* [PATCH 6.18 001/181] NFSD: Fix permission check for read access to executable-only files
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 002/181] nfsd: provide locking for v4_end_grace Greg Kroah-Hartman
` (193 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Mayhew, Jeff Layton, NeilBrown,
Chuck Lever
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
commit e901c7fce59e72d9f3c92733c379849c4034ac50 upstream.
Commit abc02e5602f7 ("NFSD: Support write delegations in LAYOUTGET")
added NFSD_MAY_OWNER_OVERRIDE to the access flags passed from
nfsd4_layoutget() to fh_verify(). This causes LAYOUTGET to fail for
executable-only files, and causes xfstests generic/126 to fail on
pNFS SCSI.
To allow read access to executable-only files, what we really want is:
1. The "permissions" portion of the access flags (the lower 6 bits)
must be exactly NFSD_MAY_READ
2. The "hints" portion of the access flags (the upper 26 bits) can
contain any combination of NFSD_MAY_OWNER_OVERRIDE and
NFSD_MAY_READ_IF_EXEC
Fixes: abc02e5602f7 ("NFSD: Support write delegations in LAYOUTGET")
Cc: stable@vger.kernel.org # v6.6+
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: NeilBrown <neil@brown.name>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/vfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -2683,8 +2683,8 @@ nfsd_permission(struct svc_cred *cred, s
/* Allow read access to binaries even when mode 111 */
if (err == -EACCES && S_ISREG(inode->i_mode) &&
- (acc == (NFSD_MAY_READ | NFSD_MAY_OWNER_OVERRIDE) ||
- acc == (NFSD_MAY_READ | NFSD_MAY_READ_IF_EXEC)))
+ (((acc & NFSD_MAY_MASK) == NFSD_MAY_READ) &&
+ (acc & (NFSD_MAY_OWNER_OVERRIDE | NFSD_MAY_READ_IF_EXEC))))
err = inode_permission(&nop_mnt_idmap, inode, MAY_EXEC);
return err? nfserrno(err) : 0;
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 002/181] nfsd: provide locking for v4_end_grace
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 001/181] NFSD: Fix permission check for read access to executable-only files Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 003/181] nfsd: use correct loop termination in nfsd4_revoke_states() Greg Kroah-Hartman
` (192 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, NeilBrown, Jeff Layton,
Chuck Lever
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
commit 2857bd59feb63fcf40fe4baf55401baea6b4feb4 upstream.
Writing to v4_end_grace can race with server shutdown and result in
memory being accessed after it was freed - reclaim_str_hashtbl in
particularly.
We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
held while client_tracking_op->init() is called and that can wait for
an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
deadlock.
nfsd4_end_grace() is also called by the landromat work queue and this
doesn't require locking as server shutdown will stop the work and wait
for it before freeing anything that nfsd4_end_grace() might access.
However, we must be sure that writing to v4_end_grace doesn't restart
the work item after shutdown has already waited for it. For this we
add a new flag protected with nn->client_lock. It is set only while it
is safe to make client tracking calls, and v4_end_grace only schedules
work while the flag is set with the spinlock held.
So this patch adds a nfsd_net field "client_tracking_active" which is
set as described. Another field "grace_end_forced", is set when
v4_end_grace is written. After this is set, and providing
client_tracking_active is set, the laundromat is scheduled.
This "grace_end_forced" field bypasses other checks for whether the
grace period has finished.
This resolves a race which can result in use-after-free.
Reported-by: Li Lingfeng <lilingfeng3@huawei.com>
Closes: https://lore.kernel.org/linux-nfs/20250623030015.2353515-1-neil@brown.name/T/#t
Fixes: 7f5ef2e900d9 ("nfsd: add a v4_end_grace file to /proc/fs/nfsd")
Cc: stable@vger.kernel.org
Signed-off-by: NeilBrown <neil@brown.name>
Tested-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/netns.h | 2 ++
fs/nfsd/nfs4state.c | 42 ++++++++++++++++++++++++++++++++++++++++--
fs/nfsd/nfsctl.c | 3 +--
fs/nfsd/state.h | 2 +-
4 files changed, 44 insertions(+), 5 deletions(-)
--- a/fs/nfsd/netns.h
+++ b/fs/nfsd/netns.h
@@ -66,6 +66,8 @@ struct nfsd_net {
struct lock_manager nfsd4_manager;
bool grace_ended;
+ bool grace_end_forced;
+ bool client_tracking_active;
time64_t boot_time;
struct dentry *nfsd_client_dir;
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -84,7 +84,7 @@ static u64 current_sessionid = 1;
/* forward declarations */
static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner);
static void nfs4_free_ol_stateid(struct nfs4_stid *stid);
-void nfsd4_end_grace(struct nfsd_net *nn);
+static void nfsd4_end_grace(struct nfsd_net *nn);
static void _free_cpntf_state_locked(struct nfsd_net *nn, struct nfs4_cpntf_state *cps);
static void nfsd4_file_hash_remove(struct nfs4_file *fi);
static void deleg_reaper(struct nfsd_net *nn);
@@ -6597,7 +6597,7 @@ nfsd4_renew(struct svc_rqst *rqstp, stru
return nfs_ok;
}
-void
+static void
nfsd4_end_grace(struct nfsd_net *nn)
{
/* do nothing if grace period already ended */
@@ -6630,6 +6630,33 @@ nfsd4_end_grace(struct nfsd_net *nn)
*/
}
+/**
+ * nfsd4_force_end_grace - forcibly end the NFSv4 grace period
+ * @nn: network namespace for the server instance to be updated
+ *
+ * Forces bypass of normal grace period completion, then schedules
+ * the laundromat to end the grace period immediately. Does not wait
+ * for the grace period to fully terminate before returning.
+ *
+ * Return values:
+ * %true: Grace termination schedule
+ * %false: No action was taken
+ */
+bool nfsd4_force_end_grace(struct nfsd_net *nn)
+{
+ if (!nn->client_tracking_ops)
+ return false;
+ spin_lock(&nn->client_lock);
+ if (nn->grace_ended || !nn->client_tracking_active) {
+ spin_unlock(&nn->client_lock);
+ return false;
+ }
+ WRITE_ONCE(nn->grace_end_forced, true);
+ mod_delayed_work(laundry_wq, &nn->laundromat_work, 0);
+ spin_unlock(&nn->client_lock);
+ return true;
+}
+
/*
* If we've waited a lease period but there are still clients trying to
* reclaim, wait a little longer to give them a chance to finish.
@@ -6639,6 +6666,8 @@ static bool clients_still_reclaiming(str
time64_t double_grace_period_end = nn->boot_time +
2 * nn->nfsd4_lease;
+ if (READ_ONCE(nn->grace_end_forced))
+ return false;
if (nn->track_reclaim_completes &&
atomic_read(&nn->nr_reclaim_complete) ==
nn->reclaim_str_hashtbl_size)
@@ -8942,6 +8971,8 @@ static int nfs4_state_create_net(struct
nn->unconf_name_tree = RB_ROOT;
nn->boot_time = ktime_get_real_seconds();
nn->grace_ended = false;
+ nn->grace_end_forced = false;
+ nn->client_tracking_active = false;
nn->nfsd4_manager.block_opens = true;
INIT_LIST_HEAD(&nn->nfsd4_manager.list);
INIT_LIST_HEAD(&nn->client_lru);
@@ -9022,6 +9053,10 @@ nfs4_state_start_net(struct net *net)
return ret;
locks_start_grace(net, &nn->nfsd4_manager);
nfsd4_client_tracking_init(net);
+ /* safe for laundromat to run now */
+ spin_lock(&nn->client_lock);
+ nn->client_tracking_active = true;
+ spin_unlock(&nn->client_lock);
if (nn->track_reclaim_completes && nn->reclaim_str_hashtbl_size == 0)
goto skip_grace;
printk(KERN_INFO "NFSD: starting %lld-second grace period (net %x)\n",
@@ -9070,6 +9105,9 @@ nfs4_state_shutdown_net(struct net *net)
shrinker_free(nn->nfsd_client_shrinker);
cancel_work_sync(&nn->nfsd_shrinker_work);
+ spin_lock(&nn->client_lock);
+ nn->client_tracking_active = false;
+ spin_unlock(&nn->client_lock);
cancel_delayed_work_sync(&nn->laundromat_work);
locks_end_grace(&nn->nfsd4_manager);
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1082,10 +1082,9 @@ static ssize_t write_v4_end_grace(struct
case 'Y':
case 'y':
case '1':
- if (!nn->nfsd_serv)
+ if (!nfsd4_force_end_grace(nn))
return -EBUSY;
trace_nfsd_end_grace(netns(file));
- nfsd4_end_grace(nn);
break;
default:
return -EINVAL;
--- a/fs/nfsd/state.h
+++ b/fs/nfsd/state.h
@@ -849,7 +849,7 @@ static inline void nfsd4_revoke_states(s
#endif
/* grace period management */
-void nfsd4_end_grace(struct nfsd_net *nn);
+bool nfsd4_force_end_grace(struct nfsd_net *nn);
/* nfs4recover operations */
extern int nfsd4_client_tracking_init(struct net *net);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 003/181] nfsd: use correct loop termination in nfsd4_revoke_states()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 001/181] NFSD: Fix permission check for read access to executable-only files Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 002/181] nfsd: provide locking for v4_end_grace Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 004/181] nfsd: check that server is running in unlock_filesystem Greg Kroah-Hartman
` (191 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, NeilBrown, Jeff Layton, Chuck Lever
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
commit fb321998de7639f1954430674475e469fb529d9c upstream.
The loop in nfsd4_revoke_states() stops one too early because
the end value given is CLIENT_HASH_MASK where it should be
CLIENT_HASH_SIZE.
This means that an admin request to drop all locks for a filesystem will
miss locks held by clients which hash to the maximum possible hash value.
Fixes: 1ac3629bf012 ("nfsd: prepare for supporting admin-revocation of state")
Cc: stable@vger.kernel.org
Signed-off-by: NeilBrown <neil@brown.name>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1780,7 +1780,7 @@ void nfsd4_revoke_states(struct net *net
sc_types = SC_TYPE_OPEN | SC_TYPE_LOCK | SC_TYPE_DELEG | SC_TYPE_LAYOUT;
spin_lock(&nn->client_lock);
- for (idhashval = 0; idhashval < CLIENT_HASH_MASK; idhashval++) {
+ for (idhashval = 0; idhashval < CLIENT_HASH_SIZE; idhashval++) {
struct list_head *head = &nn->conf_id_hashtbl[idhashval];
struct nfs4_client *clp;
retry:
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 004/181] nfsd: check that server is running in unlock_filesystem
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 003/181] nfsd: use correct loop termination in nfsd4_revoke_states() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 005/181] NFSD: net ref data still needs to be freed even if net hasnt startup Greg Kroah-Hartman
` (190 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, NeilBrown, Jeff Layton,
Olga Kornievskaia, Chuck Lever
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olga Kornievskaia <okorniev@redhat.com>
commit d0424066fcd294977f310964bed6f2a487fa4515 upstream.
If we are trying to unlock the filesystem via an administrative
interface and nfsd isn't running, it crashes the server. This
happens currently because nfsd4_revoke_states() access state
structures (eg., conf_id_hashtbl) that has been freed as a part
of the server shutdown.
[ 59.465072] Call trace:
[ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P)
[ 59.465830] write_unlock_fs+0x258/0x440 [nfsd]
[ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd]
[ 59.466780] vfs_write+0x1f0/0x938
[ 59.467088] ksys_write+0xfc/0x1f8
[ 59.467395] __arm64_sys_write+0x74/0xb8
[ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8
[ 59.468177] do_el0_svc+0x154/0x1d8
[ 59.468489] el0_svc+0x40/0xe0
[ 59.468767] el0t_64_sync_handler+0xa0/0xe8
[ 59.469138] el0t_64_sync+0x1ac/0x1b0
Ensure this can't happen by taking the nfsd_mutex and checking that
the server is still up, and then holding the mutex across the call to
nfsd4_revoke_states().
Reviewed-by: NeilBrown <neil@brown.name>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Fixes: 1ac3629bf0125 ("nfsd: prepare for supporting admin-revocation of state")
Cc: stable@vger.kernel.org
Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 5 ++---
fs/nfsd/nfsctl.c | 9 ++++++++-
fs/nfsd/state.h | 4 ++--
3 files changed, 12 insertions(+), 6 deletions(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1759,7 +1759,7 @@ static struct nfs4_stid *find_one_sb_sti
/**
* nfsd4_revoke_states - revoke all nfsv4 states associated with given filesystem
- * @net: used to identify instance of nfsd (there is one per net namespace)
+ * @nn: used to identify instance of nfsd (there is one per net namespace)
* @sb: super_block used to identify target filesystem
*
* All nfs4 states (open, lock, delegation, layout) held by the server instance
@@ -1771,9 +1771,8 @@ static struct nfs4_stid *find_one_sb_sti
* The clients which own the states will subsequently being notified that the
* states have been "admin-revoked".
*/
-void nfsd4_revoke_states(struct net *net, struct super_block *sb)
+void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb)
{
- struct nfsd_net *nn = net_generic(net, nfsd_net_id);
unsigned int idhashval;
unsigned int sc_types;
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -259,6 +259,7 @@ static ssize_t write_unlock_fs(struct fi
struct path path;
char *fo_path;
int error;
+ struct nfsd_net *nn;
/* sanity check */
if (size == 0)
@@ -285,7 +286,13 @@ static ssize_t write_unlock_fs(struct fi
* 3. Is that directory the root of an exported file system?
*/
error = nlmsvc_unlock_all_by_sb(path.dentry->d_sb);
- nfsd4_revoke_states(netns(file), path.dentry->d_sb);
+ mutex_lock(&nfsd_mutex);
+ nn = net_generic(netns(file), nfsd_net_id);
+ if (nn->nfsd_serv)
+ nfsd4_revoke_states(nn, path.dentry->d_sb);
+ else
+ error = -EINVAL;
+ mutex_unlock(&nfsd_mutex);
path_put(&path);
return error;
--- a/fs/nfsd/state.h
+++ b/fs/nfsd/state.h
@@ -841,9 +841,9 @@ static inline void get_nfs4_file(struct
struct nfsd_file *find_any_file(struct nfs4_file *f);
#ifdef CONFIG_NFSD_V4
-void nfsd4_revoke_states(struct net *net, struct super_block *sb);
+void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb);
#else
-static inline void nfsd4_revoke_states(struct net *net, struct super_block *sb)
+static inline void nfsd4_revoke_states(struct nfsd_net *nn, struct super_block *sb)
{
}
#endif
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 005/181] NFSD: net ref data still needs to be freed even if net hasnt startup
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 004/181] nfsd: check that server is running in unlock_filesystem Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 006/181] NFSD: Remove NFSERR_EAGAIN Greg Kroah-Hartman
` (189 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6ee3b889bdeada0a6226,
Edward Adam Davis, Chuck Lever
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 0b88bfa42e5468baff71909c2f324a495318532b upstream.
When the NFSD instance doesn't to startup, the net ref data memory is
not properly reclaimed, which triggers the memory leak issue reported
by syzbot [1].
To avoid the problem reported in [1], the net ref data memory reclamation
action is moved outside of nfsd_net_up when the net is shutdown.
[1]
unreferenced object 0xffff88812a39dfc0 (size 64):
backtrace (crc a2262fc6):
percpu_ref_init+0x94/0x1e0 lib/percpu-refcount.c:76
nfsd_create_serv+0xbe/0x260 fs/nfsd/nfssvc.c:605
nfsd_nl_listener_set_doit+0x62/0xb00 fs/nfsd/nfsctl.c:1882
genl_family_rcv_msg_doit+0x11e/0x190 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x2fd/0x440 net/netlink/genetlink.c:1210
BUG: memory leak
Reported-by: syzbot+6ee3b889bdeada0a6226@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6ee3b889bdeada0a6226
Fixes: 39972494e318 ("nfsd: update percpu_ref to manage references on nfsd_net")
Cc: stable@vger.kernel.org
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfssvc.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -424,26 +424,26 @@ static void nfsd_shutdown_net(struct net
{
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
- if (!nn->nfsd_net_up)
- return;
-
- percpu_ref_kill_and_confirm(&nn->nfsd_net_ref, nfsd_net_done);
- wait_for_completion(&nn->nfsd_net_confirm_done);
-
- nfsd_export_flush(net);
- nfs4_state_shutdown_net(net);
- nfsd_reply_cache_shutdown(nn);
- nfsd_file_cache_shutdown_net(net);
- if (nn->lockd_up) {
- lockd_down(net);
- nn->lockd_up = false;
+ if (nn->nfsd_net_up) {
+ percpu_ref_kill_and_confirm(&nn->nfsd_net_ref, nfsd_net_done);
+ wait_for_completion(&nn->nfsd_net_confirm_done);
+
+ nfsd_export_flush(net);
+ nfs4_state_shutdown_net(net);
+ nfsd_reply_cache_shutdown(nn);
+ nfsd_file_cache_shutdown_net(net);
+ if (nn->lockd_up) {
+ lockd_down(net);
+ nn->lockd_up = false;
+ }
+ wait_for_completion(&nn->nfsd_net_free_done);
}
- wait_for_completion(&nn->nfsd_net_free_done);
percpu_ref_exit(&nn->nfsd_net_ref);
+ if (nn->nfsd_net_up)
+ nfsd_shutdown_generic();
nn->nfsd_net_up = false;
- nfsd_shutdown_generic();
}
static DEFINE_SPINLOCK(nfsd_notifier_lock);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 006/181] NFSD: Remove NFSERR_EAGAIN
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 005/181] NFSD: net ref data still needs to be freed even if net hasnt startup Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 007/181] atm: Fix dma_free_coherent() size Greg Kroah-Hartman
` (188 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, NeilBrown, Jeff Layton, Chuck Lever
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit c6c209ceb87f64a6ceebe61761951dcbbf4a0baa upstream.
I haven't found an NFSERR_EAGAIN in RFCs 1094, 1813, 7530, or 8881.
None of these RFCs have an NFS status code that match the numeric
value "11".
Based on the meaning of the EAGAIN errno, I presume the use of this
status in NFSD means NFS4ERR_DELAY. So replace the one usage of
nfserr_eagain, and remove it from NFSD's NFS status conversion
tables.
As far as I can tell, NFSERR_EAGAIN has existed since the pre-git
era, but was not actually used by any code until commit f4e44b393389
("NFSD: delay unmount source's export after inter-server copy
completed."), at which time it become possible for NFSD to return
a status code of 11 (which is not valid NFS protocol).
Fixes: f4e44b393389 ("NFSD: delay unmount source's export after inter-server copy completed.")
Cc: stable@vger.kernel.org
Reviewed-by: NeilBrown <neil@brown.name>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs_common/common.c | 1 -
fs/nfsd/nfs4proc.c | 2 +-
fs/nfsd/nfsd.h | 1 -
include/trace/misc/nfs.h | 2 --
include/uapi/linux/nfs.h | 1 -
5 files changed, 1 insertion(+), 6 deletions(-)
--- a/fs/nfs_common/common.c
+++ b/fs/nfs_common/common.c
@@ -17,7 +17,6 @@ static const struct {
{ NFSERR_NOENT, -ENOENT },
{ NFSERR_IO, -EIO },
{ NFSERR_NXIO, -ENXIO },
-/* { NFSERR_EAGAIN, -EAGAIN }, */
{ NFSERR_ACCES, -EACCES },
{ NFSERR_EXIST, -EEXIST },
{ NFSERR_XDEV, -EXDEV },
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1506,7 +1506,7 @@ try_again:
(schedule_timeout(20*HZ) == 0)) {
finish_wait(&nn->nfsd_ssc_waitq, &wait);
kfree(work);
- return nfserr_eagain;
+ return nfserr_jukebox;
}
finish_wait(&nn->nfsd_ssc_waitq, &wait);
goto try_again;
--- a/fs/nfsd/nfsd.h
+++ b/fs/nfsd/nfsd.h
@@ -232,7 +232,6 @@ void nfsd_lockd_shutdown(void);
#define nfserr_noent cpu_to_be32(NFSERR_NOENT)
#define nfserr_io cpu_to_be32(NFSERR_IO)
#define nfserr_nxio cpu_to_be32(NFSERR_NXIO)
-#define nfserr_eagain cpu_to_be32(NFSERR_EAGAIN)
#define nfserr_acces cpu_to_be32(NFSERR_ACCES)
#define nfserr_exist cpu_to_be32(NFSERR_EXIST)
#define nfserr_xdev cpu_to_be32(NFSERR_XDEV)
--- a/include/trace/misc/nfs.h
+++ b/include/trace/misc/nfs.h
@@ -16,7 +16,6 @@ TRACE_DEFINE_ENUM(NFSERR_PERM);
TRACE_DEFINE_ENUM(NFSERR_NOENT);
TRACE_DEFINE_ENUM(NFSERR_IO);
TRACE_DEFINE_ENUM(NFSERR_NXIO);
-TRACE_DEFINE_ENUM(NFSERR_EAGAIN);
TRACE_DEFINE_ENUM(NFSERR_ACCES);
TRACE_DEFINE_ENUM(NFSERR_EXIST);
TRACE_DEFINE_ENUM(NFSERR_XDEV);
@@ -52,7 +51,6 @@ TRACE_DEFINE_ENUM(NFSERR_JUKEBOX);
{ NFSERR_NXIO, "NXIO" }, \
{ ECHILD, "CHILD" }, \
{ ETIMEDOUT, "TIMEDOUT" }, \
- { NFSERR_EAGAIN, "AGAIN" }, \
{ NFSERR_ACCES, "ACCES" }, \
{ NFSERR_EXIST, "EXIST" }, \
{ NFSERR_XDEV, "XDEV" }, \
--- a/include/uapi/linux/nfs.h
+++ b/include/uapi/linux/nfs.h
@@ -49,7 +49,6 @@
NFSERR_NOENT = 2, /* v2 v3 v4 */
NFSERR_IO = 5, /* v2 v3 v4 */
NFSERR_NXIO = 6, /* v2 v3 v4 */
- NFSERR_EAGAIN = 11, /* v2 v3 */
NFSERR_ACCES = 13, /* v2 v3 v4 */
NFSERR_EXIST = 17, /* v2 v3 v4 */
NFSERR_XDEV = 18, /* v3 v4 */
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 007/181] atm: Fix dma_free_coherent() size
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 006/181] NFSD: Remove NFSERR_EAGAIN Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 008/181] net: 3com: 3c59x: fix possible null dereference in vortex_probe1() Greg Kroah-Hartman
` (187 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 4d984b0574ff708e66152763fbfdef24ea40933f upstream.
The size of the buffer is not the same when alloc'd with
dma_alloc_coherent() in he_init_tpdrq() and freed.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20260107090141.80900-2-fourier.thomas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/atm/he.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/atm/he.c
+++ b/drivers/atm/he.c
@@ -1587,7 +1587,8 @@ he_stop(struct he_dev *he_dev)
he_dev->tbrq_base, he_dev->tbrq_phys);
if (he_dev->tpdrq_base)
- dma_free_coherent(&he_dev->pci_dev->dev, CONFIG_TBRQ_SIZE * sizeof(struct he_tbrq),
+ dma_free_coherent(&he_dev->pci_dev->dev,
+ CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq),
he_dev->tpdrq_base, he_dev->tpdrq_phys);
dma_pool_destroy(he_dev->tpd_pool);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 008/181] net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 007/181] atm: Fix dma_free_coherent() size Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 009/181] net: do not write to msg_get_inq in callee Greg Kroah-Hartman
` (186 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit a4e305ed60f7c41bbf9aabc16dd75267194e0de3 upstream.
pdev can be null and free_ring: can be called in 1297 with a null
pdev.
Fixes: 55c82617c3e8 ("3c59x: convert to generic DMA API")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20260106094731.25819-2-fourier.thomas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/3com/3c59x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/3com/3c59x.c
+++ b/drivers/net/ethernet/3com/3c59x.c
@@ -1473,7 +1473,7 @@ static int vortex_probe1(struct device *
return 0;
free_ring:
- dma_free_coherent(&pdev->dev,
+ dma_free_coherent(gendev,
sizeof(struct boom_rx_desc) * RX_RING_SIZE +
sizeof(struct boom_tx_desc) * TX_RING_SIZE,
vp->rx_ring, vp->rx_ring_dma);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 009/181] net: do not write to msg_get_inq in callee
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 008/181] net: 3com: 3c59x: fix possible null dereference in vortex_probe1() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 010/181] arm64: Fix cleared E0POE bit after cpu_suspend()/resume() Greg Kroah-Hartman
` (185 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Jens Axboe,
Eric Dumazet, Kuniyuki Iwashima, Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
commit 7d11e047eda5f98514ae62507065ac961981c025 upstream.
NULL pointer dereference fix.
msg_get_inq is an input field from caller to callee. Don't set it in
the callee, as the caller may not clear it on struct reuse.
This is a kernel-internal variant of msghdr only, and the only user
does reinitialize the field. So this is not critical for that reason.
But it is more robust to avoid the write, and slightly simpler code.
And it fixes a bug, see below.
Callers set msg_get_inq to request the input queue length to be
returned in msg_inq. This is equivalent to but independent from the
SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq).
To reduce branching in the hot path the second also sets the msg_inq.
That is WAI.
This is a fix to commit 4d1442979e4a ("af_unix: don't post cmsg for
SO_INQ unless explicitly asked for"), which fixed the inverse.
Also avoid NULL pointer dereference in unix_stream_read_generic if
state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg
can happen when splicing as of commit 2b514574f7e8 ("net: af_unix:
implement splice for stream af_unix sockets").
Also collapse two branches using a bitwise or.
Cc: stable@vger.kernel.org
Fixes: 4d1442979e4a ("af_unix: don't post cmsg for SO_INQ unless explicitly asked for")
Link: https://lore.kernel.org/netdev/willemdebruijn.kernel.24d8030f7a3de@gmail.com/
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260106150626.3944363-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp.c | 8 +++-----
net/unix/af_unix.c | 8 +++-----
2 files changed, 6 insertions(+), 10 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2651,10 +2651,8 @@ static int tcp_recvmsg_locked(struct soc
if (sk->sk_state == TCP_LISTEN)
goto out;
- if (tp->recvmsg_inq) {
+ if (tp->recvmsg_inq)
*cmsg_flags = TCP_CMSG_INQ;
- msg->msg_get_inq = 1;
- }
timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
/* Urgent data needs to be handled specially. */
@@ -2928,10 +2926,10 @@ int tcp_recvmsg(struct sock *sk, struct
ret = tcp_recvmsg_locked(sk, msg, len, flags, &tss, &cmsg_flags);
release_sock(sk);
- if ((cmsg_flags || msg->msg_get_inq) && ret >= 0) {
+ if ((cmsg_flags | msg->msg_get_inq) && ret >= 0) {
if (cmsg_flags & TCP_CMSG_TS)
tcp_recv_timestamp(msg, sk, &tss);
- if (msg->msg_get_inq) {
+ if ((cmsg_flags & TCP_CMSG_INQ) | msg->msg_get_inq) {
msg->msg_inq = tcp_inq_hint(sk);
if (cmsg_flags & TCP_CMSG_INQ)
put_cmsg(msg, SOL_TCP, TCP_CM_INQ,
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2929,7 +2929,6 @@ static int unix_stream_read_generic(stru
unsigned int last_len;
struct unix_sock *u;
int copied = 0;
- bool do_cmsg;
int err = 0;
long timeo;
int target;
@@ -2955,9 +2954,6 @@ static int unix_stream_read_generic(stru
u = unix_sk(sk);
- do_cmsg = READ_ONCE(u->recvmsg_inq);
- if (do_cmsg)
- msg->msg_get_inq = 1;
redo:
/* Lock the socket to prevent queue disordering
* while sleeps in memcpy_tomsg
@@ -3115,9 +3111,11 @@ unlock:
mutex_unlock(&u->iolock);
if (msg) {
+ bool do_cmsg = READ_ONCE(u->recvmsg_inq);
+
scm_recv_unix(sock, msg, &scm, flags);
- if (msg->msg_get_inq && (copied ?: err) >= 0) {
+ if ((do_cmsg | msg->msg_get_inq) && (copied ?: err) >= 0) {
msg->msg_inq = READ_ONCE(u->inq_len);
if (do_cmsg)
put_cmsg(msg, SOL_SOCKET, SCM_INQ,
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 010/181] arm64: Fix cleared E0POE bit after cpu_suspend()/resume()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 009/181] net: do not write to msg_get_inq in callee Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 011/181] bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup Greg Kroah-Hartman
` (184 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yeoreum Yun, Anshuman Khandual,
Kevin Brodsky, Catalin Marinas
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yeoreum Yun <yeoreum.yun@arm.com>
commit bdf3f4176092df5281877cacf42f843063b4784d upstream.
TCR2_ELx.E0POE is set during smp_init().
However, this bit is not reprogrammed when the CPU enters suspension and
later resumes via cpu_resume(), as __cpu_setup() does not re-enable E0POE
and there is no save/restore logic for the TCR2_ELx system register.
As a result, the E0POE feature no longer works after cpu_resume().
To address this, save and restore TCR2_EL1 in the cpu_suspend()/cpu_resume()
path, rather than adding related logic to __cpu_setup(), taking into account
possible future extensions of the TCR2_ELx feature.
Fixes: bf83dae90fbc ("arm64: enable the Permission Overlay Extension for EL0")
Cc: <stable@vger.kernel.org> # 6.12.x
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Reviewed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/suspend.h | 2 +-
arch/arm64/mm/proc.S | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
--- a/arch/arm64/include/asm/suspend.h
+++ b/arch/arm64/include/asm/suspend.h
@@ -2,7 +2,7 @@
#ifndef __ASM_SUSPEND_H
#define __ASM_SUSPEND_H
-#define NR_CTX_REGS 13
+#define NR_CTX_REGS 14
#define NR_CALLEE_SAVED_REGS 12
/*
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -100,6 +100,10 @@ SYM_FUNC_START(cpu_do_suspend)
* call stack.
*/
str x18, [x0, #96]
+alternative_if ARM64_HAS_TCR2
+ mrs x2, REG_TCR2_EL1
+ str x2, [x0, #104]
+alternative_else_nop_endif
ret
SYM_FUNC_END(cpu_do_suspend)
@@ -134,6 +138,10 @@ SYM_FUNC_START(cpu_do_resume)
msr tcr_el1, x8
msr vbar_el1, x9
msr mdscr_el1, x10
+alternative_if ARM64_HAS_TCR2
+ ldr x2, [x0, #104]
+ msr REG_TCR2_EL1, x2
+alternative_else_nop_endif
msr sctlr_el1, x12
set_this_cpu_offset x13
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 011/181] bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 010/181] arm64: Fix cleared E0POE bit after cpu_suspend()/resume() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 012/181] btrfs: always detect conflicting inodes when logging inode refs Greg Kroah-Hartman
` (183 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pavan Chebbi, Breno Leitao,
Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
commit 3358995b1a7f9dcb52a56ec8251570d71024dad0 upstream.
When bnxt_init_one() fails during initialization (e.g.,
bnxt_init_int_mode returns -ENODEV), the error path calls
bnxt_free_hwrm_resources() which destroys the DMA pool and sets
bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called,
which invokes ptp_clock_unregister().
Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to
disable events"), ptp_clock_unregister() now calls
ptp_disable_all_events(), which in turn invokes the driver's .enable()
callback (bnxt_ptp_enable()) to disable PTP events before completing the
unregistration.
bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin()
and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This
function tries to allocate from bp->hwrm_dma_pool, causing a NULL
pointer dereference:
bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
Call Trace:
__hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)
bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)
ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)
ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)
bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)
bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)
Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3")
Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before
freeing HWRM resources.
Suggested-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Fixes: a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events")
Cc: stable@vger.kernel.org
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://patch.msgid.link/20260106-bnxt-v3-1-71f37e11446a@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -16856,12 +16856,12 @@ init_err_dl:
init_err_pci_clean:
bnxt_hwrm_func_drv_unrgtr(bp);
- bnxt_free_hwrm_resources(bp);
- bnxt_hwmon_uninit(bp);
- bnxt_ethtool_free(bp);
bnxt_ptp_clear(bp);
kfree(bp->ptp_cfg);
bp->ptp_cfg = NULL;
+ bnxt_free_hwrm_resources(bp);
+ bnxt_hwmon_uninit(bp);
+ bnxt_ethtool_free(bp);
kfree(bp->fw_health);
bp->fw_health = NULL;
bnxt_cleanup_pci(bp);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 012/181] btrfs: always detect conflicting inodes when logging inode refs
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 011/181] bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 013/181] mei: me: add nova lake point S DID Greg Kroah-Hartman
` (182 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Filipe Manana, David Sterba
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 upstream.
After rename exchanging (either with the rename exchange operation or
regular renames in multiple non-atomic steps) two inodes and at least
one of them is a directory, we can end up with a log tree that contains
only of the inodes and after a power failure that can result in an attempt
to delete the other inode when it should not because it was not deleted
before the power failure. In some case that delete attempt fails when
the target inode is a directory that contains a subvolume inside it, since
the log replay code is not prepared to deal with directory entries that
point to root items (only inode items).
1) We have directories "dir1" (inode A) and "dir2" (inode B) under the
same parent directory;
2) We have a file (inode C) under directory "dir1" (inode A);
3) We have a subvolume inside directory "dir2" (inode B);
4) All these inodes were persisted in a past transaction and we are
currently at transaction N;
5) We rename the file (inode C), so at btrfs_log_new_name() we update
inode C's last_unlink_trans to N;
6) We get a rename exchange for "dir1" (inode A) and "dir2" (inode B),
so after the exchange "dir1" is inode B and "dir2" is inode A.
During the rename exchange we call btrfs_log_new_name() for inodes
A and B, but because they are directories, we don't update their
last_unlink_trans to N;
7) An fsync against the file (inode C) is done, and because its inode
has a last_unlink_trans with a value of N we log its parent directory
(inode A) (through btrfs_log_all_parents(), called from
btrfs_log_inode_parent()).
8) So we end up with inode B not logged, which now has the old name
of inode A. At copy_inode_items_to_log(), when logging inode A, we
did not check if we had any conflicting inode to log because inode
A has a generation lower than the current transaction (created in
a past transaction);
9) After a power failure, when replaying the log tree, since we find that
inode A has a new name that conflicts with the name of inode B in the
fs tree, we attempt to delete inode B... this is wrong since that
directory was never deleted before the power failure, and because there
is a subvolume inside that directory, attempting to delete it will fail
since replay_dir_deletes() and btrfs_unlink_inode() are not prepared
to deal with dir items that point to roots instead of inodes.
When that happens the mount fails and we get a stack trace like the
following:
[87.2314] BTRFS info (device dm-0): start tree-log replay
[87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259
[87.2332] ------------[ cut here ]------------
[87.2338] BTRFS: Transaction aborted (error -2)
[87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs]
[87.2368] Modules linked in: btrfs loop dm_thin_pool (...)
[87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full)
[87.2489] Tainted: [W]=WARN
[87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
[87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs]
[87.2538] Code: c0 89 04 24 (...)
[87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286
[87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000
[87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff
[87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840
[87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0
[87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10
[87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000
[87.2629] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[87.2637] CR2: 00007ffc9ec33b98 CR3: 000000011273e003 CR4: 0000000000370ef0
[87.2648] Call Trace:
[87.2651] <TASK>
[87.2654] btrfs_unlink_inode+0x15/0x40 [btrfs]
[87.2661] unlink_inode_for_log_replay+0x27/0xf0 [btrfs]
[87.2669] check_item_in_log+0x1ea/0x2c0 [btrfs]
[87.2676] replay_dir_deletes+0x16b/0x380 [btrfs]
[87.2684] fixup_inode_link_count+0x34b/0x370 [btrfs]
[87.2696] fixup_inode_link_counts+0x41/0x160 [btrfs]
[87.2703] btrfs_recover_log_trees+0x1ff/0x7c0 [btrfs]
[87.2711] ? __pfx_replay_one_buffer+0x10/0x10 [btrfs]
[87.2719] open_ctree+0x10bb/0x15f0 [btrfs]
[87.2726] btrfs_get_tree.cold+0xb/0x16c [btrfs]
[87.2734] ? fscontext_read+0x15c/0x180
[87.2740] ? rw_verify_area+0x50/0x180
[87.2746] vfs_get_tree+0x25/0xd0
[87.2750] vfs_cmd_create+0x59/0xe0
[87.2755] __do_sys_fsconfig+0x4f6/0x6b0
[87.2760] do_syscall_64+0x50/0x1220
[87.2764] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[87.2770] RIP: 0033:0x7f7b9625f4aa
[87.2775] Code: 73 01 c3 48 (...)
[87.2803] RSP: 002b:00007ffc9ec35b08 EFLAGS: 00000246 ORIG_RAX: 00000000000001af
[87.2817] RAX: ffffffffffffffda RBX: 0000558bfa91ac20 RCX: 00007f7b9625f4aa
[87.2829] RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
[87.2842] RBP: 0000558bfa91b120 R08: 0000000000000000 R09: 0000000000000000
[87.2854] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[87.2864] R13: 00007f7b963f1580 R14: 00007f7b963f326c R15: 00007f7b963d8a23
[87.2877] </TASK>
[87.2882] ---[ end trace 0000000000000000 ]---
[87.2891] BTRFS: error (device dm-0 state A) in __btrfs_unlink_inode:4345: errno=-2 No such entry
[87.2904] BTRFS: error (device dm-0 state EAO) in do_abort_log_replay:191: errno=-2 No such entry
[87.2915] BTRFS critical (device dm-0 state EAO): log tree (for root 5) leaf currently being processed (slot 7 key (258 12 257)):
[87.2929] BTRFS info (device dm-0 state EAO): leaf 30736384 gen 10 total ptrs 7 free space 15712 owner 18446744073709551610
[87.2929] BTRFS info (device dm-0 state EAO): refs 3 lock_owner 0 current 638968
[87.2929] item 0 key (257 INODE_ITEM 0) itemoff 16123 itemsize 160
[87.2929] inode generation 9 transid 10 size 0 nbytes 0
[87.2929] block group 0 mode 40755 links 1 uid 0 gid 0
[87.2929] rdev 0 sequence 7 flags 0x0
[87.2929] atime 1765464494.678070921
[87.2929] ctime 1765464494.686606513
[87.2929] mtime 1765464494.686606513
[87.2929] otime 1765464494.678070921
[87.2929] item 1 key (257 INODE_REF 256) itemoff 16109 itemsize 14
[87.2929] index 4 name_len 4
[87.2929] item 2 key (257 DIR_LOG_INDEX 2) itemoff 16101 itemsize 8
[87.2929] dir log end 2
[87.2929] item 3 key (257 DIR_LOG_INDEX 3) itemoff 16093 itemsize 8
[87.2929] dir log end 18446744073709551615
[87.2930] item 4 key (257 DIR_INDEX 3) itemoff 16060 itemsize 33
[87.2930] location key (258 1 0) type 1
[87.2930] transid 10 data_len 0 name_len 3
[87.2930] item 5 key (258 INODE_ITEM 0) itemoff 15900 itemsize 160
[87.2930] inode generation 9 transid 10 size 0 nbytes 0
[87.2930] block group 0 mode 100644 links 1 uid 0 gid 0
[87.2930] rdev 0 sequence 2 flags 0x0
[87.2930] atime 1765464494.678456467
[87.2930] ctime 1765464494.686606513
[87.2930] mtime 1765464494.678456467
[87.2930] otime 1765464494.678456467
[87.2930] item 6 key (258 INODE_REF 257) itemoff 15887 itemsize 13
[87.2930] index 3 name_len 3
[87.2930] BTRFS critical (device dm-0 state EAO): log replay failed in unlink_inode_for_log_replay:1045 for root 5, stage 3, with error -2: failed to unlink inode 256 parent dir 259 name subvol root 5
[87.2963] BTRFS: error (device dm-0 state EAO) in btrfs_recover_log_trees:7743: errno=-2 No such entry
[87.2981] BTRFS: error (device dm-0 state EAO) in btrfs_replay_log:2083: errno=-2 No such entry (Failed to recover log tr
So fix this by changing copy_inode_items_to_log() to always detect if
there are conflicting inodes for the ref/extref of the inode being logged
even if the inode was created in a past transaction.
A test case for fstests will follow soon.
CC: stable@vger.kernel.org # 6.1+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/tree-log.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -6348,10 +6348,8 @@ again:
* and no keys greater than that, so bail out.
*/
break;
- } else if ((min_key->type == BTRFS_INODE_REF_KEY ||
- min_key->type == BTRFS_INODE_EXTREF_KEY) &&
- (inode->generation == trans->transid ||
- ctx->logging_conflict_inodes)) {
+ } else if (min_key->type == BTRFS_INODE_REF_KEY ||
+ min_key->type == BTRFS_INODE_EXTREF_KEY) {
u64 other_ino = 0;
u64 other_parent = 0;
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 013/181] mei: me: add nova lake point S DID
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 012/181] btrfs: always detect conflicting inodes when logging inode refs Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 014/181] rust_binder: remove spin_lock() in rust_shrink_free_page() Greg Kroah-Hartman
` (181 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Tomas Winkler,
Alexander Usyskin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Usyskin <alexander.usyskin@intel.com>
commit 420f423defcf6d0af2263d38da870ca4a20c0990 upstream.
Add Nova Lake S device id.
Cc: stable <stable@kernel.org>
Co-developed-by: Tomas Winkler <tomasw@gmail.com>
Signed-off-by: Tomas Winkler <tomasw@gmail.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Link: https://patch.msgid.link/20251215105915.1672659-1-alexander.usyskin@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/mei/hw-me-regs.h | 2 ++
drivers/misc/mei/pci-me.c | 2 ++
2 files changed, 4 insertions(+)
--- a/drivers/misc/mei/hw-me-regs.h
+++ b/drivers/misc/mei/hw-me-regs.h
@@ -122,6 +122,8 @@
#define MEI_DEV_ID_WCL_P 0x4D70 /* Wildcat Lake P */
+#define MEI_DEV_ID_NVL_S 0x6E68 /* Nova Lake Point S */
+
/*
* MEI HW Section
*/
--- a/drivers/misc/mei/pci-me.c
+++ b/drivers/misc/mei/pci-me.c
@@ -129,6 +129,8 @@ static const struct pci_device_id mei_me
{MEI_PCI_DEVICE(MEI_DEV_ID_WCL_P, MEI_ME_PCH15_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_NVL_S, MEI_ME_PCH15_CFG)},
+
/* required last entry */
{0, }
};
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 014/181] rust_binder: remove spin_lock() in rust_shrink_free_page()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 013/181] mei: me: add nova lake point S DID Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 015/181] lib/crypto: aes: Fix missing MMU protection for AES S-box Greg Kroah-Hartman
` (180 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alice Ryhl
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit 361e0ff456a8daf9753c18030533256e4133ce7a upstream.
When forward-porting Rust Binder to 6.18, I neglected to take commit
fb56fdf8b9a2 ("mm/list_lru: split the lock to per-cgroup scope") into
account, and apparently I did not end up running the shrinker callback
when I sanity tested the driver before submission. This leads to crashes
like the following:
============================================
WARNING: possible recursive locking detected
6.18.0-mainline-maybe-dirty #1 Tainted: G IO
--------------------------------------------
kswapd0/68 is trying to acquire lock:
ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: lock_list_lru_of_memcg+0x128/0x230
but task is already holding lock:
ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&l->lock);
lock(&l->lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by kswapd0/68:
#0: ffffffff90d2e260 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x597/0x1160
#1: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20
#2: ffffffff90cf3680 (rcu_read_lock){....}-{1:2}, at: lock_list_lru_of_memcg+0x2d/0x230
To fix this, remove the spin_lock() call from rust_shrink_free_page().
Cc: stable <stable@kernel.org>
Fixes: eafedbc7c050 ("rust_binder: add Rust Binder driver")
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Link: https://patch.msgid.link/20251202-binder-shrink-unspin-v1-1-263efb9ad625@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/android/binder/page_range.rs | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/android/binder/page_range.rs b/drivers/android/binder/page_range.rs
index 9379038f61f5..fdd97112ef5c 100644
--- a/drivers/android/binder/page_range.rs
+++ b/drivers/android/binder/page_range.rs
@@ -727,8 +727,5 @@ fn drop(self: Pin<&mut Self>) {
drop(mm);
drop(page);
- // SAFETY: We just unlocked the lru lock, but it should be locked when we return.
- unsafe { bindings::spin_lock(&raw mut (*lru).lock) };
-
LRU_REMOVED_ENTRY
}
--
2.52.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 015/181] lib/crypto: aes: Fix missing MMU protection for AES S-box
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 014/181] rust_binder: remove spin_lock() in rust_shrink_free_page() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 016/181] counter: 104-quad-8: Fix incorrect return value in IRQ handler Greg Kroah-Hartman
` (179 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Ard Biesheuvel,
Eric Biggers
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 74d74bb78aeccc9edc10db216d6be121cf7ec176 upstream.
__cacheline_aligned puts the data in the ".data..cacheline_aligned"
section, which isn't marked read-only i.e. it doesn't receive MMU
protection. Replace it with ____cacheline_aligned which does the right
thing and just aligns the data while keeping it in ".rodata".
Fixes: b5e0b032b6c3 ("crypto: aes - add generic time invariant AES cipher")
Cc: stable@vger.kernel.org
Reported-by: Qingfang Deng <dqfext@gmail.com>
Closes: https://lore.kernel.org/r/20260105074712.498-1-dqfext@gmail.com/
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260107052023.174620-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/crypto/aes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/lib/crypto/aes.c
+++ b/lib/crypto/aes.c
@@ -13,7 +13,7 @@
* Emit the sbox as volatile const to prevent the compiler from doing
* constant folding on sbox references involving fixed indexes.
*/
-static volatile const u8 __cacheline_aligned aes_sbox[] = {
+static volatile const u8 ____cacheline_aligned aes_sbox[] = {
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
@@ -48,7 +48,7 @@ static volatile const u8 __cacheline_ali
0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
};
-static volatile const u8 __cacheline_aligned aes_inv_sbox[] = {
+static volatile const u8 ____cacheline_aligned aes_inv_sbox[] = {
0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 016/181] counter: 104-quad-8: Fix incorrect return value in IRQ handler
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 015/181] lib/crypto: aes: Fix missing MMU protection for AES S-box Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 017/181] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag Greg Kroah-Hartman
` (178 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Haotian Zhang,
William Breathitt Gray
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
commit 9517d76dd160208b7a432301ce7bec8fc1ddc305 upstream.
quad8_irq_handler() should return irqreturn_t enum values, but it
directly returns negative errno codes from regmap operations on error.
Return IRQ_NONE if the interrupt status cannot be read. If clearing the
interrupt fails, return IRQ_HANDLED to prevent the kernel from disabling
the IRQ line due to a spurious interrupt storm. Also, log these regmap
failures with dev_WARN_ONCE.
Fixes: 98ffe0252911 ("counter: 104-quad-8: Migrate to the regmap API")
Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://lore.kernel.org/r/20251215020114.1913-1-vulab@iscas.ac.cn
Cc: stable@vger.kernel.org
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/counter/104-quad-8.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
--- a/drivers/counter/104-quad-8.c
+++ b/drivers/counter/104-quad-8.c
@@ -1192,6 +1192,7 @@ static irqreturn_t quad8_irq_handler(int
{
struct counter_device *counter = private;
struct quad8 *const priv = counter_priv(counter);
+ struct device *dev = counter->parent;
unsigned int status;
unsigned long irq_status;
unsigned long channel;
@@ -1200,8 +1201,11 @@ static irqreturn_t quad8_irq_handler(int
int ret;
ret = regmap_read(priv->map, QUAD8_INTERRUPT_STATUS, &status);
- if (ret)
- return ret;
+ if (ret) {
+ dev_WARN_ONCE(dev, true,
+ "Attempt to read Interrupt Status Register failed: %d\n", ret);
+ return IRQ_NONE;
+ }
if (!status)
return IRQ_NONE;
@@ -1223,8 +1227,9 @@ static irqreturn_t quad8_irq_handler(int
break;
default:
/* should never reach this path */
- WARN_ONCE(true, "invalid interrupt trigger function %u configured for channel %lu\n",
- flg_pins, channel);
+ dev_WARN_ONCE(dev, true,
+ "invalid interrupt trigger function %u configured for channel %lu\n",
+ flg_pins, channel);
continue;
}
@@ -1232,8 +1237,11 @@ static irqreturn_t quad8_irq_handler(int
}
ret = regmap_write(priv->map, QUAD8_CHANNEL_OPERATION, CLEAR_PENDING_INTERRUPTS);
- if (ret)
- return ret;
+ if (ret) {
+ dev_WARN_ONCE(dev, true,
+ "Attempt to clear pending interrupts by writing to Channel Operation Register failed: %d\n", ret);
+ return IRQ_HANDLED;
+ }
return IRQ_HANDLED;
}
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 017/181] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 016/181] counter: 104-quad-8: Fix incorrect return value in IRQ handler Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 018/181] tracing: Add recursion protection in kernel stack trace recording Greg Kroah-Hartman
` (177 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Alexander Sverdlin, Oleksij Rempel, William Breathitt Gray
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
commit 23f9485510c338476b9735d516c1d4aacb810d46 upstream.
An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as
CONFIG_PROVE_RAW_LOCK_NESTING warns:
=============================
[ BUG: Invalid wait context ]
6.18.0-rc1+git... #1
-----------------------------
some-user-space-process/1251 is trying to lock:
(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]
other info that might help us debug this:
context-{2:2}
no locks held by some-user-space-process/....
stack backtrace:
CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT
Call trace:
show_stack (C)
dump_stack_lvl
dump_stack
__lock_acquire
lock_acquire
_raw_spin_lock_irqsave
counter_push_event [counter]
interrupt_cnt_isr [interrupt_cnt]
__handle_irq_event_percpu
handle_irq_event
handle_simple_irq
handle_irq_desc
generic_handle_domain_irq
gpio_irq_handler
handle_irq_desc
generic_handle_domain_irq
gic_handle_irq
call_on_irq_stack
do_interrupt_handler
el0_interrupt
__el0_irq_handler_common
el0t_64_irq_handler
el0t_64_irq
... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an
alternative to switching to raw_spinlock_t, because the latter would limit
all potential nested locks to raw_spinlock_t only.
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20251117151314.xwLAZrWY@linutronix.de/
Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/r/20251118083603.778626-1-alexander.sverdlin@siemens.com
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/counter/interrupt-cnt.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/counter/interrupt-cnt.c
+++ b/drivers/counter/interrupt-cnt.c
@@ -229,8 +229,7 @@ static int interrupt_cnt_probe(struct pl
irq_set_status_flags(priv->irq, IRQ_NOAUTOEN);
ret = devm_request_irq(dev, priv->irq, interrupt_cnt_isr,
- IRQF_TRIGGER_RISING | IRQF_NO_THREAD,
- dev_name(dev), counter);
+ IRQF_TRIGGER_RISING, dev_name(dev), counter);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 018/181] tracing: Add recursion protection in kernel stack trace recording
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 017/181] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 019/181] riscv: boot: Always make Image from vmlinux, not vmlinux.unstripped Greg Kroah-Hartman
` (176 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Joel Fernandes, Paul E. McKenney, Boqun Feng, Yao Kai,
Steven Rostedt (Google)
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit 5f1ef0dfcb5b7f4a91a9b0e0ba533efd9f7e2cdb upstream.
A bug was reported about an infinite recursion caused by tracing the rcu
events with the kernel stack trace trigger enabled. The stack trace code
called back into RCU which then called the stack trace again.
Expand the ftrace recursion protection to add a set of bits to protect
events from recursion. Each bit represents the context that the event is
in (normal, softirq, interrupt and NMI).
Have the stack trace code use the interrupt context to protect against
recursion.
Note, the bug showed an issue in both the RCU code as well as the tracing
stacktrace code. This only handles the tracing stack trace side of the
bug. The RCU fix will be handled separately.
Link: https://lore.kernel.org/all/20260102122807.7025fc87@gandalf.local.home/
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Joel Fernandes <joel@joelfernandes.org>
Cc: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Boqun Feng <boqun.feng@gmail.com>
Link: https://patch.msgid.link/20260105203141.515cd49f@gandalf.local.home
Reported-by: Yao Kai <yaokai34@huawei.com>
Tested-by: Yao Kai <yaokai34@huawei.com>
Fixes: 5f5fa7ea89dc ("rcu: Don't use negative nesting depth in __rcu_read_unlock()")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/trace_recursion.h | 9 +++++++++
kernel/trace/trace.c | 6 ++++++
2 files changed, 15 insertions(+)
--- a/include/linux/trace_recursion.h
+++ b/include/linux/trace_recursion.h
@@ -34,6 +34,13 @@ enum {
TRACE_INTERNAL_SIRQ_BIT,
TRACE_INTERNAL_TRANSITION_BIT,
+ /* Internal event use recursion bits */
+ TRACE_INTERNAL_EVENT_BIT,
+ TRACE_INTERNAL_EVENT_NMI_BIT,
+ TRACE_INTERNAL_EVENT_IRQ_BIT,
+ TRACE_INTERNAL_EVENT_SIRQ_BIT,
+ TRACE_INTERNAL_EVENT_TRANSITION_BIT,
+
TRACE_BRANCH_BIT,
/*
* Abuse of the trace_recursion.
@@ -58,6 +65,8 @@ enum {
#define TRACE_LIST_START TRACE_INTERNAL_BIT
+#define TRACE_EVENT_START TRACE_INTERNAL_EVENT_BIT
+
#define TRACE_CONTEXT_MASK ((1 << (TRACE_LIST_START + TRACE_CONTEXT_BITS)) - 1)
/*
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3003,6 +3003,11 @@ static void __ftrace_trace_stack(struct
struct ftrace_stack *fstack;
struct stack_entry *entry;
int stackidx;
+ int bit;
+
+ bit = trace_test_and_set_recursion(_THIS_IP_, _RET_IP_, TRACE_EVENT_START);
+ if (bit < 0)
+ return;
/*
* Add one, for this function and the call to save_stack_trace()
@@ -3071,6 +3076,7 @@ static void __ftrace_trace_stack(struct
/* Again, don't let gcc optimize things here */
barrier();
__this_cpu_dec(ftrace_stack_reserve);
+ trace_clear_recursion(bit);
}
static inline void ftrace_trace_stack(struct trace_array *tr,
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 019/181] riscv: boot: Always make Image from vmlinux, not vmlinux.unstripped
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 018/181] tracing: Add recursion protection in kernel stack trace recording Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 020/181] nouveau: dont attempt fwsec on sb on newer platforms Greg Kroah-Hartman
` (175 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vivian Wang, Nathan Chancellor,
Han Gao, Paul Walmsley
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivian Wang <wangruikang@iscas.ac.cn>
commit 66562b66dcbc8f93c1e28632299f449bb2f5c47d upstream.
Since commit 4b47a3aefb29 ("kbuild: Restore pattern to avoid stripping
.rela.dyn from vmlinux") vmlinux has .rel*.dyn preserved. Therefore, use
vmlinux to produce Image, not vmlinux.unstripped.
Doing so fixes booting a RELOCATABLE=y Image with kexec. The problem is
caused by this chain of events:
- Since commit 3e86e4d74c04 ("kbuild: keep .modinfo section in
vmlinux.unstripped"), vmlinux.unstripped gets a .modinfo section.
- The .modinfo section has SHF_ALLOC, so it ends up in Image, at the end
of it.
- The Image header's image_size field does not expect to include
.modinfo and does not account for it, since it should not be in Image.
- If .modinfo is large enough, the file size of Image ends up larger
than image_size, which eventually leads to it failing
sanity_check_segment_list().
Using vmlinux instead of vmlinux.unstripped means that the unexpected
.modinfo section is gone from Image, fixing the file size problem.
Cc: stable@vger.kernel.org
Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped")
Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Han Gao <gaohan@iscas.ac.cn>
Link: https://patch.msgid.link/20251230-riscv-vmlinux-not-unstripped-v1-1-15f49df880df@iscas.ac.cn
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/boot/Makefile | 4 ----
1 file changed, 4 deletions(-)
diff --git a/arch/riscv/boot/Makefile b/arch/riscv/boot/Makefile
index bfc3d0b75b9b..5301adf5f3f5 100644
--- a/arch/riscv/boot/Makefile
+++ b/arch/riscv/boot/Makefile
@@ -31,11 +31,7 @@ $(obj)/xipImage: vmlinux FORCE
endif
-ifdef CONFIG_RELOCATABLE
-$(obj)/Image: vmlinux.unstripped FORCE
-else
$(obj)/Image: vmlinux FORCE
-endif
$(call if_changed,objcopy)
$(obj)/Image.gz: $(obj)/Image FORCE
--
2.52.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 020/181] nouveau: dont attempt fwsec on sb on newer platforms.
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 019/181] riscv: boot: Always make Image from vmlinux, not vmlinux.unstripped Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 021/181] Revert "drm/atomic-helper: Re-order bridge chain pre-enable and post-disable" Greg Kroah-Hartman
` (174 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lyude Paul, Timur Tabi,
Matthew Schwartz, Christopher Snowhill, Dave Airlie
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Airlie <airlied@redhat.com>
commit e8b3627bec357698f2d4d6dbf27cdcfa0e9d8715 upstream.
The changes to always loads fwsec sb causes problems on newer GPUs
which don't use this path.
Add hooks and pass through the device specific layers.
Fixes: da67179e5538 ("drm/nouveau/gsp: Allocate fwsec-sb at boot")
Cc: <stable@vger.kernel.org> # v6.16+
Cc: Lyude Paul <lyude@redhat.com>
Cc: Timur Tabi <ttabi@nvidia.com>
Tested-by: Matthew Schwartz <matthew.schwartz@linux.dev>
Tested-by: Christopher Snowhill <chris@kode54.net>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patch.msgid.link/20260102041829.2748009-1-airlied@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
.../gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c | 3 +++
.../gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c | 8 +------
.../gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c | 3 +++
.../gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c | 3 +++
.../gpu/drm/nouveau/nvkm/subdev/gsp/priv.h | 23 +++++++++++++++++--
.../gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c | 15 ++++++++++++
.../gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c | 3 +++
7 files changed, 49 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c
index 35d1fcef520b..c456a9626823 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ad102.c
@@ -30,6 +30,9 @@ ad102_gsp = {
.booter.ctor = ga102_gsp_booter_ctor,
+ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
+ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
+
.dtor = r535_gsp_dtor,
.oneinit = tu102_gsp_oneinit,
.init = tu102_gsp_init,
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c
index 503760246660..851140e80122 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/fwsec.c
@@ -337,18 +337,12 @@ nvkm_gsp_fwsec_sb(struct nvkm_gsp *gsp)
}
int
-nvkm_gsp_fwsec_sb_ctor(struct nvkm_gsp *gsp)
+nvkm_gsp_fwsec_sb_init(struct nvkm_gsp *gsp)
{
return nvkm_gsp_fwsec_init(gsp, &gsp->fws.falcon.sb, "fwsec-sb",
NVFW_FALCON_APPIF_DMEMMAPPER_CMD_SB);
}
-void
-nvkm_gsp_fwsec_sb_dtor(struct nvkm_gsp *gsp)
-{
- nvkm_falcon_fw_dtor(&gsp->fws.falcon.sb);
-}
-
int
nvkm_gsp_fwsec_frts(struct nvkm_gsp *gsp)
{
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c
index d201e8697226..27a13aeccd3c 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga100.c
@@ -47,6 +47,9 @@ ga100_gsp = {
.booter.ctor = tu102_gsp_booter_ctor,
+ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
+ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
+
.dtor = r535_gsp_dtor,
.oneinit = tu102_gsp_oneinit,
.init = tu102_gsp_init,
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c
index 917f7e2f6c46..b6b3eb6f4c00 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/ga102.c
@@ -158,6 +158,9 @@ ga102_gsp_r535 = {
.booter.ctor = ga102_gsp_booter_ctor,
+ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
+ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
+
.dtor = r535_gsp_dtor,
.oneinit = tu102_gsp_oneinit,
.init = tu102_gsp_init,
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h
index 86bdd203bc10..9dd66a2e3801 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/priv.h
@@ -7,9 +7,8 @@ enum nvkm_acr_lsf_id;
int nvkm_gsp_fwsec_frts(struct nvkm_gsp *);
-int nvkm_gsp_fwsec_sb_ctor(struct nvkm_gsp *);
int nvkm_gsp_fwsec_sb(struct nvkm_gsp *);
-void nvkm_gsp_fwsec_sb_dtor(struct nvkm_gsp *);
+int nvkm_gsp_fwsec_sb_init(struct nvkm_gsp *gsp);
struct nvkm_gsp_fwif {
int version;
@@ -52,6 +51,11 @@ struct nvkm_gsp_func {
struct nvkm_falcon *, struct nvkm_falcon_fw *);
} booter;
+ struct {
+ int (*ctor)(struct nvkm_gsp *);
+ void (*dtor)(struct nvkm_gsp *);
+ } fwsec_sb;
+
void (*dtor)(struct nvkm_gsp *);
int (*oneinit)(struct nvkm_gsp *);
int (*init)(struct nvkm_gsp *);
@@ -67,6 +71,8 @@ extern const struct nvkm_falcon_func tu102_gsp_flcn;
extern const struct nvkm_falcon_fw_func tu102_gsp_fwsec;
int tu102_gsp_booter_ctor(struct nvkm_gsp *, const char *, const struct firmware *,
struct nvkm_falcon *, struct nvkm_falcon_fw *);
+int tu102_gsp_fwsec_sb_ctor(struct nvkm_gsp *);
+void tu102_gsp_fwsec_sb_dtor(struct nvkm_gsp *);
int tu102_gsp_oneinit(struct nvkm_gsp *);
int tu102_gsp_init(struct nvkm_gsp *);
int tu102_gsp_fini(struct nvkm_gsp *, bool suspend);
@@ -91,5 +97,18 @@ int r535_gsp_fini(struct nvkm_gsp *, bool suspend);
int nvkm_gsp_new_(const struct nvkm_gsp_fwif *, struct nvkm_device *, enum nvkm_subdev_type, int,
struct nvkm_gsp **);
+static inline int nvkm_gsp_fwsec_sb_ctor(struct nvkm_gsp *gsp)
+{
+ if (gsp->func->fwsec_sb.ctor)
+ return gsp->func->fwsec_sb.ctor(gsp);
+ return 0;
+}
+
+static inline void nvkm_gsp_fwsec_sb_dtor(struct nvkm_gsp *gsp)
+{
+ if (gsp->func->fwsec_sb.dtor)
+ gsp->func->fwsec_sb.dtor(gsp);
+}
+
extern const struct nvkm_gsp_func gv100_gsp;
#endif
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c
index 81e56da0474a..04b642a1f730 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu102.c
@@ -30,6 +30,18 @@
#include <nvfw/fw.h>
#include <nvfw/hs.h>
+int
+tu102_gsp_fwsec_sb_ctor(struct nvkm_gsp *gsp)
+{
+ return nvkm_gsp_fwsec_sb_init(gsp);
+}
+
+void
+tu102_gsp_fwsec_sb_dtor(struct nvkm_gsp *gsp)
+{
+ nvkm_falcon_fw_dtor(&gsp->fws.falcon.sb);
+}
+
static int
tu102_gsp_booter_unload(struct nvkm_gsp *gsp, u32 mbox0, u32 mbox1)
{
@@ -370,6 +382,9 @@ tu102_gsp = {
.booter.ctor = tu102_gsp_booter_ctor,
+ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
+ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
+
.dtor = r535_gsp_dtor,
.oneinit = tu102_gsp_oneinit,
.init = tu102_gsp_init,
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c
index 97eb046c25d0..58cf25842421 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/gsp/tu116.c
@@ -30,6 +30,9 @@ tu116_gsp = {
.booter.ctor = tu102_gsp_booter_ctor,
+ .fwsec_sb.ctor = tu102_gsp_fwsec_sb_ctor,
+ .fwsec_sb.dtor = tu102_gsp_fwsec_sb_dtor,
+
.dtor = r535_gsp_dtor,
.oneinit = tu102_gsp_oneinit,
.init = tu102_gsp_init,
--
2.52.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 021/181] Revert "drm/atomic-helper: Re-order bridge chain pre-enable and post-disable"
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 020/181] nouveau: dont attempt fwsec on sb on newer platforms Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 6.18 022/181] ALSA: ac97: fix a double free in snd_ac97_controller_register() Greg Kroah-Hartman
` (173 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomi Valkeinen, Aradhya Bhatia,
Maxime Ripard, Linus Walleij
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
commit c1ef9a6cabb34dbc09e31417b0c0a672fe0de13a upstream.
This reverts commit c9b1150a68d9362a0827609fc0dc1664c0d8bfe1.
Changing the enable/disable sequence has caused regressions on multiple
platforms: R-Car, MCDE, Rockchip. A series (see link below) was sent to
fix these, but it was decided that it's better to revert the original
patch and change the enable/disable sequence only in the tidss driver.
Reverting this commit breaks tidss's DSI and OLDI outputs, which will be
fixed in the following commits.
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://lore.kernel.org/all/20251202-mcde-drm-regression-thirdfix-v6-0-f1bffd4ec0fa%40kernel.org/
Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable")
Cc: stable@vger.kernel.org # v6.17+
Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Tested-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-1-fda68fa1b3de@ideasonboard.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_atomic_helper.c | 8 +-
include/drm/drm_bridge.h | 249 ++++++++--------------------
2 files changed, 70 insertions(+), 187 deletions(-)
diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index 10adac9397cf..ef97f37560b2 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1341,9 +1341,9 @@ disable_outputs(struct drm_device *dev, struct drm_atomic_state *state)
{
encoder_bridge_disable(dev, state);
- crtc_disable(dev, state);
-
encoder_bridge_post_disable(dev, state);
+
+ crtc_disable(dev, state);
}
/**
@@ -1682,10 +1682,10 @@ encoder_bridge_enable(struct drm_device *dev, struct drm_atomic_state *state)
void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev,
struct drm_atomic_state *state)
{
- encoder_bridge_pre_enable(dev, state);
-
crtc_enable(dev, state);
+ encoder_bridge_pre_enable(dev, state);
+
encoder_bridge_enable(dev, state);
drm_atomic_helper_commit_writebacks(dev, state);
diff --git a/include/drm/drm_bridge.h b/include/drm/drm_bridge.h
index 0ff7ab4aa868..dbafe136833f 100644
--- a/include/drm/drm_bridge.h
+++ b/include/drm/drm_bridge.h
@@ -176,33 +176,17 @@ struct drm_bridge_funcs {
/**
* @disable:
*
- * The @disable callback should disable the bridge.
+ * This callback should disable the bridge. It is called right before
+ * the preceding element in the display pipe is disabled. If the
+ * preceding element is a bridge this means it's called before that
+ * bridge's @disable vfunc. If the preceding element is a &drm_encoder
+ * it's called right before the &drm_encoder_helper_funcs.disable,
+ * &drm_encoder_helper_funcs.prepare or &drm_encoder_helper_funcs.dpms
+ * hook.
*
* The bridge can assume that the display pipe (i.e. clocks and timing
* signals) feeding it is still running when this callback is called.
*
- *
- * If the preceding element is a &drm_bridge, then this is called before
- * that bridge is disabled via one of:
- *
- * - &drm_bridge_funcs.disable
- * - &drm_bridge_funcs.atomic_disable
- *
- * If the preceding element of the bridge is a display controller, then
- * this callback is called before the encoder is disabled via one of:
- *
- * - &drm_encoder_helper_funcs.atomic_disable
- * - &drm_encoder_helper_funcs.prepare
- * - &drm_encoder_helper_funcs.disable
- * - &drm_encoder_helper_funcs.dpms
- *
- * and the CRTC is disabled via one of:
- *
- * - &drm_crtc_helper_funcs.prepare
- * - &drm_crtc_helper_funcs.atomic_disable
- * - &drm_crtc_helper_funcs.disable
- * - &drm_crtc_helper_funcs.dpms.
- *
* The @disable callback is optional.
*
* NOTE:
@@ -215,34 +199,17 @@ struct drm_bridge_funcs {
/**
* @post_disable:
*
+ * This callback should disable the bridge. It is called right after the
+ * preceding element in the display pipe is disabled. If the preceding
+ * element is a bridge this means it's called after that bridge's
+ * @post_disable function. If the preceding element is a &drm_encoder
+ * it's called right after the encoder's
+ * &drm_encoder_helper_funcs.disable, &drm_encoder_helper_funcs.prepare
+ * or &drm_encoder_helper_funcs.dpms hook.
+ *
* The bridge must assume that the display pipe (i.e. clocks and timing
- * signals) feeding this bridge is no longer running when the
- * @post_disable is called.
- *
- * This callback should perform all the actions required by the hardware
- * after it has stopped receiving signals from the preceding element.
- *
- * If the preceding element is a &drm_bridge, then this is called after
- * that bridge is post-disabled (unless marked otherwise by the
- * @pre_enable_prev_first flag) via one of:
- *
- * - &drm_bridge_funcs.post_disable
- * - &drm_bridge_funcs.atomic_post_disable
- *
- * If the preceding element of the bridge is a display controller, then
- * this callback is called after the encoder is disabled via one of:
- *
- * - &drm_encoder_helper_funcs.atomic_disable
- * - &drm_encoder_helper_funcs.prepare
- * - &drm_encoder_helper_funcs.disable
- * - &drm_encoder_helper_funcs.dpms
- *
- * and the CRTC is disabled via one of:
- *
- * - &drm_crtc_helper_funcs.prepare
- * - &drm_crtc_helper_funcs.atomic_disable
- * - &drm_crtc_helper_funcs.disable
- * - &drm_crtc_helper_funcs.dpms
+ * signals) feeding it is no longer running when this callback is
+ * called.
*
* The @post_disable callback is optional.
*
@@ -285,30 +252,18 @@ struct drm_bridge_funcs {
/**
* @pre_enable:
*
+ * This callback should enable the bridge. It is called right before
+ * the preceding element in the display pipe is enabled. If the
+ * preceding element is a bridge this means it's called before that
+ * bridge's @pre_enable function. If the preceding element is a
+ * &drm_encoder it's called right before the encoder's
+ * &drm_encoder_helper_funcs.enable, &drm_encoder_helper_funcs.commit or
+ * &drm_encoder_helper_funcs.dpms hook.
+ *
* The display pipe (i.e. clocks and timing signals) feeding this bridge
- * will not yet be running when the @pre_enable is called.
- *
- * This callback should perform all the necessary actions to prepare the
- * bridge to accept signals from the preceding element.
- *
- * If the preceding element is a &drm_bridge, then this is called before
- * that bridge is pre-enabled (unless marked otherwise by
- * @pre_enable_prev_first flag) via one of:
- *
- * - &drm_bridge_funcs.pre_enable
- * - &drm_bridge_funcs.atomic_pre_enable
- *
- * If the preceding element of the bridge is a display controller, then
- * this callback is called before the CRTC is enabled via one of:
- *
- * - &drm_crtc_helper_funcs.atomic_enable
- * - &drm_crtc_helper_funcs.commit
- *
- * and the encoder is enabled via one of:
- *
- * - &drm_encoder_helper_funcs.atomic_enable
- * - &drm_encoder_helper_funcs.enable
- * - &drm_encoder_helper_funcs.commit
+ * will not yet be running when this callback is called. The bridge must
+ * not enable the display link feeding the next bridge in the chain (if
+ * there is one) when this callback is called.
*
* The @pre_enable callback is optional.
*
@@ -322,31 +277,19 @@ struct drm_bridge_funcs {
/**
* @enable:
*
- * The @enable callback should enable the bridge.
+ * This callback should enable the bridge. It is called right after
+ * the preceding element in the display pipe is enabled. If the
+ * preceding element is a bridge this means it's called after that
+ * bridge's @enable function. If the preceding element is a
+ * &drm_encoder it's called right after the encoder's
+ * &drm_encoder_helper_funcs.enable, &drm_encoder_helper_funcs.commit or
+ * &drm_encoder_helper_funcs.dpms hook.
