nft_ctx *ctx = (struct nft_ctx *)__ctx;
+
+ if (WARN_ON_ONCE(len == 0 || reg < 0))
+ return;
+
+ bitmap_set(ctx->reg_inited, reg, registers);
+}
+
static int nft_validate_register_store(const struct nft_ctx *ctx,
enum nft_registers reg,
const struct nft_data *data,
@@ -10952,7 +10979,7 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
return err;
}
- return 0;
+ break;
default:
if (type != NFT_DATA_VALUE)
return -EINVAL;
@@ -10965,8 +10992,11 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
sizeof_field(struct nft_regs, data))
return -ERANGE;
- return 0;
+ break;
}
+
+ nft_saw_register_store(ctx, reg, len);
+ return 0;
}
int nft_parse_register_store(const struct nft_ctx *ctx,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 347/737] netfilter: nf_tables: remove redundant chain validation on register store
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 346/737] netfilter: nf_tables: allow loads only when register is initialized Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 348/737] iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Greg Kroah-Hartman
` (400 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Florian Westphal,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit a67fd55f6a09f4119b7232c19e0f348fe31ab0db ]
This validation predates the introduction of the state machine that
determines when to enter slow path validation for error reporting.
Currently, table validation is perform when:
- new rule contains expressions that need validation.
- new set element with jump/goto verdict.
Validation on register store skips most checks with no basechains, still
this walks the graph searching for loops and ensuring expressions are
called from the right hook. Remove this.
Fixes: a654de8fdc18 ("netfilter: nf_tables: fix chain dependency validation")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 8b8895e4372d9..394ee65e1d35f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10964,21 +10964,10 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
enum nft_data_types type,
unsigned int len)
{
- int err;
-
switch (reg) {
case NFT_REG_VERDICT:
if (type != NFT_DATA_VERDICT)
return -EINVAL;
-
- if (data != NULL &&
- (data->verdict.code == NFT_GOTO ||
- data->verdict.code == NFT_JUMP)) {
- err = nft_chain_validate(ctx, data->verdict.chain);
- if (err < 0)
- return err;
- }
-
break;
default:
if (type != NFT_DATA_VALUE)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 348/737] iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 347/737] netfilter: nf_tables: remove redundant chain validation on register store Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 349/737] ethtool: Avoid overflowing userspace buffer on stats query Greg Kroah-Hartman
` (399 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Samiullah Khawaja, Kevin Tian,
Yi Liu, syzbot+57fdb0cf6a0c5d1f15a2, Jason Gunthorpe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit e6a973af11135439de32ece3b9cbe3bfc043bea8 ]
syzkaller found it could overflow math in the test infrastructure and
cause a WARN_ON by corrupting the reserved interval tree. This only
effects test kernels with CONFIG_IOMMUFD_TEST.
Validate the user input length in the test ioctl.
Fixes: f4b20bb34c83 ("iommufd: Add kernel support for testing iommufd")
Link: https://patch.msgid.link/r/0-v1-cd99f6049ba5+51-iommufd_syz_add_resv_jgg@nvidia.com
Reviewed-by: Samiullah Khawaja <skhawaja@google.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Tested-by: Yi Liu <yi.l.liu@intel.com>
Reported-by: syzbot+57fdb0cf6a0c5d1f15a2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69368129.a70a0220.38f243.008f.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/iommufd/selftest.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommufd/selftest.c b/drivers/iommu/iommufd/selftest.c
index 00b794d74e03b..8025ff65ed4de 100644
--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -512,14 +512,20 @@ static int iommufd_test_add_reserved(struct iommufd_ucmd *ucmd,
unsigned int mockpt_id,
unsigned long start, size_t length)
{
+ unsigned long last;
struct iommufd_ioas *ioas;
int rc;
+ if (!length)
+ return -EINVAL;
+ if (check_add_overflow(start, length - 1, &last))
+ return -EOVERFLOW;
+
ioas = iommufd_get_ioas(ucmd->ictx, mockpt_id);
if (IS_ERR(ioas))
return PTR_ERR(ioas);
down_write(&ioas->iopt.iova_rwsem);
- rc = iopt_reserve_iova(&ioas->iopt, start, start + length - 1, NULL);
+ rc = iopt_reserve_iova(&ioas->iopt, start, last, NULL);
up_write(&ioas->iopt.iova_rwsem);
iommufd_put_object(&ioas->obj);
return rc;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 349/737] ethtool: Avoid overflowing userspace buffer on stats query
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 348/737] iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 350/737] net/mlx5: fw reset, clear reset requested on drain_fw_reset Greg Kroah-Hartman
` (398 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Tariq Toukan,
Gal Pressman, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 7b07be1ff1cb6c49869910518650e8d0abc7d25f ]
The ethtool -S command operates across three ioctl calls:
ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and
ETHTOOL_GSTATS for the values.
If the number of stats changes between these calls (e.g., due to device
reconfiguration), userspace's buffer allocation will be incorrect,
potentially leading to buffer overflow.
Drivers are generally expected to maintain stable stat counts, but some
drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making
this scenario possible.
Some drivers try to handle this internally:
- bnad_get_ethtool_stats() returns early in case stats.n_stats is not
equal to the driver's stats count.
- micrel/ksz884x also makes sure not to write anything beyond
stats.n_stats and overflow the buffer.
However, both use stats.n_stats which is already assigned with the value
returned from get_sset_count(), hence won't solve the issue described
here.
Change ethtool_get_strings(), ethtool_get_stats(),
ethtool_get_phy_stats() to not return anything in case of a mismatch
between userspace's size and get_sset_size(), to prevent buffer
overflow.
The returned n_stats value will be equal to zero, to reflect that
nothing has been returned.
This could result in one of two cases when using upstream ethtool,
depending on when the size change is detected:
1. When detected in ethtool_get_strings():
# ethtool -S eth2
no stats available
2. When detected in get stats, all stats will be reported as zero.
Both cases are presumably transient, and a subsequent ethtool call
should succeed.
Other than the overflow avoidance, these two cases are very evident (no
output/cleared stats), which is arguably better than presenting
incorrect/shifted stats.
I also considered returning an error instead of a "silent" response, but
that seems more destructive towards userspace apps.
Notes:
- This patch does not claim to fix the inherent race, it only makes sure
that we do not overflow the userspace buffer, and makes for a more
predictable behavior.
- RTNL lock is held during each ioctl, the race window exists between
the separate ioctl calls when the lock is released.
- Userspace ethtool always fills stats.n_stats, but it is likely that
these stats ioctls are implemented in other userspace applications
which might not fill it. The added code checks that it's not zero,
to prevent any regressions.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Gal Pressman <gal@nvidia.com>
Link: https://patch.msgid.link/20251208121901.3203692-1-gal@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/ioctl.c | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 4486cbe2faf0c..eaeb514b7e5f6 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -1955,7 +1955,10 @@ static int ethtool_get_strings(struct net_device *dev, void __user *useraddr)
return -ENOMEM;
WARN_ON_ONCE(!ret);
- gstrings.len = ret;
+ if (gstrings.len && gstrings.len != ret)
+ gstrings.len = 0;
+ else
+ gstrings.len = ret;
if (gstrings.len) {
data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));
@@ -2070,10 +2073,13 @@ static int ethtool_get_stats(struct net_device *dev, void __user *useraddr)
if (copy_from_user(&stats, useraddr, sizeof(stats)))
return -EFAULT;
- stats.n_stats = n_stats;
+ if (stats.n_stats && stats.n_stats != n_stats)
+ stats.n_stats = 0;
+ else
+ stats.n_stats = n_stats;
- if (n_stats) {
- data = vzalloc(array_size(n_stats, sizeof(u64)));
+ if (stats.n_stats) {
+ data = vzalloc(array_size(stats.n_stats, sizeof(u64)));
if (!data)
return -ENOMEM;
ops->get_ethtool_stats(dev, &stats, data);
@@ -2085,7 +2091,9 @@ static int ethtool_get_stats(struct net_device *dev, void __user *useraddr)
if (copy_to_user(useraddr, &stats, sizeof(stats)))
goto out;
useraddr += sizeof(stats);
- if (n_stats && copy_to_user(useraddr, data, array_size(n_stats, sizeof(u64))))
+ if (stats.n_stats &&
+ copy_to_user(useraddr, data,
+ array_size(stats.n_stats, sizeof(u64))))
goto out;
ret = 0;
@@ -2121,6 +2129,10 @@ static int ethtool_get_phy_stats_phydev(struct phy_device *phydev,
return -EOPNOTSUPP;
n_stats = phy_ops->get_sset_count(phydev);
+ if (stats->n_stats && stats->n_stats != n_stats) {
+ stats->n_stats = 0;
+ return 0;
+ }
ret = ethtool_vzalloc_stats_array(n_stats, data);
if (ret)
@@ -2141,6 +2153,10 @@ static int ethtool_get_phy_stats_ethtool(struct net_device *dev,
return -EOPNOTSUPP;
n_stats = ops->get_sset_count(dev, ETH_SS_PHY_STATS);
+ if (stats->n_stats && stats->n_stats != n_stats) {
+ stats->n_stats = 0;
+ return 0;
+ }
ret = ethtool_vzalloc_stats_array(n_stats, data);
if (ret)
@@ -2177,7 +2193,9 @@ static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
}
useraddr += sizeof(stats);
- if (copy_to_user(useraddr, data, array_size(stats.n_stats, sizeof(u64))))
+ if (stats.n_stats &&
+ copy_to_user(useraddr, data,
+ array_size(stats.n_stats, sizeof(u64))))
ret = -EFAULT;
out:
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 350/737] net/mlx5: fw reset, clear reset requested on drain_fw_reset
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 349/737] ethtool: Avoid overflowing userspace buffer on stats query Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 351/737] net/mlx5: Drain firmware reset in shutdown callback Greg Kroah-Hartman
` (397 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moshe Shemesh, Shay Drori,
Tariq Toukan, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Moshe Shemesh <moshe@nvidia.com>
[ Upstream commit 89a898d63f6f588acf5c104c65c94a38b68c69a6 ]
drain_fw_reset() waits for ongoing firmware reset events and blocks new
event handling, but does not clear the reset requested flag, and may
keep sync reset polling.
To fix it, call mlx5_sync_reset_clear_reset_requested() to clear the
flag, stop sync reset polling, and resume health polling, ensuring
health issues are still detected after the firmware reset drain.
Fixes: 16d42d313350 ("net/mlx5: Drain fw_reset when removing device")
Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Shay Drori <shayd@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-2-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
index 4d64d179b5dd7..dc7afc9e7777d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
@@ -804,7 +804,8 @@ void mlx5_drain_fw_reset(struct mlx5_core_dev *dev)
cancel_work_sync(&fw_reset->reset_reload_work);
cancel_work_sync(&fw_reset->reset_now_work);
cancel_work_sync(&fw_reset->reset_abort_work);
- cancel_delayed_work(&fw_reset->reset_timeout_work);
+ if (test_bit(MLX5_FW_RESET_FLAGS_RESET_REQUESTED, &fw_reset->reset_flags))
+ mlx5_sync_reset_clear_reset_requested(dev, true);
}
static const struct devlink_param mlx5_fw_reset_devlink_params[] = {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 351/737] net/mlx5: Drain firmware reset in shutdown callback
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 350/737] net/mlx5: fw reset, clear reset requested on drain_fw_reset Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 352/737] net/mlx5: fw_tracer, Validate format string parameters Greg Kroah-Hartman
` (396 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moshe Shemesh, Shay Drori,
Tariq Toukan, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Moshe Shemesh <moshe@nvidia.com>
[ Upstream commit 5846a365fc6476b02d6766963cf0985520f0385f ]
Invoke drain_fw_reset() in the shutdown callback to ensure all
firmware reset handling is completed before shutdown proceeds.
Fixes: 16d42d313350 ("net/mlx5: Drain fw_reset when removing device")
Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
Reviewed-by: Shay Drori <shayd@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-3-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
index 8a11e410f7c13..df6eeb0f57bcd 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -2164,6 +2164,7 @@ static void shutdown(struct pci_dev *pdev)
mlx5_core_info(dev, "Shutdown was called\n");
set_bit(MLX5_BREAK_FW_WAIT, &dev->intf_state);
+ mlx5_drain_fw_reset(dev);
mlx5_drain_health_wq(dev);
err = mlx5_try_fast_unload(dev);
if (err)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 352/737] net/mlx5: fw_tracer, Validate format string parameters
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 351/737] net/mlx5: Drain firmware reset in shutdown callback Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 353/737] net/mlx5: fw_tracer, Handle escaped percent properly Greg Kroah-Hartman
` (395 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Moshe Shemesh,
Breno Leitao, Tariq Toukan, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit b35966042d20b14e2d83330049f77deec5229749 ]
Add validation for format string parameters in the firmware tracer to
prevent potential security vulnerabilities and crashes from malformed
format strings received from firmware.
The firmware tracer receives format strings from the device firmware and
uses them to format trace messages. Without proper validation, bad
firmware could provide format strings with invalid format specifiers
(e.g., %s, %p, %n) that could lead to crashes, or other undefined
behavior.
Add mlx5_tracer_validate_params() to validate that all format specifiers
in trace strings are limited to safe integer/hex formats (%x, %d, %i,
%u, %llx, %lx, etc.). Reject strings containing other format types that
could be used to access arbitrary memory or cause crashes.
Invalid format strings are added to the trace output for visibility with
"BAD_FORMAT: " prefix.
Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Reported-by: Breno Leitao <leitao@debian.org>
Closes: https://lore.kernel.org/netdev/hanz6rzrb2bqbplryjrakvkbmv4y5jlmtthnvi3thg5slqvelp@t3s3erottr6s/
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-4-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/diag/fw_tracer.c | 83 ++++++++++++++++---
.../mellanox/mlx5/core/diag/fw_tracer.h | 1 +
2 files changed, 74 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
index 85d3bfa0780c6..197c306d350bf 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
@@ -33,6 +33,7 @@
#include "lib/eq.h"
#include "fw_tracer.h"
#include "fw_tracer_tracepoint.h"
+#include <linux/ctype.h>
static int mlx5_query_mtrc_caps(struct mlx5_fw_tracer *tracer)
{
@@ -358,6 +359,43 @@ static const char *VAL_PARM = "%llx";
static const char *REPLACE_64_VAL_PARM = "%x%x";
static const char *PARAM_CHAR = "%";
+static bool mlx5_is_valid_spec(const char *str)
+{
+ /* Parse format specifiers to find the actual type.
+ * Structure: %[flags][width][.precision][length]type
+ * Skip flags, width, precision & length.
+ */
+ while (isdigit(*str) || *str == '#' || *str == '.' || *str == 'l')
+ str++;
+
+ /* Check if it's a valid integer/hex specifier:
+ * Valid formats: %x, %d, %i, %u, etc.
+ */
+ if (*str != 'x' && *str != 'X' && *str != 'd' && *str != 'i' &&
+ *str != 'u' && *str != 'c')
+ return false;
+
+ return true;
+}
+
+static bool mlx5_tracer_validate_params(const char *str)
+{
+ const char *substr = str;
+
+ if (!str)
+ return false;
+
+ substr = strstr(substr, PARAM_CHAR);
+ while (substr) {
+ if (!mlx5_is_valid_spec(substr + 1))
+ return false;
+
+ substr = strstr(substr + 1, PARAM_CHAR);
+ }
+
+ return true;
+}
+
static int mlx5_tracer_message_hash(u32 message_id)
{
return jhash_1word(message_id, 0) & (MESSAGE_HASH_SIZE - 1);
@@ -419,6 +457,10 @@ static int mlx5_tracer_get_num_of_params(char *str)
char *substr, *pstr = str;
int num_of_params = 0;
+ /* Validate that all parameters are valid before processing */
+ if (!mlx5_tracer_validate_params(str))
+ return -EINVAL;
+
/* replace %llx with %x%x */
substr = strstr(pstr, VAL_PARM);
while (substr) {
@@ -570,14 +612,17 @@ void mlx5_tracer_print_trace(struct tracer_string_format *str_frmt,
{
char tmp[512];
- snprintf(tmp, sizeof(tmp), str_frmt->string,
- str_frmt->params[0],
- str_frmt->params[1],
- str_frmt->params[2],
- str_frmt->params[3],
- str_frmt->params[4],
- str_frmt->params[5],
- str_frmt->params[6]);
+ if (str_frmt->invalid_string)
+ snprintf(tmp, sizeof(tmp), "BAD_FORMAT: %s", str_frmt->string);
+ else
+ snprintf(tmp, sizeof(tmp), str_frmt->string,
+ str_frmt->params[0],
+ str_frmt->params[1],
+ str_frmt->params[2],
+ str_frmt->params[3],
+ str_frmt->params[4],
+ str_frmt->params[5],
+ str_frmt->params[6]);
trace_mlx5_fw(dev->tracer, trace_timestamp, str_frmt->lost,
str_frmt->event_id, tmp);
@@ -609,6 +654,13 @@ static int mlx5_tracer_handle_raw_string(struct mlx5_fw_tracer *tracer,
return 0;
}
+static void mlx5_tracer_handle_bad_format_string(struct mlx5_fw_tracer *tracer,
+ struct tracer_string_format *cur_string)
+{
+ cur_string->invalid_string = true;
+ list_add_tail(&cur_string->list, &tracer->ready_strings_list);
+}
+
static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
struct tracer_event *tracer_event)
{
@@ -619,12 +671,18 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
if (!cur_string)
return mlx5_tracer_handle_raw_string(tracer, tracer_event);
- cur_string->num_of_params = mlx5_tracer_get_num_of_params(cur_string->string);
- cur_string->last_param_num = 0;
cur_string->event_id = tracer_event->event_id;
cur_string->tmsn = tracer_event->string_event.tmsn;
cur_string->timestamp = tracer_event->string_event.timestamp;
cur_string->lost = tracer_event->lost_event;
+ cur_string->last_param_num = 0;
+ cur_string->num_of_params = mlx5_tracer_get_num_of_params(cur_string->string);
+ if (cur_string->num_of_params < 0) {
+ pr_debug("%s Invalid format string parameters\n",
+ __func__);
+ mlx5_tracer_handle_bad_format_string(tracer, cur_string);
+ return 0;
+ }
if (cur_string->num_of_params == 0) /* trace with no params */
list_add_tail(&cur_string->list, &tracer->ready_strings_list);
} else {
@@ -634,6 +692,11 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
__func__, tracer_event->string_event.tmsn);
return mlx5_tracer_handle_raw_string(tracer, tracer_event);
}
+ if (cur_string->num_of_params < 0) {
+ pr_debug("%s string parameter of invalid string, dumping\n",
+ __func__);
+ return 0;
+ }
cur_string->last_param_num += 1;
if (cur_string->last_param_num > TRACER_MAX_PARAMS) {
pr_debug("%s Number of params exceeds the max (%d)\n",
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
index 5c548bb74f07b..30d0bcba88479 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
@@ -125,6 +125,7 @@ struct tracer_string_format {
struct list_head list;
u32 timestamp;
bool lost;
+ bool invalid_string;
};
enum mlx5_fw_tracer_ownership_state {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 353/737] net/mlx5: fw_tracer, Handle escaped percent properly
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 352/737] net/mlx5: fw_tracer, Validate format string parameters Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 354/737] net/mlx5: Skip HotPlug check on sync reset using hot reset Greg Kroah-Hartman
` (394 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Breno Leitao,
Moshe Shemesh, Tariq Toukan, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit c0289f67f7d6a0dfba0e92cfe661a5c70c8c6e92 ]
The firmware tracer's format string validation and parameter counting
did not properly handle escaped percent signs (%%). This caused
fw_tracer to count more parameters when trace format strings contained
literal percent characters.
To fix it, allow %% to pass string validation and skip %% sequences when
counting parameters since they represent literal percent signs rather
than format specifiers.
Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reported-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Closes: https://lore.kernel.org/netdev/hanz6rzrb2bqbplryjrakvkbmv4y5jlmtthnvi3thg5slqvelp@t3s3erottr6s/
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-5-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/diag/fw_tracer.c | 20 +++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
index 197c306d350bf..0a33ab5f53fd3 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
@@ -368,11 +368,11 @@ static bool mlx5_is_valid_spec(const char *str)
while (isdigit(*str) || *str == '#' || *str == '.' || *str == 'l')
str++;
- /* Check if it's a valid integer/hex specifier:
+ /* Check if it's a valid integer/hex specifier or %%:
* Valid formats: %x, %d, %i, %u, etc.
*/
if (*str != 'x' && *str != 'X' && *str != 'd' && *str != 'i' &&
- *str != 'u' && *str != 'c')
+ *str != 'u' && *str != 'c' && *str != '%')
return false;
return true;
@@ -390,7 +390,11 @@ static bool mlx5_tracer_validate_params(const char *str)
if (!mlx5_is_valid_spec(substr + 1))
return false;
- substr = strstr(substr + 1, PARAM_CHAR);
+ if (*(substr + 1) == '%')
+ substr = strstr(substr + 2, PARAM_CHAR);
+ else
+ substr = strstr(substr + 1, PARAM_CHAR);
+
}
return true;
@@ -469,11 +473,15 @@ static int mlx5_tracer_get_num_of_params(char *str)
substr = strstr(pstr, VAL_PARM);
}
- /* count all the % characters */
+ /* count all the % characters, but skip %% (escaped percent) */
substr = strstr(str, PARAM_CHAR);
while (substr) {
- num_of_params += 1;
- str = substr + 1;
+ if (*(substr + 1) != '%') {
+ num_of_params += 1;
+ str = substr + 1;
+ } else {
+ str = substr + 2;
+ }
substr = strstr(str, PARAM_CHAR);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 354/737] net/mlx5: Skip HotPlug check on sync reset using hot reset
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 353/737] net/mlx5: fw_tracer, Handle escaped percent properly Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 355/737] net/mlx5: Serialize firmware reset with devlink Greg Kroah-Hartman
` (393 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Moshe Shemesh, Saeed Mahameed,
Jacob Keller, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Moshe Shemesh <moshe@nvidia.com>
[ Upstream commit 48bb52b0bc6693afb17a6024bab925b25fec44a1 ]
Sync reset request is nacked by the driver when PCIe bridge connected to
mlx5 device has HotPlug interrupt enabled. However, when using reset
method of hot reset this check can be skipped as Hotplug is supported on
this reset method.
Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://patch.msgid.link/20240911201757.1505453-12-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 367e501f8b09 ("net/mlx5: Serialize firmware reset with devlink")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
index dc7afc9e7777d..bdcd9e5306331 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
@@ -396,7 +396,8 @@ static int mlx5_check_dev_ids(struct mlx5_core_dev *dev, u16 dev_id)
return 0;
}
-static bool mlx5_is_reset_now_capable(struct mlx5_core_dev *dev)
+static bool mlx5_is_reset_now_capable(struct mlx5_core_dev *dev,
+ u8 reset_method)
{
u16 dev_id;
int err;
@@ -412,9 +413,11 @@ static bool mlx5_is_reset_now_capable(struct mlx5_core_dev *dev)
}
#if IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE)
- err = mlx5_check_hotplug_interrupt(dev);
- if (err)
- return false;
+ if (reset_method != MLX5_MFRL_REG_PCI_RESET_METHOD_HOT_RESET) {
+ err = mlx5_check_hotplug_interrupt(dev);
+ if (err)
+ return false;
+ }
#endif
err = pci_read_config_word(dev->pdev, PCI_DEVICE_ID, &dev_id);
@@ -435,7 +438,7 @@ static void mlx5_sync_reset_request_event(struct work_struct *work)
mlx5_core_warn(dev, "Failed reading MFRL, err %d\n", err);
if (err || test_bit(MLX5_FW_RESET_FLAGS_NACK_RESET_REQUEST, &fw_reset->reset_flags) ||
- !mlx5_is_reset_now_capable(dev)) {
+ !mlx5_is_reset_now_capable(dev, fw_reset->reset_method)) {
err = mlx5_fw_reset_set_reset_sync_nack(dev);
mlx5_core_warn(dev, "PCI Sync FW Update Reset Nack %s",
err ? "Failed" : "Sent");
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 355/737] net/mlx5: Serialize firmware reset with devlink
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 354/737] net/mlx5: Skip HotPlug check on sync reset using hot reset Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 356/737] net/handshake: duplicate handshake cancellations leak socket Greg Kroah-Hartman
` (392 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Mateusz Berezecki,
Moshe Shemesh, Tariq Toukan, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit 367e501f8b095eca08d2eb0ba4ccea5b5e82c169 ]
The firmware reset mechanism can be triggered by asynchronous events,
which may race with other devlink operations like devlink reload or
devlink dev eswitch set, potentially leading to inconsistent states.
This patch addresses the race by using the devl_lock to serialize the
firmware reset against other devlink operations. When a reset is
requested, the driver attempts to acquire the lock. If successful, it
sets a flag to block devlink reload or eswitch changes, ACKs the reset
to firmware and then releases the lock. If the lock is already held by
another operation, the driver NACKs the firmware reset request,
indicating that the reset cannot proceed.
Firmware reset does not keep the devl_lock and instead uses an internal
firmware reset bit. This is because firmware resets can be triggered by
asynchronous events, and processed in different threads. It is illegal
and unsafe to acquire a lock in one thread and attempt to release it in
another, as lock ownership is intrinsically thread-specific.
This change ensures that firmware resets and other devlink operations
are mutually exclusive during the critical reset request phase,
preventing race conditions.
Fixes: 38b9f903f22b ("net/mlx5: Handle sync reset request event")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Mateusz Berezecki <mberezecki@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-6-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/devlink.c | 5 +++
.../mellanox/mlx5/core/eswitch_offloads.c | 6 +++
.../ethernet/mellanox/mlx5/core/fw_reset.c | 45 +++++++++++++++++--
.../ethernet/mellanox/mlx5/core/fw_reset.h | 1 +
4 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
index 8489b5087d9c6..b2532b1c9565a 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
@@ -144,6 +144,11 @@ static int mlx5_devlink_reload_down(struct devlink *devlink, bool netns_change,
bool sf_dev_allocated;
int ret = 0;
+ if (mlx5_fw_reset_in_progress(dev)) {
+ NL_SET_ERR_MSG_MOD(extack, "Can't reload during firmware reset");
+ return -EBUSY;
+ }
+
if (mlx5_dev_is_lightweight(dev)) {
if (action != DEVLINK_RELOAD_ACTION_DRIVER_REINIT)
return -EOPNOTSUPP;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
index 86fb8197594f5..c218593dc40f4 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c
@@ -51,6 +51,7 @@
#include "devlink.h"
#include "lag/lag.h"
#include "en/tc/post_meter.h"
+#include "fw_reset.h"
/* There are two match-all miss flows, one for unicast dst mac and
* one for multicast.
@@ -3716,6 +3717,11 @@ int mlx5_devlink_eswitch_mode_set(struct devlink *devlink, u16 mode,
if (IS_ERR(esw))
return PTR_ERR(esw);
+ if (mlx5_fw_reset_in_progress(esw->dev)) {
+ NL_SET_ERR_MSG_MOD(extack, "Can't change eswitch mode during firmware reset");
+ return -EBUSY;
+ }
+
if (esw_mode_from_devlink(mode, &mlx5_mode))
return -EINVAL;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
index bdcd9e5306331..f7e139279f5f8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.c
@@ -15,6 +15,7 @@ enum {
MLX5_FW_RESET_FLAGS_DROP_NEW_REQUESTS,
MLX5_FW_RESET_FLAGS_RELOAD_REQUIRED,
MLX5_FW_RESET_FLAGS_UNLOAD_EVENT,
+ MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS,
};
struct mlx5_fw_reset {
@@ -125,6 +126,16 @@ int mlx5_fw_reset_query(struct mlx5_core_dev *dev, u8 *reset_level, u8 *reset_ty
return mlx5_reg_mfrl_query(dev, reset_level, reset_type, NULL, NULL);
}
+bool mlx5_fw_reset_in_progress(struct mlx5_core_dev *dev)
+{
+ struct mlx5_fw_reset *fw_reset = dev->priv.fw_reset;
+
+ if (!fw_reset)
+ return false;
+
+ return test_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
+}
+
static int mlx5_fw_reset_get_reset_method(struct mlx5_core_dev *dev,
u8 *reset_method)
{
@@ -240,6 +251,8 @@ static void mlx5_fw_reset_complete_reload(struct mlx5_core_dev *dev)
BIT(DEVLINK_RELOAD_ACTION_FW_ACTIVATE));
devl_unlock(devlink);
}
+
+ clear_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
}
static void mlx5_stop_sync_reset_poll(struct mlx5_core_dev *dev)
@@ -431,27 +444,48 @@ static void mlx5_sync_reset_request_event(struct work_struct *work)
struct mlx5_fw_reset *fw_reset = container_of(work, struct mlx5_fw_reset,
reset_request_work);
struct mlx5_core_dev *dev = fw_reset->dev;
+ bool nack_request = false;
+ struct devlink *devlink;
int err;
err = mlx5_fw_reset_get_reset_method(dev, &fw_reset->reset_method);
- if (err)
+ if (err) {
+ nack_request = true;
mlx5_core_warn(dev, "Failed reading MFRL, err %d\n", err);
+ } else if (!mlx5_is_reset_now_capable(dev, fw_reset->reset_method) ||
+ test_bit(MLX5_FW_RESET_FLAGS_NACK_RESET_REQUEST,
+ &fw_reset->reset_flags)) {
+ nack_request = true;
+ }
- if (err || test_bit(MLX5_FW_RESET_FLAGS_NACK_RESET_REQUEST, &fw_reset->reset_flags) ||
- !mlx5_is_reset_now_capable(dev, fw_reset->reset_method)) {
+ devlink = priv_to_devlink(dev);
+ /* For external resets, try to acquire devl_lock. Skip if devlink reset is
+ * pending (lock already held)
+ */
+ if (nack_request ||
+ (!test_bit(MLX5_FW_RESET_FLAGS_PENDING_COMP,
+ &fw_reset->reset_flags) &&
+ !devl_trylock(devlink))) {
err = mlx5_fw_reset_set_reset_sync_nack(dev);
mlx5_core_warn(dev, "PCI Sync FW Update Reset Nack %s",
err ? "Failed" : "Sent");
return;
}
+
if (mlx5_sync_reset_set_reset_requested(dev))
- return;
+ goto unlock;
+
+ set_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
err = mlx5_fw_reset_set_reset_sync_ack(dev);
if (err)
mlx5_core_warn(dev, "PCI Sync FW Update Reset Ack Failed. Error code: %d\n", err);
else
mlx5_core_warn(dev, "PCI Sync FW Update Reset Ack. Device reset is expected.\n");
+
+unlock:
+ if (!test_bit(MLX5_FW_RESET_FLAGS_PENDING_COMP, &fw_reset->reset_flags))
+ devl_unlock(devlink);
}
static int mlx5_pci_link_toggle(struct mlx5_core_dev *dev, u16 dev_id)
@@ -685,6 +719,8 @@ static void mlx5_sync_reset_abort_event(struct work_struct *work)
if (mlx5_sync_reset_clear_reset_requested(dev, true))
return;
+
+ clear_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
mlx5_core_warn(dev, "PCI Sync FW Update Reset Aborted.\n");
}
@@ -721,6 +757,7 @@ static void mlx5_sync_reset_timeout_work(struct work_struct *work)
if (mlx5_sync_reset_clear_reset_requested(dev, true))
return;
+ clear_bit(MLX5_FW_RESET_FLAGS_RESET_IN_PROGRESS, &fw_reset->reset_flags);
mlx5_core_warn(dev, "PCI Sync FW Update Reset Timeout.\n");
}
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h
index d5b28525c960d..2d96b2adc1cdf 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fw_reset.h
@@ -10,6 +10,7 @@ int mlx5_fw_reset_query(struct mlx5_core_dev *dev, u8 *reset_level, u8 *reset_ty
int mlx5_fw_reset_set_reset_sync(struct mlx5_core_dev *dev, u8 reset_type_sel,
struct netlink_ext_ack *extack);
int mlx5_fw_reset_set_live_patch(struct mlx5_core_dev *dev);
+bool mlx5_fw_reset_in_progress(struct mlx5_core_dev *dev);
int mlx5_fw_reset_wait_reset_done(struct mlx5_core_dev *dev);
void mlx5_sync_reset_unload_flow(struct mlx5_core_dev *dev, bool locked);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 356/737] net/handshake: duplicate handshake cancellations leak socket
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 355/737] net/mlx5: Serialize firmware reset with devlink Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 357/737] net: enetc: do not transmit redirected XDP frames when the link is down Greg Kroah-Hartman
` (391 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuck Lever, Scott Mayhew,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
[ Upstream commit 15564bd67e2975002f2a8e9defee33e321d3183f ]
When a handshake request is cancelled it is removed from the
handshake_net->hn_requests list, but it is still present in the
handshake_rhashtbl until it is destroyed.
If a second cancellation request arrives for the same handshake request,
then remove_pending() will return false... and assuming
HANDSHAKE_F_REQ_COMPLETED isn't set in req->hr_flags, we'll continue
processing through the out_true label, where we put another reference on
the sock and a refcount underflow occurs.
This can happen for example if a handshake times out - particularly if
the SUNRPC client sends the AUTH_TLS probe to the server but doesn't
follow it up with the ClientHello due to a problem with tlshd. When the
timeout is hit on the server, the server will send a FIN, which triggers
a cancellation request via xs_reset_transport(). When the timeout is
hit on the client, another cancellation request happens via
xs_tls_handshake_sync().
Add a test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED) in the pending cancel
path so duplicate cancels can be detected.
Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
Suggested-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Link: https://patch.msgid.link/20251209193015.3032058-1-smayhew@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/handshake/request.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/handshake/request.c b/net/handshake/request.c
index 94d5cef3e048b..0ac126b0add60 100644
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -325,7 +325,11 @@ bool handshake_req_cancel(struct sock *sk)
hn = handshake_pernet(net);
if (hn && remove_pending(hn, req)) {
- /* Request hadn't been accepted */
+ /* Request hadn't been accepted - mark cancelled */
+ if (test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED, &req->hr_flags)) {
+ trace_handshake_cancel_busy(net, req, sk);
+ return false;
+ }
goto out_true;
}
if (test_and_set_bit(HANDSHAKE_F_REQ_COMPLETED, &req->hr_flags)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 357/737] net: enetc: do not transmit redirected XDP frames when the link is down
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 356/737] net/handshake: duplicate handshake cancellations leak socket Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 358/737] net: hns3: using the num_tqps in the vf driver to apply for resources Greg Kroah-Hartman
` (390 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Fang, Frank Li, Hariprasad Kelam,
Vladimir Oltean, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 2939203ffee818f1e5ebd60bbb85a174d63aab9c ]
In the current implementation, the enetc_xdp_xmit() always transmits
redirected XDP frames even if the link is down, but the frames cannot
be transmitted from TX BD rings when the link is down, so the frames
are still kept in the TX BD rings. If the XDP program is uninstalled,
users will see the following warning logs.
fsl_enetc 0000:00:00.0 eno0: timeout for tx ring #6 clear
More worse, the TX BD ring cannot work properly anymore, because the
HW PIR and CIR are not equal after the re-initialization of the TX
BD ring. At this point, the BDs between CIR and PIR are invalid,
which will cause a hardware malfunction.
Another reason is that there is internal context in the ring prefetch
logic that will retain the state from the first incarnation of the ring
and continue prefetching from the stale location when we re-initialize
the ring. The internal context is only reset by an FLR. That is to say,
for LS1028A ENETC, software cannot set the HW CIR and PIR when
initializing the TX BD ring.
It does not make sense to transmit redirected XDP frames when the link is
down. Add a link status check to prevent transmission in this condition.
This fixes part of the issue, but more complex cases remain. For example,
the TX BD ring may still contain unsent frames when the link goes down.
Those situations require additional patches, which will build on this
one.
Fixes: 9d2b68cc108d ("net: enetc: add support for XDP_REDIRECT")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/20251211020919.121113-1-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/enetc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
index 7accf3a3e9f0d..e3ab6f4f8dbba 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc.c
@@ -1429,7 +1429,8 @@ int enetc_xdp_xmit(struct net_device *ndev, int num_frames,
int xdp_tx_bd_cnt, i, k;
int xdp_tx_frm_cnt = 0;
- if (unlikely(test_bit(ENETC_TX_DOWN, &priv->flags)))
+ if (unlikely(test_bit(ENETC_TX_DOWN, &priv->flags) ||
+ !netif_carrier_ok(ndev)))
return -ENETDOWN;
enetc_lock_mdio();
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 358/737] net: hns3: using the num_tqps in the vf driver to apply for resources
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 357/737] net: enetc: do not transmit redirected XDP frames when the link is down Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 359/737] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Greg Kroah-Hartman
` (389 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit c2a16269742e176fccdd0ef9c016a233491a49ad ]
Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp
is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to
min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller
than hdev->num_tqps, which causes some hdev->htqp[i] to remain
uninitialized in hclgevf_knic_setup().
Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,
ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent
and that all elements are properly initialized.
Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-2-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
index 68a9aeeed3da0..c7e5b83ac4a84 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
@@ -333,12 +333,12 @@ static int hclgevf_knic_setup(struct hclgevf_dev *hdev)
new_tqps = kinfo->rss_size * num_tc;
kinfo->num_tqps = min(new_tqps, hdev->num_tqps);
- kinfo->tqp = devm_kcalloc(&hdev->pdev->dev, kinfo->num_tqps,
+ kinfo->tqp = devm_kcalloc(&hdev->pdev->dev, hdev->num_tqps,
sizeof(struct hnae3_queue *), GFP_KERNEL);
if (!kinfo->tqp)
return -ENOMEM;
- for (i = 0; i < kinfo->num_tqps; i++) {
+ for (i = 0; i < hdev->num_tqps; i++) {
hdev->htqp[i].q.handle = &hdev->nic;
hdev->htqp[i].q.tqp_index = i;
kinfo->tqp[i] = &hdev->htqp[i].q;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 359/737] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 358/737] net: hns3: using the num_tqps in the vf driver to apply for resources Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 360/737] net: hns3: add VLAN id validation before using Greg Kroah-Hartman
` (388 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit d180c11aa8a6fa735f9ac2c72c61364a9afc2ba7 ]
Currently, rss_size = num_tqps / tc_num. If tc_num is 1, then num_tqps
equals rss_size. However, if the tc_num is greater than 1, then rss_size
will be less than num_tqps, causing the tqp_index check for subsequent TCs
using rss_size to always fail.
This patch uses the num_tqps to check whether tqp_index is out of range,
instead of rss_size.
Fixes: 326334aad024 ("net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx()")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-3-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index 61e155c4d441e..a961e90a85a67 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -193,10 +193,10 @@ static int hclge_get_ring_chain_from_mbx(
return -EINVAL;
for (i = 0; i < ring_num; i++) {
- if (req->msg.param[i].tqp_index >= vport->nic.kinfo.rss_size) {
+ if (req->msg.param[i].tqp_index >= vport->nic.kinfo.num_tqps) {
dev_err(&hdev->pdev->dev, "tqp index(%u) is out of range(0-%u)\n",
req->msg.param[i].tqp_index,
- vport->nic.kinfo.rss_size - 1U);
+ vport->nic.kinfo.num_tqps - 1U);
return -EINVAL;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 360/737] net: hns3: add VLAN id validation before using
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 359/737] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 361/737] hwmon: (ibmpex) fix use-after-free in high/low store Greg Kroah-Hartman
` (387 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit 6ef935e65902bfed53980ad2754b06a284ea8ac1 ]
Currently, the VLAN id may be used without validation when
receive a VLAN configuration mailbox from VF. The length of
vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause
out-of-bounds memory access once the VLAN id is bigger than
or equal to VLAN_N_VID.
Therefore, VLAN id needs to be checked to ensure it is within
the range of VLAN_N_VID.
Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-4-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index 2fa64099e8be2..2df0c6305b908 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -10479,6 +10479,9 @@ int hclge_set_vlan_filter(struct hnae3_handle *handle, __be16 proto,
bool writen_to_tbl = false;
int ret = 0;
+ if (vlan_id >= VLAN_N_VID)
+ return -EINVAL;
+
/* When device is resetting or reset failed, firmware is unable to
* handle mailbox. Just record the vlan id, and remove it after
* reset finished.
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 361/737] hwmon: (ibmpex) fix use-after-free in high/low store
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 360/737] net: hns3: add VLAN id validation before using Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 362/737] hwmon: (tmp401) fix overflow caused by default conversion rate value Greg Kroah-Hartman
` (386 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Guenter Roeck, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 6946c726c3f4c36f0f049e6f97e88c510b15f65d ]
The ibmpex_high_low_store() function retrieves driver data using
dev_get_drvdata() and uses it without validation. This creates a race
condition where the sysfs callback can be invoked after the data
structure is freed, leading to use-after-free.
Fix by adding a NULL check after dev_get_drvdata(), and reordering
operations in the deletion path to prevent TOCTOU.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://lore.kernel.org/r/MEYPR01MB7886BE2F51BFE41875B74B60AFA0A@MEYPR01MB7886.ausprd01.prod.outlook.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/ibmpex.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c
index db066b368918..40fff7e95ea1 100644
--- a/drivers/hwmon/ibmpex.c
+++ b/drivers/hwmon/ibmpex.c
@@ -282,6 +282,9 @@ static ssize_t ibmpex_high_low_store(struct device *dev,
{
struct ibmpex_bmc_data *data = dev_get_drvdata(dev);
+ if (!data)
+ return -ENODEV;
+
ibmpex_reset_high_low_data(data);
return count;
@@ -514,6 +517,9 @@ static void ibmpex_bmc_delete(struct ibmpex_bmc_data *data)
{
int i, j;
+ hwmon_device_unregister(data->hwmon_dev);
+ dev_set_drvdata(data->bmc_device, NULL);
+
device_remove_file(data->bmc_device,
&sensor_dev_attr_reset_high_low.dev_attr);
device_remove_file(data->bmc_device, &sensor_dev_attr_name.dev_attr);
@@ -527,8 +533,7 @@ static void ibmpex_bmc_delete(struct ibmpex_bmc_data *data)
}
list_del(&data->list);
- dev_set_drvdata(data->bmc_device, NULL);
- hwmon_device_unregister(data->hwmon_dev);
+
ipmi_destroy_user(data->user);
kfree(data->sensors);
kfree(data);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 362/737] hwmon: (tmp401) fix overflow caused by default conversion rate value
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 361/737] hwmon: (ibmpex) fix use-after-free in high/low store Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 363/737] MIPS: Fix a reference leak bug in ip22_check_gio() Greg Kroah-Hartman
` (385 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Simakov, Guenter Roeck,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Simakov <bigalex934@gmail.com>
[ Upstream commit 82f2aab35a1ab2e1460de06ef04c726460aed51c ]
The driver computes conversion intervals using the formula:
interval = (1 << (7 - rate)) * 125ms
where 'rate' is the sensor's conversion rate register value. According to
the datasheet, the power-on reset value of this register is 0x8, which
could be assigned to the register, after handling i2c general call.
Using this default value causes a result greater than the bit width of
left operand and an undefined behaviour in the calculation above, since
shifting by values larger than the bit width is undefined behaviour as
per C language standard.
Limit the maximum usable 'rate' value to 7 to prevent undefined
behaviour in calculations.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Note (groeck):
This does not matter in practice unless someone overwrites the chip
configuration from outside the driver while the driver is loaded.
The conversion time register is initialized with a value of 5 (500ms)
when the driver is loaded, and the driver never writes a bad value.
Fixes: ca53e7640de7 ("hwmon: (tmp401) Convert to _info API")
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Link: https://lore.kernel.org/r/20251211164342.6291-1-bigalex934@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/tmp401.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/tmp401.c b/drivers/hwmon/tmp401.c
index 91f2314568cf..5cc932ef0460 100644
--- a/drivers/hwmon/tmp401.c
+++ b/drivers/hwmon/tmp401.c
@@ -408,7 +408,7 @@ static int tmp401_chip_read(struct device *dev, u32 attr, int channel, long *val
ret = regmap_read(data->regmap, TMP401_CONVERSION_RATE, ®val);
if (ret < 0)
return ret;
- *val = (1 << (7 - regval)) * 125;
+ *val = (1 << (7 - min(regval, 7))) * 125;
break;
case hwmon_chip_temp_reset_history:
*val = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 363/737] MIPS: Fix a reference leak bug in ip22_check_gio()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 362/737] hwmon: (tmp401) fix overflow caused by default conversion rate value Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 364/737] drm/panel: sony-td4353-jdi: Enable prepare_prev_first Greg Kroah-Hartman
` (384 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Thomas Bogendoerfer,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
[ Upstream commit 680ad315caaa2860df411cb378bf3614d96c7648 ]
If gio_device_register fails, gio_dev_put() is required to
drop the gio_dev device reference.
Fixes: e84de0c61905 ("MIPS: GIO bus support for SGI IP22/28")
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/sgi-ip22/ip22-gio.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/mips/sgi-ip22/ip22-gio.c b/arch/mips/sgi-ip22/ip22-gio.c
index 81c9f0a8880b..7026b464b02e 100644
--- a/arch/mips/sgi-ip22/ip22-gio.c
+++ b/arch/mips/sgi-ip22/ip22-gio.c
@@ -373,7 +373,8 @@ static void ip22_check_gio(int slotno, unsigned long addr, int irq)
gio_dev->resource.flags = IORESOURCE_MEM;
gio_dev->irq = irq;
dev_set_name(&gio_dev->dev, "%d", slotno);
- gio_device_register(gio_dev);
+ if (gio_device_register(gio_dev))
+ gio_dev_put(gio_dev);
} else
printk(KERN_INFO "GIO: slot %d : Empty\n", slotno);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 364/737] drm/panel: sony-td4353-jdi: Enable prepare_prev_first
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 363/737] MIPS: Fix a reference leak bug in ip22_check_gio() Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 365/737] x86/xen: Move Xen upcall handler Greg Kroah-Hartman
` (383 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marijn Suijten, Douglas Anderson,
AngeloGioacchino Del Regno, Martin Botka, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marijn Suijten <marijn.suijten@somainline.org>
[ Upstream commit 2b973ca48ff3ef1952091c8f988d7796781836c8 ]
The DSI host must be enabled before our prepare function can run, which
has to send its init sequence over DSI. Without enabling the host first
the panel will not probe.
Fixes: 9e15123eca79 ("drm/msm/dsi: Stop unconditionally powering up DSI hosts at modeset")
Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Martin Botka <martin.botka@somainline.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20251130-sony-akari-fix-panel-v1-1-1d27c60a55f5@somainline.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-sony-td4353-jdi.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/panel/panel-sony-td4353-jdi.c b/drivers/gpu/drm/panel/panel-sony-td4353-jdi.c
index 1bde2f01786b..e7383a0e3d36 100644
--- a/drivers/gpu/drm/panel/panel-sony-td4353-jdi.c
+++ b/drivers/gpu/drm/panel/panel-sony-td4353-jdi.c
@@ -283,6 +283,8 @@ static int sony_td4353_jdi_probe(struct mipi_dsi_device *dsi)
if (ret)
return dev_err_probe(dev, ret, "Failed to get backlight\n");
+ ctx->panel.prepare_prev_first = true;
+
drm_panel_add(&ctx->panel);
ret = mipi_dsi_attach(dsi);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 365/737] x86/xen: Move Xen upcall handler
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 364/737] drm/panel: sony-td4353-jdi: Enable prepare_prev_first Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 366/737] x86/xen: Fix sparse warning in enlighten_pv.c Greg Kroah-Hartman
` (382 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Gerst, Ingo Molnar,
Juergen Gross, Sohil Mehta, Andy Lutomirski, H. Peter Anvin,
Linus Torvalds, Josh Poimboeuf, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Gerst <brgerst@gmail.com>
[ Upstream commit 1ab7b5ed44ba9bce581e225f40219b793bc779d6 ]
Move the upcall handler to Xen-specific files.
No functional changes.
Signed-off-by: Brian Gerst <brgerst@gmail.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Sohil Mehta <sohil.mehta@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Link: https://lore.kernel.org/r/20250314151220.862768-2-brgerst@gmail.com
Stable-dep-of: e5aff444e3a7 ("x86/xen: Fix sparse warning in enlighten_pv.c")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/entry/common.c | 72 -------------------------------------
arch/x86/xen/enlighten_pv.c | 69 +++++++++++++++++++++++++++++++++++
2 files changed, 69 insertions(+), 72 deletions(-)
diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
index e72dac092245..3c88bdf96e7a 100644
--- a/arch/x86/entry/common.c
+++ b/arch/x86/entry/common.c
@@ -20,11 +20,6 @@
#include <linux/syscalls.h>
#include <linux/uaccess.h>
-#ifdef CONFIG_XEN_PV
-#include <xen/xen-ops.h>
-#include <xen/events.h>
-#endif
-
#include <asm/apic.h>
#include <asm/desc.h>
#include <asm/traps.h>
@@ -346,70 +341,3 @@ SYSCALL_DEFINE0(ni_syscall)
{
return -ENOSYS;
}
-
-#ifdef CONFIG_XEN_PV
-#ifndef CONFIG_PREEMPTION
-/*
- * Some hypercalls issued by the toolstack can take many 10s of
- * seconds. Allow tasks running hypercalls via the privcmd driver to
- * be voluntarily preempted even if full kernel preemption is
- * disabled.
- *
- * Such preemptible hypercalls are bracketed by
- * xen_preemptible_hcall_begin() and xen_preemptible_hcall_end()
- * calls.
- */
-DEFINE_PER_CPU(bool, xen_in_preemptible_hcall);
-EXPORT_SYMBOL_GPL(xen_in_preemptible_hcall);
-
-/*
- * In case of scheduling the flag must be cleared and restored after
- * returning from schedule as the task might move to a different CPU.
- */
-static __always_inline bool get_and_clear_inhcall(void)
-{
- bool inhcall = __this_cpu_read(xen_in_preemptible_hcall);
-
- __this_cpu_write(xen_in_preemptible_hcall, false);
- return inhcall;
-}
-
-static __always_inline void restore_inhcall(bool inhcall)
-{
- __this_cpu_write(xen_in_preemptible_hcall, inhcall);
-}
-#else
-static __always_inline bool get_and_clear_inhcall(void) { return false; }
-static __always_inline void restore_inhcall(bool inhcall) { }
-#endif
-
-static void __xen_pv_evtchn_do_upcall(struct pt_regs *regs)
-{
- struct pt_regs *old_regs = set_irq_regs(regs);
-
- inc_irq_stat(irq_hv_callback_count);
-
- xen_evtchn_do_upcall();
-
- set_irq_regs(old_regs);
-}
-
-__visible noinstr void xen_pv_evtchn_do_upcall(struct pt_regs *regs)
-{
- irqentry_state_t state = irqentry_enter(regs);
- bool inhcall;
-
- instrumentation_begin();
- run_sysvec_on_irqstack_cond(__xen_pv_evtchn_do_upcall, regs);
-
- inhcall = get_and_clear_inhcall();
- if (inhcall && !WARN_ON_ONCE(state.exit_rcu)) {
- irqentry_exit_cond_resched();
- instrumentation_end();
- restore_inhcall(inhcall);
- } else {
- instrumentation_end();
- irqentry_exit(regs, state);
- }
-}
-#endif /* CONFIG_XEN_PV */
diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
index 3df7c96e7388..72b58fa4bc17 100644
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -72,6 +72,7 @@
#include <asm/mwait.h>
#include <asm/pci_x86.h>
#include <asm/cpu.h>
+#include <asm/irq_stack.h>
#ifdef CONFIG_X86_IOPL_IOPERM
#include <asm/io_bitmap.h>
#endif
@@ -97,6 +98,44 @@ void *xen_initial_gdt;
static int xen_cpu_up_prepare_pv(unsigned int cpu);
static int xen_cpu_dead_pv(unsigned int cpu);
+#ifndef CONFIG_PREEMPTION
+/*
+ * Some hypercalls issued by the toolstack can take many 10s of
+ * seconds. Allow tasks running hypercalls via the privcmd driver to
+ * be voluntarily preempted even if full kernel preemption is
+ * disabled.
+ *
+ * Such preemptible hypercalls are bracketed by
+ * xen_preemptible_hcall_begin() and xen_preemptible_hcall_end()
+ * calls.
+ */
+DEFINE_PER_CPU(bool, xen_in_preemptible_hcall);
+EXPORT_SYMBOL_GPL(xen_in_preemptible_hcall);
+
+/*
+ * In case of scheduling the flag must be cleared and restored after
+ * returning from schedule as the task might move to a different CPU.
+ */
+static __always_inline bool get_and_clear_inhcall(void)
+{
+ bool inhcall = __this_cpu_read(xen_in_preemptible_hcall);
+
+ __this_cpu_write(xen_in_preemptible_hcall, false);
+ return inhcall;
+}
+
+static __always_inline void restore_inhcall(bool inhcall)
+{
+ __this_cpu_write(xen_in_preemptible_hcall, inhcall);
+}
+
+#else
+
+static __always_inline bool get_and_clear_inhcall(void) { return false; }
+static __always_inline void restore_inhcall(bool inhcall) { }
+
+#endif
+
struct tls_descs {
struct desc_struct desc[3];
};
@@ -678,6 +717,36 @@ DEFINE_IDTENTRY_RAW(xenpv_exc_machine_check)
}
#endif
+static void __xen_pv_evtchn_do_upcall(struct pt_regs *regs)
+{
+ struct pt_regs *old_regs = set_irq_regs(regs);
+
+ inc_irq_stat(irq_hv_callback_count);
+
+ xen_evtchn_do_upcall();
+
+ set_irq_regs(old_regs);
+}
+
+__visible noinstr void xen_pv_evtchn_do_upcall(struct pt_regs *regs)
+{
+ irqentry_state_t state = irqentry_enter(regs);
+ bool inhcall;
+
+ instrumentation_begin();
+ run_sysvec_on_irqstack_cond(__xen_pv_evtchn_do_upcall, regs);
+
+ inhcall = get_and_clear_inhcall();
+ if (inhcall && !WARN_ON_ONCE(state.exit_rcu)) {
+ irqentry_exit_cond_resched();
+ instrumentation_end();
+ restore_inhcall(inhcall);
+ } else {
+ instrumentation_end();
+ irqentry_exit(regs, state);
+ }
+}
+
struct trap_array_entry {
void (*orig)(void);
void (*xen)(void);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 366/737] x86/xen: Fix sparse warning in enlighten_pv.c
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 365/737] x86/xen: Move Xen upcall handler Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 367/737] spi: cadence-quadspi: Fix clock disable on probe failure path Greg Kroah-Hartman
` (381 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Boris Ostrovsky,
Juergen Gross, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
[ Upstream commit e5aff444e3a7bdeef5ea796a2099fc3c60a070fa ]
The sparse tool issues a warning for arch/x76/xen/enlighten_pv.c:
arch/x86/xen/enlighten_pv.c:120:9: sparse: sparse: incorrect type
in initializer (different address spaces)
expected void const [noderef] __percpu *__vpp_verify
got bool *
This is due to the percpu variable xen_in_preemptible_hcall being
exported via EXPORT_SYMBOL_GPL() instead of EXPORT_PER_CPU_SYMBOL_GPL().
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202512140856.Ic6FetG6-lkp@intel.com/
Fixes: fdfd811ddde3 ("x86/xen: allow privcmd hypercalls to be preempted")
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Message-ID: <20251215115112.15072-1-jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/enlighten_pv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c
index 72b58fa4bc17..bfcd6ffc57df 100644
--- a/arch/x86/xen/enlighten_pv.c
+++ b/arch/x86/xen/enlighten_pv.c
@@ -110,7 +110,7 @@ static int xen_cpu_dead_pv(unsigned int cpu);
* calls.
*/
DEFINE_PER_CPU(bool, xen_in_preemptible_hcall);
-EXPORT_SYMBOL_GPL(xen_in_preemptible_hcall);
+EXPORT_PER_CPU_SYMBOL_GPL(xen_in_preemptible_hcall);
/*
* In case of scheduling the flag must be cleared and restored after
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 367/737] spi: cadence-quadspi: Fix clock disable on probe failure path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 366/737] x86/xen: Fix sparse warning in enlighten_pv.c Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 368/737] block: rnbd-clt: Fix leaked ID in init_dev() Greg Kroah-Hartman
` (380 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anurag Dutta, Nishanth Menon,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anurag Dutta <a-dutta@ti.com>
[ Upstream commit 1889dd2081975ce1f6275b06cdebaa8d154847a9 ]
When cqspi_request_mmap_dma() returns -EPROBE_DEFER after runtime PM
is enabled, the error path calls clk_disable_unprepare() on an already
disabled clock, causing an imbalance.
Use pm_runtime_get_sync() to increment the usage counter and resume the
device. This prevents runtime_suspend() from being invoked and causing
a double clock disable.
Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller")
Signed-off-by: Anurag Dutta <a-dutta@ti.com>
Tested-by: Nishanth Menon <nm@ti.com>
Link: https://patch.msgid.link/20251212072312.2711806-3-a-dutta@ti.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-cadence-quadspi.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
index 7b809644436e..eed88aba2cfe 100644
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -1885,7 +1885,9 @@ static int cqspi_probe(struct platform_device *pdev)
probe_reset_failed:
if (cqspi->is_jh7110)
cqspi_jh7110_disable_clk(pdev, cqspi);
- clk_disable_unprepare(cqspi->clk);
+
+ if (pm_runtime_get_sync(&pdev->dev) >= 0)
+ clk_disable_unprepare(cqspi->clk);
probe_clk_failed:
pm_runtime_put_sync(dev);
probe_pm_failed:
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 368/737] block: rnbd-clt: Fix leaked ID in init_dev()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 367/737] spi: cadence-quadspi: Fix clock disable on probe failure path Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 369/737] ksmbd: skip lock-range check on equal size to avoid size==0 underflow Greg Kroah-Hartman
` (379 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Jack Wang,
Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit c9b5645fd8ca10f310e41b07540f98e6a9720f40 ]
If kstrdup() fails in init_dev(), then the newly allocated ID is lost.
Fixes: 64e8a6ece1a5 ("block/rnbd-clt: Dynamically alloc buffer for pathname & blk_symlink_name")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Acked-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/rnbd/rnbd-clt.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/block/rnbd/rnbd-clt.c b/drivers/block/rnbd/rnbd-clt.c
index b0550b68645d..0c3c63cf986b 100644
--- a/drivers/block/rnbd/rnbd-clt.c
+++ b/drivers/block/rnbd/rnbd-clt.c
@@ -1440,9 +1440,11 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
goto out_alloc;
}
- ret = ida_alloc_max(&index_ida, (1 << (MINORBITS - RNBD_PART_BITS)) - 1,
- GFP_KERNEL);
- if (ret < 0) {
+ dev->clt_device_id = ida_alloc_max(&index_ida,
+ (1 << (MINORBITS - RNBD_PART_BITS)) - 1,
+ GFP_KERNEL);
+ if (dev->clt_device_id < 0) {
+ ret = dev->clt_device_id;
pr_err("Failed to initialize device '%s' from session %s, allocating idr failed, err: %d\n",
pathname, sess->sessname, ret);
goto out_queues;
@@ -1451,10 +1453,9 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
dev->pathname = kstrdup(pathname, GFP_KERNEL);
if (!dev->pathname) {
ret = -ENOMEM;
- goto out_queues;
+ goto out_ida;
}
- dev->clt_device_id = ret;
dev->sess = sess;
dev->access_mode = access_mode;
dev->nr_poll_queues = nr_poll_queues;
@@ -1470,6 +1471,8 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
return dev;
+out_ida:
+ ida_free(&index_ida, dev->clt_device_id);
out_queues:
kfree(dev->hw_queues);
out_alloc:
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 369/737] ksmbd: skip lock-range check on equal size to avoid size==0 underflow
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 368/737] block: rnbd-clt: Fix leaked ID in init_dev() Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 370/737] ksmbd: Fix refcount leak when invalid session is found on session lookup Greg Kroah-Hartman
` (378 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qianchang Zhao, Zhitong Liu,
Namjae Jeon, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qianchang Zhao <pioooooooooip@gmail.com>
commit 5d510ac31626ed157d2182149559430350cf2104 upstream.
When size equals the current i_size (including 0), the code used to call
check_lock_range(filp, i_size, size - 1, WRITE), which computes `size - 1`
and can underflow for size==0. Skip the equal case.
Cc: stable@vger.kernel.org
Reported-by: Qianchang Zhao <pioooooooooip@gmail.com>
Reported-by: Zhitong Liu <liuzhitong1993@gmail.com>
Signed-off-by: Qianchang Zhao <pioooooooooip@gmail.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/vfs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/smb/server/vfs.c
+++ b/fs/smb/server/vfs.c
@@ -333,6 +333,9 @@ static int check_lock_range(struct file
struct file_lock_context *ctx = locks_inode_context(file_inode(filp));
int error = 0;
+ if (start == end)
+ return 0;
+
if (!ctx || list_empty_careful(&ctx->flc_posix))
return 0;
@@ -834,7 +837,7 @@ int ksmbd_vfs_truncate(struct ksmbd_work
if (size < inode->i_size) {
err = check_lock_range(filp, size,
inode->i_size - 1, WRITE);
- } else {
+ } else if (size > inode->i_size) {
err = check_lock_range(filp, inode->i_size,
size - 1, WRITE);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 370/737] ksmbd: Fix refcount leak when invalid session is found on session lookup
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 369/737] ksmbd: skip lock-range check on equal size to avoid size==0 underflow Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 371/737] ksmbd: fix buffer validation by including null terminator size in EA length Greg Kroah-Hartman
` (377 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre, Stanislas Polu,
Namjae Jeon, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit cafb57f7bdd57abba87725eb4e82bbdca4959644 upstream.
When a session is found but its state is not SMB2_SESSION_VALID, It
indicates that no valid session was found, but it is missing to decrement
the reference count acquired by the session lookup, which results in
a reference count leak. This patch fixes the issue by explicitly calling
ksmbd_user_session_put to release the reference to the session.
Cc: stable@vger.kernel.org
Reported-by: Alexandre <roger.andersen@protonmail.com>
Reported-by: Stanislas Polu <spolu@dust.tt>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/mgmt/user_session.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/smb/server/mgmt/user_session.c
+++ b/fs/smb/server/mgmt/user_session.c
@@ -312,8 +312,10 @@ struct ksmbd_session *ksmbd_session_look
sess = ksmbd_session_lookup(conn, id);
if (!sess && conn->binding)
sess = ksmbd_session_lookup_slowpath(id);
- if (sess && sess->state != SMB2_SESSION_VALID)
+ if (sess && sess->state != SMB2_SESSION_VALID) {
+ ksmbd_user_session_put(sess);
sess = NULL;
+ }
return sess;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 371/737] ksmbd: fix buffer validation by including null terminator size in EA length
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 370/737] ksmbd: Fix refcount leak when invalid session is found on session lookup Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 372/737] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Greg Kroah-Hartman
` (376 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roger, Stanislas Polu, Namjae Jeon,
Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
commit 95d7a890e4b03e198836d49d699408fd1867cb55 upstream.
The smb2_set_ea function, which handles Extended Attributes (EA),
was performing buffer validation checks that incorrectly omitted the size
of the null terminating character (+1 byte) for EA Name.
This patch fixes the issue by explicitly adding '+ 1' to EaNameLength where
the null terminator is expected to be present in the buffer, ensuring
the validation accurately reflects the total required buffer size.
Cc: stable@vger.kernel.org
Reported-by: Roger <roger.andersen@protonmail.com>
Reported-by: Stanislas Polu <spolu@dust.tt>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/server/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -2356,7 +2356,7 @@ static int smb2_set_ea(struct smb2_ea_in
int rc = 0;
unsigned int next = 0;
- if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
+ if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
le16_to_cpu(eabuf->EaValueLength))
return -EINVAL;
@@ -2433,7 +2433,7 @@ next:
break;
}
- if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength +
+ if (buf_len < sizeof(struct smb2_ea_info) + eabuf->EaNameLength + 1 +
le16_to_cpu(eabuf->EaValueLength)) {
rc = -EINVAL;
break;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 372/737] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 371/737] ksmbd: fix buffer validation by including null terminator size in EA length Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 373/737] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Greg Kroah-Hartman
` (375 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ping Cheng, stable, Jiri Kosina
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ping Cheng <pinglinux@gmail.com>
commit 7953794f741e94d30df9dafaaa4c031c85b891d6 upstream.
HID_GD_Z is mapped to ABS_Z for stylus and pen in hid-input.c. But HID_GD_Z
should be used to report ABS_DISTANCE for stylus and pen as described at:
Documentation/input/event-codes.rst#n226
* ABS_DISTANCE:
- Used to describe the distance of a tool from an interaction surface. This
event should only be emitted while the tool is hovering, meaning in close
proximity of the device and while the value of the BTN_TOUCH code is 0. If
the input device may be used freely in three dimensions, consider ABS_Z
instead.
- BTN_TOOL_<name> should be set to 1 when the tool comes into detectable
proximity and set to 0 when the tool leaves detectable proximity.
BTN_TOOL_<name> signals the type of tool that is currently detected by the
hardware and is otherwise independent of ABS_DISTANCE and/or BTN_TOUCH.
This patch makes the correct mapping. The ABS_DISTANCE is currently not mapped
by any HID usage in hid-generic driver.
Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-input.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -864,7 +864,7 @@ static void hidinput_configure_usage(str
switch (usage->hid) {
/* These usage IDs map directly to the usage codes. */
- case HID_GD_X: case HID_GD_Y: case HID_GD_Z:
+ case HID_GD_X: case HID_GD_Y:
case HID_GD_RX: case HID_GD_RY: case HID_GD_RZ:
if (field->flags & HID_MAIN_ITEM_RELATIVE)
map_rel(usage->hid & 0xf);
@@ -872,6 +872,22 @@ static void hidinput_configure_usage(str
map_abs_clear(usage->hid & 0xf);
break;
+ case HID_GD_Z:
+ /* HID_GD_Z is mapped to ABS_DISTANCE for stylus/pen */
+ if (field->flags & HID_MAIN_ITEM_RELATIVE) {
+ map_rel(usage->hid & 0xf);
+ } else {
+ if (field->application == HID_DG_PEN ||
+ field->physical == HID_DG_PEN ||
+ field->logical == HID_DG_STYLUS ||
+ field->physical == HID_DG_STYLUS ||
+ field->application == HID_DG_DIGITIZER)
+ map_abs_clear(ABS_DISTANCE);
+ else
+ map_abs_clear(usage->hid & 0xf);
+ }
+ break;
+
case HID_GD_WHEEL:
if (field->flags & HID_MAIN_ITEM_RELATIVE) {
set_bit(REL_WHEEL, input->relbit);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 373/737] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 372/737] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 374/737] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
` (374 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junjie Cao, Dmitry Torokhov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junjie Cao <junjie.cao@intel.com>
commit 248d3a73a0167dce15ba100477c3e778c4787178 upstream.
The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
access when used as index in 'config_pins[wire_order[i]]'.
Since config_pins has 4 elements (indices 0-3), the valid range for
wire_order should be 0-3. Fix the off-by-one error by using >= instead
of > in the validation check.
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Link: https://patch.msgid.link/20251114062817.852698-1-junjie.cao@intel.com
Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made configurable")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/touchscreen/ti_am335x_tsc.c
+++ b/drivers/input/touchscreen/ti_am335x_tsc.c
@@ -85,7 +85,7 @@ static int titsc_config_wires(struct tit
wire_order[i] = ts_dev->config_inp[i] & 0x0F;
if (WARN_ON(analog_line[i] > 7))
return -EINVAL;
- if (WARN_ON(wire_order[i] > ARRAY_SIZE(config_pins)))
+ if (WARN_ON(wire_order[i] >= ARRAY_SIZE(config_pins)))
return -EINVAL;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 374/737] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 373/737] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 375/737] can: gs_usb: gs_can_open(): fix error handling Greg Kroah-Hartman
` (373 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoffer Sandberg, Werner Sembach,
Dmitry Torokhov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoffer Sandberg <cs@tuxedo.de>
commit aed3716db7fff74919cc5775ca3a80c8bb246489 upstream.
The device occasionally wakes up from suspend with missing input on the
internal keyboard and the following suspend attempt results in an instant
wake-up. The quirks fix both issues for this device.
Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251124203336.64072-1-wse@tuxedocomputers.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-acpipnpio.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/input/serio/i8042-acpipnpio.h
+++ b/drivers/input/serio/i8042-acpipnpio.h
@@ -1169,6 +1169,13 @@ static const struct dmi_system_id i8042_
.driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_BOARD_NAME, "X5KK45xS_X5SP45xS"),
+ },
+ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
+ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
+ },
/*
* A lot of modern Clevo barebones have touchpad and/or keyboard issues
* after suspend fixable with the forcenorestore quirk.
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 375/737] can: gs_usb: gs_can_open(): fix error handling
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 374/737] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 376/737] ACPI: PCC: Fix race condition by removing static qualifier Greg Kroah-Hartman
` (372 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 3e54d3b4a8437b6783d4145c86962a2aa51022f3 upstream.
Commit 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling")
added missing error handling to the gs_can_open() function.
The driver uses 2 USB anchors to track the allocated URBs: the TX URBs in
struct gs_can::tx_submitted for each netdev and the RX URBs in struct
gs_usb::rx_submitted for the USB device. gs_can_open() allocates the RX
URBs, while TX URBs are allocated during gs_can_start_xmit().
The cleanup in gs_can_open() kills all anchored dev->tx_submitted
URBs (which is not necessary since the netdev is not yet registered), but
misses the parent->rx_submitted URBs.
Fix the problem by killing the rx_submitted instead of the tx_submitted.
Fixes: 2603be9e8167 ("can: gs_usb: gs_can_open(): improve error handling")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251210-gs_usb-fix-error-handling-v1-1-d6a5a03f10bb@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/gs_usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -1071,7 +1071,7 @@ out_usb_free_urb:
usb_free_urb(urb);
out_usb_kill_anchored_urbs:
if (!parent->active_channels) {
- usb_kill_anchored_urbs(&dev->tx_submitted);
+ usb_kill_anchored_urbs(&parent->rx_submitted);
if (dev->feature & GS_CAN_FEATURE_HW_TIMESTAMP)
gs_usb_timestamp_stop(parent);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 376/737] ACPI: PCC: Fix race condition by removing static qualifier
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 375/737] can: gs_usb: gs_can_open(): fix error handling Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 377/737] ACPI: CPPC: Fix missing PCC check for guaranteed_perf Greg Kroah-Hartman
` (371 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengjie Zhang, Sudeep Holla,
lihuisong, Rafael J. Wysocki
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengjie Zhang <zhangpengjie2@huawei.com>
commit f103fa127c93016bcd89b05d8e11dc1a84f6990d upstream.
Local variable 'ret' in acpi_pcc_address_space_setup() is currently
declared as 'static'. This can lead to race conditions in a
multithreaded environment.
Remove the 'static' qualifier to ensure that 'ret' will be allocated
directly on the stack as a local variable.
Fixes: a10b1c99e2dc ("ACPI: PCC: Setup PCC Opregion handler only if platform interrupt is available")
Signed-off-by: Pengjie Zhang <zhangpengjie2@huawei.com>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Acked-by: lihuisong@huawei.com
Cc: 6.2+ <stable@vger.kernel.org> # 6.2+
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20251210132634.2050033-1-zhangpengjie2@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/acpi_pcc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/acpi/acpi_pcc.c
+++ b/drivers/acpi/acpi_pcc.c
@@ -53,7 +53,7 @@ acpi_pcc_address_space_setup(acpi_handle
struct pcc_data *data;
struct acpi_pcc_info *ctx = handler_context;
struct pcc_mbox_chan *pcc_chan;
- static acpi_status ret;
+ acpi_status ret;
data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 377/737] ACPI: CPPC: Fix missing PCC check for guaranteed_perf
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 376/737] ACPI: PCC: Fix race condition by removing static qualifier Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 378/737] spi: fsl-cpm: Check length parity before switching to 16 bit mode Greg Kroah-Hartman
` (370 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pengjie Zhang, Rafael J. Wysocki
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengjie Zhang <zhangpengjie2@huawei.com>
commit 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b upstream.
The current implementation overlooks the 'guaranteed_perf'
register in this check.
If the Guaranteed Performance register is located in the PCC
subspace, the function currently attempts to read it without
acquiring the lock and without sending the CMD_READ doorbell
to the firmware. This can result in reading stale data.
Fixes: 29523f095397 ("ACPI / CPPC: Add support for guaranteed performance")
Signed-off-by: Pengjie Zhang <zhangpengjie2@huawei.com>
Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
[ rjw: Subject and changelog edits ]
Link: https://patch.msgid.link/20251210132227.1988380-1-zhangpengjie2@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/cppc_acpi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -1299,7 +1299,8 @@ int cppc_get_perf_caps(int cpunum, struc
/* Are any of the regs PCC ?*/
if (CPC_IN_PCC(highest_reg) || CPC_IN_PCC(lowest_reg) ||
CPC_IN_PCC(lowest_non_linear_reg) || CPC_IN_PCC(nominal_reg) ||
- CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg)) {
+ CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg) ||
+ CPC_IN_PCC(guaranteed_reg)) {
if (pcc_ss_id < 0) {
pr_debug("Invalid pcc_ss_id\n");
return -ENODEV;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 378/737] spi: fsl-cpm: Check length parity before switching to 16 bit mode
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 377/737] ACPI: CPPC: Fix missing PCC check for guaranteed_perf Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 379/737] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Greg Kroah-Hartman
` (369 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Sverdlin Alexander,
Mark Brown
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
commit 1417927df8049a0194933861e9b098669a95c762 upstream.
Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
with even size") failed to make sure that the size is really even
before switching to 16 bit mode. Until recently the problem went
unnoticed because kernfs uses a pre-allocated bounce buffer of size
PAGE_SIZE for reading EEPROM.
But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
introduced an additional dynamically allocated bounce buffer whose size
is exactly the size of the transfer, leading to a buffer overrun in
the fsl-cpm driver when that size is odd.
Add the missing length parity verification and remain in 8 bit mode
when the length is not even.
Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size")
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Reviewed-by: Sverdlin Alexander <alexander.sverdlin@siemens.com>
Link: https://patch.msgid.link/3c4d81c3923c93f95ec56702a454744a4bad3cfc.1763627618.git.christophe.leroy@csgroup.eu
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-fsl-spi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-fsl-spi.c
+++ b/drivers/spi/spi-fsl-spi.c
@@ -336,7 +336,7 @@ static int fsl_spi_prepare_message(struc
if (t->bits_per_word == 16 || t->bits_per_word == 32)
t->bits_per_word = 8; /* pretend its 8 bits */
if (t->bits_per_word == 8 && t->len >= 256 &&
- (mpc8xxx_spi->flags & SPI_CPM1))
+ !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1))
t->bits_per_word = 16;
}
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 379/737] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 378/737] spi: fsl-cpm: Check length parity before switching to 16 bit mode Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 380/737] dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml Greg Kroah-Hartman
` (368 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jared Kangas, Haibo Chen,
Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jared Kangas <jkangas@redhat.com>
commit d3ecb12e2e04ce53c95f933c462f2d8b150b965b upstream.
MMC_SDHCI_ESDHC_IMX requires ARCH_MXC despite also being used on
ARCH_S32, which results in unmet dependencies when compiling strictly
for ARCH_S32. Resolve this by adding ARCH_S32 as an alternative to
ARCH_MXC in the driver's dependencies.
Fixes: 5c4f00627c9a ("mmc: sdhci-esdhc-imx: add NXP S32G2 support")
Cc: stable@bvger.kernel.org
Signed-off-by: Jared Kangas <jkangas@redhat.com>
Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/mmc/host/Kconfig
+++ b/drivers/mmc/host/Kconfig
@@ -278,14 +278,14 @@ config MMC_SDHCI_ESDHC_MCF
config MMC_SDHCI_ESDHC_IMX
tristate "SDHCI support for the Freescale eSDHC/uSDHC i.MX controller"
- depends on ARCH_MXC || COMPILE_TEST
+ depends on ARCH_MXC || ARCH_S32 || COMPILE_TEST
depends on MMC_SDHCI_PLTFM
depends on OF
select MMC_SDHCI_IO_ACCESSORS
select MMC_CQHCI
help
This selects the Freescale eSDHC/uSDHC controller support
- found on i.MX25, i.MX35 i.MX5x and i.MX6x.
+ found on i.MX25, i.MX35, i.MX5x, i.MX6x, and S32G.
If you have a controller with this interface, say Y or M here.
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 380/737] dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 379/737] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 381/737] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Greg Kroah-Hartman
` (367 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Jeffery, Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Jeffery <andrew@codeconstruct.com.au>
commit ed724ea1b82a800af4704311cb89e5ef1b4ea7ac upstream.
Enable use of common SDHCI-related properties such as sdhci-caps-mask as
found in the AST2600 EVB DTS.
Cc: stable@vger.kernel.org # v6.2+
Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml
+++ b/Documentation/devicetree/bindings/mmc/aspeed,sdhci.yaml
@@ -41,7 +41,7 @@ properties:
patternProperties:
"^sdhci@[0-9a-f]+$":
type: object
- $ref: mmc-controller.yaml
+ $ref: sdhci-common.yaml
unevaluatedProperties: false
properties:
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 381/737] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 380/737] dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 382/737] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Greg Kroah-Hartman
` (366 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+2fa344348a579b779e05,
Shaurya Rane, Felix Maurer, Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
commit 188e0fa5a679570ea35474575e724d8211423d17 upstream.
prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
but doesn't check if the allocation failed. If __pskb_copy() returns
NULL, skb_clone() is called with a NULL pointer, causing a crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
Call Trace:
<TASK>
hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
__netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
__netif_receive_skb_one_core net/core/dev.c:6077 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6192
netif_receive_skb_internal net/core/dev.c:6278 [inline]
netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0449f8e1ff
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
</TASK>
Add a NULL check immediately after __pskb_copy() to handle allocation
failures gracefully.
Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05
Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
Cc: stable@vger.kernel.org
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Reviewed-by: Felix Maurer <fmaurer@redhat.com>
Tested-by: Felix Maurer <fmaurer@redhat.com>
Link: https://patch.msgid.link/20251129093718.25320-1-ssrane_b23@ee.vjti.ac.in
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/hsr/hsr_forward.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -176,6 +176,8 @@ struct sk_buff *prp_get_untagged_frame(s
__pskb_copy(frame->skb_prp,
skb_headroom(frame->skb_prp),
GFP_ATOMIC);
+ if (!frame->skb_std)
+ return NULL;
} else {
/* Unexpected */
WARN_ONCE(1, "%s:%d: Unexpected frame received (port_src %s)\n",
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 382/737] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 381/737] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 383/737] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe " Greg Kroah-Hartman
` (365 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 2a03b40deacbd293ac9aed0f9b11197dad54fe5f ]
When vxpocket_config() fails, vxpocket_probe() returns the error code
directly without freeing the sound card resources allocated by
snd_card_new(), which leads to a memory leak.
Add proper error handling to free the sound card and clear the
allocation bit when vxpocket_config() fails.
Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251215042652.695-1-vulab@iscas.ac.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pcmcia/vx/vxpocket.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/pcmcia/vx/vxpocket.c b/sound/pcmcia/vx/vxpocket.c
index 7a0f0e73ceb2..867a477d53ae 100644
--- a/sound/pcmcia/vx/vxpocket.c
+++ b/sound/pcmcia/vx/vxpocket.c
@@ -295,7 +295,13 @@ static int vxpocket_probe(struct pcmcia_device *p_dev)
vxp->p_dev = p_dev;
- return vxpocket_config(p_dev);
+ err = vxpocket_config(p_dev);
+ if (err < 0) {
+ card_alloc &= ~(1 << i);
+ snd_card_free(card);
+ return err;
+ }
+ return 0;
}
static void vxpocket_detach(struct pcmcia_device *link)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 383/737] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 382/737] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 384/737] ALSA: usb-mixer: us16x08: validate meter packet indices Greg Kroah-Hartman
` (364 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Haotian Zhang,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 5032347c04ba7ff9ba878f262e075d745c06a2a8 ]
When pdacf_config() fails, snd_pdacf_probe() returns the error code
directly without freeing the sound card resources allocated by
snd_card_new(), which leads to a memory leak.
Add proper error handling to free the sound card and clear the card
list entry when pdacf_config() fails.
Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251215090433.211-1-vulab@iscas.ac.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pcmcia/pdaudiocf/pdaudiocf.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/pcmcia/pdaudiocf/pdaudiocf.c b/sound/pcmcia/pdaudiocf/pdaudiocf.c
index 8363ec08df5d..4468d81683ec 100644
--- a/sound/pcmcia/pdaudiocf/pdaudiocf.c
+++ b/sound/pcmcia/pdaudiocf/pdaudiocf.c
@@ -132,7 +132,13 @@ static int snd_pdacf_probe(struct pcmcia_device *link)
link->config_index = 1;
link->config_regs = PRESENT_OPTION;
- return pdacf_config(link);
+ err = pdacf_config(link);
+ if (err < 0) {
+ card_list[i] = NULL;
+ snd_card_free(card);
+ return err;
+ }
+ return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 384/737] ALSA: usb-mixer: us16x08: validate meter packet indices
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 383/737] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe " Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 385/737] ipmi: Fix the race between __scan_channels() and deliver_response() Greg Kroah-Hartman
` (363 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DARKNAVY (@DarkNavyOrg), Shipei Qu,
Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shipei Qu <qu@darknavy.com>
[ Upstream commit 5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e ]
get_meter_levels_from_urb() parses the 64-byte meter packets sent by
the device and fills the per-channel arrays meter_level[],
comp_level[] and master_level[] in struct snd_us16x08_meter_store.
Currently the function derives the channel index directly from the
meter packet (MUB2(meter_urb, s) - 1) and uses it to index those
arrays without validating the range. If the packet contains a
negative or out-of-range channel number, the driver may write past
the end of these arrays.
Introduce a local channel variable and validate it before updating the
arrays. We reject negative indices, limit meter_level[] and
comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]
updates with ARRAY_SIZE(master_level).
Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
Closes: https://lore.kernel.org/tencent_21C112743C44C1A2517FF219@qq.com
Signed-off-by: Shipei Qu <qu@darknavy.com>
Link: https://patch.msgid.link/20251217024630.59576-1-qu@darknavy.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_us16x08.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c
index 20ac32635f1f..d05cb54de788 100644
--- a/sound/usb/mixer_us16x08.c
+++ b/sound/usb/mixer_us16x08.c
@@ -656,17 +656,25 @@ static void get_meter_levels_from_urb(int s,
u8 *meter_urb)
{
int val = MUC2(meter_urb, s) + (MUC3(meter_urb, s) << 8);
+ int ch = MUB2(meter_urb, s) - 1;
+
+ if (ch < 0)
+ return;
if (MUA0(meter_urb, s) == 0x61 && MUA1(meter_urb, s) == 0x02 &&
MUA2(meter_urb, s) == 0x04 && MUB0(meter_urb, s) == 0x62) {
- if (MUC0(meter_urb, s) == 0x72)
- store->meter_level[MUB2(meter_urb, s) - 1] = val;
- if (MUC0(meter_urb, s) == 0xb2)
- store->comp_level[MUB2(meter_urb, s) - 1] = val;
+ if (ch < SND_US16X08_MAX_CHANNELS) {
+ if (MUC0(meter_urb, s) == 0x72)
+ store->meter_level[ch] = val;
+ if (MUC0(meter_urb, s) == 0xb2)
+ store->comp_level[ch] = val;
+ }
}
if (MUA0(meter_urb, s) == 0x61 && MUA1(meter_urb, s) == 0x02 &&
- MUA2(meter_urb, s) == 0x02 && MUB0(meter_urb, s) == 0x62)
- store->master_level[MUB2(meter_urb, s) - 1] = val;
+ MUA2(meter_urb, s) == 0x02 && MUB0(meter_urb, s) == 0x62) {
+ if (ch < ARRAY_SIZE(store->master_level))
+ store->master_level[ch] = val;
+ }
}
/* Function to retrieve current meter values from the device.
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 385/737] ipmi: Fix the race between __scan_channels() and deliver_response()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 384/737] ALSA: usb-mixer: us16x08: validate meter packet indices Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 386/737] ipmi: Fix __scan_channels() failing to rescan channels Greg Kroah-Hartman
` (362 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Corey Minyard,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
[ Upstream commit 936750fdba4c45e13bbd17f261bb140dd55f5e93 ]
The race window between __scan_channels() and deliver_response() causes
the parameters of some channels to be set to 0.
1.[CPUA] __scan_channels() issues an IPMI request and waits with
wait_event() until all channels have been scanned.
wait_event() internally calls might_sleep(), which might
yield the CPU. (Moreover, an interrupt can preempt
wait_event() and force the task to yield the CPU.)
2.[CPUB] deliver_response() is invoked when the CPU receives the
IPMI response. After processing a IPMI response,
deliver_response() directly assigns intf->wchannels to
intf->channel_list and sets intf->channels_ready to true.
However, not all channels are actually ready for use.
3.[CPUA] Since intf->channels_ready is already true, wait_event()
never enters __wait_event(). __scan_channels() immediately
clears intf->null_user_handler and exits.
4.[CPUB] Once intf->null_user_handler is set to NULL, deliver_response()
ignores further IPMI responses, leaving the remaining
channels zero-initialized and unusable.
CPUA CPUB
------------------------------- -----------------------------
__scan_channels()
intf->null_user_handler
= channel_handler;
send_channel_info_cmd(intf,
0);
wait_event(intf->waitq,
intf->channels_ready);
do {
might_sleep();
deliver_response()
channel_handler()
intf->channel_list =
intf->wchannels + set;
intf->channels_ready = true;
send_channel_info_cmd(intf,
intf->curr_channel);
if (condition)
break;
__wait_event(wq_head,
condition);
} while(0)
intf->null_user_handler
= NULL;
deliver_response()
if (!msg->user)
if (intf->null_user_handler)
rv = -EINVAL;
return rv;
------------------------------- -----------------------------
Fix the race between __scan_channels() and deliver_response() by
deferring both the assignment intf->channel_list = intf->wchannels
and the flag intf->channels_ready = true until all channels have
been successfully scanned or until the IPMI request has failed.
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Message-ID: <20250930074239.2353-2-guojinhui.liam@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index b7d8bf202ed2..4619ee5c744c 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -3414,8 +3414,6 @@ channel_handler(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
intf->channels_ready = true;
wake_up(&intf->waitq);
} else {
- intf->channel_list = intf->wchannels + set;
- intf->channels_ready = true;
rv = send_channel_info_cmd(intf, intf->curr_channel);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 386/737] ipmi: Fix __scan_channels() failing to rescan channels
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 385/737] ipmi: Fix the race between __scan_channels() and deliver_response() Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 387/737] firmware: imx: scu-irq: Init workqueue before request mbox channel Greg Kroah-Hartman
` (361 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Corey Minyard,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
[ Upstream commit 6bd30d8fc523fb880b4be548e8501bc0fe8f42d4 ]
channel_handler() sets intf->channels_ready to true but never
clears it, so __scan_channels() skips any rescan. When the BMC
firmware changes a rescan is required. Allow it by clearing
the flag before starting a new scan.
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Message-ID: <20250930074239.2353-3-guojinhui.liam@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 4619ee5c744c..fc5f9d757b94 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -613,7 +613,8 @@ static void __ipmi_bmc_unregister(struct ipmi_smi *intf);
static int __ipmi_bmc_register(struct ipmi_smi *intf,
struct ipmi_device_id *id,
bool guid_set, guid_t *guid, int intf_num);
-static int __scan_channels(struct ipmi_smi *intf, struct ipmi_device_id *id);
+static int __scan_channels(struct ipmi_smi *intf,
+ struct ipmi_device_id *id, bool rescan);
/*
@@ -2665,7 +2666,7 @@ static int __bmc_get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc,
if (__ipmi_bmc_register(intf, &id, guid_set, &guid, intf_num))
need_waiter(intf); /* Retry later on an error. */
else
- __scan_channels(intf, &id);
+ __scan_channels(intf, &id, false);
if (!intf_set) {
@@ -2685,7 +2686,7 @@ static int __bmc_get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc,
goto out_noprocessing;
} else if (memcmp(&bmc->fetch_id, &bmc->id, sizeof(bmc->id)))
/* Version info changes, scan the channels again. */
- __scan_channels(intf, &bmc->fetch_id);
+ __scan_channels(intf, &bmc->fetch_id, true);
bmc->dyn_id_expiry = jiffies + IPMI_DYN_DEV_ID_EXPIRY;
@@ -3435,10 +3436,17 @@ channel_handler(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
/*
* Must be holding intf->bmc_reg_mutex to call this.
*/
-static int __scan_channels(struct ipmi_smi *intf, struct ipmi_device_id *id)
+static int __scan_channels(struct ipmi_smi *intf,
+ struct ipmi_device_id *id,
+ bool rescan)
{
int rv;
+ if (rescan) {
+ /* Clear channels_ready to force channels rescan. */
+ intf->channels_ready = false;
+ }
+
if (ipmi_version_major(id) > 1
|| (ipmi_version_major(id) == 1
&& ipmi_version_minor(id) >= 5)) {
@@ -3641,7 +3649,7 @@ int ipmi_add_smi(struct module *owner,
}
mutex_lock(&intf->bmc_reg_mutex);
- rv = __scan_channels(intf, &id);
+ rv = __scan_channels(intf, &id, false);
mutex_unlock(&intf->bmc_reg_mutex);
if (rv)
goto out_err_bmc_reg;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 387/737] firmware: imx: scu-irq: Init workqueue before request mbox channel
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 386/737] ipmi: Fix __scan_channels() failing to rescan channels Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 388/737] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Greg Kroah-Hartman
` (360 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Peng Fan, Shawn Guo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 81fb53feb66a3aefbf6fcab73bb8d06f5b0c54ad ]
With mailbox channel requested, there is possibility that interrupts may
come in, so need to make sure the workqueue is initialized before
the queue is scheduled by mailbox rx callback.
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/imx/imx-scu-irq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/imx/imx-scu-irq.c b/drivers/firmware/imx/imx-scu-irq.c
index f2b902e95b73..b9f6128d56f7 100644
--- a/drivers/firmware/imx/imx-scu-irq.c
+++ b/drivers/firmware/imx/imx-scu-irq.c
@@ -214,6 +214,8 @@ int imx_scu_enable_general_irq_channel(struct device *dev)
cl->dev = dev;
cl->rx_callback = imx_scu_irq_callback;
+ INIT_WORK(&imx_sc_irq_work, imx_scu_irq_work_handler);
+
/* SCU general IRQ uses general interrupt channel 3 */
ch = mbox_request_channel_byname(cl, "gip3");
if (IS_ERR(ch)) {
@@ -223,8 +225,6 @@ int imx_scu_enable_general_irq_channel(struct device *dev)
return ret;
}
- INIT_WORK(&imx_sc_irq_work, imx_scu_irq_work_handler);
-
if (!of_parse_phandle_with_args(dev->of_node, "mboxes",
"#mbox-cells", 0, &spec)) {
i = of_alias_get_id(spec.np, "mu");
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 388/737] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 387/737] firmware: imx: scu-irq: Init workqueue before request mbox channel Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 389/737] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Greg Kroah-Hartman
` (359 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthias Schiffer, Alexander Stein,
Kevin Hilman, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Schiffer <matthias.schiffer@tq-group.com>
[ Upstream commit 3f61783920504b2cf99330b372d82914bb004d8e ]
am33xx.dtsi has the same clock setup as am35xx.dtsi, setting
ti,no-reset-on-init and ti,no-idle on timer1_target and timer2_target,
so AM33 needs the same workaround as AM35 to avoid ti-sysc probe
failing on certain target modules.
Signed-off-by: Matthias Schiffer <matthias.schiffer@tq-group.com>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Link: https://lore.kernel.org/r/20250825131114.2206804-1-alexander.stein@ew.tq-group.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/ti-sysc.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
index 46d7410f6f0f..b6a7d0d3f153 100644
--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -37,6 +37,7 @@ enum sysc_soc {
SOC_UNKNOWN,
SOC_2420,
SOC_2430,
+ SOC_AM33,
SOC_3430,
SOC_AM35,
SOC_3630,
@@ -2996,6 +2997,7 @@ static void ti_sysc_idle(struct work_struct *work)
static const struct soc_device_attribute sysc_soc_match[] = {
SOC_FLAG("OMAP242*", SOC_2420),
SOC_FLAG("OMAP243*", SOC_2430),
+ SOC_FLAG("AM33*", SOC_AM33),
SOC_FLAG("AM35*", SOC_AM35),
SOC_FLAG("OMAP3[45]*", SOC_3430),
SOC_FLAG("OMAP3[67]*", SOC_3630),
@@ -3201,10 +3203,15 @@ static int sysc_check_active_timer(struct sysc *ddata)
* can be dropped if we stop supporting old beagleboard revisions
* A to B4 at some point.
*/
- if (sysc_soc->soc == SOC_3430 || sysc_soc->soc == SOC_AM35)
+ switch (sysc_soc->soc) {
+ case SOC_AM33:
+ case SOC_3430:
+ case SOC_AM35:
error = -ENXIO;
- else
+ break;
+ default:
error = -EBUSY;
+ }
if ((ddata->cfg.quirks & SYSC_QUIRK_NO_RESET_ON_INIT) &&
(ddata->cfg.quirks & SYSC_QUIRK_NO_IDLE))
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 389/737] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 388/737] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 390/737] powerpc/addnote: Fix overflow on 32-bit builds Greg Kroah-Hartman
` (358 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josua Mayer, Andrew Lunn,
Gregory CLEMENT, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit f0e6bc0c3ef4b4afb299bd6912586cafd5d864e9 ]
CP110 based platforms rely on the bootloader for pci port
initialization.
TF-A actively prevents non-uboot re-configuration of pci lanes, and many
boards do not have software control over the pci card reset.
If a pci port had link at boot-time and the clock is stopped at a later
point, the link fails and can not be recovered.
PCI controller driver probe - and by extension ownership of a driver for
the pci clocks - may be delayed especially on large modular kernels,
causing the clock core to start disabling unused clocks.
Add the CLK_IGNORE_UNUSED flag to the three pci port's clocks to ensure
they are not stopped before the pci controller driver has taken
ownership and tested for an existing link.
This fixes failed pci link detection when controller driver probes late,
e.g. with arm64 defconfig and CONFIG_PHY_MVEBU_CP110_COMPHY=m.
Closes: https://lore.kernel.org/r/b71596c7-461b-44b6-89ab-3cfbd492639f@solid-run.com
Signed-off-by: Josua Mayer <josua@solid-run.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/mvebu/cp110-system-controller.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/drivers/clk/mvebu/cp110-system-controller.c b/drivers/clk/mvebu/cp110-system-controller.c
index 03c59bf22106..b47c86906046 100644
--- a/drivers/clk/mvebu/cp110-system-controller.c
+++ b/drivers/clk/mvebu/cp110-system-controller.c
@@ -110,6 +110,25 @@ static const char * const gate_base_names[] = {
[CP110_GATE_EIP197] = "eip197"
};
+static unsigned long gate_flags(const u8 bit_idx)
+{
+ switch (bit_idx) {
+ case CP110_GATE_PCIE_X1_0:
+ case CP110_GATE_PCIE_X1_1:
+ case CP110_GATE_PCIE_X4:
+ /*
+ * If a port had an active link at boot time, stopping
+ * the clock creates a failed state from which controller
+ * driver can not recover.
+ * Prevent stopping this clock till after a driver has taken
+ * ownership.
+ */
+ return CLK_IGNORE_UNUSED;
+ default:
+ return 0;
+ }
+};
+
struct cp110_gate_clk {
struct clk_hw hw;
struct regmap *regmap;
@@ -171,6 +190,7 @@ static struct clk_hw *cp110_register_gate(const char *name,
init.ops = &cp110_gate_ops;
init.parent_names = &parent_name;
init.num_parents = 1;
+ init.flags = gate_flags(bit_idx);
gate->regmap = regmap;
gate->bit_idx = bit_idx;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 390/737] powerpc/addnote: Fix overflow on 32-bit builds
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 389/737] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 391/737] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Greg Kroah-Hartman
` (357 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Collins, Christophe Leroy,
Madhavan Srinivasan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Collins <bcollins@kernel.org>
[ Upstream commit 825ce89a3ef17f84cf2c0eacfa6b8dc9fd11d13f ]
The PUT_64[LB]E() macros need to cast the value to unsigned long long
like the GET_64[LB]E() macros. Caused lots of warnings when compiled
on 32-bit, and clobbered addresses (36-bit P4080).
Signed-off-by: Ben Collins <bcollins@kernel.org>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/2025042122-mustard-wrasse-694572@boujee-and-buff
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/boot/addnote.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/boot/addnote.c b/arch/powerpc/boot/addnote.c
index 53b3b2621457..78704927453a 100644
--- a/arch/powerpc/boot/addnote.c
+++ b/arch/powerpc/boot/addnote.c
@@ -68,8 +68,8 @@ static int e_class = ELFCLASS32;
#define PUT_16BE(off, v)(buf[off] = ((v) >> 8) & 0xff, \
buf[(off) + 1] = (v) & 0xff)
#define PUT_32BE(off, v)(PUT_16BE((off), (v) >> 16L), PUT_16BE((off) + 2, (v)))
-#define PUT_64BE(off, v)((PUT_32BE((off), (v) >> 32L), \
- PUT_32BE((off) + 4, (v))))
+#define PUT_64BE(off, v)((PUT_32BE((off), (unsigned long long)(v) >> 32L), \
+ PUT_32BE((off) + 4, (unsigned long long)(v))))
#define GET_16LE(off) ((buf[off]) + (buf[(off)+1] << 8))
#define GET_32LE(off) (GET_16LE(off) + (GET_16LE((off)+2U) << 16U))
@@ -78,7 +78,8 @@ static int e_class = ELFCLASS32;
#define PUT_16LE(off, v) (buf[off] = (v) & 0xff, \
buf[(off) + 1] = ((v) >> 8) & 0xff)
#define PUT_32LE(off, v) (PUT_16LE((off), (v)), PUT_16LE((off) + 2, (v) >> 16L))
-#define PUT_64LE(off, v) (PUT_32LE((off), (v)), PUT_32LE((off) + 4, (v) >> 32L))
+#define PUT_64LE(off, v) (PUT_32LE((off), (unsigned long long)(v)), \
+ PUT_32LE((off) + 4, (unsigned long long)(v) >> 32L))
#define GET_16(off) (e_data == ELFDATA2MSB ? GET_16BE(off) : GET_16LE(off))
#define GET_32(off) (e_data == ELFDATA2MSB ? GET_32BE(off) : GET_32LE(off))
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 391/737] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 390/737] powerpc/addnote: Fix overflow on 32-bit builds Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 392/737] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Greg Kroah-Hartman
` (356 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
[ Upstream commit 4f6aaade2a22ac428fa99ed716cf2b87e79c9837 ]
When qla2xxx is loaded with qlini_mode=disabled,
ha->flags.disable_msix_handshake is used before it is set, resulting in
the wrong interrupt handler being used on certain HBAs
(qla2xxx_msix_rsp_q_hs() is used when qla2xxx_msix_rsp_q() should be
used). The only difference between these two interrupt handlers is that
the _hs() version writes to a register to clear the "RISC" interrupt,
whereas the other version does not. So this bug results in the RISC
interrupt being cleared when it should not be. This occasionally causes
a different interrupt handler qla24xx_msix_default() for a different
vector to see ((stat & HSRX_RISC_INT) == 0) and ignore its interrupt,
which then causes problems like:
qla2xxx [0000:02:00.0]-d04c:6: MBX Command timeout for cmd 20,
iocontrol=8 jiffies=1090c0300 mb[0-3]=[0x4000 0x0 0x40 0xda] mb7 0x500
host_status 0x40000010 hccr 0x3f00
qla2xxx [0000:02:00.0]-101e:6: Mailbox cmd timeout occurred, cmd=0x20,
mb[0]=0x20. Scheduling ISP abort
(the cmd varies; sometimes it is 0x20, 0x22, 0x54, 0x5a, 0x5d, or 0x6a)
This problem can be reproduced with a 16 or 32 Gbps HBA by loading
qla2xxx with qlini_mode=disabled and running a high IOPS test while
triggering frequent RSCN database change events.
While analyzing the problem I discovered that even with
disable_msix_handshake forced to 0, it is not necessary to clear the
RISC interrupt from qla2xxx_msix_rsp_q_hs() (more below). So just
completely remove qla2xxx_msix_rsp_q_hs() and the logic for selecting
it, which also fixes the bug with qlini_mode=disabled.
The test below describes the justification for not needing
qla2xxx_msix_rsp_q_hs():
Force disable_msix_handshake to 0:
qla24xx_config_rings():
if (0 && (ha->fw_attributes & BIT_6) && (IS_MSIX_NACK_CAPABLE(ha)) &&
(ha->flags.msix_enabled)) {
In qla24xx_msix_rsp_q() and qla2xxx_msix_rsp_q_hs(), check:
(rd_reg_dword(®->host_status) & HSRX_RISC_INT)
Count the number of calls to each function with HSRX_RISC_INT set and
the number with HSRX_RISC_INT not set while performing some I/O.
If qla2xxx_msix_rsp_q_hs() clears the RISC interrupt (original code):
qla24xx_msix_rsp_q: 50% of calls have HSRX_RISC_INT set
qla2xxx_msix_rsp_q_hs: 5% of calls have HSRX_RISC_INT set
(# of qla2xxx_msix_rsp_q_hs interrupts) =
(# of qla24xx_msix_rsp_q interrupts) * 3
If qla2xxx_msix_rsp_q_hs() does not clear the RISC interrupt (patched
code):
qla24xx_msix_rsp_q: 100% of calls have HSRX_RISC_INT set
qla2xxx_msix_rsp_q_hs: 9% of calls have HSRX_RISC_INT set
(# of qla2xxx_msix_rsp_q_hs interrupts) =
(# of qla24xx_msix_rsp_q interrupts) * 3
In the case of the original code, qla24xx_msix_rsp_q() was seeing
HSRX_RISC_INT set only 50% of the time because qla2xxx_msix_rsp_q_hs()
was clearing it when it shouldn't have been. In the patched code,
qla24xx_msix_rsp_q() sees HSRX_RISC_INT set 100% of the time, which
makes sense if that interrupt handler needs to clear the RISC interrupt
(which it does). qla2xxx_msix_rsp_q_hs() sees HSRX_RISC_INT only 9% of
the time, which is just overlap from the other interrupt during the
high IOPS test.
Tested with SCST on:
QLE2742 FW:v9.08.02 (32 Gbps 2-port)
QLE2694L FW:v9.10.11 (16 Gbps 4-port)
QLE2694L FW:v9.08.02 (16 Gbps 4-port)
QLE2672 FW:v8.07.12 (16 Gbps 2-port)
both initiator and target mode
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/56d378eb-14ad-49c7-bae9-c649b6c7691e@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_def.h | 1 -
drivers/scsi/qla2xxx/qla_gbl.h | 2 +-
drivers/scsi/qla2xxx/qla_isr.c | 32 +++-----------------------------
drivers/scsi/qla2xxx/qla_mid.c | 4 +---
4 files changed, 5 insertions(+), 34 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index 78a10d4979e9..4f7248643335 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -3504,7 +3504,6 @@ struct isp_operations {
#define QLA_MSIX_RSP_Q 0x01
#define QLA_ATIO_VECTOR 0x02
#define QLA_MSIX_QPAIR_MULTIQ_RSP_Q 0x03
-#define QLA_MSIX_QPAIR_MULTIQ_RSP_Q_HS 0x04
#define QLA_MIDX_DEFAULT 0
#define QLA_MIDX_RSP_Q 1
diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
index e556f57c91af..59f448e2e319 100644
--- a/drivers/scsi/qla2xxx/qla_gbl.h
+++ b/drivers/scsi/qla2xxx/qla_gbl.h
@@ -768,7 +768,7 @@ extern int qla2x00_dfs_remove(scsi_qla_host_t *);
/* Globa function prototypes for multi-q */
extern int qla25xx_request_irq(struct qla_hw_data *, struct qla_qpair *,
- struct qla_msix_entry *, int);
+ struct qla_msix_entry *);
extern int qla25xx_init_req_que(struct scsi_qla_host *, struct req_que *);
extern int qla25xx_init_rsp_que(struct scsi_qla_host *, struct rsp_que *);
extern int qla25xx_create_req_que(struct qla_hw_data *, uint16_t, uint8_t,
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index d48007e18288..a85d3a40ee49 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -4473,32 +4473,6 @@ qla2xxx_msix_rsp_q(int irq, void *dev_id)
return IRQ_HANDLED;
}
-irqreturn_t
-qla2xxx_msix_rsp_q_hs(int irq, void *dev_id)
-{
- struct qla_hw_data *ha;
- struct qla_qpair *qpair;
- struct device_reg_24xx __iomem *reg;
- unsigned long flags;
-
- qpair = dev_id;
- if (!qpair) {
- ql_log(ql_log_info, NULL, 0x505b,
- "%s: NULL response queue pointer.\n", __func__);
- return IRQ_NONE;
- }
- ha = qpair->hw;
-
- reg = &ha->iobase->isp24;
- spin_lock_irqsave(&ha->hardware_lock, flags);
- wrt_reg_dword(®->hccr, HCCRX_CLR_RISC_INT);
- spin_unlock_irqrestore(&ha->hardware_lock, flags);
-
- queue_work(ha->wq, &qpair->q_work);
-
- return IRQ_HANDLED;
-}
-
/* Interrupt handling helpers. */
struct qla_init_msix_entry {
@@ -4511,7 +4485,6 @@ static const struct qla_init_msix_entry msix_entries[] = {
{ "rsp_q", qla24xx_msix_rsp_q },
{ "atio_q", qla83xx_msix_atio_q },
{ "qpair_multiq", qla2xxx_msix_rsp_q },
- { "qpair_multiq_hs", qla2xxx_msix_rsp_q_hs },
};
static const struct qla_init_msix_entry qla82xx_msix_entries[] = {
@@ -4798,9 +4771,10 @@ qla2x00_free_irqs(scsi_qla_host_t *vha)
}
int qla25xx_request_irq(struct qla_hw_data *ha, struct qla_qpair *qpair,
- struct qla_msix_entry *msix, int vector_type)
+ struct qla_msix_entry *msix)
{
- const struct qla_init_msix_entry *intr = &msix_entries[vector_type];
+ const struct qla_init_msix_entry *intr =
+ &msix_entries[QLA_MSIX_QPAIR_MULTIQ_RSP_Q];
scsi_qla_host_t *vha = pci_get_drvdata(ha->pdev);
int ret;
diff --git a/drivers/scsi/qla2xxx/qla_mid.c b/drivers/scsi/qla2xxx/qla_mid.c
index 79879c4743e6..9946899dd83b 100644
--- a/drivers/scsi/qla2xxx/qla_mid.c
+++ b/drivers/scsi/qla2xxx/qla_mid.c
@@ -899,9 +899,7 @@ qla25xx_create_rsp_que(struct qla_hw_data *ha, uint16_t options,
rsp->options, rsp->id, rsp->rsp_q_in,
rsp->rsp_q_out);
- ret = qla25xx_request_irq(ha, qpair, qpair->msix,
- ha->flags.disable_msix_handshake ?
- QLA_MSIX_QPAIR_MULTIQ_RSP_Q : QLA_MSIX_QPAIR_MULTIQ_RSP_Q_HS);
+ ret = qla25xx_request_irq(ha, qpair, qpair->msix);
if (ret)
goto que_failed;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 392/737] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 391/737] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 393/737] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Greg Kroah-Hartman
` (355 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
[ Upstream commit 8f58fc64d559b5fda1b0a5e2a71422be61e79ab9 ]
When given the module parameter qlini_mode=exclusive, qla2xxx in
initiator mode is initially unable to successfully send SCSI commands to
devices it finds while scanning, resulting in an escalating series of
resets until an adapter reset clears the issue. Fix by checking the
active mode instead of the module parameter.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/1715ec14-ba9a-45dc-9cf2-d41aa6b81b5e@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_os.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 0a3a5af67f0a..4c7cf581bc86 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3459,13 +3459,7 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
ha->mqenable = 0;
if (ha->mqenable) {
- bool startit = false;
-
- if (QLA_TGT_MODE_ENABLED())
- startit = false;
-
- if (ql2x_ini_mode == QLA2XXX_INI_MODE_ENABLED)
- startit = true;
+ bool startit = !!(host->active_mode & MODE_INITIATOR);
/* Create start of day qpairs for Block MQ */
for (i = 0; i < ha->max_qpairs; i++)
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 393/737] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 392/737] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 394/737] fuse: Always flush the page cache before FOPEN_DIRECT_IO write Greg Kroah-Hartman
` (354 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
[ Upstream commit 957aa5974989fba4ae4f807ebcb27f12796edd4d ]
If a mailbox command completes immediately after
wait_for_completion_timeout() times out, ha->mbx_intr_comp could be left
in an inconsistent state, causing the next mailbox command not to wait
for the hardware. Fix by reinitializing the completion before use.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/11b6485e-0bfd-4784-8f99-c06a196dad94@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_mbx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
index 13b6cb1b93ac..41435e98092a 100644
--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -253,6 +253,7 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
/* Issue set host interrupt command to send cmd out. */
ha->flags.mbox_int = 0;
clear_bit(MBX_INTERRUPT, &ha->mbx_cmd_flags);
+ reinit_completion(&ha->mbx_intr_comp);
/* Unlock mbx registers and wait for interrupt */
ql_dbg(ql_dbg_mbx, vha, 0x100f,
@@ -279,6 +280,7 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
"cmd=%x Timeout.\n", command);
spin_lock_irqsave(&ha->hardware_lock, flags);
clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags);
+ reinit_completion(&ha->mbx_intr_comp);
spin_unlock_irqrestore(&ha->hardware_lock, flags);
if (chip_reset != ha->chip_reset) {
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 394/737] fuse: Always flush the page cache before FOPEN_DIRECT_IO write
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 393/737] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 395/737] fuse: Invalidate the page cache after " Greg Kroah-Hartman
` (353 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bernd Schubert, Miklos Szeredi,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Schubert <bschubert@ddn.com>
[ Upstream commit 1ce120dcefc056ce8af2486cebbb77a458aad4c3 ]
This was done as condition on direct_io_allow_mmap, but I believe
this is not right, as a file might be open two times - once with
write-back enabled another time with FOPEN_DIRECT_IO.
Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 2055af1ffaf3..1dd9ef5398d7 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1463,7 +1463,7 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
if (!ia)
return -ENOMEM;
- if (fopen_direct_io && fc->direct_io_allow_mmap) {
+ if (fopen_direct_io) {
res = filemap_write_and_wait_range(mapping, pos, pos + count - 1);
if (res) {
fuse_io_free(ia);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 395/737] fuse: Invalidate the page cache after FOPEN_DIRECT_IO write
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 394/737] fuse: Always flush the page cache before FOPEN_DIRECT_IO write Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 396/737] via_wdt: fix critical boot hang due to unnamed resource allocation Greg Kroah-Hartman
` (352 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bernd Schubert, Miklos Szeredi,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernd Schubert <bschubert@ddn.com>
[ Upstream commit b359af8275a982a458e8df6c6beab1415be1f795 ]
generic_file_direct_write() also does this and has a large
comment about.
Reproducer here is xfstest's generic/209, which is exactly to
have competing DIO write and cached IO read.
Signed-off-by: Bernd Schubert <bschubert@ddn.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/file.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 1dd9ef5398d7..ae62f47ef004 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1537,6 +1537,15 @@ ssize_t fuse_direct_io(struct fuse_io_priv *io, struct iov_iter *iter,
if (res > 0)
*ppos = pos;
+ if (res > 0 && write && fopen_direct_io) {
+ /*
+ * As in generic_file_direct_write(), invalidate after the
+ * write, to invalidate read-ahead cache that may have competed
+ * with the write.
+ */
+ invalidate_inode_pages2_range(mapping, idx_from, idx_to);
+ }
+
return res > 0 ? res : err;
}
EXPORT_SYMBOL_GPL(fuse_direct_io);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 396/737] via_wdt: fix critical boot hang due to unnamed resource allocation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 395/737] fuse: Invalidate the page cache after " Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 397/737] reset: fix BIT macro reference Greg Kroah-Hartman
` (351 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Qiang, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Qiang <liqiang01@kylinos.cn>
[ Upstream commit 7aa31ee9ec92915926e74731378c009c9cc04928 ]
The VIA watchdog driver uses allocate_resource() to reserve a MMIO
region for the watchdog control register. However, the allocated
resource was not given a name, which causes the kernel resource tree
to contain an entry marked as "<BAD>" under /proc/iomem on x86
platforms.
During boot, this unnamed resource can lead to a critical hang because
subsequent resource lookups and conflict checks fail to handle the
invalid entry properly.
Signed-off-by: Li Qiang <liqiang01@kylinos.cn>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/via_wdt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/watchdog/via_wdt.c b/drivers/watchdog/via_wdt.c
index eeb39f96e72e..c1ed3ce153cf 100644
--- a/drivers/watchdog/via_wdt.c
+++ b/drivers/watchdog/via_wdt.c
@@ -165,6 +165,7 @@ static int wdt_probe(struct pci_dev *pdev,
dev_err(&pdev->dev, "cannot enable PCI device\n");
return -ENODEV;
}
+ wdt_res.name = "via_wdt";
/*
* Allocate a MMIO region which contains watchdog control register
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 397/737] reset: fix BIT macro reference
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 396/737] via_wdt: fix critical boot hang due to unnamed resource allocation Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 398/737] exfat: fix remount failure in different process environments Greg Kroah-Hartman
` (350 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Troy Mitchell, Philipp Zabel,
Encrow Thorne, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Encrow Thorne <jyc0019@gmail.com>
[ Upstream commit f3d8b64ee46c9b4b0b82b1a4642027728bac95b8 ]
RESET_CONTROL_FLAGS_BIT_* macros use BIT(), but reset.h does not
include bits.h. This causes compilation errors when including
reset.h standalone.
Include bits.h to make reset.h self-contained.
Suggested-by: Troy Mitchell <troy.mitchell@linux.dev>
Reviewed-by: Troy Mitchell <troy.mitchell@linux.dev>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Encrow Thorne <jyc0019@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/reset.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/reset.h b/include/linux/reset.h
index 514ddf003efc..4b31d683776e 100644
--- a/include/linux/reset.h
+++ b/include/linux/reset.h
@@ -2,6 +2,7 @@
#ifndef _LINUX_RESET_H_
#define _LINUX_RESET_H_
+#include <linux/bits.h>
#include <linux/err.h>
#include <linux/errno.h>
#include <linux/types.h>
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 398/737] exfat: fix remount failure in different process environments
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 397/737] reset: fix BIT macro reference Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 399/737] usbip: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
` (349 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Yuezhang Mo,
Namjae Jeon, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
[ Upstream commit 51fc7b4ce10ccab8ea5e4876bcdc42cf5202a0ef ]
The kernel test robot reported that the exFAT remount operation
failed. The reason for the failure was that the process's umask
is different between mount and remount, causing fs_fmask and
fs_dmask are changed.
Potentially, both gid and uid may also be changed. Therefore, when
initializing fs_context for remount, inherit these mount options
from the options used during mount.
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202511251637.81670f5c-lkp@intel.com
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/exfat/super.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/fs/exfat/super.c b/fs/exfat/super.c
index 957135f20cb6..da3e03b059cf 100644
--- a/fs/exfat/super.c
+++ b/fs/exfat/super.c
@@ -764,10 +764,21 @@ static int exfat_init_fs_context(struct fs_context *fc)
ratelimit_state_init(&sbi->ratelimit, DEFAULT_RATELIMIT_INTERVAL,
DEFAULT_RATELIMIT_BURST);
- sbi->options.fs_uid = current_uid();
- sbi->options.fs_gid = current_gid();
- sbi->options.fs_fmask = current->fs->umask;
- sbi->options.fs_dmask = current->fs->umask;
+ if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE && fc->root) {
+ struct super_block *sb = fc->root->d_sb;
+ struct exfat_mount_options *cur_opts = &EXFAT_SB(sb)->options;
+
+ sbi->options.fs_uid = cur_opts->fs_uid;
+ sbi->options.fs_gid = cur_opts->fs_gid;
+ sbi->options.fs_fmask = cur_opts->fs_fmask;
+ sbi->options.fs_dmask = cur_opts->fs_dmask;
+ } else {
+ sbi->options.fs_uid = current_uid();
+ sbi->options.fs_gid = current_gid();
+ sbi->options.fs_fmask = current->fs->umask;
+ sbi->options.fs_dmask = current->fs->umask;
+ }
+
sbi->options.allow_utime = -1;
sbi->options.iocharset = exfat_default_iocharset;
sbi->options.errors = EXFAT_ERRORS_RO;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 399/737] usbip: Fix locking bug in RT-enabled kernels
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 398/737] exfat: fix remount failure in different process environments Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 400/737] usb: typec: ucsi: Handle incorrect num_connectors capability Greg Kroah-Hartman
` (348 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+205ef33a3b636b4181fb,
Lizhi Xu, Shuah Khan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
[ Upstream commit 09bf21bf5249880f62fe759b53b14b4b52900c6c ]
Interrupts are disabled before entering usb_hcd_giveback_urb().
A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be
acquired with disabled interrupts.
Save the interrupt status and restore it after usb_hcd_giveback_urb().
syz reported:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
rt_spin_lock+0xc7/0x2c0 kernel/locking/spinlock_rt.c:57
spin_lock include/linux/spinlock_rt.h:44 [inline]
mon_bus_complete drivers/usb/mon/mon_main.c:134 [inline]
mon_complete+0x5c/0x200 drivers/usb/mon/mon_main.c:147
usbmon_urb_complete include/linux/usb/hcd.h:738 [inline]
__usb_hcd_giveback_urb+0x254/0x5e0 drivers/usb/core/hcd.c:1647
vhci_urb_enqueue+0xb4f/0xe70 drivers/usb/usbip/vhci_hcd.c:818
Reported-by: syzbot+205ef33a3b636b4181fb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=205ef33a3b636b4181fb
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250916014143.1439759-1-lizhi.xu@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/usbip/vhci_hcd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index b22e0881bfaf..0bc4805cfa3e 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -830,15 +830,15 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
no_need_xmit:
usb_hcd_unlink_urb_from_ep(hcd, urb);
no_need_unlink:
- spin_unlock_irqrestore(&vhci->lock, flags);
if (!ret) {
/* usb_hcd_giveback_urb() should be called with
* irqs disabled
*/
- local_irq_disable();
+ spin_unlock(&vhci->lock);
usb_hcd_giveback_urb(hcd, urb, urb->status);
- local_irq_enable();
+ spin_lock(&vhci->lock);
}
+ spin_unlock_irqrestore(&vhci->lock, flags);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 400/737] usb: typec: ucsi: Handle incorrect num_connectors capability
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 399/737] usbip: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
@ 2026-01-09 11:38 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 401/737] iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains Greg Kroah-Hartman
` (347 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:38 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Pearson, Heikki Krogerus,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Pearson <mpearson-lenovo@squebb.ca>
[ Upstream commit 30cd2cb1abf4c4acdb1ddb468c946f68939819fb ]
The UCSI spec states that the num_connectors field is 7 bits, and the
8th bit is reserved and should be set to zero.
Some buggy FW has been known to set this bit, and it can lead to a
system not booting.
Flag that the FW is not behaving correctly, and auto-fix the value
so that the system boots correctly.
Found on Lenovo P1 G8 during Linux enablement program. The FW will
be fixed, but seemed worth addressing in case it hit platforms that
aren't officially Linux supported.
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250821185319.2585023-1-mpearson-lenovo@squebb.ca
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/ucsi/ucsi.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index e5c001ee0cd7..b88f4e179a7a 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1428,6 +1428,12 @@ static int ucsi_init(struct ucsi *ucsi)
ret = -ENODEV;
goto err_reset;
}
+ /* Check if reserved bit set. This is out of spec but happens in buggy FW */
+ if (ucsi->cap.num_connectors & 0x80) {
+ dev_warn(ucsi->dev, "UCSI: Invalid num_connectors %d. Likely buggy FW\n",
+ ucsi->cap.num_connectors);
+ ucsi->cap.num_connectors &= 0x7f; // clear bit and carry on
+ }
/* Allocate the connectors. Released in ucsi_unregister() */
connector = kcalloc(ucsi->cap.num_connectors + 1, sizeof(*connector), GFP_KERNEL);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 401/737] iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2026-01-09 11:38 ` [PATCH 6.6 400/737] usb: typec: ucsi: Handle incorrect num_connectors capability Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 402/737] usb: xhci: limit run_graceperiod for only usb 3.0 devices Greg Kroah-Hartman
` (346 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Pei Xiao,
Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit c9fb952360d0c78bbe98239bd6b702f05c2dbb31 ]
FIELD_PREP() checks that a value fits into the available bitfield, add a
check for step_avg to fix gcc complains.
which gcc complains about:
drivers/iio/adc/ti_am335x_adc.c: In function 'tiadc_step_config':
include/linux/compiler_types.h:572:38: error: call to
'__compiletime_assert_491' declared with attribute error: FIELD_PREP: value
too large for the field include/linux/mfd/ti_am335x_tscadc.h:58:29: note:
in expansion of macro 'FIELD_PREP'
#define STEPCONFIG_AVG(val) FIELD_PREP(GENMASK(4, 2), (val))
^~~~~~~~~~
drivers/iio/adc/ti_am335x_adc.c:127:17: note: in expansion of macro 'STEPCONFIG_AVG'
stepconfig = STEPCONFIG_AVG(ffs(adc_dev->step_avg[i]) - 1)
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202510102117.Jqxrw1vF-lkp@intel.com/
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/adc/ti_am335x_adc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/adc/ti_am335x_adc.c b/drivers/iio/adc/ti_am335x_adc.c
index 32f1f91e2720..9e009b035eb5 100644
--- a/drivers/iio/adc/ti_am335x_adc.c
+++ b/drivers/iio/adc/ti_am335x_adc.c
@@ -123,7 +123,7 @@ static void tiadc_step_config(struct iio_dev *indio_dev)
chan = adc_dev->channel_line[i];
- if (adc_dev->step_avg[i])
+ if (adc_dev->step_avg[i] && adc_dev->step_avg[i] <= STEPCONFIG_AVG_16)
stepconfig = STEPCONFIG_AVG(ffs(adc_dev->step_avg[i]) - 1) |
STEPCONFIG_FIFO1;
else
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 402/737] usb: xhci: limit run_graceperiod for only usb 3.0 devices
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 401/737] iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 403/737] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive Greg Kroah-Hartman
` (345 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hongyu Xie, Mathias Nyman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongyu Xie <xiehongyu1@kylinos.cn>
[ Upstream commit 8d34983720155b8f05de765f0183d9b0e1345cc0 ]
run_graceperiod blocks usb 2.0 devices from auto suspending after
xhci_start for 500ms.
Log shows:
[ 13.387170] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.387177] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.387182] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.387188] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.387191] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
[ 13.387193] hcd_bus_resume:2303: usb usb7: usb auto-resume
[ 13.387296] hub_event:5779: hub 3-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.393343] handle_port_status:2034: xhci-hcd PNP0D10:02: handle_port_status: starting usb5 port polling.
[ 13.393353] xhci_hub_control:1271: xhci-hcd PNP0D10:02: Get port status 5-1 read: 0x206e1, return 0x10101
[ 13.400047] hub_suspend:3903: hub 3-0:1.0: hub_suspend
[ 13.403077] hub_resume:3948: hub 7-0:1.0: hub_resume
[ 13.403080] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.403085] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.403087] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.403090] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.403093] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
[ 13.403095] hcd_bus_resume:2303: usb usb7: usb auto-resume
[ 13.405002] handle_port_status:1913: xhci-hcd PNP0D10:04: Port change event, 9-1, id 1, portsc: 0x6e1
[ 13.405016] hub_activate:1169: usb usb5-port1: status 0101 change 0001
[ 13.405026] xhci_clear_port_change_bit:658: xhci-hcd PNP0D10:02: clear port1 connect change, portsc: 0x6e1
[ 13.413275] hcd_bus_suspend:2250: usb usb3: bus auto-suspend, wakeup 1
[ 13.419081] hub_resume:3948: hub 7-0:1.0: hub_resume
[ 13.419086] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.419095] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.419100] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.419106] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.419110] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
[ 13.419112] hcd_bus_resume:2303: usb usb7: usb auto-resume
[ 13.420455] handle_port_status:2034: xhci-hcd PNP0D10:04: handle_port_status: starting usb9 port polling.
[ 13.420493] handle_port_status:1913: xhci-hcd PNP0D10:05: Port change event, 10-1, id 1, portsc: 0x6e1
[ 13.425332] hcd_bus_suspend:2279: usb usb3: suspend raced with wakeup event
[ 13.431931] handle_port_status:2034: xhci-hcd PNP0D10:05: handle_port_status: starting usb10 port polling.
[ 13.435080] hub_resume:3948: hub 7-0:1.0: hub_resume
[ 13.435084] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.435092] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.435096] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.435102] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.435106] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
usb7 and other usb 2.0 root hub were rapidly toggling between suspend
and resume states. More, "suspend raced with wakeup event" confuses people.
So, limit run_graceperiod for only usb 3.0 devices
Signed-off-by: Hongyu Xie <xiehongyu1@kylinos.cn>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20251119142417.2820519-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-hub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index d3d535ed00b5..61642c8d529f 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1669,7 +1669,7 @@ int xhci_hub_status_data(struct usb_hcd *hcd, char *buf)
* SS devices are only visible to roothub after link training completes.
* Keep polling roothubs for a grace period after xHC start
*/
- if (xhci->run_graceperiod) {
+ if (hcd->speed >= HCD_USB3 && xhci->run_graceperiod) {
if (time_before(jiffies, xhci->run_graceperiod))
status = 1;
else
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 403/737] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 402/737] usb: xhci: limit run_graceperiod for only usb 3.0 devices Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 404/737] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Greg Kroah-Hartman
` (344 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Changcheng, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Changcheng <chenchangcheng@kylinos.cn>
[ Upstream commit 955a48a5353f4fe009704a9a4272a3adf627cd35 ]
The optical drive of EL-R12 has the same vid and pid as INIC-3069,
as follows:
T: Bus=02 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0
D: Ver= 3.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=13fd ProdID=3940 Rev= 3.10
S: Manufacturer=HL-DT-ST
S: Product= DVD+-RW GT80N
S: SerialNumber=423349524E4E38303338323439202020
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=144mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=02 Prot=50 Driver=usb-storage
E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=0a(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
This will result in the optical drive device also adding
the quirks of US_FL_NO_ATA_1X. When performing an erase operation,
it will fail, and the reason for the failure is as follows:
[ 388.967742] sr 5:0:0:0: [sr0] tag#0 Send: scmd 0x00000000d20c33a7
[ 388.967742] sr 5:0:0:0: [sr0] tag#0 CDB: ATA command pass through(12)/Blank a1 11 00 00 00 00 00 00 00 00 00 00
[ 388.967773] sr 5:0:0:0: [sr0] tag#0 Done: SUCCESS Result: hostbyte=DID_TARGET_FAILURE driverbyte=DRIVER_OK cmd_age=0s
[ 388.967773] sr 5:0:0:0: [sr0] tag#0 CDB: ATA command pass through(12)/Blank a1 11 00 00 00 00 00 00 00 00 00 00
[ 388.967803] sr 5:0:0:0: [sr0] tag#0 Sense Key : Illegal Request [current]
[ 388.967803] sr 5:0:0:0: [sr0] tag#0 Add. Sense: Invalid field in cdb
[ 388.967803] sr 5:0:0:0: [sr0] tag#0 scsi host busy 1 failed 0
[ 388.967803] sr 5:0:0:0: Notifying upper driver of completion (result 8100002)
[ 388.967834] sr 5:0:0:0: [sr0] tag#0 0 sectors total, 0 bytes done.
For the EL-R12 standard optical drive, all operational commands
and usage scenarios were tested without adding the IGNORE_RESIDUE quirks,
and no issues were encountered. It can be reasonably concluded
that removing the IGNORE_RESIDUE quirks has no impact.
Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
Link: https://patch.msgid.link/20251121064020.29332-1-chenchangcheng@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/storage/unusual_uas.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
index 1477e31d7763..b695f5ba9a40 100644
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160,
US_FL_NO_ATA_1X),
/* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
-UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
+UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309,
"Initio Corporation",
"INIC-3069",
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 404/737] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 403/737] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 405/737] libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map Greg Kroah-Hartman
` (343 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wenhua Lin, Cixi Geng, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenhua Lin <Wenhua.Lin@unisoc.com>
[ Upstream commit 29e8a0c587e328ed458380a45d6028adf64d7487 ]
In sprd_clk_init(), when devm_clk_get() returns -EPROBE_DEFER
for either uart or source clock, we should propagate the
error instead of just warning and continuing with NULL clocks.
Currently the driver only emits a warning when clock acquisition
fails and proceeds with NULL clock pointers. This can lead to
issues later when the clocks are actually needed. More importantly,
when the clock provider is not ready yet and returns -EPROBE_DEFER,
we should return this error to allow deferred probing.
This change adds explicit checks for -EPROBE_DEFER after both:
1. devm_clk_get(uport->dev, uart)
2. devm_clk_get(uport->dev, source)
When -EPROBE_DEFER is encountered, the function now returns
-EPROBE_DEFER to let the driver framework retry probing
later when the clock dependencies are resolved.
Signed-off-by: Wenhua Lin <Wenhua.Lin@unisoc.com>
Link: https://patch.msgid.link/20251022030840.956589-1-Wenhua.Lin@unisoc.com
Reviewed-by: Cixi Geng <cixi.geng@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sprd_serial.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
index f328fa57231f..c6d2258d719b 100644
--- a/drivers/tty/serial/sprd_serial.c
+++ b/drivers/tty/serial/sprd_serial.c
@@ -1111,6 +1111,9 @@ static int sprd_clk_init(struct uart_port *uport)
clk_uart = devm_clk_get(uport->dev, "uart");
if (IS_ERR(clk_uart)) {
+ if (PTR_ERR(clk_uart) == -EPROBE_DEFER)
+ return -EPROBE_DEFER;
+
dev_warn(uport->dev, "uart%d can't get uart clock\n",
uport->line);
clk_uart = NULL;
@@ -1118,6 +1121,9 @@ static int sprd_clk_init(struct uart_port *uport)
clk_parent = devm_clk_get(uport->dev, "source");
if (IS_ERR(clk_parent)) {
+ if (PTR_ERR(clk_parent) == -EPROBE_DEFER)
+ return -EPROBE_DEFER;
+
dev_warn(uport->dev, "uart%d can't get source clock\n",
uport->line);
clk_parent = NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 405/737] libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 404/737] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 406/737] i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware Greg Kroah-Hartman
` (342 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Ian Rogers,
Thomas Richter, Namhyung Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit a0a4173631bfcfd3520192c0a61cf911d6a52c3a ]
Passing an empty map to perf_cpu_map__max triggered a SEGV. Explicitly
test for the empty map.
Reported-by: Ingo Molnar <mingo@kernel.org>
Closes: https://lore.kernel.org/linux-perf-users/aSwt7yzFjVJCEmVp@gmail.com/
Tested-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ian Rogers <irogers@google.com>
Tested-by: Thomas Richter <tmricht@linux.ibm.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/perf/cpumap.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/tools/lib/perf/cpumap.c b/tools/lib/perf/cpumap.c
index 2a5a29217374..97f76d5457b9 100644
--- a/tools/lib/perf/cpumap.c
+++ b/tools/lib/perf/cpumap.c
@@ -367,10 +367,12 @@ struct perf_cpu perf_cpu_map__max(const struct perf_cpu_map *map)
.cpu = -1
};
- // cpu_map__trim_new() qsort()s it, cpu_map__default_new() sorts it as well.
- return __perf_cpu_map__nr(map) > 0
- ? __perf_cpu_map__cpu(map, __perf_cpu_map__nr(map) - 1)
- : result;
+ if (!map)
+ return result;
+
+ // The CPUs are always sorted and nr is always > 0 as 0 length map is
+ // encoded as NULL.
+ return __perf_cpu_map__cpu(map, __perf_cpu_map__nr(map) - 1);
}
/** Is 'b' a subset of 'a'. */
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 406/737] i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 405/737] libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 407/737] nvme-fc: dont hold rport lock when putting ctrl Greg Kroah-Hartman
` (341 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Andy Shevchenko,
Mika Westerberg, Andi Shyti, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
[ Upstream commit d3429178ee51dd7155445d15a5ab87a45fae3c73 ]
When probing the I2C master, disable SMBus interrupts to prevent
storms caused by broken firmware mis-configuring IC_SMBUS=1; the
handler never services them and a mis-configured SMBUS Master
extend-clock timeout or SMBUS Slave extend-clock timeout can
flood the CPU.
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20251021075714.3712-2-guojinhui.liam@bytedance.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-designware-core.h | 1 +
drivers/i2c/busses/i2c-designware-master.c | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/drivers/i2c/busses/i2c-designware-core.h b/drivers/i2c/busses/i2c-designware-core.h
index e93870a0f9a4..f8feae20a7b2 100644
--- a/drivers/i2c/busses/i2c-designware-core.h
+++ b/drivers/i2c/busses/i2c-designware-core.h
@@ -79,6 +79,7 @@
#define DW_IC_TX_ABRT_SOURCE 0x80
#define DW_IC_ENABLE_STATUS 0x9c
#define DW_IC_CLR_RESTART_DET 0xa8
+#define DW_IC_SMBUS_INTR_MASK 0xcc
#define DW_IC_COMP_PARAM_1 0xf4
#define DW_IC_COMP_VERSION 0xf8
#define DW_IC_SDA_HOLD_MIN_VERS 0x3131312A /* "111*" == v1.11* */
diff --git a/drivers/i2c/busses/i2c-designware-master.c b/drivers/i2c/busses/i2c-designware-master.c
index e865869ccc50..56f124f32cac 100644
--- a/drivers/i2c/busses/i2c-designware-master.c
+++ b/drivers/i2c/busses/i2c-designware-master.c
@@ -184,6 +184,13 @@ static int i2c_dw_init_master(struct dw_i2c_dev *dev)
/* Disable the adapter */
__i2c_dw_disable(dev);
+ /*
+ * Mask SMBus interrupts to block storms from broken
+ * firmware that leaves IC_SMBUS=1; the handler never
+ * services them.
+ */
+ regmap_write(dev->map, DW_IC_SMBUS_INTR_MASK, 0);
+
/* Write standard speed timing parameters */
regmap_write(dev->map, DW_IC_SS_SCL_HCNT, dev->ss_hcnt);
regmap_write(dev->map, DW_IC_SS_SCL_LCNT, dev->ss_lcnt);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 407/737] nvme-fc: dont hold rport lock when putting ctrl
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 406/737] i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 408/737] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Greg Kroah-Hartman
` (340 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Christoph Hellwig,
Daniel Wagner, Keith Busch, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit b71cbcf7d170e51148d5467820ae8a72febcb651 ]
nvme_fc_ctrl_put can acquire the rport lock when freeing the
ctrl object:
nvme_fc_ctrl_put
nvme_fc_ctrl_free
spin_lock_irqsave(rport->lock)
Thus we can't hold the rport lock when calling nvme_fc_ctrl_put.
Justin suggested use the safe list iterator variant because
nvme_fc_ctrl_put will also modify the rport->list.
Cc: Justin Tee <justin.tee@broadcom.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/fc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
index 37fede155b92..2954f0a27474 100644
--- a/drivers/nvme/host/fc.c
+++ b/drivers/nvme/host/fc.c
@@ -1462,14 +1462,14 @@ nvme_fc_match_disconn_ls(struct nvme_fc_rport *rport,
{
struct fcnvme_ls_disconnect_assoc_rqst *rqst =
&lsop->rqstbuf->rq_dis_assoc;
- struct nvme_fc_ctrl *ctrl, *ret = NULL;
+ struct nvme_fc_ctrl *ctrl, *tmp, *ret = NULL;
struct nvmefc_ls_rcv_op *oldls = NULL;
u64 association_id = be64_to_cpu(rqst->associd.association_id);
unsigned long flags;
spin_lock_irqsave(&rport->lock, flags);
- list_for_each_entry(ctrl, &rport->ctrl_list, ctrl_list) {
+ list_for_each_entry_safe(ctrl, tmp, &rport->ctrl_list, ctrl_list) {
if (!nvme_fc_ctrl_get(ctrl))
continue;
spin_lock(&ctrl->lock);
@@ -1482,7 +1482,9 @@ nvme_fc_match_disconn_ls(struct nvme_fc_rport *rport,
if (ret)
/* leave the ctrl get reference */
break;
+ spin_unlock_irqrestore(&rport->lock, flags);
nvme_fc_ctrl_put(ctrl);
+ spin_lock_irqsave(&rport->lock, flags);
}
spin_unlock_irqrestore(&rport->lock, flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 408/737] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 407/737] nvme-fc: dont hold rport lock when putting ctrl Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 409/737] block: rnbd-clt: Fix signedness bug in init_dev() Greg Kroah-Hartman
` (339 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chia-Lin Kao (AceLan), Hans de Goede,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
[ Upstream commit b169e1733cadb614e87f69d7a5ae1b186c50d313 ]
Dell Pro Rugged 10/12 tablets has a reliable VGBS method.
If VGBS is not called on boot, the on-screen keyboard won't appear if the
device is booted without a keyboard.
Call VGBS on boot on thess devices to get the initial state of
SW_TABLET_MODE in a reliable way.
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20251127070407.656463-1-acelan.kao@canonical.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/hid.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c
index 36209997ba98..ac88119a73b8 100644
--- a/drivers/platform/x86/intel/hid.c
+++ b/drivers/platform/x86/intel/hid.c
@@ -163,6 +163,18 @@ static const struct dmi_system_id dmi_vgbs_allow_list[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "HP Elite Dragonfly G2 Notebook PC"),
},
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Dell Pro Rugged 10 Tablet RA00260"),
+ },
+ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Dell Pro Rugged 12 Tablet RA02260"),
+ },
+ },
{ }
};
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 409/737] block: rnbd-clt: Fix signedness bug in init_dev()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 408/737] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 410/737] vhost/vsock: improve RCU read sections around vhost_vsock_get() Greg Kroah-Hartman
` (338 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Jens Axboe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 1ddb815fdfd45613c32e9bd1f7137428f298e541 ]
The "dev->clt_device_id" variable is set using ida_alloc_max() which
returns an int and in particular it returns negative error codes.
Change the type from u32 to int to fix the error checking.
Fixes: c9b5645fd8ca ("block: rnbd-clt: Fix leaked ID in init_dev()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/rnbd/rnbd-clt.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/rnbd/rnbd-clt.h b/drivers/block/rnbd/rnbd-clt.h
index a48e040abe63..fbc1ed766025 100644
--- a/drivers/block/rnbd/rnbd-clt.h
+++ b/drivers/block/rnbd/rnbd-clt.h
@@ -112,7 +112,7 @@ struct rnbd_clt_dev {
struct rnbd_queue *hw_queues;
u32 device_id;
/* local Idr index - used to track minor number allocations. */
- u32 clt_device_id;
+ int clt_device_id;
struct mutex lock;
enum rnbd_clt_dev_state dev_state;
refcount_t refcount;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 410/737] vhost/vsock: improve RCU read sections around vhost_vsock_get()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 409/737] block: rnbd-clt: Fix signedness bug in init_dev() Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 411/737] cifs: Fix memory and information leak in smb3_reconfigure() Greg Kroah-Hartman
` (337 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stefanha, Stefano Garzarella,
Jason Wang, Michael S. Tsirkin, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
vhost_vsock_get() uses hash_for_each_possible_rcu() to find the
`vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu()
should only be called within an RCU read section, as mentioned in the
following comment in include/linux/rculist.h:
/**
* hlist_for_each_entry_rcu - iterate over rcu list of given type
* @pos: the type * to use as a loop cursor.
* @head: the head for your list.
* @member: the name of the hlist_node within the struct.
* @cond: optional lockdep expression if called from non-RCU protection.
*
* This list-traversal primitive may safely run concurrently with
* the _rcu list-mutation primitives such as hlist_add_head_rcu()
* as long as the traversal is guarded by rcu_read_lock().
*/
Currently, all calls to vhost_vsock_get() are between rcu_read_lock()
and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and
vhost_vsock_reset_orphans(). In both cases, the current code is safe,
but we can make improvements to make it more robust.
About vhost_vsock_set_cid(), when building the kernel with
CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the
user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
WARNING: suspicious RCU usage
6.18.0-rc7 #62 Not tainted
-----------------------------
drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by rpc-libvirtd/3443:
#0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
stack backtrace:
CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
Call Trace:
<TASK>
dump_stack_lvl+0x75/0xb0
dump_stack+0x14/0x1a
lockdep_rcu_suspicious.cold+0x4e/0x97
vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
__x64_sys_ioctl+0x4f2/0xa00
x64_sys_call+0xed0/0x1da0
do_syscall_64+0x73/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
</TASK>
This is not a real problem, because the vhost_vsock_get() caller, i.e.
vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash
table writers. Anyway, to prevent that warning, add lockdep_is_held()
condition to hash_for_each_possible_rcu() to verify that either the
caller is in an RCU read section or `vhost_vsock_mutex` is held when
CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for
vhost_vsock_get() to better describe the locking requirements and the
scope of the returned pointer validity.