*
* The bridge can assume that the display pipe (i.e. clocks and timing
* signals) feeding it is running when this callback is called. This
* callback must enable the display link feeding the next bridge in the
* chain if there is one.
*
- * If the preceding element is a &drm_bridge, then this is called after
- * that bridge is enabled via one of:
- *
- * - &drm_bridge_funcs.enable
- * - &drm_bridge_funcs.atomic_enable
- *
- * If the preceding element of the bridge is a display controller, then
- * this callback is called after the CRTC is enabled via one of:
- *
- * - &drm_crtc_helper_funcs.atomic_enable
- * - &drm_crtc_helper_funcs.commit
- *
- * and the encoder is enabled via one of:
- *
- * - &drm_encoder_helper_funcs.atomic_enable
- * - &drm_encoder_helper_funcs.enable
- * - drm_encoder_helper_funcs.commit
- *
* The @enable callback is optional.
*
* NOTE:
@@ -359,30 +302,17 @@ struct drm_bridge_funcs {
/**
* @atomic_pre_enable:
*
+ * This callback should enable the bridge. It is called right before
+ * the preceding element in the display pipe is enabled. If the
+ * preceding element is a bridge this means it's called before that
+ * bridge's @atomic_pre_enable or @pre_enable function. If the preceding
+ * element is a &drm_encoder it's called right before the encoder's
+ * &drm_encoder_helper_funcs.atomic_enable hook.
+ *
* The display pipe (i.e. clocks and timing signals) feeding this bridge
- * will not yet be running when the @atomic_pre_enable is called.
- *
- * This callback should perform all the necessary actions to prepare the
- * bridge to accept signals from the preceding element.
- *
- * If the preceding element is a &drm_bridge, then this is called before
- * that bridge is pre-enabled (unless marked otherwise by
- * @pre_enable_prev_first flag) via one of:
- *
- * - &drm_bridge_funcs.pre_enable
- * - &drm_bridge_funcs.atomic_pre_enable
- *
- * If the preceding element of the bridge is a display controller, then
- * this callback is called before the CRTC is enabled via one of:
- *
- * - &drm_crtc_helper_funcs.atomic_enable
- * - &drm_crtc_helper_funcs.commit
- *
- * and the encoder is enabled via one of:
- *
- * - &drm_encoder_helper_funcs.atomic_enable
- * - &drm_encoder_helper_funcs.enable
- * - &drm_encoder_helper_funcs.commit
+ * will not yet be running when this callback is called. The bridge must
+ * not enable the display link feeding the next bridge in the chain (if
+ * there is one) when this callback is called.
*
* The @atomic_pre_enable callback is optional.
*/
@@ -392,31 +322,18 @@ struct drm_bridge_funcs {
/**
* @atomic_enable:
*
- * The @atomic_enable callback should enable the bridge.
+ * This callback should enable the bridge. It is called right after
+ * the preceding element in the display pipe is enabled. If the
+ * preceding element is a bridge this means it's called after that
+ * bridge's @atomic_enable or @enable function. If the preceding element
+ * is a &drm_encoder it's called right after the encoder's
+ * &drm_encoder_helper_funcs.atomic_enable hook.
*
* The bridge can assume that the display pipe (i.e. clocks and timing
* signals) feeding it is running when this callback is called. This
* callback must enable the display link feeding the next bridge in the
* chain if there is one.
*
- * If the preceding element is a &drm_bridge, then this is called after
- * that bridge is enabled via one of:
- *
- * - &drm_bridge_funcs.enable
- * - &drm_bridge_funcs.atomic_enable
- *
- * If the preceding element of the bridge is a display controller, then
- * this callback is called after the CRTC is enabled via one of:
- *
- * - &drm_crtc_helper_funcs.atomic_enable
- * - &drm_crtc_helper_funcs.commit
- *
- * and the encoder is enabled via one of:
- *
- * - &drm_encoder_helper_funcs.atomic_enable
- * - &drm_encoder_helper_funcs.enable
- * - drm_encoder_helper_funcs.commit
- *
* The @atomic_enable callback is optional.
*/
void (*atomic_enable)(struct drm_bridge *bridge,
@@ -424,32 +341,16 @@ struct drm_bridge_funcs {
/**
* @atomic_disable:
*
- * The @atomic_disable callback should disable the bridge.
+ * This callback should disable the bridge. It is called right before
+ * the preceding element in the display pipe is disabled. If the
+ * preceding element is a bridge this means it's called before that
+ * bridge's @atomic_disable or @disable vfunc. If the preceding element
+ * is a &drm_encoder it's called right before the
+ * &drm_encoder_helper_funcs.atomic_disable hook.
*
* The bridge can assume that the display pipe (i.e. clocks and timing
* signals) feeding it is still running when this callback is called.
*
- * If the preceding element is a &drm_bridge, then this is called before
- * that bridge is disabled via one of:
- *
- * - &drm_bridge_funcs.disable
- * - &drm_bridge_funcs.atomic_disable
- *
- * If the preceding element of the bridge is a display controller, then
- * this callback is called before the encoder is disabled via one of:
- *
- * - &drm_encoder_helper_funcs.atomic_disable
- * - &drm_encoder_helper_funcs.prepare
- * - &drm_encoder_helper_funcs.disable
- * - &drm_encoder_helper_funcs.dpms
- *
- * and the CRTC is disabled via one of:
- *
- * - &drm_crtc_helper_funcs.prepare
- * - &drm_crtc_helper_funcs.atomic_disable
- * - &drm_crtc_helper_funcs.disable
- * - &drm_crtc_helper_funcs.dpms.
- *
* The @atomic_disable callback is optional.
*/
void (*atomic_disable)(struct drm_bridge *bridge,
@@ -458,34 +359,16 @@ struct drm_bridge_funcs {
/**
* @atomic_post_disable:
*
+ * This callback should disable the bridge. It is called right after the
+ * preceding element in the display pipe is disabled. If the preceding
+ * element is a bridge this means it's called after that bridge's
+ * @atomic_post_disable or @post_disable function. If the preceding
+ * element is a &drm_encoder it's called right after the encoder's
+ * &drm_encoder_helper_funcs.atomic_disable hook.
+ *
* The bridge must assume that the display pipe (i.e. clocks and timing
- * signals) feeding this bridge is no longer running when the
- * @atomic_post_disable is called.
- *
- * This callback should perform all the actions required by the hardware
- * after it has stopped receiving signals from the preceding element.
- *
- * If the preceding element is a &drm_bridge, then this is called after
- * that bridge is post-disabled (unless marked otherwise by the
- * @pre_enable_prev_first flag) via one of:
- *
- * - &drm_bridge_funcs.post_disable
- * - &drm_bridge_funcs.atomic_post_disable
- *
- * If the preceding element of the bridge is a display controller, then
- * this callback is called after the encoder is disabled via one of:
- *
- * - &drm_encoder_helper_funcs.atomic_disable
- * - &drm_encoder_helper_funcs.prepare
- * - &drm_encoder_helper_funcs.disable
- * - &drm_encoder_helper_funcs.dpms
- *
- * and the CRTC is disabled via one of:
- *
- * - &drm_crtc_helper_funcs.prepare
- * - &drm_crtc_helper_funcs.atomic_disable
- * - &drm_crtc_helper_funcs.disable
- * - &drm_crtc_helper_funcs.dpms
+ * signals) feeding it is no longer running when this callback is
+ * called.
*
* The @atomic_post_disable callback is optional.
*/
--
2.52.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 022/181] ALSA: ac97: fix a double free in snd_ac97_controller_register()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 021/181] Revert "drm/atomic-helper: Re-order bridge chain pre-enable and post-disable" Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 023/181] ALSA: hda/tas2781: properly initialize speaker_id for TAS2563 Greg Kroah-Hartman
` (172 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 830988b6cf197e6dcffdfe2008c5738e6c6c3c0f upstream.
If ac97_add_adapter() fails, put_device() is the correct way to drop
the device reference. kfree() is not required.
Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do
the cleanup.
Found by code review.
Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Link: https://patch.msgid.link/20251219162845.657525-1-lihaoxiang@isrc.iscas.ac.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/ac97/bus.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/sound/ac97/bus.c
+++ b/sound/ac97/bus.c
@@ -298,6 +298,7 @@ static void ac97_adapter_release(struct
idr_remove(&ac97_adapter_idr, ac97_ctrl->nr);
dev_dbg(&ac97_ctrl->adap, "adapter unregistered by %s\n",
dev_name(ac97_ctrl->parent));
+ kfree(ac97_ctrl);
}
static const struct device_type ac97_adapter_type = {
@@ -319,7 +320,9 @@ static int ac97_add_adapter(struct ac97_
ret = device_register(&ac97_ctrl->adap);
if (ret)
put_device(&ac97_ctrl->adap);
- }
+ } else
+ kfree(ac97_ctrl);
+
if (!ret) {
list_add(&ac97_ctrl->controllers, &ac97_controllers);
dev_dbg(&ac97_ctrl->adap, "adapter registered by %s\n",
@@ -361,14 +364,11 @@ struct ac97_controller *snd_ac97_control
ret = ac97_add_adapter(ac97_ctrl);
if (ret)
- goto err;
+ return ERR_PTR(ret);
ac97_bus_reset(ac97_ctrl);
ac97_bus_scan(ac97_ctrl);
return ac97_ctrl;
-err:
- kfree(ac97_ctrl);
- return ERR_PTR(ret);
}
EXPORT_SYMBOL_GPL(snd_ac97_controller_register);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 023/181] ALSA: hda/tas2781: properly initialize speaker_id for TAS2563
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 6.18 022/181] ALSA: ac97: fix a double free in snd_ac97_controller_register() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 024/181] arm64: dts: imx95: correct I3C2 pclk to IMX95_CLK_BUSWAKEUP Greg Kroah-Hartman
` (171 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, August Wikerfors, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: August Wikerfors <git@augustwikerfors.se>
commit e340663bbf2a75dae5d4fddf90b49281f5c9df3f upstream.
After speaker id retrieval was refactored to happen in tas2781_read_acpi,
devices that do not use a speaker id need a negative speaker_id value
instead of NULL, but no initialization was added to the TAS2563 code path.
This causes the driver to attempt to load a non-existent firmware file name
with a speaker id of 0 ("TAS2XXX38700.bin") instead of the correct file
name without a speaker id ("TAS2XXX3870.bin"), resulting in low volume and
these dmesg errors:
tas2781-hda i2c-INT8866:00: Direct firmware load for TAS2XXX38700.bin failed with error -2
tas2781-hda i2c-INT8866:00: tasdevice_dsp_parser: load TAS2XXX38700.bin error
tas2781-hda i2c-INT8866:00: dspfw load TAS2XXX38700.bin error
[...]
tas2781-hda i2c-INT8866:00: tasdevice_prmg_load: Firmware is NULL
Fix this by setting speaker_id to -1 as is done for other models.
Fixes: 945865a0ddf3 ("ALSA: hda/tas2781: fix speaker id retrieval for multiple probes")
Cc: stable@vger.kernel.org
Signed-off-by: August Wikerfors <git@augustwikerfors.se>
Link: https://patch.msgid.link/20251222194704.87232-1-git@augustwikerfors.se
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
+++ b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
@@ -111,8 +111,10 @@ static int tas2781_read_acpi(struct tasd
sub = acpi_get_subsystem_id(ACPI_HANDLE(physdev));
if (IS_ERR(sub)) {
/* No subsys id in older tas2563 projects. */
- if (!strncmp(hid, "INT8866", sizeof("INT8866")))
+ if (!strncmp(hid, "INT8866", sizeof("INT8866"))) {
+ p->speaker_id = -1;
goto end_2563;
+ }
dev_err(p->dev, "Failed to get SUBSYS ID.\n");
ret = PTR_ERR(sub);
goto err;
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 024/181] arm64: dts: imx95: correct I3C2 pclk to IMX95_CLK_BUSWAKEUP
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 023/181] ALSA: hda/tas2781: properly initialize speaker_id for TAS2563 Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 025/181] drm/amd/display: Apply e4479aecf658 to dml Greg Kroah-Hartman
` (170 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Carlos Song, Frank Li, Shawn Guo
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Song <carlos.song@nxp.com>
commit cd0caaf2005547eaef8170356939aaabfcad4837 upstream.
I3C2 is in WAKEUP domain. Its pclk should be IMX95_CLK_BUSWAKEUP.
Fixes: 969497ebefcf ("arm64: dts: imx95: Add i3c1 and i3c2")
Signed-off-by: Carlos Song <carlos.song@nxp.com>
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/freescale/imx95.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/freescale/imx95.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx95.dtsi
@@ -806,7 +806,7 @@
interrupts = <GIC_SPI 57 IRQ_TYPE_LEVEL_HIGH>;
#address-cells = <3>;
#size-cells = <0>;
- clocks = <&scmi_clk IMX95_CLK_BUSAON>,
+ clocks = <&scmi_clk IMX95_CLK_BUSWAKEUP>,
<&scmi_clk IMX95_CLK_I3C2SLOW>;
clock-names = "pclk", "fast_clk";
status = "disabled";
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 025/181] drm/amd/display: Apply e4479aecf658 to dml
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 024/181] arm64: dts: imx95: correct I3C2 pclk to IMX95_CLK_BUSWAKEUP Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 026/181] drm/amdgpu: Fix query for VPE block_type and ip_count Greg Kroah-Hartman
` (169 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Alex Deucher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 70740454377f1ba3ff32f5df4acd965db99d055b upstream.
After an innocuous optimization change in clang-22, allmodconfig (which
enables CONFIG_KASAN and CONFIG_WERROR) breaks with:
drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (3144) exceeds limit (3072) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than]
1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib)
| ^
With clang-21, this function was already pretty close to the existing
limit of 3072 bytes.
drivers/gpu/drm/amd/amdgpu/../display/dc/dml/dcn32/display_mode_vba_32.c:1724:6: error: stack frame size (2904) exceeds limit (2048) in 'dml32_ModeSupportAndSystemConfigurationFull' [-Werror,-Wframe-larger-than]
1724 | void dml32_ModeSupportAndSystemConfigurationFull(struct display_mode_lib *mode_lib)
| ^
A similar situation occurred in dml2, which was resolved by
commit e4479aecf658 ("drm/amd/display: Increase sanitizer frame larger
than limit when compile testing with clang") by increasing the limit for
clang when compile testing with certain sanitizer enabled, so that
allmodconfig (an easy testing target) continues to work.
Apply that same change to the dml folder to clear up the warning for
allmodconfig, unbreaking the build.
Closes: https://github.com/ClangBuiltLinux/linux/issues/2135
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 25314b453cf812150e9951a32007a32bba85707e)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dml/Makefile | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/dml/Makefile
+++ b/drivers/gpu/drm/amd/display/dc/dml/Makefile
@@ -30,7 +30,11 @@ dml_rcflags := $(CC_FLAGS_NO_FPU)
ifneq ($(CONFIG_FRAME_WARN),0)
ifeq ($(filter y,$(CONFIG_KASAN)$(CONFIG_KCSAN)),y)
- frame_warn_limit := 3072
+ ifeq ($(CONFIG_CC_IS_CLANG)$(CONFIG_COMPILE_TEST),yy)
+ frame_warn_limit := 4096
+ else
+ frame_warn_limit := 3072
+ endif
else
frame_warn_limit := 2048
endif
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 026/181] drm/amdgpu: Fix query for VPE block_type and ip_count
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 025/181] drm/amd/display: Apply e4479aecf658 to dml Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 027/181] drm/atomic-helper: Export and namespace some functions Greg Kroah-Hartman
` (168 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lang Yu, Alan Liu, Alex Deucher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Liu <haoping.liu@amd.com>
commit 72d7f4573660287f1b66c30319efecd6fcde92ee upstream.
[Why]
Query for VPE block_type and ip_count is missing.
[How]
Add VPE case in ip_block_type and hw_ip_count query.
Reviewed-by: Lang Yu <lang.yu@amd.com>
Signed-off-by: Alan Liu <haoping.liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit a6ea0a430aca5932b9c75d8e38deeb45665dd2ae)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -201,6 +201,9 @@ static enum amd_ip_block_type
type = (amdgpu_device_ip_get_ip_block(adev, AMD_IP_BLOCK_TYPE_JPEG)) ?
AMD_IP_BLOCK_TYPE_JPEG : AMD_IP_BLOCK_TYPE_VCN;
break;
+ case AMDGPU_HW_IP_VPE:
+ type = AMD_IP_BLOCK_TYPE_VPE;
+ break;
default:
type = AMD_IP_BLOCK_TYPE_NUM;
break;
@@ -721,6 +724,9 @@ int amdgpu_info_ioctl(struct drm_device
case AMD_IP_BLOCK_TYPE_UVD:
count = adev->uvd.num_uvd_inst;
break;
+ case AMD_IP_BLOCK_TYPE_VPE:
+ count = adev->vpe.num_instances;
+ break;
/* For all other IP block types not listed in the switch statement
* the ip status is valid here and the instance count is one.
*/
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 027/181] drm/atomic-helper: Export and namespace some functions
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 026/181] drm/amdgpu: Fix query for VPE block_type and ip_count Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 028/181] drm/pl111: Fix error handling in pl111_amba_probe Greg Kroah-Hartman
` (167 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Maxime Ripard,
Tomi Valkeinen, Aradhya Bhatia, Linus Walleij
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Walleij <linusw@kernel.org>
commit d1c7dc57ff2400b141e6582a8d2dc5170108cf81 upstream.
Export and namespace those not prefixed with drm_* so
it becomes possible to write custom commit tail functions
in individual drivers using the helper infrastructure.
Tested-by: Marek Vasut <marek.vasut+renesas@mailbox.org>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Cc: stable@vger.kernel.org # v6.17+
Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable")
Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Tested-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-3-fda68fa1b3de@ideasonboard.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_atomic_helper.c | 122 +++++++++++++++++++++++++++++-------
include/drm/drm_atomic_helper.h | 22 ++++++
2 files changed, 121 insertions(+), 23 deletions(-)
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1162,8 +1162,18 @@ crtc_needs_disable(struct drm_crtc_state
new_state->self_refresh_active;
}
-static void
-encoder_bridge_disable(struct drm_device *dev, struct drm_atomic_state *state)
+/**
+ * drm_atomic_helper_commit_encoder_bridge_disable - disable bridges and encoder
+ * @dev: DRM device
+ * @state: the driver state object
+ *
+ * Loops over all connectors in the current state and if the CRTC needs
+ * it, disables the bridge chain all the way, then disables the encoder
+ * afterwards.
+ */
+void
+drm_atomic_helper_commit_encoder_bridge_disable(struct drm_device *dev,
+ struct drm_atomic_state *state)
{
struct drm_connector *connector;
struct drm_connector_state *old_conn_state, *new_conn_state;
@@ -1229,9 +1239,18 @@ encoder_bridge_disable(struct drm_device
}
}
}
+EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_disable);
-static void
-crtc_disable(struct drm_device *dev, struct drm_atomic_state *state)
+/**
+ * drm_atomic_helper_commit_crtc_disable - disable CRTSs
+ * @dev: DRM device
+ * @state: the driver state object
+ *
+ * Loops over all CRTCs in the current state and if the CRTC needs
+ * it, disables it.
+ */
+void
+drm_atomic_helper_commit_crtc_disable(struct drm_device *dev, struct drm_atomic_state *state)
{
struct drm_crtc *crtc;
struct drm_crtc_state *old_crtc_state, *new_crtc_state;
@@ -1282,9 +1301,18 @@ crtc_disable(struct drm_device *dev, str
drm_crtc_vblank_put(crtc);
}
}
+EXPORT_SYMBOL(drm_atomic_helper_commit_crtc_disable);
-static void
-encoder_bridge_post_disable(struct drm_device *dev, struct drm_atomic_state *state)
+/**
+ * drm_atomic_helper_commit_encoder_bridge_post_disable - post-disable encoder bridges
+ * @dev: DRM device
+ * @state: the driver state object
+ *
+ * Loops over all connectors in the current state and if the CRTC needs
+ * it, post-disables all encoder bridges.
+ */
+void
+drm_atomic_helper_commit_encoder_bridge_post_disable(struct drm_device *dev, struct drm_atomic_state *state)
{
struct drm_connector *connector;
struct drm_connector_state *old_conn_state, *new_conn_state;
@@ -1335,15 +1363,16 @@ encoder_bridge_post_disable(struct drm_d
drm_bridge_put(bridge);
}
}
+EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_post_disable);
static void
disable_outputs(struct drm_device *dev, struct drm_atomic_state *state)
{
- encoder_bridge_disable(dev, state);
+ drm_atomic_helper_commit_encoder_bridge_disable(dev, state);
- encoder_bridge_post_disable(dev, state);
+ drm_atomic_helper_commit_encoder_bridge_post_disable(dev, state);
- crtc_disable(dev, state);
+ drm_atomic_helper_commit_crtc_disable(dev, state);
}
/**
@@ -1446,8 +1475,17 @@ void drm_atomic_helper_calc_timestamping
}
EXPORT_SYMBOL(drm_atomic_helper_calc_timestamping_constants);
-static void
-crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *state)
+/**
+ * drm_atomic_helper_commit_crtc_set_mode - set the new mode
+ * @dev: DRM device
+ * @state: the driver state object
+ *
+ * Loops over all connectors in the current state and if the mode has
+ * changed, change the mode of the CRTC, then call down the bridge
+ * chain and change the mode in all bridges as well.
+ */
+void
+drm_atomic_helper_commit_crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *state)
{
struct drm_crtc *crtc;
struct drm_crtc_state *new_crtc_state;
@@ -1508,6 +1546,7 @@ crtc_set_mode(struct drm_device *dev, st
drm_bridge_put(bridge);
}
}
+EXPORT_SYMBOL(drm_atomic_helper_commit_crtc_set_mode);
/**
* drm_atomic_helper_commit_modeset_disables - modeset commit to disable outputs
@@ -1531,12 +1570,21 @@ void drm_atomic_helper_commit_modeset_di
drm_atomic_helper_update_legacy_modeset_state(dev, state);
drm_atomic_helper_calc_timestamping_constants(state);
- crtc_set_mode(dev, state);
+ drm_atomic_helper_commit_crtc_set_mode(dev, state);
}
EXPORT_SYMBOL(drm_atomic_helper_commit_modeset_disables);
-static void drm_atomic_helper_commit_writebacks(struct drm_device *dev,
- struct drm_atomic_state *state)
+/**
+ * drm_atomic_helper_commit_writebacks - issue writebacks
+ * @dev: DRM device
+ * @state: atomic state object being committed
+ *
+ * This loops over the connectors, checks if the new state requires
+ * a writeback job to be issued and in that case issues an atomic
+ * commit on each connector.
+ */
+void drm_atomic_helper_commit_writebacks(struct drm_device *dev,
+ struct drm_atomic_state *state)
{
struct drm_connector *connector;
struct drm_connector_state *new_conn_state;
@@ -1555,9 +1603,18 @@ static void drm_atomic_helper_commit_wri
}
}
}
+EXPORT_SYMBOL(drm_atomic_helper_commit_writebacks);
-static void
-encoder_bridge_pre_enable(struct drm_device *dev, struct drm_atomic_state *state)
+/**
+ * drm_atomic_helper_commit_encoder_bridge_pre_enable - pre-enable bridges
+ * @dev: DRM device
+ * @state: atomic state object being committed
+ *
+ * This loops over the connectors and if the CRTC needs it, pre-enables
+ * the entire bridge chain.
+ */
+void
+drm_atomic_helper_commit_encoder_bridge_pre_enable(struct drm_device *dev, struct drm_atomic_state *state)
{
struct drm_connector *connector;
struct drm_connector_state *new_conn_state;
@@ -1588,9 +1645,18 @@ encoder_bridge_pre_enable(struct drm_dev
drm_bridge_put(bridge);
}
}
+EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_pre_enable);
-static void
-crtc_enable(struct drm_device *dev, struct drm_atomic_state *state)
+/**
+ * drm_atomic_helper_commit_crtc_enable - enables the CRTCs
+ * @dev: DRM device
+ * @state: atomic state object being committed
+ *
+ * This loops over CRTCs in the new state, and of the CRTC needs
+ * it, enables it.
+ */
+void
+drm_atomic_helper_commit_crtc_enable(struct drm_device *dev, struct drm_atomic_state *state)
{
struct drm_crtc *crtc;
struct drm_crtc_state *old_crtc_state;
@@ -1619,9 +1685,18 @@ crtc_enable(struct drm_device *dev, stru
}
}
}
+EXPORT_SYMBOL(drm_atomic_helper_commit_crtc_enable);
-static void
-encoder_bridge_enable(struct drm_device *dev, struct drm_atomic_state *state)
+/**
+ * drm_atomic_helper_commit_encoder_bridge_enable - enables the bridges
+ * @dev: DRM device
+ * @state: atomic state object being committed
+ *
+ * This loops over all connectors in the new state, and of the CRTC needs
+ * it, enables the entire bridge chain.
+ */
+void
+drm_atomic_helper_commit_encoder_bridge_enable(struct drm_device *dev, struct drm_atomic_state *state)
{
struct drm_connector *connector;
struct drm_connector_state *new_conn_state;
@@ -1664,6 +1739,7 @@ encoder_bridge_enable(struct drm_device
drm_bridge_put(bridge);
}
}
+EXPORT_SYMBOL(drm_atomic_helper_commit_encoder_bridge_enable);
/**
* drm_atomic_helper_commit_modeset_enables - modeset commit to enable outputs
@@ -1682,11 +1758,11 @@ encoder_bridge_enable(struct drm_device
void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev,
struct drm_atomic_state *state)
{
- crtc_enable(dev, state);
+ drm_atomic_helper_commit_crtc_enable(dev, state);
- encoder_bridge_pre_enable(dev, state);
+ drm_atomic_helper_commit_encoder_bridge_pre_enable(dev, state);
- encoder_bridge_enable(dev, state);
+ drm_atomic_helper_commit_encoder_bridge_enable(dev, state);
drm_atomic_helper_commit_writebacks(dev, state);
}
--- a/include/drm/drm_atomic_helper.h
+++ b/include/drm/drm_atomic_helper.h
@@ -60,6 +60,12 @@ int drm_atomic_helper_check_plane_state(
int drm_atomic_helper_check_planes(struct drm_device *dev,
struct drm_atomic_state *state);
int drm_atomic_helper_check_crtc_primary_plane(struct drm_crtc_state *crtc_state);
+void drm_atomic_helper_commit_encoder_bridge_disable(struct drm_device *dev,
+ struct drm_atomic_state *state);
+void drm_atomic_helper_commit_crtc_disable(struct drm_device *dev,
+ struct drm_atomic_state *state);
+void drm_atomic_helper_commit_encoder_bridge_post_disable(struct drm_device *dev,
+ struct drm_atomic_state *state);
int drm_atomic_helper_check(struct drm_device *dev,
struct drm_atomic_state *state);
void drm_atomic_helper_commit_tail(struct drm_atomic_state *state);
@@ -89,8 +95,24 @@ drm_atomic_helper_update_legacy_modeset_
void
drm_atomic_helper_calc_timestamping_constants(struct drm_atomic_state *state);
+void drm_atomic_helper_commit_crtc_set_mode(struct drm_device *dev,
+ struct drm_atomic_state *state);
+
void drm_atomic_helper_commit_modeset_disables(struct drm_device *dev,
struct drm_atomic_state *state);
+
+void drm_atomic_helper_commit_writebacks(struct drm_device *dev,
+ struct drm_atomic_state *state);
+
+void drm_atomic_helper_commit_encoder_bridge_pre_enable(struct drm_device *dev,
+ struct drm_atomic_state *state);
+
+void drm_atomic_helper_commit_crtc_enable(struct drm_device *dev,
+ struct drm_atomic_state *state);
+
+void drm_atomic_helper_commit_encoder_bridge_enable(struct drm_device *dev,
+ struct drm_atomic_state *state);
+
void drm_atomic_helper_commit_modeset_enables(struct drm_device *dev,
struct drm_atomic_state *old_state);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 028/181] drm/pl111: Fix error handling in pl111_amba_probe
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 027/181] drm/atomic-helper: Export and namespace some functions Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 029/181] drm/tidss: Fix enable/disable order Greg Kroah-Hartman
` (166 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin,
Javier Martinez Canillas, Linus Walleij
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 upstream.
Jump to the existing dev_put label when devm_request_irq() fails
so drm_dev_put() and of_reserved_mem_device_release() run
instead of returning early and leaking resources.
Found via static analysis and code review.
Fixes: bed41005e617 ("drm/pl111: Initial drm/kms driver for pl111")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20251211123345.2392065-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/pl111/pl111_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/pl111/pl111_drv.c
+++ b/drivers/gpu/drm/pl111/pl111_drv.c
@@ -295,7 +295,7 @@ static int pl111_amba_probe(struct amba_
variant->name, priv);
if (ret != 0) {
dev_err(dev, "%s failed irq %d\n", __func__, ret);
- return ret;
+ goto dev_put;
}
ret = pl111_modeset_init(drm);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 029/181] drm/tidss: Fix enable/disable order
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 028/181] drm/pl111: Fix error handling in pl111_amba_probe Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 030/181] drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[] Greg Kroah-Hartman
` (165 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomi Valkeinen, Aradhya Bhatia,
Maxime Ripard, Linus Walleij
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
commit 2fc04340cf30d7960eed2525d26ffb8905aca02b upstream.
TI's OLDI and DSI encoders need to be set up before the crtc is enabled,
but the DRM helpers will enable the crtc first. This causes various
issues on TI platforms, like visual artifacts or crtc sync lost
warnings.
Thus drm_atomic_helper_commit_modeset_enables() and
drm_atomic_helper_commit_modeset_disables() cannot be used, as they
enable the crtc before bridges' pre-enable, and disable the crtc after
bridges' post-disable.
Open code the drm_atomic_helper_commit_modeset_enables() and
drm_atomic_helper_commit_modeset_disables(), and first call the bridges'
pre-enables, then crtc enable, then bridges' post-enable (and vice versa
for disable).
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Cc: stable@vger.kernel.org # v6.17+
Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable")
Reviewed-by: Aradhya Bhatia <aradhya.bhatia@linux.dev>
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Tested-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-4-fda68fa1b3de@ideasonboard.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/tidss/tidss_kms.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/tidss/tidss_kms.c
+++ b/drivers/gpu/drm/tidss/tidss_kms.c
@@ -28,9 +28,33 @@ static void tidss_atomic_commit_tail(str
tidss_runtime_get(tidss);
- drm_atomic_helper_commit_modeset_disables(ddev, old_state);
- drm_atomic_helper_commit_planes(ddev, old_state, DRM_PLANE_COMMIT_ACTIVE_ONLY);
- drm_atomic_helper_commit_modeset_enables(ddev, old_state);
+ /*
+ * TI's OLDI and DSI encoders need to be set up before the crtc is
+ * enabled. Thus drm_atomic_helper_commit_modeset_enables() and
+ * drm_atomic_helper_commit_modeset_disables() cannot be used here, as
+ * they enable the crtc before bridges' pre-enable, and disable the crtc
+ * after bridges' post-disable.
+ *
+ * Open code the functions here and first call the bridges' pre-enables,
+ * then crtc enable, then bridges' post-enable (and vice versa for
+ * disable).
+ */
+
+ drm_atomic_helper_commit_encoder_bridge_disable(ddev, old_state);
+ drm_atomic_helper_commit_crtc_disable(ddev, old_state);
+ drm_atomic_helper_commit_encoder_bridge_post_disable(ddev, old_state);
+
+ drm_atomic_helper_update_legacy_modeset_state(ddev, old_state);
+ drm_atomic_helper_calc_timestamping_constants(old_state);
+ drm_atomic_helper_commit_crtc_set_mode(ddev, old_state);
+
+ drm_atomic_helper_commit_planes(ddev, old_state,
+ DRM_PLANE_COMMIT_ACTIVE_ONLY);
+
+ drm_atomic_helper_commit_encoder_bridge_pre_enable(ddev, old_state);
+ drm_atomic_helper_commit_crtc_enable(ddev, old_state);
+ drm_atomic_helper_commit_encoder_bridge_enable(ddev, old_state);
+ drm_atomic_helper_commit_writebacks(ddev, old_state);
drm_atomic_helper_commit_hw_done(old_state);
drm_atomic_helper_wait_for_flip_done(ddev, old_state);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 030/181] drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[]
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 029/181] drm/tidss: Fix enable/disable order Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 031/181] gpio: rockchip: mark the GPIO controller as sleeping Greg Kroah-Hartman
` (164 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lijo Lazar, Alex Deucher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 19158c7332468bc28572bdca428e89c7954ee1b1 upstream.
clockInfo[] is a generic uchar pointer to variable sized structures
which vary from ASIC to ASIC.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4374
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit dc135aa73561b5acc74eadf776e48530996529a3)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/radeon/pptable.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/radeon/pptable.h
+++ b/drivers/gpu/drm/radeon/pptable.h
@@ -450,7 +450,7 @@ typedef struct _ClockInfoArray{
//sizeof(ATOM_PPLIB_CLOCK_INFO)
UCHAR ucEntrySize;
- UCHAR clockInfo[] __counted_by(ucNumEntries);
+ UCHAR clockInfo[] /*__counted_by(ucNumEntries)*/;
}ClockInfoArray;
typedef struct _NonClockInfoArray{
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 031/181] gpio: rockchip: mark the GPIO controller as sleeping
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 030/181] drm/radeon: Remove __counted_by from ClockInfoArray.clockInfo[] Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 032/181] io_uring/io-wq: fix incorrect io_wq_for_each_worker() termination logic Greg Kroah-Hartman
` (163 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Heiko Stuebner,
Bartosz Golaszewski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
commit 20cf2aed89ac6d78a0122e31c875228e15247194 upstream.
The GPIO controller is configured as non-sleeping but it uses generic
pinctrl helpers which use a mutex for synchronization.
This can cause the following lockdep splat with shared GPIOs enabled on
boards which have multiple devices using the same GPIO:
BUG: sleeping function called from invalid context at
kernel/locking/mutex.c:591
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 12, name:
kworker/u16:0
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
6 locks held by kworker/u16:0/12:
#0: ffff0001f0018d48 ((wq_completion)events_unbound#2){+.+.}-{0:0},
at: process_one_work+0x18c/0x604
#1: ffff8000842dbdf0 (deferred_probe_work){+.+.}-{0:0}, at:
process_one_work+0x1b4/0x604
#2: ffff0001f18498f8 (&dev->mutex){....}-{4:4}, at:
__device_attach+0x38/0x1b0
#3: ffff0001f75f1e90 (&gdev->srcu){.+.?}-{0:0}, at:
gpiod_direction_output_raw_commit+0x0/0x360
#4: ffff0001f46e3db8 (&shared_desc->spinlock){....}-{3:3}, at:
gpio_shared_proxy_direction_output+0xd0/0x144 [gpio_shared_proxy]
#5: ffff0001f180ee90 (&gdev->srcu){.+.?}-{0:0}, at:
gpiod_direction_output_raw_commit+0x0/0x360
irq event stamp: 81450
hardirqs last enabled at (81449): [<ffff8000813acba4>]
_raw_spin_unlock_irqrestore+0x74/0x78
hardirqs last disabled at (81450): [<ffff8000813abfb8>]
_raw_spin_lock_irqsave+0x84/0x88
softirqs last enabled at (79616): [<ffff8000811455fc>]
__alloc_skb+0x17c/0x1e8
softirqs last disabled at (79614): [<ffff8000811455fc>]
__alloc_skb+0x17c/0x1e8
CPU: 2 UID: 0 PID: 12 Comm: kworker/u16:0 Not tainted
6.19.0-rc4-next-20260105+ #11975 PREEMPT
Hardware name: Hardkernel ODROID-M1 (DT)
Workqueue: events_unbound deferred_probe_work_func
Call trace:
show_stack+0x18/0x24 (C)
dump_stack_lvl+0x90/0xd0
dump_stack+0x18/0x24
__might_resched+0x144/0x248
__might_sleep+0x48/0x98
__mutex_lock+0x5c/0x894
mutex_lock_nested+0x24/0x30
pinctrl_get_device_gpio_range+0x44/0x128
pinctrl_gpio_direction+0x3c/0xe0
pinctrl_gpio_direction_output+0x14/0x20
rockchip_gpio_direction_output+0xb8/0x19c
gpiochip_direction_output+0x38/0x94
gpiod_direction_output_raw_commit+0x1d8/0x360
gpiod_direction_output_nonotify+0x7c/0x230
gpiod_direction_output+0x34/0xf8
gpio_shared_proxy_direction_output+0xec/0x144 [gpio_shared_proxy]
gpiochip_direction_output+0x38/0x94
gpiod_direction_output_raw_commit+0x1d8/0x360
gpiod_direction_output_nonotify+0x7c/0x230
gpiod_configure_flags+0xbc/0x480
gpiod_find_and_request+0x1a0/0x574
gpiod_get_index+0x58/0x84
devm_gpiod_get_index+0x20/0xb4
devm_gpiod_get_optional+0x18/0x30
rockchip_pcie_probe+0x98/0x380
platform_probe+0x5c/0xac
really_probe+0xbc/0x298
Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
Cc: stable@vger.kernel.org
Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
Closes: https://lore.kernel.org/all/d035fc29-3b03-4cd6-b8ec-001f93540bc6@samsung.com/
Acked-by: Heiko Stuebner <heiko@sntech.de>
Link: https://lore.kernel.org/r/20260106090011.21603-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-rockchip.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpio/gpio-rockchip.c
+++ b/drivers/gpio/gpio-rockchip.c
@@ -593,6 +593,7 @@ static int rockchip_gpiolib_register(str
gc->ngpio = bank->nr_pins;
gc->label = bank->name;
gc->parent = bank->dev;
+ gc->can_sleep = true;
ret = gpiochip_add_data(gc, bank);
if (ret) {
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 032/181] io_uring/io-wq: fix incorrect io_wq_for_each_worker() termination logic
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 031/181] gpio: rockchip: mark the GPIO controller as sleeping Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 033/181] PCI: meson: Report that link is up while in ASPM L0s and L1 states Greg Kroah-Hartman
` (162 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lewis Campbell,
Gabriel Krisman Bertazi, Jens Axboe
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit e0392a10c9e80a3991855a81317da3039fcbe32c upstream.
A previous commit added this helper, and had it terminate if false is
returned from the handler. However, that is completely opposite, it
should abort the loop if true is returned.
Fix this up by having io_wq_for_each_worker() keep iterating as long
as false is returned, and only abort if true is returned.
Cc: stable@vger.kernel.org
Fixes: 751eedc4b4b7 ("io_uring/io-wq: move worker lists to struct io_wq_acct")
Reported-by: Lewis Campbell <info@lewiscampbell.tech>
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io-wq.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -951,11 +951,11 @@ static bool io_wq_for_each_worker(struct
void *data)
{
for (int i = 0; i < IO_WQ_ACCT_NR; i++) {
- if (!io_acct_for_each_worker(&wq->acct[i], func, data))
- return false;
+ if (io_acct_for_each_worker(&wq->acct[i], func, data))
+ return true;
}
- return true;
+ return false;
}
static bool io_wq_worker_wake(struct io_worker *worker, void *data)
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 033/181] PCI: meson: Report that link is up while in ASPM L0s and L1 states
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 032/181] io_uring/io-wq: fix incorrect io_wq_for_each_worker() termination logic Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 034/181] pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping Greg Kroah-Hartman
` (161 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linnaea Lavia, Bjorn Helgaas,
Neil Armstrong
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Helgaas <bhelgaas@google.com>
commit df27c03b9e3ef2baa9e9c9f56a771d463a84489d upstream.
Previously meson_pcie_link_up() only returned true if the link was in the
L0 state. This was incorrect because hardware autonomously manages
transitions between L0, L0s, and L1 while both components on the link stay
in D0. Those states should all be treated as "link is active".
Returning false when the device was in L0s or L1 broke config accesses
because dw_pcie_other_conf_map_bus() fails if the link is down, which
caused errors like this:
meson-pcie fc000000.pcie: error: wait linkup timeout
pci 0000:01:00.0: BAR 0: error updating (0xfc700004 != 0xffffffff)
Remove the LTSSM state check, timeout, speed check, and error message from
meson_pcie_link_up(), the dw_pcie_ops.link_up() method, so it is a simple
boolean check of whether the link is active. Timeouts and error messages
are handled at a higher level, e.g., dw_pcie_wait_for_link().
Fixes: 9c0ef6d34fdb ("PCI: amlogic: Add the Amlogic Meson PCIe controller driver")
Reported-by: Linnaea Lavia <linnaea-von-lavia@live.com>
Closes: https://lore.kernel.org/r/DM4PR05MB102707B8CDF84D776C39F22F2C7F0A@DM4PR05MB10270.namprd05.prod.outlook.com
[bhelgaas: squash removal of unused WAIT_LINKUP_TIMEOUT by
Martin Blumenstingl <martin.blumenstingl@googlemail.com>:
https://patch.msgid.link/20260105125625.239497-1-martin.blumenstingl@googlemail.com]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Linnaea Lavia <linnaea-von-lavia@live.com>
Tested-by: Neil Armstrong <neil.armstrong@linaro.org> # on BananaPi M2S
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251103221930.1831376-1-helgaas@kernel.org
Link: https://patch.msgid.link/20260105125625.239497-1-martin.blumenstingl@googlemail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/dwc/pci-meson.c | 37 ++-------------------------------
1 file changed, 3 insertions(+), 34 deletions(-)
--- a/drivers/pci/controller/dwc/pci-meson.c
+++ b/drivers/pci/controller/dwc/pci-meson.c
@@ -37,7 +37,6 @@
#define PCIE_CFG_STATUS17 0x44
#define PM_CURRENT_STATE(x) (((x) >> 7) & 0x1)
-#define WAIT_LINKUP_TIMEOUT 4000
#define PORT_CLK_RATE 100000000UL
#define MAX_PAYLOAD_SIZE 256
#define MAX_READ_REQ_SIZE 256
@@ -350,40 +349,10 @@ static struct pci_ops meson_pci_ops = {
static bool meson_pcie_link_up(struct dw_pcie *pci)
{
struct meson_pcie *mp = to_meson_pcie(pci);
- struct device *dev = pci->dev;
- u32 speed_okay = 0;
- u32 cnt = 0;
- u32 state12, state17, smlh_up, ltssm_up, rdlh_up;
-
- do {
- state12 = meson_cfg_readl(mp, PCIE_CFG_STATUS12);
- state17 = meson_cfg_readl(mp, PCIE_CFG_STATUS17);
- smlh_up = IS_SMLH_LINK_UP(state12);
- rdlh_up = IS_RDLH_LINK_UP(state12);
- ltssm_up = IS_LTSSM_UP(state12);
-
- if (PM_CURRENT_STATE(state17) < PCIE_GEN3)
- speed_okay = 1;
-
- if (smlh_up)
- dev_dbg(dev, "smlh_link_up is on\n");
- if (rdlh_up)
- dev_dbg(dev, "rdlh_link_up is on\n");
- if (ltssm_up)
- dev_dbg(dev, "ltssm_up is on\n");
- if (speed_okay)
- dev_dbg(dev, "speed_okay\n");
-
- if (smlh_up && rdlh_up && ltssm_up && speed_okay)
- return true;
+ u32 state12;
- cnt++;
-
- udelay(10);
- } while (cnt < WAIT_LINKUP_TIMEOUT);
-
- dev_err(dev, "error: wait linkup timeout\n");
- return false;
+ state12 = meson_cfg_readl(mp, PCIE_CFG_STATUS12);
+ return IS_SMLH_LINK_UP(state12) && IS_RDLH_LINK_UP(state12);
}
static int meson_pcie_host_init(struct dw_pcie_rp *pp)
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 034/181] pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 033/181] PCI: meson: Report that link is up while in ASPM L0s and L1 states Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 035/181] PM: hibernate: Fix crash when freeing invalid crypto compressor Greg Kroah-Hartman
` (160 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Bartosz Golaszewski,
Dmitry Baryshkov, Bjorn Andersson, Linus Walleij
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
commit ebc18e9854e5a2b62a041fb57b216a903af45b85 upstream.
The gpio_chip settings in this driver say the controller can't sleep
but it actually uses a mutex for synchronization. This triggers the
following BUG():
[ 9.233659] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:281
[ 9.233665] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 554, name: (udev-worker)
[ 9.233669] preempt_count: 1, expected: 0
[ 9.233673] RCU nest depth: 0, expected: 0
[ 9.233688] Tainted: [W]=WARN
[ 9.233690] Hardware name: Dell Inc. Latitude 7455/0FK7MX, BIOS 2.10.1 05/20/2025
[ 9.233694] Call trace:
[ 9.233696] show_stack+0x24/0x38 (C)
[ 9.233709] dump_stack_lvl+0x40/0x88
[ 9.233716] dump_stack+0x18/0x24
[ 9.233722] __might_resched+0x148/0x160
[ 9.233731] __might_sleep+0x38/0x98
[ 9.233736] mutex_lock+0x30/0xd8
[ 9.233749] lpi_config_set+0x2e8/0x3c8 [pinctrl_lpass_lpi]
[ 9.233757] lpi_gpio_direction_output+0x58/0x90 [pinctrl_lpass_lpi]
[ 9.233761] gpiod_direction_output_raw_commit+0x110/0x428
[ 9.233772] gpiod_direction_output_nonotify+0x234/0x358
[ 9.233779] gpiod_direction_output+0x38/0xd0
[ 9.233786] gpio_shared_proxy_direction_output+0xb8/0x2a8 [gpio_shared_proxy]
[ 9.233792] gpiod_direction_output_raw_commit+0x110/0x428
[ 9.233799] gpiod_direction_output_nonotify+0x234/0x358
[ 9.233806] gpiod_configure_flags+0x2c0/0x580
[ 9.233812] gpiod_find_and_request+0x358/0x4f8
[ 9.233819] gpiod_get_index+0x7c/0x98
[ 9.233826] devm_gpiod_get+0x34/0xb0
[ 9.233829] reset_gpio_probe+0x58/0x128 [reset_gpio]
[ 9.233836] auxiliary_bus_probe+0xb0/0xf0
[ 9.233845] really_probe+0x14c/0x450
[ 9.233853] __driver_probe_device+0xb0/0x188
[ 9.233858] driver_probe_device+0x4c/0x250
[ 9.233863] __driver_attach+0xf8/0x2a0
[ 9.233868] bus_for_each_dev+0xf8/0x158
[ 9.233872] driver_attach+0x30/0x48
[ 9.233876] bus_add_driver+0x158/0x2b8
[ 9.233880] driver_register+0x74/0x118
[ 9.233886] __auxiliary_driver_register+0x94/0xe8
[ 9.233893] init_module+0x34/0xfd0 [reset_gpio]
[ 9.233898] do_one_initcall+0xec/0x300
[ 9.233903] do_init_module+0x64/0x260
[ 9.233910] load_module+0x16c4/0x1900
[ 9.233915] __arm64_sys_finit_module+0x24c/0x378
[ 9.233919] invoke_syscall+0x4c/0xe8
[ 9.233925] el0_svc_common+0x8c/0xf0
[ 9.233929] do_el0_svc+0x28/0x40
[ 9.233934] el0_svc+0x38/0x100
[ 9.233938] el0t_64_sync_handler+0x84/0x130
[ 9.233943] el0t_64_sync+0x17c/0x180
Mark the controller as sleeping.
Fixes: 6e261d1090d6 ("pinctrl: qcom: Add sm8250 lpass lpi pinctrl driver")
Cc: stable@vger.kernel.org
Reported-by: Val Packett <val@packett.cool>
Closes: https://lore.kernel.org/all/98c0f185-b0e0-49ea-896c-f3972dd011ca@packett.cool/
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/qcom/pinctrl-lpass-lpi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
+++ b/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
@@ -498,7 +498,7 @@ int lpi_pinctrl_probe(struct platform_de
pctrl->chip.base = -1;
pctrl->chip.ngpio = data->npins;
pctrl->chip.label = dev_name(dev);
- pctrl->chip.can_sleep = false;
+ pctrl->chip.can_sleep = true;
mutex_init(&pctrl->lock);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 035/181] PM: hibernate: Fix crash when freeing invalid crypto compressor
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 034/181] pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 036/181] Revert "drm/mediatek: dsi: Fix DSI host and panel bridge pre-enable order" Greg Kroah-Hartman
` (159 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Malaya Kumar Rout, Rafael J. Wysocki
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Malaya Kumar Rout <mrout@redhat.com>
commit 7966cf0ebe32c981bfa3db252cb5fc3bb1bf2e77 upstream.
When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL.
The cleanup code in save_compressed_image() and load_compressed_image()
unconditionally calls crypto_free_acomp() without checking for ERR_PTR,
which causes crypto_acomp_tfm() to dereference an invalid pointer and
crash the kernel.
This can be triggered when the compression algorithm is unavailable
(e.g., CONFIG_CRYPTO_LZO not enabled).
Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp()
and acomp_request_free(), similar to the existing kthread_stop() check.
Fixes: b03d542c3c95 ("PM: hibernate: Use crypto_acomp interface")
Signed-off-by: Malaya Kumar Rout <mrout@redhat.com>
Cc: 6.15+ <stable@vger.kernel.org> # 6.15+
[ rjw: Added 2 empty code lines ]
Link: https://patch.msgid.link/20251230115613.64080-1-mrout@redhat.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/power/swap.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/kernel/power/swap.c
+++ b/kernel/power/swap.c
@@ -897,8 +897,11 @@ out_clean:
for (thr = 0; thr < nr_threads; thr++) {
if (data[thr].thr)
kthread_stop(data[thr].thr);
- acomp_request_free(data[thr].cr);
- crypto_free_acomp(data[thr].cc);
+ if (data[thr].cr)
+ acomp_request_free(data[thr].cr);
+
+ if (!IS_ERR_OR_NULL(data[thr].cc))
+ crypto_free_acomp(data[thr].cc);
}
vfree(data);
}
@@ -1519,8 +1522,11 @@ out_clean:
for (thr = 0; thr < nr_threads; thr++) {
if (data[thr].thr)
kthread_stop(data[thr].thr);
- acomp_request_free(data[thr].cr);
- crypto_free_acomp(data[thr].cc);
+ if (data[thr].cr)
+ acomp_request_free(data[thr].cr);
+
+ if (!IS_ERR_OR_NULL(data[thr].cc))
+ crypto_free_acomp(data[thr].cc);
}
vfree(data);
}
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 036/181] Revert "drm/mediatek: dsi: Fix DSI host and panel bridge pre-enable order"
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 035/181] PM: hibernate: Fix crash when freeing invalid crypto compressor Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 037/181] wifi: avoid kernel-infoleak from struct iw_point Greg Kroah-Hartman
` (158 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomi Valkeinen, Maxime Ripard,
Linus Walleij
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
commit 33e8150bd32d7dc25c977bb455f1f5d54bfd5241 upstream.
This reverts commit f5b1819193667bf62c3c99d3921b9429997a14b2.
As the original commit (c9b1150a68d9 ("drm/atomic-helper: Re-order
bridge chain pre-enable and post-disable")) causing the issue has been
reverted, let's revert the fix for mediatek.
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Cc: stable@vger.kernel.org # v6.17+
Fixes: c9b1150a68d9 ("drm/atomic-helper: Re-order bridge chain pre-enable and post-disable")
Reviewed-by: Maxime Ripard <mripard@kernel.org>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Tested-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20251205-drm-seq-fix-v1-2-fda68fa1b3de@ideasonboard.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_dsi.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/gpu/drm/mediatek/mtk_dsi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dsi.c
@@ -1002,12 +1002,6 @@ static int mtk_dsi_host_attach(struct mi
return PTR_ERR(dsi->next_bridge);
}
- /*
- * set flag to request the DSI host bridge be pre-enabled before device bridge
- * in the chain, so the DSI host is ready when the device bridge is pre-enabled
- */
- dsi->next_bridge->pre_enable_prev_first = true;
-
drm_bridge_add(&dsi->bridge);
ret = component_add(host->dev, &mtk_dsi_component_ops);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 037/181] wifi: avoid kernel-infoleak from struct iw_point
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 036/181] Revert "drm/mediatek: dsi: Fix DSI host and panel bridge pre-enable order" Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 038/181] wifi: mac80211: restore non-chanctx injection behaviour Greg Kroah-Hartman
` (157 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bfc7323743ca6dbcc3d3,
Eric Dumazet, Johannes Berg
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 21cbf883d073abbfe09e3924466aa5e0449e7261 upstream.
struct iw_point has a 32bit hole on 64bit arches.
struct iw_point {
void __user *pointer; /* Pointer to the data (in user space) */
__u16 length; /* number of fields or size in bytes */
__u16 flags; /* Optional params */
};
Make sure to zero the structure to avoid disclosing 32bits of kernel data
to user space.
Fixes: 87de87d5e47f ("wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c")
Reported-by: syzbot+bfc7323743ca6dbcc3d3@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/695f83f3.050a0220.1c677c.0392.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260108101927.857582-1-edumazet@google.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/wext-core.c | 4 ++++
net/wireless/wext-priv.c | 4 ++++
2 files changed, 8 insertions(+)
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -1101,6 +1101,10 @@ static int compat_standard_call(struct n
return ioctl_standard_call(dev, iwr, cmd, info, handler);
iwp_compat = (struct compat_iw_point *) &iwr->u.data;
+
+ /* struct iw_point has a 32bit hole on 64bit arches. */
+ memset(&iwp, 0, sizeof(iwp));
+
iwp.pointer = compat_ptr(iwp_compat->pointer);
iwp.length = iwp_compat->length;
iwp.flags = iwp_compat->flags;
--- a/net/wireless/wext-priv.c
+++ b/net/wireless/wext-priv.c
@@ -228,6 +228,10 @@ int compat_private_call(struct net_devic
struct iw_point iwp;
iwp_compat = (struct compat_iw_point *) &iwr->u.data;
+
+ /* struct iw_point has a 32bit hole on 64bit arches. */
+ memset(&iwp, 0, sizeof(iwp));
+
iwp.pointer = compat_ptr(iwp_compat->pointer);
iwp.length = iwp_compat->length;
iwp.flags = iwp_compat->flags;
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 038/181] wifi: mac80211: restore non-chanctx injection behaviour
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 037/181] wifi: avoid kernel-infoleak from struct iw_point Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 039/181] libceph: prevent potential out-of-bounds reads in handle_auth_done() Greg Kroah-Hartman
` (156 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Oscar Alfonso Diaz
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit d594cc6f2c588810888df70c83a9654b6bc7942d upstream.
During the transition to use channel contexts throughout, the
ability to do injection while in monitor mode concurrent with
another interface was lost, since the (virtual) monitor won't
have a chanctx assigned in this scenario.
It's harder to fix drivers that actually transitioned to using
channel contexts themselves, such as mt76, but it's easy to do
those that are (still) just using the emulation. Do that.
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218763
Reported-and-tested-by: Oscar Alfonso Diaz <oscar.alfonso.diaz@gmail.com>
Fixes: 0a44dfc07074 ("wifi: mac80211: simplify non-chanctx drivers")
Link: https://patch.msgid.link/20251216105242.18366-2-johannes@sipsolutions.net
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/tx.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2395,6 +2395,8 @@ netdev_tx_t ieee80211_monitor_start_xmit
if (chanctx_conf)
chandef = &chanctx_conf->def;
+ else if (local->emulate_chanctx)
+ chandef = &local->hw.conf.chandef;
else
goto fail_rcu;
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 039/181] libceph: prevent potential out-of-bounds reads in handle_auth_done()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 038/181] wifi: mac80211: restore non-chanctx injection behaviour Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 040/181] libceph: replace overzealous BUG_ON in osdmap_apply_incremental() Greg Kroah-Hartman
` (155 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ziming zhang, Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: ziming zhang <ezrakiez@gmail.com>
commit 818156caffbf55cb4d368f9c3cac64e458fb49c9 upstream.
Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.
[ idryomov: changelog ]
Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang <ezrakiez@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2377,7 +2377,9 @@ static int process_auth_done(struct ceph
ceph_decode_64_safe(&p, end, global_id, bad);
ceph_decode_32_safe(&p, end, con->v2.con_mode, bad);
+
ceph_decode_32_safe(&p, end, payload_len, bad);
+ ceph_decode_need(&p, end, payload_len, bad);
dout("%s con %p global_id %llu con_mode %d payload_len %d\n",
__func__, con, global_id, con->v2.con_mode, payload_len);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 040/181] libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 039/181] libceph: prevent potential out-of-bounds reads in handle_auth_done() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 041/181] libceph: make free_choose_arg_map() resilient to partial allocation Greg Kroah-Hartman
` (154 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ziming zhang, Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream.
If the osdmap is (maliciously) corrupted such that the incremental
osdmap epoch is different from what is expected, there is no need to
BUG. Instead, just declare the incremental osdmap to be invalid.
Cc: stable@vger.kernel.org
Reported-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1979,11 +1979,13 @@ struct ceph_osdmap *osdmap_apply_increme
sizeof(u64) + sizeof(u32), e_inval);
ceph_decode_copy(p, &fsid, sizeof(fsid));
epoch = ceph_decode_32(p);
- BUG_ON(epoch != map->epoch+1);
ceph_decode_copy(p, &modified, sizeof(modified));
new_pool_max = ceph_decode_64(p);
new_flags = ceph_decode_32(p);
+ if (epoch != map->epoch + 1)
+ goto e_inval;
+
/* full map? */
ceph_decode_32_safe(p, end, len, e_inval);
if (len > 0) {
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 041/181] libceph: make free_choose_arg_map() resilient to partial allocation
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 040/181] libceph: replace overzealous BUG_ON in osdmap_apply_incremental() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 042/181] libceph: return the handler error from mon_handle_auth_done() Greg Kroah-Hartman
` (153 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tuo Li, Viacheslav Dubeyko,
Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tuo Li <islituo@gmail.com>
commit e3fe30e57649c551757a02e1cad073c47e1e075e upstream.
free_choose_arg_map() may dereference a NULL pointer if its caller fails
after a partial allocation.
For example, in decode_choose_args(), if allocation of arg_map->args
fails, execution jumps to the fail label and free_choose_arg_map() is
called. Since arg_map->size is updated to a non-zero value before memory
allocation, free_choose_arg_map() will iterate over arg_map->args and
dereference a NULL pointer.
To prevent this potential NULL pointer dereference and make
free_choose_arg_map() more resilient, add checks for pointers before
iterating.
Cc: stable@vger.kernel.org
Co-authored-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -241,22 +241,26 @@ static struct crush_choose_arg_map *allo
static void free_choose_arg_map(struct crush_choose_arg_map *arg_map)
{
- if (arg_map) {
- int i, j;
+ int i, j;
- WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
+ if (!arg_map)
+ return;
+ WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
+
+ if (arg_map->args) {
for (i = 0; i < arg_map->size; i++) {
struct crush_choose_arg *arg = &arg_map->args[i];
-
- for (j = 0; j < arg->weight_set_size; j++)
- kfree(arg->weight_set[j].weights);
- kfree(arg->weight_set);
+ if (arg->weight_set) {
+ for (j = 0; j < arg->weight_set_size; j++)
+ kfree(arg->weight_set[j].weights);
+ kfree(arg->weight_set);
+ }
kfree(arg->ids);
}
kfree(arg_map->args);
- kfree(arg_map);
}
+ kfree(arg_map);
}
DEFINE_RB_FUNCS(choose_arg_map, struct crush_choose_arg_map, choose_args_index,
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 042/181] libceph: return the handler error from mon_handle_auth_done()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 041/181] libceph: make free_choose_arg_map() resilient to partial allocation Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 043/181] libceph: reset sparse-read state in osd_fault() Greg Kroah-Hartman
` (152 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Viacheslav Dubeyko
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit e84b48d31b5008932c0a0902982809fbaa1d3b70 upstream.
Currently any error from ceph_auth_handle_reply_done() is propagated
via finish_auth() but isn't returned from mon_handle_auth_done(). This
results in higher layers learning that (despite the monitor considering
us to be successfully authenticated) something went wrong in the
authentication phase and reacting accordingly, but msgr2 still trying
to proceed with establishing the session in the background. In the
case of secure mode this can trigger a WARN in setup_crypto() and later
lead to a NULL pointer dereference inside of prepare_auth_signature().
Cc: stable@vger.kernel.org
Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/mon_client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -1417,7 +1417,7 @@ static int mon_handle_auth_done(struct c
if (!ret)
finish_hunting(monc);
mutex_unlock(&monc->mutex);
- return 0;
+ return ret;
}
static int mon_handle_auth_bad_method(struct ceph_connection *con,
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 043/181] libceph: reset sparse-read state in osd_fault()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 042/181] libceph: return the handler error from mon_handle_auth_done() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 044/181] libceph: make calc_target() set t->paused, not just clear it Greg Kroah-Hartman
` (151 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sam Edwards, Ilya Dryomov
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam Edwards <cfsworks@gmail.com>
commit 11194b416ef95012c2cfe5f546d71af07b639e93 upstream.
When a fault occurs, the connection is abandoned, reestablished, and any
pending operations are retried. The OSD client tracks the progress of a
sparse-read reply using a separate state machine, largely independent of
the messenger's state.
If a connection is lost mid-payload or the sparse-read state machine
returns an error, the sparse-read state is not reset. The OSD client
will then interpret the beginning of a new reply as the continuation of
the old one. If this makes the sparse-read machinery enter a failure
state, it may never recover, producing loops like:
libceph: [0] got 0 extents
libceph: data len 142248331 != extent len 0
libceph: osd0 (1)...:6801 socket error on read
libceph: data len 142248331 != extent len 0
libceph: osd0 (1)...:6801 socket error on read
Therefore, reset the sparse-read state in osd_fault(), ensuring retries
start from a clean state.
Cc: stable@vger.kernel.org
Fixes: f628d7999727 ("libceph: add sparse read support to OSD client")
Signed-off-by: Sam Edwards <CFSworks@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osd_client.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -4283,6 +4283,9 @@ static void osd_fault(struct ceph_connec
goto out_unlock;
}
+ osd->o_sparse_op_idx = -1;
+ ceph_init_sparse_read(&osd->o_sparse_read);
+
if (!reopen_osd(osd))
kick_osd_requests(osd);
maybe_request_map(osdc);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 044/181] libceph: make calc_target() set t->paused, not just clear it
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 043/181] libceph: reset sparse-read state in osd_fault() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 045/181] ublk: reorder tag_set initialization before queue allocation Greg Kroah-Hartman
` (150 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov,
Viacheslav Dubeyko
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 upstream.
Currently calc_target() clears t->paused if the request shouldn't be
paused anymore, but doesn't ever set t->paused even though it's able to
determine when the request should be paused. Setting t->paused is left
to __submit_request() which is fine for regular requests but doesn't
work for linger requests -- since __submit_request() doesn't operate
on linger requests, there is nowhere for lreq->t.paused to be set.
One consequence of this is that watches don't get reestablished on
paused -> unpaused transitions in cases where requests have been paused
long enough for the (paused) unwatch request to time out and for the
subsequent (re)watch request to enter the paused state. On top of the
watch not getting reestablished, rbd_reregister_watch() gets stuck with
rbd_dev->watch_mutex held:
rbd_register_watch
__rbd_register_watch
ceph_osdc_watch
linger_reg_commit_wait
It's waiting for lreq->reg_commit_wait to be completed, but for that to
happen the respective request needs to end up on need_resend_linger list
and be kicked when requests are unpaused. There is no chance for that
if the request in question is never marked paused in the first place.
The fact that rbd_dev->watch_mutex remains taken out forever then
prevents the image from getting unmapped -- "rbd unmap" would inevitably
hang in D state on an attempt to grab the mutex.
Cc: stable@vger.kernel.org
Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osd_client.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1588,6 +1588,7 @@ static enum calc_target_result calc_targ
struct ceph_pg_pool_info *pi;
struct ceph_pg pgid, last_pgid;
struct ceph_osds up, acting;
+ bool should_be_paused;
bool is_read = t->flags & CEPH_OSD_FLAG_READ;
bool is_write = t->flags & CEPH_OSD_FLAG_WRITE;
bool force_resend = false;
@@ -1656,10 +1657,16 @@ static enum calc_target_result calc_targ
&last_pgid))
force_resend = true;
- if (t->paused && !target_should_be_paused(osdc, t, pi)) {
- t->paused = false;
+ should_be_paused = target_should_be_paused(osdc, t, pi);
+ if (t->paused && !should_be_paused) {
unpaused = true;
}
+ if (t->paused != should_be_paused) {
+ dout("%s t %p paused %d -> %d\n", __func__, t, t->paused,
+ should_be_paused);
+ t->paused = should_be_paused;
+ }
+
legacy_change = ceph_pg_compare(&t->pgid, &pgid) ||
ceph_osds_changed(&t->acting, &acting,
t->used_replica || any_change);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 045/181] ublk: reorder tag_set initialization before queue allocation
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 044/181] libceph: make calc_target() set t->paused, not just clear it Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 046/181] ALSA: hda: intel-dsp-config: Prefer legacy driver as fallback Greg Kroah-Hartman
` (149 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Caleb Sander Mateos, Ming Lei,
Jens Axboe
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
commit 011af85ccd871526df36988c7ff20ca375fb804d upstream.
Move ublk_add_tag_set() before ublk_init_queues() in the device
initialization path. This allows us to use the blk-mq CPU-to-queue
mapping established by the tag_set to determine the appropriate
NUMA node for each queue allocation.
The error handling paths are also reordered accordingly.
Reviewed-by: Caleb Sander Mateos <csander@purestorage.com>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[ Upstream commit 529d4d632788 ("ublk: implement NUMA-aware memory allocation")
is ported to linux-6.18.y, but it depends on commit 011af85ccd87 ("ublk:
reorder tag_set initialization before queue allocation"). kernel panic is
reported on 6.18.y: https://github.com/ublk-org/ublksrv/issues/174 ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/ublk_drv.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -3280,17 +3280,17 @@ static int ublk_ctrl_add_dev(const struc
ub->dev_info.nr_hw_queues, nr_cpu_ids);
ublk_align_max_io_size(ub);
- ret = ublk_init_queues(ub);
+ ret = ublk_add_tag_set(ub);
if (ret)
goto out_free_dev_number;
- ret = ublk_add_tag_set(ub);
+ ret = ublk_init_queues(ub);
if (ret)
- goto out_deinit_queues;
+ goto out_free_tag_set;
ret = -EFAULT;
if (copy_to_user(argp, &ub->dev_info, sizeof(info)))
- goto out_free_tag_set;
+ goto out_deinit_queues;
/*
* Add the char dev so that ublksrv daemon can be setup.
@@ -3299,10 +3299,10 @@ static int ublk_ctrl_add_dev(const struc
ret = ublk_add_chdev(ub);
goto out_unlock;
-out_free_tag_set:
- blk_mq_free_tag_set(&ub->tag_set);
out_deinit_queues:
ublk_deinit_queues(ub);
+out_free_tag_set:
+ blk_mq_free_tag_set(&ub->tag_set);
out_free_dev_number:
ublk_free_dev_number(ub);
out_free_ub:
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 046/181] ALSA: hda: intel-dsp-config: Prefer legacy driver as fallback
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 045/181] ublk: reorder tag_set initialization before queue allocation Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 047/181] csky: fix csky_cmpxchg_fixup not working Greg Kroah-Hartman
` (148 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Askar Safin, Peter Ujfalusi,
Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 161a0c617ab172bbcda7ce61803addeb2124dbff upstream.
When config table entries don't match with the device to be probed,
currently we fall back to SND_INTEL_DSP_DRIVER_ANY, which means to
allow any drivers to bind with it.
This was set so with the assumption (or hope) that all controller
drivers should cover the devices generally, but in practice, this
caused a problem as reported recently. Namely, when a specific
kconfig for SOF isn't set for the modern Intel chips like Alderlake,
a wrong driver (AVS) got probed and failed. This is because we have
entries like:
#if IS_ENABLED(CONFIG_SND_SOC_SOF_ALDERLAKE)
/* Alder Lake / Raptor Lake */
{
.flags = FLAG_SOF | FLAG_SOF_ONLY_IF_DMIC_OR_SOUNDWIRE,
.device = PCI_DEVICE_ID_INTEL_HDA_ADL_S,
},
....
#endif
so this entry is effective only when CONFIG_SND_SOC_SOF_ALDERLAKE is
set. If not set, there is no matching entry, hence it returns
SND_INTEL_DSP_DRIVER_ANY as fallback. OTOH, if the kconfig is set, it
explicitly falls back to SND_INTEL_DSP_DRIVER_LEGACY when no DMIC or
SoundWire is found -- that was the working scenario. That being said,
the current setup may be broken for modern Intel chips that are
supposed to work with either SOF or legacy driver when the
corresponding kconfig were missing.
For addressing the problem above, this patch changes the fallback
driver to the legacy driver, i.e. return SND_INTEL_DSP_DRIVER_LEGACY
type as much as possible. When CONFIG_SND_HDA_INTEL is also disabled,
the fallback is set to SND_INTEL_DSP_DRIVER_ANY type, just to be sure.
Reported-by: Askar Safin <safinaskar@gmail.com>
Closes: https://lore.kernel.org/all/20251014034156.4480-1-safinaskar@gmail.com/
Tested-by: Askar Safin <safinaskar@gmail.com>
Reviewed-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20251210131553.184404-1-tiwai@suse.de
Cc: Askar Safin <safinaskar@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/core/intel-dsp-config.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/hda/core/intel-dsp-config.c
+++ b/sound/hda/core/intel-dsp-config.c
@@ -710,7 +710,8 @@ int snd_intel_dsp_driver_probe(struct pc
/* find the configuration for the specific device */
cfg = snd_intel_dsp_find_config(pci, config_table, ARRAY_SIZE(config_table));
if (!cfg)
- return SND_INTEL_DSP_DRIVER_ANY;
+ return IS_ENABLED(CONFIG_SND_HDA_INTEL) ?
+ SND_INTEL_DSP_DRIVER_LEGACY : SND_INTEL_DSP_DRIVER_ANY;
if (cfg->flags & FLAG_SOF) {
if (cfg->flags & FLAG_SOF_ONLY_IF_SOUNDWIRE &&
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 047/181] csky: fix csky_cmpxchg_fixup not working
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 046/181] ALSA: hda: intel-dsp-config: Prefer legacy driver as fallback Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 048/181] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels Greg Kroah-Hartman
` (147 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Li, Guo Ren, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Li <yang.li85200@gmail.com>
[ Upstream commit 809ef03d6d21d5fea016bbf6babeec462e37e68c ]
In the csky_cmpxchg_fixup function, it is incorrect to use the global
variable csky_cmpxchg_stw to determine the address where the exception
occurred.The global variable csky_cmpxchg_stw stores the opcode at the
time of the exception, while &csky_cmpxchg_stw shows the address where
the exception occurred.
Signed-off-by: Yang Li <yang.li85200@gmail.com>
Signed-off-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/csky/mm/fault.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/csky/mm/fault.c b/arch/csky/mm/fault.c
index a6ca7dff42153..7ff4011089850 100644
--- a/arch/csky/mm/fault.c
+++ b/arch/csky/mm/fault.c
@@ -45,8 +45,8 @@ static inline void csky_cmpxchg_fixup(struct pt_regs *regs)
if (trap_no(regs) != VEC_TLBMODIFIED)
return;
- if (instruction_pointer(regs) == csky_cmpxchg_stw)
- instruction_pointer_set(regs, csky_cmpxchg_ldw);
+ if (instruction_pointer(regs) == (unsigned long)&csky_cmpxchg_stw)
+ instruction_pointer_set(regs, (unsigned long)&csky_cmpxchg_ldw);
return;
}
#endif
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 048/181] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 047/181] csky: fix csky_cmpxchg_fixup not working Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 049/181] alpha: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
` (146 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Arnd Bergmann,
Sebastian Andrzej Siewior, Russell King (Oracle), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit fedadc4137234c3d00c4785eeed3e747fe9036ae ]
gup_pgd_range() is invoked with disabled interrupts and invokes
__kmap_local_page_prot() via pte_offset_map(), gup_p4d_range().
With HIGHPTE enabled, __kmap_local_page_prot() invokes kmap_high_get()
which uses a spinlock_t via lock_kmap_any(). This leads to an
sleeping-while-atomic error on PREEMPT_RT because spinlock_t becomes a
sleeping lock and must not be acquired in atomic context.