About vhost_vsock_reset_orphans(), currently this function is only
called via vsock_for_each_connected_socket(), which holds the
`vsock_table_lock` spinlock (which is also an RCU read-side critical
section). However, add an explicit RCU read lock there to make the code
more robust and explicit about the RCU requirements, and to prevent
issues if the calling context changes in the future or if
vhost_vsock_reset_orphans() is called from other contexts.
Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
Cc: stefanha@redhat.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
Message-ID: <20251126210313.GA499503@fedora>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/vsock.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
index 2ec0d5260685..912e5153b1f8 100644
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -64,14 +64,15 @@ static u32 vhost_transport_get_local_cid(void)
return VHOST_VSOCK_DEFAULT_HOST_CID;
}
-/* Callers that dereference the return value must hold vhost_vsock_mutex or the
- * RCU read lock.
+/* Callers must be in an RCU read section or hold the vhost_vsock_mutex.
+ * The return value can only be dereferenced while within the section.
*/
static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
{
struct vhost_vsock *vsock;
- hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
+ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid,
+ lockdep_is_held(&vhost_vsock_mutex)) {
u32 other_cid = vsock->guest_cid;
/* Skip instances that have no CID yet */
@@ -695,9 +696,15 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
* executing.
*/
+ rcu_read_lock();
+
/* If the peer is still valid, no need to reset connection */
- if (vhost_vsock_get(vsk->remote_addr.svm_cid))
+ if (vhost_vsock_get(vsk->remote_addr.svm_cid)) {
+ rcu_read_unlock();
return;
+ }
+
+ rcu_read_unlock();
/* If the close timeout is pending, let it expire. This avoids races
* with the timeout callback.
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 411/737] cifs: Fix memory and information leak in smb3_reconfigure()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 410/737] vhost/vsock: improve RCU read sections around vhost_vsock_get() Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 412/737] KEYS: trusted: Fix a memory leak in tpm2_load_cmd Greg Kroah-Hartman
` (336 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, ChenXiaoSong,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d ]
In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the
function returns immediately without freeing and erasing the newly
allocated new_password and new_password2. This causes both a memory leak
and a potential information leak.
Fix this by calling kfree_sensitive() on both password buffers before
returning in this error case.
Fixes: 0f0e357902957 ("cifs: during remount, make sure passwords are in sync")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/fs_context.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/smb/client/fs_context.c b/fs/smb/client/fs_context.c
index 6358f2483c86..37b04c23ee89 100644
--- a/fs/smb/client/fs_context.c
+++ b/fs/smb/client/fs_context.c
@@ -979,6 +979,8 @@ static int smb3_reconfigure(struct fs_context *fc)
rc = smb3_sync_session_ctx_passwords(cifs_sb, ses);
if (rc) {
mutex_unlock(&ses->session_mutex);
+ kfree_sensitive(new_password);
+ kfree_sensitive(new_password2);
return rc;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 412/737] KEYS: trusted: Fix a memory leak in tpm2_load_cmd
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 411/737] cifs: Fix memory and information leak in smb3_reconfigure() Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 413/737] io_uring: fix filename leak in __io_openat_prep() Greg Kroah-Hartman
` (335 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jarkko Sakkinen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko@kernel.org>
commit 62cd5d480b9762ce70d720a81fa5b373052ae05f upstream.
'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode'
but it is not freed in the failure paths. Address this by wrapping the blob
into with a cleanup helper.
Cc: stable@vger.kernel.org # v5.13+
Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs")
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/trusted-keys/trusted_tpm2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/security/keys/trusted-keys/trusted_tpm2.c
+++ b/security/keys/trusted-keys/trusted_tpm2.c
@@ -375,6 +375,7 @@ static int tpm2_load_cmd(struct tpm_chip
struct trusted_key_options *options,
u32 *blob_handle)
{
+ u8 *blob_ref __free(kfree) = NULL;
struct tpm_buf buf;
unsigned int private_len;
unsigned int public_len;
@@ -388,6 +389,9 @@ static int tpm2_load_cmd(struct tpm_chip
/* old form */
blob = payload->blob;
payload->old_format = 1;
+ } else {
+ /* Bind for cleanup: */
+ blob_ref = blob;
}
/* new format carries keyhandle but old format doesn't */
@@ -446,8 +450,6 @@ static int tpm2_load_cmd(struct tpm_chip
(__be32 *) &buf.data[TPM_HEADER_SIZE]);
out:
- if (blob != payload->blob)
- kfree(blob);
tpm_buf_destroy(&buf);
if (rc > 0)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 413/737] io_uring: fix filename leak in __io_openat_prep()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 412/737] KEYS: trusted: Fix a memory leak in tpm2_load_cmd Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 414/737] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Greg Kroah-Hartman
` (334 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+00e61c43eb5e4740438f,
Prithvi Tambewagh, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prithvi Tambewagh <activprithvi@gmail.com>
commit b14fad555302a2104948feaff70503b64c80ac01 upstream.
__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
the memory for the newly allocated struct filename is not cleaned up,
causing a memory leak.
Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
successful getname() call, so that when the request is torn down, the
filename will be cleaned up, along with other resources needing cleanup.
Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
Tested-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
Fixes: b9445598d8c6 ("io_uring: openat directly into fixed fd table")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/openclose.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/openclose.c
+++ b/io_uring/openclose.c
@@ -65,13 +65,13 @@ static int __io_openat_prep(struct io_ki
open->filename = NULL;
return ret;
}
+ req->flags |= REQ_F_NEED_CLEANUP;
open->file_slot = READ_ONCE(sqe->file_index);
if (open->file_slot && (open->how.flags & O_CLOEXEC))
return -EINVAL;
open->nofile = rlimit(RLIMIT_NOFILE);
- req->flags |= REQ_F_NEED_CLEANUP;
if (io_openat_force_async(open))
req->flags |= REQ_F_FORCE_ASYNC;
return 0;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 414/737] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 413/737] io_uring: fix filename leak in __io_openat_prep() Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 415/737] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Greg Kroah-Hartman
` (333 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sarthak Garg, Bjorn Andersson,
Adrian Hunter, Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarthak Garg <sarthak.garg@oss.qualcomm.com>
commit b1f856b1727c2eaa4be2c6d7cd7a8ed052bbeb87 upstream.
According to the hardware programming guide, the clock frequency must
remain below 52MHz during the transition to HS400 mode.
However,in the current implementation, the timing is set to HS400 (a
DDR mode) before adjusting the clock. This causes the clock to double
prematurely to 104MHz during the transition phase, violating the
specification and potentially resulting in CRC errors or CMD timeouts.
This change ensures that clock doubling is avoided during intermediate
transitions and is applied only when the card requires a 200MHz clock
for HS400 operation.
Signed-off-by: Sarthak Garg <sarthak.garg@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-msm.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
--- a/drivers/mmc/host/sdhci-msm.c
+++ b/drivers/mmc/host/sdhci-msm.c
@@ -344,41 +344,43 @@ static void sdhci_msm_v5_variant_writel_
writel_relaxed(val, host->ioaddr + offset);
}
-static unsigned int msm_get_clock_mult_for_bus_mode(struct sdhci_host *host)
+static unsigned int msm_get_clock_mult_for_bus_mode(struct sdhci_host *host,
+ unsigned int clock,
+ unsigned int timing)
{
- struct mmc_ios ios = host->mmc->ios;
/*
* The SDHC requires internal clock frequency to be double the
* actual clock that will be set for DDR mode. The controller
* uses the faster clock(100/400MHz) for some of its parts and
* send the actual required clock (50/200MHz) to the card.
*/
- if (ios.timing == MMC_TIMING_UHS_DDR50 ||
- ios.timing == MMC_TIMING_MMC_DDR52 ||
- ios.timing == MMC_TIMING_MMC_HS400 ||
+ if (timing == MMC_TIMING_UHS_DDR50 ||
+ timing == MMC_TIMING_MMC_DDR52 ||
+ (timing == MMC_TIMING_MMC_HS400 &&
+ clock == MMC_HS200_MAX_DTR) ||
host->flags & SDHCI_HS400_TUNING)
return 2;
return 1;
}
static void msm_set_clock_rate_for_bus_mode(struct sdhci_host *host,
- unsigned int clock)
+ unsigned int clock,
+ unsigned int timing)
{
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
- struct mmc_ios curr_ios = host->mmc->ios;
struct clk *core_clk = msm_host->bulk_clks[0].clk;
unsigned long achieved_rate;
unsigned int desired_rate;
unsigned int mult;
int rc;
- mult = msm_get_clock_mult_for_bus_mode(host);
+ mult = msm_get_clock_mult_for_bus_mode(host, clock, timing);
desired_rate = clock * mult;
rc = dev_pm_opp_set_rate(mmc_dev(host->mmc), desired_rate);
if (rc) {
pr_err("%s: Failed to set clock at rate %u at timing %d\n",
- mmc_hostname(host->mmc), desired_rate, curr_ios.timing);
+ mmc_hostname(host->mmc), desired_rate, timing);
return;
}
@@ -397,7 +399,7 @@ static void msm_set_clock_rate_for_bus_m
msm_host->clk_rate = desired_rate;
pr_debug("%s: Setting clock at rate %lu at timing %d\n",
- mmc_hostname(host->mmc), achieved_rate, curr_ios.timing);
+ mmc_hostname(host->mmc), achieved_rate, timing);
}
/* Platform specific tuning */
@@ -1239,7 +1241,7 @@ static int sdhci_msm_execute_tuning(stru
*/
if (host->flags & SDHCI_HS400_TUNING) {
sdhci_msm_hc_select_mode(host);
- msm_set_clock_rate_for_bus_mode(host, ios.clock);
+ msm_set_clock_rate_for_bus_mode(host, ios.clock, ios.timing);
host->flags &= ~SDHCI_HS400_TUNING;
}
@@ -1864,6 +1866,7 @@ static void sdhci_msm_set_clock(struct s
{
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
+ struct mmc_ios ios = host->mmc->ios;
if (!clock) {
host->mmc->actual_clock = msm_host->clk_rate = 0;
@@ -1872,7 +1875,7 @@ static void sdhci_msm_set_clock(struct s
sdhci_msm_hc_select_mode(host);
- msm_set_clock_rate_for_bus_mode(host, clock);
+ msm_set_clock_rate_for_bus_mode(host, ios.clock, ios.timing);
out:
__sdhci_msm_set_clock(host, clock);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 415/737] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 414/737] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 416/737] s390/dasd: Fix gendisk parent after copy pair swap Greg Kroah-Hartman
` (332 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Eric Biggers
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 2f22115709fc7ebcfa40af3367a508fbbd2f71e9 upstream.
In the C code, the 'inc' argument to the assembly functions
blake2s_compress_ssse3() and blake2s_compress_avx512() is declared with
type u32, matching blake2s_compress(). The assembly code then reads it
from the 64-bit %rcx. However, the ABI doesn't guarantee zero-extension
to 64 bits, nor do gcc or clang guarantee it. Therefore, fix these
functions to read this argument from the 32-bit %ecx.
In theory, this bug could have caused the wrong 'inc' value to be used,
causing incorrect BLAKE2s hashes. In practice, probably not: I've fixed
essentially this same bug in many other assembly files too, but there's
never been a real report of it having caused a problem. In x86_64, all
writes to 32-bit registers are zero-extended to 64 bits. That results
in zero-extension in nearly all situations. I've only been able to
demonstrate a lack of zero-extension with a somewhat contrived example
involving truncation, e.g. when the C code has a u64 variable holding
0x1234567800000040 and passes it as a u32 expecting it to be truncated
to 0x40 (64). But that's not what the real code does, of course.
Fixes: ed0356eda153 ("crypto: blake2s - x86_64 SIMD implementation")
Cc: stable@vger.kernel.org
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20251102234209.62133-2-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/crypto/blake2s-core.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/crypto/blake2s-core.S
+++ b/arch/x86/crypto/blake2s-core.S
@@ -54,7 +54,7 @@ SYM_FUNC_START(blake2s_compress_ssse3)
movdqa ROT16(%rip),%xmm12
movdqa ROR328(%rip),%xmm13
movdqu 0x20(%rdi),%xmm14
- movq %rcx,%xmm15
+ movd %ecx,%xmm15
leaq SIGMA+0xa0(%rip),%r8
jmp .Lbeginofloop
.align 32
@@ -179,7 +179,7 @@ SYM_FUNC_START(blake2s_compress_avx512)
vmovdqu (%rdi),%xmm0
vmovdqu 0x10(%rdi),%xmm1
vmovdqu 0x20(%rdi),%xmm4
- vmovq %rcx,%xmm5
+ vmovd %ecx,%xmm5
vmovdqa IV(%rip),%xmm14
vmovdqa IV+16(%rip),%xmm15
jmp .Lblake2s_compress_avx512_mainloop
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 416/737] s390/dasd: Fix gendisk parent after copy pair swap
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 415/737] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 417/737] block: rate-limit capacity change info log Greg Kroah-Hartman
` (331 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Hoeppner, Stefan Haberland,
Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Haberland <sth@linux.ibm.com>
commit c943bfc6afb8d0e781b9b7406f36caa8bbf95cb9 upstream.
After a copy pair swap the block device's "device" symlink points to
the secondary CCW device, but the gendisk's parent remained the
primary, leaving /sys/block/<dasdx> under the wrong parent.
Move the gendisk to the secondary's device with device_move(), keeping
the sysfs topology consistent after the swap.
Fixes: 413862caad6f ("s390/dasd: add copy pair swap capability")
Cc: stable@vger.kernel.org #6.1
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_eckd.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -6189,6 +6189,7 @@ static int dasd_eckd_copy_pair_swap(stru
struct dasd_copy_relation *copy;
struct dasd_block *block;
struct gendisk *gdp;
+ int rc;
copy = device->copy;
if (!copy)
@@ -6223,6 +6224,13 @@ static int dasd_eckd_copy_pair_swap(stru
/* swap blocklayer device link */
gdp = block->gdp;
dasd_add_link_to_gendisk(gdp, secondary);
+ rc = device_move(disk_to_dev(gdp), &secondary->cdev->dev, DPM_ORDER_NONE);
+ if (rc) {
+ dev_err(&primary->cdev->dev,
+ "copy_pair_swap: moving blockdevice parent %s->%s failed (%d)\n",
+ dev_name(&primary->cdev->dev),
+ dev_name(&secondary->cdev->dev), rc);
+ }
/* re-enable device */
dasd_device_remove_stop_bits(primary, DASD_STOPPED_PPRC);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 417/737] block: rate-limit capacity change info log
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 416/737] s390/dasd: Fix gendisk parent after copy pair swap Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 418/737] floppy: fix for PAGE_SIZE != 4KB Greg Kroah-Hartman
` (330 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Chen, Chaitanya Kulkarni,
Bart Van Assche, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Chen <chenl311@chinatelecom.cn>
commit 3179a5f7f86bcc3acd5d6fb2a29f891ef5615852 upstream.
loop devices under heavy stress-ng loop streessor can trigger many
capacity change events in a short time. Each event prints an info
message from set_capacity_and_notify(), flooding the console and
contributing to soft lockups on slow consoles.
Switch the printk in set_capacity_and_notify() to
pr_info_ratelimited() so frequent capacity changes do not spam
the log while still reporting occasional changes.
Cc: stable@vger.kernel.org
Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/genhd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -83,7 +83,7 @@ bool set_capacity_and_notify(struct gend
(disk->flags & GENHD_FL_HIDDEN))
return false;
- pr_info("%s: detected capacity change from %lld to %lld\n",
+ pr_info_ratelimited("%s: detected capacity change from %lld to %lld\n",
disk->disk_name, capacity, size);
/*
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 418/737] floppy: fix for PAGE_SIZE != 4KB
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 417/737] block: rate-limit capacity change info log Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 419/737] kallsyms: Fix wrong "big" kernel symbol type read from procfs Greg Kroah-Hartman
` (329 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rene Rebe <rene@exactco.de>
commit 82d20481024cbae2ea87fe8b86d12961bfda7169 upstream.
For years I wondered why the floppy driver does not just work on
sparc64, e.g:
root@SUNW_375_0066:# disktype /dev/fd0
disktype: Can't open /dev/fd0: No such device or address
[ 525.341906] disktype: attempt to access beyond end of device
fd0: rw=0, sector=0, nr_sectors = 16 limit=8
[ 525.341991] floppy: error 10 while reading block 0
Turns out floppy.c __floppy_read_block_0 tries to read one page for
the first test read to determine the disk size and thus fails if that
is greater than 4k. Adjust minimum MAX_DISK_SIZE to PAGE_SIZE to fix
floppy on sparc64 and likely all other PAGE_SIZE != 4KB configs.
Cc: stable@vger.kernel.org
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/floppy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -331,7 +331,7 @@ static bool initialized;
* This default is used whenever the current disk size is unknown.
* [Now it is rather a minimum]
*/
-#define MAX_DISK_SIZE 4 /* 3984 */
+#define MAX_DISK_SIZE (PAGE_SIZE / 1024)
/*
* globals used by 'result()'
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 419/737] kallsyms: Fix wrong "big" kernel symbol type read from procfs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 418/737] floppy: fix for PAGE_SIZE != 4KB Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 420/737] fs/ntfs3: fix mount failure for sparse runs in run_unpack() Greg Kroah-Hartman
` (328 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zheng Yejian, Gary Guo, Miguel Ojeda
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Yejian <zhengyejian@huaweicloud.com>
commit f3f9f42232dee596d15491ca3f611d02174db49c upstream.
Currently when the length of a symbol is longer than 0x7f characters,
its type shown in /proc/kallsyms can be incorrect.
I found this issue when reading the code, but it can be reproduced by
following steps:
1. Define a function which symbol length is 130 characters:
#define X13(x) x##x##x##x##x##x##x##x##x##x##x##x##x
static noinline void X13(x123456789)(void)
{
printk("hello world\n");
}
2. The type in vmlinux is 't':
$ nm vmlinux | grep x123456
ffffffff816290f0 t x123456789x123456789x123456789x12[...]
3. Then boot the kernel, the type shown in /proc/kallsyms becomes 'g'
instead of the expected 't':
# cat /proc/kallsyms | grep x123456
ffffffff816290f0 g x123456789x123456789x123456789x12[...]
The root cause is that, after commit 73bbb94466fd ("kallsyms: support
"big" kernel symbols"), ULEB128 was used to encode symbol name length.
That is, for "big" kernel symbols of which name length is longer than
0x7f characters, the length info is encoded into 2 bytes.
kallsyms_get_symbol_type() expects to read the first char of the
symbol name which indicates the symbol type. However, due to the
"big" symbol case not being handled, the symbol type read from
/proc/kallsyms may be wrong, so handle it properly.
Cc: stable@vger.kernel.org
Fixes: 73bbb94466fd ("kallsyms: support "big" kernel symbols")
Signed-off-by: Zheng Yejian <zhengyejian@huaweicloud.com>
Acked-by: Gary Guo <gary@garyguo.net>
Link: https://patch.msgid.link/20241011143853.3022643-1-zhengyejian@huaweicloud.com
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kallsyms.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/kernel/kallsyms.c
+++ b/kernel/kallsyms.c
@@ -103,8 +103,11 @@ static char kallsyms_get_symbol_type(uns
{
/*
* Get just the first code, look it up in the token table,
- * and return the first char from this token.
+ * and return the first char from this token. If MSB of length
+ * is 1, it is a "big" symbol, so needs an additional byte.
*/
+ if (kallsyms_names[off] & 0x80)
+ off++;
return kallsyms_token_table[kallsyms_token_index[kallsyms_names[off + 1]]];
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 420/737] fs/ntfs3: fix mount failure for sparse runs in run_unpack()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 419/737] kallsyms: Fix wrong "big" kernel symbol type read from procfs Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 421/737] ktest.pl: Fix uninitialized var in config-bisect.pl Greg Kroah-Hartman
` (327 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
commit 801f614ba263cb37624982b27b4c82f3c3c597a9 upstream.
Some NTFS volumes failed to mount because sparse data runs were not
handled correctly during runlist unpacking. The code performed arithmetic
on the special SPARSE_LCN64 marker, leading to invalid LCN values and
mount errors.
Add an explicit check for the case described above, marking the run as
sparse without applying arithmetic.
Fixes: 736fc7bf5f68 ("fs: ntfs3: Fix integer overflow in run_unpack()")
Cc: stable@vger.kernel.org
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/run.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -984,8 +984,12 @@ int run_unpack(struct runs_tree *run, st
if (!dlcn)
return -EINVAL;
- if (check_add_overflow(prev_lcn, dlcn, &lcn))
+ /* Check special combination: 0 + SPARSE_LCN64. */
+ if (!prev_lcn && dlcn == SPARSE_LCN64) {
+ lcn = SPARSE_LCN64;
+ } else if (check_add_overflow(prev_lcn, dlcn, &lcn)) {
return -EINVAL;
+ }
prev_lcn = lcn;
} else
return -EINVAL;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 421/737] ktest.pl: Fix uninitialized var in config-bisect.pl
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 420/737] fs/ntfs3: fix mount failure for sparse runs in run_unpack() Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 422/737] ext4: xattr: fix null pointer deref in ext4_raw_inode() Greg Kroah-Hartman
` (326 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley, John W. Krahn,
Steven Rostedt
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit d3042cbe84a060b4df764eb6c5300bbe20d125ca upstream.
The error path of copying the old config used the wrong variable in the
error message:
$ mkdir /tmp/build
$ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad
$ chmod 0 /tmp/build
$ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad good
cp /tmp/build//.config config-good.tmp ... [0 seconds] FAILED!
Use of uninitialized value $config in concatenation (.) or string at ./tools/testing/ktest/config-bisect.pl line 744.
failed to copy to config-good.tmp
When it should have shown:
failed to copy /tmp/build//.config to config-good.tmp
Cc: stable@vger.kernel.org
Cc: John 'Warthog9' Hawley <warthog9@kernel.org>
Fixes: 0f0db065999cf ("ktest: Add standalone config-bisect.pl program")
Link: https://patch.msgid.link/20251203180924.6862bd26@gandalf.local.home
Reported-by: "John W. Krahn" <jwkrahn@shaw.ca>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/ktest/config-bisect.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/tools/testing/ktest/config-bisect.pl
+++ b/tools/testing/ktest/config-bisect.pl
@@ -741,9 +741,9 @@ if ($start) {
die "Can not find file $bad\n";
}
if ($val eq "good") {
- run_command "cp $output_config $good" or die "failed to copy $config to $good\n";
+ run_command "cp $output_config $good" or die "failed to copy $output_config to $good\n";
} elsif ($val eq "bad") {
- run_command "cp $output_config $bad" or die "failed to copy $config to $bad\n";
+ run_command "cp $output_config $bad" or die "failed to copy $output_config to $bad\n";
}
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 422/737] ext4: xattr: fix null pointer deref in ext4_raw_inode()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 421/737] ktest.pl: Fix uninitialized var in config-bisect.pl Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 423/737] ext4: clear i_state_flags when alloc inode Greg Kroah-Hartman
` (325 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Karina Yankevich,
Sergey Shtylyov, Baokun Li, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karina Yankevich <k.yankevich@omp.ru>
commit b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 upstream.
If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),
iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()
lacks error checking, this will lead to a null pointer dereference
in ext4_raw_inode(), called right after ext4_get_inode_loc().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c8e008b60492 ("ext4: ignore xattrs past end")
Cc: stable@kernel.org
Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Message-ID: <20251022093253.3546296-1-k.yankevich@omp.ru>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1191,7 +1191,11 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
if (block_csum)
end = (void *)bh->b_data + bh->b_size;
else {
- ext4_get_inode_loc(parent, &iloc);
+ err = ext4_get_inode_loc(parent, &iloc);
+ if (err) {
+ EXT4_ERROR_INODE(parent, "parent inode loc (error %d)", err);
+ return;
+ }
end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 423/737] ext4: clear i_state_flags when alloc inode
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 422/737] ext4: xattr: fix null pointer deref in ext4_raw_inode() Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 424/737] ext4: fix incorrect group number assertion in mb_check_buddy Greg Kroah-Hartman
` (324 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haibo Chen, Baokun Li, Zhang Yi,
Jan Kara, Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
commit 4091c8206cfd2e3bb529ef260887296b90d9b6a2 upstream.
i_state_flags used on 32-bit archs, need to clear this flag when
alloc inode.
Find this issue when umount ext4, sometimes track the inode as orphan
accidently, cause ext4 mesg dump.
Fixes: acf943e9768e ("ext4: fix checks for orphan inodes")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251104-ext4-v1-1-73691a0800f9@nxp.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ialloc.c | 1 -
fs/ext4/inode.c | 1 -
fs/ext4/super.c | 1 +
3 files changed, 1 insertion(+), 2 deletions(-)
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -1299,7 +1299,6 @@ got:
sizeof(gen));
}
- ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */
ext4_set_inode_state(inode, EXT4_STATE_NEW);
ei->i_extra_isize = sbi->s_want_extra_isize;
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4913,7 +4913,6 @@ struct inode *__ext4_iget(struct super_b
ei->i_projid = make_kprojid(&init_user_ns, i_projid);
set_nlink(inode, le16_to_cpu(raw_inode->i_links_count));
- ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */
ei->i_inline_off = 0;
ei->i_dir_start_lookup = 0;
ei->i_dtime = le32_to_cpu(raw_inode->i_dtime);
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1412,6 +1412,7 @@ static struct inode *ext4_alloc_inode(st
inode_set_iversion(&ei->vfs_inode, 1);
ei->i_flags = 0;
+ ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */
spin_lock_init(&ei->i_raw_lock);
ei->i_prealloc_node = RB_ROOT;
atomic_set(&ei->i_prealloc_active, 0);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 424/737] ext4: fix incorrect group number assertion in mb_check_buddy
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 423/737] ext4: clear i_state_flags when alloc inode Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 425/737] ext4: align max orphan file size with e2fsprogs limit Greg Kroah-Hartman
` (323 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongjian Sun, Baokun Li, Jan Kara,
Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongjian Sun <sunyongjian1@huawei.com>
commit 3f7a79d05c692c7cfec70bf104b1b3c3d0ce6247 upstream.
When the MB_CHECK_ASSERT macro is enabled, an assertion failure can
occur in __mb_check_buddy when checking preallocated blocks (pa) in
a block group:
Assertion failure in mb_free_blocks() : "groupnr == e4b->bd_group"
This happens when a pa at the very end of a block group (e.g.,
pa_pstart=32765, pa_len=3 in a group of 32768 blocks) becomes
exhausted - its pa_pstart is advanced by pa_len to 32768, which
lies in the next block group. If this exhausted pa (with pa_len == 0)
is still in the bb_prealloc_list during the buddy check, the assertion
incorrectly flags it as belonging to the wrong group. A possible
sequence is as follows:
ext4_mb_new_blocks
ext4_mb_release_context
pa->pa_pstart += EXT4_C2B(sbi, ac->ac_b_ex.fe_len)
pa->pa_len -= ac->ac_b_ex.fe_len
__mb_check_buddy
for each pa in group
ext4_get_group_no_and_offset
MB_CHECK_ASSERT(groupnr == e4b->bd_group)
To fix this, we modify the check to skip block group validation for
exhausted preallocations (where pa_len == 0). Such entries are in a
transitional state and will be removed from the list soon, so they
should not trigger an assertion. This change prevents the false
positive while maintaining the integrity of the checks for active
allocations.
Fixes: c9de560ded61f ("ext4: Add multi block allocator for ext4")
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251106060614.631382-2-sunyongjian@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -777,6 +777,8 @@ static void __mb_check_buddy(struct ext4
ext4_group_t groupnr;
struct ext4_prealloc_space *pa;
pa = list_entry(cur, struct ext4_prealloc_space, pa_group_list);
+ if (!pa->pa_len)
+ continue;
ext4_get_group_no_and_offset(sb, pa->pa_pstart, &groupnr, &k);
MB_CHECK_ASSERT(groupnr == e4b->bd_group);
for (i = 0; i < pa->pa_len; i++)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 425/737] ext4: align max orphan file size with e2fsprogs limit
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 424/737] ext4: fix incorrect group number assertion in mb_check_buddy Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 426/737] jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key Greg Kroah-Hartman
` (322 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 7c11c56eb32eae96893eebafdbe3decadefe88ad upstream.
Kernel commit 0a6ce20c1564 ("ext4: verify orphan file size is not too big")
limits the maximum supported orphan file size to 8 << 20.
However, in e2fsprogs, the orphan file size is set to 32–512 filesystem
blocks when creating a filesystem.
With 64k block size, formatting an ext4 fs >32G gives an orphan file bigger
than the kernel allows, so mount prints an error and fails:
EXT4-fs (vdb): orphan file too big: 8650752
EXT4-fs (vdb): mount failed
To prevent this issue and allow previously created 64KB filesystems to
mount, we updates the maximum allowed orphan file size in the kernel to
512 filesystem blocks.
Fixes: 0a6ce20c1564 ("ext4: verify orphan file size is not too big")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251120134233.2994147-1-libaokun@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/orphan.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/ext4/orphan.c
+++ b/fs/ext4/orphan.c
@@ -8,6 +8,8 @@
#include "ext4.h"
#include "ext4_jbd2.h"
+#define EXT4_MAX_ORPHAN_FILE_BLOCKS 512
+
static int ext4_orphan_file_add(handle_t *handle, struct inode *inode)
{
int i, j, start;
@@ -589,7 +591,7 @@ int ext4_init_orphan_info(struct super_b
* consuming absurd amounts of memory when pinning blocks of orphan
* file in memory.
*/
- if (inode->i_size > 8 << 20) {
+ if (inode->i_size > (EXT4_MAX_ORPHAN_FILE_BLOCKS << inode->i_blkbits)) {
ext4_msg(sb, KERN_ERR, "orphan file too big: %llu",
(unsigned long long)inode->i_size);
ret = -EFSCORRUPTED;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 426/737] jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 425/737] ext4: align max orphan file size with e2fsprogs limit Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 427/737] jbd2: use a weaker annotation in journal handling Greg Kroah-Hartman
` (321 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6e493c165d26d6fcbf72,
Tetsuo Handa, Jan Kara, Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit 524c3853831cf4f7e1db579e487c757c3065165c upstream.
syzbot is reporting possibility of deadlock due to sharing lock_class_key
for jbd2_handle across ext4 and ocfs2. But this is a false positive, for
one disk partition can't have two filesystems at the same time.
Reported-by: syzbot+6e493c165d26d6fcbf72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6e493c165d26d6fcbf72
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot+6e493c165d26d6fcbf72@syzkaller.appspotmail.com
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <987110fc-5470-457a-a218-d286a09dd82f@I-love.SAKURA.ne.jp>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 6 ++++--
include/linux/jbd2.h | 6 ++++++
2 files changed, 10 insertions(+), 2 deletions(-)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1563,7 +1563,6 @@ static journal_t *journal_init_common(st
struct block_device *fs_dev,
unsigned long long start, int len, int blocksize)
{
- static struct lock_class_key jbd2_trans_commit_key;
journal_t *journal;
int err;
int n;
@@ -1572,6 +1571,7 @@ static journal_t *journal_init_common(st
if (!journal)
return ERR_PTR(-ENOMEM);
+ lockdep_register_key(&journal->jbd2_trans_commit_key);
journal->j_blocksize = blocksize;
journal->j_dev = bdev;
journal->j_fs_dev = fs_dev;
@@ -1601,7 +1601,7 @@ static journal_t *journal_init_common(st
journal->j_max_batch_time = 15000; /* 15ms */
atomic_set(&journal->j_reserved_credits, 0);
lockdep_init_map(&journal->j_trans_commit_map, "jbd2_handle",
- &jbd2_trans_commit_key, 0);
+ &journal->jbd2_trans_commit_key, 0);
/* The journal is marked for error until we succeed with recovery! */
journal->j_flags = JBD2_ABORT;
@@ -1648,6 +1648,7 @@ err_cleanup:
kfree(journal->j_wbuf);
jbd2_journal_destroy_revoke(journal);
journal_fail_superblock(journal);
+ lockdep_unregister_key(&journal->jbd2_trans_commit_key);
kfree(journal);
return ERR_PTR(err);
}
@@ -2229,6 +2230,7 @@ int jbd2_journal_destroy(journal_t *jour
crypto_free_shash(journal->j_chksum_driver);
kfree(journal->j_fc_wbuf);
kfree(journal->j_wbuf);
+ lockdep_unregister_key(&journal->jbd2_trans_commit_key);
kfree(journal);
return err;
--- a/include/linux/jbd2.h
+++ b/include/linux/jbd2.h
@@ -1266,6 +1266,12 @@ struct journal_s
*/
struct lockdep_map j_trans_commit_map;
#endif
+ /**
+ * @jbd2_trans_commit_key:
+ *
+ * "struct lock_class_key" for @j_trans_commit_map
+ */
+ struct lock_class_key jbd2_trans_commit_key;
/**
* @j_fc_cleanup_callback:
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 427/737] jbd2: use a weaker annotation in journal handling
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 426/737] jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 428/737] media: v4l2-mem2mem: Fix outdated documentation Greg Kroah-Hartman
` (320 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Byungchul Park, Jan Kara, stable,
Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Byungchul Park <byungchul@sk.com>
commit 40a71b53d5a6d4ea17e4d54b99b2ac03a7f5e783 upstream.
jbd2 journal handling code doesn't want jbd2_might_wait_for_commit()
to be placed between start_this_handle() and stop_this_handle(). So it
marks the region with rwsem_acquire_read() and rwsem_release().
However, the annotation is too strong for that purpose. We don't have
to use more than try lock annotation for that.
rwsem_acquire_read() implies:
1. might be a waiter on contention of the lock.
2. enter to the critical section of the lock.
All we need in here is to act 2, not 1. So trylock version of
annotation is sufficient for that purpose. Now that dept partially
relies on lockdep annotaions, dept interpets rwsem_acquire_read() as a
potential wait and might report a deadlock by the wait.
Replace it with trylock version of annotation.
Signed-off-by: Byungchul Park <byungchul@sk.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Message-ID: <20251024073940.1063-1-byungchul@sk.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/transaction.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -445,7 +445,7 @@ repeat:
read_unlock(&journal->j_state_lock);
current->journal_info = handle;
- rwsem_acquire_read(&journal->j_trans_commit_map, 0, 0, _THIS_IP_);
+ rwsem_acquire_read(&journal->j_trans_commit_map, 0, 1, _THIS_IP_);
jbd2_journal_free_transaction(new_transaction);
/*
* Ensure that no allocations done while the transaction is open are
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 428/737] media: v4l2-mem2mem: Fix outdated documentation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 427/737] jbd2: use a weaker annotation in journal handling Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 429/737] mptcp: schedule rtx timer only after pushing data Greg Kroah-Hartman
` (319 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
commit 082b86919b7a94de01d849021b4da820a6cb89dc upstream.
Commit cbd9463da1b1 ("media: v4l2-mem2mem: Avoid calling .device_run in
v4l2_m2m_job_finish") deferred calls to .device_run() to a work queue to
avoid recursive calls when a job is finished right away from
.device_run(). It failed to update the v4l2_m2m_job_finish()
documentation that still states the function must not be called from
.device_run(). Fix it.
Fixes: cbd9463da1b1 ("media: v4l2-mem2mem: Avoid calling .device_run in v4l2_m2m_job_finish")
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/media/v4l2-mem2mem.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/include/media/v4l2-mem2mem.h
+++ b/include/media/v4l2-mem2mem.h
@@ -185,8 +185,7 @@ void v4l2_m2m_try_schedule(struct v4l2_m
* other instances to take control of the device.
*
* This function has to be called only after &v4l2_m2m_ops->device_run
- * callback has been called on the driver. To prevent recursion, it should
- * not be called directly from the &v4l2_m2m_ops->device_run callback though.
+ * callback has been called on the driver.
*/
void v4l2_m2m_job_finish(struct v4l2_m2m_dev *m2m_dev,
struct v4l2_m2m_ctx *m2m_ctx);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 429/737] mptcp: schedule rtx timer only after pushing data
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 428/737] media: v4l2-mem2mem: Fix outdated documentation Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 430/737] mptcp: avoid deadlock on fallback while reinjecting Greg Kroah-Hartman
` (318 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 2ea6190f42d0416a4310e60a7fcb0b49fcbbd4fb upstream.
The MPTCP protocol usually schedule the retransmission timer only
when there is some chances for such retransmissions to happen.
With a notable exception: __mptcp_push_pending() currently schedule
such timer unconditionally, potentially leading to unnecessary rtx
timer expiration.
The issue is present since the blamed commit below but become easily
reproducible after commit 27b0e701d387 ("mptcp: drop bogus optimization
in __mptcp_check_push()")
Fixes: 33d41c9cd74c ("mptcp: more accurate timeout")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-3-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1630,7 +1630,7 @@ void __mptcp_push_pending(struct sock *s
struct mptcp_sendmsg_info info = {
.flags = flags,
};
- bool do_check_data_fin = false;
+ bool copied = false;
int push_count = 1;
while (mptcp_send_head(sk) && (push_count > 0)) {
@@ -1672,7 +1672,7 @@ void __mptcp_push_pending(struct sock *s
push_count--;
continue;
}
- do_check_data_fin = true;
+ copied = true;
}
}
}
@@ -1681,11 +1681,14 @@ void __mptcp_push_pending(struct sock *s
if (ssk)
mptcp_push_release(ssk, &info);
- /* ensure the rtx timer is running */
- if (!mptcp_rtx_timer_pending(sk))
- mptcp_reset_rtx_timer(sk);
- if (do_check_data_fin)
+ /* Avoid scheduling the rtx timer if no data has been pushed; the timer
+ * will be updated on positive acks by __mptcp_cleanup_una().
+ */
+ if (copied) {
+ if (!mptcp_rtx_timer_pending(sk))
+ mptcp_reset_rtx_timer(sk);
mptcp_check_send_data_fin(sk);
+ }
}
static void __mptcp_subflow_push_pending(struct sock *sk, struct sock *ssk, bool first)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 430/737] mptcp: avoid deadlock on fallback while reinjecting
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 429/737] mptcp: schedule rtx timer only after pushing data Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 431/737] usb: usb-storage: Maintain minimal modifications to the bcdDevice range Greg Kroah-Hartman
` (317 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Paolo Abeni,
Matthieu Baerts (NGI0)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit ffb8c27b0539dd90262d1021488e7817fae57c42 upstream.
Jakub reported an MPTCP deadlock at fallback time:
WARNING: possible recursive locking detected
6.18.0-rc7-virtme #1 Not tainted
--------------------------------------------
mptcp_connect/20858 is trying to acquire lock:
ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_try_fallback+0xd8/0x280
but task is already holding lock:
ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&msk->fallback_lock);
lock(&msk->fallback_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by mptcp_connect/20858:
#0: ff1100001da18290 (sk_lock-AF_INET){+.+.}-{0:0}, at: mptcp_sendmsg+0x114/0x1bc0
#1: ff1100001db40fd0 (k-sk_lock-AF_INET#2){+.+.}-{0:0}, at: __mptcp_retrans+0x2cb/0xaa0
#2: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3}, at: __mptcp_retrans+0x352/0xaa0
stack backtrace:
CPU: 0 UID: 0 PID: 20858 Comm: mptcp_connect Not tainted 6.18.0-rc7-virtme #1 PREEMPT(full)
Hardware name: Bochs, BIOS Bochs 01/01/2011
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_deadlock_bug.cold+0xc0/0xcd
validate_chain+0x2ff/0x5f0
__lock_acquire+0x34c/0x740
lock_acquire.part.0+0xbc/0x260
_raw_spin_lock_bh+0x38/0x50
__mptcp_try_fallback+0xd8/0x280
mptcp_sendmsg_frag+0x16c2/0x3050
__mptcp_retrans+0x421/0xaa0
mptcp_release_cb+0x5aa/0xa70
release_sock+0xab/0x1d0
mptcp_sendmsg+0xd5b/0x1bc0
sock_write_iter+0x281/0x4d0
new_sync_write+0x3c5/0x6f0
vfs_write+0x65e/0xbb0
ksys_write+0x17e/0x200
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7fa5627cbc5e
Code: 4d 89 d8 e8 14 bd 00 00 4c 8b 5d f8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 11 c9 c3 0f 1f 80 00 00 00 00 48 8b 45 10 0f 05 <c9> c3 83 e2 39 83 fa 08 75 e7 e8 13 ff ff ff 0f 1f 00 f3 0f 1e fa
RSP: 002b:00007fff1fe14700 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007fa5627cbc5e
RDX: 0000000000001f9c RSI: 00007fff1fe16984 RDI: 0000000000000005
RBP: 00007fff1fe14710 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff1fe16920
R13: 0000000000002000 R14: 0000000000001f9c R15: 0000000000001f9c
The packet scheduler could attempt a reinjection after receiving an
MP_FAIL and before the infinite map has been transmitted, causing a
deadlock since MPTCP needs to do the reinjection atomically from WRT
fallback.
Address the issue explicitly avoiding the reinjection in the critical
scenario. Note that this is the only fallback critical section that
could potentially send packets and hit the double-lock.
Reported-by: Jakub Kicinski <kuba@kernel.org>
Closes: https://netdev-ctrl.bots.linux.dev/logs/vmksft/mptcp-dbg/results/412720/1-mptcp-join-sh/stderr
Fixes: f8a1d9b18c5e ("mptcp: make fallback action and fallback decision atomic")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-4-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2712,10 +2712,13 @@ static void __mptcp_retrans(struct sock
/*
* make the whole retrans decision, xmit, disallow
- * fallback atomic
+ * fallback atomic, note that we can't retrans even
+ * when an infinite fallback is in progress, i.e. new
+ * subflows are disallowed.
*/
spin_lock_bh(&msk->fallback_lock);
- if (__mptcp_check_fallback(msk)) {
+ if (__mptcp_check_fallback(msk) ||
+ !msk->allow_subflows) {
spin_unlock_bh(&msk->fallback_lock);
release_sock(ssk);
goto clear_scheduled;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 431/737] usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 430/737] mptcp: avoid deadlock on fallback while reinjecting Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 432/737] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Greg Kroah-Hartman
` (316 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Changcheng
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Changcheng <chenchangcheng@kylinos.cn>
commit 0831269b5f71594882accfceb02638124f88955d upstream.
We cannot determine which models require the NO_ATA_1X and
IGNORE_RESIDUE quirks aside from the EL-R12 optical drive device.
Fixes: 955a48a5353f ("usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.")
Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
Link: https://patch.msgid.link/20251218012318.15978-1-chenchangcheng@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_uas.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x01
US_FL_NO_ATA_1X),
/* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
-UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309,
+UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x0309,
"Initio Corporation",
"INIC-3069",
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 432/737] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 431/737] usb: usb-storage: Maintain minimal modifications to the bcdDevice range Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 433/737] media: pvrusb2: Fix incorrect variable used in trace message Greg Kroah-Hartman
` (315 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeongjun Park, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit b91e6aafe8d356086cc621bc03e35ba2299e4788 upstream.
rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
check the size of the rlen value. Therefore, if it is set to a value
larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
Therefore, we need to add proper range checking to prevent this vuln.
Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353")
Cc: stable@vger.kernel.org
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/dvb-usb/dtv5100.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/media/usb/dvb-usb/dtv5100.c
+++ b/drivers/media/usb/dvb-usb/dtv5100.c
@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_us
}
index = (addr << 8) + wbuf[0];
+ if (rlen > sizeof(st->data)) {
+ warn("rlen = %x is too big!\n", rlen);
+ return -EINVAL;
+ }
+
memcpy(st->data, rbuf, rlen);
msleep(1); /* avoid I2C errors */
return usb_control_msg(d->udev, pipe, request,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 433/737] media: pvrusb2: Fix incorrect variable used in trace message
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 432/737] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 434/737] phy: broadcom: bcm63xx-usbh: fix section mismatches Greg Kroah-Hartman
` (314 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Colin Ian King, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.i.king@gmail.com>
commit be440980eace19c035a0745fd6b6e42707bc4f49 upstream.
The pvr2_trace message is reporting an error about control read
transfers, however it is using the incorrect variable write_len
instead of read_lean. Fix this by using the correct variable
read_len.
Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
Cc: stable@vger.kernel.org
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -3622,7 +3622,7 @@ static int pvr2_send_request_ex(struct p
pvr2_trace(
PVR2_TRACE_ERROR_LEGS,
"Attempted to execute %d byte control-read transfer (limit=%d)",
- write_len,PVR2_CTL_BUFFSIZE);
+ read_len, PVR2_CTL_BUFFSIZE);
return -EINVAL;
}
if ((!write_len) && (!read_len)) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 434/737] phy: broadcom: bcm63xx-usbh: fix section mismatches
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 433/737] media: pvrusb2: Fix incorrect variable used in trace message Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 435/737] USB: lpc32xx_udc: Fix error handling in probe Greg Kroah-Hartman
` (313 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Álvaro Fernández Rojas,
Johan Hovold, Neil Armstrong, Vinod Koul
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 upstream.
Platform drivers can be probed after their init sections have been
discarded (e.g. on probe deferral or manual rebind through sysfs) so the
probe function and match table must not live in init.
Fixes: 783f6d3dcf35 ("phy: bcm63xx-usbh: Add BCM63xx USBH driver")
Cc: stable@vger.kernel.org # 5.9
Cc: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20251017054537.6884-1-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/phy/broadcom/phy-bcm63xx-usbh.c
+++ b/drivers/phy/broadcom/phy-bcm63xx-usbh.c
@@ -375,7 +375,7 @@ static struct phy *bcm63xx_usbh_phy_xlat
return of_phy_simple_xlate(dev, args);
}
-static int __init bcm63xx_usbh_phy_probe(struct platform_device *pdev)
+static int bcm63xx_usbh_phy_probe(struct platform_device *pdev)
{
struct device *dev = &pdev->dev;
struct bcm63xx_usbh_phy *usbh;
@@ -432,7 +432,7 @@ static int __init bcm63xx_usbh_phy_probe
return 0;
}
-static const struct of_device_id bcm63xx_usbh_phy_ids[] __initconst = {
+static const struct of_device_id bcm63xx_usbh_phy_ids[] = {
{ .compatible = "brcm,bcm6318-usbh-phy", .data = &usbh_bcm6318 },
{ .compatible = "brcm,bcm6328-usbh-phy", .data = &usbh_bcm6328 },
{ .compatible = "brcm,bcm6358-usbh-phy", .data = &usbh_bcm6358 },
@@ -443,7 +443,7 @@ static const struct of_device_id bcm63xx
};
MODULE_DEVICE_TABLE(of, bcm63xx_usbh_phy_ids);
-static struct platform_driver bcm63xx_usbh_phy_driver __refdata = {
+static struct platform_driver bcm63xx_usbh_phy_driver = {
.driver = {
.name = "bcm63xx-usbh-phy",
.of_match_table = bcm63xx_usbh_phy_ids,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 435/737] USB: lpc32xx_udc: Fix error handling in probe
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 434/737] phy: broadcom: bcm63xx-usbh: fix section mismatches Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 436/737] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Greg Kroah-Hartman
` (312 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ma Ke
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit c84117912bddd9e5d87e68daf182410c98181407 upstream.
lpc32xx_udc_probe() acquires an i2c_client reference through
isp1301_get_client() but fails to release it in both error handling
paths and the normal removal path. This could result in a reference
count leak for the I2C device, preventing proper cleanup and potentially
leading to resource exhaustion. Add put_device() to release the
reference in the probe failure path and in the remove function.
Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode()
says, 'The user must call put_device(&client->dev) once done with the
i2c client.'
Found by code review.
Cc: stable <stable@kernel.org>
Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://patch.msgid.link/20251215020931.15324-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -3027,7 +3027,7 @@ static int lpc32xx_udc_probe(struct plat
pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
if (retval)
- return retval;
+ goto i2c_fail;
udc->board = &lpc32xx_usbddata;
@@ -3045,28 +3045,32 @@ static int lpc32xx_udc_probe(struct plat
/* Get IRQs */
for (i = 0; i < 4; i++) {
udc->udp_irq[i] = platform_get_irq(pdev, i);
- if (udc->udp_irq[i] < 0)
- return udc->udp_irq[i];
+ if (udc->udp_irq[i] < 0) {
+ retval = udc->udp_irq[i];
+ goto i2c_fail;
+ }
}
udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(udc->udp_baseaddr)) {
dev_err(udc->dev, "IO map failure\n");
- return PTR_ERR(udc->udp_baseaddr);
+ retval = PTR_ERR(udc->udp_baseaddr);
+ goto i2c_fail;
}
/* Get USB device clock */
udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL);
if (IS_ERR(udc->usb_slv_clk)) {
dev_err(udc->dev, "failed to acquire USB device clock\n");
- return PTR_ERR(udc->usb_slv_clk);
+ retval = PTR_ERR(udc->usb_slv_clk);
+ goto i2c_fail;
}
/* Enable USB device clock */
retval = clk_prepare_enable(udc->usb_slv_clk);
if (retval < 0) {
dev_err(udc->dev, "failed to start USB device clock\n");
- return retval;
+ goto i2c_fail;
}
/* Setup deferred workqueue data */
@@ -3168,6 +3172,8 @@ dma_alloc_fail:
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
i2c_fail:
+ if (udc->isp1301_i2c_client)
+ put_device(&udc->isp1301_i2c_client->dev);
clk_disable_unprepare(udc->usb_slv_clk);
dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
@@ -3193,6 +3199,9 @@ static int lpc32xx_udc_remove(struct pla
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
+ if (udc->isp1301_i2c_client)
+ put_device(&udc->isp1301_i2c_client->dev);
+
clk_disable_unprepare(udc->usb_slv_clk);
return 0;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 436/737] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 435/737] USB: lpc32xx_udc: Fix error handling in probe Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 437/737] usb: phy: isp1301: fix non-OF device reference imbalance Greg Kroah-Hartman
` (311 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Duoming Zhou
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream.
The delayed work item otg_event is initialized in fsl_otg_conf() and
scheduled under two conditions:
1. When a host controller binds to the OTG controller.
2. When the USB ID pin state changes (cable insertion/removal).
A race condition occurs when the device is removed via fsl_otg_remove():
the fsl_otg instance may be freed while the delayed work is still pending
or executing. This leads to use-after-free when the work function
fsl_otg_event() accesses the already freed memory.
The problematic scenario:
(detach thread) | (delayed work)
fsl_otg_remove() |
kfree(fsl_otg_dev) //FREE| fsl_otg_event()
| og = container_of(...) //USE
| og-> //USE
Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
before deallocating the fsl_otg structure. This ensures the delayed work
is properly canceled and completes execution prior to memory deallocation.
This bug was identified through static analysis.
Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/phy/phy-fsl-usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/phy/phy-fsl-usb.c
+++ b/drivers/usb/phy/phy-fsl-usb.c
@@ -987,6 +987,7 @@ static void fsl_otg_remove(struct platfo
{
struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev);
+ disable_delayed_work_sync(&fsl_otg_dev->otg_event);
usb_remove_phy(&fsl_otg_dev->phy);
free_irq(fsl_otg_dev->irq, fsl_otg_dev);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 437/737] usb: phy: isp1301: fix non-OF device reference imbalance
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 436/737] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 438/737] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Greg Kroah-Hartman
` (310 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Johan Hovold,
Vladimir Zapolskiy
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 upstream.
A recent change fixing a device reference leak in a UDC driver
introduced a potential use-after-free in the non-OF case as the
isp1301_get_client() helper only increases the reference count for the
returned I2C device in the OF case.
Increment the reference count also for non-OF so that the caller can
decrement it unconditionally.
Note that this is inherently racy just as using the returned I2C device
is since nothing is preventing the PHY driver from being unbound while
in use.
Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
Cc: stable@vger.kernel.org
Cc: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/phy/phy-isp1301.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/phy/phy-isp1301.c
+++ b/drivers/usb/phy/phy-isp1301.c
@@ -149,7 +149,12 @@ struct i2c_client *isp1301_get_client(st
return client;
/* non-DT: only one ISP1301 chip supported */
- return isp1301_i2c_client;
+ if (isp1301_i2c_client) {
+ get_device(&isp1301_i2c_client->dev);
+ return isp1301_i2c_client;
+ }
+
+ return NULL;
}
EXPORT_SYMBOL_GPL(isp1301_get_client);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 438/737] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 437/737] usb: phy: isp1301: fix non-OF device reference imbalance Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 439/737] usb: dwc3: keep susphy enabled during exit to avoid controller faults Greg Kroah-Hartman
` (309 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Miaoqian Lin, Thinh Nguyen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 3b4961313d31e200c9e974bb1536cdea217f78b5 upstream.
When clk_bulk_prepare_enable() fails, the error path jumps to
err_resetc_assert, skipping clk_bulk_put_all() and leaking the
clock references acquired by clk_bulk_get_all().
Add err_clk_put_all label to properly release clock resources
in all error paths.
Found via static analysis and code review.
Fixes: c0c61471ef86 ("usb: dwc3: of-simple: Convert to bulk clk API")
Cc: stable <stable@kernel.org>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20251211064937.2360510-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-of-simple.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/usb/dwc3/dwc3-of-simple.c
+++ b/drivers/usb/dwc3/dwc3-of-simple.c
@@ -71,11 +71,11 @@ static int dwc3_of_simple_probe(struct p
simple->num_clocks = ret;
ret = clk_bulk_prepare_enable(simple->num_clocks, simple->clks);
if (ret)
- goto err_resetc_assert;
+ goto err_clk_put_all;
ret = of_platform_populate(np, NULL, NULL, dev);
if (ret)
- goto err_clk_put;
+ goto err_clk_disable;
pm_runtime_set_active(dev);
pm_runtime_enable(dev);
@@ -83,8 +83,9 @@ static int dwc3_of_simple_probe(struct p
return 0;
-err_clk_put:
+err_clk_disable:
clk_bulk_disable_unprepare(simple->num_clocks, simple->clks);
+err_clk_put_all:
clk_bulk_put_all(simple->num_clocks, simple->clks);
err_resetc_assert:
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 439/737] usb: dwc3: keep susphy enabled during exit to avoid controller faults
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 438/737] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 440/737] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Greg Kroah-Hartman
` (308 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Thinh Nguyen, Udipto Goswami
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
commit e1003aa7ec9eccdde4c926bd64ef42816ad55f25 upstream.
On some platforms, switching USB roles from host to device can trigger
controller faults due to premature PHY power-down. This occurs when the
PHY is disabled too early during teardown, causing synchronization
issues between the PHY and controller.
Keep susphy enabled during dwc3_host_exit() and dwc3_gadget_exit()
ensures the PHY remains in a low-power state capable of handling
required commands during role switch.
Cc: stable <stable@kernel.org>
Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init")
Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20251126054221.120638-1-udipto.goswami@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 2 +-
drivers/usb/dwc3/host.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -4807,7 +4807,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
if (!dwc->gadget)
return;
- dwc3_enable_susphy(dwc, false);
+ dwc3_enable_susphy(dwc, true);
usb_del_gadget(dwc->gadget);
dwc3_gadget_free_endpoints(dwc);
usb_put_gadget(dwc->gadget);
--- a/drivers/usb/dwc3/host.c
+++ b/drivers/usb/dwc3/host.c
@@ -168,7 +168,7 @@ void dwc3_host_exit(struct dwc3 *dwc)
if (dwc->sys_wakeup)
device_init_wakeup(&dwc->xhci->dev, false);
- dwc3_enable_susphy(dwc, false);
+ dwc3_enable_susphy(dwc, true);
platform_device_unregister(dwc->xhci);
dwc->xhci = NULL;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 440/737] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 439/737] usb: dwc3: keep susphy enabled during exit to avoid controller faults Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 441/737] char: applicom: fix NULL pointer dereference in ac_ioctl Greg Kroah-Hartman
` (307 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Haoxiang Li
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 36cc7e09df9e43db21b46519b740145410dd9f4a upstream.
usbhsp_get_pipe() set pipe's flags to IS_USED. In error paths,
usbhsp_put_pipe() is required to clear pipe's flags to prevent
pipe exhaustion.
Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Cc: stable <stable@kernel.org>
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Link: https://patch.msgid.link/20251204132129.109234-1-haoxiang_li2024@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/renesas_usbhs/pipe.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/renesas_usbhs/pipe.c
+++ b/drivers/usb/renesas_usbhs/pipe.c
@@ -713,11 +713,13 @@ struct usbhs_pipe *usbhs_pipe_malloc(str
/* make sure pipe is not busy */
ret = usbhsp_pipe_barrier(pipe);
if (ret < 0) {
+ usbhsp_put_pipe(pipe);
dev_err(dev, "pipe setup failed %d\n", usbhs_pipe_number(pipe));
return NULL;
}
if (usbhsp_setup_pipecfg(pipe, is_host, dir_in, &pipecfg)) {
+ usbhsp_put_pipe(pipe);
dev_err(dev, "can't setup pipe\n");
return NULL;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 441/737] char: applicom: fix NULL pointer dereference in ac_ioctl
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 440/737] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 442/737] intel_th: Fix error handling in intel_th_output_open Greg Kroah-Hartman
` (306 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tianchu Chen, Arnd Bergmann, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianchu Chen <flynnnchen@tencent.com>
commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream.
Discovered by Atuin - Automated Vulnerability Discovery Engine.
In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.
If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.
Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/applicom.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/char/applicom.c
+++ b/drivers/char/applicom.c
@@ -836,7 +836,10 @@ static long ac_ioctl(struct file *file,
ret = -ENOTTY;
break;
}
- Dummy = readb(apbs[IndexCard].RamIO + VERS);
+
+ if (cmd != 6)
+ Dummy = readb(apbs[IndexCard].RamIO + VERS);
+
kfree(adgl);
mutex_unlock(&ac_mutex);
return ret;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 442/737] intel_th: Fix error handling in intel_th_output_open
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 441/737] char: applicom: fix NULL pointer dereference in ac_ioctl Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 443/737] cpuidle: governors: teo: Drop misguided target residency check Greg Kroah-Hartman
` (305 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ma Ke
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 6d5925b667e4ed9e77c8278cc215191d29454a3f upstream.
intel_th_output_open() calls bus_find_device_by_devt() which
internally increments the device reference count via get_device(), but
this reference is not properly released in several error paths. When
device driver is unavailable, file operations cannot be obtained, or
the driver's open method fails, the function returns without calling
put_device(), leading to a permanent device reference count leak. This
prevents the device from being properly released and could cause
resource exhaustion over time.
Found by code review.
Cc: stable <stable@kernel.org>
Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://patch.msgid.link/20251112091723.35963-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/intel_th/core.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/drivers/hwtracing/intel_th/core.c
+++ b/drivers/hwtracing/intel_th/core.c
@@ -810,13 +810,17 @@ static int intel_th_output_open(struct i
int err;
dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
- if (!dev || !dev->driver)
- return -ENODEV;
+ if (!dev || !dev->driver) {
+ err = -ENODEV;
+ goto out_no_device;
+ }
thdrv = to_intel_th_driver(dev->driver);
fops = fops_get(thdrv->fops);
- if (!fops)
- return -ENODEV;
+ if (!fops) {
+ err = -ENODEV;
+ goto out_put_device;
+ }
replace_fops(file, fops);
@@ -824,10 +828,16 @@ static int intel_th_output_open(struct i
if (file->f_op->open) {
err = file->f_op->open(inode, file);
- return err;
+ if (err)
+ goto out_put_device;
}
return 0;
+
+out_put_device:
+ put_device(dev);
+out_no_device:
+ return err;
}
static const struct file_operations intel_th_output_fops = {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 443/737] cpuidle: governors: teo: Drop misguided target residency check
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 442/737] intel_th: Fix error handling in intel_th_output_open Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 444/737] cpufreq: nforce2: fix reference count leak in nforce2 Greg Kroah-Hartman
` (304 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Christian Loehle
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit a03b2011808ab02ccb7ab6b573b013b77fbb5921 upstream.
When the target residency of the current candidate idle state is
greater than the expected time till the closest timer (the sleep
length), it does not matter whether or not the tick has already been
stopped or if it is going to be stopped. The closest timer will
trigger anyway at its due time, so if an idle state with target
residency above the sleep length is selected, energy will be wasted
and there may be excess latency.
Of course, if the closest timer were canceled before it could trigger,
a deeper idle state would be more suitable, but this is not expected
to happen (generally speaking, hrtimers are not expected to be
canceled as a rule).
Accordingly, the teo_state_ok() check done in that case causes energy to
be wasted more often than it allows any energy to be saved (if it allows
any energy to be saved at all), so drop it and let the governor use the
teo_find_shallower_state() return value as the new candidate idle state
index.
Fixes: 21d28cd2fa5f ("cpuidle: teo: Do not call tick_nohz_get_sleep_length() upfront")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Christian Loehle <christian.loehle@arm.com>
Tested-by: Christian Loehle <christian.loehle@arm.com>
Link: https://patch.msgid.link/5955081.DvuYhMxLoT@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpuidle/governors/teo.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/cpuidle/governors/teo.c
+++ b/drivers/cpuidle/governors/teo.c
@@ -595,11 +595,8 @@ static int teo_select(struct cpuidle_dri
* If the closest expected timer is before the terget residency of the
* candidate state, a shallower one needs to be found.
*/
- if (drv->states[idx].target_residency_ns > duration_ns) {
- i = teo_find_shallower_state(drv, dev, idx, duration_ns, false);
- if (teo_state_ok(i, drv))
- idx = i;
- }
+ if (drv->states[idx].target_residency_ns > duration_ns)
+ idx = teo_find_shallower_state(drv, dev, idx, duration_ns, false);
/*
* If the selected state's target residency is below the tick length
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 444/737] cpufreq: nforce2: fix reference count leak in nforce2
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 443/737] cpuidle: governors: teo: Drop misguided target residency check Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 445/737] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Greg Kroah-Hartman
` (303 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Viresh Kumar
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 9600156bb99852c216a2128cdf9f114eb67c350f upstream.
There are two reference count leaks in this driver:
1. In nforce2_fsb_read(): pci_get_subsys() increases the reference count
of the PCI device, but pci_dev_put() is never called to release it,
thus leaking the reference.
2. In nforce2_detect_chipset(): pci_get_subsys() gets a reference to the
nforce2_dev which is stored in a global variable, but the reference
is never released when the module is unloaded.
Fix both by:
- Adding pci_dev_put(nforce2_sub5) in nforce2_fsb_read() after reading
the configuration.
- Adding pci_dev_put(nforce2_dev) in nforce2_exit() to release the
global device reference.
Found via static analysis.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq-nforce2.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/cpufreq/cpufreq-nforce2.c
+++ b/drivers/cpufreq/cpufreq-nforce2.c
@@ -145,6 +145,8 @@ static unsigned int nforce2_fsb_read(int
pci_read_config_dword(nforce2_sub5, NFORCE2_BOOTFSB, &fsb);
fsb /= 1000000;
+ pci_dev_put(nforce2_sub5);
+
/* Check if PLL register is already set */
pci_read_config_byte(nforce2_dev, NFORCE2_PLLENABLE, (u8 *)&temp);
@@ -432,6 +434,7 @@ static int __init nforce2_init(void)
static void __exit nforce2_exit(void)
{
cpufreq_unregister_driver(&nforce2_driver);
+ pci_dev_put(nforce2_dev);
}
module_init(nforce2_init);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 445/737] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 444/737] cpufreq: nforce2: fix reference count leak in nforce2 Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 446/737] scsi: aic94xx: fix use-after-free in device removal path Greg Kroah-Hartman
` (302 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
commit b57fbc88715b6d18f379463f48a15b560b087ffe upstream.
This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
The commit being reverted added code to __qla2x00_abort_all_cmds() to
call sp->done() without holding a spinlock. But unlike the older code
below it, this new code failed to check sp->cmd_type and just assumed
TYPE_SRB, which results in a jump to an invalid pointer in target-mode
with TYPE_TGT_CMD:
qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
0000000009f7a79b
qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
0x8002 occurred
qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
ha=0000000058183fda.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1
Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x4d/0x8b
? page_fault_oops+0x91/0x180
? trace_buffer_unlock_commit_regs+0x38/0x1a0
? exc_page_fault+0x391/0x5e0
? asm_exc_page_fault+0x22/0x30
__qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
kthread+0xa8/0xd0
</TASK>
Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
lock") added the spinlock back, because not having the lock caused a
race and a crash. But qla2x00_abort_srb() in the switch below already
checks for qla2x00_chip_is_down() and handles it the same way, so the
code above the switch is now redundant and still buggy in target-mode.
Remove it.
Cc: stable@vger.kernel.org
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/3a8022dc-bcfd-4b01-9f9b-7a9ec61fa2a3@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/qla2xxx/qla_os.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1874,12 +1874,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai
for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) {
sp = req->outstanding_cmds[cnt];
if (sp) {
- if (qla2x00_chip_is_down(vha)) {
- req->outstanding_cmds[cnt] = NULL;
- sp->done(sp, res);
- continue;
- }
-
switch (sp->cmd_type) {
case TYPE_SRB:
qla2x00_abort_srb(qp, sp, res, &flags);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 446/737] scsi: aic94xx: fix use-after-free in device removal path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 445/737] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 447/737] NFSD: use correct reservation type in nfsd4_scsi_fence_client Greg Kroah-Hartman
` (301 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Martin K. Petersen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit f6ab594672d4cba08540919a4e6be2e202b60007 upstream.
The asd_pci_remove() function fails to synchronize with pending tasklets
before freeing the asd_ha structure, leading to a potential
use-after-free vulnerability.
When a device removal is triggered (via hot-unplug or module unload),
race condition can occur.
The fix adds tasklet_kill() before freeing the asd_ha structure,
ensuring all scheduled tasklets complete before cleanup proceeds.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/aic94xx/aic94xx_init.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/scsi/aic94xx/aic94xx_init.c
+++ b/drivers/scsi/aic94xx/aic94xx_init.c
@@ -896,6 +896,9 @@ static void asd_pci_remove(struct pci_de
asd_disable_ints(asd_ha);
+ /* Ensure all scheduled tasklets complete before freeing resources */
+ tasklet_kill(&asd_ha->seq.dl_tasklet);
+
asd_remove_dev_attrs(asd_ha);
/* XXX more here as needed */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 447/737] NFSD: use correct reservation type in nfsd4_scsi_fence_client
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 446/737] scsi: aic94xx: fix use-after-free in device removal path Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 448/737] scsi: target: Reset t_task_cdb pointer in error case Greg Kroah-Hartman
` (300 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dai Ngo, Christoph Hellwig,
Chuck Lever
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dai Ngo <dai.ngo@oracle.com>
commit 6f52063db9aabdaabea929b1e998af98c2e8d917 upstream.
The reservation type argument for the pr_preempt call should match the
one used in nfsd4_block_get_device_info_scsi.
Fixes: f99d4fbdae67 ("nfsd: add SCSI layout support")
Cc: stable@vger.kernel.org
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/blocklayout.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfsd/blocklayout.c
+++ b/fs/nfsd/blocklayout.c
@@ -334,7 +334,8 @@ nfsd4_scsi_fence_client(struct nfs4_layo
struct block_device *bdev = ls->ls_file->nf_file->f_path.mnt->mnt_sb->s_bdev;
bdev->bd_disk->fops->pr_ops->pr_preempt(bdev, NFSD_MDS_PR_KEY,
- nfsd4_scsi_pr_key(clp), 0, true);
+ nfsd4_scsi_pr_key(clp),
+ PR_EXCLUSIVE_ACCESS_REG_ONLY, true);
}
const struct nfsd4_layout_ops scsi_layout_ops = {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 448/737] scsi: target: Reset t_task_cdb pointer in error case
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 447/737] NFSD: use correct reservation type in nfsd4_scsi_fence_client Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 449/737] f2fs: ensure node page reads complete before f2fs_put_super() finishes Greg Kroah-Hartman
` (299 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Vatoropin, Mike Christie,
Martin K. Petersen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Vatoropin <a.vatoropin@crpt.ru>
commit 5053eab38a4c4543522d0c320c639c56a8b59908 upstream.
If allocation of cmd->t_task_cdb fails, it remains NULL but is later
dereferenced in the 'err' path.
In case of error, reset NULL t_task_cdb value to point at the default
fixed-size buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference")
Cc: stable@vger.kernel.org
Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Link: https://patch.msgid.link/20251118084014.324940-1-a.vatoropin@crpt.ru
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_transport.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1524,6 +1524,7 @@ target_cmd_init_cdb(struct se_cmd *cmd,
if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) {
cmd->t_task_cdb = kzalloc(scsi_command_size(cdb), gfp);
if (!cmd->t_task_cdb) {
+ cmd->t_task_cdb = &cmd->__t_task_cdb[0];
pr_err("Unable to allocate cmd->t_task_cdb"
" %u > sizeof(cmd->__t_task_cdb): %lu ops\n",
scsi_command_size(cdb),
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 449/737] f2fs: ensure node page reads complete before f2fs_put_super() finishes
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 448/737] scsi: target: Reset t_task_cdb pointer in error case Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 450/737] f2fs: fix to avoid updating zero-sized extent in extent cache Greg Kroah-Hartman
` (298 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jan Prusakowski, Chao Yu,
Jaegeuk Kim
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Prusakowski <jprusakowski@google.com>
commit 297baa4aa263ff8f5b3d246ee16a660d76aa82c4 upstream.
Xfstests generic/335, generic/336 sometimes crash with the following message:
F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1
------------[ cut here ]------------
kernel BUG at fs/f2fs/super.c:1939!
Oops: invalid opcode: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 609351 Comm: umount Tainted: G W 6.17.0-rc5-xfstests-g9dd1835ecda5 #1 PREEMPT(none)
Tainted: [W]=WARN
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:f2fs_put_super+0x3b3/0x3c0
Call Trace:
<TASK>
generic_shutdown_super+0x7e/0x190
kill_block_super+0x1a/0x40
kill_f2fs_super+0x9d/0x190
deactivate_locked_super+0x30/0xb0
cleanup_mnt+0xba/0x150
task_work_run+0x5c/0xa0
exit_to_user_mode_loop+0xb7/0xc0
do_syscall_64+0x1ae/0x1c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
---[ end trace 0000000000000000 ]---
It appears that sometimes it is possible that f2fs_put_super() is called before
all node page reads are completed.
Adding a call to f2fs_wait_on_all_pages() for F2FS_RD_NODE fixes the problem.
Cc: stable@kernel.org
Fixes: 20872584b8c0b ("f2fs: fix to drop all dirty meta/node pages during umount()")
Signed-off-by: Jan Prusakowski <jprusakowski@google.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1637,14 +1637,6 @@ static void f2fs_put_super(struct super_
truncate_inode_pages_final(META_MAPPING(sbi));
}
- for (i = 0; i < NR_COUNT_TYPE; i++) {
- if (!get_pages(sbi, i))
- continue;
- f2fs_err(sbi, "detect filesystem reference count leak during "
- "umount, type: %d, count: %lld", i, get_pages(sbi, i));
- f2fs_bug_on(sbi, 1);
- }
-
f2fs_bug_on(sbi, sbi->fsync_node_num);
f2fs_destroy_compress_inode(sbi);
@@ -1655,6 +1647,15 @@ static void f2fs_put_super(struct super_
iput(sbi->meta_inode);
sbi->meta_inode = NULL;
+ /* Should check the page counts after dropping all node/meta pages */
+ for (i = 0; i < NR_COUNT_TYPE; i++) {
+ if (!get_pages(sbi, i))
+ continue;
+ f2fs_err(sbi, "detect filesystem reference count leak during "
+ "umount, type: %d, count: %lld", i, get_pages(sbi, i));
+ f2fs_bug_on(sbi, 1);
+ }
+
/*
* iput() can update stat information, if f2fs_write_checkpoint()
* above failed with error.
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 450/737] f2fs: fix to avoid updating zero-sized extent in extent cache
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 449/737] f2fs: ensure node page reads complete before f2fs_put_super() finishes Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 451/737] f2fs: invalidate dentry cache on failed whiteout creation Greg Kroah-Hartman
` (297 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+24124df3170c3638b35f,
Chao Yu, Jaegeuk Kim
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit 7c37c79510329cd951a4dedf3f7bf7e2b18dccec upstream.
As syzbot reported:
F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]
------------[ cut here ]------------
kernel BUG at fs/f2fs/extent_cache.c:678!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678
Call Trace:
<TASK>
f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085
f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]
f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737
f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030
vfs_fallocate+0x669/0x7e0 fs/open.c:342
ioctl_preallocate fs/ioctl.c:289 [inline]
file_ioctl+0x611/0x780 fs/ioctl.c:-1
do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576
__do_sys_ioctl fs/ioctl.c:595 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07bc58eec9
In error path of f2fs_zero_range(), it may add a zero-sized extent
into extent cache, it should be avoided.
Fixes: 6e9619499f53 ("f2fs: support in batch fzero in dnode page")
Cc: stable@kernel.org
Reported-by: syzbot+24124df3170c3638b35f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/68e5d698.050a0220.256323.0032.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/file.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1584,8 +1584,11 @@ static int f2fs_do_zero_range(struct dno
f2fs_set_data_blkaddr(dn, NEW_ADDR);
}
- f2fs_update_read_extent_cache_range(dn, start, 0, index - start);
- f2fs_update_age_extent_cache_range(dn, start, index - start);
+ if (index > start) {
+ f2fs_update_read_extent_cache_range(dn, start, 0,
+ index - start);
+ f2fs_update_age_extent_cache_range(dn, start, index - start);
+ }
return ret;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 451/737] f2fs: invalidate dentry cache on failed whiteout creation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 450/737] f2fs: fix to avoid updating zero-sized extent in extent cache Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 452/737] f2fs: fix age extent cache insertion skip on counter overflow Greg Kroah-Hartman
` (296 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+632cf32276a9a564188d, Chao Yu,
Deepanshu Kartikey, Jaegeuk Kim
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit d33f89b34aa313f50f9a512d58dd288999f246b0 upstream.
F2FS can mount filesystems with corrupted directory depth values that
get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
operations are performed on such directories, f2fs_rename performs
directory modifications (updating target entry and deleting source
entry) before attempting to add the whiteout entry via f2fs_add_link.
If f2fs_add_link fails due to the corrupted directory structure, the
function returns an error to VFS, but the partial directory
modifications have already been committed to disk. VFS assumes the
entire rename operation failed and does not update the dentry cache,
leaving stale mappings.
In the error path, VFS does not call d_move() to update the dentry
cache. This results in new_dentry still pointing to the old inode
(new_inode) which has already had its i_nlink decremented to zero.
The stale cache causes subsequent operations to incorrectly reference
the freed inode.
This causes subsequent operations to use cached dentry information that
no longer matches the on-disk state. When a second rename targets the
same entry, VFS attempts to decrement i_nlink on the stale inode, which
may already have i_nlink=0, triggering a WARNING in drop_nlink().
Example sequence:
1. First rename (RENAME_WHITEOUT): file2 → file1
- f2fs updates file1 entry on disk (points to inode 8)
- f2fs deletes file2 entry on disk
- f2fs_add_link(whiteout) fails (corrupted directory)
- Returns error to VFS
- VFS does not call d_move() due to error
- VFS cache still has: file1 → inode 7 (stale!)
- inode 7 has i_nlink=0 (already decremented)
2. Second rename: file3 → file1
- VFS uses stale cache: file1 → inode 7
- Tries to drop_nlink on inode 7 (i_nlink already 0)
- WARNING in drop_nlink()
Fix this by explicitly invalidating old_dentry and new_dentry when
f2fs_add_link fails during whiteout creation. This forces VFS to
refresh from disk on subsequent operations, ensuring cache consistency
even when the rename partially succeeds.
Reproducer:
1. Mount F2FS image with corrupted i_current_depth
2. renameat2(file2, file1, RENAME_WHITEOUT)
3. renameat2(file3, file1, 0)
4. System triggers WARNING in drop_nlink()
Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT")
Reported-by: syzbot+632cf32276a9a564188d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=632cf32276a9a564188d
Suggested-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/all/20251022233349.102728-1-kartikey406@gmail.com/ [v1]
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/namei.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -1044,9 +1044,11 @@ static int f2fs_rename(struct mnt_idmap
if (whiteout) {
set_inode_flag(whiteout, FI_INC_LINK);
err = f2fs_add_link(old_dentry, whiteout);
- if (err)
+ if (err) {
+ d_invalidate(old_dentry);
+ d_invalidate(new_dentry);
goto put_out_dir;
-
+ }
spin_lock(&whiteout->i_lock);
whiteout->i_state &= ~I_LINKABLE;
spin_unlock(&whiteout->i_lock);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 452/737] f2fs: fix age extent cache insertion skip on counter overflow
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 451/737] f2fs: invalidate dentry cache on failed whiteout creation Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 453/737] f2fs: fix return value of f2fs_recover_fsync_data() Greg Kroah-Hartman
` (295 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Xiaole He, Chao Yu,
Jaegeuk Kim
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaole He <hexiaole1994@126.com>
commit 27bf6a637b7613fc85fa6af468b7d612d78cd5c0 upstream.
The age extent cache uses last_blocks (derived from
allocated_data_blocks) to determine data age. However, there's a
conflict between the deletion
marker (last_blocks=0) and legitimate last_blocks=0 cases when
allocated_data_blocks overflows to 0 after reaching ULLONG_MAX.
In this case, valid extents are incorrectly skipped due to the
"if (!tei->last_blocks)" check in __update_extent_tree_range().
This patch fixes the issue by:
1. Reserving ULLONG_MAX as an invalid/deletion marker
2. Limiting allocated_data_blocks to range [0, ULLONG_MAX-1]
3. Using F2FS_EXTENT_AGE_INVALID for deletion scenarios
4. Adjusting overflow age calculation from ULLONG_MAX to (ULLONG_MAX-1)
Reproducer (using a patched kernel with allocated_data_blocks
initialized to ULLONG_MAX - 3 for quick testing):
Step 1: Mount and check initial state
# dd if=/dev/zero of=/tmp/test.img bs=1M count=100
# mkfs.f2fs -f /tmp/test.img
# mkdir -p /mnt/f2fs_test
# mount -t f2fs -o loop,age_extent_cache /tmp/test.img /mnt/f2fs_test
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 18446744073709551612 # ULLONG_MAX - 3
Inner Struct Count: tree: 1(0), node: 0
Step 2: Create files and write data to trigger overflow
# touch /mnt/f2fs_test/{1,2,3,4}.txt; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 18446744073709551613 # ULLONG_MAX - 2
Inner Struct Count: tree: 5(0), node: 1
# dd if=/dev/urandom of=/mnt/f2fs_test/1.txt bs=4K count=1; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 18446744073709551614 # ULLONG_MAX - 1
Inner Struct Count: tree: 5(0), node: 2
# dd if=/dev/urandom of=/mnt/f2fs_test/2.txt bs=4K count=1; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 18446744073709551615 # ULLONG_MAX
Inner Struct Count: tree: 5(0), node: 3
# dd if=/dev/urandom of=/mnt/f2fs_test/3.txt bs=4K count=1; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 0 # Counter overflowed!
Inner Struct Count: tree: 5(0), node: 4
Step 3: Trigger the bug - next write should create node but gets skipped
# dd if=/dev/urandom of=/mnt/f2fs_test/4.txt bs=4K count=1; sync
# cat /sys/kernel/debug/f2fs/status | grep -A 4 "Block Age"
Allocated Data Blocks: 1
Inner Struct Count: tree: 5(0), node: 4
Expected: node: 5 (new extent node for 4.txt)
Actual: node: 4 (extent insertion was incorrectly skipped due to
last_blocks = allocated_data_blocks = 0 in __get_new_block_age)
After this fix, the extent node is correctly inserted and node count
becomes 5 as expected.
Fixes: 71644dff4811 ("f2fs: add block_age-based extent cache")
Cc: stable@kernel.org
Signed-off-by: Xiaole He <hexiaole1994@126.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/extent_cache.c | 5 +++--
fs/f2fs/f2fs.h | 6 ++++++
fs/f2fs/segment.c | 9 +++++++--
3 files changed, 16 insertions(+), 4 deletions(-)
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -755,7 +755,7 @@ static void __update_extent_tree_range(s
}
goto out_read_extent_cache;
update_age_extent_cache:
- if (!tei->last_blocks)
+ if (tei->last_blocks == F2FS_EXTENT_AGE_INVALID)
goto out_read_extent_cache;
__set_extent_info(&ei, fofs, len, 0, false,
@@ -859,7 +859,7 @@ static int __get_new_block_age(struct in
cur_age = cur_blocks - tei.last_blocks;
else
/* allocated_data_blocks overflow */
- cur_age = ULLONG_MAX - tei.last_blocks + cur_blocks;
+ cur_age = (ULLONG_MAX - 1) - tei.last_blocks + cur_blocks;
if (tei.age)
ei->age = __calculate_block_age(sbi, cur_age, tei.age);
@@ -1063,6 +1063,7 @@ void f2fs_update_age_extent_cache_range(
struct extent_info ei = {
.fofs = fofs,
.len = len,
+ .last_blocks = F2FS_EXTENT_AGE_INVALID,
};
if (!__may_extent_tree(dn->inode, EX_BLOCK_AGE))
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -626,6 +626,12 @@ enum extent_type {
NR_EXTENT_CACHES,
};
+/*
+ * Reserved value to mark invalid age extents, hence valid block range
+ * from 0 to ULLONG_MAX-1
+ */
+#define F2FS_EXTENT_AGE_INVALID ULLONG_MAX
+
struct extent_info {
unsigned int fofs; /* start offset in a file */
unsigned int len; /* length of the extent */
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -3542,8 +3542,13 @@ skip_new_segment:
locate_dirty_segment(sbi, GET_SEGNO(sbi, old_blkaddr));
locate_dirty_segment(sbi, GET_SEGNO(sbi, *new_blkaddr));
- if (IS_DATASEG(curseg->seg_type))
- atomic64_inc(&sbi->allocated_data_blocks);
+ if (IS_DATASEG(curseg->seg_type)) {
+ unsigned long long new_val;
+
+ new_val = atomic64_inc_return(&sbi->allocated_data_blocks);
+ if (unlikely(new_val == ULLONG_MAX))
+ atomic64_set(&sbi->allocated_data_blocks, 0);
+ }
up_write(&sit_i->sentry_lock);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 453/737] f2fs: fix return value of f2fs_recover_fsync_data()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 452/737] f2fs: fix age extent cache insertion skip on counter overflow Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 454/737] tools/testing/nvdimm: Use per-DIMM device handle Greg Kroah-Hartman
` (294 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Chao Yu, Jaegeuk Kim
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit 01fba45deaddcce0d0b01c411435d1acf6feab7b upstream.
With below scripts, it will trigger panic in f2fs:
mkfs.f2fs -f /dev/vdd
mount /dev/vdd /mnt/f2fs
touch /mnt/f2fs/foo
sync
echo 111 >> /mnt/f2fs/foo
f2fs_io fsync /mnt/f2fs/foo
f2fs_io shutdown 2 /mnt/f2fs
umount /mnt/f2fs
mount -o ro,norecovery /dev/vdd /mnt/f2fs
or
mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
F2FS-fs (vdd): Stopped filesystem due to reason: 0
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
Filesystem f2fs get_tree() didn't set fc->root, returned 1
------------[ cut here ]------------
kernel BUG at fs/super.c:1761!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vfs_get_tree.cold+0x18/0x1a
Call Trace:
<TASK>
fc_mount+0x13/0xa0
path_mount+0x34e/0xc50
__x64_sys_mount+0x121/0x150
do_syscall_64+0x84/0x800
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa6cc126cfe
The root cause is we missed to handle error number returned from
f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
ro,disable_roll_forward mount option, result in returning a positive
error number to vfs_get_tree(), fix it.
Cc: stable@kernel.org
Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4692,11 +4692,15 @@ try_onemore:
}
} else {
err = f2fs_recover_fsync_data(sbi, true);
-
- if (!f2fs_readonly(sb) && err > 0) {
- err = -EINVAL;
- f2fs_err(sbi, "Need to recover fsync data");
- goto free_meta;
+ if (err > 0) {
+ if (!f2fs_readonly(sb)) {
+ f2fs_err(sbi, "Need to recover fsync data");
+ err = -EINVAL;
+ goto free_meta;
+ } else {
+ f2fs_info(sbi, "drop all fsynced data");
+ err = 0;
+ }
}
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 454/737] tools/testing/nvdimm: Use per-DIMM device handle
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 453/737] f2fs: fix return value of f2fs_recover_fsync_data() Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 455/737] media: vidtv: initialize local pointers upon transfer of memory ownership Greg Kroah-Hartman
` (293 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alison Schofield, Ira Weiny,
Dave Jiang
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alison Schofield <alison.schofield@intel.com>
commit f59b701b4674f7955170b54c4167c5590f4714eb upstream.
KASAN reports a global-out-of-bounds access when running these nfit
tests: clear.sh, pmem-errors.sh, pfn-meta-errors.sh, btt-errors.sh,
daxdev-errors.sh, and inject-error.sh.
[] BUG: KASAN: global-out-of-bounds in nfit_test_ctl+0x769f/0x7840 [nfit_test]
[] Read of size 4 at addr ffffffffc03ea01c by task ndctl/1215
[] The buggy address belongs to the variable:
[] handle+0x1c/0x1df4 [nfit_test]
nfit_test_search_spa() uses handle[nvdimm->id] to retrieve a device
handle and triggers a KASAN error when it reads past the end of the
handle array. It should not be indexing the handle array at all.
The correct device handle is stored in per-DIMM test data. Each DIMM
has a struct nfit_mem that embeds a struct acpi_nfit_memdev that
describes the NFIT device handle. Use that device handle here.
Fixes: 10246dc84dfc ("acpi nfit: nfit_test supports translate SPA")
Cc: stable@vger.kernel.org
Signed-off-by: Alison Schofield <alison.schofield@intel.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>> ---
Link: https://patch.msgid.link/20251031234227.1303113-1-alison.schofield@intel.com
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/nvdimm/test/nfit.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/tools/testing/nvdimm/test/nfit.c
+++ b/tools/testing/nvdimm/test/nfit.c
@@ -670,6 +670,7 @@ static int nfit_test_search_spa(struct n
.addr = spa->spa,
.region = NULL,
};
+ struct nfit_mem *nfit_mem;
u64 dpa;
ret = device_for_each_child(&bus->dev, &ctx,
@@ -687,8 +688,12 @@ static int nfit_test_search_spa(struct n
*/
nd_mapping = &nd_region->mapping[nd_region->ndr_mappings - 1];
nvdimm = nd_mapping->nvdimm;
+ nfit_mem = nvdimm_provider_data(nvdimm);
+ if (!nfit_mem)
+ return -EINVAL;
- spa->devices[0].nfit_device_handle = handle[nvdimm->id];
+ spa->devices[0].nfit_device_handle =
+ __to_nfit_memdev(nfit_mem)->device_handle;
spa->num_nvdimms = 1;
spa->devices[0].dpa = dpa;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 455/737] media: vidtv: initialize local pointers upon transfer of memory ownership
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 454/737] tools/testing/nvdimm: Use per-DIMM device handle Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 456/737] ocfs2: fix kernel BUG in ocfs2_find_victim_chain Greg Kroah-Hartman
` (292 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1d9c0edea5907af239e0,
Jeongjun Park, Daniel Almeida, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit 98aabfe2d79f74613abc2b0b1cef08f97eaf5322 upstream.
vidtv_channel_si_init() creates a temporary list (program, service, event)
and ownership of the memory itself is transferred to the PAT/SDT/EIT
tables through vidtv_psi_pat_program_assign(),
vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
The problem here is that the local pointer where the memory ownership
transfer was completed is not initialized to NULL. This causes the
vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
in the flow that jumps to free_eit, the memory that was freed by
vidtv_psi_*_table_destroy() can be accessed again by
vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
is freed once again.
Therefore, to prevent use-after-free and double-free vulnerability,
local pointers must be initialized to NULL when transferring memory
ownership.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+1d9c0edea5907af239e0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1d9c0edea5907af239e0
Fixes: 3be8037960bc ("media: vidtv: add error checks")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -461,12 +461,15 @@ int vidtv_channel_si_init(struct vidtv_m
/* assemble all programs and assign to PAT */
vidtv_psi_pat_program_assign(m->si.pat, programs);
+ programs = NULL;
/* assemble all services and assign to SDT */
vidtv_psi_sdt_service_assign(m->si.sdt, services);
+ services = NULL;
/* assemble all events and assign to EIT */
vidtv_psi_eit_event_assign(m->si.eit, events);
+ events = NULL;
m->si.pmt_secs = vidtv_psi_pmt_create_sec_for_each_pat_entry(m->si.pat,
m->pcr_pid);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 456/737] ocfs2: fix kernel BUG in ocfs2_find_victim_chain
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 455/737] media: vidtv: initialize local pointers upon transfer of memory ownership Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 457/737] KVM: x86: Dont clear async #PF queue when CR0.PG is disabled (e.g. on #SMI) Greg Kroah-Hartman
` (291 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prithvi Tambewagh,
syzbot+96d38c6e1655c1420a72, Joseph Qi, Mark Fasheh, Joel Becker,
Junxiao Bi, Changwei Ge, Jun Piao, Heming Zhao, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prithvi Tambewagh <activprithvi@gmail.com>
commit 039bef30e320827bac8990c9f29d2a68cd8adb5f upstream.
syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
`cl_next_free_rec` field of the allocation chain list (next free slot in
the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec)
condition in ocfs2_find_victim_chain() and panicking the kernel.
To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),
just before calling ocfs2_find_victim_chain(), the code block in it being
executed when either of the following conditions is true:
1. `cl_next_free_rec` is equal to 0, indicating that there are no free
chains in the allocation chain list
2. `cl_next_free_rec` is greater than `cl_count` (the total number of
chains in the allocation chain list)
Either of them being true is indicative of the fact that there are no
chains left for usage.
This is addressed using ocfs2_error(), which prints
the error log for debugging purposes, rather than panicking the kernel.
Link: https://lkml.kernel.org/r/20251201130711.143900-1-activprithvi@gmail.com
Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
Reported-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=96d38c6e1655c1420a72
Tested-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/suballoc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1923,6 +1923,16 @@ static int ocfs2_claim_suballoc_bits(str
}
cl = (struct ocfs2_chain_list *) &fe->id2.i_chain;
+ if (!le16_to_cpu(cl->cl_next_free_rec) ||
+ le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) {
+ status = ocfs2_error(ac->ac_inode->i_sb,
+ "Chain allocator dinode %llu has invalid next "
+ "free chain record %u, but only %u total\n",
+ (unsigned long long)le64_to_cpu(fe->i_blkno),
+ le16_to_cpu(cl->cl_next_free_rec),
+ le16_to_cpu(cl->cl_count));
+ goto bail;
+ }
victim = ocfs2_find_victim_chain(cl);
ac->ac_chain = victim;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 457/737] KVM: x86: Dont clear async #PF queue when CR0.PG is disabled (e.g. on #SMI)
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 456/737] ocfs2: fix kernel BUG in ocfs2_find_victim_chain Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 458/737] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Greg Kroah-Hartman
` (290 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Levitsky <mlevitsk@redhat.com>
commit ab4e41eb9fabd4607304fa7cfe8ec9c0bd8e1552 upstream.
Fix an interaction between SMM and PV asynchronous #PFs where an #SMI can
cause KVM to drop an async #PF ready event, and thus result in guest tasks
becoming permanently stuck due to the task that encountered the #PF never
being resumed. Specifically, don't clear the completion queue when paging
is disabled, and re-check for completed async #PFs if/when paging is
enabled.
Prior to commit 2635b5c4a0e4 ("KVM: x86: interrupt based APF 'page ready'
event delivery"), flushing the APF queue without notifying the guest of
completed APF requests when paging is disabled was "necessary", in that
delivering a #PF to the guest when paging is disabled would likely confuse
and/or crash the guest. And presumably the original async #PF development
assumed that a guest would only disable paging when there was no intent to
ever re-enable paging.
That assumption fails in several scenarios, most visibly on an emulated
SMI, as entering SMM always disables CR0.PG (i.e. initially runs with
paging disabled). When the SMM handler eventually executes RSM, the
interrupted paging-enabled is restored, and the async #PF event is lost.
Similarly, invoking firmware, e.g. via EFI runtime calls, might require a
transition through paging modes and thus also disable paging with valid
entries in the competion queue.
To avoid dropping completion events, drop the "clear" entirely, and handle
paging-enable transitions in the same way KVM already handles APIC
enable/disable events: if a vCPU's APIC is disabled, APF completion events
are not kept pending and not injected while APIC is disabled. Once a
vCPU's APIC is re-enabled, KVM raises KVM_REQ_APF_READY so that the vCPU
recognizes any pending pending #APF ready events.
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251015033258.50974-4-mlevitsk@redhat.com
[sean: rework changelog to call out #PF injection, drop "real mode"
references, expand the code comment]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -855,6 +855,13 @@ bool kvm_require_dr(struct kvm_vcpu *vcp
}
EXPORT_SYMBOL_GPL(kvm_require_dr);
+static bool kvm_pv_async_pf_enabled(struct kvm_vcpu *vcpu)
+{
+ u64 mask = KVM_ASYNC_PF_ENABLED | KVM_ASYNC_PF_DELIVERY_AS_INT;
+
+ return (vcpu->arch.apf.msr_en_val & mask) == mask;
+}
+
static inline u64 pdptr_rsvd_bits(struct kvm_vcpu *vcpu)
{
return vcpu->arch.reserved_gpa_bits | rsvd_bits(5, 8) | rsvd_bits(1, 2);
@@ -947,15 +954,20 @@ void kvm_post_set_cr0(struct kvm_vcpu *v
}
if ((cr0 ^ old_cr0) & X86_CR0_PG) {
- kvm_clear_async_pf_completion_queue(vcpu);
- kvm_async_pf_hash_reset(vcpu);
-
/*
* Clearing CR0.PG is defined to flush the TLB from the guest's
* perspective.
*/
if (!(cr0 & X86_CR0_PG))
kvm_make_request(KVM_REQ_TLB_FLUSH_GUEST, vcpu);
+ /*
+ * Check for async #PF completion events when enabling paging,
+ * as the vCPU may have previously encountered async #PFs (it's
+ * entirely legal for the guest to toggle paging on/off without
+ * waiting for the async #PF queue to drain).
+ */
+ else if (kvm_pv_async_pf_enabled(vcpu))
+ kvm_make_request(KVM_REQ_APF_READY, vcpu);
}
if ((cr0 ^ old_cr0) & KVM_MMU_CR0_ROLE_BITS)
@@ -3398,13 +3410,6 @@ static int set_msr_mce(struct kvm_vcpu *
return 0;
}
-static inline bool kvm_pv_async_pf_enabled(struct kvm_vcpu *vcpu)
-{
- u64 mask = KVM_ASYNC_PF_ENABLED | KVM_ASYNC_PF_DELIVERY_AS_INT;
-
- return (vcpu->arch.apf.msr_en_val & mask) == mask;
-}
-
static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
{
gpa_t gpa = data & ~0x3f;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 458/737] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 457/737] KVM: x86: Dont clear async #PF queue when CR0.PG is disabled (e.g. on #SMI) Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 459/737] scs: fix a wrong parameter in __scs_magic Greg Kroah-Hartman
` (289 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tzung-Bi Shih
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
commit 944edca81e7aea15f83cf9a13a6ab67f711e8abd upstream.
After unbinding the driver, another kthread `cros_ec_console_log_work`
is still accessing the device, resulting an UAF and crash.
The driver doesn't unregister the EC device in .remove() which should
shutdown sub-devices synchronously. Fix it.
Fixes: 26a14267aff2 ("platform/chrome: Add ChromeOS EC ISHTP driver")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20251031033900.3577394-1-tzungbi@kernel.org
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec_ishtp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/platform/chrome/cros_ec_ishtp.c
+++ b/drivers/platform/chrome/cros_ec_ishtp.c
@@ -715,6 +715,7 @@ static void cros_ec_ishtp_remove(struct
cancel_work_sync(&client_data->work_ishtp_reset);
cancel_work_sync(&client_data->work_ec_evt);
+ cros_ec_unregister(client_data->ec_dev);
cros_ish_deinit(cros_ish_cl);
ishtp_put_device(cl_device);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 459/737] scs: fix a wrong parameter in __scs_magic
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 458/737] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 460/737] parisc: Do not reprogram affinitiy on ASP chip Greg Kroah-Hartman
` (288 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiyuan Xie, Zhichi Lin,
Sami Tolvanen, Will Deacon, Andrey Konovalov, Kees Cook,
Marco Elver, Yee Lee, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhichi Lin <zhichi.lin@vivo.com>
commit 08bd4c46d5e63b78e77f2605283874bbe868ab19 upstream.
__scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is
given. 'task_scs(tsk)' is the starting address of the task's shadow call
stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's
shadow call stack. Here should be '__scs_magic(task_scs(tsk))'.
The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE
is enabled, the shadow call stack usage checking function
(scs_check_usage) would scan an incorrect memory range. This could lead
to:
1. **Inaccurate stack usage reporting**: The function would calculate
wrong usage statistics for the shadow call stack, potentially showing
incorrect value in kmsg.
2. **Potential kernel crash**: If the value of __scs_magic(tsk)is
greater than that of __scs_magic(task_scs(tsk)), the for loop may
access unmapped memory, potentially causing a kernel panic. However,
this scenario is unlikely because task_struct is allocated via the slab
allocator (which typically returns lower addresses), while the shadow
call stack returned by task_scs(tsk) is allocated via vmalloc(which
typically returns higher addresses).
However, since this is purely a debugging feature
(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not
unaffected. The bug only impacts developers and testers who are actively
debugging stack usage with this configuration enabled.
Link: https://lkml.kernel.org/r/20251011082222.12965-1-zhichi.lin@vivo.com
Fixes: 5bbaf9d1fcb9 ("scs: Add support for stack usage debugging")
Signed-off-by: Jiyuan Xie <xiejiyuan@vivo.com>
Signed-off-by: Zhichi Lin <zhichi.lin@vivo.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Will Deacon <will@kernel.org>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Marco Elver <elver@google.com>
Cc: Will Deacon <will@kernel.org>
Cc: Yee Lee <yee.lee@mediatek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/scs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/scs.c
+++ b/kernel/scs.c
@@ -135,7 +135,7 @@ static void scs_check_usage(struct task_
if (!IS_ENABLED(CONFIG_DEBUG_STACK_USAGE))
return;
- for (p = task_scs(tsk); p < __scs_magic(tsk); ++p) {
+ for (p = task_scs(tsk); p < __scs_magic(task_scs(tsk)); ++p) {
if (!READ_ONCE_NOCHECK(*p))
break;
used += sizeof(*p);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 460/737] parisc: Do not reprogram affinitiy on ASP chip
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 459/737] scs: fix a wrong parameter in __scs_magic Greg Kroah-Hartman
@ 2026-01-09 11:39 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 461/737] libceph: make decode_pool() more resilient against corrupted osdmaps Greg Kroah-Hartman
` (287 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:39 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit dca7da244349eef4d78527cafc0bf80816b261f5 upstream.
The ASP chip is a very old variant of the GSP chip and is used e.g. in
HP 730 workstations. When trying to reprogram the affinity it will crash
with a HPMC as the relevant registers don't seem to be at the usual
location. Let's avoid the crash by checking the sversion. Also note,
that reprogramming isn't necessary either, as the HP730 is a just a
single-CPU machine.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/parisc/gsc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/parisc/gsc.c
+++ b/drivers/parisc/gsc.c
@@ -154,7 +154,9 @@ static int gsc_set_affinity_irq(struct i
gsc_dev->eim = ((u32) gsc_dev->gsc_irq.txn_addr) | gsc_dev->gsc_irq.txn_data;
/* switch IRQ's for devices below LASI/WAX to other CPU */
- gsc_writel(gsc_dev->eim, gsc_dev->hpa + OFFSET_IAR);
+ /* ASP chip (svers 0x70) does not support reprogramming */
+ if (gsc_dev->gsc->id.sversion != 0x70)
+ gsc_writel(gsc_dev->eim, gsc_dev->hpa + OFFSET_IAR);
irq_data_update_effective_affinity(d, &tmask);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 461/737] libceph: make decode_pool() more resilient against corrupted osdmaps
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2026-01-09 11:39 ` [PATCH 6.6 460/737] parisc: Do not reprogram affinitiy on ASP chip Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 462/737] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Greg Kroah-Hartman
` (286 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ziming zhang, Ilya Dryomov, Xiubo Li
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 8c738512714e8c0aa18f8a10c072d5b01c83db39 upstream.
If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.
This patch adds explicit bounds checks for each field that is decoded
or skipped.
Cc: stable@vger.kernel.org
Reported-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Tested-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 118 ++++++++++++++++++++++++------------------------------
1 file changed, 53 insertions(+), 65 deletions(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -806,51 +806,49 @@ static int decode_pool(void **p, void *e
ceph_decode_need(p, end, len, bad);
pool_end = *p + len;
+ ceph_decode_need(p, end, 4 + 4 + 4, bad);
pi->type = ceph_decode_8(p);
pi->size = ceph_decode_8(p);
pi->crush_ruleset = ceph_decode_8(p);
pi->object_hash = ceph_decode_8(p);
-
pi->pg_num = ceph_decode_32(p);
pi->pgp_num = ceph_decode_32(p);
- *p += 4 + 4; /* skip lpg* */
- *p += 4; /* skip last_change */
- *p += 8 + 4; /* skip snap_seq, snap_epoch */
+ /* lpg*, last_change, snap_seq, snap_epoch */
+ ceph_decode_skip_n(p, end, 8 + 4 + 8 + 4, bad);
/* skip snaps */
- num = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, num, bad);
while (num--) {
- *p += 8; /* snapid key */
- *p += 1 + 1; /* versions */
- len = ceph_decode_32(p);
- *p += len;
+ /* snapid key, pool snap (with versions) */
+ ceph_decode_skip_n(p, end, 8 + 2, bad);
+ ceph_decode_skip_string(p, end, bad);
}
- /* skip removed_snaps */
- num = ceph_decode_32(p);
- *p += num * (8 + 8);
+ /* removed_snaps */
+ ceph_decode_skip_map(p, end, 64, 64, bad);
+ ceph_decode_need(p, end, 8 + 8 + 4, bad);
*p += 8; /* skip auid */
pi->flags = ceph_decode_64(p);
*p += 4; /* skip crash_replay_interval */
if (ev >= 7)
- pi->min_size = ceph_decode_8(p);
+ ceph_decode_8_safe(p, end, pi->min_size, bad);
else
pi->min_size = pi->size - pi->size / 2;
if (ev >= 8)
- *p += 8 + 8; /* skip quota_max_* */
+ /* quota_max_* */
+ ceph_decode_skip_n(p, end, 8 + 8, bad);
if (ev >= 9) {
- /* skip tiers */
- num = ceph_decode_32(p);
- *p += num * 8;
+ /* tiers */
+ ceph_decode_skip_set(p, end, 64, bad);
+ ceph_decode_need(p, end, 8 + 1 + 8 + 8, bad);
*p += 8; /* skip tier_of */
*p += 1; /* skip cache_mode */
-
pi->read_tier = ceph_decode_64(p);
pi->write_tier = ceph_decode_64(p);
} else {
@@ -858,86 +856,76 @@ static int decode_pool(void **p, void *e
pi->write_tier = -1;
}
- if (ev >= 10) {
- /* skip properties */
- num = ceph_decode_32(p);
- while (num--) {
- len = ceph_decode_32(p);
- *p += len; /* key */
- len = ceph_decode_32(p);
- *p += len; /* val */
- }
- }
+ if (ev >= 10)
+ /* properties */
+ ceph_decode_skip_map(p, end, string, string, bad);
if (ev >= 11) {
- /* skip hit_set_params */
- *p += 1 + 1; /* versions */
- len = ceph_decode_32(p);
- *p += len;
+ /* hit_set_params (with versions) */
+ ceph_decode_skip_n(p, end, 2, bad);
+ ceph_decode_skip_string(p, end, bad);
- *p += 4; /* skip hit_set_period */
- *p += 4; /* skip hit_set_count */
+ /* hit_set_period, hit_set_count */
+ ceph_decode_skip_n(p, end, 4 + 4, bad);
}
if (ev >= 12)
- *p += 4; /* skip stripe_width */
+ /* stripe_width */
+ ceph_decode_skip_32(p, end, bad);
- if (ev >= 13) {
- *p += 8; /* skip target_max_bytes */
- *p += 8; /* skip target_max_objects */
- *p += 4; /* skip cache_target_dirty_ratio_micro */
- *p += 4; /* skip cache_target_full_ratio_micro */
- *p += 4; /* skip cache_min_flush_age */
- *p += 4; /* skip cache_min_evict_age */
- }
-
- if (ev >= 14) {
- /* skip erasure_code_profile */
- len = ceph_decode_32(p);
- *p += len;
- }
+ if (ev >= 13)
+ /* target_max_*, cache_target_*, cache_min_* */
+ ceph_decode_skip_n(p, end, 16 + 8 + 8, bad);
+
+ if (ev >= 14)
+ /* erasure_code_profile */
+ ceph_decode_skip_string(p, end, bad);
/*
* last_force_op_resend_preluminous, will be overridden if the
* map was encoded with RESEND_ON_SPLIT
*/
if (ev >= 15)
- pi->last_force_request_resend = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, pi->last_force_request_resend, bad);
else
pi->last_force_request_resend = 0;
if (ev >= 16)
- *p += 4; /* skip min_read_recency_for_promote */
+ /* min_read_recency_for_promote */
+ ceph_decode_skip_32(p, end, bad);
if (ev >= 17)
- *p += 8; /* skip expected_num_objects */
+ /* expected_num_objects */
+ ceph_decode_skip_64(p, end, bad);
if (ev >= 19)
- *p += 4; /* skip cache_target_dirty_high_ratio_micro */
+ /* cache_target_dirty_high_ratio_micro */
+ ceph_decode_skip_32(p, end, bad);
if (ev >= 20)
- *p += 4; /* skip min_write_recency_for_promote */
+ /* min_write_recency_for_promote */
+ ceph_decode_skip_32(p, end, bad);
if (ev >= 21)
- *p += 1; /* skip use_gmt_hitset */
+ /* use_gmt_hitset */
+ ceph_decode_skip_8(p, end, bad);
if (ev >= 22)
- *p += 1; /* skip fast_read */
+ /* fast_read */
+ ceph_decode_skip_8(p, end, bad);
- if (ev >= 23) {
- *p += 4; /* skip hit_set_grade_decay_rate */
- *p += 4; /* skip hit_set_search_last_n */
- }
+ if (ev >= 23)
+ /* hit_set_grade_decay_rate, hit_set_search_last_n */
+ ceph_decode_skip_n(p, end, 4 + 4, bad);
if (ev >= 24) {
- /* skip opts */
- *p += 1 + 1; /* versions */
- len = ceph_decode_32(p);
- *p += len;
+ /* opts (with versions) */
+ ceph_decode_skip_n(p, end, 2, bad);
+ ceph_decode_skip_string(p, end, bad);
}
if (ev >= 25)
- pi->last_force_request_resend = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, pi->last_force_request_resend, bad);
/* ignore the rest */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 462/737] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 461/737] libceph: make decode_pool() more resilient against corrupted osdmaps Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 463/737] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Greg Kroah-Hartman
` (285 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 0ea9494be9c931ddbc084ad5e11fda91b554cf47 upstream.
WARN and don't restart the hrtimer if KVM's callback runs with the guest's
APIC timer in periodic mode but with a period of '0', as not advancing the
hrtimer's deadline would put the CPU into an infinite loop of hrtimer
events. Observing a period of '0' should be impossible, even when the
hrtimer is running on a different CPU than the vCPU, as KVM is supposed to
cancel the hrtimer before changing (or zeroing) the period, e.g. when
switching from periodic to one-shot.
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251113205114.1647493-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2855,7 +2855,7 @@ static enum hrtimer_restart apic_timer_f
apic_timer_expired(apic, true);
- if (lapic_is_periodic(apic)) {
+ if (lapic_is_periodic(apic) && !WARN_ON_ONCE(!apic->lapic_timer.period)) {
advance_periodic_target_expiration(apic);
hrtimer_add_expires_ns(&ktimer->timer, ktimer->period);
return HRTIMER_RESTART;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 463/737] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 462/737] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 464/737] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer Greg Kroah-Hartman
` (284 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, fuqiang wang, Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: fuqiang wang <fuqiang.wng@gmail.com>
commit 9633f180ce994ab293ce4924a9b7aaf4673aa114 upstream.
When restarting an hrtimer to emulate a the guest's APIC timer in periodic
mode, explicitly set the expiration using the target expiration computed
by advance_periodic_target_expiration() instead of adding the period to
the existing timer. This will allow making adjustments to the expiration,
e.g. to deal with expirations far in the past, without having to implement
the same logic in both advance_periodic_target_expiration() and
apic_timer_fn().
Cc: stable@vger.kernel.org
Signed-off-by: fuqiang wang <fuqiang.wng@gmail.com>
[sean: split to separate patch, write changelog]
Link: https://patch.msgid.link/20251113205114.1647493-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2857,7 +2857,7 @@ static enum hrtimer_restart apic_timer_f
if (lapic_is_periodic(apic) && !WARN_ON_ONCE(!apic->lapic_timer.period)) {
advance_periodic_target_expiration(apic);
- hrtimer_add_expires_ns(&ktimer->timer, ktimer->period);
+ hrtimer_set_expires(&ktimer->timer, ktimer->target_expiration);
return HRTIMER_RESTART;
} else
return HRTIMER_NORESTART;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 464/737] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 463/737] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 465/737] KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE Greg Kroah-Hartman
` (283 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, fuqiang wang, Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: fuqiang wang <fuqiang.wng@gmail.com>
commit 18ab3fc8e880791aa9f7c000261320fc812b5465 upstream.
When advancing the target expiration for the guest's APIC timer in periodic
mode, set the expiration to "now" if the target expiration is in the past
(similar to what is done in update_target_expiration()). Blindly adding
the period to the previous target expiration can result in KVM generating
a practically unbounded number of hrtimer IRQs due to programming an
expired timer over and over. In extreme scenarios, e.g. if userspace
pauses/suspends a VM for an extended duration, this can even cause hard
lockups in the host.
Currently, the bug only affects Intel CPUs when using the hypervisor timer
(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,
a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the
HV timer only runs while the guest is active. As a result, if the vCPU
does not run for an extended duration, there will be a huge gap between
the target expiration and the current time the vCPU resumes running.
Because the target expiration is incremented by only one period on each
timer expiration, this leads to a series of timer expirations occurring
rapidly after the vCPU/VM resumes.
More critically, when the vCPU first triggers a periodic HV timer
expiration after resuming, advancing the expiration by only one period
will result in a target expiration in the past. As a result, the delta
may be calculated as a negative value. When the delta is converted into
an absolute value (tscdeadline is an unsigned u64), the resulting value
can overflow what the HV timer is capable of programming. I.e. the large
value will exceed the VMX Preemption Timer's maximum bit width of
cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the
HV timer to the software timer (hrtimers).
After switching to the software timer, periodic timer expiration callbacks
may be executed consecutively within a single clock interrupt handler,
because hrtimers honors KVM's request for an expiration in the past and
immediately re-invokes KVM's callback after reprogramming. And because
the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer
over and over until the target expiration is advanced to "now" can result
in a hard lockup.
E.g. the following hard lockup was triggered in the host when running a
Windows VM (only relevant because it used the APIC timer in periodic mode)
after resuming the VM from a long suspend (in the host).
NMI watchdog: Watchdog detected hard LOCKUP on cpu 45
...
RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]
...
RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046
RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc
RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500
RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0
R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0
R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8
FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0
PKRU: 55555554
Call Trace:
<IRQ>
apic_timer_fn+0x31/0x50 [kvm]
__hrtimer_run_queues+0x100/0x280
hrtimer_interrupt+0x100/0x210
? ttwu_do_wakeup+0x19/0x160
smp_apic_timer_interrupt+0x6a/0x130
apic_timer_interrupt+0xf/0x20
</IRQ>
Moreover, if the suspend duration of the virtual machine is not long enough
to trigger a hard lockup in this scenario, since commit 98c25ead5eda
("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM
will continue using the software timer until the guest reprograms the APIC
timer in some way. Since the periodic timer does not require frequent APIC
timer register programming, the guest may continue to use the software
timer in perpetuity.
Fixes: d8f2f498d9ed ("x86/kvm: fix LAPIC timer drift when guest uses periodic mode")
Cc: stable@vger.kernel.org
Signed-off-by: fuqiang wang <fuqiang.wng@gmail.com>
[sean: massage comments and changelog]
Link: https://patch.msgid.link/20251113205114.1647493-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2058,15 +2058,33 @@ static void advance_periodic_target_expi
ktime_t delta;
/*
- * Synchronize both deadlines to the same time source or
- * differences in the periods (caused by differences in the
- * underlying clocks or numerical approximation errors) will
- * cause the two to drift apart over time as the errors
- * accumulate.
+ * Use kernel time as the time source for both the hrtimer deadline and
+ * TSC-based deadline so that they stay synchronized. Computing each
+ * deadline independently will cause the two deadlines to drift apart
+ * over time as differences in the periods accumulate, e.g. due to
+ * differences in the underlying clocks or numerical approximation errors.
*/
apic->lapic_timer.target_expiration =
ktime_add_ns(apic->lapic_timer.target_expiration,
apic->lapic_timer.period);
+
+ /*
+ * If the new expiration is in the past, e.g. because userspace stopped
+ * running the VM for an extended duration, then force the expiration
+ * to "now" and don't try to play catch-up with the missed events. KVM
+ * will only deliver a single interrupt regardless of how many events
+ * are pending, i.e. restarting the timer with an expiration in the
+ * past will do nothing more than waste host cycles, and can even lead
+ * to a hard lockup in extreme cases.
+ */
+ if (ktime_before(apic->lapic_timer.target_expiration, now))
+ apic->lapic_timer.target_expiration = now;
+
+ /*
+ * Note, ensuring the expiration isn't in the past also prevents delta
+ * from going negative, which could cause the TSC deadline to become
+ * excessively large due to it an unsigned value.
+ */
delta = ktime_sub(apic->lapic_timer.target_expiration, now);
apic->lapic_timer.tscdeadline = kvm_read_l1_tsc(apic->vcpu, tscl) +
nsec_to_cycles(apic->vcpu, delta);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 465/737] KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 464/737] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 466/737] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Greg Kroah-Hartman
` (282 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit 3d80f4c93d3d26d0f9a0dd2844961a632eeea634 upstream.
When emulating L2 instructions, svm_check_intercept() checks whether a
write to CR0 should trigger a synthesized #VMEXIT with
SVM_EXIT_CR0_SEL_WRITE. However, it does not check whether L1 enabled
the intercept for SVM_EXIT_WRITE_CR0, which has higher priority
according to the APM (24593—Rev. 3.42—March 2024, Table 15-7):
When both selective and non-selective CR0-write intercepts are active at
the same time, the non-selective intercept takes priority. With respect
to exceptions, the priority of this intercept is the same as the generic
CR0-write intercept.
Make sure L1 does NOT intercept SVM_EXIT_WRITE_CR0 before checking if
SVM_EXIT_CR0_SEL_WRITE needs to be injected.
Opportunistically tweak the "not CR0" logic to explicitly bail early so
that it's more obvious that only CR0 has a selective intercept, and that
modifying icpt_info.exit_code is functionally necessary so that the call
to nested_svm_exit_handled() checks the correct exit code.
Fixes: cfec82cb7d31 ("KVM: SVM: Add intercept check for emulated cr accesses")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251024192918.3191141-4-yosry.ahmed@linux.dev
[sean: isolate non-CR0 write logic, tweak comments accordingly]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4548,15 +4548,29 @@ static int svm_check_intercept(struct kv
case SVM_EXIT_WRITE_CR0: {
unsigned long cr0, val;
- if (info->intercept == x86_intercept_cr_write)
+ /*
+ * Adjust the exit code accordingly if a CR other than CR0 is
+ * being written, and skip straight to the common handling as
+ * only CR0 has an additional selective intercept.
+ */
+ if (info->intercept == x86_intercept_cr_write && info->modrm_reg) {
icpt_info.exit_code += info->modrm_reg;
+ break;
+ }
- if (icpt_info.exit_code != SVM_EXIT_WRITE_CR0 ||
- info->intercept == x86_intercept_clts)
+ /*
+ * Convert the exit_code to SVM_EXIT_CR0_SEL_WRITE if a
+ * selective CR0 intercept is triggered (the common logic will
+ * treat the selective intercept as being enabled). Note, the
+ * unconditional intercept has higher priority, i.e. this is
+ * only relevant if *only* the selective intercept is enabled.
+ */
+ if (vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_CR0_WRITE) ||
+ !(vmcb12_is_intercept(&svm->nested.ctl, INTERCEPT_SELECTIVE_CR0)))
break;
- if (!(vmcb12_is_intercept(&svm->nested.ctl,
- INTERCEPT_SELECTIVE_CR0)))
+ /* CLTS never triggers INTERCEPT_SELECTIVE_CR0 */
+ if (info->intercept == x86_intercept_clts)
break;
cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 466/737] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 465/737] KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 467/737] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Greg Kroah-Hartman
` (281 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jim Mattson, Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit 7c8b465a1c91f674655ea9cec5083744ec5f796a upstream.
Mark the VMCB_NPT bit as dirty in nested_vmcb02_prepare_save()
on every nested VMRUN.
If L1 changes the PAT MSR between two VMRUN instructions on the same
L1 vCPU, the g_pat field in the associated vmcb02 will change, and the
VMCB_NPT clean bit should be cleared.
Fixes: 4bb170a5430b ("KVM: nSVM: do not mark all VMCB02 fields dirty on nested vmexit")
Cc: stable@vger.kernel.org
Signed-off-by: Jim Mattson <jmattson@google.com>
Link: https://lore.kernel.org/r/20250922162935.621409-3-jmattson@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -544,6 +544,7 @@ static void nested_vmcb02_prepare_save(s
struct kvm_vcpu *vcpu = &svm->vcpu;
nested_vmcb02_compute_g_pat(svm);
+ vmcb_mark_dirty(vmcb02, VMCB_NPT);
/* Load the nested guest state */
if (svm->nested.vmcb12_gpa != svm->nested.last_vmcb12_gpa) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 467/737] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 466/737] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 468/737] KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN Greg Kroah-Hartman
` (280 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Rizzo, Yosry Ahmed,
Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit 5674a76db0213f9db1e4d08e847ff649b46889c0 upstream.
When emulating L2 instructions, svm_check_intercept() checks whether a
write to CR0 should trigger a synthesized #VMEXIT with
SVM_EXIT_CR0_SEL_WRITE. For MOV-to-CR0, SVM_EXIT_CR0_SEL_WRITE is only
triggered if any bit other than CR0.MP and CR0.TS is updated. However,
according to the APM (24593—Rev. 3.42—March 2024, Table 15-7):
The LMSW instruction treats the selective CR0-write
intercept as a non-selective intercept (i.e., it intercepts
regardless of the value being written).
Skip checking the changed bits for x86_intercept_lmsw and always inject
SVM_EXIT_CR0_SEL_WRITE.
Fixes: cfec82cb7d31 ("KVM: SVM: Add intercept check for emulated cr accesses")
Cc: stable@vger.kernel.org
Reported-by: Matteo Rizzo <matteorizzo@google.com>
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251024192918.3191141-3-yosry.ahmed@linux.dev
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4573,20 +4573,20 @@ static int svm_check_intercept(struct kv
if (info->intercept == x86_intercept_clts)
break;
- cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
- val = info->src_val & ~SVM_CR0_SELECTIVE_MASK;
-
+ /* LMSW always triggers INTERCEPT_SELECTIVE_CR0 */
if (info->intercept == x86_intercept_lmsw) {
- cr0 &= 0xfUL;
- val &= 0xfUL;
- /* lmsw can't clear PE - catch this here */
- if (cr0 & X86_CR0_PE)
- val |= X86_CR0_PE;
+ icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;
+ break;
}
+ /*
+ * MOV-to-CR0 only triggers INTERCEPT_SELECTIVE_CR0 if any bit
+ * other than SVM_CR0_SELECTIVE_MASK is changed.
+ */
+ cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
+ val = info->src_val & ~SVM_CR0_SELECTIVE_MASK;
if (cr0 ^ val)
icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;
-
break;
}
case SVM_EXIT_READ_DR0:
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 468/737] KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 467/737] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 469/737] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Greg Kroah-Hartman
` (279 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Rizzo, Jim Mattson,
Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit 93c9e107386dbe1243287a5b14ceca894de372b9 upstream.
Mark the VMCB_PERM_MAP bit as dirty in nested_vmcb02_prepare_control()
on every nested VMRUN.
If L1 changes MSR interception (INTERCEPT_MSR_PROT) between two VMRUN
instructions on the same L1 vCPU, the msrpm_base_pa in the associated
vmcb02 will change, and the VMCB_PERM_MAP clean bit should be cleared.
Fixes: 4bb170a5430b ("KVM: nSVM: do not mark all VMCB02 fields dirty on nested vmexit")
Reported-by: Matteo Rizzo <matteorizzo@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jim Mattson <jmattson@google.com>
Link: https://lore.kernel.org/r/20250922162935.621409-2-jmattson@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -676,6 +676,7 @@ static void nested_vmcb02_prepare_contro
vmcb02->control.nested_ctl = vmcb01->control.nested_ctl;
vmcb02->control.iopm_base_pa = vmcb01->control.iopm_base_pa;
vmcb02->control.msrpm_base_pa = vmcb01->control.msrpm_base_pa;
+ vmcb_mark_dirty(vmcb02, VMCB_PERM_MAP);
/* Done at vmrun: asid. */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 469/737] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN)
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 468/737] KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 470/737] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Greg Kroah-Hartman
` (278 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Yosry Ahmed,
Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit f402ecd7a8b6446547076f4bd24bd5d4dcc94481 upstream.
Set exit_code_hi to -1u as a temporary band-aid to fix a long-standing
(effectively since KVM's inception) bug where KVM treats the exit code as
a 32-bit value, when in reality it's a 64-bit value. Per the APM, offset
0x70 is a single 64-bit value:
070h 63:0 EXITCODE
And a sane reading of the error values defined in "Table C-1. SVM Intercept
Codes" is that negative values use the full 64 bits:
–1 VMEXIT_INVALID Invalid guest state in VMCB.
–2 VMEXIT_BUSYBUSY bit was set in the VMSA
–3 VMEXIT_IDLE_REQUIREDThe sibling thread is not in an idle state
-4 VMEXIT_INVALID_PMC Invalid PMC state
And that interpretation is confirmed by testing on Milan and Turin (by
setting bits in CR0[63:32] to generate VMEXIT_INVALID on VMRUN).
Furthermore, Xen has treated exitcode as a 64-bit value since HVM support
was adding in 2006 (see Xen commit d1bd157fbc ("Big merge the HVM
full-virtualisation abstractions.")).
Cc: Jim Mattson <jmattson@google.com>
Cc: Yosry Ahmed <yosry.ahmed@linux.dev>
Cc: stable@vger.kernel.org
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251113225621.1688428-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -886,7 +886,7 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
if (!nested_vmcb_check_save(vcpu) ||
!nested_vmcb_check_controls(vcpu)) {
vmcb12->control.exit_code = SVM_EXIT_ERR;
- vmcb12->control.exit_code_hi = 0;
+ vmcb12->control.exit_code_hi = -1u;
vmcb12->control.exit_info_1 = 0;
vmcb12->control.exit_info_2 = 0;
goto out;
@@ -919,7 +919,7 @@ out_exit_err:
svm->soft_int_injected = false;
svm->vmcb->control.exit_code = SVM_EXIT_ERR;
- svm->vmcb->control.exit_code_hi = 0;
+ svm->vmcb->control.exit_code_hi = -1u;
svm->vmcb->control.exit_info_1 = 0;
svm->vmcb->control.exit_info_2 = 0;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 470/737] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 469/737] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 471/737] xfs: fix a memory leak in xfs_buf_item_init() Greg Kroah-Hartman
` (277 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Yosry Ahmed,
Sean Christopherson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit da01f64e7470988f8607776aa7afa924208863fb upstream.
Explicitly clear exit_code_hi in the VMCB when synthesizing "normal"
nested VM-Exits, as the full exit code is a 64-bit value (spoiler alert),
and all exit codes for non-failing VMRUN use only bits 31:0.
Cc: Jim Mattson <jmattson@google.com>
Cc: Yosry Ahmed <yosry.ahmed@linux.dev>
Cc: stable@vger.kernel.org
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251113225621.1688428-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 2 ++
arch/x86/kvm/svm/svm.h | 7 ++++---
2 files changed, 6 insertions(+), 3 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2645,6 +2645,7 @@ static bool check_selective_cr0_intercep
if (cr0 ^ val) {
svm->vmcb->control.exit_code = SVM_EXIT_CR0_SEL_WRITE;
+ svm->vmcb->control.exit_code_hi = 0;
ret = (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE);
}
@@ -4647,6 +4648,7 @@ static int svm_check_intercept(struct kv
if (static_cpu_has(X86_FEATURE_NRIPS))
vmcb->control.next_rip = info->next_rip;
vmcb->control.exit_code = icpt_info.exit_code;
+ vmcb->control.exit_code_hi = 0;
vmexit = nested_svm_exit_handled(svm);
ret = (vmexit == NESTED_EXIT_DONE) ? X86EMUL_INTERCEPTED
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -601,9 +601,10 @@ int nested_svm_vmexit(struct vcpu_svm *s
static inline int nested_svm_simple_vmexit(struct vcpu_svm *svm, u32 exit_code)
{
- svm->vmcb->control.exit_code = exit_code;
- svm->vmcb->control.exit_info_1 = 0;
- svm->vmcb->control.exit_info_2 = 0;
+ svm->vmcb->control.exit_code = exit_code;
+ svm->vmcb->control.exit_code_hi = 0;
+ svm->vmcb->control.exit_info_1 = 0;
+ svm->vmcb->control.exit_info_2 = 0;
return nested_svm_vmexit(svm);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 471/737] xfs: fix a memory leak in xfs_buf_item_init()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 470/737] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 472/737] tracing: Do not register unsupported perf events Greg Kroah-Hartman
` (276 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Christoph Hellwig,
Carlos Maiolino, Carlos Maiolino
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit fc40459de82543b565ebc839dca8f7987f16f62e upstream.
xfs_buf_item_get_format() may allocate memory for bip->bli_formats,
free the memory in the error path.
Fixes: c3d5f0c2fb85 ("xfs: complain if anyone tries to create a too-large buffer log item")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_buf_item.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -900,6 +900,7 @@ xfs_buf_item_init(
map_size = DIV_ROUND_UP(chunks, NBWORD);
if (map_size > XFS_BLF_DATAMAP_SIZE) {
+ xfs_buf_item_free_format(bip);
kmem_cache_free(xfs_buf_item_cache, bip);
xfs_err(mp,
"buffer item dirty bitmap (%u uints) too small to reflect %u bytes!",
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 472/737] tracing: Do not register unsupported perf events
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 471/737] xfs: fix a memory leak in xfs_buf_item_init() Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 473/737] PM: runtime: Do not clear needs_force_resume with enabled runtime PM Greg Kroah-Hartman
` (275 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Arnaldo Carvalho de Melo, Jiri Olsa, Namhyung Kim, Ian Rogers,
Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit ef7f38df890f5dcd2ae62f8dbde191d72f3bebae upstream.
Synthetic events currently do not have a function to register perf events.
This leads to calling the tracepoint register functions with a NULL
function pointer which triggers:
------------[ cut here ]------------
WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272
Modules linked in: kvm_intel kvm irqbypass
CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:tracepoint_add_func+0x357/0x370
Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f
RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000
RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8
RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780
R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a
R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78
FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0
Call Trace:
<TASK>
tracepoint_probe_register+0x5d/0x90
synth_event_reg+0x3c/0x60
perf_trace_event_init+0x204/0x340
perf_trace_init+0x85/0xd0
perf_tp_event_init+0x2e/0x50
perf_try_init_event+0x6f/0x230
? perf_event_alloc+0x4bb/0xdc0
perf_event_alloc+0x65a/0xdc0
__se_sys_perf_event_open+0x290/0x9f0
do_syscall_64+0x93/0x7b0
? entry_SYSCALL_64_after_hwframe+0x76/0x7e
? trace_hardirqs_off+0x53/0xc0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Instead, have the code return -ENODEV, which doesn't warn and has perf
error out with:
# perf record -e synthetic:futex_wait
Error:
The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).
"dmesg | grep -i perf" may provide additional information.
Ideally perf should support synthetic events, but for now just fix the
warning. The support can come later.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://patch.msgid.link/20251216182440.147e4453@gandalf.local.home
Fixes: 4b147936fa509 ("tracing: Add support for 'synthetic' events")
Reported-by: Ian Rogers <irogers@google.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -689,6 +689,8 @@ int trace_event_reg(struct trace_event_c
#ifdef CONFIG_PERF_EVENTS
case TRACE_REG_PERF_REGISTER:
+ if (!call->class->perf_probe)
+ return -ENODEV;
return tracepoint_probe_register(call->tp,
call->class->perf_probe,
call);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 473/737] PM: runtime: Do not clear needs_force_resume with enabled runtime PM
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 472/737] tracing: Do not register unsupported perf events Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 474/737] r8169: fix RTL8117 Wake-on-Lan in DASH mode Greg Kroah-Hartman
` (274 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ed Tsai, Rafael J. Wysocki,
Ulf Hansson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 359afc8eb02a518fbdd0cbd462c8c2827c6cbec2 upstream.
Commit 89d9cec3b1e9 ("PM: runtime: Clear power.needs_force_resume in
pm_runtime_reinit()") added provisional clearing of power.needs_force_resume
to pm_runtime_reinit(), but it is done unconditionally which is a
mistake because pm_runtime_reinit() may race with driver probing
and removal [1].
To address this, notice that power.needs_force_resume should never
be set when runtime PM is enabled and so it only needs to be cleared
when runtime PM is disabled, and update pm_runtime_init() to only
clear that flag when runtime PM is disabled.
Fixes: 89d9cec3b1e9 ("PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()")
Reported-by: Ed Tsai <ed.tsai@mediatek.com>
Closes: https://lore.kernel.org/linux-pm/20251215122154.3180001-1-ed.tsai@mediatek.com/ [1]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: 6.17+ <stable@vger.kernel.org> # 6.17+
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://patch.msgid.link/12807571.O9o76ZdvQC@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/power/runtime.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1827,16 +1827,18 @@ void pm_runtime_init(struct device *dev)
*/
void pm_runtime_reinit(struct device *dev)
{
- if (!pm_runtime_enabled(dev)) {
- if (dev->power.runtime_status == RPM_ACTIVE)
- pm_runtime_set_suspended(dev);
- if (dev->power.irq_safe) {
- spin_lock_irq(&dev->power.lock);
- dev->power.irq_safe = 0;
- spin_unlock_irq(&dev->power.lock);
- if (dev->parent)
- pm_runtime_put(dev->parent);
- }
+ if (pm_runtime_enabled(dev))
+ return;
+
+ if (dev->power.runtime_status == RPM_ACTIVE)
+ pm_runtime_set_suspended(dev);
+
+ if (dev->power.irq_safe) {
+ spin_lock_irq(&dev->power.lock);
+ dev->power.irq_safe = 0;
+ spin_unlock_irq(&dev->power.lock);
+ if (dev->parent)
+ pm_runtime_put(dev->parent);
}
/*
* Clear power.needs_force_resume in case it has been set by
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 474/737] r8169: fix RTL8117 Wake-on-Lan in DASH mode
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 473/737] PM: runtime: Do not clear needs_force_resume with enabled runtime PM Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 475/737] fsnotify: do not generate ACCESS/MODIFY events on child for special files Greg Kroah-Hartman
` (273 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Heiner Kallweit,
Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
commit dd75c723ef566f7f009c047f47e0eee95fe348ab upstream.
Wake-on-Lan does currently not work for r8169 in DASH mode, e.g. the
ASUS Pro WS X570-ACE with RTL8168fp/RTL8117.
Fix by not returning early in rtl_prepare_power_down when dash_enabled.
While this fixes WoL, it still kills the OOB RTL8117 remote management
BMC connection. Fix by not calling rtl8168_driver_stop if WoL is enabled.
Fixes: 065c27c184d6 ("r8169: phy power ops")
Signed-off-by: René Rebe <rene@exactco.de>
Cc: stable@vger.kernel.org
Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
Link: https://patch.msgid.link/20251202.194137.1647877804487085954.rene@exactco.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/realtek/r8169_main.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -2581,9 +2581,6 @@ static void rtl_wol_enable_rx(struct rtl
static void rtl_prepare_power_down(struct rtl8169_private *tp)
{
- if (tp->dash_enabled)
- return;
-
if (tp->mac_version == RTL_GIGA_MAC_VER_32 ||
tp->mac_version == RTL_GIGA_MAC_VER_33)
rtl_ephy_write(tp, 0x19, 0xff64);
@@ -4721,7 +4718,7 @@ static void rtl8169_down(struct rtl8169_
rtl_disable_exit_l1(tp);
rtl_prepare_power_down(tp);
- if (tp->dash_type != RTL_DASH_NONE)
+ if (tp->dash_type != RTL_DASH_NONE && !tp->saved_wolopts)
rtl8168_driver_stop(tp);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 475/737] fsnotify: do not generate ACCESS/MODIFY events on child for special files
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 474/737] r8169: fix RTL8117 Wake-on-Lan in DASH mode Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 476/737] net/handshake: restore destructor on submit failure Greg Kroah-Hartman
` (272 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sudheendra Raghav Neela,
Amir Goldstein, Jan Kara
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Goldstein <amir73il@gmail.com>
commit 635bc4def026a24e071436f4f356ea08c0eed6ff upstream.
inotify/fanotify do not allow users with no read access to a file to
subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the
same user to subscribe for watching events on children when the user
has access to the parent directory (e.g. /dev).
Users with no read access to a file but with read access to its parent
directory can still stat the file and see if it was accessed/modified
via atime/mtime change.
The same is not true for special files (e.g. /dev/null). Users will not
generally observe atime/mtime changes when other users read/write to
special files, only when someone sets atime/mtime via utimensat().
Align fsnotify events with this stat behavior and do not generate
ACCESS/MODIFY events to parent watchers on read/write of special files.
The events are still generated to parent watchers on utimensat(). This
closes some side-channels that could be possibly used for information
exfiltration [1].
[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf
Reported-by: Sudheendra Raghav Neela <sneela@tugraz.at>
CC: stable@vger.kernel.org
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/notify/fsnotify.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/notify/fsnotify.c
+++ b/fs/notify/fsnotify.c
@@ -224,8 +224,15 @@ int __fsnotify_parent(struct dentry *den
/*
* Include parent/name in notification either if some notification
* groups require parent info or the parent is interested in this event.
+ * The parent interest in ACCESS/MODIFY events does not apply to special
+ * files, where read/write are not on the filesystem of the parent and
+ * events can provide an undesirable side-channel for information
+ * exfiltration.
*/
- parent_interested = mask & p_mask & ALL_FSNOTIFY_EVENTS;
+ parent_interested = mask & p_mask & ALL_FSNOTIFY_EVENTS &&
+ !(data_type == FSNOTIFY_EVENT_PATH &&
+ d_is_special(dentry) &&
+ (mask & (FS_ACCESS | FS_MODIFY)));
if (parent_needed || parent_interested) {
/* When notifying parent, child should be passed as data */
WARN_ON_ONCE(inode != fsnotify_data_inode(data, data_type));
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 476/737] net/handshake: restore destructor on submit failure
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 475/737] fsnotify: do not generate ACCESS/MODIFY events on child for special files Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 477/737] nfsd: Mark variable __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
` (271 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chuck Lever, caoping, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: caoping <caoping@cmss.chinamobile.com>
commit 6af2a01d65f89e73c1cbb9267f8880d83a88cee4 upstream.
handshake_req_submit() replaces sk->sk_destruct but never restores it when
submission fails before the request is hashed. handshake_sk_destruct() then
returns early and the original destructor never runs, leaking the socket.
Restore sk_destruct on the error path.
Fixes: 3b3009ea8abb ("net/handshake: Create a NETLINK service for handling handshake requests")
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: caoping <caoping@cmss.chinamobile.com>
Link: https://patch.msgid.link/20251204091058.1545151-1-caoping@cmss.chinamobile.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/handshake/request.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/handshake/request.c
+++ b/net/handshake/request.c
@@ -277,6 +277,8 @@ int handshake_req_submit(struct socket *
out_unlock:
spin_unlock(&hn->hn_lock);
out_err:
+ /* Restore original destructor so socket teardown still runs on failure */
+ req->hr_sk->sk_destruct = req->hr_odestruct;
trace_handshake_submit_err(net, req, req->hr_sk, ret);
handshake_req_destroy(req);
return ret;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 477/737] nfsd: Mark variable __maybe_unused to avoid W=1 build break
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 476/737] net/handshake: restore destructor on submit failure Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 478/737] svcrdma: return 0 on success from svc_rdma_copy_inline_range Greg Kroah-Hartman
` (270 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Chuck Lever
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit ebae102897e760e9e6bc625f701dd666b2163bd1 upstream.
Clang is not happy about set but (in some cases) unused variable:
fs/nfsd/export.c:1027:17: error: variable 'inode' set but not used [-Werror,-Wunused-but-set-variable]
since it's used as a parameter to dprintk() which might be configured
a no-op. To avoid uglifying code with the specific ifdeffery just mark
the variable __maybe_unused.
The commit [1], which introduced this behaviour, is quite old and hence
the Fixes tag points to the first of the Git era.
Link: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/?id=0431923fb7a1 [1]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/export.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -1014,7 +1014,7 @@ exp_rootfh(struct net *net, struct auth_
{
struct svc_export *exp;
struct path path;
- struct inode *inode;
+ struct inode *inode __maybe_unused;
struct svc_fh fh;
int err;
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 478/737] svcrdma: return 0 on success from svc_rdma_copy_inline_range
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 477/737] nfsd: Mark variable __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 479/737] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Greg Kroah-Hartman
` (269 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
commit 94972027ab55b200e031059fd6c7a649f8248020 upstream.
The function comment specifies 0 on success and -EINVAL on invalid
parameters. Make the tail return 0 after a successful copy loop.
Fixes: d7cc73972661 ("svcrdma: support multiple Read chunks per RPC")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -834,7 +834,7 @@ static int svc_rdma_copy_inline_range(st
offset += page_len;
}
- return -EINVAL;
+ return 0;
}
/**
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 479/737] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 478/737] svcrdma: return 0 on success from svc_rdma_copy_inline_range Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 480/737] powerpc/kexec: Enable SMT before waking offline CPUs Greg Kroah-Hartman
` (268 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
commit d4b69a6186b215d2dc1ebcab965ed88e8d41768d upstream.
A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.
Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/auth_gss/svcauth_gss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1093,7 +1093,8 @@ static int gss_read_proxy_verf(struct sv
}
length = min_t(unsigned int, inlen, (char *)xdr->end - (char *)xdr->p);
- memcpy(page_address(in_token->pages[0]), xdr->p, length);
+ if (length)
+ memcpy(page_address(in_token->pages[0]), xdr->p, length);
inlen -= length;
to_offs = length;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 480/737] powerpc/kexec: Enable SMT before waking offline CPUs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 479/737] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 481/737] btrfs: dont log conflicting inode if its a dir moved in the current transaction Greg Kroah-Hartman
` (267 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sachin P Bappalige,
Srikar Dronamraju, Nysal Jan K.A., Samir M, Sourabh Jain,
Madhavan Srinivasan
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nysal Jan K.A. <nysal@linux.ibm.com>
commit c2296a1e42418556efbeb5636c4fa6aa6106713a upstream.
If SMT is disabled or a partial SMT state is enabled, when a new kernel
image is loaded for kexec, on reboot the following warning is observed:
kexec: Waking offline cpu 228.
WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:223 kexec_prepare_cpus+0x1b0/0x1bc
[snip]
NIP kexec_prepare_cpus+0x1b0/0x1bc
LR kexec_prepare_cpus+0x1a0/0x1bc
Call Trace:
kexec_prepare_cpus+0x1a0/0x1bc (unreliable)
default_machine_kexec+0x160/0x19c
machine_kexec+0x80/0x88
kernel_kexec+0xd0/0x118
__do_sys_reboot+0x210/0x2c4
system_call_exception+0x124/0x320
system_call_vectored_common+0x15c/0x2ec
This occurs as add_cpu() fails due to cpu_bootable() returning false for
CPUs that fail the cpu_smt_thread_allowed() check or non primary
threads if SMT is disabled.
Fix the issue by enabling SMT and resetting the number of SMT threads to
the number of threads per core, before attempting to wake up all present
CPUs.
Fixes: 38253464bc82 ("cpu/SMT: Create topology_smt_thread_allowed()")
Reported-by: Sachin P Bappalige <sachinpb@linux.ibm.com>
Cc: stable@vger.kernel.org # v6.6+
Reviewed-by: Srikar Dronamraju <srikar@linux.ibm.com>
Signed-off-by: Nysal Jan K.A. <nysal@linux.ibm.com>
Tested-by: Samir M <samir@linux.ibm.com>
Reviewed-by: Sourabh Jain <sourabhjain@linux.ibm.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20251028105516.26258-1-nysal@linux.ibm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/kexec/core_64.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/arch/powerpc/kexec/core_64.c
+++ b/arch/powerpc/kexec/core_64.c
@@ -200,6 +200,23 @@ static void kexec_prepare_cpus_wait(int
mb();
}
+
+/*
+ * The add_cpu() call in wake_offline_cpus() can fail as cpu_bootable()
+ * returns false for CPUs that fail the cpu_smt_thread_allowed() check
+ * or non primary threads if SMT is disabled. Re-enable SMT and set the
+ * number of SMT threads to threads per core.
+ */
+static void kexec_smt_reenable(void)
+{
+#if defined(CONFIG_SMP) && defined(CONFIG_HOTPLUG_SMT)
+ lock_device_hotplug();
+ cpu_smt_num_threads = threads_per_core;
+ cpu_smt_control = CPU_SMT_ENABLED;
+ unlock_device_hotplug();
+#endif
+}
+
/*
* We need to make sure each present CPU is online. The next kernel will scan
* the device tree and assume primary threads are online and query secondary
@@ -214,6 +231,8 @@ static void wake_offline_cpus(void)
{
int cpu = 0;
+ kexec_smt_reenable();
+
for_each_present_cpu(cpu) {
if (!cpu_online(cpu)) {
printk(KERN_INFO "kexec: Waking offline cpu %d.\n",
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 481/737] btrfs: dont log conflicting inode if its a dir moved in the current transaction
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 480/737] powerpc/kexec: Enable SMT before waking offline CPUs Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 482/737] s390/ipl: Clear SBP flag when bootprog is set Greg Kroah-Hartman
` (266 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vyacheslav Kovalevsky, Filipe Manana,
David Sterba
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 266273eaf4d99475f1ae57f687b3e42bc71ec6f0 upstream.
We can't log a conflicting inode if it's a directory and it was moved
from one parent directory to another parent directory in the current
transaction, as this can result an attempt to have a directory with
two hard links during log replay, one for the old parent directory and
another for the new parent directory.
The following scenario triggers that issue:
1) We have directories "dir1" and "dir2" created in a past transaction.
Directory "dir1" has inode A as its parent directory;
2) We move "dir1" to some other directory;
3) We create a file with the name "dir1" in directory inode A;
4) We fsync the new file. This results in logging the inode of the new file
and the inode for the directory "dir1" that was previously moved in the
current transaction. So the log tree has the INODE_REF item for the
new location of "dir1";
5) We move the new file to some other directory. This results in updating
the log tree to included the new INODE_REF for the new location of the
file and removes the INODE_REF for the old location. This happens
during the rename when we call btrfs_log_new_name();
6) We fsync the file, and that persists the log tree changes done in the
previous step (btrfs_log_new_name() only updates the log tree in
memory);
7) We have a power failure;
8) Next time the fs is mounted, log replay happens and when processing
the inode for directory "dir1" we find a new INODE_REF and add that
link, but we don't remove the old link of the inode since we have
not logged the old parent directory of the directory inode "dir1".
As a result after log replay finishes when we trigger writeback of the
subvolume tree's extent buffers, the tree check will detect that we have
a directory a hard link count of 2 and we get a mount failure.
The errors and stack traces reported in dmesg/syslog are like this:
[ 3845.729764] BTRFS info (device dm-0): start tree-log replay
[ 3845.730304] page: refcount:3 mapcount:0 mapping:000000005c8a3027 index:0x1d00 pfn:0x11510c
[ 3845.731236] memcg:ffff9264c02f4e00
[ 3845.731751] aops:btree_aops [btrfs] ino:1
[ 3845.732300] flags: 0x17fffc00000400a(uptodate|private|writeback|node=0|zone=2|lastcpupid=0x1ffff)
[ 3845.733346] raw: 017fffc00000400a 0000000000000000 dead000000000122 ffff9264d978aea8
[ 3845.734265] raw: 0000000000001d00 ffff92650e6d4738 00000003ffffffff ffff9264c02f4e00
[ 3845.735305] page dumped because: eb page dump
[ 3845.735981] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=6 ino=257, invalid nlink: has 2 expect no more than 1 for dir
[ 3845.737786] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14881 owner 5
[ 3845.737789] BTRFS info (device dm-0): refs 4 lock_owner 0 current 30701
[ 3845.737792] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160
[ 3845.737794] inode generation 3 transid 9 size 16 nbytes 16384
[ 3845.737795] block group 0 mode 40755 links 1 uid 0 gid 0
[ 3845.737797] rdev 0 sequence 2 flags 0x0
[ 3845.737798] atime 1764259517.0
[ 3845.737800] ctime 1764259517.572889464
[ 3845.737801] mtime 1764259517.572889464
[ 3845.737802] otime 1764259517.0
[ 3845.737803] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12
[ 3845.737805] index 0 name_len 2
[ 3845.737807] item 2 key (256 DIR_ITEM 2363071922) itemoff 16077 itemsize 34
[ 3845.737808] location key (257 1 0) type 2
[ 3845.737810] transid 9 data_len 0 name_len 4
[ 3845.737811] item 3 key (256 DIR_ITEM 2676584006) itemoff 16043 itemsize 34
[ 3845.737813] location key (258 1 0) type 2
[ 3845.737814] transid 9 data_len 0 name_len 4
[ 3845.737815] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34
[ 3845.737816] location key (257 1 0) type 2
[ 3845.737818] transid 9 data_len 0 name_len 4
[ 3845.737819] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34
[ 3845.737820] location key (258 1 0) type 2
[ 3845.737821] transid 9 data_len 0 name_len 4
[ 3845.737822] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160
[ 3845.737824] inode generation 9 transid 10 size 6 nbytes 0
[ 3845.737825] block group 0 mode 40755 links 2 uid 0 gid 0
[ 3845.737826] rdev 0 sequence 1 flags 0x0
[ 3845.737827] atime 1764259517.572889464
[ 3845.737828] ctime 1764259517.572889464
[ 3845.737830] mtime 1764259517.572889464
[ 3845.737831] otime 1764259517.572889464
[ 3845.737832] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14
[ 3845.737833] index 2 name_len 4
[ 3845.737834] item 8 key (257 INODE_REF 258) itemoff 15787 itemsize 14
[ 3845.737836] index 2 name_len 4
[ 3845.737837] item 9 key (257 DIR_ITEM 2507850652) itemoff 15754 itemsize 33
[ 3845.737838] location key (259 1 0) type 1
[ 3845.737839] transid 10 data_len 0 name_len 3
[ 3845.737840] item 10 key (257 DIR_INDEX 2) itemoff 15721 itemsize 33
[ 3845.737842] location key (259 1 0) type 1
[ 3845.737843] transid 10 data_len 0 name_len 3
[ 3845.737844] item 11 key (258 INODE_ITEM 0) itemoff 15561 itemsize 160
[ 3845.737846] inode generation 9 transid 10 size 8 nbytes 0
[ 3845.737847] block group 0 mode 40755 links 1 uid 0 gid 0
[ 3845.737848] rdev 0 sequence 1 flags 0x0
[ 3845.737849] atime 1764259517.572889464
[ 3845.737850] ctime 1764259517.572889464
[ 3845.737851] mtime 1764259517.572889464
[ 3845.737852] otime 1764259517.572889464
[ 3845.737853] item 12 key (258 INODE_REF 256) itemoff 15547 itemsize 14
[ 3845.737855] index 3 name_len 4
[ 3845.737856] item 13 key (258 DIR_ITEM 1843588421) itemoff 15513 itemsize 34
[ 3845.737857] location key (257 1 0) type 2
[ 3845.737858] transid 10 data_len 0 name_len 4
[ 3845.737860] item 14 key (258 DIR_INDEX 2) itemoff 15479 itemsize 34
[ 3845.737861] location key (257 1 0) type 2
[ 3845.737862] transid 10 data_len 0 name_len 4
[ 3845.737863] item 15 key (259 INODE_ITEM 0) itemoff 15319 itemsize 160
[ 3845.737865] inode generation 10 transid 10 size 0 nbytes 0
[ 3845.737866] block group 0 mode 100600 links 1 uid 0 gid 0
[ 3845.737867] rdev 0 sequence 2 flags 0x0
[ 3845.737868] atime 1764259517.580874966
[ 3845.737869] ctime 1764259517.586121869
[ 3845.737870] mtime 1764259517.580874966
[ 3845.737872] otime 1764259517.580874966
[ 3845.737873] item 16 key (259 INODE_REF 257) itemoff 15306 itemsize 13
[ 3845.737874] index 2 name_len 3
[ 3845.737875] BTRFS error (device dm-0): block=30408704 write time tree block corruption detected
[ 3845.739448] ------------[ cut here ]------------
[ 3845.740092] WARNING: CPU: 5 PID: 30701 at fs/btrfs/disk-io.c:335 btree_csum_one_bio+0x25a/0x270 [btrfs]
[ 3845.741439] Modules linked in: btrfs dm_flakey crc32c_cryptoapi (...)
[ 3845.750626] CPU: 5 UID: 0 PID: 30701 Comm: mount Tainted: G W 6.18.0-rc6-btrfs-next-218+ #1 PREEMPT(full)
[ 3845.752414] Tainted: [W]=WARN
[ 3845.752828] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[ 3845.754499] RIP: 0010:btree_csum_one_bio+0x25a/0x270 [btrfs]
[ 3845.755460] Code: 31 f6 48 89 (...)
[ 3845.758685] RSP: 0018:ffffa8d9c5677678 EFLAGS: 00010246
[ 3845.759450] RAX: 0000000000000000 RBX: ffff92650e6d4738 RCX: 0000000000000000
[ 3845.760309] RDX: 0000000000000000 RSI: ffffffff9aab45b9 RDI: ffff9264c4748000
[ 3845.761239] RBP: ffff9264d4324000 R08: 0000000000000000 R09: ffffa8d9c5677468
[ 3845.762607] R10: ffff926bdc1fffa8 R11: 0000000000000003 R12: ffffa8d9c5677680
[ 3845.764099] R13: 0000000000004000 R14: ffff9264dd624000 R15: ffff9264d978aba8
[ 3845.765094] FS: 00007f751fa5a840(0000) GS:ffff926c42a82000(0000) knlGS:0000000000000000
[ 3845.766226] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3845.766970] CR2: 0000558df1815380 CR3: 000000010ed88003 CR4: 0000000000370ef0
[ 3845.768009] Call Trace:
[ 3845.768392] <TASK>
[ 3845.768714] btrfs_submit_bbio+0x6ee/0x7f0 [btrfs]
[ 3845.769640] ? write_one_eb+0x28e/0x340 [btrfs]
[ 3845.770588] btree_write_cache_pages+0x2f0/0x550 [btrfs]
[ 3845.771286] ? alloc_extent_state+0x19/0x100 [btrfs]
[ 3845.771967] ? merge_next_state+0x1a/0x90 [btrfs]
[ 3845.772586] ? set_extent_bit+0x233/0x8b0 [btrfs]
[ 3845.773198] ? xas_load+0x9/0xc0
[ 3845.773589] ? xas_find+0x14d/0x1a0
[ 3845.773969] do_writepages+0xc6/0x160
[ 3845.774367] filemap_fdatawrite_wbc+0x48/0x60
[ 3845.775003] __filemap_fdatawrite_range+0x5b/0x80
[ 3845.775902] btrfs_write_marked_extents+0x61/0x170 [btrfs]
[ 3845.776707] btrfs_write_and_wait_transaction+0x4e/0xc0 [btrfs]
[ 3845.777379] ? _raw_spin_unlock_irqrestore+0x23/0x40
[ 3845.777923] btrfs_commit_transaction+0x5ea/0xd20 [btrfs]
[ 3845.778551] ? _raw_spin_unlock+0x15/0x30
[ 3845.778986] ? release_extent_buffer+0x34/0x160 [btrfs]
[ 3845.779659] btrfs_recover_log_trees+0x7a3/0x7c0 [btrfs]
[ 3845.780416] ? __pfx_replay_one_buffer+0x10/0x10 [btrfs]
[ 3845.781499] open_ctree+0x10bb/0x15f0 [btrfs]
[ 3845.782194] btrfs_get_tree.cold+0xb/0x16c [btrfs]
[ 3845.782764] ? fscontext_read+0x15c/0x180
[ 3845.783202] ? rw_verify_area+0x50/0x180
[ 3845.783667] vfs_get_tree+0x25/0xd0
[ 3845.784047] vfs_cmd_create+0x59/0xe0
[ 3845.784458] __do_sys_fsconfig+0x4f6/0x6b0
[ 3845.784914] do_syscall_64+0x50/0x1220
[ 3845.785340] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 3845.785980] RIP: 0033:0x7f751fc7f4aa
[ 3845.786759] Code: 73 01 c3 48 (...)
[ 3845.789951] RSP: 002b:00007ffcdba45dc8 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
[ 3845.791402] RAX: ffffffffffffffda RBX: 000055ccc8291c20 RCX: 00007f751fc7f4aa
[ 3845.792688] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
[ 3845.794308] RBP: 000055ccc8292120 R08: 0000000000000000 R09: 0000000000000000
[ 3845.795829] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 3845.797183] R13: 00007f751fe11580 R14: 00007f751fe1326c R15: 00007f751fdf8a23
[ 3845.798633] </TASK>
[ 3845.799067] ---[ end trace 0000000000000000 ]---
[ 3845.800215] BTRFS: error (device dm-0) in btrfs_commit_transaction:2553: errno=-5 IO failure (Error while writing out transaction)
[ 3845.801860] BTRFS warning (device dm-0 state E): Skipping commit of aborted transaction.
[ 3845.802815] BTRFS error (device dm-0 state EA): Transaction aborted (error -5)
[ 3845.803728] BTRFS: error (device dm-0 state EA) in cleanup_transaction:2036: errno=-5 IO failure
[ 3845.805374] BTRFS: error (device dm-0 state EA) in btrfs_replay_log:2083: errno=-5 IO failure (Failed to recover log tree)
[ 3845.807919] BTRFS error (device dm-0 state EA): open_ctree failed: -5
Fix this by never logging a conflicting inode that is a directory and was
moved in the current transaction (its last_unlink_trans equals the current
transaction) and instead fallback to a transaction commit.
A test case for fstests will follow soon.
Reported-by: Vyacheslav Kovalevsky <slva.kovalevskiy.2014@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/7bbc9419-5c56-450a-b5a0-efeae7457113@gmail.com/
CC: stable@vger.kernel.org # 6.1+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-log.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -5704,6 +5704,33 @@ static int conflicting_inode_is_dir(stru
return ret;
}
+static bool can_log_conflicting_inode(const struct btrfs_trans_handle *trans,
+ const struct btrfs_inode *inode)
+{
+ if (!S_ISDIR(inode->vfs_inode.i_mode))
+ return true;
+
+ if (inode->last_unlink_trans < trans->transid)
+ return true;
+
+ /*
+ * If this is a directory and its unlink_trans is not from a past
+ * transaction then we must fallback to a transaction commit in order
+ * to avoid getting a directory with 2 hard links after log replay.
+ *
+ * This happens if a directory A is renamed, moved from one parent
+ * directory to another one, a new file is created in the old parent
+ * directory with the old name of our directory A, the new file is
+ * fsynced, then we moved the new file to some other parent directory
+ * and fsync again the new file. This results in a log tree where we
+ * logged that directory A existed, with the INODE_REF item for the
+ * new location but without having logged its old parent inode, so
+ * that on log replay we add a new link for the new location but the
+ * old link remains, resulting in a link count of 2.
+ */
+ return false;
+}
+
static int add_conflicting_inode(struct btrfs_trans_handle *trans,
struct btrfs_root *root,
struct btrfs_path *path,
@@ -5807,6 +5834,11 @@ static int add_conflicting_inode(struct
return 0;
}
+ if (!can_log_conflicting_inode(trans, inode)) {
+ btrfs_add_delayed_iput(inode);
+ return BTRFS_LOG_FORCE_COMMIT;
+ }
+
btrfs_add_delayed_iput(inode);
ino_elem = kmalloc(sizeof(*ino_elem), GFP_NOFS);
@@ -5871,6 +5903,12 @@ static int log_conflicting_inodes(struct
break;
}
+ if (!can_log_conflicting_inode(trans, inode)) {
+ btrfs_add_delayed_iput(inode);
+ ret = BTRFS_LOG_FORCE_COMMIT;
+ break;
+ }
+
/*
* Always log the directory, we cannot make this
* conditional on need_log_inode() because the directory
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 482/737] s390/ipl: Clear SBP flag when bootprog is set
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 481/737] btrfs: dont log conflicting inode if its a dir moved in the current transaction Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 483/737] gpio: regmap: Fix memleak in error path in gpio_regmap_register() Greg Kroah-Hartman
` (265 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Oberparleiter, Heiko Carstens,
Sven Schnelle
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@linux.ibm.com>
commit b1aa01d31249bd116b18c7f512d3e46b4b4ad83b upstream.
With z16 a new flag 'search boot program' was introduced for
list-directed IPL (SCSI, NVMe, ECKD DASD). If this flag is set,
e.g. via selecting the "Automatic" value for the "Boot program
selector" control on an HMC load panel, it is copied to the reipl
structure from the initial ipl structure. When a user now sets a
boot prog via sysfs, the flag is not cleared and the bootloader
will again automatically select the boot program, ignoring user
configuration.
To avoid that, clear the SBP flag when a bootprog sysfs file is
written.
Cc: stable@vger.kernel.org
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/include/uapi/asm/ipl.h | 1
arch/s390/kernel/ipl.c | 48 +++++++++++++++++++++++++++++----------
2 files changed, 37 insertions(+), 12 deletions(-)
--- a/arch/s390/include/uapi/asm/ipl.h
+++ b/arch/s390/include/uapi/asm/ipl.h
@@ -15,6 +15,7 @@ struct ipl_pl_hdr {
#define IPL_PL_FLAG_IPLPS 0x80
#define IPL_PL_FLAG_SIPL 0x40
#define IPL_PL_FLAG_IPLSR 0x20
+#define IPL_PL_FLAG_SBP 0x10
/* IPL Parameter Block header */
struct ipl_pb_hdr {
--- a/arch/s390/kernel/ipl.c
+++ b/arch/s390/kernel/ipl.c
@@ -260,6 +260,24 @@ static struct kobj_attribute sys_##_pref
sys_##_prefix##_##_name##_show, \
sys_##_prefix##_##_name##_store)
+#define DEFINE_IPL_ATTR_BOOTPROG_RW(_prefix, _name, _fmt_out, _fmt_in, _hdr, _value) \
+ IPL_ATTR_SHOW_FN(_prefix, _name, _fmt_out, (unsigned long long) _value) \
+static ssize_t sys_##_prefix##_##_name##_store(struct kobject *kobj, \
+ struct kobj_attribute *attr, \
+ const char *buf, size_t len) \
+{ \
+ unsigned long long value; \
+ if (sscanf(buf, _fmt_in, &value) != 1) \
+ return -EINVAL; \
+ (_value) = value; \
+ (_hdr).flags &= ~IPL_PL_FLAG_SBP; \
+ return len; \
+} \
+static struct kobj_attribute sys_##_prefix##_##_name##_attr = \
+ __ATTR(_name, 0644, \
+ sys_##_prefix##_##_name##_show, \
+ sys_##_prefix##_##_name##_store)
+
#define DEFINE_IPL_ATTR_STR_RW(_prefix, _name, _fmt_out, _fmt_in, _value)\
IPL_ATTR_SHOW_FN(_prefix, _name, _fmt_out, _value) \
static ssize_t sys_##_prefix##_##_name##_store(struct kobject *kobj, \
@@ -824,12 +842,13 @@ DEFINE_IPL_ATTR_RW(reipl_fcp, wwpn, "0x%
reipl_block_fcp->fcp.wwpn);
DEFINE_IPL_ATTR_RW(reipl_fcp, lun, "0x%016llx\n", "%llx\n",
reipl_block_fcp->fcp.lun);
-DEFINE_IPL_ATTR_RW(reipl_fcp, bootprog, "%lld\n", "%lld\n",
- reipl_block_fcp->fcp.bootprog);
DEFINE_IPL_ATTR_RW(reipl_fcp, br_lba, "%lld\n", "%lld\n",
reipl_block_fcp->fcp.br_lba);
DEFINE_IPL_ATTR_RW(reipl_fcp, device, "0.0.%04llx\n", "0.0.%llx\n",
reipl_block_fcp->fcp.devno);
+DEFINE_IPL_ATTR_BOOTPROG_RW(reipl_fcp, bootprog, "%lld\n", "%lld\n",
+ reipl_block_fcp->hdr,
+ reipl_block_fcp->fcp.bootprog);
static void reipl_get_ascii_loadparm(char *loadparm,
struct ipl_parameter_block *ibp)
@@ -982,10 +1001,11 @@ DEFINE_IPL_ATTR_RW(reipl_nvme, fid, "0x%
reipl_block_nvme->nvme.fid);
DEFINE_IPL_ATTR_RW(reipl_nvme, nsid, "0x%08llx\n", "%llx\n",
reipl_block_nvme->nvme.nsid);
-DEFINE_IPL_ATTR_RW(reipl_nvme, bootprog, "%lld\n", "%lld\n",
- reipl_block_nvme->nvme.bootprog);
DEFINE_IPL_ATTR_RW(reipl_nvme, br_lba, "%lld\n", "%lld\n",
reipl_block_nvme->nvme.br_lba);
+DEFINE_IPL_ATTR_BOOTPROG_RW(reipl_nvme, bootprog, "%lld\n", "%lld\n",
+ reipl_block_nvme->hdr,
+ reipl_block_nvme->nvme.bootprog);
static struct attribute *reipl_nvme_attrs[] = {
&sys_reipl_nvme_fid_attr.attr,
@@ -1112,8 +1132,9 @@ static struct bin_attribute *reipl_eckd_
};
DEFINE_IPL_CCW_ATTR_RW(reipl_eckd, device, reipl_block_eckd->eckd);
-DEFINE_IPL_ATTR_RW(reipl_eckd, bootprog, "%lld\n", "%lld\n",
- reipl_block_eckd->eckd.bootprog);
+DEFINE_IPL_ATTR_BOOTPROG_RW(reipl_eckd, bootprog, "%lld\n", "%lld\n",
+ reipl_block_eckd->hdr,
+ reipl_block_eckd->eckd.bootprog);
static struct attribute *reipl_eckd_attrs[] = {
&sys_reipl_eckd_device_attr.attr,
@@ -1641,12 +1662,13 @@ DEFINE_IPL_ATTR_RW(dump_fcp, wwpn, "0x%0
dump_block_fcp->fcp.wwpn);
DEFINE_IPL_ATTR_RW(dump_fcp, lun, "0x%016llx\n", "%llx\n",
dump_block_fcp->fcp.lun);
-DEFINE_IPL_ATTR_RW(dump_fcp, bootprog, "%lld\n", "%lld\n",
- dump_block_fcp->fcp.bootprog);
DEFINE_IPL_ATTR_RW(dump_fcp, br_lba, "%lld\n", "%lld\n",
dump_block_fcp->fcp.br_lba);
DEFINE_IPL_ATTR_RW(dump_fcp, device, "0.0.%04llx\n", "0.0.%llx\n",
dump_block_fcp->fcp.devno);
+DEFINE_IPL_ATTR_BOOTPROG_RW(dump_fcp, bootprog, "%lld\n", "%lld\n",
+ dump_block_fcp->hdr,
+ dump_block_fcp->fcp.bootprog);
static struct attribute *dump_fcp_attrs[] = {
&sys_dump_fcp_device_attr.attr,
@@ -1667,10 +1689,11 @@ DEFINE_IPL_ATTR_RW(dump_nvme, fid, "0x%0
dump_block_nvme->nvme.fid);
DEFINE_IPL_ATTR_RW(dump_nvme, nsid, "0x%08llx\n", "%llx\n",
dump_block_nvme->nvme.nsid);
-DEFINE_IPL_ATTR_RW(dump_nvme, bootprog, "%lld\n", "%llx\n",
- dump_block_nvme->nvme.bootprog);
DEFINE_IPL_ATTR_RW(dump_nvme, br_lba, "%lld\n", "%llx\n",
dump_block_nvme->nvme.br_lba);
+DEFINE_IPL_ATTR_BOOTPROG_RW(dump_nvme, bootprog, "%lld\n", "%llx\n",
+ dump_block_nvme->hdr,
+ dump_block_nvme->nvme.bootprog);
static struct attribute *dump_nvme_attrs[] = {
&sys_dump_nvme_fid_attr.attr,
@@ -1687,8 +1710,9 @@ static struct attribute_group dump_nvme_
/* ECKD dump device attributes */
DEFINE_IPL_CCW_ATTR_RW(dump_eckd, device, dump_block_eckd->eckd);
-DEFINE_IPL_ATTR_RW(dump_eckd, bootprog, "%lld\n", "%llx\n",
- dump_block_eckd->eckd.bootprog);
+DEFINE_IPL_ATTR_BOOTPROG_RW(dump_eckd, bootprog, "%lld\n", "%llx\n",
+ dump_block_eckd->hdr,
+ dump_block_eckd->eckd.bootprog);
IPL_ATTR_BR_CHR_SHOW_FN(dump, dump_block_eckd->eckd);
IPL_ATTR_BR_CHR_STORE_FN(dump, dump_block_eckd->eckd);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 483/737] gpio: regmap: Fix memleak in error path in gpio_regmap_register()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 482/737] s390/ipl: Clear SBP flag when bootprog is set Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 484/737] io_uring/poll: correctly handle io_poll_add() return value on update Greg Kroah-Hartman
` (264 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, WangYuli, Wentao Guan,
Andy Shevchenko, Bartosz Golaszewski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Guan <guanwentao@uniontech.com>
commit 52721cfc78c76b09c66e092b52617006390ae96a upstream.
Call gpiochip_remove() to free the resources allocated by
gpiochip_add_data() in error path.
Fixes: 553b75d4bfe9 ("gpio: regmap: Allow to allocate regmap-irq device")
Fixes: ae495810cffe ("gpio: regmap: add the .fixed_direction_output configuration parameter")
CC: stable@vger.kernel.org
Co-developed-by: WangYuli <wangyl5933@chinaunicom.cn>
Signed-off-by: WangYuli <wangyl5933@chinaunicom.cn>
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20251204101303.30353-1-guanwentao@uniontech.com
[Bartosz: reworked the commit message]
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-regmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpio/gpio-regmap.c
+++ b/drivers/gpio/gpio-regmap.c
@@ -310,7 +310,7 @@ struct gpio_regmap *gpio_regmap_register
config->regmap_irq_line, config->regmap_irq_flags,
0, config->regmap_irq_chip, &gpio->irq_chip_data);
if (ret)
- goto err_free_bitmap;
+ goto err_remove_gpiochip;
irq_domain = regmap_irq_get_domain(gpio->irq_chip_data);
} else
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 484/737] io_uring/poll: correctly handle io_poll_add() return value on update
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 483/737] gpio: regmap: Fix memleak in error path in gpio_regmap_register() Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 485/737] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Greg Kroah-Hartman
` (263 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot+641eec6b7af1f62f2b99,
Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
Commit 84230ad2d2afbf0c44c32967e525c0ad92e26b4e upstream.
When the core of io_uring was updated to handle completions
consistently and with fixed return codes, the POLL_REMOVE opcode
with updates got slightly broken. If a POLL_ADD is pending and
then POLL_REMOVE is used to update the events of that request, if that
update causes the POLL_ADD to now trigger, then that completion is lost
and a CQE is never posted.
Additionally, ensure that if an update does cause an existing POLL_ADD
to complete, that the completion value isn't always overwritten with
-ECANCELED. For that case, whatever io_poll_add() set the value to
should just be retained.
Cc: stable@vger.kernel.org
Fixes: 97b388d70b53 ("io_uring: handle completions in the core")
Reported-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
Tested-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/poll.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -1024,12 +1024,17 @@ found:
ret2 = io_poll_add(preq, issue_flags & ~IO_URING_F_UNLOCKED);
/* successfully updated, don't complete poll request */
- if (!ret2 || ret2 == -EIOCBQUEUED)
+ if (ret2 == IOU_ISSUE_SKIP_COMPLETE)
goto out;
+ /* request completed as part of the update, complete it */
+ else if (ret2 == IOU_OK)
+ goto complete;
}
- req_set_fail(preq);
io_req_set_res(preq, -ECANCELED, 0);
+complete:
+ if (preq->cqe.res < 0)
+ req_set_fail(preq);
preq->io_task_work.func = io_req_task_complete;
io_req_task_work_add(preq);
out:
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 485/737] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 484/737] io_uring/poll: correctly handle io_poll_add() return value on update Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 486/737] selftests: openvswitch: Fix escape chars in regexp Greg Kroah-Hartman
` (262 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Harry Wentland, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 3c41114dcdabb7b25f5bc33273c6db9c7af7f4a7 upstream.
This can get called from an atomic context.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4470
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8acdad9344cc7b4e7bc01f0dfea80093eb3768db)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_surface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/core/dc_surface.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_surface.c
@@ -104,7 +104,7 @@ void enable_surface_flip_reporting(struc
struct dc_plane_state *dc_create_plane_state(struct dc *dc)
{
struct dc_plane_state *plane_state = kvzalloc(sizeof(*plane_state),
- GFP_KERNEL);
+ GFP_ATOMIC);
if (NULL == plane_state)
return NULL;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 486/737] selftests: openvswitch: Fix escape chars in regexp.
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 485/737] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 487/737] crypto: af_alg - zero initialize memory allocated via sock_kmalloc Greg Kroah-Hartman
` (261 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Moreno, Aaron Conole,
Jakub Kicinski, Adrian Yip
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Moreno <amorenoz@redhat.com>
commit 3fde60afe1f84746c1177861bd27b3ebb00cb8f5 upstream.
Character sequences starting with `\` are interpreted by python as
escaped Unicode characters. However, they have other meaning in
regular expressions (e.g: "\d").
It seems Python >= 3.12 starts emitting a SyntaxWarning when these
escaped sequences are not recognized as valid Unicode characters.
An example of these warnings:
tools/testing/selftests/net/openvswitch/ovs-dpctl.py:505:
SyntaxWarning: invalid escape sequence '\d'
Fix all the warnings by flagging literals as raw strings.
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://lore.kernel.org/r/20240416090913.2028475-1-amorenoz@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Adrian Yip <adrian.ytw@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/openvswitch/ovs-dpctl.py | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
+++ b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
@@ -489,7 +489,7 @@ class ovsactions(nla):
actstr, reason = parse_extract_field(
actstr,
"drop(",
- "([0-9]+)",
+ r"([0-9]+)",
lambda x: int(x, 0),
False,
None,
@@ -502,9 +502,9 @@ class ovsactions(nla):
actstr = actstr[len("drop"): ]
return (totallen - len(actstr))
- elif parse_starts_block(actstr, "^(\d+)", False, True):
+ elif parse_starts_block(actstr, r"^(\d+)", False, True):
actstr, output = parse_extract_field(
- actstr, None, "(\d+)", lambda x: int(x), False, "0"
+ actstr, None, r"(\d+)", lambda x: int(x), False, "0"
)
self["attrs"].append(["OVS_ACTION_ATTR_OUTPUT", output])
parsed = True
@@ -512,7 +512,7 @@ class ovsactions(nla):
actstr, recircid = parse_extract_field(
actstr,
"recirc(",
- "([0-9a-fA-Fx]+)",
+ r"([0-9a-fA-Fx]+)",
lambda x: int(x, 0),
False,
0,
@@ -588,17 +588,17 @@ class ovsactions(nla):
actstr = actstr[3:]
actstr, ip_block_min = parse_extract_field(
- actstr, "=", "([0-9a-fA-F\.]+)", str, False
+ actstr, "=", r"([0-9a-fA-F\.]+)", str, False
)
actstr, ip_block_max = parse_extract_field(
- actstr, "-", "([0-9a-fA-F\.]+)", str, False
+ actstr, "-", r"([0-9a-fA-F\.]+)", str, False
)
actstr, proto_min = parse_extract_field(
- actstr, ":", "(\d+)", int, False
+ actstr, ":", r"(\d+)", int, False
)
actstr, proto_max = parse_extract_field(
- actstr, "-", "(\d+)", int, False
+ actstr, "-", r"(\d+)", int, False
)
if t is not None:
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 487/737] crypto: af_alg - zero initialize memory allocated via sock_kmalloc
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 486/737] selftests: openvswitch: Fix escape chars in regexp Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 488/737] crypto: caam - Add check for kcalloc() in test_len() Greg Kroah-Hartman
` (260 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shivani Agarwal, Herbert Xu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shivani Agarwal <shivani.agarwal@broadcom.com>
commit 6f6e309328d53a10c0fe1f77dec2db73373179b6 upstream.
Several crypto user API contexts and requests allocated with
sock_kmalloc() were left uninitialized, relying on callers to
set fields explicitly. This resulted in the use of uninitialized
data in certain error paths or when new fields are added in the
future.
The ACVP patches also contain two user-space interface files:
algif_kpp.c and algif_akcipher.c. These too rely on proper
initialization of their context structures.
A particular issue has been observed with the newly added
'inflight' variable introduced in af_alg_ctx by commit:
67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Because the context is not memset to zero after allocation,
the inflight variable has contained garbage values. As a result,
af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when
the garbage value was interpreted as true:
https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209
The check directly tests ctx->inflight without explicitly
comparing against true/false. Since inflight is only ever set to
true or false later, an uninitialized value has triggered
-EBUSY failures. Zero-initializing memory allocated with
sock_kmalloc() ensures inflight and other fields start in a known
state, removing random issues caused by uninitialized data.
Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations")
Fixes: 5afdfd22e6ba ("crypto: algif_rng - add random number generator support")
Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code")
Fixes: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Cc: stable@vger.kernel.org
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/af_alg.c | 5 ++---
crypto/algif_hash.c | 3 +--
crypto/algif_rng.c | 3 +--
3 files changed, 4 insertions(+), 7 deletions(-)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -1211,15 +1211,14 @@ struct af_alg_async_req *af_alg_alloc_ar
if (unlikely(!areq))
return ERR_PTR(-ENOMEM);
+ memset(areq, 0, areqlen);
+
ctx->inflight = true;
areq->areqlen = areqlen;
areq->sk = sk;
areq->first_rsgl.sgl.sgt.sgl = areq->first_rsgl.sgl.sgl;
- areq->last_rsgl = NULL;
INIT_LIST_HEAD(&areq->rsgl_list);
- areq->tsgl = NULL;
- areq->tsgl_entries = 0;
return areq;
}
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -416,9 +416,8 @@ static int hash_accept_parent_nokey(void
if (!ctx)
return -ENOMEM;
- ctx->result = NULL;
+ memset(ctx, 0, len);
ctx->len = len;
- ctx->more = false;
crypto_init_wait(&ctx->wait);
ask->private = ctx;
--- a/crypto/algif_rng.c
+++ b/crypto/algif_rng.c
@@ -248,9 +248,8 @@ static int rng_accept_parent(void *priva
if (!ctx)
return -ENOMEM;
+ memset(ctx, 0, len);
ctx->len = len;
- ctx->addtl = NULL;
- ctx->addtl_len = 0;
/*
* No seeding done at that point -- if multiple accepts are
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 488/737] crypto: caam - Add check for kcalloc() in test_len()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 487/737] crypto: af_alg - zero initialize memory allocated via sock_kmalloc Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 489/737] amba: tegra-ahb: Fix device leak on SMMU enable Greg Kroah-Hartman
` (259 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Herbert Xu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit 7cf6e0b69b0d90ab042163e5bbddda0dfcf8b6a7 upstream.
As kcalloc() may fail, check its return value to avoid a NULL pointer
dereference when passing the buffer to rng->read(). On allocation
failure, log the error and return since test_len() returns void.
Fixes: 2be0d806e25e ("crypto: caam - add a test for the RNG")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/caam/caamrng.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/caam/caamrng.c b/drivers/crypto/caam/caamrng.c
index b3d14a7f4dd1..0eb43c862516 100644
--- a/drivers/crypto/caam/caamrng.c
+++ b/drivers/crypto/caam/caamrng.c
@@ -181,7 +181,9 @@ static inline void test_len(struct hwrng *rng, size_t len, bool wait)
struct device *dev = ctx->ctrldev;
buf = kcalloc(CAAM_RNG_MAX_FIFO_STORE_SIZE, sizeof(u8), GFP_KERNEL);
-
+ if (!buf) {
+ return;
+ }
while (len > 0) {
read_len = rng->read(rng, buf, len, wait);
--
2.52.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 489/737] amba: tegra-ahb: Fix device leak on SMMU enable
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 488/737] crypto: caam - Add check for kcalloc() in test_len() Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 490/737] tracing: Fix fixed array of synthetic event Greg Kroah-Hartman
` (258 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Thierry Reding
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 500e1368e46928f4b2259612dcabb6999afae2a6 upstream.
Make sure to drop the reference taken to the AHB platform device when
looking up its driver data while enabling the SMMU.
Note that holding a reference to a device does not prevent its driver
data from going away.
Fixes: 89c788bab1f0 ("ARM: tegra: Add SMMU enabler in AHB")
Cc: stable@vger.kernel.org # 3.5
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/amba/tegra-ahb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/amba/tegra-ahb.c
+++ b/drivers/amba/tegra-ahb.c
@@ -144,6 +144,7 @@ int tegra_ahb_enable_smmu(struct device_
if (!dev)
return -EPROBE_DEFER;
ahb = dev_get_drvdata(dev);
+ put_device(dev);
val = gizmo_readl(ahb, AHB_ARBITRATION_XBAR_CTRL);
val |= AHB_ARBITRATION_XBAR_CTRL_SMMU_INIT_DONE;
gizmo_writel(ahb, val, AHB_ARBITRATION_XBAR_CTRL);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 490/737] tracing: Fix fixed array of synthetic event
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 489/737] amba: tegra-ahb: Fix device leak on SMMU enable Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 491/737] soc: qcom: ocmem: fix device leak on lookup Greg Kroah-Hartman
` (257 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Douglas Raillard, Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit 47ef834209e5981f443240d8a8b45bf680df22aa upstream.
The commit 4d38328eb442d ("tracing: Fix synth event printk format for str
fields") replaced "%.*s" with "%s" but missed removing the number size of
the dynamic and static strings. The commit e1a453a57bc7 ("tracing: Do not
add length to print format in synthetic events") fixed the dynamic part
but did not fix the static part. That is, with the commands:
# echo 's:wake_lat char[] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
# echo 'hist:keys=pid:ts=common_timestamp.usecs if !(common_flags & 0x18)' > /sys/kernel/tracing/events/sched/sched_waking/trigger
# echo 'hist:keys=next_pid:delta=common_timestamp.usecs-$ts:onmatch(sched.sched_waking).trace(wake_lat,next_comm,$delta)' > /sys/kernel/tracing/events/sched/sched_switch/trigger
That caused the output of:
<idle>-0 [001] d..5. 193.428167: wake_lat: wakee=(efault)sshd-sessiondelta=155
sshd-session-879 [001] d..5. 193.811080: wake_lat: wakee=(efault)kworker/u34:5delta=58
<idle>-0 [002] d..5. 193.811198: wake_lat: wakee=(efault)bashdelta=91
The commit e1a453a57bc7 fixed the part where the synthetic event had
"char[] wakee". But if one were to replace that with a static size string:
# echo 's:wake_lat char[16] wakee; u64 delta;' >> /sys/kernel/tracing/dynamic_events
Where "wakee" is defined as "char[16]" and not "char[]" making it a static
size, the code triggered the "(efaul)" again.
Remove the added STR_VAR_LEN_MAX size as the string is still going to be
nul terminated.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Douglas Raillard <douglas.raillard@arm.com>
Link: https://patch.msgid.link/20251204151935.5fa30355@gandalf.local.home
Fixes: e1a453a57bc7 ("tracing: Do not add length to print format in synthetic events")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_synth.c | 1 -
1 file changed, 1 deletion(-)
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -382,7 +382,6 @@ static enum print_line_t print_synth_eve
n_u64++;
} else {
trace_seq_printf(s, print_fmt, se->fields[i]->name,
- STR_VAR_LEN_MAX,
(char *)&entry->fields[n_u64].as_u64,
i == se->n_fields - 1 ? "" : " ");
n_u64 += STR_VAR_LEN_MAX / sizeof(u64);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 491/737] soc: qcom: ocmem: fix device leak on lookup
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 490/737] tracing: Fix fixed array of synthetic event Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 492/737] soc: amlogic: canvas: " Greg Kroah-Hartman
` (256 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Miaoqian Lin,
Johan Hovold, Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b5c16ea57b030b8e9428ec726e26219dfe05c3d9 upstream.
Make sure to drop the reference taken to the ocmem platform device when
looking up its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Also note that commit 0ff027027e05 ("soc: qcom: ocmem: Fix missing
put_device() call in of_get_ocmem") fixed the leak in a lookup error
path, but the reference is still leaking on success.
Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
Cc: stable@vger.kernel.org # 5.5: 0ff027027e05
Cc: Brian Masney <bmasney@redhat.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Link: https://lore.kernel.org/r/20250926143511.6715-2-johan@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/ocmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -204,9 +204,9 @@ struct ocmem *of_get_ocmem(struct device
of_node_put(devnode);
ocmem = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!ocmem) {
dev_err(dev, "Cannot get ocmem\n");
- put_device(&pdev->dev);
return ERR_PTR(-ENODEV);
}
return ocmem;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 492/737] soc: amlogic: canvas: fix device leak on lookup
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 491/737] soc: qcom: ocmem: fix device leak on lookup Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 493/737] rpmsg: glink: fix rpmsg device leak Greg Kroah-Hartman
` (255 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Johan Hovold,
Martin Blumenstingl, Neil Armstrong
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 32200f4828de9d7e6db379909898e718747f4e18 upstream.
Make sure to drop the reference taken to the canvas platform device when
looking up its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Also note that commit 28f851e6afa8 ("soc: amlogic: canvas: add missing
put_device() call in meson_canvas_get()") fixed the leak in a lookup
error path, but the reference is still leaking on success.
Fixes: d4983983d987 ("soc: amlogic: add meson-canvas driver")
Cc: stable@vger.kernel.org # 4.20: 28f851e6afa8
Cc: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://patch.msgid.link/20250926142454.5929-2-johan@kernel.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/amlogic/meson-canvas.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/soc/amlogic/meson-canvas.c
+++ b/drivers/soc/amlogic/meson-canvas.c
@@ -73,10 +73,9 @@ struct meson_canvas *meson_canvas_get(st
* current state, this driver probe cannot return -EPROBE_DEFER
*/
canvas = dev_get_drvdata(&canvas_pdev->dev);
- if (!canvas) {
- put_device(&canvas_pdev->dev);
+ put_device(&canvas_pdev->dev);
+ if (!canvas)
return ERR_PTR(-EINVAL);
- }
return canvas;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 493/737] rpmsg: glink: fix rpmsg device leak
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 492/737] soc: amlogic: canvas: " Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 494/737] platform/x86: intel: chtwc_int33fe: dont dereference swnode args Greg Kroah-Hartman
` (254 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Dmitry Baryshkov, Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit a53e356df548f6b0e82529ef3cc6070f42622189 upstream.
While testing rpmsg-char interface it was noticed that duplicate sysfs
entries are getting created and below warning is noticed.
Reason for this is that we are leaking rpmsg device pointer, setting it
null without actually unregistering device.
Any further attempts to unregister fail because rpdev is NULL,
resulting in a leak.
Fix this by unregistering rpmsg device before removing its reference
from rpmsg channel.
sysfs: cannot create duplicate filename '/devices/platform/soc@0/3700000.remot
eproc/remoteproc/remoteproc1/3700000.remoteproc:glink-edge/3700000.remoteproc:
glink-edge.adsp_apps.-1.-1'
[ 114.115347] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not
tainted 6.16.0-rc4 #7 PREEMPT
[ 114.115355] Hardware name: Qualcomm Technologies, Inc. Robotics RB3gen2 (DT)
[ 114.115358] Workqueue: events qcom_glink_work
[ 114.115371] Call trace:8
[ 114.115374] show_stack+0x18/0x24 (C)
[ 114.115382] dump_stack_lvl+0x60/0x80
[ 114.115388] dump_stack+0x18/0x24
[ 114.115393] sysfs_warn_dup+0x64/0x80
[ 114.115402] sysfs_create_dir_ns+0xf4/0x120
[ 114.115409] kobject_add_internal+0x98/0x260
[ 114.115416] kobject_add+0x9c/0x108
[ 114.115421] device_add+0xc4/0x7a0
[ 114.115429] rpmsg_register_device+0x5c/0xb0
[ 114.115434] qcom_glink_work+0x4bc/0x820
[ 114.115438] process_one_work+0x148/0x284
[ 114.115446] worker_thread+0x2c4/0x3e0
[ 114.115452] kthread+0x12c/0x204
[ 114.115457] ret_from_fork+0x10/0x20
[ 114.115464] kobject: kobject_add_internal failed for 3700000.remoteproc:
glink-edge.adsp_apps.-1.-1 with -EEXIST, don't try to register things with
the same name in the same directory.
[ 114.250045] rpmsg 3700000.remoteproc:glink-edge.adsp_apps.-1.-1:
device_add failed: -17
Fixes: 835764ddd9af ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250822100043.2604794-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rpmsg/qcom_glink_native.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1317,6 +1317,7 @@ static void qcom_glink_destroy_ept(struc
{
struct glink_channel *channel = to_glink_channel(ept);
struct qcom_glink *glink = channel->glink;
+ struct rpmsg_channel_info chinfo;
unsigned long flags;
spin_lock_irqsave(&channel->recv_lock, flags);
@@ -1324,6 +1325,13 @@ static void qcom_glink_destroy_ept(struc
spin_unlock_irqrestore(&channel->recv_lock, flags);
/* Decouple the potential rpdev from the channel */
+ if (channel->rpdev) {
+ strscpy_pad(chinfo.name, channel->name, sizeof(chinfo.name));
+ chinfo.src = RPMSG_ADDR_ANY;
+ chinfo.dst = RPMSG_ADDR_ANY;
+
+ rpmsg_unregister_device(glink->dev, &chinfo);
+ }
channel->rpdev = NULL;
qcom_glink_send_close_req(glink, channel);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 494/737] platform/x86: intel: chtwc_int33fe: dont dereference swnode args
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 493/737] rpmsg: glink: fix rpmsg device leak Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 495/737] i2c: amd-mp2: fix reference leak in MP2 PCI device Greg Kroah-Hartman
` (253 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell,
Bartosz Golaszewski, Hans de Goede, Ilpo Järvinen,
Philipp Zabel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
commit 527250cd9092461f1beac3e4180a4481bffa01b5 upstream.
Members of struct software_node_ref_args should not be dereferenced
directly but set using the provided macros. Commit d7cdbbc93c56
("software node: allow referencing firmware nodes") changed the name of
the software node member and caused a build failure. Remove all direct
dereferences of the ref struct as a fix.
However, this driver also seems to abuse the software node interface by
waiting for a node with an arbitrary name "intel-xhci-usb-sw" to appear
in the system before setting up the reference for the I2C device, while
the actual software node already exists in the intel-xhci-usb-role-switch
module and should be used to set up a static reference. Add a FIXME for
a future improvement.
Fixes: d7cdbbc93c56 ("software node: allow referencing firmware nodes")
Fixes: 53c24c2932e5 ("platform/x86: intel_cht_int33fe: use inline reference properties")
Cc: stable@vger.kernel.org
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lore.kernel.org/all/20251121111534.7cdbfe5c@canb.auug.org.au/
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Acked-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/intel/chtwc_int33fe.c | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
--- a/drivers/platform/x86/intel/chtwc_int33fe.c
+++ b/drivers/platform/x86/intel/chtwc_int33fe.c
@@ -77,7 +77,7 @@ static const struct software_node max170
* software node.
*/
static struct software_node_ref_args fusb302_mux_refs[] = {
- { .node = NULL },
+ SOFTWARE_NODE_REFERENCE(NULL),
};
static const struct property_entry fusb302_properties[] = {
@@ -190,11 +190,6 @@ static void cht_int33fe_remove_nodes(str
{
software_node_unregister_node_group(node_group);
- if (fusb302_mux_refs[0].node) {
- fwnode_handle_put(software_node_fwnode(fusb302_mux_refs[0].node));
- fusb302_mux_refs[0].node = NULL;
- }
-
if (data->dp) {
data->dp->secondary = NULL;
fwnode_handle_put(data->dp);
@@ -202,7 +197,15 @@ static void cht_int33fe_remove_nodes(str
}
}
-static int cht_int33fe_add_nodes(struct cht_int33fe_data *data)
+static void cht_int33fe_put_swnode(void *data)
+{
+ struct fwnode_handle *fwnode = data;
+
+ fwnode_handle_put(fwnode);
+ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(NULL);
+}
+
+static int cht_int33fe_add_nodes(struct device *dev, struct cht_int33fe_data *data)
{
const struct software_node *mux_ref_node;
int ret;
@@ -212,17 +215,25 @@ static int cht_int33fe_add_nodes(struct
* until the mux driver has created software node for the mux device.
* It means we depend on the mux driver. This function will return
* -EPROBE_DEFER until the mux device is registered.
+ *
+ * FIXME: the relevant software node exists in intel-xhci-usb-role-switch
+ * and - if exported - could be used to set up a static reference.
*/
mux_ref_node = software_node_find_by_name(NULL, "intel-xhci-usb-sw");
if (!mux_ref_node)
return -EPROBE_DEFER;
+ ret = devm_add_action_or_reset(dev, cht_int33fe_put_swnode,
+ software_node_fwnode(mux_ref_node));
+ if (ret)
+ return ret;
+
/*
* Update node used in "usb-role-switch" property. Note that we
* rely on software_node_register_node_group() to use the original
* instance of properties instead of copying them.
*/
- fusb302_mux_refs[0].node = mux_ref_node;
+ fusb302_mux_refs[0] = SOFTWARE_NODE_REFERENCE(mux_ref_node);
ret = software_node_register_node_group(node_group);
if (ret)
@@ -345,7 +356,7 @@ static int cht_int33fe_typec_probe(struc
return fusb302_irq;
}
- ret = cht_int33fe_add_nodes(data);
+ ret = cht_int33fe_add_nodes(dev, data);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 495/737] i2c: amd-mp2: fix reference leak in MP2 PCI device
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 494/737] platform/x86: intel: chtwc_int33fe: dont dereference swnode args Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 496/737] hwmon: (max16065) Use local variable to avoid TOCTOU Greg Kroah-Hartman
` (252 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Andi Shyti
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 upstream.
In i2c_amd_probe(), amd_mp2_find_device() utilizes
driver_find_next_device() which internally calls driver_find_device()
to locate the matching device. driver_find_device() increments the
reference count of the found device by calling get_device(), but
amd_mp2_find_device() fails to call put_device() to decrement the
reference count before returning. This results in a reference count
leak of the PCI device each time i2c_amd_probe() is executed, which
may prevent the device from being properly released and cause a memory
leak.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20251022095402.8846-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-amd-mp2-pci.c
+++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c
@@ -461,13 +461,16 @@ struct amd_mp2_dev *amd_mp2_find_device(
{
struct device *dev;
struct pci_dev *pci_dev;
+ struct amd_mp2_dev *mp2_dev;
dev = driver_find_next_device(&amd_mp2_pci_driver.driver, NULL);
if (!dev)
return NULL;
pci_dev = to_pci_dev(dev);
- return (struct amd_mp2_dev *)pci_get_drvdata(pci_dev);
+ mp2_dev = (struct amd_mp2_dev *)pci_get_drvdata(pci_dev);
+ put_device(dev);
+ return mp2_dev;
}
EXPORT_SYMBOL_GPL(amd_mp2_find_device);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 496/737] hwmon: (max16065) Use local variable to avoid TOCTOU
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 495/737] i2c: amd-mp2: fix reference leak in MP2 PCI device Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 497/737] hwmon: (w83791d) Convert macros to functions " Greg Kroah-Hartman
` (251 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Guenter Roeck
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit b8d5acdcf525f44e521ca4ef51dce4dac403dab4 upstream.
In max16065_current_show, data->curr_sense is read twice: once for the
error check and again for the calculation. Since
i2c_smbus_read_byte_data returns negative error codes on failure, if the
data changes to an error code between the check and the use, ADC_TO_CURR
results in an incorrect calculation.
Read data->curr_sense into a local variable to ensure consistency. Note
that data->curr_gain is constant and safe to access directly.
This aligns max16065_current_show with max16065_input_show, which
already uses a local variable for the same reason.
Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251128124709.3876-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/max16065.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/hwmon/max16065.c
+++ b/drivers/hwmon/max16065.c
@@ -216,12 +216,13 @@ static ssize_t max16065_current_show(str
struct device_attribute *da, char *buf)
{
struct max16065_data *data = max16065_update_device(dev);
+ int curr_sense = data->curr_sense;
- if (unlikely(data->curr_sense < 0))
- return data->curr_sense;
+ if (unlikely(curr_sense < 0))
+ return curr_sense;
return sysfs_emit(buf, "%d\n",
- ADC_TO_CURR(data->curr_sense, data->curr_gain));
+ ADC_TO_CURR(curr_sense, data->curr_gain));
}
static ssize_t max16065_limit_store(struct device *dev,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 497/737] hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 496/737] hwmon: (max16065) Use local variable to avoid TOCTOU Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 498/737] hwmon: (w83l786ng) " Greg Kroah-Hartman
` (250 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Guenter Roeck
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 upstream.
The macro FAN_FROM_REG evaluates its arguments multiple times. When used
in lockless contexts involving shared driver data, this leads to
Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially
causing divide-by-zero errors.
Convert the macro to a static function. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.
Additionally, in store_fan_div, move the calculation of the minimum
limit inside the update lock. This ensures that the read-modify-write
sequence operates on consistent data.
Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.
Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: 9873964d6eb2 ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/w83791d.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
--- a/drivers/hwmon/w83791d.c
+++ b/drivers/hwmon/w83791d.c
@@ -218,9 +218,14 @@ static u8 fan_to_reg(long rpm, int div)
return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
}
-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \
- ((val) == 255 ? 0 : \
- 1350000 / ((val) * (div))))
+static int fan_from_reg(int val, int div)
+{
+ if (val == 0)
+ return -1;
+ if (val == 255)
+ return 0;
+ return 1350000 / (val * div);
+}
/* for temp1 which is 8-bit resolution, LSB = 1 degree Celsius */
#define TEMP1_FROM_REG(val) ((val) * 1000)
@@ -521,7 +526,7 @@ static ssize_t show_##reg(struct device
struct w83791d_data *data = w83791d_update_device(dev); \
int nr = sensor_attr->index; \
return sprintf(buf, "%d\n", \
- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
+ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
}
show_fan_reg(fan);
@@ -585,10 +590,10 @@ static ssize_t store_fan_div(struct devi
if (err)
return err;
+ mutex_lock(&data->update_lock);
/* Save fan_min */
- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
+ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
- mutex_lock(&data->update_lock);
data->fan_div[nr] = div_to_reg(nr, val);
switch (nr) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 498/737] hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (496 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 497/737] hwmon: (w83791d) Convert macros to functions " Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 499/737] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Greg Kroah-Hartman
` (249 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Guenter Roeck
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit 07272e883fc61574b8367d44de48917f622cdd83 upstream.
The macros FAN_FROM_REG and TEMP_FROM_REG evaluate their arguments
multiple times. When used in lockless contexts involving shared driver
data, this causes Time-of-Check to Time-of-Use (TOCTOU) race
conditions.
Convert the macros to static functions. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.
Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.
Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: 85f03bccd6e0 ("hwmon: Add support for Winbond W83L786NG/NR")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251128123816.3670-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/w83l786ng.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
--- a/drivers/hwmon/w83l786ng.c
+++ b/drivers/hwmon/w83l786ng.c
@@ -76,15 +76,25 @@ FAN_TO_REG(long rpm, int div)
return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
}
-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \
- ((val) == 255 ? 0 : \
- 1350000 / ((val) * (div))))
+static int fan_from_reg(int val, int div)
+{
+ if (val == 0)
+ return -1;
+ if (val == 255)
+ return 0;
+ return 1350000 / (val * div);
+}
/* for temp */
#define TEMP_TO_REG(val) (clamp_val(((val) < 0 ? (val) + 0x100 * 1000 \
: (val)) / 1000, 0, 0xff))
-#define TEMP_FROM_REG(val) (((val) & 0x80 ? \
- (val) - 0x100 : (val)) * 1000)
+
+static int temp_from_reg(int val)
+{
+ if (val & 0x80)
+ return (val - 0x100) * 1000;
+ return val * 1000;
+}
/*
* The analog voltage inputs have 8mV LSB. Since the sysfs output is
@@ -280,7 +290,7 @@ static ssize_t show_##reg(struct device
int nr = to_sensor_dev_attr(attr)->index; \
struct w83l786ng_data *data = w83l786ng_update_device(dev); \
return sprintf(buf, "%d\n", \
- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
+ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
}
show_fan_reg(fan);
@@ -347,7 +357,7 @@ store_fan_div(struct device *dev, struct
/* Save fan_min */
mutex_lock(&data->update_lock);
- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
+ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
data->fan_div[nr] = DIV_TO_REG(val);
@@ -409,7 +419,7 @@ show_temp(struct device *dev, struct dev
int nr = sensor_attr->nr;
int index = sensor_attr->index;
struct w83l786ng_data *data = w83l786ng_update_device(dev);
- return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[nr][index]));
+ return sprintf(buf, "%d\n", temp_from_reg(data->temp[nr][index]));
}
static ssize_t
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 499/737] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (497 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 498/737] hwmon: (w83l786ng) " Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 500/737] iommu/mediatek: fix use-after-free on probe deferral Greg Kroah-Hartman
` (248 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolas Ferre, Claudiu Beznea
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Ferre <nicolas.ferre@microchip.com>
commit 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce upstream.
Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo
size of 32 data. Fix flexcom/spi nodes where this property is wrong.
Fixes: 6b9a3584c7ed ("ARM: dts: at91: sama5d2: Add missing flexcom definitions")
Cc: stable@vger.kernel.org # 5.8+
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20251114140225.30372-1-nicolas.ferre@microchip.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/microchip/sama5d2.dtsi | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/arch/arm/boot/dts/microchip/sama5d2.dtsi
+++ b/arch/arm/boot/dts/microchip/sama5d2.dtsi
@@ -568,7 +568,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(12))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -639,7 +639,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(14))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -851,7 +851,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(16))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -922,7 +922,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(18))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -994,7 +994,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(20))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 500/737] iommu/mediatek: fix use-after-free on probe deferral
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (498 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 499/737] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 501/737] wifi: rtw88: limit indirect IO under powered off for RTL8822CS Greg Kroah-Hartman
` (247 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yong Wu, Robin Murphy, Johan Hovold,
AngeloGioacchino Del Regno, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit de83d4617f9fe059623e97acf7e1e10d209625b5 upstream.
The driver is dropping the references taken to the larb devices during
probe after successful lookup as well as on errors. This can
potentially lead to a use-after-free in case a larb device has not yet
been bound to its driver so that the iommu driver probe defers.
Fix this by keeping the references as expected while the iommu driver is
bound.
Fixes: 26593928564c ("iommu/mediatek: Add error path for loop of mm_dts_parse")
Cc: stable@vger.kernel.org
Cc: Yong Wu <yong.wu@mediatek.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu.c | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
--- a/drivers/iommu/mtk_iommu.c
+++ b/drivers/iommu/mtk_iommu.c
@@ -1196,16 +1196,19 @@ static int mtk_iommu_mm_dts_parse(struct
}
component_match_add(dev, match, component_compare_dev, &plarbdev->dev);
- platform_device_put(plarbdev);
}
- if (!frst_avail_smicomm_node)
- return -EINVAL;
+ if (!frst_avail_smicomm_node) {
+ ret = -EINVAL;
+ goto err_larbdev_put;
+ }
pcommdev = of_find_device_by_node(frst_avail_smicomm_node);
of_node_put(frst_avail_smicomm_node);
- if (!pcommdev)
- return -ENODEV;
+ if (!pcommdev) {
+ ret = -ENODEV;
+ goto err_larbdev_put;
+ }
data->smicomm_dev = &pcommdev->dev;
link = device_link_add(data->smicomm_dev, dev,
@@ -1213,7 +1216,8 @@ static int mtk_iommu_mm_dts_parse(struct
platform_device_put(pcommdev);
if (!link) {
dev_err(dev, "Unable to link %s.\n", dev_name(data->smicomm_dev));
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_larbdev_put;
}
return 0;
@@ -1385,8 +1389,12 @@ out_sysfs_remove:
iommu_device_sysfs_remove(&data->iommu);
out_list_del:
list_del(&data->list);
- if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM))
+ if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) {
device_link_remove(data->smicomm_dev, dev);
+
+ for (i = 0; i < MTK_LARB_NR_MAX; i++)
+ put_device(data->larb_imu[i].dev);
+ }
out_runtime_disable:
pm_runtime_disable(dev);
return ret;
@@ -1406,6 +1414,9 @@ static void mtk_iommu_remove(struct plat
if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) {
device_link_remove(data->smicomm_dev, &pdev->dev);
component_master_del(&pdev->dev, &mtk_iommu_com_ops);
+
+ for (i = 0; i < MTK_LARB_NR_MAX; i++)
+ put_device(data->larb_imu[i].dev);
}
pm_runtime_disable(&pdev->dev);
for (i = 0; i < data->plat_data->banks_num; i++) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 501/737] wifi: rtw88: limit indirect IO under powered off for RTL8822CS
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (499 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 500/737] iommu/mediatek: fix use-after-free on probe deferral Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 502/737] wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() Greg Kroah-Hartman
` (246 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Skvortsov, Ping-Ke Shih,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ping-Ke Shih <pkshih@realtek.com>
[ Upstream commit f3ccdfda345ca9a624ea425840a926b8338c1e25 ]
The indirect IO is necessary for RTL8822CS, but not necessary for other
chips. Otherwiese, it throws errors and becomes unusable.
rtw88_8723cs mmc1:0001:1: WOW Firmware version 11.0.0, H2C version 0
rtw88_8723cs mmc1:0001:1: Firmware version 11.0.0, H2C version 0
rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
rtw88_8723cs mmc1:0001:1: sdio write8 failed (0x1c): -110
rtw88_8723cs mmc1:0001:1: sdio read32 failed (0xf0): -110
By vendor driver, only RTL8822CS and RTL8822ES need indirect IO, but
RTL8822ES isn't supported yet. Therefore, limit it to RTL8822CS only.
Reported-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Closes: https://lore.kernel.org/linux-wireless/07a32e2d6c764eb1bd9415b5a921a652@realtek.com/T/#m997b4522f7209ba629561c776bfd1d13ab24c1d4
Fixes: 58de1f91e033 ("wifi: rtw88: sdio: use indirect IO for device registers before power-on")
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Tested-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Link: https://patch.msgid.link/1764034729-1251-1-git-send-email-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/sdio.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw88/sdio.c b/drivers/net/wireless/realtek/rtw88/sdio.c
index df4248744d87..025a97526551 100644
--- a/drivers/net/wireless/realtek/rtw88/sdio.c
+++ b/drivers/net/wireless/realtek/rtw88/sdio.c
@@ -143,8 +143,10 @@ static u32 rtw_sdio_to_io_address(struct rtw_dev *rtwdev, u32 addr,
static bool rtw_sdio_use_direct_io(struct rtw_dev *rtwdev, u32 addr)
{
+ bool might_indirect_under_power_off = rtwdev->chip->id == RTW_CHIP_TYPE_8822C;
+
if (!test_bit(RTW_FLAG_POWERON, rtwdev->flags) &&
- !rtw_sdio_is_bus_addr(addr))
+ !rtw_sdio_is_bus_addr(addr) && might_indirect_under_power_off)
return false;
return !rtw_sdio_is_sdio30_supported(rtwdev) ||
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 502/737] wifi: cfg80211: sme: store capped length in __cfg80211_connect_result()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (500 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 501/737] wifi: rtw88: limit indirect IO under powered off for RTL8822CS Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 503/737] wifi: mac80211: do not use old MBSSID elements Greg Kroah-Hartman
` (245 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 2b77b9551d1184cb5af8271ff350e6e2c1b3db0d ]
The QGenie AI code review tool says we should store the capped length to
wdev->u.client.ssid_len. The AI is correct.
Fixes: 62b635dcd69c ("wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aTAbp5RleyH_lnZE@stanley.mountain
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/sme.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 5904c869085c..6f116ae5442b 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -925,7 +925,7 @@ void __cfg80211_connect_result(struct net_device *dev,
ssid_len = min(ssid->datalen, IEEE80211_MAX_SSID_LEN);
memcpy(wdev->u.client.ssid, ssid->data, ssid_len);
- wdev->u.client.ssid_len = ssid->datalen;
+ wdev->u.client.ssid_len = ssid_len;
break;
}
rcu_read_unlock();
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 503/737] wifi: mac80211: do not use old MBSSID elements
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (501 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 502/737] wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 504/737] i40e: fix scheduling in set_rx_mode Greg Kroah-Hartman
` (244 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aloka Dixit, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
[ Upstream commit a519be2f5d958c5804f2cfd68f1f384291271fab ]
When userspace brings down and deletes a non-transmitted profile,
it is expected to send a new updated Beacon template for the
transmitted profile of that multiple BSSID (MBSSID) group which
does not include the removed profile in MBSSID element. This
update comes via NL80211_CMD_SET_BEACON.
Such updates work well as long as the group continues to have at
least one non-transmitted profile as NL80211_ATTR_MBSSID_ELEMS
is included in the new Beacon template.
But when the last non-trasmitted profile is removed, it still
gets included in Beacon templates sent to driver. This happens
because when no MBSSID elements are sent by the userspace,
ieee80211_assign_beacon() ends up using the element stored from
earlier Beacon template.
Do not copy old MBSSID elements, instead userspace should always
include these when applicable.
Fixes: 2b3171c6fe0a ("mac80211: MBSSID beacon handling in AP mode")
Signed-off-by: Aloka Dixit <aloka.dixit@oss.qualcomm.com>
Link: https://patch.msgid.link/20251215174656.2866319-2-aloka.dixit@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/cfg.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 1addfba4b285..16270bea49a2 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1147,7 +1147,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
size = sizeof(*new) + new_head_len + new_tail_len;
- /* new or old multiple BSSID elements? */
if (params->mbssid_ies) {
mbssid = params->mbssid_ies;
size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
@@ -1157,15 +1156,6 @@ ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
}
size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
mbssid->cnt);
- } else if (old && old->mbssid_ies) {
- mbssid = old->mbssid_ies;
- size += struct_size(new->mbssid_ies, elem, mbssid->cnt);
- if (old && old->rnr_ies) {
- rnr = old->rnr_ies;
- size += struct_size(new->rnr_ies, elem, rnr->cnt);
- }
- size += ieee80211_get_mbssid_beacon_len(mbssid, rnr,
- mbssid->cnt);
}
new = kzalloc(size, GFP_KERNEL);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 504/737] i40e: fix scheduling in set_rx_mode
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (502 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 503/737] wifi: mac80211: do not use old MBSSID elements Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 505/737] iavf: fix off-by-one issues in iavf_config_rss_reg() Greg Kroah-Hartman
` (243 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Grzegorz Nitka, Jacob Keller,
Aleksandr Loktionov, Przemyslaw Korba, Tony Nguyen, Sasha Levin,
Rinitha S
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Przemyslaw Korba <przemyslaw.korba@intel.com>
[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
Add service task schedule to set_rx_mode.
In some cases there are error messages printed out in PTP application
(ptp4l):
ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
This happens when service task would not run immediately after
set_rx_mode, and we need it for setup tasks. This service task checks, if
PTP RX packets are hung in firmware, and propagate correct settings such
as multicast address for IEEE 1588 Precision Time Protocol.
RX timestamping depends on some of these filters set. Bug happens only
with high PTP packets frequency incoming, and not every run since
sometimes service task is being ran from a different place immediately
after starting ptp4l.
Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops")
Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index affdbd3ee76c..8a0eb51fe974 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -2260,6 +2260,7 @@ static void i40e_set_rx_mode(struct net_device *netdev)
vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state);
}
+ i40e_service_event_schedule(vsi->back);
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 505/737] iavf: fix off-by-one issues in iavf_config_rss_reg()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (503 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 504/737] i40e: fix scheduling in set_rx_mode Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 506/737] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt Greg Kroah-Hartman
` (242 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Aleksandr Loktionov,
Przemek Kitszel, Rafal Romanowski, Tony Nguyen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <enjuk@amazon.com>
[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
There are off-by-one bugs when configuring RSS hash key and lookup
table, causing out-of-bounds reads to memory [1] and out-of-bounds
writes to device registers.
Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
the loop upper bounds were:
i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
which is safe since the value is the last valid index.
That commit changed the bounds to:
i <= adapter->rss_{key,lut}_size / 4
where `rss_{key,lut}_size / 4` is the number of dwords, so the last
valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
accesses one element past the end.
Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
the bounds.
[1] KASAN splat about rss_key_size off-by-one
BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: iavf iavf_watchdog_task
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xb0
print_report+0x170/0x4f3
kasan_report+0xe1/0x1a0
iavf_config_rss+0x619/0x800
iavf_watchdog_task+0x2be7/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 63:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x246/0x6f0
iavf_watchdog_task+0x28fc/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff888102c50100
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
allocated 52-byte region [ffff888102c50100, ffff888102c50134)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
^
ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
Signed-off-by: Kohei Enju <enjuk@amazon.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index fde8d7b80ca6..f6a748ae1c95 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -1750,11 +1750,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter)
u16 i;
dw = (u32 *)adapter->rss_key;
- for (i = 0; i <= adapter->rss_key_size / 4; i++)
+ for (i = 0; i < adapter->rss_key_size / 4; i++)
wr32(hw, IAVF_VFQF_HKEY(i), dw[i]);
dw = (u32 *)adapter->rss_lut;
- for (i = 0; i <= adapter->rss_lut_size / 4; i++)
+ for (i = 0; i < adapter->rss_lut_size / 4; i++)
wr32(hw, IAVF_VFQF_HLUT(i), dw[i]);
iavf_flush(hw);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 506/737] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 505/737] iavf: fix off-by-one issues in iavf_config_rss_reg() Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 507/737] Bluetooth: btusb: revert use of devm_kzalloc in btusb Greg Kroah-Hartman
` (241 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiumei Mu, Xin Long, Herbert Xu,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
As soon as crypto_aead_encrypt is called, the underlying request
may be freed by an asynchronous completion. Thus dereferencing
req->iv after it returns is invalid.
Instead of checking req->iv against info, create a new variable
unaligned_info and use it for that purpose instead.
Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
Reported-by: Xiumei Mu <xmu@redhat.com>
Reported-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/seqiv.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/crypto/seqiv.c b/crypto/seqiv.c
index 17e11d51ddc3..04928df0095b 100644
--- a/crypto/seqiv.c
+++ b/crypto/seqiv.c
@@ -50,6 +50,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
struct aead_request *subreq = aead_request_ctx(req);
crypto_completion_t compl;
+ bool unaligned_info;
void *data;
u8 *info;
unsigned int ivsize = 8;
@@ -79,8 +80,9 @@ static int seqiv_aead_encrypt(struct aead_request *req)
return err;
}
- if (unlikely(!IS_ALIGNED((unsigned long)info,
- crypto_aead_alignmask(geniv) + 1))) {
+ unaligned_info = !IS_ALIGNED((unsigned long)info,
+ crypto_aead_alignmask(geniv) + 1);
+ if (unlikely(unaligned_info)) {
info = kmemdup(req->iv, ivsize, req->base.flags &
CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
GFP_ATOMIC);
@@ -100,7 +102,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
err = crypto_aead_encrypt(subreq);
- if (unlikely(info != req->iv))
+ if (unlikely(unaligned_info))
seqiv_aead_encrypt_complete2(req, err);
return err;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 507/737] Bluetooth: btusb: revert use of devm_kzalloc in btusb
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 506/737] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 508/737] net: mdio: aspeed: add dummy read to avoid read-after-write issue Greg Kroah-Hartman
` (240 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Pinsonneault-Thibeault,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ]
This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
btusb.c file").
In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
ties the lifetime of all the btusb data to the binding of a driver to
one interface, INTF. In a driver that binds to other interfaces, ISOC
and DIAG, this is an accident waiting to happen.
The issue is revealed in btusb_disconnect(), where calling
usb_driver_release_interface(&btusb_driver, data->intf) will have devm
free the data that is also being used by the other interfaces of the
driver that may not be released yet.
To fix this, revert the use of devm and go back to freeing memory
explicitly.
Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 7bc7ee4eebd3..1309e9318bdb 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4342,7 +4342,7 @@ static int btusb_probe(struct usb_interface *intf,
return -ENODEV;
}
- data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
+ data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data)
return -ENOMEM;
@@ -4365,8 +4365,10 @@ static int btusb_probe(struct usb_interface *intf,
}
}
- if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
+ if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) {
+ kfree(data);
return -ENODEV;
+ }
if (id->driver_info & BTUSB_AMP) {
data->cmdreq_type = USB_TYPE_CLASS | 0x01;
@@ -4421,8 +4423,10 @@ static int btusb_probe(struct usb_interface *intf,
data->recv_acl = hci_recv_frame;
hdev = hci_alloc_dev_priv(priv_size);
- if (!hdev)
+ if (!hdev) {
+ kfree(data);
return -ENOMEM;
+ }
hdev->bus = HCI_USB;
hci_set_drvdata(hdev, data);
@@ -4690,6 +4694,7 @@ static int btusb_probe(struct usb_interface *intf,
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
hci_free_dev(hdev);
+ kfree(data);
return err;
}
@@ -4738,6 +4743,7 @@ static void btusb_disconnect(struct usb_interface *intf)
}
hci_free_dev(hdev);
+ kfree(data);
}
#ifdef CONFIG_PM
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 508/737] net: mdio: aspeed: add dummy read to avoid read-after-write issue
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (506 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 507/737] Bluetooth: btusb: revert use of devm_kzalloc in btusb Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 509/737] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy Greg Kroah-Hartman
` (239 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacky Chou, Andrew Lunn, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacky Chou <jacky_chou@aspeedtech.com>
[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
The Aspeed MDIO controller may return incorrect data when a read operation
follows immediately after a write. Due to a controller bug, the subsequent
read can latch stale data, causing the polling logic to terminate earlier
than expected.
To work around this hardware issue, insert a dummy read after each write
operation. This ensures that the next actual read returns the correct
data and prevents premature polling exit.
This workaround has been verified to stabilize MDIO transactions on
affected Aspeed platforms.
Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mdio/mdio-aspeed.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
index c727103c8b05..339198a4dbc0 100644
--- a/drivers/net/mdio/mdio-aspeed.c
+++ b/drivers/net/mdio/mdio-aspeed.c
@@ -63,6 +63,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
+ /* Workaround for read-after-write issue.
+ * The controller may return stale data if a read follows immediately
+ * after a write. A dummy read forces the hardware to update its
+ * internal state, ensuring that the next real read returns correct data.
+ */
+ ioread32(ctx->base + ASPEED_MDIO_CTRL);
+
return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
!(ctrl & ASPEED_MDIO_CTRL_FIRE),
ASPEED_MDIO_INTERVAL_US,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 509/737] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 508/737] net: mdio: aspeed: add dummy read to avoid read-after-write issue Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 510/737] ip6_gre: make ip6gre_header() robust Greg Kroah-Hartman
` (238 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Moreno,
Toke Høiland-Jørgensen, Eelco Chaudron, Aaron Conole,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
The openvswitch teardown code will immediately call
ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
It will then start the dp_notify_work workqueue, which will later end up
calling the vport destroy() callback. This callback takes the RTNL to do
another ovs_netdev_detach_port(), which in this case is unnecessary.
This causes extra pressure on the RTNL, in some cases leading to
"unregister_netdevice: waiting for XX to become free" warnings on
teardown.
We can straight-forwardly avoid the extra RTNL lock acquisition by
checking the device flags before taking the lock, and skip the locking
altogether if the IFF_OVS_DATAPATH flag has already been unset.
Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister")
Tested-by: Adrian Moreno <amorenoz@redhat.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/vport-netdev.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
index 903537a5da22..3c41d53bb9e9 100644
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -153,10 +153,19 @@ void ovs_netdev_detach_dev(struct vport *vport)
static void netdev_destroy(struct vport *vport)
{
- rtnl_lock();
- if (netif_is_ovs_port(vport->dev))
- ovs_netdev_detach_dev(vport);
- rtnl_unlock();
+ /* When called from ovs_db_notify_wq() after a dp_device_event(), the
+ * port has already been detached, so we can avoid taking the RTNL by
+ * checking this first.
+ */
+ if (netif_is_ovs_port(vport->dev)) {
+ rtnl_lock();
+ /* Check again while holding the lock to ensure we don't race
+ * with the netdev notifier and detach twice.
+ */
+ if (netif_is_ovs_port(vport->dev))
+ ovs_netdev_detach_dev(vport);
+ rtnl_unlock();
+ }
call_rcu(&vport->rcu, vport_netdev_free);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 510/737] ip6_gre: make ip6gre_header() robust
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (508 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 509/737] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 511/737] platform/x86: msi-laptop: add missing sysfs_remove_group() Greg Kroah-Hartman
` (237 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+43a2ebcf2a64b1102d64,
Eric Dumazet, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
Over the years, syzbot found many ways to crash the kernel
in ip6gre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ip6gre device.
[1]
skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:213 !
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_gre.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 289b83347d9d..63ac4a8e095b 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1382,9 +1382,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
{
struct ip6_tnl *t = netdev_priv(dev);
struct ipv6hdr *ipv6h;
+ int needed;
__be16 *p;
- ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
+ needed = t->hlen + sizeof(*ipv6h);
+ if (skb_headroom(skb) < needed &&
+ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
+ 0, GFP_ATOMIC))
+ return -needed;
+
+ ipv6h = skb_push(skb, needed);
ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
t->fl.u.ip6.flowlabel,
true, &t->fl.u.ip6));
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 511/737] platform/x86: msi-laptop: add missing sysfs_remove_group()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (509 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 510/737] ip6_gre: make ip6gre_header() robust Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 512/737] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic Greg Kroah-Hartman
` (236 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Ilpo Järvinen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
A sysfs group is created in msi_init() when old_ec_model is enabled, but
never removed. Remove the msipf_old_attribute_group in that case.
Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/msi-laptop.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
index f4c6c36e05a5..2a8839135492 100644
--- a/drivers/platform/x86/msi-laptop.c
+++ b/drivers/platform/x86/msi-laptop.c
@@ -1130,6 +1130,9 @@ static void __exit msi_cleanup(void)
sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group);
if (!quirks->old_ec_model && threeg_exists)
device_remove_file(&msipf_device->dev, &dev_attr_threeg);
+ if (quirks->old_ec_model)
+ sysfs_remove_group(&msipf_device->dev.kobj,
+ &msipf_old_attribute_group);
platform_device_unregister(msipf_device);
platform_driver_unregister(&msipf_driver);
backlight_device_unregister(msibl_device);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 512/737] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (510 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 511/737] platform/x86: msi-laptop: add missing sysfs_remove_group() Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 513/737] team: fix check for port enabled in team_queue_override_port_prio_changed() Greg Kroah-Hartman
` (235 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
The ibm_rtl_init() function searches for the signature but has a pointer
arithmetic error. The loop counter suggests searching at 4-byte intervals
but the implementation only advances by 1 byte per iteration.
Fix by properly advancing the pointer by sizeof(unsigned int) bytes
each iteration.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/ibm_rtl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
index 2ab7d9ac542d..5fb25a602533 100644
--- a/drivers/platform/x86/ibm_rtl.c
+++ b/drivers/platform/x86/ibm_rtl.c
@@ -272,7 +272,7 @@ static int __init ibm_rtl_init(void) {
/* search for the _RTL_ signature at the start of the table */
for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) {
struct ibm_rtl_table __iomem * tmp;
- tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i);
+ tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int));
if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) {
phys_addr_t addr;
unsigned int plen;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 513/737] team: fix check for port enabled in team_queue_override_port_prio_changed()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (511 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 512/737] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 514/737] amd-xgbe: reset retries and mode on RX adapt failures Greg Kroah-Hartman
` (234 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+422806e5f4cce722a71f,
Jiri Pirko, Simon Horman, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Pirko <jiri@nvidia.com>
[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
There has been a syzkaller bug reported recently with the following
trace:
list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:59!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del_rcu include/linux/rculist.h:178 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
team_option_set drivers/net/team/team_core.c:376 [inline]
team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmsg+0x16d/0x220 net/socket.c:2716
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The problem is in this flow:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
-> team_port_disable()
-> team_queue_override_port_del()
-> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
-> team_queue_override_port_prio_changed()
-> checks: port disabled && queue_id != 0
-> calls del - hits the BUG as it is removed already
To fix this, change the check in team_queue_override_port_prio_changed()
so it returns early if port is not enabled.
Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/team/team.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index 1ce3bccd4ebd..9baa13808933 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -876,7 +876,7 @@ static void __team_queue_override_enabled_check(struct team *team)
static void team_queue_override_port_prio_changed(struct team *team,
struct team_port *port)
{
- if (!port->queue_id || team_port_enabled(port))
+ if (!port->queue_id || !team_port_enabled(port))
return;
__team_queue_override_port_del(team, port);
__team_queue_override_port_add(team, port);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 514/737] amd-xgbe: reset retries and mode on RX adapt failures
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (512 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 513/737] team: fix check for port enabled in team_queue_override_port_prio_changed() Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 515/737] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure Greg Kroah-Hartman
` (233 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raju Rangoju, Simon Horman,
Shyam Sundar S K, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raju Rangoju <Raju.Rangoju@amd.com>
[ Upstream commit df60c332caf95d70f967aeace826e7e2f0847361 ]
During the stress tests, early RX adaptation handshakes can fail, such
as missing the RX_ADAPT ACK or not receiving a coefficient update before
block lock is established. Continuing to retry RX adaptation in this
state is often ineffective if the current mode selection is not viable.
Resetting the RX adaptation retry counter when an RX_ADAPT request fails
to receive ACK or a coefficient update prior to block lock, and clearing
mode_set so the next bring-up performs a fresh mode selection rather
than looping on a likely invalid configuration.
Fixes: 4f3b20bfbb75 ("amd-xgbe: add support for rx-adaptation")
Signed-off-by: Raju Rangoju <Raju.Rangoju@amd.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
Link: https://patch.msgid.link/20251215151728.311713-1-Raju.Rangoju@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index 32e633d11348..6d2c401bb246 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -2036,6 +2036,7 @@ static void xgbe_set_rx_adap_mode(struct xgbe_prv_data *pdata,
{
if (pdata->rx_adapt_retries++ >= MAX_RX_ADAPT_RETRIES) {
pdata->rx_adapt_retries = 0;
+ pdata->mode_set = false;
return;
}
@@ -2082,6 +2083,7 @@ static void xgbe_rx_adaptation(struct xgbe_prv_data *pdata)
*/
netif_dbg(pdata, link, pdata->netdev, "Block_lock done");
pdata->rx_adapt_done = true;
+ pdata->rx_adapt_retries = 0;
pdata->mode_set = false;
return;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 515/737] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (513 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 514/737] amd-xgbe: reset retries and mode on RX adapt failures Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 516/737] selftests: net: fix "buffer overflow detected" for tap.c Greg Kroah-Hartman
` (232 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8dd915c7cb0490fc8c52,
Deepakkumar Karn, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepakkumar Karn <dkarn@redhat.com>
[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
In async_set_registers(), when usb_submit_urb() fails, the allocated
async_req structure and URB are not freed, causing a memory leak.
The completion callback async_set_reg_cb() is responsible for freeing
these allocations, but it is only called after the URB is successfully
submitted and completes (successfully or with error). If submission
fails, the callback never runs and the memory is leaked.
Fix this by freeing both the URB and the request structure in the error
path when usb_submit_urb() fails.
Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 278e6cb6f4d9..e40b0669d9f4 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
if (res == -ENODEV)
netif_device_detach(dev->netdev);
dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
+ kfree(req);
+ usb_free_urb(async_urb);
}
return res;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 516/737] selftests: net: fix "buffer overflow detected" for tap.c
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (514 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 515/737] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 517/737] smc91x: fix broken irq-context in PREEMPT_RT Greg Kroah-Hartman
` (231 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alice C. Munduruca, Cengiz Can,
Willem de Bruijn, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice C. Munduruca <alice.munduruca@canonical.com>
[ Upstream commit 472c5dd6b95c02b3e5d7395acf542150e91165e7 ]
When the selftest 'tap.c' is compiled with '-D_FORTIFY_SOURCE=3',
the strcpy() in rtattr_add_strsz() is replaced with a checked
version which causes the test to consistently fail when compiled
with toolchains for which this option is enabled by default.
TAP version 13
1..3
# Starting 3 tests from 1 test cases.
# RUN tap.test_packet_valid_udp_gso ...
*** buffer overflow detected ***: terminated
# test_packet_valid_udp_gso: Test terminated by assertion
# FAIL tap.test_packet_valid_udp_gso
not ok 1 tap.test_packet_valid_udp_gso
# RUN tap.test_packet_valid_udp_csum ...
*** buffer overflow detected ***: terminated
# test_packet_valid_udp_csum: Test terminated by assertion
# FAIL tap.test_packet_valid_udp_csum
not ok 2 tap.test_packet_valid_udp_csum
# RUN tap.test_packet_crash_tap_invalid_eth_proto ...
*** buffer overflow detected ***: terminated
# test_packet_crash_tap_invalid_eth_proto: Test terminated by assertion
# FAIL tap.test_packet_crash_tap_invalid_eth_proto
not ok 3 tap.test_packet_crash_tap_invalid_eth_proto
# FAILED: 0 / 3 tests passed.
# Totals: pass:0 fail:3 xfail:0 xpass:0 skip:0 error:0
A buffer overflow is detected by the fortified glibc __strcpy_chk()
since the __builtin_object_size() of `RTA_DATA(rta)` is incorrectly
reported as 1, even though there is ample space in its bounding
buffer `req`.
Additionally, given that IFLA_IFNAME also expects a null-terminated
string, callers of rtaddr_add_str{,sz}() could simply use the
rtaddr_add_strsz() variant. (which has been renamed to remove the
trailing `sz`) memset() has been used for this function since it
is unchecked and thus circumvents the issue discussed in the
previous paragraph.
Fixes: 2e64fe4624d1 ("selftests: add few test cases for tap driver")
Signed-off-by: Alice C. Munduruca <alice.munduruca@canonical.com>
Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20251216170641.250494-1-alice.munduruca@canonical.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/tap.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/tools/testing/selftests/net/tap.c b/tools/testing/selftests/net/tap.c
index 247c3b3ac1c9..51a209014f1c 100644
--- a/tools/testing/selftests/net/tap.c
+++ b/tools/testing/selftests/net/tap.c
@@ -56,18 +56,12 @@ static void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
static struct rtattr *rtattr_add_str(struct nlmsghdr *nh, unsigned short type,
const char *s)
{
- struct rtattr *rta = rtattr_add(nh, type, strlen(s));
+ unsigned int strsz = strlen(s) + 1;
+ struct rtattr *rta;
- memcpy(RTA_DATA(rta), s, strlen(s));
- return rta;
-}
-
-static struct rtattr *rtattr_add_strsz(struct nlmsghdr *nh, unsigned short type,
- const char *s)
-{
- struct rtattr *rta = rtattr_add(nh, type, strlen(s) + 1);
+ rta = rtattr_add(nh, type, strsz);
- strcpy(RTA_DATA(rta), s);
+ memcpy(RTA_DATA(rta), s, strsz);
return rta;
}
@@ -119,7 +113,7 @@ static int dev_create(const char *dev, const char *link_type,
link_info = rtattr_begin(&req.nh, IFLA_LINKINFO);
- rtattr_add_strsz(&req.nh, IFLA_INFO_KIND, link_type);
+ rtattr_add_str(&req.nh, IFLA_INFO_KIND, link_type);
if (fill_info_data) {
info_data = rtattr_begin(&req.nh, IFLA_INFO_DATA);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 517/737] smc91x: fix broken irq-context in PREEMPT_RT
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (515 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 516/737] selftests: net: fix "buffer overflow detected" for tap.c Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 518/737] genalloc.h: fix htmldocs warning Greg Kroah-Hartman
` (230 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yeoreum Yun, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yeoreum Yun <yeoreum.yun@arm.com>
[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ]
When smc91x.c is built with PREEMPT_RT, the following splat occurs
in FVP_RevC:
[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
[ 13.062266] C
** replaying previous printk message **
[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
[ 13.062353] Hardware name: , BIOS
[ 13.062382] Workqueue: mld mld_ifc_work
[ 13.062469] Call trace:
[ 13.062494] show_stack+0x24/0x40 (C)
[ 13.062602] __dump_stack+0x28/0x48
[ 13.062710] dump_stack_lvl+0x7c/0xb0
[ 13.062818] dump_stack+0x18/0x34
[ 13.062926] process_scheduled_works+0x294/0x450
[ 13.063043] worker_thread+0x260/0x3d8
[ 13.063124] kthread+0x1c4/0x228
[ 13.063235] ret_from_fork+0x10/0x20
This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: <linux/spinlock_rt.h>")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/smsc/smc91x.c | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c
index 032eccf8eb42..7c2fdd02f1d3 100644
--- a/drivers/net/ethernet/smsc/smc91x.c
+++ b/drivers/net/ethernet/smsc/smc91x.c
@@ -515,15 +515,7 @@ static inline void smc_rcv(struct net_device *dev)
* any other concurrent access and C would always interrupt B. But life
* isn't that easy in a SMP world...
*/
-#define smc_special_trylock(lock, flags) \
-({ \
- int __ret; \
- local_irq_save(flags); \
- __ret = spin_trylock(lock); \
- if (!__ret) \
- local_irq_restore(flags); \
- __ret; \
-})
+#define smc_special_trylock(lock, flags) spin_trylock_irqsave(lock, flags)
#define smc_special_lock(lock, flags) spin_lock_irqsave(lock, flags)
#define smc_special_unlock(lock, flags) spin_unlock_irqrestore(lock, flags)
#else
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 518/737] genalloc.h: fix htmldocs warning
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (516 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 517/737] smc91x: fix broken irq-context in PREEMPT_RT Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 519/737] firewire: nosy: Fix dma_free_coherent() size Greg Kroah-Hartman
` (229 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Randy Dunlap,
Alexey Skidanov, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Morton <akpm@linux-foundation.org>
[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Alexey Skidanov <alexey.skidanov@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/genalloc.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h
index 0bd581003cd5..60de63e46b33 100644
--- a/include/linux/genalloc.h
+++ b/include/linux/genalloc.h
@@ -44,6 +44,7 @@ struct gen_pool;
* @nr: The number of zeroed bits we're looking for
* @data: optional additional data used by the callback
* @pool: the pool being allocated from
+ * @start_addr: start address of memory chunk
*/
typedef unsigned long (*genpool_algo_t)(unsigned long *map,
unsigned long size,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 519/737] firewire: nosy: Fix dma_free_coherent() size
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (517 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 518/737] genalloc.h: fix htmldocs warning Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 520/737] net: dsa: b53: skip multicast entries for fdb_dump() Greg Kroah-Hartman
` (228 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Christophe JAILLET,
Takashi Sakamoto, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
It looks like the buffer allocated and mapped in add_card() is done
with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firewire/nosy.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
index ea31ac7ac1ca..e59053738a43 100644
--- a/drivers/firewire/nosy.c
+++ b/drivers/firewire/nosy.c
@@ -36,6 +36,8 @@
static char driver_name[] = KBUILD_MODNAME;
+#define RCV_BUFFER_SIZE (16 * 1024)
+
/* this is the physical layout of a PCL, its size is 128 bytes */
struct pcl {
__le32 next;
@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev)
lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
lynx->rcv_pcl, lynx->rcv_pcl_bus);
- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
- lynx->rcv_buffer_bus);
+ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
+ lynx->rcv_buffer, lynx->rcv_buffer_bus);
iounmap(lynx->registers);
pci_disable_device(dev);
lynx_put(lynx);
}
-#define RCV_BUFFER_SIZE (16 * 1024)
-
static int
add_card(struct pci_dev *dev, const struct pci_device_id *unused)
{
@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
lynx->rcv_pcl, lynx->rcv_pcl_bus);
if (lynx->rcv_buffer)
- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
+ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
lynx->rcv_buffer, lynx->rcv_buffer_bus);
iounmap(lynx->registers);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 520/737] net: dsa: b53: skip multicast entries for fdb_dump()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (518 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 519/737] firewire: nosy: Fix dma_free_coherent() size Greg Kroah-Hartman
@ 2026-01-09 11:40 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 521/737] net: usb: asix: validate PHY address before use Greg Kroah-Hartman
` (227 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:40 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Florian Fainelli,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
port_fdb_dump() is supposed to only add fdb entries, but we iterate over
the full ARL table, which also includes multicast entries.
So check if the entry is a multicast entry before passing it on to the
callback().
Additionally, the port of those entries is a bitmask, not a port number,
so any included entries would have even be for the wrong port.
Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index ffe8db7c2f1f..ee20f6487a02 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -1846,6 +1846,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent,
if (!ent->is_valid)
return 0;
+ if (is_multicast_ether_addr(ent->mac))
+ return 0;
+
if (port != ent->port)
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 521/737] net: usb: asix: validate PHY address before use
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (519 preceding siblings ...)
2026-01-09 11:40 ` [PATCH 6.6 520/737] net: dsa: b53: skip multicast entries for fdb_dump() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 522/737] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct Greg Kroah-Hartman
` (226 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3d43c9066a5b54902232,
Deepanshu Kartikey, Andrew Lunn, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]
The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():
addr 207 out of range
WARNING: drivers/net/phy/mdio_bus.c:76
Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.
Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/asix_common.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
index 7fd763917ae2..6ab3486072cb 100644
--- a/drivers/net/usb/asix_common.c
+++ b/drivers/net/usb/asix_common.c
@@ -335,6 +335,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
offset = (internal ? 1 : 0);
ret = buf[offset];
+ if (ret >= PHY_MAX_ADDR) {
+ netdev_err(dev->net, "invalid PHY address: %d\n", ret);
+ return -ENODEV;
+ }
+
netdev_dbg(dev->net, "%s PHY address 0x%x\n",
internal ? "internal" : "external", ret);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 522/737] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (520 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 521/737] net: usb: asix: validate PHY address before use Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 523/737] platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing Greg Kroah-Hartman
` (225 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bagas Sanjaya, Nikolay Aleksandrov,
Ido Schimmel, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
Sphinx reports kernel-doc warning:
WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
Fix it by describing @tunnel_hash member.
Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support")
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_private.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index c8a4e3b39b0e..371a948d29cc 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -245,6 +245,7 @@ struct net_bridge_vlan {
* struct net_bridge_vlan_group
*
* @vlan_hash: VLAN entry rhashtable
+ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN
* @vlan_list: sorted VLAN entry list
* @num_vlans: number of total VLAN entries
* @pvid: PVID VLAN id
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 523/737] platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (521 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 522/737] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 524/737] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" Greg Kroah-Hartman
` (224 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit e44c42c830b7ab36e3a3a86321c619f24def5206 ]
The hp_populate_*_elements_from_package() functions in the hp-bioscfg
driver contain out-of-bounds array access vulnerabilities.
These functions parse ACPI packages into internal data structures using
a for loop with index variable 'elem' that iterates through
enum_obj/integer_obj/order_obj/password_obj/string_obj arrays.
When processing multi-element fields like PREREQUISITES and
ENUM_POSSIBLE_VALUES, these functions read multiple consecutive array
elements using expressions like 'enum_obj[elem + reqs]' and
'enum_obj[elem + pos_values]' within nested loops.
The bug is that the bounds check only validated elem, but did not consider
the additional offset when accessing elem + reqs or elem + pos_values.
The fix changes the bounds check to validate the actual accessed index.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: e6c7b3e15559 ("platform/x86: hp-bioscfg: string-attributes")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB788173D7DD4EA2CB6383683DAFB0A@SYBPR01MB7881.ausprd01.prod.outlook.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c | 4 ++--
drivers/platform/x86/hp/hp-bioscfg/int-attributes.c | 2 +-
drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 5 +++++
drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c | 5 +++++
drivers/platform/x86/hp/hp-bioscfg/string-attributes.c | 2 +-
5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
index a2402d31c146..20de4596e301 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/enum-attributes.c
@@ -210,7 +210,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
case PREREQUISITES:
size = min_t(u32, enum_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
- if (elem >= enum_obj_count) {
+ if (elem + reqs >= enum_obj_count) {
pr_err("Error enum-objects package is too small\n");
return -EINVAL;
}
@@ -261,7 +261,7 @@ static int hp_populate_enumeration_elements_from_package(union acpi_object *enum
for (pos_values = 0; pos_values < size && pos_values < MAX_VALUES_SIZE;
pos_values++) {
- if (elem >= enum_obj_count) {
+ if (elem + pos_values >= enum_obj_count) {
pr_err("Error enum-objects package is too small\n");
return -EINVAL;
}
diff --git a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
index 86b7ac63fec2..875a807ccb89 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/int-attributes.c
@@ -228,7 +228,7 @@ static int hp_populate_integer_elements_from_package(union acpi_object *integer_
size = min_t(u32, integer_data->common.prerequisites_size, MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
- if (elem >= integer_obj_count) {
+ if (elem + reqs >= integer_obj_count) {
pr_err("Error elem-objects package is too small\n");
return -EINVAL;
}
diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
index 1ff09dfb7d7e..94a95ee57810 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
@@ -220,6 +220,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord
size = min_t(u32, ordered_list_data->common.prerequisites_size,
MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
+ if (elem + reqs >= order_obj_count) {
+ pr_err("Error elem-objects package is too small\n");
+ return -EINVAL;
+ }
+
ret = hp_convert_hexstr_to_str(order_obj[elem + reqs].string.pointer,
order_obj[elem + reqs].string.length,
&str_value, &value_len);
diff --git a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
index 03d0188804ba..6775a7ca74f5 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/passwdobj-attributes.c
@@ -309,6 +309,11 @@ static int hp_populate_password_elements_from_package(union acpi_object *passwor
MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
+ if (elem + reqs >= password_obj_count) {
+ pr_err("Error elem-objects package is too small\n");
+ return -EINVAL;
+ }
+
ret = hp_convert_hexstr_to_str(password_obj[elem + reqs].string.pointer,
password_obj[elem + reqs].string.length,
&str_value, &value_len);
diff --git a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
index f0c20070094d..5b3eac7f1685 100644
--- a/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/string-attributes.c
@@ -219,7 +219,7 @@ static int hp_populate_string_elements_from_package(union acpi_object *string_ob
MAX_PREREQUISITES_SIZE);
for (reqs = 0; reqs < size; reqs++) {
- if (elem >= string_obj_count) {
+ if (elem + reqs >= string_obj_count) {
pr_err("Error elem-objects package is too small\n");
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 524/737] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (522 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 523/737] platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 525/737] net: stmmac: fix the crash issue for zero copy XDP_TX action Greg Kroah-Hartman
` (223 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anshumali Gaur, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anshumali Gaur <agaur@marvell.com>
[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
This patch ensures that the RX ring size (rx_pending) is not
set below the permitted length. This avoids UBSAN
shift-out-of-bounds errors when users passes small or zero
ring sizes via ethtool -G.
Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
Signed-off-by: Anshumali Gaur <agaur@marvell.com>
Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
index 532e84bc38c7..bd01c538f208 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
@@ -432,6 +432,14 @@ static int otx2_set_ringparam(struct net_device *netdev,
*/
if (rx_count < pfvf->hw.rq_skid)
rx_count = pfvf->hw.rq_skid;
+
+ if (ring->rx_pending < 16) {
+ netdev_err(netdev,
+ "rx ring size %u invalid, min is 16\n",
+ ring->rx_pending);
+ return -EINVAL;
+ }
+
rx_count = Q_COUNT(Q_SIZE(rx_count, 3));
/* Due pipelining impact minimum 2000 unused SQ CQE's
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 525/737] net: stmmac: fix the crash issue for zero copy XDP_TX action
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (523 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 524/737] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 526/737] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() Greg Kroah-Hartman
` (222 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Fang, Hariprasad Kelam,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit a48e232210009be50591fdea8ba7c07b0f566a13 ]
There is a crash issue when running zero copy XDP_TX action, the crash
log is shown below.
[ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000
[ 216.187524] Internal error: Oops: 0000000096000144 [#1] SMP
[ 216.301694] Call trace:
[ 216.304130] dcache_clean_poc+0x20/0x38 (P)
[ 216.308308] __dma_sync_single_for_device+0x1bc/0x1e0
[ 216.313351] stmmac_xdp_xmit_xdpf+0x354/0x400
[ 216.317701] __stmmac_xdp_run_prog+0x164/0x368
[ 216.322139] stmmac_napi_poll_rxtx+0xba8/0xf00
[ 216.326576] __napi_poll+0x40/0x218
[ 216.408054] Kernel panic - not syncing: Oops: Fatal exception in interrupt
For XDP_TX action, the xdp_buff is converted to xdp_frame by
xdp_convert_buff_to_frame(). The memory type of the resulting xdp_frame
depends on the memory type of the xdp_buff. For page pool based xdp_buff
it produces xdp_frame with memory type MEM_TYPE_PAGE_POOL. For zero copy
XSK pool based xdp_buff it produces xdp_frame with memory type
MEM_TYPE_PAGE_ORDER0. However, stmmac_xdp_xmit_back() does not check the
memory type and always uses the page pool type, this leads to invalid
mappings and causes the crash. Therefore, check the xdp_buff memory type
in stmmac_xdp_xmit_back() to fix this issue.
Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
Link: https://patch.msgid.link/20251204071332.1907111-1-wei.fang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/stmicro/stmmac/stmmac_main.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 255c95988675..7a8861d77e04 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -87,6 +87,7 @@ MODULE_PARM_DESC(phyaddr, "Physical device address");
#define STMMAC_XDP_CONSUMED BIT(0)
#define STMMAC_XDP_TX BIT(1)
#define STMMAC_XDP_REDIRECT BIT(2)
+#define STMMAC_XSK_CONSUMED BIT(3)
static int flow_ctrl = FLOW_AUTO;
module_param(flow_ctrl, int, 0644);
@@ -4875,6 +4876,7 @@ static int stmmac_xdp_get_tx_queue(struct stmmac_priv *priv,
static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
struct xdp_buff *xdp)
{
+ bool zc = !!(xdp->rxq->mem.type == MEM_TYPE_XSK_BUFF_POOL);
struct xdp_frame *xdpf = xdp_convert_buff_to_frame(xdp);
int cpu = smp_processor_id();
struct netdev_queue *nq;
@@ -4891,9 +4893,18 @@ static int stmmac_xdp_xmit_back(struct stmmac_priv *priv,
/* Avoids TX time-out as we are sharing with slow path */
txq_trans_cond_update(nq);
- res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, false);
- if (res == STMMAC_XDP_TX)
+ /* For zero copy XDP_TX action, dma_map is true */
+ res = stmmac_xdp_xmit_xdpf(priv, queue, xdpf, zc);
+ if (res == STMMAC_XDP_TX) {
stmmac_flush_tx_descriptors(priv, queue);
+ } else if (res == STMMAC_XDP_CONSUMED && zc) {
+ /* xdp has been freed by xdp_convert_buff_to_frame(),
+ * no need to call xsk_buff_free() again, so return
+ * STMMAC_XSK_CONSUMED.
+ */
+ res = STMMAC_XSK_CONSUMED;
+ xdp_return_frame(xdpf);
+ }
__netif_tx_unlock(nq);
@@ -5239,6 +5250,8 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
break;
case STMMAC_XDP_CONSUMED:
xsk_buff_free(buf->xdp);
+ fallthrough;
+ case STMMAC_XSK_CONSUMED:
rx_dropped++;
break;
case STMMAC_XDP_TX:
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 526/737] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (524 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 525/737] net: stmmac: fix the crash issue for zero copy XDP_TX action Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 527/737] ipv4: Fix reference count leak when using error routes with nexthop objects Greg Kroah-Hartman
` (221 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Moore, Will Rosenberg,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Rosenberg <whrosenb@asu.edu>
[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/calipso.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index 24666291c54a..72079ef2959b 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
/* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
pad = ((new_end & 4) + (end & 7)) & 7;
len_delta = new_end - (int)end + pad;
- ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
+ ret_val = skb_cow(skb,
+ skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
if (ret_val < 0)
return ret_val;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 527/737] ipv4: Fix reference count leak when using error routes with nexthop objects
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (525 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 526/737] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 528/737] net: rose: fix invalid array index in rose_kill_by_device() Greg Kroah-Hartman
` (220 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tetsuo Handa,
syzbot+881d65229ca4f9ae8c84, Ido Schimmel, David Ahern,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.
The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:
# ip link add name dummy1 up type dummy
# ip nexthop add id 1 dev dummy1
# ip route add 198.51.100.1/32 nhid 1
# ip route add blackhole 198.51.100.2/32 nhid 1
# ip nexthop del id 1
# ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1
As such, they keep holding a reference on the nexthop object which in
turn holds a reference on the nexthop device, resulting in a reference
count leak:
# ip link del dev dummy1
[ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/fib_trie.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index fa54b36b241a..4d148d089232 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -2059,10 +2059,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
continue;
}
- /* Do not flush error routes if network namespace is
- * not being dismantled
+ /* When not flushing the entire table, skip error
+ * routes that are not marked for deletion.
*/
- if (!flush_all && fib_props[fa->fa_type].error) {
+ if (!flush_all && fib_props[fa->fa_type].error &&
+ !(fi->fib_flags & RTNH_F_DEAD)) {
slen = fa->fa_slen;
continue;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 528/737] net: rose: fix invalid array index in rose_kill_by_device()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (526 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 527/737] ipv4: Fix reference count leak when using error routes with nexthop objects Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 529/737] RDMA/irdma: avoid invalid read in irdma_net_event Greg Kroah-Hartman
` (219 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fatma Alwasmi, Pwnverse, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pwnverse <stanksal@purdue.edu>
[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ]
rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.
The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().
Fix the index to use i.
Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
Signed-off-by: Pwnverse <stanksal@purdue.edu>
Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rose/af_rose.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 614695444b6a..1cc5eaeb1c60 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -205,7 +205,7 @@ static void rose_kill_by_device(struct net_device *dev)
spin_unlock_bh(&rose_list_lock);
for (i = 0; i < cnt; i++) {
- sk = array[cnt];
+ sk = array[i];
rose = rose_sk(sk);
lock_sock(sk);
spin_lock_bh(&rose_list_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 529/737] RDMA/irdma: avoid invalid read in irdma_net_event
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (527 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 528/737] net: rose: fix invalid array index in rose_kill_by_device() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 530/737] RDMA/efa: Remove possible negative shift Greg Kroah-Hartman
` (218 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Jason Gunthorpe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ]
irdma_net_event() should not dereference anything from "neigh" (alias
"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
Other events come with different structures pointed to by "ptr" and they
may be smaller than struct neighbour.
Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
The bug is mostly harmless, but it triggers KASAN on debug kernels:
BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
Hardware name: [...]
Workqueue: events rt6_probe_deferred
Call Trace:
<IRQ>
dump_stack_lvl+0x60/0xb0
print_address_description.constprop.0+0x2c/0x3f0
print_report+0xb4/0x270
kasan_report+0x92/0xc0
irdma_net_event+0x32e/0x3b0 [irdma]
notifier_call_chain+0x9e/0x180
atomic_notifier_call_chain+0x5c/0x110
rt6_do_redirect+0xb91/0x1080
tcp_v6_err+0xe9b/0x13e0
icmpv6_notify+0x2b2/0x630
ndisc_redirect_rcv+0x328/0x530
icmpv6_rcv+0xc16/0x1360
ip6_protocol_deliver_rcu+0xb84/0x12e0
ip6_input_finish+0x117/0x240
ip6_input+0xc4/0x370
ipv6_rcv+0x420/0x7d0
__netif_receive_skb_one_core+0x118/0x1b0
process_backlog+0xd1/0x5d0
__napi_poll.constprop.0+0xa3/0x440
net_rx_action+0x78a/0xba0
handle_softirqs+0x2d4/0x9c0
do_softirq+0xad/0xe0
</IRQ>
Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/utils.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
index 6cd5cb85dafe..91ed7edcd788 100644
--- a/drivers/infiniband/hw/irdma/utils.c
+++ b/drivers/infiniband/hw/irdma/utils.c
@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
void *ptr)
{
struct neighbour *neigh = ptr;
- struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev;
+ struct net_device *real_dev, *netdev;
struct irdma_device *iwdev;
struct ib_device *ibdev;
__be32 *p;
@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
switch (event) {
case NETEVENT_NEIGH_UPDATE:
+ netdev = neigh->dev;
real_dev = rdma_vlan_dev_real_dev(netdev);
if (!real_dev)
real_dev = netdev;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 530/737] RDMA/efa: Remove possible negative shift
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (528 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 529/737] RDMA/irdma: avoid invalid read in irdma_net_event Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 531/737] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() Greg Kroah-Hartman
` (217 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Sela, Yonatan Nachum,
Michael Margolin, Gal Pressman, Jason Gunthorpe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Margolin <mrgolin@amazon.com>
[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
The page size used for device might in some cases be smaller than
PAGE_SIZE what results in a negative shift when calculating the number of
host pages in PAGE_SIZE for a debug log. Remove the debug line together
with the calculation.
Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
Reviewed-by: Tom Sela <tomsela@amazon.com>
Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
Signed-off-by: Michael Margolin <mrgolin@amazon.com>
Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/efa/efa_verbs.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
index 0f8ca99d0827..2a5b93ef4b33 100644
--- a/drivers/infiniband/hw/efa/efa_verbs.c
+++ b/drivers/infiniband/hw/efa/efa_verbs.c
@@ -1224,13 +1224,9 @@ static int umem_to_page_list(struct efa_dev *dev,
u32 hp_cnt,
u8 hp_shift)
{
- u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT);
struct ib_block_iter biter;
unsigned int hp_idx = 0;
- ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n",
- hp_cnt, pages_in_hp);
-
rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift))
page_list[hp_idx++] = rdma_block_iter_dma_address(&biter);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 531/737] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (529 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 530/737] RDMA/efa: Remove possible negative shift Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 532/737] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() Greg Kroah-Hartman
` (216 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jang Ingyu, Leon Romanovsky,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jang Ingyu <ingyujang25@korea.ac.kr>
[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ]
Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the
conditional statement. The constant was used directly instead of
being compared with net_type, causing the condition to always
evaluate to true.
Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr>
Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
index 6567d4375128..615b73f038bb 100644
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -735,7 +735,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr,
(struct in6_addr *)dgid);
return 0;
} else if (net_type == RDMA_NETWORK_IPV6 ||
- net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) {
+ net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) {
*dgid = hdr->ibgrh.dgid;
*sgid = hdr->ibgrh.sgid;
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 532/737] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (530 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 531/737] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 533/737] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send Greg Kroah-Hartman
` (215 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Kalesh AP,
Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ]
RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking
!creq_db->reg.bar_id is incorrect and always false.
pci_resource_start() returns the BAR base address, and a value of 0
indicates that the BAR is unassigned. Update the condition to test
bar_base == 0 instead.
This ensures the driver detects and logs an error for an unassigned
RCFW communication BAR.
Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
index e82bd37158ad..2accda5a04a1 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
@@ -1116,7 +1116,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt)
creq_db->dbinfo.flags = 0;
creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION;
creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id);
- if (!creq_db->reg.bar_id)
+ if (!creq_db->reg.bar_base)
dev_err(&pdev->dev,
"QPLIB: CREQ BAR region %d resc start is 0!",
creq_db->reg.bar_id);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 533/737] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (531 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 532/737] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 534/737] RDMA/bnxt_re: Fix to use correct page size for PDE table Greg Kroah-Hartman
` (214 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Kalesh AP,
Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
The bnxt_re SEND path checks wr->send_flags to enable features such as
IP checksum offload. However, send_flags is a bitmask and may contain
multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
existing code uses a switch() statement that only matches when
send_flags is exactly IB_SEND_IP_CSUM.
As a result, checksum offload is not enabled when additional SEND
flags are present.
Replace the switch() with a bitmask test:
if (wr->send_flags & IB_SEND_IP_CSUM)
This ensures IP checksum offload is enabled correctly when multiple
SEND flags are used.
Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
index 31fff5885f1a..5a4644f7ad98 100644
--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
@@ -2771,14 +2771,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr,
wqe.rawqp1.lflags |=
SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC;
}
- switch (wr->send_flags) {
- case IB_SEND_IP_CSUM:
+ if (wr->send_flags & IB_SEND_IP_CSUM)
wqe.rawqp1.lflags |=
SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM;
- break;
- default:
- break;
- }
fallthrough;
case IB_WR_SEND_WITH_INV:
rc = bnxt_re_build_send_wqe(qp, wr, &wqe);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 534/737] RDMA/bnxt_re: Fix to use correct page size for PDE table
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (532 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 533/737] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 535/737] ksmbd: Fix memory leak in get_file_all_info() Greg Kroah-Hartman
` (213 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damodharam Ammepalli, Kalesh AP,
Selvin Xavier, Leon Romanovsky, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ]
In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table
driver incorrectly is using the "pg_size" value passed to the function.
Fixed to use the right value 4K. Also, fixed the allocation size for
PBL table.
Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
Signed-off-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com
Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index 77da7cf34427..1c56a0107d1e 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -243,7 +243,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
if (npbl % BIT(MAX_PDL_LVL_SHIFT))
npde++;
/* Alloc PDE pages */
- sginfo.pgsize = npde * pg_size;
+ sginfo.pgsize = npde * ROCE_PG_SIZE_4K;
sginfo.npages = 1;
rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
if (rc)
@@ -251,7 +251,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
/* Alloc PBL pages */
sginfo.npages = npbl;
- sginfo.pgsize = PAGE_SIZE;
+ sginfo.pgsize = ROCE_PG_SIZE_4K;
rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo);
if (rc)
goto fail;
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 535/737] ksmbd: Fix memory leak in get_file_all_info()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (533 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 534/737] RDMA/bnxt_re: Fix to use correct page size for PDE table Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 536/737] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation Greg Kroah-Hartman
` (212 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Namjae Jeon,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 0c56693b06a68476ba113db6347e7897475f9e4c ]
In get_file_all_info(), if vfs_getattr() fails, the function returns
immediately without freeing the allocated filename, leading to a memory
leak.
Fix this by freeing the filename before returning in this error case.
Fixes: 5614c8c487f6a ("ksmbd: replace generic_fillattr with vfs_getattr")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/smb2pdu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c
index 3ed78decdca4..f4b3798279d9 100644
--- a/fs/smb/server/smb2pdu.c
+++ b/fs/smb/server/smb2pdu.c
@@ -4912,8 +4912,10 @@ static int get_file_all_info(struct ksmbd_work *work,
ret = vfs_getattr(&fp->filp->f_path, &stat, STATX_BASIC_STATS,
AT_STATX_SYNC_AS_STAT);
- if (ret)
+ if (ret) {
+ kfree(filename);
return ret;
+ }
ksmbd_debug(SMB, "filename = %s\n", filename);
delete_pending = ksmbd_inode_pending_delete(fp);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 536/737] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (534 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 535/737] ksmbd: Fix memory leak in get_file_all_info() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 537/737] RDMA/bnxt_re: fix dma_free_coherent() pointer Greg Kroah-Hartman
` (211 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Honggang LI, Leon Romanovsky,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Honggang LI <honggangli@163.com>
[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ]
If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift]
are zero, the `min3` function will set clt_path::max_pages_per_mr to
zero.
`alloc_path_reqs` will pass zero, which is invalid, as the third parameter
to `ib_alloc_mr`.
Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
Signed-off-by: Honggang LI <honggangli@163.com>
Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
index 82aa47efb807..eaf911e2ffa9 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
@@ -1465,6 +1465,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path)
mr_page_shift = max(12, ffs(ib_dev->attrs.page_size_cap) - 1);
max_pages_per_mr = ib_dev->attrs.max_mr_size;
do_div(max_pages_per_mr, (1ull << mr_page_shift));
+ max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX);
clt_path->max_pages_per_mr =
min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr,
ib_dev->attrs.max_fast_reg_page_list_len);
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 537/737] RDMA/bnxt_re: fix dma_free_coherent() pointer
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (535 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 536/737] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 538/737] blk-mq: dont schedule block kworker on isolated CPUs Greg Kroah-Hartman
` (210 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Leon Romanovsky,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ]
The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i].
The dma_free_coherent() should pass the same buffer to
dma_free_coherent() and not page-aligned.
Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index 1c56a0107d1e..d2c8f21468dc 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl,
for (i = 0; i < pbl->pg_count; i++) {
if (pbl->pg_arr[i])
dma_free_coherent(&pdev->dev, pbl->pg_size,
- (void *)((unsigned long)
- pbl->pg_arr[i] &
- PAGE_MASK),
+ pbl->pg_arr[i],
pbl->pg_map_arr[i]);
else
dev_warn(&pdev->dev,
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 538/737] blk-mq: dont schedule block kworker on isolated CPUs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (536 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 537/737] RDMA/bnxt_re: fix dma_free_coherent() pointer Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 539/737] blk-mq: skip CPU offline notify on unmapped hctx Greg Kroah-Hartman
` (209 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Chen, Juri Lelli, Andrew Theurer,
Joe Mario, Sebastian Jug, Frederic Weisbecker, Bart Van Assche,
Tejun Heo, Ming Lei, Ewan D. Milne, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit a46c27026da10a126dd870f7b65380010bd20db5 ]
Kernel parameter of `isolcpus=` or 'nohz_full=' are used to isolate CPUs
for specific task, and it isn't expected to let block IO disturb these CPUs.
blk-mq kworker shouldn't be scheduled on isolated CPUs. Also if isolated
CPUs is run for blk-mq kworker, long block IO latency can be caused.
Kernel workqueue only respects CPU isolation for WQ_UNBOUND, for bound
WQ, the responsibility is on user because CPU is specified as WQ API
parameter, such as mod_delayed_work_on(cpu), queue_delayed_work_on(cpu)
and queue_work_on(cpu).
So not run blk-mq kworker on isolated CPUs by removing isolated CPUs
from hctx->cpumask. Meantime use queue map to check if all CPUs in this
hw queue are offline instead of hctx->cpumask, this way can avoid any
cost in fast IO code path, and is safe since hctx->cpumask are only
used in the two cases.
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Juri Lelli <juri.lelli@redhat.com>
Cc: Andrew Theurer <atheurer@redhat.com>
Cc: Joe Mario <jmario@redhat.com>
Cc: Sebastian Jug <sejug@redhat.com>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Bart Van Assche <bvanassche@acm.org>
Cc: Tejun Heo <tj@kernel.org>
Tesed-by: Joe Mario <jmario@redhat.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Link: https://lore.kernel.org/r/20240322021244.1056223-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 10845a105bbc ("blk-mq: skip CPU offline notify on unmapped hctx")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 57 +++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 47 insertions(+), 10 deletions(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 01fe1e715669..a3cd5079557b 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -30,6 +30,7 @@
#include <linux/prefetch.h>
#include <linux/blk-crypto.h>
#include <linux/part_stat.h>
+#include <linux/sched/isolation.h>
#include <trace/events/block.h>
@@ -2193,6 +2194,15 @@ static inline int blk_mq_first_mapped_cpu(struct blk_mq_hw_ctx *hctx)
return cpu;
}
+/*
+ * ->next_cpu is always calculated from hctx->cpumask, so simply use
+ * it for speeding up the check
+ */
+static bool blk_mq_hctx_empty_cpumask(struct blk_mq_hw_ctx *hctx)
+{
+ return hctx->next_cpu >= nr_cpu_ids;
+}
+
/*
* It'd be great if the workqueue API had a way to pass
* in a mask and had some smarts for more clever placement.
@@ -2204,7 +2214,8 @@ static int blk_mq_hctx_next_cpu(struct blk_mq_hw_ctx *hctx)
bool tried = false;
int next_cpu = hctx->next_cpu;
- if (hctx->queue->nr_hw_queues == 1)
+ /* Switch to unbound if no allowable CPUs in this hctx */
+ if (hctx->queue->nr_hw_queues == 1 || blk_mq_hctx_empty_cpumask(hctx))
return WORK_CPU_UNBOUND;
if (--hctx->next_cpu_batch <= 0) {
@@ -3535,14 +3546,30 @@ static bool blk_mq_hctx_has_requests(struct blk_mq_hw_ctx *hctx)
return data.has_rq;
}
-static inline bool blk_mq_last_cpu_in_hctx(unsigned int cpu,
- struct blk_mq_hw_ctx *hctx)
+static bool blk_mq_hctx_has_online_cpu(struct blk_mq_hw_ctx *hctx,
+ unsigned int this_cpu)
{
- if (cpumask_first_and(hctx->cpumask, cpu_online_mask) != cpu)
- return false;
- if (cpumask_next_and(cpu, hctx->cpumask, cpu_online_mask) < nr_cpu_ids)
- return false;
- return true;
+ enum hctx_type type = hctx->type;
+ int cpu;
+
+ /*
+ * hctx->cpumask has to rule out isolated CPUs, but userspace still
+ * might submit IOs on these isolated CPUs, so use the queue map to
+ * check if all CPUs mapped to this hctx are offline
+ */
+ for_each_online_cpu(cpu) {
+ struct blk_mq_hw_ctx *h = blk_mq_map_queue_type(hctx->queue,
+ type, cpu);
+
+ if (h != hctx)
+ continue;
+
+ /* this hctx has at least one online CPU */
+ if (this_cpu != cpu)
+ return true;
+ }
+
+ return false;
}
static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
@@ -3551,8 +3578,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
struct blk_mq_hw_ctx, cpuhp_online);
int ret = 0;
- if (!cpumask_test_cpu(cpu, hctx->cpumask) ||
- !blk_mq_last_cpu_in_hctx(cpu, hctx))
+ if (blk_mq_hctx_has_online_cpu(hctx, cpu))
return 0;
/*
@@ -4045,6 +4071,8 @@ static void blk_mq_map_swqueue(struct request_queue *q)
}
queue_for_each_hw_ctx(q, hctx, i) {
+ int cpu;
+
/*
* If no software queues are mapped to this hardware queue,
* disable it and free the request entries.
@@ -4071,6 +4099,15 @@ static void blk_mq_map_swqueue(struct request_queue *q)
*/
sbitmap_resize(&hctx->ctx_map, hctx->nr_ctx);
+ /*
+ * Rule out isolated CPUs from hctx->cpumask to avoid
+ * running block kworker on isolated CPUs
+ */
+ for_each_cpu(cpu, hctx->cpumask) {
+ if (cpu_is_isolated(cpu))
+ cpumask_clear_cpu(cpu, hctx->cpumask);
+ }
+
/*
* Initialize batch roundrobin counts
*/
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 539/737] blk-mq: skip CPU offline notify on unmapped hctx
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (537 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 538/737] blk-mq: dont schedule block kworker on isolated CPUs Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 540/737] selftests/ftrace: traceonoff_triggers: strip off names Greg Kroah-Hartman
` (208 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cong Zhang, Ming Lei, Jens Axboe,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Zhang <cong.zhang@oss.qualcomm.com>
[ Upstream commit 10845a105bbcb030647a729f1716c2309da71d33 ]
If an hctx has no software ctx mapped, blk_mq_map_swqueue() never
allocates tags and leaves hctx->tags NULL. The CPU hotplug offline
notifier can still run for that hctx, return early since hctx cannot
hold any requests.
Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>
Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index a3cd5079557b..427a36237da3 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -3578,7 +3578,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
struct blk_mq_hw_ctx, cpuhp_online);
int ret = 0;
- if (blk_mq_hctx_has_online_cpu(hctx, cpu))
+ if (!hctx->nr_ctx || blk_mq_hctx_has_online_cpu(hctx, cpu))
return 0;
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 540/737] selftests/ftrace: traceonoff_triggers: strip off names
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (538 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 539/737] blk-mq: skip CPU offline notify on unmapped hctx Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 541/737] ntfs: Do not overwrite uptodate pages Greg Kroah-Hartman
` (207 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google), Yipeng Zou,
Masami Hiramatsu (Google), Shuah Khan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yipeng Zou <zouyipeng@huawei.com>
[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ]
The func_traceonoff_triggers.tc sometimes goes to fail
on my board, Kunpeng-920.
[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log
=== Ftrace unit tests ===
[1] ftrace - test for function traceon/off triggers [FAIL]
[2] (instance) ftrace - test for function traceon/off triggers [UNSUPPORTED]
I look up the log, and it shows that the md5sum is different between csum1 and csum2.
++ cnt=611
++ sleep .1
+++ cnt_trace
+++ grep -v '^#' trace
+++ wc -l
++ cnt2=611
++ '[' 611 -ne 611 ']'
+++ cat tracing_on
++ on=0
++ '[' 0 '!=' 0 ']'
+++ md5sum trace
++ csum1='76896aa74362fff66a6a5f3cf8a8a500 trace'
++ sleep .1
+++ md5sum trace
++ csum2='ee8625a21c058818fc26e45c1ed3f6de trace'
++ '[' '76896aa74362fff66a6a5f3cf8a8a500 trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de trace' ']'
++ fail 'Tracing file is still changing'
++ echo Tracing file is still changing
Tracing file is still changing
++ exit_fail
++ exit 1
So I directly dump the trace file before md5sum, the diff shows that:
[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines
dockerd-12285 [036] d.... 18385.510290: sched_stat | <...>-12285 [036] d.... 18385.510290: sched_stat
dockerd-12285 [036] d.... 18385.510291: sched_swit | <...>-12285 [036] d.... 18385.510291: sched_swit
<...>-740 [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat
<...>-740 [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit
And we can see that <...> filed be filled with names.
We can strip off the names there to fix that.
After strip off the names:
kworker/u257:0-12 [019] d..2. 2528.758910: sched_stat | -12 [019] d..2. 2528.758910: sched_stat_runtime: comm=k
kworker/u257:0-12 [019] d..2. 2528.758912: sched_swit | -12 [019] d..2. 2528.758912: sched_switch: prev_comm=kw
<idle>-0 [000] d.s5. 2528.762318: sched_waki | -0 [000] d.s5. 2528.762318: sched_waking: comm=sshd pi
<idle>-0 [037] dNh2. 2528.762326: sched_wake | -0 [037] dNh2. 2528.762326: sched_wakeup: comm=sshd pi
<idle>-0 [037] d..2. 2528.762334: sched_swit | -0 [037] d..2. 2528.762334: sched_switch: prev_comm=sw
Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com
Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs")
Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ftrace/test.d/ftrace/func_traceonoff_triggers.tc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
index aee22289536b..1b57771dbfdf 100644
--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
@@ -90,9 +90,10 @@ if [ $on != "0" ]; then
fail "Tracing is not off"
fi
-csum1=`md5sum trace`
+# Cannot rely on names being around as they are only cached, strip them
+csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
sleep $SLEEP_TIME
-csum2=`md5sum trace`
+csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
if [ "$csum1" != "$csum2" ]; then
fail "Tracing file is still changing"
--
2.51.0
^ permalink raw reply related [flat|nested] 769+ messages in thread
* [PATCH 6.6 541/737] ntfs: Do not overwrite uptodate pages
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (539 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 540/737] selftests/ftrace: traceonoff_triggers: strip off names Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 542/737] ASoC: stm32: sai: fix device leak on probe Greg Kroah-Hartman
` (206 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Konstantin Komarov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
commit 68f6bd128e75a032432eda9d16676ed2969a1096 upstream.
When reading a compressed file, we may read several pages in addition to
the one requested. The current code will overwrite pages in the page
cache with the data from disc which can definitely result in changes
that have been made being lost.
For example if we have four consecutie pages ABCD in the file compressed
into a single extent, on first access, we'll bring in ABCD. Then we
write to page B. Memory pressure results in the eviction of ACD.
When we attempt to write to page C, we will overwrite the data in page
B with the data currently on disk.
I haven't investigated the decompression code to check whether it's
OK to overwrite a clean page or whether it might be possible to see
corrupt data. Out of an abundance of caution, decline to overwrite
uptodate pages, not just dirty pages.
Fixes: 4342306f0f0d (fs/ntfs3: Add file operations and implementation)
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/frecord.c | 35 +++++++++++++++++++++++++++++------
1 file changed, 29 insertions(+), 6 deletions(-)
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -2075,6 +2075,29 @@ out:
return err;
}
+static struct page *ntfs_lock_new_page(struct address_space *mapping,
+ pgoff_t index, gfp_t gfp)
+{
+ struct folio *folio = __filemap_get_folio(mapping, index,
+ FGP_LOCK | FGP_ACCESSED | FGP_CREAT, gfp);
+ struct page *page;
+
+ if (IS_ERR(folio))
+ return ERR_CAST(folio);
+
+ if (!folio_test_uptodate(folio))
+ return folio_file_page(folio, index);
+
+ /* Use a temporary page to avoid data corruption */
+ folio_unlock(folio);
+ folio_put(folio);
+ page = alloc_page(gfp);
+ if (!page)
+ return ERR_PTR(-ENOMEM);
+ __SetPageLocked(page);
+ return page;
+}
+
/*
* ni_readpage_cmpr
*
@@ -2128,9 +2151,9 @@ int ni_readpage_cmpr(struct ntfs_inode *
if (i == idx)
continue;
- pg = find_or_create_page(mapping, index, gfp_mask);
- if (!pg) {
- err = -ENOMEM;
+ pg = ntfs_lock_new_page(mapping, index, gfp_mask);
+ if (IS_ERR(pg)) {
+ err = PTR_ERR(pg);
goto out1;
}
pages[i] = pg;
@@ -2232,13 +2255,13 @@ int ni_decompress_file(struct ntfs_inode
for (i = 0; i < pages_per_frame; i++, index++) {
struct page *pg;
- pg = find_or_create_page(mapping, index, gfp_mask);
- if (!pg) {
+ pg = ntfs_lock_new_page(mapping, index, gfp_mask);
+ if (IS_ERR(pg)) {
while (i--) {
unlock_page(pages[i]);
put_page(pages[i]);
}
- err = -ENOMEM;
+ err = PTR_ERR(pg);
goto out;
}
pages[i] = pg;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 542/737] ASoC: stm32: sai: fix device leak on probe
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (540 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 541/737] ntfs: Do not overwrite uptodate pages Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 543/737] ASoC: stm32: sai: fix clk prepare imbalance on probe failure Greg Kroah-Hartman
` (205 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, olivier moysan, Wen Yang,
Johan Hovold, olivier moysan, Mark Brown
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit e26ff429eaf10c4ef1bc3dabd9bf27eb54b7e1f4 upstream.
Make sure to drop the reference taken when looking up the sync provider
device and its driver data during DAI probe on probe failures and on
unbind.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: 7dd0d835582f ("ASoC: stm32: sai: simplify sync modes management")
Fixes: 1c3816a19487 ("ASoC: stm32: sai: add missing put_device()")
Cc: stable@vger.kernel.org # 4.16: 1c3816a19487
Cc: olivier moysan <olivier.moysan@st.com>
Cc: Wen Yang <yellowriver2010@hotmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20251124104908.15754-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/stm/stm32_sai.c
+++ b/sound/soc/stm/stm32_sai.c
@@ -127,6 +127,7 @@ static int stm32_sai_set_sync(struct stm
}
sai_provider = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!sai_provider) {
dev_err(&sai_client->pdev->dev,
"SAI sync provider data not found\n");
@@ -143,7 +144,6 @@ static int stm32_sai_set_sync(struct stm
ret = stm32_sai_sync_conf_provider(sai_provider, synco);
error:
- put_device(&pdev->dev);
of_node_put(np_provider);
return ret;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 543/737] ASoC: stm32: sai: fix clk prepare imbalance on probe failure
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (541 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 542/737] ASoC: stm32: sai: fix device leak on probe Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 544/737] ASoC: stm32: sai: fix OF node leak on probe Greg Kroah-Hartman
` (204 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olivier Moysan, Johan Hovold,
olivier moysan, Mark Brown
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 312ec2f0d9d1a5656f76d770bbf1d967e9289aa7 upstream.
Make sure to unprepare the parent clock also on probe failures (e.g.
probe deferral).
Fixes: a14bf98c045b ("ASoC: stm32: sai: fix possible circular locking")
Cc: stable@vger.kernel.org # 5.5
Cc: Olivier Moysan <olivier.moysan@st.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20251124104908.15754-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai_sub.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -1501,14 +1501,21 @@ static int stm32_sai_sub_parse_of(struct
if (of_property_present(np, "#clock-cells")) {
ret = stm32_sai_add_mclk_provider(sai);
if (ret < 0)
- return ret;
+ goto err_unprepare_pclk;
} else {
sai->sai_mclk = devm_clk_get_optional(&pdev->dev, "MCLK");
- if (IS_ERR(sai->sai_mclk))
- return PTR_ERR(sai->sai_mclk);
+ if (IS_ERR(sai->sai_mclk)) {
+ ret = PTR_ERR(sai->sai_mclk);
+ goto err_unprepare_pclk;
+ }
}
return 0;
+
+err_unprepare_pclk:
+ clk_unprepare(sai->pdata->pclk);
+
+ return ret;
}
static int stm32_sai_sub_probe(struct platform_device *pdev)
@@ -1552,26 +1559,33 @@ static int stm32_sai_sub_probe(struct pl
IRQF_SHARED, dev_name(&pdev->dev), sai);
if (ret) {
dev_err(&pdev->dev, "IRQ request returned %d\n", ret);
- return ret;
+ goto err_unprepare_pclk;
}
if (STM_SAI_PROTOCOL_IS_SPDIF(sai))
conf = &stm32_sai_pcm_config_spdif;
ret = snd_dmaengine_pcm_register(&pdev->dev, conf, 0);
- if (ret)
- return dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
+ if (ret) {
+ ret = dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
+ goto err_unprepare_pclk;
+ }
ret = snd_soc_register_component(&pdev->dev, &stm32_component,
&sai->cpu_dai_drv, 1);
if (ret) {
snd_dmaengine_pcm_unregister(&pdev->dev);
- return ret;
+ goto err_unprepare_pclk;
}
pm_runtime_enable(&pdev->dev);
return 0;
+
+err_unprepare_pclk:
+ clk_unprepare(sai->pdata->pclk);
+
+ return ret;
}
static void stm32_sai_sub_remove(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 544/737] ASoC: stm32: sai: fix OF node leak on probe
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (542 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 543/737] ASoC: stm32: sai: fix clk prepare imbalance on probe failure Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 545/737] ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr Greg Kroah-Hartman
` (203 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olivier Moysan, Johan Hovold,
olivier moysan, Mark Brown
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 23261f0de09427367e99f39f588e31e2856a690e upstream.
The reference taken to the sync provider OF node when probing the
platform device is currently only dropped if the set_sync() callback
fails during DAI probe.
Make sure to drop the reference on platform probe failures (e.g. probe
deferral) and on driver unbind.
This also avoids a potential use-after-free in case the DAI is ever
reprobed without first rebinding the platform driver.
Fixes: 5914d285f6b7 ("ASoC: stm32: sai: Add synchronization support")
Fixes: d4180b4c02e7 ("ASoC: stm32: sai: fix set_sync service")
Cc: Olivier Moysan <olivier.moysan@st.com>
Cc: stable@vger.kernel.org # 4.16: d4180b4c02e7
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20251124104908.15754-4-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai.c | 12 +++---------
sound/soc/stm/stm32_sai_sub.c | 23 ++++++++++++++++-------
2 files changed, 19 insertions(+), 16 deletions(-)
--- a/sound/soc/stm/stm32_sai.c
+++ b/sound/soc/stm/stm32_sai.c
@@ -122,7 +122,6 @@ static int stm32_sai_set_sync(struct stm
if (!pdev) {
dev_err(&sai_client->pdev->dev,
"Device not found for node %pOFn\n", np_provider);
- of_node_put(np_provider);
return -ENODEV;
}
@@ -131,21 +130,16 @@ static int stm32_sai_set_sync(struct stm
if (!sai_provider) {
dev_err(&sai_client->pdev->dev,
"SAI sync provider data not found\n");
- ret = -EINVAL;
- goto error;
+ return -EINVAL;
}
/* Configure sync client */
ret = stm32_sai_sync_conf_client(sai_client, synci);
if (ret < 0)
- goto error;
+ return ret;
/* Configure sync provider */
- ret = stm32_sai_sync_conf_provider(sai_provider, synco);
-
-error:
- of_node_put(np_provider);
- return ret;
+ return stm32_sai_sync_conf_provider(sai_provider, synco);
}
static int stm32_sai_probe(struct platform_device *pdev)
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -1453,7 +1453,8 @@ static int stm32_sai_sub_parse_of(struct
dev_err(&pdev->dev,
"External synchro not supported\n");
of_node_put(args.np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_sync_provider;
}
sai->sync = SAI_SYNC_EXTERNAL;
@@ -1462,7 +1463,8 @@ static int stm32_sai_sub_parse_of(struct
(sai->synci > (SAI_GCR_SYNCIN_MAX + 1))) {
dev_err(&pdev->dev, "Wrong SAI index\n");
of_node_put(args.np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_sync_provider;
}
if (of_property_match_string(args.np, "compatible",
@@ -1476,7 +1478,8 @@ static int stm32_sai_sub_parse_of(struct
if (!sai->synco) {
dev_err(&pdev->dev, "Unknown SAI sub-block\n");
of_node_put(args.np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_sync_provider;
}
}
@@ -1486,13 +1489,15 @@ static int stm32_sai_sub_parse_of(struct
of_node_put(args.np);
sai->sai_ck = devm_clk_get(&pdev->dev, "sai_ck");
- if (IS_ERR(sai->sai_ck))
- return dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck),
- "Missing kernel clock sai_ck\n");
+ if (IS_ERR(sai->sai_ck)) {
+ ret = dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck),
+ "Missing kernel clock sai_ck\n");
+ goto err_put_sync_provider;
+ }
ret = clk_prepare(sai->pdata->pclk);
if (ret < 0)
- return ret;
+ goto err_put_sync_provider;
if (STM_SAI_IS_F4(sai->pdata))
return 0;
@@ -1514,6 +1519,8 @@ static int stm32_sai_sub_parse_of(struct
err_unprepare_pclk:
clk_unprepare(sai->pdata->pclk);
+err_put_sync_provider:
+ of_node_put(sai->np_sync_provider);
return ret;
}
@@ -1584,6 +1591,7 @@ static int stm32_sai_sub_probe(struct pl
err_unprepare_pclk:
clk_unprepare(sai->pdata->pclk);
+ of_node_put(sai->np_sync_provider);
return ret;
}
@@ -1596,6 +1604,7 @@ static void stm32_sai_sub_remove(struct
snd_dmaengine_pcm_unregister(&pdev->dev);
snd_soc_unregister_component(&pdev->dev);
pm_runtime_disable(&pdev->dev);
+ of_node_put(sai->np_sync_provider);
}
#ifdef CONFIG_PM_SLEEP
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 545/737] ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (543 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 544/737] ASoC: stm32: sai: fix OF node leak on probe Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 546/737] ASoC: qcom: q6asm-dai: perform correct state check before closing Greg Kroah-Hartman
` (202 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown, Alexey Klimov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 950a4e5788fc7dc6e8e93614a7d4d0449c39fb8d upstream.
Driver does not expect the appl_ptr to move backward and requires
explict sync. Make sure that the userspace does not do appl_ptr rewinds
by specifying the correct flags in pcm_info.
Without this patch, the result could be a forever loop as current logic assumes
that appl_ptr can only move forward.
Fixes: 3d4a4411aa8b ("ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6apm-dai.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
@@ -85,6 +85,7 @@ static struct snd_pcm_hardware q6apm_dai
.info = (SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_BLOCK_TRANSFER |
SNDRV_PCM_INFO_MMAP_VALID | SNDRV_PCM_INFO_INTERLEAVED |
SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME |
+ SNDRV_PCM_INFO_NO_REWINDS | SNDRV_PCM_INFO_SYNC_APPLPTR |
SNDRV_PCM_INFO_BATCH),
.formats = (SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE),
.rates = SNDRV_PCM_RATE_8000_48000,
@@ -104,6 +105,7 @@ static struct snd_pcm_hardware q6apm_dai
.info = (SNDRV_PCM_INFO_MMAP | SNDRV_PCM_INFO_BLOCK_TRANSFER |
SNDRV_PCM_INFO_MMAP_VALID | SNDRV_PCM_INFO_INTERLEAVED |
SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME |
+ SNDRV_PCM_INFO_NO_REWINDS | SNDRV_PCM_INFO_SYNC_APPLPTR |
SNDRV_PCM_INFO_BATCH),
.formats = (SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE),
.rates = SNDRV_PCM_RATE_8000_192000,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 546/737] ASoC: qcom: q6asm-dai: perform correct state check before closing
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (544 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 545/737] ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 547/737] ASoC: qcom: q6adm: the the copp device only during last instance Greg Kroah-Hartman
` (201 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown, Alexey Klimov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit bfbb12dfa144d45575bcfe139a71360b3ce80237 upstream.
Do not stop a q6asm stream if its not started, this can result in
unnecessary dsp command which will timeout anyway something like below:
q6asm-dai ab00000.remoteproc:glink-edge:apr:service@7:dais: CMD 10bcd timeout
Fix this by correctly checking the state.
Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-5-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -237,13 +237,14 @@ static int q6asm_dai_prepare(struct snd_
prtd->pcm_count = snd_pcm_lib_period_bytes(substream);
prtd->pcm_irq_pos = 0;
/* rate and channels are sent to audio driver */
- if (prtd->state) {
+ if (prtd->state == Q6ASM_STREAM_RUNNING) {
/* clear the previous setup if any */
q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
q6asm_unmap_memory_regions(substream->stream,
prtd->audio_client);
q6routing_stream_close(soc_prtd->dai_link->id,
substream->stream);
+ prtd->state = Q6ASM_STREAM_STOPPED;
}
ret = q6asm_map_memory_regions(substream->stream, prtd->audio_client,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 547/737] ASoC: qcom: q6adm: the the copp device only during last instance
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (545 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 546/737] ASoC: qcom: q6asm-dai: perform correct state check before closing Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 548/737] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
` (200 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Martino Facchin,
Srinivas Kandagatla, Mark Brown, Alexey Klimov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 74cc4f3ea4e99262ba0d619c6a4ee33e2cd47f65 upstream.
A matching Common object post processing instance is normally resused
across multiple streams. However currently we close this on DSP
even though there is a refcount on this copp object, this can result in
below error.
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: Found Matching Copp 0x0
qcom-q6adm aprsvc:service:4:8: cmd = 0x10325 return error = 0x2
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: DSP returned error[2]
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: Found Matching Copp 0x0
qcom-q6adm aprsvc:service:4:8: cmd = 0x10325 return error = 0x2
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: DSP returned error[2]
qcom-q6adm aprsvc:service:4:8: cmd = 0x10327 return error = 0x2
qcom-q6adm aprsvc:service:4:8: DSP returned error[2]
qcom-q6adm aprsvc:service:4:8: Failed to close copp -22
qcom-q6adm aprsvc:service:4:8: cmd = 0x10327 return error = 0x2
qcom-q6adm aprsvc:service:4:8: DSP returned error[2]
qcom-q6adm aprsvc:service:4:8: Failed to close copp -22
Fix this by addressing moving the adm_close to copp_kref destructor
callback.
Fixes: 7b20b2be51e1 ("ASoC: qdsp6: q6adm: Add q6adm driver")
Cc: Stable@vger.kernel.org
Reported-by: Martino Facchin <m.facchin@arduino.cc>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6adm.c | 146 ++++++++++++++++++++-----------------------
1 file changed, 71 insertions(+), 75 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6adm.c
+++ b/sound/soc/qcom/qdsp6/q6adm.c
@@ -109,11 +109,75 @@ static struct q6copp *q6adm_find_copp(st
}
+static int q6adm_apr_send_copp_pkt(struct q6adm *adm, struct q6copp *copp,
+ struct apr_pkt *pkt, uint32_t rsp_opcode)
+{
+ struct device *dev = adm->dev;
+ uint32_t opcode = pkt->hdr.opcode;
+ int ret;
+
+ mutex_lock(&adm->lock);
+ copp->result.opcode = 0;
+ copp->result.status = 0;
+ ret = apr_send_pkt(adm->apr, pkt);
+ if (ret < 0) {
+ dev_err(dev, "Failed to send APR packet\n");
+ ret = -EINVAL;
+ goto err;
+ }
+
+ /* Wait for the callback with copp id */
+ if (rsp_opcode)
+ ret = wait_event_timeout(copp->wait,
+ (copp->result.opcode == opcode) ||
+ (copp->result.opcode == rsp_opcode),
+ msecs_to_jiffies(TIMEOUT_MS));
+ else
+ ret = wait_event_timeout(copp->wait,
+ (copp->result.opcode == opcode),
+ msecs_to_jiffies(TIMEOUT_MS));
+
+ if (!ret) {
+ dev_err(dev, "ADM copp cmd timedout\n");
+ ret = -ETIMEDOUT;
+ } else if (copp->result.status > 0) {
+ dev_err(dev, "DSP returned error[%d]\n",
+ copp->result.status);
+ ret = -EINVAL;
+ }
+
+err:
+ mutex_unlock(&adm->lock);
+ return ret;
+}
+
+static int q6adm_device_close(struct q6adm *adm, struct q6copp *copp,
+ int port_id, int copp_idx)
+{
+ struct apr_pkt close;
+
+ close.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,
+ APR_HDR_LEN(APR_HDR_SIZE),
+ APR_PKT_VER);
+ close.hdr.pkt_size = sizeof(close);
+ close.hdr.src_port = port_id;
+ close.hdr.dest_port = copp->id;
+ close.hdr.token = port_id << 16 | copp_idx;
+ close.hdr.opcode = ADM_CMD_DEVICE_CLOSE_V5;
+
+ return q6adm_apr_send_copp_pkt(adm, copp, &close, 0);
+}
+
static void q6adm_free_copp(struct kref *ref)
{
struct q6copp *c = container_of(ref, struct q6copp, refcount);
struct q6adm *adm = c->adm;
unsigned long flags;
+ int ret;
+
+ ret = q6adm_device_close(adm, c, c->afe_port, c->copp_idx);
+ if (ret < 0)
+ dev_err(adm->dev, "Failed to close copp %d\n", ret);
spin_lock_irqsave(&adm->copps_list_lock, flags);
clear_bit(c->copp_idx, &adm->copp_bitmap[c->afe_port]);
@@ -155,13 +219,13 @@ static int q6adm_callback(struct apr_dev
switch (result->opcode) {
case ADM_CMD_DEVICE_OPEN_V5:
case ADM_CMD_DEVICE_CLOSE_V5:
- copp = q6adm_find_copp(adm, port_idx, copp_idx);
- if (!copp)
- return 0;
-
- copp->result = *result;
- wake_up(&copp->wait);
- kref_put(&copp->refcount, q6adm_free_copp);
+ list_for_each_entry(copp, &adm->copps_list, node) {
+ if ((port_idx == copp->afe_port) && (copp_idx == copp->copp_idx)) {
+ copp->result = *result;
+ wake_up(&copp->wait);
+ break;
+ }
+ }
break;
case ADM_CMD_MATRIX_MAP_ROUTINGS_V5:
adm->result = *result;
@@ -234,65 +298,6 @@ static struct q6copp *q6adm_alloc_copp(s
return c;
}
-static int q6adm_apr_send_copp_pkt(struct q6adm *adm, struct q6copp *copp,
- struct apr_pkt *pkt, uint32_t rsp_opcode)
-{
- struct device *dev = adm->dev;
- uint32_t opcode = pkt->hdr.opcode;
- int ret;
-
- mutex_lock(&adm->lock);
- copp->result.opcode = 0;
- copp->result.status = 0;
- ret = apr_send_pkt(adm->apr, pkt);
- if (ret < 0) {
- dev_err(dev, "Failed to send APR packet\n");
- ret = -EINVAL;
- goto err;
- }
-
- /* Wait for the callback with copp id */
- if (rsp_opcode)
- ret = wait_event_timeout(copp->wait,
- (copp->result.opcode == opcode) ||
- (copp->result.opcode == rsp_opcode),
- msecs_to_jiffies(TIMEOUT_MS));
- else
- ret = wait_event_timeout(copp->wait,
- (copp->result.opcode == opcode),
- msecs_to_jiffies(TIMEOUT_MS));
-
- if (!ret) {
- dev_err(dev, "ADM copp cmd timedout\n");
- ret = -ETIMEDOUT;
- } else if (copp->result.status > 0) {
- dev_err(dev, "DSP returned error[%d]\n",
- copp->result.status);
- ret = -EINVAL;
- }
-
-err:
- mutex_unlock(&adm->lock);
- return ret;
-}
-
-static int q6adm_device_close(struct q6adm *adm, struct q6copp *copp,
- int port_id, int copp_idx)
-{
- struct apr_pkt close;
-
- close.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,
- APR_HDR_LEN(APR_HDR_SIZE),
- APR_PKT_VER);
- close.hdr.pkt_size = sizeof(close);
- close.hdr.src_port = port_id;
- close.hdr.dest_port = copp->id;
- close.hdr.token = port_id << 16 | copp_idx;
- close.hdr.opcode = ADM_CMD_DEVICE_CLOSE_V5;
-
- return q6adm_apr_send_copp_pkt(adm, copp, &close, 0);
-}
-
static struct q6copp *q6adm_find_matching_copp(struct q6adm *adm,
int port_id, int topology,
int mode, int rate,
@@ -567,15 +572,6 @@ EXPORT_SYMBOL_GPL(q6adm_matrix_map);
*/
int q6adm_close(struct device *dev, struct q6copp *copp)
{
- struct q6adm *adm = dev_get_drvdata(dev->parent);
- int ret = 0;
-
- ret = q6adm_device_close(adm, copp, copp->afe_port, copp->copp_idx);
- if (ret < 0) {
- dev_err(adm->dev, "Failed to close copp %d\n", ret);
- return ret;
- }
-
kref_put(&copp->refcount, q6adm_free_copp);
return 0;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 548/737] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (546 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 547/737] ASoC: qcom: q6adm: the the copp device only during last instance Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 549/737] iommu/amd: Fix pci_segment memleak in alloc_pci_segment() Greg Kroah-Hartman
` (199 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown, Alexey Klimov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 81c53b52de21b8d5a3de55ebd06b6bf188bf7efd upstream.
DSP expects the periods to be aligned to fragment sizes, currently
setting up to hw constriants on periods bytes is not going to work
correctly as we can endup with periods sizes aligned to 32 bytes however
not aligned to fragment size.
Update the constriants to use fragment size, and also set at step of
10ms for period size to accommodate DSP requirements of 10ms latency.
Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -413,13 +413,13 @@ static int q6asm_dai_open(struct snd_soc
}
ret = snd_pcm_hw_constraint_step(runtime, 0,
- SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 32);
+ SNDRV_PCM_HW_PARAM_PERIOD_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for period bytes step ret = %d\n",
ret);
}
ret = snd_pcm_hw_constraint_step(runtime, 0,
- SNDRV_PCM_HW_PARAM_BUFFER_BYTES, 32);
+ SNDRV_PCM_HW_PARAM_BUFFER_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for buffer bytes step ret = %d\n",
ret);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 549/737] iommu/amd: Fix pci_segment memleak in alloc_pci_segment()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (547 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 548/737] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 550/737] iommu/apple-dart: fix device leak on of_xlate() Greg Kroah-Hartman
` (198 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
commit 75ba146c2674ba49ed8a222c67f9abfb4a4f2a4f upstream.
Fix a memory leak of struct amd_iommu_pci_segment in alloc_pci_segment()
when system memory (or contiguous memory) is insufficient.
Fixes: 04230c119930 ("iommu/amd: Introduce per PCI segment device table")
Fixes: eda797a27795 ("iommu/amd: Introduce per PCI segment rlookup table")
Fixes: 99fc4ac3d297 ("iommu/amd: Introduce per PCI segment alias_table")
Cc: stable@vger.kernel.org
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd/init.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -1666,13 +1666,22 @@ static struct amd_iommu_pci_seg *__init
list_add_tail(&pci_seg->list, &amd_iommu_pci_seg_list);
if (alloc_dev_table(pci_seg))
- return NULL;
+ goto err_free_pci_seg;
if (alloc_alias_table(pci_seg))
- return NULL;
+ goto err_free_dev_table;
if (alloc_rlookup_table(pci_seg))
- return NULL;
+ goto err_free_alias_table;
return pci_seg;
+
+err_free_alias_table:
+ free_alias_table(pci_seg);
+err_free_dev_table:
+ free_dev_table(pci_seg);
+err_free_pci_seg:
+ list_del(&pci_seg->list);
+ kfree(pci_seg);
+ return NULL;
}
static struct amd_iommu_pci_seg *__init get_pci_segment(u16 id,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 550/737] iommu/apple-dart: fix device leak on of_xlate()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (548 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 549/737] iommu/amd: Fix pci_segment memleak in alloc_pci_segment() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 551/737] iommu/exynos: " Greg Kroah-Hartman
` (197 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Peter, Robin Murphy,
Johan Hovold, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit a6eaa872c52a181ae9a290fd4e40c9df91166d7a upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 46d1fb072e76 ("iommu/dart: Add DART iommu driver")
Cc: stable@vger.kernel.org # 5.15
Cc: Sven Peter <sven@kernel.org>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/apple-dart.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/apple-dart.c
+++ b/drivers/iommu/apple-dart.c
@@ -758,6 +758,8 @@ static int apple_dart_of_xlate(struct de
struct apple_dart *cfg_dart;
int i, sid;
+ put_device(&iommu_pdev->dev);
+
if (args->args_count != 1)
return -EINVAL;
sid = args->args[0];
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 551/737] iommu/exynos: fix device leak on of_xlate()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (549 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 550/737] iommu/apple-dart: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 552/737] iommu/ipmmu-vmsa: " Greg Kroah-Hartman
` (196 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Robin Murphy,
Marek Szyprowski, Johan Hovold, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 05913cc43cb122f9afecdbe775115c058b906e1b upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Note that commit 1a26044954a6 ("iommu/exynos: add missing put_device()
call in exynos_iommu_of_xlate()") fixed the leak in a couple of error
paths, but the reference is still leaking on success.
Fixes: aa759fd376fb ("iommu/exynos: Add callback for initializing devices from device tree")
Cc: stable@vger.kernel.org # 4.2: 1a26044954a6
Cc: Yu Kuai <yukuai3@huawei.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/exynos-iommu.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/iommu/exynos-iommu.c
+++ b/drivers/iommu/exynos-iommu.c
@@ -1443,17 +1443,14 @@ static int exynos_iommu_of_xlate(struct
return -ENODEV;
data = platform_get_drvdata(sysmmu);
- if (!data) {
- put_device(&sysmmu->dev);
+ put_device(&sysmmu->dev);
+ if (!data)
return -ENODEV;
- }
if (!owner) {
owner = kzalloc(sizeof(*owner), GFP_KERNEL);
- if (!owner) {
- put_device(&sysmmu->dev);
+ if (!owner)
return -ENOMEM;
- }
INIT_LIST_HEAD(&owner->controllers);
mutex_init(&owner->rpm_lock);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 552/737] iommu/ipmmu-vmsa: fix device leak on of_xlate()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (550 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 551/737] iommu/exynos: " Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 553/737] iommu/mediatek-v1: fix device leak on probe_device() Greg Kroah-Hartman
` (195 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Magnus Damm, Robin Murphy,
Johan Hovold, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 80aa518452c4aceb9459f9a8e3184db657d1b441 upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 7b2d59611fef ("iommu/ipmmu-vmsa: Replace local utlb code with fwspec ids")
Cc: stable@vger.kernel.org # 4.14
Cc: Magnus Damm <damm+renesas@opensource.se>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/ipmmu-vmsa.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/ipmmu-vmsa.c
+++ b/drivers/iommu/ipmmu-vmsa.c
@@ -681,6 +681,8 @@ static int ipmmu_init_platform_device(st
dev_iommu_priv_set(dev, platform_get_drvdata(ipmmu_pdev));
+ put_device(&ipmmu_pdev->dev);
+
return 0;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 553/737] iommu/mediatek-v1: fix device leak on probe_device()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (551 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 552/737] iommu/ipmmu-vmsa: " Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 554/737] iommu/mediatek-v1: fix device leaks on probe() Greg Kroah-Hartman
` (194 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Honghui Zhang, Robin Murphy, Yong Wu,
Johan Hovold, AngeloGioacchino Del Regno, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit c77ad28bfee0df9cbc719eb5adc9864462cfb65b upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during probe_device().
Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW")
Cc: stable@vger.kernel.org # 4.8
Cc: Honghui Zhang <honghui.zhang@mediatek.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu_v1.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/mtk_iommu_v1.c
+++ b/drivers/iommu/mtk_iommu_v1.c
@@ -420,6 +420,8 @@ static int mtk_iommu_v1_create_mapping(s
return -EINVAL;
dev_iommu_priv_set(dev, platform_get_drvdata(m4updev));
+
+ put_device(&m4updev->dev);
}
ret = iommu_fwspec_add_ids(dev, args->args, 1);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 554/737] iommu/mediatek-v1: fix device leaks on probe()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (552 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 553/737] iommu/mediatek-v1: fix device leak on probe_device() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 555/737] iommu/mediatek: fix device leak on of_xlate() Greg Kroah-Hartman
` (193 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Honghui Zhang, Robin Murphy,
Johan Hovold, AngeloGioacchino Del Regno, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 46207625c9f33da0e43bb4ae1e91f0791b6ed633 upstream.
Make sure to drop the references taken to the larb devices during
probe on probe failure (e.g. probe deferral) and on driver unbind.
Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW")
Cc: stable@vger.kernel.org # 4.8
Cc: Honghui Zhang <honghui.zhang@mediatek.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu_v1.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
--- a/drivers/iommu/mtk_iommu_v1.c
+++ b/drivers/iommu/mtk_iommu_v1.c
@@ -654,8 +654,10 @@ static int mtk_iommu_v1_probe(struct pla
struct platform_device *plarbdev;
larbnode = of_parse_phandle(dev->of_node, "mediatek,larbs", i);
- if (!larbnode)
- return -EINVAL;
+ if (!larbnode) {
+ ret = -EINVAL;
+ goto out_put_larbs;
+ }
if (!of_device_is_available(larbnode)) {
of_node_put(larbnode);
@@ -665,11 +667,14 @@ static int mtk_iommu_v1_probe(struct pla
plarbdev = of_find_device_by_node(larbnode);
if (!plarbdev) {
of_node_put(larbnode);
- return -ENODEV;
+ ret = -ENODEV;
+ goto out_put_larbs;
}
if (!plarbdev->dev.driver) {
of_node_put(larbnode);
- return -EPROBE_DEFER;
+ put_device(&plarbdev->dev);
+ ret = -EPROBE_DEFER;
+ goto out_put_larbs;
}
data->larb_imu[i].dev = &plarbdev->dev;
@@ -681,7 +686,7 @@ static int mtk_iommu_v1_probe(struct pla
ret = mtk_iommu_v1_hw_init(data);
if (ret)
- return ret;
+ goto out_put_larbs;
ret = iommu_device_sysfs_add(&data->iommu, &pdev->dev, NULL,
dev_name(&pdev->dev));
@@ -703,12 +708,17 @@ out_sysfs_remove:
iommu_device_sysfs_remove(&data->iommu);
out_clk_unprepare:
clk_disable_unprepare(data->bclk);
+out_put_larbs:
+ for (i = 0; i < MTK_LARB_NR_MAX; i++)
+ put_device(data->larb_imu[i].dev);
+
return ret;
}
static void mtk_iommu_v1_remove(struct platform_device *pdev)
{
struct mtk_iommu_v1_data *data = platform_get_drvdata(pdev);
+ int i;
iommu_device_sysfs_remove(&data->iommu);
iommu_device_unregister(&data->iommu);
@@ -716,6 +726,9 @@ static void mtk_iommu_v1_remove(struct p
clk_disable_unprepare(data->bclk);
devm_free_irq(&pdev->dev, data->irq, data);
component_master_del(&pdev->dev, &mtk_iommu_v1_com_ops);
+
+ for (i = 0; i < MTK_LARB_NR_MAX; i++)
+ put_device(data->larb_imu[i].dev);
}
static int __maybe_unused mtk_iommu_v1_suspend(struct device *dev)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 555/737] iommu/mediatek: fix device leak on of_xlate()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (553 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 554/737] iommu/mediatek-v1: fix device leaks on probe() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 556/737] iommu/omap: fix device leaks on probe_device() Greg Kroah-Hartman
` (192 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robin Murphy, Yong Wu, Johan Hovold,
AngeloGioacchino Del Regno, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b3f1ee18280363ef17f82b564fc379ceba9ec86f upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 0df4fabe208d ("iommu/mediatek: Add mt8173 IOMMU driver")
Cc: stable@vger.kernel.org # 4.6
Acked-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/mtk_iommu.c
+++ b/drivers/iommu/mtk_iommu.c
@@ -959,6 +959,8 @@ static int mtk_iommu_of_xlate(struct dev
return -EINVAL;
dev_iommu_priv_set(dev, platform_get_drvdata(m4updev));
+
+ put_device(&m4updev->dev);
}
return iommu_fwspec_add_ids(dev, args->args, 1);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 556/737] iommu/omap: fix device leaks on probe_device()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (554 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 555/737] iommu/mediatek: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 557/737] iommu/qcom: fix device leak on of_xlate() Greg Kroah-Hartman
` (191 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suman Anna, Robin Murphy,
Johan Hovold, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b5870691065e6bbe6ba0650c0412636c6a239c5a upstream.
Make sure to drop the references taken to the iommu platform devices
when looking up their driver data during probe_device().
Note that the arch data device pointer added by commit 604629bcb505
("iommu/omap: add support for late attachment of iommu devices") has
never been used. Remove it to underline that the references are not
needed.
Fixes: 9d5018deec86 ("iommu/omap: Add support to program multiple iommus")
Fixes: 7d6827748d54 ("iommu/omap: Fix iommu archdata name for DT-based devices")
Cc: stable@vger.kernel.org # 3.18
Cc: Suman Anna <s-anna@ti.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/omap-iommu.c | 2 +-
drivers/iommu/omap-iommu.h | 2 --
2 files changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/iommu/omap-iommu.c
+++ b/drivers/iommu/omap-iommu.c
@@ -1681,6 +1681,7 @@ static struct iommu_device *omap_iommu_p
}
oiommu = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!oiommu) {
of_node_put(np);
kfree(arch_data);
@@ -1688,7 +1689,6 @@ static struct iommu_device *omap_iommu_p
}
tmp->iommu_dev = oiommu;
- tmp->dev = &pdev->dev;
of_node_put(np);
}
--- a/drivers/iommu/omap-iommu.h
+++ b/drivers/iommu/omap-iommu.h
@@ -88,7 +88,6 @@ struct omap_iommu {
/**
* struct omap_iommu_arch_data - omap iommu private data
* @iommu_dev: handle of the OMAP iommu device
- * @dev: handle of the iommu device
*
* This is an omap iommu private data object, which binds an iommu user
* to its iommu device. This object should be placed at the iommu user's
@@ -97,7 +96,6 @@ struct omap_iommu {
*/
struct omap_iommu_arch_data {
struct omap_iommu *iommu_dev;
- struct device *dev;
};
struct cr_regs {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 557/737] iommu/qcom: fix device leak on of_xlate()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (555 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 556/737] iommu/omap: fix device leaks on probe_device() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 558/737] iommu/sun50i: " Greg Kroah-Hartman
` (190 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Clark, Yu Kuai, Robin Murphy,
Johan Hovold, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 6a3908ce56e6879920b44ef136252b2f0c954194 upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Note that commit e2eae09939a8 ("iommu/qcom: add missing put_device()
call in qcom_iommu_of_xlate()") fixed the leak in a couple of error
paths, but the reference is still leaking on success and late failures.
Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu")
Cc: stable@vger.kernel.org # 4.14: e2eae09939a8
Cc: Rob Clark <robin.clark@oss.qualcomm.com>
Cc: Yu Kuai <yukuai3@huawei.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c
+++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
@@ -539,14 +539,14 @@ static int qcom_iommu_of_xlate(struct de
qcom_iommu = platform_get_drvdata(iommu_pdev);
+ put_device(&iommu_pdev->dev);
+
/* make sure the asid specified in dt is valid, so we don't have
* to sanity check this elsewhere:
*/
if (WARN_ON(asid > qcom_iommu->max_asid) ||
- WARN_ON(qcom_iommu->ctxs[asid] == NULL)) {
- put_device(&iommu_pdev->dev);
+ WARN_ON(qcom_iommu->ctxs[asid] == NULL))
return -EINVAL;
- }
if (!dev_iommu_priv_get(dev)) {
dev_iommu_priv_set(dev, qcom_iommu);
@@ -555,10 +555,8 @@ static int qcom_iommu_of_xlate(struct de
* multiple different iommu devices. Multiple context
* banks are ok, but multiple devices are not:
*/
- if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev))) {
- put_device(&iommu_pdev->dev);
+ if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev)))
return -EINVAL;
- }
}
return iommu_fwspec_add_ids(dev, &asid, 1);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 558/737] iommu/sun50i: fix device leak on of_xlate()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (556 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 557/737] iommu/qcom: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 559/737] iommu/tegra: fix device leak on probe_device() Greg Kroah-Hartman
` (189 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Robin Murphy,
Johan Hovold, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit f916109bf53864605d10bf6f4215afa023a80406 upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
Cc: stable@vger.kernel.org # 5.8
Cc: Maxime Ripard <mripard@kernel.org>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/sun50i-iommu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/sun50i-iommu.c
+++ b/drivers/iommu/sun50i-iommu.c
@@ -824,6 +824,8 @@ static int sun50i_iommu_of_xlate(struct
dev_iommu_priv_set(dev, platform_get_drvdata(iommu_pdev));
+ put_device(&iommu_pdev->dev);
+
return iommu_fwspec_add_ids(dev, &id, 1);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 559/737] iommu/tegra: fix device leak on probe_device()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (557 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 558/737] iommu/sun50i: " Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 560/737] iommu: disable SVA when CONFIG_X86 is set Greg Kroah-Hartman
` (188 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Robin Murphy,
Thierry Reding, Johan Hovold, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit c08934a61201db8f1d1c66fcc63fb2eb526b656d upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during probe_device().
Note that commit 9826e393e4a8 ("iommu/tegra-smmu: Fix missing
put_device() call in tegra_smmu_find") fixed the leak in an error path,
but the reference is still leaking on success.
Fixes: 891846516317 ("memory: Add NVIDIA Tegra memory controller support")
Cc: stable@vger.kernel.org # 3.19: 9826e393e4a8
Cc: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/tegra-smmu.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/iommu/tegra-smmu.c
+++ b/drivers/iommu/tegra-smmu.c
@@ -804,10 +804,9 @@ static struct tegra_smmu *tegra_smmu_fin
return NULL;
mc = platform_get_drvdata(pdev);
- if (!mc) {
- put_device(&pdev->dev);
+ put_device(&pdev->dev);
+ if (!mc)
return NULL;
- }
return mc->smmu;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 560/737] iommu: disable SVA when CONFIG_X86 is set
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (558 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 559/737] iommu/tegra: fix device leak on probe_device() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 561/737] HID: logitech-dj: Remove duplicate error logging Greg Kroah-Hartman
` (187 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lu Baolu, Jason Gunthorpe,
Alistair Popple, Andy Lutomirski, Borislav Betkov, Dave Hansen,
David Hildenbrand, Ingo Molnar, Jann Horn, Jean-Philippe Brucker,
Joerg Roedel, Kevin Tian, Liam Howlett, Lorenzo Stoakes,
Matthew Wilcox (Oracle), Michal Hocko, Mike Rapoport,
Peter Zijlstra, Robin Murohy, Thomas Gleinxer,
Uladzislau Rezki (Sony), Vasant Hegde, Vinicius Costa Gomes,
Vlastimil Babka, Will Deacon, Yi Lai, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit 72f98ef9a4be30d2a60136dd6faee376f780d06c upstream.
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.
This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.
Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
Link: https://lkml.kernel.org/r/20251022082635.2462433-1-baolu.lu@linux.intel.com
Link: https://lkml.kernel.org/r/20251022082635.2462433-2-baolu.lu@linux.intel.com
Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Kevin Tian <kevin.tian@intel.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommu-sva.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/iommu/iommu-sva.c
+++ b/drivers/iommu/iommu-sva.c
@@ -71,6 +71,9 @@ struct iommu_sva *iommu_sva_bind_device(
if (!handle)
return ERR_PTR(-ENOMEM);
+ if (IS_ENABLED(CONFIG_X86))
+ return ERR_PTR(-EOPNOTSUPP);
+
mutex_lock(&iommu_sva_lock);
/* Search for an existing domain. */
domain = iommu_get_domain_for_dev_pasid(dev, mm->pasid,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 561/737] HID: logitech-dj: Remove duplicate error logging
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (559 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 560/737] iommu: disable SVA when CONFIG_X86 is set Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 562/737] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths Greg Kroah-Hartman
` (186 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Jiri Kosina
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <johannes.goede@oss.qualcomm.com>
commit ca389a55d8b2d86a817433bf82e0602b68c4d541 upstream.
logi_dj_recv_query_paired_devices() and logi_dj_recv_switch_to_dj_mode()
both have 2 callers which all log an error if the function fails. Move
the error logging to inside these 2 functions to remove the duplicated
error logging in the callers.
While at it also move the logi_dj_recv_send_report() call error handling
in logi_dj_recv_switch_to_dj_mode() to directly after the call. That call
only fails if the report cannot be found and in that case it does nothing,
so the msleep() is not necessary on failures.
Fixes: 6f20d3261265 ("HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()")
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-logitech-dj.c | 56 +++++++++++++++++-------------------------
1 file changed, 23 insertions(+), 33 deletions(-)
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -805,7 +805,6 @@ static void delayedwork_callback(struct
struct dj_workitem workitem;
unsigned long flags;
int count;
- int retval;
dbg_hid("%s\n", __func__);
@@ -842,11 +841,7 @@ static void delayedwork_callback(struct
logi_dj_recv_destroy_djhid_device(djrcv_dev, &workitem);
break;
case WORKITEM_TYPE_UNKNOWN:
- retval = logi_dj_recv_query_paired_devices(djrcv_dev);
- if (retval) {
- hid_err(djrcv_dev->hidpp, "%s: logi_dj_recv_query_paired_devices error: %d\n",
- __func__, retval);
- }
+ logi_dj_recv_query_paired_devices(djrcv_dev);
break;
case WORKITEM_TYPE_EMPTY:
dbg_hid("%s: device list is empty\n", __func__);
@@ -1239,8 +1234,10 @@ static int logi_dj_recv_query_paired_dev
djrcv_dev->last_query = jiffies;
- if (djrcv_dev->type != recvr_type_dj)
- return logi_dj_recv_query_hidpp_devices(djrcv_dev);
+ if (djrcv_dev->type != recvr_type_dj) {
+ retval = logi_dj_recv_query_hidpp_devices(djrcv_dev);
+ goto out;
+ }
dj_report = kzalloc(sizeof(struct dj_report), GFP_KERNEL);
if (!dj_report)
@@ -1250,6 +1247,10 @@ static int logi_dj_recv_query_paired_dev
dj_report->report_type = REPORT_TYPE_CMD_GET_PAIRED_DEVICES;
retval = logi_dj_recv_send_report(djrcv_dev, dj_report);
kfree(dj_report);
+out:
+ if (retval < 0)
+ hid_err(djrcv_dev->hidpp, "%s error:%d\n", __func__, retval);
+
return retval;
}
@@ -1275,6 +1276,8 @@ static int logi_dj_recv_switch_to_dj_mod
(u8)timeout;
retval = logi_dj_recv_send_report(djrcv_dev, dj_report);
+ if (retval)
+ goto out;
/*
* Ugly sleep to work around a USB 3.0 bug when the receiver is
@@ -1283,11 +1286,6 @@ static int logi_dj_recv_switch_to_dj_mod
* 50 msec should gives enough time to the receiver to be ready.
*/
msleep(50);
-
- if (retval) {
- kfree(dj_report);
- return retval;
- }
}
/*
@@ -1313,7 +1311,12 @@ static int logi_dj_recv_switch_to_dj_mod
HIDPP_REPORT_SHORT_LENGTH, HID_OUTPUT_REPORT,
HID_REQ_SET_REPORT);
+out:
kfree(dj_report);
+
+ if (retval < 0)
+ hid_err(hdev, "%s error:%d\n", __func__, retval);
+
return retval;
}
@@ -1835,11 +1838,8 @@ static int logi_dj_probe(struct hid_devi
if (has_hidpp) {
retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0);
- if (retval < 0) {
- hid_err(hdev, "%s: logi_dj_recv_switch_to_dj_mode returned error:%d\n",
- __func__, retval);
+ if (retval < 0)
goto switch_to_dj_mode_fail;
- }
}
/* This is enabling the polling urb on the IN endpoint */
@@ -1857,15 +1857,11 @@ static int logi_dj_probe(struct hid_devi
spin_lock_irqsave(&djrcv_dev->lock, flags);
djrcv_dev->ready = true;
spin_unlock_irqrestore(&djrcv_dev->lock, flags);
- retval = logi_dj_recv_query_paired_devices(djrcv_dev);
- if (retval < 0) {
- hid_err(hdev, "%s: logi_dj_recv_query_paired_devices error:%d\n",
- __func__, retval);
- /*
- * This can happen with a KVM, let the probe succeed,
- * logi_dj_recv_queue_unknown_work will retry later.
- */
- }
+ /*
+ * This can fail with a KVM. Ignore errors to let the probe
+ * succeed, logi_dj_recv_queue_unknown_work will retry later.
+ */
+ logi_dj_recv_query_paired_devices(djrcv_dev);
}
return 0;
@@ -1882,18 +1878,12 @@ hid_hw_start_fail:
#ifdef CONFIG_PM
static int logi_dj_reset_resume(struct hid_device *hdev)
{
- int retval;
struct dj_receiver_dev *djrcv_dev = hid_get_drvdata(hdev);
if (!djrcv_dev || djrcv_dev->hidpp != hdev)
return 0;
- retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0);
- if (retval < 0) {
- hid_err(hdev, "%s: logi_dj_recv_switch_to_dj_mode returned error:%d\n",
- __func__, retval);
- }
-
+ logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0);
return 0;
}
#endif
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 562/737] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (560 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 561/737] HID: logitech-dj: Remove duplicate error logging Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 563/737] arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator Greg Kroah-Hartman
` (185 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas,
Rafael J. Wysocki (Intel)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 894f475f88e06c0f352c829849560790dbdedbe5 upstream.
When a PCI device is suspended, it is normally the PCI core's job to save
Config Space and put the device into a low power state. However drivers
are allowed to assume these responsibilities. When they do, the PCI core
can tell by looking at the state_saved flag in struct pci_dev: The flag
is cleared before commencing the suspend sequence and it is set when
pci_save_state() is called. If the PCI core finds the flag set late in
the suspend sequence, it refrains from calling pci_save_state() itself.
But there are two corner cases where the PCI core neglects to clear the
flag before commencing the suspend sequence:
* If a driver has legacy PCI PM callbacks, pci_legacy_suspend() neglects
to clear the flag. The (stale) flag is subsequently queried by
pci_legacy_suspend() itself and pci_legacy_suspend_late().
* If a device has no driver or its driver has no PCI PM callbacks,
pci_pm_freeze() neglects to clear the flag. The (stale) flag is
subsequently queried by pci_pm_freeze_noirq().
The flag may be set prior to suspend if the device went through error
recovery: Drivers commonly invoke pci_restore_state() + pci_save_state()
to restore Config Space after reset.
The flag may also be set if drivers call pci_save_state() on probe to
allow for recovery from subsequent errors.
The result is that pci_legacy_suspend_late() and pci_pm_freeze_noirq()
don't call pci_save_state() and so the state that will be restored on
resume is the one recorded on last error recovery or on probe, not the one
that the device had on suspend. If the two states happen to be identical,
there's no problem.
Reinstate clearing the flag in pci_legacy_suspend() and pci_pm_freeze().
The two functions used to do that until commit 4b77b0a2ba27 ("PCI: Clear
saved_state after the state has been restored") deemed it unnecessary
because it assumed that it's sufficient to clear the flag on resume in
pci_restore_state(). The commit seemingly did not take into account that
pci_save_state() and pci_restore_state() are not only used by power
management code, but also for error recovery.
Devices without driver or whose driver has no PCI PM callbacks may be in
runtime suspend when pci_pm_freeze() is called. Their state has already
been saved, so don't clear the flag to skip a pointless pci_save_state()
in pci_pm_freeze_noirq().
None of the drivers with legacy PCI PM callbacks seem to use runtime PM,
so clear the flag unconditionally in their case.
Fixes: 4b77b0a2ba27 ("PCI: Clear saved_state after the state has been restored")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Cc: stable@vger.kernel.org # v2.6.32+
Link: https://patch.msgid.link/094f2aad64418710daf0940112abe5a0afdc6bce.1763483367.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci-driver.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -644,6 +644,8 @@ static int pci_legacy_suspend(struct dev
struct pci_dev *pci_dev = to_pci_dev(dev);
struct pci_driver *drv = pci_dev->driver;
+ pci_dev->state_saved = false;
+
if (drv && drv->suspend) {
pci_power_t prev = pci_dev->current_state;
int error;
@@ -1048,6 +1050,8 @@ static int pci_pm_freeze(struct device *
if (!pm) {
pci_pm_default_suspend(pci_dev);
+ if (!pm_runtime_suspended(dev))
+ pci_dev->state_saved = false;
return 0;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 563/737] arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (561 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 562/737] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 564/737] powerpc, mm: Fix mprotect on book3s 32-bit Greg Kroah-Hartman
` (184 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli,
Yemike Abhilash Chandra, Vignesh Raghavendra
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
commit 51f89c488f2ecc020f82bfedd77482584ce8027a upstream.
The SoC pin Y1 is incorrectly defined in the WKUP Pinmux device-tree node
(pinctrl@4301c000) leading to the following silent failure:
pinctrl-single 4301c000.pinctrl: mux offset out of range: 0x1dc (0x178)
According to the datasheet for the J721E SoC [0], the pin Y1 belongs to the
MAIN Pinmux device-tree node (pinctrl@11c000). This is confirmed by the
address of the pinmux register for it on page 142 of the datasheet which is
0x00011C1DC.
Hence fix it.
[0]: https://www.ti.com/lit/ds/symlink/tda4vm.pdf
Fixes: 97b67cc102dc ("arm64: dts: ti: k3-j721e-sk: Add DT nodes for power regulators")
Cc: stable@vger.kernel.org
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Reviewed-by: Yemike Abhilash Chandra <y-abhilashchandra@ti.com>
Link: https://patch.msgid.link/20251119160148.2752616-1-s-vadapalli@ti.com
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/ti/k3-j721e-sk.dts | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
+++ b/arch/arm64/boot/dts/ti/k3-j721e-sk.dts
@@ -571,6 +571,12 @@
J721E_IOPAD(0x234, PIN_INPUT, 7) /* (U3) EXT_REFCLK1.GPIO1_12 */
>;
};
+
+ vdd_sd_dv_pins_default: vdd-sd-dv-default-pins {
+ pinctrl-single,pins = <
+ J721E_IOPAD(0x1dc, PIN_OUTPUT, 7) /* (Y1) SPI1_CLK.GPIO0_118 */
+ >;
+ };
};
&wkup_pmx0 {
@@ -626,12 +632,6 @@
>;
};
- vdd_sd_dv_pins_default: vdd-sd-dv-default-pins {
- pinctrl-single,pins = <
- J721E_IOPAD(0x1dc, PIN_OUTPUT, 7) /* (Y1) SPI1_CLK.GPIO0_118 */
- >;
- };
-
wkup_uart0_pins_default: wkup-uart0-default-pins {
pinctrl-single,pins = <
J721E_WKUP_IOPAD(0xa0, PIN_INPUT, 0) /* (J29) WKUP_UART0_RXD */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 564/737] powerpc, mm: Fix mprotect on book3s 32-bit
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (562 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 563/737] arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 565/737] powerpc/64s/slb: Fix SLB multihit issue during SLB preload Greg Kroah-Hartman
` (183 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy,
Ritesh Harjani (IBM), Dave Vasilevsky, Madhavan Srinivasan
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Vasilevsky <dave@vasilevsky.ca>
commit 78fc63ffa7813e33681839bb33826c24195f0eb7 upstream.
On 32-bit book3s with hash-MMUs, tlb_flush() was a no-op. This was
unnoticed because all uses until recently were for unmaps, and thus
handled by __tlb_remove_tlb_entry().
After commit 4a18419f71cd ("mm/mprotect: use mmu_gather") in kernel 5.19,
tlb_gather_mmu() started being used for mprotect as well. This caused
mprotect to simply not work on these machines:
int *ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
*ptr = 1; // force HPTE to be created
mprotect(ptr, 4096, PROT_READ);
*ptr = 2; // should segfault, but succeeds
Fixed by making tlb_flush() actually flush TLB pages. This finally
agrees with the behaviour of boot3s64's tlb_flush().
Fixes: 4a18419f71cd ("mm/mprotect: use mmu_gather")
Cc: stable@vger.kernel.org
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Dave Vasilevsky <dave@vasilevsky.ca>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20251116-vasi-mprotect-g3-v3-1-59a9bd33ba00@vasilevsky.ca
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/book3s/32/tlbflush.h | 5 ++++-
arch/powerpc/mm/book3s32/tlb.c | 9 +++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
--- a/arch/powerpc/include/asm/book3s/32/tlbflush.h
+++ b/arch/powerpc/include/asm/book3s/32/tlbflush.h
@@ -11,6 +11,7 @@
void hash__flush_tlb_mm(struct mm_struct *mm);
void hash__flush_tlb_page(struct vm_area_struct *vma, unsigned long vmaddr);
void hash__flush_range(struct mm_struct *mm, unsigned long start, unsigned long end);
+void hash__flush_gather(struct mmu_gather *tlb);
#ifdef CONFIG_SMP
void _tlbie(unsigned long address);
@@ -29,7 +30,9 @@ void _tlbia(void);
static inline void tlb_flush(struct mmu_gather *tlb)
{
/* 603 needs to flush the whole TLB here since it doesn't use a hash table. */
- if (!mmu_has_feature(MMU_FTR_HPTE_TABLE))
+ if (mmu_has_feature(MMU_FTR_HPTE_TABLE))
+ hash__flush_gather(tlb);
+ else
_tlbia();
}
--- a/arch/powerpc/mm/book3s32/tlb.c
+++ b/arch/powerpc/mm/book3s32/tlb.c
@@ -105,3 +105,12 @@ void hash__flush_tlb_page(struct vm_area
flush_hash_pages(mm->context.id, vmaddr, pmd_val(*pmd), 1);
}
EXPORT_SYMBOL(hash__flush_tlb_page);
+
+void hash__flush_gather(struct mmu_gather *tlb)
+{
+ if (tlb->fullmm || tlb->need_flush_all)
+ hash__flush_tlb_mm(tlb->mm);
+ else
+ hash__flush_range(tlb->mm, tlb->start, tlb->end);
+}
+EXPORT_SYMBOL(hash__flush_gather);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 565/737] powerpc/64s/slb: Fix SLB multihit issue during SLB preload
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (563 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 564/737] powerpc, mm: Fix mprotect on book3s 32-bit Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 566/737] leds: leds-lp50xx: Allow LED 0 to be added to module bank Greg Kroah-Hartman
` (182 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Piggin, Donet Tom,
Ritesh Harjani (IBM), Madhavan Srinivasan
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Donet Tom <donettom@linux.ibm.com>
commit 00312419f0863964625d6dcda8183f96849412c6 upstream.
On systems using the hash MMU, there is a software SLB preload cache that
mirrors the entries loaded into the hardware SLB buffer. This preload
cache is subject to periodic eviction — typically after every 256 context
switches — to remove old entry.
To optimize performance, the kernel skips switch_mmu_context() in
switch_mm_irqs_off() when the prev and next mm_struct are the same.
However, on hash MMU systems, this can lead to inconsistencies between
the hardware SLB and the software preload cache.
If an SLB entry for a process is evicted from the software cache on one
CPU, and the same process later runs on another CPU without executing
switch_mmu_context(), the hardware SLB may retain stale entries. If the
kernel then attempts to reload that entry, it can trigger an SLB
multi-hit error.
The following timeline shows how stale SLB entries are created and can
cause a multi-hit error when a process moves between CPUs without a
MMU context switch.
CPU 0 CPU 1
----- -----
Process P
exec swapper/1
load_elf_binary
begin_new_exc
activate_mm
switch_mm_irqs_off
switch_mmu_context
switch_slb
/*
* This invalidates all
* the entries in the HW
* and setup the new HW
* SLB entries as per the
* preload cache.
*/
context_switch
sched_migrate_task migrates process P to cpu-1
Process swapper/0 context switch (to process P)
(uses mm_struct of Process P) switch_mm_irqs_off()
switch_slb
load_slb++
/*
* load_slb becomes 0 here
* and we evict an entry from
* the preload cache with
* preload_age(). We still
* keep HW SLB and preload
* cache in sync, that is
* because all HW SLB entries
* anyways gets evicted in
* switch_slb during SLBIA.
* We then only add those
* entries back in HW SLB,
* which are currently
* present in preload_cache
* (after eviction).
*/
load_elf_binary continues...
setup_new_exec()
slb_setup_new_exec()
sched_switch event
sched_migrate_task migrates
process P to cpu-0
context_switch from swapper/0 to Process P
switch_mm_irqs_off()
/*
* Since both prev and next mm struct are same we don't call
* switch_mmu_context(). This will cause the HW SLB and SW preload
* cache to go out of sync in preload_new_slb_context. Because there
* was an SLB entry which was evicted from both HW and preload cache
* on cpu-1. Now later in preload_new_slb_context(), when we will try
* to add the same preload entry again, we will add this to the SW
* preload cache and then will add it to the HW SLB. Since on cpu-0
* this entry was never invalidated, hence adding this entry to the HW
* SLB will cause a SLB multi-hit error.
*/
load_elf_binary continues...
START_THREAD
start_thread
preload_new_slb_context
/*
* This tries to add a new EA to preload cache which was earlier
* evicted from both cpu-1 HW SLB and preload cache. This caused the
* HW SLB of cpu-0 to go out of sync with the SW preload cache. The
* reason for this was, that when we context switched back on CPU-0,
* we should have ideally called switch_mmu_context() which will
* bring the HW SLB entries on CPU-0 in sync with SW preload cache
* entries by setting up the mmu context properly. But we didn't do
* that since the prev mm_struct running on cpu-0 was same as the
* next mm_struct (which is true for swapper / kernel threads). So
* now when we try to add this new entry into the HW SLB of cpu-0,
* we hit a SLB multi-hit error.
*/
WARNING: CPU: 0 PID: 1810970 at arch/powerpc/mm/book3s64/slb.c:62
assert_slb_presence+0x2c/0x50(48 results) 02:47:29 [20157/42149]
Modules linked in:
CPU: 0 UID: 0 PID: 1810970 Comm: dd Not tainted 6.16.0-rc3-dirty #12
VOLUNTARY
Hardware name: IBM pSeries (emulated by qemu) POWER8 (architected)
0x4d0200 0xf000004 of:SLOF,HEAD hv:linux,kvm pSeries
NIP: c00000000015426c LR: c0000000001543b4 CTR: 0000000000000000
REGS: c0000000497c77e0 TRAP: 0700 Not tainted (6.16.0-rc3-dirty)
MSR: 8000000002823033 <SF,VEC,VSX,FP,ME,IR,DR,RI,LE> CR: 28888482 XER: 00000000
CFAR: c0000000001543b0 IRQMASK: 3
<...>
NIP [c00000000015426c] assert_slb_presence+0x2c/0x50
LR [c0000000001543b4] slb_insert_entry+0x124/0x390
Call Trace:
0x7fffceb5ffff (unreliable)
preload_new_slb_context+0x100/0x1a0
start_thread+0x26c/0x420
load_elf_binary+0x1b04/0x1c40
bprm_execve+0x358/0x680
do_execveat_common+0x1f8/0x240
sys_execve+0x58/0x70
system_call_exception+0x114/0x300
system_call_common+0x160/0x2c4
>From the above analysis, during early exec the hardware SLB is cleared,
and entries from the software preload cache are reloaded into hardware
by switch_slb. However, preload_new_slb_context and slb_setup_new_exec
also attempt to load some of the same entries, which can trigger a
multi-hit. In most cases, these additional preloads simply hit existing
entries and add nothing new. Removing these functions avoids redundant
preloads and eliminates the multi-hit issue. This patch removes these
two functions.
We tested process switching performance using the context_switch
benchmark on POWER9/hash, and observed no regression.
Without this patch: 129041 ops/sec
With this patch: 129341 ops/sec
We also measured SLB faults during boot, and the counts are essentially
the same with and without this patch.
SLB faults without this patch: 19727
SLB faults with this patch: 19786
Fixes: 5434ae74629a ("powerpc/64s/hash: Add a SLB preload cache")
cc: stable@vger.kernel.org
Suggested-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/0ac694ae683494fe8cadbd911a1a5018d5d3c541.1761834163.git.ritesh.list@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1
arch/powerpc/kernel/process.c | 5 -
arch/powerpc/mm/book3s64/internal.h | 2
arch/powerpc/mm/book3s64/mmu_context.c | 2
arch/powerpc/mm/book3s64/slb.c | 88 --------------------------
5 files changed, 98 deletions(-)
--- a/arch/powerpc/include/asm/book3s/64/mmu-hash.h
+++ b/arch/powerpc/include/asm/book3s/64/mmu-hash.h
@@ -524,7 +524,6 @@ void slb_save_contents(struct slb_entry
void slb_dump_contents(struct slb_entry *slb_ptr);
extern void slb_vmalloc_update(void);
-void preload_new_slb_context(unsigned long start, unsigned long sp);
#ifdef CONFIG_PPC_64S_HASH_MMU
void slb_set_size(u16 size);
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1882,8 +1882,6 @@ int copy_thread(struct task_struct *p, c
return 0;
}
-void preload_new_slb_context(unsigned long start, unsigned long sp);
-
/*
* Set up a thread for executing a new program
*/
@@ -1891,9 +1889,6 @@ void start_thread(struct pt_regs *regs,
{
#ifdef CONFIG_PPC64
unsigned long load_addr = regs->gpr[2]; /* saved by ELF_PLAT_INIT */
-
- if (IS_ENABLED(CONFIG_PPC_BOOK3S_64) && !radix_enabled())
- preload_new_slb_context(start, sp);
#endif
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
--- a/arch/powerpc/mm/book3s64/internal.h
+++ b/arch/powerpc/mm/book3s64/internal.h
@@ -24,8 +24,6 @@ static inline bool stress_hpt(void)
void hpt_do_stress(unsigned long ea, unsigned long hpte_group);
-void slb_setup_new_exec(void);
-
void exit_lazy_flush_tlb(struct mm_struct *mm, bool always_flush);
#endif /* ARCH_POWERPC_MM_BOOK3S64_INTERNAL_H */
--- a/arch/powerpc/mm/book3s64/mmu_context.c
+++ b/arch/powerpc/mm/book3s64/mmu_context.c
@@ -150,8 +150,6 @@ static int hash__init_new_context(struct
void hash__setup_new_exec(void)
{
slice_setup_new_exec();
-
- slb_setup_new_exec();
}
#else
static inline int hash__init_new_context(struct mm_struct *mm)
--- a/arch/powerpc/mm/book3s64/slb.c
+++ b/arch/powerpc/mm/book3s64/slb.c
@@ -328,94 +328,6 @@ static void preload_age(struct thread_in
ti->slb_preload_tail = (ti->slb_preload_tail + 1) % SLB_PRELOAD_NR;
}
-void slb_setup_new_exec(void)
-{
- struct thread_info *ti = current_thread_info();
- struct mm_struct *mm = current->mm;
- unsigned long exec = 0x10000000;
-
- WARN_ON(irqs_disabled());
-
- /*
- * preload cache can only be used to determine whether a SLB
- * entry exists if it does not start to overflow.
- */
- if (ti->slb_preload_nr + 2 > SLB_PRELOAD_NR)
- return;
-
- hard_irq_disable();
-
- /*
- * We have no good place to clear the slb preload cache on exec,
- * flush_thread is about the earliest arch hook but that happens
- * after we switch to the mm and have already preloaded the SLBEs.
- *
- * For the most part that's probably okay to use entries from the
- * previous exec, they will age out if unused. It may turn out to
- * be an advantage to clear the cache before switching to it,
- * however.
- */
-
- /*
- * preload some userspace segments into the SLB.
- * Almost all 32 and 64bit PowerPC executables are linked at
- * 0x10000000 so it makes sense to preload this segment.
- */
- if (!is_kernel_addr(exec)) {
- if (preload_add(ti, exec))
- slb_allocate_user(mm, exec);
- }
-
- /* Libraries and mmaps. */
- if (!is_kernel_addr(mm->mmap_base)) {
- if (preload_add(ti, mm->mmap_base))
- slb_allocate_user(mm, mm->mmap_base);
- }
-
- /* see switch_slb */
- asm volatile("isync" : : : "memory");
-
- local_irq_enable();
-}
-
-void preload_new_slb_context(unsigned long start, unsigned long sp)
-{
- struct thread_info *ti = current_thread_info();
- struct mm_struct *mm = current->mm;
- unsigned long heap = mm->start_brk;
-
- WARN_ON(irqs_disabled());
-
- /* see above */
- if (ti->slb_preload_nr + 3 > SLB_PRELOAD_NR)
- return;
-
- hard_irq_disable();
-
- /* Userspace entry address. */
- if (!is_kernel_addr(start)) {
- if (preload_add(ti, start))
- slb_allocate_user(mm, start);
- }
-
- /* Top of stack, grows down. */
- if (!is_kernel_addr(sp)) {
- if (preload_add(ti, sp))
- slb_allocate_user(mm, sp);
- }
-
- /* Bottom of heap, grows up. */
- if (heap && !is_kernel_addr(heap)) {
- if (preload_add(ti, heap))
- slb_allocate_user(mm, heap);
- }
-
- /* see switch_slb */
- asm volatile("isync" : : : "memory");
-
- local_irq_enable();
-}
-
static void slb_cache_slbie_kernel(unsigned int index)
{
unsigned long slbie_data = get_paca()->slb_cache[index];
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 566/737] leds: leds-lp50xx: Allow LED 0 to be added to module bank
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (564 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 565/737] powerpc/64s/slb: Fix SLB multihit issue during SLB preload Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 567/737] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs Greg Kroah-Hartman
` (181 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Hitz, Jacek Anaszewski,
Lee Jones
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Hitz <christian.hitz@bbv.ch>
commit 26fe74d598c32e7bc6f150edfc4aa43e1bee55db upstream.
led_banks contains LED module number(s) that should be grouped into the
module bank. led_banks is 0-initialized.
By checking the led_banks entries for 0, un-set entries are detected.
But a 0-entry also indicates that LED module 0 should be grouped into the
module bank.
By only iterating over the available entries no check for unused entries
is required and LED module 0 can be added to bank.
Cc: stable@vger.kernel.org
Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Link: https://patch.msgid.link/20251008123222.1117331-1-christian@klarinett.li
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-lp50xx.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -346,17 +346,15 @@ out:
return ret;
}
-static int lp50xx_set_banks(struct lp50xx *priv, u32 led_banks[])
+static int lp50xx_set_banks(struct lp50xx *priv, u32 led_banks[], int num_leds)
{
u8 led_config_lo, led_config_hi;
u32 bank_enable_mask = 0;
int ret;
int i;
- for (i = 0; i < priv->chip_info->max_modules; i++) {
- if (led_banks[i])
- bank_enable_mask |= (1 << led_banks[i]);
- }
+ for (i = 0; i < num_leds; i++)
+ bank_enable_mask |= (1 << led_banks[i]);
led_config_lo = bank_enable_mask;
led_config_hi = bank_enable_mask >> 8;
@@ -412,7 +410,7 @@ static int lp50xx_probe_leds(struct fwno
return ret;
}
- ret = lp50xx_set_banks(priv, led_banks);
+ ret = lp50xx_set_banks(priv, led_banks, num_leds);
if (ret) {
dev_err(priv->dev, "Cannot setup banked LEDs\n");
return ret;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 567/737] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (565 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 566/737] leds: leds-lp50xx: Allow LED 0 to be added to module bank Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 568/737] leds: leds-lp50xx: Enable chip before any communication Greg Kroah-Hartman
` (180 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Hitz, Lee Jones
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Hitz <christian.hitz@bbv.ch>
commit 5246e3673eeeccb4f5bf4f42375dd495d465ac15 upstream.
LP5009 supports 9 LED outputs that are grouped into 3 modules.
Cc: stable@vger.kernel.org
Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Link: https://patch.msgid.link/20251022063305.972190-1-christian@klarinett.li
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-lp50xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -56,7 +56,7 @@
/* There are 3 LED outputs per bank */
#define LP50XX_LEDS_PER_MODULE 3
-#define LP5009_MAX_LED_MODULES 2
+#define LP5009_MAX_LED_MODULES 3
#define LP5012_MAX_LED_MODULES 4
#define LP5018_MAX_LED_MODULES 6
#define LP5024_MAX_LED_MODULES 8
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 568/737] leds: leds-lp50xx: Enable chip before any communication
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (566 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 567/737] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 569/737] clk: samsung: exynos-clkout: Assign .num before accessing .hws Greg Kroah-Hartman
` (179 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Hitz, Lee Jones
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Hitz <christian.hitz@bbv.ch>
commit 434959618c47efe9e5f2e20f4a850caac4f6b823 upstream.
If a GPIO is used to control the chip's enable pin, it needs to be pulled
high before any i2c communication is attempted.
Currently, the enable GPIO handling is not correct.
Assume the enable GPIO is low when the probe function is entered. In this
case the device is in SHUTDOWN mode and does not react to i2c commands.
During probe the following sequence happens:
1. The call to lp50xx_reset() on line 548 has no effect as i2c is not
possible yet.
2. Then - on line 552 - lp50xx_enable_disable() is called. As
"priv->enable_gpio“ has not yet been initialized, setting the GPIO has
no effect. Also the i2c enable command is not executed as the device
is still in SHUTDOWN.
3. On line 556 the call to lp50xx_probe_dt() finally parses the rest of
the DT and the configured priv->enable_gpio is set up.
As a result the device is still in SHUTDOWN mode and not ready for
operation.
Split lp50xx_enable_disable() into distinct enable and disable functions
to enforce correct ordering between enable_gpio manipulations and i2c
commands.
Read enable_gpio configuration from DT before attempting to manipulate
enable_gpio.
Add delays to observe correct wait timing after manipulating enable_gpio
and before any i2c communication.
Cc: stable@vger.kernel.org
Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Link: https://patch.msgid.link/20251028155141.1603193-1-christian@klarinett.li
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-lp50xx.c | 55 ++++++++++++++++++++++++++++++++-------------
1 file changed, 40 insertions(+), 15 deletions(-)
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -52,6 +52,12 @@
#define LP50XX_SW_RESET 0xff
#define LP50XX_CHIP_EN BIT(6)
+#define LP50XX_CHIP_DISABLE 0x00
+#define LP50XX_START_TIME_US 500
+#define LP50XX_RESET_TIME_US 3
+
+#define LP50XX_EN_GPIO_LOW 0
+#define LP50XX_EN_GPIO_HIGH 1
/* There are 3 LED outputs per bank */
#define LP50XX_LEDS_PER_MODULE 3
@@ -374,19 +380,42 @@ static int lp50xx_reset(struct lp50xx *p
return regmap_write(priv->regmap, priv->chip_info->reset_reg, LP50XX_SW_RESET);
}
-static int lp50xx_enable_disable(struct lp50xx *priv, int enable_disable)
+static int lp50xx_enable(struct lp50xx *priv)
{
int ret;
- ret = gpiod_direction_output(priv->enable_gpio, enable_disable);
+ if (priv->enable_gpio) {
+ ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_HIGH);
+ if (ret)
+ return ret;
+
+ udelay(LP50XX_START_TIME_US);
+ }
+
+ ret = lp50xx_reset(priv);
if (ret)
return ret;
- if (enable_disable)
- return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
- else
- return regmap_write(priv->regmap, LP50XX_DEV_CFG0, 0);
+ return regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_EN);
+}
+static int lp50xx_disable(struct lp50xx *priv)
+{
+ int ret;
+
+ ret = regmap_write(priv->regmap, LP50XX_DEV_CFG0, LP50XX_CHIP_DISABLE);
+ if (ret)
+ return ret;
+
+ if (priv->enable_gpio) {
+ ret = gpiod_direction_output(priv->enable_gpio, LP50XX_EN_GPIO_LOW);
+ if (ret)
+ return ret;
+
+ udelay(LP50XX_RESET_TIME_US);
+ }
+
+ return 0;
}
static int lp50xx_probe_leds(struct fwnode_handle *child, struct lp50xx *priv,
@@ -453,6 +482,10 @@ static int lp50xx_probe_dt(struct lp50xx
return dev_err_probe(priv->dev, PTR_ERR(priv->enable_gpio),
"Failed to get enable GPIO\n");
+ ret = lp50xx_enable(priv);
+ if (ret)
+ return ret;
+
priv->regulator = devm_regulator_get(priv->dev, "vled");
if (IS_ERR(priv->regulator))
priv->regulator = NULL;
@@ -559,14 +592,6 @@ static int lp50xx_probe(struct i2c_clien
return ret;
}
- ret = lp50xx_reset(led);
- if (ret)
- return ret;
-
- ret = lp50xx_enable_disable(led, 1);
- if (ret)
- return ret;
-
return lp50xx_probe_dt(led);
}
@@ -575,7 +600,7 @@ static void lp50xx_remove(struct i2c_cli
struct lp50xx *led = i2c_get_clientdata(client);
int ret;
- ret = lp50xx_enable_disable(led, 0);
+ ret = lp50xx_disable(led);
if (ret)
dev_err(led->dev, "Failed to disable chip\n");
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 569/737] clk: samsung: exynos-clkout: Assign .num before accessing .hws
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (567 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 568/737] leds: leds-lp50xx: Enable chip before any communication Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 570/737] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup Greg Kroah-Hartman
` (178 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jochen Sprickerhof,
Nathan Chancellor, Kees Cook, Sam Protsenko, Krzysztof Kozlowski,
Stephen Boyd
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit cf33f0b7df13685234ccea7be7bfe316b60db4db upstream.
Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with
__counted_by") annotated the hws member of 'struct clk_hw_onecell_data'
with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS)
about the number of elements in .hws[], so that it can warn when .hws[]
is accessed out of bounds. As noted in that change, the __counted_by
member must be initialized with the number of elements before the first
array access happens, otherwise there will be a warning from each access
prior to the initialization because the number of elements is zero. This
occurs in exynos_clkout_probe() due to .num being assigned after .hws[]
has been accessed:
UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18
index 0 is out of range for type 'clk_hw *[*]'
Move the .num initialization to before the first access of .hws[],
clearing up the warning.
Cc: stable@vger.kernel.org
Fixes: f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by")
Reported-by: Jochen Sprickerhof <jochen@sprickerhof.de>
Closes: https://lore.kernel.org/aSIYDN5eyKFKoXKL@eldamar.lan/
Tested-by: Jochen Sprickerhof <jochen@sprickerhof.de>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <kees@kernel.org>
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/samsung/clk-exynos-clkout.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/clk/samsung/clk-exynos-clkout.c
+++ b/drivers/clk/samsung/clk-exynos-clkout.c
@@ -168,6 +168,7 @@ static int exynos_clkout_probe(struct pl
clkout->mux.shift = EXYNOS_CLKOUT_MUX_SHIFT;
clkout->mux.lock = &clkout->slock;
+ clkout->data.num = EXYNOS_CLKOUT_NR_CLKS;
clkout->data.hws[0] = clk_hw_register_composite(NULL, "clkout",
parent_names, parent_count, &clkout->mux.hw,
&clk_mux_ops, NULL, NULL, &clkout->gate.hw,
@@ -178,7 +179,6 @@ static int exynos_clkout_probe(struct pl
goto err_unmap;
}
- clkout->data.num = EXYNOS_CLKOUT_NR_CLKS;
ret = of_clk_add_hw_provider(clkout->np, of_clk_hw_onecell_get, &clkout->data);
if (ret)
goto err_clk_unreg;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 570/737] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (568 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 569/737] clk: samsung: exynos-clkout: Assign .num before accessing .hws Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 571/737] mfd: max77620: Fix potential IRQ chip conflict when probing two devices Greg Kroah-Hartman
` (177 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Lee Jones
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ccb7cd3218e48665f3c7e19eede0da5f069c323d upstream.
Make sure to drop the reference taken to the sysmgr platform device when
retrieving its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away.
Fixes: f36e789a1f8d ("mfd: altera-sysmgr: Add SOCFPGA System Manager")
Cc: stable@vger.kernel.org # 5.2
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/altera-sysmgr.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mfd/altera-sysmgr.c
+++ b/drivers/mfd/altera-sysmgr.c
@@ -117,6 +117,8 @@ struct regmap *altr_sysmgr_regmap_lookup
sysmgr = dev_get_drvdata(dev);
+ put_device(dev);
+
return sysmgr->regmap;
}
EXPORT_SYMBOL_GPL(altr_sysmgr_regmap_lookup_by_phandle);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 571/737] mfd: max77620: Fix potential IRQ chip conflict when probing two devices
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (569 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 570/737] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 572/737] media: rc: st_rc: Fix reset control resource leak Greg Kroah-Hartman
` (176 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Lee Jones
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 2bac49bad1f3553cc3b3bfb22cc194e9bd9e8427 upstream.
MAX77620 is most likely always a single device on the board, however
nothing stops board designers to have two of them, thus same device
driver could probe twice. Or user could manually try to probing second
time.
Device driver is not ready for that case, because it allocates
statically 'struct regmap_irq_chip' as non-const and stores during
probe in 'irq_drv_data' member a pointer to per-probe state
container ('struct max77620_chip'). devm_regmap_add_irq_chip() does not
make a copy of 'struct regmap_irq_chip' but store the pointer.
Second probe - either successful or failure - would overwrite the
'irq_drv_data' from previous device probe, so interrupts would be
executed in a wrong context.
Cc: stable@vger.kernel.org
Fixes: 3df140d11c6d ("mfd: max77620: Mask/unmask interrupt before/after servicing it")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/20251023101939.67991-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/max77620.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/mfd/max77620.c
+++ b/drivers/mfd/max77620.c
@@ -253,7 +253,7 @@ static int max77620_irq_global_unmask(vo
return ret;
}
-static struct regmap_irq_chip max77620_top_irq_chip = {
+static const struct regmap_irq_chip max77620_top_irq_chip = {
.name = "max77620-top",
.irqs = max77620_top_irqs,
.num_irqs = ARRAY_SIZE(max77620_top_irqs),
@@ -498,6 +498,7 @@ static int max77620_probe(struct i2c_cli
const struct i2c_device_id *id = i2c_client_get_device_id(client);
const struct regmap_config *rmap_config;
struct max77620_chip *chip;
+ struct regmap_irq_chip *chip_desc;
const struct mfd_cell *mfd_cells;
int n_mfd_cells;
bool pm_off;
@@ -508,6 +509,14 @@ static int max77620_probe(struct i2c_cli
return -ENOMEM;
i2c_set_clientdata(client, chip);
+
+ chip_desc = devm_kmemdup(&client->dev, &max77620_top_irq_chip,
+ sizeof(max77620_top_irq_chip),
+ GFP_KERNEL);
+ if (!chip_desc)
+ return -ENOMEM;
+ chip_desc->irq_drv_data = chip;
+
chip->dev = &client->dev;
chip->chip_irq = client->irq;
chip->chip_id = (enum max77620_chip_id)id->driver_data;
@@ -544,11 +553,9 @@ static int max77620_probe(struct i2c_cli
if (ret < 0)
return ret;
- max77620_top_irq_chip.irq_drv_data = chip;
ret = devm_regmap_add_irq_chip(chip->dev, chip->rmap, client->irq,
IRQF_ONESHOT | IRQF_SHARED, 0,
- &max77620_top_irq_chip,
- &chip->top_irq_data);
+ chip_desc, &chip->top_irq_data);
if (ret < 0) {
dev_err(chip->dev, "Failed to add regmap irq: %d\n", ret);
return ret;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 572/737] media: rc: st_rc: Fix reset control resource leak
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (570 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 571/737] mfd: max77620: Fix potential IRQ chip conflict when probing two devices Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 573/737] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace Greg Kroah-Hartman
` (175 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Patrice Chotard,
Sean Young, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
commit 1240abf4b71f632f0117b056e22488e4d9808938 upstream.
The driver calls reset_control_get_optional_exclusive() but never calls
reset_control_put() in error paths or in the remove function. This causes
a resource leak when probe fails after successfully acquiring the reset
control, or when the driver is unloaded.
Switch to devm_reset_control_get_optional_exclusive() to automatically
manage the reset control resource.
Fixes: a4b80242d046 ("media: st-rc: explicitly request exclusive reset control")
Cc: stable@vger.kernel.org
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/st_rc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/rc/st_rc.c
+++ b/drivers/media/rc/st_rc.c
@@ -283,7 +283,7 @@ static int st_rc_probe(struct platform_d
else
rc_dev->rx_base = rc_dev->base;
- rc_dev->rstc = reset_control_get_optional_exclusive(dev, NULL);
+ rc_dev->rstc = devm_reset_control_get_optional_exclusive(dev, NULL);
if (IS_ERR(rc_dev->rstc)) {
ret = PTR_ERR(rc_dev->rstc);
goto err;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 573/737] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (571 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 572/737] media: rc: st_rc: Fix reset control resource leak Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 574/737] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() Greg Kroah-Hartman
` (174 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sven Schnelle, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@stackframe.org>
commit 1aa4524c0c1b54842c4c0a370171d11b12d0709b upstream.
In wide mode, the IASQ contain the upper part of the GVA
during interruption. This needs to be reversed before
the space is used - otherwise it contains parts of IAOQ.
See Page 2-13 "Processing Resources / Interruption Instruction
Address Queues" in the Parisc 2.0 Architecture Manual page 2-13
for an explanation.
The IAOQ/IASQ space_adjust was skipped for other interruptions
than itlb misses. However, the code in handle_interruption()
checks whether iasq[0] contains a valid space. Due to the not
masked out bits this match failed and the process was killed.
Also add space_adjust for IAOQ1/IASQ1 so ptregs contains sane values.
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Cc: stable@vger.kernel.org # v6.0+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/entry.S | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -1059,8 +1059,6 @@ ENTRY_CFI(intr_save) /* for os_hpmc */
STREG %r17, PT_IOR(%r29)
#if defined(CONFIG_64BIT)
- b,n intr_save2
-
skip_save_ior:
/* We have a itlb miss, and when executing code above 4 Gb on ILP64, we
* need to adjust iasq/iaoq here in the same way we adjusted isr/ior
@@ -1069,10 +1067,17 @@ skip_save_ior:
bb,COND(>=),n %r8,PSW_W_BIT,intr_save2
LDREG PT_IASQ0(%r29), %r16
LDREG PT_IAOQ0(%r29), %r17
- /* adjust iasq/iaoq */
+ /* adjust iasq0/iaoq0 */
space_adjust %r16,%r17,%r1
STREG %r16, PT_IASQ0(%r29)
STREG %r17, PT_IAOQ0(%r29)
+
+ LDREG PT_IASQ1(%r29), %r16
+ LDREG PT_IAOQ1(%r29), %r17
+ /* adjust iasq1/iaoq1 */
+ space_adjust %r16,%r17,%r1
+ STREG %r16, PT_IASQ1(%r29)
+ STREG %r17, PT_IAOQ1(%r29)
#else
skip_save_ior:
#endif
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 574/737] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (572 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 573/737] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 575/737] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION Greg Kroah-Hartman
` (173 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sven Schnelle, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@stackframe.org>
commit 5fb1d3ce3e74a4530042795e1e065422295f1371 upstream.
When the kernel leaves to userspace via syscall_restore_rfi(), the
W bit is not set in the new PSW. This doesn't cause any problems
because there's no 64 bit userspace for parisc. Simple static binaries
are usually loaded at addresses way below the 32 bit limit so the W bit
doesn't matter.
Fix this by setting the W bit when TIF_32BIT is not set.
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/asm-offsets.c | 2 ++
arch/parisc/kernel/entry.S | 5 ++++-
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/arch/parisc/kernel/asm-offsets.c
+++ b/arch/parisc/kernel/asm-offsets.c
@@ -258,6 +258,8 @@ int main(void)
BLANK();
DEFINE(TIF_BLOCKSTEP_PA_BIT, 31-TIF_BLOCKSTEP);
DEFINE(TIF_SINGLESTEP_PA_BIT, 31-TIF_SINGLESTEP);
+ DEFINE(TIF_32BIT_PA_BIT, 31-TIF_32BIT);
+
BLANK();
DEFINE(ASM_PMD_SHIFT, PMD_SHIFT);
DEFINE(ASM_PGDIR_SHIFT, PGDIR_SHIFT);
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -1846,6 +1846,10 @@ syscall_restore_rfi:
extru,= %r19,TIF_BLOCKSTEP_PA_BIT,1,%r0
depi -1,7,1,%r20 /* T bit */
+#ifdef CONFIG_64BIT
+ extru,<> %r19,TIF_32BIT_PA_BIT,1,%r0
+ depi -1,4,1,%r20 /* W bit */
+#endif
STREG %r20,TASK_PT_PSW(%r1)
/* Always store space registers, since sr3 can be changed (e.g. fork) */
@@ -1859,7 +1863,6 @@ syscall_restore_rfi:
STREG %r25,TASK_PT_IASQ0(%r1)
STREG %r25,TASK_PT_IASQ1(%r1)
- /* XXX W bit??? */
/* Now if old D bit is clear, it means we didn't save all registers
* on syscall entry, so do that now. This only happens on TRACEME
* calls, or if someone attached to us while we were on a syscall.
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 575/737] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (573 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 574/737] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 576/737] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() Greg Kroah-Hartman
` (172 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand,
Ritesh Harjani (IBM), Christophe Leroy, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
commit fc6bcf9ac4de76f5e7bcd020b3c0a86faff3f2d5 upstream.
Patch series "powerpc/pseries/cmm: two smaller fixes".
Two smaller fixes identified while doing a bigger rework.
This patch (of 2):
We always have to initialize the balloon_dev_info, even when compaction is
not configured in: otherwise the containing list and the lock are left
uninitialized.
Likely not many such configs exist in practice, but let's CC stable to
be sure.
This was found by code inspection.
Link: https://lkml.kernel.org/r/20251021100606.148294-1-david@redhat.com
Link: https://lkml.kernel.org/r/20251021100606.148294-2-david@redhat.com
Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/cmm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/cmm.c
+++ b/arch/powerpc/platforms/pseries/cmm.c
@@ -550,7 +550,6 @@ static int cmm_migratepage(struct balloo
static void cmm_balloon_compaction_init(void)
{
- balloon_devinfo_init(&b_dev_info);
b_dev_info.migratepage = cmm_migratepage;
}
#else /* CONFIG_BALLOON_COMPACTION */
@@ -572,6 +571,7 @@ static int cmm_init(void)
if (!firmware_has_feature(FW_FEATURE_CMO) && !simulate)
return -EOPNOTSUPP;
+ balloon_devinfo_init(&b_dev_info);
cmm_balloon_compaction_init();
rc = register_oom_notifier(&cmm_oom_nb);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 576/737] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (574 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 575/737] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 577/737] firmware: stratix10-svc: Add mutex in stratix10 memory management Greg Kroah-Hartman
` (171 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
commit 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 upstream.
It's possible for cp_read() and hdmi_read() to return -EIO. Those
values are further used as indexes for accessing arrays.
Fix that by checking return values where it's needed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver")
Cc: stable@vger.kernel.org
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv7842.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -2680,6 +2680,7 @@ static int adv7842_cp_log_status(struct
/* CP block */
struct adv7842_state *state = to_state(sd);
struct v4l2_dv_timings timings;
+ int temp;
u8 reg_io_0x02 = io_read(sd, 0x02);
u8 reg_io_0x21 = io_read(sd, 0x21);
u8 reg_rep_0x77 = rep_read(sd, 0x77);
@@ -2802,8 +2803,9 @@ static int adv7842_cp_log_status(struct
(((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ?
"(16-235)" : "(0-255)",
(reg_io_0x02 & 0x08) ? "enabled" : "disabled");
+ temp = cp_read(sd, 0xf4) >> 4;
v4l2_info(sd, "Color space conversion: %s\n",
- csc_coeff_sel_rb[cp_read(sd, 0xf4) >> 4]);
+ temp < 0 ? "" : csc_coeff_sel_rb[temp]);
if (!is_digital_input(sd))
return 0;
@@ -2833,8 +2835,9 @@ static int adv7842_cp_log_status(struct
hdmi_read(sd, 0x5f));
v4l2_info(sd, "AV Mute: %s\n",
(hdmi_read(sd, 0x04) & 0x40) ? "on" : "off");
+ temp = hdmi_read(sd, 0x0b) >> 6;
v4l2_info(sd, "Deep color mode: %s\n",
- deep_color_mode_txt[hdmi_read(sd, 0x0b) >> 6]);
+ temp < 0 ? "" : deep_color_mode_txt[temp]);
adv7842_log_infoframes(sd);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 577/737] firmware: stratix10-svc: Add mutex in stratix10 memory management
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (575 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 576/737] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 578/737] dm-ebs: Mark full buffer dirty even on partial write Greg Kroah-Hartman
` (170 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mahesh Rao, Matthew Gerlach,
Dinh Nguyen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mahesh Rao <mahesh.rao@altera.com>
commit 85f96cbbbc67b59652b2c1ec394b8ddc0ddf1b0b upstream.
Add mutex lock to stratix10_svc_allocate_memory and
stratix10_svc_free_memory for thread safety. This prevents race
conditions and ensures proper synchronization during memory operations.
This is required for parallel communication with the Stratix10 service
channel.
Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
Cc: stable@vger.kernel.org
Signed-off-by: Mahesh Rao <mahesh.rao@altera.com>
Reviewed-by: Matthew Gerlach <matthew.gerlach@altera.com>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/stratix10-svc.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0
/*
* Copyright (C) 2017-2018, Intel Corporation
+ * Copyright (C) 2025, Altera Corporation
*/
#include <linux/completion.h>
@@ -176,6 +177,12 @@ static LIST_HEAD(svc_ctrl);
static LIST_HEAD(svc_data_mem);
/**
+ * svc_mem_lock protects access to the svc_data_mem list for
+ * concurrent multi-client operations
+ */
+static DEFINE_MUTEX(svc_mem_lock);
+
+/**
* svc_pa_to_va() - translate physical address to virtual address
* @addr: to be translated physical address
*
@@ -187,6 +194,7 @@ static void *svc_pa_to_va(unsigned long
struct stratix10_svc_data_mem *pmem;
pr_debug("claim back P-addr=0x%016x\n", (unsigned int)addr);
+ guard(mutex)(&svc_mem_lock);
list_for_each_entry(pmem, &svc_data_mem, node)
if (pmem->paddr == addr)
return pmem->vaddr;
@@ -996,6 +1004,7 @@ int stratix10_svc_send(struct stratix10_
p_data->flag = ct->flags;
}
} else {
+ guard(mutex)(&svc_mem_lock);
list_for_each_entry(p_mem, &svc_data_mem, node)
if (p_mem->vaddr == p_msg->payload) {
p_data->paddr = p_mem->paddr;
@@ -1078,6 +1087,7 @@ void *stratix10_svc_allocate_memory(stru
if (!pmem)
return ERR_PTR(-ENOMEM);
+ guard(mutex)(&svc_mem_lock);
va = gen_pool_alloc(genpool, s);
if (!va)
return ERR_PTR(-ENOMEM);
@@ -1106,6 +1116,7 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate
void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr)
{
struct stratix10_svc_data_mem *pmem;
+ guard(mutex)(&svc_mem_lock);
list_for_each_entry(pmem, &svc_data_mem, node)
if (pmem->vaddr == kaddr) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 578/737] dm-ebs: Mark full buffer dirty even on partial write
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (576 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 577/737] firmware: stratix10-svc: Add mutex in stratix10 memory management Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 579/737] dm-bufio: align write boundary on physical block size Greg Kroah-Hartman
` (169 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uladzislau Rezki (Sony),
Mikulas Patocka
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uladzislau Rezki (Sony) <urezki@gmail.com>
commit 7fa3e7d114abc9cc71cc35d768e116641074ddb4 upstream.
When performing a read-modify-write(RMW) operation, any modification
to a buffered block must cause the entire buffer to be marked dirty.
Marking only a subrange as dirty is incorrect because the underlying
device block size(ubs) defines the minimum read/write granularity. A
lower device can perform I/O only on regions which are fully aligned
and sized to ubs.
This change ensures that write-back operations always occur in full
ubs-sized chunks, matching the intended emulation semantics of the
EBS target.
As for user space visible impact, submitting sub-ubs and misaligned
I/O for devices which are tuned to ubs sizes only, will reject such
requests, therefore it can lead to losing data. Example:
1) Create a 8K nvme device in qemu by adding
-device nvme,drive=drv0,serial=foo,logical_block_size=8192,physical_block_size=8192
2) Setup dm-ebs to emulate 512B to 8K mapping
urezki@pc638:~/bin$ cat dmsetup.sh
lower=/dev/nvme0n1
len=$(blockdev --getsz "$lower")
echo "0 $len ebs $lower 0 1 16" | dmsetup create nvme-8k
urezki@pc638:~/bin$
offset 0, ebs=1 and ubs=16(in sectors).
3) Create an ext4 filesystem(default 4K block size)
urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 2072576 4k blocks and 518144 inodes
Filesystem UUID: bd0b6ca6-0506-4e31-86da-8d22c9d50b63
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: mkfs.ext4: Input/output error while writing out and closing file system
urezki@pc638:~/bin$ dmesg
<snip>
[ 1618.875449] buffer_io_error: 1028 callbacks suppressed
[ 1618.875456] Buffer I/O error on dev dm-0, logical block 0, lost async page write
[ 1618.875527] Buffer I/O error on dev dm-0, logical block 1, lost async page write
[ 1618.875602] Buffer I/O error on dev dm-0, logical block 2, lost async page write
[ 1618.875620] Buffer I/O error on dev dm-0, logical block 3, lost async page write
[ 1618.875639] Buffer I/O error on dev dm-0, logical block 4, lost async page write
[ 1618.894316] Buffer I/O error on dev dm-0, logical block 5, lost async page write
[ 1618.894358] Buffer I/O error on dev dm-0, logical block 6, lost async page write
[ 1618.894380] Buffer I/O error on dev dm-0, logical block 7, lost async page write
[ 1618.894405] Buffer I/O error on dev dm-0, logical block 8, lost async page write
[ 1618.894427] Buffer I/O error on dev dm-0, logical block 9, lost async page write
<snip>
Many I/O errors because the lower 8K device rejects sub-ubs/misaligned
requests.
with a patch:
urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 2072576 4k blocks and 518144 inodes
Filesystem UUID: 9b54f44f-ef55-4bd4-9e40-c8b775a616ac
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
urezki@pc638:~/bin$ sudo mount /dev/dm-0 /mnt/
urezki@pc638:~/bin$ ls -al /mnt/
total 24
drwxr-xr-x 3 root root 4096 Oct 17 15:13 .
drwxr-xr-x 19 root root 4096 Jul 10 19:42 ..
drwx------ 2 root root 16384 Oct 17 15:13 lost+found
urezki@pc638:~/bin$
After this change: mkfs completes; mount succeeds.
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ebs-target.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/md/dm-ebs-target.c
+++ b/drivers/md/dm-ebs-target.c
@@ -103,7 +103,7 @@ static int __ebs_rw_bvec(struct ebs_c *e
} else {
flush_dcache_page(bv->bv_page);
memcpy(ba, pa, cur_len);
- dm_bufio_mark_partial_buffer_dirty(b, buf_off, buf_off + cur_len);
+ dm_bufio_mark_buffer_dirty(b);
}
dm_bufio_release(b);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 579/737] dm-bufio: align write boundary on physical block size
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (577 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 578/737] dm-ebs: Mark full buffer dirty even on partial write Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 580/737] fbdev: gbefb: fix to use physical address instead of dma address Greg Kroah-Hartman
` (168 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikulas Patocka,
Uladzislau Rezki (Sony)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit d0ac06ae53be0cdb61f5fe6b62d25d3317c51657 upstream.
There may be devices with physical block size larger than 4k.
If dm-bufio sends I/O that is not aligned on physical block size,
performance is degraded.
The 4k minimum alignment limit is there because some SSDs report logical
and physical block size 512 despite having 4k internally - so dm-bufio
shouldn't send I/Os not aligned on 4k boundary, because they perform
badly (the SSD does read-modify-write for them).
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-bufio.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/md/dm-bufio.c
+++ b/drivers/md/dm-bufio.c
@@ -1375,7 +1375,7 @@ static void submit_io(struct dm_buffer *
{
unsigned int n_sectors;
sector_t sector;
- unsigned int offset, end;
+ unsigned int offset, end, align;
b->end_io = end_io;
@@ -1389,9 +1389,11 @@ static void submit_io(struct dm_buffer *
b->c->write_callback(b);
offset = b->write_start;
end = b->write_end;
- offset &= -DM_BUFIO_WRITE_ALIGN;
- end += DM_BUFIO_WRITE_ALIGN - 1;
- end &= -DM_BUFIO_WRITE_ALIGN;
+ align = max(DM_BUFIO_WRITE_ALIGN,
+ bdev_physical_block_size(b->c->bdev));
+ offset &= -align;
+ end += align - 1;
+ end &= -align;
if (unlikely(end > b->c->block_size))
end = b->c->block_size;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 580/737] fbdev: gbefb: fix to use physical address instead of dma address
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (578 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 579/737] dm-bufio: align write boundary on physical block size Greg Kroah-Hartman
@ 2026-01-09 11:41 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 581/737] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing Greg Kroah-Hartman
` (167 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rene Rebe <rene@exactco.de>
commit e3f44742bbb10537fe53d83d20dea2a7c167674d upstream.
While debuggigng why X would not start on mips64 Sgi/O2 I found the
phys adress being off. Turns out the gbefb passed the internal
dma_addr as phys. May be broken pre git history. Fix by converting
dma_to_phys.
Signed-off-by: René Rebe <rene@exactco.de>
Cc: <stable@vger.kernel.org> # v4.0+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/gbefb.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/video/fbdev/gbefb.c
+++ b/drivers/video/fbdev/gbefb.c
@@ -12,6 +12,7 @@
#include <linux/delay.h>
#include <linux/platform_device.h>
#include <linux/dma-mapping.h>
+#include <linux/dma-direct.h>
#include <linux/errno.h>
#include <linux/gfp.h>
#include <linux/fb.h>
@@ -65,7 +66,7 @@ struct gbefb_par {
static unsigned int gbe_mem_size = CONFIG_FB_GBE_MEM * 1024*1024;
static void *gbe_mem;
static dma_addr_t gbe_dma_addr;
-static unsigned long gbe_mem_phys;
+static phys_addr_t gbe_mem_phys;
static struct {
uint16_t *cpu;
@@ -1182,7 +1183,7 @@ static int gbefb_probe(struct platform_d
goto out_release_mem_region;
}
- gbe_mem_phys = (unsigned long) gbe_dma_addr;
+ gbe_mem_phys = dma_to_phys(&p_dev->dev, gbe_dma_addr);
}
par = info->par;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 581/737] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (579 preceding siblings ...)
2026-01-09 11:41 ` [PATCH 6.6 580/737] fbdev: gbefb: fix to use physical address instead of dma address Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 582/737] fbdev: tcx.c fix mem_map to correct smem_start offset Greg Kroah-Hartman
` (166 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 0155e868cbc111846cc2809c1546ea53810a56ae upstream.
The variables were never clamped because the return value of clamp_val()
was not used. Fix this by assigning the clamped values, and use clamp()
instead of clamp_val().
Cc: stable@vger.kernel.org
Fixes: 3f16ff608a75 ("[ARM] pxafb: cleanup of the timing checking code")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/pxafb.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/video/fbdev/pxafb.c
+++ b/drivers/video/fbdev/pxafb.c
@@ -418,12 +418,12 @@ static int pxafb_adjust_timing(struct px
var->yres = max_t(int, var->yres, MIN_YRES);
if (!(fbi->lccr0 & LCCR0_LCDT)) {
- clamp_val(var->hsync_len, 1, 64);
- clamp_val(var->vsync_len, 1, 64);
- clamp_val(var->left_margin, 1, 255);
- clamp_val(var->right_margin, 1, 255);
- clamp_val(var->upper_margin, 1, 255);
- clamp_val(var->lower_margin, 1, 255);
+ var->hsync_len = clamp(var->hsync_len, 1, 64);
+ var->vsync_len = clamp(var->vsync_len, 1, 64);
+ var->left_margin = clamp(var->left_margin, 1, 255);
+ var->right_margin = clamp(var->right_margin, 1, 255);
+ var->upper_margin = clamp(var->upper_margin, 1, 255);
+ var->lower_margin = clamp(var->lower_margin, 1, 255);
}
/* make sure each line is aligned on word boundary */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 582/737] fbdev: tcx.c fix mem_map to correct smem_start offset
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (580 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 581/737] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 583/737] media: cec: Fix debugfs leak on bus_register() failure Greg Kroah-Hartman
` (165 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
commit 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e upstream.
403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") changed the
physbase initializing breaking the user-space mmap, e.g. for Xorg
entirely.
Fix fbdev mmap table so the sbus mmap helper work correctly, and
not try to map vastly (physbase) offset memory.
Fixes: 403ae52ac047 ("sparc: fix drivers/video/tcx.c warning")
Cc: <stable@vger.kernel.org>
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/tcx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/tcx.c
+++ b/drivers/video/fbdev/tcx.c
@@ -436,7 +436,7 @@ static int tcx_probe(struct platform_dev
j = i;
break;
}
- par->mmap_map[i].poff = op->resource[j].start;
+ par->mmap_map[i].poff = op->resource[j].start - info->fix.smem_start;
}
info->fbops = &tcx_ops;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 583/737] media: cec: Fix debugfs leak on bus_register() failure
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (581 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 582/737] fbdev: tcx.c fix mem_map to correct smem_start offset Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 584/737] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() Greg Kroah-Hartman
` (164 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
commit c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb upstream.
In cec_devnode_init(), the debugfs directory created with
debugfs_create_dir() is not removed if bus_register() fails.
This leaves a stale "cec" entry in debugfs and prevents
proper module reloading.
Fix this by removing the debugfs directory in the error path.
Fixes: a56960e8b406 ("[media] cec: add HDMI CEC framework (core)")
Cc: stable@vger.kernel.org
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/cec/core/cec-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/cec/core/cec-core.c
+++ b/drivers/media/cec/core/cec-core.c
@@ -449,6 +449,7 @@ static int __init cec_devnode_init(void)
ret = bus_register(&cec_bus_type);
if (ret < 0) {
+ debugfs_remove_recursive(top_cec_dir);
unregister_chrdev_region(cec_dev_t, CEC_NUM_DEVICES);
pr_warn("cec: bus_register failed\n");
return -EIO;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 584/737] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (582 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 583/737] media: cec: Fix debugfs leak on bus_register() failure Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 585/737] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled Greg Kroah-Hartman
` (163 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
commit d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 upstream.
It's possible for max1 to remain -1 if msp_read() always fail. This
variable is further used as index for accessing arrays.
Fix that by checking max1 prior to array accesses.
It seems that restart is the preferable action in case of out-of-bounds
value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)")
Cc: stable@vger.kernel.org
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/msp3400-kthreads.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/i2c/msp3400-kthreads.c
+++ b/drivers/media/i2c/msp3400-kthreads.c
@@ -596,6 +596,8 @@ restart:
"carrier2 val: %5d / %s\n", val, cd[i].name);
}
+ if (max1 < 0 || max1 > 3)
+ goto restart;
/* program the msp3400 according to the results */
state->main = msp3400c_carrier_detect_main[max1].cdo;
switch (max1) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 585/737] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (583 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 584/737] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 586/737] media: samsung: exynos4-is: fix potential ABBA deadlock on init Greg Kroah-Hartman
` (162 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Geert Uytterhoeven,
Fabrizio Castro, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 445e1658894fd74eab7e53071fa16233887574ed upstream.
The function calls of_parse_phandle() which returns
a device node with an incremented reference count. When the bonded device
is not available, the function
returns NULL without releasing the reference, causing a reference leak.
Add of_node_put(np) to release the device node reference.
The of_node_put function handles NULL pointers.
Found through static analysis by reviewing the doc of of_parse_phandle()
and cross-checking its usage patterns across the codebase.
Fixes: 7625ee981af1 ("[media] media: platform: rcar_drif: Add DRIF support")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/renesas/rcar_drif.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/renesas/rcar_drif.c
+++ b/drivers/media/platform/renesas/rcar_drif.c
@@ -1249,6 +1249,7 @@ static struct device_node *rcar_drif_bon
if (np && of_device_is_available(np))
return np;
+ of_node_put(np);
return NULL;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 586/737] media: samsung: exynos4-is: fix potential ABBA deadlock on init
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (584 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 585/737] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 587/737] media: TDA1997x: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
` (161 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Sylwester Nawrocki,
Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
commit 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b upstream.
v4l2_device_register_subdev_nodes() must called without taking
media_dev->graph_mutex to avoid potential AB-BA deadlock on further
subdevice driver initialization.
Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration")
Cc: stable@vger.kernel.org
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/samsung/exynos4-is/media-dev.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/media/platform/samsung/exynos4-is/media-dev.c
+++ b/drivers/media/platform/samsung/exynos4-is/media-dev.c
@@ -1410,12 +1410,14 @@ static int subdev_notifier_complete(stru
mutex_lock(&fmd->media_dev.graph_mutex);
ret = fimc_md_create_links(fmd);
- if (ret < 0)
- goto unlock;
+ if (ret < 0) {
+ mutex_unlock(&fmd->media_dev.graph_mutex);
+ return ret;
+ }
- ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
-unlock:
mutex_unlock(&fmd->media_dev.graph_mutex);
+
+ ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 587/737] media: TDA1997x: Remove redundant cancel_delayed_work in probe
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (585 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 586/737] media: samsung: exynos4-is: fix potential ABBA deadlock on init Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 588/737] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index Greg Kroah-Hartman
` (160 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 29de195ca39fc2ac0af6fd45522994df9f431f80 upstream.
The delayed_work delayed_work_enable_hpd is initialized with
INIT_DELAYED_WORK(), but it is never scheduled in tda1997x_probe().
Calling cancel_delayed_work() on a work that has never been
scheduled is redundant and unnecessary, as there is no pending
work to cancel.
Remove the redundant cancel_delayed_work() from error handling
path in tda1997x_probe() to avoid potential confusion.
Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/tda1997x.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/media/i2c/tda1997x.c
+++ b/drivers/media/i2c/tda1997x.c
@@ -2794,7 +2794,6 @@ err_free_media:
err_free_handler:
v4l2_ctrl_handler_free(&state->hdl);
err_free_mutex:
- cancel_delayed_work(&state->delayed_work_enable_hpd);
mutex_destroy(&state->page_lock);
mutex_destroy(&state->lock);
tda1997x_set_power(state, 0);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 588/737] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (586 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 587/737] media: TDA1997x: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 589/737] media: videobuf2: Fix device reference leak in vb2_dc_alloc error path Greg Kroah-Hartman
` (159 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Gaignard, Nicolas Dufresne,
Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
commit 47825b1646a6a9eca0f90baa3d4f98947c2add96 upstream.
Fix the Hantro G2 HEVC decoder so that we use DPB index 0 whenever a
ninvalid index is received from user space. This protects the hardware
from doing faulty memory access which then leads to bus errors.
To be noted that when a reference is missing, userspace such as GStreamer
passes an invalid DPB index of 255. This issue was found by seeking to a
CRA picture using GStreamer. The framework is currently missing the code
to skip over RASL pictures placed after the CRA. This situation can also
occur while doing live streaming over lossy transport.
Fixes: cb5dd5a0fa518 ("media: hantro: Introduce G2/HEVC decoder")
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
+++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
@@ -297,6 +297,15 @@ static void set_params(struct hantro_ctx
hantro_reg_write(vpu, &g2_apf_threshold, 8);
}
+static u32 get_dpb_index(const struct v4l2_ctrl_hevc_decode_params *decode_params,
+ const u32 index)
+{
+ if (index > decode_params->num_active_dpb_entries)
+ return 0;
+
+ return index;
+}
+
static void set_ref_pic_list(struct hantro_ctx *ctx)
{
const struct hantro_hevc_dec_ctrls *ctrls = &ctx->hevc_dec.ctrls;
@@ -369,8 +378,10 @@ static void set_ref_pic_list(struct hant
list1[j++] = list1[i++];
for (i = 0; i < V4L2_HEVC_DPB_ENTRIES_NUM_MAX; i++) {
- hantro_reg_write(vpu, &ref_pic_regs0[i], list0[i]);
- hantro_reg_write(vpu, &ref_pic_regs1[i], list1[i]);
+ hantro_reg_write(vpu, &ref_pic_regs0[i],
+ get_dpb_index(decode_params, list0[i]));
+ hantro_reg_write(vpu, &ref_pic_regs1[i],
+ get_dpb_index(decode_params, list1[i]));
}
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 589/737] media: videobuf2: Fix device reference leak in vb2_dc_alloc error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (587 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 588/737] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 590/737] media: vpif_capture: fix section mismatch Greg Kroah-Hartman
` (158 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Marek Szyprowski,
Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
commit 94de23a9aa487d7c1372efb161721d7949a177ae upstream.
In vb2_dc_alloc(), get_device() is called to increment the device
reference count. However, if subsequent DMA allocation fails
(vb2_dc_alloc_coherent or vb2_dc_alloc_non_coherent returns error),
the function returns without calling put_device(), causing a device
reference leak.
Add put_device() call in the error path before kfree() to properly
release the device reference acquired earlier.
Fixes: de27891f675e ("media: videobuf2: handle non-contiguous DMA allocations")
Cc: stable@vger.kernel.org
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/common/videobuf2/videobuf2-dma-contig.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c
+++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
@@ -258,6 +258,7 @@ static void *vb2_dc_alloc(struct vb2_buf
if (ret) {
dev_err(dev, "dma alloc of size %lu failed\n", size);
+ put_device(buf->dev);
kfree(buf);
return ERR_PTR(-ENOMEM);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 590/737] media: vpif_capture: fix section mismatch
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (588 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 589/737] media: videobuf2: Fix device reference leak in vb2_dc_alloc error path Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 591/737] media: vpif_display: " Greg Kroah-Hartman
` (157 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 0ef841113724166c3c484d0e9ae6db1eb5634fde upstream.
Platform drivers can be probed after their init sections have been
discarded (e.g. on probe deferral or manual rebind through sysfs) so the
probe function must not live in init.
Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section
mismatch warning") incorrectly suppressed the modpost warning.
Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning")
Fixes: 6ffefff5a9e7 ("V4L/DVB (12906c): V4L : vpif capture driver for DM6467")
Cc: stable@vger.kernel.org # 2.6.32
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/ti/davinci/vpif_capture.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/ti/davinci/vpif_capture.c
+++ b/drivers/media/platform/ti/davinci/vpif_capture.c
@@ -1601,7 +1601,7 @@ err_cleanup:
* This creates device entries by register itself to the V4L2 driver and
* initializes fields of each channel objects
*/
-static __init int vpif_probe(struct platform_device *pdev)
+static int vpif_probe(struct platform_device *pdev)
{
struct vpif_subdev_info *subdevdata;
struct i2c_adapter *i2c_adap;
@@ -1808,7 +1808,7 @@ static int vpif_resume(struct device *de
static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume);
-static __refdata struct platform_driver vpif_driver = {
+static struct platform_driver vpif_driver = {
.driver = {
.name = VPIF_DRIVER_NAME,
.pm = &vpif_pm_ops,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 591/737] media: vpif_display: fix section mismatch
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (589 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 590/737] media: vpif_capture: fix section mismatch Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 592/737] media: amphion: Cancel message work before releasing the VPU core Greg Kroah-Hartman
` (156 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 59ca64bf98e4209df8ace8057d31ae3c80f948cd upstream.
Platform drivers can be probed after their init sections have been
discarded (e.g. on probe deferral or manual rebind through sysfs) so the
probe function must not live in init.
Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section
mismatch warning") incorrectly suppressed the modpost warning.
Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning")
Fixes: e7332e3a552f ("V4L/DVB (12176): davinci/vpif_display: Add VPIF display driver")
Cc: stable@vger.kernel.org # 2.6.32
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/ti/davinci/vpif_display.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/ti/davinci/vpif_display.c
+++ b/drivers/media/platform/ti/davinci/vpif_display.c
@@ -1215,7 +1215,7 @@ probe_out:
* vpif_probe: This function creates device entries by register itself to the
* V4L2 driver and initializes fields of each channel objects
*/
-static __init int vpif_probe(struct platform_device *pdev)
+static int vpif_probe(struct platform_device *pdev)
{
struct vpif_subdev_info *subdevdata;
struct i2c_adapter *i2c_adap;
@@ -1391,7 +1391,7 @@ static int vpif_resume(struct device *de
static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume);
-static __refdata struct platform_driver vpif_driver = {
+static struct platform_driver vpif_driver = {
.driver = {
.name = VPIF_DRIVER_NAME,
.pm = &vpif_pm_ops,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 592/737] media: amphion: Cancel message work before releasing the VPU core
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (590 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 591/737] media: vpif_display: " Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 593/737] media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
` (155 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Nicolas Dufresne,
Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
commit ae246b0032146e352c4c06a7bf03cd3d5bcb2ecd upstream.
To avoid accessing the VPU register after release of the VPU core,
cancel the message work and destroy the workqueue that handles the
VPU message before release of the VPU core.
Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
Cc: stable@vger.kernel.org
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/amphion/vpu_v4l2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/media/platform/amphion/vpu_v4l2.c
+++ b/drivers/media/platform/amphion/vpu_v4l2.c
@@ -682,15 +682,15 @@ static int vpu_v4l2_release(struct vpu_i
{
vpu_trace(inst->vpu->dev, "%p\n", inst);
- vpu_release_core(inst->core);
- put_device(inst->dev);
-
if (inst->workqueue) {
cancel_work_sync(&inst->msg_work);
destroy_workqueue(inst->workqueue);
inst->workqueue = NULL;
}
+ vpu_release_core(inst->core);
+ put_device(inst->dev);
+
v4l2_ctrl_handler_free(&inst->ctrl_handler);
mutex_destroy(&inst->lock);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 593/737] media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (591 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 592/737] media: amphion: Cancel message work before releasing the VPU core Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 594/737] media: i2c: adv7842: " Greg Kroah-Hartman
` (154 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 8f34f24355a607b98ecd9924837aab13c676eeca upstream.
The delayed_work delayed_work_enable_hotplug is initialized with
INIT_DELAYED_WORK() in adv76xx_probe(), but it is never scheduled
anywhere in the probe function.
Calling cancel_delayed_work() on a work that has never been
scheduled is redundant and unnecessary, as there is no pending
work to cancel.
Remove the redundant cancel_delayed_work() from error handling
path and adjust the goto label accordingly to simplify the code
and avoid potential confusion.
Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv7604.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -3620,7 +3620,7 @@ static int adv76xx_probe(struct i2c_clie
err = media_entity_pads_init(&sd->entity, state->source_pad + 1,
state->pads);
if (err)
- goto err_work_queues;
+ goto err_i2c;
/* Configure regmaps */
err = configure_regmaps(state);
@@ -3661,8 +3661,6 @@ static int adv76xx_probe(struct i2c_clie
err_entity:
media_entity_cleanup(&sd->entity);
-err_work_queues:
- cancel_delayed_work(&state->delayed_work_enable_hotplug);
err_i2c:
adv76xx_unregister_clients(state);
err_hdl:
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 594/737] media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (592 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 593/737] media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 595/737] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() Greg Kroah-Hartman
` (153 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit e66a5cc606c58e72f18f9cdd868a3672e918f9f8 upstream.
The delayed_work delayed_work_enable_hotplug is initialized with
INIT_DELAYED_WORK() in adv7842_probe(), but it is never scheduled
anywhere in the probe function.
Calling cancel_delayed_work() on a work that has never been
scheduled is redundant and unnecessary, as there is no pending
work to cancel.
Remove the redundant cancel_delayed_work() from error handling
path and adjust the goto label accordingly to simplify the code
and avoid potential confusion.
Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv7842.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -3564,7 +3564,7 @@ static int adv7842_probe(struct i2c_clie
err = media_entity_pads_init(&sd->entity, ADV7842_PAD_SOURCE + 1,
state->pads);
if (err)
- goto err_work_queues;
+ goto err_i2c;
err = adv7842_core_init(sd);
if (err)
@@ -3585,8 +3585,6 @@ static int adv7842_probe(struct i2c_clie
err_entity:
media_entity_cleanup(&sd->entity);
-err_work_queues:
- cancel_delayed_work(&state->delayed_work_enable_hotplug);
err_i2c:
adv7842_unregister_clients(sd);
err_hdl:
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 595/737] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (593 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 594/737] media: i2c: adv7842: " Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 596/737] LoongArch: Add new PCI ID for pci_fixup_vgadev() Greg Kroah-Hartman
` (152 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li,
AngeloGioacchino Del Regno, Tzung-Bi Shih, Nicolas Dufresne,
Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit cdd0f118ef87db8a664fb5ea366fd1766d2df1cd upstream.
vpu_get_plat_device() increases the reference count of the returned
platform device. However, when devm_kzalloc() fails, the reference
is not released, causing a reference leak.
Fix this by calling put_device() on fw_pdev->dev before returning
on the error path.
Fixes: e25a89f743b1 ("media: mtk-vcodec: potential dereference of null pointer")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c
+++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c
@@ -117,8 +117,10 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_
vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_enc_handler, priv, rst_id);
fw = devm_kzalloc(&plat_dev->dev, sizeof(*fw), GFP_KERNEL);
- if (!fw)
+ if (!fw) {
+ put_device(&fw_pdev->dev);
return ERR_PTR(-ENOMEM);
+ }
fw->type = VPU;
fw->ops = &mtk_vcodec_vpu_msg;
fw->pdev = fw_pdev;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 596/737] LoongArch: Add new PCI ID for pci_fixup_vgadev()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (594 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 595/737] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 597/737] LoongArch: Correct the calculation logic of thread_count Greg Kroah-Hartman
` (151 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tianrui Zhao, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit bf3fa8f232a1eec8d7b88dcd9e925e60f04f018d upstream.
Loongson-2K3000 has a new PCI ID (0x7a46) for its display controller,
Add it for pci_fixup_vgadev() since we prefer a discrete graphics card
as default boot device if present.
Cc: stable@vger.kernel.org
Signed-off-by: Tianrui Zhao <zhaotianrui@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/pci/pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/loongarch/pci/pci.c
+++ b/arch/loongarch/pci/pci.c
@@ -15,6 +15,7 @@
#define PCI_DEVICE_ID_LOONGSON_HOST 0x7a00
#define PCI_DEVICE_ID_LOONGSON_DC1 0x7a06
#define PCI_DEVICE_ID_LOONGSON_DC2 0x7a36
+#define PCI_DEVICE_ID_LOONGSON_DC3 0x7a46
int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
int reg, int len, u32 *val)
@@ -98,3 +99,4 @@ static void pci_fixup_vgadev(struct pci_
}
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC1, pci_fixup_vgadev);
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC2, pci_fixup_vgadev);
+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LOONGSON, PCI_DEVICE_ID_LOONGSON_DC3, pci_fixup_vgadev);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 597/737] LoongArch: Correct the calculation logic of thread_count
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (595 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 596/737] LoongArch: Add new PCI ID for pci_fixup_vgadev() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 598/737] LoongArch: Fix build errors for CONFIG_RANDSTRUCT Greg Kroah-Hartman
` (150 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qiang Ma, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Ma <maqianga@uniontech.com>
commit 1de0ae21f136efa6c5d8a4d3e07b7d1ca39c750f upstream.
For thread_count, the current calculation method has a maximum of 255,
which may not be sufficient in the future. Therefore, we are correcting
it now.
Reference: SMBIOS Specification, 7.5 Processor Information (Type 4)[1]
[1]: https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.9.0.pdf
Cc: stable@vger.kernel.org
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/setup.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/arch/loongarch/kernel/setup.c
+++ b/arch/loongarch/kernel/setup.c
@@ -56,6 +56,7 @@
#define SMBIOS_FREQLOW_MASK 0xFF
#define SMBIOS_CORE_PACKAGE_OFFSET 0x23
#define SMBIOS_THREAD_PACKAGE_OFFSET 0x25
+#define SMBIOS_THREAD_PACKAGE_2_OFFSET 0x2E
#define LOONGSON_EFI_ENABLE (1 << 3)
#ifdef CONFIG_EFI
@@ -130,7 +131,12 @@ static void __init parse_cpu_table(const
cpu_clock_freq = freq_temp * 1000000;
loongson_sysconf.cpuname = (void *)dmi_string_parse(dm, dmi_data[16]);
- loongson_sysconf.cores_per_package = *(dmi_data + SMBIOS_THREAD_PACKAGE_OFFSET);
+ loongson_sysconf.cores_per_package = *(u8 *)(dmi_data + SMBIOS_THREAD_PACKAGE_OFFSET);
+ if (dm->length >= 0x30 && loongson_sysconf.cores_per_package == 0xff) {
+ /* SMBIOS 3.0+ has ThreadCount2 for more than 255 threads */
+ loongson_sysconf.cores_per_package =
+ *(u16 *)(dmi_data + SMBIOS_THREAD_PACKAGE_2_OFFSET);
+ }
pr_info("CpuClock = %llu\n", cpu_clock_freq);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 598/737] LoongArch: Fix build errors for CONFIG_RANDSTRUCT
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (596 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 597/737] LoongArch: Correct the calculation logic of thread_count Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 599/737] LoongArch: Use __pmd()/__pte() for swap entry conversions Greg Kroah-Hartman
` (149 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Rui Wang,
Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 3c250aecef62da81deb38ac6738ac0a88d91f1fc upstream.
When CONFIG_RANDSTRUCT enabled, members of task_struct are randomized.
There is a chance that TASK_STACK_CANARY be out of 12bit immediate's
range and causes build errors. TASK_STACK_CANARY is naturally aligned,
so fix it by replacing ld.d/st.d with ldptr.d/stptr.d which have 14bit
immediates.
Cc: stable@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202511240656.0NaPcJs1-lkp@intel.com/
Suggested-by: Rui Wang <wangrui@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/switch.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/loongarch/kernel/switch.S
+++ b/arch/loongarch/kernel/switch.S
@@ -25,8 +25,8 @@ SYM_FUNC_START(__switch_to)
stptr.d a4, a0, THREAD_SCHED_CFA
#if defined(CONFIG_STACKPROTECTOR) && !defined(CONFIG_SMP)
la t7, __stack_chk_guard
- LONG_L t8, a1, TASK_STACK_CANARY
- LONG_S t8, t7, 0
+ ldptr.d t8, a1, TASK_STACK_CANARY
+ stptr.d t8, t7, 0
#endif
move tp, a2
cpu_restore_nonscratch a1
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 599/737] LoongArch: Use __pmd()/__pte() for swap entry conversions
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (597 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 598/737] LoongArch: Fix build errors for CONFIG_RANDSTRUCT Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 600/737] LoongArch: Use unsigned long for _end and _text Greg Kroah-Hartman
` (148 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuli Wang, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: WangYuli <wangyl5933@chinaunicom.cn>
commit 4a71df151e703b5e7e85b33369cee59ef2665e61 upstream.
The __pmd() and __pte() helper macros provide the correct initialization
syntax and abstraction for the pmd_t and pte_t types.
Use __pmd() to fix follow warning about __swp_entry_to_pmd() with gcc-15
under specific configs [1] :
In file included from ./include/linux/pgtable.h:6,
from ./include/linux/mm.h:31,
from ./include/linux/pagemap.h:8,
from arch/loongarch/mm/init.c:14:
./include/linux/swapops.h: In function ‘swp_entry_to_pmd’:
./arch/loongarch/include/asm/pgtable.h:302:34: error: missing braces around initializer [-Werror=missing-braces]
302 | #define __swp_entry_to_pmd(x) ((pmd_t) { (x).val | _PAGE_HUGE })
| ^
./include/linux/swapops.h:559:16: note: in expansion of macro ‘__swp_entry_to_pmd’
559 | return __swp_entry_to_pmd(arch_entry);
| ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Also update __swp_entry_to_pte() to use __pte() for consistency.
[1]. https://download.01.org/0day-ci/archive/20251119/202511190316.luI90kAo-lkp@intel.com/config
Cc: stable@vger.kernel.org
Signed-off-by: Yuli Wang <wangyl5933@chinaunicom.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/include/asm/pgtable.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/loongarch/include/asm/pgtable.h
+++ b/arch/loongarch/include/asm/pgtable.h
@@ -285,9 +285,9 @@ static inline pte_t mk_swap_pte(unsigned
#define __swp_offset(x) ((x).val >> 24)
#define __swp_entry(type, offset) ((swp_entry_t) { pte_val(mk_swap_pte((type), (offset))) })
#define __pte_to_swp_entry(pte) ((swp_entry_t) { pte_val(pte) })
-#define __swp_entry_to_pte(x) ((pte_t) { (x).val })
+#define __swp_entry_to_pte(x) __pte((x).val)
#define __pmd_to_swp_entry(pmd) ((swp_entry_t) { pmd_val(pmd) })
-#define __swp_entry_to_pmd(x) ((pmd_t) { (x).val | _PAGE_HUGE })
+#define __swp_entry_to_pmd(x) __pmd((x).val | _PAGE_HUGE)
static inline int pte_swp_exclusive(pte_t pte)
{
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 600/737] LoongArch: Use unsigned long for _end and _text
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (598 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 599/737] LoongArch: Use __pmd()/__pte() for swap entry conversions Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 601/737] compiler_types.h: add "auto" as a macro for "__auto_type" Greg Kroah-Hartman
` (147 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tiezhu Yang, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tiezhu Yang <yangtiezhu@loongson.cn>
commit a258a3cb1895e3acf5f2fe245d17426e894bc935 upstream.
It is better to use unsigned long rather than long for _end and _text to
calculate the kernel length.
Cc: stable@vger.kernel.org # v6.3+
Fixes: e5f02b51fa0c ("LoongArch: Add support for kernel address space layout randomization (KASLR)")
Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/relocate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/loongarch/kernel/relocate.c
+++ b/arch/loongarch/kernel/relocate.c
@@ -141,7 +141,7 @@ static inline void __init *determine_rel
if (kaslr_disabled())
return destination;
- kernel_length = (long)_end - (long)_text;
+ kernel_length = (unsigned long)_end - (unsigned long)_text;
random_offset = get_random_boot() << 16;
random_offset &= (CONFIG_RANDOMIZE_BASE_MAX_OFFSET - 1);
@@ -190,7 +190,7 @@ unsigned long __init relocate_kernel(voi
early_memunmap(cmdline, COMMAND_LINE_SIZE);
if (random_offset) {
- kernel_length = (long)(_end) - (long)(_text);
+ kernel_length = (unsigned long)(_end) - (unsigned long)(_text);
/* Copy the kernel to it's new location */
memcpy(location_new, _text, kernel_length);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 601/737] compiler_types.h: add "auto" as a macro for "__auto_type"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (599 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 600/737] LoongArch: Use unsigned long for _end and _text Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 602/737] kasan: refactor pcpu kasan vmalloc unpoison Greg Kroah-Hartman
` (146 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, H. Peter Anvin (Intel), Miguel Ojeda,
stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: H. Peter Anvin <hpa@zytor.com>
commit 2fb6915fa22dc5524d704afba58a13305dd9f533 upstream.
"auto" was defined as a keyword back in the K&R days, but as a storage
type specifier. No one ever used it, since it was and is the default
storage type for local variables.
C++11 recycled the keyword to allow a type to be declared based on the
type of an initializer. This was finally adopted into standard C in
C23.
gcc and clang provide the "__auto_type" alias keyword as an extension
for pre-C23, however, there is no reason to pollute the bulk of the
source base with this temporary keyword; instead define "auto" as a
macro unless the compiler is running in C23+ mode.
This macro is added in <linux/compiler_types.h> because that header is
included in some of the tools headers, wheres <linux/compiler.h> is
not as it has a bunch of very kernel-specific things in it.
[ Cc: stable to reduce potential backporting burden. ]
Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Cc: <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/compiler_types.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -5,6 +5,19 @@
#ifndef __ASSEMBLY__
/*
+ * C23 introduces "auto" as a standard way to define type-inferred
+ * variables, but "auto" has been a (useless) keyword even since K&R C,
+ * so it has always been "namespace reserved."
+ *
+ * Until at some future time we require C23 support, we need the gcc
+ * extension __auto_type, but there is no reason to put that elsewhere
+ * in the source code.
+ */
+#if __STDC_VERSION__ < 202311L
+# define auto __auto_type
+#endif
+
+/*
* Skipped when running bindgen due to a libclang issue;
* see https://github.com/rust-lang/rust-bindgen/issues/2244.
*/
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 602/737] kasan: refactor pcpu kasan vmalloc unpoison
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (600 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 601/737] compiler_types.h: add "auto" as a macro for "__auto_type" Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 603/737] idr: fix idr_alloc() returning an ID out of range Greg Kroah-Hartman
` (145 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Wieczor-Retman,
Andrey Konovalov, Alexander Potapenko, Andrey Ryabinin,
Danilo Krummrich, Dmitriy Vyukov, Jiayuan Chen, Kees Cook,
Marco Elver, Uladzislau Rezki (Sony), Vincenzo Frascino,
Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
commit 6f13db031e27e88213381039032a9cc061578ea6 upstream.
A KASAN tag mismatch, possibly causing a kernel panic, can be observed
on systems with a tag-based KASAN enabled and with multiple NUMA nodes.
It was reported on arm64 and reproduced on x86. It can be explained in
the following points:
1. There can be more than one virtual memory chunk.
2. Chunk's base address has a tag.
3. The base address points at the first chunk and thus inherits
the tag of the first chunk.
4. The subsequent chunks will be accessed with the tag from the
first chunk.
5. Thus, the subsequent chunks need to have their tag set to
match that of the first chunk.
Refactor code by reusing __kasan_unpoison_vmalloc in a new helper in
preparation for the actual fix.
Link: https://lkml.kernel.org/r/eb61d93b907e262eefcaa130261a08bcb6c5ce51.1764874575.git.m.wieczorretman@pm.me
Fixes: 1d96320f8d53 ("kasan, vmalloc: add vmalloc tagging for SW_TAGS")
Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@intel.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Danilo Krummrich <dakr@kernel.org>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Cc: Kees Cook <kees@kernel.org>
Cc: Marco Elver <elver@google.com>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: <stable@vger.kernel.org> [6.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/kasan.h | 15 +++++++++++++++
mm/kasan/common.c | 17 +++++++++++++++++
mm/vmalloc.c | 4 +---
3 files changed, 33 insertions(+), 3 deletions(-)
--- a/include/linux/kasan.h
+++ b/include/linux/kasan.h
@@ -423,6 +423,16 @@ static __always_inline void kasan_poison
__kasan_poison_vmalloc(start, size);
}
+void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
+ kasan_vmalloc_flags_t flags);
+static __always_inline void
+kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
+ kasan_vmalloc_flags_t flags)
+{
+ if (kasan_enabled())
+ __kasan_unpoison_vmap_areas(vms, nr_vms, flags);
+}
+
#else /* CONFIG_KASAN_VMALLOC */
static inline void kasan_populate_early_vm_area_shadow(void *start,
@@ -446,6 +456,11 @@ static inline void *kasan_unpoison_vmall
static inline void kasan_poison_vmalloc(const void *start, unsigned long size)
{ }
+static __always_inline void
+kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
+ kasan_vmalloc_flags_t flags)
+{ }
+
#endif /* CONFIG_KASAN_VMALLOC */
#if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \
--- a/mm/kasan/common.c
+++ b/mm/kasan/common.c
@@ -26,6 +26,7 @@
#include <linux/string.h>
#include <linux/types.h>
#include <linux/bug.h>
+#include <linux/vmalloc.h>
#include "kasan.h"
#include "../slab.h"
@@ -450,3 +451,19 @@ bool __kasan_check_byte(const void *addr
}
return true;
}
+
+#ifdef CONFIG_KASAN_VMALLOC
+void __kasan_unpoison_vmap_areas(struct vm_struct **vms, int nr_vms,
+ kasan_vmalloc_flags_t flags)
+{
+ unsigned long size;
+ void *addr;
+ int area;
+
+ for (area = 0 ; area < nr_vms ; area++) {
+ size = vms[area]->size;
+ addr = vms[area]->addr;
+ vms[area]->addr = __kasan_unpoison_vmalloc(addr, size, flags);
+ }
+}
+#endif
--- a/mm/vmalloc.c
+++ b/mm/vmalloc.c
@@ -4196,9 +4196,7 @@ retry:
* With hardware tag-based KASAN, marking is skipped for
* non-VM_ALLOC mappings, see __kasan_unpoison_vmalloc().
*/
- for (area = 0; area < nr_vms; area++)
- vms[area]->addr = kasan_unpoison_vmalloc(vms[area]->addr,
- vms[area]->size, KASAN_VMALLOC_PROT_NORMAL);
+ kasan_unpoison_vmap_areas(vms, nr_vms, KASAN_VMALLOC_PROT_NORMAL);
kfree(vas);
return vms;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 603/737] idr: fix idr_alloc() returning an ID out of range
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (601 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 602/737] kasan: refactor pcpu kasan vmalloc unpoison Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 604/737] x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo Greg Kroah-Hartman
` (144 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Jan Sokolowski, Koen Koning, Peter Senna Tschudin,
Christian König, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
commit c6e8e595a0798ad67da0f7bebaf69c31ef70dfff upstream.
If you use an IDR with a non-zero base, and specify a range that lies
entirely below the base, 'max - base' becomes very large and
idr_get_free() can return an ID that lies outside of the requested range.
Link: https://lkml.kernel.org/r/20251128161853.3200058-1-willy@infradead.org
Fixes: 6ce711f27500 ("idr: Make 1-based IDRs more efficient")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reported-by: Jan Sokolowski <jan.sokolowski@intel.com>
Reported-by: Koen Koning <koen.koning@intel.com>
Reported-by: Peter Senna Tschudin <peter.senna@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6449
Reviewed-by: Christian König <christian.koenig@amd.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/idr.c | 2 ++
tools/testing/radix-tree/idr-test.c | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+)
--- a/lib/idr.c
+++ b/lib/idr.c
@@ -40,6 +40,8 @@ int idr_alloc_u32(struct idr *idr, void
if (WARN_ON_ONCE(!(idr->idr_rt.xa_flags & ROOT_IS_IDR)))
idr->idr_rt.xa_flags |= IDR_RT_MARKER;
+ if (max < base)
+ return -ENOSPC;
id = (id < base) ? 0 : id - base;
radix_tree_iter_init(&iter, id);
--- a/tools/testing/radix-tree/idr-test.c
+++ b/tools/testing/radix-tree/idr-test.c
@@ -57,6 +57,26 @@ void idr_alloc_test(void)
idr_destroy(&idr);
}
+void idr_alloc2_test(void)
+{
+ int id;
+ struct idr idr = IDR_INIT_BASE(idr, 1);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL);
+ assert(id == -ENOSPC);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 1, 2, GFP_KERNEL);
+ assert(id == 1);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL);
+ assert(id == -ENOSPC);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 0, 2, GFP_KERNEL);
+ assert(id == -ENOSPC);
+
+ idr_destroy(&idr);
+}
+
void idr_replace_test(void)
{
DEFINE_IDR(idr);
@@ -409,6 +429,7 @@ void idr_checks(void)
idr_replace_test();
idr_alloc_test();
+ idr_alloc2_test();
idr_null_test();
idr_nowait_test();
idr_get_next_test(0);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 604/737] x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (602 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 603/737] idr: fix idr_alloc() returning an ID out of range Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 605/737] tools/mm/page_owner_sort: fix timestamp comparison for stable sorting Greg Kroah-Hartman
` (143 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rong Zhang, Borislav Petkov (AMD),
stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rong Zhang <i@rong.moe>
commit 150b1b97e27513535dcd3795d5ecd28e61b6cb8c upstream.
Zen5 also contains family 1Ah, models 70h-7Fh, which are mistakenly missing
from cpu_has_entrysign(). Add the missing range.
Fixes: 8a9fb5129e8e ("x86/microcode/AMD: Limit Entrysign signature checking to known generations")
Signed-off-by: Rong Zhang <i@rong.moe>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@kernel.org
Link: https://patch.msgid.link/20251229182245.152747-1-i@rong.moe
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/microcode/amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -237,7 +237,7 @@ static bool cpu_has_entrysign(void)
if (fam == 0x1a) {
if (model <= 0x2f ||
(0x40 <= model && model <= 0x4f) ||
- (0x60 <= model && model <= 0x6f))
+ (0x60 <= model && model <= 0x7f))
return true;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 605/737] tools/mm/page_owner_sort: fix timestamp comparison for stable sorting
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (603 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 604/737] x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 606/737] samples/ftrace: Adjust LoongArch register restore order in direct calls Greg Kroah-Hartman
` (142 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaushlendra Kumar, Chongxi Zhao,
Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
commit 7013803444dd3bbbe28fd3360c084cec3057c554 upstream.
The ternary operator in compare_ts() returns 1 when timestamps are equal,
causing unstable sorting behavior. Replace with explicit three-way
comparison that returns 0 for equal timestamps, ensuring stable qsort
ordering and consistent output.
Link: https://lkml.kernel.org/r/20251209044552.3396468-1-kaushlendra.kumar@intel.com
Fixes: 8f9c447e2e2b ("tools/vm/page_owner_sort.c: support sorting pid and time")
Signed-off-by: Kaushlendra Kumar <kaushlendra.kumar@intel.com>
Cc: Chongxi Zhao <zhaochongxi2019@email.szu.edu.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/mm/page_owner_sort.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/tools/mm/page_owner_sort.c
+++ b/tools/mm/page_owner_sort.c
@@ -178,7 +178,11 @@ static int compare_ts(const void *p1, co
{
const struct block_list *l1 = p1, *l2 = p2;
- return l1->ts_nsec < l2->ts_nsec ? -1 : 1;
+ if (l1->ts_nsec < l2->ts_nsec)
+ return -1;
+ if (l1->ts_nsec > l2->ts_nsec)
+ return 1;
+ return 0;
}
static int compare_free_ts(const void *p1, const void *p2)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 606/737] samples/ftrace: Adjust LoongArch register restore order in direct calls
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (604 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 605/737] tools/mm/page_owner_sort: fix timestamp comparison for stable sorting Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 607/737] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Greg Kroah-Hartman
` (141 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Youling Tang,
Steven Rostedt (Google), Chenghao Duan, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenghao Duan <duanchenghao@kylinos.cn>
commit bb85d206be208bbf834883e948125a35ac59993a upstream.
Ensure that in the ftrace direct call logic, the CPU register state
(with ra = parent return address) is restored to the correct state after
the execution of the custom trampoline function and before returning to
the traced function. Additionally, guarantee the correctness of the jump
logic for jr t0 (traced function address).
Cc: stable@vger.kernel.org
Fixes: 9cdc3b6a299c ("LoongArch: ftrace: Add direct call support")
Reported-by: Youling Tang <tangyouling@kylinos.cn>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Chenghao Duan <duanchenghao@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
samples/ftrace/ftrace-direct-modify.c | 8 ++++----
samples/ftrace/ftrace-direct-multi-modify.c | 8 ++++----
samples/ftrace/ftrace-direct-multi.c | 4 ++--
samples/ftrace/ftrace-direct-too.c | 4 ++--
samples/ftrace/ftrace-direct.c | 4 ++--
5 files changed, 14 insertions(+), 14 deletions(-)
--- a/samples/ftrace/ftrace-direct-modify.c
+++ b/samples/ftrace/ftrace-direct-modify.c
@@ -141,8 +141,8 @@ asm (
" st.d $t0, $sp, 0\n"
" st.d $ra, $sp, 8\n"
" bl my_direct_func1\n"
-" ld.d $t0, $sp, 0\n"
-" ld.d $ra, $sp, 8\n"
+" ld.d $ra, $sp, 0\n"
+" ld.d $t0, $sp, 8\n"
" addi.d $sp, $sp, 16\n"
" jr $t0\n"
" .size my_tramp1, .-my_tramp1\n"
@@ -154,8 +154,8 @@ asm (
" st.d $t0, $sp, 0\n"
" st.d $ra, $sp, 8\n"
" bl my_direct_func2\n"
-" ld.d $t0, $sp, 0\n"
-" ld.d $ra, $sp, 8\n"
+" ld.d $ra, $sp, 0\n"
+" ld.d $t0, $sp, 8\n"
" addi.d $sp, $sp, 16\n"
" jr $t0\n"
" .size my_tramp2, .-my_tramp2\n"
--- a/samples/ftrace/ftrace-direct-multi-modify.c
+++ b/samples/ftrace/ftrace-direct-multi-modify.c
@@ -158,8 +158,8 @@ asm (
" move $a0, $t0\n"
" bl my_direct_func1\n"
" ld.d $a0, $sp, 0\n"
-" ld.d $t0, $sp, 8\n"
-" ld.d $ra, $sp, 16\n"
+" ld.d $ra, $sp, 8\n"
+" ld.d $t0, $sp, 16\n"
" addi.d $sp, $sp, 32\n"
" jr $t0\n"
" .size my_tramp1, .-my_tramp1\n"
@@ -174,8 +174,8 @@ asm (
" move $a0, $t0\n"
" bl my_direct_func2\n"
" ld.d $a0, $sp, 0\n"
-" ld.d $t0, $sp, 8\n"
-" ld.d $ra, $sp, 16\n"
+" ld.d $ra, $sp, 8\n"
+" ld.d $t0, $sp, 16\n"
" addi.d $sp, $sp, 32\n"
" jr $t0\n"
" .size my_tramp2, .-my_tramp2\n"
--- a/samples/ftrace/ftrace-direct-multi.c
+++ b/samples/ftrace/ftrace-direct-multi.c
@@ -106,8 +106,8 @@ asm (
" move $a0, $t0\n"
" bl my_direct_func\n"
" ld.d $a0, $sp, 0\n"
-" ld.d $t0, $sp, 8\n"
-" ld.d $ra, $sp, 16\n"
+" ld.d $ra, $sp, 8\n"
+" ld.d $t0, $sp, 16\n"
" addi.d $sp, $sp, 32\n"
" jr $t0\n"
" .size my_tramp, .-my_tramp\n"
--- a/samples/ftrace/ftrace-direct-too.c
+++ b/samples/ftrace/ftrace-direct-too.c
@@ -115,8 +115,8 @@ asm (
" ld.d $a0, $sp, 0\n"
" ld.d $a1, $sp, 8\n"
" ld.d $a2, $sp, 16\n"
-" ld.d $t0, $sp, 24\n"
-" ld.d $ra, $sp, 32\n"
+" ld.d $ra, $sp, 24\n"
+" ld.d $t0, $sp, 32\n"
" addi.d $sp, $sp, 48\n"
" jr $t0\n"
" .size my_tramp, .-my_tramp\n"
--- a/samples/ftrace/ftrace-direct.c
+++ b/samples/ftrace/ftrace-direct.c
@@ -100,8 +100,8 @@ asm (
" st.d $ra, $sp, 16\n"
" bl my_direct_func\n"
" ld.d $a0, $sp, 0\n"
-" ld.d $t0, $sp, 8\n"
-" ld.d $ra, $sp, 16\n"
+" ld.d $ra, $sp, 8\n"
+" ld.d $t0, $sp, 16\n"
" addi.d $sp, $sp, 32\n"
" jr $t0\n"
" .size my_tramp, .-my_tramp\n"
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 607/737] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (605 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 606/737] samples/ftrace: Adjust LoongArch register restore order in direct calls Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 608/737] RDMA/cm: Fix leaking the multicast GID table reference Greg Kroah-Hartman
` (140 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+938fcd548c303fe33c1a,
Jason Gunthorpe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit a7b8e876e0ef0232b8076972c57ce9a7286b47ca upstream.
The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a
LS_NLA_TYPE_DGID attribute, it is invalid if it does not.
Use the nl parsing logic properly and call nla_parse_deprecated() to fill
the nlattrs array and then directly index that array to get the data for
the DGID. Just fail if it is NULL.
Remove the for loop searching for the nla, and squash the validation and
parsing into one function.
Fixes an uninitialized read from the stack triggered by userspace if it
does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE
query.
BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
hex_byte_pack include/linux/hex.h:13 [inline]
ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
_printk+0x17e/0x1b0 kernel/printk/printk.c:2475
ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
__sys_sendmsg+0x1aa/0x300 net/socket.c:2703
__compat_sys_sendmsg net/compat.c:346 [inline]
__do_compat_sys_sendmsg net/compat.c:353 [inline]
__se_compat_sys_sendmsg net/compat.c:350 [inline]
__ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3
Link: https://patch.msgid.link/r/0-v1-3fbaef094271+2cf-rdma_op_ip_rslv_syz_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/68dc3dac.a00a0220.102ee.004f.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/addr.c | 33 ++++++++++-----------------------
1 file changed, 10 insertions(+), 23 deletions(-)
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -80,37 +80,25 @@ static const struct nla_policy ib_nl_add
.min = sizeof(struct rdma_nla_ls_gid)},
};
-static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)
+static void ib_nl_process_ip_rsep(const struct nlmsghdr *nlh)
{
struct nlattr *tb[LS_NLA_TYPE_MAX] = {};
+ union ib_gid gid;
+ struct addr_req *req;
+ int found = 0;
int ret;
if (nlh->nlmsg_flags & RDMA_NL_LS_F_ERR)
- return false;
+ return;
ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh),
nlmsg_len(nlh), ib_nl_addr_policy, NULL);
if (ret)
- return false;
-
- return true;
-}
-
-static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh)
-{
- const struct nlattr *head, *curr;
- union ib_gid gid;
- struct addr_req *req;
- int len, rem;
- int found = 0;
-
- head = (const struct nlattr *)nlmsg_data(nlh);
- len = nlmsg_len(nlh);
+ return;
- nla_for_each_attr(curr, head, len, rem) {
- if (curr->nla_type == LS_NLA_TYPE_DGID)
- memcpy(&gid, nla_data(curr), nla_len(curr));
- }
+ if (!tb[LS_NLA_TYPE_DGID])
+ return;
+ memcpy(&gid, nla_data(tb[LS_NLA_TYPE_DGID]), sizeof(gid));
spin_lock_bh(&lock);
list_for_each_entry(req, &req_list, list) {
@@ -137,8 +125,7 @@ int ib_nl_handle_ip_res_resp(struct sk_b
!(NETLINK_CB(skb).sk))
return -EPERM;
- if (ib_nl_is_good_ip_resp(nlh))
- ib_nl_process_good_ip_rsep(nlh);
+ ib_nl_process_ip_rsep(nlh);
return 0;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 608/737] RDMA/cm: Fix leaking the multicast GID table reference
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (606 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 607/737] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 609/737] e1000: fix OOB in e1000_tbi_should_accept() Greg Kroah-Hartman
` (139 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b0da83a6c0e2e2bddbd4,
Jason Gunthorpe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 57f3cb6c84159d12ba343574df2115fb18dd83ca upstream.
If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:
GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
Destroy the ah_attr after canceling the work, it is safe to call this
twice.
Link: https://patch.msgid.link/r/0-v1-4285d070a6b2+20a-rdma_mc_gid_leak_syz_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: fe454dc31e84 ("RDMA/ucma: Fix use-after-free bug in ucma_create_uevent")
Reported-by: syzbot+b0da83a6c0e2e2bddbd4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68232e7b.050a0220.f2294.09f6.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/cma.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -1993,6 +1993,7 @@ static void destroy_mc(struct rdma_id_pr
ib_sa_free_multicast(mc->sa_mc);
if (rdma_protocol_roce(id_priv->id.device, id_priv->id.port_num)) {
+ struct rdma_cm_event *event = &mc->iboe_join.event;
struct rdma_dev_addr *dev_addr =
&id_priv->id.route.addr.dev_addr;
struct net_device *ndev = NULL;
@@ -2015,6 +2016,8 @@ static void destroy_mc(struct rdma_id_pr
dev_put(ndev);
cancel_work_sync(&mc->iboe_join.work);
+ if (event->event == RDMA_CM_EVENT_MULTICAST_JOIN)
+ rdma_destroy_ah_attr(&event->param.ud.ah_attr);
}
kfree(mc);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 609/737] e1000: fix OOB in e1000_tbi_should_accept()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (607 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 608/737] RDMA/cm: Fix leaking the multicast GID table reference Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 610/737] fjes: Add missing iounmap in fjes_hw_init() Greg Kroah-Hartman
` (138 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Simon Horman,
Aleksandr Loktionov, Tony Nguyen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit 9c72a5182ed92904d01057f208c390a303f00a0f upstream.
In e1000_tbi_should_accept() we read the last byte of the frame via
'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
reported length is zero or larger than the actual RX buffer size, this
read goes out of bounds and can hit unrelated slab objects. The issue
is observed from the NAPI receive path (e1000_clean_rx_irq):
==================================================================
BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
Read of size 1 at addr ffff888014114e54 by task sshd/363
CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x5a/0x74
print_address_description+0x7b/0x440
print_report+0x101/0x200
kasan_report+0xc1/0xf0
e1000_tbi_should_accept+0x610/0x790
e1000_clean_rx_irq+0xa8c/0x1110
e1000_clean+0xde2/0x3c10
__napi_poll+0x98/0x380
net_rx_action+0x491/0xa20
__do_softirq+0x2c9/0x61d
do_softirq+0xd1/0x120
</IRQ>
<TASK>
__local_bh_enable_ip+0xfe/0x130
ip_finish_output2+0x7d5/0xb00
__ip_queue_xmit+0xe24/0x1ab0
__tcp_transmit_skb+0x1bcb/0x3340
tcp_write_xmit+0x175d/0x6bd0
__tcp_push_pending_frames+0x7b/0x280
tcp_sendmsg_locked+0x2e4f/0x32d0
tcp_sendmsg+0x24/0x40
sock_write_iter+0x322/0x430
vfs_write+0x56c/0xa60
ksys_write+0xd1/0x190
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f511b476b10
Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24
RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10
RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003
RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003
</TASK>
Allocated by task 1:
__kasan_krealloc+0x131/0x1c0
krealloc+0x90/0xc0
add_sysfs_param+0xcb/0x8a0
kernel_add_sysfs_param+0x81/0xd4
param_sysfs_builtin+0x138/0x1a6
param_sysfs_init+0x57/0x5b
do_one_initcall+0x104/0x250
do_initcall_level+0x102/0x132
do_initcalls+0x46/0x74
kernel_init_freeable+0x28f/0x393
kernel_init+0x14/0x1a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff888014114000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1620 bytes to the right of
2048-byte region [ffff888014114000, ffff888014114800]
The buggy address belongs to the physical page:
page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110
head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
==================================================================
This happens because the TBI check unconditionally dereferences the last
byte without validating the reported length first:
u8 last_byte = *(data + length - 1);
Fix by rejecting the frame early if the length is zero, or if it exceeds
adapter->rx_buffer_len. This preserves the TBI workaround semantics for
valid frames and prevents touching memory beyond the RX buffer.
Fixes: 2037110c96d5 ("e1000: move tbi workaround code into helper function")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -4091,7 +4091,15 @@ static bool e1000_tbi_should_accept(stru
u32 length, const u8 *data)
{
struct e1000_hw *hw = &adapter->hw;
- u8 last_byte = *(data + length - 1);
+ u8 last_byte;
+
+ /* Guard against OOB on data[length - 1] */
+ if (unlikely(!length))
+ return false;
+ /* Upper bound: length must not exceed rx_buffer_len */
+ if (unlikely(length > adapter->rx_buffer_len))
+ return false;
+ last_byte = *(data + length - 1);
if (TBI_ACCEPT(hw, status, errors, length, last_byte)) {
unsigned long irq_flags;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 610/737] fjes: Add missing iounmap in fjes_hw_init()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (608 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 609/737] e1000: fix OOB in e1000_tbi_should_accept() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 611/737] LoongArch: BPF: Zero-extend bpf_tail_call() index Greg Kroah-Hartman
` (137 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Simon Horman,
Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 15ef641a0c6728d25a400df73922e80ab2cf029c upstream.
In error paths, add fjes_hw_iounmap() to release the
resource acquired by fjes_hw_iomap(). Add a goto label
to do so.
Fixes: 8cdc3f6c5d22 ("fjes: Hardware initialization routine")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Simon Horman <horms@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211073756.101824-1-lihaoxiang@isrc.iscas.ac.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/fjes/fjes_hw.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/fjes/fjes_hw.c
+++ b/drivers/net/fjes/fjes_hw.c
@@ -334,7 +334,7 @@ int fjes_hw_init(struct fjes_hw *hw)
ret = fjes_hw_reset(hw);
if (ret)
- return ret;
+ goto err_iounmap;
fjes_hw_set_irqmask(hw, REG_ICTL_MASK_ALL, true);
@@ -347,8 +347,10 @@ int fjes_hw_init(struct fjes_hw *hw)
hw->max_epid = fjes_hw_get_max_epid(hw);
hw->my_epid = fjes_hw_get_my_epid(hw);
- if ((hw->max_epid == 0) || (hw->my_epid >= hw->max_epid))
- return -ENXIO;
+ if ((hw->max_epid == 0) || (hw->my_epid >= hw->max_epid)) {
+ ret = -ENXIO;
+ goto err_iounmap;
+ }
ret = fjes_hw_setup(hw);
@@ -356,6 +358,10 @@ int fjes_hw_init(struct fjes_hw *hw)
hw->hw_info.trace_size = FJES_DEBUG_BUFFER_SIZE;
return ret;
+
+err_iounmap:
+ fjes_hw_iounmap(hw);
+ return ret;
}
void fjes_hw_exit(struct fjes_hw *hw)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 611/737] LoongArch: BPF: Zero-extend bpf_tail_call() index
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (609 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 610/737] fjes: Add missing iounmap in fjes_hw_init() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 612/737] LoongArch: BPF: Sign extend kfunc call arguments Greg Kroah-Hartman
` (136 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hengqi Chen, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hengqi Chen <hengqi.chen@gmail.com>
commit eb71f5c433e1c6dff089b315881dec40a88a7baf upstream.