The loop in map_new_virtual() uses wait_queue_head_t for wake up which
also is using a spinlock_t.
Since HIGHPTE is rarely needed at all, turn it off for PREEMPT_RT
to allow the use of get_user_pages_fast().
[arnd: rework patch to turn off HIGHPTE instead of HAVE_PAST_GUP]
Co-developed-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 4fb985b76e97f..70cd3b5b5a059 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1215,7 +1215,7 @@ config HIGHMEM
config HIGHPTE
bool "Allocate 2nd-level pagetables from highmem" if EXPERT
- depends on HIGHMEM
+ depends on HIGHMEM && !PREEMPT_RT
default y
help
The VM uses one page of physical memory for each page table.
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 049/181] alpha: dont reference obsolete termio struct for TC* constants
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 048/181] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 050/181] dm-verity: disable recursive forward error correction Greg Kroah-Hartman
` (145 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sam James, Magnus Lindholm,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam James <sam@gentoo.org>
[ Upstream commit 9aeed9041929812a10a6d693af050846942a1d16 ]
Similar in nature to ab107276607af90b13a5994997e19b7b9731e251. glibc-2.42
drops the legacy termio struct, but the ioctls.h header still defines some
TC* constants in terms of termio (via sizeof). Hardcode the values instead.
This fixes building Python for example, which falls over like:
./Modules/termios.c:1119:16: error: invalid application of 'sizeof' to incomplete type 'struct termio'
Link: https://bugs.gentoo.org/961769
Link: https://bugs.gentoo.org/962600
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Magnus Lindholm <linmag7@gmail.com>
Link: https://lore.kernel.org/r/6ebd3451908785cad53b50ca6bc46cfe9d6bc03c.1764922497.git.sam@gentoo.org
Signed-off-by: Magnus Lindholm <linmag7@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/alpha/include/uapi/asm/ioctls.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/alpha/include/uapi/asm/ioctls.h b/arch/alpha/include/uapi/asm/ioctls.h
index 971311605288f..a09d04b49cc65 100644
--- a/arch/alpha/include/uapi/asm/ioctls.h
+++ b/arch/alpha/include/uapi/asm/ioctls.h
@@ -23,10 +23,10 @@
#define TCSETSW _IOW('t', 21, struct termios)
#define TCSETSF _IOW('t', 22, struct termios)
-#define TCGETA _IOR('t', 23, struct termio)
-#define TCSETA _IOW('t', 24, struct termio)
-#define TCSETAW _IOW('t', 25, struct termio)
-#define TCSETAF _IOW('t', 28, struct termio)
+#define TCGETA 0x40127417
+#define TCSETA 0x80127418
+#define TCSETAW 0x80127419
+#define TCSETAF 0x8012741c
#define TCSBRK _IO('t', 29)
#define TCXONC _IO('t', 30)
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 050/181] dm-verity: disable recursive forward error correction
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 049/181] alpha: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 051/181] dm-snapshot: fix scheduling while atomic on real-time kernels Greg Kroah-Hartman
` (144 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Guangwu Zhang,
Sami Tolvanen, Eric Biggers, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
[ Upstream commit d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 ]
There are two problems with the recursive correction:
1. It may cause denial-of-service. In fec_read_bufs, there is a loop that
has 253 iterations. For each iteration, we may call verity_hash_for_block
recursively. There is a limit of 4 nested recursions - that means that
there may be at most 253^4 (4 billion) iterations. Red Hat QE team
actually created an image that pushes dm-verity to this limit - and this
image just makes the udev-worker process get stuck in the 'D' state.
2. It doesn't work. In fec_read_bufs we store data into the variable
"fio->bufs", but fio bufs is shared between recursive invocations, if
"verity_hash_for_block" invoked correction recursively, it would
overwrite partially filled fio->bufs.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Guangwu Zhang <guazhang@redhat.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-verity-fec.c | 4 +---
drivers/md/dm-verity-fec.h | 3 ---
drivers/md/dm-verity-target.c | 2 +-
3 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/md/dm-verity-fec.c b/drivers/md/dm-verity-fec.c
index 72047b47a7a0a..e41bde1d3b15b 100644
--- a/drivers/md/dm-verity-fec.c
+++ b/drivers/md/dm-verity-fec.c
@@ -413,10 +413,8 @@ int verity_fec_decode(struct dm_verity *v, struct dm_verity_io *io,
if (!verity_fec_is_enabled(v))
return -EOPNOTSUPP;
- if (fio->level >= DM_VERITY_FEC_MAX_RECURSION) {
- DMWARN_LIMIT("%s: FEC: recursion too deep", v->data_dev->name);
+ if (fio->level)
return -EIO;
- }
fio->level++;
diff --git a/drivers/md/dm-verity-fec.h b/drivers/md/dm-verity-fec.h
index 09123a6129538..ec37e607cb3f0 100644
--- a/drivers/md/dm-verity-fec.h
+++ b/drivers/md/dm-verity-fec.h
@@ -23,9 +23,6 @@
#define DM_VERITY_FEC_BUF_MAX \
(1 << (PAGE_SHIFT - DM_VERITY_FEC_BUF_RS_BITS))
-/* maximum recursion level for verity_fec_decode */
-#define DM_VERITY_FEC_MAX_RECURSION 4
-
#define DM_VERITY_OPT_FEC_DEV "use_fec_from_device"
#define DM_VERITY_OPT_FEC_BLOCKS "fec_blocks"
#define DM_VERITY_OPT_FEC_START "fec_start"
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 66a00a8ccb398..c8695c079cfe0 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -1690,7 +1690,7 @@ static struct target_type verity_target = {
.name = "verity",
/* Note: the LSMs depend on the singleton and immutable features */
.features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE,
- .version = {1, 12, 0},
+ .version = {1, 13, 0},
.module = THIS_MODULE,
.ctr = verity_ctr,
.dtr = verity_dtr,
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 051/181] dm-snapshot: fix scheduling while atomic on real-time kernels
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 050/181] dm-verity: disable recursive forward error correction Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 052/181] NFSv4: ensure the open stateid seqid doesnt go backwards Greg Kroah-Hartman
` (143 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Jiping Ma,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
[ Upstream commit 8581b19eb2c5ccf06c195d3b5468c3c9d17a5020 ]
There is reported 'scheduling while atomic' bug when using dm-snapshot on
real-time kernels. The reason for the bug is that the hlist_bl code does
preempt_disable() when taking the lock and the kernel attempts to take
other spinlocks while holding the hlist_bl lock.
Fix this by converting a hlist_bl spinlock into a regular spinlock.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reported-by: Jiping Ma <jiping.ma2@windriver.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-exception-store.h | 2 +-
drivers/md/dm-snap.c | 73 +++++++++++++++------------------
2 files changed, 35 insertions(+), 40 deletions(-)
diff --git a/drivers/md/dm-exception-store.h b/drivers/md/dm-exception-store.h
index b679766375381..061b4d3108132 100644
--- a/drivers/md/dm-exception-store.h
+++ b/drivers/md/dm-exception-store.h
@@ -29,7 +29,7 @@ typedef sector_t chunk_t;
* chunk within the device.
*/
struct dm_exception {
- struct hlist_bl_node hash_list;
+ struct hlist_node hash_list;
chunk_t old_chunk;
chunk_t new_chunk;
diff --git a/drivers/md/dm-snap.c b/drivers/md/dm-snap.c
index f40c18da40000..dbd148967de42 100644
--- a/drivers/md/dm-snap.c
+++ b/drivers/md/dm-snap.c
@@ -40,10 +40,15 @@ static const char dm_snapshot_merge_target_name[] = "snapshot-merge";
#define DM_TRACKED_CHUNK_HASH(x) ((unsigned long)(x) & \
(DM_TRACKED_CHUNK_HASH_SIZE - 1))
+struct dm_hlist_head {
+ struct hlist_head head;
+ spinlock_t lock;
+};
+
struct dm_exception_table {
uint32_t hash_mask;
unsigned int hash_shift;
- struct hlist_bl_head *table;
+ struct dm_hlist_head *table;
};
struct dm_snapshot {
@@ -628,8 +633,8 @@ static uint32_t exception_hash(struct dm_exception_table *et, chunk_t chunk);
/* Lock to protect access to the completed and pending exception hash tables. */
struct dm_exception_table_lock {
- struct hlist_bl_head *complete_slot;
- struct hlist_bl_head *pending_slot;
+ spinlock_t *complete_slot;
+ spinlock_t *pending_slot;
};
static void dm_exception_table_lock_init(struct dm_snapshot *s, chunk_t chunk,
@@ -638,20 +643,20 @@ static void dm_exception_table_lock_init(struct dm_snapshot *s, chunk_t chunk,
struct dm_exception_table *complete = &s->complete;
struct dm_exception_table *pending = &s->pending;
- lock->complete_slot = &complete->table[exception_hash(complete, chunk)];
- lock->pending_slot = &pending->table[exception_hash(pending, chunk)];
+ lock->complete_slot = &complete->table[exception_hash(complete, chunk)].lock;
+ lock->pending_slot = &pending->table[exception_hash(pending, chunk)].lock;
}
static void dm_exception_table_lock(struct dm_exception_table_lock *lock)
{
- hlist_bl_lock(lock->complete_slot);
- hlist_bl_lock(lock->pending_slot);
+ spin_lock_nested(lock->complete_slot, 1);
+ spin_lock_nested(lock->pending_slot, 2);
}
static void dm_exception_table_unlock(struct dm_exception_table_lock *lock)
{
- hlist_bl_unlock(lock->pending_slot);
- hlist_bl_unlock(lock->complete_slot);
+ spin_unlock(lock->pending_slot);
+ spin_unlock(lock->complete_slot);
}
static int dm_exception_table_init(struct dm_exception_table *et,
@@ -661,13 +666,15 @@ static int dm_exception_table_init(struct dm_exception_table *et,
et->hash_shift = hash_shift;
et->hash_mask = size - 1;
- et->table = kvmalloc_array(size, sizeof(struct hlist_bl_head),
+ et->table = kvmalloc_array(size, sizeof(struct dm_hlist_head),
GFP_KERNEL);
if (!et->table)
return -ENOMEM;
- for (i = 0; i < size; i++)
- INIT_HLIST_BL_HEAD(et->table + i);
+ for (i = 0; i < size; i++) {
+ INIT_HLIST_HEAD(&et->table[i].head);
+ spin_lock_init(&et->table[i].lock);
+ }
return 0;
}
@@ -675,16 +682,17 @@ static int dm_exception_table_init(struct dm_exception_table *et,
static void dm_exception_table_exit(struct dm_exception_table *et,
struct kmem_cache *mem)
{
- struct hlist_bl_head *slot;
+ struct dm_hlist_head *slot;
struct dm_exception *ex;
- struct hlist_bl_node *pos, *n;
+ struct hlist_node *pos;
int i, size;
size = et->hash_mask + 1;
for (i = 0; i < size; i++) {
slot = et->table + i;
- hlist_bl_for_each_entry_safe(ex, pos, n, slot, hash_list) {
+ hlist_for_each_entry_safe(ex, pos, &slot->head, hash_list) {
+ hlist_del(&ex->hash_list);
kmem_cache_free(mem, ex);
cond_resched();
}
@@ -700,7 +708,7 @@ static uint32_t exception_hash(struct dm_exception_table *et, chunk_t chunk)
static void dm_remove_exception(struct dm_exception *e)
{
- hlist_bl_del(&e->hash_list);
+ hlist_del(&e->hash_list);
}
/*
@@ -710,12 +718,11 @@ static void dm_remove_exception(struct dm_exception *e)
static struct dm_exception *dm_lookup_exception(struct dm_exception_table *et,
chunk_t chunk)
{
- struct hlist_bl_head *slot;
- struct hlist_bl_node *pos;
+ struct hlist_head *slot;
struct dm_exception *e;
- slot = &et->table[exception_hash(et, chunk)];
- hlist_bl_for_each_entry(e, pos, slot, hash_list)
+ slot = &et->table[exception_hash(et, chunk)].head;
+ hlist_for_each_entry(e, slot, hash_list)
if (chunk >= e->old_chunk &&
chunk <= e->old_chunk + dm_consecutive_chunk_count(e))
return e;
@@ -762,18 +769,17 @@ static void free_pending_exception(struct dm_snap_pending_exception *pe)
static void dm_insert_exception(struct dm_exception_table *eh,
struct dm_exception *new_e)
{
- struct hlist_bl_head *l;
- struct hlist_bl_node *pos;
+ struct hlist_head *l;
struct dm_exception *e = NULL;
- l = &eh->table[exception_hash(eh, new_e->old_chunk)];
+ l = &eh->table[exception_hash(eh, new_e->old_chunk)].head;
/* Add immediately if this table doesn't support consecutive chunks */
if (!eh->hash_shift)
goto out;
/* List is ordered by old_chunk */
- hlist_bl_for_each_entry(e, pos, l, hash_list) {
+ hlist_for_each_entry(e, l, hash_list) {
/* Insert after an existing chunk? */
if (new_e->old_chunk == (e->old_chunk +
dm_consecutive_chunk_count(e) + 1) &&
@@ -804,13 +810,13 @@ static void dm_insert_exception(struct dm_exception_table *eh,
* Either the table doesn't support consecutive chunks or slot
* l is empty.
*/
- hlist_bl_add_head(&new_e->hash_list, l);
+ hlist_add_head(&new_e->hash_list, l);
} else if (new_e->old_chunk < e->old_chunk) {
/* Add before an existing exception */
- hlist_bl_add_before(&new_e->hash_list, &e->hash_list);
+ hlist_add_before(&new_e->hash_list, &e->hash_list);
} else {
/* Add to l's tail: e is the last exception in this slot */
- hlist_bl_add_behind(&new_e->hash_list, &e->hash_list);
+ hlist_add_behind(&new_e->hash_list, &e->hash_list);
}
}
@@ -820,7 +826,6 @@ static void dm_insert_exception(struct dm_exception_table *eh,
*/
static int dm_add_exception(void *context, chunk_t old, chunk_t new)
{
- struct dm_exception_table_lock lock;
struct dm_snapshot *s = context;
struct dm_exception *e;
@@ -833,17 +838,7 @@ static int dm_add_exception(void *context, chunk_t old, chunk_t new)
/* Consecutive_count is implicitly initialised to zero */
e->new_chunk = new;
- /*
- * Although there is no need to lock access to the exception tables
- * here, if we don't then hlist_bl_add_head(), called by
- * dm_insert_exception(), will complain about accessing the
- * corresponding list without locking it first.
- */
- dm_exception_table_lock_init(s, old, &lock);
-
- dm_exception_table_lock(&lock);
dm_insert_exception(&s->complete, e);
- dm_exception_table_unlock(&lock);
return 0;
}
@@ -873,7 +868,7 @@ static int calc_max_buckets(void)
/* use a fixed size of 2MB */
unsigned long mem = 2 * 1024 * 1024;
- mem /= sizeof(struct hlist_bl_head);
+ mem /= sizeof(struct dm_hlist_head);
return mem;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 052/181] NFSv4: ensure the open stateid seqid doesnt go backwards
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 051/181] dm-snapshot: fix scheduling while atomic on real-time kernels Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 053/181] ASoC: rockchip: Fix Wvoid-pointer-to-enum-cast warning (again) Greg Kroah-Hartman
` (142 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Mayhew, Benjamin Coddington,
Trond Myklebust, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
[ Upstream commit 2e47c3cc64b44b0b06cd68c2801db92ff143f2b2 ]
We have observed an NFSv4 client receiving a LOCK reply with a status of
NFS4ERR_OLD_STATEID and subsequently retrying the LOCK request with an
earlier seqid value in the stateid. As this was for a new lockowner,
that would imply that nfs_set_open_stateid_locked() had updated the open
stateid seqid with an earlier value.
Looking at nfs_set_open_stateid_locked(), if the incoming seqid is out
of sequence, the task will sleep on the state->waitq for up to 5
seconds. If the task waits for the full 5 seconds, then after finishing
the wait it'll update the open stateid seqid with whatever value the
incoming seqid has. If there are multiple waiters in this scenario,
then the last one to perform said update may not be the one with the
highest seqid.
Add a check to ensure that the seqid can only be incremented, and add a
tracepoint to indicate when old seqids are skipped.
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Benjamin Coddington <bcodding@hammerspace.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4proc.c | 13 +++++++++++--
fs/nfs/nfs4trace.h | 1 +
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 6f4e14fb7b9b8..3b436ba2ed3bf 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -1780,8 +1780,17 @@ static void nfs_set_open_stateid_locked(struct nfs4_state *state,
if (nfs_stateid_is_sequential(state, stateid))
break;
- if (status)
- break;
+ if (status) {
+ if (nfs4_stateid_match_other(stateid, &state->open_stateid) &&
+ !nfs4_stateid_is_newer(stateid, &state->open_stateid)) {
+ trace_nfs4_open_stateid_update_skip(state->inode,
+ stateid, status);
+ return;
+ } else {
+ break;
+ }
+ }
+
/* Rely on seqids for serialisation with NFSv4.0 */
if (!nfs4_has_session(NFS_SERVER(state->inode)->nfs_client))
break;
diff --git a/fs/nfs/nfs4trace.h b/fs/nfs/nfs4trace.h
index 9776d220cec33..6285128e631a5 100644
--- a/fs/nfs/nfs4trace.h
+++ b/fs/nfs/nfs4trace.h
@@ -1353,6 +1353,7 @@ DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_setattr);
DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_delegreturn);
DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_open_stateid_update);
DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_open_stateid_update_wait);
+DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_open_stateid_update_skip);
DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_close_stateid_update_wait);
DECLARE_EVENT_CLASS(nfs4_getattr_event,
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 053/181] ASoC: rockchip: Fix Wvoid-pointer-to-enum-cast warning (again)
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 052/181] NFSv4: ensure the open stateid seqid doesnt go backwards Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 054/181] NFS: Fix up the automount fs_context to use the correct cred Greg Kroah-Hartman
` (141 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
[ Upstream commit 57d508b5f718730f74b11e0dc9609ac7976802d1 ]
'version' is an enum, thus cast of pointer on 64-bit compile test with
clang W=1 causes:
rockchip_pdm.c:583:17: error: cast to smaller integer type 'enum rk_pdm_version' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
This was already fixed in commit 49a4a8d12612 ("ASoC: rockchip: Fix
Wvoid-pointer-to-enum-cast warning") but then got bad in
commit 9958d85968ed ("ASoC: Use device_get_match_data()").
Discussion on LKML also pointed out that 'uintptr_t' is not the correct
type and either 'kernel_ulong_t' or 'unsigned long' should be used,
with several arguments towards the latter [1].
Link: https://lore.kernel.org/r/CAMuHMdX7t=mabqFE5O-Cii3REMuyaePHmqX+j_mqyrn6XXzsoA@mail.gmail.com/ [1]
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20251203141644.106459-2-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/rockchip/rockchip_pdm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/rockchip/rockchip_pdm.c b/sound/soc/rockchip/rockchip_pdm.c
index c1ee470ec6079..c69cdd6f24994 100644
--- a/sound/soc/rockchip/rockchip_pdm.c
+++ b/sound/soc/rockchip/rockchip_pdm.c
@@ -580,7 +580,7 @@ static int rockchip_pdm_probe(struct platform_device *pdev)
if (!pdm)
return -ENOMEM;
- pdm->version = (enum rk_pdm_version)device_get_match_data(&pdev->dev);
+ pdm->version = (unsigned long)device_get_match_data(&pdev->dev);
if (pdm->version == RK_PDM_RK3308) {
pdm->reset = devm_reset_control_get(&pdev->dev, "pdm-m");
if (IS_ERR(pdm->reset))
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 054/181] NFS: Fix up the automount fs_context to use the correct cred
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 053/181] ASoC: rockchip: Fix Wvoid-pointer-to-enum-cast warning (again) Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 055/181] ALSA: hda/realtek: Add support for ASUS UM3406GA Greg Kroah-Hartman
` (140 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit a2a8fc27dd668e7562b5326b5ed2f1604cb1e2e9 ]
When automounting, the fs_context should be fixed up to use the cred
from the parent filesystem, since the operation is just extending the
namespace. Authorisation to enter that namespace will already have been
provided by the preceding lookup.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/namespace.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index 9e4d94f41fc67..af9be0c5f5163 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -170,6 +170,11 @@ struct vfsmount *nfs_d_automount(struct path *path)
if (!ctx->clone_data.fattr)
goto out_fc;
+ if (fc->cred != server->cred) {
+ put_cred(fc->cred);
+ fc->cred = get_cred(server->cred);
+ }
+
if (fc->net_ns != client->cl_net) {
put_net(fc->net_ns);
fc->net_ns = get_net(client->cl_net);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 055/181] ALSA: hda/realtek: Add support for ASUS UM3406GA
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 054/181] NFS: Fix up the automount fs_context to use the correct cred Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 056/181] drm/amd/display: shrink struct members Greg Kroah-Hartman
` (139 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Binding, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Binding <sbinding@opensource.cirrus.com>
[ Upstream commit 826c0b1ed09e5335abcae07292440ce72346e578 ]
Laptops use 2 CS35L41 Amps with HDA, using External boost, with I2C
Signed-off-by: Stefan Binding <sbinding@opensource.cirrus.com>
Link: https://patch.msgid.link/20251205150614.49590-3-sbinding@opensource.cirrus.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
index b3582e390dfa3..eea8399e32588 100644
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -6761,6 +6761,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
SND_PCI_QUIRK(0x1043, 0x1533, "ASUS GV302XA/XJ/XQ/XU/XV/XI", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301VV/VQ/VU/VJ/VA/VC/VE/VVC/VQC/VUC/VJC/VEC/VCC", ALC285_FIXUP_ASUS_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1043, 0x1584, "ASUS UM3406GA ", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x1043, 0x1652, "ASUS ROG Zephyrus Do 15 SE", ALC289_FIXUP_ASUS_ZEPHYRUS_DUAL_SPK),
SND_PCI_QUIRK(0x1043, 0x1662, "ASUS GV301QH", ALC294_FIXUP_ASUS_DUAL_SPK),
SND_PCI_QUIRK(0x1043, 0x1663, "ASUS GU603ZI/ZJ/ZQ/ZU/ZV", ALC285_FIXUP_ASUS_HEADSET_MIC),
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 056/181] drm/amd/display: shrink struct members
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 055/181] ALSA: hda/realtek: Add support for ASUS UM3406GA Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 057/181] smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value Greg Kroah-Hartman
` (138 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rosen Penev, Alex Hung, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rosen Penev <rosenp@gmail.com>
[ Upstream commit 7329417fc9ac128729c3a092b006c8f1fd0d04a6 ]
On a 32-bit ARM system, the audio_decoder struct ends up being too large
for dp_retrain_link_dp_test.
link_dp_cts.c:157:1: error: the frame size of 1328 bytes is larger than
1280 bytes [-Werror=frame-larger-than=]
This is mitigated by shrinking the members of the struct and avoids
having to deal with dynamic allocation.
feed_back_divider is assigned but otherwise unused. Remove both.
pixel_repetition looks like it should be a bool since it's only ever
assigned to 1. But there are checks for 2 and 4. Reduce to uint8_t.
Remove ss_percentage_divider. Unused.
Shrink refresh_rate as it gets assigned to at most a 3 digit integer
value.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3849efdc7888d537f09c3dcfaea4b3cd377a102e)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 3 ---
drivers/gpu/drm/amd/display/include/audio_types.h | 12 +++++-------
2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c
index ebc220b29d142..b94fec8347400 100644
--- a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c
@@ -1458,9 +1458,6 @@ void build_audio_output(
state->clk_mgr);
}
- audio_output->pll_info.feed_back_divider =
- pipe_ctx->pll_settings.feedback_divider;
-
audio_output->pll_info.dto_source =
translate_to_dto_source(
pipe_ctx->stream_res.tg->inst + 1);
diff --git a/drivers/gpu/drm/amd/display/include/audio_types.h b/drivers/gpu/drm/amd/display/include/audio_types.h
index e4a26143f14c9..6699ad4fa825e 100644
--- a/drivers/gpu/drm/amd/display/include/audio_types.h
+++ b/drivers/gpu/drm/amd/display/include/audio_types.h
@@ -47,15 +47,15 @@ struct audio_crtc_info {
uint32_t h_total;
uint32_t h_active;
uint32_t v_active;
- uint32_t pixel_repetition;
uint32_t requested_pixel_clock_100Hz; /* in 100Hz */
uint32_t calculated_pixel_clock_100Hz; /* in 100Hz */
- uint32_t refresh_rate;
+ uint32_t dsc_bits_per_pixel;
+ uint32_t dsc_num_slices;
enum dc_color_depth color_depth;
enum dc_pixel_encoding pixel_encoding;
+ uint16_t refresh_rate;
+ uint8_t pixel_repetition;
bool interlaced;
- uint32_t dsc_bits_per_pixel;
- uint32_t dsc_num_slices;
};
struct azalia_clock_info {
uint32_t pixel_clock_in_10khz;
@@ -78,11 +78,9 @@ enum audio_dto_source {
struct audio_pll_info {
uint32_t audio_dto_source_clock_in_khz;
- uint32_t feed_back_divider;
+ uint32_t ss_percentage;
enum audio_dto_source dto_source;
bool ss_enabled;
- uint32_t ss_percentage;
- uint32_t ss_percentage_divider;
};
struct audio_channel_associate_info {
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 057/181] smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 056/181] drm/amd/display: shrink struct members Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 058/181] smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value Greg Kroah-Hartman
` (137 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong,
Paulo Alcantara (Red Hat), Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
[ Upstream commit 9f99caa8950a76f560a90074e3a4b93cfa8b3d84 ]
This was reported by the KUnit tests in the later patches.
See MS-ERREF 2.3.1 STATUS_UNABLE_TO_FREE_VM. Keep it consistent with the
value in the documentation.
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/nterr.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/smb/client/nterr.h b/fs/smb/client/nterr.h
index 180602c22355e..e3a607b45e719 100644
--- a/fs/smb/client/nterr.h
+++ b/fs/smb/client/nterr.h
@@ -70,7 +70,7 @@ extern const struct nt_err_code_struct nt_errs[];
#define NT_STATUS_NO_MEMORY 0xC0000000 | 0x0017
#define NT_STATUS_CONFLICTING_ADDRESSES 0xC0000000 | 0x0018
#define NT_STATUS_NOT_MAPPED_VIEW 0xC0000000 | 0x0019
-#define NT_STATUS_UNABLE_TO_FREE_VM 0x80000000 | 0x001a
+#define NT_STATUS_UNABLE_TO_FREE_VM 0xC0000000 | 0x001a
#define NT_STATUS_UNABLE_TO_DELETE_SECTION 0xC0000000 | 0x001b
#define NT_STATUS_INVALID_SYSTEM_SERVICE 0xC0000000 | 0x001c
#define NT_STATUS_ILLEGAL_INSTRUCTION 0xC0000000 | 0x001d
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 058/181] smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 057/181] smb/client: fix NT_STATUS_UNABLE_TO_FREE_VM value Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 059/181] smb/client: fix NT_STATUS_NO_DATA_DETECTED value Greg Kroah-Hartman
` (136 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong,
Paulo Alcantara (Red Hat), Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
[ Upstream commit b2b50fca34da5ec231008edba798ddf92986bd7f ]
This was reported by the KUnit tests in the later patches.
See MS-ERREF 2.3.1 STATUS_DEVICE_DOOR_OPEN. Keep it consistent with the
value in the documentation.
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/nterr.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/smb/client/nterr.h b/fs/smb/client/nterr.h
index e3a607b45e719..b3516c71cff77 100644
--- a/fs/smb/client/nterr.h
+++ b/fs/smb/client/nterr.h
@@ -44,7 +44,7 @@ extern const struct nt_err_code_struct nt_errs[];
#define NT_STATUS_NO_DATA_DETECTED 0x8000001c
#define NT_STATUS_STOPPED_ON_SYMLINK 0x8000002d
#define NT_STATUS_DEVICE_REQUIRES_CLEANING 0x80000288
-#define NT_STATUS_DEVICE_DOOR_OPEN 0x80000288
+#define NT_STATUS_DEVICE_DOOR_OPEN 0x80000289
#define NT_STATUS_UNSUCCESSFUL 0xC0000000 | 0x0001
#define NT_STATUS_NOT_IMPLEMENTED 0xC0000000 | 0x0002
#define NT_STATUS_INVALID_INFO_CLASS 0xC0000000 | 0x0003
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 059/181] smb/client: fix NT_STATUS_NO_DATA_DETECTED value
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 058/181] smb/client: fix NT_STATUS_DEVICE_DOOR_OPEN value Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 060/181] scsi: mpi3mr: Prevent duplicate SAS/SATA device entries in channel 1 Greg Kroah-Hartman
` (135 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong,
Paulo Alcantara (Red Hat), Steve French, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: ChenXiaoSong <chenxiaosong@kylinos.cn>
[ Upstream commit a1237c203f1757480dc2f3b930608ee00072d3cc ]
This was reported by the KUnit tests in the later patches.
See MS-ERREF 2.3.1 STATUS_NO_DATA_DETECTED. Keep it consistent with the
value in the documentation.
Signed-off-by: ChenXiaoSong <chenxiaosong@kylinos.cn>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/nterr.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/smb/client/nterr.h b/fs/smb/client/nterr.h
index b3516c71cff77..09263c91d07a4 100644
--- a/fs/smb/client/nterr.h
+++ b/fs/smb/client/nterr.h
@@ -41,7 +41,7 @@ extern const struct nt_err_code_struct nt_errs[];
#define NT_STATUS_MEDIA_CHANGED 0x8000001c
#define NT_STATUS_END_OF_MEDIA 0x8000001e
#define NT_STATUS_MEDIA_CHECK 0x80000020
-#define NT_STATUS_NO_DATA_DETECTED 0x8000001c
+#define NT_STATUS_NO_DATA_DETECTED 0x80000022
#define NT_STATUS_STOPPED_ON_SYMLINK 0x8000002d
#define NT_STATUS_DEVICE_REQUIRES_CLEANING 0x80000288
#define NT_STATUS_DEVICE_DOOR_OPEN 0x80000289
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 060/181] scsi: mpi3mr: Prevent duplicate SAS/SATA device entries in channel 1
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 059/181] smb/client: fix NT_STATUS_NO_DATA_DETECTED value Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 061/181] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset Greg Kroah-Hartman
` (134 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suganath Prabu S, Ranjan Kumar,
Martin K. Petersen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
[ Upstream commit 4588e65cfd66fc8bbd9969ea730db39b60a36a30 ]
Avoid scanning SAS/SATA devices in channel 1 when SAS transport is
enabled, as the SAS/SATA devices are exposed through channel 0.
Signed-off-by: Suganath Prabu S <suganath-prabu.subramani@broadcom.com>
Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
Link: https://lore.kernel.org/stable/20251120071955.463475-1-suganath-prabu.subramani%40broadcom.com
Link: https://patch.msgid.link/20251120071955.463475-1-suganath-prabu.subramani@broadcom.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpi3mr/mpi3mr.h | 4 ++--
drivers/scsi/mpi3mr/mpi3mr_os.c | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/mpi3mr/mpi3mr.h b/drivers/scsi/mpi3mr/mpi3mr.h
index 6742684e2990a..31d68c151b207 100644
--- a/drivers/scsi/mpi3mr/mpi3mr.h
+++ b/drivers/scsi/mpi3mr/mpi3mr.h
@@ -56,8 +56,8 @@ extern struct list_head mrioc_list;
extern int prot_mask;
extern atomic64_t event_counter;
-#define MPI3MR_DRIVER_VERSION "8.15.0.5.50"
-#define MPI3MR_DRIVER_RELDATE "12-August-2025"
+#define MPI3MR_DRIVER_VERSION "8.15.0.5.51"
+#define MPI3MR_DRIVER_RELDATE "18-November-2025"
#define MPI3MR_DRIVER_NAME "mpi3mr"
#define MPI3MR_DRIVER_LICENSE "GPL"
diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c
index b88633e1efe27..d4ca878d08869 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
@@ -1184,6 +1184,8 @@ static void mpi3mr_update_tgtdev(struct mpi3mr_ioc *mrioc,
if (is_added == true)
tgtdev->io_throttle_enabled =
(flags & MPI3_DEVICE0_FLAGS_IO_THROTTLING_REQUIRED) ? 1 : 0;
+ if (!mrioc->sas_transport_enabled)
+ tgtdev->non_stl = 1;
switch (flags & MPI3_DEVICE0_FLAGS_MAX_WRITE_SAME_MASK) {
case MPI3_DEVICE0_FLAGS_MAX_WRITE_SAME_256_LB:
@@ -4844,7 +4846,7 @@ static int mpi3mr_target_alloc(struct scsi_target *starget)
spin_lock_irqsave(&mrioc->tgtdev_lock, flags);
if (starget->channel == mrioc->scsi_device_channel) {
tgt_dev = __mpi3mr_get_tgtdev_by_perst_id(mrioc, starget->id);
- if (tgt_dev && !tgt_dev->is_hidden) {
+ if (tgt_dev && !tgt_dev->is_hidden && tgt_dev->non_stl) {
scsi_tgt_priv_data->starget = starget;
scsi_tgt_priv_data->dev_handle = tgt_dev->dev_handle;
scsi_tgt_priv_data->perst_id = tgt_dev->perst_id;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 061/181] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 060/181] scsi: mpi3mr: Prevent duplicate SAS/SATA device entries in channel 1 Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 062/181] scsi: ufs: core: Fix EH failure after W-LUN resume error Greg Kroah-Hartman
` (133 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyle Mahlkuch, Wen Xiong,
Martin K. Petersen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wen Xiong <wenxiong@linux.ibm.com>
[ Upstream commit 6ac3484fb13b2fc7f31cfc7f56093e7d0ce646a5 ]
A dynamic remove/add storage adapter test hits EEH on PowerPC:
EEH: [c00000000004f75c] __eeh_send_failure_event+0x7c/0x160
EEH: [c000000000048444] eeh_dev_check_failure.part.0+0x254/0x650
EEH: [c008000001650678] eeh_readl+0x60/0x90 [ipr]
EEH: [c00800000166746c] ipr_cancel_op+0x2b8/0x524 [ipr]
EEH: [c008000001656524] ipr_eh_abort+0x6c/0x130 [ipr]
EEH: [c000000000ab0d20] scmd_eh_abort_handler+0x140/0x440
EEH: [c00000000017e558] process_one_work+0x298/0x590
EEH: [c00000000017eef8] worker_thread+0xa8/0x620
EEH: [c00000000018be34] kthread+0x124/0x130
EEH: [c00000000000cd64] ret_from_kernel_thread+0x5c/0x64
A PCIe bus trace reveals that a vector of MSI-X is cleared to 0 by
irqbalance daemon. If we disable irqbalance daemon, we won't see the
issue.
With debug enabled in ipr driver:
[ 44.103071] ipr: Entering __ipr_remove
[ 44.103083] ipr: Entering ipr_initiate_ioa_bringdown
[ 44.103091] ipr: Entering ipr_reset_shutdown_ioa
[ 44.103099] ipr: Leaving ipr_reset_shutdown_ioa
[ 44.103105] ipr: Leaving ipr_initiate_ioa_bringdown
[ 44.149918] ipr: Entering ipr_reset_ucode_download
[ 44.149935] ipr: Entering ipr_reset_alert
[ 44.150032] ipr: Entering ipr_reset_start_timer
[ 44.150038] ipr: Leaving ipr_reset_alert
[ 44.244343] scsi 1:2:3:0: alua: Detached
[ 44.254300] ipr: Entering ipr_reset_start_bist
[ 44.254320] ipr: Entering ipr_reset_start_timer
[ 44.254325] ipr: Leaving ipr_reset_start_bist
[ 44.364329] scsi 1:2:4:0: alua: Detached
[ 45.134341] scsi 1:2:5:0: alua: Detached
[ 45.860949] ipr: Entering ipr_reset_shutdown_ioa
[ 45.860962] ipr: Leaving ipr_reset_shutdown_ioa
[ 45.860966] ipr: Entering ipr_reset_alert
[ 45.861028] ipr: Entering ipr_reset_start_timer
[ 45.861035] ipr: Leaving ipr_reset_alert
[ 45.964302] ipr: Entering ipr_reset_start_bist
[ 45.964309] ipr: Entering ipr_reset_start_timer
[ 45.964313] ipr: Leaving ipr_reset_start_bist
[ 46.264301] ipr: Entering ipr_reset_bist_done
[ 46.264309] ipr: Leaving ipr_reset_bist_done
During adapter reset, ipr device driver blocks config space access but
can't block MMIO access for MSI-X entries. There is very small window:
irqbalance daemon kicks in during adapter reset before ipr driver calls
pci_restore_state(pdev) to restore MSI-X table.
irqbalance daemon reads back all 0 for that MSI-X vector in
__pci_read_msi_msg().
irqbalance daemon:
msi_domain_set_affinity()
->irq_chip_set_affinity_patent()
->xive_irq_set_affinity()
->irq_chip_compose_msi_msg()
->pseries_msi_compose_msg()
->__pci_read_msi_msg(): read all 0 since didn't call pci_restore_state
->irq_chip_write_msi_msg()
-> pci_write_msg_msi(): write 0 to the msix vector entry
When ipr driver calls pci_restore_state(pdev) in
ipr_reset_restore_cfg_space(), the MSI-X vector entry has been cleared
by irqbalance daemon in pci_write_msg_msix().
pci_restore_state()
->__pci_restore_msix_state()
Below is the MSI-X table for ipr adapter after irqbalance daemon kicked
in during adapter reset:
Dump MSIx table: index=0 address_lo=c800 address_hi=10000000 msg_data=0
Dump MSIx table: index=1 address_lo=c810 address_hi=10000000 msg_data=0
Dump MSIx table: index=2 address_lo=c820 address_hi=10000000 msg_data=0
Dump MSIx table: index=3 address_lo=c830 address_hi=10000000 msg_data=0
Dump MSIx table: index=4 address_lo=c840 address_hi=10000000 msg_data=0
Dump MSIx table: index=5 address_lo=c850 address_hi=10000000 msg_data=0
Dump MSIx table: index=6 address_lo=c860 address_hi=10000000 msg_data=0
Dump MSIx table: index=7 address_lo=c870 address_hi=10000000 msg_data=0
Dump MSIx table: index=8 address_lo=0 address_hi=0 msg_data=0
---------> Hit EEH since msix vector of index=8 are 0
Dump MSIx table: index=9 address_lo=c890 address_hi=10000000 msg_data=0
Dump MSIx table: index=10 address_lo=c8a0 address_hi=10000000 msg_data=0
Dump MSIx table: index=11 address_lo=c8b0 address_hi=10000000 msg_data=0
Dump MSIx table: index=12 address_lo=c8c0 address_hi=10000000 msg_data=0
Dump MSIx table: index=13 address_lo=c8d0 address_hi=10000000 msg_data=0
Dump MSIx table: index=14 address_lo=c8e0 address_hi=10000000 msg_data=0
Dump MSIx table: index=15 address_lo=c8f0 address_hi=10000000 msg_data=0
[ 46.264312] ipr: Entering ipr_reset_restore_cfg_space
[ 46.267439] ipr: Entering ipr_fail_all_ops
[ 46.267447] ipr: Leaving ipr_fail_all_ops
[ 46.267451] ipr: Leaving ipr_reset_restore_cfg_space
[ 46.267454] ipr: Entering ipr_ioa_bringdown_done
[ 46.267458] ipr: Leaving ipr_ioa_bringdown_done
[ 46.267467] ipr: Entering ipr_worker_thread
[ 46.267470] ipr: Leaving ipr_worker_thread
IRQ balancing is not required during adapter reset.
Enable "IRQ_NO_BALANCING" flag before starting adapter reset and disable
it after calling pci_restore_state(). The irqbalance daemon is disabled
for this short period of time (~2s).
Co-developed-by: Kyle Mahlkuch <Kyle.Mahlkuch@ibm.com>
Signed-off-by: Kyle Mahlkuch <Kyle.Mahlkuch@ibm.com>
Signed-off-by: Wen Xiong <wenxiong@linux.ibm.com>
Link: https://patch.msgid.link/20251028142427.3969819-2-wenxiong@linux.ibm.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ipr.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index 44214884deaf5..d62bb7d0e4164 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -61,8 +61,8 @@
#include <linux/hdreg.h>
#include <linux/reboot.h>
#include <linux/stringify.h>
+#include <linux/irq.h>
#include <asm/io.h>
-#include <asm/irq.h>
#include <asm/processor.h>
#include <scsi/scsi.h>
#include <scsi/scsi_host.h>
@@ -7843,6 +7843,30 @@ static int ipr_dump_mailbox_wait(struct ipr_cmnd *ipr_cmd)
return IPR_RC_JOB_RETURN;
}
+/**
+ * ipr_set_affinity_nobalance
+ * @ioa_cfg: ipr_ioa_cfg struct for an ipr device
+ * @flag: bool
+ * true: ensable "IRQ_NO_BALANCING" bit for msix interrupt
+ * false: disable "IRQ_NO_BALANCING" bit for msix interrupt
+ * Description: This function will be called to disable/enable
+ * "IRQ_NO_BALANCING" to avoid irqbalance daemon
+ * kicking in during adapter reset.
+ **/
+static void ipr_set_affinity_nobalance(struct ipr_ioa_cfg *ioa_cfg, bool flag)
+{
+ int irq, i;
+
+ for (i = 0; i < ioa_cfg->nvectors; i++) {
+ irq = pci_irq_vector(ioa_cfg->pdev, i);
+
+ if (flag)
+ irq_set_status_flags(irq, IRQ_NO_BALANCING);
+ else
+ irq_clear_status_flags(irq, IRQ_NO_BALANCING);
+ }
+}
+
/**
* ipr_reset_restore_cfg_space - Restore PCI config space.
* @ipr_cmd: ipr command struct
@@ -7867,6 +7891,7 @@ static int ipr_reset_restore_cfg_space(struct ipr_cmnd *ipr_cmd)
return IPR_RC_JOB_CONTINUE;
}
+ ipr_set_affinity_nobalance(ioa_cfg, false);
ipr_fail_all_ops(ioa_cfg);
if (ioa_cfg->sis64) {
@@ -7946,6 +7971,7 @@ static int ipr_reset_start_bist(struct ipr_cmnd *ipr_cmd)
rc = pci_write_config_byte(ioa_cfg->pdev, PCI_BIST, PCI_BIST_START);
if (rc == PCIBIOS_SUCCESSFUL) {
+ ipr_set_affinity_nobalance(ioa_cfg, true);
ipr_cmd->job_step = ipr_reset_bist_done;
ipr_reset_start_timer(ipr_cmd, IPR_WAIT_FOR_BIST_TIMEOUT);
rc = IPR_RC_JOB_RETURN;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 062/181] scsi: ufs: core: Fix EH failure after W-LUN resume error
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 061/181] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 063/181] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" Greg Kroah-Hartman
` (132 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Kao, Bart Van Assche,
Martin K. Petersen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Kao <powenkao@google.com>
[ Upstream commit b4bb6daf4ac4d4560044ecdd81e93aa2f6acbb06 ]
When a W-LUN resume fails, its parent devices in the SCSI hierarchy,
including the scsi_target, may be runtime suspended. Subsequently, the
error handler in ufshcd_recover_pm_error() fails to set the W-LUN device
back to active because the parent target is not active. This results in
the following errors:
google-ufshcd 3c2d0000.ufs: ufshcd_err_handler started; HBA state eh_fatal; ...
ufs_device_wlun 0:0:0:49488: START_STOP failed for power mode: 1, result 40000
ufs_device_wlun 0:0:0:49488: ufshcd_wl_runtime_resume failed: -5
...
ufs_device_wlun 0:0:0:49488: runtime PM trying to activate child device 0:0:0:49488 but parent (target0:0:0) is not active
Address this by:
1. Ensuring the W-LUN's parent scsi_target is runtime resumed before
attempting to set the W-LUN to active within
ufshcd_recover_pm_error().
2. Explicitly checking for power.runtime_error on the HBA and W-LUN
devices before calling pm_runtime_set_active() to clear the error
state.
3. Adding pm_runtime_get_sync(hba->dev) in
ufshcd_err_handling_prepare() to ensure the HBA itself is active
during error recovery, even if a child device resume failed.
These changes ensure the device power states are managed correctly
during error recovery.
Signed-off-by: Brian Kao <powenkao@google.com>
Tested-by: Brian Kao <powenkao@google.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20251112063214.1195761-1-powenkao@google.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ufs/core/ufshcd.c | 36 ++++++++++++++++++++++++++++--------
1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index ba1bb3953cf69..022810b524e96 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -6498,6 +6498,11 @@ static void ufshcd_clk_scaling_suspend(struct ufs_hba *hba, bool suspend)
static void ufshcd_err_handling_prepare(struct ufs_hba *hba)
{
+ /*
+ * A WLUN resume failure could potentially lead to the HBA being
+ * runtime suspended, so take an extra reference on hba->dev.
+ */
+ pm_runtime_get_sync(hba->dev);
ufshcd_rpm_get_sync(hba);
if (pm_runtime_status_suspended(&hba->ufs_device_wlun->sdev_gendev) ||
hba->is_sys_suspended) {
@@ -6537,6 +6542,7 @@ static void ufshcd_err_handling_unprepare(struct ufs_hba *hba)
if (ufshcd_is_clkscaling_supported(hba))
ufshcd_clk_scaling_suspend(hba, false);
ufshcd_rpm_put(hba);
+ pm_runtime_put(hba->dev);
}
static inline bool ufshcd_err_handling_should_stop(struct ufs_hba *hba)
@@ -6551,28 +6557,42 @@ static inline bool ufshcd_err_handling_should_stop(struct ufs_hba *hba)
#ifdef CONFIG_PM
static void ufshcd_recover_pm_error(struct ufs_hba *hba)
{
+ struct scsi_target *starget = hba->ufs_device_wlun->sdev_target;
struct Scsi_Host *shost = hba->host;
struct scsi_device *sdev;
struct request_queue *q;
- int ret;
+ bool resume_sdev_queues = false;
hba->is_sys_suspended = false;
+
/*
- * Set RPM status of wlun device to RPM_ACTIVE,
- * this also clears its runtime error.
+ * Ensure the parent's error status is cleared before proceeding
+ * to the child, as the parent must be active to activate the child.
*/
- ret = pm_runtime_set_active(&hba->ufs_device_wlun->sdev_gendev);
+ if (hba->dev->power.runtime_error) {
+ /* hba->dev has no functional parent thus simplily set RPM_ACTIVE */
+ pm_runtime_set_active(hba->dev);
+ resume_sdev_queues = true;
+ }
+
+ if (hba->ufs_device_wlun->sdev_gendev.power.runtime_error) {
+ /*
+ * starget, parent of wlun, might be suspended if wlun resume failed.
+ * Make sure parent is resumed before set child (wlun) active.
+ */
+ pm_runtime_get_sync(&starget->dev);
+ pm_runtime_set_active(&hba->ufs_device_wlun->sdev_gendev);
+ pm_runtime_put_sync(&starget->dev);
+ resume_sdev_queues = true;
+ }
- /* hba device might have a runtime error otherwise */
- if (ret)
- ret = pm_runtime_set_active(hba->dev);
/*
* If wlun device had runtime error, we also need to resume those
* consumer scsi devices in case any of them has failed to be
* resumed due to supplier runtime resume failure. This is to unblock
* blk_queue_enter in case there are bios waiting inside it.
*/
- if (!ret) {
+ if (resume_sdev_queues) {
shost_for_each_device(sdev, shost) {
q = sdev->request_queue;
if (q->dev && (q->rpm_status == RPM_SUSPENDED ||
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 063/181] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed"
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 062/181] scsi: ufs: core: Fix EH failure after W-LUN resume error Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 064/181] btrfs: fix qgroup_snapshot_quick_inherit() squota bug Greg Kroah-Hartman
` (131 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingui Yang, Jason Yan, John Garry,
Martin K. Petersen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingui Yang <yangxingui@huawei.com>
[ Upstream commit 278712d20bc8ec29d1ad6ef9bdae9000ef2c220c ]
This reverts commit ab2068a6fb84751836a84c26ca72b3beb349619d.
When probing the exp-attached sata device, libsas/libata will issue a
hard reset in sas_probe_sata() -> ata_sas_async_probe(), then a
broadcast event will be received after the disk probe fails, and this
commit causes the probe will be re-executed on the disk, and a faulty
disk may get into an indefinite loop of probe.
Therefore, revert this commit, although it can fix some temporary issues
with disk probe failure.
Signed-off-by: Xingui Yang <yangxingui@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Link: https://patch.msgid.link/20251202065627.140361-1-yangxingui@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/libsas/sas_internal.h | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/drivers/scsi/libsas/sas_internal.h b/drivers/scsi/libsas/sas_internal.h
index 6706f2be8d274..da5408c701cdd 100644
--- a/drivers/scsi/libsas/sas_internal.h
+++ b/drivers/scsi/libsas/sas_internal.h
@@ -145,20 +145,6 @@ static inline void sas_fail_probe(struct domain_device *dev, const char *func, i
func, dev->parent ? "exp-attached" :
"direct-attached",
SAS_ADDR(dev->sas_addr), err);
-
- /*
- * If the device probe failed, the expander phy attached address
- * needs to be reset so that the phy will not be treated as flutter
- * in the next revalidation
- */
- if (dev->parent && !dev_is_expander(dev->dev_type)) {
- struct sas_phy *phy = dev->phy;
- struct domain_device *parent = dev->parent;
- struct ex_phy *ex_phy = &parent->ex_dev.ex_phy[phy->number];
-
- memset(ex_phy->attached_sas_addr, 0, SAS_ADDR_SIZE);
- }
-
sas_unregister_dev(dev->port, dev);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 064/181] btrfs: fix qgroup_snapshot_quick_inherit() squota bug
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 063/181] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 065/181] btrfs: qgroup: update all parent qgroups when doing quick inherit Greg Kroah-Hartman
` (130 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Boris Burkov,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Burkov <boris@bur.io>
[ Upstream commit 7ee19a59a75e3d5b9ec00499b86af8e2a46fbe86 ]
qgroup_snapshot_quick_inherit() detects conditions where the snapshot
destination would land in the same parent qgroup as the snapshot source
subvolume. In this case we can avoid costly qgroup calculations and just
add the nodesize of the new snapshot to the parent.
However, in the case of squotas this is actually a double count, and
also an undercount for deeper qgroup nestings.
The following annotated script shows the issue:
btrfs quota enable --simple "$mnt"
# Create 2-level qgroup hierarchy
btrfs qgroup create 2/100 "$mnt" # Q2 (level 2)
btrfs qgroup create 1/100 "$mnt" # Q1 (level 1)
btrfs qgroup assign 1/100 2/100 "$mnt"
# Create base subvolume
btrfs subvolume create "$mnt/base" >/dev/null
base_id=$(btrfs subvolume show "$mnt/base" | grep 'Subvolume ID:' | awk '{print $3}')
# Create intermediate snapshot and add to Q1
btrfs subvolume snapshot "$mnt/base" "$mnt/intermediate" >/dev/null
inter_id=$(btrfs subvolume show "$mnt/intermediate" | grep 'Subvolume ID:' | awk '{print $3}')
btrfs qgroup assign "0/$inter_id" 1/100 "$mnt"
# Create working snapshot with --inherit (auto-adds to Q1)
# src=intermediate (in only Q1)
# dst=snap (inheriting only into Q1)
# This double counts the 16k nodesize of the snapshot in Q1, and
# undercounts it in Q2.
btrfs subvolume snapshot -i 1/100 "$mnt/intermediate" "$mnt/snap" >/dev/null
snap_id=$(btrfs subvolume show "$mnt/snap" | grep 'Subvolume ID:' | awk '{print $3}')
# Fully complete snapshot creation
sync
# Delete working snapshot
# Q1 and Q2 will lose the full snap usage
btrfs subvolume delete "$mnt/snap" >/dev/null
# Delete intermediate and remove from Q1
# Q1 and Q2 will lose the full intermediate usage
btrfs qgroup remove "0/$inter_id" 1/100 "$mnt"
btrfs subvolume delete "$mnt/intermediate" >/dev/null
# Q1 should be at 0, but still has 16k. Q2 is "correct" at 0 (for now...)
# Trigger cleaner, wait for deletions
mount -o remount,sync=1 "$mnt"
btrfs subvolume sync "$mnt" "$snap_id"
btrfs subvolume sync "$mnt" "$inter_id"
# Remove Q1 from Q2
# Frees 16k more from Q2, underflowing it to 16EiB
btrfs qgroup remove 1/100 2/100 "$mnt"
# And show the bad state:
btrfs qgroup show -pc "$mnt"
Qgroupid Referenced Exclusive Parent Child Path
-------- ---------- --------- ------ ----- ----
0/5 16.00KiB 16.00KiB - - <toplevel>
0/256 16.00KiB 16.00KiB - - base
1/100 16.00KiB 16.00KiB - - <0 member qgroups>
2/100 16.00EiB 16.00EiB - - <0 member qgroups>
Fix this by simply not doing this quick inheritance with squotas.
I suspect that it is also wrong in normal qgroups to not recurse up the
qgroup tree in the quick inherit case, though other consistency checks
will likely fix it anyway.
Fixes: b20fe56cd285 ("btrfs: qgroup: allow quick inherit if snapshot is created and added to the same parent")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/qgroup.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 31ad8580322a6..7faaa777010d7 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -3247,6 +3247,9 @@ static int qgroup_snapshot_quick_inherit(struct btrfs_fs_info *fs_info,
struct btrfs_qgroup_list *list;
int nr_parents = 0;
+ if (btrfs_qgroup_mode(fs_info) != BTRFS_QGROUP_MODE_FULL)
+ return 0;
+
src = find_qgroup_rb(fs_info, srcid);
if (!src)
return -ENOENT;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 065/181] btrfs: qgroup: update all parent qgroups when doing quick inherit
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 064/181] btrfs: fix qgroup_snapshot_quick_inherit() squota bug Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 066/181] btrfs: fix NULL dereference on root when tracing inode eviction Greg Kroah-Hartman
` (129 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Qu Wenruo,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 68d4b3fa18d72b7f649e83012e7e08f1881f6b75 ]
[BUG]
There is a bug that if a subvolume has multi-level parent qgroups, and
is able to do a quick inherit, only the direct parent qgroup got
updated:
mkfs.btrfs -f -O quota $dev
mount $dev $mnt
btrfs subv create $mnt/subv1
btrfs qgroup create 1/100 $mnt
btrfs qgroup create 2/100 $mnt
btrfs qgroup assign 1/100 2/100 $mnt
btrfs qgroup assign 0/256 1/100 $mnt
btrfs qgroup show -p --sync $mnt
Qgroupid Referenced Exclusive Parent Path
-------- ---------- --------- ------ ----
0/5 16.00KiB 16.00KiB - <toplevel>
0/256 16.00KiB 16.00KiB 1/100 subv1
1/100 16.00KiB 16.00KiB 2/100 2/100<1 member qgroup>
2/100 16.00KiB 16.00KiB - <0 member qgroups>
btrfs subv snap -i 1/100 $mnt/subv1 $mnt/snap1
btrfs qgroup show -p --sync $mnt
Qgroupid Referenced Exclusive Parent Path
-------- ---------- --------- ------ ----
0/5 16.00KiB 16.00KiB - <toplevel>
0/256 16.00KiB 16.00KiB 1/100 subv1
0/257 16.00KiB 16.00KiB 1/100 snap1
1/100 32.00KiB 32.00KiB 2/100 2/100<1 member qgroup>
2/100 16.00KiB 16.00KiB - <0 member qgroups>
# Note that 2/100 is not updated, and qgroup numbers are inconsistent
umount $mnt
[CAUSE]
If the snapshot source subvolume belongs to a parent qgroup, and the new
snapshot target is also added to the new same parent qgroup, we allow a
quick update without marking qgroup inconsistent.
But that quick update only update the parent qgroup, without checking if
there is any more parent qgroups.
[FIX]
Iterate through all parent qgroups during the quick inherit.
Reported-by: Boris Burkov <boris@bur.io>
Fixes: b20fe56cd285 ("btrfs: qgroup: allow quick inherit if snapshot is created and added to the same parent")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/qgroup.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
index 7faaa777010d7..febc22d1b6487 100644
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -3244,7 +3244,10 @@ static int qgroup_snapshot_quick_inherit(struct btrfs_fs_info *fs_info,
{
struct btrfs_qgroup *src;
struct btrfs_qgroup *parent;
+ struct btrfs_qgroup *qgroup;
struct btrfs_qgroup_list *list;
+ LIST_HEAD(qgroup_list);
+ const u32 nodesize = fs_info->nodesize;
int nr_parents = 0;
if (btrfs_qgroup_mode(fs_info) != BTRFS_QGROUP_MODE_FULL)
@@ -3284,8 +3287,19 @@ static int qgroup_snapshot_quick_inherit(struct btrfs_fs_info *fs_info,
if (parent->excl != parent->rfer)
return 1;
- parent->excl += fs_info->nodesize;
- parent->rfer += fs_info->nodesize;
+ qgroup_iterator_add(&qgroup_list, parent);
+ list_for_each_entry(qgroup, &qgroup_list, iterator) {
+ qgroup->rfer += nodesize;
+ qgroup->rfer_cmpr += nodesize;
+ qgroup->excl += nodesize;
+ qgroup->excl_cmpr += nodesize;
+ qgroup_dirty(fs_info, qgroup);
+
+ /* Append parent qgroups to @qgroup_list. */
+ list_for_each_entry(list, &qgroup->groups, next_group)
+ qgroup_iterator_add(&qgroup_list, list->group);
+ }
+ qgroup_iterator_clean(&qgroup_list);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 066/181] btrfs: fix NULL dereference on root when tracing inode eviction
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 065/181] btrfs: qgroup: update all parent qgroups when doing quick inherit Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 067/181] btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Greg Kroah-Hartman
` (128 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d991fea1b4b23b1f6bf8,
Miquel Sabaté Solà, David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Sabaté Solà <mssola@mssola.com>
[ Upstream commit f157dd661339fc6f5f2b574fe2429c43bd309534 ]
When evicting an inode the first thing we do is to setup tracing for it,
which implies fetching the root's id. But in btrfs_evict_inode() the
root might be NULL, as implied in the next check that we do in
btrfs_evict_inode().
Hence, we either should set the ->root_objectid to 0 in case the root is
NULL, or we move tracing setup after checking that the root is not
NULL. Setting the rootid to 0 at least gives us the possibility to trace
this call even in the case when the root is NULL, so that's the solution
taken here.
Fixes: 1abe9b8a138c ("Btrfs: add initial tracepoint support for btrfs")
Reported-by: syzbot+d991fea1b4b23b1f6bf8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d991fea1b4b23b1f6bf8
Signed-off-by: Miquel Sabaté Solà <mssola@mssola.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/btrfs.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
index 7e418f065b945..125bdc166bfed 100644
--- a/include/trace/events/btrfs.h
+++ b/include/trace/events/btrfs.h
@@ -224,7 +224,8 @@ DECLARE_EVENT_CLASS(btrfs__inode,
__entry->generation = BTRFS_I(inode)->generation;
__entry->last_trans = BTRFS_I(inode)->last_trans;
__entry->logged_trans = BTRFS_I(inode)->logged_trans;
- __entry->root_objectid = btrfs_root_id(BTRFS_I(inode)->root);
+ __entry->root_objectid = BTRFS_I(inode)->root ?
+ btrfs_root_id(BTRFS_I(inode)->root) : 0;
),
TP_printk_btrfs("root=%llu(%s) gen=%llu ino=%llu blocks=%llu "
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 067/181] btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 066/181] btrfs: fix NULL dereference on root when tracing inode eviction Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 068/181] of: unittest: Fix memory leak in unittest_data_add() Greg Kroah-Hartman
` (127 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Filipe Manana,
Leo Martins, David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Martins <loemra.dev@gmail.com>
[ Upstream commit 83f59076a1ae6f5c6845d6f7ed3a1a373d883684 ]
Previously, btrfs_get_or_create_delayed_node() set the delayed_node's
refcount before acquiring the root->delayed_nodes lock.
Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes")
moved refcount_set inside the critical section, which means there is
no longer a memory barrier between setting the refcount and setting
btrfs_inode->delayed_node.
Without that barrier, the stores to node->refs and
btrfs_inode->delayed_node may become visible out of order. Another
thread can then read btrfs_inode->delayed_node and attempt to
increment a refcount that hasn't been set yet, leading to a
refcounting bug and a use-after-free warning.
The fix is to move refcount_set back to where it was to take
advantage of the implicit memory barrier provided by lock
acquisition.
Because the allocations now happen outside of the lock's critical
section, they can use GFP_NOFS instead of GFP_ATOMIC.
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202511262228.6dda231e-lkp@intel.com
Fixes: e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes")
Tested-by: kernel test robot <oliver.sang@intel.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Leo Martins <loemra.dev@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/delayed-inode.c | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 3df7b9d7fbe8d..59b489d7e4b58 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -152,37 +152,39 @@ static struct btrfs_delayed_node *btrfs_get_or_create_delayed_node(
return ERR_PTR(-ENOMEM);
btrfs_init_delayed_node(node, root, ino);
+ /* Cached in the inode and can be accessed. */
+ refcount_set(&node->refs, 2);
+ btrfs_delayed_node_ref_tracker_alloc(node, tracker, GFP_NOFS);
+ btrfs_delayed_node_ref_tracker_alloc(node, &node->inode_cache_tracker, GFP_NOFS);
+
/* Allocate and reserve the slot, from now it can return a NULL from xa_load(). */
ret = xa_reserve(&root->delayed_nodes, ino, GFP_NOFS);
- if (ret == -ENOMEM) {
- btrfs_delayed_node_ref_tracker_dir_exit(node);
- kmem_cache_free(delayed_node_cache, node);
- return ERR_PTR(-ENOMEM);
- }
+ if (ret == -ENOMEM)
+ goto cleanup;
+
xa_lock(&root->delayed_nodes);
ptr = xa_load(&root->delayed_nodes, ino);
if (ptr) {
/* Somebody inserted it, go back and read it. */
xa_unlock(&root->delayed_nodes);
- btrfs_delayed_node_ref_tracker_dir_exit(node);
- kmem_cache_free(delayed_node_cache, node);
- node = NULL;
- goto again;
+ goto cleanup;
}
ptr = __xa_store(&root->delayed_nodes, ino, node, GFP_ATOMIC);
ASSERT(xa_err(ptr) != -EINVAL);
ASSERT(xa_err(ptr) != -ENOMEM);
ASSERT(ptr == NULL);
-
- /* Cached in the inode and can be accessed. */
- refcount_set(&node->refs, 2);
- btrfs_delayed_node_ref_tracker_alloc(node, tracker, GFP_ATOMIC);
- btrfs_delayed_node_ref_tracker_alloc(node, &node->inode_cache_tracker, GFP_ATOMIC);
-
btrfs_inode->delayed_node = node;
xa_unlock(&root->delayed_nodes);
return node;
+cleanup:
+ btrfs_delayed_node_ref_tracker_free(node, tracker);
+ btrfs_delayed_node_ref_tracker_free(node, &node->inode_cache_tracker);
+ btrfs_delayed_node_ref_tracker_dir_exit(node);
+ kmem_cache_free(delayed_node_cache, node);
+ if (ret)
+ return ERR_PTR(ret);
+ goto again;
}
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 068/181] of: unittest: Fix memory leak in unittest_data_add()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 067/181] btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 069/181] arm64: dts: ti: k3-am642-phyboard-electra-peb-c-010: Fix icssg-prueth schema warning Greg Kroah-Hartman
` (126 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Herring, Jianhao Xu, Zilin Guan,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 235a1eb8d2dcc49a6cf0a5ee1aa85544a5d0054b ]
In unittest_data_add(), if of_resolve_phandles() fails, the allocated
unittest_data is not freed, leading to a memory leak.
Fix this by using scope-based cleanup helper __free(kfree) for automatic
resource cleanup. This ensures unittest_data is automatically freed when
it goes out of scope in error paths.
For the success path, use retain_and_null_ptr() to transfer ownership
of the memory to the device tree and prevent double freeing.
Fixes: 2eb46da2a760 ("of/selftest: Use the resolver to fixup phandles")
Suggested-by: Rob Herring <robh@kernel.org>
Co-developed-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
Signed-off-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Link: https://patch.msgid.link/20251231114915.234638-1-zilin@seu.edu.cn
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/of/unittest.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
index 388e9ec2cccf8..3b773aaf9d050 100644
--- a/drivers/of/unittest.c
+++ b/drivers/of/unittest.c
@@ -1985,7 +1985,6 @@ static void attach_node_and_children(struct device_node *np)
*/
static int __init unittest_data_add(void)
{
- void *unittest_data;
void *unittest_data_align;
struct device_node *unittest_data_node = NULL, *np;
/*
@@ -2004,7 +2003,7 @@ static int __init unittest_data_add(void)
}
/* creating copy */
- unittest_data = kmalloc(size + FDT_ALIGN_SIZE, GFP_KERNEL);
+ void *unittest_data __free(kfree) = kmalloc(size + FDT_ALIGN_SIZE, GFP_KERNEL);
if (!unittest_data)
return -ENOMEM;
@@ -2014,12 +2013,10 @@ static int __init unittest_data_add(void)
ret = of_fdt_unflatten_tree(unittest_data_align, NULL, &unittest_data_node);
if (!ret) {
pr_warn("%s: unflatten testcases tree failed\n", __func__);
- kfree(unittest_data);
return -ENODATA;
}
if (!unittest_data_node) {
pr_warn("%s: testcases tree is empty\n", __func__);
- kfree(unittest_data);
return -ENODATA;
}
@@ -2038,7 +2035,6 @@ static int __init unittest_data_add(void)
/* attach the sub-tree to live tree */
if (!of_root) {
pr_warn("%s: no live tree to attach sub-tree\n", __func__);
- kfree(unittest_data);
rc = -ENODEV;
goto unlock;
}
@@ -2059,6 +2055,8 @@ static int __init unittest_data_add(void)
EXPECT_END(KERN_INFO,
"Duplicate name in testcase-data, renamed to \"duplicate-name#1\"");
+ retain_and_null_ptr(unittest_data);
+
unlock:
of_overlay_mutex_unlock();
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 069/181] arm64: dts: ti: k3-am642-phyboard-electra-peb-c-010: Fix icssg-prueth schema warning
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 068/181] of: unittest: Fix memory leak in unittest_data_add() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 070/181] arm64: dts: ti: k3-am642-phyboard-electra-x27-gpio1-spi1-uart3: Fix schema warnings Greg Kroah-Hartman
` (125 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wadim Egorov, Nishanth Menon,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wadim Egorov <w.egorov@phytec.de>
[ Upstream commit 05bbe52d0be5637dcd3c880348e3688f7ec64eb7 ]
Reduce length of dma-names and dmas properties for icssg1-ethernet
node to comply with ti,icssg-prueth schema constraints. The previous
entries exceeded the allowed count and triggered dtschema warnings
during validation.
Fixes: e53fbf955ea7 ("arm64: dts: ti: k3-am642-phyboard-electra: Add PEB-C-010 Overlay")
Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
Link: https://patch.msgid.link/20251127122733.2523367-1-w.egorov@phytec.de
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso
index 7fc73cfacadb8..1176a52d560b7 100644
--- a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso
+++ b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-peb-c-010.dtso
@@ -30,13 +30,10 @@
<&main_pktdma 0xc206 15>, /* egress slice 1 */
<&main_pktdma 0xc207 15>, /* egress slice 1 */
<&main_pktdma 0x4200 15>, /* ingress slice 0 */
- <&main_pktdma 0x4201 15>, /* ingress slice 1 */
- <&main_pktdma 0x4202 0>, /* mgmnt rsp slice 0 */
- <&main_pktdma 0x4203 0>; /* mgmnt rsp slice 1 */
+ <&main_pktdma 0x4201 15>; /* ingress slice 1 */
dma-names = "tx0-0", "tx0-1", "tx0-2", "tx0-3",
"tx1-0", "tx1-1", "tx1-2", "tx1-3",
- "rx0", "rx1",
- "rxmgm0", "rxmgm1";
+ "rx0", "rx1";
firmware-name = "ti-pruss/am65x-sr2-pru0-prueth-fw.elf",
"ti-pruss/am65x-sr2-rtu0-prueth-fw.elf",
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 070/181] arm64: dts: ti: k3-am642-phyboard-electra-x27-gpio1-spi1-uart3: Fix schema warnings
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 069/181] arm64: dts: ti: k3-am642-phyboard-electra-peb-c-010: Fix icssg-prueth schema warning Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 071/181] arm64: dts: ti: k3-am62-lp-sk-nand: Rename pinctrls to fix " Greg Kroah-Hartman
` (124 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wadim Egorov, Nishanth Menon,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wadim Egorov <w.egorov@phytec.de>
[ Upstream commit d876bb9353d87dee0ae620300106e8def189c785 ]
Rename pinctrl nodes to comply with naming conventions required by
pinctrl-single schema. Also, replace invalid integer assignment in
SPI node with a boolean to align with omap-spi schema.
Fixes: 638ab30ce4c6 ("arm64: dts: ti: am64-phyboard-electra: Add DT overlay for X27 connector")
Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
Link: https://patch.msgid.link/20251127122733.2523367-2-w.egorov@phytec.de
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso
index 996c42ec4253e..bea8efa3e9094 100644
--- a/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso
+++ b/arch/arm64/boot/dts/ti/k3-am642-phyboard-electra-x27-gpio1-spi1-uart3.dtso
@@ -20,13 +20,13 @@
};
&main_pmx0 {
- main_gpio1_exp_header_gpio_pins_default: main-gpio1-exp-header-gpio-pins-default {
+ main_gpio1_exp_header_gpio_pins_default: main-gpio1-exp-header-gpio-default-pins {
pinctrl-single,pins = <
AM64X_IOPAD(0x0220, PIN_INPUT, 7) /* (D14) SPI1_CS1.GPIO1_48 */
>;
};
- main_spi1_pins_default: main-spi1-pins-default {
+ main_spi1_pins_default: main-spi1-default-pins {
pinctrl-single,pins = <
AM64X_IOPAD(0x0224, PIN_INPUT, 0) /* (C14) SPI1_CLK */
AM64X_IOPAD(0x021C, PIN_OUTPUT, 0) /* (B14) SPI1_CS0 */
@@ -35,7 +35,7 @@
>;
};
- main_uart3_pins_default: main-uart3-pins-default {
+ main_uart3_pins_default: main-uart3-default-pins {
pinctrl-single,pins = <
AM64X_IOPAD(0x0048, PIN_INPUT, 2) /* (U20) GPMC0_AD3.UART3_RXD */
AM64X_IOPAD(0x004c, PIN_OUTPUT, 2) /* (U18) GPMC0_AD4.UART3_TXD */
@@ -52,7 +52,7 @@
&main_spi1 {
pinctrl-names = "default";
pinctrl-0 = <&main_spi1_pins_default>;
- ti,pindir-d0-out-d1-in = <1>;
+ ti,pindir-d0-out-d1-in;
status = "okay";
};
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 071/181] arm64: dts: ti: k3-am62-lp-sk-nand: Rename pinctrls to fix schema warnings
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 070/181] arm64: dts: ti: k3-am642-phyboard-electra-x27-gpio1-spi1-uart3: Fix schema warnings Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 072/181] gpu: nova-core: select RUST_FW_LOADER_ABSTRACTIONS Greg Kroah-Hartman
` (123 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wadim Egorov, Nishanth Menon,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wadim Egorov <w.egorov@phytec.de>
[ Upstream commit cf5e8adebe77917a4cc95e43e461cdbd857591ce ]
Rename pinctrl nodes to comply with naming conventions required by
pinctrl-single schema.