The bpf_tail_call() index should be treated as a u32 value. Let's
zero-extend it to avoid calling wrong BPF progs. See similar fixes
for x86 [1]) and arm64 ([2]) for more details.
[1]: https://github.com/torvalds/linux/commit/90caccdd8cc0215705f18b92771b449b01e2474a
[2]: https://github.com/torvalds/linux/commit/16338a9b3ac30740d49f5dfed81bac0ffa53b9c7
Cc: stable@vger.kernel.org
Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support")
Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/net/bpf_jit.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/loongarch/net/bpf_jit.c
+++ b/arch/loongarch/net/bpf_jit.c
@@ -226,6 +226,8 @@ static int emit_bpf_tail_call(struct jit
* goto out;
*/
tc_ninsn = insn ? ctx->offset[insn+1] - ctx->offset[insn] : ctx->offset[0];
+ emit_zext_32(ctx, a2, true);
+
off = offsetof(struct bpf_array, map.max_entries);
emit_insn(ctx, ldwu, t1, a1, off);
/* bgeu $a2, $t1, jmp_offset */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 612/737] LoongArch: BPF: Sign extend kfunc call arguments
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (610 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 611/737] LoongArch: BPF: Zero-extend bpf_tail_call() index Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 613/737] nfsd: Drop the client reference in client_states_open() Greg Kroah-Hartman
` (135 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hengqi Chen, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hengqi Chen <hengqi.chen@gmail.com>
commit 3f5a238f24d7b75f9efe324d3539ad388f58536e upstream.
The kfunc calls are native calls so they should follow LoongArch calling
conventions. Sign extend its arguments properly to avoid kernel panic.
This is done by adding a new emit_abi_ext() helper. The emit_abi_ext()
helper performs extension in place meaning a value already store in the
target register (Note: this is different from the existing sign_extend()
helper and thus we can't reuse it).
Cc: stable@vger.kernel.org
Fixes: 5dc615520c4d ("LoongArch: Add BPF JIT support")
Signed-off-by: Hengqi Chen <hengqi.chen@gmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/net/bpf_jit.c | 16 ++++++++++++++++
arch/loongarch/net/bpf_jit.h | 26 ++++++++++++++++++++++++++
2 files changed, 42 insertions(+)
--- a/arch/loongarch/net/bpf_jit.c
+++ b/arch/loongarch/net/bpf_jit.c
@@ -834,6 +834,22 @@ static int build_insn(const struct bpf_i
if (ret < 0)
return ret;
+ if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL) {
+ const struct btf_func_model *m;
+ int i;
+
+ m = bpf_jit_find_kfunc_model(ctx->prog, insn);
+ if (!m)
+ return -EINVAL;
+
+ for (i = 0; i < m->nr_args; i++) {
+ u8 reg = regmap[BPF_REG_1 + i];
+ bool sign = m->arg_flags[i] & BTF_FMODEL_SIGNED_ARG;
+
+ emit_abi_ext(ctx, reg, m->arg_size[i], sign);
+ }
+ }
+
move_addr(ctx, t1, func_addr);
emit_insn(ctx, jirl, LOONGARCH_GPR_RA, t1, 0);
--- a/arch/loongarch/net/bpf_jit.h
+++ b/arch/loongarch/net/bpf_jit.h
@@ -87,6 +87,32 @@ static inline void emit_sext_32(struct j
emit_insn(ctx, addiw, reg, reg, 0);
}
+/* Emit proper extension according to ABI requirements.
+ * Note that it requires a value of size `size` already resides in register `reg`.
+ */
+static inline void emit_abi_ext(struct jit_ctx *ctx, int reg, u8 size, bool sign)
+{
+ /* ABI requires unsigned char/short to be zero-extended */
+ if (!sign && (size == 1 || size == 2))
+ return;
+
+ switch (size) {
+ case 1:
+ emit_insn(ctx, extwb, reg, reg);
+ break;
+ case 2:
+ emit_insn(ctx, extwh, reg, reg);
+ break;
+ case 4:
+ emit_insn(ctx, addiw, reg, reg, 0);
+ break;
+ case 8:
+ break;
+ default:
+ pr_warn("bpf_jit: invalid size %d for extension\n", size);
+ }
+}
+
static inline void move_addr(struct jit_ctx *ctx, enum loongarch_gpr rd, u64 addr)
{
u64 imm_11_0, imm_31_12, imm_51_32, imm_63_52;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 613/737] nfsd: Drop the client reference in client_states_open()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (611 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 612/737] LoongArch: BPF: Sign extend kfunc call arguments Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 614/737] net: usb: sr9700: fix incorrect command used to write single register Greg Kroah-Hartman
` (134 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Haoxiang Li,
Chuck Lever
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 1f941b2c23fd34c6f3b76d36f9d0a2528fa92b8f upstream.
In error path, call drop_client() to drop the reference
obtained by get_nfsdfs_clp().
Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -2801,8 +2801,10 @@ static int client_states_open(struct ino
return -ENXIO;
ret = seq_open(file, &states_seq_ops);
- if (ret)
+ if (ret) {
+ drop_client(clp);
return ret;
+ }
s = file->private_data;
s->private = clp;
return 0;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 614/737] net: usb: sr9700: fix incorrect command used to write single register
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (612 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 613/737] nfsd: Drop the client reference in client_states_open() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 615/737] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write Greg Kroah-Hartman
` (133 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ethan Nelson-Moore, Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
commit fa0b198be1c6775bc7804731a43be5d899d19e7a upstream.
This fixes the device failing to initialize with "error reading MAC
address" for me, probably because the incorrect write of NCR_RST to
SR_NCR is not actually resetting the device.
Fixes: c9b37458e95629b1d1171457afdcc1bf1eb7881d ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
Cc: stable@vger.kernel.org
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Link: https://patch.msgid.link/20251221082400.50688-1-enelsonmoore@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/sr9700.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c
@@ -52,7 +52,7 @@ static int sr_read_reg(struct usbnet *de
static int sr_write_reg(struct usbnet *dev, u8 reg, u8 value)
{
- return usbnet_write_cmd(dev, SR_WR_REGS, SR_REQ_WR_REG,
+ return usbnet_write_cmd(dev, SR_WR_REG, SR_REQ_WR_REG,
value, reg, NULL, 0);
}
@@ -65,7 +65,7 @@ static void sr_write_async(struct usbnet
static void sr_write_reg_async(struct usbnet *dev, u8 reg, u8 value)
{
- usbnet_write_cmd_async(dev, SR_WR_REGS, SR_REQ_WR_REG,
+ usbnet_write_cmd_async(dev, SR_WR_REG, SR_REQ_WR_REG,
value, reg, NULL, 0);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 615/737] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (613 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 614/737] net: usb: sr9700: fix incorrect command used to write single register Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 616/737] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() Greg Kroah-Hartman
` (132 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4ef89409a235d804c6c2,
Deepanshu Kartikey, Krzysztof Kozlowski, Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 upstream.
A deadlock can occur between nfc_unregister_device() and rfkill_fop_write()
due to lock ordering inversion between device_lock and rfkill_global_mutex.
The problematic lock order is:
Thread A (rfkill_fop_write):
rfkill_fop_write()
mutex_lock(&rfkill_global_mutex)
rfkill_set_block()
nfc_rfkill_set_block()
nfc_dev_down()
device_lock(&dev->dev) <- waits for device_lock
Thread B (nfc_unregister_device):
nfc_unregister_device()
device_lock(&dev->dev)
rfkill_unregister()
mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex
This creates a classic ABBA deadlock scenario.
Fix this by moving rfkill_unregister() and rfkill_destroy() outside the
device_lock critical section. Store the rfkill pointer in a local variable
before releasing the lock, then call rfkill_unregister() after releasing
device_lock.
This change is safe because rfkill_fop_write() holds rfkill_global_mutex
while calling the rfkill callbacks, and rfkill_unregister() also acquires
rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will
wait for any ongoing callback to complete before proceeding, and
device_del() is only called after rfkill_unregister() returns, preventing
any use-after-free.
The similar lock ordering in nfc_register_device() (device_lock ->
rfkill_global_mutex via rfkill_register) is safe because during
registration the device is not yet in rfkill_list, so no concurrent
rfkill operations can occur on this device.
Fixes: 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device")
Cc: stable@vger.kernel.org
Reported-by: syzbot+4ef89409a235d804c6c2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4ef89409a235d804c6c2
Link: https://lore.kernel.org/all/20251217054908.178907-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20251218012355.279940-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/core.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -1154,6 +1154,7 @@ EXPORT_SYMBOL(nfc_register_device);
void nfc_unregister_device(struct nfc_dev *dev)
{
int rc;
+ struct rfkill *rfk = NULL;
pr_debug("dev_name=%s\n", dev_name(&dev->dev));
@@ -1164,13 +1165,17 @@ void nfc_unregister_device(struct nfc_de
device_lock(&dev->dev);
if (dev->rfkill) {
- rfkill_unregister(dev->rfkill);
- rfkill_destroy(dev->rfkill);
+ rfk = dev->rfkill;
dev->rfkill = NULL;
}
dev->shutting_down = true;
device_unlock(&dev->dev);
+ if (rfk) {
+ rfkill_unregister(rfk);
+ rfkill_destroy(rfk);
+ }
+
if (dev->ops->check_presence) {
del_timer_sync(&dev->check_pres_timer);
cancel_work_sync(&dev->check_pres_work);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 616/737] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (614 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 615/737] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 617/737] drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma Greg Kroah-Hartman
` (131 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kevin Hao, Xiaolei Wang, Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
commit 99537d5c476cada9cf75aef9fa75579a31faadb9 upstream.
In the non-RT kernel, local_bh_disable() merely disables preemption,
whereas it maps to an actual spin lock in the RT kernel. Consequently,
when attempting to refill RX buffers via netdev_alloc_skb() in
macb_mac_link_up(), a deadlock scenario arises as follows:
WARNING: possible circular locking dependency detected
6.18.0-08691-g2061f18ad76e #39 Not tainted
------------------------------------------------------
kworker/0:0/8 is trying to acquire lock:
ffff00080369bbe0 (&bp->lock){+.+.}-{3:3}, at: macb_start_xmit+0x808/0xb7c
but task is already holding lock:
ffff000803698e58 (&queue->tx_ptr_lock){+...}-{3:3}, at: macb_start_xmit
+0x148/0xb7c
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&queue->tx_ptr_lock){+...}-{3:3}:
rt_spin_lock+0x50/0x1f0
macb_start_xmit+0x148/0xb7c
dev_hard_start_xmit+0x94/0x284
sch_direct_xmit+0x8c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
-> #2 (_xmit_ETHER#2){+...}-{3:3}:
rt_spin_lock+0x50/0x1f0
sch_direct_xmit+0x11c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
-> #1 ((softirq_ctrl.lock)){+.+.}-{3:3}:
lock_release+0x250/0x348
__local_bh_enable_ip+0x7c/0x240
__netdev_alloc_skb+0x1b4/0x1d8
gem_rx_refill+0xdc/0x240
gem_init_rings+0xb4/0x108
macb_mac_link_up+0x9c/0x2b4
phylink_resolve+0x170/0x614
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
-> #0 (&bp->lock){+.+.}-{3:3}:
__lock_acquire+0x15a8/0x2084
lock_acquire+0x1cc/0x350
rt_spin_lock+0x50/0x1f0
macb_start_xmit+0x808/0xb7c
dev_hard_start_xmit+0x94/0x284
sch_direct_xmit+0x8c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
other info that might help us debug this:
Chain exists of:
&bp->lock --> _xmit_ETHER#2 --> &queue->tx_ptr_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&queue->tx_ptr_lock);
lock(_xmit_ETHER#2);
lock(&queue->tx_ptr_lock);
lock(&bp->lock);
*** DEADLOCK ***
Call trace:
show_stack+0x18/0x24 (C)
dump_stack_lvl+0xa0/0xf0
dump_stack+0x18/0x24
print_circular_bug+0x28c/0x370
check_noncircular+0x198/0x1ac
__lock_acquire+0x15a8/0x2084
lock_acquire+0x1cc/0x350
rt_spin_lock+0x50/0x1f0
macb_start_xmit+0x808/0xb7c
dev_hard_start_xmit+0x94/0x284
sch_direct_xmit+0x8c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
Notably, invoking the mog_init_rings() callback upon link establishment
is unnecessary. Instead, we can exclusively call mog_init_rings() within
the ndo_open() callback. This adjustment resolves the deadlock issue.
Furthermore, since MACB_CAPS_MACB_IS_EMAC cases do not use mog_init_rings()
when opening the network interface via at91ether_open(), moving
mog_init_rings() to macb_open() also eliminates the MACB_CAPS_MACB_IS_EMAC
check.
Fixes: 633e98a711ac ("net: macb: use resolved link config in mac_link_up()")
Cc: stable@vger.kernel.org
Suggested-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Link: https://patch.msgid.link/20251222015624.1994551-1-xiaolei.wang@windriver.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/cadence/macb_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -759,7 +759,6 @@ static void macb_mac_link_up(struct phyl
/* Initialize rings & buffers as clearing MACB_BIT(TE) in link down
* cleared the pipeline and control registers.
*/
- bp->macbgem_ops.mog_init_rings(bp);
macb_init_buffers(bp);
for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue)
@@ -2953,6 +2952,8 @@ static int macb_open(struct net_device *
goto pm_exit;
}
+ bp->macbgem_ops.mog_init_rings(bp);
+
for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) {
napi_enable(&queue->napi_rx);
napi_enable(&queue->napi_tx);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 617/737] drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (615 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 616/737] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 618/737] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers Greg Kroah-Hartman
` (130 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Eric Pelloux-Prayer,
Christian König, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
commit 4fa944255be521b1bbd9780383f77206303a3a5c upstream.
Users of ttm entities need to hold the gtt_window_lock before using them
to guarantee proper ordering of jobs.
Cc: stable@vger.kernel.org
Fixes: cb5cc4f573e1 ("drm/amdgpu: improve debug VRAM access performance using sdma")
Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
@@ -1495,6 +1495,7 @@ static int amdgpu_ttm_access_memory_sdma
if (r)
goto out;
+ mutex_lock(&adev->mman.gtt_window_lock);
amdgpu_res_first(abo->tbo.resource, offset, len, &src_mm);
src_addr = amdgpu_ttm_domain_start(adev, bo->resource->mem_type) +
src_mm.start;
@@ -1509,6 +1510,7 @@ static int amdgpu_ttm_access_memory_sdma
WARN_ON(job->ibs[0].length_dw > num_dw);
fence = amdgpu_job_submit(job);
+ mutex_unlock(&adev->mman.gtt_window_lock);
if (!dma_fence_wait_timeout(fence, false, adev->sdma_timeout))
r = -ETIMEDOUT;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 618/737] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (616 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 617/737] drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 619/737] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Greg Kroah-Hartman
` (129 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Konrad Dybcio,
Rob Clark
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
commit 779b68a5bf2764c8ed3aa800e41ba0d5d007e1e7 upstream.
REG_A6XX_GMU_AO_AHB_FENCE_CTRL register falls under GMU's register
range. So, use gmu_write() routines to write to this register.
Fixes: 1707add81551 ("drm/msm/a6xx: Add a6xx gpu state")
Cc: stable@vger.kernel.org
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/688993/
Message-ID: <20251118-kaana-gpu-support-v4-1-86eeb8e93fb6@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
@@ -834,7 +834,7 @@ static void a6xx_get_gmu_registers(struc
return;
/* Set the fence to ALLOW mode so we can access the registers */
- gpu_write(gpu, REG_A6XX_GMU_AO_AHB_FENCE_CTRL, 0);
+ gmu_write(&a6xx_gpu->gmu, REG_A6XX_GMU_AO_AHB_FENCE_CTRL, 0);
_a6xx_get_gmu_registers(gpu, a6xx_state, &a6xx_gmu_reglist[2],
&a6xx_state->gmu_registers[2], false);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 619/737] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (617 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 618/737] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 620/737] drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse() Greg Kroah-Hartman
` (128 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrik Jakobsson, Stefan Christ,
Daniel Vetter, dri-devel, Thomas Zimmermann
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
commit be729f9de6c64240645dc80a24162ac4d3fe00a8 upstream.
Remove psb_fbdev_fb_setcolreg(), which hasn't been called in almost
a decade.
Gma500 commit 4d8d096e9ae8 ("gma500: introduce the framebuffer support
code") added the helper psb_fbdev_fb_setcolreg() for setting the fbdev
palette via fbdev's fb_setcolreg callback. Later
commit 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for
fb_ops") set several default helpers for fbdev emulation, including
fb_setcmap.
The fbdev subsystem always prefers fb_setcmap over fb_setcolreg. [1]
Hence, the gma500 code is no longer in use and gma500 has been using
drm_fb_helper_setcmap() for several years without issues.
Fixes: 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for fb_ops")
Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Cc: Stefan Christ <contact@stefanchrist.eu>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v4.10+
Link: https://elixir.bootlin.com/linux/v6.16.9/source/drivers/video/fbdev/core/fbcmap.c#L246 # [1]
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Acked-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://lore.kernel.org/r/20250929082338.18845-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/fbdev.c | 43 -----------------------------------------
1 file changed, 43 deletions(-)
--- a/drivers/gpu/drm/gma500/fbdev.c
+++ b/drivers/gpu/drm/gma500/fbdev.c
@@ -51,48 +51,6 @@ static const struct vm_operations_struct
* struct fb_ops
*/
-#define CMAP_TOHW(_val, _width) ((((_val) << (_width)) + 0x7FFF - (_val)) >> 16)
-
-static int psb_fbdev_fb_setcolreg(unsigned int regno,
- unsigned int red, unsigned int green,
- unsigned int blue, unsigned int transp,
- struct fb_info *info)
-{
- struct drm_fb_helper *fb_helper = info->par;
- struct drm_framebuffer *fb = fb_helper->fb;
- uint32_t v;
-
- if (!fb)
- return -ENOMEM;
-
- if (regno > 255)
- return 1;
-
- red = CMAP_TOHW(red, info->var.red.length);
- blue = CMAP_TOHW(blue, info->var.blue.length);
- green = CMAP_TOHW(green, info->var.green.length);
- transp = CMAP_TOHW(transp, info->var.transp.length);
-
- v = (red << info->var.red.offset) |
- (green << info->var.green.offset) |
- (blue << info->var.blue.offset) |
- (transp << info->var.transp.offset);
-
- if (regno < 16) {
- switch (fb->format->cpp[0] * 8) {
- case 16:
- ((uint32_t *) info->pseudo_palette)[regno] = v;
- break;
- case 24:
- case 32:
- ((uint32_t *) info->pseudo_palette)[regno] = v;
- break;
- }
- }
-
- return 0;
-}
-
static int psb_fbdev_fb_mmap(struct fb_info *info, struct vm_area_struct *vma)
{
if (vma->vm_pgoff != 0)
@@ -137,7 +95,6 @@ static const struct fb_ops psb_fbdev_fb_
.owner = THIS_MODULE,
__FB_DEFAULT_IOMEM_OPS_RDWR,
DRM_FB_HELPER_DEFAULT_OPS,
- .fb_setcolreg = psb_fbdev_fb_setcolreg,
__FB_DEFAULT_IOMEM_OPS_DRAW,
.fb_mmap = psb_fbdev_fb_mmap,
.fb_destroy = psb_fbdev_fb_destroy,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 620/737] drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (618 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 619/737] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 621/737] drm/ttm: Avoid NULL pointer deref for evicted BOs Greg Kroah-Hartman
` (127 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin,
Markus Schneider-Pargmann, CK Hu, Chun-Kuang Hu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit a846505a193d7492ad3531e33cacfca31e4bcdd1 upstream.
The function mtk_dp_dt_parse() calls of_graph_get_endpoint_by_regs()
to get the endpoint device node, but fails to call of_node_put() to release
the reference when the function returns. This results in a device node
reference leak.
Fix this by adding the missing of_node_put() call before returning from
the function.
Found via static analysis and code review.
Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Markus Schneider-Pargmann <msp@baylibre.com>
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20251029072307.10955-1-linmq006@gmail.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_dp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/mediatek/mtk_dp.c
+++ b/drivers/gpu/drm/mediatek/mtk_dp.c
@@ -1969,6 +1969,7 @@ static int mtk_dp_dt_parse(struct mtk_dp
endpoint = of_graph_get_endpoint_by_regs(pdev->dev.of_node, 1, -1);
len = of_property_count_elems_of_size(endpoint,
"data-lanes", sizeof(u32));
+ of_node_put(endpoint);
if (len < 0 || len > 4 || len == 3) {
dev_err(dev, "invalid data lane size: %d\n", len);
return -EINVAL;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 621/737] drm/ttm: Avoid NULL pointer deref for evicted BOs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (619 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 620/737] drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 622/737] drm/mgag200: Fix big-endian support Greg Kroah-Hartman
` (126 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Simon Richter, Matthew Brost,
Shuicheng Lin, Christian König
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Richter <Simon.Richter@hogyros.de>
commit 491adc6a0f9903c32b05f284df1148de39e8e644 upstream.
It is possible for a BO to exist that is not currently associated with a
resource, e.g. because it has been evicted.
When devcoredump tries to read the contents of all BOs for dumping, we need
to expect this as well -- in this case, ENODATA is recorded instead of the
buffer contents.
Fixes: 7d08df5d0bd3 ("drm/ttm: Add ttm_bo_access")
Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
Cc: stable <stable@kernel.org>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6271
Signed-off-by: Simon Richter <Simon.Richter@hogyros.de>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20251013161241.709916-1-Simon.Richter@hogyros.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/ttm/ttm_bo_vm.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -421,6 +421,11 @@ int ttm_bo_vm_access(struct vm_area_stru
if (ret)
return ret;
+ if (!bo->resource) {
+ ret = -ENODATA;
+ goto unlock;
+ }
+
switch (bo->resource->mem_type) {
case TTM_PL_SYSTEM:
fallthrough;
@@ -435,6 +440,7 @@ int ttm_bo_vm_access(struct vm_area_stru
ret = -EIO;
}
+unlock:
ttm_bo_unreserve(bo);
return ret;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 622/737] drm/mgag200: Fix big-endian support
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (620 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 621/737] drm/ttm: Avoid NULL pointer deref for evicted BOs Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 623/737] drm/msm/dpu: Add missing NULL pointer check for pingpong interface Greg Kroah-Hartman
` (125 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, stable,
Thomas Zimmermann
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
commit 6cb31fba137d45e682ce455b8ea364f44d5d4f98 upstream.
Unlike the original, deleted Matrox mga driver, the new mgag200 driver
has the XRGB frame-buffer byte swapped on big-endian "RISC"
systems. Fix by enabling byte swapping "PowerPC" OPMODE for any
__BIG_ENDIAN config.
Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)")
Signed-off-by: René Rebe <rene@exactco.de>
Cc: stable@kernel.org
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20251208.141827.965103015954471168.rene@exactco.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mgag200/mgag200_mode.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
--- a/drivers/gpu/drm/mgag200/mgag200_mode.c
+++ b/drivers/gpu/drm/mgag200/mgag200_mode.c
@@ -173,6 +173,30 @@ static void mgag200_set_startadd(struct
WREG_ECRT(0x00, crtcext0);
}
+/*
+ * Set the opmode for the hardware swapper for Big-Endian processor
+ * support for the frame buffer aperture and DMAWIN space.
+ */
+static void mgag200_set_datasiz(struct mga_device *mdev, u32 format)
+{
+#if defined(__BIG_ENDIAN)
+ u32 opmode = RREG32(MGAREG_OPMODE);
+
+ opmode &= ~(GENMASK(17, 16) | GENMASK(9, 8) | GENMASK(3, 2));
+
+ /* Big-endian byte-swapping */
+ switch (format) {
+ case DRM_FORMAT_RGB565:
+ opmode |= 0x10100;
+ break;
+ case DRM_FORMAT_XRGB8888:
+ opmode |= 0x20200;
+ break;
+ }
+ WREG32(MGAREG_OPMODE, opmode);
+#endif
+}
+
void mgag200_init_registers(struct mga_device *mdev)
{
u8 crtc11, misc;
@@ -502,6 +526,7 @@ void mgag200_primary_plane_helper_atomic
struct drm_atomic_helper_damage_iter iter;
struct drm_rect damage;
+ mgag200_set_datasiz(mdev, fb->format->format);
drm_atomic_helper_damage_iter_init(&iter, old_plane_state, plane_state);
drm_atomic_for_each_plane_damage(&iter, &damage) {
mgag200_handle_damage(mdev, shadow_plane_state->data, fb, &damage);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 623/737] drm/msm/dpu: Add missing NULL pointer check for pingpong interface
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (621 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 622/737] drm/mgag200: Fix big-endian support Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 624/737] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Greg Kroah-Hartman
` (124 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nikolay Kuratov, Dmitry Baryshkov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikolay Kuratov <kniv@yandex-team.ru>
commit 88733a0b64872357e5ecd82b7488121503cb9cc6 upstream.
It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a
single place the check is missing.
Also use convenient locals instead of phys_enc->* where available.
Cc: stable@vger.kernel.org
Fixes: d7d0e73f7de33 ("drm/msm/dpu: introduce the dpu_encoder_phys_* for writeback")
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/693860/
Link: https://lore.kernel.org/r/20251211093630.171014-1-kniv@yandex-team.ru
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_wb.c
@@ -205,14 +205,12 @@ static void dpu_encoder_phys_wb_setup_cd
if (mode_3d && hw_pp && hw_pp->merge_3d)
intf_cfg.merge_3d = hw_pp->merge_3d->idx;
- if (phys_enc->hw_pp->merge_3d && phys_enc->hw_pp->merge_3d->ops.setup_3d_mode)
- phys_enc->hw_pp->merge_3d->ops.setup_3d_mode(phys_enc->hw_pp->merge_3d,
- mode_3d);
+ if (hw_pp && hw_pp->merge_3d && hw_pp->merge_3d->ops.setup_3d_mode)
+ hw_pp->merge_3d->ops.setup_3d_mode(hw_pp->merge_3d, mode_3d);
/* setup which pp blk will connect to this wb */
- if (hw_pp && phys_enc->hw_wb->ops.bind_pingpong_blk)
- phys_enc->hw_wb->ops.bind_pingpong_blk(phys_enc->hw_wb,
- phys_enc->hw_pp->idx);
+ if (hw_pp && hw_wb->ops.bind_pingpong_blk)
+ hw_wb->ops.bind_pingpong_blk(hw_wb, hw_pp->idx);
phys_enc->hw_ctl->ops.setup_intf_cfg(phys_enc->hw_ctl, &intf_cfg);
} else if (phys_enc->hw_ctl && phys_enc->hw_ctl->ops.setup_intf_cfg) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 624/737] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (622 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 623/737] drm/msm/dpu: Add missing NULL pointer check for pingpong interface Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 625/737] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb Greg Kroah-Hartman
` (123 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gangmin Kim, Krzysztof Niemiec,
Janusz Krzysztofik, Krzysztof Karas, Andi Shyti, Andi Shyti,
Jani Nikula
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
commit 4fe2bd195435e71c117983d87f278112c5ab364c upstream.
Initialize the eb.vma array with values of 0 when the eb structure is
first set up. In particular, this sets the eb->vma[i].vma pointers to
NULL, simplifying cleanup and getting rid of the bug described below.
During the execution of eb_lookup_vmas(), the eb->vma array is
successively filled up with struct eb_vma objects. This process includes
calling eb_add_vma(), which might fail; however, even in the event of
failure, eb->vma[i].vma is set for the currently processed buffer.
If eb_add_vma() fails, eb_lookup_vmas() returns with an error, which
prompts a call to eb_release_vmas() to clean up the mess. Since
eb_lookup_vmas() might fail during processing any (possibly not first)
buffer, eb_release_vmas() checks whether a buffer's vma is NULL to know
at what point did the lookup function fail.
In eb_lookup_vmas(), eb->vma[i].vma is set to NULL if either the helper
function eb_lookup_vma() or eb_validate_vma() fails. eb->vma[i+1].vma is
set to NULL in case i915_gem_object_userptr_submit_init() fails; the
current one needs to be cleaned up by eb_release_vmas() at this point,
so the next one is set. If eb_add_vma() fails, neither the current nor
the next vma is set to NULL, which is a source of a NULL deref bug
described in the issue linked in the Closes tag.
When entering eb_lookup_vmas(), the vma pointers are set to the slab
poison value, instead of NULL. This doesn't matter for the actual
lookup, since it gets overwritten anyway, however the eb_release_vmas()
function only recognizes NULL as the stopping value, hence the pointers
are being set to NULL as they go in case of intermediate failure. This
patch changes the approach to filling them all with NULL at the start
instead, rather than handling that manually during failure.
Reported-by: Gangmin Kim <km.kim1503@gmail.com>
Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/15062
Fixes: 544460c33821 ("drm/i915: Multi-BB execbuf")
Cc: stable@vger.kernel.org # 5.16.x
Signed-off-by: Krzysztof Niemiec <krzysztof.niemiec@intel.com>
Reviewed-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Reviewed-by: Krzysztof Karas <krzysztof.karas@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20251216180900.54294-2-krzysztof.niemiec@intel.com
(cherry picked from commit 08889b706d4f0b8d2352b7ca29c2d8df4d0787cd)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c | 37 +++++++++++--------------
1 file changed, 17 insertions(+), 20 deletions(-)
--- a/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
@@ -950,13 +950,13 @@ static int eb_lookup_vmas(struct i915_ex
vma = eb_lookup_vma(eb, eb->exec[i].handle);
if (IS_ERR(vma)) {
err = PTR_ERR(vma);
- goto err;
+ return err;
}
err = eb_validate_vma(eb, &eb->exec[i], vma);
if (unlikely(err)) {
i915_vma_put(vma);
- goto err;
+ return err;
}
err = eb_add_vma(eb, ¤t_batch, i, vma);
@@ -965,19 +965,8 @@ static int eb_lookup_vmas(struct i915_ex
if (i915_gem_object_is_userptr(vma->obj)) {
err = i915_gem_object_userptr_submit_init(vma->obj);
- if (err) {
- if (i + 1 < eb->buffer_count) {
- /*
- * Execbuffer code expects last vma entry to be NULL,
- * since we already initialized this entry,
- * set the next value to NULL or we mess up
- * cleanup handling.
- */
- eb->vma[i + 1].vma = NULL;
- }
-
+ if (err)
return err;
- }
eb->vma[i].flags |= __EXEC_OBJECT_USERPTR_INIT;
eb->args->flags |= __EXEC_USERPTR_USED;
@@ -985,10 +974,6 @@ static int eb_lookup_vmas(struct i915_ex
}
return 0;
-
-err:
- eb->vma[i].vma = NULL;
- return err;
}
static int eb_lock_vmas(struct i915_execbuffer *eb)
@@ -3381,7 +3366,8 @@ i915_gem_do_execbuffer(struct drm_device
eb.exec = exec;
eb.vma = (struct eb_vma *)(exec + args->buffer_count + 1);
- eb.vma[0].vma = NULL;
+ memset(eb.vma, 0, (args->buffer_count + 1) * sizeof(struct eb_vma));
+
eb.batch_pool = NULL;
eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
@@ -3590,7 +3576,18 @@ i915_gem_execbuffer2_ioctl(struct drm_de
if (err)
return err;
- /* Allocate extra slots for use by the command parser */
+ /*
+ * Allocate extra slots for use by the command parser.
+ *
+ * Note that this allocation handles two different arrays (the
+ * exec2_list array, and the eventual eb.vma array introduced in
+ * i915_gem_do_execbuffer()), that reside in virtually contiguous
+ * memory. Also note that the allocation intentionally doesn't fill the
+ * area with zeros, because the exec2_list part doesn't need to be, as
+ * it's immediately overwritten by user data a few lines below.
+ * However, the eb.vma part is explicitly zeroed later in
+ * i915_gem_do_execbuffer().
+ */
exec2_list = kvmalloc_array(count + 2, eb_element_size(),
__GFP_NOWARN | GFP_KERNEL);
if (exec2_list == NULL) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 625/737] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (623 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 624/737] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 626/737] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Greg Kroah-Hartman
` (122 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lyude Paul, Dave Airlie
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lyude Paul <lyude@redhat.com>
commit 560271e10b2c86e95ea35afa9e79822e4847f07a upstream.
Since we recently started warning about uses of this function after the
atomic check phase completes, we've started getting warnings about this in
nouveau. It appears a misplaced drm_atomic_get_crtc_state() call has been
hiding in our .prepare_fb callback for a while.
So, fix this by adding a new nv50_head_atom_get_new() function and use that
in our .prepare_fb callback instead.
Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Fixes: 1590700d94ac ("drm/nouveau/kms/nv50-: split each resource type into their own source files")
Cc: <stable@vger.kernel.org> # v4.18+
Link: https://patch.msgid.link/20251211190256.396742-1-lyude@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/dispnv50/atom.h | 13 +++++++++++++
drivers/gpu/drm/nouveau/dispnv50/wndw.c | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/nouveau/dispnv50/atom.h
+++ b/drivers/gpu/drm/nouveau/dispnv50/atom.h
@@ -152,8 +152,21 @@ static inline struct nv50_head_atom *
nv50_head_atom_get(struct drm_atomic_state *state, struct drm_crtc *crtc)
{
struct drm_crtc_state *statec = drm_atomic_get_crtc_state(state, crtc);
+
if (IS_ERR(statec))
return (void *)statec;
+
+ return nv50_head_atom(statec);
+}
+
+static inline struct nv50_head_atom *
+nv50_head_atom_get_new(struct drm_atomic_state *state, struct drm_crtc *crtc)
+{
+ struct drm_crtc_state *statec = drm_atomic_get_new_crtc_state(state, crtc);
+
+ if (!statec)
+ return NULL;
+
return nv50_head_atom(statec);
}
--- a/drivers/gpu/drm/nouveau/dispnv50/wndw.c
+++ b/drivers/gpu/drm/nouveau/dispnv50/wndw.c
@@ -567,7 +567,7 @@ nv50_wndw_prepare_fb(struct drm_plane *p
asyw->image.offset[0] = nvbo->offset;
if (wndw->func->prepare) {
- asyh = nv50_head_atom_get(asyw->state.state, asyw->state.crtc);
+ asyh = nv50_head_atom_get_new(asyw->state.state, asyw->state.crtc);
if (IS_ERR(asyh))
return PTR_ERR(asyh);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 626/737] usb: gadget: lpc32xx_udc: fix clock imbalance in error path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (624 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 625/737] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 627/737] blk-mq: add helper for checking if one CPU is mapped to specified hctx Greg Kroah-Hartman
` (121 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Johan Hovold,
Vladimir Zapolskiy
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 782be79e4551550d7a82b1957fc0f7347e6d461f upstream.
A recent change fixing a device reference leak introduced a clock
imbalance by reusing an error path so that the clock may be disabled
before having been enabled.
Note that the clock framework allows for passing in NULL clocks so there
is no risk for a NULL pointer dereference.
Also drop the bogus I2C client NULL check added by the offending commit
as the pointer has already been verified to be non-NULL.
Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
Cc: stable@vger.kernel.org
Cc: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/lpc32xx_udc.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -3027,7 +3027,7 @@ static int lpc32xx_udc_probe(struct plat
pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
if (retval)
- goto i2c_fail;
+ goto err_put_client;
udc->board = &lpc32xx_usbddata;
@@ -3047,7 +3047,7 @@ static int lpc32xx_udc_probe(struct plat
udc->udp_irq[i] = platform_get_irq(pdev, i);
if (udc->udp_irq[i] < 0) {
retval = udc->udp_irq[i];
- goto i2c_fail;
+ goto err_put_client;
}
}
@@ -3055,7 +3055,7 @@ static int lpc32xx_udc_probe(struct plat
if (IS_ERR(udc->udp_baseaddr)) {
dev_err(udc->dev, "IO map failure\n");
retval = PTR_ERR(udc->udp_baseaddr);
- goto i2c_fail;
+ goto err_put_client;
}
/* Get USB device clock */
@@ -3063,14 +3063,14 @@ static int lpc32xx_udc_probe(struct plat
if (IS_ERR(udc->usb_slv_clk)) {
dev_err(udc->dev, "failed to acquire USB device clock\n");
retval = PTR_ERR(udc->usb_slv_clk);
- goto i2c_fail;
+ goto err_put_client;
}
/* Enable USB device clock */
retval = clk_prepare_enable(udc->usb_slv_clk);
if (retval < 0) {
dev_err(udc->dev, "failed to start USB device clock\n");
- goto i2c_fail;
+ goto err_put_client;
}
/* Setup deferred workqueue data */
@@ -3172,9 +3172,10 @@ dma_alloc_fail:
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
i2c_fail:
- if (udc->isp1301_i2c_client)
- put_device(&udc->isp1301_i2c_client->dev);
clk_disable_unprepare(udc->usb_slv_clk);
+err_put_client:
+ put_device(&udc->isp1301_i2c_client->dev);
+
dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
return retval;
@@ -3199,11 +3200,10 @@ static int lpc32xx_udc_remove(struct pla
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
- if (udc->isp1301_i2c_client)
- put_device(&udc->isp1301_i2c_client->dev);
-
clk_disable_unprepare(udc->usb_slv_clk);
+ put_device(&udc->isp1301_i2c_client->dev);
+
return 0;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 627/737] blk-mq: add helper for checking if one CPU is mapped to specified hctx
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (625 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 626/737] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 628/737] tpm: Cap the number of PCR banks Greg Kroah-Hartman
` (120 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Raju Cheerla, Ming Lei, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
commit 7b815817aa58d2e2101feb2fcf64c60cae0b2695 upstream.
Commit a46c27026da1 ("blk-mq: don't schedule block kworker on isolated CPUs")
rules out isolated CPUs from hctx->cpumask, and hctx->cpumask should only be
used for scheduling kworker.
Add helper blk_mq_cpu_mapped_to_hctx() and apply it into cpuhp handlers.
This patch avoids to forget clearing INACTIVE of hctx state in case that one
isolated CPU becomes online, and fixes hang issue when allocating request
from this hctx's tags.
Cc: Raju Cheerla <rcheerla@redhat.com>
Fixes: a46c27026da1 ("blk-mq: don't schedule block kworker on isolated CPUs")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20240517020514.149771-1-ming.lei@redhat.com
Tested-by: Raju Cheerla <rcheerla@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-mq.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -3617,12 +3617,28 @@ static int blk_mq_hctx_notify_offline(un
return ret;
}
+/*
+ * Check if one CPU is mapped to the specified hctx
+ *
+ * Isolated CPUs have been ruled out from hctx->cpumask, which is supposed
+ * to be used for scheduling kworker only. For other usage, please call this
+ * helper for checking if one CPU belongs to the specified hctx
+ */
+static bool blk_mq_cpu_mapped_to_hctx(unsigned int cpu,
+ const struct blk_mq_hw_ctx *hctx)
+{
+ struct blk_mq_hw_ctx *mapped_hctx = blk_mq_map_queue_type(hctx->queue,
+ hctx->type, cpu);
+
+ return mapped_hctx == hctx;
+}
+
static int blk_mq_hctx_notify_online(unsigned int cpu, struct hlist_node *node)
{
struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node,
struct blk_mq_hw_ctx, cpuhp_online);
- if (cpumask_test_cpu(cpu, hctx->cpumask))
+ if (blk_mq_cpu_mapped_to_hctx(cpu, hctx))
clear_bit(BLK_MQ_S_INACTIVE, &hctx->state);
return 0;
}
@@ -3640,7 +3656,7 @@ static int blk_mq_hctx_notify_dead(unsig
enum hctx_type type;
hctx = hlist_entry_safe(node, struct blk_mq_hw_ctx, cpuhp_dead);
- if (!cpumask_test_cpu(cpu, hctx->cpumask))
+ if (!blk_mq_cpu_mapped_to_hctx(cpu, hctx))
return 0;
ctx = __blk_mq_get_ctx(hctx->queue, cpu);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 628/737] tpm: Cap the number of PCR banks
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (626 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 627/737] blk-mq: add helper for checking if one CPU is mapped to specified hctx Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 629/737] mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose() Greg Kroah-Hartman
` (119 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lai Yi, Jonathan McDowell,
Roberto Sassu, Jarkko Sakkinen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
commit faf07e611dfa464b201223a7253e9dc5ee0f3c9e upstream.
tpm2_get_pcr_allocation() does not cap any upper limit for the number of
banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause on only limited harm.
Cc: stable@vger.kernel.org # v5.10+
Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array")
Tested-by: Lai Yi <yi1.lai@linux.intel.com>
Reviewed-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm-chip.c | 1 -
drivers/char/tpm/tpm1-cmd.c | 5 -----
drivers/char/tpm/tpm2-cmd.c | 8 +++-----
include/linux/tpm.h | 8 +++++---
4 files changed, 8 insertions(+), 14 deletions(-)
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -279,7 +279,6 @@ static void tpm_dev_release(struct devic
kfree(chip->work_space.context_buf);
kfree(chip->work_space.session_buf);
- kfree(chip->allocated_banks);
kfree(chip);
}
--- a/drivers/char/tpm/tpm1-cmd.c
+++ b/drivers/char/tpm/tpm1-cmd.c
@@ -799,11 +799,6 @@ int tpm1_pm_suspend(struct tpm_chip *chi
*/
int tpm1_get_pcr_allocation(struct tpm_chip *chip)
{
- chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks),
- GFP_KERNEL);
- if (!chip->allocated_banks)
- return -ENOMEM;
-
chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -574,11 +574,9 @@ ssize_t tpm2_get_pcr_allocation(struct t
nr_possible_banks = be32_to_cpup(
(__be32 *)&buf.data[TPM_HEADER_SIZE + 5]);
-
- chip->allocated_banks = kcalloc(nr_possible_banks,
- sizeof(*chip->allocated_banks),
- GFP_KERNEL);
- if (!chip->allocated_banks) {
+ if (nr_possible_banks > TPM2_MAX_PCR_BANKS) {
+ pr_err("tpm: out of bank capacity: %u > %u\n",
+ nr_possible_banks, TPM2_MAX_PCR_BANKS);
rc = -ENOMEM;
goto out;
}
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -25,7 +25,9 @@
#include <crypto/hash_info.h>
#define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
-#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
+
+#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
+#define TPM2_MAX_PCR_BANKS 8
struct tpm_chip;
struct trusted_key_payload;
@@ -51,7 +53,7 @@ enum tpm_algorithms {
struct tpm_digest {
u16 alg_id;
- u8 digest[TPM_MAX_DIGEST_SIZE];
+ u8 digest[TPM2_MAX_DIGEST_SIZE];
} __packed;
struct tpm_bank_info {
@@ -157,7 +159,7 @@ struct tpm_chip {
unsigned int groups_cnt;
u32 nr_allocated_banks;
- struct tpm_bank_info *allocated_banks;
+ struct tpm_bank_info allocated_banks[TPM2_MAX_PCR_BANKS];
#ifdef CONFIG_ACPI
acpi_handle acpi_dev_handle;
char ppi_version[TPM_PPI_VERSION_LEN + 1];
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 629/737] mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose().
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (627 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 628/737] tpm: Cap the number of PCR banks Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 630/737] ALSA: wavefront: Use standard print API Greg Kroah-Hartman
` (118 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3a92d359bc2ec6255a33,
Kuniyuki Iwashima, Matthieu Baerts (NGI0), Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit f07f4ea53e22429c84b20832fa098b5ecc0d4e35 ]
syzbot reported divide-by-zero in __tcp_select_window() by
MPTCP socket. [0]
We had a similar issue for the bare TCP and fixed in commit
499350a5a6e7 ("tcp: initialize rcv_mss to TCP_MIN_MSS instead
of 0").
Let's apply the same fix to mptcp_do_fastclose().
[0]:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6068 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__tcp_select_window+0x824/0x1320 net/ipv4/tcp_output.c:3336
Code: ff ff ff 44 89 f1 d3 e0 89 c1 f7 d1 41 01 cc 41 21 c4 e9 a9 00 00 00 e8 ca 49 01 f8 e9 9c 00 00 00 e8 c0 49 01 f8 44 89 e0 99 <f7> 7c 24 1c 41 29 d4 48 bb 00 00 00 00 00 fc ff df e9 80 00 00 00
RSP: 0018:ffffc90003017640 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88807b469e40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90003017730 R08: ffff888033268143 R09: 1ffff1100664d028
R10: dffffc0000000000 R11: ffffed100664d029 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 000055557faa0500(0000) GS:ffff888126135000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f64a1912ff8 CR3: 0000000072122000 CR4: 00000000003526f0
Call Trace:
<TASK>
tcp_select_window net/ipv4/tcp_output.c:281 [inline]
__tcp_transmit_skb+0xbc7/0x3aa0 net/ipv4/tcp_output.c:1568
tcp_transmit_skb net/ipv4/tcp_output.c:1649 [inline]
tcp_send_active_reset+0x2d1/0x5b0 net/ipv4/tcp_output.c:3836
mptcp_do_fastclose+0x27e/0x380 net/mptcp/protocol.c:2793
mptcp_disconnect+0x238/0x710 net/mptcp/protocol.c:3253
mptcp_sendmsg_fastopen+0x2f8/0x580 net/mptcp/protocol.c:1776
mptcp_sendmsg+0x1774/0x1980 net/mptcp/protocol.c:1855
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg+0xe5/0x270 net/socket.c:742
__sys_sendto+0x3bd/0x520 net/socket.c:2244
__do_sys_sendto net/socket.c:2251 [inline]
__se_sys_sendto net/socket.c:2247 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2247
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66e998f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff9acedb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f66e9be5fa0 RCX: 00007f66e998f749
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffff9acee10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007f66e9be5fa0 R14: 00007f66e9be5fa0 R15: 0000000000000006
</TASK>
Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose")
Reported-by: syzbot+3a92d359bc2ec6255a33@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/69260882.a70a0220.d98e3.00b4.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251125195331.309558-1-kuniyu@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2823,6 +2823,12 @@ static void mptcp_do_fastclose(struct so
goto unlock;
subflow->send_fastclose = 1;
+
+ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+ * issue in __tcp_select_window(), see tcp_disconnect().
+ */
+ inet_csk(ssk)->icsk_ack.rcv_mss = TCP_MIN_MSS;
+
tcp_send_active_reset(ssk, ssk->sk_allocation);
unlock:
release_sock(ssk);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 630/737] ALSA: wavefront: Use standard print API
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (628 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 629/737] mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 631/737] ALSA: wavefront: Fix integer overflow in sample size validation Greg Kroah-Hartman
` (117 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jaroslav Kysela, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 8b4ac5429938dd5f1fbf2eea0687f08cbcccb6be ]
Use the standard print API with dev_*() instead of the old house-baked
one. It gives better information and allows dynamically control of
debug prints.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20240807133452.9424-36-tiwai@suse.de
Stable-dep-of: 0c4a13ba8859 ("ALSA: wavefront: Fix integer overflow in sample size validation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/sound/snd_wavefront.h | 4
sound/isa/wavefront/wavefront.c | 61 +++++-----
sound/isa/wavefront/wavefront_fx.c | 36 +++---
sound/isa/wavefront/wavefront_midi.c | 15 +-
sound/isa/wavefront/wavefront_synth.c | 196 +++++++++++++++++-----------------
5 files changed, 158 insertions(+), 154 deletions(-)
--- a/include/sound/snd_wavefront.h
+++ b/include/sound/snd_wavefront.h
@@ -137,8 +137,4 @@ extern int snd_wavefront_fx_ioctl (str
extern int snd_wavefront_fx_open (struct snd_hwdep *, struct file *);
extern int snd_wavefront_fx_release (struct snd_hwdep *, struct file *);
-/* prefix in all snd_printk() delivered messages */
-
-#define LOGNAME "WaveFront: "
-
#endif /* __SOUND_SND_WAVEFRONT_H__ */
--- a/sound/isa/wavefront/wavefront.c
+++ b/sound/isa/wavefront/wavefront.c
@@ -140,7 +140,7 @@ snd_wavefront_pnp (int dev, snd_wavefron
err = pnp_activate_dev(pdev);
if (err < 0) {
- snd_printk(KERN_ERR "PnP WSS pnp configure failure\n");
+ dev_err(&pdev->dev, "PnP WSS pnp configure failure\n");
return err;
}
@@ -156,7 +156,7 @@ snd_wavefront_pnp (int dev, snd_wavefron
err = pnp_activate_dev(pdev);
if (err < 0) {
- snd_printk(KERN_ERR "PnP ICS2115 pnp configure failure\n");
+ dev_err(&pdev->dev, "PnP ICS2115 pnp configure failure\n");
return err;
}
@@ -174,26 +174,27 @@ snd_wavefront_pnp (int dev, snd_wavefron
err = pnp_activate_dev(pdev);
if (err < 0) {
- snd_printk(KERN_ERR "PnP MPU401 pnp configure failure\n");
+ dev_err(&pdev->dev, "PnP MPU401 pnp configure failure\n");
cs4232_mpu_port[dev] = SNDRV_AUTO_PORT;
} else {
cs4232_mpu_port[dev] = pnp_port_start(pdev, 0);
cs4232_mpu_irq[dev] = pnp_irq(pdev, 0);
}
- snd_printk (KERN_INFO "CS4232 MPU: port=0x%lx, irq=%i\n",
- cs4232_mpu_port[dev],
- cs4232_mpu_irq[dev]);
+ dev_info(&pdev->dev, "CS4232 MPU: port=0x%lx, irq=%i\n",
+ cs4232_mpu_port[dev],
+ cs4232_mpu_irq[dev]);
}
- snd_printdd ("CS4232: pcm port=0x%lx, fm port=0x%lx, dma1=%i, dma2=%i, irq=%i\nICS2115: port=0x%lx, irq=%i\n",
- cs4232_pcm_port[dev],
- fm_port[dev],
- dma1[dev],
- dma2[dev],
- cs4232_pcm_irq[dev],
- ics2115_port[dev],
- ics2115_irq[dev]);
+ dev_dbg(&pdev->dev,
+ "CS4232: pcm port=0x%lx, fm port=0x%lx, dma1=%i, dma2=%i, irq=%i\nICS2115: port=0x%lx, irq=%i\n",
+ cs4232_pcm_port[dev],
+ fm_port[dev],
+ dma1[dev],
+ dma2[dev],
+ cs4232_pcm_irq[dev],
+ ics2115_port[dev],
+ ics2115_irq[dev]);
return 0;
}
@@ -251,7 +252,7 @@ static struct snd_hwdep *snd_wavefront_n
struct snd_hwdep *fx_processor;
if (snd_wavefront_fx_start (&acard->wavefront)) {
- snd_printk (KERN_ERR "cannot initialize YSS225 FX processor");
+ dev_err(card->dev, "cannot initialize YSS225 FX processor");
return NULL;
}
@@ -282,7 +283,7 @@ static struct snd_rawmidi *snd_wavefront
first = 0;
acard->wavefront.midi.base = port;
if (snd_wavefront_midi_start (acard)) {
- snd_printk (KERN_ERR "cannot initialize MIDI interface\n");
+ dev_err(card->dev, "cannot initialize MIDI interface\n");
return NULL;
}
}
@@ -349,7 +350,7 @@ snd_wavefront_probe (struct snd_card *ca
cs4232_pcm_irq[dev], dma1[dev], dma2[dev],
WSS_HW_DETECT, 0, &chip);
if (err < 0) {
- snd_printk(KERN_ERR "can't allocate WSS device\n");
+ dev_err(card->dev, "can't allocate WSS device\n");
return err;
}
@@ -369,7 +370,7 @@ snd_wavefront_probe (struct snd_card *ca
err = snd_opl3_create(card, fm_port[dev], fm_port[dev] + 2,
OPL3_HW_OPL3_CS, 0, &opl3);
if (err < 0) {
- snd_printk (KERN_ERR "can't allocate or detect OPL3 synth\n");
+ dev_err(card->dev, "can't allocate or detect OPL3 synth\n");
return err;
}
@@ -385,14 +386,14 @@ snd_wavefront_probe (struct snd_card *ca
devm_request_region(card->dev, ics2115_port[dev], 16,
"ICS2115");
if (acard->wavefront.res_base == NULL) {
- snd_printk(KERN_ERR "unable to grab ICS2115 i/o region 0x%lx-0x%lx\n",
- ics2115_port[dev], ics2115_port[dev] + 16 - 1);
+ dev_err(card->dev, "unable to grab ICS2115 i/o region 0x%lx-0x%lx\n",
+ ics2115_port[dev], ics2115_port[dev] + 16 - 1);
return -EBUSY;
}
if (devm_request_irq(card->dev, ics2115_irq[dev],
snd_wavefront_ics2115_interrupt,
0, "ICS2115", acard)) {
- snd_printk(KERN_ERR "unable to use ICS2115 IRQ %d\n", ics2115_irq[dev]);
+ dev_err(card->dev, "unable to use ICS2115 IRQ %d\n", ics2115_irq[dev]);
return -EBUSY;
}
@@ -402,7 +403,7 @@ snd_wavefront_probe (struct snd_card *ca
wavefront_synth = snd_wavefront_new_synth(card, hw_dev, acard);
if (wavefront_synth == NULL) {
- snd_printk (KERN_ERR "can't create WaveFront synth device\n");
+ dev_err(card->dev, "can't create WaveFront synth device\n");
return -ENOMEM;
}
@@ -414,7 +415,7 @@ snd_wavefront_probe (struct snd_card *ca
err = snd_wss_mixer(chip);
if (err < 0) {
- snd_printk (KERN_ERR "can't allocate mixer device\n");
+ dev_err(card->dev, "can't allocate mixer device\n");
return err;
}
@@ -425,7 +426,7 @@ snd_wavefront_probe (struct snd_card *ca
cs4232_mpu_port[dev], 0,
cs4232_mpu_irq[dev], NULL);
if (err < 0) {
- snd_printk (KERN_ERR "can't allocate CS4232 MPU-401 device\n");
+ dev_err(card->dev, "can't allocate CS4232 MPU-401 device\n");
return err;
}
midi_dev++;
@@ -441,7 +442,7 @@ snd_wavefront_probe (struct snd_card *ca
ics2115_port[dev],
internal_mpu);
if (ics2115_internal_rmidi == NULL) {
- snd_printk (KERN_ERR "can't setup ICS2115 internal MIDI device\n");
+ dev_err(card->dev, "can't setup ICS2115 internal MIDI device\n");
return -ENOMEM;
}
midi_dev++;
@@ -457,7 +458,7 @@ snd_wavefront_probe (struct snd_card *ca
ics2115_port[dev],
external_mpu);
if (ics2115_external_rmidi == NULL) {
- snd_printk (KERN_ERR "can't setup ICS2115 external MIDI device\n");
+ dev_err(card->dev, "can't setup ICS2115 external MIDI device\n");
return -ENOMEM;
}
midi_dev++;
@@ -471,7 +472,7 @@ snd_wavefront_probe (struct snd_card *ca
acard,
ics2115_port[dev]);
if (fx_processor == NULL) {
- snd_printk (KERN_ERR "can't setup FX device\n");
+ dev_err(card->dev, "can't setup FX device\n");
return -ENOMEM;
}
@@ -525,11 +526,11 @@ static int snd_wavefront_isa_match(struc
return 0;
#endif
if (cs4232_pcm_port[dev] == SNDRV_AUTO_PORT) {
- snd_printk(KERN_ERR "specify CS4232 port\n");
+ dev_err(pdev, "specify CS4232 port\n");
return 0;
}
if (ics2115_port[dev] == SNDRV_AUTO_PORT) {
- snd_printk(KERN_ERR "specify ICS2115 port\n");
+ dev_err(pdev, "specify ICS2115 port\n");
return 0;
}
return 1;
@@ -585,7 +586,7 @@ static int snd_wavefront_pnp_detect(stru
if (snd_wavefront_pnp (dev, card->private_data, pcard, pid) < 0) {
if (cs4232_pcm_port[dev] == SNDRV_AUTO_PORT) {
- snd_printk (KERN_ERR "isapnp detection failed\n");
+ dev_err(card->dev, "isapnp detection failed\n");
return -ENODEV;
}
}
--- a/sound/isa/wavefront/wavefront_fx.c
+++ b/sound/isa/wavefront/wavefront_fx.c
@@ -38,7 +38,7 @@ wavefront_fx_idle (snd_wavefront_t *dev)
}
if (x & 0x80) {
- snd_printk ("FX device never idle.\n");
+ dev_err(dev->card->dev, "FX device never idle.\n");
return 0;
}
@@ -64,14 +64,14 @@ wavefront_fx_memset (snd_wavefront_t *de
unsigned short *data)
{
if (page < 0 || page > 7) {
- snd_printk ("FX memset: "
- "page must be >= 0 and <= 7\n");
+ dev_err(dev->card->dev,
+ "FX memset: page must be >= 0 and <= 7\n");
return -EINVAL;
}
if (addr < 0 || addr > 0x7f) {
- snd_printk ("FX memset: "
- "addr must be >= 0 and <= 7f\n");
+ dev_err(dev->card->dev,
+ "FX memset: addr must be >= 0 and <= 7f\n");
return -EINVAL;
}
@@ -83,7 +83,7 @@ wavefront_fx_memset (snd_wavefront_t *de
outb ((data[0] >> 8), dev->fx_dsp_msb);
outb ((data[0] & 0xff), dev->fx_dsp_lsb);
- snd_printk ("FX: addr %d:%x set to 0x%x\n",
+ dev_err(dev->card->dev, "FX: addr %d:%x set to 0x%x\n",
page, addr, data[0]);
} else {
@@ -102,9 +102,9 @@ wavefront_fx_memset (snd_wavefront_t *de
}
if (i != cnt) {
- snd_printk ("FX memset "
- "(0x%x, 0x%x, 0x%lx, %d) incomplete\n",
- page, addr, (unsigned long) data, cnt);
+ dev_err(dev->card->dev,
+ "FX memset (0x%x, 0x%x, 0x%lx, %d) incomplete\n",
+ page, addr, (unsigned long) data, cnt);
return -EIO;
}
}
@@ -123,7 +123,7 @@ snd_wavefront_fx_detect (snd_wavefront_t
*/
if (inb (dev->fx_status) & 0x80) {
- snd_printk ("Hmm, probably a Maui or Tropez.\n");
+ dev_err(dev->card->dev, "Hmm, probably a Maui or Tropez.\n");
return -1;
}
@@ -180,15 +180,15 @@ snd_wavefront_fx_ioctl (struct snd_hwdep
case WFFX_MEMSET:
if (r.data[2] <= 0) {
- snd_printk ("cannot write "
- "<= 0 bytes to FX\n");
+ dev_err(dev->card->dev,
+ "cannot write <= 0 bytes to FX\n");
return -EIO;
} else if (r.data[2] == 1) {
pd = (unsigned short *) &r.data[3];
} else {
if (r.data[2] > 256) {
- snd_printk ("cannot write "
- "> 512 bytes to FX\n");
+ dev_err(dev->card->dev,
+ "cannot write > 512 bytes to FX\n");
return -EIO;
}
page_data = memdup_user((unsigned char __user *)
@@ -208,8 +208,8 @@ snd_wavefront_fx_ioctl (struct snd_hwdep
break;
default:
- snd_printk ("FX: ioctl %d not yet supported\n",
- r.request);
+ dev_err(dev->card->dev, "FX: ioctl %d not yet supported\n",
+ r.request);
return -ENOTTY;
}
return err;
@@ -254,8 +254,8 @@ snd_wavefront_fx_start (snd_wavefront_t
goto out;
}
} else {
- snd_printk(KERN_ERR "invalid address"
- " in register data\n");
+ dev_err(dev->card->dev,
+ "invalid address in register data\n");
err = -1;
goto out;
}
--- a/sound/isa/wavefront/wavefront_midi.c
+++ b/sound/isa/wavefront/wavefront_midi.c
@@ -501,7 +501,8 @@ snd_wavefront_midi_start (snd_wavefront_
for (i = 0; i < 30000 && !output_ready (midi); i++);
if (!output_ready (midi)) {
- snd_printk ("MIDI interface not ready for command\n");
+ dev_err(card->wavefront.card->dev,
+ "MIDI interface not ready for command\n");
return -1;
}
@@ -523,7 +524,8 @@ snd_wavefront_midi_start (snd_wavefront_
}
if (!ok) {
- snd_printk ("cannot set UART mode for MIDI interface");
+ dev_err(card->wavefront.card->dev,
+ "cannot set UART mode for MIDI interface");
dev->interrupts_are_midi = 0;
return -1;
}
@@ -531,7 +533,8 @@ snd_wavefront_midi_start (snd_wavefront_
/* Route external MIDI to WaveFront synth (by default) */
if (snd_wavefront_cmd (dev, WFC_MISYNTH_ON, rbuf, wbuf)) {
- snd_printk ("can't enable MIDI-IN-2-synth routing.\n");
+ dev_warn(card->wavefront.card->dev,
+ "can't enable MIDI-IN-2-synth routing.\n");
/* XXX error ? */
}
@@ -547,14 +550,16 @@ snd_wavefront_midi_start (snd_wavefront_
*/
if (snd_wavefront_cmd (dev, WFC_VMIDI_OFF, rbuf, wbuf)) {
- snd_printk ("virtual MIDI mode not disabled\n");
+ dev_warn(card->wavefront.card->dev,
+ "virtual MIDI mode not disabled\n");
return 0; /* We're OK, but missing the external MIDI dev */
}
snd_wavefront_midi_enable_virtual (card);
if (snd_wavefront_cmd (dev, WFC_VMIDI_ON, rbuf, wbuf)) {
- snd_printk ("cannot enable virtual MIDI mode.\n");
+ dev_warn(card->wavefront.card->dev,
+ "cannot enable virtual MIDI mode.\n");
snd_wavefront_midi_disable_virtual (card);
}
return 0;
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -116,7 +116,7 @@ MODULE_PARM_DESC(osrun_time, "how many s
#define DPRINT(cond, ...) \
if ((dev->debug & (cond)) == (cond)) { \
- snd_printk (__VA_ARGS__); \
+ pr_debug(__VA_ARGS__); \
}
#else
#define DPRINT(cond, args...)
@@ -341,7 +341,7 @@ snd_wavefront_cmd (snd_wavefront_t *dev,
wfcmd = wavefront_get_command(cmd);
if (!wfcmd) {
- snd_printk ("command 0x%x not supported.\n",
+ dev_err(dev->card->dev, "command 0x%x not supported.\n",
cmd);
return 1;
}
@@ -623,7 +623,7 @@ wavefront_get_sample_status (snd_wavefro
/* check sample status */
if (snd_wavefront_cmd (dev, WFC_GET_NSAMPLES, rbuf, wbuf)) {
- snd_printk ("cannot request sample count.\n");
+ dev_err(dev->card->dev, "cannot request sample count.\n");
return -1;
}
@@ -635,8 +635,8 @@ wavefront_get_sample_status (snd_wavefro
wbuf[1] = i >> 7;
if (snd_wavefront_cmd (dev, WFC_IDENTIFY_SAMPLE_TYPE, rbuf, wbuf)) {
- snd_printk(KERN_WARNING "cannot identify sample "
- "type of slot %d\n", i);
+ dev_warn(dev->card->dev,
+ "cannot identify sample type of slot %d\n", i);
dev->sample_status[i] = WF_ST_EMPTY;
continue;
}
@@ -661,9 +661,9 @@ wavefront_get_sample_status (snd_wavefro
break;
default:
- snd_printk ("unknown sample type for "
- "slot %d (0x%x)\n",
- i, rbuf[0]);
+ dev_err(dev->card->dev,
+ "unknown sample type for slot %d (0x%x)\n",
+ i, rbuf[0]);
}
if (rbuf[0] != WF_ST_EMPTY) {
@@ -671,9 +671,10 @@ wavefront_get_sample_status (snd_wavefro
}
}
- snd_printk ("%d samples used (%d real, %d aliases, %d multi), "
- "%d empty\n", dev->samples_used, sc_real, sc_alias, sc_multi,
- WF_MAX_SAMPLE - dev->samples_used);
+ dev_info(dev->card->dev,
+ "%d samples used (%d real, %d aliases, %d multi), %d empty\n",
+ dev->samples_used, sc_real, sc_alias, sc_multi,
+ WF_MAX_SAMPLE - dev->samples_used);
return (0);
@@ -706,8 +707,8 @@ wavefront_get_patch_status (snd_wavefron
} else if (x == 3) { /* Bad patch number */
dev->patch_status[i] = 0;
} else {
- snd_printk ("upload patch "
- "error 0x%x\n", x);
+ dev_err(dev->card->dev,
+ "upload patch error 0x%x\n", x);
dev->patch_status[i] = 0;
return 1;
}
@@ -724,7 +725,8 @@ wavefront_get_patch_status (snd_wavefron
}
}
- snd_printk ("%d patch slots filled, %d in use\n", cnt, cnt2);
+ dev_info(dev->card->dev, "%d patch slots filled, %d in use\n",
+ cnt, cnt2);
return (0);
}
@@ -760,8 +762,8 @@ wavefront_get_program_status (snd_wavefr
} else if (x == 1) { /* Bad program number */
dev->prog_status[i] = 0;
} else {
- snd_printk ("upload program "
- "error 0x%x\n", x);
+ dev_err(dev->card->dev,
+ "upload program error 0x%x\n", x);
dev->prog_status[i] = 0;
}
}
@@ -772,7 +774,7 @@ wavefront_get_program_status (snd_wavefr
}
}
- snd_printk ("%d programs slots in use\n", cnt);
+ dev_info(dev->card->dev, "%d programs slots in use\n", cnt);
return (0);
}
@@ -796,7 +798,7 @@ wavefront_send_patch (snd_wavefront_t *d
munge_buf ((unsigned char *)&header->hdr.p, bptr, WF_PATCH_BYTES);
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_PATCH, NULL, buf)) {
- snd_printk ("download patch failed\n");
+ dev_err(dev->card->dev, "download patch failed\n");
return -EIO;
}
@@ -837,7 +839,7 @@ wavefront_send_program (snd_wavefront_t
munge_buf ((unsigned char *)&header->hdr.pr, &buf[1], WF_PROGRAM_BYTES);
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_PROGRAM, NULL, buf)) {
- snd_printk ("download patch failed\n");
+ dev_err(dev->card->dev, "download patch failed\n");
return -EIO;
}
@@ -851,7 +853,7 @@ wavefront_freemem (snd_wavefront_t *dev)
char rbuf[8];
if (snd_wavefront_cmd (dev, WFC_REPORT_FREE_MEMORY, rbuf, NULL)) {
- snd_printk ("can't get memory stats.\n");
+ dev_err(dev->card->dev, "can't get memory stats.\n");
return -1;
} else {
return demunge_int32 (rbuf, 4);
@@ -901,7 +903,7 @@ wavefront_send_sample (snd_wavefront_t *
x = wavefront_find_free_sample(dev);
if (x < 0)
return -ENOMEM;
- snd_printk ("unspecified sample => %d\n", x);
+ dev_info(dev->card->dev, "unspecified sample => %d\n", x);
header->number = x;
}
@@ -935,9 +937,9 @@ wavefront_send_sample (snd_wavefront_t *
if (dev->rom_samples_rdonly) {
if (dev->sample_status[header->number] & WF_SLOT_ROM) {
- snd_printk ("sample slot %d "
- "write protected\n",
- header->number);
+ dev_err(dev->card->dev,
+ "sample slot %d write protected\n",
+ header->number);
return -EACCES;
}
}
@@ -949,9 +951,9 @@ wavefront_send_sample (snd_wavefront_t *
dev->freemem = wavefront_freemem (dev);
if (dev->freemem < (int)header->size) {
- snd_printk ("insufficient memory to "
- "load %d byte sample.\n",
- header->size);
+ dev_err(dev->card->dev,
+ "insufficient memory to load %d byte sample.\n",
+ header->size);
return -ENOMEM;
}
@@ -960,8 +962,8 @@ wavefront_send_sample (snd_wavefront_t *
skip = WF_GET_CHANNEL(&header->hdr.s);
if (skip > 0 && header->hdr.s.SampleResolution != LINEAR_16BIT) {
- snd_printk ("channel selection only "
- "possible on 16-bit samples");
+ dev_err(dev->card->dev,
+ "channel selection only possible on 16-bit samples");
return -EINVAL;
}
@@ -1057,8 +1059,8 @@ wavefront_send_sample (snd_wavefront_t *
header->size ?
WFC_DOWNLOAD_SAMPLE : WFC_DOWNLOAD_SAMPLE_HEADER,
NULL, sample_hdr)) {
- snd_printk ("sample %sdownload refused.\n",
- header->size ? "" : "header ");
+ dev_err(dev->card->dev, "sample %sdownload refused.\n",
+ header->size ? "" : "header ");
return -EIO;
}
@@ -1083,8 +1085,8 @@ wavefront_send_sample (snd_wavefront_t *
}
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_BLOCK, NULL, NULL)) {
- snd_printk ("download block "
- "request refused.\n");
+ dev_err(dev->card->dev,
+ "download block request refused.\n");
return -EIO;
}
@@ -1145,13 +1147,13 @@ wavefront_send_sample (snd_wavefront_t *
dma_ack = wavefront_read(dev);
if (dma_ack != WF_DMA_ACK) {
if (dma_ack == -1) {
- snd_printk ("upload sample "
- "DMA ack timeout\n");
+ dev_err(dev->card->dev,
+ "upload sample DMA ack timeout\n");
return -EIO;
} else {
- snd_printk ("upload sample "
- "DMA ack error 0x%x\n",
- dma_ack);
+ dev_err(dev->card->dev,
+ "upload sample DMA ack error 0x%x\n",
+ dma_ack);
return -EIO;
}
}
@@ -1195,7 +1197,7 @@ wavefront_send_alias (snd_wavefront_t *d
munge_int32 (*(&header->hdr.a.FrequencyBias+1), &alias_hdr[23], 2);
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_SAMPLE_ALIAS, NULL, alias_hdr)) {
- snd_printk ("download alias failed.\n");
+ dev_err(dev->card->dev, "download alias failed.\n");
return -EIO;
}
@@ -1248,7 +1250,7 @@ wavefront_send_multisample (snd_wavefron
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_MULTISAMPLE,
(unsigned char *) (long) ((num_samples*2)+3),
msample_hdr)) {
- snd_printk ("download of multisample failed.\n");
+ dev_err(dev->card->dev, "download of multisample failed.\n");
kfree(msample_hdr);
return -EIO;
}
@@ -1271,7 +1273,7 @@ wavefront_fetch_multisample (snd_wavefro
munge_int32 (header->number, number, 2);
if (snd_wavefront_cmd (dev, WFC_UPLOAD_MULTISAMPLE, log_ns, number)) {
- snd_printk ("upload multisample failed.\n");
+ dev_err(dev->card->dev, "upload multisample failed.\n");
return -EIO;
}
@@ -1290,16 +1292,16 @@ wavefront_fetch_multisample (snd_wavefro
val = wavefront_read(dev);
if (val == -1) {
- snd_printk ("upload multisample failed "
- "during sample loop.\n");
+ dev_err(dev->card->dev,
+ "upload multisample failed during sample loop.\n");
return -EIO;
}
d[0] = val;
val = wavefront_read(dev);
if (val == -1) {
- snd_printk ("upload multisample failed "
- "during sample loop.\n");
+ dev_err(dev->card->dev,
+ "upload multisample failed during sample loop.\n");
return -EIO;
}
d[1] = val;
@@ -1334,7 +1336,7 @@ wavefront_send_drum (snd_wavefront_t *de
}
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_EDRUM_PROGRAM, NULL, drumbuf)) {
- snd_printk ("download drum failed.\n");
+ dev_err(dev->card->dev, "download drum failed.\n");
return -EIO;
}
@@ -1352,7 +1354,7 @@ wavefront_find_free_sample (snd_wavefron
return i;
}
}
- snd_printk ("no free sample slots!\n");
+ dev_err(dev->card->dev, "no free sample slots!\n");
return -1;
}
@@ -1368,7 +1370,7 @@ wavefront_find_free_patch (snd_wavefront
return i;
}
}
- snd_printk ("no free patch slots!\n");
+ dev_err(dev->card->dev, "no free patch slots!\n");
return -1;
}
#endif
@@ -1385,7 +1387,7 @@ wavefront_load_patch (snd_wavefront_t *d
if (copy_from_user (header, addr, sizeof(wavefront_patch_info) -
sizeof(wavefront_any))) {
- snd_printk ("bad address for load patch.\n");
+ dev_err(dev->card->dev, "bad address for load patch.\n");
err = -EFAULT;
goto __error;
}
@@ -1463,8 +1465,8 @@ wavefront_load_patch (snd_wavefront_t *d
break;
default:
- snd_printk ("unknown patch type %d.\n",
- header->subkey);
+ dev_err(dev->card->dev, "unknown patch type %d.\n",
+ header->subkey);
err = -EINVAL;
break;
}
@@ -1527,13 +1529,13 @@ wavefront_synth_control (snd_wavefront_c
switch (wc->cmd) {
case WFC_DISABLE_INTERRUPTS:
- snd_printk ("interrupts disabled.\n");
+ dev_dbg(dev->card->dev, "interrupts disabled.\n");
outb (0x80|0x20, dev->control_port);
dev->interrupts_are_midi = 1;
return 0;
case WFC_ENABLE_INTERRUPTS:
- snd_printk ("interrupts enabled.\n");
+ dev_dbg(dev->card->dev, "interrupts enabled.\n");
outb (0x80|0x40|0x20, dev->control_port);
dev->interrupts_are_midi = 1;
return 0;
@@ -1550,7 +1552,7 @@ wavefront_synth_control (snd_wavefront_c
case WFC_IDENTIFY_SLOT_TYPE:
i = wc->wbuf[0] | (wc->wbuf[1] << 7);
if (i <0 || i >= WF_MAX_SAMPLE) {
- snd_printk ("invalid slot ID %d\n",
+ dev_err(dev->card->dev, "invalid slot ID %d\n",
i);
wc->status = EINVAL;
return -EINVAL;
@@ -1561,7 +1563,7 @@ wavefront_synth_control (snd_wavefront_c
case WFC_DEBUG_DRIVER:
dev->debug = wc->wbuf[0];
- snd_printk ("debug = 0x%x\n", dev->debug);
+ dev_dbg(dev->card->dev, "debug = 0x%x\n", dev->debug);
return 0;
case WFC_UPLOAD_PATCH:
@@ -1578,8 +1580,8 @@ wavefront_synth_control (snd_wavefront_c
return 0;
case WFC_UPLOAD_SAMPLE_ALIAS:
- snd_printk ("support for sample alias upload "
- "being considered.\n");
+ dev_err(dev->card->dev,
+ "support for sample alias upload being considered.\n");
wc->status = EINVAL;
return -EINVAL;
}
@@ -1620,9 +1622,8 @@ wavefront_synth_control (snd_wavefront_c
break;
case WFC_UPLOAD_SAMPLE_ALIAS:
- snd_printk ("support for "
- "sample aliases still "
- "being considered.\n");
+ dev_err(dev->card->dev,
+ "support for sample aliases still being considered.\n");
break;
case WFC_VMIDI_OFF:
@@ -1760,7 +1761,7 @@ snd_wavefront_internal_interrupt (snd_wa
*/
static int
-snd_wavefront_interrupt_bits (int irq)
+snd_wavefront_interrupt_bits(snd_wavefront_t *dev, int irq)
{
int bits;
@@ -1780,7 +1781,7 @@ snd_wavefront_interrupt_bits (int irq)
break;
default:
- snd_printk ("invalid IRQ %d\n", irq);
+ dev_err(dev->card->dev, "invalid IRQ %d\n", irq);
bits = -1;
}
@@ -1815,7 +1816,7 @@ wavefront_reset_to_cleanliness (snd_wave
/* IRQ already checked */
- bits = snd_wavefront_interrupt_bits (dev->irq);
+ bits = snd_wavefront_interrupt_bits(dev, dev->irq);
/* try reset of port */
@@ -1885,7 +1886,7 @@ wavefront_reset_to_cleanliness (snd_wave
*/
if (!dev->irq_ok) {
- snd_printk ("intr not received after h/w un-reset.\n");
+ dev_err(dev->card->dev, "intr not received after h/w un-reset.\n");
goto gone_bad;
}
@@ -1909,18 +1910,18 @@ wavefront_reset_to_cleanliness (snd_wave
dev->data_port, ramcheck_time*HZ);
if (!dev->irq_ok) {
- snd_printk ("post-RAM-check interrupt not received.\n");
+ dev_err(dev->card->dev, "post-RAM-check interrupt not received.\n");
goto gone_bad;
}
if (!wavefront_wait (dev, STAT_CAN_READ)) {
- snd_printk ("no response to HW version cmd.\n");
+ dev_err(dev->card->dev, "no response to HW version cmd.\n");
goto gone_bad;
}
hwv[0] = wavefront_read(dev);
if (hwv[0] == -1) {
- snd_printk ("board not responding correctly.\n");
+ dev_err(dev->card->dev, "board not responding correctly.\n");
goto gone_bad;
}
@@ -1932,11 +1933,11 @@ wavefront_reset_to_cleanliness (snd_wave
hwv[0] = wavefront_read(dev);
if (hwv[0] == -1) {
- snd_printk ("on-board RAM test failed "
- "(bad error code).\n");
+ dev_err(dev->card->dev,
+ "on-board RAM test failed (bad error code).\n");
} else {
- snd_printk ("on-board RAM test failed "
- "(error code: 0x%x).\n",
+ dev_err(dev->card->dev,
+ "on-board RAM test failed (error code: 0x%x).\n",
hwv[0]);
}
goto gone_bad;
@@ -1946,12 +1947,12 @@ wavefront_reset_to_cleanliness (snd_wave
hwv[1] = wavefront_read(dev);
if (hwv[1] == -1) {
- snd_printk ("incorrect h/w response.\n");
+ dev_err(dev->card->dev, "incorrect h/w response.\n");
goto gone_bad;
}
- snd_printk ("hardware version %d.%d\n",
- hwv[0], hwv[1]);
+ dev_info(dev->card->dev, "hardware version %d.%d\n",
+ hwv[0], hwv[1]);
return 0;
@@ -1971,7 +1972,7 @@ wavefront_download_firmware (snd_wavefro
err = request_firmware(&firmware, path, dev->card->dev);
if (err < 0) {
- snd_printk(KERN_ERR "firmware (%s) download failed!!!\n", path);
+ dev_err(dev->card->dev, "firmware (%s) download failed!!!\n", path);
return 1;
}
@@ -1982,16 +1983,16 @@ wavefront_download_firmware (snd_wavefro
if (section_length == 0)
break;
if (section_length < 0 || section_length > WF_SECTION_MAX) {
- snd_printk(KERN_ERR
- "invalid firmware section length %d\n",
- section_length);
+ dev_err(dev->card->dev,
+ "invalid firmware section length %d\n",
+ section_length);
goto failure;
}
buf++;
len++;
if (firmware->size < len + section_length) {
- snd_printk(KERN_ERR "firmware section read error.\n");
+ dev_err(dev->card->dev, "firmware section read error.\n");
goto failure;
}
@@ -2008,15 +2009,14 @@ wavefront_download_firmware (snd_wavefro
/* get ACK */
if (!wavefront_wait(dev, STAT_CAN_READ)) {
- snd_printk(KERN_ERR "time out for firmware ACK.\n");
+ dev_err(dev->card->dev, "time out for firmware ACK.\n");
goto failure;
}
err = inb(dev->data_port);
if (err != WF_ACK) {
- snd_printk(KERN_ERR
- "download of section #%d not "
- "acknowledged, ack = 0x%x\n",
- section_cnt_downloaded + 1, err);
+ dev_err(dev->card->dev,
+ "download of section #%d not acknowledged, ack = 0x%x\n",
+ section_cnt_downloaded + 1, err);
goto failure;
}
@@ -2028,7 +2028,7 @@ wavefront_download_firmware (snd_wavefro
failure:
release_firmware(firmware);
- snd_printk(KERN_ERR "firmware download failed!!!\n");
+ dev_err(dev->card->dev, "firmware download failed!!!\n");
return 1;
}
@@ -2040,7 +2040,7 @@ wavefront_do_reset (snd_wavefront_t *dev
char voices[1];
if (wavefront_reset_to_cleanliness (dev)) {
- snd_printk ("hw reset failed.\n");
+ dev_err(dev->card->dev, "hw reset failed.\n");
goto gone_bad;
}
@@ -2064,7 +2064,7 @@ wavefront_do_reset (snd_wavefront_t *dev
(osrun_time*HZ));
if (!dev->irq_ok) {
- snd_printk ("no post-OS interrupt.\n");
+ dev_err(dev->card->dev, "no post-OS interrupt.\n");
goto gone_bad;
}
@@ -2074,7 +2074,7 @@ wavefront_do_reset (snd_wavefront_t *dev
dev->data_port, (10*HZ));
if (!dev->irq_ok) {
- snd_printk ("no post-OS interrupt(2).\n");
+ dev_err(dev->card->dev, "no post-OS interrupt(2).\n");
goto gone_bad;
}
@@ -2094,20 +2094,20 @@ wavefront_do_reset (snd_wavefront_t *dev
if (dev->freemem < 0)
goto gone_bad;
- snd_printk ("available DRAM %dk\n", dev->freemem / 1024);
+ dev_info(dev->card->dev, "available DRAM %dk\n", dev->freemem / 1024);
if (wavefront_write (dev, 0xf0) ||
wavefront_write (dev, 1) ||
(wavefront_read (dev) < 0)) {
dev->debug = 0;
- snd_printk ("MPU emulation mode not set.\n");
+ dev_err(dev->card->dev, "MPU emulation mode not set.\n");
goto gone_bad;
}
voices[0] = 32;
if (snd_wavefront_cmd (dev, WFC_SET_NVOICES, NULL, voices)) {
- snd_printk ("cannot set number of voices to 32.\n");
+ dev_err(dev->card->dev, "cannot set number of voices to 32.\n");
goto gone_bad;
}
@@ -2187,8 +2187,8 @@ snd_wavefront_detect (snd_wavefront_card
dev->fw_version[0] = rbuf[0];
dev->fw_version[1] = rbuf[1];
- snd_printk ("firmware %d.%d already loaded.\n",
- rbuf[0], rbuf[1]);
+ dev_info(dev->card->dev, "firmware %d.%d already loaded.\n",
+ rbuf[0], rbuf[1]);
/* check that a command actually works */
@@ -2197,22 +2197,24 @@ snd_wavefront_detect (snd_wavefront_card
dev->hw_version[0] = rbuf[0];
dev->hw_version[1] = rbuf[1];
} else {
- snd_printk ("not raw, but no "
- "hardware version!\n");
+ dev_err(dev->card->dev,
+ "not raw, but no hardware version!\n");
return -1;
}
if (!wf_raw) {
return 0;
} else {
- snd_printk ("reloading firmware as you requested.\n");
+ dev_info(dev->card->dev,
+ "reloading firmware as you requested.\n");
dev->israw = 1;
}
} else {
dev->israw = 1;
- snd_printk ("no response to firmware probe, assume raw.\n");
+ dev_info(dev->card->dev,
+ "no response to firmware probe, assume raw.\n");
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 631/737] ALSA: wavefront: Fix integer overflow in sample size validation
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (629 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 630/737] ALSA: wavefront: Use standard print API Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 632/737] ALSA: wavefront: Use guard() for spin locks Greg Kroah-Hartman
` (116 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junrui Luo, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 0c4a13ba88594fd4a27292853e736c6b4349823d ]
The wavefront_send_sample() function has an integer overflow issue
when validating sample size. The header->size field is u32 but gets
cast to int for comparison with dev->freemem
Fix by using unsigned comparison to avoid integer overflow.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881B47789D1B060CE8BF4C3AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/isa/wavefront/wavefront_synth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -950,9 +950,9 @@ wavefront_send_sample (snd_wavefront_t *
if (header->size) {
dev->freemem = wavefront_freemem (dev);
- if (dev->freemem < (int)header->size) {
+ if (dev->freemem < 0 || dev->freemem < header->size) {
dev_err(dev->card->dev,
- "insufficient memory to load %d byte sample.\n",
+ "insufficient memory to load %u byte sample.\n",
header->size);
return -ENOMEM;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 632/737] ALSA: wavefront: Use guard() for spin locks
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (630 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 631/737] ALSA: wavefront: Fix integer overflow in sample size validation Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 633/737] ALSA: wavefront: Clear substream pointers on close Greg Kroah-Hartman
` (115 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 4b97f8e614ba46a50bd181d40b5a1424411a211a ]
Clean up the code using guard() for spin locks.
Merely code refactoring, and no behavior change.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20250829145300.5460-19-tiwai@suse.de
Stable-dep-of: e11c5c13ce0a ("ALSA: wavefront: Clear substream pointers on close")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/isa/wavefront/wavefront_midi.c | 127 +++++++++++++---------------------
sound/isa/wavefront/wavefront_synth.c | 18 ++--
2 files changed, 59 insertions(+), 86 deletions(-)
--- a/sound/isa/wavefront/wavefront_midi.c
+++ b/sound/isa/wavefront/wavefront_midi.c
@@ -113,7 +113,6 @@ static void snd_wavefront_midi_output_wr
{
snd_wavefront_midi_t *midi = &card->wavefront.midi;
snd_wavefront_mpu_id mpu;
- unsigned long flags;
unsigned char midi_byte;
int max = 256, mask = 1;
int timeout;
@@ -142,11 +141,9 @@ static void snd_wavefront_midi_output_wr
break;
}
- spin_lock_irqsave (&midi->virtual, flags);
- if ((midi->mode[midi->output_mpu] & MPU401_MODE_OUTPUT) == 0) {
- spin_unlock_irqrestore (&midi->virtual, flags);
+ guard(spinlock_irqsave)(&midi->virtual);
+ if ((midi->mode[midi->output_mpu] & MPU401_MODE_OUTPUT) == 0)
goto __second;
- }
if (output_ready (midi)) {
if (snd_rawmidi_transmit(midi->substream_output[midi->output_mpu], &midi_byte, 1) == 1) {
if (!midi->isvirtual ||
@@ -160,14 +157,11 @@ static void snd_wavefront_midi_output_wr
del_timer(&midi->timer);
}
midi->mode[midi->output_mpu] &= ~MPU401_MODE_OUTPUT_TRIGGER;
- spin_unlock_irqrestore (&midi->virtual, flags);
goto __second;
}
} else {
- spin_unlock_irqrestore (&midi->virtual, flags);
return;
}
- spin_unlock_irqrestore (&midi->virtual, flags);
}
__second:
@@ -185,15 +179,13 @@ static void snd_wavefront_midi_output_wr
break;
}
- spin_lock_irqsave (&midi->virtual, flags);
+ guard(spinlock_irqsave)(&midi->virtual);
if (!midi->isvirtual)
mask = 0;
mpu = midi->output_mpu ^ mask;
mask = 0; /* don't invert the value from now */
- if ((midi->mode[mpu] & MPU401_MODE_OUTPUT) == 0) {
- spin_unlock_irqrestore (&midi->virtual, flags);
+ if ((midi->mode[mpu] & MPU401_MODE_OUTPUT) == 0)
return;
- }
if (snd_rawmidi_transmit_empty(midi->substream_output[mpu]))
goto __timer;
if (output_ready (midi)) {
@@ -215,20 +207,16 @@ static void snd_wavefront_midi_output_wr
del_timer(&midi->timer);
}
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT_TRIGGER;
- spin_unlock_irqrestore (&midi->virtual, flags);
return;
}
} else {
- spin_unlock_irqrestore (&midi->virtual, flags);
return;
}
- spin_unlock_irqrestore (&midi->virtual, flags);
}
}
static int snd_wavefront_midi_input_open(struct snd_rawmidi_substream *substream)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -243,17 +231,15 @@ static int snd_wavefront_midi_input_open
if (!midi)
return -EIO;
- spin_lock_irqsave (&midi->open, flags);
+ guard(spinlock_irqsave)(&midi->open);
midi->mode[mpu] |= MPU401_MODE_INPUT;
midi->substream_input[mpu] = substream;
- spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static int snd_wavefront_midi_output_open(struct snd_rawmidi_substream *substream)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -268,17 +254,15 @@ static int snd_wavefront_midi_output_ope
if (!midi)
return -EIO;
- spin_lock_irqsave (&midi->open, flags);
+ guard(spinlock_irqsave)(&midi->open);
midi->mode[mpu] |= MPU401_MODE_OUTPUT;
midi->substream_output[mpu] = substream;
- spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static int snd_wavefront_midi_input_close(struct snd_rawmidi_substream *substream)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -293,16 +277,14 @@ static int snd_wavefront_midi_input_clos
if (!midi)
return -EIO;
- spin_lock_irqsave (&midi->open, flags);
+ guard(spinlock_irqsave)(&midi->open);
midi->mode[mpu] &= ~MPU401_MODE_INPUT;
- spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static int snd_wavefront_midi_output_close(struct snd_rawmidi_substream *substream)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -317,15 +299,13 @@ static int snd_wavefront_midi_output_clo
if (!midi)
return -EIO;
- spin_lock_irqsave (&midi->open, flags);
+ guard(spinlock_irqsave)(&midi->open);
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT;
- spin_unlock_irqrestore (&midi->open, flags);
return 0;
}
static void snd_wavefront_midi_input_trigger(struct snd_rawmidi_substream *substream, int up)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -341,30 +321,27 @@ static void snd_wavefront_midi_input_tri
if (!midi)
return;
- spin_lock_irqsave (&midi->virtual, flags);
+ guard(spinlock_irqsave)(&midi->virtual);
if (up) {
midi->mode[mpu] |= MPU401_MODE_INPUT_TRIGGER;
} else {
midi->mode[mpu] &= ~MPU401_MODE_INPUT_TRIGGER;
}
- spin_unlock_irqrestore (&midi->virtual, flags);
}
static void snd_wavefront_midi_output_timer(struct timer_list *t)
{
snd_wavefront_midi_t *midi = from_timer(midi, t, timer);
snd_wavefront_card_t *card = midi->timer_card;
- unsigned long flags;
- spin_lock_irqsave (&midi->virtual, flags);
- mod_timer(&midi->timer, 1 + jiffies);
- spin_unlock_irqrestore (&midi->virtual, flags);
+ scoped_guard(spinlock_irqsave, &midi->virtual) {
+ mod_timer(&midi->timer, 1 + jiffies);
+ }
snd_wavefront_midi_output_write(card);
}
static void snd_wavefront_midi_output_trigger(struct snd_rawmidi_substream *substream, int up)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
snd_wavefront_mpu_id mpu;
@@ -380,22 +357,22 @@ static void snd_wavefront_midi_output_tr
if (!midi)
return;
- spin_lock_irqsave (&midi->virtual, flags);
- if (up) {
- if ((midi->mode[mpu] & MPU401_MODE_OUTPUT_TRIGGER) == 0) {
- if (!midi->istimer) {
- timer_setup(&midi->timer,
- snd_wavefront_midi_output_timer,
- 0);
- mod_timer(&midi->timer, 1 + jiffies);
+ scoped_guard(spinlock_irqsave, &midi->virtual) {
+ if (up) {
+ if ((midi->mode[mpu] & MPU401_MODE_OUTPUT_TRIGGER) == 0) {
+ if (!midi->istimer) {
+ timer_setup(&midi->timer,
+ snd_wavefront_midi_output_timer,
+ 0);
+ mod_timer(&midi->timer, 1 + jiffies);
+ }
+ midi->istimer++;
+ midi->mode[mpu] |= MPU401_MODE_OUTPUT_TRIGGER;
}
- midi->istimer++;
- midi->mode[mpu] |= MPU401_MODE_OUTPUT_TRIGGER;
+ } else {
+ midi->mode[mpu] &= ~MPU401_MODE_OUTPUT_TRIGGER;
}
- } else {
- midi->mode[mpu] &= ~MPU401_MODE_OUTPUT_TRIGGER;
}
- spin_unlock_irqrestore (&midi->virtual, flags);
if (up)
snd_wavefront_midi_output_write((snd_wavefront_card_t *)substream->rmidi->card->private_data);
@@ -405,7 +382,6 @@ void
snd_wavefront_midi_interrupt (snd_wavefront_card_t *card)
{
- unsigned long flags;
snd_wavefront_midi_t *midi;
static struct snd_rawmidi_substream *substream = NULL;
static int mpu = external_mpu;
@@ -419,37 +395,37 @@ snd_wavefront_midi_interrupt (snd_wavefr
return;
}
- spin_lock_irqsave (&midi->virtual, flags);
- while (--max) {
+ scoped_guard(spinlock_irqsave, &midi->virtual) {
+ while (--max) {
- if (input_avail (midi)) {
- byte = read_data (midi);
+ if (input_avail(midi)) {
+ byte = read_data(midi);
- if (midi->isvirtual) {
- if (byte == WF_EXTERNAL_SWITCH) {
- substream = midi->substream_input[external_mpu];
- mpu = external_mpu;
- } else if (byte == WF_INTERNAL_SWITCH) {
- substream = midi->substream_output[internal_mpu];
+ if (midi->isvirtual) {
+ if (byte == WF_EXTERNAL_SWITCH) {
+ substream = midi->substream_input[external_mpu];
+ mpu = external_mpu;
+ } else if (byte == WF_INTERNAL_SWITCH) {
+ substream = midi->substream_output[internal_mpu];
+ mpu = internal_mpu;
+ } /* else just leave it as it is */
+ } else {
+ substream = midi->substream_input[internal_mpu];
mpu = internal_mpu;
- } /* else just leave it as it is */
- } else {
- substream = midi->substream_input[internal_mpu];
- mpu = internal_mpu;
- }
+ }
- if (substream == NULL) {
- continue;
- }
+ if (substream == NULL) {
+ continue;
+ }
- if (midi->mode[mpu] & MPU401_MODE_INPUT_TRIGGER) {
- snd_rawmidi_receive(substream, &byte, 1);
+ if (midi->mode[mpu] & MPU401_MODE_INPUT_TRIGGER) {
+ snd_rawmidi_receive(substream, &byte, 1);
+ }
+ } else {
+ break;
}
- } else {
- break;
}
- }
- spin_unlock_irqrestore (&midi->virtual, flags);
+ }
snd_wavefront_midi_output_write(card);
}
@@ -471,13 +447,10 @@ void
snd_wavefront_midi_disable_virtual (snd_wavefront_card_t *card)
{
- unsigned long flags;
-
- spin_lock_irqsave (&card->wavefront.midi.virtual, flags);
+ guard(spinlock_irqsave)(&card->wavefront.midi.virtual);
// snd_wavefront_midi_input_close (card->ics2115_external_rmidi);
// snd_wavefront_midi_output_close (card->ics2115_external_rmidi);
card->wavefront.midi.isvirtual = 0;
- spin_unlock_irqrestore (&card->wavefront.midi.virtual, flags);
}
int
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -1741,10 +1741,10 @@ snd_wavefront_internal_interrupt (snd_wa
return;
}
- spin_lock(&dev->irq_lock);
- dev->irq_ok = 1;
- dev->irq_cnt++;
- spin_unlock(&dev->irq_lock);
+ scoped_guard(spinlock, &dev->irq_lock) {
+ dev->irq_ok = 1;
+ dev->irq_cnt++;
+ }
wake_up(&dev->interrupt_sleeper);
}
@@ -1796,11 +1796,11 @@ wavefront_should_cause_interrupt (snd_wa
wait_queue_entry_t wait;
init_waitqueue_entry(&wait, current);
- spin_lock_irq(&dev->irq_lock);
- add_wait_queue(&dev->interrupt_sleeper, &wait);
- dev->irq_ok = 0;
- outb (val,port);
- spin_unlock_irq(&dev->irq_lock);
+ scoped_guard(spinlock_irq, &dev->irq_lock) {
+ add_wait_queue(&dev->interrupt_sleeper, &wait);
+ dev->irq_ok = 0;
+ outb(val, port);
+ }
while (!dev->irq_ok && time_before(jiffies, timeout)) {
schedule_timeout_uninterruptible(1);
barrier();
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 633/737] ALSA: wavefront: Clear substream pointers on close
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (631 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 632/737] ALSA: wavefront: Use guard() for spin locks Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 634/737] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() Greg Kroah-Hartman
` (114 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit e11c5c13ce0ab2325d38fe63500be1dd88b81e38 ]
Clear substream pointers in close functions to avoid leaving dangling
pointers, helping to improve code safety and
prevents potential issues.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881DF762CAB45EE42F6D812AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/isa/wavefront/wavefront_midi.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/isa/wavefront/wavefront_midi.c
+++ b/sound/isa/wavefront/wavefront_midi.c
@@ -278,6 +278,7 @@ static int snd_wavefront_midi_input_clos
return -EIO;
guard(spinlock_irqsave)(&midi->open);
+ midi->substream_input[mpu] = NULL;
midi->mode[mpu] &= ~MPU401_MODE_INPUT;
return 0;
@@ -300,6 +301,7 @@ static int snd_wavefront_midi_output_clo
return -EIO;
guard(spinlock_irqsave)(&midi->open);
+ midi->substream_output[mpu] = NULL;
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT;
return 0;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 634/737] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (632 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 633/737] ALSA: wavefront: Clear substream pointers on close Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 635/737] ext4: fix string copying in parse_apply_sb_mount_options() Greg Kroah-Hartman
` (113 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Arefev, Richard Fitzgerald,
Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Arefev <arefev@swemel.ru>
[ Upstream commit c34b04cc6178f33c08331568c7fd25c5b9a39f66 ]
The acpi_get_first_physical_node() function can return NULL, in which
case the get_device() function also returns NULL, but this value is
then dereferenced without checking,so add a check to prevent a crash.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems")
Cc: stable@vger.kernel.org
Signed-off-by: Denis Arefev <arefev@swemel.ru>
Reviewed-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20251202101338.11437-1-arefev@swemel.ru
[ NULL check right after acpi_dev_put(adev) cleanup call ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/cs35l41_hda.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/pci/hda/cs35l41_hda.c
+++ b/sound/pci/hda/cs35l41_hda.c
@@ -1432,6 +1432,8 @@ static int cs35l41_hda_read_acpi(struct
physdev = get_device(acpi_get_first_physical_node(adev));
acpi_dev_put(adev);
+ if (!physdev)
+ return -ENODEV;
sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev));
if (IS_ERR(sub))
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 635/737] ext4: fix string copying in parse_apply_sb_mount_options()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (633 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 634/737] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 636/737] jbd2: fix the inconsistency between checksum and data in memory for journal sb Greg Kroah-Hartman
` (112 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Baokun Li, Jan Kara,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit ee5a977b4e771cc181f39d504426dbd31ed701cc ]
strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term
string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce
memtostr() and memtostr_pad()") provides additional information in that
regard. So if this happens, the following warning is observed:
strnlen: detected buffer overflow: 65 byte read of buffer size 64
WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Modules linked in:
CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Call Trace:
<TASK>
__fortify_panic+0x1f/0x30 lib/string_helpers.c:1039
strnlen include/linux/fortify-string.h:235 [inline]
sized_strscpy include/linux/fortify-string.h:309 [inline]
parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]
__ext4_fill_super fs/ext4/super.c:5261 [inline]
ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706
get_tree_bdev_flags+0x387/0x620 fs/super.c:1636
vfs_get_tree+0x93/0x380 fs/super.c:1814
do_new_mount fs/namespace.c:3553 [inline]
path_mount+0x6ae/0x1f70 fs/namespace.c:3880
do_mount fs/namespace.c:3893 [inline]
__do_sys_mount fs/namespace.c:4103 [inline]
__se_sys_mount fs/namespace.c:4080 [inline]
__x64_sys_mount+0x280/0x300 fs/namespace.c:4080
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Since userspace is expected to provide s_mount_opts field to be at most 63
characters long with the ending byte being NUL-term, use a 64-byte buffer
which matches the size of s_mount_opts, so that strscpy_pad() does its job
properly. Return with error if the user still managed to provide a
non-NUL-term string here.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 8ecb790ea8c3 ("ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()")
Cc: stable@vger.kernel.org
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251101160430.222297-1-pchelkin@ispras.ru>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[ adapted 2-argument strscpy_pad() call to 3-argument form with explicit sizeof() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2507,7 +2507,7 @@ static int parse_apply_sb_mount_options(
struct ext4_fs_context *m_ctx)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
- char s_mount_opts[65];
+ char s_mount_opts[64];
struct ext4_fs_context *s_ctx = NULL;
struct fs_context *fc = NULL;
int ret = -ENOMEM;
@@ -2515,7 +2515,8 @@ static int parse_apply_sb_mount_options(
if (!sbi->s_es->s_mount_opts[0])
return 0;
- strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts, sizeof(s_mount_opts));
+ if (strscpy_pad(s_mount_opts, sbi->s_es->s_mount_opts, sizeof(s_mount_opts)) < 0)
+ return -E2BIG;
fc = kzalloc(sizeof(struct fs_context), GFP_KERNEL);
if (!fc)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 636/737] jbd2: fix the inconsistency between checksum and data in memory for journal sb
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (634 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 635/737] ext4: fix string copying in parse_apply_sb_mount_options() Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 637/737] gfs2: fix freeze error handling Greg Kroah-Hartman
` (111 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Baokun Li, Darrick J. Wong,
Jan Kara, Theodore Tso, stable, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 6abfe107894af7e8ce3a2e120c619d81ee764ad5 ]
Copying the file system while it is mounted as read-only results in
a mount failure:
[~]# mkfs.ext4 -F /dev/sdc
[~]# mount /dev/sdc -o ro /mnt/test
[~]# dd if=/dev/sdc of=/dev/sda bs=1M
[~]# mount /dev/sda /mnt/test1
[ 1094.849826] JBD2: journal checksum error
[ 1094.850927] EXT4-fs (sda): Could not load journal inode
mount: mount /dev/sda on /mnt/test1 failed: Bad message
The process described above is just an abstracted way I came up with to
reproduce the issue. In the actual scenario, the file system was mounted
read-only and then copied while it was still mounted. It was found that
the mount operation failed. The user intended to verify the data or use
it as a backup, and this action was performed during a version upgrade.
Above issue may happen as follows:
ext4_fill_super
set_journal_csum_feature_set(sb)
if (ext4_has_metadata_csum(sb))
incompat = JBD2_FEATURE_INCOMPAT_CSUM_V3;
if (test_opt(sb, JOURNAL_CHECKSUM)
jbd2_journal_set_features(sbi->s_journal, compat, 0, incompat);
lock_buffer(journal->j_sb_buffer);
sb->s_feature_incompat |= cpu_to_be32(incompat);
//The data in the journal sb was modified, but the checksum was not
updated, so the data remaining in memory has a mismatch between the
data and the checksum.
unlock_buffer(journal->j_sb_buffer);
In this case, the journal sb copied over is in a state where the checksum
and data are inconsistent, so mounting fails.
To solve the above issue, update the checksum in memory after modifying
the journal sb.
Fixes: 4fd5ea43bc11 ("jbd2: checksum journal superblock")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251103010123.3753631-1-yebin@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[ jbd2_superblock_csum() also takes a journal param ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -2405,6 +2405,12 @@ int jbd2_journal_set_features(journal_t
sb->s_feature_compat |= cpu_to_be32(compat);
sb->s_feature_ro_compat |= cpu_to_be32(ro);
sb->s_feature_incompat |= cpu_to_be32(incompat);
+ /*
+ * Update the checksum now so that it is valid even for read-only
+ * filesystems where jbd2_write_superblock() doesn't get called.
+ */
+ if (jbd2_journal_has_csum_v2or3(journal))
+ sb->s_checksum = jbd2_superblock_csum(journal, sb);
unlock_buffer(journal->j_sb_buffer);
jbd2_journal_init_transaction_limits(journal);
@@ -2434,9 +2440,17 @@ void jbd2_journal_clear_features(journal
sb = journal->j_superblock;
+ lock_buffer(journal->j_sb_buffer);
sb->s_feature_compat &= ~cpu_to_be32(compat);
sb->s_feature_ro_compat &= ~cpu_to_be32(ro);
sb->s_feature_incompat &= ~cpu_to_be32(incompat);
+ /*
+ * Update the checksum now so that it is valid even for read-only
+ * filesystems where jbd2_write_superblock() doesn't get called.
+ */
+ if (jbd2_journal_has_csum_v2or3(journal))
+ sb->s_checksum = jbd2_superblock_csum(journal, sb);
+ unlock_buffer(journal->j_sb_buffer);
jbd2_journal_init_transaction_limits(journal);
}
EXPORT_SYMBOL(jbd2_journal_clear_features);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 637/737] gfs2: fix freeze error handling
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (635 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 636/737] jbd2: fix the inconsistency between checksum and data in memory for journal sb Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 638/737] btrfs: dont rewrite ret from inode_permission Greg Kroah-Hartman
` (110 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Velichayshiy,
Andreas Gruenbacher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
[ Upstream commit 4cfc7d5a4a01d2133b278cdbb1371fba1b419174 ]
After commit b77b4a4815a9 ("gfs2: Rework freeze / thaw logic"),
the freeze error handling is broken because gfs2_do_thaw()
overwrites the 'error' variable, causing incorrect processing
of the original freeze error.
Fix this by calling gfs2_do_thaw() when gfs2_lock_fs_check_clean()
fails but ignoring its return value to preserve the original
freeze error for proper reporting.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: b77b4a4815a9 ("gfs2: Rework freeze / thaw logic")
Cc: stable@vger.kernel.org # v6.5+
Signed-off-by: Alexey Velichayshiy <a.velichayshiy@ispras.ru>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
[ gfs2_do_thaw() only takes one param ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/gfs2/super.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -776,9 +776,7 @@ static int gfs2_freeze_super(struct supe
if (!error)
break; /* success */
- error = gfs2_do_thaw(sdp);
- if (error)
- goto out;
+ (void)gfs2_do_thaw(sdp);
if (error == -EBUSY)
fs_err(sdp, "waiting for recovery before freeze\n");
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 638/737] btrfs: dont rewrite ret from inode_permission
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (636 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 637/737] gfs2: fix freeze error handling Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 639/737] wifi: mt76: Fix DTS power-limits on little endian systems Greg Kroah-Hartman
` (109 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Josef Bacik,
Daniel Vacek, David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 0185c2292c600993199bc6b1f342ad47a9e8c678 ]
In our user safe ino resolve ioctl we'll just turn any ret into -EACCES
from inode_permission(). This is redundant, and could potentially be
wrong if we had an ENOMEM in the security layer or some such other
error, so simply return the actual return value.
Note: The patch was taken from v5 of fscrypt patchset
(https://lore.kernel.org/linux-btrfs/cover.1706116485.git.josef@toxicpanda.com/)
which was handled over time by various people: Omar Sandoval, Sweet Tea
Dorminy, Josef Bacik.
Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Daniel Vacek <neelx@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ add note ]
Signed-off-by: David Sterba <dsterba@suse.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2006,10 +2006,8 @@ static int btrfs_search_path_in_tree_use
ret = inode_permission(idmap, temp_inode,
MAY_READ | MAY_EXEC);
iput(temp_inode);
- if (ret) {
- ret = -EACCES;
+ if (ret)
goto out_put;
- }
if (key.offset == upper_limit.objectid)
break;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 639/737] wifi: mt76: Fix DTS power-limits on little endian systems
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (637 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 638/737] btrfs: dont rewrite ret from inode_permission Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 640/737] mm/ksm: fix exec/fork inheritance support for prctl Greg Kroah-Hartman
` (108 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Eckelmann (Plasma Cloud),
Felix Fietkau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Sven Eckelmann (Plasma Cloud)" <se@simonwunderlich.de>
[ Upstream commit 38b845e1f9e810869b0a0b69f202b877b7b7fb12 ]
The power-limits for ru and mcs and stored in the devicetree as bytewise
array (often with sizes which are not a multiple of 4). These arrays have a
prefix which defines for how many modes a line is applied. This prefix is
also only a byte - but the code still tried to fix the endianness of this
byte with a be32 operation. As result, loading was mostly failing or was
sending completely unexpected values to the firmware.
Since the other rates are also stored in the devicetree as bytewise arrays,
just drop the u32 access + be32_to_cpu conversion and directly access them
as bytes arrays.
Cc: stable@vger.kernel.org
Fixes: 22b980badc0f ("mt76: add functions for parsing rate power limits from DT")
Fixes: a9627d992b5e ("mt76: extend DT rate power limits to support 11ax devices")
Signed-off-by: Sven Eckelmann (Plasma Cloud) <se@simonwunderlich.de>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/eeprom.c | 37 ++++++++++++++++++----------
1 file changed, 24 insertions(+), 13 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/eeprom.c
+++ b/drivers/net/wireless/mediatek/mt76/eeprom.c
@@ -245,6 +245,19 @@ mt76_get_of_array(struct device_node *np
return prop->value;
}
+static const s8 *
+mt76_get_of_array_s8(struct device_node *np, char *name, size_t *len, int min)
+{
+ struct property *prop = of_find_property(np, name, NULL);
+
+ if (!prop || !prop->value || prop->length < min)
+ return NULL;
+
+ *len = prop->length;
+
+ return prop->value;
+}
+
static struct device_node *
mt76_find_channel_node(struct device_node *np, struct ieee80211_channel *chan)
{
@@ -284,7 +297,7 @@ mt76_get_txs_delta(struct device_node *n
}
static void
-mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const __be32 *data,
+mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const s8 *data,
s8 target_power, s8 nss_delta, s8 *max_power)
{
int i;
@@ -293,15 +306,14 @@ mt76_apply_array_limit(s8 *pwr, size_t p
return;
for (i = 0; i < pwr_len; i++) {
- pwr[i] = min_t(s8, target_power,
- be32_to_cpu(data[i]) + nss_delta);
+ pwr[i] = min_t(s8, target_power, data[i] + nss_delta);
*max_power = max(*max_power, pwr[i]);
}
}
static void
mt76_apply_multi_array_limit(s8 *pwr, size_t pwr_len, s8 pwr_num,
- const __be32 *data, size_t len, s8 target_power,
+ const s8 *data, size_t len, s8 target_power,
s8 nss_delta, s8 *max_power)
{
int i, cur;
@@ -309,8 +321,7 @@ mt76_apply_multi_array_limit(s8 *pwr, si
if (!data)
return;
- len /= 4;
- cur = be32_to_cpu(data[0]);
+ cur = data[0];
for (i = 0; i < pwr_num; i++) {
if (len < pwr_len + 1)
break;
@@ -325,7 +336,7 @@ mt76_apply_multi_array_limit(s8 *pwr, si
if (!len)
break;
- cur = be32_to_cpu(data[0]);
+ cur = data[0];
}
}
@@ -336,7 +347,7 @@ s8 mt76_get_rate_power_limits(struct mt7
{
struct mt76_dev *dev = phy->dev;
struct device_node *np;
- const __be32 *val;
+ const s8 *val;
char name[16];
u32 mcs_rates = dev->drv->mcs_rates;
u32 ru_rates = ARRAY_SIZE(dest->ru[0]);
@@ -382,21 +393,21 @@ s8 mt76_get_rate_power_limits(struct mt7
txs_delta = mt76_get_txs_delta(np, hweight8(phy->antenna_mask));
- val = mt76_get_of_array(np, "rates-cck", &len, ARRAY_SIZE(dest->cck));
+ val = mt76_get_of_array_s8(np, "rates-cck", &len, ARRAY_SIZE(dest->cck));
mt76_apply_array_limit(dest->cck, ARRAY_SIZE(dest->cck), val,
target_power, txs_delta, &max_power);
- val = mt76_get_of_array(np, "rates-ofdm",
- &len, ARRAY_SIZE(dest->ofdm));
+ val = mt76_get_of_array_s8(np, "rates-ofdm",
+ &len, ARRAY_SIZE(dest->ofdm));
mt76_apply_array_limit(dest->ofdm, ARRAY_SIZE(dest->ofdm), val,
target_power, txs_delta, &max_power);
- val = mt76_get_of_array(np, "rates-mcs", &len, mcs_rates + 1);
+ val = mt76_get_of_array_s8(np, "rates-mcs", &len, mcs_rates + 1);
mt76_apply_multi_array_limit(dest->mcs[0], ARRAY_SIZE(dest->mcs[0]),
ARRAY_SIZE(dest->mcs), val, len,
target_power, txs_delta, &max_power);
- val = mt76_get_of_array(np, "rates-ru", &len, ru_rates + 1);
+ val = mt76_get_of_array_s8(np, "rates-ru", &len, ru_rates + 1);
mt76_apply_multi_array_limit(dest->ru[0], ARRAY_SIZE(dest->ru[0]),
ARRAY_SIZE(dest->ru), val, len,
target_power, txs_delta, &max_power);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 640/737] mm/ksm: fix exec/fork inheritance support for prctl
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (638 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 639/737] wifi: mt76: Fix DTS power-limits on little endian systems Greg Kroah-Hartman
@ 2026-01-09 11:42 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 641/737] usb: ohci-nxp: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
` (107 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, xu xin, Stefan Roesch,
David Hildenbrand, Jinjiang Tu, Wang Yaxin, Yang Yang,
Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: xu xin <xu.xin16@zte.com.cn>
[ Upstream commit 590c03ca6a3fbb114396673314e2aa483839608b ]
Patch series "ksm: fix exec/fork inheritance", v2.
This series fixes exec/fork inheritance. See the detailed description of
the issue below.
This patch (of 2):
Background
==========
commit d7597f59d1d33 ("mm: add new api to enable ksm per process")
introduced MMF_VM_MERGE_ANY for mm->flags, and allowed user to set it by
prctl() so that the process's VMAs are forcibly scanned by ksmd.
Subsequently, the 3c6f33b7273a ("mm/ksm: support fork/exec for prctl")
supported inheriting the MMF_VM_MERGE_ANY flag when a task calls execve().
Finally, commit 3a9e567ca45fb ("mm/ksm: fix ksm exec support for prctl")
fixed the issue that ksmd doesn't scan the mm_struct with MMF_VM_MERGE_ANY
by adding the mm_slot to ksm_mm_head in __bprm_mm_init().
Problem
=======
In some extreme scenarios, however, this inheritance of MMF_VM_MERGE_ANY
during exec/fork can fail. For example, when the scanning frequency of
ksmd is tuned extremely high, a process carrying MMF_VM_MERGE_ANY may
still fail to pass it to the newly exec'd process. This happens because
ksm_execve() is executed too early in the do_execve flow (prematurely
adding the new mm_struct to the ksm_mm_slot list).
As a result, before do_execve completes, ksmd may have already performed a
scan and found that this new mm_struct has no VM_MERGEABLE VMAs, thus
clearing its MMF_VM_MERGE_ANY flag. Consequently, when the new program
executes, the flag MMF_VM_MERGE_ANY inheritance missed.
Root reason
===========
commit d7597f59d1d33 ("mm: add new api to enable ksm per process") clear
the flag MMF_VM_MERGE_ANY when ksmd found no VM_MERGEABLE VMAs.
Solution
========
Firstly, Don't clear MMF_VM_MERGE_ANY when ksmd found no VM_MERGEABLE
VMAs, because perhaps their mm_struct has just been added to ksm_mm_slot
list, and its process has not yet officially started running or has not
yet performed mmap/brk to allocate anonymous VMAS.
Secondly, recheck MMF_VM_MERGEABLE again if a process takes
MMF_VM_MERGE_ANY, and create a mm_slot and join it into ksm_scan_list
again.
Link: https://lkml.kernel.org/r/20251007182504440BJgK8VXRHh8TD7IGSUIY4@zte.com.cn
Link: https://lkml.kernel.org/r/20251007182821572h_SoFqYZXEP1mvWI4n9VL@zte.com.cn
Fixes: 3c6f33b7273a ("mm/ksm: support fork/exec for prctl")
Fixes: d7597f59d1d3 ("mm: add new api to enable ksm per process")
Signed-off-by: xu xin <xu.xin16@zte.com.cn>
Cc: Stefan Roesch <shr@devkernel.io>
Cc: David Hildenbrand <david@redhat.com>
Cc: Jinjiang Tu <tujinjiang@huawei.com>
Cc: Wang Yaxin <wang.yaxin@zte.com.cn>
Cc: Yang Yang <yang.yang29@zte.com.cn>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ changed mm_flags_test() and mm_flags_clear() calls to test_bit() and clear_bit() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/ksm.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -2451,8 +2451,14 @@ no_vmas:
spin_unlock(&ksm_mmlist_lock);
mm_slot_free(mm_slot_cache, mm_slot);
+ /*
+ * Only clear MMF_VM_MERGEABLE. We must not clear
+ * MMF_VM_MERGE_ANY, because for those MMF_VM_MERGE_ANY process,
+ * perhaps their mm_struct has just been added to ksm_mm_slot
+ * list, and its process has not yet officially started running
+ * or has not yet performed mmap/brk to allocate anonymous VMAS.
+ */
clear_bit(MMF_VM_MERGEABLE, &mm->flags);
- clear_bit(MMF_VM_MERGE_ANY, &mm->flags);
mmap_read_unlock(mm);
mmdrop(mm);
} else {
@@ -2567,8 +2573,16 @@ void ksm_add_vma(struct vm_area_struct *
{
struct mm_struct *mm = vma->vm_mm;
- if (test_bit(MMF_VM_MERGE_ANY, &mm->flags))
+ if (test_bit(MMF_VM_MERGE_ANY, &mm->flags)) {
__ksm_add_vma(vma);
+ /*
+ * Generally, the flags here always include MMF_VM_MERGEABLE.
+ * However, in rare cases, this flag may be cleared by ksmd who
+ * scans a cycle without finding any mergeable vma.
+ */
+ if (unlikely(!test_bit(MMF_VM_MERGEABLE, &mm->flags)))
+ __ksm_enter(mm);
+ }
}
static void ksm_add_vmas(struct mm_struct *mm)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 641/737] usb: ohci-nxp: Use helper function devm_clk_get_enabled()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (639 preceding siblings ...)
2026-01-09 11:42 ` [PATCH 6.6 640/737] mm/ksm: fix exec/fork inheritance support for prctl Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 642/737] usb: ohci-nxp: fix device leak on probe failure Greg Kroah-Hartman
` (106 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Zekun, Alan Stern, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Zekun <zhangzekun11@huawei.com>
[ Upstream commit c146ede472717f352b7283a525bd9a1a2b15e2cf ]
devm_clk_get() and clk_prepare_enable() can be replaced by helper
function devm_clk_get_enabled(). Let's use devm_clk_get_enabled() to
simplify code and avoid calling clk_disable_unprepare().
Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20240902123020.29267-3-zhangzekun11@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: b4c61e542faf ("usb: ohci-nxp: fix device leak on probe failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/ohci-nxp.c | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
--- a/drivers/usb/host/ohci-nxp.c
+++ b/drivers/usb/host/ohci-nxp.c
@@ -51,8 +51,6 @@ static struct hc_driver __read_mostly oh
static struct i2c_client *isp1301_i2c_client;
-static struct clk *usb_host_clk;
-
static void isp1301_configure_lpc32xx(void)
{
/* LPC32XX only supports DAT_SE0 USB mode */
@@ -155,6 +153,7 @@ static int ohci_hcd_nxp_probe(struct pla
struct resource *res;
int ret = 0, irq;
struct device_node *isp1301_node;
+ struct clk *usb_host_clk;
if (pdev->dev.of_node) {
isp1301_node = of_parse_phandle(pdev->dev.of_node,
@@ -180,26 +179,20 @@ static int ohci_hcd_nxp_probe(struct pla
}
/* Enable USB host clock */
- usb_host_clk = devm_clk_get(&pdev->dev, NULL);
+ usb_host_clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(usb_host_clk)) {
- dev_err(&pdev->dev, "failed to acquire USB OHCI clock\n");
+ dev_err(&pdev->dev, "failed to acquire and start USB OHCI clock\n");
ret = PTR_ERR(usb_host_clk);
goto fail_disable;
}
- ret = clk_prepare_enable(usb_host_clk);
- if (ret < 0) {
- dev_err(&pdev->dev, "failed to start USB OHCI clock\n");
- goto fail_disable;
- }
-
isp1301_configure();
hcd = usb_create_hcd(driver, &pdev->dev, dev_name(&pdev->dev));
if (!hcd) {
dev_err(&pdev->dev, "Failed to allocate HC buffer\n");
ret = -ENOMEM;
- goto fail_hcd;
+ goto fail_disable;
}
hcd->regs = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
@@ -229,8 +222,6 @@ static int ohci_hcd_nxp_probe(struct pla
ohci_nxp_stop_hc();
fail_resource:
usb_put_hcd(hcd);
-fail_hcd:
- clk_disable_unprepare(usb_host_clk);
fail_disable:
isp1301_i2c_client = NULL;
return ret;
@@ -243,7 +234,6 @@ static void ohci_hcd_nxp_remove(struct p
usb_remove_hcd(hcd);
ohci_nxp_stop_hc();
usb_put_hcd(hcd);
- clk_disable_unprepare(usb_host_clk);
isp1301_i2c_client = NULL;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 642/737] usb: ohci-nxp: fix device leak on probe failure
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (640 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 641/737] usb: ohci-nxp: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 643/737] scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error Greg Kroah-Hartman
` (105 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Johan Hovold, Alan Stern,
Vladimir Zapolskiy, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit b4c61e542faf8c9131d69ecfc3ad6de96d1b2ab8 ]
Make sure to drop the reference taken when looking up the PHY I2C device
during probe on probe failure (e.g. probe deferral) and on driver
unbind.
Fixes: 73108aa90cbf ("USB: ohci-nxp: Use isp1301 driver")
Cc: stable@vger.kernel.org # 3.5
Reported-by: Ma Ke <make24@iscas.ac.cn>
Link: https://lore.kernel.org/lkml/20251117013428.21840-1-make24@iscas.ac.cn/
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/ohci-nxp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/host/ohci-nxp.c
+++ b/drivers/usb/host/ohci-nxp.c
@@ -223,6 +223,7 @@ static int ohci_hcd_nxp_probe(struct pla
fail_resource:
usb_put_hcd(hcd);
fail_disable:
+ put_device(&isp1301_i2c_client->dev);
isp1301_i2c_client = NULL;
return ret;
}
@@ -234,6 +235,7 @@ static void ohci_hcd_nxp_remove(struct p
usb_remove_hcd(hcd);
ohci_nxp_stop_hc();
usb_put_hcd(hcd);
+ put_device(&isp1301_i2c_client->dev);
isp1301_i2c_client = NULL;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 643/737] scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (641 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 642/737] usb: ohci-nxp: fix device leak on probe failure Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 644/737] mptcp: pm: ignore unknown endpoint flags Greg Kroah-Hartman
` (104 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Seunghwan Baek, Peter Wang,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seunghwan Baek <sh8267.baek@samsung.com>
[ Upstream commit c9f36f04a8a2725172cdf2b5e32363e4addcb14c ]
If UFS resume fails, the event history is updated in ufshcd_resume(), but
there is no code anywhere to record UFS suspend. Therefore, add code to
record UFS suspend error event history.
Fixes: dd11376b9f1b ("scsi: ufs: Split the drivers/scsi/ufs directory")
Cc: stable@vger.kernel.org
Signed-off-by: Seunghwan Baek <sh8267.baek@samsung.com>
Reviewed-by: Peter Wang <peter.wang@mediatek.com>
Link: https://patch.msgid.link/20251210063854.1483899-2-sh8267.baek@samsung.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ufs/core/ufshcd.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -10182,7 +10182,7 @@ static int ufshcd_suspend(struct ufs_hba
ret = ufshcd_setup_clocks(hba, false);
if (ret) {
ufshcd_enable_irq(hba);
- return ret;
+ goto out;
}
if (ufshcd_is_clkgating_allowed(hba)) {
hba->clk_gating.state = CLKS_OFF;
@@ -10193,6 +10193,9 @@ static int ufshcd_suspend(struct ufs_hba
ufshcd_vreg_set_lpm(hba);
/* Put the host controller in low power mode if possible */
ufshcd_hba_vreg_set_lpm(hba);
+out:
+ if (ret)
+ ufshcd_update_evt_hist(hba, UFS_EVT_SUSPEND_ERR, (u32)ret);
return ret;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 644/737] mptcp: pm: ignore unknown endpoint flags
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (642 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 643/737] scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 645/737] f2fs: use f2fs_err_ratelimited() to avoid redundant logs Greg Kroah-Hartman
` (103 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 0ace3297a7301911e52d8195cb1006414897c859 ]
Before this patch, the kernel was saving any flags set by the userspace,
even unknown ones. This doesn't cause critical issues because the kernel
is only looking at specific ones. But on the other hand, endpoints dumps
could tell the userspace some recent flags seem to be supported on older
kernel versions.
Instead, ignore all unknown flags when parsing them. By doing that, the
userspace can continue to set unsupported flags, but it has a way to
verify what is supported by the kernel.
Note that it sounds better to continue accepting unsupported flags not
to change the behaviour, but also that eases things on the userspace
side by adding "optional" endpoint types only supported by newer kernel
versions without having to deal with the different kernel versions.
A note for the backports: there will be conflicts in mptcp.h on older
versions not having the mentioned flags, the new line should still be
added last, and the '5' needs to be adapted to have the same value as
the last entry.
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-1-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ GENMASK(5, 0) => GENMASK(4, 0) + context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/mptcp.h | 1 +
net/mptcp/pm_netlink.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
--- a/include/uapi/linux/mptcp.h
+++ b/include/uapi/linux/mptcp.h
@@ -88,6 +88,7 @@ enum {
#define MPTCP_PM_ADDR_FLAG_BACKUP (1 << 2)
#define MPTCP_PM_ADDR_FLAG_FULLMESH (1 << 3)
#define MPTCP_PM_ADDR_FLAG_IMPLICIT (1 << 4)
+#define MPTCP_PM_ADDR_FLAGS_MASK GENMASK(4, 0)
enum {
MPTCP_PM_CMD_UNSPEC,
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1435,7 +1435,8 @@ int mptcp_pm_parse_entry(struct nlattr *
}
if (tb[MPTCP_PM_ADDR_ATTR_FLAGS])
- entry->flags = nla_get_u32(tb[MPTCP_PM_ADDR_ATTR_FLAGS]);
+ entry->flags = nla_get_u32(tb[MPTCP_PM_ADDR_ATTR_FLAGS]) &
+ MPTCP_PM_ADDR_FLAGS_MASK;
if (tb[MPTCP_PM_ADDR_ATTR_PORT])
entry->addr.port = htons(nla_get_u16(tb[MPTCP_PM_ADDR_ATTR_PORT]));
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 645/737] f2fs: use f2fs_err_ratelimited() to avoid redundant logs
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (643 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 644/737] mptcp: pm: ignore unknown endpoint flags Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 646/737] f2fs: fix to avoid potential deadlock Greg Kroah-Hartman
` (102 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 0b8eb814e05885cde53c1d56ee012a029b8413e6 ]
Use f2fs_err_ratelimited() to instead f2fs_err() in
f2fs_record_stop_reason() and f2fs_record_errors() to
avoid redundant logs.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: ca8b201f2854 ("f2fs: fix to avoid potential deadlock")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4054,7 +4054,9 @@ static void f2fs_record_stop_reason(stru
f2fs_up_write(&sbi->sb_lock);
if (err)
- f2fs_err(sbi, "f2fs_commit_super fails to record err:%d", err);
+ f2fs_err_ratelimited(sbi,
+ "f2fs_commit_super fails to record stop_reason, err:%d",
+ err);
}
void f2fs_save_errors(struct f2fs_sb_info *sbi, unsigned char flag)
@@ -4097,8 +4099,9 @@ static void f2fs_record_errors(struct f2
err = f2fs_commit_super(sbi, false);
if (err)
- f2fs_err(sbi, "f2fs_commit_super fails to record errors:%u, err:%d",
- error, err);
+ f2fs_err_ratelimited(sbi,
+ "f2fs_commit_super fails to record errors:%u, err:%d",
+ error, err);
out_unlock:
f2fs_up_write(&sbi->sb_lock);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 646/737] f2fs: fix to avoid potential deadlock
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (644 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 645/737] f2fs: use f2fs_err_ratelimited() to avoid redundant logs Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 647/737] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap Greg Kroah-Hartman
` (101 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+14b90e1156b9f6fc1266,
Jiaming Zhang, Chao Yu, Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit ca8b201f28547e28343a6f00a6e91fa8c09572fe ]
As Jiaming Zhang and syzbot reported, there is potential deadlock in
f2fs as below:
Chain exists of:
&sbi->cp_rwsem --> fs_reclaim --> sb_internal#2
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(sb_internal#2);
lock(fs_reclaim);
lock(sb_internal#2);
rlock(&sbi->cp_rwsem);
*** DEADLOCK ***
3 locks held by kswapd0/73:
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:7015 [inline]
#0: ffffffff8e247a40 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x951/0x2800 mm/vmscan.c:7389
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_trylock_shared fs/super.c:562 [inline]
#1: ffff8880118400e0 (&type->s_umount_key#50){.+.+}-{4:4}, at: super_cache_scan+0x91/0x4b0 fs/super.c:197
#2: ffff888011840610 (sb_internal#2){.+.+}-{0:0}, at: f2fs_evict_inode+0x8d9/0x1b60 fs/f2fs/inode.c:890
stack backtrace:
CPU: 0 UID: 0 PID: 73 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_read+0x46/0x2e0 kernel/locking/rwsem.c:1537
f2fs_down_read fs/f2fs/f2fs.h:2278 [inline]
f2fs_lock_op fs/f2fs/f2fs.h:2357 [inline]
f2fs_do_truncate_blocks+0x21c/0x10c0 fs/f2fs/file.c:791
f2fs_truncate_blocks+0x10a/0x300 fs/f2fs/file.c:867
f2fs_truncate+0x489/0x7c0 fs/f2fs/file.c:925
f2fs_evict_inode+0x9f2/0x1b60 fs/f2fs/inode.c:897
evict+0x504/0x9c0 fs/inode.c:810
f2fs_evict_inode+0x1dc/0x1b60 fs/f2fs/inode.c:853
evict+0x504/0x9c0 fs/inode.c:810
dispose_list fs/inode.c:852 [inline]
prune_icache_sb+0x21b/0x2c0 fs/inode.c:1000
super_cache_scan+0x39b/0x4b0 fs/super.c:224
do_shrink_slab+0x6ef/0x1110 mm/shrinker.c:437
shrink_slab_memcg mm/shrinker.c:550 [inline]
shrink_slab+0x7ef/0x10d0 mm/shrinker.c:628
shrink_one+0x28a/0x7c0 mm/vmscan.c:4955
shrink_many mm/vmscan.c:5016 [inline]
lru_gen_shrink_node mm/vmscan.c:5094 [inline]
shrink_node+0x315d/0x3780 mm/vmscan.c:6081
kswapd_shrink_node mm/vmscan.c:6941 [inline]
balance_pgdat mm/vmscan.c:7124 [inline]
kswapd+0x147c/0x2800 mm/vmscan.c:7389
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The root cause is deadlock among four locks as below:
kswapd
- fs_reclaim --- Lock A
- shrink_one
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- iput
- evict
- f2fs_evict_inode
- sb_start_intwrite --- Lock B
- f2fs_truncate
- f2fs_truncate_blocks
- f2fs_do_truncate_blocks
- f2fs_lock_op --- Lock C
ioctl
- f2fs_ioc_commit_atomic_write
- f2fs_lock_op --- Lock C
- __f2fs_commit_atomic_write
- __replace_atomic_write_block
- f2fs_get_dnode_of_data
- __get_node_folio
- f2fs_check_nid_range
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
open
- do_open
- do_truncate
- security_inode_need_killpriv
- f2fs_getxattr
- lookup_all_xattrs
- f2fs_handle_error
- f2fs_record_errors
- f2fs_down_write --- Lock D
- f2fs_commit_super
- read_mapping_folio
- filemap_alloc_folio_noprof
- prepare_alloc_pages
- fs_reclaim_acquire --- Lock A
In order to avoid such deadlock, we need to avoid grabbing sb_lock in
f2fs_handle_error(), so, let's use asynchronous method instead:
- remove f2fs_handle_error() implementation
- rename f2fs_handle_error_async() to f2fs_handle_error()
- spread f2fs_handle_error()
Fixes: 95fa90c9e5a7 ("f2fs: support recording errors into superblock")
Cc: stable@kernel.org
Reported-by: syzbot+14b90e1156b9f6fc1266@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/68eae49b.050a0220.ac43.0001.GAE@google.com
Reported-by: Jiaming Zhang <r772577952@gmail.com>
Closes: https://lore.kernel.org/lkml/CANypQFa-Gy9sD-N35o3PC+FystOWkNuN8pv6S75HLT0ga-Tzgw@mail.gmail.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/compress.c | 5 +----
fs/f2fs/f2fs.h | 1 -
fs/f2fs/super.c | 41 -----------------------------------------
3 files changed, 1 insertion(+), 46 deletions(-)
--- a/fs/f2fs/compress.c
+++ b/fs/f2fs/compress.c
@@ -754,10 +754,7 @@ void f2fs_decompress_cluster(struct deco
ret = -EFSCORRUPTED;
/* Avoid f2fs_commit_super in irq context */
- if (!in_task)
- f2fs_handle_error_async(sbi, ERROR_FAIL_DECOMPRESSION);
- else
- f2fs_handle_error(sbi, ERROR_FAIL_DECOMPRESSION);
+ f2fs_handle_error(sbi, ERROR_FAIL_DECOMPRESSION);
goto out_release;
}
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -3638,7 +3638,6 @@ void f2fs_quota_off_umount(struct super_
void f2fs_save_errors(struct f2fs_sb_info *sbi, unsigned char flag);
void f2fs_handle_critical_error(struct f2fs_sb_info *sbi, unsigned char reason);
void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error);
-void f2fs_handle_error_async(struct f2fs_sb_info *sbi, unsigned char error);
int f2fs_commit_super(struct f2fs_sb_info *sbi, bool recover);
int f2fs_sync_fs(struct super_block *sb, int sync);
int f2fs_sanity_check_ckpt(struct f2fs_sb_info *sbi);
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4071,50 +4071,9 @@ void f2fs_save_errors(struct f2fs_sb_inf
spin_unlock_irqrestore(&sbi->error_lock, flags);
}
-static bool f2fs_update_errors(struct f2fs_sb_info *sbi)
-{
- unsigned long flags;
- bool need_update = false;
-
- spin_lock_irqsave(&sbi->error_lock, flags);
- if (sbi->error_dirty) {
- memcpy(F2FS_RAW_SUPER(sbi)->s_errors, sbi->errors,
- MAX_F2FS_ERRORS);
- sbi->error_dirty = false;
- need_update = true;
- }
- spin_unlock_irqrestore(&sbi->error_lock, flags);
-
- return need_update;
-}
-
-static void f2fs_record_errors(struct f2fs_sb_info *sbi, unsigned char error)
-{
- int err;
-
- f2fs_down_write(&sbi->sb_lock);
-
- if (!f2fs_update_errors(sbi))
- goto out_unlock;
-
- err = f2fs_commit_super(sbi, false);
- if (err)
- f2fs_err_ratelimited(sbi,
- "f2fs_commit_super fails to record errors:%u, err:%d",
- error, err);
-out_unlock:
- f2fs_up_write(&sbi->sb_lock);
-}
-
void f2fs_handle_error(struct f2fs_sb_info *sbi, unsigned char error)
{
f2fs_save_errors(sbi, error);
- f2fs_record_errors(sbi, error);
-}
-
-void f2fs_handle_error_async(struct f2fs_sb_info *sbi, unsigned char error)
-{
- f2fs_save_errors(sbi, error);
if (!sbi->error_dirty)
return;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 647/737] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (645 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 646/737] f2fs: fix to avoid potential deadlock Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 648/737] gpiolib: acpi: Add quirk for Dell Precision 7780 Greg Kroah-Hartman
` (100 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 27d17641cacfedd816789b75d342430f6b912bd2 ]
>>From RFC 8881:
5.8.1.14. Attribute 75: suppattr_exclcreat
> The bit vector that would set all REQUIRED and RECOMMENDED
> attributes that are supported by the EXCLUSIVE4_1 method of file
> creation via the OPEN operation. The scope of this attribute
> applies to all objects with a matching fsid.
There's nothing in RFC 8881 that states that suppattr_exclcreat is
or is not allowed to contain bits for attributes that are clear in
the reported supported_attrs bitmask. But it doesn't make sense for
an NFS server to indicate that it /doesn't/ implement an attribute,
but then also indicate that clients /are/ allowed to set that
attribute using OPEN(create) with EXCLUSIVE4_1.
Ensure that the SECURITY_LABEL and ACL bits are not set in the
suppattr_exclcreat bitmask when they are also not set in the
supported_attrs bitmask.
Fixes: 8c18f2052e75 ("nfsd41: SUPPATTR_EXCLCREAT attribute")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4xdr.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3419,6 +3419,11 @@ out_acl:
u32 supp[3];
memcpy(supp, nfsd_suppattrs[minorversion], sizeof(supp));
+ if (!IS_POSIXACL(d_inode(dentry)))
+ supp[0] &= ~FATTR4_WORD0_ACL;
+ if (!contextsupport)
+ supp[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+
supp[0] &= NFSD_SUPPATTR_EXCLCREAT_WORD0;
supp[1] &= NFSD_SUPPATTR_EXCLCREAT_WORD1;
supp[2] &= NFSD_SUPPATTR_EXCLCREAT_WORD2;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 648/737] gpiolib: acpi: Add quirk for Dell Precision 7780
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (646 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 647/737] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 649/737] ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Greg Kroah-Hartman
` (99 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Askar Safin,
Bartosz Golaszewski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Askar Safin <safinaskar@gmail.com>
[ Upstream commit 2d967310c49ed93ac11cef408a55ddf15c3dd52e ]
Dell Precision 7780 often wakes up on its own from suspend. Sometimes
wake up happens immediately (i. e. within 7 seconds), sometimes it happens
after, say, 30 minutes.
Fixes: 1796f808e4bb ("HID: i2c-hid: acpi: Stop setting wakeup_capable")
Link: https://lore.kernel.org/linux-i2c/197ae95ffd8.dc819e60457077.7692120488609091556@zohomail.com/
Cc: stable@vger.kernel.org
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Askar Safin <safinaskar@gmail.com>
Link: https://lore.kernel.org/r/20251206180414.3183334-2-safinaskar@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
[ adapted quirk entry location from gpiolib-acpi-quirks.c to gpiolib-acpi.c ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -1720,6 +1720,28 @@ static const struct dmi_system_id gpioli
.ignore_interrupt = "AMDI0030:00@11",
},
},
+ {
+ /*
+ * Spurious wakeups, likely from touchpad controller
+ * Dell Precision 7780
+ * Found in BIOS 1.24.1
+ *
+ * Found in touchpad firmware, installed by Dell Touchpad Firmware Update Utility version 1160.4196.9, A01
+ * ( Dell-Touchpad-Firmware-Update-Utility_VYGNN_WIN64_1160.4196.9_A00.EXE ),
+ * released on 11 Jul 2024
+ *
+ * https://lore.kernel.org/linux-i2c/197ae95ffd8.dc819e60457077.7692120488609091556@zohomail.com/
+ */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_FAMILY, "Precision"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Precision 7780"),
+ DMI_MATCH(DMI_BOARD_NAME, "0C6JVW"),
+ },
+ .driver_data = &(struct acpi_gpiolib_dmi_quirk) {
+ .ignore_wake = "VEN_0488:00@355",
+ },
+ },
{} /* Terminating entry */
};
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 649/737] ARM: dts: microchip: sama7g5: fix uart fifo size to 32
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (647 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 648/737] gpiolib: acpi: Add quirk for Dell Precision 7780 Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 650/737] svcrdma: bound check rq_pages index in inline path Greg Kroah-Hartman
` (98 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Ferre, Claudiu Beznea,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Ferre <nicolas.ferre@microchip.com>
[ Upstream commit 5654889a94b0de5ad6ceae3793e7f5e0b61b50b6 ]
On some flexcom nodes related to uart, the fifo sizes were wrong: fix
them to 32 data.
Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek")
Cc: stable@vger.kernel.org # 5.15+
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20251114103313.20220-2-nicolas.ferre@microchip.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/microchip/sama7g5.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm/boot/dts/microchip/sama7g5.dtsi
+++ b/arch/arm/boot/dts/microchip/sama7g5.dtsi
@@ -811,7 +811,7 @@
dma-names = "tx", "rx";
atmel,use-dma-rx;
atmel,use-dma-tx;
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
};
@@ -837,7 +837,7 @@
dma-names = "tx", "rx";
atmel,use-dma-rx;
atmel,use-dma-tx;
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
};
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 650/737] svcrdma: bound check rq_pages index in inline path
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (648 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 649/737] ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 651/737] fuse: fix readahead reclaim deadlock Greg Kroah-Hartman
` (97 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
[ Upstream commit d1bea0ce35b6095544ee82bb54156fc62c067e58 ]
svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without
verifying rc_curpage stays within the allocated page array. Add guards
before the first use and after advancing to a new page.
Fixes: d7cc73972661 ("svcrdma: support multiple Read chunks per RPC")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ adapted rc_curpage and rq_maxpages fields to ri_pageno and RPCSVC_MAXPAGES constant ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprtrdma/svc_rdma_rw.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -815,6 +815,9 @@ static int svc_rdma_copy_inline_range(st
for (page_no = 0; page_no < numpages; page_no++) {
unsigned int page_len;
+ if (info->ri_pageno >= RPCSVC_MAXPAGES)
+ return -EINVAL;
+
page_len = min_t(unsigned int, remaining,
PAGE_SIZE - info->ri_pageoff);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 651/737] fuse: fix readahead reclaim deadlock
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (649 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 650/737] svcrdma: bound check rq_pages index in inline path Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 652/737] PCI: brcmstb: Fix disabling L0s capability Greg Kroah-Hartman
` (96 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, Omar Sandoval,
Miklos Szeredi, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
[ Upstream commit bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 ]
Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is
needed") skips allocating ff->release_args if the server does not
implement open. However in doing so, fuse_prepare_release() now skips
grabbing the reference on the inode, which makes it possible for an
inode to be evicted from the dcache while there are inflight readahead
requests. This causes a deadlock if the server triggers reclaim while
servicing the readahead request and reclaim attempts to evict the inode
of the file being read ahead. Since the folio is locked during
readahead, when reclaim evicts the fuse inode and fuse_evict_inode()
attempts to remove all folios associated with the inode from the page
cache (truncate_inode_pages_range()), reclaim will block forever waiting
for the lock since readahead cannot relinquish the lock because it is
itself blocked in reclaim:
>>> stack_trace(1504735)
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
dentry_unlink_inode (fs/dcache.c:412:3)
__dentry_kill (fs/dcache.c:615:3)
shrink_kill (fs/dcache.c:1060:12)
shrink_dentry_list (fs/dcache.c:1087:3)
prune_dcache_sb (fs/dcache.c:1168:2)
super_cache_scan (fs/super.c:221:10)
do_shrink_slab (mm/shrinker.c:435:9)
shrink_slab (mm/shrinker.c:626:10)
shrink_node (mm/vmscan.c:5951:2)
shrink_zones (mm/vmscan.c:6195:3)
do_try_to_free_pages (mm/vmscan.c:6257:3)
do_swap_page (mm/memory.c:4136:11)
handle_pte_fault (mm/memory.c:5562:10)
handle_mm_fault (mm/memory.c:5870:9)
do_user_addr_fault (arch/x86/mm/fault.c:1338:10)
handle_page_fault (arch/x86/mm/fault.c:1481:3)
exc_page_fault (arch/x86/mm/fault.c:1539:2)
asm_exc_page_fault+0x22/0x27
Fix this deadlock by allocating ff->release_args and grabbing the
reference on the inode when preparing the file for release even if the
server does not implement open. The inode reference will be dropped when
the last reference on the fuse file is dropped (see fuse_file_put() ->
fuse_release_end()).
Fixes: e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed")
Cc: stable@vger.kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Reported-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/file.c | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -113,7 +113,9 @@ static void fuse_file_put(struct fuse_fi
struct fuse_args *args = (ra ? &ra->args : NULL);
if (!args) {
- /* Do nothing when server does not implement 'open' */
+ /* Do nothing when server does not implement 'opendir' */
+ } else if (args->opcode == FUSE_RELEASE && ff->fm->fc->no_open) {
+ fuse_release_end(ff->fm, args, 0);
} else if (sync) {
fuse_simple_request(ff->fm, args);
fuse_release_end(ff->fm, args, 0);
@@ -134,8 +136,17 @@ struct fuse_file *fuse_file_open(struct
struct fuse_file *ff;
int opcode = isdir ? FUSE_OPENDIR : FUSE_OPEN;
bool open = isdir ? !fc->no_opendir : !fc->no_open;
+ bool release = !isdir || open;
- ff = fuse_file_alloc(fm, open);
+ /*
+ * ff->args->release_args still needs to be allocated (so we can hold an
+ * inode reference while there are pending inflight file operations when
+ * ->release() is called, see fuse_prepare_release()) even if
+ * fc->no_open is set else it becomes possible for reclaim to deadlock
+ * if while servicing the readahead request the server triggers reclaim
+ * and reclaim evicts the inode of the file being read ahead.
+ */
+ ff = fuse_file_alloc(fm, release);
if (!ff)
return ERR_PTR(-ENOMEM);
@@ -154,13 +165,14 @@ struct fuse_file *fuse_file_open(struct
fuse_file_free(ff);
return ERR_PTR(err);
} else {
- /* No release needed */
- kfree(ff->release_args);
- ff->release_args = NULL;
- if (isdir)
+ if (isdir) {
+ /* No release needed */
+ kfree(ff->release_args);
+ ff->release_args = NULL;
fc->no_opendir = 1;
- else
+ } else {
fc->no_open = 1;
+ }
}
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 652/737] PCI: brcmstb: Fix disabling L0s capability
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (650 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 651/737] fuse: fix readahead reclaim deadlock Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 653/737] mptcp: fallback earlier on simult connection Greg Kroah-Hartman
` (95 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Jim Quinlan,
Manivannan Sadhasivam, Florian Fainelli, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Quinlan <james.quinlan@broadcom.com>
[ Upstream commit 9583f9d22991d2cfb5cc59a2552040c4ae98d998 ]
caab002d5069 ("PCI: brcmstb: Disable L0s component of ASPM if requested")
set PCI_EXP_LNKCAP_ASPM_L1 and (optionally) PCI_EXP_LNKCAP_ASPM_L0S in
PCI_EXP_LNKCAP (aka PCIE_RC_CFG_PRIV1_LINK_CAPABILITY in brcmstb).
But instead of using PCI_EXP_LNKCAP_ASPM_L1 and PCI_EXP_LNKCAP_ASPM_L0S
directly, it used PCIE_LINK_STATE_L1 and PCIE_LINK_STATE_L0S, which are
Linux-created values that only coincidentally matched the PCIe spec.
b478e162f227 ("PCI/ASPM: Consolidate link state defines") later changed
them so they no longer matched the PCIe spec, so the bits ended up in the
wrong place in PCI_EXP_LNKCAP.
Use PCI_EXP_LNKCAP_ASPM_L0S to clear L0s support when there's an
'aspm-no-l0s' property. Rely on brcmstb hardware to advertise L0s and/or
L1 support otherwise.
Fixes: caab002d5069 ("PCI: brcmstb: Disable L0s component of ASPM if requested")
Reported-by: Bjorn Helgaas <bhelgaas@google.com>
Closes: https://lore.kernel.org/linux-pci/20250925194424.GA2197200@bhelgaas
Signed-off-by: Jim Quinlan <james.quinlan@broadcom.com>
[mani: reworded subject and description, added closes tag and CCed stable]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
[bhelgaas: commit log]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251003170436.1446030-1-james.quinlan@broadcom.com
[ adapted context due to missing link width negotiation defines and variables ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-brcmstb.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
--- a/drivers/pci/controller/pcie-brcmstb.c
+++ b/drivers/pci/controller/pcie-brcmstb.c
@@ -46,7 +46,6 @@
#define PCIE_RC_CFG_PRIV1_ID_VAL3_CLASS_CODE_MASK 0xffffff
#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY 0x04dc
-#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_ASPM_SUPPORT_MASK 0xc00
#define PCIE_RC_DL_MDIO_ADDR 0x1100
#define PCIE_RC_DL_MDIO_WR_DATA 0x1104
@@ -867,7 +866,7 @@ static int brcm_pcie_setup(struct brcm_p
void __iomem *base = pcie->base;
struct pci_host_bridge *bridge;
struct resource_entry *entry;
- u32 tmp, burst, aspm_support;
+ u32 tmp, burst;
int num_out_wins = 0;
int ret, memc;
@@ -971,12 +970,9 @@ static int brcm_pcie_setup(struct brcm_p
writel(tmp, base + PCIE_MISC_RC_BAR3_CONFIG_LO);
/* Don't advertise L0s capability if 'aspm-no-l0s' */
- aspm_support = PCIE_LINK_STATE_L1;
- if (!of_property_read_bool(pcie->np, "aspm-no-l0s"))
- aspm_support |= PCIE_LINK_STATE_L0S;
tmp = readl(base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
- u32p_replace_bits(&tmp, aspm_support,
- PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_ASPM_SUPPORT_MASK);
+ if (of_property_read_bool(pcie->np, "aspm-no-l0s"))
+ tmp &= ~PCI_EXP_LNKCAP_ASPM_L0S;
writel(tmp, base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
/*
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 653/737] mptcp: fallback earlier on simult connection
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (651 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 652/737] PCI: brcmstb: Fix disabling L0s capability Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 654/737] lockd: fix vfs_test_lock() calls Greg Kroah-Hartman
` (94 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0ff6b771b4f7a5bce83b,
Paolo Abeni, Matthieu Baerts (NGI0), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 71154bbe49423128c1c8577b6576de1ed6836830 ]
Syzkaller reports a simult-connect race leading to inconsistent fallback
status:
WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Modules linked in:
CPU: 3 UID: 0 PID: 33 Comm: ksoftirqd/3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515
Code: 89 ee e8 78 61 3c f6 40 84 ed 75 21 e8 8e 66 3c f6 44 89 fe bf 07 00 00 00 e8 c1 61 3c f6 41 83 ff 07 74 09 e8 76 66 3c f6 90 <0f> 0b 90 e8 6d 66 3c f6 48 89 df e8 e5 ad ff ff 31 ff 89 c5 89 c6
RSP: 0018:ffffc900006cf338 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888031acd100 RCX: ffffffff8b7f2abf
RDX: ffff88801e6ea440 RSI: ffffffff8b7f2aca RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000007
R10: 0000000000000004 R11: 0000000000002c10 R12: ffff88802ba69900
R13: 1ffff920000d9e67 R14: ffff888046f81800 R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880d69bc000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560fc0ca1670 CR3: 0000000032c3a000 CR4: 0000000000352ef0
Call Trace:
<TASK>
tcp_data_queue+0x13b0/0x4f90 net/ipv4/tcp_input.c:5197
tcp_rcv_state_process+0xfdf/0x4ec0 net/ipv4/tcp_input.c:6922
tcp_v6_do_rcv+0x492/0x1740 net/ipv6/tcp_ipv6.c:1672
tcp_v6_rcv+0x2976/0x41e0 net/ipv6/tcp_ipv6.c:1918
ip6_protocol_deliver_rcu+0x188/0x1520 net/ipv6/ip6_input.c:438
ip6_input_finish+0x1e4/0x4b0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ip6_input+0x105/0x2f0 net/ipv6/ip6_input.c:500
dst_input include/net/dst.h:471 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
NF_HOOK include/linux/netfilter.h:318 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x264/0x650 net/ipv6/ip6_input.c:311
__netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:5979
__netif_receive_skb+0x1d/0x160 net/core/dev.c:6092
process_backlog+0x442/0x15e0 net/core/dev.c:6444
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7494
napi_poll net/core/dev.c:7557 [inline]
net_rx_action+0xa9f/0xfe0 net/core/dev.c:7684
handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
run_ksoftirqd kernel/softirq.c:968 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:960
smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
kthread+0x3c2/0x780 kernel/kthread.c:463
ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
The TCP subflow can process the simult-connect syn-ack packet after
transitioning to TCP_FIN1 state, bypassing the MPTCP fallback check,
as the sk_state_change() callback is not invoked for * -> FIN_WAIT1
transitions.
That will move the msk socket to an inconsistent status and the next
incoming data will hit the reported splat.
Close the race moving the simult-fallback check at the earliest possible
stage - that is at syn-ack generation time.
About the fixes tags: [2] was supposed to also fix this issue introduced
by [3]. [1] is required as a dependence: it was not explicitly marked as
a fix, but it is one and it has already been backported before [3]. In
other words, this commit should be backported up to [3], including [2]
and [1] if that's not already there.
Fixes: 23e89e8ee7be ("tcp: Don't drop SYN+ACK for simultaneous connect().") [1]
Fixes: 4fd19a307016 ("mptcp: fix inconsistent state on fastopen race") [2]
Fixes: 1e777f39b4d7 ("mptcp: add MSG_FASTOPEN sendmsg flag support") [3]
Cc: stable@vger.kernel.org
Reported-by: syzbot+0ff6b771b4f7a5bce83b@syzkaller.appspotmail.com
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/586
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251212-net-mptcp-subflow_data_ready-warn-v1-1-d1f9fd1c36c8@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ adapted mptcp_try_fallback() call ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/options.c | 10 ++++++++++
net/mptcp/protocol.h | 6 ++----
net/mptcp/subflow.c | 10 +---------
3 files changed, 13 insertions(+), 13 deletions(-)
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -408,6 +408,16 @@ bool mptcp_syn_options(struct sock *sk,
*/
subflow->snd_isn = TCP_SKB_CB(skb)->end_seq;
if (subflow->request_mptcp) {
+ if (unlikely(subflow_simultaneous_connect(sk))) {
+ WARN_ON_ONCE(!mptcp_try_fallback(sk));
+
+ /* Ensure mptcp_finish_connect() will not process the
+ * MPC handshake.
+ */
+ subflow->request_mptcp = 0;
+ return false;
+ }
+
opts->suboptions = OPTION_MPTCP_MPC_SYN;
opts->csum_reqd = mptcp_is_checksum_enabled(sock_net(sk));
opts->allow_join_id0 = mptcp_allow_join_id0(sock_net(sk));
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -1175,10 +1175,8 @@ static inline bool subflow_simultaneous_
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
- return (1 << sk->sk_state) &
- (TCPF_ESTABLISHED | TCPF_FIN_WAIT1 | TCPF_FIN_WAIT2 | TCPF_CLOSING) &&
- is_active_ssk(subflow) &&
- !subflow->conn_finished;
+ /* Note that the sk state implies !subflow->conn_finished. */
+ return sk->sk_state == TCP_SYN_RECV && is_active_ssk(subflow);
}
#ifdef CONFIG_SYN_COOKIES
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1793,18 +1793,10 @@ static void subflow_state_change(struct
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
struct sock *parent = subflow->conn;
- struct mptcp_sock *msk;
+ struct mptcp_sock *msk = mptcp_sk(parent);
__subflow_state_change(sk);
- msk = mptcp_sk(parent);
- if (subflow_simultaneous_connect(sk)) {
- WARN_ON_ONCE(!mptcp_try_fallback(sk));
- pr_fallback(msk);
- subflow->conn_finished = 1;
- mptcp_propagate_state(parent, sk, subflow, NULL);
- }
-
/* as recvmsg() does not acquire the subflow socket for ssk selection
* a fin packet carrying a DSS can be unnoticed if we don't trigger
* the data available machinery here.
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 654/737] lockd: fix vfs_test_lock() calls
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (652 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 653/737] mptcp: fallback earlier on simult connection Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 655/737] wifi: mac80211: Discard Beacon frames to non-broadcast address Greg Kroah-Hartman
` (93 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, NeilBrown,
Jeff Layton, Chuck Lever, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
[ Upstream commit a49a2a1baa0c553c3548a1c414b6a3c005a8deba ]
Usage of vfs_test_lock() is somewhat confused. Documentation suggests
it is given a "lock" but this is not the case. It is given a struct
file_lock which contains some details of the sort of lock it should be
looking for.
In particular passing a "file_lock" containing fl_lmops or fl_ops is
meaningless and possibly confusing.
This is particularly problematic in lockd. nlmsvc_testlock() receives
an initialised "file_lock" from xdr-decode, including manager ops and an
owner. It then mistakenly passes this to vfs_test_lock() which might
replace the owner and the ops. This can lead to confusion when freeing
the lock.
The primary role of the 'struct file_lock' passed to vfs_test_lock() is
to report a conflicting lock that was found, so it makes more sense for
nlmsvc_testlock() to pass "conflock", which it uses for returning the
conflicting lock.
With this change, freeing of the lock is not confused and code in
__nlm4svc_proc_test() and __nlmsvc_proc_test() can be simplified.
Documentation for vfs_test_lock() is improved to reflect its real
purpose, and a WARN_ON_ONCE() is added to avoid a similar problem in the
future.
Reported-by: Olga Kornievskaia <okorniev@redhat.com>
Closes: https://lore.kernel.org/all/20251021130506.45065-1-okorniev@redhat.com
Signed-off-by: NeilBrown <neil@brown.name>
Fixes: 20fa19027286 ("nfs: add export operations")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ adapted fl->c.flc_* field references to flat fl->fl_* naming convention ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/lockd/svc4proc.c | 4 +---
fs/lockd/svclock.c | 21 ++++++++++++---------
fs/lockd/svcproc.c | 5 +----
fs/locks.c | 12 ++++++++++--
4 files changed, 24 insertions(+), 18 deletions(-)
--- a/fs/lockd/svc4proc.c
+++ b/fs/lockd/svc4proc.c
@@ -96,7 +96,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
struct nlm_args *argp = rqstp->rq_argp;
struct nlm_host *host;
struct nlm_file *file;
- struct nlm_lockowner *test_owner;
__be32 rc = rpc_success;
dprintk("lockd: TEST4 called\n");
@@ -106,7 +105,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
if ((resp->status = nlm4svc_retrieve_args(rqstp, argp, &host, &file)))
return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
- test_owner = argp->lock.fl.fl_owner;
/* Now check for conflicting locks */
resp->status = nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie);
if (resp->status == nlm_drop_reply)
@@ -114,7 +112,7 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
else
dprintk("lockd: TEST4 status %d\n", ntohl(resp->status));
- nlmsvc_put_lockowner(test_owner);
+ nlmsvc_release_lockowner(&argp->lock);
nlmsvc_release_host(host);
nlm_release_file(file);
return rc;
--- a/fs/lockd/svclock.c
+++ b/fs/lockd/svclock.c
@@ -615,7 +615,13 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
}
mode = lock_to_openmode(&lock->fl);
- error = vfs_test_lock(file->f_file[mode], &lock->fl);
+ locks_init_lock(&conflock->fl);
+ /* vfs_test_lock only uses start, end, and owner, but tests fl_file */
+ conflock->fl.fl_file = lock->fl.fl_file;
+ conflock->fl.fl_start = lock->fl.fl_start;
+ conflock->fl.fl_end = lock->fl.fl_end;
+ conflock->fl.fl_owner = lock->fl.fl_owner;
+ error = vfs_test_lock(file->f_file[mode], &conflock->fl);
if (error) {
/* We can't currently deal with deferred test requests */
if (error == FILE_LOCK_DEFERRED)
@@ -625,22 +631,19 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
goto out;
}
- if (lock->fl.fl_type == F_UNLCK) {
+ if (conflock->fl.fl_type == F_UNLCK) {
ret = nlm_granted;
goto out;
}
dprintk("lockd: conflicting lock(ty=%d, %Ld-%Ld)\n",
- lock->fl.fl_type, (long long)lock->fl.fl_start,
- (long long)lock->fl.fl_end);
+ conflock->fl.fl_type, (long long)conflock->fl.fl_start,
+ (long long)conflock->fl.fl_end);
conflock->caller = "somehost"; /* FIXME */
conflock->len = strlen(conflock->caller);
conflock->oh.len = 0; /* don't return OH info */
- conflock->svid = lock->fl.fl_pid;
- conflock->fl.fl_type = lock->fl.fl_type;
- conflock->fl.fl_start = lock->fl.fl_start;
- conflock->fl.fl_end = lock->fl.fl_end;
- locks_release_private(&lock->fl);
+ conflock->svid = conflock->fl.fl_pid;
+ locks_release_private(&conflock->fl);
ret = nlm_lck_denied;
out:
--- a/fs/lockd/svcproc.c
+++ b/fs/lockd/svcproc.c
@@ -117,7 +117,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
struct nlm_args *argp = rqstp->rq_argp;
struct nlm_host *host;
struct nlm_file *file;
- struct nlm_lockowner *test_owner;
__be32 rc = rpc_success;
dprintk("lockd: TEST called\n");
@@ -127,8 +126,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
if ((resp->status = nlmsvc_retrieve_args(rqstp, argp, &host, &file)))
return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
- test_owner = argp->lock.fl.fl_owner;
-
/* Now check for conflicting locks */
resp->status = cast_status(nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie));
if (resp->status == nlm_drop_reply)
@@ -137,7 +134,7 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
dprintk("lockd: TEST status %d vers %d\n",
ntohl(resp->status), rqstp->rq_vers);
- nlmsvc_put_lockowner(test_owner);
+ nlmsvc_release_lockowner(&argp->lock);
nlmsvc_release_host(host);
nlm_release_file(file);
return rc;
--- a/fs/locks.c
+++ b/fs/locks.c
@@ -2124,13 +2124,21 @@ SYSCALL_DEFINE2(flock, unsigned int, fd,
/**
* vfs_test_lock - test file byte range lock
* @filp: The file to test lock for
- * @fl: The lock to test; also used to hold result
+ * @fl: The byte-range in the file to test; also used to hold result
*
+ * On entry, @fl does not contain a lock, but identifies a range (fl_start, fl_end)
+ * in the file (c.flc_file), and an owner (c.flc_owner) for whom existing locks
+ * should be ignored. c.flc_type and c.flc_flags are ignored.
+ * Both fl_lmops and fl_ops in @fl must be NULL.
* Returns -ERRNO on failure. Indicates presence of conflicting lock by
- * setting conf->fl_type to something other than F_UNLCK.
+ * setting fl->fl_type to something other than F_UNLCK.
+ *
+ * If vfs_test_lock() does find a lock and return it, the caller must
+ * use locks_free_lock() or locks_release_private() on the returned lock.
*/
int vfs_test_lock(struct file *filp, struct file_lock *fl)
{
+ WARN_ON_ONCE(fl->fl_ops || fl->fl_lmops);
WARN_ON_ONCE(filp != fl->fl_file);
if (filp->f_op->lock)
return filp->f_op->lock(filp, F_GETLK, fl);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 655/737] wifi: mac80211: Discard Beacon frames to non-broadcast address
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (653 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 654/737] lockd: fix vfs_test_lock() calls Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 656/737] mm: simplify folio_expected_ref_count() Greg Kroah-Hartman
` (92 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jouni Malinen, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
[ Upstream commit 193d18f60588e95d62e0f82b6a53893e5f2f19f8 ]
Beacon frames are required to be sent to the broadcast address, see IEEE
Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame
shall be set to the broadcast address"). A unicast Beacon frame might be
used as a targeted attack to get one of the associated STAs to do
something (e.g., using CSA to move it to another channel). As such, it
is better have strict filtering for this on the received side and
discard all Beacon frames that are sent to an unexpected address.
This is even more important for cases where beacon protection is used.
The current implementation in mac80211 is correctly discarding unicast
Beacon frames if the Protected Frame bit in the Frame Control field is
set to 0. However, if that bit is set to 1, the logic used for checking
for configured BIGTK(s) does not actually work. If the driver does not
have logic for dropping unicast Beacon frames with Protected Frame bit
1, these frames would be accepted in mac80211 processing as valid Beacon
frames even though they are not protected. This would allow beacon
protection to be bypassed. While the logic for checking beacon
protection could be extended to cover this corner case, a more generic
check for discard all Beacon frames based on A1=unicast address covers
this without needing additional changes.
Address all these issues by dropping received Beacon frames if they are
sent to a non-broadcast address.
Cc: stable@vger.kernel.org
Fixes: af2d14b01c32 ("mac80211: Beacon protection using the new BIGTK (STA)")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Link: https://patch.msgid.link/20251215151134.104501-1-jouni.malinen@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ changed RX_DROP to RX_DROP_MONITOR ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/rx.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3388,6 +3388,11 @@ ieee80211_rx_h_mgmt_check(struct ieee802
rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
return RX_DROP_U_RUNT_ACTION;
+ /* Drop non-broadcast Beacon frames */
+ if (ieee80211_is_beacon(mgmt->frame_control) &&
+ !is_broadcast_ether_addr(mgmt->da))
+ return RX_DROP_MONITOR;
+
if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
ieee80211_is_beacon(mgmt->frame_control) &&
!(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 656/737] mm: simplify folio_expected_ref_count()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (654 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 655/737] wifi: mac80211: Discard Beacon frames to non-broadcast address Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 657/737] mm: consider non-anon swap cache folios in folio_expected_ref_count() Greg Kroah-Hartman
` (91 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Zi Yan,
Lorenzo Stoakes, Harry Yoo, Alistair Popple, Al Viro,
Arnd Bergmann, Brendan Jackman, Byungchul Park, Chengming Zhou,
Christian Brauner, Christophe Leroy, Eugenio Pé rez,
Gregory Price, Huang, Ying, Jan Kara, Jason Gunthorpe, Jason Wang,
Jerrin Shaji George, Johannes Weiner, John Hubbard,
Jonathan Corbet, Joshua Hahn, Liam Howlett, Madhavan Srinivasan,
Mathew Brost, Matthew Wilcox (Oracle), Miaohe Lin,
Michael Ellerman, Michael S. Tsirkin, Michal Hocko, Mike Rapoport,
Minchan Kim, Naoya Horiguchi, Nicholas Piggin, Oscar Salvador,
Peter Xu, Qi Zheng, Rakie Kim, Rik van Riel, Sergey Senozhatsky,
Shakeel Butt, Suren Baghdasaryan, Vlastimil Babka, Xuan Zhuo,
xu xin, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit 78cb1a13c42a6d843e21389f74d1edb90ed07288 ]
Now that PAGE_MAPPING_MOVABLE is gone, we can simplify and rely on the
folio_test_anon() test only.
... but staring at the users, this function should never even have been
called on movable_ops pages. E.g.,
* __buffer_migrate_folio() does not make sense for them
* folio_migrate_mapping() does not make sense for them
* migrate_huge_page_move_mapping() does not make sense for them
* __migrate_folio() does not make sense for them
* ... and khugepaged should never stumble over them
Let's simply refuse typed pages (which includes slab) except hugetlb, and
WARN.
Link: https://lkml.kernel.org/r/20250704102524.326966-26-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reviewed-by: Harry Yoo <harry.yoo@oracle.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Chengming Zhou <chengming.zhou@linux.dev>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Eugenio Pé rez <eperezma@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Gregory Price <gourry@gourry.net>
Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Jerrin Shaji George <jerrin.shaji-george@broadcom.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mathew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: xu xin <xu.xin16@zte.com.cn>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: f183663901f2 ("mm: consider non-anon swap cache folios in folio_expected_ref_count()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2194,13 +2194,13 @@ static inline int folio_expected_ref_cou
const int order = folio_order(folio);
int ref_count = 0;
- if (WARN_ON_ONCE(folio_test_slab(folio)))
+ if (WARN_ON_ONCE(page_has_type(&folio->page) && !folio_test_hugetlb(folio)))
return 0;
if (folio_test_anon(folio)) {
/* One reference per page from the swapcache. */
ref_count += folio_test_swapcache(folio) << order;
- } else if (!((unsigned long)folio->mapping & PAGE_MAPPING_FLAGS)) {
+ } else {
/* One reference per page from the pagecache. */
ref_count += !!folio->mapping << order;
/* One reference from PG_private. */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 657/737] mm: consider non-anon swap cache folios in folio_expected_ref_count()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (655 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 656/737] mm: simplify folio_expected_ref_count() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 658/737] pmdomain: Use device_get_match_data() Greg Kroah-Hartman
` (90 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bijan Tabatabai,
David Hildenbrand (Red Hat), Zi Yan, Baolin Wang, Liam Howlett,
Lorenzo Stoakes, Michal Hocko, Mike Rapoport, Shivank Garg,
Suren Baghdasaryan, Vlastimil Babka, Kairui Song, Andrew Morton,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bijan Tabatabai <bijan311@gmail.com>
[ Upstream commit f183663901f21fe0fba8bd31ae894bc529709ee0 ]
Currently, folio_expected_ref_count() only adds references for the swap
cache if the folio is anonymous. However, according to the comment above
the definition of PG_swapcache in enum pageflags, shmem folios can also
have PG_swapcache set. This patch makes sure references for the swap
cache are added if folio_test_swapcache(folio) is true.
This issue was found when trying to hot-unplug memory in a QEMU/KVM
virtual machine. When initiating hot-unplug when most of the guest memory
is allocated, hot-unplug hangs partway through removal due to migration
failures. The following message would be printed several times, and would
be printed again about every five seconds:
[ 49.641309] migrating pfn b12f25 failed ret:7
[ 49.641310] page: refcount:2 mapcount:0 mapping:0000000033bd8fe2 index:0x7f404d925 pfn:0xb12f25
[ 49.641311] aops:swap_aops
[ 49.641313] flags: 0x300000000030508(uptodate|active|owner_priv_1|reclaim|swapbacked|node=0|zone=3)
[ 49.641314] raw: 0300000000030508 ffffed312c4bc908 ffffed312c4bc9c8 0000000000000000
[ 49.641315] raw: 00000007f404d925 00000000000c823b 00000002ffffffff 0000000000000000
[ 49.641315] page dumped because: migration failure
When debugging this, I found that these migration failures were due to
__migrate_folio() returning -EAGAIN for a small set of folios because the
expected reference count it calculates via folio_expected_ref_count() is
one less than the actual reference count of the folios. Furthermore, all
of the affected folios were not anonymous, but had the PG_swapcache flag
set, inspiring this patch. After applying this patch, the memory
hot-unplug behaves as expected.
I tested this on a machine running Ubuntu 24.04 with kernel version
6.8.0-90-generic and 64GB of memory. The guest VM is managed by libvirt
and runs Ubuntu 24.04 with kernel version 6.18 (though the head of the
mm-unstable branch as a Dec 16, 2025 was also tested and behaves the same)
and 48GB of memory. The libvirt XML definition for the VM can be found at
[1]. CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_MOVABLE is set in the guest
kernel so the hot-pluggable memory is automatically onlined.
Below are the steps to reproduce this behavior:
1) Define and start and virtual machine
host$ virsh -c qemu:///system define ./test_vm.xml # test_vm.xml from [1]
host$ virsh -c qemu:///system start test_vm
2) Setup swap in the guest
guest$ sudo fallocate -l 32G /swapfile
guest$ sudo chmod 0600 /swapfile
guest$ sudo mkswap /swapfile
guest$ sudo swapon /swapfile
3) Use alloc_data [2] to allocate most of the remaining guest memory
guest$ ./alloc_data 45
4) In a separate guest terminal, monitor the amount of used memory
guest$ watch -n1 free -h
5) When alloc_data has finished allocating, initiate the memory
hot-unplug using the provided xml file [3]
host$ virsh -c qemu:///system detach-device test_vm ./remove.xml --live
After initiating the memory hot-unplug, you should see the amount of
available memory in the guest decrease, and the amount of used swap data
increase. If everything works as expected, when all of the memory is
unplugged, there should be around 8.5-9GB of data in swap. If the
unplugging is unsuccessful, the amount of used swap data will settle below
that. If that happens, you should be able to see log messages in dmesg
similar to the one posted above.
Link: https://lkml.kernel.org/r/20251216200727.2360228-1-bijan311@gmail.com
Link: https://github.com/BijanT/linux_patch_files/blob/main/test_vm.xml [1]
Link: https://github.com/BijanT/linux_patch_files/blob/main/alloc_data.c [2]
Link: https://github.com/BijanT/linux_patch_files/blob/main/remove.xml [3]
Fixes: 86ebd50224c0 ("mm: add folio_expected_ref_count() for reference count calculation")
Signed-off-by: Bijan Tabatabai <bijan311@gmail.com>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Acked-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Shivank Garg <shivankg@amd.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Kairui Song <ryncsn@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2197,10 +2197,10 @@ static inline int folio_expected_ref_cou
if (WARN_ON_ONCE(page_has_type(&folio->page) && !folio_test_hugetlb(folio)))
return 0;
- if (folio_test_anon(folio)) {
- /* One reference per page from the swapcache. */
- ref_count += folio_test_swapcache(folio) << order;
- } else {
+ /* One reference per page from the swapcache. */
+ ref_count += folio_test_swapcache(folio) << order;
+
+ if (!folio_test_anon(folio)) {
/* One reference per page from the pagecache. */
ref_count += !!folio->mapping << order;
/* One reference from PG_private. */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 658/737] pmdomain: Use device_get_match_data()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (656 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 657/737] mm: consider non-anon swap cache folios in folio_expected_ref_count() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 659/737] pmdomain: imx: Fix reference count leak in imx_gpc_probe() Greg Kroah-Hartman
` (89 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rob Herring, Ulf Hansson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Herring <robh@kernel.org>
[ Upstream commit 3ba9fdfaa550936837b50b73d6c27ac401fde875 ]
Use preferred device_get_match_data() instead of of_match_device() to
get the driver match data. With this, adjust the includes to explicitly
include the correct headers.
Signed-off-by: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/20231006224614.444488-1-robh@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: 73cb5f6eafb0 ("pmdomain: imx: Fix reference count leak in imx_gpc_probe()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/actions/owl-sps.c | 16 +++++-----------
drivers/pmdomain/imx/gpc.c | 7 +++----
drivers/pmdomain/rockchip/pm-domains.c | 13 ++++---------
3 files changed, 12 insertions(+), 24 deletions(-)
--- a/drivers/pmdomain/actions/owl-sps.c
+++ b/drivers/pmdomain/actions/owl-sps.c
@@ -8,8 +8,10 @@
* Copyright (c) 2017 Andreas Färber
*/
+#include <linux/mod_devicetable.h>
#include <linux/of_address.h>
-#include <linux/of_platform.h>
+#include <linux/platform_device.h>
+#include <linux/property.h>
#include <linux/pm_domain.h>
#include <linux/soc/actions/owl-sps.h>
#include <dt-bindings/power/owl-s500-powergate.h>
@@ -96,24 +98,16 @@ static int owl_sps_init_domain(struct ow
static int owl_sps_probe(struct platform_device *pdev)
{
- const struct of_device_id *match;
const struct owl_sps_info *sps_info;
struct owl_sps *sps;
int i, ret;
- if (!pdev->dev.of_node) {
- dev_err(&pdev->dev, "no device node\n");
- return -ENODEV;
- }
-
- match = of_match_device(pdev->dev.driver->of_match_table, &pdev->dev);
- if (!match || !match->data) {
+ sps_info = device_get_match_data(&pdev->dev);
+ if (!sps_info) {
dev_err(&pdev->dev, "unknown compatible or missing data\n");
return -EINVAL;
}
- sps_info = match->data;
-
sps = devm_kzalloc(&pdev->dev,
struct_size(sps, domains, sps_info->num_domains),
GFP_KERNEL);
--- a/drivers/pmdomain/imx/gpc.c
+++ b/drivers/pmdomain/imx/gpc.c
@@ -7,9 +7,10 @@
#include <linux/clk.h>
#include <linux/delay.h>
#include <linux/io.h>
-#include <linux/of_device.h>
+#include <linux/of.h>
#include <linux/platform_device.h>
#include <linux/pm_domain.h>
+#include <linux/property.h>
#include <linux/regmap.h>
#include <linux/regulator/consumer.h>
@@ -403,9 +404,7 @@ clk_err:
static int imx_gpc_probe(struct platform_device *pdev)
{
- const struct of_device_id *of_id =
- of_match_device(imx_gpc_dt_ids, &pdev->dev);
- const struct imx_gpc_dt_data *of_id_data = of_id->data;
+ const struct imx_gpc_dt_data *of_id_data = device_get_match_data(&pdev->dev);
struct device_node *pgc_node;
struct regmap *regmap;
void __iomem *base;
--- a/drivers/pmdomain/rockchip/pm-domains.c
+++ b/drivers/pmdomain/rockchip/pm-domains.c
@@ -9,11 +9,13 @@
#include <linux/iopoll.h>
#include <linux/err.h>
#include <linux/mutex.h>
+#include <linux/platform_device.h>
#include <linux/pm_clock.h>
#include <linux/pm_domain.h>
+#include <linux/property.h>
+#include <linux/of.h>
#include <linux/of_address.h>
#include <linux/of_clk.h>
-#include <linux/of_platform.h>
#include <linux/clk.h>
#include <linux/regmap.h>
#include <linux/mfd/syscon.h>
@@ -857,7 +859,6 @@ static int rockchip_pm_domain_probe(stru
struct device_node *node;
struct device *parent;
struct rockchip_pmu *pmu;
- const struct of_device_id *match;
const struct rockchip_pmu_info *pmu_info;
int error;
@@ -866,13 +867,7 @@ static int rockchip_pm_domain_probe(stru
return -ENODEV;
}
- match = of_match_device(dev->driver->of_match_table, dev);
- if (!match || !match->data) {
- dev_err(dev, "missing pmu data\n");
- return -EINVAL;
- }
-
- pmu_info = match->data;
+ pmu_info = device_get_match_data(dev);
pmu = devm_kzalloc(dev,
struct_size(pmu, domains, pmu_info->num_domains),
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 659/737] pmdomain: imx: Fix reference count leak in imx_gpc_probe()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (657 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 658/737] pmdomain: Use device_get_match_data() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 660/737] net: phy: mediatek: fix nvmem cell reference leak in mt798x_phy_calibration Greg Kroah-Hartman
` (88 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Frank Li, Ulf Hansson,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit 73cb5f6eafb0ac7aea8cdeb8ff12981aa741d8fb ]
of_get_child_by_name() returns a node pointer with refcount incremented.
Use the __free() attribute to manage the pgc_node reference, ensuring
automatic of_node_put() cleanup when pgc_node goes out of scope.
This eliminates the need for explicit error handling paths and avoids
reference count leaks.
Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pmdomain/imx/gpc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/pmdomain/imx/gpc.c
+++ b/drivers/pmdomain/imx/gpc.c
@@ -405,13 +405,12 @@ clk_err:
static int imx_gpc_probe(struct platform_device *pdev)
{
const struct imx_gpc_dt_data *of_id_data = device_get_match_data(&pdev->dev);
- struct device_node *pgc_node;
+ struct device_node *pgc_node __free(device_node)
+ = of_get_child_by_name(pdev->dev.of_node, "pgc");
struct regmap *regmap;
void __iomem *base;
int ret;
- pgc_node = of_get_child_by_name(pdev->dev.of_node, "pgc");
-
/* bail out if DT too old and doesn't provide the necessary info */
if (!of_property_read_bool(pdev->dev.of_node, "#power-domain-cells") &&
!pgc_node)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 660/737] net: phy: mediatek: fix nvmem cell reference leak in mt798x_phy_calibration
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (658 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 659/737] pmdomain: imx: Fix reference count leak in imx_gpc_probe() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 661/737] mptcp: ensure context reset on disconnect() Greg Kroah-Hartman
` (87 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Daniel Golle,
Andrew Lunn, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 1e5a541420b8c6d87d88eb50b6b978cdeafee1c9 ]
When nvmem_cell_read() fails in mt798x_phy_calibration(), the function
returns without calling nvmem_cell_put(), leaking the cell reference.
Move nvmem_cell_put() right after nvmem_cell_read() to ensure the cell
reference is always released regardless of the read result.
Found via static analysis and code review.
Fixes: 98c485eaf509 ("net: phy: add driver for MediaTek SoC built-in GE PHYs")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Daniel Golle <daniel@makrotopia.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251211081313.2368460-1-linmq006@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/phy/mediatek-ge-soc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/phy/mediatek-ge-soc.c
+++ b/drivers/net/phy/mediatek-ge-soc.c
@@ -1082,9 +1082,9 @@ static int mt798x_phy_calibration(struct
}
buf = (u32 *)nvmem_cell_read(cell, &len);
+ nvmem_cell_put(cell);
if (IS_ERR(buf))
return PTR_ERR(buf);
- nvmem_cell_put(cell);
if (!buf[0] || !buf[1] || !buf[2] || !buf[3] || len < 4 * sizeof(u32)) {
phydev_err(phydev, "invalid efuse data\n");
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 661/737] mptcp: ensure context reset on disconnect()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (659 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 660/737] net: phy: mediatek: fix nvmem cell reference leak in mt798x_phy_calibration Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 662/737] drm/amdgpu: Forward VMID reservation errors Greg Kroah-Hartman
` (86 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts (NGI0),
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 86730ac255b0497a272704de9a1df559f5d6602e ]
After the blamed commit below, if the MPC subflow is already in TCP_CLOSE
status or has fallback to TCP at mptcp_disconnect() time,
mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later
__mptcp_close_ssk() does not reset anymore the related subflow context.
Any later connection will be created with both the `request_mptcp` flag
and the msk-level fallback status off (it is unconditionally cleared at
MPTCP disconnect time), leading to a warning in subflow_data_ready():
WARNING: CPU: 26 PID: 8996 at net/mptcp/subflow.c:1519 subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
Modules linked in:
CPU: 26 UID: 0 PID: 8996 Comm: syz.22.39 Not tainted 6.18.0-rc7-05427-g11fc074f6c36 #1 PREEMPT(voluntary)
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
RIP: 0010:subflow_data_ready (net/mptcp/subflow.c:1519 (discriminator 13))
Code: 90 0f 0b 90 90 e9 04 fe ff ff e8 b7 1e f5 fe 89 ee bf 07 00 00 00 e8 db 19 f5 fe 83 fd 07 0f 84 35 ff ff ff e8 9d 1e f5 fe 90 <0f> 0b 90 e9 27 ff ff ff e8 8f 1e f5 fe 4c 89 e7 48 89 de e8 14 09
RSP: 0018:ffffc9002646fb30 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88813b218000 RCX: ffffffff825c8435
RDX: ffff8881300b3580 RSI: ffffffff825c8443 RDI: 0000000000000005
RBP: 000000000000000b R08: ffffffff825c8435 R09: 000000000000000b
R10: 0000000000000005 R11: 0000000000000007 R12: ffff888131ac0000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f88330af6c0(0000) GS:ffff888a93dd2000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88330aefe8 CR3: 000000010ff59000 CR4: 0000000000350ef0
Call Trace:
<TASK>
tcp_data_ready (net/ipv4/tcp_input.c:5356)
tcp_data_queue (net/ipv4/tcp_input.c:5445)
tcp_rcv_state_process (net/ipv4/tcp_input.c:7165)
tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1955)
__release_sock (include/net/sock.h:1158 (discriminator 6) net/core/sock.c:3180 (discriminator 6))
release_sock (net/core/sock.c:3737)
mptcp_sendmsg (net/mptcp/protocol.c:1763 net/mptcp/protocol.c:1857)
inet_sendmsg (net/ipv4/af_inet.c:853 (discriminator 7))
__sys_sendto (net/socket.c:727 (discriminator 15) net/socket.c:742 (discriminator 15) net/socket.c:2244 (discriminator 15))
__x64_sys_sendto (net/socket.c:2247)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f883326702d
Address the issue setting an explicit `fastclosing` flag at fastclose
time, and checking such flag after mptcp_do_fastclose().
Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251212-net-mptcp-subflow_data_ready-warn-v1-2-d1f9fd1c36c8@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ adapted context in mptcp_do_fastclose() to exclude missing mptcp_backlog_purge() call ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 8 +++++---
net/mptcp/protocol.h | 3 ++-
2 files changed, 7 insertions(+), 4 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2441,10 +2441,10 @@ bool __mptcp_retransmit_pending_data(str
*/
static void __mptcp_subflow_disconnect(struct sock *ssk,
struct mptcp_subflow_context *subflow,
- unsigned int flags)
+ bool fastclosing)
{
if (((1 << ssk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
- subflow->send_fastclose) {
+ fastclosing) {
/* The MPTCP code never wait on the subflow sockets, TCP-level
* disconnect should never fail
*/
@@ -2496,7 +2496,7 @@ static void __mptcp_close_ssk(struct soc
need_push = (flags & MPTCP_CF_PUSH) && __mptcp_retransmit_pending_data(sk);
if (!dispose_it) {
- __mptcp_subflow_disconnect(ssk, subflow, flags);
+ __mptcp_subflow_disconnect(ssk, subflow, msk->fastclosing);
release_sock(ssk);
goto out;
@@ -2808,6 +2808,7 @@ static void mptcp_do_fastclose(struct so
struct mptcp_sock *msk = mptcp_sk(sk);
mptcp_set_state(sk, TCP_CLOSE);
+ msk->fastclosing = 1;
/* Explicitly send the fastclose reset as need */
if (__mptcp_check_fallback(msk))
@@ -3320,6 +3321,7 @@ static int mptcp_disconnect(struct sock
msk->bytes_sent = 0;
msk->bytes_retrans = 0;
msk->rcvspace_init = 0;
+ msk->fastclosing = 0;
WRITE_ONCE(sk->sk_shutdown, 0);
sk_error_report(sk);
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -305,7 +305,8 @@ struct mptcp_sock {
fastopening:1,
in_accept_queue:1,
free_first:1,
- rcvspace_init:1;
+ rcvspace_init:1,
+ fastclosing:1;
int keepalive_cnt;
int keepalive_idle;
int keepalive_intvl;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 662/737] drm/amdgpu: Forward VMID reservation errors
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (660 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 661/737] mptcp: ensure context reset on disconnect() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 663/737] drm/mediatek: Fix probe memory leak Greg Kroah-Hartman
` (85 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian König, Natalie Vock,
Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Natalie Vock <natalie.vock@gmx.de>
[ Upstream commit 8defb4f081a5feccc3ea8372d0c7af3522124e1f ]
Otherwise userspace may be fooled into believing it has a reserved VMID
when in reality it doesn't, ultimately leading to GPU hangs when SPM is
used.
Fixes: 80e709ee6ecc ("drm/amdgpu: add option params to enforce process isolation between graphics and compute")
Cc: stable@vger.kernel.org
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Natalie Vock <natalie.vock@gmx.de>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[ adapted 3-argument amdgpu_vmid_alloc_reserved(adev, vm, vmhub) call to 2-argument version and added separate error check to preserve reserved_vmid tracking logic. ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -2496,10 +2496,12 @@ int amdgpu_vm_ioctl(struct drm_device *d
case AMDGPU_VM_OP_RESERVE_VMID:
/* We only have requirement to reserve vmid from gfxhub */
if (!fpriv->vm.reserved_vmid[AMDGPU_GFXHUB(0)]) {
- amdgpu_vmid_alloc_reserved(adev, AMDGPU_GFXHUB(0));
+ int r = amdgpu_vmid_alloc_reserved(adev, AMDGPU_GFXHUB(0));
+
+ if (r)
+ return r;
fpriv->vm.reserved_vmid[AMDGPU_GFXHUB(0)] = true;
}
-
break;
case AMDGPU_VM_OP_UNRESERVE_VMID:
if (fpriv->vm.reserved_vmid[AMDGPU_GFXHUB(0)]) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 663/737] drm/mediatek: Fix probe memory leak
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (661 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 662/737] drm/amdgpu: Forward VMID reservation errors Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 664/737] drm/mediatek: Fix probe resource leaks Greg Kroah-Hartman
` (84 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, Johan Hovold,
AngeloGioacchino Del Regno, Chun-Kuang Hu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 5e49200593f331cd0629b5376fab9192f698e8ef ]
The Mediatek DRM driver allocates private data for components without a
platform driver but as the lifetime is tied to each component device,
the memory is never freed.
Tie the allocation lifetime to the DRM platform device so that the
memory is released on probe failure (e.g. probe deferral) and when the
driver is unbound.
Fixes: c0d36de868a6 ("drm/mediatek: Move clk info from struct mtk_ddp_comp to sub driver private data")
Cc: stable@vger.kernel.org # 5.12
Cc: CK Hu <ck.hu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250923152340.18234-3-johan@kernel.org/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c
@@ -588,7 +588,7 @@ int mtk_ddp_comp_init(struct device_node
type == MTK_DSI)
return 0;
- priv = devm_kzalloc(comp->dev, sizeof(*priv), GFP_KERNEL);
+ priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 664/737] drm/mediatek: Fix probe resource leaks
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (662 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 663/737] drm/mediatek: Fix probe memory leak Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 665/737] drm/tilcdc: request and mapp iomem with devres Greg Kroah-Hartman
` (83 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CK Hu, Johan Hovold,
AngeloGioacchino Del Regno, Chun-Kuang Hu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 07c7c640a8eb9e196f357d15d88a59602a947197 ]
Make sure to unmap and release the component iomap and clock on probe
failure (e.g. probe deferral) and on driver unbind.
Note that unlike of_iomap(), devm_of_iomap() also checks whether the
region is already mapped.
Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Cc: stable@vger.kernel.org # 4.7
Cc: CK Hu <ck.hu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250923152340.18234-2-johan@kernel.org/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c | 20 ++++++++++++++++----
drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.h | 2 +-
drivers/gpu/drm/mediatek/mtk_drm_drv.c | 4 ++--
3 files changed, 19 insertions(+), 7 deletions(-)
--- a/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.c
@@ -543,15 +543,20 @@ unsigned int mtk_drm_find_possible_crtc_
return ret;
}
-int mtk_ddp_comp_init(struct device_node *node, struct mtk_ddp_comp *comp,
+static void mtk_ddp_comp_clk_put(void *_clk)
+{
+ struct clk *clk = _clk;
+
+ clk_put(clk);
+}
+
+int mtk_ddp_comp_init(struct device *dev, struct device_node *node, struct mtk_ddp_comp *comp,
unsigned int comp_id)
{
struct platform_device *comp_pdev;
enum mtk_ddp_comp_type type;
struct mtk_ddp_comp_dev *priv;
-#if IS_REACHABLE(CONFIG_MTK_CMDQ)
int ret;
-#endif
if (comp_id >= DDP_COMPONENT_DRM_ID_MAX)
return -EINVAL;
@@ -592,11 +597,18 @@ int mtk_ddp_comp_init(struct device_node
if (!priv)
return -ENOMEM;
- priv->regs = of_iomap(node, 0);
+ priv->regs = devm_of_iomap(dev, node, 0, NULL);
+ if (IS_ERR(priv->regs))
+ return PTR_ERR(priv->regs);
+
priv->clk = of_clk_get(node, 0);
if (IS_ERR(priv->clk))
return PTR_ERR(priv->clk);
+ ret = devm_add_action_or_reset(dev, mtk_ddp_comp_clk_put, priv->clk);
+ if (ret)
+ return ret;
+
#if IS_REACHABLE(CONFIG_MTK_CMDQ)
ret = cmdq_dev_get_client_reg(comp->dev, &priv->cmdq_reg, 0);
if (ret)
--- a/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.h
+++ b/drivers/gpu/drm/mediatek/mtk_drm_ddp_comp.h
@@ -279,7 +279,7 @@ int mtk_ddp_comp_get_id(struct device_no
enum mtk_ddp_comp_type comp_type);
unsigned int mtk_drm_find_possible_crtc_by_comp(struct drm_device *drm,
struct device *dev);
-int mtk_ddp_comp_init(struct device_node *comp_node, struct mtk_ddp_comp *comp,
+int mtk_ddp_comp_init(struct device *dev, struct device_node *comp_node, struct mtk_ddp_comp *comp,
unsigned int comp_id);
enum mtk_ddp_comp_type mtk_ddp_comp_get_type(unsigned int comp_id);
void mtk_ddp_write(struct cmdq_pkt *cmdq_pkt, unsigned int value,
--- a/drivers/gpu/drm/mediatek/mtk_drm_drv.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_drv.c
@@ -841,7 +841,7 @@ static int mtk_drm_probe(struct platform
(void *)private->mmsys_dev,
sizeof(*private->mmsys_dev));
private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR].dev = &ovl_adaptor->dev;
- mtk_ddp_comp_init(NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR],
+ mtk_ddp_comp_init(dev, NULL, &private->ddp_comp[DDP_COMPONENT_DRM_OVL_ADAPTOR],
DDP_COMPONENT_DRM_OVL_ADAPTOR);
component_match_add(dev, &match, compare_dev, &ovl_adaptor->dev);
}
@@ -910,7 +910,7 @@ static int mtk_drm_probe(struct platform
node);
}
- ret = mtk_ddp_comp_init(node, &private->ddp_comp[comp_id], comp_id);
+ ret = mtk_ddp_comp_init(dev, node, &private->ddp_comp[comp_id], comp_id);
if (ret) {
of_node_put(node);
goto err_node;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 665/737] drm/tilcdc: request and mapp iomem with devres
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (663 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 664/737] drm/mediatek: Fix probe resource leaks Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 666/737] drm/tilcdc: Fix removal actions in case of failed probe Greg Kroah-Hartman
` (82 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann, Philipp Stanner,
Jyri Sarha, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philipp Stanner <pstanner@redhat.com>
[ Upstream commit a196a5166e0812db267281c32fa0724fc5be6582 ]
tilcdc currently just ioremaps its iomem, without doing the (a bit more
robust) request on the memory first. The devm_ functions provide a handy
way to both request and ioremap the memory with automatic cleanup.
Replace the manual ioremap with the devm_ version.
Suggested-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Jyri Sarha <jyri.sarha@iki.fi>
Tested-by: Jyri Sarha <jyri.sarha@iki.fi>
Signed-off-by: Jyri Sarha <jyri.sarha@iki.fi>
Link: https://patchwork.freedesktop.org/patch/msgid/20231222115216.19218-2-pstanner@redhat.com
Stable-dep-of: a585c7ef9cab ("drm/tilcdc: Fix removal actions in case of failed probe")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/tilcdc/tilcdc_drv.c | 19 ++++---------------
1 file changed, 4 insertions(+), 15 deletions(-)
--- a/drivers/gpu/drm/tilcdc/tilcdc_drv.c
+++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.c
@@ -182,9 +182,6 @@ static void tilcdc_fini(struct drm_devic
if (priv->clk)
clk_put(priv->clk);
- if (priv->mmio)
- iounmap(priv->mmio);
-
if (priv->wq)
destroy_workqueue(priv->wq);
@@ -201,7 +198,6 @@ static int tilcdc_init(const struct drm_
struct platform_device *pdev = to_platform_device(dev);
struct device_node *node = dev->of_node;
struct tilcdc_drm_private *priv;
- struct resource *res;
u32 bpp = 0;
int ret;
@@ -226,17 +222,10 @@ static int tilcdc_init(const struct drm_
goto init_failed;
}
- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
- if (!res) {
- dev_err(dev, "failed to get memory resource\n");
- ret = -EINVAL;
- goto init_failed;
- }
-
- priv->mmio = ioremap(res->start, resource_size(res));
- if (!priv->mmio) {
- dev_err(dev, "failed to ioremap\n");
- ret = -ENOMEM;
+ priv->mmio = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(priv->mmio)) {
+ dev_err(dev, "failed to request / ioremap\n");
+ ret = PTR_ERR(priv->mmio);
goto init_failed;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 666/737] drm/tilcdc: Fix removal actions in case of failed probe
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (664 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 665/737] drm/tilcdc: request and mapp iomem with devres Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 667/737] tty: introduce and use tty_port_tty_vhangup() helper Greg Kroah-Hartman
` (81 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kory Maincent (TI.com),
Douglas Anderson, Luca Ceresoli, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Kory Maincent (TI.com)" <kory.maincent@bootlin.com>
[ Upstream commit a585c7ef9cabda58088916baedc6573e9a5cd2a7 ]
The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers
should only be called when the device has been successfully registered.
Currently, these functions are called unconditionally in tilcdc_fini(),
which causes warnings during probe deferral scenarios.
[ 7.972317] WARNING: CPU: 0 PID: 23 at drivers/gpu/drm/drm_atomic_state_helper.c:175 drm_atomic_helper_crtc_duplicate_state+0x60/0x68
...
[ 8.005820] drm_atomic_helper_crtc_duplicate_state from drm_atomic_get_crtc_state+0x68/0x108
[ 8.005858] drm_atomic_get_crtc_state from drm_atomic_helper_disable_all+0x90/0x1c8
[ 8.005885] drm_atomic_helper_disable_all from drm_atomic_helper_shutdown+0x90/0x144
[ 8.005911] drm_atomic_helper_shutdown from tilcdc_fini+0x68/0xf8 [tilcdc]
[ 8.005957] tilcdc_fini [tilcdc] from tilcdc_pdev_probe+0xb0/0x6d4 [tilcdc]
Fix this by rewriting the failed probe cleanup path using the standard
goto error handling pattern, which ensures that cleanup functions are
only called on successfully initialized resources. Additionally, remove
the now-unnecessary is_registered flag.
Cc: stable@vger.kernel.org
Fixes: 3c4babae3c4a ("drm: Call drm_atomic_helper_shutdown() at shutdown/remove time for misc drivers")
Signed-off-by: Kory Maincent (TI.com) <kory.maincent@bootlin.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patch.msgid.link/20251125090546.137193-1-kory.maincent@bootlin.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/tilcdc/tilcdc_crtc.c | 2 -
drivers/gpu/drm/tilcdc/tilcdc_drv.c | 53 +++++++++++++++++++++++------------
drivers/gpu/drm/tilcdc/tilcdc_drv.h | 2 -
3 files changed, 37 insertions(+), 20 deletions(-)
--- a/drivers/gpu/drm/tilcdc/tilcdc_crtc.c
+++ b/drivers/gpu/drm/tilcdc/tilcdc_crtc.c
@@ -586,7 +586,7 @@ out:
drm_modeset_unlock(&crtc->mutex);
}
-static void tilcdc_crtc_destroy(struct drm_crtc *crtc)
+void tilcdc_crtc_destroy(struct drm_crtc *crtc)
{
struct tilcdc_drm_private *priv = crtc->dev->dev_private;
--- a/drivers/gpu/drm/tilcdc/tilcdc_drv.c
+++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.c
@@ -171,8 +171,7 @@ static void tilcdc_fini(struct drm_devic
if (priv->crtc)
tilcdc_crtc_shutdown(priv->crtc);
- if (priv->is_registered)
- drm_dev_unregister(dev);
+ drm_dev_unregister(dev);
drm_kms_helper_poll_fini(dev);
drm_atomic_helper_shutdown(dev);
@@ -219,21 +218,21 @@ static int tilcdc_init(const struct drm_
priv->wq = alloc_ordered_workqueue("tilcdc", 0);
if (!priv->wq) {
ret = -ENOMEM;
- goto init_failed;
+ goto put_drm;
}
priv->mmio = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(priv->mmio)) {
dev_err(dev, "failed to request / ioremap\n");
ret = PTR_ERR(priv->mmio);
- goto init_failed;
+ goto free_wq;
}
priv->clk = clk_get(dev, "fck");
if (IS_ERR(priv->clk)) {
dev_err(dev, "failed to get functional clock\n");
ret = -ENODEV;
- goto init_failed;
+ goto free_wq;
}
pm_runtime_enable(dev);
@@ -312,7 +311,7 @@ static int tilcdc_init(const struct drm_
ret = tilcdc_crtc_create(ddev);
if (ret < 0) {
dev_err(dev, "failed to create crtc\n");
- goto init_failed;
+ goto disable_pm;
}
modeset_init(ddev);
@@ -323,46 +322,46 @@ static int tilcdc_init(const struct drm_
if (ret) {
dev_err(dev, "failed to register cpufreq notifier\n");
priv->freq_transition.notifier_call = NULL;
- goto init_failed;
+ goto destroy_crtc;
}
#endif
if (priv->is_componentized) {
ret = component_bind_all(dev, ddev);
if (ret < 0)
- goto init_failed;
+ goto unregister_cpufreq_notif;
ret = tilcdc_add_component_encoder(ddev);
if (ret < 0)
- goto init_failed;
+ goto unbind_component;
} else {
ret = tilcdc_attach_external_device(ddev);
if (ret)
- goto init_failed;
+ goto unregister_cpufreq_notif;
}
if (!priv->external_connector &&
((priv->num_encoders == 0) || (priv->num_connectors == 0))) {
dev_err(dev, "no encoders/connectors found\n");
ret = -EPROBE_DEFER;
- goto init_failed;
+ goto unbind_component;
}
ret = drm_vblank_init(ddev, 1);
if (ret < 0) {
dev_err(dev, "failed to initialize vblank\n");
- goto init_failed;
+ goto unbind_component;
}
ret = platform_get_irq(pdev, 0);
if (ret < 0)
- goto init_failed;
+ goto unbind_component;
priv->irq = ret;
ret = tilcdc_irq_install(ddev, priv->irq);
if (ret < 0) {
dev_err(dev, "failed to install IRQ handler\n");
- goto init_failed;
+ goto unbind_component;
}
drm_mode_config_reset(ddev);
@@ -371,15 +370,33 @@ static int tilcdc_init(const struct drm_
ret = drm_dev_register(ddev, 0);
if (ret)
- goto init_failed;
- priv->is_registered = true;
+ goto stop_poll;
drm_fbdev_dma_setup(ddev, bpp);
return 0;
-init_failed:
- tilcdc_fini(ddev);
+stop_poll:
+ drm_kms_helper_poll_fini(ddev);
+ tilcdc_irq_uninstall(ddev);
+unbind_component:
+ if (priv->is_componentized)
+ component_unbind_all(dev, ddev);
+unregister_cpufreq_notif:
+#ifdef CONFIG_CPU_FREQ
+ cpufreq_unregister_notifier(&priv->freq_transition,
+ CPUFREQ_TRANSITION_NOTIFIER);
+destroy_crtc:
+#endif
+ tilcdc_crtc_destroy(priv->crtc);
+disable_pm:
+ pm_runtime_disable(dev);
+ clk_put(priv->clk);
+free_wq:
+ destroy_workqueue(priv->wq);
+put_drm:
platform_set_drvdata(pdev, NULL);
+ ddev->dev_private = NULL;
+ drm_dev_put(ddev);
return ret;
}
--- a/drivers/gpu/drm/tilcdc/tilcdc_drv.h
+++ b/drivers/gpu/drm/tilcdc/tilcdc_drv.h
@@ -82,7 +82,6 @@ struct tilcdc_drm_private {
struct drm_encoder *external_encoder;
struct drm_connector *external_connector;
- bool is_registered;
bool is_componentized;
bool irq_enabled;
};
@@ -164,6 +163,7 @@ void tilcdc_crtc_set_panel_info(struct d
void tilcdc_crtc_set_simulate_vesa_sync(struct drm_crtc *crtc,
bool simulate_vesa_sync);
void tilcdc_crtc_shutdown(struct drm_crtc *crtc);
+void tilcdc_crtc_destroy(struct drm_crtc *crtc);
int tilcdc_crtc_update_fb(struct drm_crtc *crtc,
struct drm_framebuffer *fb,
struct drm_pending_vblank_event *event);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 667/737] tty: introduce and use tty_port_tty_vhangup() helper
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (665 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 666/737] drm/tilcdc: Fix removal actions in case of failed probe Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 668/737] xhci: dbgtty: fix device unregister: fixup Greg Kroah-Hartman
` (80 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE), Karsten Keil,
David Lin, Johan Hovold, Alex Elder, Oliver Neukum,
Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz,
Ilpo Järvinen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
[ Upstream commit 2b5eac0f8c6e79bc152c8804f9f88d16717013ab ]
This code (tty_get -> vhangup -> tty_put) is repeated on few places.
Introduce a helper similar to tty_port_tty_hangup() (asynchronous) to
handle even vhangup (synchronous).
And use it on those places.
In fact, reuse the tty_port_tty_hangup()'s code and call tty_vhangup()
depending on a new bool parameter.
Signed-off-by: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: David Lin <dtwlin@gmail.com>
Cc: Johan Hovold <johan@kernel.org>
Cc: Alex Elder <elder@kernel.org>
Cc: Oliver Neukum <oneukum@suse.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20250611100319.186924-2-jirislaby@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 74098cc06e75 ("xhci: dbgtty: fix device unregister: fixup")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/isdn/capi/capi.c | 8 +-------
drivers/staging/greybus/uart.c | 7 +------
drivers/tty/serial/serial_core.c | 7 +------
drivers/tty/tty_port.c | 12 ++++++++----
drivers/usb/class/cdc-acm.c | 7 +------
drivers/usb/serial/usb-serial.c | 7 +------
include/linux/tty_port.h | 12 +++++++++++-
net/bluetooth/rfcomm/tty.c | 7 +------
8 files changed, 25 insertions(+), 42 deletions(-)
--- a/drivers/isdn/capi/capi.c
+++ b/drivers/isdn/capi/capi.c
@@ -304,15 +304,9 @@ static void capincci_alloc_minor(struct
static void capincci_free_minor(struct capincci *np)
{
struct capiminor *mp = np->minorp;
- struct tty_struct *tty;
if (mp) {
- tty = tty_port_tty_get(&mp->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
-
+ tty_port_tty_vhangup(&mp->port);
capiminor_free(mp);
}
}
--- a/drivers/staging/greybus/uart.c
+++ b/drivers/staging/greybus/uart.c
@@ -914,7 +914,6 @@ static void gb_uart_remove(struct gbphy_
{
struct gb_tty *gb_tty = gb_gbphy_get_data(gbphy_dev);
struct gb_connection *connection = gb_tty->connection;
- struct tty_struct *tty;
int ret;
ret = gbphy_runtime_get_sync(gbphy_dev);
@@ -927,11 +926,7 @@ static void gb_uart_remove(struct gbphy_
wake_up_all(&gb_tty->wioctl);
mutex_unlock(&gb_tty->mutex);
- tty = tty_port_tty_get(&gb_tty->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(&gb_tty->port);
gb_connection_disable_rx(connection);
tty_unregister_device(gb_tty_driver, gb_tty->minor);
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -3250,7 +3250,6 @@ static void serial_core_remove_one_port(
struct uart_state *state = drv->state + uport->line;
struct tty_port *port = &state->port;
struct uart_port *uart_port;
- struct tty_struct *tty;
mutex_lock(&port->mutex);
uart_port = uart_port_check(state);
@@ -3269,11 +3268,7 @@ static void serial_core_remove_one_port(
*/
tty_port_unregister_device(port, drv->tty_driver, uport->line);
- tty = tty_port_tty_get(port);
- if (tty) {
- tty_vhangup(port->tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(port);
/*
* If the port is used as a console, unregister it
--- a/drivers/tty/tty_port.c
+++ b/drivers/tty/tty_port.c
@@ -414,15 +414,19 @@ EXPORT_SYMBOL(tty_port_hangup);
* @port: tty port
* @check_clocal: hang only ttys with %CLOCAL unset?
*/
-void tty_port_tty_hangup(struct tty_port *port, bool check_clocal)
+void __tty_port_tty_hangup(struct tty_port *port, bool check_clocal, bool async)
{
struct tty_struct *tty = tty_port_tty_get(port);
- if (tty && (!check_clocal || !C_CLOCAL(tty)))
- tty_hangup(tty);
+ if (tty && (!check_clocal || !C_CLOCAL(tty))) {
+ if (async)
+ tty_hangup(tty);
+ else
+ tty_vhangup(tty);
+ }
tty_kref_put(tty);
}
-EXPORT_SYMBOL_GPL(tty_port_tty_hangup);
+EXPORT_SYMBOL_GPL(__tty_port_tty_hangup);
/**
* tty_port_tty_wakeup - helper to wake up a tty
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1572,7 +1572,6 @@ err_put_port:
static void acm_disconnect(struct usb_interface *intf)
{
struct acm *acm = usb_get_intfdata(intf);
- struct tty_struct *tty;
int i;
/* sibling interface is already cleaning up */
@@ -1599,11 +1598,7 @@ static void acm_disconnect(struct usb_in
usb_set_intfdata(acm->data, NULL);
mutex_unlock(&acm->mutex);
- tty = tty_port_tty_get(&acm->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(&acm->port);
cancel_delayed_work_sync(&acm->dwork);
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -1178,7 +1178,6 @@ static void usb_serial_disconnect(struct
struct usb_serial *serial = usb_get_intfdata(interface);
struct device *dev = &interface->dev;
struct usb_serial_port *port;
- struct tty_struct *tty;
/* sibling interface is cleaning up */
if (!serial)
@@ -1193,11 +1192,7 @@ static void usb_serial_disconnect(struct
for (i = 0; i < serial->num_ports; ++i) {
port = serial->port[i];
- tty = tty_port_tty_get(&port->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(&port->port);
usb_serial_port_poison_urbs(port);
wake_up_interruptible(&port->port.delta_msr_wait);
cancel_work_sync(&port->work);
--- a/include/linux/tty_port.h
+++ b/include/linux/tty_port.h
@@ -235,7 +235,7 @@ bool tty_port_carrier_raised(struct tty_
void tty_port_raise_dtr_rts(struct tty_port *port);
void tty_port_lower_dtr_rts(struct tty_port *port);
void tty_port_hangup(struct tty_port *port);
-void tty_port_tty_hangup(struct tty_port *port, bool check_clocal);
+void __tty_port_tty_hangup(struct tty_port *port, bool check_clocal, bool async);
void tty_port_tty_wakeup(struct tty_port *port);
int tty_port_block_til_ready(struct tty_port *port, struct tty_struct *tty,
struct file *filp);
@@ -254,4 +254,14 @@ static inline int tty_port_users(struct
return port->count + port->blocked_open;
}
+static inline void tty_port_tty_hangup(struct tty_port *port, bool check_clocal)
+{
+ __tty_port_tty_hangup(port, check_clocal, true);
+}
+
+static inline void tty_port_tty_vhangup(struct tty_port *port)
+{
+ __tty_port_tty_hangup(port, false, false);
+}
+
#endif
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -438,7 +438,6 @@ static int __rfcomm_release_dev(void __u
{
struct rfcomm_dev_req req;
struct rfcomm_dev *dev;
- struct tty_struct *tty;
if (copy_from_user(&req, arg, sizeof(req)))
return -EFAULT;
@@ -464,11 +463,7 @@ static int __rfcomm_release_dev(void __u
rfcomm_dlc_close(dev->dlc, 0);
/* Shut down TTY synchronously before freeing rfcomm_dev */
- tty = tty_port_tty_get(&dev->port);
- if (tty) {
- tty_vhangup(tty);
- tty_kref_put(tty);
- }
+ tty_port_tty_vhangup(&dev->port);
if (!test_bit(RFCOMM_TTY_OWNED, &dev->status))
tty_port_put(&dev->port);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 668/737] xhci: dbgtty: fix device unregister: fixup
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (666 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 667/737] tty: introduce and use tty_port_tty_vhangup() helper Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 669/737] usb: xhci: move link chain bit quirk checks into one helper function Greg Kroah-Hartman
` (79 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Łukasz Bartosik,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Łukasz Bartosik <ukaszb@chromium.org>
[ Upstream commit 74098cc06e753d3ffd8398b040a3a1dfb65260c0 ]
This fixup replaces tty_vhangup() call with call to
tty_port_tty_vhangup(). Both calls hangup tty device
synchronously however tty_port_tty_vhangup() increases
reference count during the hangup operation using
scoped_guard(tty_port_tty).
Cc: stable <stable@kernel.org>
Fixes: 1f73b8b56cf3 ("xhci: dbgtty: fix device unregister")
Signed-off-by: Łukasz Bartosik <ukaszb@chromium.org>
Link: https://patch.msgid.link/20251127111644.3161386-1-ukaszb@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-dbgtty.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-dbgtty.c
+++ b/drivers/usb/host/xhci-dbgtty.c
@@ -522,7 +522,7 @@ static void xhci_dbc_tty_unregister_devi
* Hang up the TTY. This wakes up any blocked
* writers and causes subsequent writes to fail.
*/
- tty_vhangup(port->port.tty);
+ tty_port_tty_vhangup(&port->port);
tty_unregister_device(dbc_tty_driver, port->minor);
xhci_dbc_tty_exit_port(port);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 669/737] usb: xhci: move link chain bit quirk checks into one helper function.
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (667 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 668/737] xhci: dbgtty: fix device unregister: fixup Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 670/737] usb: xhci: Apply the link chain quirk on NEC isoc endpoints Greg Kroah-Hartman
` (78 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Neronin, Mathias Nyman,
Shivani Agarwal
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Neronin <niklas.neronin@linux.intel.com>
commit 7476a2215c07703db5e95efaa3fc5b9f957b9417 upstream.
Older 0.95 xHCI hosts and some other specific newer hosts require the
chain bit to be set for Link TRBs even if the link TRB is not in the
middle of a transfer descriptor (TD).
move the checks for all those cases into one xhci_link_chain_quirk()
function to clean up and avoid code duplication.
No functional changes.
[skip renaming chain_links flag, reword commit message -Mathias]
Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240626124835.1023046-10-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Shivani: Modified to apply on 6.6.y]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-mem.c | 10 ++--------
drivers/usb/host/xhci-ring.c | 8 ++------
drivers/usb/host/xhci.h | 7 +++++--
3 files changed, 9 insertions(+), 16 deletions(-)
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -136,10 +136,7 @@ static void xhci_link_rings(struct xhci_
if (!ring || !first || !last)
return;
- /* Set chain bit for 0.95 hosts, and for isoc rings on AMD 0.96 host */
- chain_links = !!(xhci_link_trb_quirk(xhci) ||
- (ring->type == TYPE_ISOC &&
- (xhci->quirks & XHCI_AMD_0x96_HOST)));
+ chain_links = xhci_link_chain_quirk(xhci, ring->type);
next = ring->enq_seg->next;
xhci_link_segments(ring->enq_seg, first, ring->type, chain_links);
@@ -330,10 +327,7 @@ static int xhci_alloc_segments_for_ring(
unsigned int num = 0;
bool chain_links;
- /* Set chain bit for 0.95 hosts, and for isoc rings on AMD 0.96 host */
- chain_links = !!(xhci_link_trb_quirk(xhci) ||
- (type == TYPE_ISOC &&
- (xhci->quirks & XHCI_AMD_0x96_HOST)));
+ chain_links = xhci_link_chain_quirk(xhci, type);
prev = xhci_segment_alloc(xhci, cycle_state, max_packet, num, flags);
if (!prev)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -245,9 +245,7 @@ static void inc_enq(struct xhci_hcd *xhc
* AMD 0.96 host, carry over the chain bit of the previous TRB
* (which may mean the chain bit is cleared).
*/
- if (!(ring->type == TYPE_ISOC &&
- (xhci->quirks & XHCI_AMD_0x96_HOST)) &&
- !xhci_link_trb_quirk(xhci)) {
+ if (!xhci_link_chain_quirk(xhci, ring->type)) {
next->link.control &= cpu_to_le32(~TRB_CHAIN);
next->link.control |= cpu_to_le32(chain);
}
@@ -3381,9 +3379,7 @@ static int prepare_ring(struct xhci_hcd
/* If we're not dealing with 0.95 hardware or isoc rings
* on AMD 0.96 host, clear the chain bit.
*/
- if (!xhci_link_trb_quirk(xhci) &&
- !(ep_ring->type == TYPE_ISOC &&
- (xhci->quirks & XHCI_AMD_0x96_HOST)))
+ if (!xhci_link_chain_quirk(xhci, ep_ring->type))
ep_ring->enqueue->link.control &=
cpu_to_le32(~TRB_CHAIN);
else
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1784,9 +1784,12 @@ static inline void xhci_write_64(struct
lo_hi_writeq(val, regs);
}
-static inline int xhci_link_trb_quirk(struct xhci_hcd *xhci)
+
+/* Link TRB chain should always be set on 0.95 hosts, and AMD 0.96 ISOC rings */
+static inline bool xhci_link_chain_quirk(struct xhci_hcd *xhci, enum xhci_ring_type type)
{
- return xhci->quirks & XHCI_LINK_TRB_QUIRK;
+ return (xhci->quirks & XHCI_LINK_TRB_QUIRK) ||
+ (type == TYPE_ISOC && (xhci->quirks & XHCI_AMD_0x96_HOST));
}
/* xHCI debugging */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 670/737] usb: xhci: Apply the link chain quirk on NEC isoc endpoints
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (668 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 669/737] usb: xhci: move link chain bit quirk checks into one helper function Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 671/737] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF Greg Kroah-Hartman
` (77 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Pecio, Mathias Nyman,
Shivani Agarwal
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Pecio <michal.pecio@gmail.com>
commit bb0ba4cb1065e87f9cc75db1fa454e56d0894d01 upstream.
Two clearly different specimens of NEC uPD720200 (one with start/stop
bug, one without) were seen to cause IOMMU faults after some Missed
Service Errors. Faulting address is immediately after a transfer ring
segment and patched dynamic debug messages revealed that the MSE was
received when waiting for a TD near the end of that segment:
[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0
[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]
[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]
It gets even funnier if the next page is a ring segment accessible to
the HC. Below, it reports MSE in segment at ff1e8000, plows through a
zero-filled page at ff1e9000 and starts reporting events for TRBs in
page at ff1ea000 every microframe, instead of jumping to seg ff1e6000.
[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.
[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
At some point completion events change from Isoch Buffer Overrun to
Short Packet and the HC finally finds cycle bit mismatch in ff1ec000.
[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2
It's possible that data from the isochronous device were written to
random buffers of pending TDs on other endpoints (either IN or OUT),
other devices or even other HCs in the same IOMMU domain.
Lastly, an error from a different USB device on another HC. Was it
caused by the above? I don't know, but it may have been. The disk
was working without any other issues and generated PCIe traffic to
starve the NEC of upstream BW and trigger those MSEs. The two HCs
shared one x1 slot by means of a commercial "PCIe splitter" board.
[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd
[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s
[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00
[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0
Fortunately, it appears that this ridiculous bug is avoided by setting
the chain bit of Link TRBs on isochronous rings. Other ancient HCs are
known which also expect the bit to be set and they ignore Link TRBs if
it's not. Reportedly, 0.95 spec guaranteed that the bit is set.
The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports
tens of MSEs per second and runs into the bug within seconds. Chaining
Link TRBs allows the same workload to run for many minutes, many times.
No negative side effects seen in UVC recording and UAC playback with a
few devices at full speed, high speed and SuperSpeed.
The problem doesn't reproduce on the newer Renesas uPD720201/uPD720202
and on old Etron EJ168 and VIA VL805 (but the VL805 has other bug).
[shorten line length of log snippets in commit messge -Mathias]
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250306144954.3507700-14-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Shivani: Modified to apply on 6.6.y]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.h | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1785,11 +1785,20 @@ static inline void xhci_write_64(struct
}
-/* Link TRB chain should always be set on 0.95 hosts, and AMD 0.96 ISOC rings */
+/*
+ * Reportedly, some chapters of v0.95 spec said that Link TRB always has its chain bit set.
+ * Other chapters and later specs say that it should only be set if the link is inside a TD
+ * which continues from the end of one segment to the next segment.
+ *
+ * Some 0.95 hardware was found to misbehave if any link TRB doesn't have the chain bit set.
+ *
+ * 0.96 hardware from AMD and NEC was found to ignore unchained isochronous link TRBs when
+ * "resynchronizing the pipe" after a Missed Service Error.
+ */
static inline bool xhci_link_chain_quirk(struct xhci_hcd *xhci, enum xhci_ring_type type)
{
return (xhci->quirks & XHCI_LINK_TRB_QUIRK) ||
- (type == TYPE_ISOC && (xhci->quirks & XHCI_AMD_0x96_HOST));
+ (type == TYPE_ISOC && (xhci->quirks & (XHCI_AMD_0x96_HOST | XHCI_NEC_HOST)));
}
/* xHCI debugging */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 671/737] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (669 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 670/737] usb: xhci: Apply the link chain quirk on NEC isoc endpoints Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 672/737] drm/amd/display: Fix null pointer deref in dcn20_resource.c Greg Kroah-Hartman
` (76 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, yan kang, yue sun,
Kuniyuki Iwashima, Stanislav Fomichev, Ido Schimmel,
Nikolay Aleksandrov, Paolo Abeni, Thadeu Lima de Souza Cascardo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit ed3ba9b6e280e14cc3148c1b226ba453f02fa76c upstream.
SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to
br_ioctl_call(), which causes unnecessary RTNL dance and the splat
below [0] under RTNL pressure.
Let's say Thread A is trying to detach a device from a bridge and
Thread B is trying to remove the bridge.
In dev_ioctl(), Thread A bumps the bridge device's refcnt by
netdev_hold() and releases RTNL because the following br_ioctl_call()
also re-acquires RTNL.
In the race window, Thread B could acquire RTNL and try to remove
the bridge device. Then, rtnl_unlock() by Thread B will release RTNL
and wait for netdev_put() by Thread A.
Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),
which may take long under RTNL pressure, resulting in the splat by
Thread B.
Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)
---------------------- ----------------------
sock_ioctl sock_ioctl
`- sock_do_ioctl `- br_ioctl_call
`- dev_ioctl `- br_ioctl_stub
|- rtnl_lock |
|- dev_ifsioc '
' |- dev = __dev_get_by_name(...)
|- netdev_hold(dev, ...) .
/ |- rtnl_unlock ------. |
| |- br_ioctl_call `---> |- rtnl_lock
Race | | `- br_ioctl_stub |- br_del_bridge
Window | | | |- dev = __dev_get_by_name(...)
| | | May take long | `- br_dev_delete(dev, ...)
| | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)
| | | | `- rtnl_unlock
\ | |- rtnl_lock <-' `- netdev_run_todo
| |- ... `- netdev_run_todo
| `- rtnl_unlock |- __rtnl_unlock
| |- netdev_wait_allrefs_any
|- netdev_put(dev, ...) <----------------'
Wait refcnt decrement
and log splat below
To avoid blocking SIOCBRDELBR unnecessarily, let's not call
dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.
In the dev_ioctl() path, we do the following:
1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()
2. Check CAP_NET_ADMIN in dev_ioctl()
3. Call dev_load() in dev_ioctl()
4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()
3. can be done by request_module() in br_ioctl_call(), so we move
1., 2., and 4. to br_ioctl_stub().
Note that 2. is also checked later in add_del_if(), but it's better
performed before RTNL.
SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since
the pre-git era, and there seems to be no specific reason to process
them there.
[0]:
unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
__netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
netdev_hold include/linux/netdevice.h:4311 [inline]
dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
sock_ioctl+0x23a/0x6c0 net/socket.c:1318
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 893b19587534 ("net: bridge: fix ioctl locking")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Reported-by: yan kang <kangyan91@outlook.com>
Reported-by: yue sun <samsun1006219@gmail.com>
Closes: https://lore.kernel.org/netdev/SY8P300MB0421225D54EB92762AE8F0F2A1D32@SY8P300MB0421.AUSP300.PROD.OUTLOOK.COM/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20250316192851.19781-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[cascardo: fixed conflict at dev_ifsioc]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/if_bridge.h | 6 ++----
net/bridge/br_ioctl.c | 36 +++++++++++++++++++++++++++++++++---
net/bridge/br_private.h | 3 +--
net/core/dev_ioctl.c | 16 ----------------
net/socket.c | 19 +++++++++----------
5 files changed, 45 insertions(+), 35 deletions(-)
--- a/include/linux/if_bridge.h
+++ b/include/linux/if_bridge.h
@@ -65,11 +65,9 @@ struct br_ip_list {
#define BR_DEFAULT_AGEING_TIME (300 * HZ)
struct net_bridge;
-void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br,
- unsigned int cmd, struct ifreq *ifr,
+void brioctl_set(int (*hook)(struct net *net, unsigned int cmd,
void __user *uarg));
-int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd,
- struct ifreq *ifr, void __user *uarg);
+int br_ioctl_call(struct net *net, unsigned int cmd, void __user *uarg);
#if IS_ENABLED(CONFIG_BRIDGE) && IS_ENABLED(CONFIG_BRIDGE_IGMP_SNOOPING)
int br_multicast_list_adjacent(struct net_device *dev,
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -394,10 +394,26 @@ static int old_deviceless(struct net *ne
return -EOPNOTSUPP;
}
-int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd,
- struct ifreq *ifr, void __user *uarg)
+int br_ioctl_stub(struct net *net, unsigned int cmd, void __user *uarg)
{
int ret = -EOPNOTSUPP;
+ struct ifreq ifr;
+
+ if (cmd == SIOCBRADDIF || cmd == SIOCBRDELIF) {
+ void __user *data;
+ char *colon;
+
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (get_user_ifreq(&ifr, &data, uarg))
+ return -EFAULT;
+
+ ifr.ifr_name[IFNAMSIZ - 1] = 0;
+ colon = strchr(ifr.ifr_name, ':');
+ if (colon)
+ *colon = 0;
+ }
rtnl_lock();
@@ -430,7 +446,21 @@ int br_ioctl_stub(struct net *net, struc
break;
case SIOCBRADDIF:
case SIOCBRDELIF:
- ret = add_del_if(br, ifr->ifr_ifindex, cmd == SIOCBRADDIF);
+ {
+ struct net_device *dev;
+
+ dev = __dev_get_by_name(net, ifr.ifr_name);
+ if (!dev || !netif_device_present(dev)) {
+ ret = -ENODEV;
+ break;
+ }
+ if (!netif_is_bridge_master(dev)) {
+ ret = -EOPNOTSUPP;
+ break;
+ }
+
+ ret = add_del_if(netdev_priv(dev), ifr.ifr_ifindex, cmd == SIOCBRADDIF);
+ }
break;
}
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -948,8 +948,7 @@ br_port_get_check_rtnl(const struct net_
/* br_ioctl.c */
int br_dev_siocdevprivate(struct net_device *dev, struct ifreq *rq,
void __user *data, int cmd);
-int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd,
- struct ifreq *ifr, void __user *uarg);
+int br_ioctl_stub(struct net *net, unsigned int cmd, void __user *uarg);
/* br_multicast.c */
#ifdef CONFIG_BRIDGE_IGMP_SNOOPING
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -517,7 +517,6 @@ static int dev_ifsioc(struct net *net, s
int err;
struct net_device *dev = __dev_get_by_name(net, ifr->ifr_name);
const struct net_device_ops *ops;
- netdevice_tracker dev_tracker;
if (!dev)
return -ENODEV;
@@ -580,19 +579,6 @@ static int dev_ifsioc(struct net *net, s
case SIOCWANDEV:
return dev_siocwandev(dev, &ifr->ifr_settings);
- case SIOCBRADDIF:
- case SIOCBRDELIF:
- if (!netif_device_present(dev))
- return -ENODEV;
- if (!netif_is_bridge_master(dev))
- return -EOPNOTSUPP;
- netdev_hold(dev, &dev_tracker, GFP_KERNEL);
- rtnl_unlock();
- err = br_ioctl_call(net, netdev_priv(dev), cmd, ifr, NULL);
- netdev_put(dev, &dev_tracker);
- rtnl_lock();
- return err;
-
case SIOCDEVPRIVATE ... SIOCDEVPRIVATE + 15:
return dev_siocdevprivate(dev, ifr, data, cmd);
@@ -773,8 +759,6 @@ int dev_ioctl(struct net *net, unsigned
case SIOCBONDRELEASE:
case SIOCBONDSETHWADDR:
case SIOCBONDCHANGEACTIVE:
- case SIOCBRADDIF:
- case SIOCBRDELIF:
case SIOCSHWTSTAMP:
if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
--- a/net/socket.c
+++ b/net/socket.c
@@ -1168,12 +1168,10 @@ static ssize_t sock_write_iter(struct ki
*/
static DEFINE_MUTEX(br_ioctl_mutex);
-static int (*br_ioctl_hook)(struct net *net, struct net_bridge *br,
- unsigned int cmd, struct ifreq *ifr,
+static int (*br_ioctl_hook)(struct net *net, unsigned int cmd,
void __user *uarg);
-void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br,
- unsigned int cmd, struct ifreq *ifr,
+void brioctl_set(int (*hook)(struct net *net, unsigned int cmd,
void __user *uarg))
{
mutex_lock(&br_ioctl_mutex);
@@ -1182,8 +1180,7 @@ void brioctl_set(int (*hook)(struct net
}
EXPORT_SYMBOL(brioctl_set);
-int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd,
- struct ifreq *ifr, void __user *uarg)
+int br_ioctl_call(struct net *net, unsigned int cmd, void __user *uarg)
{
int err = -ENOPKG;
@@ -1192,7 +1189,7 @@ int br_ioctl_call(struct net *net, struc
mutex_lock(&br_ioctl_mutex);
if (br_ioctl_hook)
- err = br_ioctl_hook(net, br, cmd, ifr, uarg);
+ err = br_ioctl_hook(net, cmd, uarg);
mutex_unlock(&br_ioctl_mutex);
return err;
@@ -1292,7 +1289,9 @@ static long sock_ioctl(struct file *file
case SIOCSIFBR:
case SIOCBRADDBR:
case SIOCBRDELBR:
- err = br_ioctl_call(net, NULL, cmd, NULL, argp);
+ case SIOCBRADDIF:
+ case SIOCBRDELIF:
+ err = br_ioctl_call(net, cmd, argp);
break;
case SIOCGIFVLAN:
case SIOCSIFVLAN:
@@ -3454,6 +3453,8 @@ static int compat_sock_ioctl_trans(struc
case SIOCGPGRP:
case SIOCBRADDBR:
case SIOCBRDELBR:
+ case SIOCBRADDIF:
+ case SIOCBRDELIF:
case SIOCGIFVLAN:
case SIOCSIFVLAN:
case SIOCGSKNS:
@@ -3493,8 +3494,6 @@ static int compat_sock_ioctl_trans(struc
case SIOCGIFPFLAGS:
case SIOCGIFTXQLEN:
case SIOCSIFTXQLEN:
- case SIOCBRADDIF:
- case SIOCBRDELIF:
case SIOCGIFNAME:
case SIOCSIFNAME:
case SIOCGMIIPHY:
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 672/737] drm/amd/display: Fix null pointer deref in dcn20_resource.c
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (670 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 671/737] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 673/737] LoongArch: Refactor register restoration in ftrace_common_return Greg Kroah-Hartman
` (75 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aurabindo Pillai, Rodrigo Siqueira,
Alex Deucher, David Nyström
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aurabindo Pillai <aurabindo.pillai@amd.com>
[ Upstream commit ecbf60782662f0a388493685b85a645a0ba1613c ]
Fixes a hang thats triggered when MPV is run on a DCN401 dGPU:
mpv --hwdec=vaapi --vo=gpu --hwdec-codecs=all
and then enabling fullscreen playback (double click on the video)
The following calltrace will be seen:
[ 181.843989] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 181.843997] #PF: supervisor instruction fetch in kernel mode
[ 181.844003] #PF: error_code(0x0010) - not-present page
[ 181.844009] PGD 0 P4D 0
[ 181.844020] Oops: 0010 [#1] PREEMPT SMP NOPTI
[ 181.844028] CPU: 6 PID: 1892 Comm: gnome-shell Tainted: G W OE 6.5.0-41-generic #41~22.04.2-Ubuntu
[ 181.844038] Hardware name: System manufacturer System Product Name/CROSSHAIR VI HERO, BIOS 6302 10/23/2018
[ 181.844044] RIP: 0010:0x0
[ 181.844079] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 181.844084] RSP: 0018:ffffb593c2b8f7b0 EFLAGS: 00010246
[ 181.844093] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000004
[ 181.844099] RDX: ffffb593c2b8f804 RSI: ffffb593c2b8f7e0 RDI: ffff9e3c8e758400
[ 181.844105] RBP: ffffb593c2b8f7b8 R08: ffffb593c2b8f9c8 R09: ffffb593c2b8f96c
[ 181.844110] R10: 0000000000000000 R11: 0000000000000000 R12: ffffb593c2b8f9c8
[ 181.844115] R13: 0000000000000001 R14: ffff9e3c88000000 R15: 0000000000000005
[ 181.844121] FS: 00007c6e323bb5c0(0000) GS:ffff9e3f85f80000(0000) knlGS:0000000000000000
[ 181.844128] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 181.844134] CR2: ffffffffffffffd6 CR3: 0000000140fbe000 CR4: 00000000003506e0
[ 181.844141] Call Trace:
[ 181.844146] <TASK>
[ 181.844153] ? show_regs+0x6d/0x80
[ 181.844167] ? __die+0x24/0x80
[ 181.844179] ? page_fault_oops+0x99/0x1b0
[ 181.844192] ? do_user_addr_fault+0x31d/0x6b0
[ 181.844204] ? exc_page_fault+0x83/0x1b0
[ 181.844216] ? asm_exc_page_fault+0x27/0x30
[ 181.844237] dcn20_get_dcc_compression_cap+0x23/0x30 [amdgpu]
[ 181.845115] amdgpu_dm_plane_validate_dcc.constprop.0+0xe5/0x180 [amdgpu]
[ 181.845985] amdgpu_dm_plane_fill_plane_buffer_attributes+0x300/0x580 [amdgpu]
[ 181.846848] fill_dc_plane_info_and_addr+0x258/0x350 [amdgpu]
[ 181.847734] fill_dc_plane_attributes+0x162/0x350 [amdgpu]
[ 181.848748] dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]
[ 181.849791] ? dm_update_plane_state.constprop.0+0x4e3/0x6b0 [amdgpu]
[ 181.850840] amdgpu_dm_atomic_check+0xdfe/0x1760 [amdgpu]
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_resource.c
@@ -2179,10 +2179,11 @@ bool dcn20_get_dcc_compression_cap(const
const struct dc_dcc_surface_param *input,
struct dc_surface_dcc_cap *output)
{
- return dc->res_pool->hubbub->funcs->get_dcc_compression_cap(
- dc->res_pool->hubbub,
- input,
- output);
+ if (dc->res_pool->hubbub->funcs->get_dcc_compression_cap)
+ return dc->res_pool->hubbub->funcs->get_dcc_compression_cap(
+ dc->res_pool->hubbub, input, output);
+
+ return false;
}
static void dcn20_destroy_resource_pool(struct resource_pool **pool)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 673/737] LoongArch: Refactor register restoration in ftrace_common_return
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (671 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 672/737] drm/amd/display: Fix null pointer deref in dcn20_resource.c Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 674/737] powerpc/64s/radix/kfence: map __kfence_pool at page granularity Greg Kroah-Hartman
` (74 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chenghao Duan, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chenghao Duan <duanchenghao@kylinos.cn>
commit 45cb47c628dfbd1994c619f3eac271a780602826 upstream.
Refactor the register restoration sequence in the ftrace_common_return
function to clearly distinguish between the logic of normal returns and
direct call returns in function tracing scenarios. The logic is as
follows:
1. In the case of a normal return, the execution flow returns to the
traced function, and ftrace must ensure that the register data is
consistent with the state when the function was entered.
ra = parent return address; t0 = traced function return address.
2. In the case of a direct call return, the execution flow jumps to the
custom trampoline function, and ftrace must ensure that the register
data is consistent with the state when ftrace was entered.
ra = traced function return address; t0 = parent return address.
Cc: stable@vger.kernel.org
Fixes: 9cdc3b6a299c ("LoongArch: ftrace: Add direct call support")
Signed-off-by: Chenghao Duan <duanchenghao@kylinos.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/mcount_dyn.S | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/arch/loongarch/kernel/mcount_dyn.S
+++ b/arch/loongarch/kernel/mcount_dyn.S
@@ -93,7 +93,6 @@ SYM_INNER_LABEL(ftrace_graph_call, SYM_L
* at the callsite, so there is no need to restore the T series regs.
*/
ftrace_common_return:
- PTR_L ra, sp, PT_R1
PTR_L a0, sp, PT_R4
PTR_L a1, sp, PT_R5
PTR_L a2, sp, PT_R6
@@ -103,12 +102,17 @@ ftrace_common_return:
PTR_L a6, sp, PT_R10
PTR_L a7, sp, PT_R11
PTR_L fp, sp, PT_R22
- PTR_L t0, sp, PT_ERA
PTR_L t1, sp, PT_R13
- PTR_ADDI sp, sp, PT_SIZE
bnez t1, .Ldirect
+
+ PTR_L ra, sp, PT_R1
+ PTR_L t0, sp, PT_ERA
+ PTR_ADDI sp, sp, PT_SIZE
jr t0
.Ldirect:
+ PTR_L t0, sp, PT_R1
+ PTR_L ra, sp, PT_ERA
+ PTR_ADDI sp, sp, PT_SIZE
jr t1
SYM_CODE_END(ftrace_common)
@@ -155,6 +159,8 @@ SYM_CODE_END(return_to_handler)
#ifdef CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS
SYM_CODE_START(ftrace_stub_direct_tramp)
- jr t0
+ move t1, ra
+ move ra, t0
+ jr t1
SYM_CODE_END(ftrace_stub_direct_tramp)
#endif /* CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 674/737] powerpc/64s/radix/kfence: map __kfence_pool at page granularity
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (672 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 673/737] LoongArch: Refactor register restoration in ftrace_common_return Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 675/737] ext4: fix error message when rejecting the default hash Greg Kroah-Hartman
` (73 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hari Bathini, Michael Ellerman,
Aboorva Devarajan
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hari Bathini <hbathini@linux.ibm.com>
commit 353d7a84c214f184d5a6b62acdec8b4424159b7c upstream.
When KFENCE is enabled, total system memory is mapped at page level
granularity. But in radix MMU mode, ~3GB additional memory is needed
to map 100GB of system memory at page level granularity when compared
to using 2MB direct mapping.This is not desired considering KFENCE is
designed to be enabled in production kernels [1].
Mapping only the memory allocated for KFENCE pool at page granularity is
sufficient to enable KFENCE support. So, allocate __kfence_pool during
bootup and map it at page granularity instead of mapping all system
memory at page granularity.
Without patch:
# cat /proc/meminfo
MemTotal: 101201920 kB
With patch:
# cat /proc/meminfo
MemTotal: 104483904 kB
Note that enabling KFENCE at runtime is disabled for radix MMU for now,
as it depends on the ability to split page table mappings and such APIs
are not currently implemented for radix MMU.
All kfence_test.c testcases passed with this patch.
[1] https://lore.kernel.org/all/20201103175841.3495947-2-elver@google.com/
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240701130021.578240-1-hbathini@linux.ibm.com
Cc: Aboorva Devarajan <aboorvad@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/kfence.h | 11 +++-
arch/powerpc/mm/book3s64/radix_pgtable.c | 84 +++++++++++++++++++++++++++++--
arch/powerpc/mm/init-common.c | 3 +
3 files changed, 93 insertions(+), 5 deletions(-)
--- a/arch/powerpc/include/asm/kfence.h
+++ b/arch/powerpc/include/asm/kfence.h
@@ -15,10 +15,19 @@
#define ARCH_FUNC_PREFIX "."
#endif
+#ifdef CONFIG_KFENCE
+extern bool kfence_disabled;
+
+static inline void disable_kfence(void)
+{
+ kfence_disabled = true;
+}
+
static inline bool arch_kfence_init_pool(void)
{
- return true;
+ return !kfence_disabled;
}
+#endif
#ifdef CONFIG_PPC64
static inline bool kfence_protect_page(unsigned long addr, bool protect)
--- a/arch/powerpc/mm/book3s64/radix_pgtable.c
+++ b/arch/powerpc/mm/book3s64/radix_pgtable.c
@@ -17,6 +17,7 @@
#include <linux/hugetlb.h>
#include <linux/string_helpers.h>
#include <linux/memory.h>
+#include <linux/kfence.h>
#include <asm/pgalloc.h>
#include <asm/mmu_context.h>
@@ -31,6 +32,7 @@
#include <asm/uaccess.h>
#include <asm/ultravisor.h>
#include <asm/set_memory.h>
+#include <asm/kfence.h>
#include <trace/events/thp.h>
@@ -293,7 +295,8 @@ static unsigned long next_boundary(unsig
static int __meminit create_physical_mapping(unsigned long start,
unsigned long end,
- int nid, pgprot_t _prot)
+ int nid, pgprot_t _prot,
+ unsigned long mapping_sz_limit)
{
unsigned long vaddr, addr, mapping_size = 0;
bool prev_exec, exec = false;
@@ -301,7 +304,10 @@ static int __meminit create_physical_map
int psize;
unsigned long max_mapping_size = memory_block_size;
- if (debug_pagealloc_enabled_or_kfence())
+ if (mapping_sz_limit < max_mapping_size)
+ max_mapping_size = mapping_sz_limit;
+
+ if (debug_pagealloc_enabled())
max_mapping_size = PAGE_SIZE;
start = ALIGN(start, PAGE_SIZE);
@@ -356,8 +362,74 @@ static int __meminit create_physical_map
return 0;
}
+#ifdef CONFIG_KFENCE
+static bool __ro_after_init kfence_early_init = !!CONFIG_KFENCE_SAMPLE_INTERVAL;
+
+static int __init parse_kfence_early_init(char *arg)
+{
+ int val;
+
+ if (get_option(&arg, &val))
+ kfence_early_init = !!val;
+ return 0;
+}
+early_param("kfence.sample_interval", parse_kfence_early_init);
+
+static inline phys_addr_t alloc_kfence_pool(void)
+{
+ phys_addr_t kfence_pool;
+
+ /*
+ * TODO: Support to enable KFENCE after bootup depends on the ability to
+ * split page table mappings. As such support is not currently
+ * implemented for radix pagetables, support enabling KFENCE
+ * only at system startup for now.
+ *
+ * After support for splitting mappings is available on radix,
+ * alloc_kfence_pool() & map_kfence_pool() can be dropped and
+ * mapping for __kfence_pool memory can be
+ * split during arch_kfence_init_pool().
+ */
+ if (!kfence_early_init)
+ goto no_kfence;
+
+ kfence_pool = memblock_phys_alloc(KFENCE_POOL_SIZE, PAGE_SIZE);
+ if (!kfence_pool)
+ goto no_kfence;
+
+ memblock_mark_nomap(kfence_pool, KFENCE_POOL_SIZE);
+ return kfence_pool;
+
+no_kfence:
+ disable_kfence();
+ return 0;
+}
+
+static inline void map_kfence_pool(phys_addr_t kfence_pool)
+{
+ if (!kfence_pool)
+ return;
+
+ if (create_physical_mapping(kfence_pool, kfence_pool + KFENCE_POOL_SIZE,
+ -1, PAGE_KERNEL, PAGE_SIZE))
+ goto err;
+
+ memblock_clear_nomap(kfence_pool, KFENCE_POOL_SIZE);
+ __kfence_pool = __va(kfence_pool);
+ return;
+
+err:
+ memblock_phys_free(kfence_pool, KFENCE_POOL_SIZE);
+ disable_kfence();
+}
+#else
+static inline phys_addr_t alloc_kfence_pool(void) { return 0; }
+static inline void map_kfence_pool(phys_addr_t kfence_pool) { }
+#endif
+
static void __init radix_init_pgtable(void)
{
+ phys_addr_t kfence_pool;
unsigned long rts_field;
phys_addr_t start, end;
u64 i;
@@ -365,6 +437,8 @@ static void __init radix_init_pgtable(vo
/* We don't support slb for radix */
slb_set_size(0);
+ kfence_pool = alloc_kfence_pool();
+
/*
* Create the linear mapping
*/
@@ -381,9 +455,11 @@ static void __init radix_init_pgtable(vo
}
WARN_ON(create_physical_mapping(start, end,
- -1, PAGE_KERNEL));
+ -1, PAGE_KERNEL, ~0UL));
}
+ map_kfence_pool(kfence_pool);
+
if (!cpu_has_feature(CPU_FTR_HVMODE) &&
cpu_has_feature(CPU_FTR_P9_RADIX_PREFETCH_BUG)) {
/*
@@ -875,7 +951,7 @@ int __meminit radix__create_section_mapp
}
return create_physical_mapping(__pa(start), __pa(end),
- nid, prot);
+ nid, prot, ~0UL);
}
int __meminit radix__remove_section_mapping(unsigned long start, unsigned long end)
--- a/arch/powerpc/mm/init-common.c
+++ b/arch/powerpc/mm/init-common.c
@@ -31,6 +31,9 @@ EXPORT_SYMBOL_GPL(kernstart_virt_addr);
bool disable_kuep = !IS_ENABLED(CONFIG_PPC_KUEP);
bool disable_kuap = !IS_ENABLED(CONFIG_PPC_KUAP);
+#ifdef CONFIG_KFENCE
+bool __ro_after_init kfence_disabled;
+#endif
static int __init parse_nosmep(char *p)
{
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 675/737] ext4: fix error message when rejecting the default hash
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (673 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 674/737] powerpc/64s/radix/kfence: map __kfence_pool at page granularity Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 676/737] ext4: introduce ITAIL helper Greg Kroah-Hartman
` (72 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabriel Krisman Bertazi,
Theodore Tso, Ankan Biswas
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriel Krisman Bertazi <krisman@suse.de>
[ Upstream commit a2187431c395cdfbf144e3536f25468c64fc7cfa ]
Commit 985b67cd8639 ("ext4: filesystems without casefold feature cannot
be mounted with siphash") properly rejects volumes where
s_def_hash_version is set to DX_HASH_SIPHASH, but the check and the
error message should not look into casefold setup - a filesystem should
never have DX_HASH_SIPHASH as the default hash. Fix it and, since we
are there, move the check to ext4_hash_info_init.
Fixes:985b67cd8639 ("ext4: filesystems without casefold feature cannot
be mounted with siphash")
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Link: https://patch.msgid.link/87jzg1en6j.fsf_-_@mailhost.krisman.be
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[ The commit a2187431c395 intended to remove the if-block which was used
for an old SIPHASH rejection check. ]
Signed-off-by: Ankan Biswas <spyjetfayed@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ext4.h | 1 +
fs/ext4/super.c | 20 +++++++++++++++++---
2 files changed, 18 insertions(+), 3 deletions(-)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2459,6 +2459,7 @@ static inline __le16 ext4_rec_len_to_dis
#define DX_HASH_HALF_MD4_UNSIGNED 4
#define DX_HASH_TEA_UNSIGNED 5
#define DX_HASH_SIPHASH 6
+#define DX_HASH_LAST DX_HASH_SIPHASH
static inline u32 ext4_chksum(struct ext4_sb_info *sbi, u32 crc,
const void *address, unsigned int length)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5140,16 +5140,27 @@ out:
return ret;
}
-static void ext4_hash_info_init(struct super_block *sb)
+static int ext4_hash_info_init(struct super_block *sb)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_super_block *es = sbi->s_es;
unsigned int i;
+ sbi->s_def_hash_version = es->s_def_hash_version;
+
+ if (sbi->s_def_hash_version > DX_HASH_LAST) {
+ ext4_msg(sb, KERN_ERR,
+ "Invalid default hash set in the superblock");
+ return -EINVAL;
+ } else if (sbi->s_def_hash_version == DX_HASH_SIPHASH) {
+ ext4_msg(sb, KERN_ERR,
+ "SIPHASH is not a valid default hash value");
+ return -EINVAL;
+ }
+
for (i = 0; i < 4; i++)
sbi->s_hash_seed[i] = le32_to_cpu(es->s_hash_seed[i]);
- sbi->s_def_hash_version = es->s_def_hash_version;
if (ext4_has_feature_dir_index(sb)) {
i = le32_to_cpu(es->s_flags);
if (i & EXT2_FLAGS_UNSIGNED_HASH)
@@ -5167,6 +5178,7 @@ static void ext4_hash_info_init(struct s
#endif
}
}
+ return 0;
}
static int ext4_block_group_meta_init(struct super_block *sb, int silent)
@@ -5311,7 +5323,9 @@ static int __ext4_fill_super(struct fs_c
if (err)
goto failed_mount;
- ext4_hash_info_init(sb);
+ err = ext4_hash_info_init(sb);
+ if (err)
+ goto failed_mount;
err = ext4_handle_clustersize(sb);
if (err)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 676/737] ext4: introduce ITAIL helper
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (674 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 675/737] ext4: fix error message when rejecting the default hash Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 677/737] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
` (71 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso,
David Nyström
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 69f3a3039b0d0003de008659cafd5a1eaaa0a7a4 ]
Introduce ITAIL helper to get the bound of xattr in inode.
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250208063141.1539283-2-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 10 +++++-----
fs/ext4/xattr.h | 3 +++
2 files changed, 8 insertions(+), 5 deletions(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -653,7 +653,7 @@ ext4_xattr_ibody_get(struct inode *inode
return error;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ end = ITAIL(inode, raw_inode);
error = xattr_check_inode(inode, header, end);
if (error)
goto cleanup;
@@ -797,7 +797,7 @@ ext4_xattr_ibody_list(struct dentry *den
return error;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ end = ITAIL(inode, raw_inode);
error = xattr_check_inode(inode, header, end);
if (error)
goto cleanup;
@@ -883,7 +883,7 @@ int ext4_get_inode_usage(struct inode *i
goto out;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ end = ITAIL(inode, raw_inode);
ret = xattr_check_inode(inode, header, end);
if (ret)
goto out;
@@ -2248,7 +2248,7 @@ int ext4_xattr_ibody_find(struct inode *
header = IHDR(inode, raw_inode);
is->s.base = is->s.first = IFIRST(header);
is->s.here = is->s.first;
- is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ is->s.end = ITAIL(inode, raw_inode);
if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
error = xattr_check_inode(inode, header, is->s.end);
if (error)
@@ -2799,7 +2799,7 @@ retry:
*/
base = IFIRST(header);
- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ end = ITAIL(inode, raw_inode);
min_offs = end - base;
total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
--- a/fs/ext4/xattr.h
+++ b/fs/ext4/xattr.h
@@ -68,6 +68,9 @@ struct ext4_xattr_entry {
((void *)raw_inode + \
EXT4_GOOD_OLD_INODE_SIZE + \
EXT4_I(inode)->i_extra_isize))
+#define ITAIL(inode, raw_inode) \
+ ((void *)(raw_inode) + \
+ EXT4_SB((inode)->i_sb)->s_inode_size)
#define IFIRST(hdr) ((struct ext4_xattr_entry *)((hdr)+1))
/*
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 677/737] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (675 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 676/737] ext4: introduce ITAIL helper Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 678/737] xfrm: state: fix out-of-bounds read during lookup Greg Kroah-Hartman
` (70 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso,
David Nyström
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 5701875f9609b000d91351eaa6bfd97fe2f157f4 ]
There's issue as follows:
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172
CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0xbe/0xfd lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
evict+0x39f/0x880 fs/inode.c:622
iput_final fs/inode.c:1746 [inline]
iput fs/inode.c:1772 [inline]
iput+0x525/0x6c0 fs/inode.c:1758
ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
mount_bdev+0x355/0x410 fs/super.c:1446
legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
do_new_mount fs/namespace.c:2983 [inline]
path_mount+0x119a/0x1ad0 fs/namespace.c:3316
do_mount+0xfc/0x110 fs/namespace.c:3329
__do_sys_mount fs/namespace.c:3540 [inline]
__se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Memory state around the buggy address:
ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Above issue happens as ext4_xattr_delete_inode() isn't check xattr
is valid if xattr is in inode.
To solve above issue call xattr_check_inode() check if xattr if valid
in inode. In fact, we can directly verify in ext4_iget_extra_inode(),
so that there is no divergent verification.
Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250208063141.1539283-3-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 5 +++++
fs/ext4/xattr.c | 26 +-------------------------
fs/ext4/xattr.h | 7 +++++++
3 files changed, 13 insertions(+), 25 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4728,6 +4728,11 @@ static inline int ext4_iget_extra_inode(
*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
int err;
+ err = xattr_check_inode(inode, IHDR(inode, raw_inode),
+ ITAIL(inode, raw_inode));
+ if (err)
+ return err;
+
ext4_set_inode_state(inode, EXT4_STATE_XATTR);
err = ext4_find_inline_data_nolock(inode);
if (!err && ext4_has_inline_data(inode))
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -312,7 +312,7 @@ __ext4_xattr_check_block(struct inode *i
__ext4_xattr_check_block((inode), (bh), __func__, __LINE__)
-static inline int
+int
__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
void *end, const char *function, unsigned int line)
{
@@ -320,9 +320,6 @@ __xattr_check_inode(struct inode *inode,
function, line);
}
-#define xattr_check_inode(inode, header, end) \
- __xattr_check_inode((inode), (header), (end), __func__, __LINE__)
-
static int
xattr_find_entry(struct inode *inode, struct ext4_xattr_entry **pentry,
void *end, int name_index, const char *name, int sorted)
@@ -654,9 +651,6 @@ ext4_xattr_ibody_get(struct inode *inode
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
end = ITAIL(inode, raw_inode);
- error = xattr_check_inode(inode, header, end);
- if (error)
- goto cleanup;
entry = IFIRST(header);
error = xattr_find_entry(inode, &entry, end, name_index, name, 0);
if (error)
@@ -787,7 +781,6 @@ ext4_xattr_ibody_list(struct dentry *den
struct ext4_xattr_ibody_header *header;
struct ext4_inode *raw_inode;
struct ext4_iloc iloc;
- void *end;
int error;
if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR))
@@ -797,14 +790,9 @@ ext4_xattr_ibody_list(struct dentry *den
return error;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = ITAIL(inode, raw_inode);
- error = xattr_check_inode(inode, header, end);
- if (error)
- goto cleanup;
error = ext4_xattr_list_entries(dentry, IFIRST(header),
buffer, buffer_size);
-cleanup:
brelse(iloc.bh);
return error;
}
@@ -872,7 +860,6 @@ int ext4_get_inode_usage(struct inode *i
struct ext4_xattr_ibody_header *header;
struct ext4_xattr_entry *entry;
qsize_t ea_inode_refs = 0;
- void *end;
int ret;
lockdep_assert_held_read(&EXT4_I(inode)->xattr_sem);
@@ -883,10 +870,6 @@ int ext4_get_inode_usage(struct inode *i
goto out;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = ITAIL(inode, raw_inode);
- ret = xattr_check_inode(inode, header, end);
- if (ret)
- goto out;
for (entry = IFIRST(header); !IS_LAST_ENTRY(entry);
entry = EXT4_XATTR_NEXT(entry))
@@ -2250,9 +2233,6 @@ int ext4_xattr_ibody_find(struct inode *
is->s.here = is->s.first;
is->s.end = ITAIL(inode, raw_inode);
if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
- error = xattr_check_inode(inode, header, is->s.end);
- if (error)
- return error;
/* Find the named attribute. */
error = xattr_find_entry(inode, &is->s.here, is->s.end,
i->name_index, i->name, 0);
@@ -2803,10 +2783,6 @@ retry:
min_offs = end - base;
total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
- error = xattr_check_inode(inode, header, end);
- if (error)
- goto cleanup;
-
ifree = ext4_xattr_free_space(base, &min_offs, base, &total_ino);
if (ifree >= isize_diff)
goto shift;
--- a/fs/ext4/xattr.h
+++ b/fs/ext4/xattr.h
@@ -210,6 +210,13 @@ extern int ext4_xattr_ibody_set(handle_t
extern struct mb_cache *ext4_xattr_create_cache(void);
extern void ext4_xattr_destroy_cache(struct mb_cache *);
+extern int
+__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
+ void *end, const char *function, unsigned int line);
+
+#define xattr_check_inode(inode, header, end) \
+ __xattr_check_inode((inode), (header), (end), __func__, __LINE__)
+
#ifdef CONFIG_EXT4_FS_SECURITY
extern int ext4_init_security(handle_t *handle, struct inode *inode,
struct inode *dir, const struct qstr *qstr);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 678/737] xfrm: state: fix out-of-bounds read during lookup
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (676 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 677/737] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 679/737] page_pool: Fix use-after-free in page_pool_recycle_in_ring Greg Kroah-Hartman
` (69 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+5f9f31cb7d985f584d8e,
Florian Westphal, Steffen Klassert, Rajani Kantha, Dmitry Vyukov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit e952837f3ddb0ff726d5b582aa1aad9aa38d024d ]
lookup and resize can run in parallel.
The xfrm_state_hash_generation seqlock ensures a retry, but the hash
functions can observe a hmask value that is too large for the new hlist
array.
rehash does:
rcu_assign_pointer(net->xfrm.state_bydst, ndst) [..]
net->xfrm.state_hmask = nhashmask;
While state lookup does:
h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family);
hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) {
This is only safe in case the update to state_bydst is larger than
net->xfrm.xfrm_state_hmask (or if the lookup function gets
serialized via state spinlock again).
Fix this by prefetching state_hmask and the associated pointers.
The xfrm_state_hash_generation seqlock retry will ensure that the pointer
and the hmask will be consistent.
The existing helpers, like xfrm_dst_hash(), are now unsafe for RCU side,
add lockdep assertions to document that they are only safe for insert
side.
xfrm_state_lookup_byaddr() uses the spinlock rather than RCU.
AFAICS this is an oversight from back when state lookup was converted to
RCU, this lock should be replaced with RCU in a future patch.
Reported-by: syzbot+5f9f31cb7d985f584d8e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/CACT4Y+azwfrE3uz6A5ZErov5YN2LYBN5KrsymBerT36VU8qzBA@mail.gmail.com/
Diagnosed-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: c2f672fc9464 ("xfrm: state lookup can be lockless")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
[ Minor context change fixed ]
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_state.c | 84 +++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 66 insertions(+), 18 deletions(-)
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -34,6 +34,8 @@
#define xfrm_state_deref_prot(table, net) \
rcu_dereference_protected((table), lockdep_is_held(&(net)->xfrm.xfrm_state_lock))
+#define xfrm_state_deref_check(table, net) \
+ rcu_dereference_check((table), lockdep_is_held(&(net)->xfrm.xfrm_state_lock))
static void xfrm_state_gc_task(struct work_struct *work);
@@ -62,6 +64,8 @@ static inline unsigned int xfrm_dst_hash
u32 reqid,
unsigned short family)
{
+ lockdep_assert_held(&net->xfrm.xfrm_state_lock);
+
return __xfrm_dst_hash(daddr, saddr, reqid, family, net->xfrm.state_hmask);
}
@@ -70,6 +74,8 @@ static inline unsigned int xfrm_src_hash
const xfrm_address_t *saddr,
unsigned short family)
{
+ lockdep_assert_held(&net->xfrm.xfrm_state_lock);
+
return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask);
}
@@ -77,11 +83,15 @@ static inline unsigned int
xfrm_spi_hash(struct net *net, const xfrm_address_t *daddr,
__be32 spi, u8 proto, unsigned short family)
{
+ lockdep_assert_held(&net->xfrm.xfrm_state_lock);
+
return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask);
}
static unsigned int xfrm_seq_hash(struct net *net, u32 seq)
{
+ lockdep_assert_held(&net->xfrm.xfrm_state_lock);
+
return __xfrm_seq_hash(seq, net->xfrm.state_hmask);
}
@@ -1025,16 +1035,38 @@ xfrm_init_tempstate(struct xfrm_state *x
x->props.family = tmpl->encap_family;
}
-static struct xfrm_state *__xfrm_state_lookup_all(struct net *net, u32 mark,
+struct xfrm_hash_state_ptrs {
+ const struct hlist_head *bydst;
+ const struct hlist_head *bysrc;
+ const struct hlist_head *byspi;
+ unsigned int hmask;
+};
+
+static void xfrm_hash_ptrs_get(const struct net *net, struct xfrm_hash_state_ptrs *ptrs)
+{
+ unsigned int sequence;
+
+ do {
+ sequence = read_seqcount_begin(&net->xfrm.xfrm_state_hash_generation);
+
+ ptrs->bydst = xfrm_state_deref_check(net->xfrm.state_bydst, net);
+ ptrs->bysrc = xfrm_state_deref_check(net->xfrm.state_bysrc, net);
+ ptrs->byspi = xfrm_state_deref_check(net->xfrm.state_byspi, net);
+ ptrs->hmask = net->xfrm.state_hmask;
+ } while (read_seqcount_retry(&net->xfrm.xfrm_state_hash_generation, sequence));
+}
+
+static struct xfrm_state *__xfrm_state_lookup_all(const struct xfrm_hash_state_ptrs *state_ptrs,
+ u32 mark,
const xfrm_address_t *daddr,
__be32 spi, u8 proto,
unsigned short family,
struct xfrm_dev_offload *xdo)
{
- unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family);
+ unsigned int h = __xfrm_spi_hash(daddr, spi, proto, family, state_ptrs->hmask);
struct xfrm_state *x;
- hlist_for_each_entry_rcu(x, net->xfrm.state_byspi + h, byspi) {
+ hlist_for_each_entry_rcu(x, state_ptrs->byspi + h, byspi) {
#ifdef CONFIG_XFRM_OFFLOAD
if (xdo->type == XFRM_DEV_OFFLOAD_PACKET) {
if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
@@ -1068,15 +1100,16 @@ static struct xfrm_state *__xfrm_state_l
return NULL;
}
-static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark,
+static struct xfrm_state *__xfrm_state_lookup(const struct xfrm_hash_state_ptrs *state_ptrs,
+ u32 mark,
const xfrm_address_t *daddr,
__be32 spi, u8 proto,
unsigned short family)
{
- unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family);
+ unsigned int h = __xfrm_spi_hash(daddr, spi, proto, family, state_ptrs->hmask);
struct xfrm_state *x;
- hlist_for_each_entry_rcu(x, net->xfrm.state_byspi + h, byspi) {
+ hlist_for_each_entry_rcu(x, state_ptrs->byspi + h, byspi) {
if (x->props.family != family ||
x->id.spi != spi ||
x->id.proto != proto ||
@@ -1093,15 +1126,16 @@ static struct xfrm_state *__xfrm_state_l
return NULL;
}
-static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, u32 mark,
+static struct xfrm_state *__xfrm_state_lookup_byaddr(const struct xfrm_hash_state_ptrs *state_ptrs,
+ u32 mark,
const xfrm_address_t *daddr,
const xfrm_address_t *saddr,
u8 proto, unsigned short family)
{
- unsigned int h = xfrm_src_hash(net, daddr, saddr, family);
+ unsigned int h = __xfrm_src_hash(daddr, saddr, family, state_ptrs->hmask);
struct xfrm_state *x;
- hlist_for_each_entry_rcu(x, net->xfrm.state_bysrc + h, bysrc) {
+ hlist_for_each_entry_rcu(x, state_ptrs->bysrc + h, bysrc) {
if (x->props.family != family ||
x->id.proto != proto ||
!xfrm_addr_equal(&x->id.daddr, daddr, family) ||
@@ -1121,14 +1155,17 @@ static struct xfrm_state *__xfrm_state_l
static inline struct xfrm_state *
__xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
{
+ struct xfrm_hash_state_ptrs state_ptrs;
struct net *net = xs_net(x);
u32 mark = x->mark.v & x->mark.m;
+ xfrm_hash_ptrs_get(net, &state_ptrs);
+
if (use_spi)
- return __xfrm_state_lookup(net, mark, &x->id.daddr,
+ return __xfrm_state_lookup(&state_ptrs, mark, &x->id.daddr,
x->id.spi, x->id.proto, family);
else
- return __xfrm_state_lookup_byaddr(net, mark,
+ return __xfrm_state_lookup_byaddr(&state_ptrs, mark,
&x->id.daddr,
&x->props.saddr,
x->id.proto, family);
@@ -1191,6 +1228,7 @@ xfrm_state_find(const xfrm_address_t *da
unsigned short family, u32 if_id)
{
static xfrm_address_t saddr_wildcard = { };
+ struct xfrm_hash_state_ptrs state_ptrs;
struct net *net = xp_net(pol);
unsigned int h, h_wildcard;
struct xfrm_state *x, *x0, *to_put;
@@ -1207,8 +1245,10 @@ xfrm_state_find(const xfrm_address_t *da
sequence = read_seqcount_begin(&net->xfrm.xfrm_state_hash_generation);
rcu_read_lock();
- h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family);
- hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) {
+ xfrm_hash_ptrs_get(net, &state_ptrs);
+
+ h = __xfrm_dst_hash(daddr, saddr, tmpl->reqid, encap_family, state_ptrs.hmask);
+ hlist_for_each_entry_rcu(x, state_ptrs.bydst + h, bydst) {
#ifdef CONFIG_XFRM_OFFLOAD
if (pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET) {
if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
@@ -1241,8 +1281,9 @@ xfrm_state_find(const xfrm_address_t *da
if (best || acquire_in_progress)
goto found;
- h_wildcard = xfrm_dst_hash(net, daddr, &saddr_wildcard, tmpl->reqid, encap_family);
- hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h_wildcard, bydst) {
+ h_wildcard = __xfrm_dst_hash(daddr, &saddr_wildcard, tmpl->reqid,
+ encap_family, state_ptrs.hmask);
+ hlist_for_each_entry_rcu(x, state_ptrs.bydst + h_wildcard, bydst) {
#ifdef CONFIG_XFRM_OFFLOAD
if (pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET) {
if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
@@ -1277,7 +1318,7 @@ found:
x = best;
if (!x && !error && !acquire_in_progress) {
if (tmpl->id.spi &&
- (x0 = __xfrm_state_lookup_all(net, mark, daddr,
+ (x0 = __xfrm_state_lookup_all(&state_ptrs, mark, daddr,
tmpl->id.spi, tmpl->id.proto,
encap_family,
&pol->xdo)) != NULL) {
@@ -2032,10 +2073,13 @@ struct xfrm_state *
xfrm_state_lookup(struct net *net, u32 mark, const xfrm_address_t *daddr, __be32 spi,
u8 proto, unsigned short family)
{
+ struct xfrm_hash_state_ptrs state_ptrs;
struct xfrm_state *x;
rcu_read_lock();
- x = __xfrm_state_lookup(net, mark, daddr, spi, proto, family);
+ xfrm_hash_ptrs_get(net, &state_ptrs);
+
+ x = __xfrm_state_lookup(&state_ptrs, mark, daddr, spi, proto, family);
rcu_read_unlock();
return x;
}
@@ -2046,10 +2090,14 @@ xfrm_state_lookup_byaddr(struct net *net
const xfrm_address_t *daddr, const xfrm_address_t *saddr,
u8 proto, unsigned short family)
{
+ struct xfrm_hash_state_ptrs state_ptrs;
struct xfrm_state *x;
spin_lock_bh(&net->xfrm.xfrm_state_lock);
- x = __xfrm_state_lookup_byaddr(net, mark, daddr, saddr, proto, family);
+
+ xfrm_hash_ptrs_get(net, &state_ptrs);
+
+ x = __xfrm_state_lookup_byaddr(&state_ptrs, mark, daddr, saddr, proto, family);
spin_unlock_bh(&net->xfrm.xfrm_state_lock);
return x;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 679/737] page_pool: Fix use-after-free in page_pool_recycle_in_ring
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (677 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 678/737] xfrm: state: fix out-of-bounds read during lookup Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 680/737] net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() Greg Kroah-Hartman
` (68 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski,
syzbot+204a4382fcb3311f3858, Dong Chenchen,
Toke Høiland-Jørgensen, Mina Almasry, Ruohan Lan
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dong Chenchen <dongchenchen2@huawei.com>
[ Upstream commit 271683bb2cf32e5126c592b5d5e6a756fa374fd9 ]
syzbot reported a uaf in page_pool_recycle_in_ring:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943
CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]
_raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]
page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]
page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826
page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]
page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]
napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036
skb_pp_recycle net/core/skbuff.c:1047 [inline]
skb_free_head net/core/skbuff.c:1094 [inline]
skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242
kfree_skb_reason include/linux/skbuff.h:1263 [inline]
__skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]
root cause is:
page_pool_recycle_in_ring
ptr_ring_produce
spin_lock(&r->producer_lock);
WRITE_ONCE(r->queue[r->producer++], ptr)
//recycle last page to pool
page_pool_release
page_pool_scrub
page_pool_empty_ring
ptr_ring_consume
page_pool_return_page //release all page
__page_pool_destroy
free_percpu(pool->recycle_stats);
free(pool) //free
spin_unlock(&r->producer_lock); //pool->ring uaf read
recycle_stat_inc(pool, ring);
page_pool can be free while page pool recycle the last page in ring.
Add producer-lock barrier to page_pool_release to prevent the page
pool from being free before all pages have been recycled.
recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not
enabled, which will trigger Wempty-body build warning. Add definition
for pool stat macro to fix warning.
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/netdev/20250513083123.3514193-1-dongchenchen2@huawei.com
Fixes: ff7d6b27f894 ("page_pool: refurbish version of page_pool code")
Reported-by: syzbot+204a4382fcb3311f3858@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=204a4382fcb3311f3858
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Link: https://patch.msgid.link/20250527114152.3119109-1-dongchenchen2@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Minor context change fixed. ]
Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/page_pool.c | 27 ++++++++++++++-------------
1 file changed, 14 insertions(+), 13 deletions(-)
--- a/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -140,9 +140,9 @@ u64 *page_pool_ethtool_stats_get(u64 *da
EXPORT_SYMBOL(page_pool_ethtool_stats_get);
#else
-#define alloc_stat_inc(pool, __stat)
-#define recycle_stat_inc(pool, __stat)
-#define recycle_stat_add(pool, __stat, val)
+#define alloc_stat_inc(...) do { } while (0)
+#define recycle_stat_inc(...) do { } while (0)
+#define recycle_stat_add(...) do { } while (0)
#endif
static bool page_pool_producer_lock(struct page_pool *pool)
@@ -549,19 +549,16 @@ skip_dma_unmap:
static bool page_pool_recycle_in_ring(struct page_pool *pool, struct page *page)
{
- int ret;
- /* BH protection not needed if current is softirq */
- if (in_softirq())
- ret = ptr_ring_produce(&pool->ring, page);
- else
- ret = ptr_ring_produce_bh(&pool->ring, page);
+ bool in_softirq, ret;
- if (!ret) {
+ /* BH protection not needed if current is softirq */
+ in_softirq = page_pool_producer_lock(pool);
+ ret = !__ptr_ring_produce(&pool->ring, page);
+ if (ret)
recycle_stat_inc(pool, ring);
- return true;
- }
+ page_pool_producer_unlock(pool, in_softirq);
- return false;
+ return ret;
}
/* Only allow direct recycling in special circumstances, into the
@@ -850,10 +847,14 @@ static void page_pool_scrub(struct page_
static int page_pool_release(struct page_pool *pool)
{
+ bool in_softirq;
int inflight;
page_pool_scrub(pool);
inflight = page_pool_inflight(pool);
+ /* Acquire producer lock to make sure producers have exited. */
+ in_softirq = page_pool_producer_lock(pool);
+ page_pool_producer_unlock(pool, in_softirq);
if (!inflight)
page_pool_free(pool);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 680/737] net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (678 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 679/737] page_pool: Fix use-after-free in page_pool_recycle_in_ring Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 681/737] mm: fix arithmetic for bdi min_ratio Greg Kroah-Hartman
` (67 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Simon Horman,
Jakub Kicinski, Chen Yu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 5f2b28b79d2d1946ee36ad8b3dc0066f73c90481 ]
There are actually 2 problems:
- deleting the last element doesn't require the memmove of elements
[i + 1, end) over it. Actually, element i+1 is out of bounds.
- The memmove itself should move size - i - 1 elements, because the last
element is out of bounds.
The out-of-bounds element still remains out of bounds after being
accessed, so the problem is only that we touch it, not that it becomes
in active use. But I suppose it can lead to issues if the out-of-bounds
element is part of an unmapped page.
Fixes: 6666cebc5e30 ("net: dsa: sja1105: Add support for VLAN operations")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20250318115716.2124395-4-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Chen Yu <xnguchen@sina.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/sja1105/sja1105_static_config.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/net/dsa/sja1105/sja1105_static_config.c
+++ b/drivers/net/dsa/sja1105/sja1105_static_config.c
@@ -1921,8 +1921,10 @@ int sja1105_table_delete_entry(struct sj
if (i > table->entry_count)
return -ERANGE;
- memmove(entries + i * entry_size, entries + (i + 1) * entry_size,
- (table->entry_count - i) * entry_size);
+ if (i + 1 < table->entry_count) {
+ memmove(entries + i * entry_size, entries + (i + 1) * entry_size,
+ (table->entry_count - i - 1) * entry_size);
+ }
table->entry_count--;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 681/737] mm: fix arithmetic for bdi min_ratio
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (679 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 680/737] net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 682/737] mm: fix arithmetic for max_prop_frac when setting max_ratio Greg Kroah-Hartman
` (66 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, jefflexu, Joseph Qi,
Matthew Wilcox (Oracle), Stefan Roesch, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jingbo Xu <jefflexu@linux.alibaba.com>
commit e0646b7590084a5bf3b056d3ad871d9379d2c25a upstream.
Since now bdi->min_ratio is part per million, fix the wrong arithmetic.
Otherwise it will fail with -EINVAL when setting a reasonable min_ratio,
as it tries to set min_ratio to (min_ratio * BDI_RATIO_SCALE) in
percentage unit, which exceeds 100% anyway.
# cat /sys/class/bdi/253\:0/min_ratio
0
# cat /sys/class/bdi/253\:0/max_ratio
100
# echo 1 > /sys/class/bdi/253\:0/min_ratio
-bash: echo: write error: Invalid argument
Link: https://lkml.kernel.org/r/20231219142508.86265-2-jefflexu@linux.alibaba.com
Fixes: 8021fb3232f2 ("mm: split off __bdi_set_min_ratio() function")
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Reported-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Stefan Roesch <shr@devkernel.io>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page-writeback.c | 1 -
1 file changed, 1 deletion(-)
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -714,7 +714,6 @@ static int __bdi_set_min_ratio(struct ba
if (min_ratio > 100 * BDI_RATIO_SCALE)
return -EINVAL;
- min_ratio *= BDI_RATIO_SCALE;
spin_lock_bh(&bdi_lock);
if (min_ratio > bdi->max_ratio) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 682/737] mm: fix arithmetic for max_prop_frac when setting max_ratio
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (680 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 681/737] mm: fix arithmetic for bdi min_ratio Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 683/737] genirq/irq_sim: Initialize work context pointers properly Greg Kroah-Hartman
` (65 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, jefflexu, Joseph Qi,
Matthew Wilcox (Oracle), Stefan Roesch, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jingbo Xu <jefflexu@linux.alibaba.com>
commit fa151a39a6879144b587f35c0dfcc15e1be9450f upstream.
Since now bdi->max_ratio is part per million, fix the wrong arithmetic for
max_prop_frac when setting max_ratio. Otherwise the miscalculated
max_prop_frac will affect the incrementing of writeout completion count
when max_ratio is not 100%.
Link: https://lkml.kernel.org/r/20231219142508.86265-3-jefflexu@linux.alibaba.com
Fixes: efc3e6ad53ea ("mm: split off __bdi_set_max_ratio() function")
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Stefan Roesch <shr@devkernel.io>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page-writeback.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -750,7 +750,8 @@ static int __bdi_set_max_ratio(struct ba
ret = -EINVAL;
} else {
bdi->max_ratio = max_ratio;
- bdi->max_prop_frac = (FPROP_FRAC_BASE * max_ratio) / 100;
+ bdi->max_prop_frac = (FPROP_FRAC_BASE * max_ratio) /
+ (100 * BDI_RATIO_SCALE);
}
spin_unlock_bh(&bdi_lock);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 683/737] genirq/irq_sim: Initialize work context pointers properly
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (681 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 682/737] mm: fix arithmetic for max_prop_frac when setting max_ratio Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 684/737] f2fs: remove unused GC_FAILURE_PIN Greg Kroah-Hartman
` (64 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gyeyoung Baek, Thomas Gleixner,
Rahul Sharma
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gyeyoung Baek <gye976@gmail.com>
[ Upstream commit 8a2277a3c9e4cc5398f80821afe7ecbe9bdf2819 ]
Initialize `ops` member's pointers properly by using kzalloc() instead of
kmalloc() when allocating the simulation work context. Otherwise the
pointers contain random content leading to invalid dereferencing.
Signed-off-by: Gyeyoung Baek <gye976@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20250612124827.63259-1-gye976@gmail.com
[ The context change is due to the commit 011f583781fa
("genirq/irq_sim: add an extended irq_sim initializer")
which is irrelevant to the logic of this patch. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/irq/irq_sim.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/irq/irq_sim.c
+++ b/kernel/irq/irq_sim.c
@@ -166,7 +166,7 @@ struct irq_domain *irq_domain_create_sim
{
struct irq_sim_work_ctx *work_ctx;
- work_ctx = kmalloc(sizeof(*work_ctx), GFP_KERNEL);
+ work_ctx = kzalloc(sizeof(*work_ctx), GFP_KERNEL);
if (!work_ctx)
goto err_out;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 684/737] f2fs: remove unused GC_FAILURE_PIN
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (682 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 683/737] genirq/irq_sim: Initialize work context pointers properly Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 685/737] f2fs: keep POSIX_FADV_NOREUSE ranges Greg Kroah-Hartman
` (63 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 968c4f72b23c0c8f1e94e942eab89b8c5a3022e7 ]
After commit 3db1de0e582c ("f2fs: change the current atomic write way"),
we removed all GC_FAILURE_ATOMIC usage, let's change i_gc_failures[]
array to i_pin_failure for cleanup.
Meanwhile, let's define i_current_depth and i_gc_failures as union
variable due to they won't be valid at the same time.
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 10b591e7fb7c ("f2fs: fix to avoid updating compression context during writeback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 14 +++++---------
fs/f2fs/file.c | 12 +++++-------
fs/f2fs/inode.c | 6 ++----
fs/f2fs/recovery.c | 3 +--
4 files changed, 13 insertions(+), 22 deletions(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -762,11 +762,6 @@ enum {
#define DEF_DIR_LEVEL 0
-enum {
- GC_FAILURE_PIN,
- MAX_GC_FAILURE
-};
-
/* used for f2fs_inode_info->flags */
enum {
FI_NEW_INODE, /* indicate newly allocated inode */
@@ -814,9 +809,10 @@ struct f2fs_inode_info {
unsigned long i_flags; /* keep an inode flags for ioctl */
unsigned char i_advise; /* use to give file attribute hints */
unsigned char i_dir_level; /* use for dentry level for large dir */
- unsigned int i_current_depth; /* only for directory depth */
- /* for gc failure statistic */
- unsigned int i_gc_failures[MAX_GC_FAILURE];
+ union {
+ unsigned int i_current_depth; /* only for directory depth */
+ unsigned int i_gc_failures; /* for gc failure statistic */
+ };
unsigned int i_pino; /* parent inode number */
umode_t i_acl_mode; /* keep file acl mode temporarily */
@@ -3173,7 +3169,7 @@ static inline void f2fs_i_depth_write(st
static inline void f2fs_i_gc_failures_write(struct inode *inode,
unsigned int count)
{
- F2FS_I(inode)->i_gc_failures[GC_FAILURE_PIN] = count;
+ F2FS_I(inode)->i_gc_failures = count;
f2fs_mark_inode_dirty_sync(inode, true);
}
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -3329,13 +3329,11 @@ int f2fs_pin_file_control(struct inode *
/* Use i_gc_failures for normal file as a risk signal. */
if (inc)
- f2fs_i_gc_failures_write(inode,
- fi->i_gc_failures[GC_FAILURE_PIN] + 1);
+ f2fs_i_gc_failures_write(inode, fi->i_gc_failures + 1);
- if (fi->i_gc_failures[GC_FAILURE_PIN] > sbi->gc_pin_file_threshold) {
+ if (fi->i_gc_failures > sbi->gc_pin_file_threshold) {
f2fs_warn(sbi, "%s: Enable GC = ino %lx after %x GC trials",
- __func__, inode->i_ino,
- fi->i_gc_failures[GC_FAILURE_PIN]);
+ __func__, inode->i_ino, fi->i_gc_failures);
clear_inode_flag(inode, FI_PIN_FILE);
return -EAGAIN;
}
@@ -3404,7 +3402,7 @@ static int f2fs_ioc_set_pin_file(struct
}
set_inode_flag(inode, FI_PIN_FILE);
- ret = F2FS_I(inode)->i_gc_failures[GC_FAILURE_PIN];
+ ret = F2FS_I(inode)->i_gc_failures;
done:
f2fs_update_time(sbi, REQ_TIME);
out:
@@ -3419,7 +3417,7 @@ static int f2fs_ioc_get_pin_file(struct
__u32 pin = 0;
if (is_inode_flag_set(inode, FI_PIN_FILE))
- pin = F2FS_I(inode)->i_gc_failures[GC_FAILURE_PIN];
+ pin = F2FS_I(inode)->i_gc_failures;
return put_user(pin, (u32 __user *)arg);
}
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -428,8 +428,7 @@ static int do_read_inode(struct inode *i
if (S_ISDIR(inode->i_mode))
fi->i_current_depth = le32_to_cpu(ri->i_current_depth);
else if (S_ISREG(inode->i_mode))
- fi->i_gc_failures[GC_FAILURE_PIN] =
- le16_to_cpu(ri->i_gc_failures);
+ fi->i_gc_failures = le16_to_cpu(ri->i_gc_failures);
fi->i_xattr_nid = le32_to_cpu(ri->i_xattr_nid);
fi->i_flags = le32_to_cpu(ri->i_flags);
if (S_ISREG(inode->i_mode))
@@ -691,8 +690,7 @@ void f2fs_update_inode(struct inode *ino
ri->i_current_depth =
cpu_to_le32(F2FS_I(inode)->i_current_depth);
else if (S_ISREG(inode->i_mode))
- ri->i_gc_failures =
- cpu_to_le16(F2FS_I(inode)->i_gc_failures[GC_FAILURE_PIN]);
+ ri->i_gc_failures = cpu_to_le16(F2FS_I(inode)->i_gc_failures);
ri->i_xattr_nid = cpu_to_le32(F2FS_I(inode)->i_xattr_nid);
ri->i_flags = cpu_to_le32(F2FS_I(inode)->i_flags);
ri->i_pino = cpu_to_le32(F2FS_I(inode)->i_pino);
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -330,8 +330,7 @@ static int recover_inode(struct inode *i
F2FS_I(inode)->i_advise = raw->i_advise;
F2FS_I(inode)->i_flags = le32_to_cpu(raw->i_flags);
f2fs_set_inode_flags(inode);
- F2FS_I(inode)->i_gc_failures[GC_FAILURE_PIN] =
- le16_to_cpu(raw->i_gc_failures);
+ F2FS_I(inode)->i_gc_failures = le16_to_cpu(raw->i_gc_failures);
recover_inline_flags(inode, raw);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 685/737] f2fs: keep POSIX_FADV_NOREUSE ranges
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (683 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 684/737] f2fs: remove unused GC_FAILURE_PIN Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 686/737] f2fs: drop inode from the donation list when the last file is closed Greg Kroah-Hartman
` (62 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
[ Upstream commit ef0c333cad8d1940f132a7ce15f15920216a3bd5 ]
This patch records POSIX_FADV_NOREUSE ranges for users to reclaim the caches
instantly off from LRU.