Fixes: e569152274fec ("arm64: dts: ti: am62-lp-sk: Add overlay for NAND expansion card")
Signed-off-by: Wadim Egorov <w.egorov@phytec.de>
Link: https://patch.msgid.link/20251127122733.2523367-3-w.egorov@phytec.de
Signed-off-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso b/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso
index 173ac60723b64..b4daa674eaa1e 100644
--- a/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso
+++ b/arch/arm64/boot/dts/ti/k3-am62-lp-sk-nand.dtso
@@ -14,7 +14,7 @@
};
&main_pmx0 {
- gpmc0_pins_default: gpmc0-pins-default {
+ gpmc0_pins_default: gpmc0-default-pins {
pinctrl-single,pins = <
AM62X_IOPAD(0x003c, PIN_INPUT, 0) /* (K19) GPMC0_AD0 */
AM62X_IOPAD(0x0040, PIN_INPUT, 0) /* (L19) GPMC0_AD1 */
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 072/181] gpu: nova-core: select RUST_FW_LOADER_ABSTRACTIONS
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 071/181] arm64: dts: ti: k3-am62-lp-sk-nand: Rename pinctrls to fix " Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 073/181] gpio: it87: balance superio enter/exit calls in error path Greg Kroah-Hartman
` (122 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alyssa Ross, Danilo Krummrich,
Alexandre Courbot, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Courbot <acourbot@nvidia.com>
[ Upstream commit 3d3352e73a55a4ccf110f8b3419bbe2fbfd8a030 ]
RUST_FW_LOADER_ABSTRACTIONS was depended on by NOVA_CORE, but NOVA_CORE
is selected by DRM_NOVA. This creates a situation where, if DRM_NOVA is
selected, NOVA_CORE gets enabled but not RUST_FW_LOADER_ABSTRACTIONS,
which results in a build error.
Since the firmware loader is an implementation detail of the driver, it
should be enabled along with it, so change the "depends on" to a
"select".
Fixes: 54e6baf123fd ("gpu: nova-core: add initial driver stub")
Closes: https://lore.kernel.org/oe-kbuild-all/202512061721.rxKGnt5q-lkp@intel.com/
Tested-by: Alyssa Ross <hi@alyssa.is>
Acked-by: Danilo Krummrich <dakr@kernel.org>
Link: https://patch.msgid.link/20251106-b4-select-rust-fw-v3-2-771172257755@nvidia.com
Signed-off-by: Alexandre Courbot <acourbot@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/nova-core/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/nova-core/Kconfig b/drivers/gpu/nova-core/Kconfig
index 20d3e6d0d796e..527920f9c4d39 100644
--- a/drivers/gpu/nova-core/Kconfig
+++ b/drivers/gpu/nova-core/Kconfig
@@ -3,7 +3,7 @@ config NOVA_CORE
depends on 64BIT
depends on PCI
depends on RUST
- depends on RUST_FW_LOADER_ABSTRACTIONS
+ select RUST_FW_LOADER_ABSTRACTIONS
select AUXILIARY_BUS
default n
help
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 073/181] gpio: it87: balance superio enter/exit calls in error path
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 072/181] gpu: nova-core: select RUST_FW_LOADER_ABSTRACTIONS Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 074/181] HID: Intel-thc-hid: Intel-thc: fix dma_unmap_sg() nents value Greg Kroah-Hartman
` (121 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Gibson, Bartosz Golaszewski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
[ Upstream commit a05543d6b05ba998fdbb4b383319ae5121bb7407 ]
We always call superio_enter() in it87_gpio_direction_out() but only
call superio_exit() if the call to it87_gpio_set() succeeds. Move the
label to balance the calls in error path as well.
Fixes: ef877a159072 ("gpio: it87: use new line value setter callbacks")
Reported-by: Daniel Gibson <daniel@gibson.sh>
Closes: https://lore.kernel.org/all/bd0a00e3-9b8c-43e8-8772-e67b91f4c71e@gibson.sh/
Link: https://lore.kernel.org/r/20251210055026.23146-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-it87.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/drivers/gpio/gpio-it87.c b/drivers/gpio/gpio-it87.c
index 5d677bcfccf26..2ad3c239367bc 100644
--- a/drivers/gpio/gpio-it87.c
+++ b/drivers/gpio/gpio-it87.c
@@ -12,6 +12,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/cleanup.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
@@ -241,23 +242,17 @@ static int it87_gpio_direction_out(struct gpio_chip *chip,
mask = 1 << (gpio_num % 8);
group = (gpio_num / 8);
- spin_lock(&it87_gpio->lock);
+ guard(spinlock)(&it87_gpio->lock);
rc = superio_enter();
if (rc)
- goto exit;
+ return rc;
/* set the output enable bit */
superio_set_mask(mask, group + it87_gpio->output_base);
rc = it87_gpio_set(chip, gpio_num, val);
- if (rc)
- goto exit;
-
superio_exit();
-
-exit:
- spin_unlock(&it87_gpio->lock);
return rc;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 074/181] HID: Intel-thc-hid: Intel-thc: fix dma_unmap_sg() nents value
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 073/181] gpio: it87: balance superio enter/exit calls in error path Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 075/181] HID: Intel-thc-hid: Intel-thc: Fix wrong register reading Greg Kroah-Hartman
` (120 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Even Xu,
Andy Shevchenko, Benjamin Tissoires, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 0e13150c1a13a3a3d6184c24bfd080d5999945d1 ]
The `dma_unmap_sg()` functions should be called with the same nents as the
`dma_map_sg()`, not the value the map function returned.
Save the number of entries in struct thc_dma_configuration.
Fixes: a688404b2e20 ("HID: intel-thc-hid: intel-thc: Add THC DMA interfaces")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Even Xu <even.xu@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c | 4 +++-
drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c
index 82b8854843e05..a0c368aa7979c 100644
--- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c
+++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.c
@@ -232,6 +232,7 @@ static int setup_dma_buffers(struct thc_device *dev,
return 0;
memset(config->sgls, 0, sizeof(config->sgls));
+ memset(config->sgls_nent_pages, 0, sizeof(config->sgls_nent_pages));
memset(config->sgls_nent, 0, sizeof(config->sgls_nent));
cpu_addr = dma_alloc_coherent(dev->dev, prd_tbls_size,
@@ -254,6 +255,7 @@ static int setup_dma_buffers(struct thc_device *dev,
}
count = dma_map_sg(dev->dev, config->sgls[i], nent, dir);
+ config->sgls_nent_pages[i] = nent;
config->sgls_nent[i] = count;
}
@@ -299,7 +301,7 @@ static void release_dma_buffers(struct thc_device *dev,
continue;
dma_unmap_sg(dev->dev, config->sgls[i],
- config->sgls_nent[i],
+ config->sgls_nent_pages[i],
config->dir);
sgl_free(config->sgls[i]);
diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h
index 78917400492ca..541d33995baf3 100644
--- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h
+++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dma.h
@@ -91,6 +91,7 @@ struct thc_prd_table {
* @dir: Direction of DMA for this config
* @prd_tbls: PRD tables for current DMA
* @sgls: Array of pointers to scatter-gather lists
+ * @sgls_nent_pages: Number of pages per scatter-gather list
* @sgls_nent: Actual number of entries per scatter-gather list
* @prd_tbl_num: Actual number of PRD tables
* @max_packet_size: Size of the buffer needed for 1 DMA message (1 PRD table)
@@ -107,6 +108,7 @@ struct thc_dma_configuration {
struct thc_prd_table *prd_tbls;
struct scatterlist *sgls[PRD_TABLES_NUM];
+ u8 sgls_nent_pages[PRD_TABLES_NUM];
u8 sgls_nent[PRD_TABLES_NUM];
u8 prd_tbl_num;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 075/181] HID: Intel-thc-hid: Intel-thc: Fix wrong register reading
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 074/181] HID: Intel-thc-hid: Intel-thc: fix dma_unmap_sg() nents value Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 076/181] netfs: Fix early read unlock of page with EOF in middle Greg Kroah-Hartman
` (119 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Even Xu, Benjamin Tissoires,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Even Xu <even.xu@intel.com>
[ Upstream commit f39006965dd37e7be823dba6ca484adccc7a4dff ]
Correct the read register for the setting of max input size and
interrupt delay.
Fixes: 22da60f0304b ("HID: Intel-thc-hid: Intel-thc: Introduce interrupt delay control")
Fixes: 45e92a093099 ("HID: Intel-thc-hid: Intel-thc: Introduce max input size control")
Signed-off-by: Even Xu <even.xu@intel.com>
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
index 636a683065015..7e220a4c5ded7 100644
--- a/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
+++ b/drivers/hid/intel-thc-hid/intel-thc/intel-thc-dev.c
@@ -1593,7 +1593,7 @@ int thc_i2c_set_rx_max_size(struct thc_device *dev, u32 max_rx_size)
if (!max_rx_size)
return -EOPNOTSUPP;
- ret = regmap_read(dev->thc_regmap, THC_M_PRT_SW_SEQ_STS_OFFSET, &val);
+ ret = regmap_read(dev->thc_regmap, THC_M_PRT_SPI_ICRRD_OPCODE_OFFSET, &val);
if (ret)
return ret;
@@ -1662,7 +1662,7 @@ int thc_i2c_set_rx_int_delay(struct thc_device *dev, u32 delay_us)
if (!delay_us)
return -EOPNOTSUPP;
- ret = regmap_read(dev->thc_regmap, THC_M_PRT_SW_SEQ_STS_OFFSET, &val);
+ ret = regmap_read(dev->thc_regmap, THC_M_PRT_SPI_ICRRD_OPCODE_OFFSET, &val);
if (ret)
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 076/181] netfs: Fix early read unlock of page with EOF in middle
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 075/181] HID: Intel-thc-hid: Intel-thc: Fix wrong register reading Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 077/181] pinctrl: mediatek: mt8189: restore previous register base name array order Greg Kroah-Hartman
` (118 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Schoenebeck, David Howells,
Dominique Martinet, v9fs, netfs, linux-fsdevel, Christian Brauner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 570ad253a3455a520f03c2136af8714bc780186d ]
The read result collection for buffered reads seems to run ahead of the
completion of subrequests under some circumstances, as can be seen in the
following log snippet:
9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0
...
netfs_sreq: R=00001b55[1] DOWN TERM f=192 s=0 5fb2/5fb2 s=5 e=0
...
netfs_collect_folio: R=00001b55 ix=00004 r=4000-5000 t=4000/5fb2
netfs_folio: i=157f3 ix=00004-00004 read-done
netfs_folio: i=157f3 ix=00004-00004 read-unlock
netfs_collect_folio: R=00001b55 ix=00005 r=5000-5fb2 t=5000/5fb2
netfs_folio: i=157f3 ix=00005-00005 read-done
netfs_folio: i=157f3 ix=00005-00005 read-unlock
...
netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff
netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=c
netfs_collect_stream: R=00001b55[0:] cto=5fb2 frn=ffffffff
netfs_collect_state: R=00001b55 col=5fb2 cln=6000 n=8
...
netfs_sreq: R=00001b55[2] ZERO SUBMT f=000 s=5fb2 0/4e s=0 e=0
netfs_sreq: R=00001b55[2] ZERO TERM f=102 s=5fb2 4e/4e s=5 e=0
The 'cto=5fb2' indicates the collected file pos we've collected results to
so far - but we still have 0x4e more bytes to go - so we shouldn't have
collected folio ix=00005 yet. The 'ZERO' subreq that clears the tail
happens after we unlock the folio, allowing the application to see the
uncleared tail through mmap.
The problem is that netfs_read_unlock_folios() will unlock a folio in which
the amount of read results collected hits EOF position - but the ZERO
subreq lies beyond that and so happens after.
Fix this by changing the end check to always be the end of the folio and
never the end of the file.
In the future, I should look at clearing to the end of the folio here rather
than adding a ZERO subreq to do this. On the other hand, the ZERO subreq can
run in parallel with an async READ subreq. Further, the ZERO subreq may still
be necessary to, say, handle extents in a ceph file that don't have any
backing store and are thus implicitly all zeros.
This can be reproduced by creating a file, the size of which doesn't align
to a page boundary, e.g. 24998 (0x5fb2) bytes and then doing something
like:
xfs_io -c "mmap -r 0 0x6000" -c "madvise -d 0 0x6000" \
-c "mread -v 0 0x6000" /xfstest.test/x
The last 0x4e bytes should all be 00, but if the tail hasn't been cleared
yet, you may see rubbish there. This can be reproduced with kafs by
modifying the kernel to disable the call to netfs_read_subreq_progress()
and to stop afs_issue_read() from doing the async call for NETFS_READAHEAD.
Reproduction can be made easier by inserting an mdelay(100) in
netfs_issue_read() for the ZERO-subreq case.
AFS and CIFS are normally unlikely to show this as they dispatch READ ops
asynchronously, which allows the ZERO-subreq to finish first. 9P's READ op is
completely synchronous, so the ZERO-subreq will always happen after. It isn't
seen all the time, though, because the collection may be done in a worker
thread.
Reported-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Link: https://lore.kernel.org/r/8622834.T7Z3S40VBb@weasel/
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://patch.msgid.link/938162.1766233900@warthog.procyon.org.uk
Fixes: e2d46f2ec332 ("netfs: Change the read result collector to only use one work item")
Tested-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Acked-by: Dominique Martinet <asmadeus@codewreck.org>
Suggested-by: Dominique Martinet <asmadeus@codewreck.org>
cc: Dominique Martinet <asmadeus@codewreck.org>
cc: Christian Schoenebeck <linux_oss@crudebyte.com>
cc: v9fs@lists.linux.dev
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/netfs/read_collect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c
index a95e7aadafd07..7a0ffa675fb17 100644
--- a/fs/netfs/read_collect.c
+++ b/fs/netfs/read_collect.c
@@ -137,7 +137,7 @@ static void netfs_read_unlock_folios(struct netfs_io_request *rreq,
rreq->front_folio_order = order;
fsize = PAGE_SIZE << order;
fpos = folio_pos(folio);
- fend = umin(fpos + fsize, rreq->i_size);
+ fend = fpos + fsize;
trace_netfs_collect_folio(rreq, folio, fend, collected_to);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 077/181] pinctrl: mediatek: mt8189: restore previous register base name array order
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 076/181] netfs: Fix early read unlock of page with EOF in middle Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 078/181] crypto: qat - fix duplicate restarting msg during AER error Greg Kroah-Hartman
` (117 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Louis-Alexis Eyraud, Linus Walleij,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
[ Upstream commit fa917d3d570279dc3d699cbd947d0da0fde2e402 ]
In mt8189-pinctrl driver, a previous commit changed the register base
name array (mt8189_pinctrl_register_base_names) entry name and order to
align it with the same name and order as the "mediatek,mt8189-pinctrl"
devicetree bindings. The new order (by ascending register address) now
causes an issue with MT8189 pinctrl configuration.
MT8189 SoC has multiple base addresses for the pin configuration
registers. Several constant data structures, declaring each pin
configuration, are using PIN_FIELD_BASE() macro which i_base parameter
indicates for a given pin the lookup index in the base register address
array of the driver internal data for the configuration register
read/write accesses. But in practice, this parameter is given a
hardcoded numerical value that corresponds to the expected base
register entry index in mt8189_pinctrl_register_base_names array.
Since this array reordering, the i_base index matching is no more
correct.
So, in order to avoid modifying over a thousand of PIN_FIELD_BASE()
calls, restore previous mt8189_pinctrl_register_base_names entry order.
Fixes: 518919276c41 ("pinctrl: mediatek: mt8189: align register base names to dt-bindings ones")
Signed-off-by: Louis-Alexis Eyraud <louisalexis.eyraud@collabora.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/mediatek/pinctrl-mt8189.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/mediatek/pinctrl-mt8189.c b/drivers/pinctrl/mediatek/pinctrl-mt8189.c
index f6a3e584588b0..cd4cdff309a12 100644
--- a/drivers/pinctrl/mediatek/pinctrl-mt8189.c
+++ b/drivers/pinctrl/mediatek/pinctrl-mt8189.c
@@ -1642,7 +1642,7 @@ static const struct mtk_pin_reg_calc mt8189_reg_cals[PINCTRL_PIN_REG_MAX] = {
};
static const char * const mt8189_pinctrl_register_base_names[] = {
- "base", "lm", "rb0", "rb1", "bm0", "bm1", "bm2", "lt0", "lt1", "rt",
+ "base", "bm0", "bm1", "bm2", "lm", "lt0", "lt1", "rb0", "rb1", "rt",
};
static const struct mtk_eint_hw mt8189_eint_hw = {
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 078/181] crypto: qat - fix duplicate restarting msg during AER error
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 077/181] pinctrl: mediatek: mt8189: restore previous register base name array order Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 079/181] arm64: dts: imx8qm-mek: correct the light sensor interrupt type to low level Greg Kroah-Hartman
` (116 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harshita Bhilwaria, Giovanni Cabiddu,
Ahsan Atta, Ravikumar PM, Srikanth Thokala, Herbert Xu,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harshita Bhilwaria <harshita.bhilwaria@intel.com>
[ Upstream commit 961ac9d97be72267255f1ed841aabf6694b17454 ]
The restarting message from PF to VF is sent twice during AER error
handling: once from adf_error_detected() and again from
adf_disable_sriov().
This causes userspace subservices to shutdown unexpectedly when they
receive a duplicate restarting message after already being restarted.
Avoid calling adf_pf2vf_notify_restarting() and
adf_pf2vf_wait_for_restarting_complete() from adf_error_detected() so
that the restarting msg is sent only once from PF to VF.
Fixes: 9567d3dc760931 ("crypto: qat - improve aer error reset handling")
Signed-off-by: Harshita Bhilwaria <harshita.bhilwaria@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Ravikumar PM <ravikumar.pm@intel.com>
Reviewed-by: Srikanth Thokala <srikanth.thokala@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/intel/qat/qat_common/adf_aer.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/crypto/intel/qat/qat_common/adf_aer.c b/drivers/crypto/intel/qat/qat_common/adf_aer.c
index 35679b21ff63b..a098689ab5b75 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_aer.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_aer.c
@@ -41,8 +41,6 @@ static pci_ers_result_t adf_error_detected(struct pci_dev *pdev,
adf_error_notifier(accel_dev);
adf_pf2vf_notify_fatal_error(accel_dev);
adf_dev_restarting_notify(accel_dev);
- adf_pf2vf_notify_restarting(accel_dev);
- adf_pf2vf_wait_for_restarting_complete(accel_dev);
pci_clear_master(pdev);
adf_dev_down(accel_dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 079/181] arm64: dts: imx8qm-mek: correct the light sensor interrupt type to low level
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 078/181] crypto: qat - fix duplicate restarting msg during AER error Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 080/181] arm64: dts: add off-on-delay-us for usdhc2 regulator Greg Kroah-Hartman
` (115 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haibo Chen, Frank Li, Shawn Guo,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
[ Upstream commit e0d8678c2f09dca22e6197321f223fa9a0ca2839 ]
light sensor isl29023 share the interrupt with lsm303arg, but these
two devices use different interrupt type. According to the datasheet
of these two devides, both support low level trigger type, so correct
the interrupt type here to avoid the following error log:
irq: type mismatch, failed to map hwirq-11 for gpio@5d0c0000!
Fixes: 9918092cbb0e ("arm64: dts: imx8qm-mek: add i2c0 and children devices")
Fixes: 1d8a9f043a77 ("arm64: dts: imx8: use defines for interrupts")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
index 9c0b6b8d6459d..d4b13cfd87a92 100644
--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
@@ -560,7 +560,7 @@ light-sensor@44 {
compatible = "isil,isl29023";
reg = <0x44>;
interrupt-parent = <&lsio_gpio4>;
- interrupts = <11 IRQ_TYPE_EDGE_FALLING>;
+ interrupts = <11 IRQ_TYPE_LEVEL_LOW>;
};
pressure-sensor@60 {
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 080/181] arm64: dts: add off-on-delay-us for usdhc2 regulator
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 079/181] arm64: dts: imx8qm-mek: correct the light sensor interrupt type to low level Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 081/181] ARM: dts: imx6q-ba16: fix RTC interrupt level Greg Kroah-Hartman
` (114 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Haibo Chen, Shawn Guo,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
[ Upstream commit ca643894a37a25713029b36cfe7d1bae515cac08 ]
For SD card, according to the spec requirement, for sd card power reset
operation, it need sd card supply voltage to be lower than 0.5v and keep
over 1ms, otherwise, next time power back the sd card supply voltage to
3.3v, sd card can't support SD3.0 mode again.
To match such requirement on imx8qm-mek board, add 4.8ms delay between
sd power off and power on.
Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support")
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
index d4b13cfd87a92..df99fe88cf4ac 100644
--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
@@ -256,6 +256,7 @@ reg_usdhc2_vmmc: usdhc2-vmmc {
regulator-max-microvolt = <3000000>;
gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>;
enable-active-high;
+ off-on-delay-us = <4800>;
};
reg_audio: regulator-audio {
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 081/181] ARM: dts: imx6q-ba16: fix RTC interrupt level
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 080/181] arm64: dts: add off-on-delay-us for usdhc2 regulator Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 6.18 082/181] arm64: dts: freescale: moduline-display: fix compatible Greg Kroah-Hartman
` (113 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Ray, Shawn Guo, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Ray <ian.ray@gehealthcare.com>
[ Upstream commit e6a4eedd49ce27c16a80506c66a04707e0ee0116 ]
RTC interrupt level should be set to "LOW". This was revealed by the
introduction of commit:
f181987ef477 ("rtc: m41t80: use IRQ flags obtained from fwnode")
which changed the way IRQ type is obtained.
Fixes: 56c27310c1b4 ("ARM: dts: imx: Add Advantech BA-16 Qseven module")
Signed-off-by: Ian Ray <ian.ray@gehealthcare.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi b/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi
index 53013b12c2ecb..02d66523668d2 100644
--- a/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi
+++ b/arch/arm/boot/dts/nxp/imx/imx6q-ba16.dtsi
@@ -337,7 +337,7 @@ rtc@32 {
pinctrl-0 = <&pinctrl_rtc>;
reg = <0x32>;
interrupt-parent = <&gpio4>;
- interrupts = <10 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts = <10 IRQ_TYPE_LEVEL_LOW>;
};
};
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 082/181] arm64: dts: freescale: moduline-display: fix compatible
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 081/181] ARM: dts: imx6q-ba16: fix RTC interrupt level Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 083/181] arm64: dts: freescale: tx8p-ml81: fix eqos nvmem-cells Greg Kroah-Hartman
` (112 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maud Spierings, Shawn Guo,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maud Spierings <maudspierings@gocontroll.com>
[ Upstream commit 056c68875122dd342782e5956ed145fe9e059614 ]
The compatibles should include the SoM compatible, this board is based
on the Ka-Ro TX8P-ML81 SoM, so add it to allow using shared code in the
bootloader which uses upstream Linux devicetrees as a base.
Also add the hardware revision to the board compatible to handle
revision specific quirks in the bootloader/userspace.
This is a breaking change, but it is early enough that it can be
corrected without causing any issues.
Fixes: 03f07be54cdc ("arm64: dts: freescale: Add the GOcontroll Moduline Display baseboard")
Signed-off-by: Maud Spierings <maudspierings@gocontroll.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts b/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts
index 88ad422c27603..399230144ce39 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81-moduline-display-106.dts
@@ -9,7 +9,7 @@
#include "imx8mp-tx8p-ml81.dtsi"
/ {
- compatible = "gocontroll,moduline-display", "fsl,imx8mp";
+ compatible = "gocontroll,moduline-display-106", "karo,tx8p-ml81", "fsl,imx8mp";
chassis-type = "embedded";
hardware = "Moduline Display V1.06";
model = "GOcontroll Moduline Display baseboard";
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 083/181] arm64: dts: freescale: tx8p-ml81: fix eqos nvmem-cells
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 6.18 082/181] arm64: dts: freescale: moduline-display: fix compatible Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 084/181] arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics i.MX8M Plus DHCOM Greg Kroah-Hartman
` (111 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maud Spierings, Shawn Guo,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maud Spierings <maudspierings@gocontroll.com>
[ Upstream commit cdf4e631eec5ddd49bb625df9fb144d6ecdd6f15 ]
On this SoM eqos is the primary ethernet interface, Ka-Ro fuses the
address for it in eth_mac1, eth_mac2 seems to be left unfused. In their
downstream u-boot they fetch it from eth_mac1 [1][2], by setting alias
of eqos to ethernet0, the driver then fetches the mac address based on
the alias number.
Set eqos to read from eth_mac1 instead of eth_mac2. Also set fec to
point at eth_mac2 as it may be fused later even though it is disabled
by default.
With this changed barebox is now capable of loading the correct address.
Link: https://github.com/karo-electronics/karo-tx-uboot/blob/380543278410bbf04264d80a3bfbe340b8e62439/drivers/net/dwc_eth_qos.c#L1167 [1]
Link: https://github.com/karo-electronics/karo-tx-uboot/blob/380543278410bbf04264d80a3bfbe340b8e62439/arch/arm/dts/imx8mp-karo.dtsi#L12 [2]
Fixes: bac63d7c5f46 ("arm64: dts: freescale: add Ka-Ro Electronics tx8p-ml81 COM")
Signed-off-by: Maud Spierings <maudspierings@gocontroll.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi
index fe8ba16eb40e7..761ee046eb72e 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-tx8p-ml81.dtsi
@@ -47,6 +47,7 @@ &eqos {
<&clk IMX8MP_SYS_PLL2_100M>,
<&clk IMX8MP_SYS_PLL2_50M>;
assigned-clock-rates = <266000000>, <100000000>, <50000000>;
+ nvmem-cells = <ð_mac1>;
phy-handle = <ðphy0>;
phy-mode = "rmii";
pinctrl-0 = <&pinctrl_eqos>;
@@ -75,6 +76,10 @@ ethphy0: ethernet-phy@0 {
};
};
+&fec {
+ nvmem-cells = <ð_mac2>;
+};
+
&gpio1 {
gpio-line-names = "SODIMM_152",
"SODIMM_42",
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 084/181] arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics i.MX8M Plus DHCOM
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 083/181] arm64: dts: freescale: tx8p-ml81: fix eqos nvmem-cells Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 085/181] arm64: dts: imx8qm-ss-dma: correct the dma channels of lpuart Greg Kroah-Hartman
` (110 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Christoph Niedermaier,
Shawn Guo, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marek.vasut@mailbox.org>
[ Upstream commit c63749a7ddc59ac6ec0b05abfa0a21af9f2c1d38 ]
Add missing 'clocks' property to LAN8740Ai PHY node, to allow the PHY driver
to manage LAN8740Ai CLKIN reference clock supply. This fixes sporadic link
bouncing caused by interruptions on the PHY reference clock, by letting the
PHY driver manage the reference clock and assure there are no interruptions.
This follows the matching PHY driver recommendation described in commit
bedd8d78aba3 ("net: phy: smsc: LAN8710/20: add phy refclk in support")
Fixes: 8d6712695bc8 ("arm64: dts: imx8mp: Add support for DH electronics i.MX8M Plus DHCOM and PDK2")
Signed-off-by: Marek Vasut <marek.vasut@mailbox.org>
Tested-by: Christoph Niedermaier <cniedermaier@dh-electronics.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
index 68c2e0156a5c8..f8303b7e2bd22 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mp-dhcom-som.dtsi
@@ -113,6 +113,7 @@ mdio {
ethphy0f: ethernet-phy@1 { /* SMSC LAN8740Ai */
compatible = "ethernet-phy-id0007.c110",
"ethernet-phy-ieee802.3-c22";
+ clocks = <&clk IMX8MP_CLK_ENET_QOS>;
interrupt-parent = <&gpio3>;
interrupts = <19 IRQ_TYPE_LEVEL_LOW>;
pinctrl-0 = <&pinctrl_ethphy0>;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 085/181] arm64: dts: imx8qm-ss-dma: correct the dma channels of lpuart
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 084/181] arm64: dts: imx8mp: Fix LAN8740Ai PHY reference clock on DH electronics i.MX8M Plus DHCOM Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 086/181] arm64: dts: mba8mx: Fix Ethernet PHY IRQ support Greg Kroah-Hartman
` (109 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sherry Sun, Frank Li,
Alexander Stein, Shawn Guo, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sherry Sun <sherry.sun@nxp.com>
[ Upstream commit a988caeed9d918452aa0a68de2c6e94d86aa43ba ]
The commit 616effc0272b5 ("arm64: dts: imx8: Fix lpuart DMA channel
order") swap uart rx and tx channel at common imx8-ss-dma.dtsi. But miss
update imx8qm-ss-dma.dtsi.
The commit 5a8e9b022e569 ("arm64: dts: imx8qm-ss-dma: Pass lpuart
dma-names") just simple add dma-names as binding doc requirement.
Correct lpuart0 - lpuart3 dma rx and tx channels, and use defines for
the FSL_EDMA_RX flag.
Fixes: 5a8e9b022e56 ("arm64: dts: imx8qm-ss-dma: Pass lpuart dma-names")
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi b/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi
index d4856b8590e0c..e186c31bfd482 100644
--- a/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8qm-ss-dma.dtsi
@@ -171,25 +171,25 @@ &flexcan3 {
&lpuart0 {
compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart";
- dmas = <&edma2 13 0 0>, <&edma2 12 0 1>;
+ dmas = <&edma2 12 0 FSL_EDMA_RX>, <&edma2 13 0 0>;
dma-names = "rx","tx";
};
&lpuart1 {
compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart";
- dmas = <&edma2 15 0 0>, <&edma2 14 0 1>;
+ dmas = <&edma2 14 0 FSL_EDMA_RX>, <&edma2 15 0 0>;
dma-names = "rx","tx";
};
&lpuart2 {
compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart";
- dmas = <&edma2 17 0 0>, <&edma2 16 0 1>;
+ dmas = <&edma2 16 0 FSL_EDMA_RX>, <&edma2 17 0 0>;
dma-names = "rx","tx";
};
&lpuart3 {
compatible = "fsl,imx8qm-lpuart", "fsl,imx8qxp-lpuart";
- dmas = <&edma2 19 0 0>, <&edma2 18 0 1>;
+ dmas = <&edma2 18 0 FSL_EDMA_RX>, <&edma2 19 0 0>;
dma-names = "rx","tx";
};
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 086/181] arm64: dts: mba8mx: Fix Ethernet PHY IRQ support
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 085/181] arm64: dts: imx8qm-ss-dma: correct the dma channels of lpuart Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 087/181] netfilter: nft_set_pipapo: fix range overlap detection Greg Kroah-Hartman
` (108 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Stein, Andrew Lunn,
Shawn Guo, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
[ Upstream commit 89e87d0dc87eb3654c9ae01afc4a18c1c6d1e523 ]
Ethernet PHY interrupt mode is level triggered. Adjust the mode
accordingly.
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Fixes: 70cf622bb16e ("arm64: dts: mba8mx: Add Ethernet PHY IRQ support")
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/mba8mx.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/mba8mx.dtsi b/arch/arm64/boot/dts/freescale/mba8mx.dtsi
index 79daba930ad64..3e41da4d6122b 100644
--- a/arch/arm64/boot/dts/freescale/mba8mx.dtsi
+++ b/arch/arm64/boot/dts/freescale/mba8mx.dtsi
@@ -185,7 +185,7 @@ ethphy0: ethernet-phy@e {
reset-assert-us = <500000>;
reset-deassert-us = <500>;
interrupt-parent = <&expander2>;
- interrupts = <6 IRQ_TYPE_EDGE_FALLING>;
+ interrupts = <6 IRQ_TYPE_LEVEL_LOW>;
};
};
};
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 087/181] netfilter: nft_set_pipapo: fix range overlap detection
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 086/181] arm64: dts: mba8mx: Fix Ethernet PHY IRQ support Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 088/181] netfilter: nft_synproxy: avoid possible data-race on update operation Greg Kroah-Hartman
` (107 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 7711f4bb4b360d9c0ff84db1c0ec91e385625047 ]
set->klen has to be used, not sizeof(). The latter only compares a
single register but a full check of the entire key is needed.
Example:
table ip t {
map s {
typeof iifname . ip saddr : verdict
flags interval
}
}
nft add element t s '{ "lo" . 10.0.0.0/24 : drop }' # no error, expected
nft add element t s '{ "lo" . 10.0.0.0/24 : drop }' # no error, expected
nft add element t s '{ "lo" . 10.0.0.0/8 : drop }' # bug: no error
The 3rd 'add element' should be rejected via -ENOTEMPTY, not -EEXIST,
so userspace / nft can report an error to the user.
The latter is only correct for the 2nd case (re-add of existing element).
As-is, userspace is told that the command was successful, but no elements were
added.
After this patch, 3rd command gives:
Error: Could not process rule: File exists
add element t s { "lo" . 127.0.0.0/8 . "lo" : drop }
^^^^^^^^^^^^^^^^^^^^^^^^^
Fixes: 0eb4b5ee33f2 ("netfilter: nft_set_pipapo: Separate partial and complete overlap cases on insertion")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_set_pipapo.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 112fe46788b6f..6d77a5f0088ad 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1317,8 +1317,8 @@ static int nft_pipapo_insert(const struct net *net, const struct nft_set *set,
else
dup_end = dup_key;
- if (!memcmp(start, dup_key->data, sizeof(*dup_key->data)) &&
- !memcmp(end, dup_end->data, sizeof(*dup_end->data))) {
+ if (!memcmp(start, dup_key->data, set->klen) &&
+ !memcmp(end, dup_end->data, set->klen)) {
*elem_priv = &dup->priv;
return -EEXIST;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 088/181] netfilter: nft_synproxy: avoid possible data-race on update operation
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 087/181] netfilter: nft_set_pipapo: fix range overlap detection Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 089/181] gpiolib: remove unnecessary out of memory messages Greg Kroah-Hartman
` (106 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Florian Westphal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 36a3200575642846a96436d503d46544533bb943 ]
During nft_synproxy eval we are reading nf_synproxy_info struct which
can be modified on update operation concurrently. As nf_synproxy_info
struct fits in 32 bits, use READ_ONCE/WRITE_ONCE annotations.
Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_synproxy.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
index 5d3e518259859..4d3e5a31b4125 100644
--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -48,7 +48,7 @@ static void nft_synproxy_eval_v4(const struct nft_synproxy *priv,
struct tcphdr *_tcph,
struct synproxy_options *opts)
{
- struct nf_synproxy_info info = priv->info;
+ struct nf_synproxy_info info = READ_ONCE(priv->info);
struct net *net = nft_net(pkt);
struct synproxy_net *snet = synproxy_pernet(net);
struct sk_buff *skb = pkt->skb;
@@ -79,7 +79,7 @@ static void nft_synproxy_eval_v6(const struct nft_synproxy *priv,
struct tcphdr *_tcph,
struct synproxy_options *opts)
{
- struct nf_synproxy_info info = priv->info;
+ struct nf_synproxy_info info = READ_ONCE(priv->info);
struct net *net = nft_net(pkt);
struct synproxy_net *snet = synproxy_pernet(net);
struct sk_buff *skb = pkt->skb;
@@ -340,7 +340,7 @@ static void nft_synproxy_obj_update(struct nft_object *obj,
struct nft_synproxy *newpriv = nft_obj_data(newobj);
struct nft_synproxy *priv = nft_obj_data(obj);
- priv->info = newpriv->info;
+ WRITE_ONCE(priv->info, newpriv->info);
}
static struct nft_object_type nft_synproxy_obj_type;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 089/181] gpiolib: remove unnecessary out of memory messages
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 088/181] netfilter: nft_synproxy: avoid possible data-race on update operation Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 090/181] gpiolib: rename GPIO chip printk macros Greg Kroah-Hartman
` (105 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Bartosz Golaszewski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit 0ba6f1ed3808b1f095fbdb490006f0ecd00f52bd ]
We don't need to add additional logs when returning -ENOMEM so remove
unnecessary error messages.
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Stable-dep-of: a7ac22d53d09 ("gpiolib: fix race condition for gdev->srcu")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index cd8800ba5825f..f2ed234b4135e 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -2316,10 +2316,8 @@ int gpiochip_add_pingroup_range(struct gpio_chip *gc,
int ret;
pin_range = kzalloc(sizeof(*pin_range), GFP_KERNEL);
- if (!pin_range) {
- chip_err(gc, "failed to allocate pin ranges\n");
+ if (!pin_range)
return -ENOMEM;
- }
/* Use local offset as range ID */
pin_range->range.id = gpio_offset;
@@ -2379,10 +2377,8 @@ int gpiochip_add_pin_range_with_pins(struct gpio_chip *gc,
int ret;
pin_range = kzalloc(sizeof(*pin_range), GFP_KERNEL);
- if (!pin_range) {
- chip_err(gc, "failed to allocate pin ranges\n");
+ if (!pin_range)
return -ENOMEM;
- }
/* Use local offset as range ID */
pin_range->range.id = gpio_offset;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 090/181] gpiolib: rename GPIO chip printk macros
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 089/181] gpiolib: remove unnecessary out of memory messages Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 091/181] gpiolib: fix race condition for gdev->srcu Greg Kroah-Hartman
` (104 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Bartosz Golaszewski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit d4f335b410ddbe3e99f48f8b5ea78a25041274f1 ]
The chip_$level() macros take struct gpio_chip as argument so make it
follow the convention of using the 'gpiochip_' prefix.
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Stable-dep-of: a7ac22d53d09 ("gpiolib: fix race condition for gdev->srcu")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 2 +-
drivers/gpio/gpiolib-sysfs.c | 2 +-
drivers/gpio/gpiolib.c | 80 ++++++++++++++++++------------------
drivers/gpio/gpiolib.h | 8 ++--
4 files changed, 45 insertions(+), 47 deletions(-)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index d8d93059ac04c..d925e75d1dce1 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -2828,7 +2828,7 @@ int gpiolib_cdev_register(struct gpio_device *gdev, dev_t devt)
if (!gc)
return -ENODEV;
- chip_dbg(gc, "added GPIO chardev (%d:%d)\n", MAJOR(devt), gdev->id);
+ gpiochip_dbg(gc, "added GPIO chardev (%d:%d)\n", MAJOR(devt), gdev->id);
return 0;
}
diff --git a/drivers/gpio/gpiolib-sysfs.c b/drivers/gpio/gpiolib-sysfs.c
index 9a849245b3588..7d5fc1ea2aa54 100644
--- a/drivers/gpio/gpiolib-sysfs.c
+++ b/drivers/gpio/gpiolib-sysfs.c
@@ -1091,7 +1091,7 @@ static int gpiofind_sysfs_register(struct gpio_chip *gc, const void *data)
ret = gpiochip_sysfs_register(gdev);
if (ret)
- chip_err(gc, "failed to register the sysfs entry: %d\n", ret);
+ gpiochip_err(gc, "failed to register the sysfs entry: %d\n", ret);
return 0;
}
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index f2ed234b4135e..9a4395a29f68e 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -921,8 +921,8 @@ static void gpiochip_machine_hog(struct gpio_chip *gc, struct gpiod_hog *hog)
desc = gpiochip_get_desc(gc, hog->chip_hwnum);
if (IS_ERR(desc)) {
- chip_err(gc, "%s: unable to get GPIO desc: %ld\n", __func__,
- PTR_ERR(desc));
+ gpiochip_err(gc, "%s: unable to get GPIO desc: %ld\n",
+ __func__, PTR_ERR(desc));
return;
}
@@ -1124,7 +1124,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
ret = gpiodev_add_to_list_unlocked(gdev);
if (ret) {
- chip_err(gc, "GPIO integer space overlap, cannot add chip\n");
+ gpiochip_err(gc, "GPIO integer space overlap, cannot add chip\n");
goto err_free_label;
}
}
@@ -1528,8 +1528,7 @@ static void gpiochip_set_hierarchical_irqchip(struct gpio_chip *gc,
&parent_hwirq,
&parent_type);
if (ret) {
- chip_err(gc, "skip set-up on hwirq %d\n",
- i);
+ gpiochip_err(gc, "skip set-up on hwirq %d\n", i);
continue;
}
@@ -1542,15 +1541,14 @@ static void gpiochip_set_hierarchical_irqchip(struct gpio_chip *gc,
ret = irq_domain_alloc_irqs(gc->irq.domain, 1,
NUMA_NO_NODE, &fwspec);
if (ret < 0) {
- chip_err(gc,
- "can not allocate irq for GPIO line %d parent hwirq %d in hierarchy domain: %d\n",
- i, parent_hwirq,
- ret);
+ gpiochip_err(gc,
+ "can not allocate irq for GPIO line %d parent hwirq %d in hierarchy domain: %d\n",
+ i, parent_hwirq, ret);
}
}
}
- chip_err(gc, "%s unknown fwnode type proceed anyway\n", __func__);
+ gpiochip_err(gc, "%s unknown fwnode type proceed anyway\n", __func__);
return;
}
@@ -1602,15 +1600,15 @@ static int gpiochip_hierarchy_irq_domain_alloc(struct irq_domain *d,
if (ret)
return ret;
- chip_dbg(gc, "allocate IRQ %d, hwirq %lu\n", irq, hwirq);
+ gpiochip_dbg(gc, "allocate IRQ %d, hwirq %lu\n", irq, hwirq);
ret = girq->child_to_parent_hwirq(gc, hwirq, type,
&parent_hwirq, &parent_type);
if (ret) {
- chip_err(gc, "can't look up hwirq %lu\n", hwirq);
+ gpiochip_err(gc, "can't look up hwirq %lu\n", hwirq);
return ret;
}
- chip_dbg(gc, "found parent hwirq %u\n", parent_hwirq);
+ gpiochip_dbg(gc, "found parent hwirq %u\n", parent_hwirq);
/*
* We set handle_bad_irq because the .set_type() should
@@ -1631,8 +1629,8 @@ static int gpiochip_hierarchy_irq_domain_alloc(struct irq_domain *d,
if (ret)
return ret;
- chip_dbg(gc, "alloc_irqs_parent for %d parent hwirq %d\n",
- irq, parent_hwirq);
+ gpiochip_dbg(gc, "alloc_irqs_parent for %d parent hwirq %d\n",
+ irq, parent_hwirq);
irq_set_lockdep_class(irq, gc->irq.lock_key, gc->irq.request_key);
ret = irq_domain_alloc_irqs_parent(d, irq, 1, &gpio_parent_fwspec);
/*
@@ -1642,9 +1640,9 @@ static int gpiochip_hierarchy_irq_domain_alloc(struct irq_domain *d,
if (irq_domain_is_msi(d->parent) && (ret == -EEXIST))
ret = 0;
if (ret)
- chip_err(gc,
- "failed to allocate parent hwirq %d for hwirq %lu\n",
- parent_hwirq, hwirq);
+ gpiochip_err(gc,
+ "failed to allocate parent hwirq %d for hwirq %lu\n",
+ parent_hwirq, hwirq);
return ret;
}
@@ -1720,7 +1718,7 @@ static struct irq_domain *gpiochip_hierarchy_create_domain(struct gpio_chip *gc)
if (!gc->irq.child_to_parent_hwirq ||
!gc->irq.fwnode) {
- chip_err(gc, "missing irqdomain vital data\n");
+ gpiochip_err(gc, "missing irqdomain vital data\n");
return ERR_PTR(-EINVAL);
}
@@ -1993,7 +1991,7 @@ static void gpiochip_set_irq_hooks(struct gpio_chip *gc)
if (irqchip->flags & IRQCHIP_IMMUTABLE)
return;
- chip_warn(gc, "not an immutable chip, please consider fixing it!\n");
+ gpiochip_warn(gc, "not an immutable chip, please consider fixing it!\n");
if (!irqchip->irq_request_resources &&
!irqchip->irq_release_resources) {
@@ -2009,8 +2007,8 @@ static void gpiochip_set_irq_hooks(struct gpio_chip *gc)
* ...and if so, give a gentle warning that this is bad
* practice.
*/
- chip_info(gc,
- "detected irqchip that is shared with multiple gpiochips: please fix the driver.\n");
+ gpiochip_info(gc,
+ "detected irqchip that is shared with multiple gpiochips: please fix the driver.\n");
return;
}
@@ -2039,7 +2037,8 @@ static int gpiochip_irqchip_add_allocated_domain(struct gpio_chip *gc,
return -EINVAL;
if (gc->to_irq)
- chip_warn(gc, "to_irq is redefined in %s and you shouldn't rely on it\n", __func__);
+ gpiochip_warn(gc, "to_irq is redefined in %s and you shouldn't rely on it\n",
+ __func__);
gc->to_irq = gpiochip_to_irq;
gc->irq.domain = domain;
@@ -2080,7 +2079,7 @@ static int gpiochip_add_irqchip(struct gpio_chip *gc,
return 0;
if (gc->irq.parent_handler && gc->can_sleep) {
- chip_err(gc, "you cannot have chained interrupts on a chip that may sleep\n");
+ gpiochip_err(gc, "you cannot have chained interrupts on a chip that may sleep\n");
return -EINVAL;
}
@@ -2336,7 +2335,7 @@ int gpiochip_add_pingroup_range(struct gpio_chip *gc,
pinctrl_add_gpio_range(pctldev, &pin_range->range);
- chip_dbg(gc, "created GPIO range %d->%d ==> %s PINGRP %s\n",
+ gpiochip_dbg(gc, "created GPIO range %d->%d ==> %s PINGRP %s\n",
gpio_offset, gpio_offset + pin_range->range.npins - 1,
pinctrl_dev_get_devname(pctldev), pin_group);
@@ -2392,19 +2391,18 @@ int gpiochip_add_pin_range_with_pins(struct gpio_chip *gc,
&pin_range->range);
if (IS_ERR(pin_range->pctldev)) {
ret = PTR_ERR(pin_range->pctldev);
- chip_err(gc, "could not create pin range\n");
+ gpiochip_err(gc, "could not create pin range\n");
kfree(pin_range);
return ret;
}
if (pin_range->range.pins)
- chip_dbg(gc, "created GPIO range %d->%d ==> %s %d sparse PIN range { %d, ... }",
- gpio_offset, gpio_offset + npins - 1,
- pinctl_name, npins, pins[0]);
+ gpiochip_dbg(gc, "created GPIO range %d->%d ==> %s %d sparse PIN range { %d, ... }",
+ gpio_offset, gpio_offset + npins - 1,
+ pinctl_name, npins, pins[0]);
else
- chip_dbg(gc, "created GPIO range %d->%d ==> %s PIN %d->%d\n",
- gpio_offset, gpio_offset + npins - 1,
- pinctl_name,
- pin_offset, pin_offset + npins - 1);
+ gpiochip_dbg(gc, "created GPIO range %d->%d ==> %s PIN %d->%d\n",
+ gpio_offset, gpio_offset + npins - 1, pinctl_name,
+ pin_offset, pin_offset + npins - 1);
list_add_tail(&pin_range->node, &gdev->pin_ranges);
@@ -2614,7 +2612,7 @@ struct gpio_desc *gpiochip_request_own_desc(struct gpio_chip *gc,
int ret;
if (IS_ERR(desc)) {
- chip_err(gc, "failed to get GPIO %s descriptor\n", name);
+ gpiochip_err(gc, "failed to get GPIO %s descriptor\n", name);
return desc;
}
@@ -2625,7 +2623,7 @@ struct gpio_desc *gpiochip_request_own_desc(struct gpio_chip *gc,
ret = gpiod_configure_flags(desc, label, lflags, dflags);
if (ret) {
gpiod_free_commit(desc);
- chip_err(gc, "setup of own GPIO %s failed\n", name);
+ gpiochip_err(gc, "setup of own GPIO %s failed\n", name);
return ERR_PTR(ret);
}
@@ -4052,8 +4050,8 @@ int gpiochip_lock_as_irq(struct gpio_chip *gc, unsigned int offset)
int dir = gpiod_get_direction(desc);
if (dir < 0) {
- chip_err(gc, "%s: cannot get GPIO direction\n",
- __func__);
+ gpiochip_err(gc, "%s: cannot get GPIO direction\n",
+ __func__);
return dir;
}
}
@@ -4061,9 +4059,9 @@ int gpiochip_lock_as_irq(struct gpio_chip *gc, unsigned int offset)
/* To be valid for IRQ the line needs to be input or open drain */
if (test_bit(GPIOD_FLAG_IS_OUT, &desc->flags) &&
!test_bit(GPIOD_FLAG_OPEN_DRAIN, &desc->flags)) {
- chip_err(gc,
- "%s: tried to flag a GPIO set as output for IRQ\n",
- __func__);
+ gpiochip_err(gc,
+ "%s: tried to flag a GPIO set as output for IRQ\n",
+ __func__);
return -EIO;
}
@@ -4140,7 +4138,7 @@ int gpiochip_reqres_irq(struct gpio_chip *gc, unsigned int offset)
ret = gpiochip_lock_as_irq(gc, offset);
if (ret) {
- chip_err(gc, "unable to lock HW IRQ %u for IRQ\n", offset);
+ gpiochip_err(gc, "unable to lock HW IRQ %u for IRQ\n", offset);
module_put(gc->gpiodev->owner);
return ret;
}
diff --git a/drivers/gpio/gpiolib.h b/drivers/gpio/gpiolib.h
index 2a003a7311e7a..6ee29d0222393 100644
--- a/drivers/gpio/gpiolib.h
+++ b/drivers/gpio/gpiolib.h
@@ -309,13 +309,13 @@ do { \
/* With chip prefix */
-#define chip_err(gc, fmt, ...) \
+#define gpiochip_err(gc, fmt, ...) \
dev_err(&gc->gpiodev->dev, "(%s): " fmt, gc->label, ##__VA_ARGS__)
-#define chip_warn(gc, fmt, ...) \
+#define gpiochip_warn(gc, fmt, ...) \
dev_warn(&gc->gpiodev->dev, "(%s): " fmt, gc->label, ##__VA_ARGS__)
-#define chip_info(gc, fmt, ...) \
+#define gpiochip_info(gc, fmt, ...) \
dev_info(&gc->gpiodev->dev, "(%s): " fmt, gc->label, ##__VA_ARGS__)
-#define chip_dbg(gc, fmt, ...) \
+#define gpiochip_dbg(gc, fmt, ...) \
dev_dbg(&gc->gpiodev->dev, "(%s): " fmt, gc->label, ##__VA_ARGS__)
#endif /* GPIOLIB_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 091/181] gpiolib: fix race condition for gdev->srcu
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 090/181] gpiolib: rename GPIO chip printk macros Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 092/181] gpio: pca953x: handle short interrupt pulses on PCAL devices Greg Kroah-Hartman
` (103 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Lewalski, Paweł Narewski,
Bartosz Golaszewski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paweł Narewski <pawel.narewski@nokia.com>
[ Upstream commit a7ac22d53d0990152b108c3f4fe30df45fcb0181 ]
If two drivers were calling gpiochip_add_data_with_key(), one may be
traversing the srcu-protected list in gpio_name_to_desc(), meanwhile
other has just added its gdev in gpiodev_add_to_list_unlocked().
This creates a non-mutexed and non-protected timeframe, when one
instance is dereferencing and using &gdev->srcu, before the other
has initialized it, resulting in crash:
[ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000
[ 4.943396] Mem abort info:
[ 4.943400] ESR = 0x0000000096000005
[ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits
[ 4.943407] SET = 0, FnV = 0
[ 4.943410] EA = 0, S1PTW = 0
[ 4.943413] FSC = 0x05: level 1 translation fault
[ 4.943416] Data abort info:
[ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000
[ 4.961449] [ffff800272bcc000] pgd=0000000000000000
[ 4.969203] , p4d=1000000039739003
[ 4.979730] , pud=0000000000000000
[ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node "reset"
[ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
...
[ 5.121359] pc : __srcu_read_lock+0x44/0x98
[ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0
[ 5.153671] sp : ffff8000833bb430
[ 5.298440]
[ 5.298443] Call trace:
[ 5.298445] __srcu_read_lock+0x44/0x98
[ 5.309484] gpio_name_to_desc+0x60/0x1a0
[ 5.320692] gpiochip_add_data_with_key+0x488/0xf00
5.946419] ---[ end trace 0000000000000000 ]---
Move initialization code for gdev fields before it is added to
gpio_devices, with adjacent initialization code.
Adjust goto statements to reflect modified order of operations
Fixes: 47d8b4c1d868 ("gpio: add SRCU infrastructure to struct gpio_device")
Reviewed-by: Jakub Lewalski <jakub.lewalski@nokia.com>
Signed-off-by: Paweł Narewski <pawel.narewski@nokia.com>
[Bartosz: fixed a build issue, removed stray newline]
Link: https://lore.kernel.org/r/20251224082641.10769-1-bartosz.golaszewski@oss.qualcomm.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib.c | 40 ++++++++++++++++++++--------------------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 9a4395a29f68e..9aa6ddf6389cc 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -1091,6 +1091,18 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
gdev->ngpio = gc->ngpio;
gdev->can_sleep = gc->can_sleep;
+ rwlock_init(&gdev->line_state_lock);
+ RAW_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier);
+ BLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier);
+
+ ret = init_srcu_struct(&gdev->srcu);
+ if (ret)
+ goto err_free_label;
+
+ ret = init_srcu_struct(&gdev->desc_srcu);
+ if (ret)
+ goto err_cleanup_gdev_srcu;
+
scoped_guard(mutex, &gpio_devices_lock) {
/*
* TODO: this allocates a Linux GPIO number base in the global
@@ -1105,7 +1117,7 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
if (base < 0) {
ret = base;
base = 0;
- goto err_free_label;
+ goto err_cleanup_desc_srcu;
}
/*
@@ -1125,22 +1137,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
ret = gpiodev_add_to_list_unlocked(gdev);
if (ret) {
gpiochip_err(gc, "GPIO integer space overlap, cannot add chip\n");
- goto err_free_label;
+ goto err_cleanup_desc_srcu;
}
}
- rwlock_init(&gdev->line_state_lock);
- RAW_INIT_NOTIFIER_HEAD(&gdev->line_state_notifier);
- BLOCKING_INIT_NOTIFIER_HEAD(&gdev->device_notifier);
-
- ret = init_srcu_struct(&gdev->srcu);
- if (ret)
- goto err_remove_from_list;
-
- ret = init_srcu_struct(&gdev->desc_srcu);
- if (ret)
- goto err_cleanup_gdev_srcu;
-
#ifdef CONFIG_PINCTRL
INIT_LIST_HEAD(&gdev->pin_ranges);
#endif
@@ -1150,11 +1150,11 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
ret = gpiochip_set_names(gc);
if (ret)
- goto err_cleanup_desc_srcu;
+ goto err_remove_from_list;
ret = gpiochip_init_valid_mask(gc);
if (ret)
- goto err_cleanup_desc_srcu;
+ goto err_remove_from_list;
for (desc_index = 0; desc_index < gc->ngpio; desc_index++) {
struct gpio_desc *desc = &gdev->descs[desc_index];
@@ -1227,10 +1227,6 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
of_gpiochip_remove(gc);
err_free_valid_mask:
gpiochip_free_valid_mask(gc);
-err_cleanup_desc_srcu:
- cleanup_srcu_struct(&gdev->desc_srcu);
-err_cleanup_gdev_srcu:
- cleanup_srcu_struct(&gdev->srcu);
err_remove_from_list:
scoped_guard(mutex, &gpio_devices_lock)
list_del_rcu(&gdev->list);
@@ -1240,6 +1236,10 @@ int gpiochip_add_data_with_key(struct gpio_chip *gc, void *data,
gpio_device_put(gdev);
goto err_print_message;
}
+err_cleanup_desc_srcu:
+ cleanup_srcu_struct(&gdev->desc_srcu);
+err_cleanup_gdev_srcu:
+ cleanup_srcu_struct(&gdev->srcu);
err_free_label:
kfree_const(gdev->label);
err_free_descs:
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 092/181] gpio: pca953x: handle short interrupt pulses on PCAL devices
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 091/181] gpiolib: fix race condition for gdev->srcu Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 093/181] netfilter: nf_tables: fix memory leak in nf_tables_newrule() Greg Kroah-Hartman
` (102 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ernest Van Hoecke, Andy Shevchenko,
Bartosz Golaszewski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ernest Van Hoecke <ernest.vanhoecke@toradex.com>
[ Upstream commit 014a17deb41201449f76df2b20c857a9c3294a7c ]
GPIO drivers with latch input support may miss short pulses on input
pins even when input latching is enabled. The generic interrupt logic in
the pca953x driver reports interrupts by comparing the current input
value against the previously sampled one and only signals an event when
a level change is observed between two reads.
For short pulses, the first edge is captured when the input register is
read, but if the signal returns to its previous level before the read,
the second edge is not observed. As a result, successive pulses can
produce identical input values at read time and no level change is
detected, causing interrupts to be missed. Below timing diagram shows
this situation where the top signal is the input pin level and the
bottom signal indicates the latched value.
─────┐ ┌──*───────────────┐ ┌──*─────────────────┐ ┌──*───
│ │ . │ │ . │ │ .
│ │ │ │ │ │ │ │ │
└──*──┘ │ └──*──┘ │ └──*──┘ │
Input │ │ │ │ │ │
▼ │ ▼ │ ▼ │
IRQ │ IRQ │ IRQ │
. . .
─────┐ .┌──────────────┐ .┌────────────────┐ .┌──
│ │ │ │ │ │
│ │ │ │ │ │
└────────*┘ └────────*┘ └────────*┘
Latched │ │ │
▼ ▼ ▼
READ 0 READ 0 READ 0
NO CHANGE NO CHANGE
PCAL variants provide an interrupt status register that records which
pins triggered an interrupt, but the status and input registers cannot
be read atomically. The interrupt status is only cleared when the input
port is read, and the input value must also be read to determine the
triggering edge. If another interrupt occurs on a different line after
the status register has been read but before the input register is
sampled, that event will not be reflected in the earlier status
snapshot, so relying solely on the interrupt status register is also
insufficient.
Support for input latching and interrupt status handling was previously
added by [1], but the interrupt status-based logic was reverted by [2]
due to these issues. This patch addresses the original problem by
combining both sources of information. Events indicated by the interrupt
status register are merged with events detected through the existing
level-change logic. As a result:
* short pulses, whose second edges are invisible, are detected via the
interrupt status register, and
* interrupts that occur between the status and input reads are still
caught by the generic level-change logic.
This significantly improves robustness on devices that signal interrupts
as short pulses, while avoiding the issues that led to the earlier
reversion. In practice, even if only the first edge of a pulse is
observable, the interrupt is reliably detected.
This fixes missed interrupts from an Ilitek touch controller with its
interrupt line connected to a PCAL6416A, where active-low pulses are
approximately 200 us long.
[1] commit 44896beae605 ("gpio: pca953x: add PCAL9535 interrupt support for Galileo Gen2")
[2] commit d6179f6c6204 ("gpio: pca953x: Improve interrupt support")
Fixes: d6179f6c6204 ("gpio: pca953x: Improve interrupt support")
Signed-off-by: Ernest Van Hoecke <ernest.vanhoecke@toradex.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20251217153050.142057-1-ernestvanhoecke@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-pca953x.c | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
index b46927f550389..b2de916107f42 100644
--- a/drivers/gpio/gpio-pca953x.c
+++ b/drivers/gpio/gpio-pca953x.c
@@ -940,14 +940,35 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin
DECLARE_BITMAP(old_stat, MAX_LINE);
DECLARE_BITMAP(cur_stat, MAX_LINE);
DECLARE_BITMAP(new_stat, MAX_LINE);
+ DECLARE_BITMAP(int_stat, MAX_LINE);
DECLARE_BITMAP(trigger, MAX_LINE);
DECLARE_BITMAP(edges, MAX_LINE);
int ret;
+ if (chip->driver_data & PCA_PCAL) {
+ /* Read INT_STAT before it is cleared by the input-port read. */
+ ret = pca953x_read_regs(chip, PCAL953X_INT_STAT, int_stat);
+ if (ret)
+ return false;
+ }
+
ret = pca953x_read_regs(chip, chip->regs->input, cur_stat);
if (ret)
return false;
+ if (chip->driver_data & PCA_PCAL) {
+ /* Detect short pulses via INT_STAT. */
+ bitmap_and(trigger, int_stat, chip->irq_mask, gc->ngpio);
+
+ /* Apply filter for rising/falling edge selection. */
+ bitmap_replace(new_stat, chip->irq_trig_fall, chip->irq_trig_raise,
+ cur_stat, gc->ngpio);
+
+ bitmap_and(int_stat, new_stat, trigger, gc->ngpio);
+ } else {
+ bitmap_zero(int_stat, gc->ngpio);
+ }
+
/* Remove output pins from the equation */
pca953x_read_regs(chip, chip->regs->direction, reg_direction);
@@ -961,7 +982,8 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin
if (bitmap_empty(chip->irq_trig_level_high, gc->ngpio) &&
bitmap_empty(chip->irq_trig_level_low, gc->ngpio)) {
- if (bitmap_empty(trigger, gc->ngpio))
+ if (bitmap_empty(trigger, gc->ngpio) &&
+ bitmap_empty(int_stat, gc->ngpio))
return false;
}
@@ -969,6 +991,7 @@ static bool pca953x_irq_pending(struct pca953x_chip *chip, unsigned long *pendin
bitmap_and(old_stat, chip->irq_trig_raise, new_stat, gc->ngpio);
bitmap_or(edges, old_stat, cur_stat, gc->ngpio);
bitmap_and(pending, edges, trigger, gc->ngpio);
+ bitmap_or(pending, pending, int_stat, gc->ngpio);
bitmap_and(cur_stat, new_stat, chip->irq_trig_level_high, gc->ngpio);
bitmap_and(cur_stat, cur_stat, chip->irq_mask, gc->ngpio);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 093/181] netfilter: nf_tables: fix memory leak in nf_tables_newrule()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 092/181] gpio: pca953x: handle short interrupt pulses on PCAL devices Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 094/181] netfilter: nf_conncount: update last_gc only when GC has been performed Greg Kroah-Hartman
` (101 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Florian Westphal,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit d077e8119ddbb4fca67540f1a52453631a47f221 ]
In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to
the err_release_rule label without freeing the allocated flow, leading
to a memory leak.
Fix this by adding a new label err_destroy_flow and jumping to it when
nft_use_inc() fails. This ensures that the flow is properly released
in this error case.
Fixes: 1689f25924ada ("netfilter: nf_tables: report use refcount overflow")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1a204f6371ad1..a3669acd68a32 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4378,7 +4378,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
if (!nft_use_inc(&chain->use)) {
err = -EMFILE;
- goto err_release_rule;
+ goto err_destroy_flow;
}
if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
@@ -4428,6 +4428,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
err_destroy_flow_rule:
nft_use_dec_restore(&chain->use);
+err_destroy_flow:
if (flow)
nft_flow_rule_destroy(flow);
err_release_rule:
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 094/181] netfilter: nf_conncount: update last_gc only when GC has been performed
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 093/181] netfilter: nf_tables: fix memory leak in nf_tables_newrule() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 095/181] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure Greg Kroah-Hartman
` (100 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Florian Westphal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 7811ba452402d58628e68faedf38745b3d485e3c ]
Currently last_gc is being updated everytime a new connection is
tracked, that means that it is updated even if a GC wasn't performed.
With a sufficiently high packet rate, it is possible to always bypass
the GC, causing the list to grow infinitely.
Update the last_gc value only when a GC has been actually performed.
Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conncount.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 3c1b155f7a0ea..828d5c64c68a3 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -229,6 +229,7 @@ static int __nf_conncount_add(struct net *net,
nf_ct_put(found_ct);
}
+ list->last_gc = (u32)jiffies;
add_new_node:
if (WARN_ON_ONCE(list->count > INT_MAX)) {
@@ -248,7 +249,6 @@ static int __nf_conncount_add(struct net *net,
conn->jiffies32 = (u32)jiffies;
list_add_tail(&conn->node, &list->head);
list->count++;
- list->last_gc = (u32)jiffies;
out_put:
if (refcounted)
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 095/181] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 094/181] netfilter: nf_conncount: update last_gc only when GC has been performed Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 096/181] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress Greg Kroah-Hartman
` (99 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Elad Nachman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit a428e0da1248c353557970848994f35fd3f005e2 ]
devlink_alloc() may return NULL on allocation failure, but
prestera_devlink_alloc() unconditionally calls devlink_priv() on
the returned pointer.
This leads to a NULL pointer dereference if devlink allocation fails.
Add a check for a NULL devlink pointer and return NULL early to avoid
the crash.
Fixes: 34dd1710f5a3 ("net: marvell: prestera: Add basic devlink support")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Acked-by: Elad Nachman <enachman@marvell.com>
Link: https://patch.msgid.link/20251230052124.897012-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/prestera/prestera_devlink.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c
index 2a4c9df4eb797..e63d95c1842f3 100644
--- a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c
+++ b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c
@@ -387,6 +387,8 @@ struct prestera_switch *prestera_devlink_alloc(struct prestera_device *dev)
dl = devlink_alloc(&prestera_dl_ops, sizeof(struct prestera_switch),
dev->dev);
+ if (!dl)
+ return NULL;
return devlink_priv(dl);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 096/181] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 095/181] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 097/181] net: mscc: ocelot: Fix crash when adding interface under a lag Greg Kroah-Hartman
` (98 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Knecht, Ido Schimmel,
Nikolay Aleksandrov, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Knecht <knecht.alexandre@gmail.com>
[ Upstream commit 3128df6be147768fe536986fbb85db1d37806a9f ]
When using an 802.1ad bridge with vlan_tunnel, the C-VLAN tag is
incorrectly stripped from frames during egress processing.
br_handle_egress_vlan_tunnel() uses skb_vlan_pop() to remove the S-VLAN
from hwaccel before VXLAN encapsulation. However, skb_vlan_pop() also
moves any "next" VLAN from the payload into hwaccel:
/* move next vlan tag to hw accel tag */
__skb_vlan_pop(skb, &vlan_tci);
__vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci);
For QinQ frames where the C-VLAN sits in the payload, this moves it to
hwaccel where it gets lost during VXLAN encapsulation.
Fix by calling __vlan_hwaccel_clear_tag() directly, which clears only
the hwaccel S-VLAN and leaves the payload untouched.
This path is only taken when vlan_tunnel is enabled and tunnel_info
is configured, so 802.1Q bridges are unaffected.
Tested with 802.1ad bridge + VXLAN vlan_tunnel, verified C-VLAN
preserved in VXLAN payload via tcpdump.
Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths")
Signed-off-by: Alexandre Knecht <knecht.alexandre@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20251228020057.2788865-1-knecht.alexandre@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_vlan_tunnel.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c
index a966a6ec82634..257cae9f15698 100644
--- a/net/bridge/br_vlan_tunnel.c
+++ b/net/bridge/br_vlan_tunnel.c
@@ -189,7 +189,6 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
IP_TUNNEL_DECLARE_FLAGS(flags) = { };
struct metadata_dst *tunnel_dst;
__be64 tunnel_id;
- int err;
if (!vlan)
return 0;
@@ -199,9 +198,13 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
return 0;
skb_dst_drop(skb);
- err = skb_vlan_pop(skb);
- if (err)
- return err;
+ /* For 802.1ad (QinQ), skb_vlan_pop() incorrectly moves the C-VLAN
+ * from payload to hwaccel after clearing S-VLAN. We only need to
+ * clear the hwaccel S-VLAN; the C-VLAN must stay in payload for
+ * correct VXLAN encapsulation. This is also correct for 802.1Q
+ * where no C-VLAN exists in payload.
+ */
+ __vlan_hwaccel_clear_tag(skb);
if (BR_INPUT_SKB_CB(skb)->backup_nhid) {
__set_bit(IP_TUNNEL_KEY_BIT, flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 097/181] net: mscc: ocelot: Fix crash when adding interface under a lag
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 096/181] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 098/181] inet: ping: Fix icmp out counting Greg Kroah-Hartman
` (97 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jerry Wu, Vladimir Oltean,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerry Wu <w.7erry@foxmail.com>
[ Upstream commit 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 ]
Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")
fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.
The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic
and is susceptible to the same crash.
This issue specifically affects the ocelot_vsc7514.c frontend, which leaves
unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as
it uses the DSA framework which registers all ports.
Fix this by checking if the port pointer is valid before accessing it.
Fixes: 528d3f190c98 ("net: mscc: ocelot: drop the use of the "lags" array")
Signed-off-by: Jerry Wu <w.7erry@foxmail.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/tencent_75EF812B305E26B0869C673DD1160866C90A@qq.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mscc/ocelot.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
index 08bee56aea35f..c345d9b17c892 100644
--- a/drivers/net/ethernet/mscc/ocelot.c
+++ b/drivers/net/ethernet/mscc/ocelot.c
@@ -2307,14 +2307,16 @@ static void ocelot_set_aggr_pgids(struct ocelot *ocelot)
/* Now, set PGIDs for each active LAG */
for (lag = 0; lag < ocelot->num_phys_ports; lag++) {
- struct net_device *bond = ocelot->ports[lag]->bond;
+ struct ocelot_port *ocelot_port = ocelot->ports[lag];
int num_active_ports = 0;
+ struct net_device *bond;
unsigned long bond_mask;
u8 aggr_idx[16];
- if (!bond || (visited & BIT(lag)))
+ if (!ocelot_port || !ocelot_port->bond || (visited & BIT(lag)))
continue;
+ bond = ocelot_port->bond;
bond_mask = ocelot_get_bond_mask(ocelot, bond);
for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports) {
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 098/181] inet: ping: Fix icmp out counting
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 097/181] net: mscc: ocelot: Fix crash when adding interface under a lag Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 099/181] net: phy: mxl-86110: Add power management and soft reset support Greg Kroah-Hartman
` (96 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, yuan.gao, Ido Schimmel,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: yuan.gao <yuan.gao@ucloud.cn>
[ Upstream commit 4c0856c225b39b1def6c9a6bc56faca79550da13 ]
When the ping program uses an IPPROTO_ICMP socket to send ICMP_ECHO
messages, ICMP_MIB_OUTMSGS is counted twice.
ping_v4_sendmsg
ping_v4_push_pending_frames
ip_push_pending_frames
ip_finish_skb
__ip_make_skb
icmp_out_count(net, icmp_type); // first count
icmp_out_count(sock_net(sk), user_icmph.type); // second count
However, when the ping program uses an IPPROTO_RAW socket,
ICMP_MIB_OUTMSGS is counted correctly only once.
Therefore, the first count should be removed.
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Signed-off-by: yuan.gao <yuan.gao@ucloud.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20251224063145.3615282-1-yuan.gao@ucloud.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ping.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 5321c5801c64d..a5227d23bb0b5 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -828,10 +828,8 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
out_free:
if (free)
kfree(ipc.opt);
- if (!err) {
- icmp_out_count(sock_net(sk), user_icmph.type);
+ if (!err)
return len;
- }
return err;
do_confirm:
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 099/181] net: phy: mxl-86110: Add power management and soft reset support
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 098/181] inet: ping: Fix icmp out counting Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 100/181] net: sock: fix hardened usercopy panic in sock_recv_errqueue Greg Kroah-Hartman
` (95 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefano Radaelli, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Radaelli <stefano.r@variscite.com>
[ Upstream commit 62f7edd59964eb588e96fce1ad35a2327ea54424 ]
Implement soft_reset, suspend, and resume callbacks using
genphy_soft_reset(), genphy_suspend(), and genphy_resume()
to fix PHY initialization and power management issues.
The soft_reset callback is needed to properly recover the PHY after an
ifconfig down/up cycle. Without it, the PHY can remain in power-down
state, causing MDIO register access failures during config_init().
The soft reset ensures the PHY is operational before configuration.
The suspend/resume callbacks enable proper power management during
system suspend/resume cycles.
Fixes: b2908a989c59 ("net: phy: add driver for MaxLinear MxL86110 PHY")
Signed-off-by: Stefano Radaelli <stefano.r@variscite.com>
Link: https://patch.msgid.link/20251223120940.407195-1-stefano.r@variscite.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mxl-86110.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/phy/mxl-86110.c b/drivers/net/phy/mxl-86110.c
index e5d137a37a1d4..42a5fe3f115f4 100644
--- a/drivers/net/phy/mxl-86110.c
+++ b/drivers/net/phy/mxl-86110.c
@@ -938,6 +938,9 @@ static struct phy_driver mxl_phy_drvs[] = {
PHY_ID_MATCH_EXACT(PHY_ID_MXL86110),
.name = "MXL86110 Gigabit Ethernet",
.config_init = mxl86110_config_init,
+ .suspend = genphy_suspend,
+ .resume = genphy_resume,
+ .soft_reset = genphy_soft_reset,
.get_wol = mxl86110_get_wol,
.set_wol = mxl86110_set_wol,
.led_brightness_set = mxl86110_led_brightness_set,
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 100/181] net: sock: fix hardened usercopy panic in sock_recv_errqueue
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 099/181] net: phy: mxl-86110: Add power management and soft reset support Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 101/181] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates Greg Kroah-Hartman
` (94 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 ]
skbuff_fclone_cache was created without defining a usercopy region,
[1] unlike skbuff_head_cache which properly whitelists the cb[] field.
[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is
enabled and the kernel attempts to copy sk_buff.cb data to userspace
via sock_recv_errqueue() -> put_cmsg().
The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()
(from skbuff_fclone_cache) [1]
2. The skb is cloned via skb_clone() using the pre-allocated fclone
[3] 3. The cloned skb is queued to sk_error_queue for timestamp
reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)
5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb
[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no
usercopy whitelist [5]
When cloned skbs allocated from skbuff_fclone_cache are used in the
socket error queue, accessing the sock_exterr_skb structure in skb->cb
via put_cmsg() triggers a usercopy hardening violation:
[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)!
[ 5.382796] kernel BUG at mm/usercopy.c:102!
[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7
[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80
[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490
[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246
[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74
[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0
[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74
[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001
[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00
[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000
[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0
[ 5.384903] PKRU: 55555554
[ 5.384903] Call Trace:
[ 5.384903] <TASK>
[ 5.384903] __check_heap_object+0x9a/0xd0
[ 5.384903] __check_object_size+0x46c/0x690
[ 5.384903] put_cmsg+0x129/0x5e0
[ 5.384903] sock_recv_errqueue+0x22f/0x380
[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? schedule+0x6d/0x270
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? mutex_unlock+0x81/0xd0
[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10
[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10
[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0
[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
The crash offset 296 corresponds to skb2->cb within skbuff_fclones:
- sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -
offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =
272 + 24 (inside sock_exterr_skb.ee)
This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.
[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885
[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104
[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566
[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491
[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719
Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251223203534.1392218-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/sock.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/core/sock.c b/net/core/sock.c
index dc03d4b5909a2..5a38837a58384 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3836,7 +3836,7 @@ void sock_enable_timestamp(struct sock *sk, enum sock_flags flag)
int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
int level, int type)
{
- struct sock_exterr_skb *serr;
+ struct sock_extended_err ee;
struct sk_buff *skb;
int copied, err;
@@ -3856,8 +3856,9 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
sock_recv_timestamp(msg, sk, skb);
- serr = SKB_EXT_ERR(skb);
- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee);
+ /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */
+ ee = SKB_EXT_ERR(skb)->ee;
+ put_cmsg(msg, level, type, sizeof(ee), &ee);
msg->msg_flags |= MSG_ERRQUEUE;
err = copied;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 101/181] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 100/181] net: sock: fix hardened usercopy panic in sock_recv_errqueue Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 102/181] net/mlx5: Lag, multipath, give priority for routes with smaller network prefix Greg Kroah-Hartman
` (93 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Di Zhu, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Di Zhu <zhud@hygon.cn>
[ Upstream commit 02d1e1a3f9239cdb3ecf2c6d365fb959d1bf39df ]
Directly increment the TSO features incurs a side effect: it will also
directly clear the flags in NETIF_F_ALL_FOR_ALL on the master device,
which can cause issues such as the inability to enable the nocache copy
feature on the bonding driver.
The fix is to include NETIF_F_ALL_FOR_ALL in the update mask, thereby
preventing it from being cleared.
Fixes: b0ce3508b25e ("bonding: allow TSO being set on bonding master")
Signed-off-by: Di Zhu <zhud@hygon.cn>
Link: https://patch.msgid.link/20251224012224.56185-1-zhud@hygon.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdevice.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 77c46a2823eca..c6c04cd0a6816 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -5299,7 +5299,8 @@ netdev_features_t netdev_increment_features(netdev_features_t all,
static inline netdev_features_t netdev_add_tso_features(netdev_features_t features,
netdev_features_t mask)
{
- return netdev_increment_features(features, NETIF_F_ALL_TSO, mask);
+ return netdev_increment_features(features, NETIF_F_ALL_TSO |
+ NETIF_F_ALL_FOR_ALL, mask);
}
int __netdev_update_features(struct net_device *dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 102/181] net/mlx5: Lag, multipath, give priority for routes with smaller network prefix
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 101/181] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 103/181] net/mlx5e: Dont gate FEC histograms on ppcnt_statistical_group Greg Kroah-Hartman
` (92 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrisious Haddad, Mark Bloch,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrisious Haddad <phaddad@nvidia.com>
[ Upstream commit 31057979cdadfee9f934746fd84046b43506ba61 ]
Today multipath offload is controlled by a single route and the route
controlling is selected if it meets one of the following criteria:
1. No controlling route is set.
2. New route destination is the same as old one.
3. New route metric is lower than old route metric.
This can cause unwanted behaviour in case a new route is added
with a smaller network prefix which should get the priority.
Fix this by adding a new criteria to give priority to new route with
a smaller network prefix.
Fixes: ad11c4f1d8fd ("net/mlx5e: Lag, Only handle events from highest priority multipath entry")
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20251225132717.358820-2-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c
index aee17fcf3b36c..cdc99fe5c9568 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lag/mp.c
@@ -173,10 +173,15 @@ static void mlx5_lag_fib_route_event(struct mlx5_lag *ldev, unsigned long event,
}
/* Handle multipath entry with lower priority value */
- if (mp->fib.mfi && mp->fib.mfi != fi &&
+ if (mp->fib.mfi &&
(mp->fib.dst != fen_info->dst || mp->fib.dst_len != fen_info->dst_len) &&
- fi->fib_priority >= mp->fib.priority)
+ mp->fib.dst_len <= fen_info->dst_len &&
+ !(mp->fib.dst_len == fen_info->dst_len &&
+ fi->fib_priority < mp->fib.priority)) {
+ mlx5_core_dbg(ldev->pf[idx].dev,
+ "Multipath entry with lower priority was rejected\n");
return;
+ }
nh_dev0 = mlx5_lag_get_next_fib_dev(ldev, fi, NULL);
nh_dev1 = mlx5_lag_get_next_fib_dev(ldev, fi, nh_dev0);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 103/181] net/mlx5e: Dont gate FEC histograms on ppcnt_statistical_group
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 102/181] net/mlx5: Lag, multipath, give priority for routes with smaller network prefix Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 104/181] net/mlx5e: Dont print error message due to invalid module Greg Kroah-Hartman
` (91 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexei Lazar, Tariq Toukan,
Mark Bloch, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Lazar <alazar@nvidia.com>
[ Upstream commit 6c75dc9de40ff91ec2b621b78f6cd9031762067c ]
Currently, the ppcnt_statistical_group capability check
incorrectly gates access to FEC histogram statistics.
This capability applies only to statistical and physical
counter groups, not for histogram data.
Restrict the ppcnt_statistical_group check to the
Physical_Layer_Counters and Physical_Layer_Statistical_Counters
groups.
Histogram statistics access remains gated by the pphcr
capability.
The issue is harmless as of today, as it happens that
ppcnt_statistical_group is set on all existing devices that
have pphcr set.
Fixes: 6b81b8a0b197 ("net/mlx5e: Don't query FEC statistics when FEC is disabled")
Signed-off-by: Alexei Lazar <alazar@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20251225132717.358820-3-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_stats.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
index a2802cfc9b989..a8af84fc97638 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.c
@@ -1608,12 +1608,13 @@ void mlx5e_stats_fec_get(struct mlx5e_priv *priv,
{
int mode = fec_active_mode(priv->mdev);
- if (mode == MLX5E_FEC_NOFEC ||
- !MLX5_CAP_PCAM_FEATURE(priv->mdev, ppcnt_statistical_group))
+ if (mode == MLX5E_FEC_NOFEC)
return;
- fec_set_corrected_bits_total(priv, fec_stats);
- fec_set_block_stats(priv, mode, fec_stats);
+ if (MLX5_CAP_PCAM_FEATURE(priv->mdev, ppcnt_statistical_group)) {
+ fec_set_corrected_bits_total(priv, fec_stats);
+ fec_set_block_stats(priv, mode, fec_stats);
+ }
if (MLX5_CAP_PCAM_REG(priv->mdev, pphcr))
fec_set_histograms_stats(priv, mode, hist);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 104/181] net/mlx5e: Dont print error message due to invalid module
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 103/181] net/mlx5e: Dont gate FEC histograms on ppcnt_statistical_group Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 105/181] net/mlx5e: Dealloc forgotten PSP RX modify header Greg Kroah-Hartman
` (90 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Tariq Toukan,
Mark Bloch, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 144297e2a24e3e54aee1180ec21120ea38822b97 ]
Dumping module EEPROM on newer modules is supported through the netlink
interface only.
Querying with old userspace ethtool (or other tools, such as 'lshw')
which still uses the ioctl interface results in an error message that
could flood dmesg (in addition to the expected error return value).
The original message was added under the assumption that the driver
should be able to handle all module types, but now that such flows are
easily triggered from userspace, it doesn't serve its purpose.
Change the log level of the print in mlx5_query_module_eeprom() to
debug.
Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20251225132717.358820-5-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/port.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c
index aa9f2b0a77d36..876e648c91ba8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
@@ -430,7 +430,8 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
mlx5_qsfp_eeprom_params_set(&query.i2c_address, &query.page, &offset);
break;
default:
- mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id);
+ mlx5_core_dbg(dev, "Module ID not recognized: 0x%x\n",
+ module_id);
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 105/181] net/mlx5e: Dealloc forgotten PSP RX modify header
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 104/181] net/mlx5e: Dont print error message due to invalid module Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 106/181] net/ena: fix missing lock when update devlink params Greg Kroah-Hartman
` (89 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Ratiu, Dragos Tatulea,
Tariq Toukan, Mark Bloch, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cosmin Ratiu <cratiu@nvidia.com>
[ Upstream commit 0462a15d2d1fafd3d48cf3c7c67393e42d03908c ]
The commit which added RX steering rules for PSP forgot to free a modify
header HW object on the cleanup path, which lead to health errors when
reloading the driver and uninitializing the device:
mlx5_core 0000:08:00.0: poll_health:803:(pid 3021): Fatal error 3 detected
Fix that by saving the modify header pointer in the PSP steering struct
and deallocating it after freeing the rule which references it.
Fixes: 9536fbe10c9d ("net/mlx5e: Add PSP steering in local NIC RX")
Signed-off-by: Cosmin Ratiu <cratiu@nvidia.com>
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20251225132717.358820-6-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/en_accel/psp.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
index 8565cfe8d7dce..943d6fc6e7a04 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/psp.c
@@ -41,6 +41,7 @@ struct mlx5e_accel_fs_psp_prot {
struct mlx5_flow_table *ft;
struct mlx5_flow_group *miss_group;
struct mlx5_flow_handle *miss_rule;
+ struct mlx5_modify_hdr *rx_modify_hdr;
struct mlx5_flow_destination default_dest;
struct mlx5e_psp_rx_err rx_err;
u32 refcnt;
@@ -217,13 +218,19 @@ static int accel_psp_fs_rx_err_create_ft(struct mlx5e_psp_fs *fs,
return err;
}
-static void accel_psp_fs_rx_fs_destroy(struct mlx5e_accel_fs_psp_prot *fs_prot)
+static void accel_psp_fs_rx_fs_destroy(struct mlx5e_psp_fs *fs,
+ struct mlx5e_accel_fs_psp_prot *fs_prot)
{
if (fs_prot->def_rule) {
mlx5_del_flow_rules(fs_prot->def_rule);
fs_prot->def_rule = NULL;
}
+ if (fs_prot->rx_modify_hdr) {
+ mlx5_modify_header_dealloc(fs->mdev, fs_prot->rx_modify_hdr);
+ fs_prot->rx_modify_hdr = NULL;
+ }
+
if (fs_prot->miss_rule) {
mlx5_del_flow_rules(fs_prot->miss_rule);
fs_prot->miss_rule = NULL;
@@ -327,6 +334,7 @@ static int accel_psp_fs_rx_create_ft(struct mlx5e_psp_fs *fs,
modify_hdr = NULL;
goto out_err;
}
+ fs_prot->rx_modify_hdr = modify_hdr;
flow_act.action = MLX5_FLOW_CONTEXT_ACTION_FWD_DEST |
MLX5_FLOW_CONTEXT_ACTION_CRYPTO_DECRYPT |
@@ -347,7 +355,7 @@ static int accel_psp_fs_rx_create_ft(struct mlx5e_psp_fs *fs,
goto out;
out_err:
- accel_psp_fs_rx_fs_destroy(fs_prot);
+ accel_psp_fs_rx_fs_destroy(fs, fs_prot);
out:
kvfree(flow_group_in);
kvfree(spec);
@@ -364,7 +372,7 @@ static int accel_psp_fs_rx_destroy(struct mlx5e_psp_fs *fs, enum accel_fs_psp_ty
/* The netdev unreg already happened, so all offloaded rule are already removed */
fs_prot = &accel_psp->fs_prot[type];
- accel_psp_fs_rx_fs_destroy(fs_prot);
+ accel_psp_fs_rx_fs_destroy(fs, fs_prot);
accel_psp_fs_rx_err_destroy_ft(fs, &fs_prot->rx_err);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 106/181] net/ena: fix missing lock when update devlink params
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 105/181] net/mlx5e: Dealloc forgotten PSP RX modify header Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 107/181] net: wwan: iosm: Fix memory leak in ipc_mux_deinit() Greg Kroah-Hartman
` (88 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Liang, David Arinzon,
Jiri Pirko, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Liang <xiliang@redhat.com>
[ Upstream commit 8da901ffe497a53fa4ecc3ceed0e6d771586f88e ]
Fix assert lock warning while calling devl_param_driverinit_value_set()
in ena.
WARNING: net/devlink/core.c:261 at devl_assert_locked+0x62/0x90, CPU#0: kworker/0:0/9
CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.19.0-rc2+ #1 PREEMPT(lazy)
Hardware name: Amazon EC2 m8i-flex.4xlarge/, BIOS 1.0 10/16/2017
Workqueue: events work_for_cpu_fn
RIP: 0010:devl_assert_locked+0x62/0x90
Call Trace:
<TASK>
devl_param_driverinit_value_set+0x15/0x1c0
ena_devlink_alloc+0x18c/0x220 [ena]
? __pfx_ena_devlink_alloc+0x10/0x10 [ena]
? trace_hardirqs_on+0x18/0x140
? lockdep_hardirqs_on+0x8c/0x130
? __raw_spin_unlock_irqrestore+0x5d/0x80
? __raw_spin_unlock_irqrestore+0x46/0x80
? devm_ioremap_wc+0x9a/0xd0
ena_probe+0x4d2/0x1b20 [ena]
? __lock_acquire+0x56a/0xbd0
? __pfx_ena_probe+0x10/0x10 [ena]
? local_clock+0x15/0x30
? __lock_release.isra.0+0x1c9/0x340
? mark_held_locks+0x40/0x70
? lockdep_hardirqs_on_prepare.part.0+0x92/0x170
? trace_hardirqs_on+0x18/0x140
? lockdep_hardirqs_on+0x8c/0x130
? __raw_spin_unlock_irqrestore+0x5d/0x80
? __raw_spin_unlock_irqrestore+0x46/0x80
? __pfx_ena_probe+0x10/0x10 [ena]
......
</TASK>
Fixes: 816b52624cf6 ("net: ena: Control PHC enable through devlink")
Signed-off-by: Frank Liang <xiliang@redhat.com>
Reviewed-by: David Arinzon <darinzon@amazon.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://patch.msgid.link/20251231145808.6103-1-xiliang@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amazon/ena/ena_devlink.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/amazon/ena/ena_devlink.c b/drivers/net/ethernet/amazon/ena/ena_devlink.c
index ac81c24016dd4..4772185e669d2 100644
--- a/drivers/net/ethernet/amazon/ena/ena_devlink.c
+++ b/drivers/net/ethernet/amazon/ena/ena_devlink.c
@@ -53,10 +53,12 @@ void ena_devlink_disable_phc_param(struct devlink *devlink)
{
union devlink_param_value value;
+ devl_lock(devlink);
value.vbool = false;
devl_param_driverinit_value_set(devlink,
DEVLINK_PARAM_GENERIC_ID_ENABLE_PHC,
value);
+ devl_unlock(devlink);
}
static void ena_devlink_port_register(struct devlink *devlink)
@@ -145,10 +147,12 @@ static int ena_devlink_configure_params(struct devlink *devlink)
return rc;
}
+ devl_lock(devlink);
value.vbool = ena_phc_is_enabled(adapter);
devl_param_driverinit_value_set(devlink,
DEVLINK_PARAM_GENERIC_ID_ENABLE_PHC,
value);
+ devl_unlock(devlink);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 107/181] net: wwan: iosm: Fix memory leak in ipc_mux_deinit()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 106/181] net/ena: fix missing lock when update devlink params Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 108/181] bnxt_en: Fix potential data corruption with HW GRO/LRO Greg Kroah-Hartman
` (87 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianhao Xu, Zilin Guan, Loic Poulain,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 92e6e0a87f6860a4710f9494f8c704d498ae60f8 ]
Commit 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support")
allocated memory for pp_qlt in ipc_mux_init() but did not free it in
ipc_mux_deinit(). This results in a memory leak when the driver is
unloaded.
Free the allocated memory in ipc_mux_deinit() to fix the leak.
Fixes: 1f52d7b62285 ("net: wwan: iosm: Enable M.2 7360 WWAN card support")
Co-developed-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
Signed-off-by: Jianhao Xu <jianhao.xu@seu.edu.cn>
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Reviewed-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
Link: https://patch.msgid.link/20251230071853.1062223-1-zilin@seu.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wwan/iosm/iosm_ipc_mux.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wwan/iosm/iosm_ipc_mux.c b/drivers/net/wwan/iosm/iosm_ipc_mux.c
index fc928b298a984..b846889fcb099 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_mux.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_mux.c
@@ -456,6 +456,7 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux)
struct sk_buff_head *free_list;
union mux_msg mux_msg;
struct sk_buff *skb;
+ int i;
if (!ipc_mux->initialized)
return;
@@ -479,5 +480,10 @@ void ipc_mux_deinit(struct iosm_mux *ipc_mux)
ipc_mux->channel->dl_pipe.is_open = false;
}
+ if (ipc_mux->protocol != MUX_LITE) {
+ for (i = 0; i < IPC_MEM_MUX_IP_SESSION_ENTRIES; i++)
+ kfree(ipc_mux->ul_adb.pp_qlt[i]);
+ }
+
kfree(ipc_mux);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 108/181] bnxt_en: Fix potential data corruption with HW GRO/LRO
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 107/181] net: wwan: iosm: Fix memory leak in ipc_mux_deinit() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 109/181] virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Greg Kroah-Hartman
` (86 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ray Jui, Srijit Bose, Michael Chan,
Vadim Fedorenko, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srijit Bose <srijit.bose@broadcom.com>
[ Upstream commit ffeafa65b2b26df2f5b5a6118d3174f17bd12ec5 ]
Fix the max number of bits passed to find_first_zero_bit() in
bnxt_alloc_agg_idx(). We were incorrectly passing the number of
long words. find_first_zero_bit() may fail to find a zero bit and
cause a wrong ID to be used. If the wrong ID is already in use, this
can cause data corruption. Sometimes an error like this can also be
seen:
bnxt_en 0000:83:00.0 enp131s0np0: TPA end agg_buf 2 != expected agg_bufs 1
Fix it by passing the correct number of bits MAX_TPA_P5. Use
DECLARE_BITMAP() to more cleanly define the bitmap. Add a sanity
check to warn if a bit cannot be found and reset the ring [MChan].
Fixes: ec4d8e7cf024 ("bnxt_en: Add TPA ID mapping logic for 57500 chips.")
Reviewed-by: Ray Jui <ray.jui@broadcom.com>
Signed-off-by: Srijit Bose <srijit.bose@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20251231083625.3911652-1-michael.chan@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 15 ++++++++++++---
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +---
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 0366323ab0676..95c774d98da66 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -1482,9 +1482,11 @@ static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id)
struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map;
u16 idx = agg_id & MAX_TPA_P5_MASK;
- if (test_bit(idx, map->agg_idx_bmap))
- idx = find_first_zero_bit(map->agg_idx_bmap,
- BNXT_AGG_IDX_BMAP_SIZE);
+ if (test_bit(idx, map->agg_idx_bmap)) {
+ idx = find_first_zero_bit(map->agg_idx_bmap, MAX_TPA_P5);
+ if (idx >= MAX_TPA_P5)
+ return INVALID_HW_RING_ID;
+ }
__set_bit(idx, map->agg_idx_bmap);
map->agg_id_tbl[agg_id] = idx;
return idx;
@@ -1548,6 +1550,13 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr,
if (bp->flags & BNXT_FLAG_CHIP_P5_PLUS) {
agg_id = TPA_START_AGG_ID_P5(tpa_start);
agg_id = bnxt_alloc_agg_idx(rxr, agg_id);
+ if (unlikely(agg_id == INVALID_HW_RING_ID)) {
+ netdev_warn(bp->dev, "Unable to allocate agg ID for ring %d, agg 0x%x\n",
+ rxr->bnapi->index,
+ TPA_START_AGG_ID_P5(tpa_start));
+ bnxt_sched_reset_rxr(bp, rxr);
+ return;
+ }
} else {
agg_id = TPA_START_AGG_ID(tpa_start);
}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index 3613a172483a1..45bbaec75ded4 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -1079,11 +1079,9 @@ struct bnxt_tpa_info {
struct rx_agg_cmp *agg_arr;
};
-#define BNXT_AGG_IDX_BMAP_SIZE (MAX_TPA_P5 / BITS_PER_LONG)
-
struct bnxt_tpa_idx_map {
u16 agg_id_tbl[1024];
- unsigned long agg_idx_bmap[BNXT_AGG_IDX_BMAP_SIZE];
+ DECLARE_BITMAP(agg_idx_bmap, MAX_TPA_P5);
};
struct bnxt_rx_ring_info {
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 109/181] virtio_net: fix device mismatch in devm_kzalloc/devm_kfree
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 108/181] bnxt_en: Fix potential data corruption with HW GRO/LRO Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 110/181] inet: frags: drop fraglist conntrack references Greg Kroah-Hartman
` (85 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kommula Shiva Shankar,
Michael S. Tsirkin, Jason Wang, Xuan Zhuo, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kommula Shiva Shankar <kshankar@marvell.com>
[ Upstream commit acb4bc6e1ba34ae1a34a9334a1ce8474c909466e ]
Initial rss_hdr allocation uses virtio_device->device,
but virtnet_set_queues() frees using net_device->device.
This device mismatch causing below devres warning
[ 3788.514041] ------------[ cut here ]------------
[ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463
[ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa]
[ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT
[ 3788.514067] Tainted: [W]=WARN
[ 3788.514069] Hardware name: Marvell CN106XX board (DT)
[ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
[ 3788.514074] pc : devm_kfree+0x84/0x98
[ 3788.514076] lr : devm_kfree+0x54/0x98
[ 3788.514079] sp : ffff800084e2f220
[ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f
[ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080
[ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018
[ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000
[ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff
[ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff
[ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c
[ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f
[ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080
[ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000
[ 3788.514123] Call trace:
[ 3788.514125] devm_kfree+0x84/0x98 (P)
[ 3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net]
[ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net]
[ 3788.514139] virtio_dev_probe+0x1e0/0x338
[ 3788.514144] really_probe+0xc8/0x3a0
[ 3788.514149] __driver_probe_device+0x84/0x170
[ 3788.514152] driver_probe_device+0x44/0x120
[ 3788.514155] __device_attach_driver+0xc4/0x168
[ 3788.514158] bus_for_each_drv+0x8c/0xf0
[ 3788.514161] __device_attach+0xa4/0x1c0
[ 3788.514164] device_initial_probe+0x1c/0x30
[ 3788.514168] bus_probe_device+0xb4/0xc0
[ 3788.514170] device_add+0x614/0x828
[ 3788.514173] register_virtio_device+0x214/0x258
[ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa]
[ 3788.514179] vdpa_dev_probe+0xa8/0xd8
[ 3788.514183] really_probe+0xc8/0x3a0
[ 3788.514186] __driver_probe_device+0x84/0x170
[ 3788.514189] driver_probe_device+0x44/0x120
[ 3788.514192] __device_attach_driver+0xc4/0x168
[ 3788.514195] bus_for_each_drv+0x8c/0xf0
[ 3788.514197] __device_attach+0xa4/0x1c0
[ 3788.514200] device_initial_probe+0x1c/0x30
[ 3788.514203] bus_probe_device+0xb4/0xc0
[ 3788.514206] device_add+0x614/0x828
[ 3788.514209] _vdpa_register_device+0x58/0x88
[ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa]
[ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0
[ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158
[ 3788.514222] genl_rcv_msg+0x218/0x298
[ 3788.514225] netlink_rcv_skb+0x64/0x138
[ 3788.514229] genl_rcv+0x40/0x60
[ 3788.514233] netlink_unicast+0x32c/0x3b0
[ 3788.514237] netlink_sendmsg+0x170/0x3b8
[ 3788.514241] __sys_sendto+0x12c/0x1c0
[ 3788.514246] __arm64_sys_sendto+0x30/0x48
[ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8
[ 3788.514255] do_el0_svc+0x48/0xd0
[ 3788.514259] el0_svc+0x48/0x210
[ 3788.514264] el0t_64_sync_handler+0xa0/0xe8
[ 3788.514268] el0t_64_sync+0x198/0x1a0
[ 3788.514271] ---[ end trace 0000000000000000 ]---
Fix by using virtio_device->device consistently for
allocation and deallocation
Fixes: 4944be2f5ad8c ("virtio_net: Allocate rss_hdr with devres")
Signed-off-by: Kommula Shiva Shankar <kshankar@marvell.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Link: https://patch.msgid.link/20260102101900.692770-1-kshankar@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/virtio_net.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
index 8e04adb57f52a..4e1a5291099a5 100644
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3783,7 +3783,7 @@ static int virtnet_set_queues(struct virtnet_info *vi, u16 queue_pairs)
if (vi->has_rss && !netif_is_rxfh_configured(dev)) {
old_rss_hdr = vi->rss_hdr;
old_rss_trailer = vi->rss_trailer;
- vi->rss_hdr = devm_kzalloc(&dev->dev, virtnet_rss_hdr_size(vi), GFP_KERNEL);
+ vi->rss_hdr = devm_kzalloc(&vi->vdev->dev, virtnet_rss_hdr_size(vi), GFP_KERNEL);
if (!vi->rss_hdr) {
vi->rss_hdr = old_rss_hdr;
return -ENOMEM;
@@ -3794,7 +3794,7 @@ static int virtnet_set_queues(struct virtnet_info *vi, u16 queue_pairs)
if (!virtnet_commit_rss_command(vi)) {
/* restore ctrl_rss if commit_rss_command failed */
- devm_kfree(&dev->dev, vi->rss_hdr);
+ devm_kfree(&vi->vdev->dev, vi->rss_hdr);
vi->rss_hdr = old_rss_hdr;
vi->rss_trailer = old_rss_trailer;
@@ -3802,7 +3802,7 @@ static int virtnet_set_queues(struct virtnet_info *vi, u16 queue_pairs)
queue_pairs);
return -EINVAL;
}
- devm_kfree(&dev->dev, old_rss_hdr);
+ devm_kfree(&vi->vdev->dev, old_rss_hdr);
goto succ;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 110/181] inet: frags: drop fraglist conntrack references
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 109/181] virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 111/181] perf: Ensure swevent hrtimer is properly destroyed Greg Kroah-Hartman
` (84 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4393c47753b7808dac7d,
Florian Westphal, Eric Dumazet, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 2ef02ac38d3c17f34a00c4b267d961a8d4b45d1a ]
Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging
leaked skbs/conntrack references more obvious.
syzbot reports this as triggering, and I can also reproduce this via
ip_defrag.sh selftest:
conntrack cleanup blocked for 60s
WARNING: net/netfilter/nf_conntrack_core.c:2512
[..]
conntrack clenups gets stuck because there are skbs with still hold nf_conn
references via their frag_list.
net.core.skb_defer_max=0 makes the hang disappear.
Eric Dumazet points out that skb_release_head_state() doesn't follow the
fraglist.
ip_defrag.sh can only reproduce this problem since
commit 6471658dc66c ("udp: use skb_attempt_defer_free()"), but AFAICS this
problem could happen with TCP as well if pmtu discovery is off.
The relevant problem path for udp is:
1. netns emits fragmented packets
2. nf_defrag_v6_hook reassembles them (in output hook)
3. reassembled skb is tracked (skb owns nf_conn reference)
4. ip6_output refragments
5. refragmented packets also own nf_conn reference (ip6_fragment
calls ip6_copy_metadata())
6. on input path, nf_defrag_v6_hook skips defragmentation: the
fragments already have skb->nf_conn attached
7. skbs are reassembled via ipv6_frag_rcv()
8. skb_consume_udp -> skb_attempt_defer_free() -> skb ends up
in pcpu freelist, but still has nf_conn reference.
Possible solutions:
1 let defrag engine drop nf_conn entry, OR
2 export kick_defer_list_purge() and call it from the conntrack
netns exit callback, OR
3 add skb_has_frag_list() check to skb_attempt_defer_free()
2 & 3 also solve ip_defrag.sh hang but share same drawback:
Such reassembled skbs, queued to socket, can prevent conntrack module
removal until userspace has consumed the packet. While both tcp and udp
stack do call nf_reset_ct() before placing skb on socket queue, that
function doesn't iterate frag_list skbs.
Therefore drop nf_conn entries when they are placed in defrag queue.
Keep the nf_conn entry of the first (offset 0) skb so that reassembled
skb retains nf_conn entry for sake of TX path.
Note that fixes tag is incorrect; it points to the commit introducing the
'ip_defrag.sh reproducible problem': no need to backport this patch to
every stable kernel.
Reported-by: syzbot+4393c47753b7808dac7d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/693b0fa7.050a0220.4004e.040d.GAE@google.com/
Fixes: 6471658dc66c ("udp: use skb_attempt_defer_free()")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260102140030.32367-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/inet_fragment.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 001ee5c4d962e..4e6d7467ed444 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -488,6 +488,8 @@ int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb,
}
FRAG_CB(skb)->ip_defrag_offset = offset;
+ if (offset)
+ nf_reset_ct(skb);
return IPFRAG_OK;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 111/181] perf: Ensure swevent hrtimer is properly destroyed
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 110/181] inet: frags: drop fraglist conntrack references Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 112/181] drm/amd/pm: fix wrong pcie parameter on navi1x Greg Kroah-Hartman
` (83 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, CyberUnicorns,
Peter Zijlstra (Intel), Sasha Levin, Thomas Gleixner
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit ff5860f5088e9076ebcccf05a6ca709d5935cfa9 ]
With the change to hrtimer_try_to_cancel() in
perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to
still be active by the time the event gets freed.
Make sure the event does a full hrtimer_cancel() on the free path by
installing a perf_event::destroy handler.
Fixes: eb3182ef0405 ("perf/core: Fix system hang caused by cpu-clock usage")
Reported-by: CyberUnicorns <a101e_iotvul@163.com>
Tested-by: CyberUnicorns <a101e_iotvul@163.com>
Debugged-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 413b88a4e00fb..d95f9dce018f4 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11835,6 +11835,11 @@ static void perf_swevent_cancel_hrtimer(struct perf_event *event)
}
}
+static void perf_swevent_destroy_hrtimer(struct perf_event *event)
+{
+ hrtimer_cancel(&event->hw.hrtimer);
+}
+
static void perf_swevent_init_hrtimer(struct perf_event *event)
{
struct hw_perf_event *hwc = &event->hw;
@@ -11843,6 +11848,7 @@ static void perf_swevent_init_hrtimer(struct perf_event *event)
return;
hrtimer_setup(&hwc->hrtimer, perf_swevent_hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL_HARD);
+ event->destroy = perf_swevent_destroy_hrtimer;
/*
* Since hrtimers have a fixed rate, we can do a static freq->period
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 112/181] drm/amd/pm: fix wrong pcie parameter on navi1x
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 111/181] perf: Ensure swevent hrtimer is properly destroyed Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 113/181] drm/amd/pm: force send pcie parmater " Greg Kroah-Hartman
` (82 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Wang, Kenneth Feng,
Alex Deucher, Lijo Lazar, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Wang <kevinyang.wang@amd.com>
[ Upstream commit 4f74c2dd970611d3ec3bb0d58215e73af5cd7214 ]
fix wrong pcie dpm parameter on navi1x
Fixes: 1a18607c07bb ("drm/amd/pm: override pcie dpm parameters only if it is necessary")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4671
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Co-developed-by: Kenneth Feng <kenneth.feng@amd.com>
Signed-off-by: Kenneth Feng <kenneth.feng@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 5c5189cf4b0cc0a22bac74a40743ee711cff07f8)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
index 0028f10ead423..d0fd9537e6236 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
@@ -2463,8 +2463,8 @@ static int navi10_update_pcie_parameters(struct smu_context *smu,
pptable->PcieLaneCount[i] > pcie_width_cap ?
pcie_width_cap : pptable->PcieLaneCount[i];
smu_pcie_arg = i << 16;
- smu_pcie_arg |= pcie_gen_cap << 8;
- smu_pcie_arg |= pcie_width_cap;
+ smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_gen[i] << 8;
+ smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_lane[i];
ret = smu_cmn_send_smc_msg_with_param(smu,
SMU_MSG_OverridePcieParameters,
smu_pcie_arg,
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 113/181] drm/amd/pm: force send pcie parmater on navi1x
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 112/181] drm/amd/pm: fix wrong pcie parameter on navi1x Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 114/181] vsock: Make accept()ed sockets use custom setsockopt() Greg Kroah-Hartman
` (81 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Wang, Lijo Lazar, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Wang <kevinyang.wang@amd.com>
[ Upstream commit dc8a887de1a7d397ab4131f45676e89565417aa8 ]
v1:
the PMFW didn't initialize the PCIe DPM parameters
and requires the KMD to actively provide these parameters.
v2:
clean & remove unused code logic (lijo)
Fixes: 1a18607c07bb ("drm/amd/pm: override pcie dpm parameters only if it is necessary")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4671
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b0dbd5db7cf1f81e4aaedd25cb5e72ce369387b2)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c | 33 +++++++++----------
1 file changed, 15 insertions(+), 18 deletions(-)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
index d0fd9537e6236..a2fcf678182b4 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
@@ -2454,24 +2454,21 @@ static int navi10_update_pcie_parameters(struct smu_context *smu,
}
for (i = 0; i < NUM_LINK_LEVELS; i++) {
- if (pptable->PcieGenSpeed[i] > pcie_gen_cap ||
- pptable->PcieLaneCount[i] > pcie_width_cap) {
- dpm_context->dpm_tables.pcie_table.pcie_gen[i] =
- pptable->PcieGenSpeed[i] > pcie_gen_cap ?
- pcie_gen_cap : pptable->PcieGenSpeed[i];
- dpm_context->dpm_tables.pcie_table.pcie_lane[i] =
- pptable->PcieLaneCount[i] > pcie_width_cap ?
- pcie_width_cap : pptable->PcieLaneCount[i];
- smu_pcie_arg = i << 16;
- smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_gen[i] << 8;
- smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_lane[i];
- ret = smu_cmn_send_smc_msg_with_param(smu,
- SMU_MSG_OverridePcieParameters,
- smu_pcie_arg,
- NULL);
- if (ret)
- break;
- }
+ dpm_context->dpm_tables.pcie_table.pcie_gen[i] =
+ pptable->PcieGenSpeed[i] > pcie_gen_cap ?
+ pcie_gen_cap : pptable->PcieGenSpeed[i];
+ dpm_context->dpm_tables.pcie_table.pcie_lane[i] =
+ pptable->PcieLaneCount[i] > pcie_width_cap ?
+ pcie_width_cap : pptable->PcieLaneCount[i];
+ smu_pcie_arg = i << 16;
+ smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_gen[i] << 8;
+ smu_pcie_arg |= dpm_context->dpm_tables.pcie_table.pcie_lane[i];
+ ret = smu_cmn_send_smc_msg_with_param(smu,
+ SMU_MSG_OverridePcieParameters,
+ smu_pcie_arg,
+ NULL);
+ if (ret)
+ return ret;
}
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 114/181] vsock: Make accept()ed sockets use custom setsockopt()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 113/181] drm/amd/pm: force send pcie parmater " Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 115/181] btrfs: release path before initializing extent tree in btrfs_read_locked_inode() Greg Kroah-Hartman
` (80 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Luczaj, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Luczaj <mhal@rbox.co>
[ Upstream commit ce5e612dd411de096aa041b9e9325ba1bec5f9f4 ]
SO_ZEROCOPY handling in vsock_connectible_setsockopt() does not get called
on accept()ed sockets due to a missing flag. Flip it.
Fixes: e0718bd82e27 ("vsock: enable setting SO_ZEROCOPY")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Link: https://patch.msgid.link/20251229-vsock-child-sock-custom-sockopt-v2-1-64778d6c4f88@rbox.co
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/af_vsock.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index a9ca9c3b87b31..cbd649bf01459 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1787,6 +1787,10 @@ static int vsock_accept(struct socket *sock, struct socket *newsock,
} else {
newsock->state = SS_CONNECTED;
sock_graft(connected, newsock);
+
+ set_bit(SOCK_CUSTOM_SOCKOPT,
+ &connected->sk_socket->flags);
+
if (vsock_msgzerocopy_allow(vconnected->transport))
set_bit(SOCK_SUPPORT_ZC,
&connected->sk_socket->flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 115/181] btrfs: release path before initializing extent tree in btrfs_read_locked_inode()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 114/181] vsock: Make accept()ed sockets use custom setsockopt() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 116/181] btrfs: only enforce free space tree if v1 cache is required for bs < ps cases Greg Kroah-Hartman
` (79 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Hellström, Qu Wenruo,
Filipe Manana, David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347 ]
In btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()
while holding a path with a read locked leaf from a subvolume tree, and
btrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can
trigger reclaim.
This can create a circular lock dependency which lockdep warns about with
the following splat:
[6.1433] ======================================================
[6.1574] WARNING: possible circular locking dependency detected
[6.1583] 6.18.0+ #4 Tainted: G U
[6.1591] ------------------------------------------------------
[6.1599] kswapd0/117 is trying to acquire lock:
[6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0
[6.1625]
but task is already holding lock:
[6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60
[6.1646]
which lock already depends on the new lock.
[6.1657]
the existing dependency chain (in reverse order) is:
[6.1667]
-> #2 (fs_reclaim){+.+.}-{0:0}:
[6.1677] fs_reclaim_acquire+0x9d/0xd0
[6.1685] __kmalloc_cache_noprof+0x59/0x750
[6.1694] btrfs_init_file_extent_tree+0x90/0x100
[6.1702] btrfs_read_locked_inode+0xc3/0x6b0
[6.1710] btrfs_iget+0xbb/0xf0
[6.1716] btrfs_lookup_dentry+0x3c5/0x8e0
[6.1724] btrfs_lookup+0x12/0x30
[6.1731] lookup_open.isra.0+0x1aa/0x6a0
[6.1739] path_openat+0x5f7/0xc60
[6.1746] do_filp_open+0xd6/0x180
[6.1753] do_sys_openat2+0x8b/0xe0
[6.1760] __x64_sys_openat+0x54/0xa0
[6.1768] do_syscall_64+0x97/0x3e0
[6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[6.1784]
-> #1 (btrfs-tree-00){++++}-{3:3}:
[6.1794] lock_release+0x127/0x2a0
[6.1801] up_read+0x1b/0x30
[6.1808] btrfs_search_slot+0x8e0/0xff0
[6.1817] btrfs_lookup_inode+0x52/0xd0
[6.1825] __btrfs_update_delayed_inode+0x73/0x520
[6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120
[6.1842] btrfs_log_inode+0x608/0x1aa0
[6.1849] btrfs_log_inode_parent+0x249/0xf80
[6.1857] btrfs_log_dentry_safe+0x3e/0x60
[6.1865] btrfs_sync_file+0x431/0x690
[6.1872] do_fsync+0x39/0x80
[6.1879] __x64_sys_fsync+0x13/0x20
[6.1887] do_syscall_64+0x97/0x3e0
[6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[6.1903]
-> #0 (&delayed_node->mutex){+.+.}-{3:3}:
[6.1913] __lock_acquire+0x15e9/0x2820
[6.1920] lock_acquire+0xc9/0x2d0
[6.1927] __mutex_lock+0xcc/0x10a0
[6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0
[6.1944] btrfs_evict_inode+0x20b/0x4b0
[6.1952] evict+0x15a/0x2f0
[6.1958] prune_icache_sb+0x91/0xd0
[6.1966] super_cache_scan+0x150/0x1d0
[6.1974] do_shrink_slab+0x155/0x6f0
[6.1981] shrink_slab+0x48e/0x890
[6.1988] shrink_one+0x11a/0x1f0
[6.1995] shrink_node+0xbfd/0x1320
[6.1002] balance_pgdat+0x67f/0xc60
[6.1321] kswapd+0x1dc/0x3e0
[6.1643] kthread+0xff/0x240
[6.1965] ret_from_fork+0x223/0x280
[6.1287] ret_from_fork_asm+0x1a/0x30
[6.1616]
other info that might help us debug this:
[6.1561] Chain exists of:
&delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim
[6.1503] Possible unsafe locking scenario:
[6.1110] CPU0 CPU1
[6.1411] ---- ----
[6.1707] lock(fs_reclaim);
[6.1998] lock(btrfs-tree-00);
[6.1291] lock(fs_reclaim);
[6.1581] lock(&delayed_node->mutex);
[6.1874]
*** DEADLOCK ***
[6.1716] 2 locks held by kswapd0/117:
[6.1999] #0: ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60
[6.1294] #1: ffff8d998344b0e0 (&type->s_umount_key#40){++++}- {3:3}, at: super_cache_scan+0x37/0x1d0
[6.1596]
stack backtrace:
[6.1183] CPU: 11 UID: 0 PID: 117 Comm: kswapd0 Tainted: G U 6.18.0+ #4 PREEMPT(lazy)
[6.1185] Tainted: [U]=USER
[6.1186] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023
[6.1187] Call Trace:
[6.1187] <TASK>
[6.1189] dump_stack_lvl+0x6e/0xa0
[6.1192] print_circular_bug.cold+0x17a/0x1c0
[6.1194] check_noncircular+0x175/0x190
[6.1197] __lock_acquire+0x15e9/0x2820
[6.1200] lock_acquire+0xc9/0x2d0
[6.1201] ? __btrfs_release_delayed_node.part.0+0x39/0x2f0
[6.1204] __mutex_lock+0xcc/0x10a0
[6.1206] ? __btrfs_release_delayed_node.part.0+0x39/0x2f0
[6.1208] ? __btrfs_release_delayed_node.part.0+0x39/0x2f0
[6.1211] ? __btrfs_release_delayed_node.part.0+0x39/0x2f0
[6.1213] __btrfs_release_delayed_node.part.0+0x39/0x2f0
[6.1215] btrfs_evict_inode+0x20b/0x4b0
[6.1217] ? lock_acquire+0xc9/0x2d0
[6.1220] evict+0x15a/0x2f0
[6.1222] prune_icache_sb+0x91/0xd0
[6.1224] super_cache_scan+0x150/0x1d0
[6.1226] do_shrink_slab+0x155/0x6f0
[6.1228] shrink_slab+0x48e/0x890
[6.1229] ? shrink_slab+0x2d2/0x890
[6.1231] shrink_one+0x11a/0x1f0
[6.1234] shrink_node+0xbfd/0x1320
[6.1236] ? shrink_node+0xa2d/0x1320
[6.1236] ? shrink_node+0xbd3/0x1320
[6.1239] ? balance_pgdat+0x67f/0xc60
[6.1239] balance_pgdat+0x67f/0xc60
[6.1241] ? finish_task_switch.isra.0+0xc4/0x2a0
[6.1246] kswapd+0x1dc/0x3e0
[6.1247] ? __pfx_autoremove_wake_function+0x10/0x10
[6.1249] ? __pfx_kswapd+0x10/0x10
[6.1250] kthread+0xff/0x240
[6.1251] ? __pfx_kthread+0x10/0x10
[6.1253] ret_from_fork+0x223/0x280
[6.1255] ? __pfx_kthread+0x10/0x10
[6.1257] ret_from_fork_asm+0x1a/0x30
[6.1260] </TASK>
This is because:
1) The fsync task is holding an inode's delayed node mutex (for a
directory) while calling __btrfs_update_delayed_inode() and that needs
to do a search on the subvolume's btree (therefore read lock some
extent buffers);
2) The lookup task, at btrfs_lookup(), triggered reclaim with the
GFP_KERNEL allocation done by btrfs_init_file_extent_tree() while
holding a read lock on a subvolume leaf;
3) The reclaim triggered kswapd which is doing inode eviction for the
directory inode the fsync task is using as an argument to
btrfs_commit_inode_delayed_inode() - but in that call chain we are
trying to read lock the same leaf that the lookup task is holding
while calling btrfs_init_file_extent_tree() and doing the GFP_KERNEL
allocation.
Fix this by calling btrfs_init_file_extent_tree() after we don't need the
path anymore and release it in btrfs_read_locked_inode().
Reported-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Link: https://lore.kernel.org/linux-btrfs/6e55113a22347c3925458a5d840a18401a38b276.camel@linux.intel.com/
Fixes: 8679d2687c35 ("btrfs: initialize inode::file_extent_tree after i_mode has been set")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 51401d586a7b6..27a562bad6e87 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -3976,11 +3976,6 @@ static int btrfs_read_locked_inode(struct btrfs_inode *inode, struct btrfs_path
btrfs_set_inode_mapping_order(inode);
cache_index:
- ret = btrfs_init_file_extent_tree(inode);
- if (ret)
- goto out;
- btrfs_inode_set_file_extent_range(inode, 0,
- round_up(i_size_read(vfs_inode), fs_info->sectorsize));
/*
* If we were modified in the current generation and evicted from memory
* and then re-read we need to do a full sync since we don't have any
@@ -4067,6 +4062,20 @@ static int btrfs_read_locked_inode(struct btrfs_inode *inode, struct btrfs_path
btrfs_ino(inode), btrfs_root_id(root), ret);
}
+ /*
+ * We don't need the path anymore, so release it to avoid holding a read
+ * lock on a leaf while calling btrfs_init_file_extent_tree(), which can
+ * allocate memory that triggers reclaim (GFP_KERNEL) and cause a locking
+ * dependency.
+ */
+ btrfs_release_path(path);
+
+ ret = btrfs_init_file_extent_tree(inode);
+ if (ret)
+ goto out;
+ btrfs_inode_set_file_extent_range(inode, 0,
+ round_up(i_size_read(vfs_inode), fs_info->sectorsize));
+
if (!maybe_acls)
cache_no_acl(vfs_inode);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 116/181] btrfs: only enforce free space tree if v1 cache is required for bs < ps cases
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 115/181] btrfs: release path before initializing extent tree in btrfs_read_locked_inode() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 117/181] btrfs: fix NULL pointer dereference in do_abort_log_replay() Greg Kroah-Hartman
` (78 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 30bcf4e824aa37d305502f52e1527c7b1eabef3d ]
[BUG]
Since the introduction of btrfs bs < ps support, v1 cache was never on
the plan due to its hard coded PAGE_SIZE usage, and the future plan to
properly deprecate it.
However for bs < ps cases, even if 'nospace_cache,clear_cache' mount
option is specified, it's never respected and free space tree is always
enabled:
mkfs.btrfs -f -O ^bgt,fst $dev
mount $dev $mnt -o clear_cache,nospace_cache
umount $mnt
btrfs ins dump-super $dev
...
compat_ro_flags 0x3
( FREE_SPACE_TREE |
FREE_SPACE_TREE_VALID )
...
This means a different behavior compared to bs >= ps cases.
[CAUSE]
The forcing usage of v2 space cache is done inside
btrfs_set_free_space_cache_settings(), however it never checks if we're
even using space cache but always enabling v2 cache.
[FIX]
Instead unconditionally enable v2 cache, only forcing v2 cache if the
old v1 cache is required.
Now v2 space cache can be properly disabled on bs < ps cases:
mkfs.btrfs -f -O ^bgt,fst $dev
mount $dev $mnt -o clear_cache,nospace_cache
umount $mnt
btrfs ins dump-super $dev
...
compat_ro_flags 0x0
...
Fixes: 9f73f1aef98b ("btrfs: force v2 space cache usage for subpage mount")
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/super.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 430e7419349c9..c40944ca7b948 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -736,14 +736,12 @@ bool btrfs_check_options(const struct btrfs_fs_info *info,
*/
void btrfs_set_free_space_cache_settings(struct btrfs_fs_info *fs_info)
{
- if (fs_info->sectorsize < PAGE_SIZE) {
+ if (fs_info->sectorsize < PAGE_SIZE && btrfs_test_opt(fs_info, SPACE_CACHE)) {
+ btrfs_info(fs_info,
+ "forcing free space tree for sector size %u with page size %lu",
+ fs_info->sectorsize, PAGE_SIZE);
btrfs_clear_opt(fs_info->mount_opt, SPACE_CACHE);
- if (!btrfs_test_opt(fs_info, FREE_SPACE_TREE)) {
- btrfs_info(fs_info,
- "forcing free space tree for sector size %u with page size %lu",
- fs_info->sectorsize, PAGE_SIZE);
- btrfs_set_opt(fs_info->mount_opt, FREE_SPACE_TREE);
- }
+ btrfs_set_opt(fs_info->mount_opt, FREE_SPACE_TREE);
}
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 117/181] btrfs: fix NULL pointer dereference in do_abort_log_replay()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 116/181] btrfs: only enforce free space tree if v1 cache is required for bs < ps cases Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 118/181] net: airoha: Fix npu rx DMA definitions Greg Kroah-Hartman
` (77 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Suchit Karunakaran,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suchit Karunakaran <suchitkarunakaran@gmail.com>
[ Upstream commit 530e3d4af566ca44807d79359b90794dea24c4f3 ]
Coverity reported a NULL pointer dereference issue (CID 1666756) in
do_abort_log_replay(). When btrfs_alloc_path() fails in
replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay()
calls do_abort_log_replay() which unconditionally dereferences
wc->subvol_path when attempting to print debug information. Fix this by
adding a NULL check before dereferencing wc->subvol_path in
do_abort_log_replay().
Fixes: 2753e4917624 ("btrfs: dump detailed info and specific messages on log replay failures")
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Suchit Karunakaran <suchitkarunakaran@gmail.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/tree-log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index de9ea9d52482f..1444857de9fe8 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -189,7 +189,7 @@ static void do_abort_log_replay(struct walk_control *wc, const char *function,
btrfs_abort_transaction(wc->trans, error);
- if (wc->subvol_path->nodes[0]) {
+ if (wc->subvol_path && wc->subvol_path->nodes[0]) {
btrfs_crit(fs_info,
"subvolume (root %llu) leaf currently being processed:",
btrfs_root_id(wc->root));
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 118/181] net: airoha: Fix npu rx DMA definitions
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 117/181] btrfs: fix NULL pointer dereference in do_abort_log_replay() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 119/181] riscv: cpufeature: Fix Zk bundled extension missing Zknh Greg Kroah-Hartman
` (76 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit a7fc8c641cab855824c45e5e8877e40fd528b5df ]
Fix typos in npu rx DMA descriptor definitions.
Fixes: b3ef7bdec66fb ("net: airoha: Add airoha_offload.h header")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260102-airoha-npu-dma-rx-def-fixes-v1-1-205fc6bf7d94@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/soc/airoha/airoha_offload.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/linux/soc/airoha/airoha_offload.h b/include/linux/soc/airoha/airoha_offload.h
index 6f66eb339b3fc..1a33f846afafa 100644
--- a/include/linux/soc/airoha/airoha_offload.h
+++ b/include/linux/soc/airoha/airoha_offload.h
@@ -70,12 +70,12 @@ static inline void airoha_ppe_dev_check_skb(struct airoha_ppe_dev *dev,
#define NPU_RX1_DESC_NUM 512
/* CTRL */
-#define NPU_RX_DMA_DESC_LAST_MASK BIT(29)
-#define NPU_RX_DMA_DESC_LEN_MASK GENMASK(28, 15)
-#define NPU_RX_DMA_DESC_CUR_LEN_MASK GENMASK(14, 1)
+#define NPU_RX_DMA_DESC_LAST_MASK BIT(27)
+#define NPU_RX_DMA_DESC_LEN_MASK GENMASK(26, 14)
+#define NPU_RX_DMA_DESC_CUR_LEN_MASK GENMASK(13, 1)
#define NPU_RX_DMA_DESC_DONE_MASK BIT(0)
/* INFO */
-#define NPU_RX_DMA_PKT_COUNT_MASK GENMASK(31, 28)
+#define NPU_RX_DMA_PKT_COUNT_MASK GENMASK(31, 29)
#define NPU_RX_DMA_PKT_ID_MASK GENMASK(28, 26)
#define NPU_RX_DMA_SRC_PORT_MASK GENMASK(25, 21)
#define NPU_RX_DMA_CRSN_MASK GENMASK(20, 16)
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 119/181] riscv: cpufeature: Fix Zk bundled extension missing Zknh
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 118/181] net: airoha: Fix npu rx DMA definitions Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 120/181] riscv: pgtable: Cleanup useless VA_USER_XXX definitions Greg Kroah-Hartman
` (75 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guodong Xu, Clément Léger,
Paul Walmsley, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guodong Xu <guodong@riscstar.com>
[ Upstream commit 8632180daf735074a746ce2b3808a8f2c079310e ]
The Zk extension is a bundle consisting of Zkn, Zkr, and Zkt. The Zkn
extension itself is a bundle consisting of Zbkb, Zbkc, Zbkx, Zknd, Zkne,
and Zknh.
The current implementation of riscv_zk_bundled_exts manually listed
the dependencies but missed RISCV_ISA_EXT_ZKNH.
Fix this by introducing a RISCV_ISA_EXT_ZKN macro that lists the Zkn
components and using it in both riscv_zk_bundled_exts and
riscv_zkn_bundled_exts.
This adds the missing Zknh extension to Zk and reduces code duplication.
Fixes: 0d8295ed975b ("riscv: add ISA extension parsing for scalar crypto")
Link: https://patch.msgid.link/20231114141256.126749-4-cleger@rivosinc.com/
Signed-off-by: Guodong Xu <guodong@riscstar.com>
Reviewed-by: Clément Léger <cleger@rivosinc.com>
Link: https://patch.msgid.link/20251223-zk-missing-zknh-v1-1-b627c990ee1a@riscstar.com
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kernel/cpufeature.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
index 72ca768f4e919..2367e9755524a 100644
--- a/arch/riscv/kernel/cpufeature.c
+++ b/arch/riscv/kernel/cpufeature.c
@@ -279,23 +279,22 @@ static const unsigned int riscv_a_exts[] = {
RISCV_ISA_EXT_ZALRSC,
};
+#define RISCV_ISA_EXT_ZKN \
+ RISCV_ISA_EXT_ZBKB, \
+ RISCV_ISA_EXT_ZBKC, \
+ RISCV_ISA_EXT_ZBKX, \
+ RISCV_ISA_EXT_ZKND, \
+ RISCV_ISA_EXT_ZKNE, \
+ RISCV_ISA_EXT_ZKNH
+
static const unsigned int riscv_zk_bundled_exts[] = {
- RISCV_ISA_EXT_ZBKB,
- RISCV_ISA_EXT_ZBKC,
- RISCV_ISA_EXT_ZBKX,
- RISCV_ISA_EXT_ZKND,
- RISCV_ISA_EXT_ZKNE,
+ RISCV_ISA_EXT_ZKN,
RISCV_ISA_EXT_ZKR,
- RISCV_ISA_EXT_ZKT,
+ RISCV_ISA_EXT_ZKT
};
static const unsigned int riscv_zkn_bundled_exts[] = {
- RISCV_ISA_EXT_ZBKB,
- RISCV_ISA_EXT_ZBKC,
- RISCV_ISA_EXT_ZBKX,
- RISCV_ISA_EXT_ZKND,
- RISCV_ISA_EXT_ZKNE,
- RISCV_ISA_EXT_ZKNH,
+ RISCV_ISA_EXT_ZKN
};
static const unsigned int riscv_zks_bundled_exts[] = {
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 120/181] riscv: pgtable: Cleanup useless VA_USER_XXX definitions
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 119/181] riscv: cpufeature: Fix Zk bundled extension missing Zknh Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 121/181] net: fix memory leak in skb_segment_list for GRO packets Greg Kroah-Hartman
` (74 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guo Ren (Alibaba DAMO Academy),
Jinjie Ruan, Paul Walmsley, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guo Ren (Alibaba DAMO Academy) <guoren@kernel.org>
[ Upstream commit 5e5be092ffadcab0093464ccd9e30f0c5cce16b9 ]
These marcos are not used after commit b5b4287accd7 ("riscv: mm: Use
hint address in mmap if available"). Cleanup VA_USER_XXX definitions
in asm/pgtable.h.
Fixes: b5b4287accd7 ("riscv: mm: Use hint address in mmap if available")
Signed-off-by: Guo Ren (Alibaba DAMO Academy) <guoren@kernel.org>
Reviewed-by: Jinjie Ruan <ruanjinjie@huawei.com>
Link: https://patch.msgid.link/20251201005850.702569-1-guoren@kernel.org
Signed-off-by: Paul Walmsley <pjw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/include/asm/pgtable.h | 4 ----
1 file changed, 4 deletions(-)
diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h
index 5a08eb5fe99fc..30d1ea93dde34 100644
--- a/arch/riscv/include/asm/pgtable.h
+++ b/arch/riscv/include/asm/pgtable.h
@@ -124,10 +124,6 @@
#ifdef CONFIG_64BIT
#include <asm/pgtable-64.h>
-#define VA_USER_SV39 (UL(1) << (VA_BITS_SV39 - 1))
-#define VA_USER_SV48 (UL(1) << (VA_BITS_SV48 - 1))
-#define VA_USER_SV57 (UL(1) << (VA_BITS_SV57 - 1))
-
#define MMAP_VA_BITS_64 ((VA_BITS >= VA_BITS_SV48) ? VA_BITS_SV48 : VA_BITS)
#define MMAP_MIN_VA_BITS_64 (VA_BITS_SV39)
#define MMAP_VA_BITS (is_compat_task() ? VA_BITS_SV32 : MMAP_VA_BITS_64)
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 121/181] net: fix memory leak in skb_segment_list for GRO packets
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 120/181] riscv: pgtable: Cleanup useless VA_USER_XXX definitions Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 122/181] PCI/VGA: Dont assume the only VGA device on a system is `boot_vga` Greg Kroah-Hartman
` (73 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mohammad Heib, Willem de Bruijn,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mohammad Heib <mheib@redhat.com>
[ Upstream commit 238e03d0466239410b72294b79494e43d4fabe77 ]
When skb_segment_list() is called during packet forwarding, it handles
packets that were aggregated by the GRO engine.
Historically, the segmentation logic in skb_segment_list assumes that
individual segments are split from a parent SKB and may need to carry
their own socket memory accounting. Accordingly, the code transfers
truesize from the parent to the newly created segments.
Prior to commit ed4cccef64c1 ("gro: fix ownership transfer"), this
truesize subtraction in skb_segment_list() was valid because fragments
still carry a reference to the original socket.
However, commit ed4cccef64c1 ("gro: fix ownership transfer") changed
this behavior by ensuring that fraglist entries are explicitly
orphaned (skb->sk = NULL) to prevent illegal orphaning later in the
stack. This change meant that the entire socket memory charge remained
with the head SKB, but the corresponding accounting logic in
skb_segment_list() was never updated.
As a result, the current code unconditionally adds each fragment's
truesize to delta_truesize and subtracts it from the parent SKB. Since
the fragments are no longer charged to the socket, this subtraction
results in an effective under-count of memory when the head is freed.
This causes sk_wmem_alloc to remain non-zero, preventing socket
destruction and leading to a persistent memory leak.
The leak can be observed via KMEMLEAK when tearing down the networking
environment:
unreferenced object 0xffff8881e6eb9100 (size 2048):
comm "ping", pid 6720, jiffies 4295492526
backtrace:
kmem_cache_alloc_noprof+0x5c6/0x800
sk_prot_alloc+0x5b/0x220
sk_alloc+0x35/0xa00
inet6_create.part.0+0x303/0x10d0
__sock_create+0x248/0x640
__sys_socket+0x11b/0x1d0
Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST
packets constructed by GRO, the truesize adjustment is removed.
The call to skb_release_head_state() must be preserved. As documented in
commit cf673ed0e057 ("net: fix fraglist segmentation reference count
leak"), it is still required to correctly drop references to SKB
extensions that may be overwritten during __copy_skb_header().
Fixes: ed4cccef64c1 ("gro: fix ownership transfer")
Signed-off-by: Mohammad Heib <mheib@redhat.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260104213101.352887-1-mheib@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skbuff.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 6be01454f262a..9a763d120925a 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4597,12 +4597,14 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
{
struct sk_buff *list_skb = skb_shinfo(skb)->frag_list;
unsigned int tnl_hlen = skb_tnl_header_len(skb);
- unsigned int delta_truesize = 0;
unsigned int delta_len = 0;
struct sk_buff *tail = NULL;
struct sk_buff *nskb, *tmp;
int len_diff, err;
+ /* Only skb_gro_receive_list generated skbs arrive here */
+ DEBUG_NET_WARN_ON_ONCE(!(skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST));
+
skb_push(skb, -skb_network_offset(skb) + offset);
/* Ensure the head is writeable before touching the shared info */
@@ -4616,8 +4618,9 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
nskb = list_skb;
list_skb = list_skb->next;
+ DEBUG_NET_WARN_ON_ONCE(nskb->sk);
+
err = 0;
- delta_truesize += nskb->truesize;
if (skb_shared(nskb)) {
tmp = skb_clone(nskb, GFP_ATOMIC);
if (tmp) {
@@ -4660,7 +4663,6 @@ struct sk_buff *skb_segment_list(struct sk_buff *skb,
goto err_linearize;
}
- skb->truesize = skb->truesize - delta_truesize;
skb->data_len = skb->data_len - delta_len;
skb->len = skb->len - delta_len;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 122/181] PCI/VGA: Dont assume the only VGA device on a system is `boot_vga`
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 121/181] net: fix memory leak in skb_segment_list for GRO packets Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 123/181] idpf: keep the netdev when a reset fails Greg Kroah-Hartman
` (72 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aaron Erhardt, Thomas Zimmermann,
Luke D. Jones, Mario Limonciello (AMD), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
[ Upstream commit fd390ff144513eb0310c350b1cf5fa8d6ddd0c53 ]
Some systems ship with multiple display class devices but not all
of them are VGA devices. If the "only" VGA device on the system is not
used for displaying the image on the screen marking it as `boot_vga`
because nothing was found is totally wrong.
This behavior actually leads to mistakes of the wrong device being
advertised to userspace and then userspace can make incorrect decisions.
As there is an accurate `boot_display` sysfs file stop lying about
`boot_vga` by assuming if nothing is found it's the right device.
Reported-by: Aaron Erhardt <aer@tuxedocomputers.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220712
Tested-by: Aaron Erhardt <aer@tuxedocomputers.com>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: ad90860bd10ee ("fbcon: Use screen info to find primary device")
Tested-by: Luke D. Jones <luke@ljones.dev>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patch.msgid.link/20260106044638.52906-1-superm1@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/vgaarb.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/pci/vgaarb.c b/drivers/pci/vgaarb.c
index 436fa7f4c3873..baa242b140993 100644
--- a/drivers/pci/vgaarb.c
+++ b/drivers/pci/vgaarb.c
@@ -652,13 +652,6 @@ static bool vga_is_boot_device(struct vga_device *vgadev)
return true;
}
- /*
- * Vgadev has neither IO nor MEM enabled. If we haven't found any
- * other VGA devices, it is the best candidate so far.
- */
- if (!boot_vga)
- return true;
-
return false;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 123/181] idpf: keep the netdev when a reset fails
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 122/181] PCI/VGA: Dont assume the only VGA device on a system is `boot_vga` Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 124/181] idpf: convert vport state to bitmap Greg Kroah-Hartman
` (71 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Tantilov, Aleksandr Loktionov,
Samuel Salin, Tony Nguyen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Tantilov <emil.s.tantilov@intel.com>
[ Upstream commit 083029bd8b445595222a3cd14076b880781c1765 ]
During a successful reset the driver would re-allocate vport resources
while keeping the netdevs intact. However, in case of an error in the
init task, the netdev of the failing vport will be unregistered,
effectively removing the network interface:
[ 121.211076] idpf 0000:83:00.0: enabling device (0100 -> 0102)
[ 121.221976] idpf 0000:83:00.0: Device HW Reset initiated
[ 124.161229] idpf 0000:83:00.0 ens801f0: renamed from eth0
[ 124.163364] idpf 0000:83:00.0 ens801f0d1: renamed from eth1
[ 125.934656] idpf 0000:83:00.0 ens801f0d2: renamed from eth2
[ 128.218429] idpf 0000:83:00.0 ens801f0d3: renamed from eth3
ip -br a
ens801f0 UP
ens801f0d1 UP
ens801f0d2 UP
ens801f0d3 UP
echo 1 > /sys/class/net/ens801f0/device/reset
[ 145.885537] idpf 0000:83:00.0: resetting
[ 145.990280] idpf 0000:83:00.0: reset done
[ 146.284766] idpf 0000:83:00.0: HW reset detected
[ 146.296610] idpf 0000:83:00.0: Device HW Reset initiated
[ 211.556719] idpf 0000:83:00.0: Transaction timed-out (op:526 cookie:7700 vc_op:526 salt:77 timeout:60000ms)
[ 272.996705] idpf 0000:83:00.0: Transaction timed-out (op:502 cookie:7800 vc_op:502 salt:78 timeout:60000ms)
ip -br a
ens801f0d1 DOWN
ens801f0d2 DOWN
ens801f0d3 DOWN
Re-shuffle the logic in the error path of the init task to make sure the
netdevs remain intact. This will allow the driver to attempt recovery via
subsequent resets, provided the FW is still functional.
The main change is to make sure that idpf_decfg_netdev() is not called
should the init task fail during a reset. The error handling is
consolidated under unwind_vports, as the removed labels had the same
cleanup logic split depending on the point of failure.
Fixes: ce1b75d0635c ("idpf: add ptypes and MAC filter support")
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_lib.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index aaafe40f5eaf7..452f3107378cb 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -1579,6 +1579,10 @@ void idpf_init_task(struct work_struct *work)
goto unwind_vports;
}
+ err = idpf_send_get_rx_ptype_msg(vport);
+ if (err)
+ goto unwind_vports;
+
index = vport->idx;
vport_config = adapter->vport_config[index];
@@ -1590,15 +1594,11 @@ void idpf_init_task(struct work_struct *work)
err = idpf_check_supported_desc_ids(vport);
if (err) {
dev_err(&pdev->dev, "failed to get required descriptor ids\n");
- goto cfg_netdev_err;
+ goto unwind_vports;
}
if (idpf_cfg_netdev(vport))
- goto cfg_netdev_err;
-
- err = idpf_send_get_rx_ptype_msg(vport);
- if (err)
- goto handle_err;
+ goto unwind_vports;
/* Once state is put into DOWN, driver is ready for dev_open */
np = netdev_priv(vport->netdev);
@@ -1645,11 +1645,6 @@ void idpf_init_task(struct work_struct *work)
return;
-handle_err:
- idpf_decfg_netdev(vport);
-cfg_netdev_err:
- idpf_vport_rel(vport);
- adapter->vports[index] = NULL;
unwind_vports:
if (default_vport) {
for (index = 0; index < adapter->max_vports; index++) {
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 124/181] idpf: convert vport state to bitmap
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 123/181] idpf: keep the netdev when a reset fails Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 125/181] idpf: detach and close netdevs while handling a reset Greg Kroah-Hartman
` (70 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, Aleksandr Loktionov,
Chittim Madhu, Emil Tantilov, Samuel Salin, Tony Nguyen,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Tantilov <emil.s.tantilov@intel.com>
[ Upstream commit 8dd72ebc73f37b216410db17340f15e6fb2cdb7b ]
Convert vport state to a bitmap and remove the DOWN state which is
redundant in the existing logic. There are no functional changes aside
from the use of bitwise operations when setting and checking the states.
Removed the double underscore to be consistent with the naming of other
bitmaps in the header and renamed current_state to vport_is_up to match
the meaning of the new variable.
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Chittim Madhu <madhu.chittim@intel.com>
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Link: https://patch.msgid.link/20251125223632.1857532-6-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 2e281e1155fc ("idpf: detach and close netdevs while handling a reset")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf.h | 12 ++++------
.../net/ethernet/intel/idpf/idpf_ethtool.c | 12 +++++-----
drivers/net/ethernet/intel/idpf/idpf_lib.c | 24 +++++++++----------
.../ethernet/intel/idpf/idpf_singleq_txrx.c | 2 +-
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 +-
.../net/ethernet/intel/idpf/idpf_virtchnl.c | 4 ++--
drivers/net/ethernet/intel/idpf/xdp.c | 2 +-
7 files changed, 28 insertions(+), 30 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h
index ca4da0c899794..64142f8163fed 100644
--- a/drivers/net/ethernet/intel/idpf/idpf.h
+++ b/drivers/net/ethernet/intel/idpf/idpf.h
@@ -131,14 +131,12 @@ enum idpf_cap_field {
/**
* enum idpf_vport_state - Current vport state
- * @__IDPF_VPORT_DOWN: Vport is down
- * @__IDPF_VPORT_UP: Vport is up
- * @__IDPF_VPORT_STATE_LAST: Must be last, number of states
+ * @IDPF_VPORT_UP: Vport is up
+ * @IDPF_VPORT_STATE_NBITS: Must be last, number of states
*/
enum idpf_vport_state {
- __IDPF_VPORT_DOWN,
- __IDPF_VPORT_UP,
- __IDPF_VPORT_STATE_LAST,
+ IDPF_VPORT_UP,
+ IDPF_VPORT_STATE_NBITS
};
/**
@@ -162,7 +160,7 @@ struct idpf_netdev_priv {
u16 vport_idx;
u16 max_tx_hdr_size;
u16 tx_max_bufs;
- enum idpf_vport_state state;
+ DECLARE_BITMAP(state, IDPF_VPORT_STATE_NBITS);
struct rtnl_link_stats64 netstats;
spinlock_t stats_lock;
};
diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
index a5a1eec9ade8b..eed166bc46f38 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
@@ -386,7 +386,7 @@ static int idpf_get_rxfh(struct net_device *netdev,
}
rss_data = &adapter->vport_config[np->vport_idx]->user_config.rss_data;
- if (np->state != __IDPF_VPORT_UP)
+ if (!test_bit(IDPF_VPORT_UP, np->state))
goto unlock_mutex;
rxfh->hfunc = ETH_RSS_HASH_TOP;
@@ -436,7 +436,7 @@ static int idpf_set_rxfh(struct net_device *netdev,
}
rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
- if (np->state != __IDPF_VPORT_UP)
+ if (!test_bit(IDPF_VPORT_UP, np->state))
goto unlock_mutex;
if (rxfh->hfunc != ETH_RSS_HASH_NO_CHANGE &&
@@ -1167,7 +1167,7 @@ static void idpf_get_ethtool_stats(struct net_device *netdev,
idpf_vport_ctrl_lock(netdev);
vport = idpf_netdev_to_vport(netdev);
- if (np->state != __IDPF_VPORT_UP) {
+ if (!test_bit(IDPF_VPORT_UP, np->state)) {
idpf_vport_ctrl_unlock(netdev);
return;
@@ -1319,7 +1319,7 @@ static int idpf_get_q_coalesce(struct net_device *netdev,
idpf_vport_ctrl_lock(netdev);
vport = idpf_netdev_to_vport(netdev);
- if (np->state != __IDPF_VPORT_UP)
+ if (!test_bit(IDPF_VPORT_UP, np->state))
goto unlock_mutex;
if (q_num >= vport->num_rxq && q_num >= vport->num_txq) {
@@ -1507,7 +1507,7 @@ static int idpf_set_coalesce(struct net_device *netdev,
idpf_vport_ctrl_lock(netdev);
vport = idpf_netdev_to_vport(netdev);
- if (np->state != __IDPF_VPORT_UP)
+ if (!test_bit(IDPF_VPORT_UP, np->state))
goto unlock_mutex;
for (i = 0; i < vport->num_txq; i++) {
@@ -1710,7 +1710,7 @@ static void idpf_get_ts_stats(struct net_device *netdev,
ts_stats->err = u64_stats_read(&vport->tstamp_stats.discarded);
} while (u64_stats_fetch_retry(&vport->tstamp_stats.stats_sync, start));
- if (np->state != __IDPF_VPORT_UP)
+ if (!test_bit(IDPF_VPORT_UP, np->state))
goto exit;
for (u16 i = 0; i < vport->num_txq_grp; i++) {
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index 452f3107378cb..313803c088478 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -519,7 +519,7 @@ static int idpf_del_mac_filter(struct idpf_vport *vport,
}
spin_unlock_bh(&vport_config->mac_filter_list_lock);
- if (np->state == __IDPF_VPORT_UP) {
+ if (test_bit(IDPF_VPORT_UP, np->state)) {
int err;
err = idpf_add_del_mac_filters(vport, np, false, async);
@@ -590,7 +590,7 @@ static int idpf_add_mac_filter(struct idpf_vport *vport,
if (err)
return err;
- if (np->state == __IDPF_VPORT_UP)
+ if (test_bit(IDPF_VPORT_UP, np->state))
err = idpf_add_del_mac_filters(vport, np, true, async);
return err;
@@ -894,7 +894,7 @@ static void idpf_vport_stop(struct idpf_vport *vport, bool rtnl)
{
struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
- if (np->state <= __IDPF_VPORT_DOWN)
+ if (!test_bit(IDPF_VPORT_UP, np->state))
return;
if (rtnl)
@@ -921,7 +921,7 @@ static void idpf_vport_stop(struct idpf_vport *vport, bool rtnl)
idpf_xdp_rxq_info_deinit_all(vport);
idpf_vport_queues_rel(vport);
idpf_vport_intr_rel(vport);
- np->state = __IDPF_VPORT_DOWN;
+ clear_bit(IDPF_VPORT_UP, np->state);
if (rtnl)
rtnl_unlock();
@@ -1345,7 +1345,7 @@ static int idpf_up_complete(struct idpf_vport *vport)
netif_tx_start_all_queues(vport->netdev);
}
- np->state = __IDPF_VPORT_UP;
+ set_bit(IDPF_VPORT_UP, np->state);
return 0;
}
@@ -1391,7 +1391,7 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
struct idpf_vport_config *vport_config;
int err;
- if (np->state != __IDPF_VPORT_DOWN)
+ if (test_bit(IDPF_VPORT_UP, np->state))
return -EBUSY;
if (rtnl)
@@ -1602,7 +1602,7 @@ void idpf_init_task(struct work_struct *work)
/* Once state is put into DOWN, driver is ready for dev_open */
np = netdev_priv(vport->netdev);
- np->state = __IDPF_VPORT_DOWN;
+ clear_bit(IDPF_VPORT_UP, np->state);
if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED, vport_config->flags))
idpf_vport_open(vport, true);
@@ -1796,7 +1796,7 @@ static void idpf_set_vport_state(struct idpf_adapter *adapter)
continue;
np = netdev_priv(adapter->netdevs[i]);
- if (np->state == __IDPF_VPORT_UP)
+ if (test_bit(IDPF_VPORT_UP, np->state))
set_bit(IDPF_VPORT_UP_REQUESTED,
adapter->vport_config[i]->flags);
}
@@ -1934,7 +1934,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
enum idpf_vport_reset_cause reset_cause)
{
struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
- enum idpf_vport_state current_state = np->state;
+ bool vport_is_up = test_bit(IDPF_VPORT_UP, np->state);
struct idpf_adapter *adapter = vport->adapter;
struct idpf_vport *new_vport;
int err;
@@ -1985,7 +1985,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
goto free_vport;
}
- if (current_state <= __IDPF_VPORT_DOWN) {
+ if (!vport_is_up) {
idpf_send_delete_queues_msg(vport);
} else {
set_bit(IDPF_VPORT_DEL_QUEUES, vport->flags);
@@ -2018,7 +2018,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
if (err)
goto err_open;
- if (current_state == __IDPF_VPORT_UP)
+ if (vport_is_up)
err = idpf_vport_open(vport, false);
goto free_vport;
@@ -2028,7 +2028,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
vport->num_rxq, vport->num_bufq);
err_open:
- if (current_state == __IDPF_VPORT_UP)
+ if (vport_is_up)
idpf_vport_open(vport, false);
free_vport:
diff --git a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
index 61e6130661404..e3ddf18dcbf51 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_singleq_txrx.c
@@ -570,7 +570,7 @@ static bool idpf_tx_singleq_clean(struct idpf_tx_queue *tx_q, int napi_budget,
np = netdev_priv(tx_q->netdev);
nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx);
- dont_wake = np->state != __IDPF_VPORT_UP ||
+ dont_wake = !test_bit(IDPF_VPORT_UP, np->state) ||
!netif_carrier_ok(tx_q->netdev);
__netif_txq_completed_wake(nq, ss.packets, ss.bytes,
IDPF_DESC_UNUSED(tx_q), IDPF_TX_WAKE_THRESH,
diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
index 828f7c444d309..1993a3b0da59b 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -2275,7 +2275,7 @@ static bool idpf_tx_clean_complq(struct idpf_compl_queue *complq, int budget,
/* Update BQL */
nq = netdev_get_tx_queue(tx_q->netdev, tx_q->idx);
- dont_wake = !complq_ok || np->state != __IDPF_VPORT_UP ||
+ dont_wake = !complq_ok || !test_bit(IDPF_VPORT_UP, np->state) ||
!netif_carrier_ok(tx_q->netdev);
/* Check if the TXQ needs to and can be restarted */
__netif_txq_completed_wake(nq, tx_q->cleaned_pkts, tx_q->cleaned_bytes,
diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
index fc03d55bc9b90..5bbe7d9294c14 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
@@ -68,7 +68,7 @@ static void idpf_handle_event_link(struct idpf_adapter *adapter,
vport->link_up = v2e->link_status;
- if (np->state != __IDPF_VPORT_UP)
+ if (!test_bit(IDPF_VPORT_UP, np->state))
return;
if (vport->link_up) {
@@ -2760,7 +2760,7 @@ int idpf_send_get_stats_msg(struct idpf_vport *vport)
/* Don't send get_stats message if the link is down */
- if (np->state <= __IDPF_VPORT_DOWN)
+ if (!test_bit(IDPF_VPORT_UP, np->state))
return 0;
stats_msg.vport_id = cpu_to_le32(vport->vport_id);
diff --git a/drivers/net/ethernet/intel/idpf/xdp.c b/drivers/net/ethernet/intel/idpf/xdp.c
index 21ce25b0567f6..958d16f874248 100644
--- a/drivers/net/ethernet/intel/idpf/xdp.c
+++ b/drivers/net/ethernet/intel/idpf/xdp.c
@@ -418,7 +418,7 @@ static int idpf_xdp_setup_prog(struct idpf_vport *vport,
if (test_bit(IDPF_REMOVE_IN_PROG, vport->adapter->flags) ||
!test_bit(IDPF_VPORT_REG_NETDEV, cfg->flags) ||
!!vport->xdp_prog == !!prog) {
- if (np->state == __IDPF_VPORT_UP)
+ if (test_bit(IDPF_VPORT_UP, np->state))
idpf_xdp_copy_prog_to_rqs(vport, prog);
old = xchg(&vport->xdp_prog, prog);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 125/181] idpf: detach and close netdevs while handling a reset
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 124/181] idpf: convert vport state to bitmap Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 126/181] idpf: fix memory leak in idpf_vport_rel() Greg Kroah-Hartman
` (69 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Tantilov, Madhu Chittim,
Samuel Salin, Tony Nguyen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Tantilov <emil.s.tantilov@intel.com>
[ Upstream commit 2e281e1155fc476c571c0bd2ffbfe28ab829a5c3 ]
Protect the reset path from callbacks by setting the netdevs to detached
state and close any netdevs in UP state until the reset handling has
completed. During a reset, the driver will de-allocate resources for the
vport, and there is no guarantee that those will recover, which is why the
existing vport_ctrl_lock does not provide sufficient protection.
idpf_detach_and_close() is called right before reset handling. If the
reset handling succeeds, the netdevs state is recovered via call to
idpf_attach_and_open(). If the reset handling fails the netdevs remain
down. The detach/down calls are protected with RTNL lock to avoid racing
with callbacks. On the recovery side the attach can be done without
holding the RTNL lock as there are no callbacks expected at that point,
due to detach/close always being done first in that flow.
The previous logic restoring the netdevs state based on the
IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence
the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is
still being used to restore the state of the netdevs following the reset,
but has no use outside of the reset handling flow.
idpf_init_hard_reset() is converted to void, since it was used as such and
there is no error handling being done based on its return value.
Before this change, invoking hard and soft resets simultaneously will
cause the driver to lose the vport state:
ip -br a
<inf> UP
echo 1 > /sys/class/net/ens801f0/device/reset& \
ethtool -L ens801f0 combined 8
ip -br a
<inf> DOWN
ip link set <inf> up
ip -br a
<inf> DOWN
Also in case of a failure in the reset path, the netdev is left
exposed to external callbacks, while vport resources are not
initialized, leading to a crash on subsequent ifup/down:
[408471.398966] idpf 0000:83:00.0: HW reset detected
[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated
[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2
[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078
[408508.126112] #PF: supervisor read access in kernel mode
[408508.126687] #PF: error_code(0x0000) - not-present page
[408508.127256] PGD 2aae2f067 P4D 0
[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI
...
[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]
...
[408508.139193] Call Trace:
[408508.139637] <TASK>
[408508.140077] __dev_close_many+0xbb/0x260
[408508.140533] __dev_change_flags+0x1cf/0x280
[408508.140987] netif_change_flags+0x26/0x70
[408508.141434] dev_change_flags+0x3d/0xb0
[408508.141878] devinet_ioctl+0x460/0x890
[408508.142321] inet_ioctl+0x18e/0x1d0
[408508.142762] ? _copy_to_user+0x22/0x70
[408508.143207] sock_do_ioctl+0x3d/0xe0
[408508.143652] sock_ioctl+0x10e/0x330
[408508.144091] ? find_held_lock+0x2b/0x80
[408508.144537] __x64_sys_ioctl+0x96/0xe0
[408508.144979] do_syscall_64+0x79/0x3d0
[408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[408508.145860] RIP: 0033:0x7f3e0bb4caff
Fixes: 0fe45467a104 ("idpf: add create vport and netdev configuration")
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_lib.c | 121 ++++++++++++---------
1 file changed, 72 insertions(+), 49 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index 313803c088478..a964e0f5891eb 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -729,6 +729,65 @@ static int idpf_init_mac_addr(struct idpf_vport *vport,
return 0;
}
+static void idpf_detach_and_close(struct idpf_adapter *adapter)
+{
+ int max_vports = adapter->max_vports;
+
+ for (int i = 0; i < max_vports; i++) {
+ struct net_device *netdev = adapter->netdevs[i];
+
+ /* If the interface is in detached state, that means the
+ * previous reset was not handled successfully for this
+ * vport.
+ */
+ if (!netif_device_present(netdev))
+ continue;
+
+ /* Hold RTNL to protect racing with callbacks */
+ rtnl_lock();
+ netif_device_detach(netdev);
+ if (netif_running(netdev)) {
+ set_bit(IDPF_VPORT_UP_REQUESTED,
+ adapter->vport_config[i]->flags);
+ dev_close(netdev);
+ }
+ rtnl_unlock();
+ }
+}
+
+static void idpf_attach_and_open(struct idpf_adapter *adapter)
+{
+ int max_vports = adapter->max_vports;
+
+ for (int i = 0; i < max_vports; i++) {
+ struct idpf_vport *vport = adapter->vports[i];
+ struct idpf_vport_config *vport_config;
+ struct net_device *netdev;
+
+ /* In case of a critical error in the init task, the vport
+ * will be freed. Only continue to restore the netdevs
+ * if the vport is allocated.
+ */
+ if (!vport)
+ continue;
+
+ /* No need for RTNL on attach as this function is called
+ * following detach and dev_close(). We do take RTNL for
+ * dev_open() below as it can race with external callbacks
+ * following the call to netif_device_attach().
+ */
+ netdev = adapter->netdevs[i];
+ netif_device_attach(netdev);
+ vport_config = adapter->vport_config[vport->idx];
+ if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED,
+ vport_config->flags)) {
+ rtnl_lock();
+ dev_open(netdev, NULL);
+ rtnl_unlock();
+ }
+ }
+}
+
/**
* idpf_cfg_netdev - Allocate, configure and register a netdev
* @vport: main vport structure
@@ -1041,10 +1100,11 @@ static void idpf_vport_dealloc(struct idpf_vport *vport)
idpf_idc_deinit_vport_aux_device(vport->vdev_info);
idpf_deinit_mac_addr(vport);
- idpf_vport_stop(vport, true);
- if (!test_bit(IDPF_HR_RESET_IN_PROG, adapter->flags))
+ if (!test_bit(IDPF_HR_RESET_IN_PROG, adapter->flags)) {
+ idpf_vport_stop(vport, true);
idpf_decfg_netdev(vport);
+ }
if (test_bit(IDPF_REMOVE_IN_PROG, adapter->flags))
idpf_del_all_mac_filters(vport);
@@ -1544,7 +1604,6 @@ void idpf_init_task(struct work_struct *work)
struct idpf_vport_config *vport_config;
struct idpf_vport_max_q max_q;
struct idpf_adapter *adapter;
- struct idpf_netdev_priv *np;
struct idpf_vport *vport;
u16 num_default_vports;
struct pci_dev *pdev;
@@ -1600,12 +1659,6 @@ void idpf_init_task(struct work_struct *work)
if (idpf_cfg_netdev(vport))
goto unwind_vports;
- /* Once state is put into DOWN, driver is ready for dev_open */
- np = netdev_priv(vport->netdev);
- clear_bit(IDPF_VPORT_UP, np->state);
- if (test_and_clear_bit(IDPF_VPORT_UP_REQUESTED, vport_config->flags))
- idpf_vport_open(vport, true);
-
/* Spawn and return 'idpf_init_task' work queue until all the
* default vports are created
*/
@@ -1781,27 +1834,6 @@ static int idpf_check_reset_complete(struct idpf_hw *hw,
return -EBUSY;
}
-/**
- * idpf_set_vport_state - Set the vport state to be after the reset
- * @adapter: Driver specific private structure
- */
-static void idpf_set_vport_state(struct idpf_adapter *adapter)
-{
- u16 i;
-
- for (i = 0; i < adapter->max_vports; i++) {
- struct idpf_netdev_priv *np;
-
- if (!adapter->netdevs[i])
- continue;
-
- np = netdev_priv(adapter->netdevs[i]);
- if (test_bit(IDPF_VPORT_UP, np->state))
- set_bit(IDPF_VPORT_UP_REQUESTED,
- adapter->vport_config[i]->flags);
- }
-}
-
/**
* idpf_init_hard_reset - Initiate a hardware reset
* @adapter: Driver specific private structure
@@ -1810,28 +1842,17 @@ static void idpf_set_vport_state(struct idpf_adapter *adapter)
* reallocate. Also reinitialize the mailbox. Return 0 on success,
* negative on failure.
*/
-static int idpf_init_hard_reset(struct idpf_adapter *adapter)
+static void idpf_init_hard_reset(struct idpf_adapter *adapter)
{
struct idpf_reg_ops *reg_ops = &adapter->dev_ops.reg_ops;
struct device *dev = &adapter->pdev->dev;
- struct net_device *netdev;
int err;
- u16 i;
+ idpf_detach_and_close(adapter);
mutex_lock(&adapter->vport_ctrl_lock);
dev_info(dev, "Device HW Reset initiated\n");
- /* Avoid TX hangs on reset */
- for (i = 0; i < adapter->max_vports; i++) {
- netdev = adapter->netdevs[i];
- if (!netdev)
- continue;
-
- netif_carrier_off(netdev);
- netif_tx_disable(netdev);
- }
-
/* Prepare for reset */
if (test_and_clear_bit(IDPF_HR_DRV_LOAD, adapter->flags)) {
reg_ops->trigger_reset(adapter, IDPF_HR_DRV_LOAD);
@@ -1840,7 +1861,6 @@ static int idpf_init_hard_reset(struct idpf_adapter *adapter)
idpf_idc_issue_reset_event(adapter->cdev_info);
- idpf_set_vport_state(adapter);
idpf_vc_core_deinit(adapter);
if (!is_reset)
reg_ops->trigger_reset(adapter, IDPF_HR_FUNC_RESET);
@@ -1887,11 +1907,14 @@ static int idpf_init_hard_reset(struct idpf_adapter *adapter)
unlock_mutex:
mutex_unlock(&adapter->vport_ctrl_lock);
- /* Wait until all vports are created to init RDMA CORE AUX */
- if (!err)
- err = idpf_idc_init(adapter);
-
- return err;
+ /* Attempt to restore netdevs and initialize RDMA CORE AUX device,
+ * provided vc_core_init succeeded. It is still possible that
+ * vports are not allocated at this point if the init task failed.
+ */
+ if (!err) {
+ idpf_attach_and_open(adapter);
+ idpf_idc_init(adapter);
+ }
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 126/181] idpf: fix memory leak in idpf_vport_rel()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 125/181] idpf: detach and close netdevs while handling a reset Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 127/181] idpf: fix memory leak in idpf_vc_core_deinit() Greg Kroah-Hartman
` (68 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Tantilov, Aleksandr Loktionov,
Madhu Chittim, Samuel Salin, Tony Nguyen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Tantilov <emil.s.tantilov@intel.com>
[ Upstream commit f6242b354605faff263ca45882b148200915a3f6 ]
Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory
during a reset. Reported by kmemleak:
unreferenced object 0xff450acac838a000 (size 4096):
comm "kworker/u258:5", pid 7732, jiffies 4296830044
hex dump (first 32 bytes):
00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ................
backtrace (crc 3da81902):
__kmalloc_cache_noprof+0x469/0x7a0
idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf]
idpf_init_task+0x1ec/0x8d0 [idpf]
process_one_work+0x226/0x6d0
worker_thread+0x19e/0x340
kthread+0x10f/0x250
ret_from_fork+0x251/0x2b0
ret_from_fork_asm+0x1a/0x30
Fixes: 0fe45467a104 ("idpf: add create vport and netdev configuration")
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_lib.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index a964e0f5891eb..04af10cfaa8cb 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -1082,6 +1082,8 @@ static void idpf_vport_rel(struct idpf_vport *vport)
kfree(adapter->vport_config[idx]->req_qs_chunks);
adapter->vport_config[idx]->req_qs_chunks = NULL;
}
+ kfree(vport->rx_ptype_lkup);
+ vport->rx_ptype_lkup = NULL;
kfree(vport);
adapter->num_alloc_vports--;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 127/181] idpf: fix memory leak in idpf_vc_core_deinit()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 126/181] idpf: fix memory leak in idpf_vport_rel() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 128/181] idpf: fix error handling in the init_task on load Greg Kroah-Hartman
` (67 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Tantilov, Aleksandr Loktionov,
Joshua Hay, Samuel Salin, Tony Nguyen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Tantilov <emil.s.tantilov@intel.com>
[ Upstream commit e111cbc4adf9f9974eed040aeece7e17460f6bff ]
Make sure to free hw->lan_regs. Reported by kmemleak during reset:
unreferenced object 0xff1b913d02a936c0 (size 96):
comm "kworker/u258:14", pid 2174, jiffies 4294958305
hex dump (first 32 bytes):
00 00 00 c0 a8 ba 2d ff 00 00 00 00 00 00 00 00 ......-.........
00 00 40 08 00 00 00 00 00 00 25 b3 a8 ba 2d ff ..@.......%...-.
backtrace (crc 36063c4f):
__kmalloc_noprof+0x48f/0x890
idpf_vc_core_init+0x6ce/0x9b0 [idpf]
idpf_vc_event_task+0x1fb/0x350 [idpf]
process_one_work+0x226/0x6d0
worker_thread+0x19e/0x340
kthread+0x10f/0x250
ret_from_fork+0x251/0x2b0
ret_from_fork_asm+0x1a/0x30
Fixes: 6aa53e861c1a ("idpf: implement get LAN MMIO memory regions")
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Joshua Hay <joshua.a.hay@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_virtchnl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
index 5bbe7d9294c14..01bbd12a642a0 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
@@ -3570,6 +3570,7 @@ int idpf_vc_core_init(struct idpf_adapter *adapter)
*/
void idpf_vc_core_deinit(struct idpf_adapter *adapter)
{
+ struct idpf_hw *hw = &adapter->hw;
bool remove_in_prog;
if (!test_bit(IDPF_VC_CORE_INIT, adapter->flags))
@@ -3593,6 +3594,9 @@ void idpf_vc_core_deinit(struct idpf_adapter *adapter)
idpf_vport_params_buf_rel(adapter);
+ kfree(hw->lan_regs);
+ hw->lan_regs = NULL;
+
kfree(adapter->vports);
adapter->vports = NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 128/181] idpf: fix error handling in the init_task on load
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 127/181] idpf: fix memory leak in idpf_vc_core_deinit() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 129/181] idpf: fix memory leak of flow steer list on rmmod Greg Kroah-Hartman
` (66 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vivek Kumar, Emil Tantilov,
Madhu Chittim, Samuel Salin, Tony Nguyen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Tantilov <emil.s.tantilov@intel.com>
[ Upstream commit 4d792219fe6f891b5b557a607ac8a0a14eda6e38 ]
If the init_task fails during a driver load, we end up without vports and
netdevs, effectively failing the entire process. In that state a
subsequent reset will result in a crash as the service task attempts to
access uninitialized resources. Following trace is from an error in the
init_task where the CREATE_VPORT (op 501) is rejected by the FW:
[40922.763136] idpf 0000:83:00.0: Device HW Reset initiated
[40924.449797] idpf 0000:83:00.0: Transaction failed (op 501)
[40958.148190] idpf 0000:83:00.0: HW reset detected
[40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8
...
[40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf]
[40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf]
...
[40958.177932] Call Trace:
[40958.178491] <TASK>
[40958.179040] process_one_work+0x226/0x6d0
[40958.179609] worker_thread+0x19e/0x340
[40958.180158] ? __pfx_worker_thread+0x10/0x10
[40958.180702] kthread+0x10f/0x250
[40958.181238] ? __pfx_kthread+0x10/0x10
[40958.181774] ret_from_fork+0x251/0x2b0
[40958.182307] ? __pfx_kthread+0x10/0x10
[40958.182834] ret_from_fork_asm+0x1a/0x30
[40958.183370] </TASK>
Fix the error handling in the init_task to make sure the service and
mailbox tasks are disabled if the error happens during load. These are
started in idpf_vc_core_init(), which spawns the init_task and has no way
of knowing if it failed. If the error happens on reset, following
successful driver load, the tasks can still run, as that will allow the
netdevs to attempt recovery through another reset. Stop the PTP callbacks
either way as those will be restarted by the call to idpf_vc_core_init()
during a successful reset.
Fixes: 0fe45467a104 ("idpf: add create vport and netdev configuration")
Reported-by: Vivek Kumar <iamvivekkumar@google.com>
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_lib.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index 04af10cfaa8cb..e2ee8b137421f 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -1690,10 +1690,9 @@ void idpf_init_task(struct work_struct *work)
set_bit(IDPF_VPORT_REG_NETDEV, vport_config->flags);
}
- /* As all the required vports are created, clear the reset flag
- * unconditionally here in case we were in reset and the link was down.
- */
+ /* Clear the reset and load bits as all vports are created */
clear_bit(IDPF_HR_RESET_IN_PROG, adapter->flags);
+ clear_bit(IDPF_HR_DRV_LOAD, adapter->flags);
/* Start the statistics task now */
queue_delayed_work(adapter->stats_wq, &adapter->stats_task,
msecs_to_jiffies(10 * (pdev->devfn & 0x07)));
@@ -1707,6 +1706,15 @@ void idpf_init_task(struct work_struct *work)
idpf_vport_dealloc(adapter->vports[index]);
}
}
+ /* Cleanup after vc_core_init, which has no way of knowing the
+ * init task failed on driver load.
+ */
+ if (test_and_clear_bit(IDPF_HR_DRV_LOAD, adapter->flags)) {
+ cancel_delayed_work_sync(&adapter->serv_task);
+ cancel_delayed_work_sync(&adapter->mbx_task);
+ }
+ idpf_ptp_release(adapter);
+
clear_bit(IDPF_HR_RESET_IN_PROG, adapter->flags);
}
@@ -1856,7 +1864,7 @@ static void idpf_init_hard_reset(struct idpf_adapter *adapter)
dev_info(dev, "Device HW Reset initiated\n");
/* Prepare for reset */
- if (test_and_clear_bit(IDPF_HR_DRV_LOAD, adapter->flags)) {
+ if (test_bit(IDPF_HR_DRV_LOAD, adapter->flags)) {
reg_ops->trigger_reset(adapter, IDPF_HR_DRV_LOAD);
} else if (test_and_clear_bit(IDPF_HR_FUNC_RESET, adapter->flags)) {
bool is_reset = idpf_is_reset_detected(adapter);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 129/181] idpf: fix memory leak of flow steer list on rmmod
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 128/181] idpf: fix error handling in the init_task on load Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 130/181] idpf: fix issue with ethtool -n command display Greg Kroah-Hartman
` (65 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, Aleksandr Loktionov,
Sreedevi Joshi, Simon Horman, Mina Almasry, Tony Nguyen,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sreedevi Joshi <sreedevi.joshi@intel.com>
[ Upstream commit f9841bd28b600526ca4f6713b0ca49bf7bb98452 ]
The flow steering list maintains entries that are added and removed as
ethtool creates and deletes flow steering rules. Module removal with active
entries causes memory leak as the list is not properly cleaned up.
Prevent this by iterating through the remaining entries in the list and
freeing the associated memory during module removal. Add a spinlock
(flow_steer_list_lock) to protect the list access from multiple threads.
Fixes: ada3e24b84a0 ("idpf: add flow steering support")
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Sreedevi Joshi <sreedevi.joshi@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Mina Almasry <almasrymina@google.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf.h | 2 ++
.../net/ethernet/intel/idpf/idpf_ethtool.c | 15 ++++++++--
drivers/net/ethernet/intel/idpf/idpf_lib.c | 28 ++++++++++++++++++-
3 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h
index 64142f8163fed..af8deb5fa80f0 100644
--- a/drivers/net/ethernet/intel/idpf/idpf.h
+++ b/drivers/net/ethernet/intel/idpf/idpf.h
@@ -558,6 +558,7 @@ struct idpf_vector_lifo {
* @max_q: Maximum possible queues
* @req_qs_chunks: Queue chunk data for requested queues
* @mac_filter_list_lock: Lock to protect mac filters
+ * @flow_steer_list_lock: Lock to protect fsteer filters
* @flags: See enum idpf_vport_config_flags
*/
struct idpf_vport_config {
@@ -565,6 +566,7 @@ struct idpf_vport_config {
struct idpf_vport_max_q max_q;
struct virtchnl2_add_queues *req_qs_chunks;
spinlock_t mac_filter_list_lock;
+ spinlock_t flow_steer_list_lock;
DECLARE_BITMAP(flags, IDPF_VPORT_CONFIG_FLAGS_NBITS);
};
diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
index eed166bc46f38..8477e7ba28706 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
@@ -18,6 +18,7 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd,
{
struct idpf_netdev_priv *np = netdev_priv(netdev);
struct idpf_vport_user_config_data *user_config;
+ struct idpf_vport_config *vport_config;
struct idpf_fsteer_fltr *f;
struct idpf_vport *vport;
unsigned int cnt = 0;
@@ -25,7 +26,8 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd,
idpf_vport_ctrl_lock(netdev);
vport = idpf_netdev_to_vport(netdev);
- user_config = &np->adapter->vport_config[np->vport_idx]->user_config;
+ vport_config = np->adapter->vport_config[np->vport_idx];
+ user_config = &vport_config->user_config;
switch (cmd->cmd) {
case ETHTOOL_GRXRINGS:
@@ -37,15 +39,18 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd,
break;
case ETHTOOL_GRXCLSRULE:
err = -EINVAL;
+ spin_lock_bh(&vport_config->flow_steer_list_lock);
list_for_each_entry(f, &user_config->flow_steer_list, list)
if (f->loc == cmd->fs.location) {
cmd->fs.ring_cookie = f->q_index;
err = 0;
break;
}
+ spin_unlock_bh(&vport_config->flow_steer_list_lock);
break;
case ETHTOOL_GRXCLSRLALL:
cmd->data = idpf_fsteer_max_rules(vport);
+ spin_lock_bh(&vport_config->flow_steer_list_lock);
list_for_each_entry(f, &user_config->flow_steer_list, list) {
if (cnt == cmd->rule_cnt) {
err = -EMSGSIZE;
@@ -56,6 +61,7 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd,
}
if (!err)
cmd->rule_cnt = user_config->num_fsteer_fltrs;
+ spin_unlock_bh(&vport_config->flow_steer_list_lock);
break;
default:
break;
@@ -224,6 +230,7 @@ static int idpf_add_flow_steer(struct net_device *netdev,
fltr->loc = fsp->location;
fltr->q_index = q_index;
+ spin_lock_bh(&vport_config->flow_steer_list_lock);
list_for_each_entry(f, &user_config->flow_steer_list, list) {
if (f->loc >= fltr->loc)
break;
@@ -234,6 +241,7 @@ static int idpf_add_flow_steer(struct net_device *netdev,
list_add(&fltr->list, &user_config->flow_steer_list);
user_config->num_fsteer_fltrs++;
+ spin_unlock_bh(&vport_config->flow_steer_list_lock);
out:
kfree(rule);
@@ -286,17 +294,20 @@ static int idpf_del_flow_steer(struct net_device *netdev,
goto out;
}
+ spin_lock_bh(&vport_config->flow_steer_list_lock);
list_for_each_entry_safe(f, iter,
&user_config->flow_steer_list, list) {
if (f->loc == fsp->location) {
list_del(&f->list);
kfree(f);
user_config->num_fsteer_fltrs--;
- goto out;
+ goto out_unlock;
}
}
err = -EINVAL;
+out_unlock:
+ spin_unlock_bh(&vport_config->flow_steer_list_lock);
out:
kfree(rule);
return err;
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index e2ee8b137421f..d56366e676cf7 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -442,6 +442,29 @@ int idpf_intr_req(struct idpf_adapter *adapter)
return err;
}
+/**
+ * idpf_del_all_flow_steer_filters - Delete all flow steer filters in list
+ * @vport: main vport struct
+ *
+ * Takes flow_steer_list_lock spinlock. Deletes all filters
+ */
+static void idpf_del_all_flow_steer_filters(struct idpf_vport *vport)
+{
+ struct idpf_vport_config *vport_config;
+ struct idpf_fsteer_fltr *f, *ftmp;
+
+ vport_config = vport->adapter->vport_config[vport->idx];
+
+ spin_lock_bh(&vport_config->flow_steer_list_lock);
+ list_for_each_entry_safe(f, ftmp, &vport_config->user_config.flow_steer_list,
+ list) {
+ list_del(&f->list);
+ kfree(f);
+ }
+ vport_config->user_config.num_fsteer_fltrs = 0;
+ spin_unlock_bh(&vport_config->flow_steer_list_lock);
+}
+
/**
* idpf_find_mac_filter - Search filter list for specific mac filter
* @vconfig: Vport config structure
@@ -1107,8 +1130,10 @@ static void idpf_vport_dealloc(struct idpf_vport *vport)
idpf_vport_stop(vport, true);
idpf_decfg_netdev(vport);
}
- if (test_bit(IDPF_REMOVE_IN_PROG, adapter->flags))
+ if (test_bit(IDPF_REMOVE_IN_PROG, adapter->flags)) {
idpf_del_all_mac_filters(vport);
+ idpf_del_all_flow_steer_filters(vport);
+ }
if (adapter->netdevs[i]) {
struct idpf_netdev_priv *np = netdev_priv(adapter->netdevs[i]);
@@ -1648,6 +1673,7 @@ void idpf_init_task(struct work_struct *work)
vport_config = adapter->vport_config[index];
spin_lock_init(&vport_config->mac_filter_list_lock);
+ spin_lock_init(&vport_config->flow_steer_list_lock);
INIT_LIST_HEAD(&vport_config->user_config.mac_filter_list);
INIT_LIST_HEAD(&vport_config->user_config.flow_steer_list);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 130/181] idpf: fix issue with ethtool -n command display
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 129/181] idpf: fix memory leak of flow steer list on rmmod Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 131/181] idpf: Fix RSS LUT NULL pointer crash on early ethtool operations Greg Kroah-Hartman
` (64 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Erik Gabriel Carrillo,
Sreedevi Joshi, Przemek Kitszel, Aleksandr Loktionov,
Simon Horman, Mina Almasry, Tony Nguyen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Erik Gabriel Carrillo <erik.g.carrillo@intel.com>
[ Upstream commit 36aae2ea6bd76b8246caa50e34a4f4824f0a3be8 ]
When ethtool -n is executed on an interface to display the flow steering
rules, "rxclass: Unknown flow type" error is generated.
The flow steering list maintained in the driver currently stores only the
location and q_index but other fields of the ethtool_rx_flow_spec are not
stored. This may be enough for the virtchnl command to delete the entry.
However, when the ethtool -n command is used to query the flow steering
rules, the ethtool_rx_flow_spec returned is not complete causing the
error below.
Resolve this by storing the flow spec (fsp) when rules are added and
returning the complete flow spec when rules are queried.
Also, change the return value from EINVAL to ENOENT when flow steering
entry is not found during query by location or when deleting an entry.
Add logic to detect and reject duplicate filter entries at the same
location and change logic to perform upfront validation of all error
conditions before adding flow rules through virtchnl. This avoids the
need for additional virtchnl delete messages when subsequent operations
fail, which was missing in the original upstream code.
Example:
Before the fix:
ethtool -n eth1
2 RX rings available
Total 2 rules
rxclass: Unknown flow type
rxclass: Unknown flow type
After the fix:
ethtool -n eth1
2 RX rings available
Total 2 rules
Filter: 0
Rule Type: TCP over IPv4
Src IP addr: 10.0.0.1 mask: 0.0.0.0
Dest IP addr: 0.0.0.0 mask: 255.255.255.255
TOS: 0x0 mask: 0xff
Src port: 0 mask: 0xffff
Dest port: 0 mask: 0xffff
Action: Direct to queue 0
Filter: 1
Rule Type: UDP over IPv4
Src IP addr: 10.0.0.1 mask: 0.0.0.0
Dest IP addr: 0.0.0.0 mask: 255.255.255.255
TOS: 0x0 mask: 0xff
Src port: 0 mask: 0xffff
Dest port: 0 mask: 0xffff
Action: Direct to queue 0
Fixes: ada3e24b84a0 ("idpf: add flow steering support")
Signed-off-by: Erik Gabriel Carrillo <erik.g.carrillo@intel.com>
Co-developed-by: Sreedevi Joshi <sreedevi.joshi@intel.com>
Signed-off-by: Sreedevi Joshi <sreedevi.joshi@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Mina Almasry <almasrymina@google.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf.h | 3 +-
.../net/ethernet/intel/idpf/idpf_ethtool.c | 59 ++++++++++++-------
2 files changed, 40 insertions(+), 22 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h
index af8deb5fa80f0..df64d252b5642 100644
--- a/drivers/net/ethernet/intel/idpf/idpf.h
+++ b/drivers/net/ethernet/intel/idpf/idpf.h
@@ -284,8 +284,7 @@ struct idpf_port_stats {
struct idpf_fsteer_fltr {
struct list_head list;
- u32 loc;
- u32 q_index;
+ struct ethtool_rx_flow_spec fs;
};
/**
diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
index 8477e7ba28706..8e9a93125b4aa 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
@@ -38,11 +38,15 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd,
cmd->data = idpf_fsteer_max_rules(vport);
break;
case ETHTOOL_GRXCLSRULE:
- err = -EINVAL;
+ err = -ENOENT;
spin_lock_bh(&vport_config->flow_steer_list_lock);
list_for_each_entry(f, &user_config->flow_steer_list, list)
- if (f->loc == cmd->fs.location) {
- cmd->fs.ring_cookie = f->q_index;
+ if (f->fs.location == cmd->fs.location) {
+ /* Avoid infoleak from padding: zero first,
+ * then assign fields
+ */
+ memset(&cmd->fs, 0, sizeof(cmd->fs));
+ cmd->fs = f->fs;
err = 0;
break;
}
@@ -56,7 +60,7 @@ static int idpf_get_rxnfc(struct net_device *netdev, struct ethtool_rxnfc *cmd,
err = -EMSGSIZE;
break;
}
- rule_locs[cnt] = f->loc;
+ rule_locs[cnt] = f->fs.location;
cnt++;
}
if (!err)
@@ -158,7 +162,7 @@ static int idpf_add_flow_steer(struct net_device *netdev,
struct idpf_vport *vport;
u32 flow_type, q_index;
u16 num_rxq;
- int err;
+ int err = 0;
vport = idpf_netdev_to_vport(netdev);
vport_config = vport->adapter->vport_config[np->vport_idx];
@@ -184,6 +188,29 @@ static int idpf_add_flow_steer(struct net_device *netdev,
if (!rule)
return -ENOMEM;
+ fltr = kzalloc(sizeof(*fltr), GFP_KERNEL);
+ if (!fltr) {
+ err = -ENOMEM;
+ goto out_free_rule;
+ }
+
+ /* detect duplicate entry and reject before adding rules */
+ spin_lock_bh(&vport_config->flow_steer_list_lock);
+ list_for_each_entry(f, &user_config->flow_steer_list, list) {
+ if (f->fs.location == fsp->location) {
+ err = -EEXIST;
+ break;
+ }
+
+ if (f->fs.location > fsp->location)
+ break;
+ parent = f;
+ }
+ spin_unlock_bh(&vport_config->flow_steer_list_lock);
+
+ if (err)
+ goto out;
+
rule->vport_id = cpu_to_le32(vport->vport_id);
rule->count = cpu_to_le32(1);
info = &rule->rule_info[0];
@@ -222,28 +249,20 @@ static int idpf_add_flow_steer(struct net_device *netdev,
goto out;
}
- fltr = kzalloc(sizeof(*fltr), GFP_KERNEL);
- if (!fltr) {
- err = -ENOMEM;
- goto out;
- }
+ /* Save a copy of the user's flow spec so ethtool can later retrieve it */
+ fltr->fs = *fsp;
- fltr->loc = fsp->location;
- fltr->q_index = q_index;
spin_lock_bh(&vport_config->flow_steer_list_lock);
- list_for_each_entry(f, &user_config->flow_steer_list, list) {
- if (f->loc >= fltr->loc)
- break;
- parent = f;
- }
-
parent ? list_add(&fltr->list, &parent->list) :
list_add(&fltr->list, &user_config->flow_steer_list);
user_config->num_fsteer_fltrs++;
spin_unlock_bh(&vport_config->flow_steer_list_lock);
+ goto out_free_rule;
out:
+ kfree(fltr);
+out_free_rule:
kfree(rule);
return err;
}
@@ -297,14 +316,14 @@ static int idpf_del_flow_steer(struct net_device *netdev,
spin_lock_bh(&vport_config->flow_steer_list_lock);
list_for_each_entry_safe(f, iter,
&user_config->flow_steer_list, list) {
- if (f->loc == fsp->location) {
+ if (f->fs.location == fsp->location) {
list_del(&f->list);
kfree(f);
user_config->num_fsteer_fltrs--;
goto out_unlock;
}
}
- err = -EINVAL;
+ err = -ENOENT;
out_unlock:
spin_unlock_bh(&vport_config->flow_steer_list_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 131/181] idpf: Fix RSS LUT NULL pointer crash on early ethtool operations
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 130/181] idpf: fix issue with ethtool -n command display Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 132/181] idpf: Fix RSS LUT configuration on down interfaces Greg Kroah-Hartman
` (63 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sreedevi Joshi, Sridhar Samudrala,
Emil Tantilov, Aleksandr Loktionov, Paul Menzel, Simon Horman,
Samuel Salin, Tony Nguyen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sreedevi Joshi <sreedevi.joshi@intel.com>
[ Upstream commit 83f38f210b85676f40ba8586b5a8edae19b56995 ]
The RSS LUT is not initialized until the interface comes up, causing
the following NULL pointer crash when ethtool operations like rxhash on/off
are performed before the interface is brought up for the first time.
Move RSS LUT initialization from ndo_open to vport creation to ensure LUT
is always available. This enables RSS configuration via ethtool before
bringing the interface up. Simplify LUT management by maintaining all
changes in the driver's soft copy and programming zeros to the indirection
table when rxhash is disabled. Defer HW programming until the interface
comes up if it is down during rxhash and LUT configuration changes.
Steps to reproduce:
** Load idpf driver; interfaces will be created
modprobe idpf
** Before bringing the interfaces up, turn rxhash off
ethtool -K eth2 rxhash off
[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000
[89408.371908] #PF: supervisor read access in kernel mode
[89408.371924] #PF: error_code(0x0000) - not-present page
[89408.371940] PGD 0 P4D 0
[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI
<snip>
[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130
[89408.372310] Call Trace:
[89408.372317] <TASK>
[89408.372326] ? idpf_set_features+0xfc/0x180 [idpf]
[89408.372363] __netdev_update_features+0x295/0xde0
[89408.372384] ethnl_set_features+0x15e/0x460
[89408.372406] genl_family_rcv_msg_doit+0x11f/0x180
[89408.372429] genl_rcv_msg+0x1ad/0x2b0
[89408.372446] ? __pfx_ethnl_set_features+0x10/0x10
[89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10
[89408.372482] netlink_rcv_skb+0x58/0x100
[89408.372502] genl_rcv+0x2c/0x50
[89408.372516] netlink_unicast+0x289/0x3e0
[89408.372533] netlink_sendmsg+0x215/0x440
[89408.372551] __sys_sendto+0x234/0x240
[89408.372571] __x64_sys_sendto+0x28/0x30
[89408.372585] x64_sys_call+0x1909/0x1da0
[89408.372604] do_syscall_64+0x7a/0xfa0
[89408.373140] ? clear_bhb_loop+0x60/0xb0
[89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[89408.378887] </TASK>
<snip>
Fixes: a251eee62133 ("idpf: add SRIOV support and other ndo_ops")
Signed-off-by: Sreedevi Joshi <sreedevi.joshi@intel.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Reviewed-by: Emil Tantilov <emil.s.tantilov@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf.h | 2 -
drivers/net/ethernet/intel/idpf/idpf_lib.c | 94 +++++++++----------
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 36 +++----
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 4 +-
.../net/ethernet/intel/idpf/idpf_virtchnl.c | 9 +-
5 files changed, 66 insertions(+), 79 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf.h b/drivers/net/ethernet/intel/idpf/idpf.h
index df64d252b5642..c74c47bc0b9b9 100644
--- a/drivers/net/ethernet/intel/idpf/idpf.h
+++ b/drivers/net/ethernet/intel/idpf/idpf.h
@@ -423,14 +423,12 @@ enum idpf_user_flags {
* @rss_key: RSS hash key
* @rss_lut_size: Size of RSS lookup table
* @rss_lut: RSS lookup table
- * @cached_lut: Used to restore previously init RSS lut
*/
struct idpf_rss_data {
u16 rss_key_size;
u8 *rss_key;
u16 rss_lut_size;
u32 *rss_lut;
- u32 *cached_lut;
};
/**
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index d56366e676cf7..51716e5a84ef3 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -1073,7 +1073,7 @@ static void idpf_vport_rel(struct idpf_vport *vport)
u16 idx = vport->idx;
vport_config = adapter->vport_config[vport->idx];
- idpf_deinit_rss(vport);
+ idpf_deinit_rss_lut(vport);
rss_data = &vport_config->user_config.rss_data;
kfree(rss_data->rss_key);
rss_data->rss_key = NULL;
@@ -1226,6 +1226,7 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
u16 idx = adapter->next_vport;
struct idpf_vport *vport;
u16 num_max_q;
+ int err;
if (idx == IDPF_NO_FREE_SLOT)
return NULL;
@@ -1276,10 +1277,11 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
idpf_vport_init(vport, max_q);
- /* This alloc is done separate from the LUT because it's not strictly
- * dependent on how many queues we have. If we change number of queues
- * and soft reset we'll need a new LUT but the key can remain the same
- * for as long as the vport exists.
+ /* LUT and key are both initialized here. Key is not strictly dependent
+ * on how many queues we have. If we change number of queues and soft
+ * reset is initiated, LUT will be freed and a new LUT will be allocated
+ * as per the updated number of queues during vport bringup. However,
+ * the key remains the same for as long as the vport exists.
*/
rss_data = &adapter->vport_config[idx]->user_config.rss_data;
rss_data->rss_key = kzalloc(rss_data->rss_key_size, GFP_KERNEL);
@@ -1289,6 +1291,11 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
/* Initialize default rss key */
netdev_rss_key_fill((void *)rss_data->rss_key, rss_data->rss_key_size);
+ /* Initialize default rss LUT */
+ err = idpf_init_rss_lut(vport);
+ if (err)
+ goto free_rss_key;
+
/* fill vport slot in the adapter struct */
adapter->vports[idx] = vport;
adapter->vport_ids[idx] = idpf_get_vport_id(vport);
@@ -1299,6 +1306,8 @@ static struct idpf_vport *idpf_vport_alloc(struct idpf_adapter *adapter,
return vport;
+free_rss_key:
+ kfree(rss_data->rss_key);
free_vector_idxs:
kfree(vport->q_vector_idxs);
free_vport:
@@ -1476,6 +1485,7 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
struct idpf_adapter *adapter = vport->adapter;
struct idpf_vport_config *vport_config;
+ struct idpf_rss_data *rss_data;
int err;
if (test_bit(IDPF_VPORT_UP, np->state))
@@ -1570,12 +1580,21 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
idpf_restore_features(vport);
vport_config = adapter->vport_config[vport->idx];
- if (vport_config->user_config.rss_data.rss_lut)
- err = idpf_config_rss(vport);
- else
- err = idpf_init_rss(vport);
+ rss_data = &vport_config->user_config.rss_data;
+
+ if (!rss_data->rss_lut) {
+ err = idpf_init_rss_lut(vport);
+ if (err) {
+ dev_err(&adapter->pdev->dev,
+ "Failed to initialize RSS LUT for vport %u: %d\n",
+ vport->vport_id, err);
+ goto disable_vport;
+ }
+ }
+
+ err = idpf_config_rss(vport);
if (err) {
- dev_err(&adapter->pdev->dev, "Failed to initialize RSS for vport %u: %d\n",
+ dev_err(&adapter->pdev->dev, "Failed to configure RSS for vport %u: %d\n",
vport->vport_id, err);
goto disable_vport;
}
@@ -1584,7 +1603,7 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
if (err) {
dev_err(&adapter->pdev->dev, "Failed to complete interface up for vport %u: %d\n",
vport->vport_id, err);
- goto deinit_rss;
+ goto disable_vport;
}
if (rtnl)
@@ -1592,8 +1611,6 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
return 0;
-deinit_rss:
- idpf_deinit_rss(vport);
disable_vport:
idpf_send_disable_vport_msg(vport);
disable_queues:
@@ -2051,7 +2068,7 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
idpf_vport_stop(vport, false);
}
- idpf_deinit_rss(vport);
+ idpf_deinit_rss_lut(vport);
/* We're passing in vport here because we need its wait_queue
* to send a message and it should be getting all the vport
* config data out of the adapter but we need to be careful not
@@ -2219,40 +2236,6 @@ static void idpf_set_rx_mode(struct net_device *netdev)
dev_err(dev, "Failed to set promiscuous mode: %d\n", err);
}
-/**
- * idpf_vport_manage_rss_lut - disable/enable RSS
- * @vport: the vport being changed
- *
- * In the event of disable request for RSS, this function will zero out RSS
- * LUT, while in the event of enable request for RSS, it will reconfigure RSS
- * LUT with the default LUT configuration.
- */
-static int idpf_vport_manage_rss_lut(struct idpf_vport *vport)
-{
- bool ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
- struct idpf_rss_data *rss_data;
- u16 idx = vport->idx;
- int lut_size;
-
- rss_data = &vport->adapter->vport_config[idx]->user_config.rss_data;
- lut_size = rss_data->rss_lut_size * sizeof(u32);
-
- if (ena) {
- /* This will contain the default or user configured LUT */
- memcpy(rss_data->rss_lut, rss_data->cached_lut, lut_size);
- } else {
- /* Save a copy of the current LUT to be restored later if
- * requested.
- */
- memcpy(rss_data->cached_lut, rss_data->rss_lut, lut_size);
-
- /* Zero out the current LUT to disable */
- memset(rss_data->rss_lut, 0, lut_size);
- }
-
- return idpf_config_rss(vport);
-}
-
/**
* idpf_set_features - set the netdev feature flags
* @netdev: ptr to the netdev being adjusted
@@ -2278,10 +2261,19 @@ static int idpf_set_features(struct net_device *netdev,
}
if (changed & NETIF_F_RXHASH) {
+ struct idpf_netdev_priv *np = netdev_priv(netdev);
+
netdev->features ^= NETIF_F_RXHASH;
- err = idpf_vport_manage_rss_lut(vport);
- if (err)
- goto unlock_mutex;
+
+ /* If the interface is not up when changing the rxhash, update
+ * to the HW is skipped. The updated LUT will be committed to
+ * the HW when the interface is brought up.
+ */
+ if (test_bit(IDPF_VPORT_UP, np->state)) {
+ err = idpf_config_rss(vport);
+ if (err)
+ goto unlock_mutex;
+ }
}
if (changed & NETIF_F_GRO_HW) {
diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
index 1993a3b0da59b..39553689ffdbf 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -4650,57 +4650,47 @@ static void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
- for (i = 0; i < rss_data->rss_lut_size; i++) {
+ for (i = 0; i < rss_data->rss_lut_size; i++)
rss_data->rss_lut[i] = i % num_active_rxq;
- rss_data->cached_lut[i] = rss_data->rss_lut[i];
- }
}
/**
- * idpf_init_rss - Allocate and initialize RSS resources
+ * idpf_init_rss_lut - Allocate and initialize RSS LUT
* @vport: virtual port
*
- * Return 0 on success, negative on failure
+ * Return: 0 on success, negative on failure
*/
-int idpf_init_rss(struct idpf_vport *vport)
+int idpf_init_rss_lut(struct idpf_vport *vport)
{
struct idpf_adapter *adapter = vport->adapter;
struct idpf_rss_data *rss_data;
- u32 lut_size;
rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
+ if (!rss_data->rss_lut) {
+ u32 lut_size;
- lut_size = rss_data->rss_lut_size * sizeof(u32);
- rss_data->rss_lut = kzalloc(lut_size, GFP_KERNEL);
- if (!rss_data->rss_lut)
- return -ENOMEM;
-
- rss_data->cached_lut = kzalloc(lut_size, GFP_KERNEL);
- if (!rss_data->cached_lut) {
- kfree(rss_data->rss_lut);
- rss_data->rss_lut = NULL;
-
- return -ENOMEM;
+ lut_size = rss_data->rss_lut_size * sizeof(u32);
+ rss_data->rss_lut = kzalloc(lut_size, GFP_KERNEL);
+ if (!rss_data->rss_lut)
+ return -ENOMEM;
}
/* Fill the default RSS lut values */
idpf_fill_dflt_rss_lut(vport);
- return idpf_config_rss(vport);
+ return 0;
}
/**
- * idpf_deinit_rss - Release RSS resources
+ * idpf_deinit_rss_lut - Release RSS LUT
* @vport: virtual port
*/
-void idpf_deinit_rss(struct idpf_vport *vport)
+void idpf_deinit_rss_lut(struct idpf_vport *vport)
{
struct idpf_adapter *adapter = vport->adapter;
struct idpf_rss_data *rss_data;
rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
- kfree(rss_data->cached_lut);
- rss_data->cached_lut = NULL;
kfree(rss_data->rss_lut);
rss_data->rss_lut = NULL;
}
diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
index 75b977094741f..7d20593bd8778 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -1086,8 +1086,8 @@ void idpf_vport_intr_deinit(struct idpf_vport *vport);
int idpf_vport_intr_init(struct idpf_vport *vport);
void idpf_vport_intr_ena(struct idpf_vport *vport);
int idpf_config_rss(struct idpf_vport *vport);
-int idpf_init_rss(struct idpf_vport *vport);
-void idpf_deinit_rss(struct idpf_vport *vport);
+int idpf_init_rss_lut(struct idpf_vport *vport);
+void idpf_deinit_rss_lut(struct idpf_vport *vport);
int idpf_rx_bufs_init_all(struct idpf_vport *vport);
struct idpf_q_vector *idpf_find_rxq_vec(const struct idpf_vport *vport,
diff --git a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
index 01bbd12a642a0..cb702eac86c80 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_virtchnl.c
@@ -2804,6 +2804,10 @@ int idpf_send_get_stats_msg(struct idpf_vport *vport)
* @vport: virtual port data structure
* @get: flag to set or get rss look up table
*
+ * When rxhash is disabled, RSS LUT will be configured with zeros. If rxhash
+ * is enabled, the LUT values stored in driver's soft copy will be used to setup
+ * the HW.
+ *
* Returns 0 on success, negative on failure.
*/
int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
@@ -2814,10 +2818,12 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
struct idpf_rss_data *rss_data;
int buf_size, lut_buf_size;
ssize_t reply_sz;
+ bool rxhash_ena;
int i;
rss_data =
&vport->adapter->vport_config[vport->idx]->user_config.rss_data;
+ rxhash_ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
buf_size = struct_size(rl, lut, rss_data->rss_lut_size);
rl = kzalloc(buf_size, GFP_KERNEL);
if (!rl)
@@ -2839,7 +2845,8 @@ int idpf_send_get_set_rss_lut_msg(struct idpf_vport *vport, bool get)
} else {
rl->lut_entries = cpu_to_le16(rss_data->rss_lut_size);
for (i = 0; i < rss_data->rss_lut_size; i++)
- rl->lut[i] = cpu_to_le32(rss_data->rss_lut[i]);
+ rl->lut[i] = rxhash_ena ?
+ cpu_to_le32(rss_data->rss_lut[i]) : 0;
xn_params.vc_op = VIRTCHNL2_OP_SET_RSS_LUT;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 132/181] idpf: Fix RSS LUT configuration on down interfaces
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 131/181] idpf: Fix RSS LUT NULL pointer crash on early ethtool operations Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 133/181] idpf: Fix RSS LUT NULL ptr issue after soft reset Greg Kroah-Hartman
` (62 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sreedevi Joshi, Aleksandr Loktionov,
Sridhar Samudrala, Emil Tantilov, Samuel Salin, Tony Nguyen,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sreedevi Joshi <sreedevi.joshi@intel.com>
[ Upstream commit 445b49d13787da2fe8d51891ee196e5077feef44 ]
RSS LUT provisioning and queries on a down interface currently return
silently without effect. Users should be able to configure RSS settings
even when the interface is down.
Fix by maintaining RSS configuration changes in the driver's soft copy and
deferring HW programming until the interface comes up.
Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
Signed-off-by: Sreedevi Joshi <sreedevi.joshi@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Reviewed-by: Emil Tantilov <emil.s.tantilov@intel.com>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_ethtool.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
index 8e9a93125b4aa..3e191cf528b69 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_ethtool.c
@@ -395,7 +395,10 @@ static u32 idpf_get_rxfh_indir_size(struct net_device *netdev)
* @netdev: network interface device structure
* @rxfh: pointer to param struct (indir, key, hfunc)
*
- * Reads the indirection table directly from the hardware. Always returns 0.
+ * RSS LUT and Key information are read from driver's cached
+ * copy. When rxhash is off, rss lut will be displayed as zeros.
+ *
+ * Return: 0 on success, -errno otherwise.
*/
static int idpf_get_rxfh(struct net_device *netdev,
struct ethtool_rxfh_param *rxfh)
@@ -403,10 +406,13 @@ static int idpf_get_rxfh(struct net_device *netdev,
struct idpf_netdev_priv *np = netdev_priv(netdev);
struct idpf_rss_data *rss_data;
struct idpf_adapter *adapter;
+ struct idpf_vport *vport;
+ bool rxhash_ena;
int err = 0;
u16 i;
idpf_vport_ctrl_lock(netdev);
+ vport = idpf_netdev_to_vport(netdev);
adapter = np->adapter;
@@ -416,9 +422,8 @@ static int idpf_get_rxfh(struct net_device *netdev,
}
rss_data = &adapter->vport_config[np->vport_idx]->user_config.rss_data;
- if (!test_bit(IDPF_VPORT_UP, np->state))
- goto unlock_mutex;
+ rxhash_ena = idpf_is_feature_ena(vport, NETIF_F_RXHASH);
rxfh->hfunc = ETH_RSS_HASH_TOP;
if (rxfh->key)
@@ -426,7 +431,7 @@ static int idpf_get_rxfh(struct net_device *netdev,
if (rxfh->indir) {
for (i = 0; i < rss_data->rss_lut_size; i++)
- rxfh->indir[i] = rss_data->rss_lut[i];
+ rxfh->indir[i] = rxhash_ena ? rss_data->rss_lut[i] : 0;
}
unlock_mutex:
@@ -466,8 +471,6 @@ static int idpf_set_rxfh(struct net_device *netdev,
}
rss_data = &adapter->vport_config[vport->idx]->user_config.rss_data;
- if (!test_bit(IDPF_VPORT_UP, np->state))
- goto unlock_mutex;
if (rxfh->hfunc != ETH_RSS_HASH_NO_CHANGE &&
rxfh->hfunc != ETH_RSS_HASH_TOP) {
@@ -483,7 +486,8 @@ static int idpf_set_rxfh(struct net_device *netdev,
rss_data->rss_lut[lut] = rxfh->indir[lut];
}
- err = idpf_config_rss(vport);
+ if (test_bit(IDPF_VPORT_UP, np->state))
+ err = idpf_config_rss(vport);
unlock_mutex:
idpf_vport_ctrl_unlock(netdev);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 133/181] idpf: Fix RSS LUT NULL ptr issue after soft reset
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 132/181] idpf: Fix RSS LUT configuration on down interfaces Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 134/181] idpf: Fix error handling in idpf_vport_open() Greg Kroah-Hartman
` (61 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sreedevi Joshi, Aleksandr Loktionov,
Sridhar Samudrala, Emil Tantilov, Simon Horman, Samuel Salin,
Tony Nguyen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sreedevi Joshi <sreedevi.joshi@intel.com>
[ Upstream commit ebecca5b093895da801b3eba1a55b4ec4027d196 ]
During soft reset, the RSS LUT is freed and not restored unless the
interface is up. If an ethtool command that accesses the rss lut is
attempted immediately after reset, it will result in NULL ptr
dereference. Also, there is no need to reset the rss lut if the soft reset
does not involve queue count change.
After soft reset, set the RSS LUT to default values based on the updated
queue count only if the reset was a result of a queue count change and
the LUT was not configured by the user. In all other cases, don't touch
the LUT.
Steps to reproduce:
** Bring the interface down (if up)
ifconfig eth1 down
** update the queue count (eg., 27->20)
ethtool -L eth1 combined 20
** display the RSS LUT
ethtool -x eth1
[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000
[82375.558373] #PF: supervisor read access in kernel mode
[82375.558391] #PF: error_code(0x0000) - not-present page
[82375.558408] PGD 0 P4D 0
[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI
<snip>
[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]
[82375.558786] Call Trace:
[82375.558793] <TASK>
[82375.558804] rss_prepare.isra.0+0x187/0x2a0
[82375.558827] rss_prepare_data+0x3a/0x50
[82375.558845] ethnl_default_doit+0x13d/0x3e0
[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180
[82375.558886] genl_rcv_msg+0x1ad/0x2b0
[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10
[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10
[82375.558937] netlink_rcv_skb+0x58/0x100
[82375.558957] genl_rcv+0x2c/0x50
[82375.558971] netlink_unicast+0x289/0x3e0
[82375.558988] netlink_sendmsg+0x215/0x440
[82375.559005] __sys_sendto+0x234/0x240
[82375.559555] __x64_sys_sendto+0x28/0x30
[82375.560068] x64_sys_call+0x1909/0x1da0
[82375.560576] do_syscall_64+0x7a/0xfa0
[82375.561076] ? clear_bhb_loop+0x60/0xb0
[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e
<snip>
Fixes: 02cbfba1add5 ("idpf: add ethtool callbacks")
Signed-off-by: Sreedevi Joshi <sreedevi.joshi@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Reviewed-by: Emil Tantilov <emil.s.tantilov@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_lib.c | 20 ++++----------------
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 2 +-
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 1 +
3 files changed, 6 insertions(+), 17 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index 51716e5a84ef3..003bab3ce5ae6 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -1484,8 +1484,6 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
{
struct idpf_netdev_priv *np = netdev_priv(vport->netdev);
struct idpf_adapter *adapter = vport->adapter;
- struct idpf_vport_config *vport_config;
- struct idpf_rss_data *rss_data;
int err;
if (test_bit(IDPF_VPORT_UP, np->state))
@@ -1579,19 +1577,6 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
idpf_restore_features(vport);
- vport_config = adapter->vport_config[vport->idx];
- rss_data = &vport_config->user_config.rss_data;
-
- if (!rss_data->rss_lut) {
- err = idpf_init_rss_lut(vport);
- if (err) {
- dev_err(&adapter->pdev->dev,
- "Failed to initialize RSS LUT for vport %u: %d\n",
- vport->vport_id, err);
- goto disable_vport;
- }
- }
-
err = idpf_config_rss(vport);
if (err) {
dev_err(&adapter->pdev->dev, "Failed to configure RSS for vport %u: %d\n",
@@ -2068,7 +2053,6 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
idpf_vport_stop(vport, false);
}
- idpf_deinit_rss_lut(vport);
/* We're passing in vport here because we need its wait_queue
* to send a message and it should be getting all the vport
* config data out of the adapter but we need to be careful not
@@ -2094,6 +2078,10 @@ int idpf_initiate_soft_reset(struct idpf_vport *vport,
if (err)
goto err_open;
+ if (reset_cause == IDPF_SR_Q_CHANGE &&
+ !netif_is_rxfh_configured(vport->netdev))
+ idpf_fill_dflt_rss_lut(vport);
+
if (vport_is_up)
err = idpf_vport_open(vport, false);
diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
index 39553689ffdbf..3698979b4c9ee 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -4641,7 +4641,7 @@ int idpf_config_rss(struct idpf_vport *vport)
* idpf_fill_dflt_rss_lut - Fill the indirection table with the default values
* @vport: virtual port structure
*/
-static void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
+void idpf_fill_dflt_rss_lut(struct idpf_vport *vport)
{
struct idpf_adapter *adapter = vport->adapter;
u16 num_active_rxq = vport->num_rxq;
diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
index 7d20593bd8778..0472698ca1927 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -1085,6 +1085,7 @@ void idpf_vport_intr_update_itr_ena_irq(struct idpf_q_vector *q_vector);
void idpf_vport_intr_deinit(struct idpf_vport *vport);
int idpf_vport_intr_init(struct idpf_vport *vport);
void idpf_vport_intr_ena(struct idpf_vport *vport);
+void idpf_fill_dflt_rss_lut(struct idpf_vport *vport);
int idpf_config_rss(struct idpf_vport *vport);
int idpf_init_rss_lut(struct idpf_vport *vport);
void idpf_deinit_rss_lut(struct idpf_vport *vport);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 134/181] idpf: Fix error handling in idpf_vport_open()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 133/181] idpf: Fix RSS LUT NULL ptr issue after soft reset Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 135/181] idpf: cap maximum Rx buffer size Greg Kroah-Hartman
` (60 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sreedevi Joshi, Madhu Chittim,
Aleksandr Loktionov, Simon Horman, Samuel Salin, Tony Nguyen,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sreedevi Joshi <sreedevi.joshi@intel.com>
[ Upstream commit 87b8ee64685bc096a087af833d4594b2332bfdb1 ]
Fix error handling to properly cleanup interrupts when
idpf_vport_queue_ids_init() or idpf_rx_bufs_init_all() fail. Jump to
'intr_deinit' instead of 'queues_rel' to ensure interrupts are cleaned up
before releasing other resources.
Fixes: d4d558718266 ("idpf: initialize interrupts and enable vport")
Signed-off-by: Sreedevi Joshi <sreedevi.joshi@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Samuel Salin <Samuel.salin@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_lib.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_lib.c b/drivers/net/ethernet/intel/idpf/idpf_lib.c
index 003bab3ce5ae6..131a8121839bd 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_lib.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_lib.c
@@ -1524,14 +1524,14 @@ static int idpf_vport_open(struct idpf_vport *vport, bool rtnl)
if (err) {
dev_err(&adapter->pdev->dev, "Failed to initialize queue registers for vport %u: %d\n",
vport->vport_id, err);
- goto queues_rel;
+ goto intr_deinit;
}
err = idpf_rx_bufs_init_all(vport);
if (err) {
dev_err(&adapter->pdev->dev, "Failed to initialize RX buffers for vport %u: %d\n",
vport->vport_id, err);
- goto queues_rel;
+ goto intr_deinit;
}
idpf_rx_init_buf_tail(vport);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 135/181] idpf: cap maximum Rx buffer size
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 134/181] idpf: Fix error handling in idpf_vport_open() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 136/181] idpf: fix aux device unplugging when rdma is not supported by vport Greg Kroah-Hartman
` (59 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Hay, Alexander Lobakin,
Madhu Chittim, Jacob Keller, Aleksandr Loktionov, David Decotigny,
Tony Nguyen, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hay <joshua.a.hay@intel.com>
[ Upstream commit 086efe0a1ecc36cffe46640ce12649a4cd3ff171 ]
The HW only supports a maximum Rx buffer size of 16K-128. On systems
using large pages, the libeth logic can configure the buffer size to be
larger than this. The upper bound is PAGE_SIZE while the lower bound is
MTU rounded up to the nearest power of 2. For example, ARM systems with
a 64K page size and an mtu of 9000 will set the Rx buffer size to 16K,
which will cause the config Rx queues message to fail.
Initialize the bufq/fill queue buf_len field to the maximum supported
size. This will trigger the libeth logic to cap the maximum Rx buffer
size by reducing the upper bound.
Fixes: 74d1412ac8f37 ("idpf: use libeth Rx buffer management for payload buffer")
Signed-off-by: Joshua Hay <joshua.a.hay@intel.com>
Acked-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: David Decotigny <ddecotig@google.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_txrx.c | 8 +++++---
drivers/net/ethernet/intel/idpf/idpf_txrx.h | 1 +
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.c b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
index 3698979b4c9ee..f66948f5de78b 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.c
@@ -695,9 +695,10 @@ static int idpf_rx_buf_alloc_singleq(struct idpf_rx_queue *rxq)
static int idpf_rx_bufs_init_singleq(struct idpf_rx_queue *rxq)
{
struct libeth_fq fq = {
- .count = rxq->desc_count,
- .type = LIBETH_FQE_MTU,
- .nid = idpf_q_vector_to_mem(rxq->q_vector),
+ .count = rxq->desc_count,
+ .type = LIBETH_FQE_MTU,
+ .buf_len = IDPF_RX_MAX_BUF_SZ,
+ .nid = idpf_q_vector_to_mem(rxq->q_vector),
};
int ret;
@@ -754,6 +755,7 @@ static int idpf_rx_bufs_init(struct idpf_buf_queue *bufq,
.truesize = bufq->truesize,
.count = bufq->desc_count,
.type = type,
+ .buf_len = IDPF_RX_MAX_BUF_SZ,
.hsplit = idpf_queue_has(HSPLIT_EN, bufq),
.xdp = idpf_xdp_enabled(bufq->q_vector->vport),
.nid = idpf_q_vector_to_mem(bufq->q_vector),
diff --git a/drivers/net/ethernet/intel/idpf/idpf_txrx.h b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
index 0472698ca1927..423cc9486dce7 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_txrx.h
+++ b/drivers/net/ethernet/intel/idpf/idpf_txrx.h
@@ -101,6 +101,7 @@ do { \
idx = 0; \
} while (0)
+#define IDPF_RX_MAX_BUF_SZ (16384 - 128)
#define IDPF_RX_BUF_STRIDE 32
#define IDPF_RX_BUF_POST_STRIDE 16
#define IDPF_LOW_WATERMARK 64
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 136/181] idpf: fix aux device unplugging when rdma is not supported by vport
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 135/181] idpf: cap maximum Rx buffer size Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 137/181] Revert "dsa: mv88e6xxx: make serdes SGMII/Fiber tx amplitude configurable" Greg Kroah-Hartman
` (58 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Madhu Chittim, Larysa Zaremba,
Paul Menzel, Aleksandr Loktionov, Krishneil Singh, Tony Nguyen,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Larysa Zaremba <larysa.zaremba@intel.com>
[ Upstream commit 4648fb2f2e7210c53b85220ee07d42d1e4bae3f9 ]
If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not
allocate vdev_info for this vport. This leads to kernel NULL pointer
dereference in idpf_idc_vport_dev_down(), which references vdev_info for
every vport regardless.
Check, if vdev_info was ever allocated before unplugging aux device.
Fixes: be91128c579c ("idpf: implement RDMA vport auxiliary dev create, init, and destroy")
Reviewed-by: Madhu Chittim <madhu.chittim@intel.com>
Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Krishneil Singh <krishneil.k.singh@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/idpf/idpf_idc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/idpf/idpf_idc.c b/drivers/net/ethernet/intel/idpf/idpf_idc.c
index 7e20a07e98e53..6dad0593f7f22 100644
--- a/drivers/net/ethernet/intel/idpf/idpf_idc.c
+++ b/drivers/net/ethernet/intel/idpf/idpf_idc.c
@@ -322,7 +322,7 @@ static void idpf_idc_vport_dev_down(struct idpf_adapter *adapter)
for (i = 0; i < adapter->num_alloc_vports; i++) {
struct idpf_vport *vport = adapter->vports[i];
- if (!vport)
+ if (!vport || !vport->vdev_info)
continue;
idpf_unplug_aux_dev(vport->vdev_info->adev);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 137/181] Revert "dsa: mv88e6xxx: make serdes SGMII/Fiber tx amplitude configurable"
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 136/181] idpf: fix aux device unplugging when rdma is not supported by vport Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 138/181] udp: call skb_orphan() before skb_attempt_defer_free() Greg Kroah-Hartman
` (57 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Holger Brunck, Vladimir Oltean,
Andrew Lunn, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 7801edc9badd972cb62cf11c0427e70b6dca239d ]
This reverts commit 926eae604403acfa27ba5b072af458e87e634a50, which
never could have produced the intended effect:
https://lore.kernel.org/netdev/AM0PR06MB10396BBF8B568D77556FC46F8F7DEA@AM0PR06MB10396.eurprd06.prod.outlook.com/
The reason why it is broken beyond repair in this form is that the
mv88e6xxx driver outsources its "tx-p2p-microvolt" property to the OF
node of an external Ethernet PHY. This:
(a) does not work if there is no external PHY (chip-to-chip connection,
or SFP module)
(b) pollutes the OF property namespace / bindings of said external PHY
("tx-p2p-microvolt" could have meaning for the Ethernet PHY's SerDes
interface as well)
We can revisit the idea of making SerDes amplitude configurable once we
have proper bindings for the mv88e6xxx SerDes. Until then, remove the
code that leaves us with unnecessary baggage.
Fixes: 926eae604403 ("dsa: mv88e6xxx: make serdes SGMII/Fiber tx amplitude configurable")
Cc: Holger Brunck <holger.brunck@hitachienergy.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260104093952.486606-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/mv88e6xxx/chip.c | 23 ---------------
drivers/net/dsa/mv88e6xxx/chip.h | 4 ---
drivers/net/dsa/mv88e6xxx/serdes.c | 46 ------------------------------
drivers/net/dsa/mv88e6xxx/serdes.h | 5 ----
4 files changed, 78 deletions(-)
diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index b4d48997bf467..09002c853b78e 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -3364,13 +3364,10 @@ static int mv88e6xxx_setup_upstream_port(struct mv88e6xxx_chip *chip, int port)
static int mv88e6xxx_setup_port(struct mv88e6xxx_chip *chip, int port)
{
- struct device_node *phy_handle = NULL;
struct fwnode_handle *ports_fwnode;
struct fwnode_handle *port_fwnode;
struct dsa_switch *ds = chip->ds;
struct mv88e6xxx_port *p;
- struct dsa_port *dp;
- int tx_amp;
int err;
u16 reg;
u32 val;
@@ -3582,23 +3579,6 @@ static int mv88e6xxx_setup_port(struct mv88e6xxx_chip *chip, int port)
return err;
}
- if (chip->info->ops->serdes_set_tx_amplitude) {
- dp = dsa_to_port(ds, port);
- if (dp)
- phy_handle = of_parse_phandle(dp->dn, "phy-handle", 0);
-
- if (phy_handle && !of_property_read_u32(phy_handle,
- "tx-p2p-microvolt",
- &tx_amp))
- err = chip->info->ops->serdes_set_tx_amplitude(chip,
- port, tx_amp);
- if (phy_handle) {
- of_node_put(phy_handle);
- if (err)
- return err;
- }
- }
-
/* Port based VLAN map: give each port the same default address
* database, and allow bidirectional communication between the
* CPU and DSA port(s), and the other ports.
@@ -4768,7 +4748,6 @@ static const struct mv88e6xxx_ops mv88e6176_ops = {
.serdes_irq_mapping = mv88e6352_serdes_irq_mapping,
.serdes_get_regs_len = mv88e6352_serdes_get_regs_len,
.serdes_get_regs = mv88e6352_serdes_get_regs,
- .serdes_set_tx_amplitude = mv88e6352_serdes_set_tx_amplitude,
.gpio_ops = &mv88e6352_gpio_ops,
.phylink_get_caps = mv88e6352_phylink_get_caps,
.pcs_ops = &mv88e6352_pcs_ops,
@@ -5044,7 +5023,6 @@ static const struct mv88e6xxx_ops mv88e6240_ops = {
.serdes_irq_mapping = mv88e6352_serdes_irq_mapping,
.serdes_get_regs_len = mv88e6352_serdes_get_regs_len,
.serdes_get_regs = mv88e6352_serdes_get_regs,
- .serdes_set_tx_amplitude = mv88e6352_serdes_set_tx_amplitude,
.gpio_ops = &mv88e6352_gpio_ops,
.avb_ops = &mv88e6352_avb_ops,
.ptp_ops = &mv88e6352_ptp_ops,
@@ -5481,7 +5459,6 @@ static const struct mv88e6xxx_ops mv88e6352_ops = {
.serdes_get_stats = mv88e6352_serdes_get_stats,
.serdes_get_regs_len = mv88e6352_serdes_get_regs_len,
.serdes_get_regs = mv88e6352_serdes_get_regs,
- .serdes_set_tx_amplitude = mv88e6352_serdes_set_tx_amplitude,
.phylink_get_caps = mv88e6352_phylink_get_caps,
.pcs_ops = &mv88e6352_pcs_ops,
};
diff --git a/drivers/net/dsa/mv88e6xxx/chip.h b/drivers/net/dsa/mv88e6xxx/chip.h
index 2f211e55cb47b..e073446ee7d02 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.h
+++ b/drivers/net/dsa/mv88e6xxx/chip.h
@@ -642,10 +642,6 @@ struct mv88e6xxx_ops {
void (*serdes_get_regs)(struct mv88e6xxx_chip *chip, int port,
void *_p);
- /* SERDES SGMII/Fiber Output Amplitude */
- int (*serdes_set_tx_amplitude)(struct mv88e6xxx_chip *chip, int port,
- int val);
-
/* Address Translation Unit operations */
int (*atu_get_hash)(struct mv88e6xxx_chip *chip, u8 *hash);
int (*atu_set_hash)(struct mv88e6xxx_chip *chip, u8 hash);
diff --git a/drivers/net/dsa/mv88e6xxx/serdes.c b/drivers/net/dsa/mv88e6xxx/serdes.c
index b3330211edbca..a936ee80ce006 100644
--- a/drivers/net/dsa/mv88e6xxx/serdes.c
+++ b/drivers/net/dsa/mv88e6xxx/serdes.c
@@ -25,14 +25,6 @@ static int mv88e6352_serdes_read(struct mv88e6xxx_chip *chip, int reg,
reg, val);
}
-static int mv88e6352_serdes_write(struct mv88e6xxx_chip *chip, int reg,
- u16 val)
-{
- return mv88e6xxx_phy_page_write(chip, MV88E6352_ADDR_SERDES,
- MV88E6352_SERDES_PAGE_FIBER,
- reg, val);
-}
-
static int mv88e6390_serdes_read(struct mv88e6xxx_chip *chip,
int lane, int device, int reg, u16 *val)
{
@@ -506,41 +498,3 @@ void mv88e6390_serdes_get_regs(struct mv88e6xxx_chip *chip, int port, void *_p)
p[i] = reg;
}
}
-
-static const int mv88e6352_serdes_p2p_to_reg[] = {
- /* Index of value in microvolts corresponds to the register value */
- 14000, 112000, 210000, 308000, 406000, 504000, 602000, 700000,
-};
-
-int mv88e6352_serdes_set_tx_amplitude(struct mv88e6xxx_chip *chip, int port,
- int val)
-{
- bool found = false;
- u16 ctrl, reg;
- int err;
- int i;
-
- err = mv88e6352_g2_scratch_port_has_serdes(chip, port);
- if (err <= 0)
- return err;
-
- for (i = 0; i < ARRAY_SIZE(mv88e6352_serdes_p2p_to_reg); ++i) {
- if (mv88e6352_serdes_p2p_to_reg[i] == val) {
- reg = i;
- found = true;
- break;
- }
- }
-
- if (!found)
- return -EINVAL;
-
- err = mv88e6352_serdes_read(chip, MV88E6352_SERDES_SPEC_CTRL2, &ctrl);
- if (err)
- return err;
-
- ctrl &= ~MV88E6352_SERDES_OUT_AMP_MASK;
- ctrl |= reg;
-
- return mv88e6352_serdes_write(chip, MV88E6352_SERDES_SPEC_CTRL2, ctrl);
-}
diff --git a/drivers/net/dsa/mv88e6xxx/serdes.h b/drivers/net/dsa/mv88e6xxx/serdes.h
index ad887d8601bcb..17a3e85fabaa3 100644
--- a/drivers/net/dsa/mv88e6xxx/serdes.h
+++ b/drivers/net/dsa/mv88e6xxx/serdes.h
@@ -29,8 +29,6 @@ struct phylink_link_state;
#define MV88E6352_SERDES_INT_FIBRE_ENERGY BIT(4)
#define MV88E6352_SERDES_INT_STATUS 0x13
-#define MV88E6352_SERDES_SPEC_CTRL2 0x1a
-#define MV88E6352_SERDES_OUT_AMP_MASK 0x0007
#define MV88E6341_PORT5_LANE 0x15
@@ -140,9 +138,6 @@ void mv88e6352_serdes_get_regs(struct mv88e6xxx_chip *chip, int port, void *_p);
int mv88e6390_serdes_get_regs_len(struct mv88e6xxx_chip *chip, int port);
void mv88e6390_serdes_get_regs(struct mv88e6xxx_chip *chip, int port, void *_p);
-int mv88e6352_serdes_set_tx_amplitude(struct mv88e6xxx_chip *chip, int port,
- int val);
-
/* Return the (first) SERDES lane address a port is using, -errno otherwise. */
static inline int mv88e6xxx_serdes_get_lane(struct mv88e6xxx_chip *chip,
int port)
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 138/181] udp: call skb_orphan() before skb_attempt_defer_free()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 137/181] Revert "dsa: mv88e6xxx: make serdes SGMII/Fiber tx amplitude configurable" Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 139/181] net: sfp: return the number of written bytes for smbus single byte access Greg Kroah-Hartman
` (56 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3e68572cf2286ce5ebe9,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit e5c8eda39a9fc1547d1398d707aa06c1d080abdd ]
Standard UDP receive path does not use skb->destructor.
But skmsg layer does use it, since it calls skb_set_owner_sk_safe()
from udp_read_skb().
This then triggers this warning in skb_attempt_defer_free():
DEBUG_NET_WARN_ON_ONCE(skb->destructor);
We must call skb_orphan() to fix this issue.
Fixes: 6471658dc66c ("udp: use skb_attempt_defer_free()")
Reported-by: syzbot+3e68572cf2286ce5ebe9@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/695b83bd.050a0220.1c9965.002b.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260105093630.1976085-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 30dfbf73729da..860bd61ff047f 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1851,6 +1851,7 @@ void skb_consume_udp(struct sock *sk, struct sk_buff *skb, int len)
sk_peek_offset_bwd(sk, len);
if (!skb_shared(skb)) {
+ skb_orphan(skb);
skb_attempt_defer_free(skb);
return;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 139/181] net: sfp: return the number of written bytes for smbus single byte access
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 138/181] udp: call skb_orphan() before skb_attempt_defer_free() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 140/181] net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy Greg Kroah-Hartman
` (55 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxime Chevallier <maxime.chevallier@bootlin.com>
[ Upstream commit 13ff3e724207f579d3c814ee05516fefcb4f32e8 ]
We expect the SFP write accessors to return the number of written bytes.
We fail to do so for single-byte smbus accesses, which may cause errors
when setting a module's high-power state and for some cotsworks modules.
Let's return the amount of written bytes, as expected.
Fixes: 7662abf4db94 ("net: phy: sfp: Add support for SMBus module access")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260105151840.144552-1-maxime.chevallier@bootlin.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index 0401fa6b24d25..6b4dd906b804f 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -763,7 +763,7 @@ static int sfp_smbus_byte_write(struct sfp *sfp, bool a2, u8 dev_addr,
dev_addr++;
}
- return 0;
+ return data - (u8 *)buf;
}
static int sfp_i2c_configure(struct sfp *sfp, struct i2c_adapter *i2c)
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 140/181] net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 139/181] net: sfp: return the number of written bytes for smbus single byte access Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 141/181] selftests: drv-net: Bring back tool() to driver __init__s Greg Kroah-Hartman
` (54 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8f1c492ffa4644ff3826,
Shivani Gupta, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shivani Gupta <shivani07g@gmail.com>
[ Upstream commit adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c ]
syzbot reported a crash in tc_act_in_hw() during netns teardown where
tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action
pointer, leading to an invalid dereference.
Guard against ERR_PTR entries when iterating the action IDR so teardown
does not call tc_act_in_hw() on an error pointer.
Fixes: 84a7d6797e6a ("net/sched: acp_api: no longer acquire RTNL in tc_action_net_exit()")
Link: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826
Reported-by: syzbot+8f1c492ffa4644ff3826@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8f1c492ffa4644ff3826
Signed-off-by: Shivani Gupta <shivani07g@gmail.com>
Link: https://patch.msgid.link/20260105005905.243423-1-shivani07g@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/act_api.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index ff6be5cfe2b05..e1ab0faeb8113 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -940,6 +940,8 @@ void tcf_idrinfo_destroy(const struct tc_action_ops *ops,
int ret;
idr_for_each_entry_ul(idr, p, tmp, id) {
+ if (IS_ERR(p))
+ continue;
if (tc_act_in_hw(p) && !mutex_taken) {
rtnl_lock();
mutex_taken = true;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 141/181] selftests: drv-net: Bring back tool() to driver __init__s
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 140/181] net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 6.18 142/181] net: netdevsim: fix inconsistent carrier state after link/unlink Greg Kroah-Hartman
` (53 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nimrod Oren, Gal Pressman,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 353cfc0ef3f34ef7fe313ae38dac37f2454a7cf5 ]
The pp_alloc_fail.py test (which doesn't run in NIPA CI?) uses tool, add
back the import.
Resolves:
ImportError: cannot import name 'tool' from 'lib.py'
Fixes: 68a052239fc4 ("selftests: drv-net: update remaining Python init files")
Reviewed-by: Nimrod Oren <noren@nvidia.com>
Signed-off-by: Gal Pressman <gal@nvidia.com>
Link: https://patch.msgid.link/20260105163319.47619-1-gal@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/drivers/net/hw/lib/py/__init__.py | 4 ++--
tools/testing/selftests/net/lib/py/__init__.py | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/drivers/net/hw/lib/py/__init__.py b/tools/testing/selftests/drivers/net/hw/lib/py/__init__.py
index fb010a48a5a19..a86f5c311fdcb 100644
--- a/tools/testing/selftests/drivers/net/hw/lib/py/__init__.py
+++ b/tools/testing/selftests/drivers/net/hw/lib/py/__init__.py
@@ -22,7 +22,7 @@ try:
NlError, RtnlFamily, DevlinkFamily, PSPFamily
from net.lib.py import CmdExitFailure
from net.lib.py import bkg, cmd, bpftool, bpftrace, defer, ethtool, \
- fd_read_timeout, ip, rand_port, wait_port_listen, wait_file
+ fd_read_timeout, ip, rand_port, wait_port_listen, wait_file, tool
from net.lib.py import KsftSkipEx, KsftFailEx, KsftXfailEx
from net.lib.py import ksft_disruptive, ksft_exit, ksft_pr, ksft_run, \
ksft_setup
@@ -37,7 +37,7 @@ try:
"CmdExitFailure",
"bkg", "cmd", "bpftool", "bpftrace", "defer", "ethtool",
"fd_read_timeout", "ip", "rand_port",
- "wait_port_listen", "wait_file",
+ "wait_port_listen", "wait_file", "tool",
"KsftSkipEx", "KsftFailEx", "KsftXfailEx",
"ksft_disruptive", "ksft_exit", "ksft_pr", "ksft_run",
"ksft_setup",
diff --git a/tools/testing/selftests/net/lib/py/__init__.py b/tools/testing/selftests/net/lib/py/__init__.py
index 97b7cf2b20eb9..8f2da17d53510 100644
--- a/tools/testing/selftests/net/lib/py/__init__.py
+++ b/tools/testing/selftests/net/lib/py/__init__.py
@@ -12,7 +12,7 @@ from .ksft import KsftFailEx, KsftSkipEx, KsftXfailEx, ksft_pr, ksft_eq, \
from .netns import NetNS, NetNSEnter
from .nsim import NetdevSim, NetdevSimDev
from .utils import CmdExitFailure, fd_read_timeout, cmd, bkg, defer, \
- bpftool, ip, ethtool, bpftrace, rand_port, wait_port_listen, wait_file
+ bpftool, ip, ethtool, bpftrace, rand_port, wait_port_listen, wait_file, tool
from .ynl import NlError, YnlFamily, EthtoolFamily, NetdevFamily, RtnlFamily, RtnlAddrFamily
from .ynl import NetshaperFamily, DevlinkFamily, PSPFamily
@@ -25,7 +25,7 @@ __all__ = ["KSRC",
"NetNS", "NetNSEnter",
"CmdExitFailure", "fd_read_timeout", "cmd", "bkg", "defer",
"bpftool", "ip", "ethtool", "bpftrace", "rand_port",
- "wait_port_listen", "wait_file",
+ "wait_port_listen", "wait_file", "tool",
"NetdevSim", "NetdevSimDev",
"NetshaperFamily", "DevlinkFamily", "PSPFamily", "NlError",
"YnlFamily", "EthtoolFamily", "NetdevFamily", "RtnlFamily",
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 142/181] net: netdevsim: fix inconsistent carrier state after link/unlink
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 141/181] selftests: drv-net: Bring back tool() to driver __init__s Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 143/181] block: dont merge bios with different app_tags Greg Kroah-Hartman
` (52 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yohei Kojima, Breno Leitao,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yohei Kojima <yk@y-koj.net>
[ Upstream commit d83dddffe1904e4a576d11a541878850a8e64cd2 ]
This patch fixes the edge case behavior on ifup/ifdown and
linking/unlinking two netdevsim interfaces:
1. unlink two interfaces netdevsim1 and netdevsim2
2. ifdown netdevsim1
3. ifup netdevsim1
4. link two interfaces netdevsim1 and netdevsim2
5. (Now two interfaces are linked in terms of netdevsim peer, but
carrier state of the two interfaces remains DOWN.)
This inconsistent behavior is caused by the current implementation,
which only cares about the "link, then ifup" order, not "ifup, then
link" order. This patch fixes the inconsistency by calling
netif_carrier_on() when two netdevsim interfaces are linked.
This patch fixes buggy behavior on NetworkManager-based systems which
causes the netdevsim test to fail with the following error:
# timeout set to 600
# selftests: drivers/net/netdevsim: peer.sh
# 2025/12/25 00:54:03 socat[9115] W address is opened in read-write mode but only supports read-only
# 2025/12/25 00:56:17 socat[9115] W connect(7, AF=2 192.168.1.1:1234, 16): Connection timed out
# 2025/12/25 00:56:17 socat[9115] E TCP:192.168.1.1:1234: Connection timed out
# expected 3 bytes, got 0
# 2025/12/25 00:56:17 socat[9109] W exiting on signal 15
not ok 13 selftests: drivers/net/netdevsim: peer.sh # exit=1
This patch also solves timeout on TCP Fast Open (TFO) test in
NetworkManager-based systems because it also depends on netdevsim's
carrier consistency.
Fixes: 1a8fed52f7be ("netdevsim: set the carrier when the device goes up")
Signed-off-by: Yohei Kojima <yk@y-koj.net>
Reviewed-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/602c9e1ba5bb2ee1997bb38b1d866c9c3b807ae9.1767624906.git.yk@y-koj.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/netdevsim/bus.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/netdevsim/bus.c b/drivers/net/netdevsim/bus.c
index 70e8c38ddad6b..d16b95304aa7e 100644
--- a/drivers/net/netdevsim/bus.c
+++ b/drivers/net/netdevsim/bus.c
@@ -332,6 +332,11 @@ static ssize_t link_device_store(const struct bus_type *bus, const char *buf, si
rcu_assign_pointer(nsim_a->peer, nsim_b);
rcu_assign_pointer(nsim_b->peer, nsim_a);
+ if (netif_running(dev_a) && netif_running(dev_b)) {
+ netif_carrier_on(dev_a);
+ netif_carrier_on(dev_b);
+ }
+
out_err:
put_net(ns_b);
put_net(ns_a);
@@ -381,6 +386,9 @@ static ssize_t unlink_device_store(const struct bus_type *bus, const char *buf,
if (!peer)
goto out_put_netns;
+ netif_carrier_off(dev);
+ netif_carrier_off(peer->netdev);
+
err = 0;
RCU_INIT_POINTER(nsim->peer, NULL);
RCU_INIT_POINTER(peer->peer, NULL);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 143/181] block: dont merge bios with different app_tags
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 6.18 142/181] net: netdevsim: fix inconsistent carrier state after link/unlink Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 144/181] trace: ftrace_dump_on_oops[] is not exported, make it static Greg Kroah-Hartman
` (51 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Caleb Sander Mateos, Jens Axboe,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Caleb Sander Mateos <csander@purestorage.com>
[ Upstream commit 6acd4ac5f8f0ec9b946875553e52907700bcfc77 ]
nvme_set_app_tag() uses the app_tag value from the bio_integrity_payload
of the struct request's first bio. This assumes all the request's bios
have the same app_tag. However, it is possible for bios with different
app_tag values to be merged into a single request.
Add a check in blk_integrity_merge_{bio,rq}() to prevent the merging of
bios/requests with different app_tag values if BIP_CHECK_APPTAG is set.
Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Fixes: 3d8b5a22d404 ("block: add support to pass user meta buffer")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-integrity.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/block/blk-integrity.c b/block/blk-integrity.c
index 9b27963680dc3..964eebbee14d0 100644
--- a/block/blk-integrity.c
+++ b/block/blk-integrity.c
@@ -140,14 +140,21 @@ EXPORT_SYMBOL_GPL(blk_rq_integrity_map_user);
bool blk_integrity_merge_rq(struct request_queue *q, struct request *req,
struct request *next)
{
+ struct bio_integrity_payload *bip, *bip_next;
+
if (blk_integrity_rq(req) == 0 && blk_integrity_rq(next) == 0)
return true;
if (blk_integrity_rq(req) == 0 || blk_integrity_rq(next) == 0)
return false;
- if (bio_integrity(req->bio)->bip_flags !=
- bio_integrity(next->bio)->bip_flags)
+ bip = bio_integrity(req->bio);
+ bip_next = bio_integrity(next->bio);
+ if (bip->bip_flags != bip_next->bip_flags)
+ return false;
+
+ if (bip->bip_flags & BIP_CHECK_APPTAG &&
+ bip->app_tag != bip_next->app_tag)
return false;
if (req->nr_integrity_segments + next->nr_integrity_segments >
@@ -163,15 +170,21 @@ bool blk_integrity_merge_rq(struct request_queue *q, struct request *req,
bool blk_integrity_merge_bio(struct request_queue *q, struct request *req,
struct bio *bio)
{
+ struct bio_integrity_payload *bip, *bip_bio = bio_integrity(bio);
int nr_integrity_segs;
- if (blk_integrity_rq(req) == 0 && bio_integrity(bio) == NULL)
+ if (blk_integrity_rq(req) == 0 && bip_bio == NULL)
return true;
- if (blk_integrity_rq(req) == 0 || bio_integrity(bio) == NULL)
+ if (blk_integrity_rq(req) == 0 || bip_bio == NULL)
+ return false;
+
+ bip = bio_integrity(req->bio);
+ if (bip->bip_flags != bip_bio->bip_flags)
return false;
- if (bio_integrity(req->bio)->bip_flags != bio_integrity(bio)->bip_flags)
+ if (bip->bip_flags & BIP_CHECK_APPTAG &&
+ bip->app_tag != bip_bio->app_tag)
return false;
nr_integrity_segs = blk_rq_count_integrity_sg(q, bio);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 144/181] trace: ftrace_dump_on_oops[] is not exported, make it static
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 143/181] block: dont merge bios with different app_tags Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 145/181] sparc/PCI: Correct 64-bit non-pref -> pref BAR resources Greg Kroah-Hartman
` (50 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Dooks, Steven Rostedt (Google),
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@codethink.co.uk>
[ Upstream commit 1e2ed4bfd50ace3c4272cfab7e9aa90956fb7ae0 ]
The ftrace_dump_on_oops string is not used outside of trace.c so
make it static to avoid the export warning from sparse:
kernel/trace/trace.c:141:6: warning: symbol 'ftrace_dump_on_oops' was not declared. Should it be static?
Fixes: dd293df6395a2 ("tracing: Move trace sysctls into trace.c")
Link: https://patch.msgid.link/20260106231054.84270-1-ben.dooks@codethink.co.uk
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index ddff2af3cd3f7..142e3b737f0bc 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -141,7 +141,7 @@ cpumask_var_t __read_mostly tracing_buffer_mask;
* by commas.
*/
/* Set to string format zero to disable by default */
-char ftrace_dump_on_oops[MAX_TRACER_SIZE] = "0";
+static char ftrace_dump_on_oops[MAX_TRACER_SIZE] = "0";
/* When set, tracing will stop when a WARN*() is hit */
static int __disable_trace_on_warning;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 145/181] sparc/PCI: Correct 64-bit non-pref -> pref BAR resources
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 144/181] trace: ftrace_dump_on_oops[] is not exported, make it static Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 146/181] HID: quirks: work around VID/PID conflict for appledisplay Greg Kroah-Hartman
` (49 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathaniel Roach, Ilpo Järvinen,
Bjorn Helgaas, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
[ Upstream commit bdb32359eab94013e80cf7e3d40a3fd4972da93a ]
SPARC T5-2 dts describes some PCI BARs as 64-bit resources without the
pref(etchable) bit (0x83... vs 0xc3... in assigned-addresses) for address
ranges above the 4G threshold. Such resources cannot be placed into a
non-prefetchable PCI bridge window that is capable only of 32-bit
addressing. As such, it looks like the platform is improperly described by
the dts.
The kernel detects this problem (see the IORESOURCE_PREFETCH check in
pci_find_parent_resource()) and fails to assign these BAR resources to the
resource tree due to lack of a compatible bridge window.
Prior to 754babaaf333 ("sparc/PCI: Remove pcibios_enable_device() as they
do nothing extra") SPARC arch code did not test whether device resources
were successfully in the resource tree when enabling a device, effectively
hiding the problem. After removing the arch-specific enable code,
pci_enable_resources() refuses to enable the device when it finds not all
mem resources are assigned, and therefore mpt3sas can't be enabled:
pci 0001:04:00.0: reg 0x14: [mem 0x801110000000-0x80111000ffff 64bit]
pci 0001:04:00.0: reg 0x1c: [mem 0x801110040000-0x80111007ffff 64bit]
pci 0001:04:00.0: BAR 1 [mem 0x801110000000-0x80111000ffff 64bit]: can't claim; no compatible bridge window
pci 0001:04:00.0: BAR 3 [mem 0x801110040000-0x80111007ffff 64bit]: can't claim; no compatible bridge window
mpt3sas 0001:04:00.0: BAR 1 [mem size 0x00010000 64bit]: not assigned; can't enable device
For clarity, this filtered log only shows failures for one mpt3sas device
but other devices fail similarly. In the reported case, the end result with
all the failures is an unbootable system.
Things appeared to "work" before 754babaaf333 ("sparc/PCI: Remove
pcibios_enable_device() as they do nothing extra") because the resource
tree is agnostic to whether PCI BAR resources are properly in the tree or
not. So as long as there was a parent resource (e.g. a root bus resource)
that contains the address range, the resource tree code just places
resource request underneath it without any consideration to the
intermediate BAR resource. While it worked, it's incorrect setup still.
Add an OF fixup to set the IORESOURCE_PREFETCH flag for a 64-bit PCI
resource that has the end address above 4G requiring placement into the
prefetchable window. Also log the issue.
Fixes: 754babaaf333 ("sparc/PCI: Remove pcibios_enable_device() as they do nothing extra")
Reported-by: Nathaniel Roach <nroach44@gmail.com>
Closes: https://github.com/sparclinux/issues/issues/22
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Nathaniel Roach <nroach44@gmail.com>
Link: https://patch.msgid.link/20251124170411.3709-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/sparc/kernel/pci.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/arch/sparc/kernel/pci.c b/arch/sparc/kernel/pci.c
index a9448088e762e..b290107170e94 100644
--- a/arch/sparc/kernel/pci.c
+++ b/arch/sparc/kernel/pci.c
@@ -181,6 +181,28 @@ static int __init ofpci_debug(char *str)
__setup("ofpci_debug=", ofpci_debug);
+static void of_fixup_pci_pref(struct pci_dev *dev, int index,
+ struct resource *res)
+{
+ struct pci_bus_region region;
+
+ if (!(res->flags & IORESOURCE_MEM_64))
+ return;
+
+ if (!resource_size(res))
+ return;
+
+ pcibios_resource_to_bus(dev->bus, ®ion, res);
+ if (region.end <= ~((u32)0))
+ return;
+
+ if (!(res->flags & IORESOURCE_PREFETCH)) {
+ res->flags |= IORESOURCE_PREFETCH;
+ pci_info(dev, "reg 0x%x: fixup: pref added to 64-bit resource\n",
+ index);
+ }
+}
+
static unsigned long pci_parse_of_flags(u32 addr0)
{
unsigned long flags = 0;
@@ -244,6 +266,7 @@ static void pci_parse_of_addrs(struct platform_device *op,
res->end = op_res->end;
res->flags = flags;
res->name = pci_name(dev);
+ of_fixup_pci_pref(dev, i, res);
pci_info(dev, "reg 0x%x: %pR\n", i, res);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 146/181] HID: quirks: work around VID/PID conflict for appledisplay
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 145/181] sparc/PCI: Correct 64-bit non-pref -> pref BAR resources Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 147/181] net: airoha: Fix schedule while atomic in airoha_ppe_deinit() Greg Kroah-Hartman
` (48 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Jiri Kosina,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
[ Upstream commit c7fabe4ad9219866c203164a214c474c95b36bf2 ]
For years I wondered why the Apple Cinema Display driver would not
just work for me. Turns out the hidraw driver instantly takes it
over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver.
Fixes: 069e8a65cd79 ("Driver for Apple Cinema Display")
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-quirks.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index c89a015686c07..6a8a7ca3d8047 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -232,6 +232,15 @@ static const struct hid_device_id hid_quirks[] = {
* used as a driver. See hid_scan_report().
*/
static const struct hid_device_id hid_have_special_driver[] = {
+#if IS_ENABLED(CONFIG_APPLEDISPLAY)
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921d) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9222) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9226) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9236) },
+#endif
#if IS_ENABLED(CONFIG_HID_A4TECH)
{ HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_WCP32PU) },
{ HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_X5_005D) },
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 147/181] net: airoha: Fix schedule while atomic in airoha_ppe_deinit()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 146/181] HID: quirks: work around VID/PID conflict for appledisplay Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 148/181] wifi: mac80211_hwsim: fix typo in frequency notification Greg Kroah-Hartman
` (47 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Paolo Abeni,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit 6abcf751bc084804a9e5b3051442e8a2ce67f48a ]
airoha_ppe_deinit() runs airoha_npu_ppe_deinit() in atomic context.
airoha_npu_ppe_deinit routine allocates ppe_data buffer with GFP_KERNEL
flag. Rely on rcu_replace_pointer in airoha_ppe_deinit routine in order
to fix schedule while atomic issue in airoha_npu_ppe_deinit() since we
do not need atomic context there.
Fixes: 00a7678310fe3 ("net: airoha: Introduce flowtable offload support")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260105-airoha-fw-ethtool-v2-1-3b32b158cc31@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/airoha/airoha_ppe.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/airoha/airoha_ppe.c b/drivers/net/ethernet/airoha/airoha_ppe.c
index c0e17035db18e..190d98970014f 100644
--- a/drivers/net/ethernet/airoha/airoha_ppe.c
+++ b/drivers/net/ethernet/airoha/airoha_ppe.c
@@ -1466,13 +1466,16 @@ void airoha_ppe_deinit(struct airoha_eth *eth)
{
struct airoha_npu *npu;
- rcu_read_lock();
- npu = rcu_dereference(eth->npu);
+ mutex_lock(&flow_offload_mutex);
+
+ npu = rcu_replace_pointer(eth->npu, NULL,
+ lockdep_is_held(&flow_offload_mutex));
if (npu) {
npu->ops.ppe_deinit(npu);
airoha_npu_put(npu);
}
- rcu_read_unlock();
+
+ mutex_unlock(&flow_offload_mutex);
rhashtable_destroy(ð->ppe->l2_flows);
rhashtable_destroy(ð->flow_table);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 148/181] wifi: mac80211_hwsim: fix typo in frequency notification
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 147/181] net: airoha: Fix schedule while atomic in airoha_ppe_deinit() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 149/181] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset Greg Kroah-Hartman
` (46 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Ilan Peer,
Miriam Rachel Korenblit, Johannes Berg, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <benjamin.berg@intel.com>
[ Upstream commit 333418872bfecf4843f1ded7a4151685dfcf07d5 ]
The NAN notification is for 5745 MHz which corresponds to channel 149
and not 5475 which is not actually a valid channel. This could result in
a NULL pointer dereference in cfg80211_next_nan_dw_notif.
Fixes: a37a6f54439b ("wifi: mac80211_hwsim: Add simulation support for NAN device")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20260107143652.7dab2035836f.Iacbaf7bb94ed5c14a0928a625827e4137d8bfede@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/virtual/mac80211_hwsim.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
index 5903d82e1ab1e..2f263d89d2d69 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -4040,7 +4040,7 @@ mac80211_hwsim_nan_dw_start(struct hrtimer *timer)
ieee80211_vif_to_wdev(data->nan_device_vif);
if (data->nan_curr_dw_band == NL80211_BAND_5GHZ)
- ch = ieee80211_get_channel(hw->wiphy, 5475);
+ ch = ieee80211_get_channel(hw->wiphy, 5745);
else
ch = ieee80211_get_channel(hw->wiphy, 2437);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 149/181] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 148/181] wifi: mac80211_hwsim: fix typo in frequency notification Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 150/181] net: usb: pegasus: fix memory leak in update_eth_regs_async() Greg Kroah-Hartman
` (45 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiang Mei, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit c1d73b1480235731e35c81df70b08f4714a7d095 ]
`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class
itself is active.
Two qfq_class objects may point to the same leaf_qdisc. This happens
when:
1. one QFQ qdisc is attached to the dev as the root qdisc, and
2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()
/ qdisc_put()) and is pending to be destroyed, as in function
tc_new_tfilter.
When packets are enqueued through the root QFQ qdisc, the shared
leaf_qdisc->q.qlen increases. At the same time, the second QFQ
qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters
qfq_reset() with its own q->q.qlen == 0, but its class's leaf
qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate
an inactive aggregate and trigger a null-deref in qfq_deactivate_agg:
[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 0.903571] #PF: supervisor write access in kernel mode
[ 0.903860] #PF: error_code(0x0002) - not-present page
[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0
[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI
[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE
[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))
[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0
Code starting with the faulting instruction
===========================================
0: 0f 84 4d 01 00 00 je 0x153
6: 48 89 70 18 mov %rsi,0x18(%rax)
a: 8b 4b 10 mov 0x10(%rbx),%ecx
d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx
14: 48 8b 78 08 mov 0x8(%rax),%rdi
18: 48 d3 e2 shl %cl,%rdx
1b: 48 21 f2 and %rsi,%rdx
1e: 48 2b 13 sub (%rbx),%rdx
21: 48 8b 30 mov (%rax),%rsi
24: 48 d3 ea shr %cl,%rdx
27: 8b 4b 18 mov 0x18(%rbx),%ecx
...
[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246
[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000
[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000
[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000
[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880
[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000
[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0
[ 0.910247] PKRU: 55555554
[ 0.910391] Call Trace:
[ 0.910527] <TASK>
[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)
[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)
[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)
[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)
[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)
[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)
[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
[ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)
[ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894)
[ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1))
[ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686)
[ 0.913077] ksys_write (fs/read_write.c:738)
[ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
[ 0.913687] RIP: 0033:0x424c34
[ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9
Code starting with the faulting instruction
===========================================
0: 89 02 mov %eax,(%rdx)
2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
9: eb bd jmp 0xffffffffffffffc8
b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
12: 00 00 00
15: 90 nop
16: f3 0f 1e fa endbr64
1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e
21: 74 13 je 0x36
23: b8 01 00 00 00 mov $0x1,%eax
28: 0f 05 syscall
2a: 09 .byte 0x9
[ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34
[ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003
[ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000
[ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28
[ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001
[ 0.917039] </TASK>
[ 0.917158] Modules linked in:
[ 0.917316] CR2: 0000000000000000
[ 0.917484] ---[ end trace 0000000000000000 ]---
[ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))
[ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0
Code starting with the faulting instruction
===========================================
0: 0f 84 4d 01 00 00 je 0x153
6: 48 89 70 18 mov %rsi,0x18(%rax)
a: 8b 4b 10 mov 0x10(%rbx),%ecx
d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx
14: 48 8b 78 08 mov 0x8(%rax),%rdi
18: 48 d3 e2 shl %cl,%rdx
1b: 48 21 f2 and %rsi,%rdx
1e: 48 2b 13 sub (%rbx),%rdx
21: 48 8b 30 mov (%rax),%rsi
24: 48 d3 ea shr %cl,%rdx
27: 8b 4b 18 mov 0x18(%rbx),%ecx
...
[ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246
[ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000
[ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000
[ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000
[ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880
[ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000
[ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0
[ 0.922097] PKRU: 55555554
[ 0.922240] Kernel panic - not syncing: Fatal exception
[ 0.922590] Kernel Offset: disabled
Fixes: 0545a3037773 ("pkt_sched: QFQ - quick fair queue scheduler")
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_qfq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index 2255355e51d35..a91a5bac8f737 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -1481,7 +1481,7 @@ static void qfq_reset_qdisc(struct Qdisc *sch)
for (i = 0; i < q->clhash.hashsize; i++) {
hlist_for_each_entry(cl, &q->clhash.hash[i], common.hnode) {
- if (cl->qdisc->q.qlen > 0)
+ if (cl_is_active(cl))
qfq_deactivate_class(q, cl);
qdisc_reset(cl->qdisc);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 150/181] net: usb: pegasus: fix memory leak in update_eth_regs_async()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 149/181] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 151/181] net: enetc: fix build warning when PAGE_SIZE is greater than 128K Greg Kroah-Hartman
` (44 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petko Manolov, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petko Manolov <petkan@nucleusys.com>
[ Upstream commit afa27621a28af317523e0836dad430bec551eb54 ]
When asynchronously writing to the device registers and if usb_submit_urb()
fail, the code fail to release allocated to this point resources.
Fixes: 323b34963d11 ("drivers: net: usb: pegasus: fix control urb submission")
Signed-off-by: Petko Manolov <petkan@nucleusys.com>
Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/pegasus.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index 81ca64debc5b9..c514483134f05 100644
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -168,6 +168,8 @@ static int update_eth_regs_async(pegasus_t *pegasus)
netif_device_detach(pegasus->net);
netif_err(pegasus, drv, pegasus->net,
"%s returned %d\n", __func__, ret);
+ usb_free_urb(async_urb);
+ kfree(req);
}
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 151/181] net: enetc: fix build warning when PAGE_SIZE is greater than 128K
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 150/181] net: usb: pegasus: fix memory leak in update_eth_regs_async() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 152/181] arp: do not assume dev_hard_header() does not change skb->head Greg Kroah-Hartman
` (43 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Wei Fang,
Frank Li, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 4b5bdabb5449b652122e43f507f73789041d4abe ]
The max buffer size of ENETC RX BD is 0xFFFF bytes, so if the PAGE_SIZE
is greater than 128K, ENETC_RXB_DMA_SIZE and ENETC_RXB_DMA_SIZE_XDP will
be greater than 0xFFFF, thus causing a build warning.
This will not cause any practical issues because ENETC is currently only
used on the ARM64 platform, and the max PAGE_SIZE is 64K. So this patch
is only for fixing the build warning that occurs when compiling ENETC
drivers for other platforms.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202601050637.kHEKKOG7-lkp@intel.com/
Fixes: e59bc32df2e9 ("net: enetc: correct the value of ENETC_RXB_TRUESIZE")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260107091204.1980222-1-wei.fang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/enetc.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h
index f279fa597991e..60c7205ea9ff5 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc.h
+++ b/drivers/net/ethernet/freescale/enetc/enetc.h
@@ -79,9 +79,9 @@ struct enetc_lso_t {
#define ENETC_RXB_TRUESIZE (PAGE_SIZE >> 1)
#define ENETC_RXB_PAD NET_SKB_PAD /* add extra space if needed */
#define ENETC_RXB_DMA_SIZE \
- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD)
+ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD, 0xffff)
#define ENETC_RXB_DMA_SIZE_XDP \
- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM)
+ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM, 0xffff)
struct enetc_rx_swbd {
dma_addr_t dma;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 152/181] arp: do not assume dev_hard_header() does not change skb->head
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 151/181] net: enetc: fix build warning when PAGE_SIZE is greater than 128K Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 153/181] ublk: fix use-after-free in ublk_partition_scan_work Greg Kroah-Hartman
` (42 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+58b44a770a1585795351,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c92510f5e3f82ba11c95991824a41e59a9c5ed81 ]
arp_create() is the only dev_hard_header() caller
making assumption about skb->head being unchanged.
A recent commit broke this assumption.
Initialize @arp pointer after dev_hard_header() call.
Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/arp.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 833f2cf97178e..3ce1664e8632a 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -564,7 +564,7 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
skb_reserve(skb, hlen);
skb_reset_network_header(skb);
- arp = skb_put(skb, arp_hdr_len(dev));
+ skb_put(skb, arp_hdr_len(dev));
skb->dev = dev;
skb->protocol = htons(ETH_P_ARP);
if (!src_hw)
@@ -572,12 +572,13 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
if (!dest_hw)
dest_hw = dev->broadcast;
- /*
- * Fill the device header for the ARP frame
+ /* Fill the device header for the ARP frame.
+ * Note: skb->head can be changed.
*/
if (dev_hard_header(skb, dev, ptype, dest_hw, src_hw, skb->len) < 0)
goto out;
+ arp = arp_hdr(skb);
/*
* Fill out the arp protocol part.
*
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 153/181] ublk: fix use-after-free in ublk_partition_scan_work
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 152/181] arp: do not assume dev_hard_header() does not change skb->head Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 154/181] irqchip/gic-v5: Fix gicv5_its_map_event() ITTE read endianness Greg Kroah-Hartman
` (41 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ruikai Peng, Ming Lei, Jens Axboe,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
[ Upstream commit f0d385f6689f37a2828c686fb279121df006b4cb ]
A race condition exists between the async partition scan work and device
teardown that can lead to a use-after-free of ub->ub_disk:
1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk()
2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does:
- del_gendisk(ub->ub_disk)
- ublk_detach_disk() sets ub->ub_disk = NULL
- put_disk() which may free the disk
3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk
leading to UAF
Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold
a reference to the disk during the partition scan. The spinlock in
ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker
either gets a valid reference or sees NULL and exits early.
Also change flush_work() to cancel_work_sync() to avoid running the
partition scan work unnecessarily when the disk is already detached.
Fixes: 7fc4da6a304b ("ublk: scan partition in async way")
Reported-by: Ruikai Peng <ruikai@pwno.io>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/ublk_drv.c | 37 ++++++++++++++++++++++---------------
1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index babb58d2dcaf7..e09c1b5999b75 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -255,20 +255,6 @@ static inline struct request *__ublk_check_and_get_req(struct ublk_device *ub,
u16 q_id, u16 tag, struct ublk_io *io, size_t offset);
static inline unsigned int ublk_req_build_flags(struct request *req);
-static void ublk_partition_scan_work(struct work_struct *work)
-{
- struct ublk_device *ub =
- container_of(work, struct ublk_device, partition_scan_work);
-
- if (WARN_ON_ONCE(!test_and_clear_bit(GD_SUPPRESS_PART_SCAN,
- &ub->ub_disk->state)))
- return;
-
- mutex_lock(&ub->ub_disk->open_mutex);
- bdev_disk_changed(ub->ub_disk, false);
- mutex_unlock(&ub->ub_disk->open_mutex);
-}
-
static inline struct ublksrv_io_desc *
ublk_get_iod(const struct ublk_queue *ubq, unsigned tag)
{
@@ -1663,6 +1649,27 @@ static void ublk_put_disk(struct gendisk *disk)
put_device(disk_to_dev(disk));
}
+static void ublk_partition_scan_work(struct work_struct *work)
+{
+ struct ublk_device *ub =
+ container_of(work, struct ublk_device, partition_scan_work);
+ /* Hold disk reference to prevent UAF during concurrent teardown */
+ struct gendisk *disk = ublk_get_disk(ub);
+
+ if (!disk)
+ return;
+
+ if (WARN_ON_ONCE(!test_and_clear_bit(GD_SUPPRESS_PART_SCAN,
+ &disk->state)))
+ goto out;
+
+ mutex_lock(&disk->open_mutex);
+ bdev_disk_changed(disk, false);
+ mutex_unlock(&disk->open_mutex);
+out:
+ ublk_put_disk(disk);
+}
+
/*
* Use this function to ensure that ->canceling is consistently set for
* the device and all queues. Do not set these flags directly.
@@ -2107,7 +2114,7 @@ static void ublk_stop_dev(struct ublk_device *ub)
mutex_lock(&ub->mutex);
ublk_stop_dev_unlocked(ub);
mutex_unlock(&ub->mutex);
- flush_work(&ub->partition_scan_work);
+ cancel_work_sync(&ub->partition_scan_work);
ublk_cancel_dev(ub);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 154/181] irqchip/gic-v5: Fix gicv5_its_map_event() ITTE read endianness
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 153/181] ublk: fix use-after-free in ublk_partition_scan_work Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 155/181] erofs: dont bother with s_stack_depth increasing for now Greg Kroah-Hartman
` (40 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Lorenzo Pieralisi,
Thomas Gleixner, Marc Zyngier, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Pieralisi <lpieralisi@kernel.org>
[ Upstream commit 1690eeb0cb2bb77096cb6c826b6849ef05013e34 ]
Kbuild bot (through sparse) reported that the ITTE read to carry out
a valid check in gicv5_its_map_event() lacks proper endianness handling.
Add the missing endianess conversion.
Fixes: 57d72196dfc8 ("irqchip/gic-v5: Add GICv5 ITS support")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Acked-by: Marc Zyngier <maz@kernel.org>
Link: https://patch.msgid.link/20251222102250.435460-1-lpieralisi@kernel.org
Closes: https://lore.kernel.org/oe-kbuild-all/202512131849.30ZRTBeR-lkp@intel.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-gic-v5-its.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-gic-v5-its.c b/drivers/irqchip/irq-gic-v5-its.c
index 554485f0be1fb..8e22134b9f486 100644
--- a/drivers/irqchip/irq-gic-v5-its.c
+++ b/drivers/irqchip/irq-gic-v5-its.c
@@ -849,7 +849,7 @@ static int gicv5_its_map_event(struct gicv5_its_dev *its_dev, u16 event_id, u32
itte = gicv5_its_device_get_itte_ref(its_dev, event_id);
- if (FIELD_GET(GICV5_ITTL2E_VALID, *itte))
+ if (FIELD_GET(GICV5_ITTL2E_VALID, le64_to_cpu(*itte)))
return -EEXIST;
itt_entry = FIELD_PREP(GICV5_ITTL2E_LPI_ID, lpi) |
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 155/181] erofs: dont bother with s_stack_depth increasing for now
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 154/181] irqchip/gic-v5: Fix gicv5_its_map_event() ITTE read endianness Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 156/181] erofs: fix file-backed mounts no longer working on EROFS partitions Greg Kroah-Hartman
` (39 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Timothée Ravier,
Alekséi Naidénov, Amir Goldstein, Alexander Larsson,
Zhiguo Niu, Chao Yu, Christian Brauner, Miklos Szeredi, Gao Xiang,
Sasha Levin, Dusty Mabe, Sheng Yong
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <hsiangkao@linux.alibaba.com>
[ Upstream commit 072a7c7cdbea4f91df854ee2bb216256cd619f2a ]
Previously, commit d53cd891f0e4 ("erofs: limit the level of fs stacking
for file-backed mounts") bumped `s_stack_depth` by one to avoid kernel
stack overflow when stacking an unlimited number of EROFS on top of
each other.
This fix breaks composefs mounts, which need EROFS+ovl^2 sometimes
(and such setups are already used in production for quite a long time).
One way to fix this regression is to bump FILESYSTEM_MAX_STACK_DEPTH
from 2 to 3, but proving that this is safe in general is a high bar.
After a long discussion on GitHub issues [1] about possible solutions,
one conclusion is that there is no need to support nesting file-backed
EROFS mounts on stacked filesystems, because there is always the option
to use loopback devices as a fallback.
As a quick fix for the composefs regression for this cycle, instead of
bumping `s_stack_depth` for file backed EROFS mounts, we disallow
nesting file-backed EROFS over EROFS and over filesystems with
`s_stack_depth` > 0.
This works for all known file-backed mount use cases (composefs,
containerd, and Android APEX for some Android vendors), and the fix is
self-contained.
Essentially, we are allowing one extra unaccounted fs stacking level of
EROFS below stacking filesystems, but EROFS can only be used in the read
path (i.e. overlayfs lower layers), which typically has much lower stack
usage than the write path.
We can consider increasing FILESYSTEM_MAX_STACK_DEPTH later, after more
stack usage analysis or using alternative approaches, such as splitting
the `s_stack_depth` limitation according to different combinations of
stacking.
Fixes: d53cd891f0e4 ("erofs: limit the level of fs stacking for file-backed mounts")
Reported-and-tested-by: Dusty Mabe <dusty@dustymabe.com>
Reported-by: Timothée Ravier <tim@siosm.fr>
Closes: https://github.com/coreos/fedora-coreos-tracker/issues/2087 [1]
Reported-by: "Alekséi Naidénov" <an@digitaltide.io>
Closes: https://lore.kernel.org/r/CAFHtUiYv4+=+JP_-JjARWjo6OwcvBj1wtYN=z0QXwCpec9sXtg@mail.gmail.com
Acked-by: Amir Goldstein <amir73il@gmail.com>
Acked-by: Alexander Larsson <alexl@redhat.com>
Reviewed-and-tested-by: Sheng Yong <shengyong1@xiaomi.com>
Reviewed-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/super.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/fs/erofs/super.c b/fs/erofs/super.c
index 937a215f626c1..e93264034b5db 100644
--- a/fs/erofs/super.c
+++ b/fs/erofs/super.c
@@ -644,14 +644,20 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc)
* fs contexts (including its own) due to self-controlled RO
* accesses/contexts and no side-effect changes that need to
* context save & restore so it can reuse the current thread
- * context. However, it still needs to bump `s_stack_depth` to
- * avoid kernel stack overflow from nested filesystems.
+ * context.
+ * However, we still need to prevent kernel stack overflow due
+ * to filesystem nesting: just ensure that s_stack_depth is 0
+ * to disallow mounting EROFS on stacked filesystems.
+ * Note: s_stack_depth is not incremented here for now, since
+ * EROFS is the only fs supporting file-backed mounts for now.
+ * It MUST change if another fs plans to support them, which
+ * may also require adjusting FILESYSTEM_MAX_STACK_DEPTH.
*/
if (erofs_is_fileio_mode(sbi)) {
- sb->s_stack_depth =
- file_inode(sbi->dif0.file)->i_sb->s_stack_depth + 1;
- if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
- erofs_err(sb, "maximum fs stacking depth exceeded");
+ inode = file_inode(sbi->dif0.file);
+ if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) ||
+ inode->i_sb->s_stack_depth) {
+ erofs_err(sb, "file-backed mounts cannot be applied to stacked fses");
return -ENOTBLK;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 156/181] erofs: fix file-backed mounts no longer working on EROFS partitions
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 155/181] erofs: dont bother with s_stack_depth increasing for now Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 157/181] btrfs: truncate ordered extent when skipping writeback past i_size Greg Kroah-Hartman
` (38 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sheng Yong, Gao Xiang,
Linus Torvalds, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <hsiangkao@linux.alibaba.com>
[ Upstream commit 7893cc12251f6f19e7689a4cf3ba803bddbd8437 ]
Sheng Yong reported [1] that Android APEX images didn't work with commit
072a7c7cdbea ("erofs: don't bother with s_stack_depth increasing for
now") because "EROFS-formatted APEX file images can be stored within an
EROFS-formatted Android system partition."
In response, I sent a quick fat-fingered [PATCH v3] to address the
report. Unfortunately, the updated condition was incorrect:
if (erofs_is_fileio_mode(sbi)) {
- sb->s_stack_depth =
- file_inode(sbi->dif0.file)->i_sb->s_stack_depth + 1;
- if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
- erofs_err(sb, "maximum fs stacking depth exceeded");
+ inode = file_inode(sbi->dif0.file);
+ if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) ||
+ inode->i_sb->s_stack_depth) {
The condition `!sb->s_bdev` is always true for all file-backed EROFS
mounts, making the check effectively a no-op.
The real fix tested and confirmed by Sheng Yong [2] at that time was
[PATCH v3 RESEND], which correctly ensures the following EROFS^2 setup
works:
EROFS (on a block device) + EROFS (file-backed mount)
But sadly I screwed it up again by upstreaming the outdated [PATCH v3].
This patch applies the same logic as the delta between the upstream
[PATCH v3] and the real fix [PATCH v3 RESEND].
Reported-by: Sheng Yong <shengyong1@xiaomi.com>
Closes: https://lore.kernel.org/r/3acec686-4020-4609-aee4-5dae7b9b0093@gmail.com [1]
Fixes: 072a7c7cdbea ("erofs: don't bother with s_stack_depth increasing for now")
Link: https://lore.kernel.org/r/243f57b8-246f-47e7-9fb1-27a771e8e9e8@gmail.com [2]
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/super.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/erofs/super.c b/fs/erofs/super.c
index e93264034b5db..5136cda5972a9 100644
--- a/fs/erofs/super.c
+++ b/fs/erofs/super.c
@@ -655,7 +655,8 @@ static int erofs_fc_fill_super(struct super_block *sb, struct fs_context *fc)
*/
if (erofs_is_fileio_mode(sbi)) {
inode = file_inode(sbi->dif0.file);
- if ((inode->i_sb->s_op == &erofs_sops && !sb->s_bdev) ||
+ if ((inode->i_sb->s_op == &erofs_sops &&
+ !inode->i_sb->s_bdev) ||
inode->i_sb->s_stack_depth) {
erofs_err(sb, "file-backed mounts cannot be applied to stacked fses");
return -ENOTBLK;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 157/181] btrfs: truncate ordered extent when skipping writeback past i_size
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 156/181] erofs: fix file-backed mounts no longer working on EROFS partitions Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 158/181] btrfs: use variable for end offset in extent_writepage_io() Greg Kroah-Hartman
` (37 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Anand Jain, Filipe Manana,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 18de34daa7c62c830be533aace6b7c271e8e95cf ]
While running test case btrfs/192 from fstests with support for large
folios (needs CONFIG_BTRFS_EXPERIMENTAL=y) I ended up getting very sporadic
btrfs check failures reporting that csum items were missing. Looking into
the issue it turned out that btrfs check searches for csum items of a file
extent item with a range that spans beyond the i_size of a file and we
don't have any, because the kernel's writeback code skips submitting bios
for ranges beyond eof. It's not expected however to find a file extent item
that crosses the rounded up (by the sector size) i_size value, but there is
a short time window where we can end up with a transaction commit leaving
this small inconsistency between the i_size and the last file extent item.
Example btrfs check output when this happens:
$ btrfs check /dev/sdc
Opening filesystem to check...
Checking filesystem on /dev/sdc
UUID: 69642c61-5efb-4367-aa31-cdfd4067f713
[1/8] checking log skipped (none written)
[2/8] checking root items
[3/8] checking extents
[4/8] checking free space tree
[5/8] checking fs roots
root 5 inode 332 errors 1000, some csum missing
ERROR: errors found in fs roots
(...)
Looking at a tree dump of the fs tree (root 5) for inode 332 we have:
$ btrfs inspect-internal dump-tree -t 5 /dev/sdc
(...)
item 28 key (332 INODE_ITEM 0) itemoff 2006 itemsize 160
generation 17 transid 19 size 610969 nbytes 86016
block group 0 mode 100666 links 1 uid 0 gid 0 rdev 0
sequence 11 flags 0x0(none)
atime 1759851068.391327881 (2025-10-07 16:31:08)
ctime 1759851068.410098267 (2025-10-07 16:31:08)
mtime 1759851068.410098267 (2025-10-07 16:31:08)
otime 1759851068.391327881 (2025-10-07 16:31:08)
item 29 key (332 INODE_REF 340) itemoff 1993 itemsize 13
index 2 namelen 3 name: f1f
item 30 key (332 EXTENT_DATA 589824) itemoff 1940 itemsize 53
generation 19 type 1 (regular)
extent data disk byte 21745664 nr 65536
extent data offset 0 nr 65536 ram 65536
extent compression 0 (none)
(...)
We can see that the file extent item for file offset 589824 has a length of
64K and its number of bytes is 64K. Looking at the inode item we see that
its i_size is 610969 bytes which falls within the range of that file extent
item [589824, 655360[.
Looking into the csum tree:
$ btrfs inspect-internal dump-tree /dev/sdc
(...)
item 15 key (EXTENT_CSUM EXTENT_CSUM 21565440) itemoff 991 itemsize 200
range start 21565440 end 21770240 length 204800
item 16 key (EXTENT_CSUM EXTENT_CSUM 1104576512) itemoff 983 itemsize 8
range start 1104576512 end 1104584704 length 8192
(..)
We see that the csum item number 15 covers the first 24K of the file extent
item - it ends at offset 21770240 and the extent's disk_bytenr is 21745664,
so we have:
21770240 - 21745664 = 24K
We see that the next csum item (number 16) is completely outside the range,
so the remaining 40K of the extent doesn't have csum items in the tree.
If we round up the i_size to the sector size, we get:
round_up(610969, 4096) = 614400
If we subtract from that the file offset for the extent item we get:
614400 - 589824 = 24K
So the missing 40K corresponds to the end of the file extent item's range
minus the rounded up i_size:
655360 - 614400 = 40K
Normally we don't expect a file extent item to span over the rounded up
i_size of an inode, since when truncating, doing hole punching and other
operations that trim a file extent item, the number of bytes is adjusted.
There is however a short time window where the kernel can end up,
temporarily,persisting an inode with an i_size that falls in the middle of
the last file extent item and the file extent item was not yet trimmed (its
number of bytes reduced so that it doesn't cross i_size rounded up by the
sector size).
The steps (in the kernel) that lead to such scenario are the following:
1) We have inode I as an empty file, no allocated extents, i_size is 0;
2) A buffered write is done for file range [589824, 655360[ (length of
64K) and the i_size is updated to 655360. Note that we got a single
large folio for the range (64K);
3) A truncate operation starts that reduces the inode's i_size down to
610969 bytes. The truncate sets the inode's new i_size at
btrfs_setsize() by calling truncate_setsize() and before calling
btrfs_truncate();
4) At btrfs_truncate() we trigger writeback for the range starting at
610304 (which is the new i_size rounded down to the sector size) and
ending at (u64)-1;
5) During the writeback, at extent_write_cache_pages(), we get from the
call to filemap_get_folios_tag(), the 64K folio that starts at file
offset 589824 since it contains the start offset of the writeback
range (610304);
6) At writepage_delalloc() we find the whole range of the folio is dirty
and therefore we run delalloc for that 64K range ([589824, 655360[),
reserving a 64K extent, creating an ordered extent, etc;
7) At extent_writepage_io() we submit IO only for subrange [589824, 614400[
because the inode's i_size is 610969 bytes (rounded up by sector size
is 614400). There, in the while loop we intentionally skip IO beyond
i_size to avoid any unnecessay work and just call
btrfs_mark_ordered_io_finished() for the range [614400, 655360[ (which
has a 40K length);
8) Once the IO finishes we finish the ordered extent by ending up at
btrfs_finish_one_ordered(), join transaction N, insert a file extent
item in the inode's subvolume tree for file offset 589824 with a number
of bytes of 64K, and update the inode's delayed inode item or directly
the inode item with a call to btrfs_update_inode_fallback(), which
results in storing the new i_size of 610969 bytes;
9) Transaction N is committed either by the transaction kthread or some
other task committed it (in response to a sync or fsync for example).
At this point we have inode I persisted with an i_size of 610969 bytes
and file extent item that starts at file offset 589824 and has a number
of bytes of 64K, ending at an offset of 655360 which is beyond the
i_size rounded up to the sector size (614400).
--> So after a crash or power failure here, the btrfs check program
reports that error about missing checksum items for this inode, as
it tries to lookup for checksums covering the whole range of the
extent;
10) Only after transaction N is committed that at btrfs_truncate() the
call to btrfs_start_transaction() starts a new transaction, N + 1,
instead of joining transaction N. And it's with transaction N + 1 that
it calls btrfs_truncate_inode_items() which updates the file extent
item at file offset 589824 to reduce its number of bytes from 64K down
to 24K, so that the file extent item's range ends at the i_size
rounded up to the sector size (614400 bytes).
Fix this by truncating the ordered extent at extent_writepage_io() when we
skip writeback because the current offset in the folio is beyond i_size.
This ensures we don't ever persist a file extent item with a number of
bytes beyond the rounded up (by sector size) value of the i_size.
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Anand Jain <asj@kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: e9e3b22ddfa7 ("btrfs: fix beyond-EOF write handling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent_io.c | 21 +++++++++++++++++++--
fs/btrfs/ordered-data.c | 5 +++--
2 files changed, 22 insertions(+), 4 deletions(-)
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -1692,13 +1692,13 @@ static noinline_for_stack int extent_wri
bool submitted_io = false;
int found_error = 0;
const u64 folio_start = folio_pos(folio);
+ const u64 folio_end = folio_start + folio_size(folio);
const unsigned int blocks_per_folio = btrfs_blocks_per_folio(fs_info, folio);
u64 cur;
int bit;
int ret = 0;
- ASSERT(start >= folio_start &&
- start + len <= folio_start + folio_size(folio));
+ ASSERT(start >= folio_start && start + len <= folio_end);
ret = btrfs_writepage_cow_fixup(folio);
if (ret == -EAGAIN) {
@@ -1725,6 +1725,23 @@ static noinline_for_stack int extent_wri
cur = folio_pos(folio) + (bit << fs_info->sectorsize_bits);
if (cur >= i_size) {
+ struct btrfs_ordered_extent *ordered;
+ unsigned long flags;
+
+ ordered = btrfs_lookup_first_ordered_range(inode, cur,
+ folio_end - cur);
+ /*
+ * We have just run delalloc before getting here, so
+ * there must be an ordered extent.
+ */
+ ASSERT(ordered != NULL);
+ spin_lock_irqsave(&inode->ordered_tree_lock, flags);
+ set_bit(BTRFS_ORDERED_TRUNCATED, &ordered->flags);
+ ordered->truncated_len = min(ordered->truncated_len,
+ cur - ordered->file_offset);
+ spin_unlock_irqrestore(&inode->ordered_tree_lock, flags);
+ btrfs_put_ordered_extent(ordered);
+
btrfs_mark_ordered_io_finished(inode, folio, cur,
start + len - cur, true);
/*
--- a/fs/btrfs/ordered-data.c
+++ b/fs/btrfs/ordered-data.c
@@ -1098,8 +1098,9 @@ struct btrfs_ordered_extent *btrfs_looku
struct rb_node *prev;
struct rb_node *next;
struct btrfs_ordered_extent *entry = NULL;
+ unsigned long flags;
- spin_lock_irq(&inode->ordered_tree_lock);
+ spin_lock_irqsave(&inode->ordered_tree_lock, flags);
node = inode->ordered_tree.rb_node;
/*
* Here we don't want to use tree_search() which will use tree->last
@@ -1154,7 +1155,7 @@ out:
trace_btrfs_ordered_extent_lookup_first_range(inode, entry);
}
- spin_unlock_irq(&inode->ordered_tree_lock);
+ spin_unlock_irqrestore(&inode->ordered_tree_lock, flags);
return entry;
}
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 158/181] btrfs: use variable for end offset in extent_writepage_io()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 157/181] btrfs: truncate ordered extent when skipping writeback past i_size Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 159/181] btrfs: fix beyond-EOF write handling Greg Kroah-Hartman
` (36 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Anand Jain, Filipe Manana,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 46a23908598f4b8e61483f04ea9f471b2affc58a ]
Instead of repeating the expression "start + len" multiple times, store it
in a variable and use it where needed.
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Anand Jain <asj@kernel.org>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: e9e3b22ddfa7 ("btrfs: fix beyond-EOF write handling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent_io.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -1691,6 +1691,7 @@ static noinline_for_stack int extent_wri
unsigned long range_bitmap = 0;
bool submitted_io = false;
int found_error = 0;
+ const u64 end = start + len;
const u64 folio_start = folio_pos(folio);
const u64 folio_end = folio_start + folio_size(folio);
const unsigned int blocks_per_folio = btrfs_blocks_per_folio(fs_info, folio);
@@ -1698,7 +1699,7 @@ static noinline_for_stack int extent_wri
int bit;
int ret = 0;
- ASSERT(start >= folio_start && start + len <= folio_end);
+ ASSERT(start >= folio_start && end <= folio_end);
ret = btrfs_writepage_cow_fixup(folio);
if (ret == -EAGAIN) {
@@ -1714,7 +1715,7 @@ static noinline_for_stack int extent_wri
return ret;
}
- for (cur = start; cur < start + len; cur += fs_info->sectorsize)
+ for (cur = start; cur < end; cur += fs_info->sectorsize)
set_bit((cur - folio_start) >> fs_info->sectorsize_bits, &range_bitmap);
bitmap_and(&bio_ctrl->submit_bitmap, &bio_ctrl->submit_bitmap, &range_bitmap,
blocks_per_folio);
@@ -1743,7 +1744,7 @@ static noinline_for_stack int extent_wri
btrfs_put_ordered_extent(ordered);
btrfs_mark_ordered_io_finished(inode, folio, cur,
- start + len - cur, true);
+ end - cur, true);
/*
* This range is beyond i_size, thus we don't need to
* bother writing back.
@@ -1752,8 +1753,7 @@ static noinline_for_stack int extent_wri
* writeback the sectors with subpage dirty bits,
* causing writeback without ordered extent.
*/
- btrfs_folio_clear_dirty(fs_info, folio, cur,
- start + len - cur);
+ btrfs_folio_clear_dirty(fs_info, folio, cur, end - cur);
break;
}
ret = submit_one_sector(inode, folio, cur, bio_ctrl, i_size);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 159/181] btrfs: fix beyond-EOF write handling
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 158/181] btrfs: use variable for end offset in extent_writepage_io() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 160/181] gpio: mpsse: ensure worker is torn down Greg Kroah-Hartman
` (35 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit e9e3b22ddfa760762b696ac6417c8d6edd182e49 ]
[BUG]
For the following write sequence with 64K page size and 4K fs block size,
it will lead to file extent items to be inserted without any data
checksum:
mkfs.btrfs -s 4k -f $dev > /dev/null
mount $dev $mnt
xfs_io -f -c "pwrite 0 16k" -c "pwrite 32k 4k" -c pwrite "60k 64K" \
-c "truncate 16k" $mnt/foobar
umount $mnt
This will result the following 2 file extent items to be inserted (extra
trace point added to insert_ordered_extent_file_extent()):
btrfs_finish_one_ordered: root=5 ino=257 file_off=61440 num_bytes=4096 csum_bytes=0
btrfs_finish_one_ordered: root=5 ino=257 file_off=0 num_bytes=16384 csum_bytes=16384
Note for file offset 60K, we're inserting a file extent without any
data checksum.
Also note that range [32K, 36K) didn't reach
insert_ordered_extent_file_extent(), which is the correct behavior as
that OE is fully truncated, should not result any file extent.
Although file extent at 60K will be later dropped by btrfs_truncate(),
if the transaction got committed after file extent inserted but before
the file extent dropping, we will have a small window where we have a
file extent beyond EOF and without any data checksum.
That will cause "btrfs check" to report error.
[CAUSE]
The sequence happens like this:
- Buffered write dirtied the page cache and updated isize
Now the inode size is 64K, with the following page cache layout:
0 16K 32K 48K 64K
|/////////////| |//| |//|
- Truncate the inode to 16K
Which will trigger writeback through:
btrfs_setsize()
|- truncate_setsize()
| Now the inode size is set to 16K
|
|- btrfs_truncate()
|- btrfs_wait_ordered_range() for [16K, u64(-1)]
|- btrfs_fdatawrite_range() for [16K, u64(-1)}
|- extent_writepage() for folio 0
|- writepage_delalloc()
| Generated OE for [0, 16K), [32K, 36K] and [60K, 64K)
|
|- extent_writepage_io()
Then inside extent_writepage_io(), the dirty fs blocks are handled
differently:
- Submit write for range [0, 16K)
As they are still inside the inode size (16K).
- Mark OE [32K, 36K) as truncated
Since we only call btrfs_lookup_first_ordered_range() once, which
returned the first OE after file offset 16K.
- Mark all OEs inside range [16K, 64K) as finished
Which will mark OE ranges [32K, 36K) and [60K, 64K) as finished.
For OE [32K, 36K) since it's already marked as truncated, and its
truncated length is 0, no file extent will be inserted.
For OE [60K, 64K) it has never been submitted thus has no data
checksum, and we insert the file extent as usual.
This is the root cause of file extent at 60K to be inserted without
any data checksum.
- Clear dirty flags for range [16K, 64K)
It is the function btrfs_folio_clear_dirty() which searches and clears
any dirty blocks inside that range.
[FIX]
The bug itself was introduced a long time ago, way before subpage and
large folio support.
At that time, fs block size must match page size, thus the range
[cur, end) is just one fs block.
But later with subpage and large folios, the same range [cur, end)
can have multiple blocks and ordered extents.
Later commit 18de34daa7c6 ("btrfs: truncate ordered extent when skipping
writeback past i_size") was fixing a bug related to subpage/large
folios, but it's still utilizing the old range [cur, end), meaning only
the first OE will be marked as truncated.
The proper fix here is to make EOF handling block-by-block, not trying
to handle the whole range to @end.
By this we always locate and truncate the OE for every dirty block.
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent_io.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -1730,7 +1730,7 @@ static noinline_for_stack int extent_wri
unsigned long flags;
ordered = btrfs_lookup_first_ordered_range(inode, cur,
- folio_end - cur);
+ fs_info->sectorsize);
/*
* We have just run delalloc before getting here, so
* there must be an ordered extent.
@@ -1744,7 +1744,7 @@ static noinline_for_stack int extent_wri
btrfs_put_ordered_extent(ordered);
btrfs_mark_ordered_io_finished(inode, folio, cur,
- end - cur, true);
+ fs_info->sectorsize, true);
/*
* This range is beyond i_size, thus we don't need to
* bother writing back.
@@ -1753,8 +1753,8 @@ static noinline_for_stack int extent_wri
* writeback the sectors with subpage dirty bits,
* causing writeback without ordered extent.
*/
- btrfs_folio_clear_dirty(fs_info, folio, cur, end - cur);
- break;
+ btrfs_folio_clear_dirty(fs_info, folio, cur, fs_info->sectorsize);
+ continue;
}
ret = submit_one_sector(inode, folio, cur, bio_ctrl, i_size);
if (unlikely(ret < 0)) {
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 160/181] gpio: mpsse: ensure worker is torn down
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 159/181] btrfs: fix beyond-EOF write handling Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 161/181] gpio: mpsse: add quirk support Greg Kroah-Hartman
` (34 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mary Strodl, Linus Walleij,
Bartosz Golaszewski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mary Strodl <mstrodl@csh.rit.edu>
[ Upstream commit 179ef1127d7a4f09f0e741fa9f30b8a8e7886271 ]
When an IRQ worker is running, unplugging the device would cause a
crash. The sealevel hardware this driver was written for was not
hotpluggable, so I never realized it.
This change uses a spinlock to protect a list of workers, which
it tears down on disconnect.
Signed-off-by: Mary Strodl <mstrodl@csh.rit.edu>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20251014133530.3592716-3-mstrodl@csh.rit.edu
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Stable-dep-of: 1e876e5a0875 ("gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-mpsse.c | 106 ++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 99 insertions(+), 7 deletions(-)
--- a/drivers/gpio/gpio-mpsse.c
+++ b/drivers/gpio/gpio-mpsse.c
@@ -10,6 +10,7 @@
#include <linux/cleanup.h>
#include <linux/gpio/driver.h>
#include <linux/mutex.h>
+#include <linux/spinlock.h>
#include <linux/usb.h>
struct mpsse_priv {
@@ -17,8 +18,10 @@ struct mpsse_priv {
struct usb_device *udev; /* USB device encompassing all MPSSEs */
struct usb_interface *intf; /* USB interface for this MPSSE */
u8 intf_id; /* USB interface number for this MPSSE */
- struct work_struct irq_work; /* polling work thread */
+ struct list_head workers; /* polling work threads */
struct mutex irq_mutex; /* lock over irq_data */
+ struct mutex irq_race; /* race for polling worker teardown */
+ raw_spinlock_t irq_spin; /* protects worker list */
atomic_t irq_type[16]; /* pin -> edge detection type */
atomic_t irq_enabled;
int id;
@@ -34,6 +37,14 @@ struct mpsse_priv {
struct mutex io_mutex; /* sync I/O with disconnect */
};
+struct mpsse_worker {
+ struct mpsse_priv *priv;
+ struct work_struct work;
+ atomic_t cancelled;
+ struct list_head list; /* linked list */
+ struct list_head destroy; /* teardown linked list */
+};
+
struct bulk_desc {
bool tx; /* direction of bulk transfer */
u8 *data; /* input (tx) or output (rx) */
@@ -284,18 +295,62 @@ static int gpio_mpsse_get_direction(stru
return ret;
}
-static void gpio_mpsse_poll(struct work_struct *work)
+/*
+ * Stops all workers except `my_worker`.
+ * Safe to call only when `irq_race` is held.
+ */
+static void gpio_mpsse_stop_all_except(struct mpsse_priv *priv,
+ struct mpsse_worker *my_worker)
+{
+ struct mpsse_worker *worker, *worker_tmp;
+ struct list_head destructors = LIST_HEAD_INIT(destructors);
+
+ scoped_guard(raw_spinlock_irqsave, &priv->irq_spin) {
+ list_for_each_entry_safe(worker, worker_tmp,
+ &priv->workers, list) {
+ /* Don't stop ourselves */
+ if (worker == my_worker)
+ continue;
+
+ list_del(&worker->list);
+
+ /* Give worker a chance to terminate itself */
+ atomic_set(&worker->cancelled, 1);
+ /* Keep track of stuff to cancel */
+ INIT_LIST_HEAD(&worker->destroy);
+ list_add(&worker->destroy, &destructors);
+ }
+ }
+
+ list_for_each_entry_safe(worker, worker_tmp,
+ &destructors, destroy) {
+ list_del(&worker->destroy);
+ cancel_work_sync(&worker->work);
+ kfree(worker);
+ }
+}
+
+static void gpio_mpsse_poll(struct work_struct *my_work)
{
unsigned long pin_mask, pin_states, flags;
int irq_enabled, offset, err, value, fire_irq,
irq, old_value[16], irq_type[16];
- struct mpsse_priv *priv = container_of(work, struct mpsse_priv,
- irq_work);
+ struct mpsse_worker *my_worker = container_of(my_work, struct mpsse_worker, work);
+ struct mpsse_priv *priv = my_worker->priv;
for (offset = 0; offset < priv->gpio.ngpio; ++offset)
old_value[offset] = -1;
- while ((irq_enabled = atomic_read(&priv->irq_enabled))) {
+ /*
+ * We only want one worker. Workers race to acquire irq_race and tear
+ * down all other workers. This is a cond guard so that we don't deadlock
+ * trying to cancel a worker.
+ */
+ scoped_cond_guard(mutex_try, return, &priv->irq_race)
+ gpio_mpsse_stop_all_except(priv, my_worker);
+
+ while ((irq_enabled = atomic_read(&priv->irq_enabled)) &&
+ !atomic_read(&my_worker->cancelled)) {
usleep_range(MPSSE_POLL_INTERVAL, MPSSE_POLL_INTERVAL + 1000);
/* Cleanup will trigger at the end of the loop */
guard(mutex)(&priv->irq_mutex);
@@ -370,21 +425,45 @@ static int gpio_mpsse_set_irq_type(struc
static void gpio_mpsse_irq_disable(struct irq_data *irqd)
{
+ struct mpsse_worker *worker;
struct mpsse_priv *priv = irq_data_get_irq_chip_data(irqd);
atomic_and(~BIT(irqd->hwirq), &priv->irq_enabled);
gpiochip_disable_irq(&priv->gpio, irqd->hwirq);
+
+ /*
+ * Can't actually do teardown in IRQ context (it blocks).
+ * As a result, these workers will stick around until irq is reenabled
+ * or device gets disconnected
+ */
+ scoped_guard(raw_spinlock_irqsave, &priv->irq_spin)
+ list_for_each_entry(worker, &priv->workers, list)
+ atomic_set(&worker->cancelled, 1);
}
static void gpio_mpsse_irq_enable(struct irq_data *irqd)
{
+ struct mpsse_worker *worker;
struct mpsse_priv *priv = irq_data_get_irq_chip_data(irqd);
gpiochip_enable_irq(&priv->gpio, irqd->hwirq);
/* If no-one else was using the IRQ, enable it */
if (!atomic_fetch_or(BIT(irqd->hwirq), &priv->irq_enabled)) {
- INIT_WORK(&priv->irq_work, gpio_mpsse_poll);
- schedule_work(&priv->irq_work);
+ /*
+ * Can't be devm because it uses a non-raw spinlock (illegal in
+ * this context, where a raw spinlock is held by our caller)
+ */
+ worker = kzalloc(sizeof(*worker), GFP_NOWAIT);
+ if (!worker)
+ return;
+
+ worker->priv = priv;
+ INIT_LIST_HEAD(&worker->list);
+ INIT_WORK(&worker->work, gpio_mpsse_poll);
+ schedule_work(&worker->work);
+
+ scoped_guard(raw_spinlock_irqsave, &priv->irq_spin)
+ list_add(&worker->list, &priv->workers);
}
}
@@ -436,6 +515,12 @@ static int gpio_mpsse_probe(struct usb_i
if (err)
return err;
+ err = devm_mutex_init(dev, &priv->irq_race);
+ if (err)
+ return err;
+
+ raw_spin_lock_init(&priv->irq_spin);
+
priv->gpio.label = devm_kasprintf(dev, GFP_KERNEL,
"gpio-mpsse.%d.%d",
priv->id, priv->intf_id);
@@ -506,6 +591,13 @@ static void gpio_mpsse_disconnect(struct
{
struct mpsse_priv *priv = usb_get_intfdata(intf);
+ /*
+ * Lock prevents double-free of worker from here and the teardown
+ * step at the beginning of gpio_mpsse_poll
+ */
+ scoped_guard(mutex, &priv->irq_race)
+ gpio_mpsse_stop_all_except(priv, NULL);
+
priv->intf = NULL;
usb_set_intfdata(intf, NULL);
usb_put_dev(priv->udev);
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 161/181] gpio: mpsse: add quirk support
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 160/181] gpio: mpsse: ensure worker is torn down Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 162/181] gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths Greg Kroah-Hartman
` (33 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mary Strodl, Dan Carpenter,
Linus Walleij, Bartosz Golaszewski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mary Strodl <mstrodl@csh.rit.edu>
[ Upstream commit f13b0f72af238d63bb9a2e417657da8b45d72544 ]
Builds out a facility for specifying compatible lines directions and
labels for MPSSE-based devices.
* dir_in/out are bitmask of lines that can go in/out. 1 means
compatible, 0 means incompatible.
* names is an array of line names which will be exposed to userspace.
Also changes the chip label format to include some more useful
information about the device to help identify it from userspace.
Signed-off-by: Mary Strodl <mstrodl@csh.rit.edu>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20251014133530.3592716-4-mstrodl@csh.rit.edu
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Stable-dep-of: 1e876e5a0875 ("gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-mpsse.c | 109 ++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 106 insertions(+), 3 deletions(-)
--- a/drivers/gpio/gpio-mpsse.c
+++ b/drivers/gpio/gpio-mpsse.c
@@ -29,6 +29,9 @@ struct mpsse_priv {
u8 gpio_outputs[2]; /* Output states for GPIOs [L, H] */
u8 gpio_dir[2]; /* Directions for GPIOs [L, H] */
+ unsigned long dir_in; /* Bitmask of valid input pins */
+ unsigned long dir_out; /* Bitmask of valid output pins */
+
u8 *bulk_in_buf; /* Extra recv buffer to grab status bytes */
struct usb_endpoint_descriptor *bulk_in;
@@ -54,6 +57,14 @@ struct bulk_desc {
int timeout;
};
+#define MPSSE_NGPIO 16
+
+struct mpsse_quirk {
+ const char *names[MPSSE_NGPIO]; /* Pin names, if applicable */
+ unsigned long dir_in; /* Bitmask of valid input pins */
+ unsigned long dir_out; /* Bitmask of valid output pins */
+};
+
static const struct usb_device_id gpio_mpsse_table[] = {
{ USB_DEVICE(0x0c52, 0xa064) }, /* SeaLevel Systems, Inc. */
{ } /* Terminating entry */
@@ -171,6 +182,32 @@ static int gpio_mpsse_get_bank(struct mp
return buf;
}
+static int mpsse_ensure_supported(struct gpio_chip *chip,
+ unsigned long mask, int direction)
+{
+ unsigned long supported, unsupported;
+ char *type = "input";
+ struct mpsse_priv *priv = gpiochip_get_data(chip);
+
+ supported = priv->dir_in;
+ if (direction == GPIO_LINE_DIRECTION_OUT) {
+ supported = priv->dir_out;
+ type = "output";
+ }
+
+ /* An invalid bit was in the provided mask */
+ unsupported = mask & ~supported;
+ if (unsupported) {
+ dev_err(&priv->udev->dev,
+ "mpsse: GPIO %lu doesn't support %s\n",
+ find_first_bit(&unsupported, sizeof(unsupported) * 8),
+ type);
+ return -EOPNOTSUPP;
+ }
+
+ return 0;
+}
+
static int gpio_mpsse_set_multiple(struct gpio_chip *chip, unsigned long *mask,
unsigned long *bits)
{
@@ -178,6 +215,10 @@ static int gpio_mpsse_set_multiple(struc
int ret;
struct mpsse_priv *priv = gpiochip_get_data(chip);
+ ret = mpsse_ensure_supported(chip, *mask, GPIO_LINE_DIRECTION_OUT);
+ if (ret)
+ return ret;
+
guard(mutex)(&priv->io_mutex);
for_each_set_clump8(i, bank_mask, mask, chip->ngpio) {
bank = i / 8;
@@ -205,6 +246,10 @@ static int gpio_mpsse_get_multiple(struc
int ret;
struct mpsse_priv *priv = gpiochip_get_data(chip);
+ ret = mpsse_ensure_supported(chip, *mask, GPIO_LINE_DIRECTION_IN);
+ if (ret)
+ return ret;
+
guard(mutex)(&priv->io_mutex);
for_each_set_clump8(i, bank_mask, mask, chip->ngpio) {
bank = i / 8;
@@ -253,10 +298,15 @@ static int gpio_mpsse_gpio_set(struct gp
static int gpio_mpsse_direction_output(struct gpio_chip *chip,
unsigned int offset, int value)
{
+ int ret;
struct mpsse_priv *priv = gpiochip_get_data(chip);
int bank = (offset & 8) >> 3;
int bank_offset = offset & 7;
+ ret = mpsse_ensure_supported(chip, BIT(offset), GPIO_LINE_DIRECTION_OUT);
+ if (ret)
+ return ret;
+
scoped_guard(mutex, &priv->io_mutex)
priv->gpio_dir[bank] |= BIT(bank_offset);
@@ -266,10 +316,15 @@ static int gpio_mpsse_direction_output(s
static int gpio_mpsse_direction_input(struct gpio_chip *chip,
unsigned int offset)
{
+ int ret;
struct mpsse_priv *priv = gpiochip_get_data(chip);
int bank = (offset & 8) >> 3;
int bank_offset = offset & 7;
+ ret = mpsse_ensure_supported(chip, BIT(offset), GPIO_LINE_DIRECTION_IN);
+ if (ret)
+ return ret;
+
guard(mutex)(&priv->io_mutex);
priv->gpio_dir[bank] &= ~BIT(bank_offset);
gpio_mpsse_set_bank(priv, bank);
@@ -483,18 +538,49 @@ static void gpio_mpsse_ida_remove(void *
ida_free(&gpio_mpsse_ida, priv->id);
}
+static int mpsse_init_valid_mask(struct gpio_chip *chip,
+ unsigned long *valid_mask,
+ unsigned int ngpios)
+{
+ struct mpsse_priv *priv = gpiochip_get_data(chip);
+
+ if (WARN_ON(priv == NULL))
+ return -ENODEV;
+
+ *valid_mask = priv->dir_in | priv->dir_out;
+
+ return 0;
+}
+
+static void mpsse_irq_init_valid_mask(struct gpio_chip *chip,
+ unsigned long *valid_mask,
+ unsigned int ngpios)
+{
+ struct mpsse_priv *priv = gpiochip_get_data(chip);
+
+ if (WARN_ON(priv == NULL))
+ return;
+
+ /* Can only use IRQ on input capable pins */
+ *valid_mask = priv->dir_in;
+}
+
static int gpio_mpsse_probe(struct usb_interface *interface,
const struct usb_device_id *id)
{
struct mpsse_priv *priv;
struct device *dev;
+ char *serial;
int err;
+ struct mpsse_quirk *quirk = (void *)id->driver_info;
dev = &interface->dev;
priv = devm_kzalloc(dev, sizeof(*priv), GFP_KERNEL);
if (!priv)
return -ENOMEM;
+ INIT_LIST_HEAD(&priv->workers);
+
priv->udev = usb_get_dev(interface_to_usbdev(interface));
priv->intf = interface;
priv->intf_id = interface->cur_altsetting->desc.bInterfaceNumber;
@@ -521,9 +607,15 @@ static int gpio_mpsse_probe(struct usb_i
raw_spin_lock_init(&priv->irq_spin);
+ serial = priv->udev->serial;
+ if (!serial)
+ serial = "NONE";
+
priv->gpio.label = devm_kasprintf(dev, GFP_KERNEL,
- "gpio-mpsse.%d.%d",
- priv->id, priv->intf_id);
+ "MPSSE%04x:%04x.%d.%d.%s",
+ id->idVendor, id->idProduct,
+ priv->intf_id, priv->id,
+ serial);
if (!priv->gpio.label)
return -ENOMEM;
@@ -537,10 +629,20 @@ static int gpio_mpsse_probe(struct usb_i
priv->gpio.get_multiple = gpio_mpsse_get_multiple;
priv->gpio.set_multiple = gpio_mpsse_set_multiple;
priv->gpio.base = -1;
- priv->gpio.ngpio = 16;
+ priv->gpio.ngpio = MPSSE_NGPIO;
priv->gpio.offset = priv->intf_id * priv->gpio.ngpio;
priv->gpio.can_sleep = 1;
+ if (quirk) {
+ priv->dir_out = quirk->dir_out;
+ priv->dir_in = quirk->dir_in;
+ priv->gpio.names = quirk->names;
+ priv->gpio.init_valid_mask = mpsse_init_valid_mask;
+ } else {
+ priv->dir_in = U16_MAX;
+ priv->dir_out = U16_MAX;
+ }
+
err = usb_find_common_endpoints(interface->cur_altsetting,
&priv->bulk_in, &priv->bulk_out,
NULL, NULL);
@@ -579,6 +681,7 @@ static int gpio_mpsse_probe(struct usb_i
priv->gpio.irq.parents = NULL;
priv->gpio.irq.default_type = IRQ_TYPE_NONE;
priv->gpio.irq.handler = handle_simple_irq;
+ priv->gpio.irq.init_valid_mask = mpsse_irq_init_valid_mask;
err = devm_gpiochip_add_data(dev, &priv->gpio, priv);
if (err)
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 162/181] gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 161/181] gpio: mpsse: add quirk support Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 163/181] bpf, test_run: Subtract size of xdp_frame from allowed metadata size Greg Kroah-Hartman
` (32 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Bartosz Golaszewski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit 1e876e5a0875e71e34148c9feb2eedd3bf6b2b43 ]
The reference obtained by calling usb_get_dev() is not released in the
gpio_mpsse_probe() error paths. Fix that by using device managed helper
functions. Also remove the usb_put_dev() call in the disconnect function
since now it will be released automatically.
Cc: stable@vger.kernel.org
Fixes: c46a74ff05c0 ("gpio: add support for FTDI's MPSSE as GPIO")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://lore.kernel.org/r/20251226060414.20785-1-nihaal@cse.iitm.ac.in
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-mpsse.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/gpio/gpio-mpsse.c
+++ b/drivers/gpio/gpio-mpsse.c
@@ -538,6 +538,13 @@ static void gpio_mpsse_ida_remove(void *
ida_free(&gpio_mpsse_ida, priv->id);
}
+static void gpio_mpsse_usb_put_dev(void *data)
+{
+ struct mpsse_priv *priv = data;
+
+ usb_put_dev(priv->udev);
+}
+
static int mpsse_init_valid_mask(struct gpio_chip *chip,
unsigned long *valid_mask,
unsigned int ngpios)
@@ -582,6 +589,10 @@ static int gpio_mpsse_probe(struct usb_i
INIT_LIST_HEAD(&priv->workers);
priv->udev = usb_get_dev(interface_to_usbdev(interface));
+ err = devm_add_action_or_reset(dev, gpio_mpsse_usb_put_dev, priv);
+ if (err)
+ return err;
+
priv->intf = interface;
priv->intf_id = interface->cur_altsetting->desc.bInterfaceNumber;
@@ -703,7 +714,6 @@ static void gpio_mpsse_disconnect(struct
priv->intf = NULL;
usb_set_intfdata(intf, NULL);
- usb_put_dev(priv->udev);
}
static struct usb_driver gpio_mpsse_driver = {
^ permalink raw reply [flat|nested] 196+ messages in thread* [PATCH 6.18 163/181] bpf, test_run: Subtract size of xdp_frame from allowed metadata size
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 162/181] gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 164/181] bpf: Fix reference count leak in bpf_prog_test_run_xdp() Greg Kroah-Hartman
` (31 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yinhao Hu, Kaiyan Mei,
Toke Høiland-Jørgensen, Amery Hung, Alexei Starovoitov,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit e558cca217790286e799a8baacd1610bda31b261 ]
The xdp_frame structure takes up part of the XDP frame headroom,
limiting the size of the metadata. However, in bpf_test_run, we don't
take this into account, which makes it possible for userspace to supply
a metadata size that is too large (taking up the entire headroom).
If userspace supplies such a large metadata size in live packet mode,
the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call
will fail, after which packet transmission proceeds with an
uninitialised frame structure, leading to the usual Bad Stuff.
The commit in the Fixes tag fixed a related bug where the second check
in xdp_update_frame_from_buff() could fail, but did not add any
additional constraints on the metadata size. Complete the fix by adding
an additional check on the metadata size. Reorder the checks slightly to
make the logic clearer and add a comment.
Link: https://lore.kernel.org/r/fa2be179-bad7-4ee3-8668-4903d1853461@hust.edu.cn
Fixes: b6f1f780b393 ("bpf, test_run: Fix packet size check for live packet mode")
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/r/20260105114747.1358750-1-toke@redhat.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 55a79337ac51f..59620fdd5cfda 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1231,8 +1231,6 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
batch_size = NAPI_POLL_WEIGHT;
else if (batch_size > TEST_XDP_MAX_BATCH)
return -E2BIG;
-
- headroom += sizeof(struct xdp_page_head);
} else if (batch_size) {
return -EINVAL;
}
@@ -1245,16 +1243,26 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
/* There can't be user provided data before the meta data */
if (ctx->data_meta || ctx->data_end > kattr->test.data_size_in ||
ctx->data > ctx->data_end ||
- unlikely(xdp_metalen_invalid(ctx->data)) ||
(do_live && (kattr->test.data_out || kattr->test.ctx_out)))
goto free_ctx;
- /* Meta data is allocated from the headroom */
- headroom -= ctx->data;
meta_sz = ctx->data;
+ if (xdp_metalen_invalid(meta_sz) || meta_sz > headroom - sizeof(struct xdp_frame))
+ goto free_ctx;
+
+ /* Meta data is allocated from the headroom */
+ headroom -= meta_sz;
linear_sz = ctx->data_end;
}
+ /* The xdp_page_head structure takes up space in each page, limiting the
+ * size of the packet data; add the extra size to headroom here to make
+ * sure it's accounted in the length checks below, but not in the
+ * metadata size check above.
+ */
+ if (do_live)
+ headroom += sizeof(struct xdp_page_head);
+
max_linear_sz = PAGE_SIZE - headroom - tailroom;
linear_sz = min_t(u32, linear_sz, max_linear_sz);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 164/181] bpf: Fix reference count leak in bpf_prog_test_run_xdp()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 163/181] bpf, test_run: Subtract size of xdp_frame from allowed metadata size Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 165/181] net: sfp: extend Potron XGSPON quirk to cover additional EEPROM variant Greg Kroah-Hartman
` (30 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+881d65229ca4f9ae8c84,
Tetsuo Handa, Toke Høiland-Jørgensen,
Alexei Starovoitov, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit ec69daabe45256f98ac86c651b8ad1b2574489a7 ]
syzbot is reporting
unregister_netdevice: waiting for sit0 to become free. Usage count = 2
problem. A debug printk() patch found that a refcount is obtained at
xdp_convert_md_to_buff() from bpf_prog_test_run_xdp().
According to commit ec94670fcb3b ("bpf: Support specifying ingress via
xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by
xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md().
Therefore, we can consider that the error handling path introduced by
commit 1c1949982524 ("bpf: introduce frags support to
bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().
Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
Fixes: 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()")
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/r/af090e53-9d9b-4412-8acb-957733b3975c@I-love.SAKURA.ne.jp
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 59620fdd5cfda..6b04f47301c1e 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -1300,13 +1300,13 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
if (sinfo->nr_frags == MAX_SKB_FRAGS) {
ret = -ENOMEM;
- goto out;
+ goto out_put_dev;
}
page = alloc_page(GFP_KERNEL);
if (!page) {
ret = -ENOMEM;
- goto out;
+ goto out_put_dev;
}
frag = &sinfo->frags[sinfo->nr_frags++];
@@ -1318,7 +1318,7 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
if (copy_from_user(page_address(page), data_in + size,
data_len)) {
ret = -EFAULT;
- goto out;
+ goto out_put_dev;
}
sinfo->xdp_frags_size += data_len;
size += data_len;
@@ -1333,6 +1333,7 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
ret = bpf_test_run_xdp_live(prog, &xdp, repeat, batch_size, &duration);
else
ret = bpf_test_run(prog, &xdp, repeat, &retval, &duration, true);
+out_put_dev:
/* We convert the xdp_buff back to an xdp_md before checking the return
* code so the reference count of any held netdevice will be decremented
* even if the test run failed.
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 165/181] net: sfp: extend Potron XGSPON quirk to cover additional EEPROM variant
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 164/181] bpf: Fix reference count leak in bpf_prog_test_run_xdp() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 166/181] powercap: fix race condition in register_control_type() Greg Kroah-Hartman
` (29 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcus Hughes, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcus Hughes <marcus.hughes@betterinternet.ltd>
[ Upstream commit 71cfa7c893a05d09e7dc14713b27a8309fd4a2db ]
Some Potron SFP+ XGSPON ONU sticks are shipped with different EEPROM
vendor ID and vendor name strings, but are otherwise functionally
identical to the existing "Potron SFP+ XGSPON ONU Stick" handled by
sfp_quirk_potron().
These modules, including units distributed under the "Better Internet"
branding, use the same UART pin assignment and require the same
TX_FAULT/LOS behaviour and boot delay. Re-use the existing Potron
quirk for this EEPROM variant.
Signed-off-by: Marcus Hughes <marcus.hughes@betterinternet.ltd>
Link: https://patch.msgid.link/20251207210355.333451-1-marcus.hughes@betterinternet.ltd
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/sfp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/phy/sfp.c b/drivers/net/phy/sfp.c
index 6b4dd906b804f..84bef5099dda6 100644
--- a/drivers/net/phy/sfp.c
+++ b/drivers/net/phy/sfp.c
@@ -497,6 +497,8 @@ static const struct sfp_quirk sfp_quirks[] = {
SFP_QUIRK("ALCATELLUCENT", "3FE46541AA", sfp_quirk_2500basex,
sfp_fixup_nokia),
+ SFP_QUIRK_F("BIDB", "X-ONU-SFPP", sfp_fixup_potron),
+
// FLYPRO SFP-10GT-CS-30M uses Rollball protocol to talk to the PHY.
SFP_QUIRK_F("FLYPRO", "SFP-10GT-CS-30M", sfp_fixup_rollball),
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 166/181] powercap: fix race condition in register_control_type()
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 165/181] net: sfp: extend Potron XGSPON quirk to cover additional EEPROM variant Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 167/181] powercap: fix sscanf() error return value handling Greg Kroah-Hartman
` (28 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumeet Pawnikar, Rafael J. Wysocki,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumeet Pawnikar <sumeet4linux@gmail.com>
[ Upstream commit 7bda1910c4bccd4b8d4726620bb3d6bbfb62286e ]
The device becomes visible to userspace via device_register()
even before it fully initialized by idr_init(). If userspace
or another thread tries to register a zone immediately after
device_register(), the control_type_valid() will fail because
the control_type is not yet in the list. The IDR is not yet
initialized, so this race condition causes zone registration
failure.
Move idr_init() and list addition before device_register()
fix the race condition.
Signed-off-by: Sumeet Pawnikar <sumeet4linux@gmail.com>
[ rjw: Subject adjustment, empty line added ]
Link: https://patch.msgid.link/20251205190216.5032-1-sumeet4linux@gmail.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/powercap/powercap_sys.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
index 4112a00973382..d14b36b75189d 100644
--- a/drivers/powercap/powercap_sys.c
+++ b/drivers/powercap/powercap_sys.c
@@ -625,17 +625,23 @@ struct powercap_control_type *powercap_register_control_type(
INIT_LIST_HEAD(&control_type->node);
control_type->dev.class = &powercap_class;
dev_set_name(&control_type->dev, "%s", name);
- result = device_register(&control_type->dev);
- if (result) {
- put_device(&control_type->dev);
- return ERR_PTR(result);
- }
idr_init(&control_type->idr);
mutex_lock(&powercap_cntrl_list_lock);
list_add_tail(&control_type->node, &powercap_cntrl_list);
mutex_unlock(&powercap_cntrl_list_lock);
+ result = device_register(&control_type->dev);
+ if (result) {
+ mutex_lock(&powercap_cntrl_list_lock);
+ list_del(&control_type->node);
+ mutex_unlock(&powercap_cntrl_list_lock);
+
+ idr_destroy(&control_type->idr);
+ put_device(&control_type->dev);
+ return ERR_PTR(result);
+ }
+
return control_type;
}
EXPORT_SYMBOL_GPL(powercap_register_control_type);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 167/181] powercap: fix sscanf() error return value handling
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 166/181] powercap: fix race condition in register_control_type() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 168/181] netfilter: nf_tables: avoid chain re-validation if possible Greg Kroah-Hartman
` (27 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumeet Pawnikar, Rafael J. Wysocki,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumeet Pawnikar <sumeet4linux@gmail.com>
[ Upstream commit efc4c35b741af973de90f6826bf35d3b3ac36bf1 ]
Fix inconsistent error handling for sscanf() return value check.
Implicit boolean conversion is used instead of explicit return
value checks. The code checks if (!sscanf(...)) which is incorrect
because:
1. sscanf returns the number of successfully parsed items
2. On success, it returns 1 (one item passed)
3. On failure, it returns 0 or EOF
4. The check 'if (!sscanf(...))' is wrong because it treats
success (1) as failure
All occurrences of sscanf() now uses explicit return value check.
With this behavior it returns '-EINVAL' when parsing fails (returns
0 or EOF), and continues when parsing succeeds (returns 1).
Signed-off-by: Sumeet Pawnikar <sumeet4linux@gmail.com>
[ rjw: Subject and changelog edits ]
Link: https://patch.msgid.link/20251207151549.202452-1-sumeet4linux@gmail.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/powercap/powercap_sys.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
index d14b36b75189d..1ff369880beb2 100644
--- a/drivers/powercap/powercap_sys.c
+++ b/drivers/powercap/powercap_sys.c
@@ -68,7 +68,7 @@ static ssize_t show_constraint_##_attr(struct device *dev, \
int id; \
struct powercap_zone_constraint *pconst;\
\
- if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id)) \
+ if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1) \
return -EINVAL; \
if (id >= power_zone->const_id_cnt) \
return -EINVAL; \
@@ -93,7 +93,7 @@ static ssize_t store_constraint_##_attr(struct device *dev,\
int id; \
struct powercap_zone_constraint *pconst;\
\
- if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id)) \
+ if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1) \
return -EINVAL; \
if (id >= power_zone->const_id_cnt) \
return -EINVAL; \
@@ -162,7 +162,7 @@ static ssize_t show_constraint_name(struct device *dev,
ssize_t len = -ENODATA;
struct powercap_zone_constraint *pconst;
- if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id))
+ if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1)
return -EINVAL;
if (id >= power_zone->const_id_cnt)
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 168/181] netfilter: nf_tables: avoid chain re-validation if possible
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 167/181] powercap: fix sscanf() error return value handling Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 169/181] ata: libata-core: Disable LPM on ST2000DM008-2FR102 Greg Kroah-Hartman
` (26 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hamza Mahfooz, Florian Westphal,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 8e1a1bc4f5a42747c08130b8242ebebd1210b32f ]
Hamza Mahfooz reports cpu soft lock-ups in
nft_chain_validate():
watchdog: BUG: soft lockup - CPU#1 stuck for 27s! [iptables-nft-re:37547]
[..]
RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables]
[..]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_immediate_validate+0x36/0x50 [nf_tables]
nft_chain_validate+0xc9/0x110 [nf_tables]
nft_table_validate+0x6b/0xb0 [nf_tables]
nf_tables_validate+0x8b/0xa0 [nf_tables]
nf_tables_commit+0x1df/0x1eb0 [nf_tables]
[..]
Currently nf_tables will traverse the entire table (chain graph), starting
from the entry points (base chains), exploring all possible paths
(chain jumps). But there are cases where we could avoid revalidation.
Consider:
1 input -> j2 -> j3
2 input -> j2 -> j3
3 input -> j1 -> j2 -> j3
Then the second rule does not need to revalidate j2, and, by extension j3,
because this was already checked during validation of the first rule.
We need to validate it only for rule 3.
This is needed because chain loop detection also ensures we do not exceed
the jump stack: Just because we know that j2 is cycle free, its last jump
might now exceed the allowed stack size. We also need to update all
reachable chains with the new largest observed call depth.
Care has to be taken to revalidate even if the chain depth won't be an
issue: chain validation also ensures that expressions are not called from
invalid base chains. For example, the masquerade expression can only be
called from NAT postrouting base chains.
Therefore we also need to keep record of the base chain context (type,
hooknum) and revalidate if the chain becomes reachable from a different
hook location.
Reported-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Closes: https://lore.kernel.org/netfilter-devel/20251118221735.GA5477@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net/
Tested-by: Hamza Mahfooz <hamzamahfooz@linux.microsoft.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 34 +++++++++++----
net/netfilter/nf_tables_api.c | 69 +++++++++++++++++++++++++++++--
2 files changed, 91 insertions(+), 12 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index fab7dc73f738c..0e266c2d0e7f0 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1091,6 +1091,29 @@ struct nft_rule_blob {
__attribute__((aligned(__alignof__(struct nft_rule_dp))));
};
+enum nft_chain_types {
+ NFT_CHAIN_T_DEFAULT = 0,
+ NFT_CHAIN_T_ROUTE,
+ NFT_CHAIN_T_NAT,
+ NFT_CHAIN_T_MAX
+};
+
+/**
+ * struct nft_chain_validate_state - validation state
+ *
+ * If a chain is encountered again during table validation it is
+ * possible to avoid revalidation provided the calling context is
+ * compatible. This structure stores relevant calling context of
+ * previous validations.
+ *
+ * @hook_mask: the hook numbers and locations the chain is linked to
+ * @depth: the deepest call chain level the chain is linked to
+ */
+struct nft_chain_validate_state {
+ u8 hook_mask[NFT_CHAIN_T_MAX];
+ u8 depth;
+};
+
/**
* struct nft_chain - nf_tables chain
*
@@ -1109,6 +1132,7 @@ struct nft_rule_blob {
* @udlen: user data length
* @udata: user data in the chain
* @blob_next: rule blob pointer to the next in the chain
+ * @vstate: validation state
*/
struct nft_chain {
struct nft_rule_blob __rcu *blob_gen_0;
@@ -1128,9 +1152,10 @@ struct nft_chain {
/* Only used during control plane commit phase: */
struct nft_rule_blob *blob_next;
+ struct nft_chain_validate_state vstate;
};
-int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain);
+int nft_chain_validate(const struct nft_ctx *ctx, struct nft_chain *chain);
int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
const struct nft_set_iter *iter,
struct nft_elem_priv *elem_priv);
@@ -1138,13 +1163,6 @@ int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set);
int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
-enum nft_chain_types {
- NFT_CHAIN_T_DEFAULT = 0,
- NFT_CHAIN_T_ROUTE,
- NFT_CHAIN_T_NAT,
- NFT_CHAIN_T_MAX
-};
-
/**
* struct nft_chain_type - nf_tables chain type info
*
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a3669acd68a32..3cbf2573b9e90 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -123,6 +123,29 @@ static void nft_validate_state_update(struct nft_table *table, u8 new_validate_s
table->validate_state = new_validate_state;
}
+
+static bool nft_chain_vstate_valid(const struct nft_ctx *ctx,
+ const struct nft_chain *chain)
+{
+ const struct nft_base_chain *base_chain;
+ enum nft_chain_types type;
+ u8 hooknum;
+
+ if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain)))
+ return false;
+
+ base_chain = nft_base_chain(ctx->chain);
+ hooknum = base_chain->ops.hooknum;
+ type = base_chain->type->type;
+
+ /* chain is already validated for this call depth */
+ if (chain->vstate.depth >= ctx->level &&
+ chain->vstate.hook_mask[type] & BIT(hooknum))
+ return true;
+
+ return false;
+}
+
static void nf_tables_trans_destroy_work(struct work_struct *w);
static void nft_trans_gc_work(struct work_struct *work);
@@ -4079,6 +4102,29 @@ static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *r
nf_tables_rule_destroy(ctx, rule);
}
+static void nft_chain_vstate_update(const struct nft_ctx *ctx, struct nft_chain *chain)
+{
+ const struct nft_base_chain *base_chain;
+ enum nft_chain_types type;
+ u8 hooknum;
+
+ /* ctx->chain must hold the calling base chain. */
+ if (WARN_ON_ONCE(!nft_is_base_chain(ctx->chain))) {
+ memset(&chain->vstate, 0, sizeof(chain->vstate));
+ return;
+ }
+
+ base_chain = nft_base_chain(ctx->chain);
+ hooknum = base_chain->ops.hooknum;
+ type = base_chain->type->type;
+
+ BUILD_BUG_ON(BIT(NF_INET_NUMHOOKS) > U8_MAX);
+
+ chain->vstate.hook_mask[type] |= BIT(hooknum);
+ if (chain->vstate.depth < ctx->level)
+ chain->vstate.depth = ctx->level;
+}
+
/** nft_chain_validate - loop detection and hook validation
*
* @ctx: context containing call depth and base chain
@@ -4088,15 +4134,25 @@ static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *r
* and set lookups until either the jump limit is hit or all reachable
* chains have been validated.
*/
-int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
+int nft_chain_validate(const struct nft_ctx *ctx, struct nft_chain *chain)
{
struct nft_expr *expr, *last;
struct nft_rule *rule;
int err;
+ BUILD_BUG_ON(NFT_JUMP_STACK_SIZE > 255);
if (ctx->level == NFT_JUMP_STACK_SIZE)
return -EMLINK;
+ if (ctx->level > 0) {
+ /* jumps to base chains are not allowed. */
+ if (nft_is_base_chain(chain))
+ return -ELOOP;
+
+ if (nft_chain_vstate_valid(ctx, chain))
+ return 0;
+ }
+
list_for_each_entry(rule, &chain->rules, list) {
if (fatal_signal_pending(current))
return -EINTR;
@@ -4117,6 +4173,7 @@ int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
}
}
+ nft_chain_vstate_update(ctx, chain);
return 0;
}
EXPORT_SYMBOL_GPL(nft_chain_validate);
@@ -4128,7 +4185,7 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
.net = net,
.family = table->family,
};
- int err;
+ int err = 0;
list_for_each_entry(chain, &table->chains, list) {
if (!nft_is_base_chain(chain))
@@ -4137,12 +4194,16 @@ static int nft_table_validate(struct net *net, const struct nft_table *table)
ctx.chain = chain;
err = nft_chain_validate(&ctx, chain);
if (err < 0)
- return err;
+ goto err;
cond_resched();
}
- return 0;
+err:
+ list_for_each_entry(chain, &table->chains, list)
+ memset(&chain->vstate, 0, sizeof(chain->vstate));
+
+ return err;
}
int nft_setelem_validate(const struct nft_ctx *ctx, struct nft_set *set,
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 169/181] ata: libata-core: Disable LPM on ST2000DM008-2FR102
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 168/181] netfilter: nf_tables: avoid chain re-validation if possible Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 170/181] accel/amdxdna: Block running under a hypervisor Greg Kroah-Hartman
` (25 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emerson Pinter, Niklas Cassel,
Damien Le Moal, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Cassel <cassel@kernel.org>
[ Upstream commit ba624ba88d9f5c3e2ace9bb6697dbeb05b2dbc44 ]
According to a user report, the ST2000DM008-2FR102 has problems with LPM.
Reported-by: Emerson Pinter <e@pinter.dev>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220693
Signed-off-by: Niklas Cassel <cassel@kernel.org>
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index f48fb63d7e854..1216b4f2eb904 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4132,6 +4132,9 @@ static const struct ata_dev_quirks_entry __ata_dev_quirks[] = {
{ "ST3320[68]13AS", "SD1[5-9]", ATA_QUIRK_NONCQ |
ATA_QUIRK_FIRMWARE_WARN },
+ /* Seagate disks with LPM issues */
+ { "ST2000DM008-2FR102", NULL, ATA_QUIRK_NOLPM },
+
/* drives which fail FPDMA_AA activation (some may freeze afterwards)
the ST disks also have LPM issues */
{ "ST1000LM024 HN-M101MBB", NULL, ATA_QUIRK_BROKEN_FPDMA_AA |
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 170/181] accel/amdxdna: Block running under a hypervisor
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 169/181] ata: libata-core: Disable LPM on ST2000DM008-2FR102 Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 171/181] drm/amd/display: Fix DP no audio issue Greg Kroah-Hartman
` (24 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lizhi Hou, Mario Limonciello (AMD),
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
[ Upstream commit 7bbf6d15e935abbb3d604c1fa157350e84a26f98 ]
SVA support is required, which isn't configured by hypervisor
solutions.
Closes: https://github.com/QubesOS/qubes-issues/issues/10275
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4656
Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
Link: https://patch.msgid.link/20251213054513.87925-1-superm1@kernel.org
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/accel/amdxdna/aie2_pci.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/accel/amdxdna/aie2_pci.c b/drivers/accel/amdxdna/aie2_pci.c
index 43f725e1a2d76..6e07793bbeacf 100644
--- a/drivers/accel/amdxdna/aie2_pci.c
+++ b/drivers/accel/amdxdna/aie2_pci.c
@@ -17,6 +17,7 @@
#include <linux/iopoll.h>
#include <linux/pci.h>
#include <linux/xarray.h>
+#include <asm/hypervisor.h>
#include "aie2_msg_priv.h"
#include "aie2_pci.h"
@@ -486,6 +487,11 @@ static int aie2_init(struct amdxdna_dev *xdna)
unsigned long bars = 0;
int i, nvec, ret;
+ if (!hypervisor_is_type(X86_HYPER_NATIVE)) {
+ XDNA_ERR(xdna, "Running under hypervisor not supported");
+ return -EINVAL;
+ }
+
ndev = drmm_kzalloc(&xdna->ddev, sizeof(*ndev), GFP_KERNEL);
if (!ndev)
return -ENOMEM;
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 171/181] drm/amd/display: Fix DP no audio issue
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 170/181] accel/amdxdna: Block running under a hypervisor Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 172/181] spi: mt65xx: Use IRQF_ONESHOT with threaded IRQ Greg Kroah-Hartman
` (23 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Swapnil Patel, Charlene Liu,
Chenyu Chen, Daniel Wheeler, Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Charlene Liu <Charlene.Liu@amd.com>
[ Upstream commit 3886b198bd6e49c801fe9552fcfbfc387a49fbbc ]
[why]
need to enable APG_CLOCK_ENABLE enable first
also need to wake up az from D3 before access az block
Reviewed-by: Swapnil Patel <swapnil.patel@amd.com>
Signed-off-by: Charlene Liu <Charlene.Liu@amd.com>
Signed-off-by: Chenyu Chen <chen-yu.chen@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit bf5e396957acafd46003318965500914d5f4edfa)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c
index b94fec8347400..39be5a58f837a 100644
--- a/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/hwss/dce110/dce110_hwseq.c
@@ -1098,13 +1098,13 @@ void dce110_enable_audio_stream(struct pipe_ctx *pipe_ctx)
if (dc->current_state->res_ctx.pipe_ctx[i].stream_res.audio != NULL)
num_audio++;
}
+ if (num_audio >= 1 && clk_mgr->funcs->enable_pme_wa) {
+ /*wake AZ from D3 first before access az endpoint*/
+ clk_mgr->funcs->enable_pme_wa(clk_mgr);
+ }
pipe_ctx->stream_res.audio->funcs->az_enable(pipe_ctx->stream_res.audio);
- if (num_audio >= 1 && clk_mgr->funcs->enable_pme_wa)
- /*this is the first audio. apply the PME w/a in order to wake AZ from D3*/
- clk_mgr->funcs->enable_pme_wa(clk_mgr);
-
link_hwss->enable_audio_packet(pipe_ctx);
if (pipe_ctx->stream_res.audio)
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 172/181] spi: mt65xx: Use IRQF_ONESHOT with threaded IRQ
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 171/181] drm/amd/display: Fix DP no audio issue Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 173/181] drm/amdkfd: Fix improper NULL termination of queue restore SMI event string Greg Kroah-Hartman
` (22 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fei Shao, Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fei Shao <fshao@chromium.org>
[ Upstream commit 8c04b77f87e6e321ae6acd28ce1de5553916153f ]
This driver is migrated to use threaded IRQ since commit 5972eb05ca32
("spi: spi-mt65xx: Use threaded interrupt for non-SPIMEM transfer"), and
we almost always want to disable the interrupt line to avoid excess
interrupts while the threaded handler is processing SPI transfer.
Use IRQF_ONESHOT for that purpose.
In practice, we see MediaTek devices show SPI transfer timeout errors
when communicating with ChromeOS EC in certain scenarios, and with
IRQF_ONESHOT, the issue goes away.
Signed-off-by: Fei Shao <fshao@chromium.org>
Link: https://patch.msgid.link/20251217101131.1975131-1-fshao@chromium.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-mt65xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
index 4b40985af1eaf..90e5813cfdc33 100644
--- a/drivers/spi/spi-mt65xx.c
+++ b/drivers/spi/spi-mt65xx.c
@@ -1320,7 +1320,7 @@ static int mtk_spi_probe(struct platform_device *pdev)
ret = devm_request_threaded_irq(dev, irq, mtk_spi_interrupt,
mtk_spi_interrupt_thread,
- IRQF_TRIGGER_NONE, dev_name(dev), host);
+ IRQF_ONESHOT, dev_name(dev), host);
if (ret)
return dev_err_probe(dev, ret, "failed to register irq\n");
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 173/181] drm/amdkfd: Fix improper NULL termination of queue restore SMI event string
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 172/181] spi: mt65xx: Use IRQF_ONESHOT with threaded IRQ Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 174/181] can: j1939: make j1939_session_activate() fail if device is no longer registered Greg Kroah-Hartman
` (21 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Kocoloski, Philip Yang,
Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Kocoloski <brian.kocoloski@amd.com>
[ Upstream commit 969faea4e9d01787c58bab4d945f7ad82dad222d ]
Pass character "0" rather than NULL terminator to properly format
queue restoration SMI events. Currently, the NULL terminator precedes
the newline character that is intended to delineate separate events
in the SMI event buffer, which can break userspace parsers.
Signed-off-by: Brian Kocoloski <brian.kocoloski@amd.com>
Reviewed-by: Philip Yang <Philip.Yang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6e7143e5e6e21f9d5572e0390f7089e6d53edf3c)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c b/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c
index a499449fcb068..d2bc169e84b0b 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_smi_events.c
@@ -312,7 +312,7 @@ void kfd_smi_event_queue_restore(struct kfd_node *node, pid_t pid)
{
kfd_smi_event_add(pid, node, KFD_SMI_EVENT_QUEUE_RESTORE,
KFD_EVENT_FMT_QUEUE_RESTORE(ktime_get_boottime_ns(), pid,
- node->id, 0));
+ node->id, '0'));
}
void kfd_smi_event_queue_restore_rescheduled(struct mm_struct *mm)
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 174/181] can: j1939: make j1939_session_activate() fail if device is no longer registered
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 173/181] drm/amdkfd: Fix improper NULL termination of queue restore SMI event string Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 175/181] block: validate pi_offset integrity limit Greg Kroah-Hartman
` (20 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa, Oleksij Rempel,
Marc Kleine-Budde, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 5d5602236f5db19e8b337a2cd87a90ace5ea776d ]
syzbot is still reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
even after commit 93a27b5891b8 ("can: j1939: add missing calls in
NETDEV_UNREGISTER notification handler") was added. A debug printk() patch
found that j1939_session_activate() can succeed even after
j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)
has completed.
Since j1939_cancel_active_session() is processed with the session list lock
held, checking ndev->reg_state in j1939_session_activate() with the session
list lock held can reliably close the race window.
Reported-by: syzbot <syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/b9653191-d479-4c8b-8536-1326d028db5c@I-love.SAKURA.ne.jp
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/can/j1939/transport.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index fbf5c8001c9df..613a911dda100 100644
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1567,6 +1567,8 @@ int j1939_session_activate(struct j1939_session *session)
if (active) {
j1939_session_put(active);
ret = -EAGAIN;
+ } else if (priv->ndev->reg_state != NETREG_REGISTERED) {
+ ret = -ENODEV;
} else {
WARN_ON_ONCE(session->state != J1939_SESSION_NEW);
list_add_tail(&session->active_session_list_entry,
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 175/181] block: validate pi_offset integrity limit
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 174/181] can: j1939: make j1939_session_activate() fail if device is no longer registered Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 176/181] ALSA: usb-audio: Update for native DSD support quirks Greg Kroah-Hartman
` (19 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Caleb Sander Mateos,
Christoph Hellwig, Jens Axboe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Caleb Sander Mateos <csander@purestorage.com>
[ Upstream commit ccb8a3c08adf8121e2afb8e704f007ce99324d79 ]
The PI tuple must be contained within the metadata value, so validate
that pi_offset + pi_tuple_size <= metadata_size. This guards against
block drivers that report invalid pi_offset values.
Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-settings.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/block/blk-settings.c b/block/blk-settings.c
index d74b13ec8e548..f2c1940fe6f1a 100644
--- a/block/blk-settings.c
+++ b/block/blk-settings.c
@@ -148,10 +148,9 @@ static int blk_validate_integrity_limits(struct queue_limits *lim)
return -EINVAL;
}
- if (bi->pi_tuple_size > bi->metadata_size) {
- pr_warn("pi_tuple_size (%u) exceeds metadata_size (%u)\n",
- bi->pi_tuple_size,
- bi->metadata_size);
+ if (bi->pi_offset + bi->pi_tuple_size > bi->metadata_size) {
+ pr_warn("pi_offset (%u) + pi_tuple_size (%u) exceeds metadata_size (%u)\n",
+ bi->pi_offset, bi->pi_tuple_size, bi->metadata_size);
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 176/181] ALSA: usb-audio: Update for native DSD support quirks
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 175/181] block: validate pi_offset integrity limit Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 177/181] ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025 Greg Kroah-Hartman
` (18 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jussi Laako, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jussi Laako <jussi@sonarnerd.net>
[ Upstream commit da3a7efff64ec0d63af4499eea3a46a2e13b5797 ]
Maintenance patch for native DSD support.
Add set of missing device and vendor quirks; TEAC, Esoteric, Luxman and
Musical Fidelity.
Signed-off-by: Jussi Laako <jussi@sonarnerd.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20251211152224.1780782-1-jussi@sonarnerd.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
index 61bd61ffb1b23..94a8fdc9c6d3c 100644
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2230,6 +2230,12 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
DEVICE_FLG(0x0644, 0x806b, /* TEAC UD-701 */
QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY |
QUIRK_FLAG_IFACE_DELAY),
+ DEVICE_FLG(0x0644, 0x807d, /* TEAC UD-507 */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY |
+ QUIRK_FLAG_IFACE_DELAY),
+ DEVICE_FLG(0x0644, 0x806c, /* Esoteric XD */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY |
+ QUIRK_FLAG_IFACE_DELAY),
DEVICE_FLG(0x06f8, 0xb000, /* Hercules DJ Console (Windows Edition) */
QUIRK_FLAG_IGNORE_CTL_ERROR),
DEVICE_FLG(0x06f8, 0xd002, /* Hercules DJ Console (Macintosh Edition) */
@@ -2388,6 +2394,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_CTL_MSG_DELAY_1M),
DEVICE_FLG(0x30be, 0x0101, /* Schiit Hel */
QUIRK_FLAG_IGNORE_CTL_ERROR),
+ DEVICE_FLG(0x3255, 0x0000, /* Luxman D-10X */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
DEVICE_FLG(0x339b, 0x3a07, /* Synaptics HONOR USB-C HEADSET */
QUIRK_FLAG_MIXER_PLAYBACK_MIN_MUTE),
DEVICE_FLG(0x413c, 0xa506, /* Dell AE515 sound bar */
@@ -2431,6 +2439,8 @@ static const struct usb_audio_quirk_flags_table quirk_flags_table[] = {
QUIRK_FLAG_DSD_RAW),
VENDOR_FLG(0x2622, /* IAG Limited devices */
QUIRK_FLAG_DSD_RAW),
+ VENDOR_FLG(0x2772, /* Musical Fidelity devices */
+ QUIRK_FLAG_DSD_RAW),
VENDOR_FLG(0x278b, /* Rotel? */
QUIRK_FLAG_DSD_RAW),
VENDOR_FLG(0x292b, /* Gustard/Ess based devices */
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 177/181] ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 176/181] ALSA: usb-audio: Update for native DSD support quirks Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 178/181] ALSA: hda/realtek: enable woofer speakers on Medion NM14LNL Greg Kroah-Hartman
` (17 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Elantsev, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Elantsev <elantsew.andrew@gmail.com>
[ Upstream commit e2cb8ef0372665854fca6fa7b30b20dd35acffeb ]
Add a DMI quirk for the Honor MagicBook X16 2025 laptop
fixing the issue where the internal microphone was
not detected.
Signed-off-by: Andrew Elantsev <elantsew.andrew@gmail.com>
Link: https://patch.msgid.link/20251210203800.142822-1-elantsew.andrew@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/amd/yc/acp6x-mach.c b/sound/soc/amd/yc/acp6x-mach.c
index f210a253da9f5..bf4d9d3365617 100644
--- a/sound/soc/amd/yc/acp6x-mach.c
+++ b/sound/soc/amd/yc/acp6x-mach.c
@@ -661,6 +661,13 @@ static const struct dmi_system_id yc_acp_quirk_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "Bravo 15 C7UCX"),
}
},
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "HONOR"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "GOH-X"),
+ }
+ },
{}
};
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 178/181] ALSA: hda/realtek: enable woofer speakers on Medion NM14LNL
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 177/181] ASoC: amd: yc: Add quirk for Honor MagicBook X16 2025 Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 179/181] ASoC: fsl_sai: Add missing registers to cache default Greg Kroah-Hartman
` (16 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, davplsm, Kai Vehmanen, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
[ Upstream commit e64826e5e367ad45539ab245b92f009ee165025c ]
The ALC233 codec on these Medion NM14LNL (SPRCHRGD 14 S2) systems
requires a quirk to enable all speakers.
Tested-by: davplsm <davpal@yahoo.com>
Link: https://github.com/thesofproject/linux/issues/5611
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Link: https://patch.msgid.link/20251212174658.752641-1-kai.vehmanen@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/hda/codecs/realtek/alc269.c b/sound/hda/codecs/realtek/alc269.c
index eea8399e32588..eb6197d19078c 100644
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -7211,6 +7211,7 @@ static const struct hda_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
SND_PCI_QUIRK(0x1d72, 0x1945, "Redmi G", ALC256_FIXUP_ASUS_HEADSET_MIC),
SND_PCI_QUIRK(0x1d72, 0x1947, "RedmiBook Air", ALC255_FIXUP_XIAOMI_HEADSET_MIC),
+ SND_PCI_QUIRK(0x1e39, 0xca14, "MEDION NM14LNL", ALC233_FIXUP_MEDION_MTL_SPK),
SND_PCI_QUIRK(0x1ee7, 0x2078, "HONOR BRB-X M1010", ALC2XX_FIXUP_HEADSET_MIC),
SND_PCI_QUIRK(0x1f66, 0x0105, "Ayaneo Portable Game Player", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x2014, 0x800a, "Positivo ARN50", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 179/181] ASoC: fsl_sai: Add missing registers to cache default
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 178/181] ALSA: hda/realtek: enable woofer speakers on Medion NM14LNL Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 180/181] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout Greg Kroah-Hartman
` (15 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Stein, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
[ Upstream commit 90ed688792a6b7012b3e8a2f858bc3fe7454d0eb ]
Drivers does cache sync during runtime resume, setting all writable
registers. Not all writable registers are set in cache default, resulting
in the erorr message:
fsl-sai 30c30000.sai: using zero-initialized flat cache, this may cause
unexpected behavior
Fix this by adding missing writable register defaults.
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Link: https://patch.msgid.link/20251216102246.676181-1-alexander.stein@ew.tq-group.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_sai.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
index 86730c2149146..2fa14fbdfe1a8 100644
--- a/sound/soc/fsl/fsl_sai.c
+++ b/sound/soc/fsl/fsl_sai.c
@@ -1081,6 +1081,7 @@ static const struct reg_default fsl_sai_reg_defaults_ofs0[] = {
{FSL_SAI_TDR6, 0},
{FSL_SAI_TDR7, 0},
{FSL_SAI_TMR, 0},
+ {FSL_SAI_TTCTL, 0},
{FSL_SAI_RCR1(0), 0},
{FSL_SAI_RCR2(0), 0},
{FSL_SAI_RCR3(0), 0},
@@ -1104,12 +1105,14 @@ static const struct reg_default fsl_sai_reg_defaults_ofs8[] = {
{FSL_SAI_TDR6, 0},
{FSL_SAI_TDR7, 0},
{FSL_SAI_TMR, 0},
+ {FSL_SAI_TTCTL, 0},
{FSL_SAI_RCR1(8), 0},
{FSL_SAI_RCR2(8), 0},
{FSL_SAI_RCR3(8), 0},
{FSL_SAI_RCR4(8), 0},
{FSL_SAI_RCR5(8), 0},
{FSL_SAI_RMR, 0},
+ {FSL_SAI_RTCTL, 0},
{FSL_SAI_MCTL, 0},
{FSL_SAI_MDIV, 0},
};
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 180/181] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 179/181] ASoC: fsl_sai: Add missing registers to cache default Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 6.18 181/181] spi: cadence-quadspi: Prevent lost complete() call during indirect read Greg Kroah-Hartman
` (14 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Rábek, Tomas Henzl,
Changhui Zhong, Ewan D. Milne, John Meneghini, Martin K. Petersen,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Rábek <mrabek@redhat.com>
[ Upstream commit 0e1677654259a2f3ccf728de1edde922a3c4ba57 ]
A race condition was found in sg_proc_debug_helper(). It was observed on
a system using an IBM LTO-9 SAS Tape Drive (ULTRIUM-TD9) and monitoring
/proc/scsi/sg/debug every second. A very large elapsed time would
sometimes appear. This is caused by two race conditions.
We reproduced the issue with an IBM ULTRIUM-HH9 tape drive on an x86_64
architecture. A patched kernel was built, and the race condition could
not be observed anymore after the application of this patch. A
reproducer C program utilising the scsi_debug module was also built by
Changhui Zhong and can be viewed here:
https://github.com/MichaelRabek/linux-tests/blob/master/drivers/scsi/sg/sg_race_trigger.c
The first race happens between the reading of hp->duration in
sg_proc_debug_helper() and request completion in sg_rq_end_io(). The
hp->duration member variable may hold either of two types of
information:
#1 - The start time of the request. This value is present while
the request is not yet finished.
#2 - The total execution time of the request (end_time - start_time).
If sg_proc_debug_helper() executes *after* the value of hp->duration was
changed from #1 to #2, but *before* srp->done is set to 1 in
sg_rq_end_io(), a fresh timestamp is taken in the else branch, and the
elapsed time (value type #2) is subtracted from a timestamp, which
cannot yield a valid elapsed time (which is a type #2 value as well).
To fix this issue, the value of hp->duration must change under the
protection of the sfp->rq_list_lock in sg_rq_end_io(). Since
sg_proc_debug_helper() takes this read lock, the change to srp->done and
srp->header.duration will happen atomically from the perspective of
sg_proc_debug_helper() and the race condition is thus eliminated.
The second race condition happens between sg_proc_debug_helper() and
sg_new_write(). Even though hp->duration is set to the current time
stamp in sg_add_request() under the write lock's protection, it gets
overwritten by a call to get_sg_io_hdr(), which calls copy_from_user()
to copy struct sg_io_hdr from userspace into kernel space. hp->duration
is set to the start time again in sg_common_write(). If
sg_proc_debug_helper() is called between these two calls, an arbitrary
value set by userspace (usually zero) is used to compute the elapsed
time.
To fix this issue, hp->duration must be set to the current timestamp
again after get_sg_io_hdr() returns successfully. A small race window
still exists between get_sg_io_hdr() and setting hp->duration, but this
window is only a few instructions wide and does not result in observable
issues in practice, as confirmed by testing.
Additionally, we fix the format specifier from %d to %u for printing
unsigned int values in sg_proc_debug_helper().
Signed-off-by: Michal Rábek <mrabek@redhat.com>
Suggested-by: Tomas Henzl <thenzl@redhat.com>
Tested-by: Changhui Zhong <czhong@redhat.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: John Meneghini <jmeneghi@redhat.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Link: https://patch.msgid.link/20251212160900.64924-1-mrabek@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sg.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index b3af9b78fa123..57fba34832ad1 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -731,6 +731,8 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
sg_remove_request(sfp, srp);
return -EFAULT;
}
+ hp->duration = jiffies_to_msecs(jiffies);
+
if (hp->interface_id != 'S') {
sg_remove_request(sfp, srp);
return -ENOSYS;
@@ -815,7 +817,6 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
return -ENODEV;
}
- hp->duration = jiffies_to_msecs(jiffies);
if (hp->interface_id != '\0' && /* v3 (or later) interface */
(SG_FLAG_Q_AT_TAIL & hp->flags))
at_head = 0;
@@ -1338,9 +1339,6 @@ sg_rq_end_io(struct request *rq, blk_status_t status)
"sg_cmd_done: pack_id=%d, res=0x%x\n",
srp->header.pack_id, result));
srp->header.resid = resid;
- ms = jiffies_to_msecs(jiffies);
- srp->header.duration = (ms > srp->header.duration) ?
- (ms - srp->header.duration) : 0;
if (0 != result) {
struct scsi_sense_hdr sshdr;
@@ -1389,6 +1387,9 @@ sg_rq_end_io(struct request *rq, blk_status_t status)
done = 0;
}
srp->done = done;
+ ms = jiffies_to_msecs(jiffies);
+ srp->header.duration = (ms > srp->header.duration) ?
+ (ms - srp->header.duration) : 0;
write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
if (likely(done)) {
@@ -2533,6 +2534,7 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
const sg_io_hdr_t *hp;
const char * cp;
unsigned int ms;
+ unsigned int duration;
k = 0;
list_for_each_entry(fp, &sdp->sfds, sfd_siblings) {
@@ -2570,13 +2572,17 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
seq_printf(s, " id=%d blen=%d",
srp->header.pack_id, blen);
if (srp->done)
- seq_printf(s, " dur=%d", hp->duration);
+ seq_printf(s, " dur=%u", hp->duration);
else {
ms = jiffies_to_msecs(jiffies);
- seq_printf(s, " t_o/elap=%d/%d",
+ duration = READ_ONCE(hp->duration);
+ if (duration)
+ duration = (ms > duration ?
+ ms - duration : 0);
+ seq_printf(s, " t_o/elap=%u/%u",
(new_interface ? hp->timeout :
jiffies_to_msecs(fp->timeout)),
- (ms > hp->duration ? ms - hp->duration : 0));
+ duration);
}
seq_printf(s, "ms sgat=%d op=0x%02x\n", usg,
(int) srp->data.cmd_opcode);
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* [PATCH 6.18 181/181] spi: cadence-quadspi: Prevent lost complete() call during indirect read
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 180/181] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 17:56 ` [PATCH 6.18 000/181] 6.18.6-rc1 review Ronald Warsow
` (13 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mateusz Litwin, Mark Brown,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Litwin <mateusz.litwin@nokia.com>
[ Upstream commit d67396c9d697041b385d70ff2fd59cb07ae167e8 ]
A race condition exists between the read loop and IRQ `complete()` call.
An interrupt could call the complete() between the inner loop and
reinit_completion(), potentially losing the completion event and causing
an unnecessary timeout. Moving reinit_completion() before the loop
prevents this. A premature signal will only result in a spurious wakeup
and another wait cycle, which is preferable to waiting for a timeout.
Signed-off-by: Mateusz Litwin <mateusz.litwin@nokia.com>
Link: https://patch.msgid.link/20251218-cqspi_indirect_read_improve-v2-1-396079972f2a@nokia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-cadence-quadspi.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-cadence-quadspi.c b/drivers/spi/spi-cadence-quadspi.c
index 3231bdaf9bd06..1cca9d87fbde4 100644
--- a/drivers/spi/spi-cadence-quadspi.c
+++ b/drivers/spi/spi-cadence-quadspi.c
@@ -769,6 +769,7 @@ static int cqspi_indirect_read_execute(struct cqspi_flash_pdata *f_pdata,
readl(reg_base + CQSPI_REG_INDIRECTRD); /* Flush posted write. */
while (remaining > 0) {
+ ret = 0;
if (use_irq &&
!wait_for_completion_timeout(&cqspi->transfer_complete,
msecs_to_jiffies(CQSPI_READ_TIMEOUT_MS)))
@@ -781,6 +782,14 @@ static int cqspi_indirect_read_execute(struct cqspi_flash_pdata *f_pdata,
if (cqspi->slow_sram)
writel(0x0, reg_base + CQSPI_REG_IRQMASK);
+ /*
+ * Prevent lost interrupt and race condition by reinitializing early.
+ * A spurious wakeup and another wait cycle can occur here,
+ * which is preferable to waiting until timeout if interrupt is lost.
+ */
+ if (use_irq)
+ reinit_completion(&cqspi->transfer_complete);
+
bytes_to_read = cqspi_get_rd_sram_level(cqspi);
if (ret && bytes_to_read == 0) {
@@ -813,7 +822,6 @@ static int cqspi_indirect_read_execute(struct cqspi_flash_pdata *f_pdata,
}
if (use_irq && remaining > 0) {
- reinit_completion(&cqspi->transfer_complete);
if (cqspi->slow_sram)
writel(CQSPI_REG_IRQ_WATERMARK, reg_base + CQSPI_REG_IRQMASK);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 6.18 181/181] spi: cadence-quadspi: Prevent lost complete() call during indirect read Greg Kroah-Hartman
@ 2026-01-15 17:56 ` Ronald Warsow
2026-01-15 19:15 ` Brett A C Sheffield
` (12 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Ronald Warsow @ 2026-01-15 17:56 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
conor, hargar, broonie, achill, sr
Hi
no regressions here on x86_64 (RKL, Intel 11th Gen. CPU)
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-01-15 17:56 ` [PATCH 6.18 000/181] 6.18.6-rc1 review Ronald Warsow
@ 2026-01-15 19:15 ` Brett A C Sheffield
2026-01-15 20:00 ` Slade Watkins
` (11 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Brett A C Sheffield @ 2026-01-15 19:15 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.18.6-rc1-g486e59ed73a6 #1 SMP PREEMPT_DYNAMIC Thu Jan 15 17:58:53 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-01-15 19:15 ` Brett A C Sheffield
@ 2026-01-15 20:00 ` Slade Watkins
2026-01-15 22:40 ` Shuah Khan
` (10 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Slade Watkins @ 2026-01-15 20:00 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
On Thu, Jan 15, 2026 at 11:53 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
6.18.6-rc1 built and run on my x86_64 test system (AMD Ryzen 9 9900X,
System76 thelio-mira-r4-n3). No errors or regressions.
Tested-by: Slade Watkins <sr@sladewatkins.com>
Thanks,
Slade
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-01-15 20:00 ` Slade Watkins
@ 2026-01-15 22:40 ` Shuah Khan
2026-01-15 23:32 ` Florian Fainelli
` (9 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Shuah Khan @ 2026-01-15 22:40 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr, Shuah Khan
On 1/15/26 09:45, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.6-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-01-15 22:40 ` Shuah Khan
@ 2026-01-15 23:32 ` Florian Fainelli
2026-01-16 4:23 ` Takeshi Ogasawara
` (8 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Florian Fainelli @ 2026-01-15 23:32 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 1/15/26 08:45, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.6-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-01-15 23:32 ` Florian Fainelli
@ 2026-01-16 4:23 ` Takeshi Ogasawara
2026-01-16 9:56 ` Ron Economos
` (7 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Takeshi Ogasawara @ 2026-01-16 4:23 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
Hi Greg
On Fri, Jan 16, 2026 at 1:54 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.6-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
6.18.6-rc1 tested.
Build successfully completed.
Boot successfully completed.
No dmesg regressions.
Video output normal.
Sound output normal.
Lenovo ThinkPad X1 Carbon Gen10(Intel i7-1260P(x86_64) arch linux)
[ 0.000000] Linux version 6.18.6-rc1rv-g486e59ed73a6
(takeshi@ThinkPadX1Gen10J0764) (gcc (GCC) 15.2.1 20260103, GNU ld (GNU
Binutils) 2.45.1) #1 SMP PREEMPT_DYNAMIC Fri Jan 16 12:22:57 JST 2026
Thanks
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-01-16 4:23 ` Takeshi Ogasawara
@ 2026-01-16 9:56 ` Ron Economos
2026-01-16 11:23 ` Jon Hunter
` (6 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Ron Economos @ 2026-01-16 9:56 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 1/15/26 08:45, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.6-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-01-16 9:56 ` Ron Economos
@ 2026-01-16 11:23 ` Jon Hunter
2026-01-16 12:28 ` Peter Schneider
` (5 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Jon Hunter @ 2026-01-16 11:23 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
linux-tegra, stable
On Thu, 15 Jan 2026 17:45:37 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.6-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.18:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
120 tests: 120 pass, 0 fail
Linux version: 6.18.6-rc1-g486e59ed73a6
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-01-16 11:23 ` Jon Hunter
@ 2026-01-16 12:28 ` Peter Schneider
2026-01-16 16:23 ` Mark Brown
` (4 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Peter Schneider @ 2026-01-16 12:28 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 15.01.2026 um 17:45 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-01-16 12:28 ` Peter Schneider
@ 2026-01-16 16:23 ` Mark Brown
2026-01-16 17:51 ` Hardik Garg
` (3 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Mark Brown @ 2026-01-16 16:23 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr
[-- Attachment #1: Type: text/plain, Size: 345 bytes --]
On Thu, Jan 15, 2026 at 05:45:37PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-01-16 16:23 ` Mark Brown
@ 2026-01-16 17:51 ` Hardik Garg
2026-01-16 21:55 ` Brett Mastbergen
` (2 subsequent siblings)
194 siblings, 0 replies; 196+ messages in thread
From: Hardik Garg @ 2026-01-16 17:51 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Hardik Garg
The kernel, bpf tool, perf tool, and kselftest builds fine for v6.18.6-rc1
on x86 and arm64 Azure VM.
Tested-by: Hardik Garg <hargar@linux.microsoft.com>
Thanks,
Hardik
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-01-16 17:51 ` Hardik Garg
@ 2026-01-16 21:55 ` Brett Mastbergen
2026-01-17 14:49 ` Miguel Ojeda
2026-01-19 9:01 ` Jeffrin Thalakkottoor
194 siblings, 0 replies; 196+ messages in thread
From: Brett Mastbergen @ 2026-01-16 21:55 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, Jan 15, 2026 at 11:54 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.6-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Builds successfully. Boots and works on qemu and Intel Core i7-10810U
Tested-by: Brett Mastbergen <bmastbergen@ciq.com>
Thanks,
Brett
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-01-16 21:55 ` Brett Mastbergen
@ 2026-01-17 14:49 ` Miguel Ojeda
2026-01-19 9:01 ` Jeffrin Thalakkottoor
194 siblings, 0 replies; 196+ messages in thread
From: Miguel Ojeda @ 2026-01-17 14:49 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Thu, 15 Jan 2026 17:45:37 +0100 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.18.6 release.
> There are 181 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for loongarch64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 196+ messages in thread* Re: [PATCH 6.18 000/181] 6.18.6-rc1 review
2026-01-15 16:45 [PATCH 6.18 000/181] 6.18.6-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-01-17 14:49 ` Miguel Ojeda
@ 2026-01-19 9:01 ` Jeffrin Thalakkottoor
194 siblings, 0 replies; 196+ messages in thread
From: Jeffrin Thalakkottoor @ 2026-01-19 9:01 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
hello
Compiled and booted 6.18.6-rc1+
No typical new regressions from dmesg.
As per dmidecode command.
Version: AMD Ryzen 3 3250U with Radeon Graphics
Processor Information
Socket Designation: FP5
Type: Central Processor
Family: Zen
Manufacturer: Advanced Micro Devices, Inc.
ID: 81 0F 81 00 FF FB 8B 17
Signature: Family 23, Model 24, Stepping 1
Tested-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in>
--
software engineer
rajagiri school of engineering and technology
^ permalink raw reply [flat|nested] 196+ messages in thread