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 10b591e7fb7c ("f2fs: fix to avoid updating compression context during writeback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/debug.c | 3 ++
fs/f2fs/f2fs.h | 12 ++++++++++-
fs/f2fs/file.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
fs/f2fs/inode.c | 14 +++++++++++++
fs/f2fs/super.c | 1
5 files changed, 84 insertions(+), 6 deletions(-)
--- a/fs/f2fs/debug.c
+++ b/fs/f2fs/debug.c
@@ -100,6 +100,7 @@ static void update_general_status(struct
si->ndirty_imeta = get_pages(sbi, F2FS_DIRTY_IMETA);
si->ndirty_dirs = sbi->ndirty_inode[DIR_INODE];
si->ndirty_files = sbi->ndirty_inode[FILE_INODE];
+ si->ndonate_files = sbi->donate_files;
si->nquota_files = sbi->nquota_files;
si->ndirty_all = sbi->ndirty_inode[DIRTY_META];
si->aw_cnt = atomic_read(&sbi->atomic_files);
@@ -436,6 +437,8 @@ static int stat_show(struct seq_file *s,
si->compr_inode, si->compr_blocks);
seq_printf(s, " - Swapfile Inode: %u\n",
si->swapfile_inode);
+ seq_printf(s, " - Donate Inode: %u\n",
+ si->ndonate_files);
seq_printf(s, " - Orphan/Append/Update Inode: %u, %u, %u\n",
si->orphans, si->append, si->update);
seq_printf(s, "\nMain area: %d segs, %d secs %d zones\n",
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -837,6 +837,11 @@ struct f2fs_inode_info {
#endif
struct list_head dirty_list; /* dirty list for dirs and files */
struct list_head gdirty_list; /* linked in global dirty list */
+
+ /* linked in global inode list for cache donation */
+ struct list_head gdonate_list;
+ pgoff_t donate_start, donate_end; /* inclusive */
+
struct task_struct *atomic_write_task; /* store atomic write task */
struct extent_tree *extent_tree[NR_EXTENT_CACHES];
/* cached extent_tree entry */
@@ -1261,6 +1266,7 @@ enum inode_type {
DIR_INODE, /* for dirty dir inode */
FILE_INODE, /* for dirty regular/symlink inode */
DIRTY_META, /* for all dirtied inode metadata */
+ DONATE_INODE, /* for all inode to donate pages */
NR_INODE_TYPE,
};
@@ -1613,6 +1619,9 @@ struct f2fs_sb_info {
unsigned int warm_data_age_threshold;
unsigned int last_age_weight;
+ /* control donate caches */
+ unsigned int donate_files;
+
/* basic filesystem units */
unsigned int log_sectors_per_block; /* log2 sectors per block */
unsigned int log_blocksize; /* log2 block size */
@@ -3948,7 +3957,8 @@ struct f2fs_stat_info {
unsigned long long allocated_data_blocks;
int ndirty_node, ndirty_dent, ndirty_meta, ndirty_imeta;
int ndirty_data, ndirty_qdata;
- unsigned int ndirty_dirs, ndirty_files, nquota_files, ndirty_all;
+ unsigned int ndirty_dirs, ndirty_files, ndirty_all;
+ unsigned int nquota_files, ndonate_files;
int nats, dirty_nats, sits, dirty_sits;
int free_nids, avail_nids, alloc_nids;
int total_count, utilization;
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2435,6 +2435,52 @@ static int f2fs_ioc_shutdown(struct file
return ret;
}
+static void f2fs_keep_noreuse_range(struct inode *inode,
+ loff_t offset, loff_t len)
+{
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ u64 max_bytes = F2FS_BLK_TO_BYTES(max_file_blocks(inode));
+ u64 start, end;
+
+ if (!S_ISREG(inode->i_mode))
+ return;
+
+ if (offset >= max_bytes || len > max_bytes ||
+ (offset + len) > max_bytes)
+ return;
+
+ start = offset >> PAGE_SHIFT;
+ end = DIV_ROUND_UP(offset + len, PAGE_SIZE);
+
+ inode_lock(inode);
+ if (f2fs_is_atomic_file(inode)) {
+ inode_unlock(inode);
+ return;
+ }
+
+ spin_lock(&sbi->inode_lock[DONATE_INODE]);
+ /* let's remove the range, if len = 0 */
+ if (!len) {
+ if (!list_empty(&F2FS_I(inode)->gdonate_list)) {
+ list_del_init(&F2FS_I(inode)->gdonate_list);
+ sbi->donate_files--;
+ }
+ } else {
+ if (list_empty(&F2FS_I(inode)->gdonate_list)) {
+ list_add_tail(&F2FS_I(inode)->gdonate_list,
+ &sbi->inode_list[DONATE_INODE]);
+ sbi->donate_files++;
+ } else {
+ list_move_tail(&F2FS_I(inode)->gdonate_list,
+ &sbi->inode_list[DONATE_INODE]);
+ }
+ F2FS_I(inode)->donate_start = start;
+ F2FS_I(inode)->donate_end = end - 1;
+ }
+ spin_unlock(&sbi->inode_lock[DONATE_INODE]);
+ inode_unlock(inode);
+}
+
static int f2fs_ioc_fitrim(struct file *filp, unsigned long arg)
{
struct inode *inode = file_inode(filp);
@@ -5078,12 +5124,16 @@ static int f2fs_file_fadvise(struct file
}
err = generic_fadvise(filp, offset, len, advice);
- if (!err && advice == POSIX_FADV_DONTNEED &&
- test_opt(F2FS_I_SB(inode), COMPRESS_CACHE) &&
- f2fs_compressed_file(inode))
- f2fs_invalidate_compress_pages(F2FS_I_SB(inode), inode->i_ino);
+ if (err)
+ return err;
- return err;
+ if (advice == POSIX_FADV_DONTNEED &&
+ (test_opt(F2FS_I_SB(inode), COMPRESS_CACHE) &&
+ f2fs_compressed_file(inode)))
+ f2fs_invalidate_compress_pages(F2FS_I_SB(inode), inode->i_ino);
+ else if (advice == POSIX_FADV_NOREUSE)
+ f2fs_keep_noreuse_range(inode, offset, len);
+ return 0;
}
#ifdef CONFIG_COMPAT
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -811,6 +811,19 @@ int f2fs_write_inode(struct inode *inode
return 0;
}
+static void f2fs_remove_donate_inode(struct inode *inode)
+{
+ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+
+ if (list_empty(&F2FS_I(inode)->gdonate_list))
+ return;
+
+ spin_lock(&sbi->inode_lock[DONATE_INODE]);
+ list_del_init(&F2FS_I(inode)->gdonate_list);
+ sbi->donate_files--;
+ spin_unlock(&sbi->inode_lock[DONATE_INODE]);
+}
+
/*
* Called at the last iput() if i_nlink is zero
*/
@@ -844,6 +857,7 @@ void f2fs_evict_inode(struct inode *inod
f2fs_bug_on(sbi, get_dirty_pages(inode));
f2fs_remove_dirty_inode(inode);
+ f2fs_remove_donate_inode(inode);
f2fs_destroy_extent_tree(inode);
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1413,6 +1413,7 @@ static struct inode *f2fs_alloc_inode(st
spin_lock_init(&fi->i_size_lock);
INIT_LIST_HEAD(&fi->dirty_list);
INIT_LIST_HEAD(&fi->gdirty_list);
+ INIT_LIST_HEAD(&fi->gdonate_list);
init_f2fs_rwsem(&fi->i_gc_rwsem[READ]);
init_f2fs_rwsem(&fi->i_gc_rwsem[WRITE]);
init_f2fs_rwsem(&fi->i_xattr_sem);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 686/737] f2fs: drop inode from the donation list when the last file is closed
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (684 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 685/737] f2fs: keep POSIX_FADV_NOREUSE ranges Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 687/737] f2fs: fix to avoid updating compression context during writeback Greg Kroah-Hartman
` (61 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaegeuk Kim <jaegeuk@kernel.org>
[ Upstream commit 078cad8212ce4f4ebbafcc0936475b8215e1ca2a ]
Let's drop the inode from the donation list when there is no other
open file.
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Stable-dep-of: 10b591e7fb7c ("f2fs: fix to avoid updating compression context during writeback")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 2 ++
fs/f2fs/file.c | 8 +++++++-
fs/f2fs/inode.c | 2 +-
fs/f2fs/super.c | 1 +
4 files changed, 11 insertions(+), 2 deletions(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -841,6 +841,7 @@ struct f2fs_inode_info {
/* linked in global inode list for cache donation */
struct list_head gdonate_list;
pgoff_t donate_start, donate_end; /* inclusive */
+ atomic_t open_count; /* # of open files */
struct task_struct *atomic_write_task; /* store atomic write task */
struct extent_tree *extent_tree[NR_EXTENT_CACHES];
@@ -3560,6 +3561,7 @@ int f2fs_try_to_free_nats(struct f2fs_sb
void f2fs_update_inode(struct inode *inode, struct page *node_page);
void f2fs_update_inode_page(struct inode *inode);
int f2fs_write_inode(struct inode *inode, struct writeback_control *wbc);
+void f2fs_remove_donate_inode(struct inode *inode);
void f2fs_evict_inode(struct inode *inode);
void f2fs_handle_failed_inode(struct inode *inode);
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -621,7 +621,10 @@ static int f2fs_file_open(struct inode *
if (err)
return err;
- return finish_preallocate_blocks(inode);
+ err = finish_preallocate_blocks(inode);
+ if (!err)
+ atomic_inc(&F2FS_I(inode)->open_count);
+ return err;
}
void f2fs_truncate_data_blocks_range(struct dnode_of_data *dn, int count)
@@ -1966,6 +1969,9 @@ out:
static int f2fs_release_file(struct inode *inode, struct file *filp)
{
+ if (atomic_dec_and_test(&F2FS_I(inode)->open_count))
+ f2fs_remove_donate_inode(inode);
+
/*
* f2fs_release_file is called at every close calls. So we should
* not drop any inmemory pages by close called by other process.
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -811,7 +811,7 @@ int f2fs_write_inode(struct inode *inode
return 0;
}
-static void f2fs_remove_donate_inode(struct inode *inode)
+void f2fs_remove_donate_inode(struct inode *inode)
{
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1409,6 +1409,7 @@ static struct inode *f2fs_alloc_inode(st
/* Initialize f2fs-specific inode info */
atomic_set(&fi->dirty_pages, 0);
atomic_set(&fi->i_compr_blocks, 0);
+ atomic_set(&fi->open_count, 0);
init_f2fs_rwsem(&fi->i_sem);
spin_lock_init(&fi->i_size_lock);
INIT_LIST_HEAD(&fi->dirty_list);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 687/737] f2fs: fix to avoid updating compression context during writeback
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (685 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 686/737] f2fs: drop inode from the donation list when the last file is closed Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 688/737] f2fs: fix to propagate error from f2fs_enable_checkpoint() Greg Kroah-Hartman
` (60 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Bai, Shuangpeng, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 10b591e7fb7cdc8c1e53e9c000dc0ef7069aaa76 ]
Bai, Shuangpeng <sjb7183@psu.edu> reported a bug as below:
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 11441 Comm: syz.0.46 Not tainted 6.17.0 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:f2fs_all_cluster_page_ready+0x106/0x550 fs/f2fs/compress.c:857
Call Trace:
<TASK>
f2fs_write_cache_pages fs/f2fs/data.c:3078 [inline]
__f2fs_write_data_pages fs/f2fs/data.c:3290 [inline]
f2fs_write_data_pages+0x1c19/0x3600 fs/f2fs/data.c:3317
do_writepages+0x38e/0x640 mm/page-writeback.c:2634
filemap_fdatawrite_wbc mm/filemap.c:386 [inline]
__filemap_fdatawrite_range mm/filemap.c:419 [inline]
file_write_and_wait_range+0x2ba/0x3e0 mm/filemap.c:794
f2fs_do_sync_file+0x6e6/0x1b00 fs/f2fs/file.c:294
generic_write_sync include/linux/fs.h:3043 [inline]
f2fs_file_write_iter+0x76e/0x2700 fs/f2fs/file.c:5259
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x7e9/0xe00 fs/read_write.c:686
ksys_write+0x19d/0x2d0 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf7/0x470 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The bug was triggered w/ below race condition:
fsync setattr ioctl
- f2fs_do_sync_file
- file_write_and_wait_range
- f2fs_write_cache_pages
: inode is non-compressed
: cc.cluster_size =
F2FS_I(inode)->i_cluster_size = 0
- tag_pages_for_writeback
- f2fs_setattr
- truncate_setsize
- f2fs_truncate
- f2fs_fileattr_set
- f2fs_setflags_common
- set_compress_context
: F2FS_I(inode)->i_cluster_size = 4
: set_inode_flag(inode, FI_COMPRESSED_FILE)
- f2fs_compressed_file
: return true
- f2fs_all_cluster_page_ready
: "pgidx % cc->cluster_size" trigger dividing 0 issue
Let's change as below to fix this issue:
- introduce a new atomic type variable .writeback in structure f2fs_inode_info
to track the number of threads which calling f2fs_write_cache_pages().
- use .i_sem lock to protect .writeback update.
- check .writeback before update compression context in f2fs_setflags_common()
to avoid race w/ ->writepages.
Fixes: 4c8ff7095bef ("f2fs: support data compression")
Cc: stable@kernel.org
Reported-by: Bai, Shuangpeng <sjb7183@psu.edu>
Tested-by: Bai, Shuangpeng <sjb7183@psu.edu>
Closes: https://lore.kernel.org/lkml/44D8F7B3-68AD-425F-9915-65D27591F93F@psu.edu
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/data.c | 17 +++++++++++++++++
fs/f2fs/f2fs.h | 3 ++-
fs/f2fs/file.c | 5 +++--
fs/f2fs/super.c | 1 +
4 files changed, 23 insertions(+), 3 deletions(-)
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -3233,6 +3233,19 @@ static inline bool __should_serialize_io
return false;
}
+static inline void account_writeback(struct inode *inode, bool inc)
+{
+ if (!f2fs_sb_has_compression(F2FS_I_SB(inode)))
+ return;
+
+ f2fs_down_read(&F2FS_I(inode)->i_sem);
+ if (inc)
+ atomic_inc(&F2FS_I(inode)->writeback);
+ else
+ atomic_dec(&F2FS_I(inode)->writeback);
+ f2fs_up_read(&F2FS_I(inode)->i_sem);
+}
+
static int __f2fs_write_data_pages(struct address_space *mapping,
struct writeback_control *wbc,
enum iostat_type io_type)
@@ -3282,10 +3295,14 @@ static int __f2fs_write_data_pages(struc
locked = true;
}
+ account_writeback(inode, true);
+
blk_start_plug(&plug);
ret = f2fs_write_cache_pages(mapping, wbc, io_type);
blk_finish_plug(&plug);
+ account_writeback(inode, false);
+
if (locked)
mutex_unlock(&sbi->writepages);
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -869,6 +869,7 @@ struct f2fs_inode_info {
unsigned char i_compress_level; /* compress level (lz4hc,zstd) */
unsigned char i_compress_flag; /* compress flag */
unsigned int i_cluster_size; /* cluster size */
+ atomic_t writeback; /* count # of writeback thread */
unsigned int atomic_write_cnt;
loff_t original_i_size; /* original i_size before atomic write */
@@ -4485,7 +4486,7 @@ static inline bool f2fs_disable_compress
f2fs_up_write(&F2FS_I(inode)->i_sem);
return true;
}
- if (f2fs_is_mmap_file(inode) ||
+ if (f2fs_is_mmap_file(inode) || atomic_read(&fi->writeback) ||
(S_ISREG(inode->i_mode) && F2FS_HAS_BLOCKS(inode))) {
f2fs_up_write(&F2FS_I(inode)->i_sem);
return false;
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -2045,8 +2045,9 @@ static int f2fs_setflags_common(struct i
f2fs_down_write(&F2FS_I(inode)->i_sem);
if (!f2fs_may_compress(inode) ||
- (S_ISREG(inode->i_mode) &&
- F2FS_HAS_BLOCKS(inode))) {
+ atomic_read(&fi->writeback) ||
+ (S_ISREG(inode->i_mode) &&
+ F2FS_HAS_BLOCKS(inode))) {
f2fs_up_write(&F2FS_I(inode)->i_sem);
return -EINVAL;
}
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1410,6 +1410,7 @@ static struct inode *f2fs_alloc_inode(st
atomic_set(&fi->dirty_pages, 0);
atomic_set(&fi->i_compr_blocks, 0);
atomic_set(&fi->open_count, 0);
+ atomic_set(&fi->writeback, 0);
init_f2fs_rwsem(&fi->i_sem);
spin_lock_init(&fi->i_size_lock);
INIT_LIST_HEAD(&fi->dirty_list);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 688/737] f2fs: fix to propagate error from f2fs_enable_checkpoint()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (686 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 687/737] f2fs: fix to avoid updating compression context during writeback Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 689/737] f2fs: use global inline_xattr_slab instead of per-sb slab cache Greg Kroah-Hartman
` (59 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit be112e7449a6e1b54aa9feac618825d154b3a5c7 ]
In order to let userspace detect such error rather than suffering
silent failure.
Fixes: 4354994f097d ("f2fs: checkpoint disabling")
Cc: stable@kernel.org
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ Adjust context, no rollback ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2267,9 +2267,10 @@ restore_flag:
return err;
}
-static void f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
+static int f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
{
int retry = DEFAULT_RETRY_IO_COUNT;
+ int ret;
/* we should flush all the data to keep data consistency */
do {
@@ -2287,10 +2288,14 @@ static void f2fs_enable_checkpoint(struc
set_sbi_flag(sbi, SBI_IS_DIRTY);
f2fs_up_write(&sbi->gc_lock);
- f2fs_sync_fs(sbi->sb, 1);
+ ret = f2fs_sync_fs(sbi->sb, 1);
+ if (ret)
+ f2fs_err(sbi, "%s sync_fs failed, ret: %d", __func__, ret);
/* Let's ensure there's no pending checkpoint anymore */
f2fs_flush_ckpt_thread(sbi);
+
+ return ret;
}
static int f2fs_remount(struct super_block *sb, int *flags, char *data)
@@ -2511,7 +2516,9 @@ static int f2fs_remount(struct super_blo
if (err)
goto restore_discard;
} else {
- f2fs_enable_checkpoint(sbi);
+ err = f2fs_enable_checkpoint(sbi);
+ if (err)
+ goto restore_discard;
}
}
@@ -4689,13 +4696,12 @@ reset_checkpoint:
/* f2fs_recover_fsync_data() cleared this already */
clear_sbi_flag(sbi, SBI_POR_DOING);
- if (test_opt(sbi, DISABLE_CHECKPOINT)) {
+ if (test_opt(sbi, DISABLE_CHECKPOINT))
err = f2fs_disable_checkpoint(sbi);
- if (err)
- goto sync_free_meta;
- } else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG)) {
- f2fs_enable_checkpoint(sbi);
- }
+ else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG))
+ err = f2fs_enable_checkpoint(sbi);
+ if (err)
+ goto sync_free_meta;
/*
* If filesystem is not mounted as read-only then
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 689/737] f2fs: use global inline_xattr_slab instead of per-sb slab cache
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (687 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 688/737] f2fs: fix to propagate error from f2fs_enable_checkpoint() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 690/737] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Greg Kroah-Hartman
` (58 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Hong Yun, Chao Yu,
Jaegeuk Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 ]
As Hong Yun reported in mailing list:
loop7: detected capacity change from 0 to 131072
------------[ cut here ]------------
kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
Call Trace:
__kmem_cache_create include/linux/slab.h:353 [inline]
f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]
f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843
f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918
get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692
vfs_get_tree+0x43/0x140 fs/super.c:1815
do_new_mount+0x201/0x550 fs/namespace.c:3808
do_mount fs/namespace.c:4136 [inline]
__do_sys_mount fs/namespace.c:4347 [inline]
__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug can be reproduced w/ below scripts:
- mount /dev/vdb /mnt1
- mount /dev/vdc /mnt2
- umount /mnt1
- mounnt /dev/vdb /mnt1
The reason is if we created two slab caches, named f2fs_xattr_entry-7:3
and f2fs_xattr_entry-7:7, and they have the same slab size. Actually,
slab system will only create one slab cache core structure which has
slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same
structure and cache address.
So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will
decrease reference count of slab cache, rather than release slab cache
entirely, since there is one more user has referenced the cache.
Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again,
slab system will find that there is existed cache which has the same name
and trigger the warning.
Let's changes to use global inline_xattr_slab instead of per-sb slab cache
for fixing.
Fixes: a999150f4fe3 ("f2fs: use kmem_cache pool during inline xattr lookups")
Cc: stable@kernel.org
Reported-by: Hong Yun <yhong@link.cuhk.edu.hk>
Tested-by: Hong Yun <yhong@link.cuhk.edu.hk>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 3 ---
fs/f2fs/super.c | 17 ++++++++---------
fs/f2fs/xattr.c | 30 ++++++++++--------------------
fs/f2fs/xattr.h | 10 ++++++----
4 files changed, 24 insertions(+), 36 deletions(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1778,9 +1778,6 @@ struct f2fs_sb_info {
spinlock_t error_lock; /* protect errors/stop_reason array */
bool error_dirty; /* errors of sb is dirty */
- struct kmem_cache *inline_xattr_slab; /* inline xattr entry */
- unsigned int inline_xattr_slab_size; /* default inline xattr slab size */
-
/* For reclaimed segs statistics per each GC mode */
unsigned int gc_segment_mode; /* GC state for reclaimed segments */
unsigned int gc_reclaimed_segs[MAX_GC_MODE]; /* Reclaimed segs for each mode */
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1683,7 +1683,6 @@ static void f2fs_put_super(struct super_
destroy_device_list(sbi);
f2fs_destroy_page_array_cache(sbi);
- f2fs_destroy_xattr_caches(sbi);
#ifdef CONFIG_QUOTA
for (i = 0; i < MAXQUOTAS; i++)
kfree(F2FS_OPTION(sbi).s_qf_names[i]);
@@ -4464,13 +4463,9 @@ try_onemore:
if (err)
goto free_iostat;
- /* init per sbi slab cache */
- err = f2fs_init_xattr_caches(sbi);
- if (err)
- goto free_percpu;
err = f2fs_init_page_array_cache(sbi);
if (err)
- goto free_xattr_cache;
+ goto free_percpu;
/* get an inode for meta space */
sbi->meta_inode = f2fs_iget(sb, F2FS_META_INO(sbi));
@@ -4787,8 +4782,6 @@ free_meta_inode:
sbi->meta_inode = NULL;
free_page_array_cache:
f2fs_destroy_page_array_cache(sbi);
-free_xattr_cache:
- f2fs_destroy_xattr_caches(sbi);
free_percpu:
destroy_percpu_info(sbi);
free_iostat:
@@ -4949,10 +4942,15 @@ static int __init init_f2fs_fs(void)
err = f2fs_create_casefold_cache();
if (err)
goto free_compress_cache;
- err = register_filesystem(&f2fs_fs_type);
+ err = f2fs_init_xattr_cache();
if (err)
goto free_casefold_cache;
+ err = register_filesystem(&f2fs_fs_type);
+ if (err)
+ goto free_xattr_cache;
return 0;
+free_xattr_cache:
+ f2fs_destroy_xattr_cache();
free_casefold_cache:
f2fs_destroy_casefold_cache();
free_compress_cache:
@@ -4993,6 +4991,7 @@ fail:
static void __exit exit_f2fs_fs(void)
{
unregister_filesystem(&f2fs_fs_type);
+ f2fs_destroy_xattr_cache();
f2fs_destroy_casefold_cache();
f2fs_destroy_compress_cache();
f2fs_destroy_compress_mempool();
--- a/fs/f2fs/xattr.c
+++ b/fs/f2fs/xattr.c
@@ -23,11 +23,12 @@
#include "xattr.h"
#include "segment.h"
+static struct kmem_cache *inline_xattr_slab;
static void *xattr_alloc(struct f2fs_sb_info *sbi, int size, bool *is_inline)
{
- if (likely(size == sbi->inline_xattr_slab_size)) {
+ if (likely(size == DEFAULT_XATTR_SLAB_SIZE)) {
*is_inline = true;
- return f2fs_kmem_cache_alloc(sbi->inline_xattr_slab,
+ return f2fs_kmem_cache_alloc(inline_xattr_slab,
GFP_F2FS_ZERO, false, sbi);
}
*is_inline = false;
@@ -38,7 +39,7 @@ static void xattr_free(struct f2fs_sb_in
bool is_inline)
{
if (is_inline)
- kmem_cache_free(sbi->inline_xattr_slab, xattr_addr);
+ kmem_cache_free(inline_xattr_slab, xattr_addr);
else
kfree(xattr_addr);
}
@@ -830,25 +831,14 @@ int f2fs_setxattr(struct inode *inode, i
return err;
}
-int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi)
+int __init f2fs_init_xattr_cache(void)
{
- dev_t dev = sbi->sb->s_bdev->bd_dev;
- char slab_name[32];
-
- sprintf(slab_name, "f2fs_xattr_entry-%u:%u", MAJOR(dev), MINOR(dev));
-
- sbi->inline_xattr_slab_size = F2FS_OPTION(sbi).inline_xattr_size *
- sizeof(__le32) + XATTR_PADDING_SIZE;
-
- sbi->inline_xattr_slab = f2fs_kmem_cache_create(slab_name,
- sbi->inline_xattr_slab_size);
- if (!sbi->inline_xattr_slab)
- return -ENOMEM;
-
- return 0;
+ inline_xattr_slab = f2fs_kmem_cache_create("f2fs_xattr_entry",
+ DEFAULT_XATTR_SLAB_SIZE);
+ return inline_xattr_slab ? 0 : -ENOMEM;
}
-void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi)
+void f2fs_destroy_xattr_cache(void)
{
- kmem_cache_destroy(sbi->inline_xattr_slab);
+ kmem_cache_destroy(inline_xattr_slab);
}
--- a/fs/f2fs/xattr.h
+++ b/fs/f2fs/xattr.h
@@ -89,6 +89,8 @@ struct f2fs_xattr_entry {
F2FS_TOTAL_EXTRA_ATTR_SIZE / sizeof(__le32) - \
DEF_INLINE_RESERVED_SIZE - \
MIN_INLINE_DENTRY_SIZE / sizeof(__le32))
+#define DEFAULT_XATTR_SLAB_SIZE (DEFAULT_INLINE_XATTR_ADDRS * \
+ sizeof(__le32) + XATTR_PADDING_SIZE)
/*
* On-disk structure of f2fs_xattr
@@ -132,8 +134,8 @@ extern int f2fs_setxattr(struct inode *,
extern int f2fs_getxattr(struct inode *, int, const char *, void *,
size_t, struct page *);
extern ssize_t f2fs_listxattr(struct dentry *, char *, size_t);
-extern int f2fs_init_xattr_caches(struct f2fs_sb_info *);
-extern void f2fs_destroy_xattr_caches(struct f2fs_sb_info *);
+extern int __init f2fs_init_xattr_cache(void);
+extern void f2fs_destroy_xattr_cache(void);
#else
#define f2fs_xattr_handlers NULL
@@ -150,8 +152,8 @@ static inline int f2fs_getxattr(struct i
{
return -EOPNOTSUPP;
}
-static inline int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi) { return 0; }
-static inline void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi) { }
+static inline int __init f2fs_init_xattr_cache(void) { return 0; }
+static inline void f2fs_destroy_xattr_cache(void) { }
#endif
#ifdef CONFIG_F2FS_FS_SECURITY
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 690/737] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (688 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 689/737] f2fs: use global inline_xattr_slab instead of per-sb slab cache Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 691/737] media: verisilicon: Store chroma and motion vectors offset Greg Kroah-Hartman
` (57 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Chao Yu, Jaegeuk Kim,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 68d05693f8c031257a0822464366e1c2a239a512 ]
mkfs.f2fs -f /dev/vdd
mount /dev/vdd /mnt/f2fs
touch /mnt/f2fs/foo
sync # avoid CP_UMOUNT_FLAG in last f2fs_checkpoint.ckpt_flags
touch /mnt/f2fs/bar
f2fs_io fsync /mnt/f2fs/bar
f2fs_io shutdown 2 /mnt/f2fs
umount /mnt/f2fs
blockdev --setro /dev/vdd
mount /dev/vdd /mnt/f2fs
mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only.
For the case if we create and fsync a new inode before sudden power-cut,
without norecovery or disable_roll_forward mount option, the following
mount will succeed w/o recovering last fsynced inode.
The problem here is that we only check inode_list list after
find_fsync_dnodes() in f2fs_recover_fsync_data() to find out whether
there is recoverable data in the iamge, but there is a missed case, if
last fsynced inode is not existing in last checkpoint, then, we will
fail to get its inode due to nat of inode node is not existing in last
checkpoint, so the inode won't be linked in inode_list.
Let's detect such case in dyrun mode to fix this issue.
After this change, mount will fail as expected below:
mount: /mnt/f2fs: cannot mount /dev/vdd read-only.
dmesg(1) may have more information after failed mount system call.
demsg:
F2FS-fs (vdd): Need to recover fsync data, but write access unavailable, please try mount w/ disable_roll_forward or norecovery
Cc: stable@kernel.org
Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/recovery.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -404,7 +404,7 @@ static int sanity_check_node_chain(struc
}
static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head,
- bool check_only)
+ bool check_only, bool *new_inode)
{
struct curseg_info *curseg;
struct page *page = NULL;
@@ -451,16 +451,19 @@ static int find_fsync_dnodes(struct f2fs
quota_inode = true;
}
- /*
- * CP | dnode(F) | inode(DF)
- * For this case, we should not give up now.
- */
entry = add_fsync_inode(sbi, head, ino_of_node(page),
quota_inode);
if (IS_ERR(entry)) {
err = PTR_ERR(entry);
- if (err == -ENOENT)
+ /*
+ * CP | dnode(F) | inode(DF)
+ * For this case, we should not give up now.
+ */
+ if (err == -ENOENT) {
+ if (check_only)
+ *new_inode = true;
goto next;
+ }
f2fs_put_page(page, 1);
break;
}
@@ -863,6 +866,7 @@ int f2fs_recover_fsync_data(struct f2fs_
unsigned long s_flags = sbi->sb->s_flags;
bool need_writecp = false;
bool fix_curseg_write_pointer = false;
+ bool new_inode = false;
if (is_sbi_flag_set(sbi, SBI_IS_WRITABLE))
f2fs_info(sbi, "recover fsync data on readonly fs");
@@ -875,8 +879,8 @@ int f2fs_recover_fsync_data(struct f2fs_
f2fs_down_write(&sbi->cp_global_sem);
/* step #1: find fsynced inode numbers */
- err = find_fsync_dnodes(sbi, &inode_list, check_only);
- if (err || list_empty(&inode_list))
+ err = find_fsync_dnodes(sbi, &inode_list, check_only, &new_inode);
+ if (err < 0 || (list_empty(&inode_list) && (!check_only || !new_inode)))
goto skip;
if (check_only) {
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 691/737] media: verisilicon: Store chroma and motion vectors offset
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (689 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 690/737] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 692/737] media: verisilicon: g2: Use common helpers to compute chroma and mv offsets Greg Kroah-Hartman
` (56 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Gaignard,
Andrzej Pietrasiewicz, Ezequiel Garcia, Philipp Zabel,
Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
[ Upstream commit 545bf944f978b7468d3a6bd668d9ff6953bc542e ]
Store computed values of chroma and motion vectors offset because
they depends on width and height values which change if the resolution
change.
Signed-off-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
CC: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
CC: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Stable-dep-of: 19c286b75507 ("media: verisilicon: Fix CPU stalls on G2 bus error")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/verisilicon/hantro.h | 2 ++
drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c | 6 ++++--
2 files changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/verisilicon/hantro.h
+++ b/drivers/media/platform/verisilicon/hantro.h
@@ -328,6 +328,8 @@ struct hantro_vp9_decoded_buffer_info {
/* Info needed when the decoded frame serves as a reference frame. */
unsigned short width;
unsigned short height;
+ size_t chroma_offset;
+ size_t mv_offset;
u32 bit_depth : 4;
};
--- a/drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c
+++ b/drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c
@@ -158,9 +158,11 @@ static void config_output(struct hantro_
chroma_addr = luma_addr + chroma_offset(ctx, dec_params);
hantro_write_addr(ctx->dev, G2_OUT_CHROMA_ADDR, chroma_addr);
+ dst->vp9.chroma_offset = chroma_offset(ctx, dec_params);
mv_addr = luma_addr + mv_offset(ctx, dec_params);
hantro_write_addr(ctx->dev, G2_OUT_MV_ADDR, mv_addr);
+ dst->vp9.mv_offset = mv_offset(ctx, dec_params);
}
struct hantro_vp9_ref_reg {
@@ -195,7 +197,7 @@ static void config_ref(struct hantro_ctx
luma_addr = hantro_get_dec_buf_addr(ctx, &buf->base.vb.vb2_buf);
hantro_write_addr(ctx->dev, ref_reg->y_base, luma_addr);
- chroma_addr = luma_addr + chroma_offset(ctx, dec_params);
+ chroma_addr = luma_addr + buf->vp9.chroma_offset;
hantro_write_addr(ctx->dev, ref_reg->c_base, chroma_addr);
}
@@ -238,7 +240,7 @@ static void config_ref_registers(struct
config_ref(ctx, dst, &ref_regs[2], dec_params, dec_params->alt_frame_ts);
mv_addr = hantro_get_dec_buf_addr(ctx, &mv_ref->base.vb.vb2_buf) +
- mv_offset(ctx, dec_params);
+ mv_ref->vp9.mv_offset;
hantro_write_addr(ctx->dev, G2_REF_MV_ADDR(0), mv_addr);
hantro_reg_write(ctx->dev, &vp9_last_sign_bias,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 692/737] media: verisilicon: g2: Use common helpers to compute chroma and mv offsets
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (690 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 691/737] media: verisilicon: Store chroma and motion vectors offset Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 693/737] media: verisilicon: Fix CPU stalls on G2 bus error Greg Kroah-Hartman
` (55 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Gaignard,
Andrzej Pietrasiewicz, Ezequiel Garcia, Philipp Zabel,
Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
[ Upstream commit 3eeaee737dcee3c32e256870dbc2687a2a6fe970 ]
HEVC and VP9 are running on the same hardware and share the same
chroma and motion vectors offset constraint.
Create common helpers functions for these computation.
Source and destination buffer height may not be the same because
alignment constraint are different so use destination height to
compute chroma offset because we target this buffer as hardware
output.
To be able to use the helpers in both VP9 HEVC code remove dec_params
and use context->bit_depth instead.
Signed-off-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
CC: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
CC: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Stable-dep-of: 19c286b75507 ("media: verisilicon: Fix CPU stalls on G2 bus error")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/verisilicon/hantro_g2.c | 14 ++++++++
drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 18 +----------
drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c | 26 ++--------------
drivers/media/platform/verisilicon/hantro_hw.h | 3 +
4 files changed, 23 insertions(+), 38 deletions(-)
--- a/drivers/media/platform/verisilicon/hantro_g2.c
+++ b/drivers/media/platform/verisilicon/hantro_g2.c
@@ -8,6 +8,8 @@
#include "hantro_hw.h"
#include "hantro_g2_regs.h"
+#define G2_ALIGN 16
+
void hantro_g2_check_idle(struct hantro_dev *vpu)
{
int i;
@@ -42,3 +44,15 @@ irqreturn_t hantro_g2_irq(int irq, void
return IRQ_HANDLED;
}
+
+size_t hantro_g2_chroma_offset(struct hantro_ctx *ctx)
+{
+ return ctx->dst_fmt.width * ctx->dst_fmt.height * ctx->bit_depth / 8;
+}
+
+size_t hantro_g2_motion_vectors_offset(struct hantro_ctx *ctx)
+{
+ size_t cr_offset = hantro_g2_chroma_offset(ctx);
+
+ return ALIGN((cr_offset * 3) / 2, G2_ALIGN);
+}
--- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
+++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
@@ -8,20 +8,6 @@
#include "hantro_hw.h"
#include "hantro_g2_regs.h"
-#define G2_ALIGN 16
-
-static size_t hantro_hevc_chroma_offset(struct hantro_ctx *ctx)
-{
- return ctx->dst_fmt.width * ctx->dst_fmt.height * ctx->bit_depth / 8;
-}
-
-static size_t hantro_hevc_motion_vectors_offset(struct hantro_ctx *ctx)
-{
- size_t cr_offset = hantro_hevc_chroma_offset(ctx);
-
- return ALIGN((cr_offset * 3) / 2, G2_ALIGN);
-}
-
static void prepare_tile_info_buffer(struct hantro_ctx *ctx)
{
struct hantro_dev *vpu = ctx->dev;
@@ -395,8 +381,8 @@ static int set_ref(struct hantro_ctx *ct
struct hantro_dev *vpu = ctx->dev;
struct vb2_v4l2_buffer *vb2_dst;
struct hantro_decoded_buffer *dst;
- size_t cr_offset = hantro_hevc_chroma_offset(ctx);
- size_t mv_offset = hantro_hevc_motion_vectors_offset(ctx);
+ size_t cr_offset = hantro_g2_chroma_offset(ctx);
+ size_t mv_offset = hantro_g2_motion_vectors_offset(ctx);
u32 max_ref_frames;
u16 dpb_longterm_e;
static const struct hantro_reg cur_poc[] = {
--- a/drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c
+++ b/drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c
@@ -16,8 +16,6 @@
#include "hantro_vp9.h"
#include "hantro_g2_regs.h"
-#define G2_ALIGN 16
-
enum hantro_ref_frames {
INTRA_FRAME = 0,
LAST_FRAME = 1,
@@ -90,22 +88,6 @@ static int start_prepare_run(struct hant
return 0;
}
-static size_t chroma_offset(const struct hantro_ctx *ctx,
- const struct v4l2_ctrl_vp9_frame *dec_params)
-{
- int bytes_per_pixel = dec_params->bit_depth == 8 ? 1 : 2;
-
- return ctx->src_fmt.width * ctx->src_fmt.height * bytes_per_pixel;
-}
-
-static size_t mv_offset(const struct hantro_ctx *ctx,
- const struct v4l2_ctrl_vp9_frame *dec_params)
-{
- size_t cr_offset = chroma_offset(ctx, dec_params);
-
- return ALIGN((cr_offset * 3) / 2, G2_ALIGN);
-}
-
static struct hantro_decoded_buffer *
get_ref_buf(struct hantro_ctx *ctx, struct vb2_v4l2_buffer *dst, u64 timestamp)
{
@@ -156,13 +138,13 @@ static void config_output(struct hantro_
luma_addr = hantro_get_dec_buf_addr(ctx, &dst->base.vb.vb2_buf);
hantro_write_addr(ctx->dev, G2_OUT_LUMA_ADDR, luma_addr);
- chroma_addr = luma_addr + chroma_offset(ctx, dec_params);
+ chroma_addr = luma_addr + hantro_g2_chroma_offset(ctx);
hantro_write_addr(ctx->dev, G2_OUT_CHROMA_ADDR, chroma_addr);
- dst->vp9.chroma_offset = chroma_offset(ctx, dec_params);
+ dst->vp9.chroma_offset = hantro_g2_chroma_offset(ctx);
- mv_addr = luma_addr + mv_offset(ctx, dec_params);
+ mv_addr = luma_addr + hantro_g2_motion_vectors_offset(ctx);
hantro_write_addr(ctx->dev, G2_OUT_MV_ADDR, mv_addr);
- dst->vp9.mv_offset = mv_offset(ctx, dec_params);
+ dst->vp9.mv_offset = hantro_g2_motion_vectors_offset(ctx);
}
struct hantro_vp9_ref_reg {
--- a/drivers/media/platform/verisilicon/hantro_hw.h
+++ b/drivers/media/platform/verisilicon/hantro_hw.h
@@ -519,6 +519,9 @@ hantro_av1_mv_size(unsigned int width, u
return ALIGN(num_sbs * 384, 16) * 2 + 512;
}
+size_t hantro_g2_chroma_offset(struct hantro_ctx *ctx);
+size_t hantro_g2_motion_vectors_offset(struct hantro_ctx *ctx);
+
int hantro_g1_mpeg2_dec_run(struct hantro_ctx *ctx);
int rockchip_vpu2_mpeg2_dec_run(struct hantro_ctx *ctx);
void hantro_mpeg2_dec_copy_qtable(u8 *qtable,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 693/737] media: verisilicon: Fix CPU stalls on G2 bus error
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (691 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 692/737] media: verisilicon: g2: Use common helpers to compute chroma and mv offsets Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 694/737] mm/balloon_compaction: we cannot have isolated pages in the balloon list Greg Kroah-Hartman
` (54 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Gaignard, Nicolas Dufresne,
Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
[ Upstream commit 19c286b755072a22a063052f530a6b1fac8a1f63 ]
In some seek stress tests, we are getting IRQ from the G2 decoder where
the dec_bus_int and the dec_e bits are high, meaning the decoder is
still running despite the error.
Fix this by reworking the IRQ handler to only finish the job once we
have reached completion and move the software reset to when our software
watchdog triggers.
This way, we let the hardware continue on errors when it did not self
reset and in worse case scenario the hardware timeout will
automatically stop it. The actual error will be fixed in a follow up
patch.
Fixes: 3385c514ecc5a ("media: hantro: Convert imx8m_vpu_g2_irq to helper")
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/verisilicon/hantro_g2.c | 84 ++++++++++++----
drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c | 2
drivers/media/platform/verisilicon/hantro_g2_regs.h | 13 ++
drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c | 2
drivers/media/platform/verisilicon/hantro_hw.h | 1
drivers/media/platform/verisilicon/imx8m_vpu_hw.c | 2
6 files changed, 83 insertions(+), 21 deletions(-)
--- a/drivers/media/platform/verisilicon/hantro_g2.c
+++ b/drivers/media/platform/verisilicon/hantro_g2.c
@@ -5,43 +5,93 @@
* Copyright (C) 2021 Collabora Ltd, Andrzej Pietrasiewicz <andrzej.p@collabora.com>
*/
+#include <linux/delay.h>
#include "hantro_hw.h"
#include "hantro_g2_regs.h"
#define G2_ALIGN 16
-void hantro_g2_check_idle(struct hantro_dev *vpu)
+static bool hantro_g2_active(struct hantro_ctx *ctx)
{
- int i;
+ struct hantro_dev *vpu = ctx->dev;
+ u32 status;
+
+ status = vdpu_read(vpu, G2_REG_INTERRUPT);
+
+ return (status & G2_REG_INTERRUPT_DEC_E);
+}
- for (i = 0; i < 3; i++) {
- u32 status;
+/**
+ * hantro_g2_reset:
+ * @ctx: the hantro context
+ *
+ * Emulates a reset using Hantro abort function. Failing this procedure would
+ * results in programming a running IP which leads to CPU hang.
+ *
+ * Using a hard reset procedure instead is prefferred.
+ */
+void hantro_g2_reset(struct hantro_ctx *ctx)
+{
+ struct hantro_dev *vpu = ctx->dev;
+ u32 status;
- /* Make sure the VPU is idle */
- status = vdpu_read(vpu, G2_REG_INTERRUPT);
- if (status & G2_REG_INTERRUPT_DEC_E) {
- dev_warn(vpu->dev, "device still running, aborting");
- status |= G2_REG_INTERRUPT_DEC_ABORT_E | G2_REG_INTERRUPT_DEC_IRQ_DIS;
- vdpu_write(vpu, status, G2_REG_INTERRUPT);
- }
+ status = vdpu_read(vpu, G2_REG_INTERRUPT);
+ if (status & G2_REG_INTERRUPT_DEC_E) {
+ dev_warn_ratelimited(vpu->dev, "device still running, aborting");
+ status |= G2_REG_INTERRUPT_DEC_ABORT_E | G2_REG_INTERRUPT_DEC_IRQ_DIS;
+ vdpu_write(vpu, status, G2_REG_INTERRUPT);
+
+ do {
+ mdelay(1);
+ } while (hantro_g2_active(ctx));
}
}
irqreturn_t hantro_g2_irq(int irq, void *dev_id)
{
struct hantro_dev *vpu = dev_id;
- enum vb2_buffer_state state;
u32 status;
status = vdpu_read(vpu, G2_REG_INTERRUPT);
- state = (status & G2_REG_INTERRUPT_DEC_RDY_INT) ?
- VB2_BUF_STATE_DONE : VB2_BUF_STATE_ERROR;
- vdpu_write(vpu, 0, G2_REG_INTERRUPT);
- vdpu_write(vpu, G2_REG_CONFIG_DEC_CLK_GATE_E, G2_REG_CONFIG);
+ if (!(status & G2_REG_INTERRUPT_DEC_IRQ))
+ return IRQ_NONE;
+
+ hantro_reg_write(vpu, &g2_dec_irq, 0);
+ hantro_reg_write(vpu, &g2_dec_int_stat, 0);
+ hantro_reg_write(vpu, &g2_clk_gate_e, 1);
+
+ if (status & G2_REG_INTERRUPT_DEC_RDY_INT) {
+ hantro_irq_done(vpu, VB2_BUF_STATE_DONE);
+ return IRQ_HANDLED;
+ }
+
+ if (status & G2_REG_INTERRUPT_DEC_ABORT_INT) {
+ /* disabled on abort, though lets be safe and handle it */
+ dev_warn_ratelimited(vpu->dev, "decode operation aborted.");
+ return IRQ_HANDLED;
+ }
+
+ if (status & G2_REG_INTERRUPT_DEC_LAST_SLICE_INT)
+ dev_warn_ratelimited(vpu->dev, "not all macroblocks were decoded.");
+
+ if (status & G2_REG_INTERRUPT_DEC_BUS_INT)
+ dev_warn_ratelimited(vpu->dev, "bus error detected.");
+
+ if (status & G2_REG_INTERRUPT_DEC_ERROR_INT)
+ dev_warn_ratelimited(vpu->dev, "decode error detected.");
- hantro_irq_done(vpu, state);
+ if (status & G2_REG_INTERRUPT_DEC_TIMEOUT)
+ dev_warn_ratelimited(vpu->dev, "frame decode timed out.");
+
+ /**
+ * If the decoding haven't stopped, let it continue. The hardware timeout
+ * will trigger if it is trully stuck.
+ */
+ if (status & G2_REG_INTERRUPT_DEC_E)
+ return IRQ_HANDLED;
+ hantro_irq_done(vpu, VB2_BUF_STATE_ERROR);
return IRQ_HANDLED;
}
--- a/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
+++ b/drivers/media/platform/verisilicon/hantro_g2_hevc_dec.c
@@ -578,8 +578,6 @@ int hantro_g2_hevc_dec_run(struct hantro
struct hantro_dev *vpu = ctx->dev;
int ret;
- hantro_g2_check_idle(vpu);
-
/* Prepare HEVC decoder context. */
ret = hantro_hevc_dec_prepare_run(ctx);
if (ret)
--- a/drivers/media/platform/verisilicon/hantro_g2_regs.h
+++ b/drivers/media/platform/verisilicon/hantro_g2_regs.h
@@ -22,7 +22,14 @@
#define G2_REG_VERSION G2_SWREG(0)
#define G2_REG_INTERRUPT G2_SWREG(1)
+#define G2_REG_INTERRUPT_DEC_LAST_SLICE_INT BIT(19)
+#define G2_REG_INTERRUPT_DEC_TIMEOUT BIT(18)
+#define G2_REG_INTERRUPT_DEC_ERROR_INT BIT(16)
+#define G2_REG_INTERRUPT_DEC_BUF_INT BIT(14)
+#define G2_REG_INTERRUPT_DEC_BUS_INT BIT(13)
#define G2_REG_INTERRUPT_DEC_RDY_INT BIT(12)
+#define G2_REG_INTERRUPT_DEC_ABORT_INT BIT(11)
+#define G2_REG_INTERRUPT_DEC_IRQ BIT(8)
#define G2_REG_INTERRUPT_DEC_ABORT_E BIT(5)
#define G2_REG_INTERRUPT_DEC_IRQ_DIS BIT(4)
#define G2_REG_INTERRUPT_DEC_E BIT(0)
@@ -35,6 +42,9 @@
#define BUS_WIDTH_128 2
#define BUS_WIDTH_256 3
+#define g2_dec_int_stat G2_DEC_REG(1, 11, 0xf)
+#define g2_dec_irq G2_DEC_REG(1, 8, 0x1)
+
#define g2_strm_swap G2_DEC_REG(2, 28, 0xf)
#define g2_strm_swap_old G2_DEC_REG(2, 27, 0x1f)
#define g2_pic_swap G2_DEC_REG(2, 22, 0x1f)
@@ -225,6 +235,9 @@
#define vp9_filt_level_seg5 G2_DEC_REG(19, 8, 0x3f)
#define vp9_quant_seg5 G2_DEC_REG(19, 0, 0xff)
+#define g2_timemout_override_e G2_DEC_REG(45, 31, 0x1)
+#define g2_timemout_cycles G2_DEC_REG(45, 0, 0x7fffffff)
+
#define hevc_cur_poc_00 G2_DEC_REG(46, 24, 0xff)
#define hevc_cur_poc_01 G2_DEC_REG(46, 16, 0xff)
#define hevc_cur_poc_02 G2_DEC_REG(46, 8, 0xff)
--- a/drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c
+++ b/drivers/media/platform/verisilicon/hantro_g2_vp9_dec.c
@@ -893,8 +893,6 @@ int hantro_g2_vp9_dec_run(struct hantro_
struct vb2_v4l2_buffer *dst;
int ret;
- hantro_g2_check_idle(ctx->dev);
-
ret = start_prepare_run(ctx, &decode_params);
if (ret) {
hantro_end_prepare_run(ctx);
--- a/drivers/media/platform/verisilicon/hantro_hw.h
+++ b/drivers/media/platform/verisilicon/hantro_hw.h
@@ -541,6 +541,7 @@ void hantro_g2_vp9_dec_done(struct hantr
int hantro_vp9_dec_init(struct hantro_ctx *ctx);
void hantro_vp9_dec_exit(struct hantro_ctx *ctx);
void hantro_g2_check_idle(struct hantro_dev *vpu);
+void hantro_g2_reset(struct hantro_ctx *ctx);
irqreturn_t hantro_g2_irq(int irq, void *dev_id);
#endif /* HANTRO_HW_H_ */
--- a/drivers/media/platform/verisilicon/imx8m_vpu_hw.c
+++ b/drivers/media/platform/verisilicon/imx8m_vpu_hw.c
@@ -312,11 +312,13 @@ static const struct hantro_codec_ops imx
static const struct hantro_codec_ops imx8mq_vpu_g2_codec_ops[] = {
[HANTRO_MODE_HEVC_DEC] = {
.run = hantro_g2_hevc_dec_run,
+ .reset = hantro_g2_reset,
.init = hantro_hevc_dec_init,
.exit = hantro_hevc_dec_exit,
},
[HANTRO_MODE_VP9_DEC] = {
.run = hantro_g2_vp9_dec_run,
+ .reset = hantro_g2_reset,
.done = hantro_g2_vp9_dec_done,
.init = hantro_vp9_dec_init,
.exit = hantro_vp9_dec_exit,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 694/737] mm/balloon_compaction: we cannot have isolated pages in the balloon list
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (692 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 693/737] media: verisilicon: Fix CPU stalls on G2 bus error Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 695/737] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() Greg Kroah-Hartman
` (53 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Zi Yan,
Lorenzo Stoakes, Alistair Popple, Al Viro, Arnd Bergmann,
Brendan Jackman, Byungchul Park, Chengming Zhou,
Christian Brauner, Christophe Leroy, Eugenio Pé rez,
Gregory Price, Huang, Ying, Jan Kara, Jason Gunthorpe, Jason Wang,
Jerrin Shaji George, Johannes Weiner, John Hubbard,
Jonathan Corbet, Joshua Hahn, Liam Howlett, Madhavan Srinivasan,
Mathew Brost, Matthew Wilcox (Oracle), Miaohe Lin,
Michael Ellerman, Michael S. Tsirkin, Michal Hocko, Mike Rapoport,
Minchan Kim, Naoya Horiguchi, Nicholas Piggin, Oscar Salvador,
Peter Xu, Qi Zheng, Rakie Kim, Rik van Riel, Sergey Senozhatsky,
Shakeel Butt, Suren Baghdasaryan, Vlastimil Babka, Xuan Zhuo,
xu xin, Harry Yoo, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit fb05f992b6bbb4702307d96f00703ee637b24dbf ]
Patch series "mm/migration: rework movable_ops page migration (part 1)",
v2.
In the future, as we decouple "struct page" from "struct folio", pages
that support "non-lru page migration" -- movable_ops page migration such
as memory balloons and zsmalloc -- will no longer be folios. They will
not have ->mapping, ->lru, and likely no refcount and no page lock. But
they will have a type and flags 🙂
This is the first part (other parts not written yet) of decoupling
movable_ops page migration from folio migration.
In this series, we get rid of the ->mapping usage, and start cleaning up
the code + separating it from folio migration.
Migration core will have to be further reworked to not treat movable_ops
pages like folios. This is the first step into that direction.
This patch (of 29):
The core will set PG_isolated only after mops->isolate_page() was called.
In case of the balloon, that is where we will remove it from the balloon
list. So we cannot have isolated pages in the balloon list.
Let's drop this unnecessary check.
Link: https://lkml.kernel.org/r/20250704102524.326966-2-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Chengming Zhou <chengming.zhou@linux.dev>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Eugenio Pé rez <eperezma@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Gregory Price <gourry@gourry.net>
Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Jerrin Shaji George <jerrin.shaji-george@broadcom.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mathew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: xu xin <xu.xin16@zte.com.cn>
Cc: Harry Yoo <harry.yoo@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/balloon_compaction.c | 6 ------
1 file changed, 6 deletions(-)
--- a/mm/balloon_compaction.c
+++ b/mm/balloon_compaction.c
@@ -93,12 +93,6 @@ size_t balloon_page_list_dequeue(struct
if (!trylock_page(page))
continue;
- if (IS_ENABLED(CONFIG_BALLOON_COMPACTION) &&
- PageIsolated(page)) {
- /* raced with isolation */
- unlock_page(page);
- continue;
- }
balloon_page_delete(page);
__count_vm_event(BALLOON_DEFLATE);
list_add(&page->lru, pages);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 695/737] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (693 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 694/737] mm/balloon_compaction: we cannot have isolated pages in the balloon list Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 696/737] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages Greg Kroah-Hartman
` (52 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Lorenzo Stoakes,
Alistair Popple, Al Viro, Arnd Bergmann, Brendan Jackman,
Byungchul Park, Chengming Zhou, Christian Brauner,
Christophe Leroy, Eugenio Pé rez, Gregory Price, Harry Yoo,
Huang, Ying, Jan Kara, Jason Gunthorpe, Jason Wang,
Jerrin Shaji George, Johannes Weiner, John Hubbard,
Jonathan Corbet, Joshua Hahn, Liam Howlett, Madhavan Srinivasan,
Mathew Brost, Matthew Wilcox (Oracle), Miaohe Lin,
Michael Ellerman, Michael S. Tsirkin, Michal Hocko, Mike Rapoport,
Minchan Kim, Naoya Horiguchi, Nicholas Piggin, Oscar Salvador,
Peter Xu, Qi Zheng, Rakie Kim, Rik van Riel, Sergey Senozhatsky,
Shakeel Butt, Suren Baghdasaryan, Vlastimil Babka, Xuan Zhuo,
xu xin, Zi Yan, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit 15504b1163007bbfbd9a63460d5c14737c16e96d ]
Let's move the removal of the page from the balloon list into the single
caller, to remove the dependency on the PG_isolated flag and clarify
locking requirements.
Note that for now, balloon_page_delete() was used on two paths:
(1) Removing a page from the balloon for deflation through
balloon_page_list_dequeue()
(2) Removing an isolated page from the balloon for migration in the
per-driver migration handlers. Isolated pages were already removed from
the balloon list during isolation.
So instead of relying on the flag, we can just distinguish both cases
directly and handle it accordingly in the caller.
We'll shuffle the operations a bit such that they logically make more
sense (e.g., remove from the list before clearing flags).
In balloon migration functions we can now move the balloon_page_finalize()
out of the balloon lock and perform the finalization just before dropping
the balloon reference.
Document that the page lock is currently required when modifying the
movability aspects of a page; hopefully we can soon decouple this from the
page lock.
Link: https://lkml.kernel.org/r/20250704102524.326966-3-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Chengming Zhou <chengming.zhou@linux.dev>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Eugenio Pé rez <eperezma@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Gregory Price <gourry@gourry.net>
Cc: Harry Yoo <harry.yoo@oracle.com>
Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Jerrin Shaji George <jerrin.shaji-george@broadcom.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mathew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: xu xin <xu.xin16@zte.com.cn>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/cmm.c | 2 -
drivers/misc/vmw_balloon.c | 3 --
drivers/virtio/virtio_balloon.c | 4 ---
include/linux/balloon_compaction.h | 43 +++++++++++++----------------------
mm/balloon_compaction.c | 3 +-
5 files changed, 21 insertions(+), 34 deletions(-)
--- a/arch/powerpc/platforms/pseries/cmm.c
+++ b/arch/powerpc/platforms/pseries/cmm.c
@@ -532,7 +532,6 @@ static int cmm_migratepage(struct balloo
spin_lock_irqsave(&b_dev_info->pages_lock, flags);
balloon_page_insert(b_dev_info, newpage);
- balloon_page_delete(page);
b_dev_info->isolated_pages--;
spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
@@ -542,6 +541,7 @@ static int cmm_migratepage(struct balloo
*/
plpar_page_set_active(page);
+ balloon_page_finalize(page);
/* balloon page list reference */
put_page(page);
--- a/drivers/misc/vmw_balloon.c
+++ b/drivers/misc/vmw_balloon.c
@@ -1789,8 +1789,7 @@ static int vmballoon_migratepage(struct
* @pages_lock . We keep holding @comm_lock since we will need it in a
* second.
*/
- balloon_page_delete(page);
-
+ balloon_page_finalize(page);
put_page(page);
/* Inflate */
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -789,15 +789,13 @@ static int virtballoon_migratepage(struc
tell_host(vb, vb->inflate_vq);
/* balloon's page migration 2nd step -- deflate "page" */
- spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
- balloon_page_delete(page);
- spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
set_page_pfns(vb, vb->pfns, page);
tell_host(vb, vb->deflate_vq);
mutex_unlock(&vb->balloon_lock);
+ balloon_page_finalize(page);
put_page(page); /* balloon reference */
return MIGRATEPAGE_SUCCESS;
--- a/include/linux/balloon_compaction.h
+++ b/include/linux/balloon_compaction.h
@@ -98,27 +98,6 @@ static inline void balloon_page_insert(s
}
/*
- * balloon_page_delete - delete a page from balloon's page list and clear
- * the page->private assignement accordingly.
- * @page : page to be released from balloon's page list
- *
- * Caller must ensure the page is locked and the spin_lock protecting balloon
- * pages list is held before deleting a page from the balloon device.
- */
-static inline void balloon_page_delete(struct page *page)
-{
- __ClearPageOffline(page);
- __ClearPageMovable(page);
- set_page_private(page, 0);
- /*
- * No touch page.lru field once @page has been isolated
- * because VM is using the field.
- */
- if (!PageIsolated(page))
- list_del(&page->lru);
-}
-
-/*
* balloon_page_device - get the b_dev_info descriptor for the balloon device
* that enqueues the given page.
*/
@@ -141,12 +120,6 @@ static inline void balloon_page_insert(s
list_add(&page->lru, &balloon->pages);
}
-static inline void balloon_page_delete(struct page *page)
-{
- __ClearPageOffline(page);
- list_del(&page->lru);
-}
-
static inline gfp_t balloon_mapping_gfp_mask(void)
{
return GFP_HIGHUSER;
@@ -155,6 +128,22 @@ static inline gfp_t balloon_mapping_gfp_
#endif /* CONFIG_BALLOON_COMPACTION */
/*
+ * balloon_page_finalize - prepare a balloon page that was removed from the
+ * balloon list for release to the page allocator
+ * @page: page to be released to the page allocator
+ *
+ * Caller must ensure that the page is locked.
+ */
+static inline void balloon_page_finalize(struct page *page)
+{
+ if (IS_ENABLED(CONFIG_BALLOON_COMPACTION)) {
+ __ClearPageMovable(page);
+ set_page_private(page, 0);
+ }
+ __ClearPageOffline(page);
+}
+
+/*
* balloon_page_push - insert a page into a page list.
* @head : pointer to list
* @page : page to be added
--- a/mm/balloon_compaction.c
+++ b/mm/balloon_compaction.c
@@ -93,7 +93,8 @@ size_t balloon_page_list_dequeue(struct
if (!trylock_page(page))
continue;
- balloon_page_delete(page);
+ list_del(&page->lru);
+ balloon_page_finalize(page);
__count_vm_event(BALLOON_DEFLATE);
list_add(&page->lru, pages);
unlock_page(page);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 696/737] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (694 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 695/737] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 697/737] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Greg Kroah-Hartman
` (51 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand,
Ritesh Harjani (IBM), Christophe Leroy, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit 0da2ba35c0d532ca0fe7af698b17d74c4d084b9a ]
Let's properly adjust BALLOON_MIGRATE like the other drivers.
Note that the INFLATE/DEFLATE events are triggered from the core when
enqueueing/dequeueing pages.
This was found by code inspection.
Link: https://lkml.kernel.org/r/20251021100606.148294-3-david@redhat.com
Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/cmm.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/powerpc/platforms/pseries/cmm.c
+++ b/arch/powerpc/platforms/pseries/cmm.c
@@ -532,6 +532,7 @@ static int cmm_migratepage(struct balloo
spin_lock_irqsave(&b_dev_info->pages_lock, flags);
balloon_page_insert(b_dev_info, newpage);
+ __count_vm_event(BALLOON_MIGRATE);
b_dev_info->isolated_pages--;
spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 697/737] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (695 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 696/737] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 698/737] media: amphion: Add a frame flush mode for decoder Greg Kroah-Hartman
` (50 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Gao, Dongli Zhang,
Sean Christopherson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dongli Zhang <dongli.zhang@oracle.com>
[ Upstream commit 29763138830916f46daaa50e83e7f4f907a3236b ]
If an APICv status updated was pended while L2 was active, immediately
refresh vmcs01's controls instead of pending KVM_REQ_APICV_UPDATE as
kvm_vcpu_update_apicv() only calls into vendor code if a change is
necessary.
E.g. if APICv is inhibited, and then activated while L2 is running:
kvm_vcpu_update_apicv()
|
-> __kvm_vcpu_update_apicv()
|
-> apic->apicv_active = true
|
-> vmx_refresh_apicv_exec_ctrl()
|
-> vmx->nested.update_vmcs01_apicv_status = true
|
-> return
Then L2 exits to L1:
__nested_vmx_vmexit()
|
-> kvm_make_request(KVM_REQ_APICV_UPDATE)
vcpu_enter_guest(): KVM_REQ_APICV_UPDATE
-> kvm_vcpu_update_apicv()
|
-> __kvm_vcpu_update_apicv()
|
-> return // because if (apic->apicv_active == activate)
Reported-by: Chao Gao <chao.gao@intel.com>
Closes: https://lore.kernel.org/all/aQ2jmnN8wUYVEawF@intel.com
Fixes: 7c69661e225c ("KVM: nVMX: Defer APICv updates while L2 is active until L1 is active")
Cc: stable@vger.kernel.org
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
[sean: write changelog]
Link: https://patch.msgid.link/20251205231913.441872-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ exported vmx_refresh_apicv_exec_ctrl() and added declaration in vmx.h ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/nested.c | 2 +-
arch/x86/kvm/vmx/vmx.c | 2 +-
arch/x86/kvm/vmx/vmx.h | 1 +
3 files changed, 3 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4908,7 +4908,7 @@ void nested_vmx_vmexit(struct kvm_vcpu *
if (vmx->nested.update_vmcs01_apicv_status) {
vmx->nested.update_vmcs01_apicv_status = false;
- kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu);
+ vmx_refresh_apicv_exec_ctrl(vcpu);
}
if (vmx->nested.update_vmcs01_hwapic_isr) {
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -4451,7 +4451,7 @@ static u32 vmx_vmexit_ctrl(void)
~(VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL | VM_EXIT_LOAD_IA32_EFER);
}
-static void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu)
+void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -395,6 +395,7 @@ void __vmx_set_segment(struct kvm_vcpu *
u64 construct_eptp(struct kvm_vcpu *vcpu, hpa_t root_hpa, int root_level);
bool vmx_guest_inject_ac(struct kvm_vcpu *vcpu);
+void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu);
void vmx_update_exception_bitmap(struct kvm_vcpu *vcpu);
bool vmx_nmi_blocked(struct kvm_vcpu *vcpu);
bool __vmx_interrupt_blocked(struct kvm_vcpu *vcpu);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 698/737] media: amphion: Add a frame flush mode for decoder
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (696 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 697/737] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 699/737] media: amphion: Make some vpu_v4l2 functions static Greg Kroah-Hartman
` (49 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Nicolas Dufresne,
Sebastian Fricke, Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
[ Upstream commit 9ea16ba6eaf93f25f61855751f71e2e701709ddf ]
By default the amphion decoder will pre-parse 3 frames before starting
to decode the first frame. Alternatively, a block of flush padding data
can be appended to the frame, which will ensure that the decoder can
start decoding immediately after parsing the flush padding data, thus
potentially reducing decoding latency.
This mode was previously only enabled, when the display delay was set to
0. Allow the user to manually toggle the use of that mode via a module
parameter called low_latency, which enables the mode without
changing the display order.
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Stable-dep-of: 634c2cd17bd0 ("media: amphion: Remove vpu_vb_is_codecconfig")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/amphion/vpu_malone.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/amphion/vpu_malone.c
+++ b/drivers/media/platform/amphion/vpu_malone.c
@@ -25,6 +25,10 @@
#include "vpu_imx8q.h"
#include "vpu_malone.h"
+static bool low_latency;
+module_param(low_latency, bool, 0644);
+MODULE_PARM_DESC(low_latency, "Set low latency frame flush mode: 0 (disable) or 1 (enable)");
+
#define CMD_SIZE 25600
#define MSG_SIZE 25600
#define CODEC_SIZE 0x1000
@@ -1567,7 +1571,15 @@ static int vpu_malone_input_frame_data(s
vpu_malone_update_wptr(str_buf, wptr);
- if (disp_imm && !vpu_vb_is_codecconfig(vbuf)) {
+ /*
+ * Enable the low latency flush mode if display delay is set to 0
+ * or the low latency frame flush mode if it is set to 1.
+ * The low latency flush mode requires some padding data to be appended to each frame,
+ * but there must not be any padding data between the sequence header and the frame.
+ * This module is currently only supported for the H264 and HEVC formats,
+ * for other formats, vpu_malone_add_scode() will return 0.
+ */
+ if ((disp_imm || low_latency) && !vpu_vb_is_codecconfig(vbuf)) {
ret = vpu_malone_add_scode(inst->core->iface,
inst->id,
&inst->stream_buffer,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 699/737] media: amphion: Make some vpu_v4l2 functions static
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (697 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 698/737] media: amphion: Add a frame flush mode for decoder Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 700/737] media: amphion: Remove vpu_vb_is_codecconfig Greg Kroah-Hartman
` (48 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Ming Qian,
Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
[ Upstream commit 5d1e54bb4dc6741284a3ed587e994308ddee2f16 ]
Some functions defined in vpu_v4l2.c are never used outside of that
compilation unit. Make them static.
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reviewed-by: Ming Qian <ming.qian@oss.nxp.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Stable-dep-of: 634c2cd17bd0 ("media: amphion: Remove vpu_vb_is_codecconfig")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/amphion/vpu_v4l2.c | 12 +++++++++---
drivers/media/platform/amphion/vpu_v4l2.h | 8 --------
2 files changed, 9 insertions(+), 11 deletions(-)
--- a/drivers/media/platform/amphion/vpu_v4l2.c
+++ b/drivers/media/platform/amphion/vpu_v4l2.c
@@ -24,6 +24,11 @@
#include "vpu_msgs.h"
#include "vpu_helpers.h"
+static char *vpu_type_name(u32 type)
+{
+ return V4L2_TYPE_IS_OUTPUT(type) ? "output" : "capture";
+}
+
void vpu_inst_lock(struct vpu_inst *inst)
{
mutex_lock(&inst->lock);
@@ -42,7 +47,7 @@ dma_addr_t vpu_get_vb_phy_addr(struct vb
vb->planes[plane_no].data_offset;
}
-unsigned int vpu_get_vb_length(struct vb2_buffer *vb, u32 plane_no)
+static unsigned int vpu_get_vb_length(struct vb2_buffer *vb, u32 plane_no)
{
if (plane_no >= vb->num_planes)
return 0;
@@ -74,7 +79,7 @@ void vpu_v4l2_set_error(struct vpu_inst
vpu_inst_unlock(inst);
}
-int vpu_notify_eos(struct vpu_inst *inst)
+static int vpu_notify_eos(struct vpu_inst *inst)
{
static const struct v4l2_event ev = {
.id = 0,
@@ -546,7 +551,8 @@ static void vpu_vb2_buf_finish(struct vb
call_void_vop(inst, on_queue_empty, q->type);
}
-void vpu_vb2_buffers_return(struct vpu_inst *inst, unsigned int type, enum vb2_buffer_state state)
+static void vpu_vb2_buffers_return(struct vpu_inst *inst, unsigned int type,
+ enum vb2_buffer_state state)
{
struct vb2_v4l2_buffer *buf;
--- a/drivers/media/platform/amphion/vpu_v4l2.h
+++ b/drivers/media/platform/amphion/vpu_v4l2.h
@@ -25,15 +25,12 @@ void vpu_skip_frame(struct vpu_inst *ins
struct vb2_v4l2_buffer *vpu_find_buf_by_sequence(struct vpu_inst *inst, u32 type, u32 sequence);
struct vb2_v4l2_buffer *vpu_find_buf_by_idx(struct vpu_inst *inst, u32 type, u32 idx);
void vpu_v4l2_set_error(struct vpu_inst *inst);
-int vpu_notify_eos(struct vpu_inst *inst);
int vpu_notify_source_change(struct vpu_inst *inst);
int vpu_set_last_buffer_dequeued(struct vpu_inst *inst, bool eos);
-void vpu_vb2_buffers_return(struct vpu_inst *inst, unsigned int type, enum vb2_buffer_state state);
int vpu_get_num_buffers(struct vpu_inst *inst, u32 type);
bool vpu_is_source_empty(struct vpu_inst *inst);
dma_addr_t vpu_get_vb_phy_addr(struct vb2_buffer *vb, u32 plane_no);
-unsigned int vpu_get_vb_length(struct vb2_buffer *vb, u32 plane_no);
static inline struct vpu_format *vpu_get_format(struct vpu_inst *inst, u32 type)
{
if (V4L2_TYPE_IS_OUTPUT(type))
@@ -42,11 +39,6 @@ static inline struct vpu_format *vpu_get
return &inst->cap_format;
}
-static inline char *vpu_type_name(u32 type)
-{
- return V4L2_TYPE_IS_OUTPUT(type) ? "output" : "capture";
-}
-
static inline int vpu_vb_is_codecconfig(struct vb2_v4l2_buffer *vbuf)
{
#ifdef V4L2_BUF_FLAG_CODECCONFIG
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 700/737] media: amphion: Remove vpu_vb_is_codecconfig
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (698 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 699/737] media: amphion: Make some vpu_v4l2 functions static Greg Kroah-Hartman
@ 2026-01-09 11:43 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 701/737] media: mediatek: vcodec: Use spinlock for context list protection lock Greg Kroah-Hartman
` (47 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Qian, Nicolas Dufresne,
Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Qian <ming.qian@oss.nxp.com>
[ Upstream commit 634c2cd17bd021487c57b95973bddb14be8002ff ]
Currently the function vpu_vb_is_codecconfig() always returns 0.
Delete it and its related code.
Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support")
Cc: stable@vger.kernel.org
Signed-off-by: Ming Qian <ming.qian@oss.nxp.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/amphion/vpu_malone.c | 23 +++--------------------
drivers/media/platform/amphion/vpu_v4l2.c | 10 ----------
drivers/media/platform/amphion/vpu_v4l2.h | 10 ----------
3 files changed, 3 insertions(+), 40 deletions(-)
--- a/drivers/media/platform/amphion/vpu_malone.c
+++ b/drivers/media/platform/amphion/vpu_malone.c
@@ -1320,22 +1320,18 @@ static int vpu_malone_insert_scode_vc1_g
{
if (!scode->inst->total_input_count)
return 0;
- if (vpu_vb_is_codecconfig(to_vb2_v4l2_buffer(scode->vb)))
- scode->need_data = 0;
return 0;
}
static int vpu_malone_insert_scode_vc1_g_pic(struct malone_scode_t *scode)
{
- struct vb2_v4l2_buffer *vbuf;
u8 nal_hdr[MALONE_VC1_NAL_HEADER_LEN];
u32 *data = NULL;
int ret;
- vbuf = to_vb2_v4l2_buffer(scode->vb);
data = vb2_plane_vaddr(scode->vb, 0);
- if (scode->inst->total_input_count == 0 || vpu_vb_is_codecconfig(vbuf))
+ if (scode->inst->total_input_count == 0)
return 0;
if (MALONE_VC1_CONTAIN_NAL(*data))
return 0;
@@ -1356,8 +1352,6 @@ static int vpu_malone_insert_scode_vc1_l
int size = 0;
u8 rcv_seqhdr[MALONE_VC1_RCV_SEQ_HEADER_LEN];
- if (vpu_vb_is_codecconfig(to_vb2_v4l2_buffer(scode->vb)))
- scode->need_data = 0;
if (scode->inst->total_input_count)
return 0;
scode->need_data = 0;
@@ -1543,7 +1537,7 @@ static int vpu_malone_input_frame_data(s
scode.vb = vb;
scode.wptr = wptr;
scode.need_data = 1;
- if (vbuf->sequence == 0 || vpu_vb_is_codecconfig(vbuf))
+ if (vbuf->sequence == 0)
ret = vpu_malone_insert_scode(&scode, SCODE_SEQUENCE);
if (ret < 0)
@@ -1579,7 +1573,7 @@ static int vpu_malone_input_frame_data(s
* This module is currently only supported for the H264 and HEVC formats,
* for other formats, vpu_malone_add_scode() will return 0.
*/
- if ((disp_imm || low_latency) && !vpu_vb_is_codecconfig(vbuf)) {
+ if (disp_imm || low_latency) {
ret = vpu_malone_add_scode(inst->core->iface,
inst->id,
&inst->stream_buffer,
@@ -1626,7 +1620,6 @@ int vpu_malone_input_frame(struct vpu_sh
struct vpu_inst *inst, struct vb2_buffer *vb)
{
struct vpu_dec_ctrl *hc = shared->priv;
- struct vb2_v4l2_buffer *vbuf;
struct vpu_malone_str_buffer __iomem *str_buf = hc->str_buf[inst->id];
u32 disp_imm = hc->codec_param[inst->id].disp_imm;
u32 size;
@@ -1640,16 +1633,6 @@ int vpu_malone_input_frame(struct vpu_sh
return ret;
size = ret;
- /*
- * if buffer only contain codec data, and the timestamp is invalid,
- * don't put the invalid timestamp to resync
- * merge the data to next frame
- */
- vbuf = to_vb2_v4l2_buffer(vb);
- if (vpu_vb_is_codecconfig(vbuf)) {
- inst->extra_size += size;
- return 0;
- }
if (inst->extra_size) {
size += inst->extra_size;
inst->extra_size = 0;
--- a/drivers/media/platform/amphion/vpu_v4l2.c
+++ b/drivers/media/platform/amphion/vpu_v4l2.c
@@ -342,16 +342,6 @@ struct vb2_v4l2_buffer *vpu_next_src_buf
if (!src_buf || vpu_get_buffer_state(src_buf) == VPU_BUF_STATE_IDLE)
return NULL;
- while (vpu_vb_is_codecconfig(src_buf)) {
- v4l2_m2m_src_buf_remove(inst->fh.m2m_ctx);
- vpu_set_buffer_state(src_buf, VPU_BUF_STATE_IDLE);
- v4l2_m2m_buf_done(src_buf, VB2_BUF_STATE_DONE);
-
- src_buf = v4l2_m2m_next_src_buf(inst->fh.m2m_ctx);
- if (!src_buf || vpu_get_buffer_state(src_buf) == VPU_BUF_STATE_IDLE)
- return NULL;
- }
-
return src_buf;
}
--- a/drivers/media/platform/amphion/vpu_v4l2.h
+++ b/drivers/media/platform/amphion/vpu_v4l2.h
@@ -38,14 +38,4 @@ static inline struct vpu_format *vpu_get
else
return &inst->cap_format;
}
-
-static inline int vpu_vb_is_codecconfig(struct vb2_v4l2_buffer *vbuf)
-{
-#ifdef V4L2_BUF_FLAG_CODECCONFIG
- return (vbuf->flags & V4L2_BUF_FLAG_CODECCONFIG) ? 1 : 0;
-#else
- return 0;
-#endif
-}
-
#endif
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 701/737] media: mediatek: vcodec: Use spinlock for context list protection lock
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (699 preceding siblings ...)
2026-01-09 11:43 ` [PATCH 6.6 700/737] media: amphion: Remove vpu_vb_is_codecconfig Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 702/737] KVM: SVM: Introduce svm_recalc_lbr_msr_intercepts() Greg Kroah-Hartman
` (46 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunfei Dong, Chen-Yu Tsai, Fei Shao,
Tomasz Figa, Nicolas Dufresne, Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
[ Upstream commit a5844227e0f030d2af2d85d4aed10c5eca6ca176 ]
Previously a mutex was added to protect the encoder and decoder context
lists from unexpected changes originating from the SCP IP block, causing
the context pointer to go invalid, resulting in a NULL pointer
dereference in the IPI handler.
Turns out on the MT8173, the VPU IPI handler is called from hard IRQ
context. This causes a big warning from the scheduler. This was first
reported downstream on the ChromeOS kernels, but is also reproducible
on mainline using Fluster with the FFmpeg v4l2m2m decoders. Even though
the actual capture format is not supported, the affected code paths
are triggered.
Since this lock just protects the context list and operations on it are
very fast, it should be OK to switch to a spinlock.
Fixes: 6467cda18c9f ("media: mediatek: vcodec: adding lock to protect decoder context list")
Fixes: afaaf3a0f647 ("media: mediatek: vcodec: adding lock to protect encoder context list")
Cc: Yunfei Dong <yunfei.dong@mediatek.com>
Cc: stable@vger.kernel.org
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: Fei Shao <fshao@chromium.org>
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ adapted file_to_dec_ctx() and file_to_enc_ctx() helper calls to equivalent fh_to_dec_ctx(file->private_data) and fh_to_enc_ctx(file->private_data) pattern ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c | 10 +++++---
drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c | 12 +++++-----
drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h | 2 -
drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c | 5 ++--
drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c | 12 +++++-----
drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h | 2 -
drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c | 5 ++--
7 files changed, 28 insertions(+), 20 deletions(-)
--- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c
+++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_vpu.c
@@ -47,30 +47,32 @@ static void mtk_vcodec_vpu_reset_dec_han
{
struct mtk_vcodec_dec_dev *dev = priv;
struct mtk_vcodec_dec_ctx *ctx;
+ unsigned long flags;
dev_err(&dev->plat_dev->dev, "Watchdog timeout!!");
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_for_each_entry(ctx, &dev->ctx_list, list) {
ctx->state = MTK_STATE_ABORT;
mtk_v4l2_vdec_dbg(0, ctx, "[%d] Change to state MTK_STATE_ABORT", ctx->id);
}
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
}
static void mtk_vcodec_vpu_reset_enc_handler(void *priv)
{
struct mtk_vcodec_enc_dev *dev = priv;
struct mtk_vcodec_enc_ctx *ctx;
+ unsigned long flags;
dev_err(&dev->plat_dev->dev, "Watchdog timeout!!");
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_for_each_entry(ctx, &dev->ctx_list, list) {
ctx->state = MTK_STATE_ABORT;
mtk_v4l2_vdec_dbg(0, ctx, "[%d] Change to state MTK_STATE_ABORT", ctx->id);
}
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
}
static const struct mtk_vcodec_fw_ops mtk_vcodec_vpu_msg = {
--- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c
+++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.c
@@ -198,6 +198,7 @@ static int fops_vcodec_open(struct file
struct mtk_vcodec_dec_ctx *ctx = NULL;
int ret = 0, i, hw_count;
struct vb2_queue *src_vq;
+ unsigned long flags;
ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
if (!ctx)
@@ -268,9 +269,9 @@ static int fops_vcodec_open(struct file
ctx->dev->vdec_pdata->init_vdec_params(ctx);
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_add(&ctx->list, &dev->ctx_list);
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
mtk_vcodec_dbgfs_create(ctx);
mutex_unlock(&dev->dev_mutex);
@@ -295,6 +296,7 @@ static int fops_vcodec_release(struct fi
{
struct mtk_vcodec_dec_dev *dev = video_drvdata(file);
struct mtk_vcodec_dec_ctx *ctx = fh_to_dec_ctx(file->private_data);
+ unsigned long flags;
mtk_v4l2_vdec_dbg(0, ctx, "[%d] decoder", ctx->id);
mutex_lock(&dev->dev_mutex);
@@ -313,9 +315,9 @@ static int fops_vcodec_release(struct fi
v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
mtk_vcodec_dbgfs_remove(dev, ctx->id);
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_del_init(&ctx->list);
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
kfree(ctx);
mutex_unlock(&dev->dev_mutex);
return 0;
@@ -382,7 +384,7 @@ static int mtk_vcodec_probe(struct platf
for (i = 0; i < MTK_VDEC_HW_MAX; i++)
mutex_init(&dev->dec_mutex[i]);
mutex_init(&dev->dev_mutex);
- mutex_init(&dev->dev_ctx_lock);
+ spin_lock_init(&dev->dev_ctx_lock);
spin_lock_init(&dev->irqlock);
snprintf(dev->v4l2_dev.name, sizeof(dev->v4l2_dev.name), "%s",
--- a/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
+++ b/drivers/media/platform/mediatek/vcodec/decoder/mtk_vcodec_dec_drv.h
@@ -271,7 +271,7 @@ struct mtk_vcodec_dec_dev {
/* decoder hardware mutex lock */
struct mutex dec_mutex[MTK_VDEC_HW_MAX];
struct mutex dev_mutex;
- struct mutex dev_ctx_lock;
+ spinlock_t dev_ctx_lock;
struct workqueue_struct *decode_workqueue;
spinlock_t irqlock;
--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
+++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec_vpu_if.c
@@ -75,16 +75,17 @@ static void handle_get_param_msg_ack(con
static bool vpu_dec_check_ap_inst(struct mtk_vcodec_dec_dev *dec_dev, struct vdec_vpu_inst *vpu)
{
struct mtk_vcodec_dec_ctx *ctx;
+ unsigned long flags;
int ret = false;
- mutex_lock(&dec_dev->dev_ctx_lock);
+ spin_lock_irqsave(&dec_dev->dev_ctx_lock, flags);
list_for_each_entry(ctx, &dec_dev->ctx_list, list) {
if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
ret = true;
break;
}
}
- mutex_unlock(&dec_dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dec_dev->dev_ctx_lock, flags);
return ret;
}
--- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c
+++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.c
@@ -117,6 +117,7 @@ static int fops_vcodec_open(struct file
struct mtk_vcodec_enc_ctx *ctx = NULL;
int ret = 0;
struct vb2_queue *src_vq;
+ unsigned long flags;
ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
if (!ctx)
@@ -177,9 +178,9 @@ static int fops_vcodec_open(struct file
mtk_v4l2_venc_dbg(2, ctx, "Create instance [%d]@%p m2m_ctx=%p ",
ctx->id, ctx, ctx->m2m_ctx);
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_add(&ctx->list, &dev->ctx_list);
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
mutex_unlock(&dev->dev_mutex);
mtk_v4l2_venc_dbg(0, ctx, "%s encoder [%d]", dev_name(&dev->plat_dev->dev),
@@ -204,6 +205,7 @@ static int fops_vcodec_release(struct fi
{
struct mtk_vcodec_enc_dev *dev = video_drvdata(file);
struct mtk_vcodec_enc_ctx *ctx = fh_to_enc_ctx(file->private_data);
+ unsigned long flags;
mtk_v4l2_venc_dbg(1, ctx, "[%d] encoder", ctx->id);
mutex_lock(&dev->dev_mutex);
@@ -214,9 +216,9 @@ static int fops_vcodec_release(struct fi
v4l2_fh_exit(&ctx->fh);
v4l2_ctrl_handler_free(&ctx->ctrl_hdl);
- mutex_lock(&dev->dev_ctx_lock);
+ spin_lock_irqsave(&dev->dev_ctx_lock, flags);
list_del_init(&ctx->list);
- mutex_unlock(&dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&dev->dev_ctx_lock, flags);
kfree(ctx);
mutex_unlock(&dev->dev_mutex);
return 0;
@@ -298,7 +300,7 @@ static int mtk_vcodec_probe(struct platf
mutex_init(&dev->enc_mutex);
mutex_init(&dev->dev_mutex);
- mutex_init(&dev->dev_ctx_lock);
+ spin_lock_init(&dev->dev_ctx_lock);
spin_lock_init(&dev->irqlock);
snprintf(dev->v4l2_dev.name, sizeof(dev->v4l2_dev.name), "%s",
--- a/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
+++ b/drivers/media/platform/mediatek/vcodec/encoder/mtk_vcodec_enc_drv.h
@@ -206,7 +206,7 @@ struct mtk_vcodec_enc_dev {
/* encoder hardware mutex lock */
struct mutex enc_mutex;
struct mutex dev_mutex;
- struct mutex dev_ctx_lock;
+ spinlock_t dev_ctx_lock;
struct workqueue_struct *encode_workqueue;
int enc_irq;
--- a/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
+++ b/drivers/media/platform/mediatek/vcodec/encoder/venc_vpu_if.c
@@ -45,16 +45,17 @@ static void handle_enc_encode_msg(struct
static bool vpu_enc_check_ap_inst(struct mtk_vcodec_enc_dev *enc_dev, struct venc_vpu_inst *vpu)
{
struct mtk_vcodec_enc_ctx *ctx;
+ unsigned long flags;
int ret = false;
- mutex_lock(&enc_dev->dev_ctx_lock);
+ spin_lock_irqsave(&enc_dev->dev_ctx_lock, flags);
list_for_each_entry(ctx, &enc_dev->ctx_list, list) {
if (!IS_ERR_OR_NULL(ctx) && ctx->vpu_inst == vpu) {
ret = true;
break;
}
}
- mutex_unlock(&enc_dev->dev_ctx_lock);
+ spin_unlock_irqrestore(&enc_dev->dev_ctx_lock, flags);
return ret;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 702/737] KVM: SVM: Introduce svm_recalc_lbr_msr_intercepts()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (700 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 701/737] media: mediatek: vcodec: Use spinlock for context list protection lock Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 703/737] KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv() Greg Kroah-Hartman
` (45 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
Introduce a helper updating the intercepts for LBR MSRs, similar to the
one introduced upstream by commit 160f143cc131 ("KVM: SVM: Manually
recalc all MSR intercepts on userspace MSR filter change"). The main
difference is that this version uses set_msr_interception(), which has
inverted polarity compared to svm_set_intercept_for_msr().
This is intended to simplify incoming backports. No functional changes
intended.
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1012,18 +1012,31 @@ void svm_copy_lbrs(struct vmcb *to_vmcb,
vmcb_mark_dirty(to_vmcb, VMCB_LBR);
}
-void svm_enable_lbrv(struct kvm_vcpu *vcpu)
+static void svm_recalc_lbr_msr_intercepts(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
+ bool intercept = !(svm->vmcb->control.virt_ext & LBR_CTL_ENABLE_MASK);
- svm->vmcb->control.virt_ext |= LBR_CTL_ENABLE_MASK;
- set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTBRANCHFROMIP, 1, 1);
- set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTBRANCHTOIP, 1, 1);
- set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTINTFROMIP, 1, 1);
- set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTINTTOIP, 1, 1);
+ set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTBRANCHFROMIP,
+ !intercept, !intercept);
+ set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTBRANCHTOIP,
+ !intercept, !intercept);
+ set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTINTFROMIP,
+ !intercept, !intercept);
+ set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTINTTOIP,
+ !intercept, !intercept);
if (sev_es_guest(vcpu->kvm))
- set_msr_interception(vcpu, svm->msrpm, MSR_IA32_DEBUGCTLMSR, 1, 1);
+ set_msr_interception(vcpu, svm->msrpm, MSR_IA32_DEBUGCTLMSR,
+ !intercept, !intercept);
+}
+
+void svm_enable_lbrv(struct kvm_vcpu *vcpu)
+{
+ struct vcpu_svm *svm = to_svm(vcpu);
+
+ svm->vmcb->control.virt_ext |= LBR_CTL_ENABLE_MASK;
+ svm_recalc_lbr_msr_intercepts(vcpu);
/* Move the LBR msrs to the vmcb02 so that the guest can see them. */
if (is_guest_mode(vcpu))
@@ -1037,10 +1050,7 @@ static void svm_disable_lbrv(struct kvm_
KVM_BUG_ON(sev_es_guest(vcpu->kvm), vcpu->kvm);
svm->vmcb->control.virt_ext &= ~LBR_CTL_ENABLE_MASK;
- set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTBRANCHFROMIP, 0, 0);
- set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTBRANCHTOIP, 0, 0);
- set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTINTFROMIP, 0, 0);
- set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTINTTOIP, 0, 0);
+ svm_recalc_lbr_msr_intercepts(vcpu);
/*
* Move the LBR msrs back to the vmcb01 to avoid copying them
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 703/737] KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (701 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 702/737] KVM: SVM: Introduce svm_recalc_lbr_msr_intercepts() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 704/737] KVM: nSVM: Fix and simplify LBR virtualization handling with nested Greg Kroah-Hartman
` (44 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Paolo Bonzini
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit fbe5e5f030c22ae717ee422aaab0e00ea84fab5e upstream.
svm_update_lbrv() is called when MSR_IA32_DEBUGCTLMSR is updated, and on
nested transitions where LBRV is used. It checks whether LBRV enablement
needs to be changed in the current VMCB, and if it does, it also
recalculate intercepts to LBR MSRs.
However, there are cases where intercepts need to be updated even when
LBRV enablement doesn't. Example scenario:
- L1 has MSR_IA32_DEBUGCTLMSR cleared.
- L1 runs L2 without LBR_CTL_ENABLE (no LBRV).
- L2 sets DEBUGCTLMSR_LBR in MSR_IA32_DEBUGCTLMSR, svm_update_lbrv()
sets LBR_CTL_ENABLE in VMCB02 and disables intercepts to LBR MSRs.
- L2 exits to L1, svm_update_lbrv() is not called on this transition.
- L1 clears MSR_IA32_DEBUGCTLMSR, svm_update_lbrv() finds that
LBR_CTL_ENABLE is already cleared in VMCB01 and does nothing.
- Intercepts remain disabled, L1 reads to LBR MSRs read the host MSRs.
Fix it by always recalculating intercepts in svm_update_lbrv().
Fixes: 1d5a1b5860ed ("KVM: x86: nSVM: correctly virtualize LBR msrs when L2 is running")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251108004524.1600006-3-yosry.ahmed@linux.dev
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1031,26 +1031,30 @@ static void svm_recalc_lbr_msr_intercept
!intercept, !intercept);
}
-void svm_enable_lbrv(struct kvm_vcpu *vcpu)
+static void __svm_enable_lbrv(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
svm->vmcb->control.virt_ext |= LBR_CTL_ENABLE_MASK;
- svm_recalc_lbr_msr_intercepts(vcpu);
/* Move the LBR msrs to the vmcb02 so that the guest can see them. */
if (is_guest_mode(vcpu))
svm_copy_lbrs(svm->vmcb, svm->vmcb01.ptr);
}
-static void svm_disable_lbrv(struct kvm_vcpu *vcpu)
+void svm_enable_lbrv(struct kvm_vcpu *vcpu)
+{
+ __svm_enable_lbrv(vcpu);
+ svm_recalc_lbr_msr_intercepts(vcpu);
+}
+
+static void __svm_disable_lbrv(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
KVM_BUG_ON(sev_es_guest(vcpu->kvm), vcpu->kvm);
svm->vmcb->control.virt_ext &= ~LBR_CTL_ENABLE_MASK;
- svm_recalc_lbr_msr_intercepts(vcpu);
/*
* Move the LBR msrs back to the vmcb01 to avoid copying them
@@ -1079,13 +1083,18 @@ void svm_update_lbrv(struct kvm_vcpu *vc
(is_guest_mode(vcpu) && guest_can_use(vcpu, X86_FEATURE_LBRV) &&
(svm->nested.ctl.virt_ext & LBR_CTL_ENABLE_MASK));
- if (enable_lbrv == current_enable_lbrv)
- return;
+ if (enable_lbrv && !current_enable_lbrv)
+ __svm_enable_lbrv(vcpu);
+ else if (!enable_lbrv && current_enable_lbrv)
+ __svm_disable_lbrv(vcpu);
- if (enable_lbrv)
- svm_enable_lbrv(vcpu);
- else
- svm_disable_lbrv(vcpu);
+ /*
+ * During nested transitions, it is possible that the current VMCB has
+ * LBR_CTL set, but the previous LBR_CTL had it cleared (or vice versa).
+ * In this case, even though LBR_CTL does not need an update, intercepts
+ * do, so always recalculate the intercepts here.
+ */
+ svm_recalc_lbr_msr_intercepts(vcpu);
}
void disable_nmi_singlestep(struct vcpu_svm *svm)
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 704/737] KVM: nSVM: Fix and simplify LBR virtualization handling with nested
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (702 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 703/737] KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 705/737] KVM: SVM: Fix redundant updates of LBR MSR intercepts Greg Kroah-Hartman
` (43 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Paolo Bonzini
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit 8a4821412cf2c1429fffa07c012dd150f2edf78c upstream.
The current scheme for handling LBRV when nested is used is very
complicated, especially when L1 does not enable LBRV (i.e. does not set
LBR_CTL_ENABLE_MASK).
To avoid copying LBRs between VMCB01 and VMCB02 on every nested
transition, the current implementation switches between using VMCB01 or
VMCB02 as the source of truth for the LBRs while L2 is running. If L2
enables LBR, VMCB02 is used as the source of truth. When L2 disables
LBR, the LBRs are copied to VMCB01 and VMCB01 is used as the source of
truth. This introduces significant complexity, and incorrect behavior in
some cases.
For example, on a nested #VMEXIT, the LBRs are only copied from VMCB02
to VMCB01 if LBRV is enabled in VMCB01. This is because L2's writes to
MSR_IA32_DEBUGCTLMSR to enable LBR are intercepted and propagated to
VMCB01 instead of VMCB02. However, LBRV is only enabled in VMCB02 when
L2 is running.
This means that if L2 enables LBR and exits to L1, the LBRs will not be
propagated from VMCB02 to VMCB01, because LBRV is disabled in VMCB01.
There is no meaningful difference in CPUID rate in L2 when copying LBRs
on every nested transition vs. the current approach, so do the simple
and correct thing and always copy LBRs between VMCB01 and VMCB02 on
nested transitions (when LBRV is disabled by L1). Drop the conditional
LBRs copying in __svm_{enable/disable}_lbrv() as it is now unnecessary.
VMCB02 becomes the only source of truth for LBRs when L2 is running,
regardless of LBRV being enabled by L1, drop svm_get_lbr_vmcb() and use
svm->vmcb directly in its place.
Fixes: 1d5a1b5860ed ("KVM: x86: nSVM: correctly virtualize LBR msrs when L2 is running")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251108004524.1600006-4-yosry.ahmed@linux.dev
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 20 ++++++-------------
arch/x86/kvm/svm/svm.c | 47 +++++++++-------------------------------------
2 files changed, 17 insertions(+), 50 deletions(-)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -601,11 +601,10 @@ static void nested_vmcb02_prepare_save(s
*/
svm_copy_lbrs(vmcb02, vmcb12);
vmcb02->save.dbgctl &= ~DEBUGCTL_RESERVED_BITS;
- svm_update_lbrv(&svm->vcpu);
-
- } else if (unlikely(vmcb01->control.virt_ext & LBR_CTL_ENABLE_MASK)) {
+ } else {
svm_copy_lbrs(vmcb02, vmcb01);
}
+ svm_update_lbrv(&svm->vcpu);
}
static inline bool is_evtinj_soft(u32 evtinj)
@@ -731,11 +730,7 @@ static void nested_vmcb02_prepare_contro
svm->soft_int_next_rip = vmcb12_rip;
}
- vmcb02->control.virt_ext = vmcb01->control.virt_ext &
- LBR_CTL_ENABLE_MASK;
- if (guest_can_use(vcpu, X86_FEATURE_LBRV))
- vmcb02->control.virt_ext |=
- (svm->nested.ctl.virt_ext & LBR_CTL_ENABLE_MASK);
+ /* LBR_CTL_ENABLE_MASK is controlled by svm_update_lbrv() */
if (!nested_vmcb_needs_vls_intercept(svm))
vmcb02->control.virt_ext |= VIRTUAL_VMLOAD_VMSAVE_ENABLE_MASK;
@@ -1066,13 +1061,12 @@ int nested_svm_vmexit(struct vcpu_svm *s
kvm_make_request(KVM_REQ_EVENT, &svm->vcpu);
if (unlikely(guest_can_use(vcpu, X86_FEATURE_LBRV) &&
- (svm->nested.ctl.virt_ext & LBR_CTL_ENABLE_MASK))) {
+ (svm->nested.ctl.virt_ext & LBR_CTL_ENABLE_MASK)))
svm_copy_lbrs(vmcb12, vmcb02);
- svm_update_lbrv(vcpu);
- } else if (unlikely(vmcb01->control.virt_ext & LBR_CTL_ENABLE_MASK)) {
+ else
svm_copy_lbrs(vmcb01, vmcb02);
- svm_update_lbrv(vcpu);
- }
+
+ svm_update_lbrv(vcpu);
if (vnmi) {
if (vmcb02->control.int_ctl & V_NMI_BLOCKING_MASK)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1033,13 +1033,7 @@ static void svm_recalc_lbr_msr_intercept
static void __svm_enable_lbrv(struct kvm_vcpu *vcpu)
{
- struct vcpu_svm *svm = to_svm(vcpu);
-
- svm->vmcb->control.virt_ext |= LBR_CTL_ENABLE_MASK;
-
- /* Move the LBR msrs to the vmcb02 so that the guest can see them. */
- if (is_guest_mode(vcpu))
- svm_copy_lbrs(svm->vmcb, svm->vmcb01.ptr);
+ to_svm(vcpu)->vmcb->control.virt_ext |= LBR_CTL_ENABLE_MASK;
}
void svm_enable_lbrv(struct kvm_vcpu *vcpu)
@@ -1050,36 +1044,15 @@ void svm_enable_lbrv(struct kvm_vcpu *vc
static void __svm_disable_lbrv(struct kvm_vcpu *vcpu)
{
- struct vcpu_svm *svm = to_svm(vcpu);
-
KVM_BUG_ON(sev_es_guest(vcpu->kvm), vcpu->kvm);
-
- svm->vmcb->control.virt_ext &= ~LBR_CTL_ENABLE_MASK;
-
- /*
- * Move the LBR msrs back to the vmcb01 to avoid copying them
- * on nested guest entries.
- */
- if (is_guest_mode(vcpu))
- svm_copy_lbrs(svm->vmcb01.ptr, svm->vmcb);
-}
-
-static struct vmcb *svm_get_lbr_vmcb(struct vcpu_svm *svm)
-{
- /*
- * If LBR virtualization is disabled, the LBR MSRs are always kept in
- * vmcb01. If LBR virtualization is enabled and L1 is running VMs of
- * its own, the MSRs are moved between vmcb01 and vmcb02 as needed.
- */
- return svm->vmcb->control.virt_ext & LBR_CTL_ENABLE_MASK ? svm->vmcb :
- svm->vmcb01.ptr;
+ to_svm(vcpu)->vmcb->control.virt_ext &= ~LBR_CTL_ENABLE_MASK;
}
void svm_update_lbrv(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
bool current_enable_lbrv = svm->vmcb->control.virt_ext & LBR_CTL_ENABLE_MASK;
- bool enable_lbrv = (svm_get_lbr_vmcb(svm)->save.dbgctl & DEBUGCTLMSR_LBR) ||
+ bool enable_lbrv = (svm->vmcb->save.dbgctl & DEBUGCTLMSR_LBR) ||
(is_guest_mode(vcpu) && guest_can_use(vcpu, X86_FEATURE_LBRV) &&
(svm->nested.ctl.virt_ext & LBR_CTL_ENABLE_MASK));
@@ -2925,19 +2898,19 @@ static int svm_get_msr(struct kvm_vcpu *
msr_info->data = svm->tsc_aux;
break;
case MSR_IA32_DEBUGCTLMSR:
- msr_info->data = svm_get_lbr_vmcb(svm)->save.dbgctl;
+ msr_info->data = svm->vmcb->save.dbgctl;
break;
case MSR_IA32_LASTBRANCHFROMIP:
- msr_info->data = svm_get_lbr_vmcb(svm)->save.br_from;
+ msr_info->data = svm->vmcb->save.br_from;
break;
case MSR_IA32_LASTBRANCHTOIP:
- msr_info->data = svm_get_lbr_vmcb(svm)->save.br_to;
+ msr_info->data = svm->vmcb->save.br_to;
break;
case MSR_IA32_LASTINTFROMIP:
- msr_info->data = svm_get_lbr_vmcb(svm)->save.last_excp_from;
+ msr_info->data = svm->vmcb->save.last_excp_from;
break;
case MSR_IA32_LASTINTTOIP:
- msr_info->data = svm_get_lbr_vmcb(svm)->save.last_excp_to;
+ msr_info->data = svm->vmcb->save.last_excp_to;
break;
case MSR_VM_HSAVE_PA:
msr_info->data = svm->nested.hsave_msr;
@@ -3206,10 +3179,10 @@ static int svm_set_msr(struct kvm_vcpu *
if (data & DEBUGCTL_RESERVED_BITS)
return 1;
- if (svm_get_lbr_vmcb(svm)->save.dbgctl == data)
+ if (svm->vmcb->save.dbgctl == data)
break;
- svm_get_lbr_vmcb(svm)->save.dbgctl = data;
+ svm->vmcb->save.dbgctl = data;
vmcb_mark_dirty(svm->vmcb, VMCB_LBR);
svm_update_lbrv(vcpu);
break;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 705/737] KVM: SVM: Fix redundant updates of LBR MSR intercepts
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (703 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 704/737] KVM: nSVM: Fix and simplify LBR virtualization handling with nested Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 706/737] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Greg Kroah-Hartman
` (42 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Sean Christopherson,
Paolo Bonzini
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit 3fa05f96fc08dff5e846c2cc283a249c1bf029a1 upstream.
Don't update the LBR MSR intercept bitmaps if they're already up-to-date,
as unconditionally updating the intercepts forces KVM to recalculate the
MSR bitmaps for vmcb02 on every nested VMRUN. The redundant updates are
functionally okay; however, they neuter an optimization in Hyper-V
nested virtualization enlightenments and this manifests as a self-test
failure.
In particular, Hyper-V lets L1 mark "nested enlightenments" as clean, i.e.
tell KVM that no changes were made to the MSR bitmap since the last VMRUN.
The hyperv_svm_test KVM selftest intentionally changes the MSR bitmap
"without telling KVM about it" to verify that KVM honors the clean hint,
correctly fails because KVM notices the changed bitmap anyway:
==== Test Assertion Failure ====
x86/hyperv_svm_test.c:120: vmcb->control.exit_code == 0x081
pid=193558 tid=193558 errno=4 - Interrupted system call
1 0x0000000000411361: assert_on_unhandled_exception at processor.c:659
2 0x0000000000406186: _vcpu_run at kvm_util.c:1699
3 (inlined by) vcpu_run at kvm_util.c:1710
4 0x0000000000401f2a: main at hyperv_svm_test.c:175
5 0x000000000041d0d3: __libc_start_call_main at libc-start.o:?
6 0x000000000041f27c: __libc_start_main_impl at ??:?
7 0x00000000004021a0: _start at ??:?
vmcb->control.exit_code == SVM_EXIT_VMMCALL
Do *not* fix this by skipping svm_hv_vmcb_dirty_nested_enlightenments()
when svm_set_intercept_for_msr() performs a no-op change. changes to
the L0 MSR interception bitmap are only triggered by full CPUID updates
and MSR filter updates, both of which should be rare. Changing
svm_set_intercept_for_msr() risks hiding unintended pessimizations
like this one, and is actually more complex than this change.
Fixes: fbe5e5f030c2 ("KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv()")
Cc: stable@vger.kernel.org
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251112013017.1836863-1-yosry.ahmed@linux.dev
[Rewritten commit message based on mailing list discussion. - Paolo]
Reviewed-by: Sean Christopherson <seanjc@google.com>
Tested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 6 ++++++
arch/x86/kvm/svm/svm.h | 1 +
2 files changed, 7 insertions(+)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -1017,6 +1017,9 @@ static void svm_recalc_lbr_msr_intercept
struct vcpu_svm *svm = to_svm(vcpu);
bool intercept = !(svm->vmcb->control.virt_ext & LBR_CTL_ENABLE_MASK);
+ if (intercept == svm->lbr_msrs_intercepted)
+ return;
+
set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTBRANCHFROMIP,
!intercept, !intercept);
set_msr_interception(vcpu, svm->msrpm, MSR_IA32_LASTBRANCHTOIP,
@@ -1029,6 +1032,8 @@ static void svm_recalc_lbr_msr_intercept
if (sev_es_guest(vcpu->kvm))
set_msr_interception(vcpu, svm->msrpm, MSR_IA32_DEBUGCTLMSR,
!intercept, !intercept);
+
+ svm->lbr_msrs_intercepted = intercept;
}
static void __svm_enable_lbrv(struct kvm_vcpu *vcpu)
@@ -1473,6 +1478,7 @@ static int svm_vcpu_create(struct kvm_vc
}
svm->x2avic_msrs_intercepted = true;
+ svm->lbr_msrs_intercepted = true;
svm->vmcb01.ptr = page_address(vmcb01_page);
svm->vmcb01.pa = __sme_set(page_to_pfn(vmcb01_page) << PAGE_SHIFT);
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -288,6 +288,7 @@ struct vcpu_svm {
bool guest_state_loaded;
bool x2avic_msrs_intercepted;
+ bool lbr_msrs_intercepted;
/* Guest GIF value, used when vGIF is not enabled */
bool guest_gif;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 706/737] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (704 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 705/737] KVM: SVM: Fix redundant updates of LBR MSR intercepts Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 707/737] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Greg Kroah-Hartman
` (41 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 7890e5b5bb6e386155c6e755fe70e0cdcc77f18e upstream.
damon_test_split_evenly_fail() is assuming all dynamic memory allocation
in it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-19-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/vaddr-test.h | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/mm/damon/vaddr-test.h
+++ b/mm/damon/vaddr-test.h
@@ -250,7 +250,16 @@ static void damon_test_split_evenly_fail
unsigned long start, unsigned long end, unsigned int nr_pieces)
{
struct damon_target *t = damon_new_target();
- struct damon_region *r = damon_new_region(start, end);
+ struct damon_region *r;
+
+ if (!t)
+ kunit_skip(test, "target alloc fail");
+
+ r = damon_new_region(start, end);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
KUNIT_EXPECT_EQ(test,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 707/737] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (705 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 706/737] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 708/737] RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Greg Kroah-Hartman
` (40 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 2b22d0fcc6320ba29b2122434c1d2f0785fb0a25 upstream.
damon_do_test_apply_three_regions() is assuming all dynamic memory
allocation in it will succeed. Those are indeed likely in the real use
cases since those allocations are too small to fail, but theoretically
those could fail. In the case, inappropriate memory access can happen.
Fix it by appropriately cleanup pre-allocated memory and skip the
execution of the remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-18-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/vaddr-test.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/damon/vaddr-test.h
+++ b/mm/damon/vaddr-test.h
@@ -136,8 +136,14 @@ static void damon_do_test_apply_three_re
int i;
t = damon_new_target();
+ if (!t)
+ kunit_skip(test, "target alloc fail");
for (i = 0; i < nr_regions / 2; i++) {
r = damon_new_region(regions[i * 2], regions[i * 2 + 1]);
+ if (!r) {
+ damon_destroy_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 708/737] RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (706 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 707/737] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 709/737] sched/fair: Small cleanup to sched_balance_newidle() Greg Kroah-Hartman
` (39 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e2ce9e275ecc70a30b72,
Zhu Yanjun, Jason Gunthorpe, Sasha Levin, Ajay Kaher,
Shivani Agarwal
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhu Yanjun <yanjun.zhu@linux.dev>
commit d0706bfd3ee40923c001c6827b786a309e2a8713 upstream.
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
strlen+0x93/0xa0 lib/string.c:420
__fortify_strlen include/linux/fortify-string.h:268 [inline]
get_kobj_path_length lib/kobject.c:118 [inline]
kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
ib_register_device drivers/infiniband/core/device.c:1472 [inline]
ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
__sys_sendmsg+0x16d/0x220 net/socket.c:2652
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
This problem is similar to the problem that the
commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
fixes.
The root cause is: the function ib_device_rename() renames the name with
lock. But in the function kobject_uevent(), this name is accessed without
lock protection at the same time.
The solution is to add the lock protection when this name is accessed in
the function kobject_uevent().
Fixes: 779e0bf47632 ("RDMA/core: Do not indicate device ready when device enablement fails")
Link: https://patch.msgid.link/r/20250506151008.75701-1-yanjun.zhu@linux.dev
Reported-by: syzbot+e2ce9e275ecc70a30b72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e2ce9e275ecc70a30b72
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Ajay: Modified to apply on v5.10.y-v6.6.y
ib_device_notify_register() not present in v5.10.y-v6.6.y,
so directly added lock for kobject_uevent() ]
Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/device.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -1450,8 +1450,13 @@ int ib_register_device(struct ib_device
return ret;
}
dev_set_uevent_suppress(&device->dev, false);
+
+ down_read(&devices_rwsem);
+
/* Mark for userspace that device is ready */
kobject_uevent(&device->dev.kobj, KOBJ_ADD);
+
+ up_read(&devices_rwsem);
ib_device_put(device);
return 0;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 709/737] sched/fair: Small cleanup to sched_balance_newidle()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (707 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 708/737] RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 710/737] sched/fair: Small cleanup to update_newidle_cost() Greg Kroah-Hartman
` (38 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, dietmar.eggemann@arm.com, rostedt@goodmis.org, bsegall@google.com, mgorman@suse.de, vschneid@redhat.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Chris Mason,
Peter Zijlstra (Intel), Dietmar Eggemann, Ajay Kaher, Chris Mason
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit e78e70dbf603c1425f15f32b455ca148c932f6c1 upstream.
Pull out the !sd check to simplify code.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Chris Mason <clm@meta.com>
Link: https://patch.msgid.link/20251107161739.525916173@infradead.org
[ Ajay: Modified to apply on v6.6 ]
Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/fair.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -12374,14 +12374,15 @@ static int sched_balance_newidle(struct
rcu_read_lock();
sd = rcu_dereference_check_sched_domain(this_rq->sd);
+ if (!sd) {
+ rcu_read_unlock();
+ goto out;
+ }
if (!READ_ONCE(this_rq->rd->overload) ||
- (sd && this_rq->avg_idle < sd->max_newidle_lb_cost)) {
-
- if (sd)
- update_next_balance(sd, &next_balance);
+ this_rq->avg_idle < sd->max_newidle_lb_cost) {
+ update_next_balance(sd, &next_balance);
rcu_read_unlock();
-
goto out;
}
rcu_read_unlock();
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 710/737] sched/fair: Small cleanup to update_newidle_cost()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (708 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 709/737] sched/fair: Small cleanup to sched_balance_newidle() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 711/737] sched/fair: Proportional newidle balance Greg Kroah-Hartman
` (37 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, dietmar.eggemann@arm.com, rostedt@goodmis.org, bsegall@google.com, mgorman@suse.de, vschneid@redhat.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Chris Mason,
Peter Zijlstra (Intel), Dietmar Eggemann, Ajay Kaher, Chris Mason
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 08d473dd8718e4a4d698b1113a14a40ad64a909b upstream.
Simplify code by adding a few variables.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Chris Mason <clm@meta.com>
Link: https://patch.msgid.link/20251107161739.655208666@infradead.org
[ Ajay: Modified to apply on v6.6 ]
Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/sched/fair.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -11718,22 +11718,25 @@ void update_max_interval(void)
static inline bool update_newidle_cost(struct sched_domain *sd, u64 cost)
{
+ unsigned long next_decay = sd->last_decay_max_lb_cost + HZ;
+ unsigned long now = jiffies;
+
if (cost > sd->max_newidle_lb_cost) {
/*
* Track max cost of a domain to make sure to not delay the
* next wakeup on the CPU.
*/
sd->max_newidle_lb_cost = cost;
- sd->last_decay_max_lb_cost = jiffies;
- } else if (time_after(jiffies, sd->last_decay_max_lb_cost + HZ)) {
+ sd->last_decay_max_lb_cost = now;
+
+ } else if (time_after(now, next_decay)) {
/*
* Decay the newidle max times by ~1% per second to ensure that
* it is not outdated and the current max cost is actually
* shorter.
*/
sd->max_newidle_lb_cost = (sd->max_newidle_lb_cost * 253) / 256;
- sd->last_decay_max_lb_cost = jiffies;
-
+ sd->last_decay_max_lb_cost = now;
return true;
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 711/737] sched/fair: Proportional newidle balance
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (709 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 710/737] sched/fair: Small cleanup to update_newidle_cost() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 712/737] net: Remove conditional threaded-NAPI wakeup based on task state Greg Kroah-Hartman
` (36 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
mingo@redhat.com, peterz@infradead.org, juri.lelli@redhat.com, vincent.guittot@linaro.org, dietmar.eggemann@arm.com, rostedt@goodmis.org, bsegall@google.com, mgorman@suse.de, vschneid@redhat.com, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Chris Mason,
Peter Zijlstra (Intel), Dietmar Eggemann, Ajay Kaher, Chris Mason
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra (Intel) <peterz@infradead.org>
commit 33cf66d88306663d16e4759e9d24766b0aaa2e17 upstream.
Add a randomized algorithm that runs newidle balancing proportional to
its success rate.
This improves schbench significantly:
6.18-rc4: 2.22 Mrps/s
6.18-rc4+revert: 2.04 Mrps/s
6.18-rc4+revert+random: 2.18 Mrps/S
Conversely, per Adam Li this affects SpecJBB slightly, reducing it by 1%:
6.17: -6%
6.17+revert: 0%
6.17+revert+random: -1%
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Tested-by: Chris Mason <clm@meta.com>
Link: https://lkml.kernel.org/r/6825c50d-7fa7-45d8-9b81-c6e7e25738e2@meta.com
Link: https://patch.msgid.link/20251107161739.770122091@infradead.org
[ Ajay: Modified to apply on v6.6 ]
Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/sched/topology.h | 3 ++
kernel/sched/core.c | 3 ++
kernel/sched/fair.c | 44 +++++++++++++++++++++++++++++++++++++----
kernel/sched/features.h | 5 ++++
kernel/sched/sched.h | 7 ++++++
kernel/sched/topology.c | 6 +++++
6 files changed, 64 insertions(+), 4 deletions(-)
--- a/include/linux/sched/topology.h
+++ b/include/linux/sched/topology.h
@@ -106,6 +106,9 @@ struct sched_domain {
unsigned int nr_balance_failed; /* initialise to 0 */
/* idle_balance() stats */
+ unsigned int newidle_call;
+ unsigned int newidle_success;
+ unsigned int newidle_ratio;
u64 max_newidle_lb_cost;
unsigned long last_decay_max_lb_cost;
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -116,6 +116,7 @@ EXPORT_TRACEPOINT_SYMBOL_GPL(sched_util_
EXPORT_TRACEPOINT_SYMBOL_GPL(sched_update_nr_running_tp);
DEFINE_PER_CPU_SHARED_ALIGNED(struct rq, runqueues);
+DEFINE_PER_CPU(struct rnd_state, sched_rnd_state);
#ifdef CONFIG_SCHED_DEBUG
/*
@@ -9872,6 +9873,8 @@ void __init sched_init_smp(void)
{
sched_init_numa(NUMA_NO_NODE);
+ prandom_init_once(&sched_rnd_state);
+
/*
* There's no userspace yet to cause hotplug operations; hence all the
* CPU masks are stable and all blatant races in the below code cannot
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -11716,11 +11716,27 @@ void update_max_interval(void)
max_load_balance_interval = HZ*num_online_cpus()/10;
}
-static inline bool update_newidle_cost(struct sched_domain *sd, u64 cost)
+static inline void update_newidle_stats(struct sched_domain *sd, unsigned int success)
+{
+ sd->newidle_call++;
+ sd->newidle_success += success;
+
+ if (sd->newidle_call >= 1024) {
+ sd->newidle_ratio = sd->newidle_success;
+ sd->newidle_call /= 2;
+ sd->newidle_success /= 2;
+ }
+}
+
+static inline bool
+update_newidle_cost(struct sched_domain *sd, u64 cost, unsigned int success)
{
unsigned long next_decay = sd->last_decay_max_lb_cost + HZ;
unsigned long now = jiffies;
+ if (cost)
+ update_newidle_stats(sd, success);
+
if (cost > sd->max_newidle_lb_cost) {
/*
* Track max cost of a domain to make sure to not delay the
@@ -11768,7 +11784,7 @@ static void rebalance_domains(struct rq
* Decay the newidle max times here because this is a regular
* visit to all the domains.
*/
- need_decay = update_newidle_cost(sd, 0);
+ need_decay = update_newidle_cost(sd, 0, 0);
max_cost += sd->max_newidle_lb_cost;
/*
@@ -12406,6 +12422,22 @@ static int sched_balance_newidle(struct
break;
if (sd->flags & SD_BALANCE_NEWIDLE) {
+ unsigned int weight = 1;
+
+ if (sched_feat(NI_RANDOM)) {
+ /*
+ * Throw a 1k sided dice; and only run
+ * newidle_balance according to the success
+ * rate.
+ */
+ u32 d1k = sched_rng() % 1024;
+ weight = 1 + sd->newidle_ratio;
+ if (d1k > weight) {
+ update_newidle_stats(sd, 0);
+ continue;
+ }
+ weight = (1024 + weight/2) / weight;
+ }
pulled_task = load_balance(this_cpu, this_rq,
sd, CPU_NEWLY_IDLE,
@@ -12413,10 +12445,14 @@ static int sched_balance_newidle(struct
t1 = sched_clock_cpu(this_cpu);
domain_cost = t1 - t0;
- update_newidle_cost(sd, domain_cost);
-
curr_cost += domain_cost;
t0 = t1;
+
+ /*
+ * Track max cost of a domain to make sure to not delay the
+ * next wakeup on the CPU.
+ */
+ update_newidle_cost(sd, domain_cost, weight * !!pulled_task);
}
/*
--- a/kernel/sched/features.h
+++ b/kernel/sched/features.h
@@ -88,4 +88,9 @@ SCHED_FEAT(UTIL_EST_FASTUP, true)
SCHED_FEAT(LATENCY_WARN, false)
+/*
+ * Do newidle balancing proportional to its success rate using randomization.
+ */
+SCHED_FEAT(NI_RANDOM, true)
+
SCHED_FEAT(HZ_BW, true)
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -5,6 +5,7 @@
#ifndef _KERNEL_SCHED_SCHED_H
#define _KERNEL_SCHED_SCHED_H
+#include <linux/prandom.h>
#include <linux/sched/affinity.h>
#include <linux/sched/autogroup.h>
#include <linux/sched/cpufreq.h>
@@ -1205,6 +1206,12 @@ static inline bool is_migration_disabled
}
DECLARE_PER_CPU_SHARED_ALIGNED(struct rq, runqueues);
+DECLARE_PER_CPU(struct rnd_state, sched_rnd_state);
+
+static inline u32 sched_rng(void)
+{
+ return prandom_u32_state(this_cpu_ptr(&sched_rnd_state));
+}
#define cpu_rq(cpu) (&per_cpu(runqueues, (cpu)))
#define this_rq() this_cpu_ptr(&runqueues)
--- a/kernel/sched/topology.c
+++ b/kernel/sched/topology.c
@@ -1600,6 +1600,12 @@ sd_init(struct sched_domain_topology_lev
.last_balance = jiffies,
.balance_interval = sd_weight,
+
+ /* 50% success rate */
+ .newidle_call = 512,
+ .newidle_success = 256,
+ .newidle_ratio = 512,
+
.max_newidle_lb_cost = 0,
.last_decay_max_lb_cost = jiffies,
.child = child,
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 712/737] net: Remove conditional threaded-NAPI wakeup based on task state.
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (710 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 711/737] sched/fair: Proportional newidle balance Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 713/737] net: Allow to use SMP threads for backlog NAPI Greg Kroah-Hartman
` (35 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski,
Sebastian Andrzej Siewior, Paolo Abeni, Wen Yang
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
commit 56364c910691f6d10ba88c964c9041b9ab777bd6 upstream.
A NAPI thread is scheduled by first setting NAPI_STATE_SCHED bit. If
successful (the bit was not yet set) then the NAPI_STATE_SCHED_THREADED
is set but only if thread's state is not TASK_INTERRUPTIBLE (is
TASK_RUNNING) followed by task wakeup.
If the task is idle (TASK_INTERRUPTIBLE) then the
NAPI_STATE_SCHED_THREADED bit is not set. The thread is no relying on
the bit but always leaving the wait-loop after returning from schedule()
because there must have been a wakeup.
The smpboot-threads implementation for per-CPU threads requires an
explicit condition and does not support "if we get out of schedule()
then there must be something to do".
Removing this optimisation simplifies the following integration.
Set NAPI_STATE_SCHED_THREADED unconditionally on wakeup and rely on it
in the wait path by removing the `woken' condition.
Acked-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Wen Yang <wen.yang@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dev.c | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4526,13 +4526,7 @@ static inline void ____napi_schedule(str
*/
thread = READ_ONCE(napi->thread);
if (thread) {
- /* Avoid doing set_bit() if the thread is in
- * INTERRUPTIBLE state, cause napi_thread_wait()
- * makes sure to proceed with napi polling
- * if the thread is explicitly woken from here.
- */
- if (READ_ONCE(thread->__state) != TASK_INTERRUPTIBLE)
- set_bit(NAPI_STATE_SCHED_THREADED, &napi->state);
+ set_bit(NAPI_STATE_SCHED_THREADED, &napi->state);
wake_up_process(thread);
return;
}
@@ -6688,8 +6682,6 @@ static int napi_poll(struct napi_struct
static int napi_thread_wait(struct napi_struct *napi)
{
- bool woken = false;
-
set_current_state(TASK_INTERRUPTIBLE);
while (!kthread_should_stop()) {
@@ -6698,15 +6690,13 @@ static int napi_thread_wait(struct napi_
* Testing SCHED bit is not enough because SCHED bit might be
* set by some other busy poll thread or by napi_disable().
*/
- if (test_bit(NAPI_STATE_SCHED_THREADED, &napi->state) || woken) {
+ if (test_bit(NAPI_STATE_SCHED_THREADED, &napi->state)) {
WARN_ON(!list_empty(&napi->poll_list));
__set_current_state(TASK_RUNNING);
return 0;
}
schedule();
- /* woken being true indicates this thread owns this napi. */
- woken = true;
set_current_state(TASK_INTERRUPTIBLE);
}
__set_current_state(TASK_RUNNING);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 713/737] net: Allow to use SMP threads for backlog NAPI.
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (711 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 712/737] net: Remove conditional threaded-NAPI wakeup based on task state Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 714/737] RDMA/rxe: Remove the direct link to net_device Greg Kroah-Hartman
` (34 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski,
Sebastian Andrzej Siewior, Paolo Abeni, Wen Yang
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
commit dad6b97702639fba27a2bd3e986982ad6f0db3a7 upstream.
Backlog NAPI is a per-CPU NAPI struct only (with no device behind it)
used by drivers which don't do NAPI them self, RPS and parts of the
stack which need to avoid recursive deadlocks while processing a packet.
The non-NAPI driver use the CPU local backlog NAPI. If RPS is enabled
then a flow for the skb is computed and based on the flow the skb can be
enqueued on a remote CPU. Scheduling/ raising the softirq (for backlog's
NAPI) on the remote CPU isn't trivial because the softirq is only
scheduled on the local CPU and performed after the hardirq is done.
In order to schedule a softirq on the remote CPU, an IPI is sent to the
remote CPU which schedules the backlog-NAPI on the then local CPU.
On PREEMPT_RT interrupts are force-threaded. The soft interrupts are
raised within the interrupt thread and processed after the interrupt
handler completed still within the context of the interrupt thread. The
softirq is handled in the context where it originated.
With force-threaded interrupts enabled, ksoftirqd is woken up if a
softirq is raised from hardirq context. This is the case if it is raised
from an IPI. Additionally there is a warning on PREEMPT_RT if the
softirq is raised from the idle thread.
This was done for two reasons:
- With threaded interrupts the processing should happen in thread
context (where it originated) and ksoftirqd is the only thread for
this context if raised from hardirq. Using the currently running task
instead would "punish" a random task.
- Once ksoftirqd is active it consumes all further softirqs until it
stops running. This changed recently and is no longer the case.
Instead of keeping the backlog NAPI in ksoftirqd (in force-threaded/
PREEMPT_RT setups) I am proposing NAPI-threads for backlog.
The "proper" setup with threaded-NAPI is not doable because the threads
are not pinned to an individual CPU and can be modified by the user.
Additionally a dummy network device would have to be assigned. Also
CPU-hotplug has to be considered if additional CPUs show up.
All this can be probably done/ solved but the smpboot-threads already
provide this infrastructure.
Sending UDP packets over loopback expects that the packet is processed
within the call. Delaying it by handing it over to the thread hurts
performance. It is not beneficial to the outcome if the context switch
happens immediately after enqueue or after a while to process a few
packets in a batch.
There is no need to always use the thread if the backlog NAPI is
requested on the local CPU. This restores the loopback throuput. The
performance drops mostly to the same value after enabling RPS on the
loopback comparing the IPI and the tread result.
Create NAPI-threads for backlog if request during boot. The thread runs
the inner loop from napi_threaded_poll(), the wait part is different. It
checks for NAPI_STATE_SCHED (the backlog NAPI can not be disabled).
The NAPI threads for backlog are optional, it has to be enabled via the boot
argument "thread_backlog_napi". It is mandatory for PREEMPT_RT to avoid the
wakeup of ksoftirqd from the IPI.
Acked-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Wen Yang <wen.yang@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dev.c | 152 +++++++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 115 insertions(+), 37 deletions(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -78,6 +78,7 @@
#include <linux/slab.h>
#include <linux/sched.h>
#include <linux/sched/mm.h>
+#include <linux/smpboot.h>
#include <linux/mutex.h>
#include <linux/rwsem.h>
#include <linux/string.h>
@@ -217,6 +218,31 @@ static inline struct hlist_head *dev_ind
return &net->dev_index_head[ifindex & (NETDEV_HASHENTRIES - 1)];
}
+#ifndef CONFIG_PREEMPT_RT
+
+static DEFINE_STATIC_KEY_FALSE(use_backlog_threads_key);
+
+static int __init setup_backlog_napi_threads(char *arg)
+{
+ static_branch_enable(&use_backlog_threads_key);
+ return 0;
+}
+early_param("thread_backlog_napi", setup_backlog_napi_threads);
+
+static bool use_backlog_threads(void)
+{
+ return static_branch_unlikely(&use_backlog_threads_key);
+}
+
+#else
+
+static bool use_backlog_threads(void)
+{
+ return true;
+}
+
+#endif
+
static inline void rps_lock_irqsave(struct softnet_data *sd,
unsigned long *flags)
{
@@ -4494,6 +4520,7 @@ EXPORT_SYMBOL(__dev_direct_xmit);
/*************************************************************************
* Receiver routines
*************************************************************************/
+static DEFINE_PER_CPU(struct task_struct *, backlog_napi);
int netdev_max_backlog __read_mostly = 1000;
EXPORT_SYMBOL(netdev_max_backlog);
@@ -4526,12 +4553,16 @@ static inline void ____napi_schedule(str
*/
thread = READ_ONCE(napi->thread);
if (thread) {
+ if (use_backlog_threads() && thread == raw_cpu_read(backlog_napi))
+ goto use_local_napi;
+
set_bit(NAPI_STATE_SCHED_THREADED, &napi->state);
wake_up_process(thread);
return;
}
}
+use_local_napi:
list_add_tail(&napi->poll_list, &sd->poll_list);
WRITE_ONCE(napi->list_owner, smp_processor_id());
/* If not called from net_rx_action()
@@ -4777,6 +4808,11 @@ static void napi_schedule_rps(struct sof
#ifdef CONFIG_RPS
if (sd != mysd) {
+ if (use_backlog_threads()) {
+ __napi_schedule_irqoff(&sd->backlog);
+ return;
+ }
+
sd->rps_ipi_next = mysd->rps_ipi_list;
mysd->rps_ipi_list = sd;
@@ -6000,7 +6036,7 @@ static void net_rps_action_and_irq_enabl
#ifdef CONFIG_RPS
struct softnet_data *remsd = sd->rps_ipi_list;
- if (remsd) {
+ if (!use_backlog_threads() && remsd) {
sd->rps_ipi_list = NULL;
local_irq_enable();
@@ -6015,7 +6051,7 @@ static void net_rps_action_and_irq_enabl
static bool sd_has_rps_ipi_waiting(struct softnet_data *sd)
{
#ifdef CONFIG_RPS
- return sd->rps_ipi_list != NULL;
+ return !use_backlog_threads() && sd->rps_ipi_list;
#else
return false;
#endif
@@ -6059,7 +6095,7 @@ static int process_backlog(struct napi_s
* We can use a plain write instead of clear_bit(),
* and we dont need an smp_mb() memory barrier.
*/
- napi->state = 0;
+ napi->state &= NAPIF_STATE_THREADED;
again = false;
} else {
skb_queue_splice_tail_init(&sd->input_pkt_queue,
@@ -6725,43 +6761,48 @@ static void skb_defer_free_flush(struct
}
}
-static int napi_threaded_poll(void *data)
+static void napi_threaded_poll_loop(struct napi_struct *napi)
{
- struct napi_struct *napi = data;
struct softnet_data *sd;
- void *have;
+ unsigned long last_qs = jiffies;
- while (!napi_thread_wait(napi)) {
- unsigned long last_qs = jiffies;
+ for (;;) {
+ bool repoll = false;
+ void *have;
- for (;;) {
- bool repoll = false;
+ local_bh_disable();
+ sd = this_cpu_ptr(&softnet_data);
+ sd->in_napi_threaded_poll = true;
- local_bh_disable();
- sd = this_cpu_ptr(&softnet_data);
- sd->in_napi_threaded_poll = true;
-
- have = netpoll_poll_lock(napi);
- __napi_poll(napi, &repoll);
- netpoll_poll_unlock(have);
-
- sd->in_napi_threaded_poll = false;
- barrier();
-
- if (sd_has_rps_ipi_waiting(sd)) {
- local_irq_disable();
- net_rps_action_and_irq_enable(sd);
- }
- skb_defer_free_flush(sd);
- local_bh_enable();
+ have = netpoll_poll_lock(napi);
+ __napi_poll(napi, &repoll);
+ netpoll_poll_unlock(have);
+
+ sd->in_napi_threaded_poll = false;
+ barrier();
+
+ if (sd_has_rps_ipi_waiting(sd)) {
+ local_irq_disable();
+ net_rps_action_and_irq_enable(sd);
+ }
+ skb_defer_free_flush(sd);
+ local_bh_enable();
- if (!repoll)
- break;
+ if (!repoll)
+ break;
- rcu_softirq_qs_periodic(last_qs);
- cond_resched();
- }
+ rcu_softirq_qs_periodic(last_qs);
+ cond_resched();
}
+}
+
+static int napi_threaded_poll(void *data)
+{
+ struct napi_struct *napi = data;
+
+ while (!napi_thread_wait(napi))
+ napi_threaded_poll_loop(napi);
+
return 0;
}
@@ -11346,7 +11387,7 @@ static int dev_cpu_dead(unsigned int old
list_del_init(&napi->poll_list);
if (napi->poll == process_backlog)
- napi->state = 0;
+ napi->state &= NAPIF_STATE_THREADED;
else
____napi_schedule(sd, napi);
}
@@ -11354,12 +11395,14 @@ static int dev_cpu_dead(unsigned int old
raise_softirq_irqoff(NET_TX_SOFTIRQ);
local_irq_enable();
+ if (!use_backlog_threads()) {
#ifdef CONFIG_RPS
- remsd = oldsd->rps_ipi_list;
- oldsd->rps_ipi_list = NULL;
+ remsd = oldsd->rps_ipi_list;
+ oldsd->rps_ipi_list = NULL;
#endif
- /* send out pending IPI's on offline CPU */
- net_rps_send_ipi(remsd);
+ /* send out pending IPI's on offline CPU */
+ net_rps_send_ipi(remsd);
+ }
/* Process offline CPU's input_pkt_queue */
while ((skb = __skb_dequeue(&oldsd->process_queue))) {
@@ -11622,6 +11665,38 @@ static struct pernet_operations __net_in
*
*/
+static int backlog_napi_should_run(unsigned int cpu)
+{
+ struct softnet_data *sd = per_cpu_ptr(&softnet_data, cpu);
+ struct napi_struct *napi = &sd->backlog;
+
+ return test_bit(NAPI_STATE_SCHED_THREADED, &napi->state);
+}
+
+static void run_backlog_napi(unsigned int cpu)
+{
+ struct softnet_data *sd = per_cpu_ptr(&softnet_data, cpu);
+
+ napi_threaded_poll_loop(&sd->backlog);
+}
+
+static void backlog_napi_setup(unsigned int cpu)
+{
+ struct softnet_data *sd = per_cpu_ptr(&softnet_data, cpu);
+ struct napi_struct *napi = &sd->backlog;
+
+ napi->thread = this_cpu_read(backlog_napi);
+ set_bit(NAPI_STATE_THREADED, &napi->state);
+}
+
+static struct smp_hotplug_thread backlog_threads = {
+ .store = &backlog_napi,
+ .thread_should_run = backlog_napi_should_run,
+ .thread_fn = run_backlog_napi,
+ .thread_comm = "backlog_napi/%u",
+ .setup = backlog_napi_setup,
+};
+
/*
* This is called single threaded during boot, so no need
* to take the rtnl semaphore.
@@ -11672,7 +11747,10 @@ static int __init net_dev_init(void)
init_gro_hash(&sd->backlog);
sd->backlog.poll = process_backlog;
sd->backlog.weight = weight_p;
+ INIT_LIST_HEAD(&sd->backlog.poll_list);
}
+ if (use_backlog_threads())
+ smpboot_register_percpu_thread(&backlog_threads);
dev_boot_phase = 0;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 714/737] RDMA/rxe: Remove the direct link to net_device
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (712 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 713/737] net: Allow to use SMP threads for backlog NAPI Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 715/737] RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests Greg Kroah-Hartman
` (33 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4b87489410b4efd181bf,
Zhu Yanjun, Leon Romanovsky, Sasha Levin, Shivani Agarwal
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhu Yanjun <yanjun.zhu@linux.dev>
[ Upstream commit 2ac5415022d16d63d912a39a06f32f1f51140261 ]
The similar patch in siw is in the link:
https://git.kernel.org/rdma/rdma/c/16b87037b48889
This problem also occurred in RXE. The following analyze this problem.
In the following Call Traces:
"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
Read of size 4 at addr ffff8880554640b0 by task kworker/1:4/5295
CPU: 1 UID: 0 PID: 5295 Comm: kworker/1:4 Not tainted
6.12.0-rc3-syzkaller-00399-g9197b73fd7bb #0
Hardware name: Google Compute Engine/Google Compute Engine,
BIOS Google 09/13/2024
Workqueue: infiniband ib_cache_event_task
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
dev_get_flags+0x188/0x1d0 net/core/dev.c:8782
rxe_query_port+0x12d/0x260 drivers/infiniband/sw/rxe/rxe_verbs.c:60
__ib_query_port drivers/infiniband/core/device.c:2111 [inline]
ib_query_port+0x168/0x7d0 drivers/infiniband/core/device.c:2143
ib_cache_update+0x1a9/0xb80 drivers/infiniband/core/cache.c:1494
ib_cache_event_task+0xf3/0x1e0 drivers/infiniband/core/cache.c:1568
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa65/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f2/0x390 kernel/kthread.c:389
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
"
1). In the link [1],
"
infiniband syz2: set down
"
This means that on 839.350575, the event ib_cache_event_task was sent andi
queued in ib_wq.
2). In the link [1],
"
team0 (unregistering): Port device team_slave_0 removed
"
It indicates that before 843.251853, the net device should be freed.
3). In the link [1],
"
BUG: KASAN: slab-use-after-free in dev_get_flags+0x188/0x1d0
"
This means that on 850.559070, this slab-use-after-free problem occurred.
In all, on 839.350575, the event ib_cache_event_task was sent and queued
in ib_wq,
before 843.251853, the net device veth was freed.
on 850.559070, this event was executed, and the mentioned freed net device
was called. Thus, the above call trace occurred.
[1] https://syzkaller.appspot.com/x/log.txt?x=12e7025f980000
Reported-by: syzbot+4b87489410b4efd181bf@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4b87489410b4efd181bf
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Link: https://patch.msgid.link/20241220222325.2487767-1-yanjun.zhu@linux.dev
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[Shivani: - exported ib_device_get_netdev() function.
- added ib_device_get_netdev() to ib_verbs.h.]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/device.c | 1 +
drivers/infiniband/sw/rxe/rxe.c | 23 +++++++++++++++++++----
drivers/infiniband/sw/rxe/rxe.h | 3 ++-
drivers/infiniband/sw/rxe/rxe_mcast.c | 22 ++++++++++++++++++++--
drivers/infiniband/sw/rxe/rxe_net.c | 25 ++++++++++++++++++++-----
drivers/infiniband/sw/rxe/rxe_verbs.c | 26 +++++++++++++++++++++-----
drivers/infiniband/sw/rxe/rxe_verbs.h | 11 ++++++++---
include/rdma/ib_verbs.h | 2 ++
8 files changed, 93 insertions(+), 20 deletions(-)
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -2259,6 +2259,7 @@ struct net_device *ib_device_get_netdev(
return res;
}
+EXPORT_SYMBOL(ib_device_get_netdev);
/**
* ib_device_get_by_netdev - Find an IB device associated with a netdev
--- a/drivers/infiniband/sw/rxe/rxe.c
+++ b/drivers/infiniband/sw/rxe/rxe.c
@@ -40,6 +40,8 @@ void rxe_dealloc(struct ib_device *ib_de
/* initialize rxe device parameters */
static void rxe_init_device_param(struct rxe_dev *rxe)
{
+ struct net_device *ndev;
+
rxe->max_inline_data = RXE_MAX_INLINE_DATA;
rxe->attr.vendor_id = RXE_VENDOR_ID;
@@ -71,8 +73,15 @@ static void rxe_init_device_param(struct
rxe->attr.max_fast_reg_page_list_len = RXE_MAX_FMR_PAGE_LIST_LEN;
rxe->attr.max_pkeys = RXE_MAX_PKEYS;
rxe->attr.local_ca_ack_delay = RXE_LOCAL_CA_ACK_DELAY;
+
+ ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
+ if (!ndev)
+ return;
+
addrconf_addr_eui48((unsigned char *)&rxe->attr.sys_image_guid,
- rxe->ndev->dev_addr);
+ ndev->dev_addr);
+
+ dev_put(ndev);
rxe->max_ucontext = RXE_MAX_UCONTEXT;
}
@@ -109,10 +118,15 @@ static void rxe_init_port_param(struct r
static void rxe_init_ports(struct rxe_dev *rxe)
{
struct rxe_port *port = &rxe->port;
+ struct net_device *ndev;
rxe_init_port_param(port);
+ ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
+ if (!ndev)
+ return;
addrconf_addr_eui48((unsigned char *)&port->port_guid,
- rxe->ndev->dev_addr);
+ ndev->dev_addr);
+ dev_put(ndev);
spin_lock_init(&port->port_lock);
}
@@ -169,12 +183,13 @@ void rxe_set_mtu(struct rxe_dev *rxe, un
/* called by ifc layer to create new rxe device.
* The caller should allocate memory for rxe by calling ib_alloc_device.
*/
-int rxe_add(struct rxe_dev *rxe, unsigned int mtu, const char *ibdev_name)
+int rxe_add(struct rxe_dev *rxe, unsigned int mtu, const char *ibdev_name,
+ struct net_device *ndev)
{
rxe_init(rxe);
rxe_set_mtu(rxe, mtu);
- return rxe_register_device(rxe, ibdev_name);
+ return rxe_register_device(rxe, ibdev_name, ndev);
}
static int rxe_newlink(const char *ibdev_name, struct net_device *ndev)
--- a/drivers/infiniband/sw/rxe/rxe.h
+++ b/drivers/infiniband/sw/rxe/rxe.h
@@ -139,7 +139,8 @@ enum resp_states {
void rxe_set_mtu(struct rxe_dev *rxe, unsigned int dev_mtu);
-int rxe_add(struct rxe_dev *rxe, unsigned int mtu, const char *ibdev_name);
+int rxe_add(struct rxe_dev *rxe, unsigned int mtu, const char *ibdev_name,
+ struct net_device *ndev);
void rxe_rcv(struct sk_buff *skb);
--- a/drivers/infiniband/sw/rxe/rxe_mcast.c
+++ b/drivers/infiniband/sw/rxe/rxe_mcast.c
@@ -31,10 +31,19 @@
static int rxe_mcast_add(struct rxe_dev *rxe, union ib_gid *mgid)
{
unsigned char ll_addr[ETH_ALEN];
+ struct net_device *ndev;
+ int ret;
+
+ ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
+ if (!ndev)
+ return -ENODEV;
ipv6_eth_mc_map((struct in6_addr *)mgid->raw, ll_addr);
- return dev_mc_add(rxe->ndev, ll_addr);
+ ret = dev_mc_add(ndev, ll_addr);
+ dev_put(ndev);
+
+ return ret;
}
/**
@@ -47,10 +56,19 @@ static int rxe_mcast_add(struct rxe_dev
static int rxe_mcast_del(struct rxe_dev *rxe, union ib_gid *mgid)
{
unsigned char ll_addr[ETH_ALEN];
+ struct net_device *ndev;
+ int ret;
+
+ ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
+ if (!ndev)
+ return -ENODEV;
ipv6_eth_mc_map((struct in6_addr *)mgid->raw, ll_addr);
- return dev_mc_del(rxe->ndev, ll_addr);
+ ret = dev_mc_del(ndev, ll_addr);
+ dev_put(ndev);
+
+ return ret;
}
/**
--- a/drivers/infiniband/sw/rxe/rxe_net.c
+++ b/drivers/infiniband/sw/rxe/rxe_net.c
@@ -509,7 +509,16 @@ out:
*/
const char *rxe_parent_name(struct rxe_dev *rxe, unsigned int port_num)
{
- return rxe->ndev->name;
+ struct net_device *ndev;
+ char *ndev_name;
+
+ ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
+ if (!ndev)
+ return NULL;
+ ndev_name = ndev->name;
+ dev_put(ndev);
+
+ return ndev_name;
}
int rxe_net_add(const char *ibdev_name, struct net_device *ndev)
@@ -521,9 +530,7 @@ int rxe_net_add(const char *ibdev_name,
if (!rxe)
return -ENOMEM;
- rxe->ndev = ndev;
-
- err = rxe_add(rxe, ndev->mtu, ibdev_name);
+ err = rxe_add(rxe, ndev->mtu, ibdev_name, ndev);
if (err) {
ib_dealloc_device(&rxe->ib_dev);
return err;
@@ -571,10 +578,18 @@ void rxe_port_down(struct rxe_dev *rxe)
void rxe_set_port_state(struct rxe_dev *rxe)
{
- if (netif_running(rxe->ndev) && netif_carrier_ok(rxe->ndev))
+ struct net_device *ndev;
+
+ ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
+ if (!ndev)
+ return;
+
+ if (netif_running(ndev) && netif_carrier_ok(ndev))
rxe_port_up(rxe);
else
rxe_port_down(rxe);
+
+ dev_put(ndev);
}
static int rxe_notify(struct notifier_block *not_blk,
--- a/drivers/infiniband/sw/rxe/rxe_verbs.c
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.c
@@ -41,6 +41,7 @@ static int rxe_query_port(struct ib_devi
u32 port_num, struct ib_port_attr *attr)
{
struct rxe_dev *rxe = to_rdev(ibdev);
+ struct net_device *ndev;
int err, ret;
if (port_num != 1) {
@@ -51,19 +52,26 @@ static int rxe_query_port(struct ib_devi
memcpy(attr, &rxe->port.attr, sizeof(*attr));
+ ndev = rxe_ib_device_get_netdev(ibdev);
+ if (!ndev) {
+ err = -ENODEV;
+ goto err_out;
+ }
+
mutex_lock(&rxe->usdev_lock);
ret = ib_get_eth_speed(ibdev, port_num, &attr->active_speed,
&attr->active_width);
if (attr->state == IB_PORT_ACTIVE)
attr->phys_state = IB_PORT_PHYS_STATE_LINK_UP;
- else if (dev_get_flags(rxe->ndev) & IFF_UP)
+ else if (dev_get_flags(ndev) & IFF_UP)
attr->phys_state = IB_PORT_PHYS_STATE_POLLING;
else
attr->phys_state = IB_PORT_PHYS_STATE_DISABLED;
mutex_unlock(&rxe->usdev_lock);
+ dev_put(ndev);
return ret;
err_out:
@@ -1428,9 +1436,16 @@ static const struct attribute_group rxe_
static int rxe_enable_driver(struct ib_device *ib_dev)
{
struct rxe_dev *rxe = container_of(ib_dev, struct rxe_dev, ib_dev);
+ struct net_device *ndev;
+
+ ndev = rxe_ib_device_get_netdev(ib_dev);
+ if (!ndev)
+ return -ENODEV;
rxe_set_port_state(rxe);
- dev_info(&rxe->ib_dev.dev, "added %s\n", netdev_name(rxe->ndev));
+ dev_info(&rxe->ib_dev.dev, "added %s\n", netdev_name(ndev));
+
+ dev_put(ndev);
return 0;
}
@@ -1498,7 +1513,8 @@ static const struct ib_device_ops rxe_de
INIT_RDMA_OBJ_SIZE(ib_mw, rxe_mw, ibmw),
};
-int rxe_register_device(struct rxe_dev *rxe, const char *ibdev_name)
+int rxe_register_device(struct rxe_dev *rxe, const char *ibdev_name,
+ struct net_device *ndev)
{
int err;
struct ib_device *dev = &rxe->ib_dev;
@@ -1510,13 +1526,13 @@ int rxe_register_device(struct rxe_dev *
dev->num_comp_vectors = num_possible_cpus();
dev->local_dma_lkey = 0;
addrconf_addr_eui48((unsigned char *)&dev->node_guid,
- rxe->ndev->dev_addr);
+ ndev->dev_addr);
dev->uverbs_cmd_mask |= BIT_ULL(IB_USER_VERBS_CMD_POST_SEND) |
BIT_ULL(IB_USER_VERBS_CMD_REQ_NOTIFY_CQ);
ib_set_device_ops(dev, &rxe_dev_ops);
- err = ib_device_set_netdev(&rxe->ib_dev, rxe->ndev, 1);
+ err = ib_device_set_netdev(&rxe->ib_dev, ndev, 1);
if (err)
return err;
--- a/drivers/infiniband/sw/rxe/rxe_verbs.h
+++ b/drivers/infiniband/sw/rxe/rxe_verbs.h
@@ -369,6 +369,7 @@ struct rxe_port {
u32 qp_gsi_index;
};
+#define RXE_PORT 1
struct rxe_dev {
struct ib_device ib_dev;
struct ib_device_attr attr;
@@ -376,8 +377,6 @@ struct rxe_dev {
int max_inline_data;
struct mutex usdev_lock;
- struct net_device *ndev;
-
struct rxe_pool uc_pool;
struct rxe_pool pd_pool;
struct rxe_pool ah_pool;
@@ -405,6 +404,11 @@ struct rxe_dev {
struct crypto_shash *tfm;
};
+static inline struct net_device *rxe_ib_device_get_netdev(struct ib_device *dev)
+{
+ return ib_device_get_netdev(dev, RXE_PORT);
+}
+
static inline void rxe_counter_inc(struct rxe_dev *rxe, enum rxe_counters index)
{
atomic64_inc(&rxe->stats_counters[index]);
@@ -470,6 +474,7 @@ static inline struct rxe_pd *rxe_mw_pd(s
return to_rpd(mw->ibmw.pd);
}
-int rxe_register_device(struct rxe_dev *rxe, const char *ibdev_name);
+int rxe_register_device(struct rxe_dev *rxe, const char *ibdev_name,
+ struct net_device *ndev);
#endif /* RXE_VERBS_H */
--- a/include/rdma/ib_verbs.h
+++ b/include/rdma/ib_verbs.h
@@ -4444,6 +4444,8 @@ struct net_device *ib_get_net_dev_by_par
const struct sockaddr *addr);
int ib_device_set_netdev(struct ib_device *ib_dev, struct net_device *ndev,
unsigned int port);
+struct net_device *ib_device_get_netdev(struct ib_device *ib_dev,
+ u32 port);
struct ib_wq *ib_create_wq(struct ib_pd *pd,
struct ib_wq_init_attr *init_attr);
int ib_destroy_wq_user(struct ib_wq *wq, struct ib_udata *udata);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 715/737] RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (713 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 714/737] RDMA/rxe: Remove the direct link to net_device Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 716/737] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Greg Kroah-Hartman
` (32 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhu Yanjun, Daisuke Matsuda,
Leon Romanovsky, Sasha Levin, Shivani Agarwal
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhu Yanjun <yanjun.zhu@linux.dev>
[ Upstream commit 8ce2eb9dfac8743d1c423b86339336a5b6a6069e ]
In rdma-core, the following failures appear.
"
$ ./build/bin/run_tests.py -k device
ssssssss....FF........s
======================================================================
FAIL: test_query_device (tests.test_device.DeviceTest.test_query_device)
Test ibv_query_device()
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/ubuntu/rdma-core/tests/test_device.py", line 63, in
test_query_device
self.verify_device_attr(attr, dev)
File "/home/ubuntu/rdma-core/tests/test_device.py", line 200, in
verify_device_attr
assert attr.sys_image_guid != 0
^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError
======================================================================
FAIL: test_query_device_ex (tests.test_device.DeviceTest.test_query_device_ex)
Test ibv_query_device_ex()
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/ubuntu/rdma-core/tests/test_device.py", line 222, in
test_query_device_ex
self.verify_device_attr(attr_ex.orig_attr, dev)
File "/home/ubuntu/rdma-core/tests/test_device.py", line 200, in
verify_device_attr
assert attr.sys_image_guid != 0
^^^^^^^^^^^^^^^^^^^^^^^^
AssertionError
"
The root cause is: before a net device is set with rxe, this net device
is used to generate a sys_image_guid.
Fixes: 2ac5415022d1 ("RDMA/rxe: Remove the direct link to net_device")
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Link: https://patch.msgid.link/20250302215444.3742072-1-yanjun.zhu@linux.dev
Reviewed-by: Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
Tested-by: Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[Shivani: Modified to apply on 6.6.y]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/sw/rxe/rxe.c | 25 ++++++-------------------
1 file changed, 6 insertions(+), 19 deletions(-)
--- a/drivers/infiniband/sw/rxe/rxe.c
+++ b/drivers/infiniband/sw/rxe/rxe.c
@@ -38,10 +38,8 @@ void rxe_dealloc(struct ib_device *ib_de
}
/* initialize rxe device parameters */
-static void rxe_init_device_param(struct rxe_dev *rxe)
+static void rxe_init_device_param(struct rxe_dev *rxe, struct net_device *ndev)
{
- struct net_device *ndev;
-
rxe->max_inline_data = RXE_MAX_INLINE_DATA;
rxe->attr.vendor_id = RXE_VENDOR_ID;
@@ -74,15 +72,9 @@ static void rxe_init_device_param(struct
rxe->attr.max_pkeys = RXE_MAX_PKEYS;
rxe->attr.local_ca_ack_delay = RXE_LOCAL_CA_ACK_DELAY;
- ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
- if (!ndev)
- return;
-
addrconf_addr_eui48((unsigned char *)&rxe->attr.sys_image_guid,
ndev->dev_addr);
- dev_put(ndev);
-
rxe->max_ucontext = RXE_MAX_UCONTEXT;
}
@@ -115,18 +107,13 @@ static void rxe_init_port_param(struct r
/* initialize port state, note IB convention that HCA ports are always
* numbered from 1
*/
-static void rxe_init_ports(struct rxe_dev *rxe)
+static void rxe_init_ports(struct rxe_dev *rxe, struct net_device *ndev)
{
struct rxe_port *port = &rxe->port;
- struct net_device *ndev;
rxe_init_port_param(port);
- ndev = rxe_ib_device_get_netdev(&rxe->ib_dev);
- if (!ndev)
- return;
addrconf_addr_eui48((unsigned char *)&port->port_guid,
ndev->dev_addr);
- dev_put(ndev);
spin_lock_init(&port->port_lock);
}
@@ -144,12 +131,12 @@ static void rxe_init_pools(struct rxe_de
}
/* initialize rxe device state */
-static void rxe_init(struct rxe_dev *rxe)
+static void rxe_init(struct rxe_dev *rxe, struct net_device *ndev)
{
/* init default device parameters */
- rxe_init_device_param(rxe);
+ rxe_init_device_param(rxe, ndev);
- rxe_init_ports(rxe);
+ rxe_init_ports(rxe, ndev);
rxe_init_pools(rxe);
/* init pending mmap list */
@@ -186,7 +173,7 @@ void rxe_set_mtu(struct rxe_dev *rxe, un
int rxe_add(struct rxe_dev *rxe, unsigned int mtu, const char *ibdev_name,
struct net_device *ndev)
{
- rxe_init(rxe);
+ rxe_init(rxe, ndev);
rxe_set_mtu(rxe, mtu);
return rxe_register_device(rxe, ibdev_name, ndev);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 716/737] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (714 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 715/737] RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 717/737] mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter() Greg Kroah-Hartman
` (31 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 0a63a0e7570b9b2631dfb8d836dc572709dce39e upstream.
damon_test_split_evenly_succ() is assuming all dynamic memory allocation
in it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-20-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/vaddr-test.h | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/mm/damon/vaddr-test.h
+++ b/mm/damon/vaddr-test.h
@@ -284,10 +284,17 @@ static void damon_test_split_evenly_succ
unsigned long start, unsigned long end, unsigned int nr_pieces)
{
struct damon_target *t = damon_new_target();
- struct damon_region *r = damon_new_region(start, end);
+ struct damon_region *r;
unsigned long expected_width = (end - start) / nr_pieces;
unsigned long i = 0;
+ if (!t)
+ kunit_skip(test, "target alloc fail");
+ r = damon_new_region(start, end);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
KUNIT_EXPECT_EQ(test,
damon_va_evenly_split_region(t, r, nr_pieces), 0);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 717/737] mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (715 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 716/737] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 718/737] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Greg Kroah-Hartman
` (30 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 28ab2265e9422ccd81e4beafc0ace90f78de04c4 upstream.
damon_test_new_filter() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-14-sj@kernel.org
Fixes: 2a158e956b98 ("mm/damon/core-test: add a test for damos_new_filter()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.6+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 2 ++
1 file changed, 2 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -346,6 +346,8 @@ static void damos_test_new_filter(struct
struct damos_filter *filter;
filter = damos_new_filter(DAMOS_FILTER_TYPE_ANON, true);
+ if (!filter)
+ kunit_skip(test, "filter alloc fail");
KUNIT_EXPECT_EQ(test, filter->type, DAMOS_FILTER_TYPE_ANON);
KUNIT_EXPECT_EQ(test, filter->matching, true);
KUNIT_EXPECT_PTR_EQ(test, filter->list.prev, &filter->list);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 718/737] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (716 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 717/737] mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 719/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Greg Kroah-Hartman
` (29 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit e16fdd4f754048d6e23c56bd8d920b71e41e3777 upstream.
damon_test_regions() is assuming all dynamic memory allocation in it will
succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-3-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -20,11 +20,17 @@ static void damon_test_regions(struct ku
struct damon_target *t;
r = damon_new_region(1, 2);
+ if (!r)
+ kunit_skip(test, "region alloc fail");
KUNIT_EXPECT_EQ(test, 1ul, r->ar.start);
KUNIT_EXPECT_EQ(test, 2ul, r->ar.end);
KUNIT_EXPECT_EQ(test, 0u, r->nr_accesses);
t = damon_new_target();
+ if (!t) {
+ damon_free_region(r);
+ kunit_skip(test, "target alloc fail");
+ }
KUNIT_EXPECT_EQ(test, 0u, damon_nr_regions(t));
damon_add_region(r, t);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 719/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (717 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 718/737] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 720/737] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Greg Kroah-Hartman
` (28 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 5e80d73f22043c59c8ad36452a3253937ed77955 upstream.
damon_test_split_at() is assuming all dynamic memory allocation in it will
succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-6-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -129,8 +129,19 @@ static void damon_test_split_at(struct k
struct damon_target *t;
struct damon_region *r;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "target alloc fail");
+ }
r = damon_new_region(0, 100);
+ if (!r) {
+ damon_destroy_ctx(c);
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
damon_split_region_at(t, r, 25);
KUNIT_EXPECT_EQ(test, r->ar.start, 0ul);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 720/737] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (718 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 719/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 721/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Greg Kroah-Hartman
` (27 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 0998d2757218771c59d5ca59ccf13d1542a38f17 upstream.
damon_test_merge_regions_of() is assuming all dynamic memory allocation in
it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-8-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -210,8 +210,14 @@ static void damon_test_merge_regions_of(
int i;
t = damon_new_target();
+ if (!t)
+ kunit_skip(test, "target alloc fail");
for (i = 0; i < ARRAY_SIZE(sa); i++) {
r = damon_new_region(sa[i], ea[i]);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses = nrs[i];
damon_add_region(r, t);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 721/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (719 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 720/737] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 722/737] mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Greg Kroah-Hartman
` (26 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 3d443dd29a1db7efa587a4bb0c06a497e13ca9e4 upstream.
damon_test_merge_two() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-7-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -162,10 +162,20 @@ static void damon_test_merge_two(struct
int i;
t = damon_new_target();
+ if (!t)
+ kunit_skip(test, "target alloc fail");
r = damon_new_region(0, 100);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses = 10;
damon_add_region(r, t);
r2 = damon_new_region(100, 300);
+ if (!r2) {
+ damon_free_target(t);
+ kunit_skip(test, "second region alloc fail");
+ }
r2->nr_accesses = 20;
damon_add_region(r2, t);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 722/737] mm/damon/tests/core-kunit: handle memory failure from damon_test_target()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (720 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 721/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 723/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Greg Kroah-Hartman
` (25 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit fafe953de2c661907c94055a2497c6b8dbfd26f3 upstream.
damon_test_target() is assuming all dynamic memory allocation in it will
succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-4-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -58,7 +58,14 @@ static void damon_test_target(struct kun
struct damon_ctx *c = damon_new_ctx();
struct damon_target *t;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
+
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "target alloc fail");
+ }
KUNIT_EXPECT_EQ(test, 0u, nr_damon_targets(c));
damon_add_target(c, t);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 723/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (721 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 722/737] mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 724/737] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Greg Kroah-Hartman
` (24 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit eded254cb69044bd4abde87394ea44909708d7c0 upstream.
damon_test_split_regions_of() is assuming all dynamic memory allocation in
it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-9-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -256,15 +256,35 @@ static void damon_test_split_regions_of(
struct damon_target *t;
struct damon_region *r;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "target alloc fail");
+ }
r = damon_new_region(0, 22);
+ if (!r) {
+ damon_destroy_ctx(c);
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
damon_split_regions_of(t, 2);
KUNIT_EXPECT_LE(test, damon_nr_regions(t), 2u);
damon_free_target(t);
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "second target alloc fail");
+ }
r = damon_new_region(0, 220);
+ if (!r) {
+ damon_destroy_ctx(c);
+ damon_free_target(t);
+ kunit_skip(test, "second region alloc fail");
+ }
damon_add_region(r, t);
damon_split_regions_of(t, 4);
KUNIT_EXPECT_LE(test, damon_nr_regions(t), 4u);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 724/737] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (722 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 723/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 725/737] mm/damon/tests/core-kunit: handle alloc failures on damos_test_filter_out() Greg Kroah-Hartman
` (23 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit f79f2fc44ebd0ed655239046be3e80e8804b5545 upstream.
damon_test_aggregate() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-5-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -97,8 +97,15 @@ static void damon_test_aggregate(struct
struct damon_region *r;
int it, ir;
+ if (!ctx)
+ kunit_skip(test, "ctx alloc fail");
+
for (it = 0; it < 3; it++) {
t = damon_new_target();
+ if (!t) {
+ damon_destroy_ctx(ctx);
+ kunit_skip(test, "target alloc fail");
+ }
damon_add_target(ctx, t);
}
@@ -106,6 +113,10 @@ static void damon_test_aggregate(struct
damon_for_each_target(t, ctx) {
for (ir = 0; ir < 3; ir++) {
r = damon_new_region(saddr[it][ir], eaddr[it][ir]);
+ if (!r) {
+ damon_destroy_ctx(ctx);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses = accesses[it][ir];
damon_add_region(r, t);
}
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 725/737] mm/damon/tests/core-kunit: handle alloc failures on damos_test_filter_out()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (723 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 724/737] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 726/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() Greg Kroah-Hartman
` (22 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit d14d5671e7c9cc788c5a1edfa94e6f9064275905 upstream.
damon_test_filter_out() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-16-sj@kernel.org
Fixes: 26713c890875 ("mm/damon/core-test: add a unit test for __damos_filter_out()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.6+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -433,11 +433,22 @@ static void damos_test_filter_out(struct
struct damos_filter *f;
f = damos_new_filter(DAMOS_FILTER_TYPE_ADDR, true);
+ if (!f)
+ kunit_skip(test, "filter alloc fail");
f->addr_range = (struct damon_addr_range){
.start = DAMON_MIN_REGION * 2, .end = DAMON_MIN_REGION * 6};
t = damon_new_target();
+ if (!t) {
+ damos_destroy_filter(f);
+ kunit_skip(test, "target alloc fail");
+ }
r = damon_new_region(DAMON_MIN_REGION * 3, DAMON_MIN_REGION * 5);
+ if (!r) {
+ damos_destroy_filter(f);
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
/* region in the range */
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 726/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (724 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 725/737] mm/damon/tests/core-kunit: handle alloc failures on damos_test_filter_out() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 727/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() Greg Kroah-Hartman
` (21 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 74d5969995d129fd59dd93b9c7daa6669cb6810f upstream.
damon_test_set_regions() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-11-sj@kernel.org
Fixes: 62f409560eb2 ("mm/damon/core-test: test damon_set_regions")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.1+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -341,13 +341,26 @@ static void damon_test_ops_registration(
static void damon_test_set_regions(struct kunit *test)
{
struct damon_target *t = damon_new_target();
- struct damon_region *r1 = damon_new_region(4, 16);
- struct damon_region *r2 = damon_new_region(24, 32);
+ struct damon_region *r1, *r2;
struct damon_addr_range range = {.start = 8, .end = 28};
unsigned long expects[] = {8, 16, 16, 24, 24, 28};
int expect_idx = 0;
struct damon_region *r;
+ if (!t)
+ kunit_skip(test, "target alloc fail");
+ r1 = damon_new_region(4, 16);
+ if (!r1) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
+ r2 = damon_new_region(24, 32);
+ if (!r2) {
+ damon_free_target(t);
+ damon_free_region(r1);
+ kunit_skip(test, "second region alloc fail");
+ }
+
damon_add_region(r1, t);
damon_add_region(r2, t);
damon_set_regions(t, &range, 1);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 727/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (725 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 726/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 728/737] mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() Greg Kroah-Hartman
` (20 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 4f835f4e8c863985f15abd69db033c2f66546094 upstream.
damon_test_ops_registration() is assuming all dynamic memory allocation in
it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-10-sj@kernel.org
Fixes: 4f540f5ab4f2 ("mm/damon/core-test: add a kunit test case for ops registration")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.19+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -308,6 +308,9 @@ static void damon_test_ops_registration(
struct damon_ctx *c = damon_new_ctx();
struct damon_operations ops, bak;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
+
/* DAMON_OPS_{V,P}ADDR are registered on subsys_initcall */
KUNIT_EXPECT_EQ(test, damon_select_ops(c, DAMON_OPS_VADDR), 0);
KUNIT_EXPECT_EQ(test, damon_select_ops(c, DAMON_OPS_PADDR), 0);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 728/737] mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (726 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 727/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 729/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() Greg Kroah-Hartman
` (19 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 915a2453d824a9b6bf724e3f970d86ae1d092a61 upstream.
damon_test_set_attrs() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-13-sj@kernel.org
Fixes: aa13779be6b7 ("mm/damon/core-test: add a test for damon_set_attrs()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -413,6 +413,9 @@ static void damon_test_set_attrs(struct
.sample_interval = 5000, .aggr_interval = 100000,};
struct damon_attrs invalid_attrs;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
+
KUNIT_EXPECT_EQ(test, damon_set_attrs(c, &valid_attrs), 0);
invalid_attrs = valid_attrs;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 729/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result()
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (727 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 728/737] mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 730/737] virtio_console: fix order of fields cols and rows Greg Kroah-Hartman
` (18 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 8cf298c01b7fdb08eef5b6b26d0fe98d48134d72 upstream.
damon_test_update_monitoring_result() is assuming all dynamic memory
allocation in it will succeed. Those are indeed likely in the real use
cases since those allocations are too small to fail, but theoretically
those could fail. In the case, inappropriate memory access can happen.
Fix it by appropriately cleanup pre-allocated memory and skip the
execution of the remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-12-sj@kernel.org
Fixes: f4c978b6594b ("mm/damon/core-test: add a test for damon_update_monitoring_results()")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [6.3+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -383,6 +383,9 @@ static void damon_test_update_monitoring
struct damon_attrs new_attrs;
struct damon_region *r = damon_new_region(3, 7);
+ if (!r)
+ kunit_skip(test, "region alloc fail");
+
r->nr_accesses = 15;
r->age = 20;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 730/737] virtio_console: fix order of fields cols and rows
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (728 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 729/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 731/737] ext4: filesystems without casefold feature cannot be mounted with siphash Greg Kroah-Hartman
` (17 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maximilian Immanuel Brandtner,
Michael S. Tsirkin, Filip Hejsek
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maximilian Immanuel Brandtner <maxbr@linux.ibm.com>
commit 5326ab737a47278dbd16ed3ee7380b26c7056ddd upstream.
According to section 5.3.6.2 (Multiport Device Operation) of the virtio
spec(version 1.2) a control buffer with the event VIRTIO_CONSOLE_RESIZE
is followed by a virtio_console_resize struct containing cols then rows.
The kernel implements this the wrong way around (rows then cols) resulting
in the two values being swapped.
Signed-off-by: Maximilian Immanuel Brandtner <maxbr@linux.ibm.com>
Message-Id: <20250324144300.905535-1-maxbr@linux.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Filip Hejsek <filip.hejsek@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/virtio_console.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1612,8 +1612,8 @@ static void handle_control_message(struc
break;
case VIRTIO_CONSOLE_RESIZE: {
struct {
- __virtio16 rows;
__virtio16 cols;
+ __virtio16 rows;
} size;
if (!is_console_port(port))
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 731/737] ext4: filesystems without casefold feature cannot be mounted with siphash
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (729 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 730/737] virtio_console: fix order of fields cols and rows Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 13:40 ` Thadeu Lima de Souza Cascardo
2026-01-09 11:44 ` [PATCH 6.6 732/737] net: stmmac: make sure that ptp_rate is not 0 before configuring EST Greg Kroah-Hartman
` (16 subsequent siblings)
747 siblings, 1 reply; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+340581ba9dceb7e06fb3,
Lizhi Xu, Theodore Tso, Thadeu Lima de Souza Cascardo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
commit 985b67cd86392310d9e9326de941c22fc9340eec upstream.
When mounting the ext4 filesystem, if the default hash version is set to
DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
Reported-by: syzbot+340581ba9dceb7e06fb3@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Link: https://patch.msgid.link/20240605012335.44086-1-lizhi.xu@windriver.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[cascardo: small conflict fixup]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3632,6 +3632,14 @@ int ext4_feature_set_ok(struct super_blo
}
#endif
+ if (EXT4_SB(sb)->s_es->s_def_hash_version == DX_HASH_SIPHASH &&
+ !ext4_has_feature_casefold(sb)) {
+ ext4_msg(sb, KERN_ERR,
+ "Filesystem without casefold feature cannot be "
+ "mounted with siphash");
+ return 0;
+ }
+
if (readonly)
return 1;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 732/737] net: stmmac: make sure that ptp_rate is not 0 before configuring EST
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (730 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 731/737] ext4: filesystems without casefold feature cannot be mounted with siphash Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 733/737] pwm: stm32: Always program polarity Greg Kroah-Hartman
` (15 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier,
Alexis Lothoré, Jakub Kicinski, Rahul Sharma
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexis Lothoré <alexis.lothore@bootlin.com>
commit cbefe2ffa7784525ec5d008ba87c7add19ec631a upstream.
If the ptp_rate recorded earlier in the driver happens to be 0, this
bogus value will propagate up to EST configuration, where it will
trigger a division by 0.
Prevent this division by 0 by adding the corresponding check and error
code.
Suggested-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Fixes: 8572aec3d0dc ("net: stmmac: Add basic EST support for XGMAC")
Link: https://patch.msgid.link/20250529-stmmac_tstamp_div-v4-2-d73340a794d5@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ The context change is due to the commit c3f3b97238f6
("net: stmmac: Refactor EST implementation")
which is irrelevant to the logic of this patch. ]
Signed-off-by: Rahul Sharma <black.hawk@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/stmicro/stmmac/dwmac5.c | 5 +++++
drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c | 5 +++++
2 files changed, 10 insertions(+)
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac5.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac5.c
@@ -597,6 +597,11 @@ int dwmac5_est_configure(void __iomem *i
int i, ret = 0x0;
u32 ctrl;
+ if (!ptp_rate) {
+ pr_warn("Dwmac5: Invalid PTP rate");
+ return -EINVAL;
+ }
+
ret |= dwmac5_est_write(ioaddr, BTR_LOW, cfg->btr[0], false);
ret |= dwmac5_est_write(ioaddr, BTR_HIGH, cfg->btr[1], false);
ret |= dwmac5_est_write(ioaddr, TER, cfg->ter, false);
--- a/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwxgmac2_core.c
@@ -1537,6 +1537,11 @@ static int dwxgmac3_est_configure(void _
int i, ret = 0x0;
u32 ctrl;
+ if (!ptp_rate) {
+ pr_warn("Dwxgmac2: Invalid PTP rate");
+ return -EINVAL;
+ }
+
ret |= dwxgmac3_est_write(ioaddr, XGMAC_BTR_LOW, cfg->btr[0], false);
ret |= dwxgmac3_est_write(ioaddr, XGMAC_BTR_HIGH, cfg->btr[1], false);
ret |= dwxgmac3_est_write(ioaddr, XGMAC_TER, cfg->ter, false);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 733/737] pwm: stm32: Always program polarity
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (731 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 732/737] net: stmmac: make sure that ptp_rate is not 0 before configuring EST Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 734/737] blk-mq: setup queue ->tag_set before initializing hctx Greg Kroah-Hartman
` (14 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Nyekjaer,
Uwe Kleine-K�nig
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 1177 bytes --]
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Nyekjaer <sean@geanix.com>
Commit 7346e7a058a2 ("pwm: stm32: Always do lazy disabling") triggered a
regression where PWM polarity changes could be ignored.
stm32_pwm_set_polarity() was skipped due to a mismatch between the
cached pwm->state.polarity and the actual hardware state, leaving the
hardware polarity unchanged.
Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm")
Cc: stable@vger.kernel.org # <= 6.12
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Co-developed-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
---
drivers/pwm/pwm-stm32.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/pwm/pwm-stm32.c
+++ b/drivers/pwm/pwm-stm32.c
@@ -462,8 +462,7 @@ static int stm32_pwm_apply(struct pwm_ch
return 0;
}
- if (state->polarity != pwm->state.polarity)
- stm32_pwm_set_polarity(priv, pwm->hwpwm, state->polarity);
+ stm32_pwm_set_polarity(priv, pwm->hwpwm, state->polarity);
ret = stm32_pwm_config(priv, pwm->hwpwm,
state->duty_cycle, state->period);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 734/737] blk-mq: setup queue ->tag_set before initializing hctx
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (732 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 733/737] pwm: stm32: Always program polarity Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 735/737] tty: fix tty_port_tty_*hangup() kernel-doc Greg Kroah-Hartman
` (13 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ming Lei, Christoph Hellwig,
John Garry, Jens Axboe, Rick Koch
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
commit c25c0c9035bb8b28c844dfddeda7b8bdbcfcae95 upstream.
Commit 7b815817aa58 ("blk-mq: add helper for checking if one CPU is mapped to specified hctx")
needs to check queue mapping via tag set in hctx's cpuhp handler.
However, q->tag_set may not be setup yet when the cpuhp handler is
enabled, then kernel oops is triggered.
Fix the issue by setup queue tag_set before initializing hctx.
Cc: stable@vger.kernel.org
Reported-and-tested-by: Rick Koch <mr.rickkoch@gmail.com>
Closes: https://lore.kernel.org/linux-block/CANa58eeNDozLaBHKPLxSAhEy__FPfJT_F71W=sEQw49UCrC9PQ@mail.gmail.com
Fixes: 7b815817aa58 ("blk-mq: add helper for checking if one CPU is mapped to specified hctx")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Link: https://lore.kernel.org/r/20241014005115.2699642-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-mq.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -4453,6 +4453,12 @@ int blk_mq_init_allocated_queue(struct b
/* mark the queue as mq asap */
q->mq_ops = set->ops;
+ /*
+ * ->tag_set has to be setup before initialize hctx, which cpuphp
+ * handler needs it for checking queue mapping
+ */
+ q->tag_set = set;
+
if (blk_mq_alloc_ctxs(q))
goto err_exit;
@@ -4471,8 +4477,6 @@ int blk_mq_init_allocated_queue(struct b
INIT_WORK(&q->timeout_work, blk_mq_timeout_work);
blk_queue_rq_timeout(q, set->timeout ? set->timeout : 30 * HZ);
- q->tag_set = set;
-
q->queue_flags |= QUEUE_FLAG_MQ_DEFAULT;
blk_mq_update_poll_flag(q);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 735/737] tty: fix tty_port_tty_*hangup() kernel-doc
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (733 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 734/737] blk-mq: setup queue ->tag_set before initializing hctx Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 736/737] firmware: arm_scmi: Fix unused notifier-block in unregister Greg Kroah-Hartman
` (12 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE),
Ilpo Järvinen, Jonathan Corbet, linux-doc
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
commit 6241b49540a65a6d5274fa938fd3eb4cbfe2e076 upstream.
The commit below added a new helper, but omitted to move (and add) the
corressponding kernel-doc. Do it now.
Signed-off-by: "Jiri Slaby (SUSE)" <jirislaby@kernel.org>
Fixes: 2b5eac0f8c6e ("tty: introduce and use tty_port_tty_vhangup() helper")
Link: https://lore.kernel.org/all/b23d566c-09dc-7374-cc87-0ad4660e8b2e@linux.intel.com/
Reported-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: linux-doc@vger.kernel.org
Link: https://lore.kernel.org/r/20250624080641.509959-6-jirislaby@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/driver-api/tty/tty_port.rst | 5 +++--
drivers/tty/tty_port.c | 5 -----
include/linux/tty_port.h | 9 +++++++++
3 files changed, 12 insertions(+), 7 deletions(-)
--- a/Documentation/driver-api/tty/tty_port.rst
+++ b/Documentation/driver-api/tty/tty_port.rst
@@ -42,9 +42,10 @@ TTY Refcounting
TTY Helpers
-----------
+.. kernel-doc:: include/linux/tty_port.h
+ :identifiers: tty_port_tty_hangup tty_port_tty_vhangup
.. kernel-doc:: drivers/tty/tty_port.c
- :identifiers: tty_port_tty_hangup tty_port_tty_wakeup
-
+ :identifiers: tty_port_tty_wakeup
Modem Signals
-------------
--- a/drivers/tty/tty_port.c
+++ b/drivers/tty/tty_port.c
@@ -409,11 +409,6 @@ void tty_port_hangup(struct tty_port *po
}
EXPORT_SYMBOL(tty_port_hangup);
-/**
- * tty_port_tty_hangup - helper to hang up a tty
- * @port: tty port
- * @check_clocal: hang only ttys with %CLOCAL unset?
- */
void __tty_port_tty_hangup(struct tty_port *port, bool check_clocal, bool async)
{
struct tty_struct *tty = tty_port_tty_get(port);
--- a/include/linux/tty_port.h
+++ b/include/linux/tty_port.h
@@ -254,11 +254,20 @@ static inline int tty_port_users(struct
return port->count + port->blocked_open;
}
+/**
+ * tty_port_tty_hangup - helper to hang up a tty asynchronously
+ * @port: tty port
+ * @check_clocal: hang only ttys with %CLOCAL unset?
+ */
static inline void tty_port_tty_hangup(struct tty_port *port, bool check_clocal)
{
__tty_port_tty_hangup(port, check_clocal, true);
}
+/**
+ * tty_port_tty_vhangup - helper to hang up a tty synchronously
+ * @port: tty port
+ */
static inline void tty_port_tty_vhangup(struct tty_port *port)
{
__tty_port_tty_hangup(port, false, false);
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 736/737] firmware: arm_scmi: Fix unused notifier-block in unregister
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (734 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 735/737] tty: fix tty_port_tty_*hangup() kernel-doc Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 737/737] Revert "iommu/amd: Skip enabling command/event buffers for kdump" Greg Kroah-Hartman
` (11 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Cristian Marussi,
Amitai Gottlieb, Sudeep Holla
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amitai Gottlieb <amitaig@hailo.ai>
In scmi_devm_notifier_unregister(), the notifier-block argument was ignored
and never passed to devres_release(). As a result, the function always
returned -ENOENT and failed to unregister the notifier.
Drivers that depend on this helper for teardown could therefore hit
unexpected failures, including kernel panics.
Commit 264a2c520628 ("firmware: arm_scmi: Simplify scmi_devm_notifier_unregister")
removed the faulty code path during refactoring and hence this fix is not
required upstream.
Cc: <stable@vger.kernel.org> # 5.15.x, 6.1.x, and 6.6.x
Fixes: 5ad3d1cf7d34 ("firmware: arm_scmi: Introduce new devres notification ops")
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Amitai Gottlieb <amitaig@hailo.ai>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/arm_scmi/notify.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/firmware/arm_scmi/notify.c
+++ b/drivers/firmware/arm_scmi/notify.c
@@ -1539,6 +1539,7 @@ static int scmi_devm_notifier_unregister
dres.handle = sdev->handle;
dres.proto_id = proto_id;
dres.evt_id = evt_id;
+ dres.nb = nb;
if (src_id) {
dres.__src_id = *src_id;
dres.src_id = &dres.__src_id;
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH 6.6 737/737] Revert "iommu/amd: Skip enabling command/event buffers for kdump"
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (735 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 736/737] firmware: arm_scmi: Fix unused notifier-block in unregister Greg Kroah-Hartman
@ 2026-01-09 11:44 ` Greg Kroah-Hartman
2026-01-09 19:02 ` [PATCH 6.6 000/737] 6.6.120-rc1 review Brett A C Sheffield
` (10 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 11:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ashish Kalra, Vasant Hegde,
Sairaj Kodilkar, Joerg Roedel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit 44a764aec64b3f3235b9cbac2525222f69685418 which is
commit 9be15fbfc6c5c89c22cf6e209f66ea43ee0e58bb upstream.
This causes problems in older kernel trees as SNP host kdump is not
supported in them, so drop it from the stable branches.
Reported-by: Ashish Kalra <ashish.kalra@amd.com>
Link: https://lore.kernel.org/r/dacdff7f-0606-4ed5-b056-2de564404d51@amd.com
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Sairaj Kodilkar <sarunkod@amd.com>
Cc: Joerg Roedel <joerg.roedel@amd.com>
Cc: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd/init.c | 28 +++++++++-------------------
1 file changed, 9 insertions(+), 19 deletions(-)
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -840,16 +840,11 @@ static void iommu_enable_command_buffer(
BUG_ON(iommu->cmd_buf == NULL);
- if (!is_kdump_kernel()) {
- /*
- * Command buffer is re-used for kdump kernel and setting
- * of MMIO register is not required.
- */
- entry = iommu_virt_to_phys(iommu->cmd_buf);
- entry |= MMIO_CMD_SIZE_512;
- memcpy_toio(iommu->mmio_base + MMIO_CMD_BUF_OFFSET,
- &entry, sizeof(entry));
- }
+ entry = iommu_virt_to_phys(iommu->cmd_buf);
+ entry |= MMIO_CMD_SIZE_512;
+
+ memcpy_toio(iommu->mmio_base + MMIO_CMD_BUF_OFFSET,
+ &entry, sizeof(entry));
amd_iommu_reset_cmd_buffer(iommu);
}
@@ -898,15 +893,10 @@ static void iommu_enable_event_buffer(st
BUG_ON(iommu->evt_buf == NULL);
- if (!is_kdump_kernel()) {
- /*
- * Event buffer is re-used for kdump kernel and setting
- * of MMIO register is not required.
- */
- entry = iommu_virt_to_phys(iommu->evt_buf) | EVT_LEN_MASK;
- memcpy_toio(iommu->mmio_base + MMIO_EVT_BUF_OFFSET,
- &entry, sizeof(entry));
- }
+ entry = iommu_virt_to_phys(iommu->evt_buf) | EVT_LEN_MASK;
+
+ memcpy_toio(iommu->mmio_base + MMIO_EVT_BUF_OFFSET,
+ &entry, sizeof(entry));
/* set head and tail to zero manually */
writel(0x00, iommu->mmio_base + MMIO_EVT_HEAD_OFFSET);
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 731/737] ext4: filesystems without casefold feature cannot be mounted with siphash
2026-01-09 11:44 ` [PATCH 6.6 731/737] ext4: filesystems without casefold feature cannot be mounted with siphash Greg Kroah-Hartman
@ 2026-01-09 13:40 ` Thadeu Lima de Souza Cascardo
2026-01-09 14:13 ` Greg Kroah-Hartman
2026-01-27 18:36 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Hamza Mahfooz
0 siblings, 2 replies; 769+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2026-01-09 13:40 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, syzbot+340581ba9dceb7e06fb3, Lizhi Xu,
Theodore Tso
Hi, Greg.
The followup to 985b67cd86392310d9e9326de941c22fc9340eec, that I submitted
in the same thread, has not been picked up.
20260108150350.3354622-2-cascardo@igalia.com
https://lore.kernel.org/stable/20260108150350.3354622-2-cascardo@igalia.com/
a2187431c395 ("ext4: fix error message when rejecting the default hash")
You picked it up for 6.1 and 5.15 though.
Regards.
Cascardo.
On Fri, Jan 09, 2026 at 12:44:30PM +0100, Greg Kroah-Hartman wrote:
> 6.6-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Lizhi Xu <lizhi.xu@windriver.com>
>
> commit 985b67cd86392310d9e9326de941c22fc9340eec upstream.
>
> When mounting the ext4 filesystem, if the default hash version is set to
> DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
>
> Reported-by: syzbot+340581ba9dceb7e06fb3@syzkaller.appspotmail.com
> Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
> Link: https://patch.msgid.link/20240605012335.44086-1-lizhi.xu@windriver.com
> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
> [cascardo: small conflict fixup]
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> fs/ext4/super.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -3632,6 +3632,14 @@ int ext4_feature_set_ok(struct super_blo
> }
> #endif
>
> + if (EXT4_SB(sb)->s_es->s_def_hash_version == DX_HASH_SIPHASH &&
> + !ext4_has_feature_casefold(sb)) {
> + ext4_msg(sb, KERN_ERR,
> + "Filesystem without casefold feature cannot be "
> + "mounted with siphash");
> + return 0;
> + }
> +
> if (readonly)
> return 1;
>
>
>
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 731/737] ext4: filesystems without casefold feature cannot be mounted with siphash
2026-01-09 13:40 ` Thadeu Lima de Souza Cascardo
@ 2026-01-09 14:13 ` Greg Kroah-Hartman
2026-01-11 10:30 ` Thadeu Lima de Souza Cascardo
2026-01-27 18:36 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Hamza Mahfooz
1 sibling, 1 reply; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-09 14:13 UTC (permalink / raw)
To: Thadeu Lima de Souza Cascardo
Cc: stable, patches, syzbot+340581ba9dceb7e06fb3, Lizhi Xu,
Theodore Tso
On Fri, Jan 09, 2026 at 10:40:34AM -0300, Thadeu Lima de Souza Cascardo wrote:
> Hi, Greg.
>
> The followup to 985b67cd86392310d9e9326de941c22fc9340eec, that I submitted
> in the same thread, has not been picked up.
>
> 20260108150350.3354622-2-cascardo@igalia.com
> https://lore.kernel.org/stable/20260108150350.3354622-2-cascardo@igalia.com/
> a2187431c395 ("ext4: fix error message when rejecting the default hash")
>
> You picked it up for 6.1 and 5.15 though.
It's in the queue, odd you didn't get an email.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (736 preceding siblings ...)
2026-01-09 11:44 ` [PATCH 6.6 737/737] Revert "iommu/amd: Skip enabling command/event buffers for kdump" Greg Kroah-Hartman
@ 2026-01-09 19:02 ` Brett A C Sheffield
2026-01-09 19:35 ` Florian Fainelli
` (9 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Brett A C Sheffield @ 2026-01-09 19:02 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.6.120-rc1-g00f48cae9e13 #1 SMP PREEMPT_DYNAMIC Fri Jan 9 18:23:00 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (737 preceding siblings ...)
2026-01-09 19:02 ` [PATCH 6.6 000/737] 6.6.120-rc1 review Brett A C Sheffield
@ 2026-01-09 19:35 ` Florian Fainelli
2026-01-09 20:29 ` Slade Watkins
` (8 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Florian Fainelli @ 2026-01-09 19:35 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 1/9/26 03:32, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.120 release.
> There are 737 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 11 Jan 2026 11:19:41 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.120-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (738 preceding siblings ...)
2026-01-09 19:35 ` Florian Fainelli
@ 2026-01-09 20:29 ` Slade Watkins
2026-01-09 23:59 ` Shuah Khan
` (7 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Slade Watkins @ 2026-01-09 20:29 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
On Fri, Jan 9, 2026 at 6:50 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.120 release.
> There are 737 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 11 Jan 2026 11:19:41 +0000.
> Anything received after that time might be too late.
6.6.120-rc1 built and run on my x86_64 test system (AMD Ryzen 9 9900X,
System76 thelio-mira-r4-n3). No errors or regressions.
Tested-by: Slade Watkins <sr@sladewatkins.com>
Thanks,
Slade
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (739 preceding siblings ...)
2026-01-09 20:29 ` Slade Watkins
@ 2026-01-09 23:59 ` Shuah Khan
2026-01-10 5:03 ` Peter Schneider
` (6 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Shuah Khan @ 2026-01-09 23:59 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr, Shuah Khan
On 1/9/26 04:32, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.120 release.
> There are 737 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 11 Jan 2026 11:19:41 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.120-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (740 preceding siblings ...)
2026-01-09 23:59 ` Shuah Khan
@ 2026-01-10 5:03 ` Peter Schneider
2026-01-10 6:59 ` Ron Economos
` (5 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Peter Schneider @ 2026-01-10 5:03 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 09.01.2026 um 12:32 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.6.120 release.
> There are 737 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (741 preceding siblings ...)
2026-01-10 5:03 ` Peter Schneider
@ 2026-01-10 6:59 ` Ron Economos
2026-01-10 8:27 ` Francesco Dolcini
` (4 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Ron Economos @ 2026-01-10 6:59 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 1/9/26 03:32, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.120 release.
> There are 737 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 11 Jan 2026 11:19:41 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.120-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (742 preceding siblings ...)
2026-01-10 6:59 ` Ron Economos
@ 2026-01-10 8:27 ` Francesco Dolcini
2026-01-10 10:44 ` Jeffrin Thalakkottoor
` (3 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Francesco Dolcini @ 2026-01-10 8:27 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Fri, Jan 09, 2026 at 12:32:19PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.120 release.
> There are 737 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Compiled and tested on
- Verdin iMX8MM
- Colibri iMX6
- Apalis iMX6
- Colibri iMX6ULL
- Colibri iMX7
Tested-by: Francesco Dolcini <francesco.dolcini@toradex.com>
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (743 preceding siblings ...)
2026-01-10 8:27 ` Francesco Dolcini
@ 2026-01-10 10:44 ` Jeffrin Thalakkottoor
2026-01-10 12:55 ` Jon Hunter
` (2 subsequent siblings)
747 siblings, 0 replies; 769+ messages in thread
From: Jeffrin Thalakkottoor @ 2026-01-10 10:44 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
hello
Compiled and booted 6.6.120-rc1+
No typical new regressions from dmesg.
As per dmidecode command.
Version: AMD Ryzen 3 3250U with Radeon Graphics
Processor Information
Socket Designation: FP5
Type: Central Processor
Family: Zen
Manufacturer: Advanced Micro Devices, Inc.
ID: 81 0F 81 00 FF FB 8B 17
Signature: Family 23, Model 24, Stepping 1
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
--
software engineer
rajagiri school of engineering and technology
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (744 preceding siblings ...)
2026-01-10 10:44 ` Jeffrin Thalakkottoor
@ 2026-01-10 12:55 ` Jon Hunter
2026-01-10 20:07 ` Mark Brown
2026-01-10 21:15 ` Miguel Ojeda
747 siblings, 0 replies; 769+ messages in thread
From: Jon Hunter @ 2026-01-10 12:55 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
linux-tegra, stable
On Fri, 09 Jan 2026 12:32:19 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.120 release.
> There are 737 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 11 Jan 2026 11:19:41 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.120-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.6:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
120 tests: 120 pass, 0 fail
Linux version: 6.6.120-rc1-g00f48cae9e13
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (745 preceding siblings ...)
2026-01-10 12:55 ` Jon Hunter
@ 2026-01-10 20:07 ` Mark Brown
2026-01-10 21:15 ` Miguel Ojeda
747 siblings, 0 replies; 769+ messages in thread
From: Mark Brown @ 2026-01-10 20:07 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
On Fri, Jan 09, 2026 at 12:32:19PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.120 release.
> There are 737 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 000/737] 6.6.120-rc1 review
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
` (746 preceding siblings ...)
2026-01-10 20:07 ` Mark Brown
@ 2026-01-10 21:15 ` Miguel Ojeda
747 siblings, 0 replies; 769+ messages in thread
From: Miguel Ojeda @ 2026-01-10 21:15 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Fri, 09 Jan 2026 12:32:19 +0100 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.120 release.
> There are 737 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sun, 11 Jan 2026 11:19:41 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 731/737] ext4: filesystems without casefold feature cannot be mounted with siphash
2026-01-09 14:13 ` Greg Kroah-Hartman
@ 2026-01-11 10:30 ` Thadeu Lima de Souza Cascardo
2026-01-11 13:57 ` Greg Kroah-Hartman
0 siblings, 1 reply; 769+ messages in thread
From: Thadeu Lima de Souza Cascardo @ 2026-01-11 10:30 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, syzbot+340581ba9dceb7e06fb3, Lizhi Xu,
Theodore Tso
On Fri, Jan 09, 2026 at 03:13:55PM +0100, Greg Kroah-Hartman wrote:
> On Fri, Jan 09, 2026 at 10:40:34AM -0300, Thadeu Lima de Souza Cascardo wrote:
> > Hi, Greg.
> >
> > The followup to 985b67cd86392310d9e9326de941c22fc9340eec, that I submitted
> > in the same thread, has not been picked up.
> >
> > 20260108150350.3354622-2-cascardo@igalia.com
> > https://lore.kernel.org/stable/20260108150350.3354622-2-cascardo@igalia.com/
> > a2187431c395 ("ext4: fix error message when rejecting the default hash")
> >
> > You picked it up for 6.1 and 5.15 though.
>
> It's in the queue, odd you didn't get an email.
>
> thanks,
>
> greg k-h
Ah, I see it now, when looking for the upstream hash and not my sign-off.
It was a different backport that ommitted the original fix and only applied
the fixup/followup.
The original fix adds a hunk that is then removed by the followup. So when
applying the followup that ignores that hunk and then the original fix with
that hunk, 6.6 queue now is carrying an undesired hunk message.
If you drop a032fc761cc3f1112c42732d9a2482f23acad5fc and apply
https://lore.kernel.org/stable/20260108150350.3354622-2-cascardo@igalia.com/
instead, it should be in the expected final state. I would rather do that,
as then 6.6.y would be carrying the original fix, avoiding it to be
backported again.
Cascardo.
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 731/737] ext4: filesystems without casefold feature cannot be mounted with siphash
2026-01-11 10:30 ` Thadeu Lima de Souza Cascardo
@ 2026-01-11 13:57 ` Greg Kroah-Hartman
0 siblings, 0 replies; 769+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-11 13:57 UTC (permalink / raw)
To: Thadeu Lima de Souza Cascardo
Cc: stable, patches, syzbot+340581ba9dceb7e06fb3, Lizhi Xu,
Theodore Tso
On Sun, Jan 11, 2026 at 07:30:58AM -0300, Thadeu Lima de Souza Cascardo wrote:
> On Fri, Jan 09, 2026 at 03:13:55PM +0100, Greg Kroah-Hartman wrote:
> > On Fri, Jan 09, 2026 at 10:40:34AM -0300, Thadeu Lima de Souza Cascardo wrote:
> > > Hi, Greg.
> > >
> > > The followup to 985b67cd86392310d9e9326de941c22fc9340eec, that I submitted
> > > in the same thread, has not been picked up.
> > >
> > > 20260108150350.3354622-2-cascardo@igalia.com
> > > https://lore.kernel.org/stable/20260108150350.3354622-2-cascardo@igalia.com/
> > > a2187431c395 ("ext4: fix error message when rejecting the default hash")
> > >
> > > You picked it up for 6.1 and 5.15 though.
> >
> > It's in the queue, odd you didn't get an email.
> >
> > thanks,
> >
> > greg k-h
>
> Ah, I see it now, when looking for the upstream hash and not my sign-off.
> It was a different backport that ommitted the original fix and only applied
> the fixup/followup.
>
> The original fix adds a hunk that is then removed by the followup. So when
> applying the followup that ignores that hunk and then the original fix with
> that hunk, 6.6 queue now is carrying an undesired hunk message.
>
> If you drop a032fc761cc3f1112c42732d9a2482f23acad5fc and apply
> https://lore.kernel.org/stable/20260108150350.3354622-2-cascardo@igalia.com/
> instead, it should be in the expected final state. I would rather do that,
> as then 6.6.y would be carrying the original fix, avoiding it to be
> backported again.
Ok, thanks, now done!
greg k-h
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH] cpuset: Treat cpusets in attaching as populated
2026-01-09 11:35 ` [PATCH 6.6 186/737] cpuset: Treat cpusets in attaching as populated Greg Kroah-Hartman
@ 2026-01-12 2:42 ` Chen Ridong
2026-01-12 3:02 ` Chen Ridong
2026-01-12 6:42 ` Greg KH
0 siblings, 2 replies; 769+ messages in thread
From: Chen Ridong @ 2026-01-12 2:42 UTC (permalink / raw)
To: longman, lizefan.x, tj, hannes; +Cc: cgroups, stable, lujialin4, chenridong
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Ridong <chenridong@huawei.com>
[ Upstream commit b1bcaed1e39a9e0dfbe324a15d2ca4253deda316 ]
Currently, the check for whether a partition is populated does not
account for tasks in the cpuset of attaching. This is a corner case
that can leave a task stuck in a partition with no effective CPUs.
The race condition occurs as follows:
cpu0 cpu1
//cpuset A with cpu N
migrate task p to A
cpuset_can_attach
// with effective cpus
// check ok
// cpuset_mutex is not held // clear cpuset.cpus.exclusive
// making effective cpus empty
update_exclusive_cpumask
// tasks_nocpu_error check ok
// empty effective cpus, partition valid
cpuset_attach
...
// task p stays in A, with non-effective cpus.
To fix this issue, this patch introduces cs_is_populated, which considers
tasks in the attaching cpuset. This new helper is used in validate_change
and partition_is_populated.
Fixes: e2d59900d936 ("cgroup/cpuset: Allow no-task partition to have empty cpuset.cpus.effective")
Signed-off-by: Chen Ridong <chenridong@huawei.com>
Reviewed-by: Waiman Long <longman@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cpuset.c | 37 ++++++++++++++++++++++++++++---------
1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index eadb028916c8..3c466e742751 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -453,6 +453,15 @@ static inline bool is_in_v2_mode(void)
(cpuset_cgrp_subsys.root->flags & CGRP_ROOT_CPUSET_V2_MODE);
}
+static inline bool cpuset_is_populated(struct cpuset *cs)
+{
+ lockdep_assert_held(&cpuset_mutex);
+
+ /* Cpusets in the process of attaching should be considered as populated */
+ return cgroup_is_populated(cs->css.cgroup) ||
+ cs->attach_in_progress;
+}
+
/**
* partition_is_populated - check if partition has tasks
* @cs: partition root to be checked
@@ -465,21 +474,31 @@ static inline bool is_in_v2_mode(void)
static inline bool partition_is_populated(struct cpuset *cs,
struct cpuset *excluded_child)
{
- struct cgroup_subsys_state *css;
- struct cpuset *child;
+ struct cpuset *cp;
+ struct cgroup_subsys_state *pos_css;
- if (cs->css.cgroup->nr_populated_csets)
+ /*
+ * We cannot call cs_is_populated(cs) directly, as
+ * nr_populated_domain_children may include populated
+ * csets from descendants that are partitions.
+ */
+ if (cs->css.cgroup->nr_populated_csets ||
+ cs->attach_in_progress)
return true;
if (!excluded_child && !cs->nr_subparts_cpus)
- return cgroup_is_populated(cs->css.cgroup);
+ return cpuset_is_populated(cs);
rcu_read_lock();
- cpuset_for_each_child(child, css, cs) {
- if (child == excluded_child)
+ cpuset_for_each_descendant_pre(cp, pos_css, cs) {
+ if (cp == cs || cp == excluded_child)
continue;
- if (is_partition_valid(child))
+
+ if (is_partition_valid(cp)) {
+ pos_css = css_rightmost_descendant(pos_css);
continue;
- if (cgroup_is_populated(child->css.cgroup)) {
+ }
+
+ if (cpuset_is_populated(cp)) {
rcu_read_unlock();
return true;
}
@@ -751,7 +770,7 @@ static int validate_change(struct cpuset *cur, struct cpuset *trial)
* be changed to have empty cpus_allowed or mems_allowed.
*/
ret = -ENOSPC;
- if ((cgroup_is_populated(cur->css.cgroup) || cur->attach_in_progress)) {
+ if (cpuset_is_populated(cur)) {
if (!cpumask_empty(cur->cpus_allowed) &&
cpumask_empty(trial->cpus_allowed))
goto out;
--
2.34.1
^ permalink raw reply related [flat|nested] 769+ messages in thread
* Re: [PATCH] cpuset: Treat cpusets in attaching as populated
2026-01-12 2:42 ` [PATCH] " Chen Ridong
@ 2026-01-12 3:02 ` Chen Ridong
2026-01-12 6:42 ` Greg KH
1 sibling, 0 replies; 769+ messages in thread
From: Chen Ridong @ 2026-01-12 3:02 UTC (permalink / raw)
To: longman, lizefan.x, tj, hannes, Greg Kroah-Hartman, Sasha Levin
Cc: cgroups, stable, lujialin4
On 2026/1/12 10:42, Chen Ridong wrote:
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> 6.6-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Chen Ridong <chenridong@huawei.com>
>
> [ Upstream commit b1bcaed1e39a9e0dfbe324a15d2ca4253deda316 ]
>
> Currently, the check for whether a partition is populated does not
> account for tasks in the cpuset of attaching. This is a corner case
> that can leave a task stuck in a partition with no effective CPUs.
>
> The race condition occurs as follows:
>
> cpu0 cpu1
> //cpuset A with cpu N
> migrate task p to A
> cpuset_can_attach
> // with effective cpus
> // check ok
>
> // cpuset_mutex is not held // clear cpuset.cpus.exclusive
> // making effective cpus empty
> update_exclusive_cpumask
> // tasks_nocpu_error check ok
> // empty effective cpus, partition valid
> cpuset_attach
> ...
> // task p stays in A, with non-effective cpus.
>
> To fix this issue, this patch introduces cs_is_populated, which considers
> tasks in the attaching cpuset. This new helper is used in validate_change
> and partition_is_populated.
>
> Fixes: e2d59900d936 ("cgroup/cpuset: Allow no-task partition to have empty cpuset.cpus.effective")
> Signed-off-by: Chen Ridong <chenridong@huawei.com>
> Reviewed-by: Waiman Long <longman@redhat.com>
> Signed-off-by: Tejun Heo <tj@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> kernel/cgroup/cpuset.c | 37 ++++++++++++++++++++++++++++---------
> 1 file changed, 28 insertions(+), 9 deletions(-)
>
> diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
> index eadb028916c8..3c466e742751 100644
> --- a/kernel/cgroup/cpuset.c
> +++ b/kernel/cgroup/cpuset.c
> @@ -453,6 +453,15 @@ static inline bool is_in_v2_mode(void)
> (cpuset_cgrp_subsys.root->flags & CGRP_ROOT_CPUSET_V2_MODE);
> }
>
> +static inline bool cpuset_is_populated(struct cpuset *cs)
> +{
> + lockdep_assert_held(&cpuset_mutex);
> +
> + /* Cpusets in the process of attaching should be considered as populated */
> + return cgroup_is_populated(cs->css.cgroup) ||
> + cs->attach_in_progress;
> +}
> +
> /**
> * partition_is_populated - check if partition has tasks
> * @cs: partition root to be checked
> @@ -465,21 +474,31 @@ static inline bool is_in_v2_mode(void)
> static inline bool partition_is_populated(struct cpuset *cs,
> struct cpuset *excluded_child)
> {
> - struct cgroup_subsys_state *css;
> - struct cpuset *child;
> + struct cpuset *cp;
> + struct cgroup_subsys_state *pos_css;
>
> - if (cs->css.cgroup->nr_populated_csets)
> + /*
> + * We cannot call cs_is_populated(cs) directly, as
> + * nr_populated_domain_children may include populated
> + * csets from descendants that are partitions.
> + */
> + if (cs->css.cgroup->nr_populated_csets ||
> + cs->attach_in_progress)
> return true;
> if (!excluded_child && !cs->nr_subparts_cpus)
> - return cgroup_is_populated(cs->css.cgroup);
> + return cpuset_is_populated(cs);
>
We should adjust this part to use cpuset_is_populated instead of cgroup_is_populated.
Thanks.
> rcu_read_lock();
> - cpuset_for_each_child(child, css, cs) {
> - if (child == excluded_child)
> + cpuset_for_each_descendant_pre(cp, pos_css, cs) {
> + if (cp == cs || cp == excluded_child)
> continue;
> - if (is_partition_valid(child))
> +
> + if (is_partition_valid(cp)) {
> + pos_css = css_rightmost_descendant(pos_css);
> continue;
> - if (cgroup_is_populated(child->css.cgroup)) {
> + }
> +
> + if (cpuset_is_populated(cp)) {
> rcu_read_unlock();
> return true;
> }
> @@ -751,7 +770,7 @@ static int validate_change(struct cpuset *cur, struct cpuset *trial)
> * be changed to have empty cpus_allowed or mems_allowed.
> */
> ret = -ENOSPC;
> - if ((cgroup_is_populated(cur->css.cgroup) || cur->attach_in_progress)) {
> + if (cpuset_is_populated(cur)) {
> if (!cpumask_empty(cur->cpus_allowed) &&
> cpumask_empty(trial->cpus_allowed))
> goto out;
--
Best regards,
Ridong
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH] cpuset: Treat cpusets in attaching as populated
2026-01-12 2:42 ` [PATCH] " Chen Ridong
2026-01-12 3:02 ` Chen Ridong
@ 2026-01-12 6:42 ` Greg KH
2026-01-12 6:55 ` Chen Ridong
1 sibling, 1 reply; 769+ messages in thread
From: Greg KH @ 2026-01-12 6:42 UTC (permalink / raw)
To: Chen Ridong; +Cc: longman, lizefan.x, tj, hannes, cgroups, stable, lujialin4
On Mon, Jan 12, 2026 at 02:42:57AM +0000, Chen Ridong wrote:
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
I did not send this :(
> 6.6-stable review patch. If anyone has any objections, please let me know.
This is already in the 6.6.120 release.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH] cpuset: Treat cpusets in attaching as populated
2026-01-12 6:42 ` Greg KH
@ 2026-01-12 6:55 ` Chen Ridong
2026-01-12 7:03 ` Greg KH
0 siblings, 1 reply; 769+ messages in thread
From: Chen Ridong @ 2026-01-12 6:55 UTC (permalink / raw)
To: Greg KH; +Cc: longman, lizefan.x, tj, hannes, cgroups, stable, lujialin4
On 2026/1/12 14:42, Greg KH wrote:
> On Mon, Jan 12, 2026 at 02:42:57AM +0000, Chen Ridong wrote:
>> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> I did not send this :(
>
>> 6.6-stable review patch. If anyone has any objections, please let me know.
>
> This is already in the 6.6.120 release.
>
> thanks,
>
> greg k-h
I am sorry for the confusion.
I downloaded and modified the patch, and replied.
My point is that the patch intended for the 6.6.120 release should include an adaptation.
Specifically, the following block:
[...]
if (!excluded_child && !cs->nr_subparts_cpus)
return cgroup_is_populated(cs->css.cgroup);
[...]
Should be corrected to:
if (!excluded_child && !cs->nr_subparts_cpus)
- return cgroup_is_populated(cs->css.cgroup);
+ return cpuset_is_populated(cs);
--
Best regards,
Ridong
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH] cpuset: Treat cpusets in attaching as populated
2026-01-12 6:55 ` Chen Ridong
@ 2026-01-12 7:03 ` Greg KH
2026-01-14 1:51 ` [PATCH stable] cpuset: Fix missing adaptation for cpuset_is_populated Chen Ridong
0 siblings, 1 reply; 769+ messages in thread
From: Greg KH @ 2026-01-12 7:03 UTC (permalink / raw)
To: Chen Ridong; +Cc: longman, lizefan.x, tj, hannes, cgroups, stable, lujialin4
On Mon, Jan 12, 2026 at 02:55:53PM +0800, Chen Ridong wrote:
>
>
> On 2026/1/12 14:42, Greg KH wrote:
> > On Mon, Jan 12, 2026 at 02:42:57AM +0000, Chen Ridong wrote:
> >> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >
> > I did not send this :(
> >
> >> 6.6-stable review patch. If anyone has any objections, please let me know.
> >
> > This is already in the 6.6.120 release.
> >
> > thanks,
> >
> > greg k-h
>
> I am sorry for the confusion.
>
> I downloaded and modified the patch, and replied.
>
> My point is that the patch intended for the 6.6.120 release should include an adaptation.
> Specifically, the following block:
>
> [...]
> if (!excluded_child && !cs->nr_subparts_cpus)
> return cgroup_is_populated(cs->css.cgroup);
> [...]
>
> Should be corrected to:
>
> if (!excluded_child && !cs->nr_subparts_cpus)
> - return cgroup_is_populated(cs->css.cgroup);
> + return cpuset_is_populated(cs);
>
Great, can you send a fixup patch for this that we can apply to the next
release?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 769+ messages in thread
* [PATCH stable] cpuset: Fix missing adaptation for cpuset_is_populated
2026-01-12 7:03 ` Greg KH
@ 2026-01-14 1:51 ` Chen Ridong
2026-01-14 2:13 ` Chen Ridong
0 siblings, 1 reply; 769+ messages in thread
From: Chen Ridong @ 2026-01-14 1:51 UTC (permalink / raw)
To: gregkh; +Cc: stable, chenridong, lujialin4
From: Chen Ridong <chenridong@huawei.com>
Commit b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
was backported to the long‑term support (LTS) branches. However, because
commit d5cf4d34a333 ("cgroup/cpuset: Don't track # of local child
partitions") was not backported, a corresponding adaptation to the
backported code is still required.
To ensure correct behavior, replace cgroup_is_populated with
cpuset_is_populated in the partition_is_populated function.
Cc: stable@vger.kernel.org # 6.1+
Fixes: b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
Signed-off-by: Chen Ridong <chenridong@huawei.com>
---
kernel/cgroup/cpuset.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index f61dde0497f3..3c466e742751 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -486,7 +486,7 @@ static inline bool partition_is_populated(struct cpuset *cs,
cs->attach_in_progress)
return true;
if (!excluded_child && !cs->nr_subparts_cpus)
- return cgroup_is_populated(cs->css.cgroup);
+ return cpuset_is_populated(cs);
rcu_read_lock();
cpuset_for_each_descendant_pre(cp, pos_css, cs) {
--
2.34.1
^ permalink raw reply related [flat|nested] 769+ messages in thread
* Re: [PATCH stable] cpuset: Fix missing adaptation for cpuset_is_populated
2026-01-14 1:51 ` [PATCH stable] cpuset: Fix missing adaptation for cpuset_is_populated Chen Ridong
@ 2026-01-14 2:13 ` Chen Ridong
2026-01-15 14:54 ` Greg KH
0 siblings, 1 reply; 769+ messages in thread
From: Chen Ridong @ 2026-01-14 2:13 UTC (permalink / raw)
To: gregkh, Waiman Long, Tejun Heo; +Cc: stable, lujialin4, Chen Ridong
On 2026/1/14 9:51, Chen Ridong wrote:
> From: Chen Ridong <chenridong@huawei.com>
>
> Commit b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
> was backported to the long‑term support (LTS) branches. However, because
> commit d5cf4d34a333 ("cgroup/cpuset: Don't track # of local child
> partitions") was not backported, a corresponding adaptation to the
> backported code is still required.
>
> To ensure correct behavior, replace cgroup_is_populated with
> cpuset_is_populated in the partition_is_populated function.
>
> Cc: stable@vger.kernel.org # 6.1+
> Fixes: b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
> Signed-off-by: Chen Ridong <chenridong@huawei.com>
> ---
> kernel/cgroup/cpuset.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
> index f61dde0497f3..3c466e742751 100644
> --- a/kernel/cgroup/cpuset.c
> +++ b/kernel/cgroup/cpuset.c
> @@ -486,7 +486,7 @@ static inline bool partition_is_populated(struct cpuset *cs,
> cs->attach_in_progress)
> return true;
> if (!excluded_child && !cs->nr_subparts_cpus)
> - return cgroup_is_populated(cs->css.cgroup);
> + return cpuset_is_populated(cs);
>
> rcu_read_lock();
> cpuset_for_each_descendant_pre(cp, pos_css, cs) {
Hi Greg,
Is this patch suitable for applying?
Note: Because the corresponding commit varies between LTS branches,, the Fixes tag points to a
mainline commit.
--
Best regards,
Ridong
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH stable] cpuset: Fix missing adaptation for cpuset_is_populated
2026-01-14 2:13 ` Chen Ridong
@ 2026-01-15 14:54 ` Greg KH
2026-01-16 0:57 ` Chen Ridong
0 siblings, 1 reply; 769+ messages in thread
From: Greg KH @ 2026-01-15 14:54 UTC (permalink / raw)
To: Chen Ridong; +Cc: Waiman Long, Tejun Heo, stable, lujialin4
On Wed, Jan 14, 2026 at 10:13:16AM +0800, Chen Ridong wrote:
>
>
> On 2026/1/14 9:51, Chen Ridong wrote:
> > From: Chen Ridong <chenridong@huawei.com>
> >
> > Commit b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
> > was backported to the long‑term support (LTS) branches. However, because
> > commit d5cf4d34a333 ("cgroup/cpuset: Don't track # of local child
> > partitions") was not backported, a corresponding adaptation to the
> > backported code is still required.
> >
> > To ensure correct behavior, replace cgroup_is_populated with
> > cpuset_is_populated in the partition_is_populated function.
> >
> > Cc: stable@vger.kernel.org # 6.1+
> > Fixes: b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
> > Signed-off-by: Chen Ridong <chenridong@huawei.com>
> > ---
> > kernel/cgroup/cpuset.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
> > index f61dde0497f3..3c466e742751 100644
> > --- a/kernel/cgroup/cpuset.c
> > +++ b/kernel/cgroup/cpuset.c
> > @@ -486,7 +486,7 @@ static inline bool partition_is_populated(struct cpuset *cs,
> > cs->attach_in_progress)
> > return true;
> > if (!excluded_child && !cs->nr_subparts_cpus)
> > - return cgroup_is_populated(cs->css.cgroup);
> > + return cpuset_is_populated(cs);
> >
> > rcu_read_lock();
> > cpuset_for_each_descendant_pre(cp, pos_css, cs) {
>
> Hi Greg,
>
> Is this patch suitable for applying?
It needs approval from the maintainers of this file.
> Note: Because the corresponding commit varies between LTS branches,, the Fixes tag points to a
> mainline commit.
As this is only for 6.1.y, why not point it at the commit there?
Or is this for other branches? If so, which ones? It might be best to
provide a backport for all of the relevant ones so that we get it right.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH stable] cpuset: Fix missing adaptation for cpuset_is_populated
2026-01-15 14:54 ` Greg KH
@ 2026-01-16 0:57 ` Chen Ridong
2026-02-17 12:39 ` Greg KH
0 siblings, 1 reply; 769+ messages in thread
From: Chen Ridong @ 2026-01-16 0:57 UTC (permalink / raw)
To: Greg KH; +Cc: Waiman Long, Tejun Heo, stable, lujialin4
On 2026/1/15 22:54, Greg KH wrote:
> On Wed, Jan 14, 2026 at 10:13:16AM +0800, Chen Ridong wrote:
>>
>>
>> On 2026/1/14 9:51, Chen Ridong wrote:
>>> From: Chen Ridong <chenridong@huawei.com>
>>>
>>> Commit b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
>>> was backported to the long‑term support (LTS) branches. However, because
>>> commit d5cf4d34a333 ("cgroup/cpuset: Don't track # of local child
>>> partitions") was not backported, a corresponding adaptation to the
>>> backported code is still required.
>>>
>>> To ensure correct behavior, replace cgroup_is_populated with
>>> cpuset_is_populated in the partition_is_populated function.
>>>
>>> Cc: stable@vger.kernel.org # 6.1+
>>> Fixes: b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
>>> Signed-off-by: Chen Ridong <chenridong@huawei.com>
>>> ---
>>> kernel/cgroup/cpuset.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
>>> index f61dde0497f3..3c466e742751 100644
>>> --- a/kernel/cgroup/cpuset.c
>>> +++ b/kernel/cgroup/cpuset.c
>>> @@ -486,7 +486,7 @@ static inline bool partition_is_populated(struct cpuset *cs,
>>> cs->attach_in_progress)
>>> return true;
>>> if (!excluded_child && !cs->nr_subparts_cpus)
>>> - return cgroup_is_populated(cs->css.cgroup);
>>> + return cpuset_is_populated(cs);
>>>
>>> rcu_read_lock();
>>> cpuset_for_each_descendant_pre(cp, pos_css, cs) {
>>
>> Hi Greg,
>>
>> Is this patch suitable for applying?
>> It needs approval from the maintainers of this file.
>
Hi, Longman,
I appreciate you could have a review.
>> Note: Because the corresponding commit varies between LTS branches,, the Fixes tag points to a
>> mainline commit.
>
> As this is only for 6.1.y, why not point it at the commit there?
>
This fix (commit b1bcaed1e39a "cpuset: Treat cpusets in attaching as populated") was backported to
the stable branches v6.1 and later. The latest LTS(v6.18) has this issue, so it should be v6.1+.
Cc: stable@vger.kernel.org # v6.1+
> Or is this for other branches? If so, which ones? It might be best to
> provide a backport for all of the relevant ones so that we get it right.
>
> thanks,
>
> greg k-h
--
Best regards,
Ridong
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 176/737] perf arm-spe: Extend branch operations
2026-01-09 13:40 ` Thadeu Lima de Souza Cascardo
2026-01-09 14:13 ` Greg Kroah-Hartman
@ 2026-01-27 18:36 ` Hamza Mahfooz
2026-01-27 18:41 ` Hamza Mahfooz
1 sibling, 1 reply; 769+ messages in thread
From: Hamza Mahfooz @ 2026-01-27 18:36 UTC (permalink / raw)
To: cascardo
Cc: gregkh, lizhi.xu, patches, stable, syzbot+340581ba9dceb7e06fb3,
tytso
Hi,
It appears that this patch broke the build, see:
In file included from util/arm-spe-decoder/arm-spe-pkt-decoder.h:10,
from util/arm-spe-decoder/arm-spe-pkt-decoder.c:14:
linux/tools/include/linux/bitfield.h: In function ‘le16_encode_bits’:
linux/tools/include/linux/bitfield.h:166:38: error: implicit declaration of function ‘cpu_to_le16’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
170 | __MAKE_OP(16)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘le16_get_bits’:
linux/tools/include/linux/bitfield.h:166:54: error: implicit declaration of function ‘le16_to_cpu’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
170 | __MAKE_OP(16)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be16_encode_bits’:
linux/tools/include/linux/bitfield.h:167:38: error: implicit declaration of function ‘cpu_to_be16’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
170 | __MAKE_OP(16)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be16_get_bits’:
linux/tools/include/linux/bitfield.h:167:54: error: implicit declaration of function ‘be16_to_cpu’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
170 | __MAKE_OP(16)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘le32_encode_bits’:
linux/tools/include/linux/bitfield.h:166:38: error: implicit declaration of function ‘cpu_to_le32’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:171:1: note: in expansion of macro ‘__MAKE_OP’
171 | __MAKE_OP(32)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘le32_get_bits’:
linux/tools/include/linux/bitfield.h:166:54: error: implicit declaration of function ‘le32_to_cpu’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:171:1: note: in expansion of macro ‘__MAKE_OP’
171 | __MAKE_OP(32)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be32_encode_bits’:
linux/tools/include/linux/bitfield.h:167:38: error: implicit declaration of function ‘cpu_to_be32’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:171:1: note: in expansion of macro ‘__MAKE_OP’
171 | __MAKE_OP(32)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be32_get_bits’:
linux/tools/include/linux/bitfield.h:167:54: error: implicit declaration of function ‘be32_to_cpu’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:171:1: note: in expansion of macro ‘__MAKE_OP’
171 | __MAKE_OP(32)
| ^~~~~~~~~
CC util/thread.o
linux/tools/include/linux/bitfield.h: In function ‘le64_encode_bits’:
linux/tools/include/linux/bitfield.h:166:38: error: implicit declaration of function ‘cpu_to_le64’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:172:1: note: in expansion of macro ‘__MAKE_OP’
172 | __MAKE_OP(64)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘le64_get_bits’:
linux/tools/include/linux/bitfield.h:166:54: error: implicit declaration of function ‘le64_to_cpu’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:172:1: note: in expansion of macro ‘__MAKE_OP’
172 | __MAKE_OP(64)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be64_encode_bits’:
CC util/thread_map.o
linux/tools/include/linux/bitfield.h:167:38: error: implicit declaration of function ‘cpu_to_be64’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:172:1: note: in expansion of macro ‘__MAKE_OP’
172 | __MAKE_OP(64)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be64_get_bits’:
linux/tools/include/linux/bitfield.h:167:54: error: implicit declaration of function ‘be64_to_cpu’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:172:1: note: in expansion of macro ‘__MAKE_OP’
172 | __MAKE_OP(64)
| ^~~~~~~~~
BR,
Hamza
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 176/737] perf arm-spe: Extend branch operations
2026-01-09 11:35 ` [PATCH 6.6 177/737] perf arm_spe: Fix memset subclass in operation Greg Kroah-Hartman
@ 2026-01-27 18:38 ` Hamza Mahfooz
2026-01-28 9:02 ` Leo Yan
0 siblings, 1 reply; 769+ messages in thread
From: Hamza Mahfooz @ 2026-01-27 18:38 UTC (permalink / raw)
To: gregkh; +Cc: irogers, james.clark, leo.yan, namhyung, patches, sashal, stable
Hi,
It appears that this patch broke the build, see:
In file included from util/arm-spe-decoder/arm-spe-pkt-decoder.h:10,
from util/arm-spe-decoder/arm-spe-pkt-decoder.c:14:
linux/tools/include/linux/bitfield.h: In function ‘le16_encode_bits’:
linux/tools/include/linux/bitfield.h:166:38: error: implicit declaration of function ‘cpu_to_le16’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
170 | __MAKE_OP(16)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘le16_get_bits’:
linux/tools/include/linux/bitfield.h:166:54: error: implicit declaration of function ‘le16_to_cpu’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
170 | __MAKE_OP(16)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be16_encode_bits’:
linux/tools/include/linux/bitfield.h:167:38: error: implicit declaration of function ‘cpu_to_be16’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
170 | __MAKE_OP(16)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be16_get_bits’:
linux/tools/include/linux/bitfield.h:167:54: error: implicit declaration of function ‘be16_to_cpu’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
170 | __MAKE_OP(16)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘le32_encode_bits’:
linux/tools/include/linux/bitfield.h:166:38: error: implicit declaration of function ‘cpu_to_le32’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:171:1: note: in expansion of macro ‘__MAKE_OP’
171 | __MAKE_OP(32)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘le32_get_bits’:
linux/tools/include/linux/bitfield.h:166:54: error: implicit declaration of function ‘le32_to_cpu’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:171:1: note: in expansion of macro ‘__MAKE_OP’
171 | __MAKE_OP(32)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be32_encode_bits’:
linux/tools/include/linux/bitfield.h:167:38: error: implicit declaration of function ‘cpu_to_be32’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:171:1: note: in expansion of macro ‘__MAKE_OP’
171 | __MAKE_OP(32)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be32_get_bits’:
linux/tools/include/linux/bitfield.h:167:54: error: implicit declaration of function ‘be32_to_cpu’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:171:1: note: in expansion of macro ‘__MAKE_OP’
171 | __MAKE_OP(32)
| ^~~~~~~~~
CC util/thread.o
linux/tools/include/linux/bitfield.h: In function ‘le64_encode_bits’:
linux/tools/include/linux/bitfield.h:166:38: error: implicit declaration of function ‘cpu_to_le64’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:172:1: note: in expansion of macro ‘__MAKE_OP’
172 | __MAKE_OP(64)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘le64_get_bits’:
linux/tools/include/linux/bitfield.h:166:54: error: implicit declaration of function ‘le64_to_cpu’ [-Wimplicit-function-declaration]
166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:172:1: note: in expansion of macro ‘__MAKE_OP’
172 | __MAKE_OP(64)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be64_encode_bits’:
CC util/thread_map.o
linux/tools/include/linux/bitfield.h:167:38: error: implicit declaration of function ‘cpu_to_be64’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
149 | return to((v & field_mask(field)) * field_multiplier(field)); \
| ^~
linux/tools/include/linux/bitfield.h:172:1: note: in expansion of macro ‘__MAKE_OP’
172 | __MAKE_OP(64)
| ^~~~~~~~~
linux/tools/include/linux/bitfield.h: In function ‘be64_get_bits’:
linux/tools/include/linux/bitfield.h:167:54: error: implicit declaration of function ‘be64_to_cpu’ [-Wimplicit-function-declaration]
167 | ____MAKE_OP(be##size,u##size,cpu_to_be##size,be##size##_to_cpu) \
| ^~
linux/tools/include/linux/bitfield.h:163:17: note: in definition of macro ‘____MAKE_OP’
163 | return (from(v) & field)/field_multiplier(field); \
| ^~~~
linux/tools/include/linux/bitfield.h:172:1: note: in expansion of macro ‘__MAKE_OP’
172 | __MAKE_OP(64)
| ^~~~~~~~~
BR,
Hamza
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 176/737] perf arm-spe: Extend branch operations
2026-01-27 18:36 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Hamza Mahfooz
@ 2026-01-27 18:41 ` Hamza Mahfooz
0 siblings, 0 replies; 769+ messages in thread
From: Hamza Mahfooz @ 2026-01-27 18:41 UTC (permalink / raw)
To: hamzamahfooz
Cc: cascardo, gregkh, lizhi.xu, patches, stable,
syzbot+340581ba9dceb7e06fb3, tytso
I replied to the wrong thread, please disregard this message.
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 176/737] perf arm-spe: Extend branch operations
2026-01-27 18:38 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Hamza Mahfooz
@ 2026-01-28 9:02 ` Leo Yan
2026-01-28 16:13 ` Arnaldo Carvalho de Melo
0 siblings, 1 reply; 769+ messages in thread
From: Leo Yan @ 2026-01-28 9:02 UTC (permalink / raw)
To: Hamza Mahfooz, Arnaldo Carvalho de Melo
Cc: gregkh, irogers, james.clark, namhyung, patches, sashal, stable
Hi,
[ + Arnaldo ]
On Tue, Jan 27, 2026 at 10:38:30AM -0800, Hamza Mahfooz wrote:
> Hi,
>
> It appears that this patch broke the build, see:
>
> In file included from util/arm-spe-decoder/arm-spe-pkt-decoder.h:10,
> from util/arm-spe-decoder/arm-spe-pkt-decoder.c:14:
> linux/tools/include/linux/bitfield.h: In function ‘le16_encode_bits’:
> linux/tools/include/linux/bitfield.h:166:38: error: implicit declaration of function ‘cpu_to_le16’ [-Wimplicit-function-declaration]
> 166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
> | ^~~~~~~~~
> linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
> 149 | return to((v & field_mask(field)) * field_multiplier(field)); \
> | ^~
> linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
> 170 | __MAKE_OP(16)
> | ^~~~~~~~~
FYI, the fix has been sent out:
https://lore.kernel.org/linux-perf-users/20260123-perf_fix_bitfield-h-v2-1-cc8f8752607c@arm.com/
Thanks,
Leo
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 176/737] perf arm-spe: Extend branch operations
2026-01-28 9:02 ` Leo Yan
@ 2026-01-28 16:13 ` Arnaldo Carvalho de Melo
2026-01-28 16:20 ` Arnaldo Carvalho de Melo
0 siblings, 1 reply; 769+ messages in thread
From: Arnaldo Carvalho de Melo @ 2026-01-28 16:13 UTC (permalink / raw)
To: Leo Yan
Cc: Hamza Mahfooz, gregkh, irogers, james.clark, namhyung, patches,
sashal, stable
On Wed, Jan 28, 2026 at 09:02:23AM +0000, Leo Yan wrote:
> Hi,
> [ + Arnaldo ]
> On Tue, Jan 27, 2026 at 10:38:30AM -0800, Hamza Mahfooz wrote:
>
> > It appears that this patch broke the build, see:
> >
> > In file included from util/arm-spe-decoder/arm-spe-pkt-decoder.h:10,
> > from util/arm-spe-decoder/arm-spe-pkt-decoder.c:14:
> > linux/tools/include/linux/bitfield.h: In function ‘le16_encode_bits’:
> > linux/tools/include/linux/bitfield.h:166:38: error: implicit declaration of function ‘cpu_to_le16’ [-Wimplicit-function-declaration]
> > 166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
> > | ^~~~~~~~~
> > linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
> > 149 | return to((v & field_mask(field)) * field_multiplier(field)); \
> > | ^~
> > linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
> > 170 | __MAKE_OP(16)
> > | ^~~~~~~~~
> FYI, the fix has been sent out:
> https://lore.kernel.org/linux-perf-users/20260123-perf_fix_bitfield-h-v2-1-cc8f8752607c@arm.com/
Thanks, applied to perf-tools-next, I also added a Reported-by: Hamza,
- Arnaldo
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH 6.6 176/737] perf arm-spe: Extend branch operations
2026-01-28 16:13 ` Arnaldo Carvalho de Melo
@ 2026-01-28 16:20 ` Arnaldo Carvalho de Melo
0 siblings, 0 replies; 769+ messages in thread
From: Arnaldo Carvalho de Melo @ 2026-01-28 16:20 UTC (permalink / raw)
To: Leo Yan
Cc: Hamza Mahfooz, gregkh, irogers, james.clark, namhyung, patches,
sashal, stable
On Wed, Jan 28, 2026 at 01:13:35PM -0300, Arnaldo Carvalho de Melo wrote:
> On Wed, Jan 28, 2026 at 09:02:23AM +0000, Leo Yan wrote:
> > Hi,
>
> > [ + Arnaldo ]
>
> > On Tue, Jan 27, 2026 at 10:38:30AM -0800, Hamza Mahfooz wrote:
> >
> > > It appears that this patch broke the build, see:
> > >
> > > In file included from util/arm-spe-decoder/arm-spe-pkt-decoder.h:10,
> > > from util/arm-spe-decoder/arm-spe-pkt-decoder.c:14:
> > > linux/tools/include/linux/bitfield.h: In function ‘le16_encode_bits’:
> > > linux/tools/include/linux/bitfield.h:166:38: error: implicit declaration of function ‘cpu_to_le16’ [-Wimplicit-function-declaration]
> > > 166 | ____MAKE_OP(le##size,u##size,cpu_to_le##size,le##size##_to_cpu) \
> > > | ^~~~~~~~~
> > > linux/tools/include/linux/bitfield.h:149:16: note: in definition of macro ‘____MAKE_OP’
> > > 149 | return to((v & field_mask(field)) * field_multiplier(field)); \
> > > | ^~
> > > linux/tools/include/linux/bitfield.h:170:1: note: in expansion of macro ‘__MAKE_OP’
> > > 170 | __MAKE_OP(16)
> > > | ^~~~~~~~~
>
> > FYI, the fix has been sent out:
> > https://lore.kernel.org/linux-perf-users/20260123-perf_fix_bitfield-h-v2-1-cc8f8752607c@arm.com/
>
> Thanks, applied to perf-tools-next, I also added a Reported-by: Hamza,
Humm, this applies cleanly to perf-tools-next and seems legit as
bitfield.h uses things defined in kernel.h, but then it drifts further
from what is in the tools kernel.h :-\
Anyway, I'll keep it there for now.
- Arnaldo
^ permalink raw reply [flat|nested] 769+ messages in thread
* Re: [PATCH stable] cpuset: Fix missing adaptation for cpuset_is_populated
2026-01-16 0:57 ` Chen Ridong
@ 2026-02-17 12:39 ` Greg KH
0 siblings, 0 replies; 769+ messages in thread
From: Greg KH @ 2026-02-17 12:39 UTC (permalink / raw)
To: Chen Ridong; +Cc: Waiman Long, Tejun Heo, stable, lujialin4
On Fri, Jan 16, 2026 at 08:57:40AM +0800, Chen Ridong wrote:
>
>
> On 2026/1/15 22:54, Greg KH wrote:
> > On Wed, Jan 14, 2026 at 10:13:16AM +0800, Chen Ridong wrote:
> >>
> >>
> >> On 2026/1/14 9:51, Chen Ridong wrote:
> >>> From: Chen Ridong <chenridong@huawei.com>
> >>>
> >>> Commit b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
> >>> was backported to the long‑term support (LTS) branches. However, because
> >>> commit d5cf4d34a333 ("cgroup/cpuset: Don't track # of local child
> >>> partitions") was not backported, a corresponding adaptation to the
> >>> backported code is still required.
> >>>
> >>> To ensure correct behavior, replace cgroup_is_populated with
> >>> cpuset_is_populated in the partition_is_populated function.
> >>>
> >>> Cc: stable@vger.kernel.org # 6.1+
> >>> Fixes: b1bcaed1e39a ("cpuset: Treat cpusets in attaching as populated")
> >>> Signed-off-by: Chen Ridong <chenridong@huawei.com>
> >>> ---
> >>> kernel/cgroup/cpuset.c | 2 +-
> >>> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>>
> >>> diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
> >>> index f61dde0497f3..3c466e742751 100644
> >>> --- a/kernel/cgroup/cpuset.c
> >>> +++ b/kernel/cgroup/cpuset.c
> >>> @@ -486,7 +486,7 @@ static inline bool partition_is_populated(struct cpuset *cs,
> >>> cs->attach_in_progress)
> >>> return true;
> >>> if (!excluded_child && !cs->nr_subparts_cpus)
> >>> - return cgroup_is_populated(cs->css.cgroup);
> >>> + return cpuset_is_populated(cs);
> >>>
> >>> rcu_read_lock();
> >>> cpuset_for_each_descendant_pre(cp, pos_css, cs) {
> >>
> >> Hi Greg,
> >>
> >> Is this patch suitable for applying?
> >> It needs approval from the maintainers of this file.
> >
>
> Hi, Longman,
>
> I appreciate you could have a review.
>
> >> Note: Because the corresponding commit varies between LTS branches,, the Fixes tag points to a
> >> mainline commit.
> >
> > As this is only for 6.1.y, why not point it at the commit there?
> >
>
> This fix (commit b1bcaed1e39a "cpuset: Treat cpusets in attaching as populated") was backported to
> the stable branches v6.1 and later. The latest LTS(v6.18) has this issue, so it should be v6.1+.
>
> Cc: stable@vger.kernel.org # v6.1+
Ok, makes sense. I've applied this, with manual fixups for 6.18.y and
6.12.y, to the relevent trees.
greg k-h
^ permalink raw reply [flat|nested] 769+ messages in thread
end of thread, other threads:[~2026-02-17 12:39 UTC | newest]
Thread overview: 769+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-09 11:32 [PATCH 6.6 000/737] 6.6.120-rc1 review Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 001/737] xfrm: delete x->tunnel as we delete x Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 002/737] Revert "xfrm: destroy xfrm_state synchronously on net exit path" Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 003/737] xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 004/737] xfrm: flush all states in xfrm_state_fini Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 005/737] leds: spi-byte: Use devm_led_classdev_register_ext() Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 006/737] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 007/737] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 008/737] ext4: refresh inline data size before write operations Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 009/737] ksmbd: ipc: fix use-after-free in ipc_msg_send_request Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 010/737] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 011/737] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 012/737] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 013/737] KVM: SVM: Dont skip unrelated instruction if INT3/INTO is replaced Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 014/737] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 015/737] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 016/737] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 017/737] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 018/737] serial: add support of CPCI cards Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 019/737] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 020/737] USB: serial: kobil_sct: " Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 021/737] ftrace: bpf: Fix IPMODIFY + DIRECT in modify_ftrace_direct() Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 022/737] spi: xilinx: increase number of retries before declaring stall Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 023/737] spi: imx: keep dma request disabled before dma transfer setup Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 024/737] drm/vmwgfx: Use kref in vmw_bo_dirty Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 025/737] Bluetooth: btrtl: Avoid loading the config file on security chips Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 026/737] smb: fix invalid username check in smb3_fs_context_parse_param() Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 027/737] ALSA: usb-audio: Add native DSD quirks for PureAudio DAC series Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 028/737] bfs: Reconstruct file type when loading from disk Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 029/737] HID: hid-input: Extend Elan ignore battery quirk to USB Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 030/737] nvme: fix admin request_queue lifetime Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 031/737] pinctrl: qcom: msm: Fix deadlock in pinmux configuration Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 032/737] platform/x86: acer-wmi: Ignore backlight event Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 033/737] HID: apple: Add SONiX AK870 PRO to non_apple_keyboards quirk list Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 034/737] platform/x86: huawei-wmi: add keys for HONOR models Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 035/737] platform/x86/amd: pmc: Add Lenovo Legion Go 2 to pmc quirk list Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 036/737] platform/x86/amd/pmc: Add spurious_8042 to Xbox Ally Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 037/737] HID: elecom: Add support for ELECOM M-XT3URBK (018F) Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 038/737] LoongArch: Mask all interrupts during kexec/kdump Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 039/737] samples: work around glibc redefining some of our defines wrong Greg Kroah-Hartman
2026-01-09 11:32 ` [PATCH 6.6 040/737] wifi: rtw88: Add USB ID 2001:3329 for D-Link AC13U rev. A1 Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 041/737] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 042/737] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 043/737] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 044/737] staging: rtl8723bs: fix out-of-bounds read in rtw_get_ie() parser Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 045/737] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 046/737] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 047/737] smack: fix bug: unprivileged task can create labels Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 048/737] gpu: host1x: Fix race in syncpt alloc/free Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 049/737] drm/panel: visionox-rm69299: Dont clear all mode flags Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 050/737] drm/vgem-fence: Fix potential deadlock on release Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 051/737] USB: Fix descriptor count when handling invalid MBIM extended descriptor Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 052/737] clk: renesas: cpg-mssr: Add missing 1ms delay into reset toggle callback Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 053/737] clk: renesas: rzg2l: Simplify the logic in rzg2l_mod_clock_endisable() Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 054/737] clk: renesas: rzg2l: Remove critical area Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 055/737] clk: renesas: rzg2l: Use %x format specifier to print CLK_ON_R() Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 056/737] clk: renesas: Use str_on_off() helper Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 057/737] clk: renesas: Pass sub struct of cpg_mssr_priv to cpg_clk_register Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 058/737] clk: renesas: cpg-mssr: Read back reset registers to assure values latched Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 059/737] HID: logitech-hidpp: Do not assume FAP in hidpp_send_message_sync() Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 060/737] objtool: Fix standalone --hacks=jump_label Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 061/737] objtool: Fix weak symbol detection Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 062/737] sched/fair: Forfeit vruntime on yield Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 063/737] irqchip/irq-bcm7038-l1: Fix section mismatch Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 064/737] irqchip/irq-bcm7120-l2: " Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 065/737] irqchip/irq-brcmstb-l2: " Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 066/737] irqchip/imx-mu-msi: " Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 067/737] irqchip/qcom-irq-combiner: " Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 068/737] crypto: authenc - Correctly pass EINPROGRESS back up to the caller Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 069/737] ntfs3: fix uninit memory after failed mi_read in mi_format_new Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 070/737] ntfs3: Fix uninit buffer allocated by __getname() Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 071/737] rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu() Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 072/737] inet: Avoid ehash lookup race in inet_ehash_insert() Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 073/737] iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 074/737] arm64: dts: freescale: imx8mp-venice-gw7905-2x: remove duplicate usdhc1 props Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 075/737] arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 076/737] arm64: dts: imx8mp-venice-gw702x: remove off-board uart Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 077/737] arm64: dts: imx8mp-venice-gw702x: remove off-board sdhc1 Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 078/737] PCI: rcar-gen2: Drop ARM dependency from PCI_RCAR_GEN2 Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 079/737] uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 080/737] clk: qcom: camcc-sm6350: Specify Titan GDSC power domain as a parent to other Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 081/737] clk: qcom: camcc-sm6350: Fix PLL config of PLL2 Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 082/737] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 083/737] crypto: hisilicon/qm - restore original qos values Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 084/737] wifi: ath11k: fix peer HE MCS assignment Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 085/737] s390/smp: Fix fallback CPU detection Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 086/737] s390/ap: Dont leak debug feature files if AP instructions are not available Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 087/737] arm64: dts: ti: k3-am62p: Fix memory ranges for GPU Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 088/737] firmware: imx: scu-irq: fix OF node leak in Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 089/737] arm64: dts: qcom: sdm845-oneplus: Correct gpio used for slider Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 090/737] phy: mscc: Fix PTP for VSC8574 and VSC8572 Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 091/737] sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock() Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 092/737] RDMA/rxe: Fix null deref on srq->rq.queue after resize failure Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 093/737] ARM: dts: renesas: gose: Remove superfluous port property Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 094/737] ARM: dts: renesas: r9a06g032-rzn1d400-db: Drop invalid #cells properties Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 095/737] Revert "mtd: rawnand: marvell: fix layouts" Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 096/737] mtd: nand: relax ECC parameter validation check Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 097/737] mtd: rawnand: lpc32xx_slc: fix GPIO descriptor leak on probe error and remove Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 098/737] task_work: Fix NMI race condition Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 099/737] x86/dumpstack: Prevent KASAN false positive warnings in __show_regs() Greg Kroah-Hartman
2026-01-09 11:33 ` [PATCH 6.6 100/737] tools/nolibc/stdio: let perror work when NOLIBC_IGNORE_ERRNO is set Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 101/737] soc: qcom: smem: fix hwspinlock resource leak in probe error paths Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 102/737] pinctrl: stm32: fix hwspinlock resource leak in probe function Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 103/737] i3c: master: Inherit DMA masks and parameters from parent device Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 104/737] i3c: fix refcount inconsistency in i3c_master_register Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 105/737] i3c: master: svc: Prevent incomplete IBI transaction Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 106/737] interconnect: qcom: msm8996: add missing link to SLAVE_USB_HS Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 107/737] arm64: dts: qcom: msm8996: add interconnect paths to USB2 controller Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 108/737] interconnect: debugfs: Fix incorrect error handling for NULL path Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 109/737] perf maps: Add maps__load_first() Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 110/737] perf lock contention: Load kernel map before lookup Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 111/737] perf record: skip synthesize event when open evsel failed Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 112/737] power: supply: cw2015: Check devm_delayed_work_autocancel() return code Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 113/737] power: supply: rt9467: Return error on failure in rt9467_set_value_from_ranges() Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 114/737] power: supply: rt9467: Prevent using uninitialized local variable " Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 115/737] power: supply: wm831x: Check wm831x_set_bits() return value Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 116/737] power: supply: apm_power: only unset own apm_get_power_status Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 117/737] scsi: target: Do not write NUL characters into ASCII configfs output Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 118/737] fs/9p: Dont open remote file with APPEND mode when writeback cache is used Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 119/737] spi: tegra210-quad: Fix timeout handling Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 120/737] ARM: dts: am335x-netcom-plus-2xx: add missing GPIO labels Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 121/737] ARM: dts: omap3: beagle-xm: Correct obsolete TWL4030 power compatible Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 122/737] ARM: dts: omap3: n900: " Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 123/737] x86/boot: Fix page table access in 5-level to 4-level paging transition Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 124/737] efi/libstub: " Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 125/737] mfd: da9055: Fix missing regmap_del_irq_chip() in error path Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 126/737] ext4: correct the checking of quota files before moving extents Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 127/737] perf/x86/intel: Correct large PEBS flag check Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 128/737] regulator: core: disable supply if enabling main regulator fails Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 129/737] nbd: defer config put in recv_work Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 130/737] scsi: stex: Fix reboot_notifier leak in probe error path Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 131/737] scsi: smartpqi: Fix device resources accessed after device removal Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 132/737] staging: most: i2c: Drop explicit initialization of struct i2c_device_id::driver_data to 0 Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 133/737] staging: most: remove broken i2c driver Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 134/737] dt-bindings: PCI: amlogic: Fix the register name of the DBI region Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 135/737] RDMA/rtrs: server: Fix error handling in get_or_create_srv Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 136/737] ARM: dts: stm32: stm32mp157c-phycore: Fix STMPE811 touchscreen node properties Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 137/737] ntfs3: init run lock for extend inode Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 138/737] scsi: ufs: core: fix incorrect buffer duplication in ufshcd_read_string_desc() Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 139/737] cpufreq/amd-pstate: Call cppc_set_auto_sel() only for online CPUs Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 140/737] powerpc/32: Fix unpaired stwcx. on interrupt exit Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 141/737] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 142/737] wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper() Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 143/737] nbd: defer config unlock in nbd_genl_connect Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 144/737] coresight: etm4x: Correct polling IDLE bit Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 145/737] coresight: etm4x: Extract the trace unit controlling Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 146/737] coresight: etm4x: Add context synchronization before enabling trace Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 147/737] clk: renesas: r9a06g032: Fix memory leak in error path Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 148/737] lib/vsprintf: Check pointer before dereferencing in time_and_date() Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 149/737] ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 150/737] ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint() Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 151/737] scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 152/737] leds: netxbig: Fix GPIO descriptor leak in error paths Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 153/737] bpf: Free special fields when update [lru_,]percpu_hash maps Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 154/737] PCI: keystone: Exit ks_pcie_probe() for invalid mode Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 155/737] arm64: dts: rockchip: Move the EEPROM to correct I2C bus on Radxa ROCK 5A Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 156/737] arm64: dts: rockchip: Add eeprom vcc-supply for " Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 157/737] ps3disk: use memcpy_{from,to}_bvec index Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 158/737] bpf: Handle return value of ftrace_set_filter_ip in register_fentry Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 159/737] selftests/bpf: Fix failure paths in send_signal test Greg Kroah-Hartman
2026-01-09 11:34 ` [PATCH 6.6 160/737] bpf: Check skb->transport_header is set in bpf_skb_check_mtu Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 161/737] watchdog: wdat_wdt: Fix ACPI table leak in probe function Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 162/737] watchdog: starfive: Fix resource leak in probe error path Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 163/737] tracefs: fix a leak in eventfs_create_events_dir() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 164/737] NFSD/blocklayout: Fix minlength check in proc_layoutget Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 165/737] drm/msm/a2xx: stop over-complaining about the legacy firmware Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 166/737] wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 167/737] bpf: Improve program stats run-time calculation Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 168/737] bpf: Fix invalid prog->stats access when update_effective_progs fails Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 169/737] powerpc/64s/hash: Restrict stress_hpt_struct memblock region to within RMA limit Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 170/737] powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 171/737] fs/ntfs3: out1 also needs to put mi Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 172/737] fs/ntfs3: Prevent memory leaks in add sub record Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 173/737] drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 174/737] net/ipv6: Remove expired routes with a separated list of routes Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 175/737] ipv6: clear RA flags when adding a static route Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 177/737] perf arm_spe: Fix memset subclass in operation Greg Kroah-Hartman
2026-01-27 18:38 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Hamza Mahfooz
2026-01-28 9:02 ` Leo Yan
2026-01-28 16:13 ` Arnaldo Carvalho de Melo
2026-01-28 16:20 ` Arnaldo Carvalho de Melo
2026-01-09 11:35 ` [PATCH 6.6 178/737] pwm: bcm2835: Make sure the channel is enabled after pwm_request() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 179/737] scsi: qla2xxx: Fix improper freeing of purex item Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 180/737] wifi: mac80211: remove RX_DROP_UNUSABLE Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 181/737] wifi: mac80211: fix CMAC functions not handling errors Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 182/737] mfd: mt6397-irq: Fix missing irq_domain_remove() in error path Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 183/737] mfd: mt6358-irq: " Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 184/737] phy: renesas: rcar-gen3-usb2: Fix an error handling path in rcar_gen3_phy_usb2_probe() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 185/737] net: phy: adin1100: Fix software power-down ready condition Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 186/737] cpuset: Treat cpusets in attaching as populated Greg Kroah-Hartman
2026-01-12 2:42 ` [PATCH] " Chen Ridong
2026-01-12 3:02 ` Chen Ridong
2026-01-12 6:42 ` Greg KH
2026-01-12 6:55 ` Chen Ridong
2026-01-12 7:03 ` Greg KH
2026-01-14 1:51 ` [PATCH stable] cpuset: Fix missing adaptation for cpuset_is_populated Chen Ridong
2026-01-14 2:13 ` Chen Ridong
2026-01-15 14:54 ` Greg KH
2026-01-16 0:57 ` Chen Ridong
2026-02-17 12:39 ` Greg KH
2026-01-09 11:35 ` [PATCH 6.6 187/737] wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 188/737] ima: Handle error code returned by ima_filter_rule_match() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 189/737] usb: chaoskey: fix locking for O_NONBLOCK Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 190/737] usb: dwc2: disable platform lowlevel hw resources during shutdown Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 191/737] usb: dwc2: fix hang during shutdown if set as peripheral Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 192/737] usb: dwc2: fix hang during suspend " Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 193/737] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 194/737] selftests/bpf: skip test_perf_branches_hw() on unsupported platforms Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 195/737] selftests/bpf: Improve reliability of test_perf_branches_no_hw() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 196/737] crypto: starfive - Correctly handle return of sg_nents_for_len Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 197/737] crypto: ccree " Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 198/737] RISC-V: KVM: Fix guest page fault within HLV* instructions Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 199/737] RDMA/bnxt_re: Fix the inline size for GenP7 devices Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 200/737] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 201/737] firmware: stratix10-svc: fix make htmldocs warning for stratix10_svc Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 202/737] staging: fbtft: core: fix potential memory leak in fbtft_probe_common() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 203/737] btrfs: fix leaf leak in an error path in btrfs_del_items() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 204/737] PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 205/737] drm/nouveau: restrict the flush page to a 32-bit address Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 206/737] iomap: factor out a iomap_dio_done helper Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 207/737] iomap: always run error completions in user context Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 208/737] wifi: ieee80211: correct FILS status codes Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 209/737] backlight: led-bl: Add devlink to supplier LEDs Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 210/737] backlight: lp855x: Fix lp855x.h kernel-doc warnings Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 211/737] iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 212/737] RDMA/irdma: Fix data race in irdma_sc_ccq_arm Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 213/737] RDMA/irdma: Fix data race in irdma_free_pble Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 214/737] RDMA/irdma: Add support to re-register a memory region Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 215/737] RDMA/irdma: Do not directly rely on IB_PD_UNSAFE_GLOBAL_RKEY Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 216/737] ASoC: fsl_xcvr: clear the channel status control memory Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 217/737] drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1() Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 218/737] hwmon: sy7636a: Fix regulator_enable resource leak on error path Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 219/737] ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4 Greg Kroah-Hartman
2026-01-09 11:35 ` [PATCH 6.6 220/737] ublk: make sure io cmd handled in submitter task context Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 221/737] ublk: complete command synchronously on error Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 222/737] ublk: prevent invalid access with DEBUG Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 223/737] ext4: remove unused return value of __mb_check_buddy Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 224/737] ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 225/737] virtio_vdpa: fix misleading return in void function Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 226/737] virtio: fix typo in virtio_device_ready() comment Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 227/737] virtio: fix whitespace in virtio_config_ops Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 228/737] virtio: fix virtqueue_set_affinity() docs Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 229/737] vdpa/pds: use %pe for ERR_PTR() in event handler registration Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 230/737] ASoC: Intel: catpt: Fix error path in hw_params() Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 231/737] ARM: dts: samsung: universal_c210: turn off SDIO WLAN chip during system suspend Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 232/737] ARM: dts: samsung: exynos4210-i9100: " Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 233/737] ARM: dts: samsung: exynos4210-trats: " Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 234/737] ARM: dts: samsung: exynos4412-midas: " Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 235/737] regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 236/737] resource: Reuse for_each_resource() macro Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 237/737] resource: replace open coded resource_intersection() Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 238/737] resource: introduce is_type_match() helper and use it Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 239/737] Reinstate "resource: avoid unnecessary lookups in find_next_iomem_res()" Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 240/737] netfilter: flowtable: check for maximum number of encapsulations in bridge vlan Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 241/737] netfilter: nf_conncount: rework API to use sk_buff directly Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 242/737] netfilter: nft_connlimit: update the count if add was skipped Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 243/737] net: stmmac: fix rx limit check in stmmac_rx_zc() Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 244/737] mtd: rawnand: renesas: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 245/737] selftests: bonding: add missing build configs Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 246/737] selftests: bonding: Add more missing config options Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 247/737] selftests: bonding: add ipvlan over bond testing Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 248/737] selftests: bonding: add delay before each xvlan_over_bond connectivity check Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 249/737] mtd: lpddr_cmds: fix signed shifts in lpddr_cmds Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 250/737] remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 251/737] md/raid5: fix IO hang when array is broken with IO inflight Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 252/737] clk: keystone: fix compile testing Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 253/737] net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 254/737] perf tools: Fix split kallsyms DSO counting Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 255/737] pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 256/737] pinctrl: single: Fix incorrect type for error return variable Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 257/737] fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe() Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 258/737] 9p: fix cache/debug options printing in v9fs_show_options Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 259/737] NFS: Avoid changing nlink when file removes and attribute updates race Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 260/737] fs/nls: Fix utf16 to utf8 conversion Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 261/737] NFS: Initialise verifiers for visible dentries in readdir and lookup Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 262/737] NFS: Initialise verifiers for visible dentries in nfs_atomic_open() Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 263/737] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 264/737] Revert "nfs: ignore SB_RDONLY when remounting nfs" Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 265/737] Revert "nfs: clear SB_RDONLY before getting superblock" Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 266/737] Revert "nfs: ignore SB_RDONLY when mounting nfs" Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 267/737] NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 268/737] Expand the type of nfs_fattr->valid Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 269/737] NFS: Fix inheritance of the block sizes when automounting Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 270/737] fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 271/737] platform/x86: asus-wmi: use brightness_set_blocking() for kbd led Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 272/737] ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure() Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 273/737] ASoC: ak4458: Disable regulator when error happens Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 274/737] ASoC: ak5558: " Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 275/737] blk-mq: Abort suspend when wakeup events are pending Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 276/737] block: fix comment for op_is_zone_mgmt() to include RESET_ALL Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 277/737] nvme-auth: use kvfree() for memory allocated with kvcalloc() Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 278/737] ALSA: firewire-motu: fix buffer overflow in hwdep read for DSP events Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 279/737] dma/pool: eliminate alloc_pages warning in atomic_pool_expand Greg Kroah-Hartman
2026-01-09 11:36 ` [PATCH 6.6 280/737] ALSA: uapi: Fix typo in asound.h comment Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 281/737] rtc: gamecube: Check the return value of ioremap() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 282/737] ALSA: firewire-motu: add bounds check in put_user loop for DSP events Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 283/737] ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 284/737] block: Use RCU in blk_mq_[un]quiesce_tagset() instead of set->tag_list_lock Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 285/737] dm-raid: fix possible NULL dereference with undefined raid type Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 286/737] dm log-writes: Add missing set_freezable() for freezable kthread Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 287/737] efi/cper: Add a new helper function to print bitmasks Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 288/737] efi/cper: Adjust infopfx size to accept an extra space Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 289/737] efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 290/737] irqchip/mchp-eic: Fix error code in mchp_eic_domain_alloc() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 291/737] ocfs2: fix memory leak in ocfs2_merge_rec_left() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 292/737] [PATCH 6.12] LoongArch: Add machine_kexec_mask_interrupts() implementation Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 293/737] net: lan743x: Allocate rings outside ZONE_DMA Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 294/737] usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 295/737] usb: phy: Initialize struct usb_phy list_head Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 296/737] ALSA: dice: fix buffer overflow in detect_stream_formats() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 297/737] ipv6: avoid possible NULL deref in modify_prefix_route() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 298/737] ipv6: add exception routes to GC list in rt6_insert_exception Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 299/737] btrfs: do not skip logging new dentries when logging a new name Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 300/737] btrfs: fix a potential path leak in print_data_reloc_error() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 301/737] bpf, arm64: Do not audit capability check in do_jit() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 302/737] btrfs: fix memory leak of fs_devices in degraded seed device path Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 303/737] iomap: adjust read range correctly for non-block-aligned positions Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 304/737] iomap: account for unaligned end offsets when truncating read range Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 305/737] perf/x86/amd: Check event before enable to avoid GPF Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 306/737] sched/deadline: only set free_cpus for online runqueues Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 307/737] sched/fair: Revert max_newidle_lb_cost bump Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 308/737] x86/ptrace: Always inline trivial accessors Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 309/737] ACPICA: Avoid walking the Namespace if start_node is NULL Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 310/737] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 311/737] cpufreq: dt-platdev: Add JH7110S SOC to the allowlist Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 312/737] cpufreq: s5pv210: fix refcount leak Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 313/737] cpuidle: menu: Use residency threshold in polling state override decisions Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 314/737] livepatch: Match old_sympos 0 and 1 in klp_find_func() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 315/737] fs/ntfs3: Support timestamps prior to epoch Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 316/737] kbuild: Use objtree for module signing key path Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 317/737] ntfs: set dummy blocksize to read boot_block when mounting Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 318/737] hfsplus: fix volume corruption issue for generic/070 Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 319/737] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 320/737] hfsplus: Verify inode mode when loading from disk Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 321/737] hfsplus: fix volume corruption issue for generic/073 Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 322/737] wifi: brcmfmac: Add DMI nvram filename quirk for Acer A1 840 tablet Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 323/737] btrfs: scrub: always update btrfs_scrub_progress::last_physical Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 324/737] gfs2: fix remote evict for read-only filesystems Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 325/737] smb/server: fix return value of smb2_ioctl() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 326/737] ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 327/737] ksmbd: vfs: fix race on m_flags in vfs_cache Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 328/737] Bluetooth: btusb: Add new VID/PID 2b89/6275 for RTL8761BUV Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 329/737] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 330/737] gfs2: Fix use of bio_chain Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 331/737] net: fec: ERR007885 Workaround for XDP TX path Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 332/737] netrom: Fix memory leak in nr_sendmsg() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 333/737] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 334/737] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 335/737] mlxsw: spectrum_router: Fix possible neighbour reference count leak Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 336/737] mlxsw: spectrum_router: Fix neighbour use-after-free Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 337/737] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 338/737] net: openvswitch: fix middle attribute validation in push_nsh() action Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 339/737] broadcom: b44: prevent uninitialized value usage Greg Kroah-Hartman
2026-01-09 11:37 ` [PATCH 6.6 340/737] netfilter: nf_conncount: fix leaked ct in error paths Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 341/737] ipvs: fix ipv4 null-ptr-deref in route error path Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 342/737] caif: fix integer underflow in cffrml_receive() Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 343/737] net/sched: ets: Remove drr class from the active list if it changes to strict Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 344/737] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 345/737] netfilter: nf_tables: pass context structure to nft_parse_register_load Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 346/737] netfilter: nf_tables: allow loads only when register is initialized Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 347/737] netfilter: nf_tables: remove redundant chain validation on register store Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 348/737] iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 349/737] ethtool: Avoid overflowing userspace buffer on stats query Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 350/737] net/mlx5: fw reset, clear reset requested on drain_fw_reset Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 351/737] net/mlx5: Drain firmware reset in shutdown callback Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 352/737] net/mlx5: fw_tracer, Validate format string parameters Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 353/737] net/mlx5: fw_tracer, Handle escaped percent properly Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 354/737] net/mlx5: Skip HotPlug check on sync reset using hot reset Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 355/737] net/mlx5: Serialize firmware reset with devlink Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 356/737] net/handshake: duplicate handshake cancellations leak socket Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 357/737] net: enetc: do not transmit redirected XDP frames when the link is down Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 358/737] net: hns3: using the num_tqps in the vf driver to apply for resources Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 359/737] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 360/737] net: hns3: add VLAN id validation before using Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 361/737] hwmon: (ibmpex) fix use-after-free in high/low store Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 362/737] hwmon: (tmp401) fix overflow caused by default conversion rate value Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 363/737] MIPS: Fix a reference leak bug in ip22_check_gio() Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 364/737] drm/panel: sony-td4353-jdi: Enable prepare_prev_first Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 365/737] x86/xen: Move Xen upcall handler Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 366/737] x86/xen: Fix sparse warning in enlighten_pv.c Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 367/737] spi: cadence-quadspi: Fix clock disable on probe failure path Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 368/737] block: rnbd-clt: Fix leaked ID in init_dev() Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 369/737] ksmbd: skip lock-range check on equal size to avoid size==0 underflow Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 370/737] ksmbd: Fix refcount leak when invalid session is found on session lookup Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 371/737] ksmbd: fix buffer validation by including null terminator size in EA length Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 372/737] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 373/737] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 374/737] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 375/737] can: gs_usb: gs_can_open(): fix error handling Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 376/737] ACPI: PCC: Fix race condition by removing static qualifier Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 377/737] ACPI: CPPC: Fix missing PCC check for guaranteed_perf Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 378/737] spi: fsl-cpm: Check length parity before switching to 16 bit mode Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 379/737] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 380/737] dt-bindings: mmc: sdhci-of-aspeed: Switch ref to sdhci-common.yaml Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 381/737] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 382/737] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 383/737] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe " Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 384/737] ALSA: usb-mixer: us16x08: validate meter packet indices Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 385/737] ipmi: Fix the race between __scan_channels() and deliver_response() Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 386/737] ipmi: Fix __scan_channels() failing to rescan channels Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 387/737] firmware: imx: scu-irq: Init workqueue before request mbox channel Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 388/737] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 389/737] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 390/737] powerpc/addnote: Fix overflow on 32-bit builds Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 391/737] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 392/737] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 393/737] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 394/737] fuse: Always flush the page cache before FOPEN_DIRECT_IO write Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 395/737] fuse: Invalidate the page cache after " Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 396/737] via_wdt: fix critical boot hang due to unnamed resource allocation Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 397/737] reset: fix BIT macro reference Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 398/737] exfat: fix remount failure in different process environments Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 399/737] usbip: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
2026-01-09 11:38 ` [PATCH 6.6 400/737] usb: typec: ucsi: Handle incorrect num_connectors capability Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 401/737] iio: adc: ti_am335x_adc: Limit step_avg to valid range for gcc complains Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 402/737] usb: xhci: limit run_graceperiod for only usb 3.0 devices Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 403/737] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 404/737] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 405/737] libperf cpumap: Fix perf_cpu_map__max for an empty/NULL map Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 406/737] i2c: designware: Disable SMBus interrupts to prevent storms from mis-configured firmware Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 407/737] nvme-fc: dont hold rport lock when putting ctrl Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 408/737] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 409/737] block: rnbd-clt: Fix signedness bug in init_dev() Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 410/737] vhost/vsock: improve RCU read sections around vhost_vsock_get() Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 411/737] cifs: Fix memory and information leak in smb3_reconfigure() Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 412/737] KEYS: trusted: Fix a memory leak in tpm2_load_cmd Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 413/737] io_uring: fix filename leak in __io_openat_prep() Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 414/737] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 415/737] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 416/737] s390/dasd: Fix gendisk parent after copy pair swap Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 417/737] block: rate-limit capacity change info log Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 418/737] floppy: fix for PAGE_SIZE != 4KB Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 419/737] kallsyms: Fix wrong "big" kernel symbol type read from procfs Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 420/737] fs/ntfs3: fix mount failure for sparse runs in run_unpack() Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 421/737] ktest.pl: Fix uninitialized var in config-bisect.pl Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 422/737] ext4: xattr: fix null pointer deref in ext4_raw_inode() Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 423/737] ext4: clear i_state_flags when alloc inode Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 424/737] ext4: fix incorrect group number assertion in mb_check_buddy Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 425/737] ext4: align max orphan file size with e2fsprogs limit Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 426/737] jbd2: use a per-journal lock_class_key for jbd2_trans_commit_key Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 427/737] jbd2: use a weaker annotation in journal handling Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 428/737] media: v4l2-mem2mem: Fix outdated documentation Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 429/737] mptcp: schedule rtx timer only after pushing data Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 430/737] mptcp: avoid deadlock on fallback while reinjecting Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 431/737] usb: usb-storage: Maintain minimal modifications to the bcdDevice range Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 432/737] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 433/737] media: pvrusb2: Fix incorrect variable used in trace message Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 434/737] phy: broadcom: bcm63xx-usbh: fix section mismatches Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 435/737] USB: lpc32xx_udc: Fix error handling in probe Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 436/737] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 437/737] usb: phy: isp1301: fix non-OF device reference imbalance Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 438/737] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 439/737] usb: dwc3: keep susphy enabled during exit to avoid controller faults Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 440/737] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 441/737] char: applicom: fix NULL pointer dereference in ac_ioctl Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 442/737] intel_th: Fix error handling in intel_th_output_open Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 443/737] cpuidle: governors: teo: Drop misguided target residency check Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 444/737] cpufreq: nforce2: fix reference count leak in nforce2 Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 445/737] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 446/737] scsi: aic94xx: fix use-after-free in device removal path Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 447/737] NFSD: use correct reservation type in nfsd4_scsi_fence_client Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 448/737] scsi: target: Reset t_task_cdb pointer in error case Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 449/737] f2fs: ensure node page reads complete before f2fs_put_super() finishes Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 450/737] f2fs: fix to avoid updating zero-sized extent in extent cache Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 451/737] f2fs: invalidate dentry cache on failed whiteout creation Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 452/737] f2fs: fix age extent cache insertion skip on counter overflow Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 453/737] f2fs: fix return value of f2fs_recover_fsync_data() Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 454/737] tools/testing/nvdimm: Use per-DIMM device handle Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 455/737] media: vidtv: initialize local pointers upon transfer of memory ownership Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 456/737] ocfs2: fix kernel BUG in ocfs2_find_victim_chain Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 457/737] KVM: x86: Dont clear async #PF queue when CR0.PG is disabled (e.g. on #SMI) Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 458/737] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 459/737] scs: fix a wrong parameter in __scs_magic Greg Kroah-Hartman
2026-01-09 11:39 ` [PATCH 6.6 460/737] parisc: Do not reprogram affinitiy on ASP chip Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 461/737] libceph: make decode_pool() more resilient against corrupted osdmaps Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 462/737] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 463/737] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 464/737] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 465/737] KVM: nSVM: Avoid incorrect injection of SVM_EXIT_CR0_SEL_WRITE Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 466/737] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 467/737] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 468/737] KVM: SVM: Mark VMCB_PERM_MAP as dirty on nested VMRUN Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 469/737] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 470/737] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 471/737] xfs: fix a memory leak in xfs_buf_item_init() Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 472/737] tracing: Do not register unsupported perf events Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 473/737] PM: runtime: Do not clear needs_force_resume with enabled runtime PM Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 474/737] r8169: fix RTL8117 Wake-on-Lan in DASH mode Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 475/737] fsnotify: do not generate ACCESS/MODIFY events on child for special files Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 476/737] net/handshake: restore destructor on submit failure Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 477/737] nfsd: Mark variable __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 478/737] svcrdma: return 0 on success from svc_rdma_copy_inline_range Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 479/737] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 480/737] powerpc/kexec: Enable SMT before waking offline CPUs Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 481/737] btrfs: dont log conflicting inode if its a dir moved in the current transaction Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 482/737] s390/ipl: Clear SBP flag when bootprog is set Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 483/737] gpio: regmap: Fix memleak in error path in gpio_regmap_register() Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 484/737] io_uring/poll: correctly handle io_poll_add() return value on update Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 485/737] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 486/737] selftests: openvswitch: Fix escape chars in regexp Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 487/737] crypto: af_alg - zero initialize memory allocated via sock_kmalloc Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 488/737] crypto: caam - Add check for kcalloc() in test_len() Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 489/737] amba: tegra-ahb: Fix device leak on SMMU enable Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 490/737] tracing: Fix fixed array of synthetic event Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 491/737] soc: qcom: ocmem: fix device leak on lookup Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 492/737] soc: amlogic: canvas: " Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 493/737] rpmsg: glink: fix rpmsg device leak Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 494/737] platform/x86: intel: chtwc_int33fe: dont dereference swnode args Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 495/737] i2c: amd-mp2: fix reference leak in MP2 PCI device Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 496/737] hwmon: (max16065) Use local variable to avoid TOCTOU Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 497/737] hwmon: (w83791d) Convert macros to functions " Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 498/737] hwmon: (w83l786ng) " Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 499/737] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 500/737] iommu/mediatek: fix use-after-free on probe deferral Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 501/737] wifi: rtw88: limit indirect IO under powered off for RTL8822CS Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 502/737] wifi: cfg80211: sme: store capped length in __cfg80211_connect_result() Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 503/737] wifi: mac80211: do not use old MBSSID elements Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 504/737] i40e: fix scheduling in set_rx_mode Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 505/737] iavf: fix off-by-one issues in iavf_config_rss_reg() Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 506/737] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 507/737] Bluetooth: btusb: revert use of devm_kzalloc in btusb Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 508/737] net: mdio: aspeed: add dummy read to avoid read-after-write issue Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 509/737] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 510/737] ip6_gre: make ip6gre_header() robust Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 511/737] platform/x86: msi-laptop: add missing sysfs_remove_group() Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 512/737] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 513/737] team: fix check for port enabled in team_queue_override_port_prio_changed() Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 514/737] amd-xgbe: reset retries and mode on RX adapt failures Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 515/737] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 516/737] selftests: net: fix "buffer overflow detected" for tap.c Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 517/737] smc91x: fix broken irq-context in PREEMPT_RT Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 518/737] genalloc.h: fix htmldocs warning Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 519/737] firewire: nosy: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-01-09 11:40 ` [PATCH 6.6 520/737] net: dsa: b53: skip multicast entries for fdb_dump() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 521/737] net: usb: asix: validate PHY address before use Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 522/737] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 523/737] platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 524/737] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 525/737] net: stmmac: fix the crash issue for zero copy XDP_TX action Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 526/737] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 527/737] ipv4: Fix reference count leak when using error routes with nexthop objects Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 528/737] net: rose: fix invalid array index in rose_kill_by_device() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 529/737] RDMA/irdma: avoid invalid read in irdma_net_event Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 530/737] RDMA/efa: Remove possible negative shift Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 531/737] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 532/737] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 533/737] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 534/737] RDMA/bnxt_re: Fix to use correct page size for PDE table Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 535/737] ksmbd: Fix memory leak in get_file_all_info() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 536/737] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 537/737] RDMA/bnxt_re: fix dma_free_coherent() pointer Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 538/737] blk-mq: dont schedule block kworker on isolated CPUs Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 539/737] blk-mq: skip CPU offline notify on unmapped hctx Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 540/737] selftests/ftrace: traceonoff_triggers: strip off names Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 541/737] ntfs: Do not overwrite uptodate pages Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 542/737] ASoC: stm32: sai: fix device leak on probe Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 543/737] ASoC: stm32: sai: fix clk prepare imbalance on probe failure Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 544/737] ASoC: stm32: sai: fix OF node leak on probe Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 545/737] ASoC: qcom: q6apm-dai: set flags to reflect correct operation of appl_ptr Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 546/737] ASoC: qcom: q6asm-dai: perform correct state check before closing Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 547/737] ASoC: qcom: q6adm: the the copp device only during last instance Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 548/737] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 549/737] iommu/amd: Fix pci_segment memleak in alloc_pci_segment() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 550/737] iommu/apple-dart: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 551/737] iommu/exynos: " Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 552/737] iommu/ipmmu-vmsa: " Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 553/737] iommu/mediatek-v1: fix device leak on probe_device() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 554/737] iommu/mediatek-v1: fix device leaks on probe() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 555/737] iommu/mediatek: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 556/737] iommu/omap: fix device leaks on probe_device() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 557/737] iommu/qcom: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 558/737] iommu/sun50i: " Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 559/737] iommu/tegra: fix device leak on probe_device() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 560/737] iommu: disable SVA when CONFIG_X86 is set Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 561/737] HID: logitech-dj: Remove duplicate error logging Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 562/737] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 563/737] arm64: dts: ti: k3-j721e-sk: Fix pinmux for pin Y1 used by power regulator Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 564/737] powerpc, mm: Fix mprotect on book3s 32-bit Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 565/737] powerpc/64s/slb: Fix SLB multihit issue during SLB preload Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 566/737] leds: leds-lp50xx: Allow LED 0 to be added to module bank Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 567/737] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 568/737] leds: leds-lp50xx: Enable chip before any communication Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 569/737] clk: samsung: exynos-clkout: Assign .num before accessing .hws Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 570/737] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 571/737] mfd: max77620: Fix potential IRQ chip conflict when probing two devices Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 572/737] media: rc: st_rc: Fix reset control resource leak Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 573/737] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 574/737] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 575/737] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 576/737] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 577/737] firmware: stratix10-svc: Add mutex in stratix10 memory management Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 578/737] dm-ebs: Mark full buffer dirty even on partial write Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 579/737] dm-bufio: align write boundary on physical block size Greg Kroah-Hartman
2026-01-09 11:41 ` [PATCH 6.6 580/737] fbdev: gbefb: fix to use physical address instead of dma address Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 581/737] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 582/737] fbdev: tcx.c fix mem_map to correct smem_start offset Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 583/737] media: cec: Fix debugfs leak on bus_register() failure Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 584/737] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 585/737] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 586/737] media: samsung: exynos4-is: fix potential ABBA deadlock on init Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 587/737] media: TDA1997x: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 588/737] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 589/737] media: videobuf2: Fix device reference leak in vb2_dc_alloc error path Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 590/737] media: vpif_capture: fix section mismatch Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 591/737] media: vpif_display: " Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 592/737] media: amphion: Cancel message work before releasing the VPU core Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 593/737] media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 594/737] media: i2c: adv7842: " Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 595/737] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 596/737] LoongArch: Add new PCI ID for pci_fixup_vgadev() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 597/737] LoongArch: Correct the calculation logic of thread_count Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 598/737] LoongArch: Fix build errors for CONFIG_RANDSTRUCT Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 599/737] LoongArch: Use __pmd()/__pte() for swap entry conversions Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 600/737] LoongArch: Use unsigned long for _end and _text Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 601/737] compiler_types.h: add "auto" as a macro for "__auto_type" Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 602/737] kasan: refactor pcpu kasan vmalloc unpoison Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 603/737] idr: fix idr_alloc() returning an ID out of range Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 604/737] x86/microcode/AMD: Fix Entrysign revision check for Zen5/Strix Halo Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 605/737] tools/mm/page_owner_sort: fix timestamp comparison for stable sorting Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 606/737] samples/ftrace: Adjust LoongArch register restore order in direct calls Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 607/737] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 608/737] RDMA/cm: Fix leaking the multicast GID table reference Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 609/737] e1000: fix OOB in e1000_tbi_should_accept() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 610/737] fjes: Add missing iounmap in fjes_hw_init() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 611/737] LoongArch: BPF: Zero-extend bpf_tail_call() index Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 612/737] LoongArch: BPF: Sign extend kfunc call arguments Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 613/737] nfsd: Drop the client reference in client_states_open() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 614/737] net: usb: sr9700: fix incorrect command used to write single register Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 615/737] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 616/737] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 617/737] drm/amdgpu: add missing lock to amdgpu_ttm_access_memory_sdma Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 618/737] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 619/737] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 620/737] drm/mediatek: Fix device node reference leak in mtk_dp_dt_parse() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 621/737] drm/ttm: Avoid NULL pointer deref for evicted BOs Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 622/737] drm/mgag200: Fix big-endian support Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 623/737] drm/msm/dpu: Add missing NULL pointer check for pingpong interface Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 624/737] drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 625/737] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 626/737] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 627/737] blk-mq: add helper for checking if one CPU is mapped to specified hctx Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 628/737] tpm: Cap the number of PCR banks Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 629/737] mptcp: Initialise rcv_mss before calling tcp_send_active_reset() in mptcp_do_fastclose() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 630/737] ALSA: wavefront: Use standard print API Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 631/737] ALSA: wavefront: Fix integer overflow in sample size validation Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 632/737] ALSA: wavefront: Use guard() for spin locks Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 633/737] ALSA: wavefront: Clear substream pointers on close Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 634/737] ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_hda_read_acpi() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 635/737] ext4: fix string copying in parse_apply_sb_mount_options() Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 636/737] jbd2: fix the inconsistency between checksum and data in memory for journal sb Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 637/737] gfs2: fix freeze error handling Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 638/737] btrfs: dont rewrite ret from inode_permission Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 639/737] wifi: mt76: Fix DTS power-limits on little endian systems Greg Kroah-Hartman
2026-01-09 11:42 ` [PATCH 6.6 640/737] mm/ksm: fix exec/fork inheritance support for prctl Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 641/737] usb: ohci-nxp: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 642/737] usb: ohci-nxp: fix device leak on probe failure Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 643/737] scsi: ufs: core: Add ufshcd_update_evt_hist() for UFS suspend error Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 644/737] mptcp: pm: ignore unknown endpoint flags Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 645/737] f2fs: use f2fs_err_ratelimited() to avoid redundant logs Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 646/737] f2fs: fix to avoid potential deadlock Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 647/737] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 648/737] gpiolib: acpi: Add quirk for Dell Precision 7780 Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 649/737] ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 650/737] svcrdma: bound check rq_pages index in inline path Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 651/737] fuse: fix readahead reclaim deadlock Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 652/737] PCI: brcmstb: Fix disabling L0s capability Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 653/737] mptcp: fallback earlier on simult connection Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 654/737] lockd: fix vfs_test_lock() calls Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 655/737] wifi: mac80211: Discard Beacon frames to non-broadcast address Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 656/737] mm: simplify folio_expected_ref_count() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 657/737] mm: consider non-anon swap cache folios in folio_expected_ref_count() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 658/737] pmdomain: Use device_get_match_data() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 659/737] pmdomain: imx: Fix reference count leak in imx_gpc_probe() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 660/737] net: phy: mediatek: fix nvmem cell reference leak in mt798x_phy_calibration Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 661/737] mptcp: ensure context reset on disconnect() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 662/737] drm/amdgpu: Forward VMID reservation errors Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 663/737] drm/mediatek: Fix probe memory leak Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 664/737] drm/mediatek: Fix probe resource leaks Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 665/737] drm/tilcdc: request and mapp iomem with devres Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 666/737] drm/tilcdc: Fix removal actions in case of failed probe Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 667/737] tty: introduce and use tty_port_tty_vhangup() helper Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 668/737] xhci: dbgtty: fix device unregister: fixup Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 669/737] usb: xhci: move link chain bit quirk checks into one helper function Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 670/737] usb: xhci: Apply the link chain quirk on NEC isoc endpoints Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 671/737] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 672/737] drm/amd/display: Fix null pointer deref in dcn20_resource.c Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 673/737] LoongArch: Refactor register restoration in ftrace_common_return Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 674/737] powerpc/64s/radix/kfence: map __kfence_pool at page granularity Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 675/737] ext4: fix error message when rejecting the default hash Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 676/737] ext4: introduce ITAIL helper Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 677/737] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 678/737] xfrm: state: fix out-of-bounds read during lookup Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 679/737] page_pool: Fix use-after-free in page_pool_recycle_in_ring Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 680/737] net: dsa: sja1105: fix kasan out-of-bounds warning in sja1105_table_delete_entry() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 681/737] mm: fix arithmetic for bdi min_ratio Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 682/737] mm: fix arithmetic for max_prop_frac when setting max_ratio Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 683/737] genirq/irq_sim: Initialize work context pointers properly Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 684/737] f2fs: remove unused GC_FAILURE_PIN Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 685/737] f2fs: keep POSIX_FADV_NOREUSE ranges Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 686/737] f2fs: drop inode from the donation list when the last file is closed Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 687/737] f2fs: fix to avoid updating compression context during writeback Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 688/737] f2fs: fix to propagate error from f2fs_enable_checkpoint() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 689/737] f2fs: use global inline_xattr_slab instead of per-sb slab cache Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 690/737] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 691/737] media: verisilicon: Store chroma and motion vectors offset Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 692/737] media: verisilicon: g2: Use common helpers to compute chroma and mv offsets Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 693/737] media: verisilicon: Fix CPU stalls on G2 bus error Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 694/737] mm/balloon_compaction: we cannot have isolated pages in the balloon list Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 695/737] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 696/737] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 697/737] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 698/737] media: amphion: Add a frame flush mode for decoder Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 699/737] media: amphion: Make some vpu_v4l2 functions static Greg Kroah-Hartman
2026-01-09 11:43 ` [PATCH 6.6 700/737] media: amphion: Remove vpu_vb_is_codecconfig Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 701/737] media: mediatek: vcodec: Use spinlock for context list protection lock Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 702/737] KVM: SVM: Introduce svm_recalc_lbr_msr_intercepts() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 703/737] KVM: nSVM: Always recalculate LBR MSR intercepts in svm_update_lbrv() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 704/737] KVM: nSVM: Fix and simplify LBR virtualization handling with nested Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 705/737] KVM: SVM: Fix redundant updates of LBR MSR intercepts Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 706/737] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 707/737] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 708/737] RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 709/737] sched/fair: Small cleanup to sched_balance_newidle() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 710/737] sched/fair: Small cleanup to update_newidle_cost() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 711/737] sched/fair: Proportional newidle balance Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 712/737] net: Remove conditional threaded-NAPI wakeup based on task state Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 713/737] net: Allow to use SMP threads for backlog NAPI Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 714/737] RDMA/rxe: Remove the direct link to net_device Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 715/737] RDMA/rxe: Fix the failure of ibv_query_device() and ibv_query_device_ex() tests Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 716/737] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 717/737] mm/damon/tests/core-kunit: handle alloc failres in damon_test_new_filter() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 718/737] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 719/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 720/737] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 721/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 722/737] mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 723/737] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 724/737] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 725/737] mm/damon/tests/core-kunit: handle alloc failures on damos_test_filter_out() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 726/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_set_regions() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 727/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_ops_registration() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 728/737] mm/damon/tests/core-kunit: handle alloc failure on damon_test_set_attrs() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 729/737] mm/damon/tests/core-kunit: handle alloc failures in damon_test_update_monitoring_result() Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 730/737] virtio_console: fix order of fields cols and rows Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 731/737] ext4: filesystems without casefold feature cannot be mounted with siphash Greg Kroah-Hartman
2026-01-09 13:40 ` Thadeu Lima de Souza Cascardo
2026-01-09 14:13 ` Greg Kroah-Hartman
2026-01-11 10:30 ` Thadeu Lima de Souza Cascardo
2026-01-11 13:57 ` Greg Kroah-Hartman
2026-01-27 18:36 ` [PATCH 6.6 176/737] perf arm-spe: Extend branch operations Hamza Mahfooz
2026-01-27 18:41 ` Hamza Mahfooz
2026-01-09 11:44 ` [PATCH 6.6 732/737] net: stmmac: make sure that ptp_rate is not 0 before configuring EST Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 733/737] pwm: stm32: Always program polarity Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 734/737] blk-mq: setup queue ->tag_set before initializing hctx Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 735/737] tty: fix tty_port_tty_*hangup() kernel-doc Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 736/737] firmware: arm_scmi: Fix unused notifier-block in unregister Greg Kroah-Hartman
2026-01-09 11:44 ` [PATCH 6.6 737/737] Revert "iommu/amd: Skip enabling command/event buffers for kdump" Greg Kroah-Hartman
2026-01-09 19:02 ` [PATCH 6.6 000/737] 6.6.120-rc1 review Brett A C Sheffield
2026-01-09 19:35 ` Florian Fainelli
2026-01-09 20:29 ` Slade Watkins
2026-01-09 23:59 ` Shuah Khan
2026-01-10 5:03 ` Peter Schneider
2026-01-10 6:59 ` Ron Economos
2026-01-10 8:27 ` Francesco Dolcini
2026-01-10 10:44 ` Jeffrin Thalakkottoor
2026-01-10 12:55 ` Jon Hunter
2026-01-10 20:07 ` Mark Brown
2026-01-10 21:15 ` Miguel Ojeda
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox