* [PATCH 5.15 000/554] 5.15.198-rc1 review
@ 2026-01-15 16:41 Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 001/554] xfrm: delete x->tunnel as we delete x Greg Kroah-Hartman
` (559 more replies)
0 siblings, 560 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 5.15.198 release.
There are 554 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.198-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.15.198-rc1
Michal Rábek <mrabek@redhat.com>
scsi: sg: Fix occasional bogus elapsed time that exceeds timeout
Alexander Stein <alexander.stein@ew.tq-group.com>
ASoC: fsl_sai: Add missing registers to cache default
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
can: j1939: make j1939_session_activate() fail if device is no longer registered
Sumeet Pawnikar <sumeet4linux@gmail.com>
powercap: fix sscanf() error return value handling
Sumeet Pawnikar <sumeet4linux@gmail.com>
powercap: fix race condition in register_control_type()
Laibin Qiu <qiulaibin@huawei.com>
blk-throttle: Set BIO_THROTTLED when bio has been throttled
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
pinctrl: qcom: lpass-lpi: Remove duplicate assignment of of_gpio_n_cells
Alexander Sverdlin <alexander.sverdlin@siemens.com>
counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
NeilBrown <neil@brown.name>
nfsd: provide locking for v4_end_grace
Chuck Lever <chuck.lever@oracle.com>
NFSD: Remove NFSERR_EAGAIN
Mike Snitzer <snitzer@kernel.org>
nfs_common: factor out nfs_errtbl and nfs_stat_to_errno
Chen Hanxiao <chenhx.fnst@fujitsu.com>
NFS: trace: show TIMEDOUT instead of 0x6e
Eric Dumazet <edumazet@google.com>
arp: do not assume dev_hard_header() does not change skb->head
Wei Fang <wei.fang@nxp.com>
net: enetc: fix build warning when PAGE_SIZE is greater than 128K
Petko Manolov <petkan@nucleusys.com>
net: usb: pegasus: fix memory leak in update_eth_regs_async()
Xiang Mei <xmei5@asu.edu>
net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
René Rebe <rene@exactco.de>
HID: quirks: work around VID/PID conflict for appledisplay
Srijit Bose <srijit.bose@broadcom.com>
bnxt_en: Fix potential data corruption with HW GRO/LRO
Jakub Kicinski <kuba@kernel.org>
eth: bnxt: move and rename reset helpers
Gal Pressman <gal@nvidia.com>
net/mlx5e: Don't print error message due to invalid module
Di Zhu <zhud@hygon.cn>
netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates
Weiming Shi <bestswngs@gmail.com>
net: sock: fix hardened usercopy panic in sock_recv_errqueue
yuan.gao <yuan.gao@ucloud.cn>
inet: ping: Fix icmp out counting
Jerry Wu <w.7erry@foxmail.com>
net: mscc: ocelot: Fix crash when adding interface under a lag
Alexandre Knecht <knecht.alexandre@gmail.com>
bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress
Alok Tiwari <alok.a.tiwari@oracle.com>
net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nf_conncount: update last_gc only when GC has been performed
Zilin Guan <zilin@seu.edu.cn>
netfilter: nf_tables: fix memory leak in nf_tables_newrule()
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nft_synproxy: avoid possible data-race on update operation
Ian Ray <ian.ray@gehealthcare.com>
ARM: dts: imx6q-ba16: fix RTC interrupt level
Haibo Chen <haibo.chen@nxp.com>
arm64: dts: add off-on-delay-us for usdhc2 regulator
Xingui Yang <yangxingui@huawei.com>
scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed"
Wen Xiong <wenxiong@linux.ibm.com>
scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix up the automount fs_context to use the correct cred
Scott Mayhew <smayhew@redhat.com>
NFSv4: ensure the open stateid seqid doesn't go backwards
Sam James <sam@gentoo.org>
alpha: don't reference obsolete termio struct for TC* constants
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels
Yang Li <yang.li85200@gmail.com>
csky: fix csky_cmpxchg_fixup not working
Kuniyuki Iwashima <kuniyu@google.com>
tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
net: Add locking to protect skb->dev access in ip_output
Ye Bin <yebin10@huawei.com>
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
Ye Bin <yebin10@huawei.com>
ext4: introduce ITAIL helper
Ilya Dryomov <idryomov@gmail.com>
libceph: make calc_target() set t->paused, not just clear it
Ilya Dryomov <idryomov@gmail.com>
libceph: return the handler error from mon_handle_auth_done()
Tuo Li <islituo@gmail.com>
libceph: make free_choose_arg_map() resilient to partial allocation
Ilya Dryomov <idryomov@gmail.com>
libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
ziming zhang <ezrakiez@gmail.com>
libceph: prevent potential out-of-bounds reads in handle_auth_done()
Eric Dumazet <edumazet@google.com>
wifi: avoid kernel-infoleak from struct iw_point
Miaoqian Lin <linmq006@gmail.com>
drm/pl111: Fix error handling in pl111_amba_probe
Eric Biggers <ebiggers@kernel.org>
lib/crypto: aes: Fix missing MMU protection for AES S-box
Alexander Usyskin <alexander.usyskin@intel.com>
mei: me: add nova lake point S DID
Thomas Fourier <fourier.thomas@gmail.com>
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
Thomas Fourier <fourier.thomas@gmail.com>
atm: Fix dma_free_coherent() size
Johan Hovold <johan@kernel.org>
usb: gadget: lpc32xx_udc: fix clock imbalance in error path
Su Hui <suhui@nfschina.com>
net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "iommu/amd: Skip enabling command/event buffers for kdump"
Amitai Gottlieb <amitaig@hailo.ai>
firmware: arm_scmi: Fix unused notifier-block in unregister
Gabriel Krisman Bertazi <krisman@suse.de>
ext4: fix error message when rejecting the default hash
Jason Yan <yanaijie@huawei.com>
ext4: factor out ext4_hash_info_init()
Lizhi Xu <lizhi.xu@windriver.com>
ext4: filesystems without casefold feature cannot be mounted with siphash
Sean Nyekjaer <sean@geanix.com>
pwm: stm32: Always program polarity
Arnd Bergmann <arnd@arndb.de>
x86: remove __range_not_ok()
Andrea Righi <andrea.righi@canonical.com>
selftests: net: test_vxlan_under_vrf: fix HV connectivity test
Shigeru Yoshida <syoshida@redhat.com>
ipv4: Fix uninit-value access in __ip_make_skb()
Shigeru Yoshida <syoshida@redhat.com>
ipv6: Fix potential uninit-value access in __ip6_make_skb()
Justin Stitt <justinstitt@google.com>
KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning
Peter Xu <peterx@redhat.com>
mm/mprotect: use long for page accountings and retval
Alan Stern <stern@rowland.harvard.edu>
HID: core: Harden s32ton() against conversion to 0 bits
Sean Christopherson <seanjc@google.com>
KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS
Dong Chenchen <dongchenchen2@huawei.com>
page_pool: Fix use-after-free in page_pool_recycle_in_ring
Andrzej Hajda <andrzej.hajda@intel.com>
drm/i915/selftests: fix subtraction overflow bug
Sergey Shtylyov <s.shtylyov@omp.ru>
mmc: core: use sysfs_emit() instead of sprintf()
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
Thomas Zimmermann <tzimmermann@suse.de>
drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()
Jouni Malinen <jouni.malinen@oss.qualcomm.com>
wifi: mac80211: Discard Beacon frames to non-broadcast address
Johan Hovold <johan@kernel.org>
ASoC: stm32: sai: fix OF node leak on probe
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
ASoC: stm: stm32_sai_sub: Convert to platform remove callback returning void
NeilBrown <neil@brown.name>
lockd: fix vfs_test_lock() calls
Wentao Liang <vulab@iscas.ac.cn>
pmdomain: imx: Fix reference count leak in imx_gpc_probe()
Rob Herring <robh@kernel.org>
pmdomain: Use device_get_match_data()
David Hildenbrand <david@redhat.com>
powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
David Hildenbrand <david@redhat.com>
mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize()
David Hildenbrand <david@redhat.com>
mm/balloon_compaction: we cannot have isolated pages in the balloon list
Miaohe Lin <linmiaohe@huawei.com>
mm/balloon_compaction: make balloon page compaction callbacks static
Johan Hovold <johan@kernel.org>
ASoC: stm32: sai: fix clk prepare imbalance on probe failure
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
ASoC: stm32: sai: Use the devm_clk_get_optional() helper
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: stm: Use dev_err_probe() helper
René Rebe <rene@exactco.de>
r8169: fix RTL8117 Wake-on-Lan in DASH mode
Johan Hovold <johan@kernel.org>
iommu/qcom: fix device leak on of_xlate()
Donet Tom <donettom@linux.ibm.com>
powerpc/64s/slb: Fix SLB multihit issue during SLB preload
Jim Quinlan <james.quinlan@broadcom.com>
PCI: brcmstb: Fix disabling L0s capability
David Hildenbrand <david@redhat.com>
powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION
Miaoqian Lin <linmq006@gmail.com>
media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled
Marek Szyprowski <m.szyprowski@samsung.com>
media: samsung: exynos4-is: fix potential ABBA deadlock on init
Chuck Lever <chuck.lever@oracle.com>
NFSD: NFSv4 file creation neglects setting ACL
Nicolas Dufresne <nicolas.dufresne@collabora.com>
media: verisilicon: Protect G2 HEVC decoder against invalid DPB index
Johan Hovold <johan@kernel.org>
media: vpif_capture: fix section mismatch
Haoxiang Li <haoxiang_li2024@163.com>
media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
Joshua Rogers <linux@joshua.hu>
SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
Jim Mattson <jmattson@google.com>
KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
Shivani Agarwal <shivani.agarwal@broadcom.com>
crypto: af_alg - zero initialize memory allocated via sock_kmalloc
Nicolas Ferre <nicolas.ferre@microchip.com>
ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
Joshua Rogers <linux@joshua.hu>
svcrdma: bound check rq_pages index in inline path
Nicolas Ferre <nicolas.ferre@microchip.com>
ARM: dts: microchip: sama7g5: fix uart fifo size to 32
Joanne Koong <joannelkoong@gmail.com>
fuse: fix readahead reclaim deadlock
Johan Hovold <johan@kernel.org>
usb: ohci-nxp: fix device leak on probe failure
Zhang Zekun <zhangzekun11@huawei.com>
usb: ohci-nxp: Use helper function devm_clk_get_enabled()
Matthieu Baerts (NGI0) <matttbe@kernel.org>
mptcp: pm: ignore unknown endpoint flags
Udipto Goswami <udipto.goswami@oss.qualcomm.com>
usb: dwc3: keep susphy enabled during exit to avoid controller faults
Chao Yu <chao@kernel.org>
f2fs: fix to avoid updating zero-sized extent in extent cache
Chao Yu <chao@kernel.org>
f2fs: fix to propagate error from f2fs_enable_checkpoint()
Chao Yu <chao@kernel.org>
f2fs: use global inline_xattr_slab instead of per-sb slab cache
Chao Yu <chao@kernel.org>
f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes()
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
xfs: fix a memory leak in xfs_buf_item_init()
Dongli Zhang <dongli.zhang@oracle.com>
KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit
Chuck Lever <chuck.lever@oracle.com>
NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap
Junrui Luo <moonafterrain@outlook.com>
ALSA: wavefront: Fix integer overflow in sample size validation
Takashi Iwai <tiwai@suse.de>
ALSA: wavefront: Use standard print API
Junrui Luo <moonafterrain@outlook.com>
ALSA: wavefront: Clear substream pointers on close
Sven Eckelmann (Plasma Cloud) <se@simonwunderlich.de>
wifi: mt76: Fix DTS power-limits on little endian systems
Josef Bacik <josef@toxicpanda.com>
btrfs: don't rewrite ret from inode_permission
Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
tpm: Cap the number of PCR banks
Ye Bin <yebin10@huawei.com>
jbd2: fix the inconsistency between checksum and data in memory for journal sb
Łukasz Bartosik <ukaszb@chromium.org>
xhci: dbgtty: fix device unregister
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: dbgtty: use IDR to support several dbc instances.
Jimmy Hu <hhhuuu@google.com>
usb: gadget: udc: fix use-after-free in usb_gadget_state_work
Michal Pecio <michal.pecio@gmail.com>
usb: xhci: Apply the link chain quirk on NEC isoc endpoints
Niklas Neronin <niklas.neronin@linux.intel.com>
usb: xhci: move link chain bit quirk checks into one helper function.
Zack Rusin <zack.rusin@broadcom.com>
drm/vmwgfx: Fix a null-ptr access in the cursor snooper
Maximilian Immanuel Brandtner <maxbr@linux.ibm.com>
virtio_console: fix order of fields cols and rows
Martin Nybo Andersen <tweek@tweek.dk>
kbuild: Use CRC32 and a 1MiB dictionary for XZ compressed modules
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle memory failure from damon_test_target()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at()
SeongJae Park <sj@kernel.org>
mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions()
SeongJae Park <sj@kernel.org>
mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ()
Zhu Yanjun <yanjun.zhu@linux.dev>
RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
SeongJae Park <sj@kernel.org>
mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions()
SeongJae Park <sj@kernel.org>
mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail()
Lyude Paul <lyude@redhat.com>
drm/nouveau/dispnv50: Don't call drm_atomic_get_crtc_state() in prepare_fb
Simon Richter <Simon.Richter@hogyros.de>
drm/ttm: Avoid NULL pointer deref for evicted BOs
Akhil P Oommen <akhilpo@oss.qualcomm.com>
drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers
Xiaolei Wang <xiaolei.wang@windriver.com>
net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open()
Deepanshu Kartikey <kartikey406@gmail.com>
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
Ethan Nelson-Moore <enelsonmoore@gmail.com>
net: usb: sr9700: fix incorrect command used to write single register
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
nfsd: Drop the client reference in client_states_open()
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
fjes: Add missing iounmap in fjes_hw_init()
Guangshuo Li <lgs201920130244@gmail.com>
e1000: fix OOB in e1000_tbi_should_accept()
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/cm: Fix leaking the multicast GID table reference
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
Matthew Wilcox (Oracle) <willy@infradead.org>
idr: fix idr_alloc() returning an ID out of range
Duoming Zhou <duoming@zju.edu.cn>
media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
Duoming Zhou <duoming@zju.edu.cn>
media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
Duoming Zhou <duoming@zju.edu.cn>
media: TDA1997x: Remove redundant cancel_delayed_work in probe
Ivan Abramov <i.abramov@mt-integration.ru>
media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
Haotian Zhang <vulab@iscas.ac.cn>
media: cec: Fix debugfs leak on bus_register() failure
René Rebe <rene@exactco.de>
fbdev: tcx.c fix mem_map to correct smem_start offset
Thorsten Blum <thorsten.blum@linux.dev>
fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
Rene Rebe <rene@exactco.de>
fbdev: gbefb: fix to use physical address instead of dma address
Uladzislau Rezki (Sony) <urezki@gmail.com>
dm-ebs: Mark full buffer dirty even on partial write
Ivan Abramov <i.abramov@mt-integration.ru>
media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
Sven Schnelle <svens@stackframe.org>
parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
Sven Schnelle <svens@stackframe.org>
parisc: entry.S: fix space adjustment on interruption for 64-bit userspace
Haotian Zhang <vulab@iscas.ac.cn>
media: rc: st_rc: Fix reset control resource leak
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
mfd: max77620: Fix potential IRQ chip conflict when probing two devices
Johan Hovold <johan@kernel.org>
mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup
Christian Hitz <christian.hitz@bbv.ch>
leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs
Christian Hitz <christian.hitz@bbv.ch>
leds: leds-lp50xx: Allow LED 0 to be added to module bank
Lukas Wunner <lukas@wunner.de>
PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths
Hans de Goede <johannes.goede@oss.qualcomm.com>
HID: logitech-dj: Remove duplicate error logging
Johan Hovold <johan@kernel.org>
iommu/tegra: fix device leak on probe_device()
Johan Hovold <johan@kernel.org>
iommu/sun50i: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/omap: fix device leaks on probe_device()
Johan Hovold <johan@kernel.org>
iommu/mediatek: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/mediatek-v1: fix device leak on probe_device()
Johan Hovold <johan@kernel.org>
iommu/ipmmu-vmsa: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/exynos: fix device leak on of_xlate()
Johan Hovold <johan@kernel.org>
iommu/apple-dart: fix device leak on of_xlate()
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6adm: the the copp device only during last instance
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
ASoC: qcom: q6asm-dai: perform correct state check before closing
Johan Hovold <johan@kernel.org>
ASoC: stm32: sai: fix device leak on probe
Yipeng Zou <zouyipeng@huawei.com>
selftests/ftrace: traceonoff_triggers: strip off names
Thomas Fourier <fourier.thomas@gmail.com>
RDMA/bnxt_re: fix dma_free_coherent() pointer
Honggang LI <honggangli@163.com>
RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
RDMA/bnxt_re: Fix to use correct page size for PDE table
Alok Tiwari <alok.a.tiwari@oracle.com>
RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
Alok Tiwari <alok.a.tiwari@oracle.com>
RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
Jang Ingyu <ingyujang25@korea.ac.kr>
RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
Michael Margolin <mrgolin@amazon.com>
RDMA/efa: Remove possible negative shift
Michal Schmidt <mschmidt@redhat.com>
RDMA/irdma: avoid invalid read in irdma_net_event
Pwnverse <stanksal@purdue.edu>
net: rose: fix invalid array index in rose_kill_by_device()
Ido Schimmel <idosch@nvidia.com>
ipv4: Fix reference count leak when using error routes with nexthop objects
Will Rosenberg <whrosenb@asu.edu>
ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
Anshumali Gaur <agaur@marvell.com>
octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
Bagas Sanjaya <bagasdotme@gmail.com>
net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct
Deepanshu Kartikey <kartikey406@gmail.com>
net: usb: asix: validate PHY address before use
Jonas Gorski <jonas.gorski@gmail.com>
net: dsa: b53: skip multicast entries for fdb_dump()
Thomas Fourier <fourier.thomas@gmail.com>
firewire: nosy: Fix dma_free_coherent() size
Andrew Morton <akpm@linux-foundation.org>
genalloc.h: fix htmldocs warning
Yeoreum Yun <yeoreum.yun@arm.com>
smc91x: fix broken irq-context in PREEMPT_RT
Deepakkumar Karn <dkarn@redhat.com>
net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
Jiri Pirko <jiri@nvidia.com>
team: fix check for port enabled in team_queue_override_port_prio_changed()
Junrui Luo <moonafterrain@outlook.com>
platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
Thomas Fourier <fourier.thomas@gmail.com>
platform/x86: msi-laptop: add missing sysfs_remove_group()
Eric Dumazet <edumazet@google.com>
ip6_gre: make ip6gre_header() robust
Toke Høiland-Jørgensen <toke@redhat.com>
net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
Jacky Chou <jacky_chou@aspeedtech.com>
net: mdio: aspeed: add dummy read to avoid read-after-write issue
Potin Lai <potin.lai@quantatw.com>
net: mdio: aspeed: move reg accessing part into separate functions
Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Bluetooth: btusb: revert use of devm_kzalloc in btusb
Herbert Xu <herbert@gondor.apana.org.au>
crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
Kohei Enju <enjuk@amazon.com>
iavf: fix off-by-one issues in iavf_config_rss_reg()
Gregory Herrero <gregory.herrero@oracle.com>
i40e: validate ring_len parameter against hardware-specific values
Ivan Vecera <ivecera@redhat.com>
i40e: Refactor argument of i40e_detect_recover_hung()
Ivan Vecera <ivecera@redhat.com>
i40e: Refactor argument of several client notification functions
Przemyslaw Korba <przemyslaw.korba@intel.com>
i40e: fix scheduling in set_rx_mode
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
Gui-Dong Han <hanguidong02@gmail.com>
hwmon: (max16065) Use local variable to avoid TOCTOU
Ma Ke <make24@iscas.ac.cn>
i2c: amd-mp2: fix reference leak in MP2 PCI device
Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
rpmsg: glink: fix rpmsg device leak
Johan Hovold <johan@kernel.org>
soc: amlogic: canvas: fix device leak on lookup
Johan Hovold <johan@kernel.org>
soc: qcom: ocmem: fix device leak on lookup
Johan Hovold <johan@kernel.org>
amba: tegra-ahb: Fix device leak on SMMU enable
Alex Deucher <alexander.deucher@amd.com>
drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
Prithvi Tambewagh <activprithvi@gmail.com>
io_uring: fix filename leak in __io_openat_prep()
Joshua Rogers <linux@joshua.hu>
svcrdma: return 0 on success from svc_rdma_copy_inline_range
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
nfsd: Mark variable __maybe_unused to avoid W=1 build break
Amir Goldstein <amir73il@gmail.com>
fsnotify: do not generate ACCESS/MODIFY events on child for special files
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: runtime: Do not clear needs_force_resume with enabled runtime PM
Steven Rostedt <rostedt@goodmis.org>
tracing: Do not register unsupported perf events
Sean Christopherson <seanjc@google.com>
KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits
Sean Christopherson <seanjc@google.com>
KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN)
Yosry Ahmed <yosry.ahmed@linux.dev>
KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation
fuqiang wang <fuqiang.wng@gmail.com>
KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
fuqiang wang <fuqiang.wng@gmail.com>
KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn()
Sean Christopherson <seanjc@google.com>
KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0
Ilya Dryomov <idryomov@gmail.com>
libceph: make decode_pool() more resilient against corrupted osdmaps
Helge Deller <deller@gmx.de>
parisc: Do not reprogram affinitiy on ASP chip
Zhichi Lin <zhichi.lin@vivo.com>
scs: fix a wrong parameter in __scs_magic
Tzung-Bi Shih <tzungbi@kernel.org>
platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
Prithvi Tambewagh <activprithvi@gmail.com>
ocfs2: fix kernel BUG in ocfs2_find_victim_chain
Jeongjun Park <aha310510@gmail.com>
media: vidtv: initialize local pointers upon transfer of memory ownership
Alison Schofield <alison.schofield@intel.com>
tools/testing/nvdimm: Use per-DIMM device handle
Chao Yu <chao@kernel.org>
f2fs: fix return value of f2fs_recover_fsync_data()
Deepanshu Kartikey <kartikey406@gmail.com>
f2fs: invalidate dentry cache on failed whiteout creation
Andrey Vatoropin <a.vatoropin@crpt.ru>
scsi: target: Reset t_task_cdb pointer in error case
Dai Ngo <dai.ngo@oracle.com>
NFSD: use correct reservation type in nfsd4_scsi_fence_client
Junrui Luo <moonafterrain@outlook.com>
scsi: aic94xx: fix use-after-free in device removal path
Tony Battersby <tonyb@cybernetics.com>
scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
Miaoqian Lin <linmq006@gmail.com>
cpufreq: nforce2: fix reference count leak in nforce2
Ma Ke <make24@iscas.ac.cn>
intel_th: Fix error handling in intel_th_output_open
Tianchu Chen <flynnnchen@tencent.com>
char: applicom: fix NULL pointer dereference in ac_ioctl
Haoxiang Li <haoxiang_li2024@163.com>
usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
Miaoqian Lin <linmq006@gmail.com>
usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
Johan Hovold <johan@kernel.org>
usb: phy: isp1301: fix non-OF device reference imbalance
Duoming Zhou <duoming@zju.edu.cn>
usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
Ma Ke <make24@iscas.ac.cn>
USB: lpc32xx_udc: Fix error handling in probe
Johan Hovold <johan@kernel.org>
phy: broadcom: bcm63xx-usbh: fix section mismatches
Colin Ian King <colin.i.king@gmail.com>
media: pvrusb2: Fix incorrect variable used in trace message
Jeongjun Park <aha310510@gmail.com>
media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
Chen Changcheng <chenchangcheng@kylinos.cn>
usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
Laurent Pinchart <laurent.pinchart@ideasonboard.com>
media: v4l2-mem2mem: Fix outdated documentation
Byungchul Park <byungchul@sk.com>
jbd2: use a weaker annotation in journal handling
Baokun Li <libaokun1@huawei.com>
ext4: align max orphan file size with e2fsprogs limit
Yongjian Sun <sunyongjian1@huawei.com>
ext4: fix incorrect group number assertion in mb_check_buddy
Haibo Chen <haibo.chen@nxp.com>
ext4: clear i_state_flags when alloc inode
Karina Yankevich <k.yankevich@omp.ru>
ext4: xattr: fix null pointer deref in ext4_raw_inode()
Steven Rostedt <rostedt@goodmis.org>
ktest.pl: Fix uninitialized var in config-bisect.pl
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: fix mount failure for sparse runs in run_unpack()
Rene Rebe <rene@exactco.de>
floppy: fix for PAGE_SIZE != 4KB
Li Chen <chenl311@chinatelecom.cn>
block: rate-limit capacity change info log
Eric Biggers <ebiggers@kernel.org>
lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
Sarthak Garg <sarthak.garg@oss.qualcomm.com>
mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
Jarkko Sakkinen <jarkko@kernel.org>
KEYS: trusted: Fix a memory leak in tpm2_load_cmd
Stefano Garzarella <sgarzare@redhat.com>
vhost/vsock: improve RCU read sections around vhost_vsock_get()
Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks
Daniel Wagner <wagi@kernel.org>
nvme-fc: don't hold rport lock when putting ctrl
Wenhua Lin <Wenhua.Lin@unisoc.com>
serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
Chen Changcheng <chenchangcheng@kylinos.cn>
usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.
Hongyu Xie <xiehongyu1@kylinos.cn>
usb: xhci: limit run_graceperiod for only usb 3.0 devices
Mark Pearson <mpearson-lenovo@squebb.ca>
usb: typec: ucsi: Handle incorrect num_connectors capability
Lizhi Xu <lizhi.xu@windriver.com>
usbip: Fix locking bug in RT-enabled kernels
Yuezhang Mo <Yuezhang.Mo@sony.com>
exfat: fix remount failure in different process environments
Encrow Thorne <jyc0019@gmail.com>
reset: fix BIT macro reference
Li Qiang <liqiang01@kylinos.cn>
via_wdt: fix critical boot hang due to unnamed resource allocation
Tony Battersby <tonyb@cybernetics.com>
scsi: qla2xxx: Use reinit_completion on mbx_intr_comp
Tony Battersby <tonyb@cybernetics.com>
scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive
Tony Battersby <tonyb@cybernetics.com>
scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled
Ben Collins <bcollins@kernel.org>
powerpc/addnote: Fix overflow on 32-bit builds
Josua Mayer <josua@solid-run.com>
clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4
Matthias Schiffer <matthias.schiffer@tq-group.com>
ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx
Peng Fan <peng.fan@nxp.com>
firmware: imx: scu-irq: Init workqueue before request mbox channel
Jinhui Guo <guojinhui.liam@bytedance.com>
ipmi: Fix __scan_channels() failing to rescan channels
Jinhui Guo <guojinhui.liam@bytedance.com>
ipmi: Fix the race between __scan_channels() and deliver_response()
Shipei Qu <qu@darknavy.com>
ALSA: usb-mixer: us16x08: validate meter packet indices
Haotian Zhang <vulab@iscas.ac.cn>
ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path
Haotian Zhang <vulab@iscas.ac.cn>
ALSA: vxpocket: Fix resource leak in vxpocket_probe error path
Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
Jared Kangas <jkangas@redhat.com>
mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
Christophe Leroy <christophe.leroy@csgroup.eu>
spi: fsl-cpm: Check length parity before switching to 16 bit mode
Pengjie Zhang <zhangpengjie2@huawei.com>
ACPI: CPPC: Fix missing PCC check for guaranteed_perf
Christoffer Sandberg <cs@tuxedo.de>
Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
Junjie Cao <junjie.cao@intel.com>
Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
Ping Cheng <pinglinux@gmail.com>
HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
Jian Shen <shenjian15@huawei.com>
net: hns3: add VLAN id validation before using
Jian Shen <shenjian15@huawei.com>
net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
Hao Chen <chenhao288@hisilicon.com>
net: hns3: Align type of some variables with their print type
Jian Shen <shenjian15@huawei.com>
net: hns3: using the num_tqps in the vf driver to apply for resources
Shay Drory <shayd@nvidia.com>
net/mlx5: fw_tracer, Handle escaped percent properly
Shay Drory <shayd@nvidia.com>
net/mlx5: fw_tracer, Validate format string parameters
Shay Drory <shayd@nvidia.com>
net/mlx5: fw_tracer, Add support for unrecognized string
Gal Pressman <gal@nvidia.com>
ethtool: Avoid overflowing userspace buffer on stats query
Daniil Tatianin <d-tatianin@yandex-team.ru>
net/ethtool/ioctl: split ethtool_get_phy_stats into multiple helpers
Daniil Tatianin <d-tatianin@yandex-team.ru>
net/ethtool/ioctl: remove if n_stats checks from ethtool_get_phy_stats
Tom Rix <trix@redhat.com>
ethtool: use phydev variable
Dan Carpenter <dan.carpenter@linaro.org>
nfc: pn533: Fix error code in pn533_acr122_poweron_rdr()
Victor Nogueira <victor@mojatatu.com>
net/sched: ets: Remove drr class from the active list if it changes to strict
Junrui Luo <moonafterrain@outlook.com>
caif: fix integer underflow in cffrml_receive()
Slavin Liu <slavin452@gmail.com>
ipvs: fix ipv4 null-ptr-deref in route error path
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nf_conncount: fix leaked ct in error paths
Alexey Simakov <bigalex934@gmail.com>
broadcom: b44: prevent uninitialized value usage
Ilya Maximets <i.maximets@ovn.org>
net: openvswitch: fix middle attribute validation in push_nsh() action
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
Ido Schimmel <idosch@nvidia.com>
mlxsw: spectrum_router: Fix neighbour use-after-free
Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2()
Jamal Hadi Salim <jhs@mojatatu.com>
net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
Wang Liang <wangliang74@huawei.com>
netrom: Fix memory leak in nr_sendmsg()
Gongwei Li <ligongwei@kylinos.cn>
Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE
Qu Wenruo <wqu@suse.com>
btrfs: scrub: always update btrfs_scrub_progress::last_physical
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix volume corruption issue for generic/073
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
hfsplus: Verify inode mode when loading from disk
Yang Chenzhi <yang.chenzhi@vivo.com>
hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
Viacheslav Dubeyko <slava@dubeyko.com>
hfsplus: fix volume corruption issue for generic/070
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: Support timestamps prior to epoch
Song Liu <song@kernel.org>
livepatch: Match old_sympos 0 and 1 in klp_find_func()
Shuhao Fu <sfual@cse.ust.hk>
cpufreq: s5pv210: fix refcount leak
Sakari Ailus <sakari.ailus@linux.intel.com>
ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only
Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
ACPICA: Avoid walking the Namespace if start_node is NULL
Peter Zijlstra <peterz@infradead.org>
x86/ptrace: Always inline trivial accessors
Doug Berger <opendmb@gmail.com>
sched/deadline: only set free_cpus for online runqueues
Deepanshu Kartikey <kartikey406@gmail.com>
btrfs: fix memory leak of fs_devices in degraded seed device path
Ondrej Mosnacek <omosnace@redhat.com>
bpf, arm64: Do not audit capability check in do_jit()
Jamie Iles <quic_jiles@quicinc.com>
i3c: fix uninitialized variable use in i2c setup
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
Krishna Yarlagadda <kyarlagadda@nvidia.com>
spi: tegra210-quad: Fix validate combined sequence
Leo Yan <leo.yan@arm.com>
coresight: etm4x: Correct polling IDLE bit
Nicklas Bo Jensen <njensen@akamai.com>
netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around
Sun Ke <sunke32@huawei.com>
NFS: Fix missing unlock in nfs_unlink()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: get channel status data when PHY is not exists
Junrui Luo <moonafterrain@outlook.com>
ALSA: dice: fix buffer overflow in detect_stream_formats()
Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
usb: phy: Initialize struct usb_phy list_head
Haotien Hsu <haotienh@nvidia.com>
usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
Dmitry Antipov <dmantipov@yandex.ru>
ocfs2: fix memory leak in ocfs2_merge_rec_left()
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
efi/cper: Adjust infopfx size to accept an extra space
Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
efi/cper: Add a new helper function to print bitmasks
Haotian Zhang <vulab@iscas.ac.cn>
dm log-writes: Add missing set_freezable() for freezable kthread
Alexey Simakov <bigalex934@gmail.com>
dm-raid: fix possible NULL dereference with undefined raid type
Liyuan Pang <pangliyuan1@huawei.com>
ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad()
Andres J Rosa <andyrosa@gmail.com>
ALSA: uapi: Fix typo in asound.h comment
Dave Kleikamp <dave.kleikamp@oracle.com>
dma/pool: eliminate alloc_pages warning in atomic_pool_expand
shechenglong <shechenglong@xfusion.com>
block: fix comment for op_is_zone_mgmt() to include RESET_ALL
Cong Zhang <cong.zhang@oss.qualcomm.com>
blk-mq: Abort suspend when wakeup events are pending
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: ak5558: Disable regulator when error happens
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: ak4458: Disable regulator when error happens
Haotian Zhang <vulab@iscas.ac.cn>
ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure()
Anton Khirnov <anton@khirnov.net>
platform/x86: asus-wmi: use brightness_set_blocking() for kbd led
Armin Wolf <W_Armin@gmx.de>
fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
Ondrej Mosnacek <omosnace@redhat.com>
fs_context: drop the unused lsm_flags member
Trond Myklebust <trond.myklebust@hammerspace.com>
Revert "nfs: ignore SB_RDONLY when mounting nfs"
Trond Myklebust <trond.myklebust@hammerspace.com>
Revert "nfs: clear SB_RDONLY before getting superblock"
Trond Myklebust <trond.myklebust@hammerspace.com>
Revert "nfs: ignore SB_RDONLY when remounting nfs"
Jonathan Curley <jcurley@purestorage.com>
NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Initialise verifiers for visible dentries in nfs_atomic_open()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix the verifier for case sensitive filesystem in nfs_atomic_open()
Trond Myklebust <trond.myklebust@primarydata.com>
NFSv4: Add some support for case insensitive filesystems
Armin Wolf <W_Armin@gmx.de>
fs/nls: Fix utf16 to utf8 conversion
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Avoid changing nlink when file removes and attribute updates race
NeilBrown <neilb@suse.de>
NFS: don't unhash dentry during unlink/rename
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink()
Abdun Nihaal <nihaal@cse.iitm.ac.in>
fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe()
Haotian Zhang <vulab@iscas.ac.cn>
pinctrl: single: Fix incorrect type for error return variable
Matthijs Kooijman <matthijs@stdin.nl>
pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling
Namhyung Kim <namhyung@kernel.org>
perf tools: Fix split kallsyms DSO counting
Xiang Mei <xmei5@asu.edu>
net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
Alexandru Gagniuc <mr.nuke.me@gmail.com>
remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs
Ivan Stepchenko <sid@itb.spb.ru>
mtd: lpddr_cmds: fix signed shifts in lpddr_cmds
Alexey Kodanev <aleksei.kodanev@bell-sw.com>
net: stmmac: fix rx limit check in stmmac_rx_zc()
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nft_connlimit: update the count if add was skipped
Fernando Fernandez Mancera <fmancera@suse.de>
netfilter: nf_conncount: rework API to use sk_buff directly
William Tu <u9012063@gmail.com>
netfilter: nf_conncount: reduce unnecessary GC
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: flowtable: check for maximum number of encapsulations in bridge vlan
sparkhuang <huangshaobo3@xiaomi.com>
regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: Intel: catpt: Fix error path in hw_params()
Michael S. Tsirkin <mst@redhat.com>
virtio: fix virtqueue_set_affinity() docs
Alok Tiwari <alok.a.tiwari@oracle.com>
virtio_vdpa: fix misleading return in void function
Eli Cohen <elic@nvidia.com>
vdpa: Sync calls set/get config/status with cf_mutex
Parav Pandit <parav@nvidia.com>
vdpa: Introduce query of device config layout
Parav Pandit <parav@nvidia.com>
vdpa: Introduce and use vdpa device get, set config helpers
Yongjian Sun <sunyongjian1@huawei.com>
ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation
Kemeng Shi <shikemeng@huaweicloud.com>
ext4: remove unused return value of __mb_check_buddy
René Rebe <rene@exactco.de>
ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4
Dan Carpenter <dan.carpenter@linaro.org>
drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1()
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: clear the channel status control memory
Chancel Liu <chancel.liu@nxp.com>
ASoC: fsl_xcvr: Add support for i.MX93 platform
Shengjiu Wang <shengjiu.wang@nxp.com>
ASoC: fsl_xcvr: Add Counter registers
Krzysztof Czurylo <krzysztof.czurylo@intel.com>
RDMA/irdma: Fix data race in irdma_free_pble
Krzysztof Czurylo <krzysztof.czurylo@intel.com>
RDMA/irdma: Fix data race in irdma_sc_ccq_arm
Stephan Gerhold <stephan.gerhold@linaro.org>
iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal
Randy Dunlap <rdunlap@infradead.org>
backlight: lp855x: Fix lp855x.h kernel-doc warnings
Luca Ceresoli <luca.ceresoli@bootlin.com>
backlight: led-bl: Add devlink to supplier LEDs
Mans Rullgard <mans@mansr.com>
backlight: led_bl: Take led_access lock when required
Ria Thomas <ria.thomas@morsemicro.com>
wifi: ieee80211: correct FILS status codes
Shawn Lin <shawn.lin@rock-chips.com>
PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition
Jianglei Nie <niejianglei2021@163.com>
staging: fbtft: core: fix potential memory leak in fbtft_probe_common()
Zilin Guan <zilin@seu.edu.cn>
mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
Haotian Zhang <vulab@iscas.ac.cn>
crypto: ccree - Correctly handle return of sg_nents_for_len
Matt Bobrowski <mattbobrowski@google.com>
selftests/bpf: Improve reliability of test_perf_branches_no_hw()
Matt Bobrowski <mattbobrowski@google.com>
selftests/bpf: skip test_perf_branches_hw() on unsupported platforms
Gopi Krishna Menon <krishnagopi487@gmail.com>
usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE
Jisheng Zhang <jszhang@kernel.org>
usb: dwc2: fix hang during suspend if set as peripheral
Jisheng Zhang <jszhang@kernel.org>
usb: dwc2: fix hang during shutdown if set as peripheral
Jisheng Zhang <jszhang@kernel.org>
usb: dwc2: disable platform lowlevel hw resources during shutdown
Oliver Neukum <oneukum@suse.com>
usb: chaoskey: fix locking for O_NONBLOCK
Zhao Yipeng <zhaoyipeng5@huawei.com>
ima: Handle error code returned by ima_filter_rule_match()
Seungjin Bae <eeodqql09@gmail.com>
wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
Haotian Zhang <vulab@iscas.ac.cn>
mfd: mt6358-irq: Fix missing irq_domain_remove() in error path
Haotian Zhang <vulab@iscas.ac.cn>
mfd: mt6397-irq: Fix missing irq_domain_remove() in error path
Uwe Kleine-König <u.kleine-koenig@baylibre.com>
pwm: bcm2835: Make sure the channel is enabled after pwm_request()
Jay Liu <jay.liu@mediatek.com>
drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue
Edward Adam Davis <eadavis@qq.com>
fs/ntfs3: Prevent memory leaks in add sub record
Edward Adam Davis <eadavis@qq.com>
fs/ntfs3: out1 also needs to put mi
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: Make ni_ins_new_attr return error
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: Add new argument is_mft to ntfs_mark_rec_free
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: Remove unused mi_mark_free
Ritesh Harjani (IBM) <ritesh.list@gmail.com>
powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format
Abdun Nihaal <nihaal@cse.iitm.ac.in>
wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
Sergey Bashirov <sergeybashirov@gmail.com>
NFSD/blocklayout: Fix minlength check in proc_layoutget
Haotian Zhang <vulab@iscas.ac.cn>
watchdog: wdat_wdt: Fix ACPI table leak in probe function
Liu Xinpeng <liuxp11@chinatelecom.cn>
watchdog: wdat_wdt: Stop watchdog when uninstalling module
Alexei Starovoitov <ast@kernel.org>
selftests/bpf: Fix failure paths in send_signal test
Rene Rebe <rene@exactco.de>
ps3disk: use memcpy_{from,to}_bvec index
Siddharth Vadapalli <s-vadapalli@ti.com>
PCI: keystone: Exit ks_pcie_probe() for invalid mode
Haotian Zhang <vulab@iscas.ac.cn>
leds: netxbig: Fix GPIO descriptor leak in error paths
Haotian Zhang <vulab@iscas.ac.cn>
scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls
Haotian Zhang <vulab@iscas.ac.cn>
ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint()
Dmitry Antipov <dmantipov@yandex.ru>
ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
lib/vsprintf: Check pointer before dereferencing in time_and_date()
Haotian Zhang <vulab@iscas.ac.cn>
clk: renesas: r9a06g032: Fix memory leak in error path
Herve Codina <herve.codina@bootlin.com>
soc: renesas: r9a06g032-sysctrl: Handle h2mode setting based on USBF presence
Miquel Raynal <miquel.raynal@bootlin.com>
clk: renesas: r9a06g032: Export function to set dmamux
Leo Yan <leo.yan@arm.com>
coresight: etm4x: Add context synchronization before enabling trace
Leo Yan <leo.yan@arm.com>
coresight: etm4x: Extract the trace unit controlling
Yuanfang Zhang <quic_yuanfang@quicinc.com>
coresight-etm4x: add isb() before reading the TRCSTATR
Suzuki K Poulose <suzuki.poulose@arm.com>
coresight: etm4x: Use Trace Filtering controls dynamically
Suzuki K Poulose <suzuki.poulose@arm.com>
coresight: etm4x: Save restore TRFCR_EL1
Zheng Qixing <zhengqixing@huawei.com>
nbd: defer config unlock in nbd_genl_connect
Abdun Nihaal <nihaal@cse.iitm.ac.in>
wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper()
Long Li <leo.lilong@huawei.com>
macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/32: Fix unpaired stwcx. on interrupt exit
Edward Adam Davis <eadavis@qq.com>
ntfs3: init run lock for extend inode
Ma Ke <make24@iscas.ac.cn>
RDMA/rtrs: server: Fix error handling in get_or_create_srv
Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
dt-bindings: PCI: amlogic: Fix the register name of the DBI region
Neil Armstrong <neil.armstrong@linaro.org>
dt-bindings: PCI: convert amlogic,meson-pcie.txt to dt-schema
Haotian Zhang <vulab@iscas.ac.cn>
scsi: stex: Fix reboot_notifier leak in probe error path
Zheng Qixing <zhengqixing@huawei.com>
nbd: defer config put in recv_work
Yu Kuai <yukuai3@huawei.com>
nbd: partition nbd_read_stat() into nbd_read_reply() and nbd_handle_reply()
Yu Kuai <yukuai3@huawei.com>
nbd: clean up return value checking of sock_xmit()
Gabor Juhos <j4g8y7@gmail.com>
regulator: core: disable supply if enabling main regulator fails
Dapeng Mi <dapeng1.mi@linux.intel.com>
perf/x86/intel: Correct large PEBS flag check
Zhang Yi <yi.zhang@huawei.com>
ext4: correct the checking of quota files before moving extents
Eric Whitney <enwlinux@gmail.com>
ext4: minor defrag code improvements
Haotian Zhang <vulab@iscas.ac.cn>
mfd: da9055: Fix missing regmap_del_irq_chip() in error path
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: Fix timeout handling
Vishwaroop A <va@nvidia.com>
spi: tegra210-quad: modify chip select (CS) deactivation
Krishna Yarlagadda <kyarlagadda@nvidia.com>
spi: tegra210-quad: combined sequence mode
Krishna Yarlagadda <kyarlagadda@nvidia.com>
spi: tegra210-quad: add new chips to compatible
Krishna Yarlagadda <kyarlagadda@nvidia.com>
spi: tegra210-quad: use device_reset method
Bart Van Assche <bvanassche@acm.org>
scsi: target: Do not write NUL characters into ASCII configfs output
Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
power: supply: apm_power: only unset own apm_get_power_status
Ivan Abramov <i.abramov@mt-integration.ru>
power: supply: wm831x: Check wm831x_set_bits() return value
Stanley Chu <yschu@nuvoton.com>
i3c: master: svc: Prevent incomplete IBI transaction
Frank Li <Frank.Li@nxp.com>
i3c: fix refcount inconsistency in i3c_master_register
Jarkko Nikula <jarkko.nikula@linux.intel.com>
i3c: master: Inherit DMA masks and parameters from parent device
Jeremy Kerr <jk@codeconstruct.com.au>
i3c: Allow OF-alias-based persistent bus numbering
Jamie Iles <quic_jiles@quicinc.com>
i3c: support dynamically added i2c devices
Jamie Iles <quic_jiles@quicinc.com>
i3c: remove i2c board info from i2c_dev_desc
Haotian Zhang <vulab@iscas.ac.cn>
pinctrl: stm32: fix hwspinlock resource leak in probe function
Tengda Wu <wutengda@huaweicloud.com>
x86/dumpstack: Prevent KASAN false positive warnings in __show_regs()
Alexander Potapenko <glider@google.com>
x86: kmsan: don't instrument stack walking functions
Alexander Potapenko <glider@google.com>
kmsan: introduce __no_sanitize_memory and __no_kmsan_checks
Kees Cook <keescook@chromium.org>
compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer
Kuniyuki Iwashima <kuniyu@google.com>
sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock().
Horatiu Vultur <horatiu.vultur@microchip.com>
phy: mscc: Fix PTP for VSC8574 and VSC8572
Peng Fan <peng.fan@nxp.com>
firmware: imx: scu-irq: fix OF node leak in
Heiko Carstens <hca@linux.ibm.com>
s390/ap: Don't leak debug feature files if AP instructions are not available
Heiko Carstens <hca@linux.ibm.com>
s390/smp: Fix fallback CPU detection
nieweiqiang <nieweiqiang@huawei.com>
crypto: hisilicon/qm - restore original qos values
Thorsten Blum <thorsten.blum@linux.dev>
crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
Li Qiang <liqiang01@kylinos.cn>
uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe
Tim Harvey <tharvey@gateworks.com>
arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl
Francesco Lavra <flavra@baylibre.com>
iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member
Lorenzo Bianconi <lorenzo@kernel.org>
iio: imu: st_lsm6dsx: discard samples during filters settling time
Lorenzo Bianconi <lorenzo@kernel.org>
iio: imu: st_lsm6dsx: introduce st_lsm6dsx_device_set_enable routine
Xuanqiang Luo <luoxuanqiang@kylinos.cn>
inet: Avoid ehash lookup race in inet_ehash_insert()
Xuanqiang Luo <luoxuanqiang@kylinos.cn>
rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu()
Sidharth Seela <sidharthseela@gmail.com>
ntfs3: Fix uninit buffer allocated by __getname()
Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
ntfs3: fix uninit memory after failed mi_read in mi_format_new
Johan Hovold <johan@kernel.org>
irqchip/qcom-irq-combiner: Fix section mismatch
Seungjin Bae <eeodqql09@gmail.com>
USB: Fix descriptor count when handling invalid MBIM extended descriptor
Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
drm/vgem-fence: Fix potential deadlock on release
Guido Günther <agx@sigxcpu.org>
drm/panel: visionox-rm69299: Don't clear all mode flags
Mainak Sen <msen@nvidia.com>
gpu: host1x: Fix race in syncpt alloc/free
Konstantin Andreev <andreev@swemel.ru>
smack: fix bug: unprivileged task can create labels
Navaneeth K <knavaneeth786@gmail.com>
staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
Navaneeth K <knavaneeth786@gmail.com>
staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
comedi: check device's attached status in compat ioctls
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
comedi: multiq3: sanitize config options in multiq3_attach()
Ian Abbott <abbotti@mev.co.uk>
comedi: c6xdigio: Fix invalid PNP driver unregistration
Linus Torvalds <torvalds@linux-foundation.org>
samples: work around glibc redefining some of our defines wrong
Naoki Ueki <naoki25519@gmail.com>
HID: elecom: Add support for ELECOM M-XT3URBK (018F)
Jia Ston <ston.jia@outlook.com>
platform/x86: huawei-wmi: add keys for HONOR models
Armin Wolf <W_Armin@gmx.de>
platform/x86: acer-wmi: Ignore backlight event
Praveen Talari <praveen.talari@oss.qualcomm.com>
pinctrl: qcom: msm: Fix deadlock in pinmux configuration
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
bfs: Reconstruct file type when loading from disk
Robin Gong <yibin.gong@nxp.com>
spi: imx: keep dma request disabled before dma transfer setup
Alvaro Gamez Machado <alvaro.gamez@hazent.com>
spi: xilinx: increase number of retries before declaring stall
Johan Hovold <johan@kernel.org>
USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC
Johan Hovold <johan@kernel.org>
USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC
Magne Bruno <magne.bruno@addi-data.com>
serial: add support of CPCI cards
Johan Hovold <johan@kernel.org>
USB: serial: ftdi_sio: match on interface number for jtag
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: move Telit 0x10c7 composition in the right place
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: add Telit Cinterion FE910C04 new compositions
Slark Xiao <slark_xiao@163.com>
USB: serial: option: add Foxconn T99W760
Nikita Zhandarovich <n.zhandarovich@fintech.ru>
comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
Alexey Nepomnyashih <sdl@nppct.ru>
ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
Alexander Sverdlin <alexander.sverdlin@siemens.com>
locking/spinlock/debug: Fix data-race in do_raw_write_lock
Deepanshu Kartikey <kartikey406@gmail.com>
ext4: refresh inline data size before write operations
Ye Bin <yebin10@huawei.com>
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
Bagas Sanjaya <bagasdotme@gmail.com>
Documentation: process: Also mention Sasha Levin as stable tree maintainer
Stefan Kalscheuer <stefan@stklcode.de>
leds: spi-byte: Use devm_led_classdev_register_ext()
Azeem Shaikh <azeemshaikh38@gmail.com>
leds: Replace all non-returning strlcpy with strscpy
Kai Song <songkai01@inspur.com>
drm/i915/selftests: Fix inconsistent IS_ERR and PTR_ERR
Robert-Ionut Alexa <robert-ionut.alexa@nxp.com>
dpaa2-mac: bail if the dpmacs fwnode is not found
Sabrina Dubroca <sd@queasysnail.net>
xfrm: flush all states in xfrm_state_fini
Sabrina Dubroca <sd@queasysnail.net>
xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added
Sabrina Dubroca <sd@queasysnail.net>
Revert "xfrm: destroy xfrm_state synchronously on net exit path"
Sabrina Dubroca <sd@queasysnail.net>
xfrm: delete x->tunnel as we delete x
-------------
Diffstat:
.../devicetree/bindings/pci/amlogic,axg-pcie.yaml | 134 +++++++++
.../devicetree/bindings/pci/amlogic,meson-pcie.txt | 70 -----
Documentation/filesystems/mount_api.rst | 1 -
Documentation/process/2.Process.rst | 6 +-
Makefile | 4 +-
arch/alpha/include/uapi/asm/ioctls.h | 8 +-
arch/arm/Kconfig | 2 +-
arch/arm/boot/dts/imx6q-ba16.dtsi | 2 +-
arch/arm/boot/dts/sama5d2.dtsi | 10 +-
arch/arm/boot/dts/sama7g5.dtsi | 4 +-
arch/arm/include/asm/word-at-a-time.h | 10 +-
.../boot/dts/freescale/imx8mm-venice-gw72xx.dtsi | 11 -
arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 1 +
arch/arm64/kvm/Makefile | 3 +
arch/arm64/net/bpf_jit_comp.c | 2 +-
arch/csky/mm/fault.c | 4 +-
arch/parisc/kernel/asm-offsets.c | 2 +
arch/parisc/kernel/entry.S | 16 +-
arch/powerpc/boot/addnote.c | 7 +-
arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1 -
arch/powerpc/kernel/entry_32.S | 10 +-
arch/powerpc/kernel/process.c | 5 -
arch/powerpc/mm/book3s64/internal.h | 1 -
arch/powerpc/mm/book3s64/mmu_context.c | 2 -
arch/powerpc/mm/book3s64/slb.c | 88 ------
arch/powerpc/mm/ptdump/hashpagetable.c | 6 +
arch/powerpc/platforms/pseries/cmm.c | 5 +-
arch/s390/kernel/smp.c | 1 +
arch/x86/crypto/blake2s-core.S | 4 +-
arch/x86/events/core.c | 2 +-
arch/x86/events/intel/core.c | 4 +-
arch/x86/include/asm/ptrace.h | 20 +-
arch/x86/include/asm/uaccess.h | 10 +-
arch/x86/kernel/dumpstack.c | 35 ++-
arch/x86/kernel/stacktrace.c | 2 +-
arch/x86/kernel/unwind_frame.c | 11 +
arch/x86/kvm/lapic.c | 32 ++-
arch/x86/kvm/svm/nested.c | 5 +-
arch/x86/kvm/svm/svm.c | 20 +-
arch/x86/kvm/svm/svm.h | 7 +-
arch/x86/kvm/vmx/nested.c | 2 +-
arch/x86/kvm/vmx/vmx.c | 2 +-
arch/x86/kvm/vmx/vmx.h | 1 +
arch/x86/kvm/x86.c | 2 +
arch/x86/lib/usercopy.c | 2 +-
block/blk-mq.c | 18 +-
block/blk-throttle.c | 16 +-
block/genhd.c | 2 +-
crypto/af_alg.c | 5 +-
crypto/algif_hash.c | 3 +-
crypto/algif_rng.c | 3 +-
crypto/asymmetric_keys/asymmetric_type.c | 12 +-
crypto/seqiv.c | 8 +-
drivers/acpi/acpica/nswalk.c | 9 +-
drivers/acpi/apei/ghes.c | 16 +-
drivers/acpi/cppc_acpi.c | 3 +-
drivers/acpi/processor_core.c | 2 +-
drivers/acpi/property.c | 9 +-
drivers/amba/tegra-ahb.c | 1 +
drivers/atm/he.c | 3 +-
drivers/base/power/runtime.c | 22 +-
drivers/block/floppy.c | 2 +-
drivers/block/nbd.c | 96 ++++---
drivers/block/ps3disk.c | 4 +
drivers/bluetooth/btusb.c | 14 +-
drivers/bus/ti-sysc.c | 11 +-
drivers/char/applicom.c | 5 +-
drivers/char/ipmi/ipmi_msghandler.c | 20 +-
drivers/char/tpm/tpm-chip.c | 1 -
drivers/char/tpm/tpm1-cmd.c | 5 -
drivers/char/tpm/tpm2-cmd.c | 8 +-
drivers/char/virtio_console.c | 2 +-
drivers/clk/mvebu/cp110-system-controller.c | 20 ++
drivers/clk/renesas/r9a06g032-clocks.c | 69 ++++-
drivers/comedi/comedi_fops.c | 42 ++-
drivers/comedi/drivers/c6xdigio.c | 46 ++-
drivers/comedi/drivers/multiq3.c | 9 +
drivers/comedi/drivers/pcl818.c | 5 +-
drivers/counter/interrupt-cnt.c | 3 +-
drivers/cpufreq/cpufreq-nforce2.c | 3 +
drivers/cpufreq/s5pv210-cpufreq.c | 6 +-
drivers/crypto/ccree/cc_buffer_mgr.c | 6 +-
drivers/crypto/hisilicon/qm.c | 14 +-
drivers/firewire/nosy.c | 10 +-
drivers/firmware/arm_scmi/notify.c | 1 +
drivers/firmware/efi/cper-arm.c | 52 ++--
drivers/firmware/efi/cper.c | 60 ++++
drivers/firmware/imx/imx-scu-irq.c | 8 +-
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 8 +-
drivers/gpu/drm/amd/display/dc/core/dc_surface.c | 2 +-
drivers/gpu/drm/gma500/framebuffer.c | 42 ---
.../gpu/drm/i915/gem/selftests/i915_gem_dmabuf.c | 4 +-
drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 2 +-
drivers/gpu/drm/mediatek/mtk_disp_ccorr.c | 23 +-
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
drivers/gpu/drm/nouveau/dispnv50/atom.h | 13 +
drivers/gpu/drm/nouveau/dispnv50/wndw.c | 2 +-
drivers/gpu/drm/panel/panel-visionox-rm69299.c | 2 +-
drivers/gpu/drm/pl111/pl111_drv.c | 2 +-
drivers/gpu/drm/ttm/ttm_bo_vm.c | 6 +
drivers/gpu/drm/vgem/vgem_fence.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 17 +-
drivers/gpu/host1x/syncpt.c | 4 +-
drivers/hid/hid-core.c | 7 +-
drivers/hid/hid-elecom.c | 6 +-
drivers/hid/hid-ids.h | 3 +-
drivers/hid/hid-input.c | 18 +-
drivers/hid/hid-logitech-dj.c | 56 ++--
drivers/hid/hid-quirks.c | 12 +-
drivers/hwmon/max16065.c | 7 +-
drivers/hwmon/w83791d.c | 19 +-
drivers/hwmon/w83l786ng.c | 26 +-
drivers/hwtracing/coresight/coresight-core.c | 20 +-
drivers/hwtracing/coresight/coresight-etm4x-core.c | 284 +++++++++++++------
drivers/hwtracing/coresight/coresight-etm4x.h | 9 +-
.../coresight/coresight-self-hosted-trace.h | 31 +++
drivers/hwtracing/intel_th/core.c | 20 +-
drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 +-
drivers/i3c/master.c | 189 +++++++++++--
drivers/i3c/master/svc-i3c-master.c | 22 +-
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 24 +-
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 71 +++--
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 32 ++-
drivers/infiniband/core/addr.c | 33 +--
drivers/infiniband/core/cma.c | 3 +
drivers/infiniband/core/device.c | 5 +
drivers/infiniband/core/verbs.c | 2 +-
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +-
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
drivers/infiniband/hw/bnxt_re/qplib_res.c | 8 +-
drivers/infiniband/hw/efa/efa_verbs.c | 4 -
drivers/infiniband/hw/irdma/ctrl.c | 3 +
drivers/infiniband/hw/irdma/pble.c | 6 +-
drivers/infiniband/hw/irdma/utils.c | 3 +-
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
drivers/input/serio/i8042-acpipnpio.h | 7 +
drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
drivers/iommu/amd/init.c | 28 +-
drivers/iommu/apple-dart.c | 2 +
drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 27 +-
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 +-
drivers/iommu/exynos-iommu.c | 9 +-
drivers/iommu/ipmmu-vmsa.c | 2 +
drivers/iommu/mtk_iommu.c | 2 +
drivers/iommu/mtk_iommu_v1.c | 2 +
drivers/iommu/omap-iommu.c | 2 +-
drivers/iommu/omap-iommu.h | 2 -
drivers/iommu/sun50i-iommu.c | 2 +
drivers/iommu/tegra-smmu.c | 5 +-
drivers/irqchip/qcom-irq-combiner.c | 2 +-
drivers/leds/flash/leds-aat1290.c | 2 +-
drivers/leds/led-class.c | 2 +-
drivers/leds/leds-lp50xx.c | 12 +-
drivers/leds/leds-netxbig.c | 36 ++-
drivers/leds/leds-spi-byte.c | 11 +-
drivers/macintosh/mac_hid.c | 3 +-
drivers/md/dm-ebs-target.c | 2 +-
drivers/md/dm-log-writes.c | 1 +
drivers/md/dm-raid.c | 2 +
drivers/media/cec/core/cec-core.c | 1 +
drivers/media/i2c/adv7604.c | 4 +-
drivers/media/i2c/adv7842.c | 11 +-
drivers/media/i2c/msp3400-kthreads.c | 2 +
drivers/media/i2c/tda1997x.c | 1 -
drivers/media/platform/davinci/vpif_capture.c | 4 +-
drivers/media/platform/exynos4-is/media-dev.c | 10 +-
.../media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c | 4 +-
drivers/media/platform/rcar_drif.c | 1 +
drivers/media/rc/st_rc.c | 2 +-
drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +
drivers/media/usb/dvb-usb/dtv5100.c | 5 +
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
drivers/mfd/altera-sysmgr.c | 2 +
drivers/mfd/da9055-core.c | 1 +
drivers/mfd/max77620.c | 15 +-
drivers/mfd/mt6358-irq.c | 1 +
drivers/mfd/mt6397-irq.c | 1 +
drivers/misc/mei/hw-me-regs.h | 2 +
drivers/misc/mei/pci-me.c | 2 +
drivers/misc/vmw_balloon.c | 3 +-
drivers/mmc/core/bus.c | 9 +-
drivers/mmc/core/bus.h | 3 +-
drivers/mmc/core/mmc.c | 16 +-
drivers/mmc/core/sd.c | 23 +-
drivers/mmc/core/sdio.c | 5 +-
drivers/mmc/core/sdio_bus.c | 7 +-
drivers/mmc/host/Kconfig | 4 +-
drivers/mmc/host/sdhci-msm.c | 27 +-
drivers/mtd/lpddr/lpddr_cmds.c | 8 +-
drivers/net/dsa/b53/b53_common.c | 3 +
drivers/net/ethernet/3com/3c59x.c | 2 +-
drivers/net/ethernet/broadcom/b44.c | 3 +
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 87 +++---
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +-
drivers/net/ethernet/cadence/macb_main.c | 3 +-
drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c | 5 +-
drivers/net/ethernet/freescale/enetc/enetc.h | 4 +-
.../ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c | 2 +-
.../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 7 +-
.../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 4 +-
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 +-
drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +-
drivers/net/ethernet/intel/i40e/i40e.h | 15 +-
drivers/net/ethernet/intel/i40e/i40e_client.c | 20 +-
drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 -
drivers/net/ethernet/intel/i40e/i40e_main.c | 15 +-
drivers/net/ethernet/intel/i40e/i40e_txrx.c | 10 +-
drivers/net/ethernet/intel/i40e/i40e_txrx.h | 2 +-
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 4 +-
.../ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 +
.../ethernet/marvell/prestera/prestera_devlink.c | 2 +
.../ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 122 +++++++-
.../ethernet/mellanox/mlx5/core/diag/fw_tracer.h | 2 +
drivers/net/ethernet/mellanox/mlx5/core/port.c | 3 +-
drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 2 +
.../net/ethernet/mellanox/mlxsw/spectrum_router.c | 17 +-
drivers/net/ethernet/mscc/ocelot.c | 6 +-
drivers/net/ethernet/realtek/r8169_main.c | 5 +-
drivers/net/ethernet/smsc/smc91x.c | 10 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
drivers/net/fjes/fjes_hw.c | 12 +-
drivers/net/ipvlan/ipvlan_core.c | 3 +
drivers/net/mdio/mdio-aspeed.c | 77 +++---
drivers/net/phy/mscc/mscc_main.c | 6 +-
drivers/net/team/team.c | 2 +-
drivers/net/usb/asix_common.c | 5 +
drivers/net/usb/pegasus.c | 2 +
drivers/net/usb/rtl8150.c | 2 +
drivers/net/usb/sr9700.c | 4 +-
drivers/net/wireless/mediatek/mt76/eeprom.c | 37 ++-
drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 4 +-
drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c | 9 +-
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 27 +-
drivers/net/wireless/st/cw1200/bh.c | 6 +-
drivers/nfc/pn533/usb.c | 2 +-
drivers/nvme/host/fc.c | 6 +-
drivers/parisc/gsc.c | 4 +-
drivers/pci/controller/dwc/pci-keystone.c | 2 +
drivers/pci/controller/dwc/pcie-designware.h | 2 +-
drivers/pci/controller/pcie-brcmstb.c | 10 +-
drivers/pci/pci-driver.c | 4 +
drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +-
drivers/pinctrl/pinctrl-single.c | 25 +-
drivers/pinctrl/qcom/pinctrl-lpass-lpi.c | 3 +-
drivers/pinctrl/qcom/pinctrl-msm.c | 2 +-
drivers/pinctrl/stm32/pinctrl-stm32.c | 2 +-
drivers/platform/chrome/cros_ec_ishtp.c | 1 +
drivers/platform/x86/acer-wmi.c | 4 +
drivers/platform/x86/asus-wmi.c | 8 +-
drivers/platform/x86/huawei-wmi.c | 4 +
drivers/platform/x86/ibm_rtl.c | 2 +-
drivers/platform/x86/intel/hid.c | 12 +
drivers/platform/x86/msi-laptop.c | 3 +
drivers/power/supply/apm_power.c | 3 +-
drivers/power/supply/wm831x_power.c | 10 +-
drivers/powercap/powercap_sys.c | 22 +-
drivers/pwm/pwm-bcm2835.c | 28 +-
drivers/pwm/pwm-stm32.c | 3 +-
drivers/regulator/core.c | 37 ++-
drivers/remoteproc/qcom_q6v5_wcss.c | 8 +-
drivers/rpmsg/qcom_glink_native.c | 8 +
drivers/s390/crypto/ap_bus.c | 8 +-
drivers/scsi/aic94xx/aic94xx_init.c | 3 +
drivers/scsi/ipr.c | 28 +-
drivers/scsi/libsas/sas_internal.h | 14 -
drivers/scsi/qla2xxx/qla_def.h | 1 -
drivers/scsi/qla2xxx/qla_gbl.h | 2 +-
drivers/scsi/qla2xxx/qla_isr.c | 32 +--
drivers/scsi/qla2xxx/qla_mbx.c | 2 +
drivers/scsi/qla2xxx/qla_mid.c | 4 +-
drivers/scsi/qla2xxx/qla_os.c | 14 +-
drivers/scsi/sg.c | 20 +-
drivers/scsi/sim710.c | 2 +
drivers/scsi/stex.c | 1 +
drivers/soc/actions/owl-sps.c | 16 +-
drivers/soc/amlogic/meson-canvas.c | 5 +-
drivers/soc/imx/gpc.c | 12 +-
drivers/soc/qcom/ocmem.c | 2 +-
drivers/soc/rockchip/pm_domains.c | 13 +-
drivers/spi/spi-fsl-spi.c | 2 +-
drivers/spi/spi-imx.c | 15 +-
drivers/spi/spi-tegra210-quad.c | 307 +++++++++++++++++++--
drivers/spi/spi-xilinx.c | 2 +-
drivers/staging/fbtft/fbtft-core.c | 4 +-
drivers/staging/media/hantro/hantro_g2_hevc_dec.c | 15 +-
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 13 +-
drivers/target/target_core_configfs.c | 1 -
drivers/target/target_core_transport.c | 1 +
drivers/tty/serial/8250/8250_pci.c | 37 +++
drivers/tty/serial/sprd_serial.c | 6 +
drivers/uio/uio_fsl_elbc_gpcm.c | 7 +
drivers/usb/core/message.c | 2 +-
drivers/usb/dwc2/platform.c | 16 +-
drivers/usb/dwc3/dwc3-of-simple.c | 7 +-
drivers/usb/dwc3/gadget.c | 2 +-
drivers/usb/dwc3/host.c | 2 +-
drivers/usb/gadget/legacy/raw_gadget.c | 3 +
drivers/usb/gadget/udc/core.c | 17 +-
drivers/usb/gadget/udc/lpc32xx_udc.c | 20 +-
drivers/usb/gadget/udc/tegra-xudc.c | 6 -
drivers/usb/host/ohci-nxp.c | 20 +-
drivers/usb/host/xhci-dbgcap.h | 1 +
drivers/usb/host/xhci-dbgtty.c | 52 +++-
drivers/usb/host/xhci-hub.c | 2 +-
drivers/usb/host/xhci-mem.c | 10 +-
drivers/usb/host/xhci-ring.c | 8 +-
drivers/usb/host/xhci.h | 16 +-
drivers/usb/misc/chaoskey.c | 16 +-
drivers/usb/phy/phy-fsl-usb.c | 1 +
drivers/usb/phy/phy-isp1301.c | 7 +-
drivers/usb/phy/phy.c | 4 +
drivers/usb/renesas_usbhs/pipe.c | 2 +
drivers/usb/serial/belkin_sa.c | 28 +-
drivers/usb/serial/ftdi_sio.c | 72 ++---
drivers/usb/serial/kobil_sct.c | 18 +-
drivers/usb/serial/option.c | 22 +-
drivers/usb/storage/unusual_uas.h | 2 +-
drivers/usb/typec/ucsi/ucsi.c | 6 +
drivers/usb/usbip/vhci_hcd.c | 6 +-
drivers/vdpa/vdpa.c | 231 ++++++++++++++++
drivers/vhost/vdpa.c | 10 +-
drivers/vhost/vsock.c | 15 +-
drivers/video/backlight/led_bl.c | 18 +-
drivers/video/fbdev/gbefb.c | 5 +-
drivers/video/fbdev/pxafb.c | 12 +-
drivers/video/fbdev/ssd1307fb.c | 4 +-
drivers/video/fbdev/tcx.c | 2 +-
drivers/virtio/virtio_balloon.c | 4 +-
drivers/virtio/virtio_vdpa.c | 6 +-
drivers/watchdog/via_wdt.c | 1 +
drivers/watchdog/wdat_wdt.c | 65 +++--
fs/bfs/inode.c | 19 +-
fs/btrfs/ioctl.c | 4 +-
fs/btrfs/scrub.c | 5 +
fs/btrfs/volumes.c | 1 +
fs/exfat/super.c | 19 +-
fs/ext4/ext4.h | 1 +
fs/ext4/ialloc.c | 1 -
fs/ext4/inline.c | 14 +-
fs/ext4/inode.c | 6 +-
fs/ext4/mballoc.c | 58 ++--
fs/ext4/move_extent.c | 18 +-
fs/ext4/orphan.c | 4 +-
fs/ext4/super.c | 65 +++--
fs/ext4/xattr.c | 38 +--
fs/ext4/xattr.h | 10 +
fs/f2fs/f2fs.h | 3 -
fs/f2fs/file.c | 3 +-
fs/f2fs/namei.c | 6 +-
fs/f2fs/recovery.c | 9 +-
fs/f2fs/super.c | 53 ++--
fs/f2fs/xattr.c | 32 +--
fs/f2fs/xattr.h | 10 +-
fs/fuse/file.c | 26 +-
fs/hfsplus/bnode.c | 4 +-
fs/hfsplus/dir.c | 7 +-
fs/hfsplus/inode.c | 32 ++-
fs/jbd2/journal.c | 14 +
fs/jbd2/transaction.c | 21 +-
fs/lockd/svc4proc.c | 4 +-
fs/lockd/svclock.c | 21 +-
fs/lockd/svcproc.c | 5 +-
fs/locks.c | 13 +-
fs/nfs/Kconfig | 1 +
fs/nfs/dir.c | 114 ++++++--
fs/nfs/internal.h | 2 +-
fs/nfs/namespace.c | 11 +
fs/nfs/nfs2xdr.c | 70 +----
fs/nfs/nfs3xdr.c | 108 ++------
fs/nfs/nfs4proc.c | 21 +-
fs/nfs/nfs4trace.h | 1 +
fs/nfs/nfs4xdr.c | 44 ++-
fs/nfs/pnfs.c | 1 +
fs/nfs/super.c | 26 --
fs/nfs_common/Makefile | 2 +
fs/nfs_common/common.c | 66 +++++
fs/nfsd/Kconfig | 1 +
fs/nfsd/blocklayout.c | 7 +-
fs/nfsd/export.c | 2 +-
fs/nfsd/netns.h | 2 +
fs/nfsd/nfs4proc.c | 2 +-
fs/nfsd/nfs4state.c | 46 ++-
fs/nfsd/nfs4xdr.c | 5 +
fs/nfsd/nfsctl.c | 3 +-
fs/nfsd/nfsd.h | 1 -
fs/nfsd/state.h | 2 +-
fs/nfsd/vfs.c | 2 +-
fs/nls/nls_base.c | 27 +-
fs/notify/fsnotify.c | 9 +-
fs/ntfs3/frecord.c | 49 +++-
fs/ntfs3/fsntfs.c | 18 +-
fs/ntfs3/inode.c | 4 +-
fs/ntfs3/namei.c | 2 +-
fs/ntfs3/ntfs_fs.h | 12 +-
fs/ntfs3/record.c | 22 --
fs/ntfs3/run.c | 6 +-
fs/ntfs3/super.c | 2 +-
fs/ocfs2/alloc.c | 1 -
fs/ocfs2/move_extents.c | 8 +-
fs/ocfs2/suballoc.c | 10 +
fs/xfs/xfs_buf_item.c | 1 +
include/linux/balloon_compaction.h | 65 ++---
include/linux/blk_types.h | 5 +-
include/linux/compiler-clang.h | 23 ++
include/linux/compiler-gcc.h | 14 +
include/linux/coresight.h | 4 +
include/linux/cper.h | 12 +-
include/linux/fs_context.h | 1 -
include/linux/genalloc.h | 1 +
include/linux/hugetlb.h | 4 +-
include/linux/i3c/master.h | 1 -
include/linux/ieee80211.h | 4 +-
include/linux/if_bridge.h | 6 +-
include/linux/mm.h | 2 +-
include/linux/netdevice.h | 3 +-
include/linux/nfs_common.h | 16 ++
include/linux/nfs_fs.h | 9 +
include/linux/nfs_fs_sb.h | 2 +
include/linux/nfs_xdr.h | 2 +
include/linux/platform_data/lp855x.h | 4 +-
include/linux/rculist_nulls.h | 59 ++++
include/linux/reset.h | 1 +
include/linux/security.h | 2 +-
include/linux/soc/renesas/r9a06g032-sysctrl.h | 11 +
include/linux/tpm.h | 9 +-
include/linux/usb/gadget.h | 5 +
include/linux/vdpa.h | 22 +-
include/linux/virtio_config.h | 2 +-
include/media/v4l2-mem2mem.h | 3 +-
include/net/dst.h | 12 +
include/net/netfilter/nf_conntrack_count.h | 16 +-
include/net/sock.h | 13 +
include/net/xfrm.h | 13 +-
include/sound/snd_wavefront.h | 4 -
include/trace/misc/nfs.h | 3 +-
include/uapi/linux/mptcp.h | 1 +
include/uapi/linux/nfs.h | 1 -
include/uapi/linux/vdpa.h | 6 +
include/uapi/sound/asound.h | 2 +-
io_uring/io_uring.c | 2 +-
kernel/dma/pool.c | 2 +-
kernel/livepatch/core.c | 8 +-
kernel/locking/spinlock_debug.c | 4 +-
kernel/sched/cpudeadline.c | 34 +--
kernel/sched/cpudeadline.h | 4 +-
kernel/sched/deadline.c | 8 +-
kernel/scs.c | 2 +-
kernel/trace/trace_events.c | 2 +
lib/crypto/aes.c | 4 +-
lib/idr.c | 2 +
lib/vsprintf.c | 6 +-
mm/balloon_compaction.c | 15 +-
mm/damon/core-test.h | 73 ++++-
mm/damon/vaddr-test.h | 26 +-
mm/hugetlb.c | 4 +-
mm/mempolicy.c | 2 +-
mm/mprotect.c | 26 +-
net/bridge/br_ioctl.c | 36 ++-
net/bridge/br_private.h | 4 +-
net/bridge/br_vlan_tunnel.c | 11 +-
net/caif/cffrml.c | 9 +-
net/can/j1939/transport.c | 2 +
net/ceph/messenger_v2.c | 2 +
net/ceph/mon_client.c | 2 +-
net/ceph/osd_client.c | 11 +-
net/ceph/osdmap.c | 140 +++++-----
net/core/dev_ioctl.c | 15 -
net/core/page_pool.c | 18 +-
net/core/sock.c | 7 +-
net/ethtool/ioctl.c | 134 ++++++---
net/hsr/hsr_forward.c | 2 +
net/ipv4/arp.c | 7 +-
net/ipv4/fib_trie.c | 7 +-
net/ipv4/inet_hashtables.c | 8 +-
net/ipv4/ip_output.c | 19 +-
net/ipv4/ipcomp.c | 2 +
net/ipv4/ping.c | 4 +-
net/ipv4/raw.c | 3 +
net/ipv6/calipso.c | 3 +-
net/ipv6/ip6_gre.c | 9 +-
net/ipv6/ip6_output.c | 3 +-
net/ipv6/ipcomp6.c | 2 +
net/ipv6/xfrm6_tunnel.c | 2 +-
net/key/af_key.c | 2 +-
net/mac80211/rx.c | 5 +
net/mptcp/pm_netlink.c | 3 +-
net/netfilter/ipvs/ip_vs_xmit.c | 3 +
net/netfilter/nf_conncount.c | 219 ++++++++++-----
net/netfilter/nf_tables_api.c | 3 +-
net/netfilter/nft_connlimit.c | 34 +--
net/netfilter/nft_flow_offload.c | 9 +-
net/netfilter/nft_synproxy.c | 6 +-
net/netfilter/xt_connlimit.c | 14 +-
net/netrom/nr_out.c | 4 +-
net/nfc/core.c | 9 +-
net/openvswitch/conntrack.c | 16 +-
net/openvswitch/flow_netlink.c | 13 +-
net/openvswitch/vport-netdev.c | 17 +-
net/rose/af_rose.c | 2 +-
net/sched/sch_cake.c | 60 ++--
net/sched/sch_ets.c | 6 +-
net/sched/sch_qfq.c | 2 +-
net/sctp/socket.c | 5 +-
net/socket.c | 19 +-
net/sunrpc/auth_gss/svcauth_gss.c | 3 +-
net/sunrpc/xprtrdma/svc_rdma_rw.c | 5 +-
net/tls/tls_device.c | 18 +-
net/wireless/wext-core.c | 4 +
net/wireless/wext-priv.c | 4 +
net/xfrm/xfrm_ipcomp.c | 1 -
net/xfrm/xfrm_state.c | 41 ++-
net/xfrm/xfrm_user.c | 2 +-
samples/vfs/test-statx.c | 6 +
samples/watch_queue/watch_test.c | 6 +
scripts/Makefile.modinst | 2 +-
security/integrity/ima/ima_policy.c | 2 +-
security/keys/trusted-keys/trusted_tpm2.c | 6 +-
security/smack/smack_lsm.c | 41 ++-
sound/firewire/dice/dice-extension.c | 4 +-
sound/isa/wavefront/wavefront.c | 61 ++--
sound/isa/wavefront/wavefront_fx.c | 36 +--
sound/isa/wavefront/wavefront_midi.c | 17 +-
sound/isa/wavefront/wavefront_synth.c | 198 ++++++-------
sound/pcmcia/pdaudiocf/pdaudiocf.c | 8 +-
sound/pcmcia/vx/vxpocket.c | 8 +-
sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +-
sound/soc/codecs/ak4458.c | 10 +-
sound/soc/codecs/ak5558.c | 10 +-
sound/soc/fsl/fsl_sai.c | 3 +
sound/soc/fsl/fsl_xcvr.c | 197 ++++++++++---
sound/soc/fsl/fsl_xcvr.h | 28 ++
sound/soc/intel/catpt/pcm.c | 4 +-
sound/soc/qcom/qdsp6/q6adm.c | 146 +++++-----
sound/soc/qcom/qdsp6/q6asm-dai.c | 7 +-
sound/soc/stm/stm32_i2s.c | 62 ++---
sound/soc/stm/stm32_sai.c | 51 ++--
sound/soc/stm/stm32_sai_sub.c | 65 +++--
sound/soc/stm/stm32_spdifrx.c | 44 +--
sound/usb/mixer_us16x08.c | 20 +-
tools/perf/util/symbol.c | 4 +-
tools/testing/ktest/config-bisect.pl | 4 +-
tools/testing/nvdimm/test/nfit.c | 7 +-
tools/testing/radix-tree/idr-test.c | 21 ++
.../selftests/bpf/prog_tests/perf_branches.c | 22 +-
.../testing/selftests/bpf/prog_tests/send_signal.c | 5 +
.../selftests/bpf/progs/test_perf_branches.c | 3 +
.../test.d/ftrace/func_traceonoff_triggers.tc | 5 +-
.../testing/selftests/net/test_vxlan_under_vrf.sh | 2 +
550 files changed, 5691 insertions(+), 3045 deletions(-)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 001/554] xfrm: delete x->tunnel as we delete x
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 002/554] Revert "xfrm: destroy xfrm_state synchronously on net exit path" Greg Kroah-Hartman
` (558 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Steffen Klassert,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit b441cf3f8c4b8576639d20c8eb4aa32917602ecd ]
The ipcomp fallback tunnels currently get deleted (from the various
lists and hashtables) as the last user state that needed that fallback
is destroyed (not deleted). If a reference to that user state still
exists, the fallback state will remain on the hashtables/lists,
triggering the WARN in xfrm_state_fini. Because of those remaining
references, the fix in commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path") is not complete.
We recently fixed one such situation in TCP due to defered freeing of
skbs (commit 9b6412e6979f ("tcp: drop secpath at the same time as we
currently drop dst")). This can also happen due to IP reassembly: skbs
with a secpath remain on the reassembly queue until netns
destruction. If we can't guarantee that the queues are flushed by the
time xfrm_state_fini runs, there may still be references to a (user)
xfrm_state, preventing the timely deletion of the corresponding
fallback state.
Instead of chasing each instance of skbs holding a secpath one by one,
this patch fixes the issue directly within xfrm, by deleting the
fallback state as soon as the last user state depending on it has been
deleted. Destruction will still happen when the final reference is
dropped.
A separate lockdep class for the fallback state is required since
we're going to lock x->tunnel while x is locked.
Fixes: 9d4139c76905 ("netns xfrm: per-netns xfrm_state_all list")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xfrm.h | 1 -
net/ipv4/ipcomp.c | 2 ++
net/ipv6/ipcomp6.c | 2 ++
net/ipv6/xfrm6_tunnel.c | 2 +-
net/xfrm/xfrm_ipcomp.c | 1 -
net/xfrm/xfrm_state.c | 19 ++++++++-----------
6 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 3232cdf1b4ef4..3e1690e0a38de 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -394,7 +394,6 @@ int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo);
int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo);
void xfrm_flush_gc(void);
-void xfrm_state_delete_tunnel(struct xfrm_state *x);
struct xfrm_type {
struct module *owner;
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index 366094c1ce6ca..f9f8ed65e1ec9 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -54,6 +54,7 @@ static int ipcomp4_err(struct sk_buff *skb, u32 info)
}
/* We always hold one tunnel user reference to indicate a tunnel */
+static struct lock_class_key xfrm_state_lock_key;
static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)
{
struct net *net = xs_net(x);
@@ -62,6 +63,7 @@ static struct xfrm_state *ipcomp_tunnel_create(struct xfrm_state *x)
t = xfrm_state_alloc(net);
if (!t)
goto out;
+ lockdep_set_class(&t->lock, &xfrm_state_lock_key);
t->id.proto = IPPROTO_IPIP;
t->id.spi = x->props.saddr.a4;
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 15f984be35705..faa1ac5a9715e 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -71,6 +71,7 @@ static int ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
return 0;
}
+static struct lock_class_key xfrm_state_lock_key;
static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
{
struct net *net = xs_net(x);
@@ -79,6 +80,7 @@ static struct xfrm_state *ipcomp6_tunnel_create(struct xfrm_state *x)
t = xfrm_state_alloc(net);
if (!t)
goto out;
+ lockdep_set_class(&t->lock, &xfrm_state_lock_key);
t->id.proto = IPPROTO_IPV6;
t->id.spi = xfrm6_tunnel_alloc_spi(net, (xfrm_address_t *)&x->props.saddr);
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 2b31112c0856b..34f500a417fa6 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -330,8 +330,8 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
unsigned int i;
- xfrm_flush_gc();
xfrm_state_flush(net, 0, false, true);
+ xfrm_flush_gc();
for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));
diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index 92ad336a83ab5..342e7bc2804ee 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -318,7 +318,6 @@ void ipcomp_destroy(struct xfrm_state *x)
struct ipcomp_data *ipcd = x->data;
if (!ipcd)
return;
- xfrm_state_delete_tunnel(x);
mutex_lock(&ipcomp_resource_mutex);
ipcomp_free_data(ipcd);
mutex_unlock(&ipcomp_resource_mutex);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index c1bc5d780f640..6e410f30feba7 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -675,6 +675,7 @@ void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
}
EXPORT_SYMBOL(__xfrm_state_destroy);
+static void xfrm_state_delete_tunnel(struct xfrm_state *x);
int __xfrm_state_delete(struct xfrm_state *x)
{
struct net *net = xs_net(x);
@@ -698,6 +699,8 @@ int __xfrm_state_delete(struct xfrm_state *x)
xfrm_dev_state_delete(x);
+ xfrm_state_delete_tunnel(x);
+
/* All xfrm_state objects are created by xfrm_state_alloc.
* The xfrm_state_alloc call gives a reference, and that
* is what we are dropping here.
@@ -801,10 +804,7 @@ int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
err = xfrm_state_delete(x);
xfrm_audit_state_delete(x, err ? 0 : 1,
task_valid);
- if (sync)
- xfrm_state_put_sync(x);
- else
- xfrm_state_put(x);
+ xfrm_state_put(x);
if (!err)
cnt++;
@@ -2567,20 +2567,17 @@ void xfrm_flush_gc(void)
}
EXPORT_SYMBOL(xfrm_flush_gc);
-/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
-void xfrm_state_delete_tunnel(struct xfrm_state *x)
+static void xfrm_state_delete_tunnel(struct xfrm_state *x)
{
if (x->tunnel) {
struct xfrm_state *t = x->tunnel;
- if (atomic_read(&t->tunnel_users) == 2)
+ if (atomic_dec_return(&t->tunnel_users) == 1)
xfrm_state_delete(t);
- atomic_dec(&t->tunnel_users);
- xfrm_state_put_sync(t);
+ xfrm_state_put(t);
x->tunnel = NULL;
}
}
-EXPORT_SYMBOL(xfrm_state_delete_tunnel);
u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
{
@@ -2748,8 +2745,8 @@ void xfrm_state_fini(struct net *net)
unsigned int sz;
flush_work(&net->xfrm.state_hash_work);
- flush_work(&xfrm_state_gc_work);
xfrm_state_flush(net, 0, false, true);
+ flush_work(&xfrm_state_gc_work);
WARN_ON(!list_empty(&net->xfrm.state_all));
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 002/554] Revert "xfrm: destroy xfrm_state synchronously on net exit path"
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 001/554] xfrm: delete x->tunnel as we delete x Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 003/554] xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Greg Kroah-Hartman
` (557 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Steffen Klassert,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 2a198bbec6913ae1c90ec963750003c6213668c7 ]
This reverts commit f75a2804da391571563c4b6b29e7797787332673.
With all states (whether user or kern) removed from the hashtables
during deletion, there's no need for synchronous destruction of
states. xfrm6_tunnel states still need to have been destroyed (which
will be the case when its last user is deleted (not destroyed)) so
that xfrm6_tunnel_free_spi removes it from the per-netns hashtable
before the netns is destroyed.
This has the benefit of skipping one synchronize_rcu per state (in
__xfrm_state_destroy(sync=true)) when we exit a netns.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/xfrm.h | 12 +++---------
net/ipv6/xfrm6_tunnel.c | 2 +-
net/key/af_key.c | 2 +-
net/xfrm/xfrm_state.c | 23 +++++++++--------------
net/xfrm/xfrm_user.c | 2 +-
5 files changed, 15 insertions(+), 26 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 3e1690e0a38de..875f7dc4706ef 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -785,7 +785,7 @@ static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
xfrm_pol_put(pols[i]);
}
-void __xfrm_state_destroy(struct xfrm_state *, bool);
+void __xfrm_state_destroy(struct xfrm_state *);
static inline void __xfrm_state_put(struct xfrm_state *x)
{
@@ -795,13 +795,7 @@ static inline void __xfrm_state_put(struct xfrm_state *x)
static inline void xfrm_state_put(struct xfrm_state *x)
{
if (refcount_dec_and_test(&x->refcnt))
- __xfrm_state_destroy(x, false);
-}
-
-static inline void xfrm_state_put_sync(struct xfrm_state *x)
-{
- if (refcount_dec_and_test(&x->refcnt))
- __xfrm_state_destroy(x, true);
+ __xfrm_state_destroy(x);
}
static inline void xfrm_state_hold(struct xfrm_state *x)
@@ -1577,7 +1571,7 @@ struct xfrmk_spdinfo {
struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
int xfrm_state_delete(struct xfrm_state *x);
-int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
+int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);
int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 34f500a417fa6..3d811248f3129 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -330,7 +330,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
unsigned int i;
- xfrm_state_flush(net, 0, false, true);
+ xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
xfrm_flush_gc();
for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 258fa046f440d..925fe4f89966b 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1766,7 +1766,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
if (proto == 0)
return -EINVAL;
- err = xfrm_state_flush(net, proto, true, false);
+ err = xfrm_state_flush(net, proto, true);
err2 = unicast_flush_resp(sk, hdr);
if (err || err2) {
if (err == -ESRCH) /* empty table - go quietly */
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 6e410f30feba7..0e2e13c62e6b7 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -497,7 +497,7 @@ void xfrm_state_free(struct xfrm_state *x)
}
EXPORT_SYMBOL(xfrm_state_free);
-static void ___xfrm_state_destroy(struct xfrm_state *x)
+static void xfrm_state_gc_destroy(struct xfrm_state *x)
{
hrtimer_cancel(&x->mtimer);
del_timer_sync(&x->rtimer);
@@ -535,7 +535,7 @@ static void xfrm_state_gc_task(struct work_struct *work)
synchronize_rcu();
hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
- ___xfrm_state_destroy(x);
+ xfrm_state_gc_destroy(x);
}
static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
@@ -659,19 +659,14 @@ struct xfrm_state *xfrm_state_alloc(struct net *net)
}
EXPORT_SYMBOL(xfrm_state_alloc);
-void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
+void __xfrm_state_destroy(struct xfrm_state *x)
{
WARN_ON(x->km.state != XFRM_STATE_DEAD);
- if (sync) {
- synchronize_rcu();
- ___xfrm_state_destroy(x);
- } else {
- spin_lock_bh(&xfrm_state_gc_lock);
- hlist_add_head(&x->gclist, &xfrm_state_gc_list);
- spin_unlock_bh(&xfrm_state_gc_lock);
- schedule_work(&xfrm_state_gc_work);
- }
+ spin_lock_bh(&xfrm_state_gc_lock);
+ hlist_add_head(&x->gclist, &xfrm_state_gc_list);
+ spin_unlock_bh(&xfrm_state_gc_lock);
+ schedule_work(&xfrm_state_gc_work);
}
EXPORT_SYMBOL(__xfrm_state_destroy);
@@ -782,7 +777,7 @@ xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool
}
#endif
-int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
+int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
{
int i, err = 0, cnt = 0;
@@ -2745,7 +2740,7 @@ void xfrm_state_fini(struct net *net)
unsigned int sz;
flush_work(&net->xfrm.state_hash_work);
- xfrm_state_flush(net, 0, false, true);
+ xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
flush_work(&xfrm_state_gc_work);
WARN_ON(!list_empty(&net->xfrm.state_all));
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 1aa05b608ccf0..d9238e17ab427 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2210,7 +2210,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_usersa_flush *p = nlmsg_data(nlh);
int err;
- err = xfrm_state_flush(net, p->proto, true, false);
+ err = xfrm_state_flush(net, p->proto, true);
if (err) {
if (err == -ESRCH) /* empty table */
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 003/554] xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 001/554] xfrm: delete x->tunnel as we delete x Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 002/554] Revert "xfrm: destroy xfrm_state synchronously on net exit path" Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 004/554] xfrm: flush all states in xfrm_state_fini Greg Kroah-Hartman
` (556 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+999eb23467f83f9bf9bf,
Sabrina Dubroca, Steffen Klassert, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 10deb69864840ccf96b00ac2ab3a2055c0c04721 ]
In commit b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x"), I
missed the case where state creation fails between full
initialization (->init_state has been called) and being inserted on
the lists.
In this situation, ->init_state has been called, so for IPcomp
tunnels, the fallback tunnel has been created and added onto the
lists, but the user state never gets added, because we fail before
that. The user state doesn't go through __xfrm_state_delete, so we
don't call xfrm_state_delete_tunnel for those states, and we end up
leaking the FB tunnel.
There are several codepaths affected by this: the add/update paths, in
both net/key and xfrm, and the migrate code (xfrm_migrate,
xfrm_state_migrate). A "proper" rollback of the init_state work would
probably be doable in the add/update code, but for migrate it gets
more complicated as multiple states may be involved.
At some point, the new (not-inserted) state will be destroyed, so call
xfrm_state_delete_tunnel during xfrm_state_gc_destroy. Most states
will have their fallback tunnel cleaned up during __xfrm_state_delete,
which solves the issue that b441cf3f8c4b (and other patches before it)
aimed at. All states (including FB tunnels) will be removed from the
lists once xfrm_state_fini has called flush_work(&xfrm_state_gc_work).
Reported-by: syzbot+999eb23467f83f9bf9bf@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=999eb23467f83f9bf9bf
Fixes: b441cf3f8c4b ("xfrm: delete x->tunnel as we delete x")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_state.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 0e2e13c62e6b7..8287dc73e839d 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -497,6 +497,7 @@ void xfrm_state_free(struct xfrm_state *x)
}
EXPORT_SYMBOL(xfrm_state_free);
+static void xfrm_state_delete_tunnel(struct xfrm_state *x);
static void xfrm_state_gc_destroy(struct xfrm_state *x)
{
hrtimer_cancel(&x->mtimer);
@@ -511,6 +512,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
kfree(x->preplay_esn);
if (x->type_offload)
xfrm_put_type_offload(x->type_offload);
+ xfrm_state_delete_tunnel(x);
if (x->type) {
x->type->destructor(x);
xfrm_put_type(x->type);
@@ -670,7 +672,6 @@ void __xfrm_state_destroy(struct xfrm_state *x)
}
EXPORT_SYMBOL(__xfrm_state_destroy);
-static void xfrm_state_delete_tunnel(struct xfrm_state *x);
int __xfrm_state_delete(struct xfrm_state *x)
{
struct net *net = xs_net(x);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 004/554] xfrm: flush all states in xfrm_state_fini
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 003/554] xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 005/554] dpaa2-mac: bail if the dpmacs fwnode is not found Greg Kroah-Hartman
` (555 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6641a61fe0e2e89ae8c5,
Sabrina Dubroca, Simon Horman, Steffen Klassert, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sabrina Dubroca <sd@queasysnail.net>
[ Upstream commit 42e42562c9cfcdacf000f1b42284a4fad24f8546 ]
While reverting commit f75a2804da39 ("xfrm: destroy xfrm_state
synchronously on net exit path"), I incorrectly changed
xfrm_state_flush's "proto" argument back to IPSEC_PROTO_ANY. This
reverts some of the changes in commit dbb2483b2a46 ("xfrm: clean up
xfrm protocol checks"), and leads to some states not being removed
when we exit the netns.
Pass 0 instead of IPSEC_PROTO_ANY from both xfrm_state_fini
xfrm6_tunnel_net_exit, so that xfrm_state_flush deletes all states.
Fixes: 2a198bbec691 ("Revert "xfrm: destroy xfrm_state synchronously on net exit path"")
Reported-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6641a61fe0e2e89ae8c5
Tested-by: syzbot+6641a61fe0e2e89ae8c5@syzkaller.appspotmail.com
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/xfrm6_tunnel.c | 2 +-
net/xfrm/xfrm_state.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 3d811248f3129..a3e6860406fcb 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -330,7 +330,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
unsigned int i;
- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ xfrm_state_flush(net, 0, false);
xfrm_flush_gc();
for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 8287dc73e839d..54ae99f69f25f 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2741,7 +2741,7 @@ void xfrm_state_fini(struct net *net)
unsigned int sz;
flush_work(&net->xfrm.state_hash_work);
- xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+ xfrm_state_flush(net, 0, false);
flush_work(&xfrm_state_gc_work);
WARN_ON(!list_empty(&net->xfrm.state_all));
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 005/554] dpaa2-mac: bail if the dpmacs fwnode is not found
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 004/554] xfrm: flush all states in xfrm_state_fini Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 006/554] drm/i915/selftests: Fix inconsistent IS_ERR and PTR_ERR Greg Kroah-Hartman
` (554 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert-Ionut Alexa, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert-Ionut Alexa <robert-ionut.alexa@nxp.com>
[ Upstream commit 5b1e38c0792cc7a44997328de37d393f81b2501a ]
The parent pointer node handler must be declared with a NULL
initializer. Before using it, a check must be performed to make
sure that a valid address has been assigned to it.
Signed-off-by: Robert-Ionut Alexa <robert-ionut.alexa@nxp.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
index ae6d382d87352..4ace67bfa07c1 100644
--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
+++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
@@ -40,7 +40,7 @@ static int phy_mode(enum dpmac_eth_if eth_if, phy_interface_t *if_mode)
static struct fwnode_handle *dpaa2_mac_get_node(struct device *dev,
u16 dpmac_id)
{
- struct fwnode_handle *fwnode, *parent, *child = NULL;
+ struct fwnode_handle *fwnode, *parent = NULL, *child = NULL;
struct device_node *dpmacs = NULL;
int err;
u32 id;
@@ -55,6 +55,9 @@ static struct fwnode_handle *dpaa2_mac_get_node(struct device *dev,
parent = fwnode;
}
+ if (!parent)
+ return NULL;
+
fwnode_for_each_child_node(parent, child) {
err = -EINVAL;
if (is_acpi_device_node(child))
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 006/554] drm/i915/selftests: Fix inconsistent IS_ERR and PTR_ERR
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 005/554] dpaa2-mac: bail if the dpmacs fwnode is not found Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 007/554] leds: Replace all non-returning strlcpy with strscpy Greg Kroah-Hartman
` (553 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kai Song, Matthew Auld, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai Song <songkai01@inspur.com>
[ Upstream commit fc7bf4c0d65a342b29fe38c332db3fe900b481b9 ]
Fix inconsistent IS_ERR and PTR_ERR in i915_gem_dmabuf.c
Signed-off-by: Kai Song <songkai01@inspur.com>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211022120655.22173-1-songkai01@inspur.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/gem/selftests/i915_gem_dmabuf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/gem/selftests/i915_gem_dmabuf.c b/drivers/gpu/drm/i915/gem/selftests/i915_gem_dmabuf.c
index 4a6bb64c3a354..3cc74b0fed068 100644
--- a/drivers/gpu/drm/i915/gem/selftests/i915_gem_dmabuf.c
+++ b/drivers/gpu/drm/i915/gem/selftests/i915_gem_dmabuf.c
@@ -102,7 +102,7 @@ static int igt_dmabuf_import_same_driver_lmem(void *arg)
obj = __i915_gem_object_create_user(i915, PAGE_SIZE, &lmem, 1);
if (IS_ERR(obj)) {
pr_err("__i915_gem_object_create_user failed with err=%ld\n",
- PTR_ERR(dmabuf));
+ PTR_ERR(obj));
err = PTR_ERR(obj);
goto out_ret;
}
@@ -158,7 +158,7 @@ static int igt_dmabuf_import_same_driver(struct drm_i915_private *i915,
regions, num_regions);
if (IS_ERR(obj)) {
pr_err("__i915_gem_object_create_user failed with err=%ld\n",
- PTR_ERR(dmabuf));
+ PTR_ERR(obj));
err = PTR_ERR(obj);
goto out_ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 007/554] leds: Replace all non-returning strlcpy with strscpy
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 006/554] drm/i915/selftests: Fix inconsistent IS_ERR and PTR_ERR Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 008/554] leds: spi-byte: Use devm_led_classdev_register_ext() Greg Kroah-Hartman
` (552 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Azeem Shaikh, Kees Cook, Lee Jones,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Azeem Shaikh <azeemshaikh38@gmail.com>
[ Upstream commit bf4a35e9201d30b63a8d276797d6ecfaa596ccd3 ]
strlcpy() reads the entire source buffer first.
This read may exceed the destination size limit.
This is both inefficient and can lead to linear read
overflows if a source string is not NUL-terminated [1].
In an effort to remove strlcpy() completely [2], replace
strlcpy() here with strscpy().
No return values were used, so direct replacement is safe.
[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
[2] https://github.com/KSPP/linux/issues/89
Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20230523021451.2406362-1-azeemshaikh38@gmail.com
Signed-off-by: Lee Jones <lee@kernel.org>
Stable-dep-of: ccc35ff2fd29 ("leds: spi-byte: Use devm_led_classdev_register_ext()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/flash/leds-aat1290.c | 2 +-
drivers/leds/led-class.c | 2 +-
drivers/leds/leds-spi-byte.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/leds/flash/leds-aat1290.c b/drivers/leds/flash/leds-aat1290.c
index 589484b22c796..f12ecb2c65803 100644
--- a/drivers/leds/flash/leds-aat1290.c
+++ b/drivers/leds/flash/leds-aat1290.c
@@ -425,7 +425,7 @@ static void aat1290_init_v4l2_flash_config(struct aat1290_led *led,
struct led_classdev *led_cdev = &led->fled_cdev.led_cdev;
struct led_flash_setting *s;
- strlcpy(v4l2_sd_cfg->dev_name, led_cdev->dev->kobj.name,
+ strscpy(v4l2_sd_cfg->dev_name, led_cdev->dev->kobj.name,
sizeof(v4l2_sd_cfg->dev_name));
s = &v4l2_sd_cfg->intensity;
diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c
index 1e4fed64aee18..e098e001a7b0b 100644
--- a/drivers/leds/led-class.c
+++ b/drivers/leds/led-class.c
@@ -321,7 +321,7 @@ static int led_classdev_next_name(const char *init_name, char *name,
int ret = 0;
struct device *dev;
- strlcpy(name, init_name, len);
+ strscpy(name, init_name, len);
while ((ret < len) &&
(dev = class_find_device_by_name(leds_class, name))) {
diff --git a/drivers/leds/leds-spi-byte.c b/drivers/leds/leds-spi-byte.c
index 82696e0607a53..958e898b58d09 100644
--- a/drivers/leds/leds-spi-byte.c
+++ b/drivers/leds/leds-spi-byte.c
@@ -97,7 +97,7 @@ static int spi_byte_probe(struct spi_device *spi)
return -ENOMEM;
of_property_read_string(child, "label", &name);
- strlcpy(led->name, name, sizeof(led->name));
+ strscpy(led->name, name, sizeof(led->name));
led->spi = spi;
mutex_init(&led->mutex);
led->cdef = device_get_match_data(dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 008/554] leds: spi-byte: Use devm_led_classdev_register_ext()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 007/554] leds: Replace all non-returning strlcpy with strscpy Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 009/554] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
` (551 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Kalscheuer, Lee Jones,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Kalscheuer <stefan@stklcode.de>
[ Upstream commit ccc35ff2fd2911986b716a87fe65e03fac2312c9 ]
Use extended classdev registration to generate generic device names from
color and function enums instead of reading only the label from the
device tree.
Signed-off-by: Stefan Kalscheuer <stefan@stklcode.de>
Link: https://lore.kernel.org/r/20240204150726.29783-1-stefan@stklcode.de
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/leds-spi-byte.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/leds/leds-spi-byte.c b/drivers/leds/leds-spi-byte.c
index 958e898b58d09..9a17424fd2da8 100644
--- a/drivers/leds/leds-spi-byte.c
+++ b/drivers/leds/leds-spi-byte.c
@@ -83,7 +83,7 @@ static int spi_byte_probe(struct spi_device *spi)
struct device_node *child;
struct device *dev = &spi->dev;
struct spi_byte_led *led;
- const char *name = "leds-spi-byte::";
+ struct led_init_data init_data = {};
const char *state;
int ret;
@@ -96,12 +96,9 @@ static int spi_byte_probe(struct spi_device *spi)
if (!led)
return -ENOMEM;
- of_property_read_string(child, "label", &name);
- strscpy(led->name, name, sizeof(led->name));
led->spi = spi;
mutex_init(&led->mutex);
led->cdef = device_get_match_data(dev);
- led->ldev.name = led->name;
led->ldev.brightness = LED_OFF;
led->ldev.max_brightness = led->cdef->max_value - led->cdef->off_value;
led->ldev.brightness_set_blocking = spi_byte_brightness_set_blocking;
@@ -121,7 +118,11 @@ static int spi_byte_probe(struct spi_device *spi)
spi_byte_brightness_set_blocking(&led->ldev,
led->ldev.brightness);
- ret = devm_led_classdev_register(&spi->dev, &led->ldev);
+ init_data.fwnode = of_fwnode_handle(child);
+ init_data.devicename = "leds-spi-byte";
+ init_data.default_label = ":";
+
+ ret = devm_led_classdev_register_ext(&spi->dev, &led->ldev, &init_data);
if (ret) {
of_node_put(child);
mutex_destroy(&led->mutex);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 009/554] Documentation: process: Also mention Sasha Levin as stable tree maintainer
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 008/554] leds: spi-byte: Use devm_led_classdev_register_ext() Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 010/554] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
` (550 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bagas Sanjaya, Randy Dunlap,
Jonathan Corbet
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
commit ba2457109d5b47a90fe565b39524f7225fc23e60 upstream.
Sasha has also maintaining stable branch in conjunction with Greg
since cb5d21946d2a2f ("MAINTAINERS: Add Sasha as a stable branch
maintainer"). Mention him in 2.Process.rst.
Cc: stable@vger.kernel.org
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20251022034336.22839-1-bagasdotme@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/process/2.Process.rst | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/Documentation/process/2.Process.rst
+++ b/Documentation/process/2.Process.rst
@@ -104,8 +104,10 @@ kernels go out with a handful of known r
of them are serious.
Once a stable release is made, its ongoing maintenance is passed off to the
-"stable team," currently Greg Kroah-Hartman. The stable team will release
-occasional updates to the stable release using the 5.x.y numbering scheme.
+"stable team," currently consists of Greg Kroah-Hartman and Sasha Levin. The
+stable team will release occasional updates to the stable release using the
+5.x.y numbering scheme.
+
To be considered for an update release, a patch must (1) fix a significant
bug, and (2) already be merged into the mainline for the next development
kernel. Kernels will typically receive stable updates for a little more
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 010/554] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 009/554] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 011/554] ext4: refresh inline data size before write operations Greg Kroah-Hartman
` (549 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso,
stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
commit 986835bf4d11032bba4ab8414d18fce038c61bb4 upstream.
There's issue when file system corrupted:
------------[ cut here ]------------
kernel BUG at fs/jbd2/transaction.c:1289!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
R13: ffff88812c432000 R14: ffff88812c608000 R15: ffff888120bfc000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91d6970c99 CR3: 00000001159c4000 CR4: 00000000000006f0
Call Trace:
<TASK>
__ext4_journal_get_create_access+0x42/0x170
ext4_getblk+0x319/0x6f0
ext4_bread+0x11/0x100
ext4_append+0x1e6/0x4a0
ext4_init_new_dir+0x145/0x1d0
ext4_mkdir+0x326/0x920
vfs_mkdir+0x45c/0x740
do_mkdirat+0x234/0x2f0
__x64_sys_mkdir+0xd6/0x120
do_syscall_64+0x5f/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The above issue occurs with us in errors=continue mode when accompanied by
storage failures. There have been many inconsistencies in the file system
data.
In the case of file system data inconsistency, for example, if the block
bitmap of a referenced block is not set, it can lead to the situation where
a block being committed is allocated and used again. As a result, the
following condition will not be satisfied then trigger BUG_ON. Of course,
it is entirely possible to construct a problematic image that can trigger
this BUG_ON through specific operations. In fact, I have constructed such
an image and easily reproduced this issue.
Therefore, J_ASSERT() holds true only under ideal conditions, but it may
not necessarily be satisfied in exceptional scenarios. Using J_ASSERT()
directly in abnormal situations would cause the system to crash, which is
clearly not what we want. So here we directly trigger a JBD abort instead
of immediately invoking BUG_ON.
Fixes: 470decc613ab ("[PATCH] jbd2: initial copy of files from jbd")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251025072657.307851-1-yebin@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/transaction.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -1294,14 +1294,23 @@ int jbd2_journal_get_create_access(handl
* committing transaction's lists, but it HAS to be in Forget state in
* that case: the transaction must have deleted the buffer for it to be
* reused here.
+ * In the case of file system data inconsistency, for example, if the
+ * block bitmap of a referenced block is not set, it can lead to the
+ * situation where a block being committed is allocated and used again.
+ * As a result, the following condition will not be satisfied, so here
+ * we directly trigger a JBD abort instead of immediately invoking
+ * bugon.
*/
spin_lock(&jh->b_state_lock);
- J_ASSERT_JH(jh, (jh->b_transaction == transaction ||
- jh->b_transaction == NULL ||
- (jh->b_transaction == journal->j_committing_transaction &&
- jh->b_jlist == BJ_Forget)));
+ if (!(jh->b_transaction == transaction || jh->b_transaction == NULL ||
+ (jh->b_transaction == journal->j_committing_transaction &&
+ jh->b_jlist == BJ_Forget)) || jh->b_next_transaction != NULL) {
+ err = -EROFS;
+ spin_unlock(&jh->b_state_lock);
+ jbd2_journal_abort(journal, err);
+ goto out;
+ }
- J_ASSERT_JH(jh, jh->b_next_transaction == NULL);
J_ASSERT_JH(jh, buffer_locked(jh2bh(jh)));
if (jh->b_transaction == NULL) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 011/554] ext4: refresh inline data size before write operations
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 010/554] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 012/554] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
` (548 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f3185be57d7e8dda32b8, stable,
Deepanshu Kartikey, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 892e1cf17555735e9d021ab036c36bc7b58b0e3b upstream.
The cached ei->i_inline_size can become stale between the initial size
check and when ext4_update_inline_data()/ext4_create_inline_data() use
it. Although ext4_get_max_inline_size() reads the correct value at the
time of the check, concurrent xattr operations can modify i_inline_size
before ext4_write_lock_xattr() is acquired.
This causes ext4_update_inline_data() and ext4_create_inline_data() to
work with stale capacity values, leading to a BUG_ON() crash in
ext4_write_inline_data():
kernel BUG at fs/ext4/inline.c:1331!
BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
The race window:
1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct)
2. Size check passes for 50-byte write
3. [Another thread adds xattr, i_inline_size changes to 40]
4. ext4_write_lock_xattr() acquires lock
5. ext4_update_inline_data() uses stale i_inline_size = 60
6. Attempts to write 50 bytes but only 40 bytes actually available
7. BUG_ON() triggers
Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock()
immediately after acquiring xattr_sem. This ensures ext4_update_inline_data()
and ext4_create_inline_data() work with current values that are protected
from concurrent modifications.
This is similar to commit a54c4613dac1 ("ext4: fix race writing to an
inline_data file while its xattrs are changing") which fixed i_inline_off
staleness. This patch addresses the related i_inline_size staleness issue.
Reported-by: syzbot+f3185be57d7e8dda32b8@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=f3185be57d7e8dda32b8
Cc: stable@kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Message-ID: <20251020060936.474314-1-kartikey406@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inline.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -413,7 +413,12 @@ static int ext4_prepare_inline_data(hand
return -ENOSPC;
ext4_write_lock_xattr(inode, &no_expand);
-
+ /*
+ * ei->i_inline_size may have changed since the initial check
+ * if other xattrs were added. Recalculate to ensure
+ * ext4_update_inline_data() validates against current capacity.
+ */
+ (void) ext4_find_inline_data_nolock(inode);
if (ei->i_inline_off)
ret = ext4_update_inline_data(handle, inode, len);
else
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 012/554] locking/spinlock/debug: Fix data-race in do_raw_write_lock
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 011/554] ext4: refresh inline data size before write operations Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 013/554] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
` (547 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Freihofer, Alexander Sverdlin,
Boqun Feng, Peter Zijlstra (Intel), Paul E. McKenney, Waiman Long
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
commit c14ecb555c3ee80eeb030a4e46d00e679537f03a upstream.
KCSAN reports:
BUG: KCSAN: data-race in do_raw_write_lock / do_raw_write_lock
write (marked) to 0xffff800009cf504c of 4 bytes by task 1102 on cpu 1:
do_raw_write_lock+0x120/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
read to 0xffff800009cf504c of 4 bytes by task 1103 on cpu 0:
do_raw_write_lock+0x88/0x204
_raw_write_lock_irq
do_exit
call_usermodehelper_exec_async
ret_from_fork
value changed: 0xffffffff -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 1103 Comm: kworker/u4:1 6.1.111
Commit 1a365e822372 ("locking/spinlock/debug: Fix various data races") has
adressed most of these races, but seems to be not consistent/not complete.
>From do_raw_write_lock() only debug_write_lock_after() part has been
converted to WRITE_ONCE(), but not debug_write_lock_before() part.
Do it now.
Fixes: 1a365e822372 ("locking/spinlock/debug: Fix various data races")
Reported-by: Adrian Freihofer <adrian.freihofer@siemens.com>
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: Waiman Long <longman@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/locking/spinlock_debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/kernel/locking/spinlock_debug.c
+++ b/kernel/locking/spinlock_debug.c
@@ -183,8 +183,8 @@ void do_raw_read_unlock(rwlock_t *lock)
static inline void debug_write_lock_before(rwlock_t *lock)
{
RWLOCK_BUG_ON(lock->magic != RWLOCK_MAGIC, lock, "bad magic");
- RWLOCK_BUG_ON(lock->owner == current, lock, "recursion");
- RWLOCK_BUG_ON(lock->owner_cpu == raw_smp_processor_id(),
+ RWLOCK_BUG_ON(READ_ONCE(lock->owner) == current, lock, "recursion");
+ RWLOCK_BUG_ON(READ_ONCE(lock->owner_cpu) == raw_smp_processor_id(),
lock, "cpu recursion");
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 013/554] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 012/554] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 014/554] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
` (546 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexey Nepomnyashih, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Nepomnyashih <sdl@nppct.ru>
commit 0cd8feea8777f8d9b9a862b89c688b049a5c8475 upstream.
Fix a race between inline data destruction and block mapping.
The function ext4_destroy_inline_data_nolock() changes the inode data
layout by clearing EXT4_INODE_INLINE_DATA and setting EXT4_INODE_EXTENTS.
At the same time, another thread may execute ext4_map_blocks(), which
tests EXT4_INODE_EXTENTS to decide whether to call ext4_ext_map_blocks()
or ext4_ind_map_blocks().
Without i_data_sem protection, ext4_ind_map_blocks() may receive inode
with EXT4_INODE_EXTENTS flag and triggering assert.
kernel BUG at fs/ext4/indirect.c:546!
EXT4-fs (loop2): unmounting filesystem.
invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:ext4_ind_map_blocks.cold+0x2b/0x5a fs/ext4/indirect.c:546
Call Trace:
<TASK>
ext4_map_blocks+0xb9b/0x16f0 fs/ext4/inode.c:681
_ext4_get_block+0x242/0x590 fs/ext4/inode.c:822
ext4_block_write_begin+0x48b/0x12c0 fs/ext4/inode.c:1124
ext4_write_begin+0x598/0xef0 fs/ext4/inode.c:1255
ext4_da_write_begin+0x21e/0x9c0 fs/ext4/inode.c:3000
generic_perform_write+0x259/0x5d0 mm/filemap.c:3846
ext4_buffered_write_iter+0x15b/0x470 fs/ext4/file.c:285
ext4_file_write_iter+0x8e0/0x17f0 fs/ext4/file.c:679
call_write_iter include/linux/fs.h:2271 [inline]
do_iter_readv_writev+0x212/0x3c0 fs/read_write.c:735
do_iter_write+0x186/0x710 fs/read_write.c:861
vfs_iter_write+0x70/0xa0 fs/read_write.c:902
iter_file_splice_write+0x73b/0xc90 fs/splice.c:685
do_splice_from fs/splice.c:763 [inline]
direct_splice_actor+0x10f/0x170 fs/splice.c:950
splice_direct_to_actor+0x33a/0xa10 fs/splice.c:896
do_splice_direct+0x1a9/0x280 fs/splice.c:1002
do_sendfile+0xb13/0x12c0 fs/read_write.c:1255
__do_sys_sendfile64 fs/read_write.c:1323 [inline]
__se_sys_sendfile64 fs/read_write.c:1309 [inline]
__x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Fixes: c755e251357a ("ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()")
Cc: stable@vger.kernel.org # v4.11+
Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
Message-ID: <20251104093326.697381-1-sdl@nppct.ru>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inline.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -446,9 +446,13 @@ static int ext4_destroy_inline_data_nolo
if (!ei->i_inline_off)
return 0;
+ down_write(&ei->i_data_sem);
+
error = ext4_get_inode_loc(inode, &is.iloc);
- if (error)
+ if (error) {
+ up_write(&ei->i_data_sem);
return error;
+ }
error = ext4_xattr_ibody_find(inode, &i, &is);
if (error)
@@ -487,6 +491,7 @@ out:
brelse(is.iloc.bh);
if (error == -ENODATA)
error = 0;
+ up_write(&ei->i_data_sem);
return error;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 014/554] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 013/554] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 015/554] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
` (545 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+fce5d9d5bd067d6fbe9b, stable,
Nikita Zhandarovich, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit a51f025b5038abd3d22eed2ede4cd46793d89565 upstream.
Syzbot identified an issue [1] in pcl818_ai_cancel(), which stems from
the fact that in case of early device detach via pcl818_detach(),
subdevice dev->read_subdev may not have initialized its pointer to
&struct comedi_async as intended. Thus, any such dereferencing of
&s->async->cmd will lead to general protection fault and kernel crash.
Mitigate this problem by removing a call to pcl818_ai_cancel() from
pcl818_detach() altogether. This way, if the subdevice setups its
support for async commands, everything async-related will be
handled via subdevice's own ->cancel() function in
comedi_device_detach_locked() even before pcl818_detach(). If no
support for asynchronous commands is provided, there is no need
to cancel anything either.
[1] Syzbot crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
CPU: 1 UID: 0 PID: 6050 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:pcl818_ai_cancel+0x69/0x3f0 drivers/comedi/drivers/pcl818.c:762
...
Call Trace:
<TASK>
pcl818_detach+0x66/0xd0 drivers/comedi/drivers/pcl818.c:1115
comedi_device_detach_locked+0x178/0x750 drivers/comedi/drivers.c:207
do_devconfig_ioctl drivers/comedi/comedi_fops.c:848 [inline]
comedi_unlocked_ioctl+0xcde/0x1020 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
...
Reported-by: syzbot+fce5d9d5bd067d6fbe9b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fce5d9d5bd067d6fbe9b
Fixes: 00aba6e7b565 ("staging: comedi: pcl818: remove 'neverending_ai' from private data")
Cc: stable <stable@kernel.org>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023141457.398685-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/pcl818.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/comedi/drivers/pcl818.c
+++ b/drivers/comedi/drivers/pcl818.c
@@ -1113,10 +1113,9 @@ static void pcl818_detach(struct comedi_
{
struct pcl818_private *devpriv = dev->private;
- if (devpriv) {
- pcl818_ai_cancel(dev, dev->read_subdev);
+ if (devpriv)
pcl818_reset(dev);
- }
+
pcl818_free_dma(dev);
comedi_legacy_detach(dev);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 015/554] USB: serial: option: add Foxconn T99W760
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 014/554] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 016/554] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
` (544 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Slark Xiao, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Slark Xiao <slark_xiao@163.com>
commit 7970b4969c4c99bcdaf105f9f39c6d2021f6d244 upstream.
T99W760 is designed based on Qualcomm SDX35 (5G redcap) chip. There are
three serial ports to be enumerated: Modem, NMEA and Diag.
test evidence as below:
T: Bus=03 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e123 Rev=05.15
S: Manufacturer=QCOM
S: Product=SDXBAAGHA-IDP _SN:39A8D3E4
S: SerialNumber=39a8d3e4
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=896mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=85(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
0&1: MBIM, 2:Modem, 3:GNSS(non-serial port), 4: NMEA, 5:Diag
Signed-off-by: Slark Xiao <slark_xiao@163.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2376,6 +2376,8 @@ static const struct usb_device_id option
.driver_info = RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe0f0, 0xff), /* Foxconn T99W373 MBIM */
.driver_info = RSVD(3) },
+ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe123, 0xff), /* Foxconn T99W760 MBIM */
+ .driver_info = RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe145, 0xff), /* Foxconn T99W651 RNDIS */
.driver_info = RSVD(5) | RSVD(6) },
{ USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe15f, 0xff), /* Foxconn T99W709 */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 016/554] USB: serial: option: add Telit Cinterion FE910C04 new compositions
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 015/554] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 017/554] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
` (543 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit c908039a29aa70870871f4848125b3d743f929bf upstream.
Add the following Telit Cinterion new compositions:
0x10c1: RNDIS + tty (AT/NMEA) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c1 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c2: MBIM + tty (AT/NMEA) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 8 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c2 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c3: ECM + tty (AT/NMEA) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 9 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c3 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E: Ad=82(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c5: RNDIS + tty (AT) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c5 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c6: MBIM + tty (AT) + tty (AT) + tty (diag)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c6 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10c9: MBIM + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 13 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10c9 Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
0x10cb: RNDIS + tty (AT) + tty (diag) + DPL (Data Packet Logging) + adb
T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=01 Dev#= 9 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=10cb Rev=05.15
S: Manufacturer=Telit Cinterion
S: Product=FE910
S: SerialNumber=f71b8b32
C: #Ifs= 6 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Cc: stable@vger.kernel.org
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1433,10 +1433,24 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10b3, 0xff, 0xff, 0x60) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c0, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(3) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c1, 0xff), /* Telit FE910C04 (RNDIS) */
+ .driver_info = NCTRL(4) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c2, 0xff), /* Telit FE910C04 (MBIM) */
+ .driver_info = NCTRL(4) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c3, 0xff), /* Telit FE910C04 (ECM) */
+ .driver_info = NCTRL(4) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c4, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(3) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c5, 0xff), /* Telit FE910C04 (RNDIS) */
+ .driver_info = NCTRL(4) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c6, 0xff), /* Telit FE910C04 (MBIM) */
+ .driver_info = NCTRL(4) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c9, 0xff), /* Telit FE910C04 (MBIM) */
+ .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10cb, 0xff), /* Telit FE910C04 (RNDIS) */
+ .driver_info = NCTRL(3) | RSVD(4) | RSVD(5) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x30), /* Telit FN990B (rmnet) */
.driver_info = NCTRL(5) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) },
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 017/554] USB: serial: option: move Telit 0x10c7 composition in the right place
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 016/554] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 018/554] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
` (542 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit 072f2c49572547f4b0776fe2da6b8f61e4b34699 upstream.
Move Telit 0x10c7 composition right after 0x10c6 composition and
before 0x10c8 composition.
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1445,6 +1445,9 @@ static const struct usb_device_id option
.driver_info = NCTRL(4) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c6, 0xff), /* Telit FE910C04 (MBIM) */
.driver_info = NCTRL(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30), /* Telit FE910C04 (ECM) */
+ .driver_info = NCTRL(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c8, 0xff), /* Telit FE910C04 (rmnet) */
.driver_info = RSVD(0) | NCTRL(2) | RSVD(3) | RSVD(4) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x10c9, 0xff), /* Telit FE910C04 (MBIM) */
@@ -1455,9 +1458,6 @@ static const struct usb_device_id option
.driver_info = NCTRL(5) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d0, 0xff, 0xff, 0x60) },
- { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x30), /* Telit FE910C04 (ECM) */
- .driver_info = NCTRL(4) },
- { USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10c7, 0xff, 0xff, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x30), /* Telit FN990B (MBIM) */
.driver_info = NCTRL(6) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x10d1, 0xff, 0xff, 0x40) },
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 018/554] USB: serial: ftdi_sio: match on interface number for jtag
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 017/554] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 019/554] serial: add support of CPCI cards Greg Kroah-Hartman
` (541 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 4e31a5d0a9ee672f708fc993c1d5520643f769fd upstream.
Some FTDI devices have the first port reserved for JTAG and have been
using a dedicated quirk to prevent binding to it.
As can be inferred directly or indirectly from the commit messages,
almost all of these devices are dual port devices which means that the
more recently added macro for matching on interface number can be used
instead (and some such devices do so already).
This avoids probing interfaces that will never be bound and cleans up
the match table somewhat.
Note that the JTAG quirk is kept for quad port devices, which would
otherwise require three match entries.
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 72 ++++++++++++++----------------------------
1 file changed, 24 insertions(+), 48 deletions(-)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -606,10 +606,8 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, FTDI_IBS_PEDO_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_IBS_PROD_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_TAVIR_STK500_PID) },
- { USB_DEVICE(FTDI_VID, FTDI_TIAO_UMPA_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLXM_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TIAO_UMPA_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_NT_ORIONLXM_PID, 1) },
{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) },
@@ -820,24 +818,17 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, FTDI_ELSTER_UNICOM_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_JTAGCABLEII_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) },
- { USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, CYBER_CORTEX_AV_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(OLIMEX_VID, OLIMEX_ARM_USB_TINY_H_PID, 1) },
- { USB_DEVICE(FIC_VID, FIC_NEO1973_DEBUG_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, FTDI_OOCDLINK_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, FTDI_TURTELIZER_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FIC_VID, FIC_NEO1973_DEBUG_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_OOCDLINK_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TURTELIZER_PID, 1) },
{ USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) },
{ USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_SCU18) },
{ USB_DEVICE(FTDI_VID, FTDI_REU_TINY_PID) },
@@ -879,17 +870,14 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(ATMEL_VID, STK541_PID) },
{ USB_DEVICE(DE_VID, STB_PID) },
{ USB_DEVICE(DE_VID, WHT_PID) },
- { USB_DEVICE(ADI_VID, ADI_GNICE_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(ADI_VID, ADI_GNICEPLUS_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(ADI_VID, ADI_GNICE_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(ADI_VID, ADI_GNICEPLUS_PID, 1) },
{ USB_DEVICE_AND_INTERFACE_INFO(MICROCHIP_VID, MICROCHIP_USB_BOARD_PID,
USB_CLASS_VENDOR_SPEC,
USB_SUBCLASS_VENDOR_SPEC, 0x00) },
{ USB_DEVICE_INTERFACE_NUMBER(ACTEL_VID, MICROSEMI_ARROW_SF2PLUS_BOARD_PID, 2) },
{ USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
- { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(MARVELL_VID, MARVELL_SHEEVAPLUG_PID, 1) },
{ USB_DEVICE(LARSENBRUSGAARD_VID, LB_ALTITRACK_PID) },
{ USB_DEVICE(GN_OTOMETRICS_VID, AURICAL_USB_PID) },
{ USB_DEVICE(FTDI_VID, PI_C865_PID) },
@@ -912,10 +900,8 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(PI_VID, PI_1016_PID) },
{ USB_DEVICE(KONDO_VID, KONDO_USB_SERIAL_PID) },
{ USB_DEVICE(BAYER_VID, BAYER_CONTOUR_CABLE_PID) },
- { USB_DEVICE(FTDI_VID, MARVELL_OPENRD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, TI_XDS100V2_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, MARVELL_OPENRD_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, TI_XDS100V2_PID, 1) },
{ USB_DEVICE(FTDI_VID, HAMEG_HO820_PID) },
{ USB_DEVICE(FTDI_VID, HAMEG_HO720_PID) },
{ USB_DEVICE(FTDI_VID, HAMEG_HO730_PID) },
@@ -924,18 +910,14 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, MJSG_SR_RADIO_PID) },
{ USB_DEVICE(FTDI_VID, MJSG_HD_RADIO_PID) },
{ USB_DEVICE(FTDI_VID, MJSG_XM_RADIO_PID) },
- { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_ST_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SLITE_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SH2_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_ST_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_SLITE_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, XVERVE_SIGNALYZER_SH2_PID, 1) },
{ USB_DEVICE(FTDI_VID, XVERVE_SIGNALYZER_SH4_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
{ USB_DEVICE(FTDI_VID, SEGWAY_RMP200_PID) },
{ USB_DEVICE(FTDI_VID, ACCESIO_COM4SM_PID) },
- { USB_DEVICE(IONICS_VID, IONICS_PLUGCOMPUTER_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(IONICS_VID, IONICS_PLUGCOMPUTER_PID, 1) },
{ USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_24_MASTER_WING_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_PC_WING_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_CHAMSYS_USB_DMX_PID) },
@@ -950,15 +932,12 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(FTDI_VID, FTDI_CINTERION_MC55I_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_FHE_PID) },
{ USB_DEVICE(FTDI_VID, FTDI_DOTEC_PID) },
- { USB_DEVICE(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(ST_VID, ST_STMCLT_2232_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(QIHARDWARE_VID, MILKYMISTONE_JTAGSERIAL_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(ST_VID, ST_STMCLT_2232_PID, 1) },
{ USB_DEVICE(ST_VID, ST_STMCLT_4232_PID),
.driver_info = (kernel_ulong_t)&ftdi_stmclite_quirk },
{ USB_DEVICE(FTDI_VID, FTDI_RF_R106) },
- { USB_DEVICE(FTDI_VID, FTDI_DISTORTEC_JTAG_LOCK_PICK_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_DISTORTEC_JTAG_LOCK_PICK_PID, 1) },
{ USB_DEVICE(FTDI_VID, FTDI_LUMEL_PD12_PID) },
/* Crucible Devices */
{ USB_DEVICE(FTDI_VID, FTDI_CT_COMET_PID) },
@@ -1033,8 +1012,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
{ USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
{ USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
- { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(TI_VID, TI_CC3200_LAUNCHPAD_PID, 1) },
{ USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
{ USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
{ USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
@@ -1054,10 +1032,8 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) },
{ USB_DEVICE_INTERFACE_NUMBER(UBLOX_VID, UBLOX_EVK_M101_PID, 2) },
/* FreeCalypso USB adapters */
- { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
- { USB_DEVICE(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID),
- .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_FALCONIA_JTAG_BUF_PID, 1) },
+ { USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_FALCONIA_JTAG_UNBUF_PID, 1) },
/* GMC devices */
{ USB_DEVICE(GMC_VID, GMC_Z216C_PID) },
/* Altera USB Blaster 3 */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 019/554] serial: add support of CPCI cards
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 018/554] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 020/554] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
` (540 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Magne Bruno, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Magne Bruno <magne.bruno@addi-data.com>
commit 0e5a99e0e5f50353b86939ff6e424800d769c818 upstream.
Addi-Data GmbH is manufacturing multi-serial ports cards supporting CompactPCI (known as CPCI).
Those cards are identified with different DeviceIds. Those cards integrating standard UARTs
work the same way as PCI/PCIe models already supported in the serial driver.
Signed-off-by: Magne Bruno <magne.bruno@addi-data.com>
Link: https://patch.msgid.link/20251110162456.341029-1-magne.bruno@addi-data.com
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_pci.c | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -2134,6 +2134,11 @@ pci_moxa_setup(struct serial_private *pr
#define PCI_DEVICE_ID_MOXA_CP138E_A 0x1381
#define PCI_DEVICE_ID_MOXA_CP168EL_A 0x1683
+#define PCI_DEVICE_ID_ADDIDATA_CPCI7500 0x7003
+#define PCI_DEVICE_ID_ADDIDATA_CPCI7500_NG 0x7024
+#define PCI_DEVICE_ID_ADDIDATA_CPCI7420_NG 0x7025
+#define PCI_DEVICE_ID_ADDIDATA_CPCI7300_NG 0x7026
+
/* Unknown vendors/cards - this should not be in linux/pci_ids.h */
#define PCI_SUBDEVICE_ID_UNKNOWN_0x1584 0x1584
#define PCI_SUBDEVICE_ID_UNKNOWN_0x1588 0x1588
@@ -6297,6 +6302,38 @@ static const struct pci_device_id serial
0,
pbn_ADDIDATA_PCIe_8_3906250 },
+ { PCI_VENDOR_ID_ADDIDATA,
+ PCI_DEVICE_ID_ADDIDATA_CPCI7500,
+ PCI_ANY_ID,
+ PCI_ANY_ID,
+ 0,
+ 0,
+ pbn_b0_4_115200 },
+
+ { PCI_VENDOR_ID_ADDIDATA,
+ PCI_DEVICE_ID_ADDIDATA_CPCI7500_NG,
+ PCI_ANY_ID,
+ PCI_ANY_ID,
+ 0,
+ 0,
+ pbn_b0_4_115200 },
+
+ { PCI_VENDOR_ID_ADDIDATA,
+ PCI_DEVICE_ID_ADDIDATA_CPCI7420_NG,
+ PCI_ANY_ID,
+ PCI_ANY_ID,
+ 0,
+ 0,
+ pbn_b0_2_115200 },
+
+ { PCI_VENDOR_ID_ADDIDATA,
+ PCI_DEVICE_ID_ADDIDATA_CPCI7300_NG,
+ PCI_ANY_ID,
+ PCI_ANY_ID,
+ 0,
+ 0,
+ pbn_b0_1_115200 },
+
{ PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835,
PCI_VENDOR_ID_IBM, 0x0299,
0, 0, pbn_b0_bt_2_115200 },
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 020/554] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 019/554] serial: add support of CPCI cards Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 021/554] USB: serial: kobil_sct: " Greg Kroah-Hartman
` (539 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b6e0b3016187446ddef9edac03cd9d544ac63f11 upstream.
Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC
should not deassert any lines that are not in the mask.
Fix this long-standing regression dating back to 2003 when the
tiocmset() callback was introduced.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/belkin_sa.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
--- a/drivers/usb/serial/belkin_sa.c
+++ b/drivers/usb/serial/belkin_sa.c
@@ -428,7 +428,7 @@ static int belkin_sa_tiocmset(struct tty
struct belkin_sa_private *priv = usb_get_serial_port_data(port);
unsigned long control_state;
unsigned long flags;
- int retval;
+ int retval = 0;
int rts = 0;
int dtr = 0;
@@ -445,26 +445,32 @@ static int belkin_sa_tiocmset(struct tty
}
if (clear & TIOCM_RTS) {
control_state &= ~TIOCM_RTS;
- rts = 0;
+ rts = 1;
}
if (clear & TIOCM_DTR) {
control_state &= ~TIOCM_DTR;
- dtr = 0;
+ dtr = 1;
}
priv->control_state = control_state;
spin_unlock_irqrestore(&priv->lock, flags);
- retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST, rts);
- if (retval < 0) {
- dev_err(&port->dev, "Set RTS error %d\n", retval);
- goto exit;
+ if (rts) {
+ retval = BSA_USB_CMD(BELKIN_SA_SET_RTS_REQUEST,
+ !!(control_state & TIOCM_RTS));
+ if (retval < 0) {
+ dev_err(&port->dev, "Set RTS error %d\n", retval);
+ goto exit;
+ }
}
- retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST, dtr);
- if (retval < 0) {
- dev_err(&port->dev, "Set DTR error %d\n", retval);
- goto exit;
+ if (dtr) {
+ retval = BSA_USB_CMD(BELKIN_SA_SET_DTR_REQUEST,
+ !!(control_state & TIOCM_DTR));
+ if (retval < 0) {
+ dev_err(&port->dev, "Set DTR error %d\n", retval);
+ goto exit;
+ }
}
exit:
return retval;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 021/554] USB: serial: kobil_sct: fix TIOCMBIS and TIOCMBIC
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 020/554] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 022/554] spi: xilinx: increase number of retries before declaring stall Greg Kroah-Hartman
` (538 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit d432df758f92c4c28aac409bc807fd1716167577 upstream.
Asserting or deasserting a modem control line using TIOCMBIS or TIOCMBIC
should not deassert any lines that are not in the mask.
Fix this long-standing issue dating back to 2003 when the support for
these ioctls was added with the introduction of the tiocmset() callback.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/kobil_sct.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/drivers/usb/serial/kobil_sct.c
+++ b/drivers/usb/serial/kobil_sct.c
@@ -419,7 +419,7 @@ static int kobil_tiocmset(struct tty_str
struct usb_serial_port *port = tty->driver_data;
struct device *dev = &port->dev;
struct kobil_private *priv;
- int result;
+ int result = 0;
int dtr = 0;
int rts = 0;
@@ -436,12 +436,12 @@ static int kobil_tiocmset(struct tty_str
if (set & TIOCM_DTR)
dtr = 1;
if (clear & TIOCM_RTS)
- rts = 0;
+ rts = 1;
if (clear & TIOCM_DTR)
- dtr = 0;
+ dtr = 1;
- if (priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) {
- if (dtr != 0)
+ if (dtr && priv->device_type == KOBIL_ADAPTER_B_PRODUCT_ID) {
+ if (set & TIOCM_DTR)
dev_dbg(dev, "%s - Setting DTR\n", __func__);
else
dev_dbg(dev, "%s - Clearing DTR\n", __func__);
@@ -449,13 +449,13 @@ static int kobil_tiocmset(struct tty_str
usb_sndctrlpipe(port->serial->dev, 0),
SUSBCRequest_SetStatusLinesOrQueues,
USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT,
- ((dtr != 0) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR),
+ ((set & TIOCM_DTR) ? SUSBCR_SSL_SETDTR : SUSBCR_SSL_CLRDTR),
0,
NULL,
0,
KOBIL_TIMEOUT);
- } else {
- if (rts != 0)
+ } else if (rts) {
+ if (set & TIOCM_RTS)
dev_dbg(dev, "%s - Setting RTS\n", __func__);
else
dev_dbg(dev, "%s - Clearing RTS\n", __func__);
@@ -463,7 +463,7 @@ static int kobil_tiocmset(struct tty_str
usb_sndctrlpipe(port->serial->dev, 0),
SUSBCRequest_SetStatusLinesOrQueues,
USB_TYPE_VENDOR | USB_RECIP_ENDPOINT | USB_DIR_OUT,
- ((rts != 0) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS),
+ ((set & TIOCM_RTS) ? SUSBCR_SSL_SETRTS : SUSBCR_SSL_CLRRTS),
0,
NULL,
0,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 022/554] spi: xilinx: increase number of retries before declaring stall
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 021/554] USB: serial: kobil_sct: " Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 023/554] spi: imx: keep dma request disabled before dma transfer setup Greg Kroah-Hartman
` (537 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alvaro Gamez Machado,
Ricardo Ribalda, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alvaro Gamez Machado <alvaro.gamez@hazent.com>
[ Upstream commit 939edfaa10f1d22e6af6a84bf4bd96dc49c67302 ]
SPI devices using a (relative) slow frequency need a larger time.
For instance, microblaze running at 83.25MHz and performing a
3 bytes transaction using a 10MHz/16 = 625kHz needed this stall
value increased to at least 20. The SPI device is quite slow, but
also is the microblaze, so set this value to 32 to give it even
more margin.
Signed-off-by: Alvaro Gamez Machado <alvaro.gamez@hazent.com>
Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
Link: https://patch.msgid.link/20251106134545.31942-1-alvaro.gamez@hazent.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-xilinx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-xilinx.c b/drivers/spi/spi-xilinx.c
index 523edfdf5dcd1..d497fc4bc19eb 100644
--- a/drivers/spi/spi-xilinx.c
+++ b/drivers/spi/spi-xilinx.c
@@ -298,7 +298,7 @@ static int xilinx_spi_txrx_bufs(struct spi_device *spi, struct spi_transfer *t)
/* Read out all the data from the Rx FIFO */
rx_words = n_words;
- stalled = 10;
+ stalled = 32;
while (rx_words) {
if (rx_words == n_words && !(stalled--) &&
!(sr & XSPI_SR_TX_EMPTY_MASK) &&
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 023/554] spi: imx: keep dma request disabled before dma transfer setup
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 022/554] spi: xilinx: increase number of retries before declaring stall Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 024/554] bfs: Reconstruct file type when loading from disk Greg Kroah-Hartman
` (536 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos Song, Robin Gong, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robin Gong <yibin.gong@nxp.com>
[ Upstream commit 86d57d9c07d54e8cb385ffe800930816ccdba0c1 ]
Since sdma hardware configure postpone to transfer phase, have to disable
dma request before dma transfer setup because there is a hardware
limitation on sdma event enable(ENBLn) as below:
"It is thus essential for the Arm platform to program them before any DMA
request is triggered to the SDMA, otherwise an unpredictable combination
of channels may be started."
Signed-off-by: Carlos Song <carlos.song@nxp.com>
Signed-off-by: Robin Gong <yibin.gong@nxp.com>
Link: https://patch.msgid.link/20251024055320.408482-1-carlos.song@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-imx.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index f22b867b8c8a9..bcc31951a9925 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -498,9 +498,15 @@ static void mx51_ecspi_trigger(struct spi_imx_data *spi_imx)
{
u32 reg;
- reg = readl(spi_imx->base + MX51_ECSPI_CTRL);
- reg |= MX51_ECSPI_CTRL_XCH;
- writel(reg, spi_imx->base + MX51_ECSPI_CTRL);
+ if (spi_imx->usedma) {
+ reg = readl(spi_imx->base + MX51_ECSPI_DMA);
+ reg |= MX51_ECSPI_DMA_TEDEN | MX51_ECSPI_DMA_RXDEN;
+ writel(reg, spi_imx->base + MX51_ECSPI_DMA);
+ } else {
+ reg = readl(spi_imx->base + MX51_ECSPI_CTRL);
+ reg |= MX51_ECSPI_CTRL_XCH;
+ writel(reg, spi_imx->base + MX51_ECSPI_CTRL);
+ }
}
static void mx51_disable_dma(struct spi_imx_data *spi_imx)
@@ -665,7 +671,6 @@ static void mx51_setup_wml(struct spi_imx_data *spi_imx)
writel(MX51_ECSPI_DMA_RX_WML(spi_imx->wml - 1) |
MX51_ECSPI_DMA_TX_WML(tx_wml) |
MX51_ECSPI_DMA_RXT_WML(spi_imx->wml) |
- MX51_ECSPI_DMA_TEDEN | MX51_ECSPI_DMA_RXDEN |
MX51_ECSPI_DMA_RXTDEN, spi_imx->base + MX51_ECSPI_DMA);
}
@@ -1422,6 +1427,8 @@ static int spi_imx_dma_transfer(struct spi_imx_data *spi_imx,
reinit_completion(&spi_imx->dma_tx_completion);
dma_async_issue_pending(master->dma_tx);
+ spi_imx->devtype_data->trigger(spi_imx);
+
transfer_timeout = spi_imx_calculate_timeout(spi_imx, transfer->len);
/* Wait SDMA to finish the data transfer.*/
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 024/554] bfs: Reconstruct file type when loading from disk
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 023/554] spi: imx: keep dma request disabled before dma transfer setup Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 025/554] pinctrl: qcom: msm: Fix deadlock in pinmux configuration Greg Kroah-Hartman
` (535 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+895c23f6917da440ed0d,
Tetsuo Handa, Tigran Aivazian, Christian Brauner, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 34ab4c75588c07cca12884f2bf6b0347c7a13872 ]
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 32bits "mode" field loaded from disk are corrupted
or when the 32bits "attributes" field loaded from disk are corrupted.
A documentation says that BFS uses only lower 9 bits of the "mode" field.
But I can't find an explicit explanation that the unused upper 23 bits
(especially, the S_IFMT bits) are initialized with 0.
Therefore, ignore the S_IFMT bits of the "mode" field loaded from disk.
Also, verify that the value of the "attributes" field loaded from disk is
either BFS_VREG or BFS_VDIR (because BFS supports only regular files and
the root directory).
Reported-by: syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://patch.msgid.link/fabce673-d5b9-4038-8287-0fd65d80203b@I-love.SAKURA.ne.jp
Reviewed-by: Tigran Aivazian <aivazian.tigran@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/bfs/inode.c | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/fs/bfs/inode.c b/fs/bfs/inode.c
index fd691e4815c56..fa4e002925852 100644
--- a/fs/bfs/inode.c
+++ b/fs/bfs/inode.c
@@ -60,7 +60,19 @@ struct inode *bfs_iget(struct super_block *sb, unsigned long ino)
off = (ino - BFS_ROOT_INO) % BFS_INODES_PER_BLOCK;
di = (struct bfs_inode *)bh->b_data + off;
- inode->i_mode = 0x0000FFFF & le32_to_cpu(di->i_mode);
+ /*
+ * https://martin.hinner.info/fs/bfs/bfs-structure.html explains that
+ * BFS in SCO UnixWare environment used only lower 9 bits of di->i_mode
+ * value. This means that, although bfs_write_inode() saves whole
+ * inode->i_mode bits (which include S_IFMT bits and S_IS{UID,GID,VTX}
+ * bits), middle 7 bits of di->i_mode value can be garbage when these
+ * bits were not saved by bfs_write_inode().
+ * Since we can't tell whether middle 7 bits are garbage, use only
+ * lower 12 bits (i.e. tolerate S_IS{UID,GID,VTX} bits possibly being
+ * garbage) and reconstruct S_IFMT bits for Linux environment from
+ * di->i_vtype value.
+ */
+ inode->i_mode = 0x00000FFF & le32_to_cpu(di->i_mode);
if (le32_to_cpu(di->i_vtype) == BFS_VDIR) {
inode->i_mode |= S_IFDIR;
inode->i_op = &bfs_dir_inops;
@@ -70,6 +82,11 @@ struct inode *bfs_iget(struct super_block *sb, unsigned long ino)
inode->i_op = &bfs_file_inops;
inode->i_fop = &bfs_file_operations;
inode->i_mapping->a_ops = &bfs_aops;
+ } else {
+ brelse(bh);
+ printf("Unknown vtype=%u %s:%08lx\n",
+ le32_to_cpu(di->i_vtype), inode->i_sb->s_id, ino);
+ goto error;
}
BFS_I(inode)->i_sblock = le32_to_cpu(di->i_sblock);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 025/554] pinctrl: qcom: msm: Fix deadlock in pinmux configuration
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 024/554] bfs: Reconstruct file type when loading from disk Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 026/554] platform/x86: acer-wmi: Ignore backlight event Greg Kroah-Hartman
` (534 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prasad Sodagudi, Praveen Talari,
Bjorn Andersson, Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Praveen Talari <praveen.talari@oss.qualcomm.com>
[ Upstream commit 1c2e70397b4125022dba80f6111271a37fb36bae ]
Replace disable_irq() with disable_irq_nosync() in msm_pinmux_set_mux()
to prevent deadlock when wakeup IRQ is triggered on the same
GPIO being reconfigured.
The issue occurs when a wakeup IRQ is triggered on a GPIO and the IRQ
handler attempts to reconfigure the same GPIO's pinmux. In this scenario,
msm_pinmux_set_mux() calls disable_irq() which waits for the currently
running IRQ handler to complete, creating a circular dependency that
results in deadlock.
Using disable_irq_nosync() avoids waiting for the IRQ handler to
complete, preventing the deadlock condition while still properly
disabling the interrupt during pinmux reconfiguration.
Suggested-by: Prasad Sodagudi <prasad.sodagudi@oss.qualcomm.com>
Signed-off-by: Praveen Talari <praveen.talari@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/qcom/pinctrl-msm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/qcom/pinctrl-msm.c b/drivers/pinctrl/qcom/pinctrl-msm.c
index 676b16397b07c..1bb7be9ed92f2 100644
--- a/drivers/pinctrl/qcom/pinctrl-msm.c
+++ b/drivers/pinctrl/qcom/pinctrl-msm.c
@@ -213,7 +213,7 @@ static int msm_pinmux_set_mux(struct pinctrl_dev *pctldev,
*/
if (d && i != gpio_func &&
!test_and_set_bit(d->hwirq, pctrl->disabled_for_mux))
- disable_irq(irq);
+ disable_irq_nosync(irq);
raw_spin_lock_irqsave(&pctrl->lock, flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 026/554] platform/x86: acer-wmi: Ignore backlight event
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 025/554] pinctrl: qcom: msm: Fix deadlock in pinmux configuration Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 027/554] platform/x86: huawei-wmi: add keys for HONOR models Greg Kroah-Hartman
` (533 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bugaddr, Armin Wolf,
Ilpo Järvinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 444a9256f8d106e08a6bc2dc8ef28a8699e4b3ba ]
On the Acer Nitro AN515-58, the event 4 - 0 is send by the ACPI
firmware when the backlight up/down keys are pressed. Ignore this
event to avoid spamming the kernel log with error messages, as the
acpi-video driver already handles brightness up/down events.
Reported-by: Bugaddr <Bugaddr@protonmail.com>
Closes: https://bugaddr.tech/posts/2025-11-16-debugging-the-acer-nitro-5-an515-58-fn-f10-keyboard-backlight-bug-on-linux/#wmi-interface-issues
Tested-by: Bugaddr <Bugaddr@protonmail.com>
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20251117155938.3030-1-W_Armin@gmx.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/acer-wmi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
index 7ef80f517e76e..ea5dbe8081570 100644
--- a/drivers/platform/x86/acer-wmi.c
+++ b/drivers/platform/x86/acer-wmi.c
@@ -86,6 +86,7 @@ MODULE_ALIAS("wmi:676AA15E-6A47-4D9F-A2CC-1E6D18D14026");
enum acer_wmi_event_ids {
WMID_HOTKEY_EVENT = 0x1,
+ WMID_BACKLIGHT_EVENT = 0x4,
WMID_ACCEL_OR_KBD_DOCK_EVENT = 0x5,
WMID_GAMING_TURBO_KEY_EVENT = 0x7,
WMID_AC_EVENT = 0x8,
@@ -2060,6 +2061,9 @@ static void acer_wmi_notify(u32 value, void *context)
sparse_keymap_report_event(acer_wmi_input_dev, scancode, 1, true);
}
break;
+ case WMID_BACKLIGHT_EVENT:
+ /* Already handled by acpi-video */
+ break;
case WMID_ACCEL_OR_KBD_DOCK_EVENT:
acer_gsensor_event();
acer_kbd_dock_event(&return_value);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 027/554] platform/x86: huawei-wmi: add keys for HONOR models
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 026/554] platform/x86: acer-wmi: Ignore backlight event Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 028/554] HID: elecom: Add support for ELECOM M-XT3URBK (018F) Greg Kroah-Hartman
` (532 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ston Jia, Ilpo Järvinen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jia Ston <ston.jia@outlook.com>
[ Upstream commit 5c72329716d0858621021193330594d5d26bf44d ]
HONOR MagicBook X16/X14 models produced in 2025 cannot use the Print
Screen and YOYO keys properly, with the system reporting them as
unknown key presses (codes: 0x028b and 0x028e).
To resolve this, a key_entry is added for both the HONOR Print Screen
key and the HONOR YOYO key, ensuring they function correctly on these
models.
Signed-off-by: Ston Jia <ston.jia@outlook.com>
Link: https://patch.msgid.link/20251029051804.220111-1-ston.jia@outlook.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/huawei-wmi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/platform/x86/huawei-wmi.c b/drivers/platform/x86/huawei-wmi.c
index 23ebd0c046e16..da9f80bde794f 100644
--- a/drivers/platform/x86/huawei-wmi.c
+++ b/drivers/platform/x86/huawei-wmi.c
@@ -82,6 +82,10 @@ static const struct key_entry huawei_wmi_keymap[] = {
{ KE_KEY, 0x289, { KEY_WLAN } },
// Huawei |M| key
{ KE_KEY, 0x28a, { KEY_CONFIG } },
+ // HONOR YOYO key
+ { KE_KEY, 0x28b, { KEY_NOTIFICATION_CENTER } },
+ // HONOR print screen
+ { KE_KEY, 0x28e, { KEY_PRINT } },
// Keyboard backlit
{ KE_IGNORE, 0x293, { KEY_KBDILLUMTOGGLE } },
{ KE_IGNORE, 0x294, { KEY_KBDILLUMUP } },
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 028/554] HID: elecom: Add support for ELECOM M-XT3URBK (018F)
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 027/554] platform/x86: huawei-wmi: add keys for HONOR models Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 029/554] samples: work around glibc redefining some of our defines wrong Greg Kroah-Hartman
` (531 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Naoki Ueki, Jiri Kosina, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Naoki Ueki <naoki25519@gmail.com>
[ Upstream commit cdcbb8e8d10f656642380ee13516290437b52b36 ]
The ELECOM M-XT3URBK trackball has an additional device ID (0x018F), which
shares the same report descriptor as the existing device (0x00FB). However,
the driver does not currently recognize this new ID, resulting in only five
buttons being functional.
This patch adds the new device ID so that all six buttons work properly.
Signed-off-by: Naoki Ueki <naoki25519@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-elecom.c | 6 ++++--
drivers/hid/hid-ids.h | 3 ++-
drivers/hid/hid-quirks.c | 3 ++-
3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/hid-elecom.c b/drivers/hid/hid-elecom.c
index 4fa45ee77503b..f76fec79e8903 100644
--- a/drivers/hid/hid-elecom.c
+++ b/drivers/hid/hid-elecom.c
@@ -75,7 +75,8 @@ static __u8 *elecom_report_fixup(struct hid_device *hdev, __u8 *rdesc,
*/
mouse_button_fixup(hdev, rdesc, *rsize, 20, 28, 22, 14, 8);
break;
- case USB_DEVICE_ID_ELECOM_M_XT3URBK:
+ case USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB:
+ case USB_DEVICE_ID_ELECOM_M_XT3URBK_018F:
case USB_DEVICE_ID_ELECOM_M_XT3DRBK:
case USB_DEVICE_ID_ELECOM_M_XT4DRBK:
/*
@@ -117,7 +118,8 @@ static __u8 *elecom_report_fixup(struct hid_device *hdev, __u8 *rdesc,
static const struct hid_device_id elecom_devices[] = {
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XGL20DLBK) },
- { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_018F) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT4DRBK) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_DT1URBK) },
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index d897d48404d21..b68293a505518 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -415,7 +415,8 @@
#define USB_VENDOR_ID_ELECOM 0x056e
#define USB_DEVICE_ID_ELECOM_BM084 0x0061
#define USB_DEVICE_ID_ELECOM_M_XGL20DLBK 0x00e6
-#define USB_DEVICE_ID_ELECOM_M_XT3URBK 0x00fb
+#define USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB 0x00fb
+#define USB_DEVICE_ID_ELECOM_M_XT3URBK_018F 0x018f
#define USB_DEVICE_ID_ELECOM_M_XT3DRBK 0x00fc
#define USB_DEVICE_ID_ELECOM_M_XT4DRBK 0x00fd
#define USB_DEVICE_ID_ELECOM_M_DT1URBK 0x00fe
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index c07c7dc06d914..4b645db5cd4bc 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -382,7 +382,8 @@ static const struct hid_device_id hid_have_special_driver[] = {
#if IS_ENABLED(CONFIG_HID_ELECOM)
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) },
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XGL20DLBK) },
- { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_00FB) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3URBK_018F) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT3DRBK) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_XT4DRBK) },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_M_DT1URBK) },
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 029/554] samples: work around glibc redefining some of our defines wrong
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 028/554] HID: elecom: Add support for ELECOM M-XT3URBK (018F) Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 030/554] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
` (530 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Torvalds, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds <torvalds@linux-foundation.org>
[ Upstream commit a48f822908982353c3256e35a089e9e7d0d61580 ]
Apparently as of version 2.42, glibc headers define AT_RENAME_NOREPLACE
and some of the other flags for renameat2() and friends in <stdio.h>.
Which would all be fine, except for inexplicable reasons glibc decided
to define them _differently_ from the kernel definitions, which then
makes some of our sample code that includes both kernel headers and user
space headers unhappy, because the compiler will (correctly) complain
about redefining things.
Now, mixing kernel headers and user space headers is always a somewhat
iffy proposition due to namespacing issues, but it's kind of inevitable
in our sample and selftest code. And this is just glibc being stupid.
Those defines come from the kernel, glibc is exposing the kernel
interfaces, and glibc shouldn't make up some random new expressions for
these values.
It's not like glibc headers changed the actual result values, but they
arbitrarily just decided to use a different expression to describe those
values. The kernel just does
#define AT_RENAME_NOREPLACE 0x0001
while glibc does
# define RENAME_NOREPLACE (1 << 0)
# define AT_RENAME_NOREPLACE RENAME_NOREPLACE
instead. Same value in the end, but very different macro definition.
For absolutely no reason.
This has since been fixed in the glibc development tree, so eventually
we'll end up with the canonical expressions and no clashes. But in the
meantime the broken headers are in the glibc-2.42 release and have made
it out into distributions.
Do a minimal work-around to make the samples build cleanly by just
undefining the affected macros in between the user space header include
and the kernel header includes.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
samples/vfs/test-statx.c | 6 ++++++
samples/watch_queue/watch_test.c | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/samples/vfs/test-statx.c b/samples/vfs/test-statx.c
index 49c7a46cee073..424a6fa15723c 100644
--- a/samples/vfs/test-statx.c
+++ b/samples/vfs/test-statx.c
@@ -19,6 +19,12 @@
#include <time.h>
#include <sys/syscall.h>
#include <sys/types.h>
+
+// Work around glibc header silliness
+#undef AT_RENAME_NOREPLACE
+#undef AT_RENAME_EXCHANGE
+#undef AT_RENAME_WHITEOUT
+
#include <linux/stat.h>
#include <linux/fcntl.h>
#define statx foo
diff --git a/samples/watch_queue/watch_test.c b/samples/watch_queue/watch_test.c
index 8c6cb57d5cfc5..24cf7d7a19725 100644
--- a/samples/watch_queue/watch_test.c
+++ b/samples/watch_queue/watch_test.c
@@ -16,6 +16,12 @@
#include <errno.h>
#include <sys/ioctl.h>
#include <limits.h>
+
+// Work around glibc header silliness
+#undef AT_RENAME_NOREPLACE
+#undef AT_RENAME_EXCHANGE
+#undef AT_RENAME_WHITEOUT
+
#include <linux/watch_queue.h>
#include <linux/unistd.h>
#include <linux/keyctl.h>
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 030/554] comedi: c6xdigio: Fix invalid PNP driver unregistration
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 029/554] samples: work around glibc redefining some of our defines wrong Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 031/554] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
` (529 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6616bba359cec7a1def1, stable,
Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Abbott <abbotti@mev.co.uk>
commit 72262330f7b3ad2130e800cecf02adcce3c32c77 upstream.
The Comedi low-level driver "c6xdigio" seems to be for a parallel port
connected device. When the Comedi core calls the driver's Comedi
"attach" handler `c6xdigio_attach()` to configure a Comedi to use this
driver, it tries to enable the parallel port PNP resources by
registering a PNP driver with `pnp_register_driver()`, but ignores the
return value. (The `struct pnp_driver` it uses has only the `name` and
`id_table` members filled in.) The driver's Comedi "detach" handler
`c6xdigio_detach()` unconditionally unregisters the PNP driver with
`pnp_unregister_driver()`.
It is possible for `c6xdigio_attach()` to return an error before it
calls `pnp_register_driver()` and it is possible for the call to
`pnp_register_driver()` to return an error (that is ignored). In both
cases, the driver should not be calling `pnp_unregister_driver()` as it
does in `c6xdigio_detach()`. (Note that `c6xdigio_detach()` will be
called by the Comedi core if `c6xdigio_attach()` returns an error, or if
the Comedi core decides to detach the Comedi device from the driver for
some other reason.)
The unconditional call to `pnp_unregister_driver()` without a previous
successful call to `pnp_register_driver()` will cause
`driver_unregister()` to issue a warning "Unexpected driver
unregister!". This was detected by Syzbot [1].
Also, the PNP driver registration and unregistration should be done at
module init and exit time, respectively, not when attaching or detaching
Comedi devices to the driver. (There might be more than one Comedi
device being attached to the driver, although that is unlikely.)
Change the driver to do the PNP driver registration at module init time,
and the unregistration at module exit time. Since `c6xdigio_detach()`
now only calls `comedi_legacy_detach()`, remove the function and change
the Comedi driver "detach" handler to `comedi_legacy_detach`.
-------------------------------------------
[1] Syzbot sample crash report:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister drivers/base/driver.c:273 [inline]
WARNING: CPU: 0 PID: 5970 at drivers/base/driver.c:273 driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Modules linked in:
CPU: 0 UID: 0 PID: 5970 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:driver_unregister drivers/base/driver.c:273 [inline]
RIP: 0010:driver_unregister+0x90/0xb0 drivers/base/driver.c:270
Code: 48 89 ef e8 c2 e6 82 fc 48 89 df e8 3a 93 ff ff 5b 5d e9 c3 6d d9 fb e8 be 6d d9 fb 90 48 c7 c7 e0 f8 1f 8c e8 51 a2 97 fb 90 <0f> 0b 90 90 5b 5d e9 a5 6d d9 fb e8 e0 f4 41 fc eb 94 e8 d9 f4 41
RSP: 0018:ffffc9000373f9a0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff8ff24720 RCX: ffffffff817b6ee8
RDX: ffff88807c932480 RSI: ffffffff817b6ef5 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffffffff8ff24660
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88814cca0000
FS: 000055556dab1500(0000) GS:ffff8881249d9000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f77f285cd0 CR3: 000000007d871000 CR4: 00000000003526f0
Call Trace:
<TASK>
comedi_device_detach_locked+0x12f/0xa50 drivers/comedi/drivers.c:207
comedi_device_detach+0x67/0xb0 drivers/comedi/drivers.c:215
comedi_device_attach+0x43d/0x900 drivers/comedi/drivers.c:1011
do_devconfig_ioctl+0x1b1/0x710 drivers/comedi/comedi_fops.c:872
comedi_unlocked_ioctl+0x165d/0x2f00 drivers/comedi/comedi_fops.c:2178
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc05798eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf8184238 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc057be5fa0 RCX: 00007fc05798eec9
RDX: 0000200000000080 RSI: 0000000040946400 RDI: 0000000000000003
RBP: 00007fc057a11f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc057be5fa0 R14: 00007fc057be5fa0 R15: 0000000000000003
</TASK>
-------------------------------------------
Reported-by: syzbot+6616bba359cec7a1def1@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6616bba359cec7a1def1
Fixes: 2c89e159cd2f ("Staging: comedi: add c6xdigio driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023123141.6537-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/c6xdigio.c | 46 ++++++++++++++++++++++++++++----------
1 file changed, 35 insertions(+), 11 deletions(-)
--- a/drivers/comedi/drivers/c6xdigio.c
+++ b/drivers/comedi/drivers/c6xdigio.c
@@ -250,9 +250,6 @@ static int c6xdigio_attach(struct comedi
if (ret)
return ret;
- /* Make sure that PnP ports get activated */
- pnp_register_driver(&c6xdigio_pnp_driver);
-
s = &dev->subdevices[0];
/* pwm output subdevice */
s->type = COMEDI_SUBD_PWM;
@@ -279,19 +276,46 @@ static int c6xdigio_attach(struct comedi
return 0;
}
-static void c6xdigio_detach(struct comedi_device *dev)
-{
- comedi_legacy_detach(dev);
- pnp_unregister_driver(&c6xdigio_pnp_driver);
-}
-
static struct comedi_driver c6xdigio_driver = {
.driver_name = "c6xdigio",
.module = THIS_MODULE,
.attach = c6xdigio_attach,
- .detach = c6xdigio_detach,
+ .detach = comedi_legacy_detach,
};
-module_comedi_driver(c6xdigio_driver);
+
+static bool c6xdigio_pnp_registered = false;
+
+static int __init c6xdigio_module_init(void)
+{
+ int ret;
+
+ ret = comedi_driver_register(&c6xdigio_driver);
+ if (ret)
+ return ret;
+
+ if (IS_ENABLED(CONFIG_PNP)) {
+ /* Try to activate the PnP ports */
+ ret = pnp_register_driver(&c6xdigio_pnp_driver);
+ if (ret) {
+ pr_warn("failed to register pnp driver - err %d\n",
+ ret);
+ ret = 0; /* ignore the error. */
+ } else {
+ c6xdigio_pnp_registered = true;
+ }
+ }
+
+ return 0;
+}
+module_init(c6xdigio_module_init);
+
+static void __exit c6xdigio_module_exit(void)
+{
+ if (c6xdigio_pnp_registered)
+ pnp_unregister_driver(&c6xdigio_pnp_driver);
+ comedi_driver_unregister(&c6xdigio_driver);
+}
+module_exit(c6xdigio_module_exit);
MODULE_AUTHOR("Comedi https://www.comedi.org");
MODULE_DESCRIPTION("Comedi driver for the C6x_DIGIO DSP daughter card");
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 031/554] comedi: multiq3: sanitize config options in multiq3_attach()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 030/554] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 032/554] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
` (528 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7811bb68a317954a0347, stable,
Nikita Zhandarovich, Ian Abbott
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit f24c6e3a39fa355dabfb684c9ca82db579534e72 upstream.
Syzbot identified an issue [1] in multiq3_attach() that induces a
task timeout due to open() or COMEDI_DEVCONFIG ioctl operations,
specifically, in the case of multiq3 driver.
This problem arose when syzkaller managed to craft weird configuration
options used to specify the number of channels in encoder subdevice.
If a particularly great number is passed to s->n_chan in
multiq3_attach() via it->options[2], then multiple calls to
multiq3_encoder_reset() at the end of driver-specific attach() method
will be running for minutes, thus blocking tasks and affected devices
as well.
While this issue is most likely not too dangerous for real-life
devices, it still makes sense to sanitize configuration inputs. Enable
a sensible limit on the number of encoder chips (4 chips max, each
with 2 channels) to stop this behaviour from manifesting.
[1] Syzbot crash:
INFO: task syz.2.19:6067 blocked for more than 143 seconds.
...
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5254 [inline]
__schedule+0x17c4/0x4d60 kernel/sched/core.c:6862
__schedule_loop kernel/sched/core.c:6944 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6959
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7016
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:760
comedi_open+0xc0/0x590 drivers/comedi/comedi_fops.c:2868
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0x953/0x13f0 fs/open.c:965
vfs_open+0x3b/0x340 fs/open.c:1097
...
Reported-by: syzbot+7811bb68a317954a0347@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7811bb68a317954a0347
Fixes: 77e01cdbad51 ("Staging: comedi: add multiq3 driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://patch.msgid.link/20251023132205.395753-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/drivers/multiq3.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/comedi/drivers/multiq3.c
+++ b/drivers/comedi/drivers/multiq3.c
@@ -68,6 +68,11 @@
#define MULTIQ3_TRSFRCNTR_OL 0x10 /* xfer CNTR to OL (x and y) */
#define MULTIQ3_EFLAG_RESET 0x06 /* reset E bit of flag reg */
+/*
+ * Limit on the number of optional encoder channels
+ */
+#define MULTIQ3_MAX_ENC_CHANS 8
+
static void multiq3_set_ctrl(struct comedi_device *dev, unsigned int bits)
{
/*
@@ -313,6 +318,10 @@ static int multiq3_attach(struct comedi_
s->insn_read = multiq3_encoder_insn_read;
s->insn_config = multiq3_encoder_insn_config;
+ /* sanity check for number of encoder channels */
+ if (s->n_chan > MULTIQ3_MAX_ENC_CHANS)
+ s->n_chan = MULTIQ3_MAX_ENC_CHANS;
+
for (i = 0; i < s->n_chan; i++)
multiq3_encoder_reset(dev, i);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 032/554] comedi: check devices attached status in compat ioctls
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 031/554] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 033/554] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
` (527 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ab8008c24e84adee93ff, stable,
Ian Abbott, Nikita Zhandarovich
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
commit 0de7d9cd07a2671fa6089173bccc0b2afe6b93ee upstream.
Syzbot identified an issue [1] that crashes kernel, seemingly due to
unexistent callback dev->get_valid_routes(). By all means, this should
not occur as said callback must always be set to
get_zero_valid_routes() in __comedi_device_postconfig().
As the crash seems to appear exclusively in i386 kernels, at least,
judging from [1] reports, the blame lies with compat versions
of standard IOCTL handlers. Several of them are modified and
do not use comedi_unlocked_ioctl(). While functionality of these
ioctls essentially copy their original versions, they do not
have required sanity check for device's attached status. This,
in turn, leads to a possibility of calling select IOCTLs on a
device that has not been properly setup, even via COMEDI_DEVCONFIG.
Doing so on unconfigured devices means that several crucial steps
are missed, for instance, specifying dev->get_valid_routes()
callback.
Fix this somewhat crudely by ensuring device's attached status before
performing any ioctls, improving logic consistency between modern
and compat functions.
[1] Syzbot report:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CR2: ffffffffffffffd6 CR3: 000000006c717000 CR4: 0000000000352ef0
Call Trace:
<TASK>
get_valid_routes drivers/comedi/comedi_fops.c:1322 [inline]
parse_insn+0x78c/0x1970 drivers/comedi/comedi_fops.c:1401
do_insnlist_ioctl+0x272/0x700 drivers/comedi/comedi_fops.c:1594
compat_insnlist drivers/comedi/comedi_fops.c:3208 [inline]
comedi_compat_ioctl+0x810/0x990 drivers/comedi/comedi_fops.c:3273
__do_compat_sys_ioctl fs/ioctl.c:695 [inline]
__se_compat_sys_ioctl fs/ioctl.c:638 [inline]
__ia32_compat_sys_ioctl+0x242/0x370 fs/ioctl.c:638
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
...
Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab8008c24e84adee93ff
Fixes: 3fbfd2223a27 ("comedi: get rid of compat_alloc_user_space() mess in COMEDI_CHANINFO compat")
Cc: stable <stable@kernel.org>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Link: https://patch.msgid.link/20251023132234.395794-1-n.zhandarovich@fintech.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/comedi/comedi_fops.c | 42 ++++++++++++++++++++++++++++++++++++------
1 file changed, 36 insertions(+), 6 deletions(-)
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -2966,7 +2966,12 @@ static int compat_chaninfo(struct file *
chaninfo.rangelist = compat_ptr(chaninfo32.rangelist);
mutex_lock(&dev->mutex);
- err = do_chaninfo_ioctl(dev, &chaninfo);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ err = -ENODEV;
+ } else {
+ err = do_chaninfo_ioctl(dev, &chaninfo);
+ }
mutex_unlock(&dev->mutex);
return err;
}
@@ -2987,7 +2992,12 @@ static int compat_rangeinfo(struct file
rangeinfo.range_ptr = compat_ptr(rangeinfo32.range_ptr);
mutex_lock(&dev->mutex);
- err = do_rangeinfo_ioctl(dev, &rangeinfo);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ err = -ENODEV;
+ } else {
+ err = do_rangeinfo_ioctl(dev, &rangeinfo);
+ }
mutex_unlock(&dev->mutex);
return err;
}
@@ -3063,7 +3073,12 @@ static int compat_cmd(struct file *file,
return rc;
mutex_lock(&dev->mutex);
- rc = do_cmd_ioctl(dev, &cmd, ©, file);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ rc = -ENODEV;
+ } else {
+ rc = do_cmd_ioctl(dev, &cmd, ©, file);
+ }
mutex_unlock(&dev->mutex);
if (copy) {
/* Special case: copy cmd back to user. */
@@ -3088,7 +3103,12 @@ static int compat_cmdtest(struct file *f
return rc;
mutex_lock(&dev->mutex);
- rc = do_cmdtest_ioctl(dev, &cmd, ©, file);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ rc = -ENODEV;
+ } else {
+ rc = do_cmdtest_ioctl(dev, &cmd, ©, file);
+ }
mutex_unlock(&dev->mutex);
if (copy) {
err = put_compat_cmd(compat_ptr(arg), &cmd);
@@ -3148,7 +3168,12 @@ static int compat_insnlist(struct file *
}
mutex_lock(&dev->mutex);
- rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ rc = -ENODEV;
+ } else {
+ rc = do_insnlist_ioctl(dev, insns, insnlist32.n_insns, file);
+ }
mutex_unlock(&dev->mutex);
kfree(insns);
return rc;
@@ -3167,7 +3192,12 @@ static int compat_insn(struct file *file
return rc;
mutex_lock(&dev->mutex);
- rc = do_insn_ioctl(dev, &insn, file);
+ if (!dev->attached) {
+ dev_dbg(dev->class_dev, "no driver attached\n");
+ rc = -ENODEV;
+ } else {
+ rc = do_insn_ioctl(dev, &insn, file);
+ }
mutex_unlock(&dev->mutex);
return rc;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 033/554] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 032/554] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 034/554] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
` (526 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Navaneeth K, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Navaneeth K <knavaneeth786@gmail.com>
commit 6ef0e1c10455927867cac8f0ed6b49f328f8cf95 upstream.
The Supported Rates IE length from an incoming Association Request frame
was used directly as the memcpy() length when copying into a fixed-size
16-byte stack buffer (supportRate). A malicious station can advertise an
IE length larger than 16 bytes, causing a stack buffer overflow.
Clamp ie_len to the buffer size before copying the Supported Rates IE,
and correct the bounds check when merging Extended Supported Rates to
prevent a second potential overflow.
This prevents kernel stack corruption triggered by malformed association
requests.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -1042,6 +1042,9 @@ unsigned int OnAssocReq(struct adapter *
status = WLAN_STATUS_CHALLENGE_FAIL;
goto OnAssocReqFail;
} else {
+ if (ie_len > sizeof(supportRate))
+ ie_len = sizeof(supportRate);
+
memcpy(supportRate, p+2, ie_len);
supportRateNum = ie_len;
@@ -1049,7 +1052,7 @@ unsigned int OnAssocReq(struct adapter *
pkt_len - WLAN_HDR_A3_LEN - ie_offset);
if (p) {
- if (supportRateNum <= sizeof(supportRate)) {
+ if (supportRateNum + ie_len <= sizeof(supportRate)) {
memcpy(supportRate+supportRateNum, p+2, ie_len);
supportRateNum += ie_len;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 034/554] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR IE parsing
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 033/554] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 035/554] smack: fix bug: unprivileged task can create labels Greg Kroah-Hartman
` (525 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Navaneeth K, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Navaneeth K <knavaneeth786@gmail.com>
commit 502ddcc405b69fa92e0add6c1714d654504f6fd7 upstream.
The Extended Supported Rates (ESR) IE handling in OnBeacon accessed
*(p + 1 + ielen) and *(p + 2 + ielen) without verifying that these
offsets lie within the received frame buffer. A malformed beacon with
an ESR IE positioned at the end of the buffer could cause an
out-of-bounds read, potentially triggering a kernel panic.
Add a boundary check to ensure that the ESR IE body and the subsequent
bytes are within the limits of the frame before attempting to access
them.
This prevents OOB reads caused by malformed beacon frames.
Signed-off-by: Navaneeth K <knavaneeth786@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -584,9 +584,11 @@ unsigned int OnBeacon(struct adapter *pa
p = rtw_get_ie(pframe + sizeof(struct ieee80211_hdr_3addr) + _BEACON_IE_OFFSET_, WLAN_EID_EXT_SUPP_RATES, &ielen, precv_frame->u.hdr.len - sizeof(struct ieee80211_hdr_3addr) - _BEACON_IE_OFFSET_);
if (p && ielen > 0) {
- if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D))
- /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */
- *(p + 1) = ielen - 1;
+ if (p + 2 + ielen < pframe + len) {
+ if ((*(p + 1 + ielen) == 0x2D) && (*(p + 2 + ielen) != 0x2D))
+ /* Invalid value 0x2D is detected in Extended Supported Rates (ESR) IE. Try to fix the IE length to avoid failed Beacon parsing. */
+ *(p + 1) = ielen - 1;
+ }
}
if (pmlmeext->sitesurvey_res.state == SCAN_PROCESS) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 035/554] smack: fix bug: unprivileged task can create labels
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 034/554] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 036/554] gpu: host1x: Fix race in syncpt alloc/free Greg Kroah-Hartman
` (524 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Konstantin Andreev, Casey Schaufler,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Andreev <andreev@swemel.ru>
[ Upstream commit c147e13ea7fe9f118f8c9ba5e96cbd644b00d6b3 ]
If an unprivileged task is allowed to relabel itself
(/smack/relabel-self is not empty),
it can freely create new labels by writing their
names into own /proc/PID/attr/smack/current
This occurs because do_setattr() imports
the provided label in advance,
before checking "relabel-self" list.
This change ensures that the "relabel-self" list
is checked before importing the label.
Fixes: 38416e53936e ("Smack: limited capability for changing process label")
Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/smack/smack_lsm.c | 41 +++++++++++++++++++++++++-------------
1 file changed, 27 insertions(+), 14 deletions(-)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 1c62b3db50045..6075c43999675 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -3551,8 +3551,8 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
struct task_smack *tsp = smack_cred(current_cred());
struct cred *new;
struct smack_known *skp;
- struct smack_known_list_elem *sklep;
- int rc;
+ char *labelstr;
+ int rc = 0;
if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel))
return -EPERM;
@@ -3563,28 +3563,41 @@ static int smack_setprocattr(const char *name, void *value, size_t size)
if (strcmp(name, "current") != 0)
return -EINVAL;
- skp = smk_import_entry(value, size);
- if (IS_ERR(skp))
- return PTR_ERR(skp);
+ labelstr = smk_parse_smack(value, size);
+ if (IS_ERR(labelstr))
+ return PTR_ERR(labelstr);
/*
* No process is ever allowed the web ("@") label
* and the star ("*") label.
*/
- if (skp == &smack_known_web || skp == &smack_known_star)
- return -EINVAL;
+ if (labelstr[1] == '\0' /* '@', '*' */) {
+ const char c = labelstr[0];
+
+ if (c == *smack_known_web.smk_known ||
+ c == *smack_known_star.smk_known) {
+ rc = -EPERM;
+ goto free_labelstr;
+ }
+ }
if (!smack_privileged(CAP_MAC_ADMIN)) {
- rc = -EPERM;
+ const struct smack_known_list_elem *sklep;
list_for_each_entry(sklep, &tsp->smk_relabel, list)
- if (sklep->smk_label == skp) {
- rc = 0;
- break;
- }
- if (rc)
- return rc;
+ if (strcmp(sklep->smk_label->smk_known, labelstr) == 0)
+ goto free_labelstr;
+ rc = -EPERM;
}
+free_labelstr:
+ kfree(labelstr);
+ if (rc)
+ return -EPERM;
+
+ skp = smk_import_entry(value, size);
+ if (IS_ERR(skp))
+ return PTR_ERR(skp);
+
new = prepare_creds();
if (new == NULL)
return -ENOMEM;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 036/554] gpu: host1x: Fix race in syncpt alloc/free
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 035/554] smack: fix bug: unprivileged task can create labels Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 037/554] drm/panel: visionox-rm69299: Dont clear all mode flags Greg Kroah-Hartman
` (523 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mainak Sen, Mikko Perttunen,
Thierry Reding, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mainak Sen <msen@nvidia.com>
[ Upstream commit c7d393267c497502fa737607f435f05dfe6e3d9b ]
Fix race condition between host1x_syncpt_alloc()
and host1x_syncpt_put() by using kref_put_mutex()
instead of kref_put() + manual mutex locking.
This ensures no thread can acquire the
syncpt_mutex after the refcount drops to zero
but before syncpt_release acquires it.
This prevents races where syncpoints could
be allocated while still being cleaned up
from a previous release.
Remove explicit mutex locking in syncpt_release
as kref_put_mutex() handles this atomically.
Signed-off-by: Mainak Sen <msen@nvidia.com>
Fixes: f5ba33fb9690 ("gpu: host1x: Reserve VBLANK syncpoints at initialization")
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20250707-host1x-syncpt-race-fix-v1-1-28b0776e70bc@nvidia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/host1x/syncpt.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/gpu/host1x/syncpt.c b/drivers/gpu/host1x/syncpt.c
index a89a408182e60..c36197eab6fe4 100644
--- a/drivers/gpu/host1x/syncpt.c
+++ b/drivers/gpu/host1x/syncpt.c
@@ -394,8 +394,6 @@ static void syncpt_release(struct kref *ref)
sp->locked = false;
- mutex_lock(&sp->host->syncpt_mutex);
-
host1x_syncpt_base_free(sp->base);
kfree(sp->name);
sp->base = NULL;
@@ -418,7 +416,7 @@ void host1x_syncpt_put(struct host1x_syncpt *sp)
if (!sp)
return;
- kref_put(&sp->ref, syncpt_release);
+ kref_put_mutex(&sp->ref, syncpt_release, &sp->host->syncpt_mutex);
}
EXPORT_SYMBOL(host1x_syncpt_put);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 037/554] drm/panel: visionox-rm69299: Dont clear all mode flags
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 036/554] gpu: host1x: Fix race in syncpt alloc/free Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 038/554] drm/vgem-fence: Fix potential deadlock on release Greg Kroah-Hartman
` (522 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Guido Günther,
Dmitry Baryshkov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guido Günther <agx@sigxcpu.org>
[ Upstream commit 39144b611e9cd4f5814f4098c891b545dd70c536 ]
Don't clear all mode flags. We only want to maek sure we use HS mode
during unprepare.
Fixes: c7f66d32dd431 ("drm/panel: add support for rm69299 visionox panel")
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Guido Günther <agx@sigxcpu.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20250910-shift6mq-panel-v3-2-a7729911afb9@sigxcpu.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-visionox-rm69299.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/panel/panel-visionox-rm69299.c b/drivers/gpu/drm/panel/panel-visionox-rm69299.c
index 6134432e4918d..2260d5abf1ae8 100644
--- a/drivers/gpu/drm/panel/panel-visionox-rm69299.c
+++ b/drivers/gpu/drm/panel/panel-visionox-rm69299.c
@@ -64,7 +64,7 @@ static int visionox_rm69299_unprepare(struct drm_panel *panel)
struct visionox_rm69299 *ctx = panel_to_ctx(panel);
int ret;
- ctx->dsi->mode_flags = 0;
+ ctx->dsi->mode_flags &= ~MIPI_DSI_MODE_LPM;
ret = mipi_dsi_dcs_write(ctx->dsi, MIPI_DCS_SET_DISPLAY_OFF, NULL, 0);
if (ret < 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 038/554] drm/vgem-fence: Fix potential deadlock on release
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 037/554] drm/panel: visionox-rm69299: Dont clear all mode flags Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 039/554] USB: Fix descriptor count when handling invalid MBIM extended descriptor Greg Kroah-Hartman
` (521 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Janusz Krzysztofik,
Christian König, Maarten Lankhorst, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
[ Upstream commit 78b4d6463e9e69e5103f98b367f8984ad12cdc6f ]
A timer that expires a vgem fence automatically in 10 seconds is now
released with timer_delete_sync() from fence->ops.release() called on last
dma_fence_put(). In some scenarios, it can run in IRQ context, which is
not safe unless TIMER_IRQSAFE is used. One potentially risky scenario was
demonstrated in Intel DRM CI trybot, BAT run on machine bat-adlp-6, while
working on new IGT subtests syncobj_timeline@stress-* as user space
replacements of some problematic test cases of a dma-fence-chain selftest
[1].
[117.004338] ================================
[117.004340] WARNING: inconsistent lock state
[117.004342] 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 Tainted: G S U
[117.004346] --------------------------------
[117.004347] inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
[117.004349] swapper/0/0 [HC1[1]:SC1[1]:HE0:SE0] takes:
[117.004352] ffff888138f86aa8 ((&fence->timer)){?.-.}-{0:0}, at: __timer_delete_sync+0x4b/0x190
[117.004361] {HARDIRQ-ON-W} state was registered at:
[117.004363] lock_acquire+0xc4/0x2e0
[117.004366] call_timer_fn+0x80/0x2a0
[117.004368] __run_timers+0x231/0x310
[117.004370] run_timer_softirq+0x76/0xe0
[117.004372] handle_softirqs+0xd4/0x4d0
[117.004375] __irq_exit_rcu+0x13f/0x160
[117.004377] irq_exit_rcu+0xe/0x20
[117.004379] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004382] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004385] cpuidle_enter_state+0x12b/0x8a0
[117.004388] cpuidle_enter+0x2e/0x50
[117.004393] call_cpuidle+0x22/0x60
[117.004395] do_idle+0x1fd/0x260
[117.004398] cpu_startup_entry+0x29/0x30
[117.004401] start_secondary+0x12d/0x160
[117.004404] common_startup_64+0x13e/0x141
[117.004407] irq event stamp: 2282669
[117.004409] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.004414] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.004419] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.004423] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.004426]
other info that might help us debug this:
[117.004429] Possible unsafe locking scenario:
[117.004432] CPU0
[117.004433] ----
[117.004434] lock((&fence->timer));
[117.004436] <Interrupt>
[117.004438] lock((&fence->timer));
[117.004440]
*** DEADLOCK ***
[117.004443] 1 lock held by swapper/0/0:
[117.004445] #0: ffffc90000003d50 ((&fence->timer)){?.-.}-{0:0}, at: call_timer_fn+0x7a/0x2a0
[117.004450]
stack backtrace:
[117.004453] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004455] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004455] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004456] Call Trace:
[117.004456] <IRQ>
[117.004457] dump_stack_lvl+0x91/0xf0
[117.004460] dump_stack+0x10/0x20
[117.004461] print_usage_bug.part.0+0x260/0x360
[117.004463] mark_lock+0x76e/0x9c0
[117.004465] ? register_lock_class+0x48/0x4a0
[117.004467] __lock_acquire+0xbc3/0x2860
[117.004469] lock_acquire+0xc4/0x2e0
[117.004470] ? __timer_delete_sync+0x4b/0x190
[117.004472] ? __timer_delete_sync+0x4b/0x190
[117.004473] __timer_delete_sync+0x68/0x190
[117.004474] ? __timer_delete_sync+0x4b/0x190
[117.004475] timer_delete_sync+0x10/0x20
[117.004476] vgem_fence_release+0x19/0x30 [vgem]
[117.004478] dma_fence_release+0xc1/0x3b0
[117.004480] ? dma_fence_release+0xa1/0x3b0
[117.004481] dma_fence_chain_release+0xe7/0x130
[117.004483] dma_fence_release+0xc1/0x3b0
[117.004484] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004485] dma_fence_chain_irq_work+0x59/0x80
[117.004487] irq_work_single+0x75/0xa0
[117.004490] irq_work_run_list+0x33/0x60
[117.004491] irq_work_run+0x18/0x40
[117.004493] __sysvec_irq_work+0x35/0x170
[117.004494] sysvec_irq_work+0x47/0xc0
[117.004496] asm_sysvec_irq_work+0x1b/0x20
[117.004497] RIP: 0010:_raw_spin_unlock_irqrestore+0x57/0x80
[117.004499] Code: 00 75 1c 65 ff 0d d9 34 68 01 74 20 5b 41 5c 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc e8 7f 9d d3 fe fb 0f 1f 44 00 00 <eb> d7 0f 1f 44 00 00 5b 41 5c 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3
[117.004499] RSP: 0018:ffffc90000003cf0 EFLAGS: 00000246
[117.004500] RAX: 0000000000000000 RBX: ffff888155e94c40 RCX: 0000000000000000
[117.004501] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004502] RBP: ffffc90000003d00 R08: 0000000000000000 R09: 0000000000000000
[117.004502] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000246
[117.004502] R13: 0000000000000001 R14: 0000000000000246 R15: ffff888155e94c80
[117.004506] dma_fence_signal+0x49/0xb0
[117.004507] ? __pfx_vgem_fence_timeout+0x10/0x10 [vgem]
[117.004508] vgem_fence_timeout+0x12/0x20 [vgem]
[117.004509] call_timer_fn+0xa1/0x2a0
[117.004512] ? __pfx_vgem_fence_timeout+0x10/0x10 [vgem]
[117.004513] __run_timers+0x231/0x310
[117.004514] ? tmigr_handle_remote+0x2ac/0x560
[117.004517] timer_expire_remote+0x46/0x70
[117.004518] tmigr_handle_remote+0x433/0x560
[117.004520] ? __run_timers+0x239/0x310
[117.004521] ? run_timer_softirq+0x21/0xe0
[117.004522] ? lock_release+0xce/0x2a0
[117.004524] run_timer_softirq+0xcf/0xe0
[117.004525] handle_softirqs+0xd4/0x4d0
[117.004526] __irq_exit_rcu+0x13f/0x160
[117.004527] irq_exit_rcu+0xe/0x20
[117.004528] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004529] </IRQ>
[117.004529] <TASK>
[117.004529] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004530] RIP: 0010:cpuidle_enter_state+0x12b/0x8a0
[117.004532] Code: 48 0f a3 05 97 ce 0e 01 0f 82 2e 03 00 00 31 ff e8 8a 41 bd fe 80 7d d0 00 0f 85 11 03 00 00 e8 8b 06 d5 fe fb 0f 1f 44 00 00 <45> 85 f6 0f 88 67 02 00 00 4d 63 ee 49 83 fd 0a 0f 83 34 06 00 00
[117.004532] RSP: 0018:ffffffff83403d88 EFLAGS: 00000246
[117.004533] RAX: 0000000000000000 RBX: ffff88888f046440 RCX: 0000000000000000
[117.004533] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004534] RBP: ffffffff83403dd8 R08: 0000000000000000 R09: 0000000000000000
[117.004534] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff837cbe80
[117.004534] R13: 0000000000000004 R14: 0000000000000004 R15: 0000001ad1df466b
[117.004537] ? cpuidle_enter_state+0x125/0x8a0
[117.004538] ? sched_clock_noinstr+0x9/0x10
[117.004540] cpuidle_enter+0x2e/0x50
[117.004542] call_cpuidle+0x22/0x60
[117.004542] do_idle+0x1fd/0x260
[117.004544] cpu_startup_entry+0x29/0x30
[117.004546] rest_init+0x104/0x200
[117.004548] start_kernel+0x93d/0xbd0
[117.004550] ? load_ucode_intel_bsp+0x2a/0x90
[117.004551] ? sme_unmap_bootdata+0x14/0x80
[117.004554] x86_64_start_reservations+0x18/0x30
[117.004555] x86_64_start_kernel+0xfd/0x150
[117.004556] ? soft_restart_cpu+0x14/0x14
[117.004558] common_startup_64+0x13e/0x141
[117.004560] </TASK>
[117.004565] ------------[ cut here ]------------
[117.004692] WARNING: CPU: 0 PID: 0 at kernel/time/timer.c:1610 __timer_delete_sync+0x126/0x190
[117.004697] Modules linked in: vgem snd_hda_codec_intelhdmi snd_hda_codec_hdmi i915 prime_numbers ttm drm_buddy drm_display_helper cec rc_core i2c_algo_bit hid_sensor_custom hid_sensor_hub hid_generic intel_ishtp_hid hid intel_uncore_frequency intel_uncore_frequency_common x86_pkg_temp_thermal intel_powerclamp cmdlinepart ee1004 r8153_ecm spi_nor coretemp cdc_ether mei_pxp mei_hdcp usbnet mtd intel_rapl_msr wmi_bmof kvm_intel snd_hda_intel snd_intel_dspcfg processor_thermal_device_pci kvm snd_hda_codec processor_thermal_device irqbypass processor_thermal_wt_hint polyval_clmulni platform_temperature_control snd_hda_core ghash_clmulni_intel processor_thermal_rfim spi_pxa2xx_platform snd_hwdep aesni_intel processor_thermal_rapl dw_dmac snd_pcm dw_dmac_core intel_rapl_common r8152 rapl mii intel_cstate spi_pxa2xx_core i2c_i801 processor_thermal_wt_req snd_timer i2c_mux mei_me intel_ish_ipc processor_thermal_power_floor e1000e snd i2c_smbus spi_intel_pci processor_thermal_mbox mei soundcore intel_ishtp thunderbolt idma64
[117.004733] spi_intel int340x_thermal_zone igen6_edac binfmt_misc intel_skl_int3472_tps68470 intel_pmc_core tps68470_regulator video clk_tps68470 pmt_telemetry pmt_discovery nls_iso8859_1 pmt_class intel_pmc_ssram_telemetry intel_skl_int3472_discrete int3400_thermal intel_hid intel_skl_int3472_common acpi_thermal_rel intel_vsec wmi pinctrl_tigerlake acpi_tad sparse_keymap acpi_pad dm_multipath msr nvme_fabrics fuse efi_pstore nfnetlink autofs4
[117.004782] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S U 6.17.0-rc7-CI_DRM_17270-g7644974e648c+ #1 PREEMPT(voluntary)
[117.004787] Tainted: [S]=CPU_OUT_OF_SPEC, [U]=USER
[117.004789] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-P DDR4 RVP, BIOS RPLPFWI1.R00.4035.A00.2301200723 01/20/2023
[117.004793] RIP: 0010:__timer_delete_sync+0x126/0x190
[117.004795] Code: 31 c0 45 31 c9 c3 cc cc cc cc 48 8b 75 d0 45 84 f6 74 63 49 c7 45 18 00 00 00 00 48 89 c7 e8 51 46 39 01 f3 90 e9 66 ff ff ff <0f> 0b e9 5f ff ff ff e8 ee e4 0c 00 49 8d 5d 28 45 31 c9 31 c9 4c
[117.004801] RSP: 0018:ffffc90000003a40 EFLAGS: 00010046
[117.004804] RAX: ffffffff815093fb RBX: ffff888138f86aa8 RCX: 0000000000000000
[117.004807] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004809] RBP: ffffc90000003a70 R08: 0000000000000000 R09: 0000000000000000
[117.004812] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff815093fb
[117.004814] R13: ffff888138f86a80 R14: 0000000000000000 R15: 0000000000000000
[117.004817] FS: 0000000000000000(0000) GS:ffff88890b0f7000(0000) knlGS:0000000000000000
[117.004820] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[117.004823] CR2: 00005db8131eb7f0 CR3: 0000000003448000 CR4: 0000000000f52ef0
[117.004826] PKRU: 55555554
[117.004827] Call Trace:
[117.004829] <IRQ>
[117.004831] timer_delete_sync+0x10/0x20
[117.004833] vgem_fence_release+0x19/0x30 [vgem]
[117.004836] dma_fence_release+0xc1/0x3b0
[117.004838] ? dma_fence_release+0xa1/0x3b0
[117.004841] dma_fence_chain_release+0xe7/0x130
[117.004844] dma_fence_release+0xc1/0x3b0
[117.004847] ? _raw_spin_unlock_irqrestore+0x27/0x80
[117.004850] dma_fence_chain_irq_work+0x59/0x80
[117.004853] irq_work_single+0x75/0xa0
[117.004857] irq_work_run_list+0x33/0x60
[117.004860] irq_work_run+0x18/0x40
[117.004863] __sysvec_irq_work+0x35/0x170
[117.004865] sysvec_irq_work+0x47/0xc0
[117.004868] asm_sysvec_irq_work+0x1b/0x20
[117.004871] RIP: 0010:_raw_spin_unlock_irqrestore+0x57/0x80
[117.004874] Code: 00 75 1c 65 ff 0d d9 34 68 01 74 20 5b 41 5c 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3 cc cc cc cc e8 7f 9d d3 fe fb 0f 1f 44 00 00 <eb> d7 0f 1f 44 00 00 5b 41 5c 5d 31 c0 31 d2 31 c9 31 f6 31 ff c3
[117.004879] RSP: 0018:ffffc90000003cf0 EFLAGS: 00000246
[117.004882] RAX: 0000000000000000 RBX: ffff888155e94c40 RCX: 0000000000000000
[117.004884] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004887] RBP: ffffc90000003d00 R08: 0000000000000000 R09: 0000000000000000
[117.004890] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000246
[117.004892] R13: 0000000000000001 R14: 0000000000000246 R15: ffff888155e94c80
[117.004897] dma_fence_signal+0x49/0xb0
[117.004899] ? __pfx_vgem_fence_timeout+0x10/0x10 [vgem]
[117.004902] vgem_fence_timeout+0x12/0x20 [vgem]
[117.004904] call_timer_fn+0xa1/0x2a0
[117.004908] ? __pfx_vgem_fence_timeout+0x10/0x10 [vgem]
[117.004910] __run_timers+0x231/0x310
[117.004913] ? tmigr_handle_remote+0x2ac/0x560
[117.004917] timer_expire_remote+0x46/0x70
[117.004919] tmigr_handle_remote+0x433/0x560
[117.004923] ? __run_timers+0x239/0x310
[117.004925] ? run_timer_softirq+0x21/0xe0
[117.004928] ? lock_release+0xce/0x2a0
[117.004931] run_timer_softirq+0xcf/0xe0
[117.004933] handle_softirqs+0xd4/0x4d0
[117.004936] __irq_exit_rcu+0x13f/0x160
[117.004938] irq_exit_rcu+0xe/0x20
[117.004940] sysvec_apic_timer_interrupt+0xa0/0xc0
[117.004943] </IRQ>
[117.004944] <TASK>
[117.004946] asm_sysvec_apic_timer_interrupt+0x1b/0x20
[117.004949] RIP: 0010:cpuidle_enter_state+0x12b/0x8a0
[117.004953] Code: 48 0f a3 05 97 ce 0e 01 0f 82 2e 03 00 00 31 ff e8 8a 41 bd fe 80 7d d0 00 0f 85 11 03 00 00 e8 8b 06 d5 fe fb 0f 1f 44 00 00 <45> 85 f6 0f 88 67 02 00 00 4d 63 ee 49 83 fd 0a 0f 83 34 06 00 00
[117.004961] RSP: 0018:ffffffff83403d88 EFLAGS: 00000246
[117.004963] RAX: 0000000000000000 RBX: ffff88888f046440 RCX: 0000000000000000
[117.004966] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[117.004968] RBP: ffffffff83403dd8 R08: 0000000000000000 R09: 0000000000000000
[117.004971] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff837cbe80
[117.004974] R13: 0000000000000004 R14: 0000000000000004 R15: 0000001ad1df466b
[117.004978] ? cpuidle_enter_state+0x125/0x8a0
[117.004981] ? sched_clock_noinstr+0x9/0x10
[117.004985] cpuidle_enter+0x2e/0x50
[117.004989] call_cpuidle+0x22/0x60
[117.004991] do_idle+0x1fd/0x260
[117.005001] cpu_startup_entry+0x29/0x30
[117.005004] rest_init+0x104/0x200
[117.005008] start_kernel+0x93d/0xbd0
[117.005011] ? load_ucode_intel_bsp+0x2a/0x90
[117.005014] ? sme_unmap_bootdata+0x14/0x80
[117.005017] x86_64_start_reservations+0x18/0x30
[117.005020] x86_64_start_kernel+0xfd/0x150
[117.005023] ? soft_restart_cpu+0x14/0x14
[117.005026] common_startup_64+0x13e/0x141
[117.005030] </TASK>
[117.005032] irq event stamp: 2282669
[117.005034] hardirqs last enabled at (2282668): [<ffffffff8289db71>] _raw_spin_unlock_irqrestore+0x51/0x80
[117.005038] hardirqs last disabled at (2282669): [<ffffffff82882021>] sysvec_irq_work+0x11/0xc0
[117.005043] softirqs last enabled at (2254702): [<ffffffff8289fd00>] __do_softirq+0x10/0x18
[117.005047] softirqs last disabled at (2254725): [<ffffffff813d4ddf>] __irq_exit_rcu+0x13f/0x160
[117.005051] ---[ end trace 0000000000000000 ]---
Make the timer IRQ safe.
[1] https://patchwork.freedesktop.org/series/154987/#rev2
Fixes: 4077798484459 ("drm/vgem: Attach sw fences to exported vGEM dma-buf (ioctl)")
Signed-off-by: Janusz Krzysztofik <janusz.krzysztofik@linux.intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Link: https://lore.kernel.org/r/20250926152628.2165080-2-janusz.krzysztofik@linux.intel.com
Signed-off-by: Maarten Lankhorst <dev@lankhorst.se>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vgem/vgem_fence.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vgem/vgem_fence.c b/drivers/gpu/drm/vgem/vgem_fence.c
index 43fc56d0c4a06..539cf4ee57672 100644
--- a/drivers/gpu/drm/vgem/vgem_fence.c
+++ b/drivers/gpu/drm/vgem/vgem_fence.c
@@ -94,7 +94,7 @@ static struct dma_fence *vgem_fence_create(struct vgem_file *vfile,
dma_fence_init(&fence->base, &vgem_fence_ops, &fence->lock,
dma_fence_context_alloc(1), 1);
- timer_setup(&fence->timer, vgem_fence_timeout, 0);
+ timer_setup(&fence->timer, vgem_fence_timeout, TIMER_IRQSAFE);
/* We force the fence to expire within 10s to prevent driver hangs */
mod_timer(&fence->timer, jiffies + VGEM_FENCE_TIMEOUT);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 039/554] USB: Fix descriptor count when handling invalid MBIM extended descriptor
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 038/554] drm/vgem-fence: Fix potential deadlock on release Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 040/554] irqchip/qcom-irq-combiner: Fix section mismatch Greg Kroah-Hartman
` (520 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Seungjin Bae, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
[ Upstream commit 5570ad1423ee60f6e972dadb63fb2e5f90a54cbe ]
In cdc_parse_cdc_header(), the check for the USB_CDC_MBIM_EXTENDED_TYPE
descriptor was using 'break' upon detecting an invalid length.
This was incorrect because 'break' only exits the switch statement,
causing the code to fall through to cnt++, thus incorrectly
incrementing the count of parsed descriptors for a descriptor that was
actually invalid and being discarded.
This patch changes 'break' to 'goto next_desc;' to ensure that the
logic skips the counter increment and correctly proceeds to the next
descriptor in the buffer. This maintains an accurate count of only
the successfully parsed descriptors.
Fixes: e4c6fb7794982 ("usbnet: move the CDC parser into USB core")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Link: https://lore.kernel.org/r/20250928185611.764589-1-eeodqql09@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/core/message.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
index 1673e5d089263..9f65556dc3745 100644
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -2386,7 +2386,7 @@ int cdc_parse_cdc_header(struct usb_cdc_parsed_header *hdr,
break;
case USB_CDC_MBIM_EXTENDED_TYPE:
if (elength < sizeof(struct usb_cdc_mbim_extended_desc))
- break;
+ goto next_desc;
hdr->usb_cdc_mbim_extended_desc =
(struct usb_cdc_mbim_extended_desc *)buffer;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 040/554] irqchip/qcom-irq-combiner: Fix section mismatch
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 039/554] USB: Fix descriptor count when handling invalid MBIM extended descriptor Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 041/554] ntfs3: fix uninit memory after failed mi_read in mi_format_new Greg Kroah-Hartman
` (519 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Thomas Gleixner,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 9b685058ca936752285c5520d351b828312ac965 ]
Platform drivers can be probed after their init sections have been
discarded so the probe callback must not live in init.
Fixes: f20cc9b00c7b ("irqchip/qcom: Add IRQ combiner driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/qcom-irq-combiner.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/qcom-irq-combiner.c b/drivers/irqchip/qcom-irq-combiner.c
index 18e696dc7f4d6..9308088773be7 100644
--- a/drivers/irqchip/qcom-irq-combiner.c
+++ b/drivers/irqchip/qcom-irq-combiner.c
@@ -222,7 +222,7 @@ static int get_registers(struct platform_device *pdev, struct combiner *comb)
return 0;
}
-static int __init combiner_probe(struct platform_device *pdev)
+static int combiner_probe(struct platform_device *pdev)
{
struct combiner *combiner;
int nregs;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 041/554] ntfs3: fix uninit memory after failed mi_read in mi_format_new
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 040/554] irqchip/qcom-irq-combiner: Fix section mismatch Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 042/554] ntfs3: Fix uninit buffer allocated by __getname() Greg Kroah-Hartman
` (518 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7a2ba6b7b66340cff225,
Raphael Pinsonneault-Thibeault, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
[ Upstream commit 73e6b9dacf72a1e7a4265eacca46f8f33e0997d6 ]
Fix a KMSAN un-init bug found by syzkaller.
ntfs_get_bh() expects a buffer from sb_getblk(), that buffer may not be
uptodate. We do not bring the buffer uptodate before setting it as
uptodate. If the buffer were to not be uptodate, it could mean adding a
buffer with un-init data to the mi record. Attempting to load that record
will trigger KMSAN.
Avoid this by setting the buffer as uptodate, if it’s not already, by
overwriting it.
Reported-by: syzbot+7a2ba6b7b66340cff225@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=7a2ba6b7b66340cff225
Tested-by: syzbot+7a2ba6b7b66340cff225@syzkaller.appspotmail.com
Fixes: 4342306f0f0d5 ("fs/ntfs3: Add file operations and implementation")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/fsntfs.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
index abf28c0db71a3..c82398194cd10 100644
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -1343,7 +1343,14 @@ int ntfs_get_bh(struct ntfs_sb_info *sbi, const struct runs_tree *run, u64 vbo,
}
if (buffer_locked(bh))
__wait_on_buffer(bh);
- set_buffer_uptodate(bh);
+
+ lock_buffer(bh);
+ if (!buffer_uptodate(bh))
+ {
+ memset(bh->b_data, 0, blocksize);
+ set_buffer_uptodate(bh);
+ }
+ unlock_buffer(bh);
} else {
bh = ntfs_bread(sb, block);
if (!bh) {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 042/554] ntfs3: Fix uninit buffer allocated by __getname()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 041/554] ntfs3: fix uninit memory after failed mi_read in mi_format_new Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 043/554] rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu() Greg Kroah-Hartman
` (517 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+332bd4e9d148f11a87dc,
Sidharth Seela, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sidharth Seela <sidharthseela@gmail.com>
[ Upstream commit 9948dcb2f7b5a1bf8e8710eafaf6016e00be3ad6 ]
Fix uninit errors caused after buffer allocation given to 'de'; by
initializing the buffer with zeroes. The fix was found by using KMSAN.
Reported-by: syzbot+332bd4e9d148f11a87dc@syzkaller.appspotmail.com
Fixes: 78ab59fee07f2 ("fs/ntfs3: Rework file operations")
Signed-off-by: Sidharth Seela <sidharthseela@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 019a98e300dcf..7797e35364495 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -1696,6 +1696,7 @@ int ntfs_link_inode(struct inode *inode, struct dentry *dentry)
de = __getname();
if (!de)
return -ENOMEM;
+ memset(de, 0, PATH_MAX);
/* Mark rw ntfs as dirty. It will be cleared at umount. */
ntfs_set_state(sbi, NTFS_DIRTY_DIRTY);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 043/554] rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 042/554] ntfs3: Fix uninit buffer allocated by __getname() Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 044/554] inet: Avoid ehash lookup race in inet_ehash_insert() Greg Kroah-Hartman
` (516 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima,
Frederic Weisbecker, Eric Dumazet, Xuanqiang Luo, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
[ Upstream commit 9c4609225ec1cb551006d6a03c7c4ad8cb5584c0 ]
Add two functions to atomically replace RCU-protected hlist_nulls entries.
Keep using WRITE_ONCE() to assign values to ->next and ->pprev, as
mentioned in the patch below:
commit efd04f8a8b45 ("rcu: Use WRITE_ONCE() for assignments to ->next for
rculist_nulls")
commit 860c8802ace1 ("rcu: Use WRITE_ONCE() for assignments to ->pprev for
hlist_nulls")
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
Link: https://patch.msgid.link/20251015020236.431822-2-xuanqiang.luo@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 1532ed0d0753 ("inet: Avoid ehash lookup race in inet_ehash_insert()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/rculist_nulls.h | 59 +++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
diff --git a/include/linux/rculist_nulls.h b/include/linux/rculist_nulls.h
index d8afdb8784c1c..c89dd30fa3dff 100644
--- a/include/linux/rculist_nulls.h
+++ b/include/linux/rculist_nulls.h
@@ -52,6 +52,13 @@ static inline void hlist_nulls_del_init_rcu(struct hlist_nulls_node *n)
#define hlist_nulls_next_rcu(node) \
(*((struct hlist_nulls_node __rcu __force **)&(node)->next))
+/**
+ * hlist_nulls_pprev_rcu - returns the dereferenced pprev of @node.
+ * @node: element of the list.
+ */
+#define hlist_nulls_pprev_rcu(node) \
+ (*((struct hlist_nulls_node __rcu __force **)(node)->pprev))
+
/**
* hlist_nulls_del_rcu - deletes entry from hash list without re-initialization
* @n: the element to delete from the hash list.
@@ -152,6 +159,58 @@ static inline void hlist_nulls_add_fake(struct hlist_nulls_node *n)
n->next = (struct hlist_nulls_node *)NULLS_MARKER(NULL);
}
+/**
+ * hlist_nulls_replace_rcu - replace an old entry by a new one
+ * @old: the element to be replaced
+ * @new: the new element to insert
+ *
+ * Description:
+ * Replace the old entry with the new one in a RCU-protected hlist_nulls, while
+ * permitting racing traversals.
+ *
+ * The caller must take whatever precautions are necessary (such as holding
+ * appropriate locks) to avoid racing with another list-mutation primitive, such
+ * as hlist_nulls_add_head_rcu() or hlist_nulls_del_rcu(), running on this same
+ * list. However, it is perfectly legal to run concurrently with the _rcu
+ * list-traversal primitives, such as hlist_nulls_for_each_entry_rcu().
+ */
+static inline void hlist_nulls_replace_rcu(struct hlist_nulls_node *old,
+ struct hlist_nulls_node *new)
+{
+ struct hlist_nulls_node *next = old->next;
+
+ WRITE_ONCE(new->next, next);
+ WRITE_ONCE(new->pprev, old->pprev);
+ rcu_assign_pointer(hlist_nulls_pprev_rcu(new), new);
+ if (!is_a_nulls(next))
+ WRITE_ONCE(next->pprev, &new->next);
+}
+
+/**
+ * hlist_nulls_replace_init_rcu - replace an old entry by a new one and
+ * initialize the old
+ * @old: the element to be replaced
+ * @new: the new element to insert
+ *
+ * Description:
+ * Replace the old entry with the new one in a RCU-protected hlist_nulls, while
+ * permitting racing traversals, and reinitialize the old entry.
+ *
+ * Note: @old must be hashed.
+ *
+ * The caller must take whatever precautions are necessary (such as holding
+ * appropriate locks) to avoid racing with another list-mutation primitive, such
+ * as hlist_nulls_add_head_rcu() or hlist_nulls_del_rcu(), running on this same
+ * list. However, it is perfectly legal to run concurrently with the _rcu
+ * list-traversal primitives, such as hlist_nulls_for_each_entry_rcu().
+ */
+static inline void hlist_nulls_replace_init_rcu(struct hlist_nulls_node *old,
+ struct hlist_nulls_node *new)
+{
+ hlist_nulls_replace_rcu(old, new);
+ WRITE_ONCE(old->pprev, NULL);
+}
+
/**
* hlist_nulls_for_each_entry_rcu - iterate over rcu list of given type
* @tpos: the type * to use as a loop cursor.
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 044/554] inet: Avoid ehash lookup race in inet_ehash_insert()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 043/554] rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu() Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 045/554] iio: imu: st_lsm6dsx: introduce st_lsm6dsx_device_set_enable routine Greg Kroah-Hartman
` (515 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jiayuan Chen,
Xuanqiang Luo, Eric Dumazet, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
[ Upstream commit 1532ed0d0753c83e72595f785f82b48c28bbe5dc ]
Since ehash lookups are lockless, if one CPU performs a lookup while
another concurrently deletes and inserts (removing reqsk and inserting sk),
the lookup may fail to find the socket, an RST may be sent.
The call trace map is drawn as follows:
CPU 0 CPU 1
----- -----
inet_ehash_insert()
spin_lock()
sk_nulls_del_node_init_rcu(osk)
__inet_lookup_established()
(lookup failed)
__sk_nulls_add_node_rcu(sk, list)
spin_unlock()
As both deletion and insertion operate on the same ehash chain, this patch
introduces a new sk_nulls_replace_node_init_rcu() helper functions to
implement atomic replacement.
Fixes: 5e0724d027f0 ("tcp/dccp: fix hashdance race for passive sessions")
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Xuanqiang Luo <luoxuanqiang@kylinos.cn>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251015020236.431822-3-xuanqiang.luo@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/sock.h | 13 +++++++++++++
net/ipv4/inet_hashtables.c | 8 ++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index b987074f80965..ee9c398dd8f25 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -785,6 +785,19 @@ static inline bool sk_nulls_del_node_init_rcu(struct sock *sk)
return rc;
}
+static inline bool sk_nulls_replace_node_init_rcu(struct sock *old,
+ struct sock *new)
+{
+ if (sk_hashed(old)) {
+ hlist_nulls_replace_init_rcu(&old->sk_nulls_node,
+ &new->sk_nulls_node);
+ __sock_put(old);
+ return true;
+ }
+
+ return false;
+}
+
static inline void __sk_add_node(struct sock *sk, struct hlist_head *list)
{
hlist_add_head(&sk->sk_node, list);
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 7d2c21c3cfd4a..a7d11b82fe64d 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -541,8 +541,11 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
spin_lock(lock);
if (osk) {
WARN_ON_ONCE(sk->sk_hash != osk->sk_hash);
- ret = sk_nulls_del_node_init_rcu(osk);
- } else if (found_dup_sk) {
+ ret = sk_nulls_replace_node_init_rcu(osk, sk);
+ goto unlock;
+ }
+
+ if (found_dup_sk) {
*found_dup_sk = inet_ehash_lookup_by_sk(sk, list);
if (*found_dup_sk)
ret = false;
@@ -551,6 +554,7 @@ bool inet_ehash_insert(struct sock *sk, struct sock *osk, bool *found_dup_sk)
if (ret)
__sk_nulls_add_node_rcu(sk, list);
+unlock:
spin_unlock(lock);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 045/554] iio: imu: st_lsm6dsx: introduce st_lsm6dsx_device_set_enable routine
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 044/554] inet: Avoid ehash lookup race in inet_ehash_insert() Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 046/554] iio: imu: st_lsm6dsx: discard samples during filters settling time Greg Kroah-Hartman
` (514 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Bianconi, Jonathan Cameron,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit cd83c5c10036a2a156d725725daf3409832c8a24 ]
Introduce st_lsm6dsx_device_set_enable utility routine and remove
duplicated code used to enable/disable sensors
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/e3fbe5d4a3bed41130908669f745f78c8505cf47.1665399959.git.lorenzo@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: c6d702f2b771 ("iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 11 +++++++++++
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 14 +++-----------
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 14 ++------------
3 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
index 72abb5c62e4a9..6a6e963fe9731 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
@@ -505,6 +505,17 @@ st_lsm6dsx_get_mount_matrix(const struct iio_dev *iio_dev,
return &hw->orientation;
}
+static inline int
+st_lsm6dsx_device_set_enable(struct st_lsm6dsx_sensor *sensor, bool enable)
+{
+ if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
+ sensor->id == ST_LSM6DSX_ID_EXT1 ||
+ sensor->id == ST_LSM6DSX_ID_EXT2)
+ return st_lsm6dsx_shub_set_enable(sensor, enable);
+
+ return st_lsm6dsx_sensor_set_enable(sensor, enable);
+}
+
static const
struct iio_chan_spec_ext_info __maybe_unused st_lsm6dsx_accel_ext_info[] = {
IIO_MOUNT_MATRIX(IIO_SHARED_BY_ALL, st_lsm6dsx_get_mount_matrix),
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
index e78b699a044ed..9ebaf73561336 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
@@ -678,17 +678,9 @@ int st_lsm6dsx_update_fifo(struct st_lsm6dsx_sensor *sensor, bool enable)
goto out;
}
- if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
- sensor->id == ST_LSM6DSX_ID_EXT1 ||
- sensor->id == ST_LSM6DSX_ID_EXT2) {
- err = st_lsm6dsx_shub_set_enable(sensor, enable);
- if (err < 0)
- goto out;
- } else {
- err = st_lsm6dsx_sensor_set_enable(sensor, enable);
- if (err < 0)
- goto out;
- }
+ err = st_lsm6dsx_device_set_enable(sensor, enable);
+ if (err < 0)
+ goto out;
err = st_lsm6dsx_set_fifo_odr(sensor, enable);
if (err < 0)
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
index a778aceba3b10..dd674f3119ad2 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
@@ -2304,12 +2304,7 @@ static int __maybe_unused st_lsm6dsx_suspend(struct device *dev)
continue;
}
- if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
- sensor->id == ST_LSM6DSX_ID_EXT1 ||
- sensor->id == ST_LSM6DSX_ID_EXT2)
- err = st_lsm6dsx_shub_set_enable(sensor, false);
- else
- err = st_lsm6dsx_sensor_set_enable(sensor, false);
+ err = st_lsm6dsx_device_set_enable(sensor, false);
if (err < 0)
return err;
@@ -2340,12 +2335,7 @@ static int __maybe_unused st_lsm6dsx_resume(struct device *dev)
if (!(hw->suspend_mask & BIT(sensor->id)))
continue;
- if (sensor->id == ST_LSM6DSX_ID_EXT0 ||
- sensor->id == ST_LSM6DSX_ID_EXT1 ||
- sensor->id == ST_LSM6DSX_ID_EXT2)
- err = st_lsm6dsx_shub_set_enable(sensor, true);
- else
- err = st_lsm6dsx_sensor_set_enable(sensor, true);
+ err = st_lsm6dsx_device_set_enable(sensor, true);
if (err < 0)
return err;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 046/554] iio: imu: st_lsm6dsx: discard samples during filters settling time
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 045/554] iio: imu: st_lsm6dsx: introduce st_lsm6dsx_device_set_enable routine Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 047/554] iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member Greg Kroah-Hartman
` (513 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philippe De Muyter, Lorenzo Bianconi,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit db3c490503bee4d0611f9fc17fcd8cfe6fcdbcad ]
During digital filters settling time the driver is expected to drop
samples since they can be corrupted. Introduce the capability to drop
a given number of samples according to the configured ODR.
Add sample_to_discard for LSM6DSM-like sensors since new generation
devices (e.g. LSM6DSO) support DRDY mask where corrupted samples are
masked in hw with values greather than 0x7ffd so the driver can easily
discard them.
I have not added sample_to_discard support for LSM6DS3 or LSM6DS3H since
I do not have any sample for testing at the moment.
Reported-by: Philippe De Muyter <phdm@macqel.be>
Tested-by: Philippe De Muyter <phdm@macqel.be>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/21dcd94935c147ef9b1da4984b3da6264ee9609e.1677496295.git.lorenzo@kernel.org
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: c6d702f2b771 ("iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 11 ++++
.../iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c | 57 ++++++++++++++++---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 18 ++++++
3 files changed, 78 insertions(+), 8 deletions(-)
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
index 6a6e963fe9731..d448c802572eb 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
@@ -124,6 +124,13 @@ struct st_lsm6dsx_odr_table_entry {
int odr_len;
};
+struct st_lsm6dsx_samples_to_discard {
+ struct {
+ u32 milli_hz;
+ u16 samples;
+ } val[ST_LSM6DSX_ODR_LIST_SIZE];
+};
+
struct st_lsm6dsx_fs {
u32 gain;
u8 val;
@@ -286,6 +293,7 @@ struct st_lsm6dsx_ext_dev_settings {
* @irq_config: interrupts related registers.
* @drdy_mask: register info for data-ready mask (addr + mask).
* @odr_table: Hw sensors odr table (Hz + val).
+ * @samples_to_discard: Number of samples to discard for filters settling time.
* @fs_table: Hw sensors gain table (gain + val).
* @decimator: List of decimator register info (addr + mask).
* @batch: List of FIFO batching register info (addr + mask).
@@ -319,6 +327,7 @@ struct st_lsm6dsx_settings {
} irq_config;
struct st_lsm6dsx_reg drdy_mask;
struct st_lsm6dsx_odr_table_entry odr_table[2];
+ struct st_lsm6dsx_samples_to_discard samples_to_discard[2];
struct st_lsm6dsx_fs_table_entry fs_table[2];
struct st_lsm6dsx_reg decimator[ST_LSM6DSX_ID_MAX];
struct st_lsm6dsx_reg batch[2];
@@ -340,6 +349,7 @@ enum st_lsm6dsx_fifo_mode {
* @hw: Pointer to instance of struct st_lsm6dsx_hw.
* @gain: Configured sensor sensitivity.
* @odr: Output data rate of the sensor [Hz].
+ * @samples_to_discard: Number of samples to discard for filters settling time.
* @watermark: Sensor watermark level.
* @decimator: Sensor decimation factor.
* @sip: Number of samples in a given pattern.
@@ -354,6 +364,7 @@ struct st_lsm6dsx_sensor {
u32 gain;
u32 odr;
+ u16 samples_to_discard;
u16 watermark;
u8 decimator;
u8 sip;
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
index 9ebaf73561336..635a9018e7dba 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c
@@ -459,17 +459,31 @@ int st_lsm6dsx_read_fifo(struct st_lsm6dsx_hw *hw)
}
if (gyro_sip > 0 && !(sip % gyro_sensor->decimator)) {
- iio_push_to_buffers_with_timestamp(
- hw->iio_devs[ST_LSM6DSX_ID_GYRO],
- &hw->scan[ST_LSM6DSX_ID_GYRO],
- gyro_sensor->ts_ref + ts);
+ /*
+ * We need to discards gyro samples during
+ * filters settling time
+ */
+ if (gyro_sensor->samples_to_discard > 0)
+ gyro_sensor->samples_to_discard--;
+ else
+ iio_push_to_buffers_with_timestamp(
+ hw->iio_devs[ST_LSM6DSX_ID_GYRO],
+ &hw->scan[ST_LSM6DSX_ID_GYRO],
+ gyro_sensor->ts_ref + ts);
gyro_sip--;
}
if (acc_sip > 0 && !(sip % acc_sensor->decimator)) {
- iio_push_to_buffers_with_timestamp(
- hw->iio_devs[ST_LSM6DSX_ID_ACC],
- &hw->scan[ST_LSM6DSX_ID_ACC],
- acc_sensor->ts_ref + ts);
+ /*
+ * We need to discards accel samples during
+ * filters settling time
+ */
+ if (acc_sensor->samples_to_discard > 0)
+ acc_sensor->samples_to_discard--;
+ else
+ iio_push_to_buffers_with_timestamp(
+ hw->iio_devs[ST_LSM6DSX_ID_ACC],
+ &hw->scan[ST_LSM6DSX_ID_ACC],
+ acc_sensor->ts_ref + ts);
acc_sip--;
}
if (ext_sip > 0 && !(sip % ext_sensor->decimator)) {
@@ -659,6 +673,30 @@ int st_lsm6dsx_flush_fifo(struct st_lsm6dsx_hw *hw)
return err;
}
+static void
+st_lsm6dsx_update_samples_to_discard(struct st_lsm6dsx_sensor *sensor)
+{
+ const struct st_lsm6dsx_samples_to_discard *data;
+ struct st_lsm6dsx_hw *hw = sensor->hw;
+ int i;
+
+ if (sensor->id != ST_LSM6DSX_ID_GYRO &&
+ sensor->id != ST_LSM6DSX_ID_ACC)
+ return;
+
+ /* check if drdy mask is supported in hw */
+ if (hw->settings->drdy_mask.addr)
+ return;
+
+ data = &hw->settings->samples_to_discard[sensor->id];
+ for (i = 0; i < ST_LSM6DSX_ODR_LIST_SIZE; i++) {
+ if (data->val[i].milli_hz == sensor->odr) {
+ sensor->samples_to_discard = data->val[i].samples;
+ return;
+ }
+ }
+}
+
int st_lsm6dsx_update_fifo(struct st_lsm6dsx_sensor *sensor, bool enable)
{
struct st_lsm6dsx_hw *hw = sensor->hw;
@@ -678,6 +716,9 @@ int st_lsm6dsx_update_fifo(struct st_lsm6dsx_sensor *sensor, bool enable)
goto out;
}
+ if (enable)
+ st_lsm6dsx_update_samples_to_discard(sensor);
+
err = st_lsm6dsx_device_set_enable(sensor, enable);
if (err < 0)
goto out;
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
index dd674f3119ad2..f4872860cb458 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c
@@ -622,6 +622,24 @@ static const struct st_lsm6dsx_settings st_lsm6dsx_sensor_settings[] = {
.fs_len = 4,
},
},
+ .samples_to_discard = {
+ [ST_LSM6DSX_ID_ACC] = {
+ .val[0] = { 12500, 1 },
+ .val[1] = { 26000, 1 },
+ .val[2] = { 52000, 1 },
+ .val[3] = { 104000, 2 },
+ .val[4] = { 208000, 2 },
+ .val[5] = { 416000, 2 },
+ },
+ [ST_LSM6DSX_ID_GYRO] = {
+ .val[0] = { 12500, 2 },
+ .val[1] = { 26000, 5 },
+ .val[2] = { 52000, 7 },
+ .val[3] = { 104000, 12 },
+ .val[4] = { 208000, 20 },
+ .val[5] = { 416000, 36 },
+ },
+ },
.irq_config = {
.irq1 = {
.addr = 0x0d,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 047/554] iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 046/554] iio: imu: st_lsm6dsx: discard samples during filters settling time Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 048/554] arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl Greg Kroah-Hartman
` (512 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Lavra, Lorenzo Bianconi,
Jonathan Cameron, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francesco Lavra <flavra@baylibre.com>
[ Upstream commit c6d702f2b77194b62fb2098c63bb7f2a87da142d ]
The `odr` field in struct st_lsm6dsx_sensor contains a data rate
value expressed in mHz, not in Hz.
Fixes: f8710f0357bc3 ("iio: imu: st_lsm6dsx: express odr in mHZ")
Signed-off-by: Francesco Lavra <flavra@baylibre.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
index d448c802572eb..5fce038b61e03 100644
--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
+++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx.h
@@ -348,7 +348,7 @@ enum st_lsm6dsx_fifo_mode {
* @id: Sensor identifier.
* @hw: Pointer to instance of struct st_lsm6dsx_hw.
* @gain: Configured sensor sensitivity.
- * @odr: Output data rate of the sensor [Hz].
+ * @odr: Output data rate of the sensor [mHz].
* @samples_to_discard: Number of samples to discard for filters settling time.
* @watermark: Sensor watermark level.
* @decimator: Sensor decimation factor.
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 048/554] arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 047/554] iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 049/554] uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe Greg Kroah-Hartman
` (511 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Harvey, Peng Fan, Shawn Guo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Harvey <tharvey@gateworks.com>
[ Upstream commit d949b8d12d6e8fa119bca10d3157cd42e810f6f7 ]
The SDHC1 interface is not used on the imx8mm-venice-gw72xx. Remove the
unused pinctrl_usdhc1 iomux node.
Fixes: 6f30b27c5ef5 ("arm64: dts: imx8mm: Add Gateworks i.MX 8M Mini Development Kits")
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../boot/dts/freescale/imx8mm-venice-gw72xx.dtsi | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi
index 806ee21651d1f..6f26c9bbe57f0 100644
--- a/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-venice-gw72xx.dtsi
@@ -259,17 +259,6 @@ MX8MM_IOMUXC_UART4_TXD_UART4_DCE_TX 0x140
>;
};
- pinctrl_usdhc1: usdhc1grp {
- fsl,pins = <
- MX8MM_IOMUXC_SD1_CLK_USDHC1_CLK 0x190
- MX8MM_IOMUXC_SD1_CMD_USDHC1_CMD 0x1d0
- MX8MM_IOMUXC_SD1_DATA0_USDHC1_DATA0 0x1d0
- MX8MM_IOMUXC_SD1_DATA1_USDHC1_DATA1 0x1d0
- MX8MM_IOMUXC_SD1_DATA2_USDHC1_DATA2 0x1d0
- MX8MM_IOMUXC_SD1_DATA3_USDHC1_DATA3 0x1d0
- >;
- };
-
pinctrl_usdhc2: usdhc2grp {
fsl,pins = <
MX8MM_IOMUXC_SD2_CLK_USDHC2_CLK 0x190
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 049/554] uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 048/554] arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 050/554] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Greg Kroah-Hartman
` (510 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Qiang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Qiang <liqiang01@kylinos.cn>
[ Upstream commit d48fb15e6ad142e0577428a8c5028136e10c7b3d ]
devm_kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure.
Fixes: d57801c45f53e ("uio: uio_fsl_elbc_gpcm: use device-managed allocators")
Signed-off-by: Li Qiang <liqiang01@kylinos.cn>
Link: https://patch.msgid.link/20251015064020.56589-1-liqiang01@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/uio/uio_fsl_elbc_gpcm.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/uio/uio_fsl_elbc_gpcm.c b/drivers/uio/uio_fsl_elbc_gpcm.c
index 7d8eb9dc20681..db4e64550f121 100644
--- a/drivers/uio/uio_fsl_elbc_gpcm.c
+++ b/drivers/uio/uio_fsl_elbc_gpcm.c
@@ -384,6 +384,11 @@ static int uio_fsl_elbc_gpcm_probe(struct platform_device *pdev)
/* set all UIO data */
info->mem[0].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "%pOFn", node);
+ if (!info->mem[0].name) {
+ ret = -ENODEV;
+ goto out_err3;
+ }
+
info->mem[0].addr = res.start;
info->mem[0].size = resource_size(&res);
info->mem[0].memtype = UIO_MEM_PHYS;
@@ -423,6 +428,8 @@ static int uio_fsl_elbc_gpcm_probe(struct platform_device *pdev)
out_err2:
if (priv->shutdown)
priv->shutdown(info, true);
+
+out_err3:
iounmap(info->mem[0].internal_addr);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 050/554] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 049/554] uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 051/554] crypto: hisilicon/qm - restore original qos values Greg Kroah-Hartman
` (509 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Lukas Wunner,
Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
[ Upstream commit df0845cf447ae1556c3440b8b155de0926cbaa56 ]
Use check_add_overflow() to guard against potential integer overflows
when adding the binary blob lengths and the size of an asymmetric_key_id
structure and return ERR_PTR(-EOVERFLOW) accordingly. This prevents a
possible buffer overflow when copying data from potentially malicious
X.509 certificate fields that can be arbitrarily large, such as ASN.1
INTEGER serial numbers, issuer names, etc.
Fixes: 7901c1a8effb ("KEYS: Implement binary asymmetric key ID handling")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Reviewed-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/asymmetric_keys/asymmetric_type.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/crypto/asymmetric_keys/asymmetric_type.c b/crypto/asymmetric_keys/asymmetric_type.c
index ad8af3d70ac04..2e3fa520d6eb1 100644
--- a/crypto/asymmetric_keys/asymmetric_type.c
+++ b/crypto/asymmetric_keys/asymmetric_type.c
@@ -11,6 +11,7 @@
#include <crypto/public_key.h>
#include <linux/seq_file.h>
#include <linux/module.h>
+#include <linux/overflow.h>
#include <linux/slab.h>
#include <linux/ctype.h>
#include <keys/system_keyring.h>
@@ -138,12 +139,17 @@ struct asymmetric_key_id *asymmetric_key_generate_id(const void *val_1,
size_t len_2)
{
struct asymmetric_key_id *kid;
-
- kid = kmalloc(sizeof(struct asymmetric_key_id) + len_1 + len_2,
- GFP_KERNEL);
+ size_t kid_sz;
+ size_t len;
+
+ if (check_add_overflow(len_1, len_2, &len))
+ return ERR_PTR(-EOVERFLOW);
+ if (check_add_overflow(sizeof(struct asymmetric_key_id), len, &kid_sz))
+ return ERR_PTR(-EOVERFLOW);
+ kid = kmalloc(kid_sz, GFP_KERNEL);
if (!kid)
return ERR_PTR(-ENOMEM);
- kid->len = len_1 + len_2;
+ kid->len = len;
memcpy(kid->data, val_1, len_1);
memcpy(kid->data + len_1, val_2, len_2);
return kid;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 051/554] crypto: hisilicon/qm - restore original qos values
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 050/554] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 052/554] s390/smp: Fix fallback CPU detection Greg Kroah-Hartman
` (508 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, nieweiqiang, Chenghai Huang,
Herbert Xu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: nieweiqiang <nieweiqiang@huawei.com>
[ Upstream commit e7066160f5b4187ad9869b712fa7a35d3d5be6b9 ]
When the new qos valus setting fails, restore to
the original qos values.
Fixes: 72b010dc33b9 ("crypto: hisilicon/qm - supports writing QoS int the host")
Signed-off-by: nieweiqiang <nieweiqiang@huawei.com>
Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/hisilicon/qm.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/hisilicon/qm.c b/drivers/crypto/hisilicon/qm.c
index 58e995db37838..a48c6306a8cb2 100644
--- a/drivers/crypto/hisilicon/qm.c
+++ b/drivers/crypto/hisilicon/qm.c
@@ -4010,6 +4010,7 @@ static int qm_clear_vft_config(struct hisi_qm *qm)
static int qm_func_shaper_enable(struct hisi_qm *qm, u32 fun_index, u32 qos)
{
struct device *dev = &qm->pdev->dev;
+ struct qm_shaper_factor t_factor;
u32 ir = qos * QM_QOS_RATE;
int ret, total_vfs, i;
@@ -4017,6 +4018,7 @@ static int qm_func_shaper_enable(struct hisi_qm *qm, u32 fun_index, u32 qos)
if (fun_index > total_vfs)
return -EINVAL;
+ memcpy(&t_factor, &qm->factor[fun_index], sizeof(t_factor));
qm->factor[fun_index].func_qos = qos;
ret = qm_get_shaper_para(ir, &qm->factor[fun_index]);
@@ -4030,11 +4032,21 @@ static int qm_func_shaper_enable(struct hisi_qm *qm, u32 fun_index, u32 qos)
ret = qm_set_vft_common(qm, SHAPER_VFT, fun_index, i, 1);
if (ret) {
dev_err(dev, "type: %d, failed to set shaper vft!\n", i);
- return -EINVAL;
+ goto back_func_qos;
}
}
return 0;
+
+back_func_qos:
+ memcpy(&qm->factor[fun_index], &t_factor, sizeof(t_factor));
+ for (i--; i >= ALG_TYPE_0; i--) {
+ ret = qm_set_vft_common(qm, SHAPER_VFT, fun_index, i, 1);
+ if (ret)
+ dev_err(dev, "failed to restore shaper vft during rollback!\n");
+ }
+
+ return -EINVAL;
}
static u32 qm_get_shaper_vft_qos(struct hisi_qm *qm, u32 fun_index)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 052/554] s390/smp: Fix fallback CPU detection
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 051/554] crypto: hisilicon/qm - restore original qos values Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 053/554] s390/ap: Dont leak debug feature files if AP instructions are not available Greg Kroah-Hartman
` (507 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Egorenkov, Mete Durlu,
Heiko Carstens, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
[ Upstream commit 07a75d08cfa1b883a6e1256666e5f0617ee99231 ]
In case SCLP CPU detection does not work a fallback mechanism using SIGP is
in place. Since a cleanup this does not work correctly anymore: new CPUs
are only considered if their type matches the boot CPU.
Before the cleanup the information if a CPU type should be considered was
also part of a structure generated by the fallback mechanism and indicated
that a CPU type should not be considered when adding CPUs.
Since the rework a global SCLP state is used instead. If the global SCLP
state indicates that the CPU type should be considered and the fallback
mechanism is used, there may be a mismatch with CPU types if CPUs are
added. This can lead to a system with only a single CPU even tough there
are many more CPUs.
Address this by simply copying the boot cpu type into the generated data
structure from the fallback mechanism.
Reported-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Fixes: d08d94306e90 ("s390/smp: cleanup core vs. cpu in the SCLP interface")
Reviewed-by: Mete Durlu <meted@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/smp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
index 5c1fd147591cb..824941e3204d7 100644
--- a/arch/s390/kernel/smp.c
+++ b/arch/s390/kernel/smp.c
@@ -754,6 +754,7 @@ static void __ref smp_get_core_info(struct sclp_core_info *info, int early)
continue;
info->core[info->configured].core_id =
address >> smp_cpu_mt_shift;
+ info->core[info->configured].type = boot_core_type;
info->configured++;
}
info->combined = info->configured;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 053/554] s390/ap: Dont leak debug feature files if AP instructions are not available
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 052/554] s390/smp: Fix fallback CPU detection Greg Kroah-Hartman
@ 2026-01-15 16:41 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 054/554] firmware: imx: scu-irq: fix OF node leak in Greg Kroah-Hartman
` (506 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:41 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harald Freudenberger, Heiko Carstens,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
[ Upstream commit 020d5dc57874e58d3ebae398f3fe258f029e3d06 ]
If no AP instructions are available the AP bus module leaks registered
debug feature files. Change function call order to fix this.
Fixes: cccd85bfb7bf ("s390/zcrypt: Rework debug feature invocations.")
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/crypto/ap_bus.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/s390/crypto/ap_bus.c b/drivers/s390/crypto/ap_bus.c
index 1dd6dd2ed7fbc..489dff1dd94ef 100644
--- a/drivers/s390/crypto/ap_bus.c
+++ b/drivers/s390/crypto/ap_bus.c
@@ -1873,15 +1873,15 @@ static int __init ap_module_init(void)
{
int rc;
- rc = ap_debug_init();
- if (rc)
- return rc;
-
if (!ap_instructions_available()) {
pr_warn("The hardware system does not support AP instructions\n");
return -ENODEV;
}
+ rc = ap_debug_init();
+ if (rc)
+ return rc;
+
/* init ap_queue hashtable */
hash_init(ap_queues);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 054/554] firmware: imx: scu-irq: fix OF node leak in
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-01-15 16:41 ` [PATCH 5.15 053/554] s390/ap: Dont leak debug feature files if AP instructions are not available Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 055/554] phy: mscc: Fix PTP for VSC8574 and VSC8572 Greg Kroah-Hartman
` (505 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Peng Fan, Shawn Guo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit ee67247843a2b62d1473cfa4df300e69b5190ccf ]
imx_scu_enable_general_irq_channel() calls of_parse_phandle_with_args(),
but does not release the OF node reference. Add a of_node_put() call
to release the reference.
Fixes: 851826c7566e ("firmware: imx: enable imx scu general irq function")
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/imx/imx-scu-irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/imx/imx-scu-irq.c b/drivers/firmware/imx/imx-scu-irq.c
index d9dcc20945c6a..32b1ca4e10508 100644
--- a/drivers/firmware/imx/imx-scu-irq.c
+++ b/drivers/firmware/imx/imx-scu-irq.c
@@ -160,8 +160,10 @@ int imx_scu_enable_general_irq_channel(struct device *dev)
INIT_WORK(&imx_sc_irq_work, imx_scu_irq_work_handler);
if (!of_parse_phandle_with_args(dev->of_node, "mboxes",
- "#mbox-cells", 0, &spec))
+ "#mbox-cells", 0, &spec)) {
i = of_alias_get_id(spec.np, "mu");
+ of_node_put(spec.np);
+ }
/* use mu1 as general mu irq channel if failed */
if (i < 0)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 055/554] phy: mscc: Fix PTP for VSC8574 and VSC8572
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 054/554] firmware: imx: scu-irq: fix OF node leak in Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 056/554] sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock() Greg Kroah-Hartman
` (504 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Chevallier, Horatiu Vultur,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horatiu Vultur <horatiu.vultur@microchip.com>
[ Upstream commit ea5df88aeca112aac69e6c32e3dd1433a113b0c9 ]
The PTP initialization is two-step. First part are the function
vsc8584_ptp_probe_once() and vsc8584_ptp_probe() at probe time which
initialize the locks, queues, creates the PTP device. The second part is
the function vsc8584_ptp_init() at config_init() time which initialize
PTP in the HW.
For VSC8574 and VSC8572, the PTP initialization is incomplete. It is
missing the first part but it makes the second part. Meaning that the
ptp_clock_register() is never called.
There is no crash without the first part when enabling PTP but this is
unexpected because some PHys have PTP functionality exposed by the
driver and some don't even though they share the same PTP clock PTP.
Fixes: 774626fa440e ("net: phy: mscc: Add PTP support for 2 more VSC PHYs")
Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://patch.msgid.link/20251023191350.190940-3-horatiu.vultur@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/mscc/mscc_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/phy/mscc/mscc_main.c b/drivers/net/phy/mscc/mscc_main.c
index 982e73adf2bcf..acc9e1a266314 100644
--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -2560,7 +2560,7 @@ static struct phy_driver vsc85xx_driver[] = {
.suspend = &genphy_suspend,
.resume = &genphy_resume,
.remove = &vsc85xx_remove,
- .probe = &vsc8574_probe,
+ .probe = &vsc8584_probe,
.set_wol = &vsc85xx_wol_set,
.get_wol = &vsc85xx_wol_get,
.get_tunable = &vsc85xx_get_tunable,
@@ -2581,12 +2581,12 @@ static struct phy_driver vsc85xx_driver[] = {
.config_aneg = &vsc85xx_config_aneg,
.aneg_done = &genphy_aneg_done,
.read_status = &vsc85xx_read_status,
- .handle_interrupt = vsc85xx_handle_interrupt,
+ .handle_interrupt = vsc8584_handle_interrupt,
.config_intr = &vsc85xx_config_intr,
.suspend = &genphy_suspend,
.resume = &genphy_resume,
.remove = &vsc85xx_remove,
- .probe = &vsc8574_probe,
+ .probe = &vsc8584_probe,
.set_wol = &vsc85xx_wol_set,
.get_wol = &vsc85xx_wol_get,
.get_tunable = &vsc85xx_get_tunable,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 056/554] sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock().
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 055/554] phy: mscc: Fix PTP for VSC8574 and VSC8572 Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 057/554] compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer Greg Kroah-Hartman
` (503 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Xin Long,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit 622e8838a29845316668ec2e7648428878df7f9a ]
SCTP_DBG_OBJCNT_INC() is called only when sctp_init_sock()
returns 0 after successfully allocating sctp_sk(sk)->ep.
OTOH, SCTP_DBG_OBJCNT_DEC() is called in sctp_close().
The code seems to expect that the socket is always exposed
to userspace once SCTP_DBG_OBJCNT_INC() is incremented, but
there is a path where the assumption is not true.
In sctp_accept(), sctp_sock_migrate() could fail after
sctp_init_sock().
Then, sk_common_release() does not call inet_release() nor
sctp_close(). Instead, it calls sk->sk_prot->destroy().
Let's move SCTP_DBG_OBJCNT_DEC() from sctp_close() to
sctp_destroy_sock().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20251023231751.4168390-2-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/socket.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 0aaea911b21ef..424af9d0434db 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1551,8 +1551,6 @@ static void sctp_close(struct sock *sk, long timeout)
spin_unlock_bh(&net->sctp.addr_wq_lock);
sock_put(sk);
-
- SCTP_DBG_OBJCNT_DEC(sock);
}
/* Handle EPIPE error. */
@@ -5101,9 +5099,12 @@ static void sctp_destroy_sock(struct sock *sk)
sp->do_auto_asconf = 0;
list_del(&sp->auto_asconf_list);
}
+
sctp_endpoint_free(sp->ep);
+
sk_sockets_allocated_dec(sk);
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+ SCTP_DBG_OBJCNT_DEC(sock);
}
/* Triggered when there are no references on the socket anymore */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 057/554] compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 056/554] sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock() Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 058/554] kmsan: introduce __no_sanitize_memory and __no_kmsan_checks Greg Kroah-Hartman
` (502 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Nick Desaulniers,
Andrew Morton, Will Deacon, Arvind Sankar, Masahiro Yamada, llvm,
Kees Cook, Nathan Chancellor, Miguel Ojeda, Marco Elver,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 9a48e7564ac83fb0f1d5b0eac5fe8a7af62da398 ]
When Clang is using the hwaddress sanitizer, it sets __SANITIZE_ADDRESS__
explicitly:
#if __has_feature(address_sanitizer) || __has_feature(hwaddress_sanitizer)
/* Emulate GCC's __SANITIZE_ADDRESS__ flag */
#define __SANITIZE_ADDRESS__
#endif
Once hwaddress sanitizer was added to GCC, however, a separate define
was created, __SANITIZE_HWADDRESS__. The kernel is expecting to find
__SANITIZE_ADDRESS__ in either case, though, and the existing string
macros break on supported architectures:
#if (defined(CONFIG_KASAN_GENERIC) || defined(CONFIG_KASAN_SW_TAGS)) && \
!defined(__SANITIZE_ADDRESS__)
where as other architectures (like arm32) have no idea about hwaddress
sanitizer and just check for __SANITIZE_ADDRESS__:
#if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
This would lead to compiler foritfy self-test warnings when building
with CONFIG_KASAN_SW_TAGS=y:
warning: unsafe memmove() usage lacked '__read_overflow2' symbol in lib/test_fortify/read_overflow2-memmove.c
warning: unsafe memcpy() usage lacked '__write_overflow' symbol in lib/test_fortify/write_overflow-memcpy.c
...
Sort this out by also defining __SANITIZE_ADDRESS__ in GCC under the
hwaddress sanitizer.
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Will Deacon <will@kernel.org>
Cc: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: llvm@lists.linux.dev
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Miguel Ojeda <ojeda@kernel.org>
Reviewed-by: Marco Elver <elver@google.com>
Link: https://lore.kernel.org/r/20211020200039.170424-1-keescook@chromium.org
Stable-dep-of: ced37e9ceae5 ("x86/dumpstack: Prevent KASAN false positive warnings in __show_regs()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/compiler-gcc.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index b9d5f9c373a09..06c1cf2ab0244 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -123,6 +123,14 @@
#define __no_sanitize_coverage
#endif
+/*
+ * Treat __SANITIZE_HWADDRESS__ the same as __SANITIZE_ADDRESS__ in the kernel,
+ * matching the defines used by Clang.
+ */
+#ifdef __SANITIZE_HWADDRESS__
+#define __SANITIZE_ADDRESS__
+#endif
+
/*
* Turn individual warnings and errors on and off locally, depending
* on version.
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 058/554] kmsan: introduce __no_sanitize_memory and __no_kmsan_checks
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 057/554] compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 059/554] x86: kmsan: dont instrument stack walking functions Greg Kroah-Hartman
` (501 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko, Marco Elver,
Alexander Viro, Alexei Starovoitov, Andrey Konovalov,
Andrey Konovalov, Andy Lutomirski, Arnd Bergmann, Borislav Petkov,
Christoph Hellwig, Christoph Lameter, David Rientjes,
Dmitry Vyukov, Eric Biggers, Eric Biggers, Eric Dumazet,
Herbert Xu, Ilya Leoshkevich, Ingo Molnar, Jens Axboe,
Joonsoo Kim, Kees Cook, Mark Rutland, Matthew Wilcox,
Michael S. Tsirkin, Pekka Enberg, Peter Zijlstra, Petr Mladek,
Stephen Rothwell, Steven Rostedt, Thomas Gleixner, Vasily Gorbik,
Vegard Nossum, Vlastimil Babka, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Potapenko <glider@google.com>
[ Upstream commit 9b448bc25b776daab3215393c3ce6953dd3bb8ad ]
__no_sanitize_memory is a function attribute that instructs KMSAN to skip
a function during instrumentation. This is needed to e.g. implement the
noinstr functions.
__no_kmsan_checks is a function attribute that makes KMSAN ignore the
uninitialized values coming from the function's inputs, and initialize the
function's outputs.
Functions marked with this attribute can't be inlined into functions not
marked with it, and vice versa. This behavior is overridden by
__always_inline.
__SANITIZE_MEMORY__ is a macro that's defined iff the file is instrumented
with KMSAN. This is not the same as CONFIG_KMSAN, which is defined for
every file.
Link: https://lkml.kernel.org/r/20220915150417.722975-8-glider@google.com
Signed-off-by: Alexander Potapenko <glider@google.com>
Reviewed-by: Marco Elver <elver@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Biggers <ebiggers@google.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Ilya Leoshkevich <iii@linux.ibm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: ced37e9ceae5 ("x86/dumpstack: Prevent KASAN false positive warnings in __show_regs()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/compiler-clang.h | 23 +++++++++++++++++++++++
include/linux/compiler-gcc.h | 6 ++++++
2 files changed, 29 insertions(+)
diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index 29be8ad715498..3397f6809c869 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -79,6 +79,29 @@
#define __no_sanitize_undefined
#endif
+#if __has_feature(memory_sanitizer)
+#define __SANITIZE_MEMORY__
+/*
+ * Unlike other sanitizers, KMSAN still inserts code into functions marked with
+ * no_sanitize("kernel-memory"). Using disable_sanitizer_instrumentation
+ * provides the behavior consistent with other __no_sanitize_ attributes,
+ * guaranteeing that __no_sanitize_memory functions remain uninstrumented.
+ */
+#define __no_sanitize_memory __disable_sanitizer_instrumentation
+
+/*
+ * The __no_kmsan_checks attribute ensures that a function does not produce
+ * false positive reports by:
+ * - initializing all local variables and memory stores in this function;
+ * - skipping all shadow checks;
+ * - passing initialized arguments to this function's callees.
+ */
+#define __no_kmsan_checks __attribute__((no_sanitize("kernel-memory")))
+#else
+#define __no_sanitize_memory
+#define __no_kmsan_checks
+#endif
+
/*
* Support for __has_feature(coverage_sanitizer) was added in Clang 13 together
* with no_sanitize("coverage"). Prior versions of Clang support coverage
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index 06c1cf2ab0244..64e20878af4d0 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -131,6 +131,12 @@
#define __SANITIZE_ADDRESS__
#endif
+/*
+ * GCC does not support KMSAN.
+ */
+#define __no_sanitize_memory
+#define __no_kmsan_checks
+
/*
* Turn individual warnings and errors on and off locally, depending
* on version.
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 059/554] x86: kmsan: dont instrument stack walking functions
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 058/554] kmsan: introduce __no_sanitize_memory and __no_kmsan_checks Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 060/554] x86/dumpstack: Prevent KASAN false positive warnings in __show_regs() Greg Kroah-Hartman
` (500 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Potapenko, Alexander Viro,
Alexei Starovoitov, Andrey Konovalov, Andrey Konovalov,
Andy Lutomirski, Arnd Bergmann, Borislav Petkov,
Christoph Hellwig, Christoph Lameter, David Rientjes,
Dmitry Vyukov, Eric Biggers, Eric Biggers, Eric Dumazet,
Herbert Xu, Ilya Leoshkevich, Ingo Molnar, Jens Axboe,
Joonsoo Kim, Kees Cook, Marco Elver, Mark Rutland, Matthew Wilcox,
Michael S. Tsirkin, Pekka Enberg, Peter Zijlstra, Petr Mladek,
Stephen Rothwell, Steven Rostedt, Thomas Gleixner, Vasily Gorbik,
Vegard Nossum, Vlastimil Babka, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Potapenko <glider@google.com>
[ Upstream commit 37ad4ee8364255c73026a3c343403b5977fa7e79 ]
Upon function exit, KMSAN marks local variables as uninitialized. Further
function calls may result in the compiler creating the stack frame where
these local variables resided. This results in frame pointers being
marked as uninitialized data, which is normally correct, because they are
not stack-allocated.
However stack unwinding functions are supposed to read and dereference the
frame pointers, in which case KMSAN might be reporting uses of
uninitialized values.
To work around that, we mark update_stack_state(), unwind_next_frame() and
show_trace_log_lvl() with __no_kmsan_checks, preventing all KMSAN reports
inside those functions and making them return initialized values.
Link: https://lkml.kernel.org/r/20220915150417.722975-40-glider@google.com
Signed-off-by: Alexander Potapenko <glider@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Biggers <ebiggers@google.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Ilya Leoshkevich <iii@linux.ibm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Marco Elver <elver@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: ced37e9ceae5 ("x86/dumpstack: Prevent KASAN false positive warnings in __show_regs()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/dumpstack.c | 6 ++++++
arch/x86/kernel/unwind_frame.c | 11 +++++++++++
2 files changed, 17 insertions(+)
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index 8a8660074284f..4adbc85b74a33 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -183,6 +183,12 @@ static void show_regs_if_on_stack(struct stack_info *info, struct pt_regs *regs,
}
}
+/*
+ * This function reads pointers from the stack and dereferences them. The
+ * pointers may not have their KMSAN shadow set up properly, which may result
+ * in false positive reports. Disable instrumentation to avoid those.
+ */
+__no_kmsan_checks
static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
unsigned long *stack, const char *log_lvl)
{
diff --git a/arch/x86/kernel/unwind_frame.c b/arch/x86/kernel/unwind_frame.c
index d7c44b257f7f4..8943114f9ebed 100644
--- a/arch/x86/kernel/unwind_frame.c
+++ b/arch/x86/kernel/unwind_frame.c
@@ -183,6 +183,16 @@ static struct pt_regs *decode_frame_pointer(unsigned long *bp)
}
#endif
+/*
+ * While walking the stack, KMSAN may stomp on stale locals from other
+ * functions that were marked as uninitialized upon function exit, and
+ * now hold the call frame information for the current function (e.g. the frame
+ * pointer). Because KMSAN does not specifically mark call frames as
+ * initialized, false positive reports are possible. To prevent such reports,
+ * we mark the functions scanning the stack (here and below) with
+ * __no_kmsan_checks.
+ */
+__no_kmsan_checks
static bool update_stack_state(struct unwind_state *state,
unsigned long *next_bp)
{
@@ -251,6 +261,7 @@ static bool update_stack_state(struct unwind_state *state,
return true;
}
+__no_kmsan_checks
bool unwind_next_frame(struct unwind_state *state)
{
struct pt_regs *regs;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 060/554] x86/dumpstack: Prevent KASAN false positive warnings in __show_regs()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 059/554] x86: kmsan: dont instrument stack walking functions Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 061/554] pinctrl: stm32: fix hwspinlock resource leak in probe function Greg Kroah-Hartman
` (499 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tengda Wu, Borislav Petkov (AMD),
Andrey Ryabinin, Josh Poimboeuf, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tengda Wu <wutengda@huaweicloud.com>
[ Upstream commit ced37e9ceae50e4cb6cd058963bd315ec9afa651 ]
When triggering a stack dump via sysrq (echo t > /proc/sysrq-trigger),
KASAN may report false-positive out-of-bounds access:
BUG: KASAN: out-of-bounds in __show_regs+0x4b/0x340
Call Trace:
dump_stack_lvl
print_address_description.constprop.0
print_report
__show_regs
show_trace_log_lvl
sched_show_task
show_state_filter
sysrq_handle_showstate
__handle_sysrq
write_sysrq_trigger
proc_reg_write
vfs_write
ksys_write
do_syscall_64
entry_SYSCALL_64_after_hwframe
The issue occurs as follows:
Task A (walk other tasks' stacks) Task B (running)
1. echo t > /proc/sysrq-trigger
show_trace_log_lvl
regs = unwind_get_entry_regs()
show_regs_if_on_stack(regs)
2. The stack value pointed by
`regs` keeps changing, and
so are the tags in its
KASAN shadow region.
__show_regs(regs)
regs->ax, regs->bx, ...
3. hit KASAN redzones, OOB
When task A walks task B's stack without suspending it, the continuous changes
in task B's stack (and corresponding KASAN shadow tags) may cause task A to
hit KASAN redzones when accessing obsolete values on the stack, resulting in
false positive reports.
Simply stopping the task before unwinding is not a viable fix, as it would
alter the state intended to inspect. This is especially true for diagnosing
misbehaving tasks (e.g., in a hard lockup), where stopping might fail or hide
the root cause by changing the call stack.
Therefore, fix this by disabling KASAN checks during asynchronous stack
unwinding, which is identified when the unwinding task does not match the
current task (task != current).
[ bp: Align arguments on function's opening brace. ]
Fixes: 3b3fa11bc700 ("x86/dumpstack: Print any pt_regs found on the stack")
Signed-off-by: Tengda Wu <wutengda@huaweicloud.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Link: https://patch.msgid.link/all/20251023090632.269121-1-wutengda@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/dumpstack.c | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
index 4adbc85b74a33..82ade5a7879ff 100644
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -189,8 +189,8 @@ static void show_regs_if_on_stack(struct stack_info *info, struct pt_regs *regs,
* in false positive reports. Disable instrumentation to avoid those.
*/
__no_kmsan_checks
-static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
- unsigned long *stack, const char *log_lvl)
+static void __show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ unsigned long *stack, const char *log_lvl)
{
struct unwind_state state;
struct stack_info stack_info = {0};
@@ -311,6 +311,25 @@ static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
}
}
+static void show_trace_log_lvl(struct task_struct *task, struct pt_regs *regs,
+ unsigned long *stack, const char *log_lvl)
+{
+ /*
+ * Disable KASAN to avoid false positives during walking another
+ * task's stacks, as values on these stacks may change concurrently
+ * with task execution.
+ */
+ bool disable_kasan = task && task != current;
+
+ if (disable_kasan)
+ kasan_disable_current();
+
+ __show_trace_log_lvl(task, regs, stack, log_lvl);
+
+ if (disable_kasan)
+ kasan_enable_current();
+}
+
void show_stack(struct task_struct *task, unsigned long *sp,
const char *loglvl)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 061/554] pinctrl: stm32: fix hwspinlock resource leak in probe function
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 060/554] x86/dumpstack: Prevent KASAN false positive warnings in __show_regs() Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 062/554] i3c: remove i2c board info from i2c_dev_desc Greg Kroah-Hartman
` (498 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Antonio Borneo,
Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 002679f79ed605e543fbace465557317cd307c9a ]
In stm32_pctl_probe(), hwspin_lock_request_specific() is called to
request a hwspinlock, but the acquired lock is not freed on multiple
error paths after this call. This causes resource leakage when the
function fails to initialize properly.
Use devm_hwspin_lock_request_specific() instead of
hwspin_lock_request_specific() to automatically manage the hwspinlock
resource lifecycle.
Fixes: 97cfb6cd34f2 ("pinctrl: stm32: protect configuration registers with a hwspinlock")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Antonio Borneo <antonio.borneo@foss.st.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/stm32/pinctrl-stm32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
index 821ec5a97551d..e8afed94fccc1 100644
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -1490,7 +1490,7 @@ int stm32_pctl_probe(struct platform_device *pdev)
if (hwlock_id == -EPROBE_DEFER)
return hwlock_id;
} else {
- pctl->hwlock = hwspin_lock_request_specific(hwlock_id);
+ pctl->hwlock = devm_hwspin_lock_request_specific(dev, hwlock_id);
}
spin_lock_init(&pctl->irqmux_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 062/554] i3c: remove i2c board info from i2c_dev_desc
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 061/554] pinctrl: stm32: fix hwspinlock resource leak in probe function Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 063/554] i3c: support dynamically added i2c devices Greg Kroah-Hartman
` (497 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Belloni, Jamie Iles,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamie Iles <quic_jiles@quicinc.com>
[ Upstream commit 31b9887c7258ca47d9c665a80f19f006c86756b1 ]
I2C board info is only required during adapter setup so there is no
requirement to keeping a pointer to it once running. To support dynamic
device addition we can't rely on board info - user-space creation
through sysfs won't have a boardinfo.
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20220117174816.1963463-2-quic_jiles@quicinc.com
Stable-dep-of: 9d4f219807d5 ("i3c: fix refcount inconsistency in i3c_master_register")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 18 ++++++++++--------
include/linux/i3c/master.h | 1 -
2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index 717b337f9e22d..d4e9299472679 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -610,7 +610,7 @@ static void i3c_master_free_i2c_dev(struct i2c_dev_desc *dev)
static struct i2c_dev_desc *
i3c_master_alloc_i2c_dev(struct i3c_master_controller *master,
- const struct i2c_dev_boardinfo *boardinfo)
+ u16 addr, u8 lvr)
{
struct i2c_dev_desc *dev;
@@ -619,9 +619,8 @@ i3c_master_alloc_i2c_dev(struct i3c_master_controller *master,
return ERR_PTR(-ENOMEM);
dev->common.master = master;
- dev->boardinfo = boardinfo;
- dev->addr = boardinfo->base.addr;
- dev->lvr = boardinfo->lvr;
+ dev->addr = addr;
+ dev->lvr = lvr;
return dev;
}
@@ -695,7 +694,7 @@ i3c_master_find_i2c_dev_by_addr(const struct i3c_master_controller *master,
struct i2c_dev_desc *dev;
i3c_bus_for_each_i2cdev(&master->bus, dev) {
- if (dev->boardinfo->base.addr == addr)
+ if (dev->addr == addr)
return dev;
}
@@ -1692,7 +1691,9 @@ static int i3c_master_bus_init(struct i3c_master_controller *master)
i2cboardinfo->base.addr,
I3C_ADDR_SLOT_I2C_DEV);
- i2cdev = i3c_master_alloc_i2c_dev(master, i2cboardinfo);
+ i2cdev = i3c_master_alloc_i2c_dev(master,
+ i2cboardinfo->base.addr,
+ i2cboardinfo->lvr);
if (IS_ERR(i2cdev)) {
ret = PTR_ERR(i2cdev);
goto err_detach_devs;
@@ -2178,6 +2179,7 @@ static int i3c_master_i2c_adapter_init(struct i3c_master_controller *master)
{
struct i2c_adapter *adap = i3c_master_to_i2c_adapter(master);
struct i2c_dev_desc *i2cdev;
+ struct i2c_dev_boardinfo *i2cboardinfo;
int ret;
adap->dev.parent = master->dev.parent;
@@ -2197,8 +2199,8 @@ static int i3c_master_i2c_adapter_init(struct i3c_master_controller *master)
* We silently ignore failures here. The bus should keep working
* correctly even if one or more i2c devices are not registered.
*/
- i3c_bus_for_each_i2cdev(&master->bus, i2cdev)
- i2cdev->dev = i2c_new_client_device(adap, &i2cdev->boardinfo->base);
+ list_for_each_entry(i2cboardinfo, &master->boardinfo.i2c, node)
+ i2cdev->dev = i2c_new_client_device(adap, &i2cboardinfo->base);
return 0;
}
diff --git a/include/linux/i3c/master.h b/include/linux/i3c/master.h
index 9cb39d901cd5f..604a126b78c83 100644
--- a/include/linux/i3c/master.h
+++ b/include/linux/i3c/master.h
@@ -85,7 +85,6 @@ struct i2c_dev_boardinfo {
*/
struct i2c_dev_desc {
struct i3c_i2c_dev_desc common;
- const struct i2c_dev_boardinfo *boardinfo;
struct i2c_client *dev;
u16 addr;
u8 lvr;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 063/554] i3c: support dynamically added i2c devices
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 062/554] i3c: remove i2c board info from i2c_dev_desc Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 064/554] i3c: Allow OF-alias-based persistent bus numbering Greg Kroah-Hartman
` (496 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Belloni, Jamie Iles,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamie Iles <quic_jiles@quicinc.com>
[ Upstream commit 72a4501b5d089772671360a6ec74d5350acf8c2e ]
I2C devices can be added to the system dynamically through several
sources other than static board info including device tree overlays and
sysfs i2c new_device.
Add an I2C bus notifier to attach the clients at runtime if they were
not defined in the board info. For DT devices find the LVR in the reg
property, for user-space new_device additions we synthesize a
conservative setting of no spike filters and fast mode only.
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20220117174816.1963463-3-quic_jiles@quicinc.com
Stable-dep-of: 9d4f219807d5 ("i3c: fix refcount inconsistency in i3c_master_register")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 128 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 127 insertions(+), 1 deletion(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index d4e9299472679..ae60eb7b27601 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2170,11 +2170,122 @@ static u32 i3c_master_i2c_funcs(struct i2c_adapter *adapter)
return I2C_FUNC_SMBUS_EMUL | I2C_FUNC_I2C;
}
+static u8 i3c_master_i2c_get_lvr(struct i2c_client *client)
+{
+ /* Fall back to no spike filters and FM bus mode. */
+ u8 lvr = I3C_LVR_I2C_INDEX(2) | I3C_LVR_I2C_FM_MODE;
+
+ if (client->dev.of_node) {
+ u32 reg[3];
+
+ if (!of_property_read_u32_array(client->dev.of_node, "reg",
+ reg, ARRAY_SIZE(reg)))
+ lvr = reg[2];
+ }
+
+ return lvr;
+}
+
+static int i3c_master_i2c_attach(struct i2c_adapter *adap, struct i2c_client *client)
+{
+ struct i3c_master_controller *master = i2c_adapter_to_i3c_master(adap);
+ enum i3c_addr_slot_status status;
+ struct i2c_dev_desc *i2cdev;
+ int ret;
+
+ /* Already added by board info? */
+ if (i3c_master_find_i2c_dev_by_addr(master, client->addr))
+ return 0;
+
+ status = i3c_bus_get_addr_slot_status(&master->bus, client->addr);
+ if (status != I3C_ADDR_SLOT_FREE)
+ return -EBUSY;
+
+ i3c_bus_set_addr_slot_status(&master->bus, client->addr,
+ I3C_ADDR_SLOT_I2C_DEV);
+
+ i2cdev = i3c_master_alloc_i2c_dev(master, client->addr,
+ i3c_master_i2c_get_lvr(client));
+ if (IS_ERR(i2cdev)) {
+ ret = PTR_ERR(i2cdev);
+ goto out_clear_status;
+ }
+
+ ret = i3c_master_attach_i2c_dev(master, i2cdev);
+ if (ret)
+ goto out_free_dev;
+
+ return 0;
+
+out_free_dev:
+ i3c_master_free_i2c_dev(i2cdev);
+out_clear_status:
+ i3c_bus_set_addr_slot_status(&master->bus, client->addr,
+ I3C_ADDR_SLOT_FREE);
+
+ return ret;
+}
+
+static int i3c_master_i2c_detach(struct i2c_adapter *adap, struct i2c_client *client)
+{
+ struct i3c_master_controller *master = i2c_adapter_to_i3c_master(adap);
+ struct i2c_dev_desc *dev;
+
+ dev = i3c_master_find_i2c_dev_by_addr(master, client->addr);
+ if (!dev)
+ return -ENODEV;
+
+ i3c_master_detach_i2c_dev(dev);
+ i3c_bus_set_addr_slot_status(&master->bus, dev->addr,
+ I3C_ADDR_SLOT_FREE);
+ i3c_master_free_i2c_dev(dev);
+
+ return 0;
+}
+
static const struct i2c_algorithm i3c_master_i2c_algo = {
.master_xfer = i3c_master_i2c_adapter_xfer,
.functionality = i3c_master_i2c_funcs,
};
+static int i3c_i2c_notifier_call(struct notifier_block *nb, unsigned long action,
+ void *data)
+{
+ struct i2c_adapter *adap;
+ struct i2c_client *client;
+ struct device *dev = data;
+ struct i3c_master_controller *master;
+ int ret;
+
+ if (dev->type != &i2c_client_type)
+ return 0;
+
+ client = to_i2c_client(dev);
+ adap = client->adapter;
+
+ if (adap->algo != &i3c_master_i2c_algo)
+ return 0;
+
+ master = i2c_adapter_to_i3c_master(adap);
+
+ i3c_bus_maintenance_lock(&master->bus);
+ switch (action) {
+ case BUS_NOTIFY_ADD_DEVICE:
+ ret = i3c_master_i2c_attach(adap, client);
+ break;
+ case BUS_NOTIFY_DEL_DEVICE:
+ ret = i3c_master_i2c_detach(adap, client);
+ break;
+ }
+ i3c_bus_maintenance_unlock(&master->bus);
+
+ return ret;
+}
+
+static struct notifier_block i2cdev_notifier = {
+ .notifier_call = i3c_i2c_notifier_call,
+};
+
static int i3c_master_i2c_adapter_init(struct i3c_master_controller *master)
{
struct i2c_adapter *adap = i3c_master_to_i2c_adapter(master);
@@ -2705,12 +2816,27 @@ void i3c_dev_free_ibi_locked(struct i3c_dev_desc *dev)
static int __init i3c_init(void)
{
- return bus_register(&i3c_bus_type);
+ int res = bus_register_notifier(&i2c_bus_type, &i2cdev_notifier);
+
+ if (res)
+ return res;
+
+ res = bus_register(&i3c_bus_type);
+ if (res)
+ goto out_unreg_notifier;
+
+ return 0;
+
+out_unreg_notifier:
+ bus_unregister_notifier(&i2c_bus_type, &i2cdev_notifier);
+
+ return res;
}
subsys_initcall(i3c_init);
static void __exit i3c_exit(void)
{
+ bus_unregister_notifier(&i2c_bus_type, &i2cdev_notifier);
idr_destroy(&i3c_bus_idr);
bus_unregister(&i3c_bus_type);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 064/554] i3c: Allow OF-alias-based persistent bus numbering
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 063/554] i3c: support dynamically added i2c devices Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 065/554] i3c: master: Inherit DMA masks and parameters from parent device Greg Kroah-Hartman
` (495 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeremy Kerr, Alexandre Belloni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Kerr <jk@codeconstruct.com.au>
[ Upstream commit 7dc2e0a875645a79f5c1c063019397e8e94008f5 ]
Parse the /aliases node to assign any fixed bus numbers, as is done with
the i2c subsystem. Numbering for non-aliased busses will start after the
highest fixed bus number.
This allows an alias node such as:
aliases {
i3c0 = &bus_a,
i3c4 = &bus_b,
};
to set the numbering for a set of i3c controllers:
/* fixed-numbered bus, assigned "i3c-0" */
bus_a: i3c-master {
};
/* another fixed-numbered bus, assigned "i3c-4" */
bus_b: i3c-master {
};
/* dynamic-numbered bus, likely assigned "i3c-5" */
bus_c: i3c-master {
};
If no i3c device aliases are present, the numbering will stay as-is,
starting from 0.
Signed-off-by: Jeremy Kerr <jk@codeconstruct.com.au>
Link: https://lore.kernel.org/r/20230405094149.1513209-1-jk@codeconstruct.com.au
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 9d4f219807d5 ("i3c: fix refcount inconsistency in i3c_master_register")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 30 +++++++++++++++++++++++++-----
1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index ae60eb7b27601..209aa1e889044 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -21,6 +21,7 @@
static DEFINE_IDR(i3c_bus_idr);
static DEFINE_MUTEX(i3c_core_lock);
+static int __i3c_first_dynamic_bus_num;
/**
* i3c_bus_maintenance_lock - Lock the bus for a maintenance operation
@@ -420,9 +421,9 @@ static void i3c_bus_cleanup(struct i3c_bus *i3cbus)
mutex_unlock(&i3c_core_lock);
}
-static int i3c_bus_init(struct i3c_bus *i3cbus)
+static int i3c_bus_init(struct i3c_bus *i3cbus, struct device_node *np)
{
- int ret;
+ int ret, start, end, id = -1;
init_rwsem(&i3cbus->lock);
INIT_LIST_HEAD(&i3cbus->devs.i2c);
@@ -430,8 +431,19 @@ static int i3c_bus_init(struct i3c_bus *i3cbus)
i3c_bus_init_addrslots(i3cbus);
i3cbus->mode = I3C_BUS_MODE_PURE;
+ if (np)
+ id = of_alias_get_id(np, "i3c");
+
mutex_lock(&i3c_core_lock);
- ret = idr_alloc(&i3c_bus_idr, i3cbus, 0, 0, GFP_KERNEL);
+ if (id >= 0) {
+ start = id;
+ end = start + 1;
+ } else {
+ start = __i3c_first_dynamic_bus_num;
+ end = 0;
+ }
+
+ ret = idr_alloc(&i3c_bus_idr, i3cbus, start, end, GFP_KERNEL);
mutex_unlock(&i3c_core_lock);
if (ret < 0)
@@ -2607,7 +2619,7 @@ int i3c_master_register(struct i3c_master_controller *master,
INIT_LIST_HEAD(&master->boardinfo.i2c);
INIT_LIST_HEAD(&master->boardinfo.i3c);
- ret = i3c_bus_init(i3cbus);
+ ret = i3c_bus_init(i3cbus, master->dev.of_node);
if (ret)
return ret;
@@ -2816,8 +2828,16 @@ void i3c_dev_free_ibi_locked(struct i3c_dev_desc *dev)
static int __init i3c_init(void)
{
- int res = bus_register_notifier(&i2c_bus_type, &i2cdev_notifier);
+ int res;
+
+ res = of_alias_get_highest_id("i3c");
+ if (res >= 0) {
+ mutex_lock(&i3c_core_lock);
+ __i3c_first_dynamic_bus_num = res + 1;
+ mutex_unlock(&i3c_core_lock);
+ }
+ res = bus_register_notifier(&i2c_bus_type, &i2cdev_notifier);
if (res)
return res;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 065/554] i3c: master: Inherit DMA masks and parameters from parent device
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 064/554] i3c: Allow OF-alias-based persistent bus numbering Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 066/554] i3c: fix refcount inconsistency in i3c_master_register Greg Kroah-Hartman
` (494 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jarkko Nikula, Alexandre Belloni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
[ Upstream commit 0c35691551387e060e6ae7a6652b4101270c73cf ]
Copy the DMA masks and parameters for an I3C master device from parent
device so that the master device has them set for the DMA buffer and
mapping API.
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Link: https://lore.kernel.org/r/20230921055704.1087277-2-jarkko.nikula@linux.intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 9d4f219807d5 ("i3c: fix refcount inconsistency in i3c_master_register")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index 209aa1e889044..459399cd70da7 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2626,6 +2626,10 @@ int i3c_master_register(struct i3c_master_controller *master,
device_initialize(&master->dev);
dev_set_name(&master->dev, "i3c-%d", i3cbus->id);
+ master->dev.dma_mask = parent->dma_mask;
+ master->dev.coherent_dma_mask = parent->coherent_dma_mask;
+ master->dev.dma_parms = parent->dma_parms;
+
ret = of_populate_i3c_bus(master);
if (ret)
goto err_put_dev;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 066/554] i3c: fix refcount inconsistency in i3c_master_register
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 065/554] i3c: master: Inherit DMA masks and parameters from parent device Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 067/554] i3c: master: svc: Prevent incomplete IBI transaction Greg Kroah-Hartman
` (493 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuhao Fu, Frank Li,
Alexandre Belloni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Li <Frank.Li@nxp.com>
[ Upstream commit 9d4f219807d5ac11fb1d596e4ddb09336b040067 ]
In `i3c_master_register`, a possible refcount inconsistency has been
identified, causing possible resource leak.
Function `of_node_get` increases the refcount of `parent->of_node`. If
function `i3c_bus_init` fails, the function returns immediately without
a corresponding decrease, resulting in an inconsistent refcounter.
Move call i3c_bus_init() after device_initialize() to let callback
i3c_masterdev_release() release of_node.
Reported-by: Shuhao Fu <sfual@cse.ust.hk>
Closes: https://lore.kernel.org/linux-i3c/aO2tjp_FsV_WohPG@osx.local/T/#m2c05a982beeb14e7bf039c1d8db856734bf234c7
Fixes: 3a379bbcea0a ("i3c: Add core I3C infrastructure")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20251016143814.2551256-1-Frank.Li@nxp.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index 459399cd70da7..e5a282053e2a9 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2619,10 +2619,6 @@ int i3c_master_register(struct i3c_master_controller *master,
INIT_LIST_HEAD(&master->boardinfo.i2c);
INIT_LIST_HEAD(&master->boardinfo.i3c);
- ret = i3c_bus_init(i3cbus, master->dev.of_node);
- if (ret)
- return ret;
-
device_initialize(&master->dev);
dev_set_name(&master->dev, "i3c-%d", i3cbus->id);
@@ -2630,6 +2626,10 @@ int i3c_master_register(struct i3c_master_controller *master,
master->dev.coherent_dma_mask = parent->coherent_dma_mask;
master->dev.dma_parms = parent->dma_parms;
+ ret = i3c_bus_init(i3cbus, master->dev.of_node);
+ if (ret)
+ goto err_put_dev;
+
ret = of_populate_i3c_bus(master);
if (ret)
goto err_put_dev;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 067/554] i3c: master: svc: Prevent incomplete IBI transaction
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 066/554] i3c: fix refcount inconsistency in i3c_master_register Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 068/554] power: supply: wm831x: Check wm831x_set_bits() return value Greg Kroah-Hartman
` (492 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanley Chu, Frank Li, Miquel Raynal,
Alexandre Belloni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanley Chu <yschu@nuvoton.com>
[ Upstream commit 3a36273e5a07dda0ccec193800f3b78c3c0380af ]
If no free IBI slot is available, svc_i3c_master_handle_ibi returns
immediately. This causes the STOP condition to be missed because the
EmitStop request is sent when the transfer is not complete. To resolve
this, svc_i3c_master_handle_ibi must wait for the transfer to complete
before returning.
Fixes: dd3c52846d59 ("i3c: master: svc: Add Silvaco I3C master driver")
Signed-off-by: Stanley Chu <yschu@nuvoton.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20251027034715.708243-1-yschu@nuvoton.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i3c/master/svc-i3c-master.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/drivers/i3c/master/svc-i3c-master.c b/drivers/i3c/master/svc-i3c-master.c
index 27f55b5e388d9..d12b4ff2a4495 100644
--- a/drivers/i3c/master/svc-i3c-master.c
+++ b/drivers/i3c/master/svc-i3c-master.c
@@ -297,21 +297,27 @@ static int svc_i3c_master_handle_ibi(struct svc_i3c_master *master,
int ret, val;
u8 *buf;
- slot = i3c_generic_ibi_get_free_slot(data->ibi_pool);
- if (!slot)
- return -ENOSPC;
-
- slot->len = 0;
- buf = slot->data;
-
+ /*
+ * Wait for transfer to complete before returning. Otherwise, the EmitStop
+ * request might be sent when the transfer is not complete.
+ */
ret = readl_relaxed_poll_timeout(master->regs + SVC_I3C_MSTATUS, val,
SVC_I3C_MSTATUS_COMPLETE(val), 0, 1000);
if (ret) {
dev_err(master->dev, "Timeout when polling for COMPLETE\n");
- i3c_generic_ibi_recycle_slot(data->ibi_pool, slot);
return ret;
}
+ slot = i3c_generic_ibi_get_free_slot(data->ibi_pool);
+ if (!slot) {
+ dev_dbg(master->dev, "No free ibi slot, drop the data\n");
+ writel(SVC_I3C_MDATACTRL_FLUSHRB, master->regs + SVC_I3C_MDATACTRL);
+ return -ENOSPC;
+ }
+
+ slot->len = 0;
+ buf = slot->data;
+
while (SVC_I3C_MSTATUS_RXPEND(readl(master->regs + SVC_I3C_MSTATUS)) &&
slot->len < SVC_I3C_FIFO_SIZE) {
mdatactrl = readl(master->regs + SVC_I3C_MDATACTRL);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 068/554] power: supply: wm831x: Check wm831x_set_bits() return value
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 067/554] i3c: master: svc: Prevent incomplete IBI transaction Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 069/554] power: supply: apm_power: only unset own apm_get_power_status Greg Kroah-Hartman
` (491 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Sebastian Reichel,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
[ Upstream commit ea14bae6df18942bccb467fcf5ff33ca677b8253 ]
Since wm831x_set_bits() may return error, log failure and exit from
wm831x_usb_limit_change() in such case.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 626b6cd5f52e ("power: wm831x_power: Support USB charger current limit management")
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Link: https://patch.msgid.link/20251009170553.566561-1-i.abramov@mt-integration.ru
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/wm831x_power.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/power/supply/wm831x_power.c b/drivers/power/supply/wm831x_power.c
index 4cd2dd8700395..902e01a3fc730 100644
--- a/drivers/power/supply/wm831x_power.c
+++ b/drivers/power/supply/wm831x_power.c
@@ -144,6 +144,7 @@ static int wm831x_usb_limit_change(struct notifier_block *nb,
struct wm831x_power,
usb_notify);
unsigned int i, best;
+ int ret;
/* Find the highest supported limit */
best = 0;
@@ -156,8 +157,13 @@ static int wm831x_usb_limit_change(struct notifier_block *nb,
dev_dbg(wm831x_power->wm831x->dev,
"Limiting USB current to %umA", wm831x_usb_limits[best]);
- wm831x_set_bits(wm831x_power->wm831x, WM831X_POWER_STATE,
- WM831X_USB_ILIM_MASK, best);
+ ret = wm831x_set_bits(wm831x_power->wm831x, WM831X_POWER_STATE,
+ WM831X_USB_ILIM_MASK, best);
+ if (ret < 0) {
+ dev_err(wm831x_power->wm831x->dev,
+ "Failed to set USB current limit: %d\n", ret);
+ return ret;
+ }
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 069/554] power: supply: apm_power: only unset own apm_get_power_status
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 068/554] power: supply: wm831x: Check wm831x_set_bits() return value Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 070/554] scsi: target: Do not write NUL characters into ASCII configfs output Greg Kroah-Hartman
` (490 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahelenia Ziemiańska,
Sebastian Reichel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
[ Upstream commit bd44ea12919ac4e83c9f3997240fe58266aa8799 ]
Mirroring drivers/macintosh/apm_emu.c, this means that
modprobe apm_power && modprobe $anotherdriver && modprobe -r apm_power
leaves $anotherdriver's apm_get_power_status instead of deleting it.
Fixes: 3788ec932bfd ("[BATTERY] APM emulation driver for class batteries")
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
Link: https://patch.msgid.link/xczpgox57hxbunkcbdl5fxhc4gnsajsipldfidi7355afezk64@tarta.nabijaczleweli.xyz
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/apm_power.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/power/supply/apm_power.c b/drivers/power/supply/apm_power.c
index 9d1a7fbcaed42..50b9636945599 100644
--- a/drivers/power/supply/apm_power.c
+++ b/drivers/power/supply/apm_power.c
@@ -365,7 +365,8 @@ static int __init apm_battery_init(void)
static void __exit apm_battery_exit(void)
{
- apm_get_power_status = NULL;
+ if (apm_get_power_status == apm_battery_apm_get_power_status)
+ apm_get_power_status = NULL;
}
module_init(apm_battery_init);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 070/554] scsi: target: Do not write NUL characters into ASCII configfs output
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 069/554] power: supply: apm_power: only unset own apm_get_power_status Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 071/554] spi: tegra210-quad: use device_reset method Greg Kroah-Hartman
` (489 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bart Van Assche, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit c03b55f235e283cae49c88b9602fd11096b92eba ]
NUL characters are not allowed in ASCII configfs output. Hence this
patch.
Fixes: c66ac9db8d4a ("[SCSI] target: Add LIO target core v4.0.0-rc6")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://patch.msgid.link/20251027184639.3501254-2-bvanassche@acm.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_configfs.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index 73a9e7b0ecbc7..120c19e41012b 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -2677,7 +2677,6 @@ static ssize_t target_lu_gp_members_show(struct config_item *item, char *page)
cur_len = snprintf(buf, LU_GROUP_NAME_BUF, "%s/%s\n",
config_item_name(&hba->hba_group.cg_item),
config_item_name(&dev->dev_group.cg_item));
- cur_len++; /* Extra byte for NULL terminator */
if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) {
pr_warn("Ran out of lu_gp_show_attr"
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 071/554] spi: tegra210-quad: use device_reset method
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 070/554] scsi: target: Do not write NUL characters into ASCII configfs output Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 072/554] spi: tegra210-quad: add new chips to compatible Greg Kroah-Hartman
` (488 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krishna Yarlagadda, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Yarlagadda <kyarlagadda@nvidia.com>
[ Upstream commit ac982578e7d340dc4f4fd243f4a4b24787d28c3f ]
Use device_reset api to replace duplicate code in driver to call
reset_control_get api with reset handle.
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Link: https://lore.kernel.org/r/20220222175611.58051-2-kyarlagadda@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index 3432058b0a7bd..c3867c70c61d4 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -137,7 +137,6 @@ struct tegra_qspi {
spinlock_t lock;
struct clk *clk;
- struct reset_control *rst;
void __iomem *base;
phys_addr_t phys;
unsigned int irq;
@@ -956,9 +955,8 @@ static void tegra_qspi_handle_error(struct tegra_qspi *tqspi)
dev_err(tqspi->dev, "error in transfer, fifo status 0x%08x\n", tqspi->status_reg);
tegra_qspi_dump_regs(tqspi);
tegra_qspi_flush_fifos(tqspi, true);
- reset_control_assert(tqspi->rst);
- udelay(2);
- reset_control_deassert(tqspi->rst);
+ if (device_reset(tqspi->dev) < 0)
+ dev_warn_once(tqspi->dev, "device reset failed\n");
}
static void tegra_qspi_transfer_end(struct spi_device *spi)
@@ -1260,13 +1258,6 @@ static int tegra_qspi_probe(struct platform_device *pdev)
return ret;
}
- tqspi->rst = devm_reset_control_get_exclusive(&pdev->dev, NULL);
- if (IS_ERR(tqspi->rst)) {
- ret = PTR_ERR(tqspi->rst);
- dev_err(&pdev->dev, "failed to get reset control: %d\n", ret);
- return ret;
- }
-
tqspi->max_buf_size = QSPI_FIFO_DEPTH << 2;
tqspi->dma_buf_size = DEFAULT_QSPI_DMA_BUF_LEN;
@@ -1288,9 +1279,8 @@ static int tegra_qspi_probe(struct platform_device *pdev)
goto exit_pm_disable;
}
- reset_control_assert(tqspi->rst);
- udelay(2);
- reset_control_deassert(tqspi->rst);
+ if (device_reset(tqspi->dev) < 0)
+ dev_warn_once(tqspi->dev, "device reset failed\n");
tqspi->def_command1_reg = QSPI_M_S | QSPI_CS_SW_HW | QSPI_CS_SW_VAL;
tegra_qspi_writel(tqspi, tqspi->def_command1_reg, QSPI_COMMAND1);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 072/554] spi: tegra210-quad: add new chips to compatible
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 071/554] spi: tegra210-quad: use device_reset method Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 073/554] spi: tegra210-quad: combined sequence mode Greg Kroah-Hartman
` (487 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krishna Yarlagadda, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Yarlagadda <kyarlagadda@nvidia.com>
[ Upstream commit ea23f0e148b82e5bcbc6c814926f53133552f0f3 ]
Add support for Tegra234 and soc data to select capabilities.
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Link: https://lore.kernel.org/r/20220222175611.58051-4-kyarlagadda@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 33 ++++++++++++++++++++++++++++++---
1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index c3867c70c61d4..325ff5c1926c4 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -125,6 +125,10 @@
#define QSPI_DMA_TIMEOUT (msecs_to_jiffies(1000))
#define DEFAULT_QSPI_DMA_BUF_LEN (64 * 1024)
+struct tegra_qspi_soc_data {
+ bool has_dma;
+};
+
struct tegra_qspi_client_data {
int tx_clk_tap_delay;
int rx_clk_tap_delay;
@@ -184,6 +188,7 @@ struct tegra_qspi {
u32 *tx_dma_buf;
dma_addr_t tx_dma_phys;
struct dma_async_tx_descriptor *tx_dma_desc;
+ const struct tegra_qspi_soc_data *soc_data;
};
static inline u32 tegra_qspi_readl(struct tegra_qspi *tqspi, unsigned long offset)
@@ -1199,10 +1204,32 @@ static irqreturn_t tegra_qspi_isr_thread(int irq, void *context_data)
return handle_dma_based_xfer(tqspi);
}
+static struct tegra_qspi_soc_data tegra210_qspi_soc_data = {
+ .has_dma = true,
+};
+
+static struct tegra_qspi_soc_data tegra186_qspi_soc_data = {
+ .has_dma = true,
+};
+
+static struct tegra_qspi_soc_data tegra234_qspi_soc_data = {
+ .has_dma = false,
+};
+
static const struct of_device_id tegra_qspi_of_match[] = {
- { .compatible = "nvidia,tegra210-qspi", },
- { .compatible = "nvidia,tegra186-qspi", },
- { .compatible = "nvidia,tegra194-qspi", },
+ {
+ .compatible = "nvidia,tegra210-qspi",
+ .data = &tegra210_qspi_soc_data,
+ }, {
+ .compatible = "nvidia,tegra186-qspi",
+ .data = &tegra186_qspi_soc_data,
+ }, {
+ .compatible = "nvidia,tegra194-qspi",
+ .data = &tegra186_qspi_soc_data,
+ }, {
+ .compatible = "nvidia,tegra234-qspi",
+ .data = &tegra234_qspi_soc_data,
+ },
{}
};
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 073/554] spi: tegra210-quad: combined sequence mode
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 072/554] spi: tegra210-quad: add new chips to compatible Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 074/554] spi: tegra210-quad: modify chip select (CS) deactivation Greg Kroah-Hartman
` (486 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krishna Yarlagadda,
kernel test robot, Dan Carpenter, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Yarlagadda <kyarlagadda@nvidia.com>
[ Upstream commit 1b8342cc4a387933780c50f0cf51c94455be7d11 ]
Add combined sequence mode supported by Tegra QSPI controller.
For commands which contain cmd, addr, data parts to it, controller
can accept all 3 transfers at once and avoid interrupt for each
transfer. This would improve read & write performance.
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20220307165519.38380-3-kyarlagadda@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 238 +++++++++++++++++++++++++++++++-
1 file changed, 233 insertions(+), 5 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index 325ff5c1926c4..ff6a2c297b8af 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -119,14 +119,39 @@
#define QSPI_NUM_DUMMY_CYCLE(x) (((x) & 0xff) << 0)
#define QSPI_DUMMY_CYCLES_MAX 0xff
+#define QSPI_CMB_SEQ_CMD 0x19c
+#define QSPI_COMMAND_VALUE_SET(X) (((x) & 0xFF) << 0)
+
+#define QSPI_CMB_SEQ_CMD_CFG 0x1a0
+#define QSPI_COMMAND_X1_X2_X4(x) (((x) & 0x3) << 13)
+#define QSPI_COMMAND_X1_X2_X4_MASK (0x03 << 13)
+#define QSPI_COMMAND_SDR_DDR BIT(12)
+#define QSPI_COMMAND_SIZE_SET(x) (((x) & 0xFF) << 0)
+
+#define QSPI_GLOBAL_CONFIG 0X1a4
+#define QSPI_CMB_SEQ_EN BIT(0)
+
+#define QSPI_CMB_SEQ_ADDR 0x1a8
+#define QSPI_ADDRESS_VALUE_SET(X) (((x) & 0xFFFF) << 0)
+
+#define QSPI_CMB_SEQ_ADDR_CFG 0x1ac
+#define QSPI_ADDRESS_X1_X2_X4(x) (((x) & 0x3) << 13)
+#define QSPI_ADDRESS_X1_X2_X4_MASK (0x03 << 13)
+#define QSPI_ADDRESS_SDR_DDR BIT(12)
+#define QSPI_ADDRESS_SIZE_SET(x) (((x) & 0xFF) << 0)
+
#define DATA_DIR_TX BIT(0)
#define DATA_DIR_RX BIT(1)
#define QSPI_DMA_TIMEOUT (msecs_to_jiffies(1000))
#define DEFAULT_QSPI_DMA_BUF_LEN (64 * 1024)
+#define CMD_TRANSFER 0
+#define ADDR_TRANSFER 1
+#define DATA_TRANSFER 2
struct tegra_qspi_soc_data {
bool has_dma;
+ bool cmb_xfer_capable;
};
struct tegra_qspi_client_data {
@@ -918,7 +943,6 @@ static int tegra_qspi_setup(struct spi_device *spi)
cdata = tegra_qspi_parse_cdata_dt(spi);
spi->controller_data = cdata;
}
-
spin_lock_irqsave(&tqspi->lock, flags);
/* keep default cs state to inactive */
@@ -977,19 +1001,179 @@ static void tegra_qspi_transfer_end(struct spi_device *spi)
tegra_qspi_writel(tqspi, tqspi->def_command1_reg, QSPI_COMMAND1);
}
-static int tegra_qspi_transfer_one_message(struct spi_master *master, struct spi_message *msg)
+static u32 tegra_qspi_cmd_config(bool is_ddr, u8 bus_width, u8 len)
+{
+ u32 cmd_config = 0;
+
+ /* Extract Command configuration and value */
+ if (is_ddr)
+ cmd_config |= QSPI_COMMAND_SDR_DDR;
+ else
+ cmd_config &= ~QSPI_COMMAND_SDR_DDR;
+
+ cmd_config |= QSPI_COMMAND_X1_X2_X4(bus_width);
+ cmd_config |= QSPI_COMMAND_SIZE_SET((len * 8) - 1);
+
+ return cmd_config;
+}
+
+static u32 tegra_qspi_addr_config(bool is_ddr, u8 bus_width, u8 len)
+{
+ u32 addr_config = 0;
+
+ /* Extract Address configuration and value */
+ is_ddr = 0; //Only SDR mode supported
+ bus_width = 0; //X1 mode
+
+ if (is_ddr)
+ addr_config |= QSPI_ADDRESS_SDR_DDR;
+ else
+ addr_config &= ~QSPI_ADDRESS_SDR_DDR;
+
+ addr_config |= QSPI_ADDRESS_X1_X2_X4(bus_width);
+ addr_config |= QSPI_ADDRESS_SIZE_SET((len * 8) - 1);
+
+ return addr_config;
+}
+
+static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
+ struct spi_message *msg)
+{
+ bool is_first_msg = true;
+ struct spi_transfer *xfer;
+ struct spi_device *spi = msg->spi;
+ u8 transfer_phase = 0;
+ u32 cmd1 = 0, dma_ctl = 0;
+ int ret = 0;
+ u32 address_value = 0;
+ u32 cmd_config = 0, addr_config = 0;
+ u8 cmd_value = 0, val = 0;
+
+ /* Enable Combined sequence mode */
+ val = tegra_qspi_readl(tqspi, QSPI_GLOBAL_CONFIG);
+ val |= QSPI_CMB_SEQ_EN;
+ tegra_qspi_writel(tqspi, val, QSPI_GLOBAL_CONFIG);
+ /* Process individual transfer list */
+ list_for_each_entry(xfer, &msg->transfers, transfer_list) {
+ switch (transfer_phase) {
+ case CMD_TRANSFER:
+ /* X1 SDR mode */
+ cmd_config = tegra_qspi_cmd_config(false, 0,
+ xfer->len);
+ cmd_value = *((const u8 *)(xfer->tx_buf));
+ break;
+ case ADDR_TRANSFER:
+ /* X1 SDR mode */
+ addr_config = tegra_qspi_addr_config(false, 0,
+ xfer->len);
+ address_value = *((const u32 *)(xfer->tx_buf));
+ break;
+ case DATA_TRANSFER:
+ /* Program Command, Address value in register */
+ tegra_qspi_writel(tqspi, cmd_value, QSPI_CMB_SEQ_CMD);
+ tegra_qspi_writel(tqspi, address_value,
+ QSPI_CMB_SEQ_ADDR);
+ /* Program Command and Address config in register */
+ tegra_qspi_writel(tqspi, cmd_config,
+ QSPI_CMB_SEQ_CMD_CFG);
+ tegra_qspi_writel(tqspi, addr_config,
+ QSPI_CMB_SEQ_ADDR_CFG);
+
+ reinit_completion(&tqspi->xfer_completion);
+ cmd1 = tegra_qspi_setup_transfer_one(spi, xfer,
+ is_first_msg);
+ ret = tegra_qspi_start_transfer_one(spi, xfer,
+ cmd1);
+
+ if (ret < 0) {
+ dev_err(tqspi->dev, "Failed to start transfer-one: %d\n",
+ ret);
+ return ret;
+ }
+
+ is_first_msg = false;
+ ret = wait_for_completion_timeout
+ (&tqspi->xfer_completion,
+ QSPI_DMA_TIMEOUT);
+
+ if (WARN_ON(ret == 0)) {
+ dev_err(tqspi->dev, "QSPI Transfer failed with timeout: %d\n",
+ ret);
+ if (tqspi->is_curr_dma_xfer &&
+ (tqspi->cur_direction & DATA_DIR_TX))
+ dmaengine_terminate_all
+ (tqspi->tx_dma_chan);
+
+ if (tqspi->is_curr_dma_xfer &&
+ (tqspi->cur_direction & DATA_DIR_RX))
+ dmaengine_terminate_all
+ (tqspi->rx_dma_chan);
+
+ /* Abort transfer by resetting pio/dma bit */
+ if (!tqspi->is_curr_dma_xfer) {
+ cmd1 = tegra_qspi_readl
+ (tqspi,
+ QSPI_COMMAND1);
+ cmd1 &= ~QSPI_PIO;
+ tegra_qspi_writel
+ (tqspi, cmd1,
+ QSPI_COMMAND1);
+ } else {
+ dma_ctl = tegra_qspi_readl
+ (tqspi,
+ QSPI_DMA_CTL);
+ dma_ctl &= ~QSPI_DMA_EN;
+ tegra_qspi_writel(tqspi, dma_ctl,
+ QSPI_DMA_CTL);
+ }
+
+ /* Reset controller if timeout happens */
+ if (device_reset(tqspi->dev) < 0)
+ dev_warn_once(tqspi->dev,
+ "device reset failed\n");
+ ret = -EIO;
+ goto exit;
+ }
+
+ if (tqspi->tx_status || tqspi->rx_status) {
+ dev_err(tqspi->dev, "QSPI Transfer failed\n");
+ tqspi->tx_status = 0;
+ tqspi->rx_status = 0;
+ ret = -EIO;
+ goto exit;
+ }
+ break;
+ default:
+ ret = -EINVAL;
+ goto exit;
+ }
+ msg->actual_length += xfer->len;
+ transfer_phase++;
+ }
+
+exit:
+ msg->status = ret;
+
+ return ret;
+}
+
+static int tegra_qspi_non_combined_seq_xfer(struct tegra_qspi *tqspi,
+ struct spi_message *msg)
{
- struct tegra_qspi *tqspi = spi_master_get_devdata(master);
struct spi_device *spi = msg->spi;
struct spi_transfer *transfer;
bool is_first_msg = true;
- int ret;
+ int ret = 0, val = 0;
msg->status = 0;
msg->actual_length = 0;
tqspi->tx_status = 0;
tqspi->rx_status = 0;
+ /* Disable Combined sequence mode */
+ val = tegra_qspi_readl(tqspi, QSPI_GLOBAL_CONFIG);
+ val &= ~QSPI_CMB_SEQ_EN;
+ tegra_qspi_writel(tqspi, val, QSPI_GLOBAL_CONFIG);
list_for_each_entry(transfer, &msg->transfers, transfer_list) {
struct spi_transfer *xfer = transfer;
u8 dummy_bytes = 0;
@@ -1027,7 +1211,6 @@ static int tegra_qspi_transfer_one_message(struct spi_master *master, struct spi
goto complete_xfer;
}
- is_first_msg = false;
ret = wait_for_completion_timeout(&tqspi->xfer_completion,
QSPI_DMA_TIMEOUT);
if (WARN_ON(ret == 0)) {
@@ -1072,7 +1255,48 @@ static int tegra_qspi_transfer_one_message(struct spi_master *master, struct spi
ret = 0;
exit:
msg->status = ret;
+
+ return ret;
+}
+
+static bool tegra_qspi_validate_cmb_seq(struct tegra_qspi *tqspi,
+ struct spi_message *msg)
+{
+ int transfer_count = 0;
+ struct spi_transfer *xfer;
+
+ list_for_each_entry(xfer, &msg->transfers, transfer_list) {
+ transfer_count++;
+ }
+ if (!tqspi->soc_data->cmb_xfer_capable || transfer_count != 3)
+ return false;
+ xfer = list_first_entry(&msg->transfers, typeof(*xfer),
+ transfer_list);
+ if (xfer->len > 2)
+ return false;
+ xfer = list_next_entry(xfer, transfer_list);
+ if (xfer->len > 4 || xfer->len < 3)
+ return false;
+ xfer = list_next_entry(xfer, transfer_list);
+ if (!tqspi->soc_data->has_dma || xfer->len > (QSPI_FIFO_DEPTH << 2))
+ return false;
+
+ return true;
+}
+
+static int tegra_qspi_transfer_one_message(struct spi_master *master,
+ struct spi_message *msg)
+{
+ struct tegra_qspi *tqspi = spi_master_get_devdata(master);
+ int ret;
+
+ if (tegra_qspi_validate_cmb_seq(tqspi, msg))
+ ret = tegra_qspi_combined_seq_xfer(tqspi, msg);
+ else
+ ret = tegra_qspi_non_combined_seq_xfer(tqspi, msg);
+
spi_finalize_current_message(master);
+
return ret;
}
@@ -1206,14 +1430,17 @@ static irqreturn_t tegra_qspi_isr_thread(int irq, void *context_data)
static struct tegra_qspi_soc_data tegra210_qspi_soc_data = {
.has_dma = true,
+ .cmb_xfer_capable = false,
};
static struct tegra_qspi_soc_data tegra186_qspi_soc_data = {
.has_dma = true,
+ .cmb_xfer_capable = true,
};
static struct tegra_qspi_soc_data tegra234_qspi_soc_data = {
.has_dma = false,
+ .cmb_xfer_capable = true,
};
static const struct of_device_id tegra_qspi_of_match[] = {
@@ -1267,6 +1494,7 @@ static int tegra_qspi_probe(struct platform_device *pdev)
tqspi->dev = &pdev->dev;
spin_lock_init(&tqspi->lock);
+ tqspi->soc_data = device_get_match_data(&pdev->dev);
r = platform_get_resource(pdev, IORESOURCE_MEM, 0);
tqspi->base = devm_ioremap_resource(&pdev->dev, r);
if (IS_ERR(tqspi->base))
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 074/554] spi: tegra210-quad: modify chip select (CS) deactivation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 073/554] spi: tegra210-quad: combined sequence mode Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 075/554] spi: tegra210-quad: Fix timeout handling Greg Kroah-Hartman
` (485 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vishwaroop A, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
[ Upstream commit d8966b65413390d1b5b706886987caac05fbe024 ]
Modify the chip select (CS) deactivation and inter-transfer delay
execution only during the DATA_TRANSFER phase when the cs_change
flag is not set. This ensures proper CS handling and timing between
transfers while eliminating redundant operations.
Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20250416110606.2737315-4-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index ff6a2c297b8af..50243a520158c 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -1148,6 +1148,10 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
goto exit;
}
msg->actual_length += xfer->len;
+ if (!xfer->cs_change && transfer_phase == DATA_TRANSFER) {
+ tegra_qspi_transfer_end(spi);
+ spi_transfer_delay_exec(xfer);
+ }
transfer_phase++;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 075/554] spi: tegra210-quad: Fix timeout handling
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 074/554] spi: tegra210-quad: modify chip select (CS) deactivation Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 076/554] mfd: da9055: Fix missing regmap_del_irq_chip() in error path Greg Kroah-Hartman
` (484 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thierry Reding, Vishwaroop A,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
[ Upstream commit b4e002d8a7cee3b1d70efad0e222567f92a73000 ]
When the CPU that the QSPI interrupt handler runs on (typically CPU 0)
is excessively busy, it can lead to rare cases of the IRQ thread not
running before the transfer timeout is reached.
While handling the timeouts, any pending transfers are cleaned up and
the message that they correspond to is marked as failed, which leaves
the curr_xfer field pointing at stale memory.
To avoid this, clear curr_xfer to NULL upon timeout and check for this
condition when the IRQ thread is finally run.
While at it, also make sure to clear interrupts on failure so that new
interrupts can be run.
A better, more involved, fix would move the interrupt clearing into a
hard IRQ handler. Ideally we would also want to signal that the IRQ
thread no longer needs to be run after the timeout is hit to avoid the
extra check for a valid transfer.
Fixes: 921fc1838fb0 ("spi: tegra210-quad: Add support for Tegra210 QSPI controller")
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20251028155703.4151791-2-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-tegra210-quad.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-quad.c
index 50243a520158c..9111430469786 100644
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -984,8 +984,10 @@ static void tegra_qspi_handle_error(struct tegra_qspi *tqspi)
dev_err(tqspi->dev, "error in transfer, fifo status 0x%08x\n", tqspi->status_reg);
tegra_qspi_dump_regs(tqspi);
tegra_qspi_flush_fifos(tqspi, true);
- if (device_reset(tqspi->dev) < 0)
+ if (device_reset(tqspi->dev) < 0) {
dev_warn_once(tqspi->dev, "device reset failed\n");
+ tegra_qspi_mask_clear_irq(tqspi);
+ }
}
static void tegra_qspi_transfer_end(struct spi_device *spi)
@@ -1128,9 +1130,11 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
}
/* Reset controller if timeout happens */
- if (device_reset(tqspi->dev) < 0)
+ if (device_reset(tqspi->dev) < 0) {
dev_warn_once(tqspi->dev,
"device reset failed\n");
+ tegra_qspi_mask_clear_irq(tqspi);
+ }
ret = -EIO;
goto exit;
}
@@ -1152,10 +1156,12 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_qspi *tqspi,
tegra_qspi_transfer_end(spi);
spi_transfer_delay_exec(xfer);
}
+ tqspi->curr_xfer = NULL;
transfer_phase++;
}
exit:
+ tqspi->curr_xfer = NULL;
msg->status = ret;
return ret;
@@ -1237,6 +1243,8 @@ static int tegra_qspi_non_combined_seq_xfer(struct tegra_qspi *tqspi,
msg->actual_length += xfer->len + dummy_bytes;
complete_xfer:
+ tqspi->curr_xfer = NULL;
+
if (ret < 0) {
tegra_qspi_transfer_end(spi);
spi_transfer_delay_exec(xfer);
@@ -1333,6 +1341,7 @@ static irqreturn_t handle_cpu_based_xfer(struct tegra_qspi *tqspi)
tegra_qspi_calculate_curr_xfer_param(tqspi, t);
tegra_qspi_start_cpu_based_transfer(tqspi, t);
exit:
+ tqspi->curr_xfer = NULL;
spin_unlock_irqrestore(&tqspi->lock, flags);
return IRQ_HANDLED;
}
@@ -1416,6 +1425,15 @@ static irqreturn_t tegra_qspi_isr_thread(int irq, void *context_data)
{
struct tegra_qspi *tqspi = context_data;
+ /*
+ * Occasionally the IRQ thread takes a long time to wake up (usually
+ * when the CPU that it's running on is excessively busy) and we have
+ * already reached the timeout before and cleaned up the timed out
+ * transfer. Avoid any processing in that case and bail out early.
+ */
+ if (!tqspi->curr_xfer)
+ return IRQ_NONE;
+
tqspi->status_reg = tegra_qspi_readl(tqspi, QSPI_FIFO_STATUS);
if (tqspi->cur_direction & DATA_DIR_TX)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 076/554] mfd: da9055: Fix missing regmap_del_irq_chip() in error path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 075/554] spi: tegra210-quad: Fix timeout handling Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 077/554] ext4: minor defrag code improvements Greg Kroah-Hartman
` (483 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Lee Jones,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 1b58acfd067ca16116b9234cd6b2d30cc8ab7502 ]
When da9055_device_init() fails after regmap_add_irq_chip()
succeeds but mfd_add_devices() fails, the error handling path
only calls mfd_remove_devices() but forgets to call
regmap_del_irq_chip(). This results in a resource leak.
Fix this by adding regmap_del_irq_chip() to the error path so
that resources are released properly.
Fixes: 2896434cf272 ("mfd: DA9055 core driver")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251010011737.1078-1-vulab@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/da9055-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mfd/da9055-core.c b/drivers/mfd/da9055-core.c
index c3bcbd8905c6c..a520890090ba4 100644
--- a/drivers/mfd/da9055-core.c
+++ b/drivers/mfd/da9055-core.c
@@ -388,6 +388,7 @@ int da9055_device_init(struct da9055 *da9055)
err:
mfd_remove_devices(da9055->dev);
+ regmap_del_irq_chip(da9055->chip_irq, da9055->irq_data);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 077/554] ext4: minor defrag code improvements
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 076/554] mfd: da9055: Fix missing regmap_del_irq_chip() in error path Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 078/554] ext4: correct the checking of quota files before moving extents Greg Kroah-Hartman
` (482 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Whitney, Theodore Tso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Whitney <enwlinux@gmail.com>
[ Upstream commit d412df530f77d0f61c41b83f925997452fc3944c ]
Modify the error returns for two file types that can't be defragged to
more clearly communicate those restrictions to a caller. When the
defrag code is applied to swap files, return -ETXTBSY, and when applied
to quota files, return -EOPNOTSUPP. Move an extent tree search whose
results are only occasionally required to the site always requiring them
for improved efficiency. Address a few typos.
Signed-off-by: Eric Whitney <enwlinux@gmail.com>
Link: https://lore.kernel.org/r/20220722163910.268564-1-enwlinux@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a2e5a3cea4b1 ("ext4: correct the checking of quota files before moving extents")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/move_extent.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index 661a8544d7817..4cb1872c9af43 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -466,19 +466,17 @@ mext_check_arguments(struct inode *orig_inode,
if (IS_IMMUTABLE(donor_inode) || IS_APPEND(donor_inode))
return -EPERM;
- /* Ext4 move extent does not support swapfile */
+ /* Ext4 move extent does not support swap files */
if (IS_SWAPFILE(orig_inode) || IS_SWAPFILE(donor_inode)) {
- ext4_debug("ext4 move extent: The argument files should "
- "not be swapfile [ino:orig %lu, donor %lu]\n",
+ ext4_debug("ext4 move extent: The argument files should not be swap files [ino:orig %lu, donor %lu]\n",
orig_inode->i_ino, donor_inode->i_ino);
- return -EBUSY;
+ return -ETXTBSY;
}
if (ext4_is_quota_file(orig_inode) && ext4_is_quota_file(donor_inode)) {
- ext4_debug("ext4 move extent: The argument files should "
- "not be quota files [ino:orig %lu, donor %lu]\n",
+ ext4_debug("ext4 move extent: The argument files should not be quota files [ino:orig %lu, donor %lu]\n",
orig_inode->i_ino, donor_inode->i_ino);
- return -EBUSY;
+ return -EOPNOTSUPP;
}
/* Ext4 move extent supports only extent based file */
@@ -626,11 +624,11 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk,
if (ret)
goto out;
ex = path[path->p_depth].p_ext;
- next_blk = ext4_ext_next_allocated_block(path);
cur_blk = le32_to_cpu(ex->ee_block);
cur_len = ext4_ext_get_actual_len(ex);
/* Check hole before the start pos */
if (cur_blk + cur_len - 1 < o_start) {
+ next_blk = ext4_ext_next_allocated_block(path);
if (next_blk == EXT_MAX_BLOCKS) {
o_start = o_end;
ret = -ENODATA;
@@ -659,7 +657,7 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, __u64 orig_blk,
donor_page_index = d_start >> (PAGE_SHIFT -
donor_inode->i_blkbits);
offset_in_page = o_start % blocks_per_page;
- if (cur_len > blocks_per_page- offset_in_page)
+ if (cur_len > blocks_per_page - offset_in_page)
cur_len = blocks_per_page - offset_in_page;
/*
* Up semaphore to avoid following problems:
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 078/554] ext4: correct the checking of quota files before moving extents
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 077/554] ext4: minor defrag code improvements Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 079/554] perf/x86/intel: Correct large PEBS flag check Greg Kroah-Hartman
` (481 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yi, Jan Kara, Theodore Tso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Yi <yi.zhang@huawei.com>
[ Upstream commit a2e5a3cea4b18f6e2575acc444a5e8cce1fc8260 ]
The move extent operation should return -EOPNOTSUPP if any of the inodes
is a quota inode, rather than requiring both to be quota inodes.
Fixes: 02749a4c2082 ("ext4: add ext4_is_quota_file()")
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251013015128.499308-2-yi.zhang@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/move_extent.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index 4cb1872c9af43..b1ad339165e41 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -473,7 +473,7 @@ mext_check_arguments(struct inode *orig_inode,
return -ETXTBSY;
}
- if (ext4_is_quota_file(orig_inode) && ext4_is_quota_file(donor_inode)) {
+ if (ext4_is_quota_file(orig_inode) || ext4_is_quota_file(donor_inode)) {
ext4_debug("ext4 move extent: The argument files should not be quota files [ino:orig %lu, donor %lu]\n",
orig_inode->i_ino, donor_inode->i_ino);
return -EOPNOTSUPP;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 079/554] perf/x86/intel: Correct large PEBS flag check
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 078/554] ext4: correct the checking of quota files before moving extents Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 080/554] regulator: core: disable supply if enabling main regulator fails Greg Kroah-Hartman
` (480 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dapeng Mi, Peter Zijlstra (Intel),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dapeng Mi <dapeng1.mi@linux.intel.com>
[ Upstream commit 5e4e355ae7cdeb0fef5dbe908866e1f895abfacc ]
current large PEBS flag check only checks if sample_regs_user contains
unsupported GPRs but doesn't check if sample_regs_intr contains
unsupported GPRs.
Of course, currently PEBS HW supports to sample all perf supported GPRs,
the missed check doesn't cause real issue. But it won't be true any more
after the subsequent patches support to sample SSP register. SSP
sampling is not supported by adaptive PEBS HW and it would be supported
until arch-PEBS HW. So correct this issue.
Fixes: a47ba4d77e12 ("perf/x86: Enable free running PEBS for REGS_USER/INTR")
Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://patch.msgid.link/20251029102136.61364-5-dapeng1.mi@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/intel/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/intel/core.c b/arch/x86/events/intel/core.c
index 767c60af13be3..589c850fe4b00 100644
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -3639,7 +3639,9 @@ static unsigned long intel_pmu_large_pebs_flags(struct perf_event *event)
if (!event->attr.exclude_kernel)
flags &= ~PERF_SAMPLE_REGS_USER;
if (event->attr.sample_regs_user & ~PEBS_GP_REGS)
- flags &= ~(PERF_SAMPLE_REGS_USER | PERF_SAMPLE_REGS_INTR);
+ flags &= ~PERF_SAMPLE_REGS_USER;
+ if (event->attr.sample_regs_intr & ~PEBS_GP_REGS)
+ flags &= ~PERF_SAMPLE_REGS_INTR;
return flags;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 080/554] regulator: core: disable supply if enabling main regulator fails
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 079/554] perf/x86/intel: Correct large PEBS flag check Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 081/554] nbd: clean up return value checking of sock_xmit() Greg Kroah-Hartman
` (479 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gabor Juhos, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabor Juhos <j4g8y7@gmail.com>
[ Upstream commit fb1ebb10468da414d57153ddebaab29c38ef1a78 ]
For 'always-on' and 'boot-on' regulators, the set_machine_constraints()
may enable supply before enabling the main regulator, however if the
latter fails, the function returns with an error but the supply remains
enabled.
When this happens, the regulator_register() function continues on the
error path where it puts the supply regulator. Since enabling the supply
is not balanced with a disable call, a warning similar to the following
gets issued from _regulator_put():
[ 1.603889] WARNING: CPU: 2 PID: 44 at _regulator_put+0x8c/0xa0
[ 1.603908] Modules linked in:
[ 1.603926] CPU: 2 UID: 0 PID: 44 Comm: kworker/u16:3 Not tainted 6.18.0-rc4 #0 NONE
[ 1.603938] Hardware name: Qualcomm Technologies, Inc. IPQ9574/AP-AL02-C7 (DT)
[ 1.603945] Workqueue: async async_run_entry_fn
[ 1.603958] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 1.603967] pc : _regulator_put+0x8c/0xa0
[ 1.603976] lr : _regulator_put+0x7c/0xa0
...
[ 1.604140] Call trace:
[ 1.604145] _regulator_put+0x8c/0xa0 (P)
[ 1.604156] regulator_register+0x2ec/0xbf0
[ 1.604166] devm_regulator_register+0x60/0xb0
[ 1.604178] rpm_reg_probe+0x120/0x208
[ 1.604187] platform_probe+0x64/0xa8
...
In order to avoid this, change the set_machine_constraints() function to
disable the supply if enabling the main regulator fails.
Fixes: 05f224ca6693 ("regulator: core: Clean enabling always-on regulators + their supplies")
Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
Link: https://patch.msgid.link/20251107-regulator-disable-supply-v1-1-c95f0536f1b5@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index ed5d58baa1f75..6c5913a1a6821 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1616,6 +1616,8 @@ static int set_machine_constraints(struct regulator_dev *rdev)
* and we have control then make sure it is enabled.
*/
if (rdev->constraints->always_on || rdev->constraints->boot_on) {
+ bool supply_enabled = false;
+
/* If we want to enable this regulator, make sure that we know
* the supplying regulator.
*/
@@ -1635,11 +1637,14 @@ static int set_machine_constraints(struct regulator_dev *rdev)
rdev->supply = NULL;
return ret;
}
+ supply_enabled = true;
}
ret = _regulator_do_enable(rdev);
if (ret < 0 && ret != -EINVAL) {
rdev_err(rdev, "failed to enable: %pe\n", ERR_PTR(ret));
+ if (supply_enabled)
+ regulator_disable(rdev->supply);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 081/554] nbd: clean up return value checking of sock_xmit()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 080/554] regulator: core: disable supply if enabling main regulator fails Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 082/554] nbd: partition nbd_read_stat() into nbd_read_reply() and nbd_handle_reply() Greg Kroah-Hartman
` (478 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Ming Lei, Josef Bacik,
Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit f52c0e08237e7864a44311fc78bc9bf2e045611b ]
Check if sock_xmit() return 0 is useless because it'll never return
0, comment it and remove such checkings.
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20210916093350.1410403-6-yukuai3@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 9517b82d8d42 ("nbd: defer config put in recv_work")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/nbd.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index eca713f87614f..3f5c5e122bf78 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -487,7 +487,8 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req,
}
/*
- * Send or receive packet.
+ * Send or receive packet. Return a positive value on success and
+ * negtive value on failue, and never return 0.
*/
static int sock_xmit(struct nbd_device *nbd, int index, int send,
struct iov_iter *iter, int msg_flags, int *sent)
@@ -613,7 +614,7 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd, int index)
result = sock_xmit(nbd, index, 1, &from,
(type == NBD_CMD_WRITE) ? MSG_MORE : 0, &sent);
trace_nbd_header_sent(req, handle);
- if (result <= 0) {
+ if (result < 0) {
if (was_interrupted(result)) {
/* If we havne't sent anything we can just return BUSY,
* however if we have sent something we need to make
@@ -657,7 +658,7 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd, int index)
skip = 0;
}
result = sock_xmit(nbd, index, 1, &from, flags, &sent);
- if (result <= 0) {
+ if (result < 0) {
if (was_interrupted(result)) {
/* We've already sent the header, we
* have no choice but to set pending and
@@ -709,7 +710,7 @@ static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index)
reply.magic = 0;
iov_iter_kvec(&to, READ, &iov, 1, sizeof(reply));
result = sock_xmit(nbd, index, 0, &to, MSG_WAITALL, NULL);
- if (result <= 0) {
+ if (result < 0) {
if (!nbd_disconnected(config))
dev_err(disk_to_dev(nbd->disk),
"Receive control failed (result %d)\n", result);
@@ -770,7 +771,7 @@ static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index)
rq_for_each_segment(bvec, req, iter) {
iov_iter_bvec(&to, READ, &bvec, 1, bvec.bv_len);
result = sock_xmit(nbd, index, 0, &to, MSG_WAITALL, NULL);
- if (result <= 0) {
+ if (result < 0) {
dev_err(disk_to_dev(nbd->disk), "Receive data failed (result %d)\n",
result);
/*
@@ -1216,7 +1217,7 @@ static void send_disconnects(struct nbd_device *nbd)
iov_iter_kvec(&from, WRITE, &iov, 1, sizeof(request));
mutex_lock(&nsock->tx_lock);
ret = sock_xmit(nbd, i, 1, &from, 0, NULL);
- if (ret <= 0)
+ if (ret < 0)
dev_err(disk_to_dev(nbd->disk),
"Send disconnect failed %d\n", ret);
mutex_unlock(&nsock->tx_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 082/554] nbd: partition nbd_read_stat() into nbd_read_reply() and nbd_handle_reply()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 081/554] nbd: clean up return value checking of sock_xmit() Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 083/554] nbd: defer config put in recv_work Greg Kroah-Hartman
` (477 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Ming Lei, Josef Bacik,
Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit 3fe1db626a56cdf259c348404f2c5429e2f065a1 ]
Prepare to fix uaf in nbd_read_stat(), no functional changes.
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20210916093350.1410403-7-yukuai3@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Stable-dep-of: 9517b82d8d42 ("nbd: defer config put in recv_work")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/nbd.c | 74 +++++++++++++++++++++++++++------------------
1 file changed, 44 insertions(+), 30 deletions(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 3f5c5e122bf78..eb37427a3c019 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -692,38 +692,45 @@ static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd, int index)
return 0;
}
-/* NULL returned = something went wrong, inform userspace */
-static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index)
+static int nbd_read_reply(struct nbd_device *nbd, int index,
+ struct nbd_reply *reply)
{
- struct nbd_config *config = nbd->config;
- int result;
- struct nbd_reply reply;
- struct nbd_cmd *cmd;
- struct request *req = NULL;
- u64 handle;
- u16 hwq;
- u32 tag;
- struct kvec iov = {.iov_base = &reply, .iov_len = sizeof(reply)};
+ struct kvec iov = {.iov_base = reply, .iov_len = sizeof(*reply)};
struct iov_iter to;
- int ret = 0;
+ int result;
- reply.magic = 0;
- iov_iter_kvec(&to, READ, &iov, 1, sizeof(reply));
+ reply->magic = 0;
+ iov_iter_kvec(&to, READ, &iov, 1, sizeof(*reply));
result = sock_xmit(nbd, index, 0, &to, MSG_WAITALL, NULL);
if (result < 0) {
- if (!nbd_disconnected(config))
+ if (!nbd_disconnected(nbd->config))
dev_err(disk_to_dev(nbd->disk),
"Receive control failed (result %d)\n", result);
- return ERR_PTR(result);
+ return result;
}
- if (ntohl(reply.magic) != NBD_REPLY_MAGIC) {
+ if (ntohl(reply->magic) != NBD_REPLY_MAGIC) {
dev_err(disk_to_dev(nbd->disk), "Wrong magic (0x%lx)\n",
- (unsigned long)ntohl(reply.magic));
- return ERR_PTR(-EPROTO);
+ (unsigned long)ntohl(reply->magic));
+ return -EPROTO;
}
- memcpy(&handle, reply.handle, sizeof(handle));
+ return 0;
+}
+
+/* NULL returned = something went wrong, inform userspace */
+static struct nbd_cmd *nbd_handle_reply(struct nbd_device *nbd, int index,
+ struct nbd_reply *reply)
+{
+ int result;
+ struct nbd_cmd *cmd;
+ struct request *req = NULL;
+ u64 handle;
+ u16 hwq;
+ u32 tag;
+ int ret = 0;
+
+ memcpy(&handle, reply->handle, sizeof(handle));
tag = nbd_handle_to_tag(handle);
hwq = blk_mq_unique_tag_to_hwq(tag);
if (hwq < nbd->tag_set.nr_hw_queues)
@@ -756,9 +763,9 @@ static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index)
ret = -ENOENT;
goto out;
}
- if (ntohl(reply.error)) {
+ if (ntohl(reply->error)) {
dev_err(disk_to_dev(nbd->disk), "Other side returned error (%d)\n",
- ntohl(reply.error));
+ ntohl(reply->error));
cmd->status = BLK_STS_IOERR;
goto out;
}
@@ -767,6 +774,7 @@ static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index)
if (rq_data_dir(req) != WRITE) {
struct req_iterator iter;
struct bio_vec bvec;
+ struct iov_iter to;
rq_for_each_segment(bvec, req, iter) {
iov_iter_bvec(&to, READ, &bvec, 1, bvec.bv_len);
@@ -780,7 +788,7 @@ static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index)
* and let the timeout stuff handle resubmitting
* this request onto another connection.
*/
- if (nbd_disconnected(config)) {
+ if (nbd_disconnected(nbd->config)) {
cmd->status = BLK_STS_IOERR;
goto out;
}
@@ -804,24 +812,30 @@ static void recv_work(struct work_struct *work)
work);
struct nbd_device *nbd = args->nbd;
struct nbd_config *config = nbd->config;
+ struct nbd_sock *nsock;
struct nbd_cmd *cmd;
struct request *rq;
while (1) {
- cmd = nbd_read_stat(nbd, args->index);
- if (IS_ERR(cmd)) {
- struct nbd_sock *nsock = config->socks[args->index];
+ struct nbd_reply reply;
- mutex_lock(&nsock->tx_lock);
- nbd_mark_nsock_dead(nbd, nsock, 1);
- mutex_unlock(&nsock->tx_lock);
+ if (nbd_read_reply(nbd, args->index, &reply))
+ break;
+
+ cmd = nbd_handle_reply(nbd, args->index, &reply);
+ if (IS_ERR(cmd))
break;
- }
rq = blk_mq_rq_from_pdu(cmd);
if (likely(!blk_should_fake_timeout(rq->q)))
blk_mq_complete_request(rq);
}
+
+ nsock = config->socks[args->index];
+ mutex_lock(&nsock->tx_lock);
+ nbd_mark_nsock_dead(nbd, nsock, 1);
+ mutex_unlock(&nsock->tx_lock);
+
nbd_config_put(nbd);
atomic_dec(&config->recv_threads);
wake_up(&config->recv_wq);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 083/554] nbd: defer config put in recv_work
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 082/554] nbd: partition nbd_read_stat() into nbd_read_reply() and nbd_handle_reply() Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 084/554] scsi: stex: Fix reboot_notifier leak in probe error path Greg Kroah-Hartman
` (476 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+56fbf4c7ddf65e95c7cc,
Zheng Qixing, Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Qixing <zhengqixing@huawei.com>
[ Upstream commit 9517b82d8d422d426a988b213fdd45c6b417b86d ]
There is one uaf issue in recv_work when running NBD_CLEAR_SOCK and
NBD_CMD_RECONFIGURE:
nbd_genl_connect // conf_ref=2 (connect and recv_work A)
nbd_open // conf_ref=3
recv_work A done // conf_ref=2
NBD_CLEAR_SOCK // conf_ref=1
nbd_genl_reconfigure // conf_ref=2 (trigger recv_work B)
close nbd // conf_ref=1
recv_work B
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Or only running NBD_CLEAR_SOCK:
nbd_genl_connect // conf_ref=2
nbd_open // conf_ref=3
NBD_CLEAR_SOCK // conf_ref=2
close nbd
nbd_release
config_put // conf_ref=1
recv_work
config_put // conf_ref=0
atomic_dec(&config->recv_threads); -> UAF
Commit 87aac3a80af5 ("nbd: call nbd_config_put() before notifying the
waiter") moved nbd_config_put() to run before waking up the waiter in
recv_work, in order to ensure that nbd_start_device_ioctl() would not
be woken up while nbd->task_recv was still uncleared.
However, in nbd_start_device_ioctl(), after being woken up it explicitly
calls flush_workqueue() to make sure all current works are finished.
Therefore, there is no need to move the config put ahead of the wakeup.
Move nbd_config_put() to the end of recv_work, so that the reference is
held for the whole lifetime of the worker thread. This makes sure the
config cannot be freed while recv_work is still running, even if clear
+ reconfigure interleave.
In addition, we don't need to worry about recv_work dropping the last
nbd_put (which causes deadlock):
path A (netlink with NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=1 (trigger recv_work)
open nbd // nbd_refs=2
NBD_CLEAR_SOCK
close nbd
nbd_release
nbd_disconnect_and_put
flush_workqueue // recv_work done
nbd_config_put
nbd_put // nbd_refs=1
nbd_put // nbd_refs=0
queue_work
path B (netlink without NBD_CFLAG_DESTROY_ON_DISCONNECT):
connect // nbd_refs=2 (trigger recv_work)
open nbd // nbd_refs=3
NBD_CLEAR_SOCK // conf_refs=2
close nbd
nbd_release
nbd_config_put // conf_refs=1
nbd_put // nbd_refs=2
recv_work done // conf_refs=0, nbd_refs=1
rmmod // nbd_refs=0
Reported-by: syzbot+56fbf4c7ddf65e95c7cc@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/6907edce.a70a0220.37351b.0014.GAE@google.com/T/
Fixes: 87aac3a80af5 ("nbd: make the config put is called before the notifying the waiter")
Depends-on: e2daec488c57 ("nbd: Fix hungtask when nbd_config_put")
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/nbd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index eb37427a3c019..ae89f6124cc6b 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -836,9 +836,9 @@ static void recv_work(struct work_struct *work)
nbd_mark_nsock_dead(nbd, nsock, 1);
mutex_unlock(&nsock->tx_lock);
- nbd_config_put(nbd);
atomic_dec(&config->recv_threads);
wake_up(&config->recv_wq);
+ nbd_config_put(nbd);
kfree(args);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 084/554] scsi: stex: Fix reboot_notifier leak in probe error path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 083/554] nbd: defer config put in recv_work Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 085/554] dt-bindings: PCI: convert amlogic,meson-pcie.txt to dt-schema Greg Kroah-Hartman
` (475 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 20da637eb545b04753e20c675cfe97b04c7b600b ]
In stex_probe(), register_reboot_notifier() is called at the beginning,
but if any subsequent initialization step fails, the function returns
without unregistering the notifier, resulting in a resource leak.
Add unregister_reboot_notifier() in the out_disable error path to ensure
proper cleanup on all failure paths.
Fixes: 61b745fa63db ("scsi: stex: Add S6 support")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251104094847.270-1-vulab@iscas.ac.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/stex.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/stex.c b/drivers/scsi/stex.c
index 1ff9b8e85b09c..8ff92ab9b27b1 100644
--- a/drivers/scsi/stex.c
+++ b/drivers/scsi/stex.c
@@ -1848,6 +1848,7 @@ static int stex_probe(struct pci_dev *pdev, const struct pci_device_id *id)
out_scsi_host_put:
scsi_host_put(host);
out_disable:
+ unregister_reboot_notifier(&stex_notifier);
pci_disable_device(pdev);
return err;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 085/554] dt-bindings: PCI: convert amlogic,meson-pcie.txt to dt-schema
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 084/554] scsi: stex: Fix reboot_notifier leak in probe error path Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 086/554] dt-bindings: PCI: amlogic: Fix the register name of the DBI region Greg Kroah-Hartman
` (474 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Lorenzo Pieralisi,
Krzysztof Kozlowski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neil Armstrong <neil.armstrong@linaro.org>
[ Upstream commit b80b848bdf56bd402b7a91aea5b77cec93dfe4c2 ]
Convert the Amlogic Meson AXG DWC PCIe SoC controller bindings to
dt-schema.
Link: https://lore.kernel.org/r/20221117-b4-amlogic-bindings-convert-v4-5-34e623dbf789@linaro.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Stable-dep-of: 4813dea9e272 ("dt-bindings: PCI: amlogic: Fix the register name of the DBI region")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../bindings/pci/amlogic,axg-pcie.yaml | 134 ++++++++++++++++++
.../bindings/pci/amlogic,meson-pcie.txt | 70 ---------
2 files changed, 134 insertions(+), 70 deletions(-)
create mode 100644 Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml
delete mode 100644 Documentation/devicetree/bindings/pci/amlogic,meson-pcie.txt
diff --git a/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml b/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml
new file mode 100644
index 0000000000000..a5bd90bc0712e
--- /dev/null
+++ b/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml
@@ -0,0 +1,134 @@
+# SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+%YAML 1.2
+---
+$id: http://devicetree.org/schemas/pci/amlogic,axg-pcie.yaml#
+$schema: http://devicetree.org/meta-schemas/core.yaml#
+
+title: Amlogic Meson AXG DWC PCIe SoC controller
+
+maintainers:
+ - Neil Armstrong <neil.armstrong@linaro.org>
+
+description:
+ Amlogic Meson PCIe host controller is based on the Synopsys DesignWare PCI core.
+
+allOf:
+ - $ref: /schemas/pci/pci-bus.yaml#
+ - $ref: /schemas/pci/snps,dw-pcie-common.yaml#
+
+# We need a select here so we don't match all nodes with 'snps,dw-pcie'
+select:
+ properties:
+ compatible:
+ enum:
+ - amlogic,axg-pcie
+ - amlogic,g12a-pcie
+ required:
+ - compatible
+
+properties:
+ compatible:
+ items:
+ - enum:
+ - amlogic,axg-pcie
+ - amlogic,g12a-pcie
+ - const: snps,dw-pcie
+
+ reg:
+ items:
+ - description: External local bus interface registers
+ - description: Meson designed configuration registers
+ - description: PCIe configuration space
+
+ reg-names:
+ items:
+ - const: elbi
+ - const: cfg
+ - const: config
+
+ interrupts:
+ maxItems: 1
+
+ clocks:
+ items:
+ - description: PCIe GEN 100M PLL clock
+ - description: PCIe RC clock gate
+ - description: PCIe PHY clock
+
+ clock-names:
+ items:
+ - const: pclk
+ - const: port
+ - const: general
+
+ phys:
+ maxItems: 1
+
+ phy-names:
+ const: pcie
+
+ resets:
+ items:
+ - description: Port Reset
+ - description: Shared APB reset
+
+ reset-names:
+ items:
+ - const: port
+ - const: apb
+
+ num-lanes:
+ const: 1
+
+ power-domains:
+ maxItems: 1
+
+required:
+ - compatible
+ - reg
+ - reg-names
+ - interrupts
+ - clock
+ - clock-names
+ - "#address-cells"
+ - "#size-cells"
+ - "#interrupt-cells"
+ - interrupt-map
+ - interrupt-map-mask
+ - ranges
+ - bus-range
+ - device_type
+ - num-lanes
+ - phys
+ - phy-names
+ - resets
+ - reset-names
+
+unevaluatedProperties: false
+
+examples:
+ - |
+ #include <dt-bindings/interrupt-controller/irq.h>
+ #include <dt-bindings/interrupt-controller/arm-gic.h>
+ pcie: pcie@f9800000 {
+ compatible = "amlogic,axg-pcie", "snps,dw-pcie";
+ reg = <0xf9800000 0x400000>, <0xff646000 0x2000>, <0xf9f00000 0x100000>;
+ reg-names = "elbi", "cfg", "config";
+ interrupts = <GIC_SPI 177 IRQ_TYPE_EDGE_RISING>;
+ clocks = <&pclk>, <&clk_port>, <&clk_phy>;
+ clock-names = "pclk", "port", "general";
+ resets = <&reset_pcie_port>, <&reset_pcie_apb>;
+ reset-names = "port", "apb";
+ phys = <&pcie_phy>;
+ phy-names = "pcie";
+ #interrupt-cells = <1>;
+ interrupt-map-mask = <0 0 0 0>;
+ interrupt-map = <0 0 0 0 &gic GIC_SPI 179 IRQ_TYPE_EDGE_RISING>;
+ bus-range = <0x0 0xff>;
+ #address-cells = <3>;
+ #size-cells = <2>;
+ device_type = "pci";
+ num-lanes = <1>;
+ ranges = <0x82000000 0 0 0xf9c00000 0 0x00300000>;
+ };
+...
diff --git a/Documentation/devicetree/bindings/pci/amlogic,meson-pcie.txt b/Documentation/devicetree/bindings/pci/amlogic,meson-pcie.txt
deleted file mode 100644
index c3a75ac6e59d1..0000000000000
--- a/Documentation/devicetree/bindings/pci/amlogic,meson-pcie.txt
+++ /dev/null
@@ -1,70 +0,0 @@
-Amlogic Meson AXG DWC PCIE SoC controller
-
-Amlogic Meson PCIe host controller is based on the Synopsys DesignWare PCI core.
-It shares common functions with the PCIe DesignWare core driver and
-inherits common properties defined in
-Documentation/devicetree/bindings/pci/snps,dw-pcie.yaml.
-
-Additional properties are described here:
-
-Required properties:
-- compatible:
- should contain :
- - "amlogic,axg-pcie" for AXG SoC Family
- - "amlogic,g12a-pcie" for G12A SoC Family
- to identify the core.
-- reg:
- should contain the configuration address space.
-- reg-names: Must be
- - "elbi" External local bus interface registers
- - "cfg" Meson specific registers
- - "config" PCIe configuration space
-- reset-gpios: The GPIO to generate PCIe PERST# assert and deassert signal.
-- clocks: Must contain an entry for each entry in clock-names.
-- clock-names: Must include the following entries:
- - "pclk" PCIe GEN 100M PLL clock
- - "port" PCIe_x(A or B) RC clock gate
- - "general" PCIe Phy clock
-- resets: phandle to the reset lines.
-- reset-names: must contain "port" and "apb"
- - "port" Port A or B reset
- - "apb" Share APB reset
-- phys: should contain a phandle to the PCIE phy
-- phy-names: must contain "pcie"
-
-- device_type:
- should be "pci". As specified in snps,dw-pcie.yaml
-
-
-Example configuration:
-
- pcie: pcie@f9800000 {
- compatible = "amlogic,axg-pcie", "snps,dw-pcie";
- reg = <0x0 0xf9800000 0x0 0x400000
- 0x0 0xff646000 0x0 0x2000
- 0x0 0xf9f00000 0x0 0x100000>;
- reg-names = "elbi", "cfg", "config";
- reset-gpios = <&gpio GPIOX_19 GPIO_ACTIVE_HIGH>;
- interrupts = <GIC_SPI 177 IRQ_TYPE_EDGE_RISING>;
- #interrupt-cells = <1>;
- interrupt-map-mask = <0 0 0 0>;
- interrupt-map = <0 0 0 0 &gic GIC_SPI 179 IRQ_TYPE_EDGE_RISING>;
- bus-range = <0x0 0xff>;
- #address-cells = <3>;
- #size-cells = <2>;
- device_type = "pci";
- ranges = <0x82000000 0 0 0x0 0xf9c00000 0 0x00300000>;
-
- clocks = <&clkc CLKID_USB
- &clkc CLKID_PCIE_A
- &clkc CLKID_PCIE_CML_EN0>;
- clock-names = "general",
- "pclk",
- "port";
- resets = <&reset RESET_PCIE_A>,
- <&reset RESET_PCIE_APB>;
- reset-names = "port",
- "apb";
- phys = <&pcie_phy>;
- phy-names = "pcie";
- };
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 086/554] dt-bindings: PCI: amlogic: Fix the register name of the DBI region
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 085/554] dt-bindings: PCI: convert amlogic,meson-pcie.txt to dt-schema Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 087/554] RDMA/rtrs: server: Fix error handling in get_or_create_srv Greg Kroah-Hartman
` (473 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Manivannan Sadhasivam, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
[ Upstream commit 4813dea9e272ba0a57c50b8d51d440dd8e3ccdd7 ]
Binding incorrectly specifies the 'DBI' region as 'ELBI'. DBI is a must
have region for DWC controllers as it has the Root Port and controller
specific registers, while ELBI has optional registers.
Hence, fix the binding. Though this is an ABI break, this change is needed
to accurately describe the PCI memory map.
Fixes: 7cd210391101 ("dt-bindings: PCI: meson: add DT bindings for Amlogic Meson PCIe controller")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@oss.qualcomm.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Link: https://patch.msgid.link/20251101-pci-meson-fix-v1-1-c50dcc56ed6a@oss.qualcomm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml b/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml
index a5bd90bc0712e..9c3b8e65c42a3 100644
--- a/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml
+++ b/Documentation/devicetree/bindings/pci/amlogic,axg-pcie.yaml
@@ -36,13 +36,13 @@ properties:
reg:
items:
- - description: External local bus interface registers
+ - description: Data Bus Interface registers
- description: Meson designed configuration registers
- description: PCIe configuration space
reg-names:
items:
- - const: elbi
+ - const: dbi
- const: cfg
- const: config
@@ -113,7 +113,7 @@ examples:
pcie: pcie@f9800000 {
compatible = "amlogic,axg-pcie", "snps,dw-pcie";
reg = <0xf9800000 0x400000>, <0xff646000 0x2000>, <0xf9f00000 0x100000>;
- reg-names = "elbi", "cfg", "config";
+ reg-names = "dbi", "cfg", "config";
interrupts = <GIC_SPI 177 IRQ_TYPE_EDGE_RISING>;
clocks = <&pclk>, <&clk_port>, <&clk_phy>;
clock-names = "pclk", "port", "general";
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 087/554] RDMA/rtrs: server: Fix error handling in get_or_create_srv
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 086/554] dt-bindings: PCI: amlogic: Fix the register name of the DBI region Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 088/554] ntfs3: init run lock for extend inode Greg Kroah-Hartman
` (472 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Jack Wang, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
[ Upstream commit a338d6e849ab31f32c08b4fcac11c0c72afbb150 ]
After device_initialize() is called, use put_device() to release the
device according to kernel device management rules. While direct
kfree() work in this case, using put_device() is more correct.
Found by code review.
Fixes: 9cb837480424 ("RDMA/rtrs: server: main functionality")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://patch.msgid.link/20251110005158.13394-1-make24@iscas.ac.cn
Acked-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/rtrs/rtrs-srv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-srv.c b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
index 96fe7c97bc713..ec3ab8df32f7d 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-srv.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-srv.c
@@ -1453,7 +1453,7 @@ static struct rtrs_srv *get_or_create_srv(struct rtrs_srv_ctx *ctx,
kfree(srv->chunks);
err_free_srv:
- kfree(srv);
+ put_device(&srv->dev);
return ERR_PTR(-ENOMEM);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 088/554] ntfs3: init run lock for extend inode
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 087/554] RDMA/rtrs: server: Fix error handling in get_or_create_srv Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 089/554] powerpc/32: Fix unpaired stwcx. on interrupt exit Greg Kroah-Hartman
` (471 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bdeb22a4b9a09ab9aa45,
Edward Adam Davis, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit be99c62ac7e7af514e4b13f83c891a3cccefaa48 ]
After setting the inode mode of $Extend to a regular file, executing the
truncate system call will enter the do_truncate() routine, causing the
run_lock uninitialized error reported by syzbot.
Prior to patch 4e8011ffec79, if the inode mode of $Extend was not set to
a regular file, the do_truncate() routine would not be entered.
Add the run_lock initialization when loading $Extend.
syzbot reported:
INFO: trying to register non-static key.
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
assign_lock_key+0x133/0x150 kernel/locking/lockdep.c:984
register_lock_class+0x105/0x320 kernel/locking/lockdep.c:1299
__lock_acquire+0x99/0xd20 kernel/locking/lockdep.c:5112
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
down_write+0x96/0x1f0 kernel/locking/rwsem.c:1590
ntfs_set_size+0x140/0x200 fs/ntfs3/inode.c:860
ntfs_extend+0x1d9/0x970 fs/ntfs3/file.c:387
ntfs_setattr+0x2e8/0xbe0 fs/ntfs3/file.c:808
Fixes: 4e8011ffec79 ("ntfs3: pretend $Extend records as regular files")
Reported-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bdeb22a4b9a09ab9aa45
Tested-by: syzbot+bdeb22a4b9a09ab9aa45@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/inode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 7797e35364495..0f4e166112de1 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -457,6 +457,7 @@ static struct inode *ntfs_read_mft(struct inode *inode,
/* Records in $Extend are not a files or general directories. */
inode->i_op = &ntfs_file_inode_operations;
mode = S_IFREG;
+ init_rwsem(&ni->file.run_lock);
} else {
err = -EINVAL;
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 089/554] powerpc/32: Fix unpaired stwcx. on interrupt exit
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 088/554] ntfs3: init run lock for extend inode Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 090/554] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse Greg Kroah-Hartman
` (470 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy,
Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 10e1c77c3636d815db802ceef588522c2d2d947c ]
Commit b96bae3ae2cb ("powerpc/32: Replace ASM exception exit by C
exception exit from ppc64") erroneouly copied to powerpc/32 the logic
from powerpc/64 based on feature CPU_FTR_STCX_CHECKS_ADDRESS which is
always 0 on powerpc/32.
Re-instate the logic implemented by commit b64f87c16f3c ("[POWERPC]
Avoid unpaired stwcx. on some processors") which is based on
CPU_FTR_NEED_PAIRED_STWCX feature.
Fixes: b96bae3ae2cb ("powerpc/32: Replace ASM exception exit by C exception exit from ppc64")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/6040b5dbcf5cdaa1cd919fcf0790f12974ea6e5a.1757666244.git.christophe.leroy@csgroup.eu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/entry_32.S | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/arch/powerpc/kernel/entry_32.S b/arch/powerpc/kernel/entry_32.S
index 3eb3c74e402b5..c23b2b0046970 100644
--- a/arch/powerpc/kernel/entry_32.S
+++ b/arch/powerpc/kernel/entry_32.S
@@ -314,10 +314,9 @@ interrupt_return:
mtspr SPRN_SRR1,r12
BEGIN_FTR_SECTION
+ lwarx r0,0,r1
+END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX)
stwcx. r0,0,r1 /* to clear the reservation */
-FTR_SECTION_ELSE
- lwarx r0,0,r1
-ALT_FTR_SECTION_END_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)
lwz r3,_CCR(r1)
lwz r4,_LINK(r1)
@@ -360,10 +359,9 @@ ALT_FTR_SECTION_END_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)
mtspr SPRN_SRR1,r12
BEGIN_FTR_SECTION
+ lwarx r0,0,r1
+END_FTR_SECTION_IFSET(CPU_FTR_NEED_PAIRED_STWCX)
stwcx. r0,0,r1 /* to clear the reservation */
-FTR_SECTION_ELSE
- lwarx r0,0,r1
-ALT_FTR_SECTION_END_IFCLR(CPU_FTR_STCX_CHECKS_ADDRESS)
lwz r3,_LINK(r1)
lwz r4,_CTR(r1)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 090/554] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 089/554] powerpc/32: Fix unpaired stwcx. on interrupt exit Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 091/554] wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper() Greg Kroah-Hartman
` (469 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Long Li, Madhavan Srinivasan,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <leo.lilong@huawei.com>
[ Upstream commit 1e4b207ffe54cf33a4b7a2912c4110f89c73bf3f ]
The following warning appears when running syzkaller, and this issue also
exists in the mainline code.
------------[ cut here ]------------
list_add double add: new=ffffffffa57eee28, prev=ffffffffa57eee28, next=ffffffffa5e63100.
WARNING: CPU: 0 PID: 1491 at lib/list_debug.c:35 __list_add_valid_or_report+0xf7/0x130
Modules linked in:
CPU: 0 PID: 1491 Comm: syz.1.28 Not tainted 6.6.0+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:__list_add_valid_or_report+0xf7/0x130
RSP: 0018:ff1100010dfb7b78 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffffa57eee18 RCX: ffffffff97fc9817
RDX: 0000000000040000 RSI: ffa0000002383000 RDI: 0000000000000001
RBP: ffffffffa57eee28 R08: 0000000000000001 R09: ffe21c0021bf6f2c
R10: 0000000000000001 R11: 6464615f7473696c R12: ffffffffa5e63100
R13: ffffffffa57eee28 R14: ffffffffa57eee28 R15: ff1100010dfb7d48
FS: 00007fb14398b640(0000) GS:ff11000119600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000010d096005 CR4: 0000000000773ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
input_register_handler+0xb3/0x210
mac_hid_start_emulation+0x1c5/0x290
mac_hid_toggle_emumouse+0x20a/0x240
proc_sys_call_handler+0x4c2/0x6e0
new_sync_write+0x1b1/0x2d0
vfs_write+0x709/0x950
ksys_write+0x12a/0x250
do_syscall_64+0x5a/0x110
entry_SYSCALL_64_after_hwframe+0x78/0xe2
The WARNING occurs when two processes concurrently write to the mac-hid
emulation sysctl, causing a race condition in mac_hid_toggle_emumouse().
Both processes read old_val=0, then both try to register the input handler,
leading to a double list_add of the same handler.
CPU0 CPU1
------------------------- -------------------------
vfs_write() //write 1 vfs_write() //write 1
proc_sys_write() proc_sys_write()
mac_hid_toggle_emumouse() mac_hid_toggle_emumouse()
old_val = *valp // old_val=0
old_val = *valp // old_val=0
mutex_lock_killable()
proc_dointvec() // *valp=1
mac_hid_start_emulation()
input_register_handler()
mutex_unlock()
mutex_lock_killable()
proc_dointvec()
mac_hid_start_emulation()
input_register_handler() //Trigger Warning
mutex_unlock()
Fix this by moving the old_val read inside the mutex lock region.
Fixes: 99b089c3c38a ("Input: Mac button emulation - implement as an input filter")
Signed-off-by: Long Li <leo.lilong@huawei.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/20250819091035.2263329-1-leo.lilong@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/macintosh/mac_hid.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/macintosh/mac_hid.c b/drivers/macintosh/mac_hid.c
index 28b8581b44dda..b622df9f4b231 100644
--- a/drivers/macintosh/mac_hid.c
+++ b/drivers/macintosh/mac_hid.c
@@ -186,13 +186,14 @@ static int mac_hid_toggle_emumouse(struct ctl_table *table, int write,
void *buffer, size_t *lenp, loff_t *ppos)
{
int *valp = table->data;
- int old_val = *valp;
+ int old_val;
int rc;
rc = mutex_lock_killable(&mac_hid_emumouse_mutex);
if (rc)
return rc;
+ old_val = *valp;
rc = proc_dointvec(table, write, buffer, lenp, ppos);
if (rc == 0 && write && *valp != old_val) {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 091/554] wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 090/554] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 092/554] nbd: defer config unlock in nbd_genl_connect Greg Kroah-Hartman
` (468 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit 5e88e864118c20e63a1571d0ff0a152e5d684959 ]
In one of the error paths, the memory allocated for skb_rx is not freed.
Fix that by freeing it before returning.
Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Link: https://patch.msgid.link/20251110175316.106591-1-nihaal@cse.iitm.ac.in
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/st/cw1200/bh.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/st/cw1200/bh.c b/drivers/net/wireless/st/cw1200/bh.c
index 10e019cddcc65..cbb95682d21b2 100644
--- a/drivers/net/wireless/st/cw1200/bh.c
+++ b/drivers/net/wireless/st/cw1200/bh.c
@@ -317,10 +317,12 @@ static int cw1200_bh_rx_helper(struct cw1200_common *priv,
if (wsm_id & 0x0400) {
int rc = wsm_release_tx_buffer(priv, 1);
- if (WARN_ON(rc < 0))
+ if (WARN_ON(rc < 0)) {
+ dev_kfree_skb(skb_rx);
return rc;
- else if (rc > 0)
+ } else if (rc > 0) {
*tx = 1;
+ }
}
/* cw1200_wsm_rx takes care on SKB livetime */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 092/554] nbd: defer config unlock in nbd_genl_connect
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 091/554] wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper() Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 093/554] coresight: etm4x: Save restore TRFCR_EL1 Greg Kroah-Hartman
` (467 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zheng Qixing, Yu Kuai, Jens Axboe,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Qixing <zhengqixing@huawei.com>
[ Upstream commit 1649714b930f9ea6233ce0810ba885999da3b5d4 ]
There is one use-after-free warning when running NBD_CMD_CONNECT and
NBD_CLEAR_SOCK:
nbd_genl_connect
nbd_alloc_and_init_config // config_refs=1
nbd_start_device // config_refs=2
set NBD_RT_HAS_CONFIG_REF open nbd // config_refs=3
recv_work done // config_refs=2
NBD_CLEAR_SOCK // config_refs=1
close nbd // config_refs=0
refcount_inc -> uaf
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 24 PID: 1014 at lib/refcount.c:25 refcount_warn_saturate+0x12e/0x290
nbd_genl_connect+0x16d0/0x1ab0
genl_family_rcv_msg_doit+0x1f3/0x310
genl_rcv_msg+0x44a/0x790
The issue can be easily reproduced by adding a small delay before
refcount_inc(&nbd->config_refs) in nbd_genl_connect():
mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
+ printk("before sleep\n");
+ mdelay(5 * 1000);
+ printk("after sleep\n");
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
Fixes: e46c7287b1c2 ("nbd: add a basic netlink interface")
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
Reviewed-by: Yu Kuai <yukuai@fnnas.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/nbd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index ae89f6124cc6b..79b0056edbafe 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -2045,12 +2045,13 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
ret = nbd_start_device(nbd);
out:
- mutex_unlock(&nbd->config_lock);
if (!ret) {
set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
refcount_inc(&nbd->config_refs);
nbd_connect_reply(info, nbd->index);
}
+ mutex_unlock(&nbd->config_lock);
+
nbd_config_put(nbd);
if (put_dev)
nbd_put(nbd);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 093/554] coresight: etm4x: Save restore TRFCR_EL1
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 092/554] nbd: defer config unlock in nbd_genl_connect Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 094/554] coresight: etm4x: Use Trace Filtering controls dynamically Greg Kroah-Hartman
` (466 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Poirier, Anshuman Khandual,
Mike Leach, Leo Yan, Suzuki K Poulose, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suzuki K Poulose <suzuki.poulose@arm.com>
[ Upstream commit 937d3f58cacf377cab7c32e475e1ffa91d611dce ]
When the CPU enters a low power mode, the TRFCR_EL1 contents could be
reset. Thus we need to save/restore the TRFCR_EL1 along with the ETM4x
registers to allow the tracing.
The TRFCR related helpers are in a new header file, as we need to use
them for TRBE in the later patches.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: Mike Leach <mike.leach@linaro.org>
Cc: Leo Yan <leo.yan@linaro.org>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20210914102641.1852544-2-suzuki.poulose@arm.com
[Fixed cosmetic details]
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Stable-dep-of: 64eb04ae5452 ("coresight: etm4x: Add context synchronization before enabling trace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../coresight/coresight-etm4x-core.c | 43 +++++++++++++------
drivers/hwtracing/coresight/coresight-etm4x.h | 2 +
.../coresight/coresight-self-hosted-trace.h | 24 +++++++++++
3 files changed, 57 insertions(+), 12 deletions(-)
create mode 100644 drivers/hwtracing/coresight/coresight-self-hosted-trace.h
diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
index 84734c7c19158..d124931ee2be5 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -40,6 +40,7 @@
#include "coresight-etm4x.h"
#include "coresight-etm-perf.h"
#include "coresight-etm4x-cfg.h"
+#include "coresight-self-hosted-trace.h"
#include "coresight-syscfg.h"
static int boot_enable;
@@ -1009,7 +1010,7 @@ static void cpu_enable_tracing(struct etmv4_drvdata *drvdata)
if (is_kernel_in_hyp_mode())
trfcr |= TRFCR_EL2_CX;
- write_sysreg_s(trfcr, SYS_TRFCR_EL1);
+ write_trfcr(trfcr);
}
static void etm4_init_arch_data(void *info)
@@ -1534,7 +1535,7 @@ static void etm4_init_trace_id(struct etmv4_drvdata *drvdata)
drvdata->trcid = coresight_get_trace_id(drvdata->cpu);
}
-static int etm4_cpu_save(struct etmv4_drvdata *drvdata)
+static int __etm4_cpu_save(struct etmv4_drvdata *drvdata)
{
int i, ret = 0;
struct etmv4_save_state *state;
@@ -1674,7 +1675,23 @@ static int etm4_cpu_save(struct etmv4_drvdata *drvdata)
return ret;
}
-static void etm4_cpu_restore(struct etmv4_drvdata *drvdata)
+static int etm4_cpu_save(struct etmv4_drvdata *drvdata)
+{
+ int ret = 0;
+
+ /* Save the TRFCR irrespective of whether the ETM is ON */
+ if (drvdata->trfc)
+ drvdata->save_trfcr = read_trfcr();
+ /*
+ * Save and restore the ETM Trace registers only if
+ * the ETM is active.
+ */
+ if (local_read(&drvdata->mode) && drvdata->save_state)
+ ret = __etm4_cpu_save(drvdata);
+ return ret;
+}
+
+static void __etm4_cpu_restore(struct etmv4_drvdata *drvdata)
{
int i;
struct etmv4_save_state *state = drvdata->save_state;
@@ -1773,6 +1790,14 @@ static void etm4_cpu_restore(struct etmv4_drvdata *drvdata)
etm4_cs_lock(drvdata, csa);
}
+static void etm4_cpu_restore(struct etmv4_drvdata *drvdata)
+{
+ if (drvdata->trfc)
+ write_trfcr(drvdata->save_trfcr);
+ if (drvdata->state_needs_restore)
+ __etm4_cpu_restore(drvdata);
+}
+
static int etm4_cpu_pm_notify(struct notifier_block *nb, unsigned long cmd,
void *v)
{
@@ -1784,23 +1809,17 @@ static int etm4_cpu_pm_notify(struct notifier_block *nb, unsigned long cmd,
drvdata = etmdrvdata[cpu];
- if (!drvdata->save_state)
- return NOTIFY_OK;
-
if (WARN_ON_ONCE(drvdata->cpu != cpu))
return NOTIFY_BAD;
switch (cmd) {
case CPU_PM_ENTER:
- /* save the state if self-hosted coresight is in use */
- if (local_read(&drvdata->mode))
- if (etm4_cpu_save(drvdata))
- return NOTIFY_BAD;
+ if (etm4_cpu_save(drvdata))
+ return NOTIFY_BAD;
break;
case CPU_PM_EXIT:
case CPU_PM_ENTER_FAILED:
- if (drvdata->state_needs_restore)
- etm4_cpu_restore(drvdata);
+ etm4_cpu_restore(drvdata);
break;
default:
return NOTIFY_DONE;
diff --git a/drivers/hwtracing/coresight/coresight-etm4x.h b/drivers/hwtracing/coresight/coresight-etm4x.h
index 3ab528c6b91f1..74f1ba8ed148d 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x.h
+++ b/drivers/hwtracing/coresight/coresight-etm4x.h
@@ -901,6 +901,7 @@ struct etmv4_save_state {
* @lpoverride: If the implementation can support low-power state over.
* @trfc: If the implementation supports Arm v8.4 trace filter controls.
* @config: structure holding configuration parameters.
+ * @save_trfcr: Saved TRFCR_EL1 register during a CPU PM event.
* @save_state: State to be preserved across power loss
* @state_needs_restore: True when there is context to restore after PM exit
* @skip_power_up: Indicates if an implementation can skip powering up
@@ -954,6 +955,7 @@ struct etmv4_drvdata {
bool lpoverride;
bool trfc;
struct etmv4_config config;
+ u64 save_trfcr;
struct etmv4_save_state *save_state;
bool state_needs_restore;
bool skip_power_up;
diff --git a/drivers/hwtracing/coresight/coresight-self-hosted-trace.h b/drivers/hwtracing/coresight/coresight-self-hosted-trace.h
new file mode 100644
index 0000000000000..303d71911870f
--- /dev/null
+++ b/drivers/hwtracing/coresight/coresight-self-hosted-trace.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Arm v8 Self-Hosted trace support.
+ *
+ * Copyright (C) 2021 ARM Ltd.
+ */
+
+#ifndef __CORESIGHT_SELF_HOSTED_TRACE_H
+#define __CORESIGHT_SELF_HOSTED_TRACE_H
+
+#include <asm/sysreg.h>
+
+static inline u64 read_trfcr(void)
+{
+ return read_sysreg_s(SYS_TRFCR_EL1);
+}
+
+static inline void write_trfcr(u64 val)
+{
+ write_sysreg_s(val, SYS_TRFCR_EL1);
+ isb();
+}
+
+#endif /* __CORESIGHT_SELF_HOSTED_TRACE_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 094/554] coresight: etm4x: Use Trace Filtering controls dynamically
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 093/554] coresight: etm4x: Save restore TRFCR_EL1 Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 095/554] coresight-etm4x: add isb() before reading the TRCSTATR Greg Kroah-Hartman
` (465 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mathieu Poirier, Al Grant,
Mike Leach, Leo Yan, Suzuki K Poulose, Anshuman Khandual,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suzuki K Poulose <suzuki.poulose@arm.com>
[ Upstream commit 5f6fd1aa8cc147b111af1a833574487a87237dc0 ]
The Trace Filtering support (FEAT_TRF) ensures that the ETM
can be prohibited from generating any trace for a given EL.
This is much stricter knob, than the TRCVICTLR exception level
masks, which doesn't prevent the ETM from generating Context
packets for an "excluded" EL. At the moment, we do a onetime
enable trace at user and kernel and leave it untouched for the
kernel life time. This implies that the ETM could potentially
generate trace packets containing the kernel addresses, and
thus leaking the kernel virtual address in the trace.
This patch makes the switch dynamic, by honoring the filters
set by the user and enforcing them in the TRFCR controls.
We also rename the cpu_enable_tracing() appropriately to
cpu_detect_trace_filtering() and the drvdata member
trfc => trfcr to indicate the "value" of the TRFCR_EL1.
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Al Grant <al.grant@arm.com>
Cc: Mike Leach <mike.leach@linaro.org>
Cc: Leo Yan <leo.yan@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
Link: https://lore.kernel.org/r/20210914102641.1852544-3-suzuki.poulose@arm.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Stable-dep-of: 64eb04ae5452 ("coresight: etm4x: Add context synchronization before enabling trace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../coresight/coresight-etm4x-core.c | 63 ++++++++++++++-----
drivers/hwtracing/coresight/coresight-etm4x.h | 7 ++-
.../coresight/coresight-self-hosted-trace.h | 7 +++
3 files changed, 59 insertions(+), 18 deletions(-)
diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
index d124931ee2be5..54e5be46973a3 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -239,6 +239,45 @@ struct etm4_enable_arg {
int rc;
};
+/*
+ * etm4x_prohibit_trace - Prohibit the CPU from tracing at all ELs.
+ * When the CPU supports FEAT_TRF, we could move the ETM to a trace
+ * prohibited state by filtering the Exception levels via TRFCR_EL1.
+ */
+static void etm4x_prohibit_trace(struct etmv4_drvdata *drvdata)
+{
+ /* If the CPU doesn't support FEAT_TRF, nothing to do */
+ if (!drvdata->trfcr)
+ return;
+ cpu_prohibit_trace();
+}
+
+/*
+ * etm4x_allow_trace - Allow CPU tracing in the respective ELs,
+ * as configured by the drvdata->config.mode for the current
+ * session. Even though we have TRCVICTLR bits to filter the
+ * trace in the ELs, it doesn't prevent the ETM from generating
+ * a packet (e.g, TraceInfo) that might contain the addresses from
+ * the excluded levels. Thus we use the additional controls provided
+ * via the Trace Filtering controls (FEAT_TRF) to make sure no trace
+ * is generated for the excluded ELs.
+ */
+static void etm4x_allow_trace(struct etmv4_drvdata *drvdata)
+{
+ u64 trfcr = drvdata->trfcr;
+
+ /* If the CPU doesn't support FEAT_TRF, nothing to do */
+ if (!trfcr)
+ return;
+
+ if (drvdata->config.mode & ETM_MODE_EXCL_KERN)
+ trfcr &= ~TRFCR_ELx_ExTRE;
+ if (drvdata->config.mode & ETM_MODE_EXCL_USER)
+ trfcr &= ~TRFCR_ELx_E0TRE;
+
+ write_trfcr(trfcr);
+}
+
#ifdef CONFIG_ETM4X_IMPDEF_FEATURE
#define HISI_HIP08_AMBA_ID 0x000b6d01
@@ -445,6 +484,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
if (etm4x_is_ete(drvdata))
etm4x_relaxed_write32(csa, TRCRSR_TA, TRCRSR);
+ etm4x_allow_trace(drvdata);
/* Enable the trace unit */
etm4x_relaxed_write32(csa, 1, TRCPRGCTLR);
@@ -740,7 +780,6 @@ static int etm4_enable(struct coresight_device *csdev,
static void etm4_disable_hw(void *info)
{
u32 control;
- u64 trfcr;
struct etmv4_drvdata *drvdata = info;
struct etmv4_config *config = &drvdata->config;
struct coresight_device *csdev = drvdata->csdev;
@@ -767,12 +806,7 @@ static void etm4_disable_hw(void *info)
* If the CPU supports v8.4 Trace filter Control,
* set the ETM to trace prohibited region.
*/
- if (drvdata->trfc) {
- trfcr = read_sysreg_s(SYS_TRFCR_EL1);
- write_sysreg_s(trfcr & ~(TRFCR_ELx_ExTRE | TRFCR_ELx_E0TRE),
- SYS_TRFCR_EL1);
- isb();
- }
+ etm4x_prohibit_trace(drvdata);
/*
* Make sure everything completes before disabling, as recommended
* by section 7.3.77 ("TRCVICTLR, ViewInst Main Control Register,
@@ -788,9 +822,6 @@ static void etm4_disable_hw(void *info)
if (coresight_timeout(csa, TRCSTATR, TRCSTATR_PMSTABLE_BIT, 1))
dev_err(etm_dev,
"timeout while waiting for PM stable Trace Status\n");
- if (drvdata->trfc)
- write_sysreg_s(trfcr, SYS_TRFCR_EL1);
-
/* read the status of the single shot comparators */
for (i = 0; i < drvdata->nr_ss_cmp; i++) {
config->ss_status[i] =
@@ -988,15 +1019,15 @@ static bool etm4_init_csdev_access(struct etmv4_drvdata *drvdata,
return false;
}
-static void cpu_enable_tracing(struct etmv4_drvdata *drvdata)
+static void cpu_detect_trace_filtering(struct etmv4_drvdata *drvdata)
{
u64 dfr0 = read_sysreg(id_aa64dfr0_el1);
u64 trfcr;
+ drvdata->trfcr = 0;
if (!cpuid_feature_extract_unsigned_field(dfr0, ID_AA64DFR0_TRACE_FILT_SHIFT))
return;
- drvdata->trfc = true;
/*
* If the CPU supports v8.4 SelfHosted Tracing, enable
* tracing at the kernel EL and EL0, forcing to use the
@@ -1010,7 +1041,7 @@ static void cpu_enable_tracing(struct etmv4_drvdata *drvdata)
if (is_kernel_in_hyp_mode())
trfcr |= TRFCR_EL2_CX;
- write_trfcr(trfcr);
+ drvdata->trfcr = trfcr;
}
static void etm4_init_arch_data(void *info)
@@ -1183,7 +1214,7 @@ static void etm4_init_arch_data(void *info)
/* NUMCNTR, bits[30:28] number of counters available for tracing */
drvdata->nr_cntr = BMVAL(etmidr5, 28, 30);
etm4_cs_lock(drvdata, csa);
- cpu_enable_tracing(drvdata);
+ cpu_detect_trace_filtering(drvdata);
}
static inline u32 etm4_get_victlr_access_type(struct etmv4_config *config)
@@ -1680,7 +1711,7 @@ static int etm4_cpu_save(struct etmv4_drvdata *drvdata)
int ret = 0;
/* Save the TRFCR irrespective of whether the ETM is ON */
- if (drvdata->trfc)
+ if (drvdata->trfcr)
drvdata->save_trfcr = read_trfcr();
/*
* Save and restore the ETM Trace registers only if
@@ -1792,7 +1823,7 @@ static void __etm4_cpu_restore(struct etmv4_drvdata *drvdata)
static void etm4_cpu_restore(struct etmv4_drvdata *drvdata)
{
- if (drvdata->trfc)
+ if (drvdata->trfcr)
write_trfcr(drvdata->save_trfcr);
if (drvdata->state_needs_restore)
__etm4_cpu_restore(drvdata);
diff --git a/drivers/hwtracing/coresight/coresight-etm4x.h b/drivers/hwtracing/coresight/coresight-etm4x.h
index 74f1ba8ed148d..85bf733a21bab 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x.h
+++ b/drivers/hwtracing/coresight/coresight-etm4x.h
@@ -899,7 +899,10 @@ struct etmv4_save_state {
* @nooverflow: Indicate if overflow prevention is supported.
* @atbtrig: If the implementation can support ATB triggers
* @lpoverride: If the implementation can support low-power state over.
- * @trfc: If the implementation supports Arm v8.4 trace filter controls.
+ * @trfcr: If the CPU supports FEAT_TRF, value of the TRFCR_ELx that
+ * allows tracing at all ELs. We don't want to compute this
+ * at runtime, due to the additional setting of TRFCR_CX when
+ * in EL2. Otherwise, 0.
* @config: structure holding configuration parameters.
* @save_trfcr: Saved TRFCR_EL1 register during a CPU PM event.
* @save_state: State to be preserved across power loss
@@ -953,7 +956,7 @@ struct etmv4_drvdata {
bool nooverflow;
bool atbtrig;
bool lpoverride;
- bool trfc;
+ u64 trfcr;
struct etmv4_config config;
u64 save_trfcr;
struct etmv4_save_state *save_state;
diff --git a/drivers/hwtracing/coresight/coresight-self-hosted-trace.h b/drivers/hwtracing/coresight/coresight-self-hosted-trace.h
index 303d71911870f..23f05df3f1730 100644
--- a/drivers/hwtracing/coresight/coresight-self-hosted-trace.h
+++ b/drivers/hwtracing/coresight/coresight-self-hosted-trace.h
@@ -21,4 +21,11 @@ static inline void write_trfcr(u64 val)
isb();
}
+static inline void cpu_prohibit_trace(void)
+{
+ u64 trfcr = read_trfcr();
+
+ /* Prohibit tracing at EL0 & the kernel EL */
+ write_trfcr(trfcr & ~(TRFCR_ELx_ExTRE | TRFCR_ELx_E0TRE));
+}
#endif /* __CORESIGHT_SELF_HOSTED_TRACE_H */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 095/554] coresight-etm4x: add isb() before reading the TRCSTATR
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 094/554] coresight: etm4x: Use Trace Filtering controls dynamically Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 096/554] coresight: etm4x: Extract the trace unit controlling Greg Kroah-Hartman
` (464 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuanfang Zhang, Suzuki K Poulose,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuanfang Zhang <quic_yuanfang@quicinc.com>
[ Upstream commit 4ff6039ffb79a4a8a44b63810a8a2f2b43264856 ]
As recommended by section 4.3.7 ("Synchronization when using system
instructions to progrom the trace unit") of ARM IHI 0064H.b, the
self-hosted trace analyzer must perform a Context synchronization
event between writing to the TRCPRGCTLR and reading the TRCSTATR.
Additionally, add an ISB between the each read of TRCSTATR on
coresight_timeout() when using system instructions to program the
trace unit.
Fixes: 1ab3bb9df5e3 ("coresight: etm4x: Add necessary synchronization for sysreg access")
Signed-off-by: Yuanfang Zhang <quic_yuanfang@quicinc.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20250116-etm_sync-v4-1-39f2b05e9514@quicinc.com
Stable-dep-of: 64eb04ae5452 ("coresight: etm4x: Add context synchronization before enabling trace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwtracing/coresight/coresight-core.c | 20 ++++++--
.../coresight/coresight-etm4x-core.c | 48 +++++++++++++++++--
include/linux/coresight.h | 4 ++
3 files changed, 62 insertions(+), 10 deletions(-)
diff --git a/drivers/hwtracing/coresight/coresight-core.c b/drivers/hwtracing/coresight/coresight-core.c
index f6989a74fec94..1d8bad32c5ad5 100644
--- a/drivers/hwtracing/coresight/coresight-core.c
+++ b/drivers/hwtracing/coresight/coresight-core.c
@@ -1454,18 +1454,20 @@ static void coresight_remove_conns(struct coresight_device *csdev)
}
/**
- * coresight_timeout - loop until a bit has changed to a specific register
- * state.
+ * coresight_timeout_action - loop until a bit has changed to a specific register
+ * state, with a callback after every trial.
* @csa: coresight device access for the device
* @offset: Offset of the register from the base of the device.
* @position: the position of the bit of interest.
* @value: the value the bit should have.
+ * @cb: Call back after each trial.
*
* Return: 0 as soon as the bit has taken the desired state or -EAGAIN if
* TIMEOUT_US has elapsed, which ever happens first.
*/
-int coresight_timeout(struct csdev_access *csa, u32 offset,
- int position, int value)
+int coresight_timeout_action(struct csdev_access *csa, u32 offset,
+ int position, int value,
+ coresight_timeout_cb_t cb)
{
int i;
u32 val;
@@ -1481,7 +1483,8 @@ int coresight_timeout(struct csdev_access *csa, u32 offset,
if (!(val & BIT(position)))
return 0;
}
-
+ if (cb)
+ cb(csa, offset, position, value);
/*
* Delay is arbitrary - the specification doesn't say how long
* we are expected to wait. Extra check required to make sure
@@ -1493,6 +1496,13 @@ int coresight_timeout(struct csdev_access *csa, u32 offset,
return -EAGAIN;
}
+EXPORT_SYMBOL_GPL(coresight_timeout_action);
+
+int coresight_timeout(struct csdev_access *csa, u32 offset,
+ int position, int value)
+{
+ return coresight_timeout_action(csa, offset, position, value, NULL);
+}
EXPORT_SYMBOL_GPL(coresight_timeout);
u32 coresight_relaxed_read32(struct coresight_device *csdev, u32 offset)
diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
index 54e5be46973a3..0b7aceb96d753 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -369,6 +369,29 @@ static void etm4_check_arch_features(struct etmv4_drvdata *drvdata,
}
#endif /* CONFIG_ETM4X_IMPDEF_FEATURE */
+static void etm4x_sys_ins_barrier(struct csdev_access *csa, u32 offset, int pos, int val)
+{
+ if (!csa->io_mem)
+ isb();
+}
+
+/*
+ * etm4x_wait_status: Poll for TRCSTATR.<pos> == <val>. While using system
+ * instruction to access the trace unit, each access must be separated by a
+ * synchronization barrier. See ARM IHI0064H.b section "4.3.7 Synchronization of
+ * register updates", for system instructions section, in "Notes":
+ *
+ * "In particular, whenever disabling or enabling the trace unit, a poll of
+ * TRCSTATR needs explicit synchronization between each read of TRCSTATR"
+ */
+static int etm4x_wait_status(struct csdev_access *csa, int pos, int val)
+{
+ if (!csa->io_mem)
+ return coresight_timeout_action(csa, TRCSTATR, pos, val,
+ etm4x_sys_ins_barrier);
+ return coresight_timeout(csa, TRCSTATR, pos, val);
+}
+
static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
{
int i, rc;
@@ -400,7 +423,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
isb();
/* wait for TRCSTATR.IDLE to go up */
- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_IDLE_BIT, 1))
+ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 1))
dev_err(etm_dev,
"timeout while waiting for Idle Trace Status\n");
if (drvdata->nr_pe)
@@ -493,7 +516,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
isb();
/* wait for TRCSTATR.IDLE to go back down to '0' */
- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_IDLE_BIT, 0))
+ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 0))
dev_err(etm_dev,
"timeout while waiting for Idle Trace Status\n");
@@ -818,10 +841,25 @@ static void etm4_disable_hw(void *info)
tsb_csync();
etm4x_relaxed_write32(csa, control, TRCPRGCTLR);
+ /*
+ * As recommended by section 4.3.7 ("Synchronization when using system
+ * instructions to progrom the trace unit") of ARM IHI 0064H.b, the
+ * self-hosted trace analyzer must perform a Context synchronization
+ * event between writing to the TRCPRGCTLR and reading the TRCSTATR.
+ */
+ if (!csa->io_mem)
+ isb();
+
/* wait for TRCSTATR.PMSTABLE to go to '1' */
- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_PMSTABLE_BIT, 1))
+ if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1))
dev_err(etm_dev,
"timeout while waiting for PM stable Trace Status\n");
+ /*
+ * As recommended by section 4.3.7 (Synchronization of register updates)
+ * of ARM IHI 0064H.b.
+ */
+ isb();
+
/* read the status of the single shot comparators */
for (i = 0; i < drvdata->nr_ss_cmp; i++) {
config->ss_status[i] =
@@ -1592,7 +1630,7 @@ static int __etm4_cpu_save(struct etmv4_drvdata *drvdata)
etm4_os_lock(drvdata);
/* wait for TRCSTATR.PMSTABLE to go up */
- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_PMSTABLE_BIT, 1)) {
+ if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1)) {
dev_err(etm_dev,
"timeout while waiting for PM Stable Status\n");
etm4_os_unlock(drvdata);
@@ -1683,7 +1721,7 @@ static int __etm4_cpu_save(struct etmv4_drvdata *drvdata)
state->trcpdcr = etm4x_read32(csa, TRCPDCR);
/* wait for TRCSTATR.IDLE to go up */
- if (coresight_timeout(csa, TRCSTATR, TRCSTATR_IDLE_BIT, 1)) {
+ if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1)) {
dev_err(etm_dev,
"timeout while waiting for Idle Trace Status\n");
etm4_os_unlock(drvdata);
diff --git a/include/linux/coresight.h b/include/linux/coresight.h
index 93a2922b76534..c0a0db99a6896 100644
--- a/include/linux/coresight.h
+++ b/include/linux/coresight.h
@@ -484,6 +484,10 @@ extern int coresight_enable(struct coresight_device *csdev);
extern void coresight_disable(struct coresight_device *csdev);
extern int coresight_timeout(struct csdev_access *csa, u32 offset,
int position, int value);
+typedef void (*coresight_timeout_cb_t) (struct csdev_access *, u32, int, int);
+extern int coresight_timeout_action(struct csdev_access *csa, u32 offset,
+ int position, int value,
+ coresight_timeout_cb_t cb);
extern int coresight_claim_device(struct coresight_device *csdev);
extern int coresight_claim_device_unlocked(struct coresight_device *csdev);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 096/554] coresight: etm4x: Extract the trace unit controlling
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 095/554] coresight-etm4x: add isb() before reading the TRCSTATR Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 097/554] coresight: etm4x: Add context synchronization before enabling trace Greg Kroah-Hartman
` (463 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Mike Leach, James Clark,
Suzuki K Poulose, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 40f682ae5086366d51e29e66eb8a344501245d0d ]
The trace unit is controlled in the ETM hardware enabling and disabling.
The sequential changes for support AUX pause and resume will reuse the
same operations.
Extract the operations in the etm4_{enable|disable}_trace_unit()
functions. A minor improvement in etm4_enable_trace_unit() is for
returning the timeout error to callers.
Signed-off-by: Leo Yan <leo.yan@arm.com>
Reviewed-by: Mike Leach <mike.leach@linaro.org>
Reviewed-by: James Clark <james.clark@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20250401180708.385396-2-leo.yan@arm.com
Stable-dep-of: 64eb04ae5452 ("coresight: etm4x: Add context synchronization before enabling trace")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../coresight/coresight-etm4x-core.c | 103 +++++++++++-------
1 file changed, 62 insertions(+), 41 deletions(-)
diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
index 0b7aceb96d753..7cc854da81988 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -392,6 +392,44 @@ static int etm4x_wait_status(struct csdev_access *csa, int pos, int val)
return coresight_timeout(csa, TRCSTATR, pos, val);
}
+static int etm4_enable_trace_unit(struct etmv4_drvdata *drvdata)
+{
+ struct coresight_device *csdev = drvdata->csdev;
+ struct device *etm_dev = &csdev->dev;
+ struct csdev_access *csa = &csdev->access;
+
+ /*
+ * ETE mandates that the TRCRSR is written to before
+ * enabling it.
+ */
+ if (etm4x_is_ete(drvdata))
+ etm4x_relaxed_write32(csa, TRCRSR_TA, TRCRSR);
+
+ etm4x_allow_trace(drvdata);
+ /* Enable the trace unit */
+ etm4x_relaxed_write32(csa, 1, TRCPRGCTLR);
+
+ /* Synchronize the register updates for sysreg access */
+ if (!csa->io_mem)
+ isb();
+
+ /* wait for TRCSTATR.IDLE to go back down to '0' */
+ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 0)) {
+ dev_err(etm_dev,
+ "timeout while waiting for Idle Trace Status\n");
+ return -ETIME;
+ }
+
+ /*
+ * As recommended by section 4.3.7 ("Synchronization when using the
+ * memory-mapped interface") of ARM IHI 0064D
+ */
+ dsb(sy);
+ isb();
+
+ return 0;
+}
+
static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
{
int i, rc;
@@ -500,33 +538,7 @@ static int etm4_enable_hw(struct etmv4_drvdata *drvdata)
etm4x_relaxed_write32(csa, trcpdcr | TRCPDCR_PU, TRCPDCR);
}
- /*
- * ETE mandates that the TRCRSR is written to before
- * enabling it.
- */
- if (etm4x_is_ete(drvdata))
- etm4x_relaxed_write32(csa, TRCRSR_TA, TRCRSR);
-
- etm4x_allow_trace(drvdata);
- /* Enable the trace unit */
- etm4x_relaxed_write32(csa, 1, TRCPRGCTLR);
-
- /* Synchronize the register updates for sysreg access */
- if (!csa->io_mem)
- isb();
-
- /* wait for TRCSTATR.IDLE to go back down to '0' */
- if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 0))
- dev_err(etm_dev,
- "timeout while waiting for Idle Trace Status\n");
-
- /*
- * As recommended by section 4.3.7 ("Synchronization when using the
- * memory-mapped interface") of ARM IHI 0064D
- */
- dsb(sy);
- isb();
-
+ rc = etm4_enable_trace_unit(drvdata);
done:
etm4_cs_lock(drvdata, csa);
@@ -800,25 +812,12 @@ static int etm4_enable(struct coresight_device *csdev,
return ret;
}
-static void etm4_disable_hw(void *info)
+static void etm4_disable_trace_unit(struct etmv4_drvdata *drvdata)
{
u32 control;
- struct etmv4_drvdata *drvdata = info;
- struct etmv4_config *config = &drvdata->config;
struct coresight_device *csdev = drvdata->csdev;
struct device *etm_dev = &csdev->dev;
struct csdev_access *csa = &csdev->access;
- int i;
-
- etm4_cs_unlock(drvdata, csa);
- etm4_disable_arch_specific(drvdata);
-
- if (!drvdata->skip_power_up) {
- /* power can be removed from the trace unit now */
- control = etm4x_relaxed_read32(csa, TRCPDCR);
- control &= ~TRCPDCR_PU;
- etm4x_relaxed_write32(csa, control, TRCPDCR);
- }
control = etm4x_relaxed_read32(csa, TRCPRGCTLR);
@@ -859,6 +858,28 @@ static void etm4_disable_hw(void *info)
* of ARM IHI 0064H.b.
*/
isb();
+}
+
+static void etm4_disable_hw(void *info)
+{
+ u32 control;
+ struct etmv4_drvdata *drvdata = info;
+ struct etmv4_config *config = &drvdata->config;
+ struct coresight_device *csdev = drvdata->csdev;
+ struct csdev_access *csa = &csdev->access;
+ int i;
+
+ etm4_cs_unlock(drvdata, csa);
+ etm4_disable_arch_specific(drvdata);
+
+ if (!drvdata->skip_power_up) {
+ /* power can be removed from the trace unit now */
+ control = etm4x_relaxed_read32(csa, TRCPDCR);
+ control &= ~TRCPDCR_PU;
+ etm4x_relaxed_write32(csa, control, TRCPDCR);
+ }
+
+ etm4_disable_trace_unit(drvdata);
/* read the status of the single shot comparators */
for (i = 0; i < drvdata->nr_ss_cmp; i++) {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 097/554] coresight: etm4x: Add context synchronization before enabling trace
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 096/554] coresight: etm4x: Extract the trace unit controlling Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 098/554] clk: renesas: r9a06g032: Export function to set dmamux Greg Kroah-Hartman
` (462 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Leach, Yeoreun Yun, James Clark,
Leo Yan, Suzuki K Poulose, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
[ Upstream commit 64eb04ae545294e105ad91714dc3167a0b660731 ]
According to the software usage PKLXF in Arm ARM (ARM DDI 0487 L.a), a
Context synchronization event is required before enabling the trace
unit.
An ISB is added to meet this requirement, particularly for guarding the
operations in the flow:
etm4x_allow_trace()
`> kvm_tracing_set_el1_configuration()
`> write_sysreg_s(trfcr_while_in_guest, SYS_TRFCR_EL12)
Improved the barrier comments to provide more accurate information.
Fixes: 1ab3bb9df5e3 ("coresight: etm4x: Add necessary synchronization for sysreg access")
Reviewed-by: Mike Leach <mike.leach@linaro.org>
Reviewed-by: Yeoreun Yun <yeoreum.yun@arm.com>
Tested-by: James Clark <james.clark@linaro.org>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20251111-arm_coresight_power_management_fix-v6-5-f55553b6c8b3@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../coresight/coresight-etm4x-core.c | 27 ++++++++++++++++---
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/drivers/hwtracing/coresight/coresight-etm4x-core.c b/drivers/hwtracing/coresight/coresight-etm4x-core.c
index 7cc854da81988..ce03a53fea7ad 100644
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -406,10 +406,24 @@ static int etm4_enable_trace_unit(struct etmv4_drvdata *drvdata)
etm4x_relaxed_write32(csa, TRCRSR_TA, TRCRSR);
etm4x_allow_trace(drvdata);
+
+ /*
+ * According to software usage PKLXF in Arm ARM (ARM DDI 0487 L.a),
+ * execute a Context synchronization event to guarantee the trace unit
+ * will observe the new values of the System registers.
+ */
+ if (!csa->io_mem)
+ isb();
+
/* Enable the trace unit */
etm4x_relaxed_write32(csa, 1, TRCPRGCTLR);
- /* Synchronize the register updates for sysreg access */
+ /*
+ * As recommended by section 4.3.7 ("Synchronization when using system
+ * instructions to progrom the trace unit") of ARM IHI 0064H.b, the
+ * self-hosted trace analyzer must perform a Context synchronization
+ * event between writing to the TRCPRGCTLR and reading the TRCSTATR.
+ */
if (!csa->io_mem)
isb();
@@ -830,11 +844,16 @@ static void etm4_disable_trace_unit(struct etmv4_drvdata *drvdata)
*/
etm4x_prohibit_trace(drvdata);
/*
- * Make sure everything completes before disabling, as recommended
- * by section 7.3.77 ("TRCVICTLR, ViewInst Main Control Register,
- * SSTATUS") of ARM IHI 0064D
+ * Prevent being speculative at the point of disabling the trace unit,
+ * as recommended by section 7.3.77 ("TRCVICTLR, ViewInst Main Control
+ * Register, SSTATUS") of ARM IHI 0064D
*/
dsb(sy);
+ /*
+ * According to software usage VKHHY in Arm ARM (ARM DDI 0487 L.a),
+ * execute a Context synchronization event to guarantee no new
+ * program-flow trace is generated.
+ */
isb();
/* Trace synchronization barrier, is a nop if not supported */
tsb_csync();
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 098/554] clk: renesas: r9a06g032: Export function to set dmamux
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 097/554] coresight: etm4x: Add context synchronization before enabling trace Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 099/554] soc: renesas: r9a06g032-sysctrl: Handle h2mode setting based on USBF presence Greg Kroah-Hartman
` (461 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Stephen Boyd,
Geert Uytterhoeven, Vinod Koul, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
[ Upstream commit 885525c1e7e27ea6207d648a8db20dfbbd9e4238 ]
The dmamux register is located within the system controller.
Without syscon, we need an extra helper in order to give write access to
this register to a dmamux driver.
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Acked-by: Stephen Boyd <sboyd@kernel.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20220427095653.91804-5-miquel.raynal@bootlin.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Stable-dep-of: f8def051bbcf ("clk: renesas: r9a06g032: Fix memory leak in error path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a06g032-clocks.c | 35 ++++++++++++++++++-
include/linux/soc/renesas/r9a06g032-sysctrl.h | 11 ++++++
2 files changed, 45 insertions(+), 1 deletion(-)
create mode 100644 include/linux/soc/renesas/r9a06g032-sysctrl.h
diff --git a/drivers/clk/renesas/r9a06g032-clocks.c b/drivers/clk/renesas/r9a06g032-clocks.c
index 3e43ae8480ddf..9f42d46ce6192 100644
--- a/drivers/clk/renesas/r9a06g032-clocks.c
+++ b/drivers/clk/renesas/r9a06g032-clocks.c
@@ -20,9 +20,12 @@
#include <linux/pm_clock.h>
#include <linux/pm_domain.h>
#include <linux/slab.h>
+#include <linux/soc/renesas/r9a06g032-sysctrl.h>
#include <linux/spinlock.h>
#include <dt-bindings/clock/r9a06g032-sysctrl.h>
+#define R9A06G032_SYSCTRL_DMAMUX 0xA0
+
struct r9a06g032_gate {
u16 gate, reset, ready, midle,
scon, mirack, mistat;
@@ -315,6 +318,30 @@ struct r9a06g032_priv {
void __iomem *reg;
};
+static struct r9a06g032_priv *sysctrl_priv;
+
+/* Exported helper to access the DMAMUX register */
+int r9a06g032_sysctrl_set_dmamux(u32 mask, u32 val)
+{
+ unsigned long flags;
+ u32 dmamux;
+
+ if (!sysctrl_priv)
+ return -EPROBE_DEFER;
+
+ spin_lock_irqsave(&sysctrl_priv->lock, flags);
+
+ dmamux = readl(sysctrl_priv->reg + R9A06G032_SYSCTRL_DMAMUX);
+ dmamux &= ~mask;
+ dmamux |= val & mask;
+ writel(dmamux, sysctrl_priv->reg + R9A06G032_SYSCTRL_DMAMUX);
+
+ spin_unlock_irqrestore(&sysctrl_priv->lock, flags);
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(r9a06g032_sysctrl_set_dmamux);
+
/* register/bit pairs are encoded as an uint16_t */
static void
clk_rdesc_set(struct r9a06g032_priv *clocks,
@@ -962,7 +989,13 @@ static int __init r9a06g032_clocks_probe(struct platform_device *pdev)
if (error)
return error;
- return r9a06g032_add_clk_domain(dev);
+ error = r9a06g032_add_clk_domain(dev);
+ if (error)
+ return error;
+
+ sysctrl_priv = clocks;
+
+ return 0;
}
static const struct of_device_id r9a06g032_match[] = {
diff --git a/include/linux/soc/renesas/r9a06g032-sysctrl.h b/include/linux/soc/renesas/r9a06g032-sysctrl.h
new file mode 100644
index 0000000000000..066dfb15cbddd
--- /dev/null
+++ b/include/linux/soc/renesas/r9a06g032-sysctrl.h
@@ -0,0 +1,11 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __LINUX_SOC_RENESAS_R9A06G032_SYSCTRL_H__
+#define __LINUX_SOC_RENESAS_R9A06G032_SYSCTRL_H__
+
+#ifdef CONFIG_CLK_R9A06G032
+int r9a06g032_sysctrl_set_dmamux(u32 mask, u32 val);
+#else
+static inline int r9a06g032_sysctrl_set_dmamux(u32 mask, u32 val) { return -ENODEV; }
+#endif
+
+#endif /* __LINUX_SOC_RENESAS_R9A06G032_SYSCTRL_H__ */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 099/554] soc: renesas: r9a06g032-sysctrl: Handle h2mode setting based on USBF presence
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 098/554] clk: renesas: r9a06g032: Export function to set dmamux Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 100/554] clk: renesas: r9a06g032: Fix memory leak in error path Greg Kroah-Hartman
` (460 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Herve Codina, Geert Uytterhoeven,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herve Codina <herve.codina@bootlin.com>
[ Upstream commit e9fee814b054e4f6f2faf3d9c1944869fe41c9dd ]
The CFG_USB[H2MODE] allows to switch the USB configuration. The
configuration supported are:
- One host and one device
or
- Two hosts
Set CFG_USB[H2MODE] based on the USBF controller (USB device)
availability.
Signed-off-by: Herve Codina <herve.codina@bootlin.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20230105152257.310642-3-herve.codina@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: f8def051bbcf ("clk: renesas: r9a06g032: Fix memory leak in error path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a06g032-clocks.c | 28 ++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/drivers/clk/renesas/r9a06g032-clocks.c b/drivers/clk/renesas/r9a06g032-clocks.c
index 9f42d46ce6192..e46280059db79 100644
--- a/drivers/clk/renesas/r9a06g032-clocks.c
+++ b/drivers/clk/renesas/r9a06g032-clocks.c
@@ -24,6 +24,8 @@
#include <linux/spinlock.h>
#include <dt-bindings/clock/r9a06g032-sysctrl.h>
+#define R9A06G032_SYSCTRL_USB 0x00
+#define R9A06G032_SYSCTRL_USB_H2MODE (1<<1)
#define R9A06G032_SYSCTRL_DMAMUX 0xA0
struct r9a06g032_gate {
@@ -919,6 +921,29 @@ static void r9a06g032_clocks_del_clk_provider(void *data)
of_clk_del_provider(data);
}
+static void __init r9a06g032_init_h2mode(struct r9a06g032_priv *clocks)
+{
+ struct device_node *usbf_np = NULL;
+ u32 usb;
+
+ while ((usbf_np = of_find_compatible_node(usbf_np, NULL,
+ "renesas,rzn1-usbf"))) {
+ if (of_device_is_available(usbf_np))
+ break;
+ }
+
+ usb = readl(clocks->reg + R9A06G032_SYSCTRL_USB);
+ if (usbf_np) {
+ /* 1 host and 1 device mode */
+ usb &= ~R9A06G032_SYSCTRL_USB_H2MODE;
+ of_node_put(usbf_np);
+ } else {
+ /* 2 hosts mode */
+ usb |= R9A06G032_SYSCTRL_USB_H2MODE;
+ }
+ writel(usb, clocks->reg + R9A06G032_SYSCTRL_USB);
+}
+
static int __init r9a06g032_clocks_probe(struct platform_device *pdev)
{
struct device *dev = &pdev->dev;
@@ -948,6 +973,9 @@ static int __init r9a06g032_clocks_probe(struct platform_device *pdev)
clocks->reg = of_iomap(np, 0);
if (WARN_ON(!clocks->reg))
return -ENOMEM;
+
+ r9a06g032_init_h2mode(clocks);
+
for (i = 0; i < ARRAY_SIZE(r9a06g032_clocks); ++i) {
const struct r9a06g032_clkdesc *d = &r9a06g032_clocks[i];
const char *parent_name = d->source ?
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 100/554] clk: renesas: r9a06g032: Fix memory leak in error path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 099/554] soc: renesas: r9a06g032-sysctrl: Handle h2mode setting based on USBF presence Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 101/554] lib/vsprintf: Check pointer before dereferencing in time_and_date() Greg Kroah-Hartman
` (459 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Geert Uytterhoeven,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit f8def051bbcf8677f64701e9699bf6d11e2780cd ]
The current code uses of_iomap() to map registers but never calls
iounmap() on any error path after the mapping. This causes a memory
leak when probe fails after successful ioremap, for example when
of_clk_add_provider() or r9a06g032_add_clk_domain() fails.
Replace of_iomap() with devm_of_iomap() to automatically unmap the
region on probe failure. Update the error check accordingly to use
IS_ERR() and PTR_ERR() since devm_of_iomap() returns ERR_PTR on error.
Fixes: 4c3d88526eba ("clk: renesas: Renesas R9A06G032 clock driver")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20251030061603.1954-1-vulab@iscas.ac.cn
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a06g032-clocks.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/clk/renesas/r9a06g032-clocks.c b/drivers/clk/renesas/r9a06g032-clocks.c
index e46280059db79..7ee8443a38041 100644
--- a/drivers/clk/renesas/r9a06g032-clocks.c
+++ b/drivers/clk/renesas/r9a06g032-clocks.c
@@ -970,9 +970,9 @@ static int __init r9a06g032_clocks_probe(struct platform_device *pdev)
if (IS_ERR(mclk))
return PTR_ERR(mclk);
- clocks->reg = of_iomap(np, 0);
- if (WARN_ON(!clocks->reg))
- return -ENOMEM;
+ clocks->reg = devm_of_iomap(dev, np, 0, NULL);
+ if (IS_ERR(clocks->reg))
+ return PTR_ERR(clocks->reg);
r9a06g032_init_h2mode(clocks);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 101/554] lib/vsprintf: Check pointer before dereferencing in time_and_date()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 100/554] clk: renesas: r9a06g032: Fix memory leak in error path Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 102/554] ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() Greg Kroah-Hartman
` (458 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Petr Mladek,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 372a12bd5df0199aa234eaf8ef31ed7ecd61d40f ]
The pointer may be invalid when gets to the printf(). In particular
the time_and_date() dereferencing it in some cases without checking.
Move the check from rtc_str() to time_and_date() to cover all cases.
Fixes: 7daac5b2fdf8 ("lib/vsprintf: Print time64_t in human readable format")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Link: https://patch.msgid.link/20251110132118.4113976-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/vsprintf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index e46eb93c115dd..fc1cf66fffdb3 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1889,9 +1889,6 @@ char *rtc_str(char *buf, char *end, const struct rtc_time *tm,
bool found = true;
int count = 2;
- if (check_pointer(&buf, end, tm, spec))
- return buf;
-
switch (fmt[count]) {
case 'd':
have_t = false;
@@ -1957,6 +1954,9 @@ static noinline_for_stack
char *time_and_date(char *buf, char *end, void *ptr, struct printf_spec spec,
const char *fmt)
{
+ if (check_pointer(&buf, end, ptr, spec))
+ return buf;
+
switch (fmt[1]) {
case 'R':
return rtc_str(buf, end, (const struct rtc_time *)ptr, spec, fmt);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 102/554] ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 101/554] lib/vsprintf: Check pointer before dereferencing in time_and_date() Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 103/554] ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint() Greg Kroah-Hartman
` (457 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov,
syzbot+727d161855d11d81e411, Joseph Qi, Mark Fasheh, Joel Becker,
Junxiao Bi, Changwei Ge, Jun Piao, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 8a7d58845fae061c62b50bc5eeb9bae4a1dedc3d ]
In '__ocfs2_move_extent()', relax 'BUG()' to 'ocfs2_error()' just
to avoid crashing the whole kernel due to a filesystem corruption.
Fixes: 8f603e567aa7 ("Ocfs2/move_extents: move a range of extent.")
Link: https://lkml.kernel.org/r/20251009102349.181126-2-dmantipov@yandex.ru
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Closes: https://syzkaller.appspot.com/bug?extid=727d161855d11d81e411
Reported-by: syzbot+727d161855d11d81e411@syzkaller.appspotmail.com
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/move_extents.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c
index 866d57dfe9f74..1ac42064657d5 100644
--- a/fs/ocfs2/move_extents.c
+++ b/fs/ocfs2/move_extents.c
@@ -98,7 +98,13 @@ static int __ocfs2_move_extent(handle_t *handle,
rec = &el->l_recs[index];
- BUG_ON(ext_flags != rec->e_flags);
+ if (ext_flags != rec->e_flags) {
+ ret = ocfs2_error(inode->i_sb,
+ "Inode %llu has corrupted extent %d with flags 0x%x at cpos %u\n",
+ (unsigned long long)ino, index, rec->e_flags, cpos);
+ goto out;
+ }
+
/*
* after moving/defraging to new location, the extent is not going
* to be refcounted anymore.
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 103/554] ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 102/554] ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 104/554] scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls Greg Kroah-Hartman
` (456 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Sakari Ailus,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 593ee49222a0d751062fd9a5e4a963ade4ec028a ]
acpi_fwnode_graph_parse_endpoint() calls fwnode_get_parent() to obtain the
parent fwnode but returns without calling fwnode_handle_put() on it. This
potentially leads to a fwnode refcount leak and prevents the parent node
from being released properly.
Call fwnode_handle_put() on the parent fwnode before returning to prevent
the leak from occurring.
Fixes: 3b27d00e7b6d ("device property: Move fwnode graph ops to firmware specific locations")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20251111075000.1828-1-vulab@iscas.ac.cn
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/property.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c
index 4205c7fdc4cc9..7f0fa58b634a3 100644
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -1402,6 +1402,7 @@ static int acpi_fwnode_graph_parse_endpoint(const struct fwnode_handle *fwnode,
if (fwnode_property_read_u32(fwnode, "reg", &endpoint->id))
fwnode_property_read_u32(fwnode, "endpoint", &endpoint->id);
+ fwnode_handle_put(port_fwnode);
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 104/554] scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 103/554] ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint() Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 105/554] leds: netxbig: Fix GPIO descriptor leak in error paths Greg Kroah-Hartman
` (455 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit acd194d9b5bac419e04968ffa44351afabb50bac ]
The driver calls ioport_map() to map I/O ports in sim710_probe_common()
but never calls ioport_unmap() to release the mapping. This causes
resource leaks in both the error path when request_irq() fails and in
the normal device removal path via sim710_device_remove().
Add ioport_unmap() calls in the out_release error path and in
sim710_device_remove().
Fixes: 56fece20086e ("[PATCH] finally fix 53c700 to use the generic iomem infrastructure")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251029032555.1476-1-vulab@iscas.ac.cn
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sim710.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/sim710.c b/drivers/scsi/sim710.c
index e519df68d603d..70c75ab1453a1 100644
--- a/drivers/scsi/sim710.c
+++ b/drivers/scsi/sim710.c
@@ -133,6 +133,7 @@ static int sim710_probe_common(struct device *dev, unsigned long base_addr,
out_put_host:
scsi_host_put(host);
out_release:
+ ioport_unmap(hostdata->base);
release_region(base_addr, 64);
out_free:
kfree(hostdata);
@@ -148,6 +149,7 @@ static int sim710_device_remove(struct device *dev)
scsi_remove_host(host);
NCR_700_release(host);
+ ioport_unmap(hostdata->base);
kfree(hostdata);
free_irq(host->irq, host);
release_region(host->base, 64);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 105/554] leds: netxbig: Fix GPIO descriptor leak in error paths
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 104/554] scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 106/554] PCI: keystone: Exit ks_pcie_probe() for invalid mode Greg Kroah-Hartman
` (454 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Elfring, Haotian Zhang,
Lee Jones, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 03865dd8af52eb16c38062df2ed30a91b604780e ]
The function netxbig_gpio_ext_get() acquires GPIO descriptors but
fails to release them when errors occur mid-way through initialization.
The cleanup callback registered by devm_add_action_or_reset() only
runs on success, leaving acquired GPIOs leaked on error paths.
Add goto-based error handling to release all acquired GPIOs before
returning errors.
Fixes: 9af512e81964 ("leds: netxbig: Convert to use GPIO descriptors")
Suggested-by: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251031021620.781-1-vulab@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/leds-netxbig.c | 36 ++++++++++++++++++++++++++----------
1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/drivers/leds/leds-netxbig.c b/drivers/leds/leds-netxbig.c
index 6692de0af68f1..ea0801b9cb010 100644
--- a/drivers/leds/leds-netxbig.c
+++ b/drivers/leds/leds-netxbig.c
@@ -364,6 +364,9 @@ static int netxbig_gpio_ext_get(struct device *dev,
if (!addr)
return -ENOMEM;
+ gpio_ext->addr = addr;
+ gpio_ext->num_addr = 0;
+
/*
* We cannot use devm_ managed resources with these GPIO descriptors
* since they are associated with the "GPIO extension device" which
@@ -375,45 +378,58 @@ static int netxbig_gpio_ext_get(struct device *dev,
gpiod = gpiod_get_index(gpio_ext_dev, "addr", i,
GPIOD_OUT_LOW);
if (IS_ERR(gpiod))
- return PTR_ERR(gpiod);
+ goto err_set_code;
gpiod_set_consumer_name(gpiod, "GPIO extension addr");
addr[i] = gpiod;
+ gpio_ext->num_addr++;
}
- gpio_ext->addr = addr;
- gpio_ext->num_addr = num_addr;
ret = gpiod_count(gpio_ext_dev, "data");
if (ret < 0) {
dev_err(dev,
"Failed to count GPIOs in DT property data-gpios\n");
- return ret;
+ goto err_free_addr;
}
num_data = ret;
data = devm_kcalloc(dev, num_data, sizeof(*data), GFP_KERNEL);
- if (!data)
- return -ENOMEM;
+ if (!data) {
+ ret = -ENOMEM;
+ goto err_free_addr;
+ }
+
+ gpio_ext->data = data;
+ gpio_ext->num_data = 0;
for (i = 0; i < num_data; i++) {
gpiod = gpiod_get_index(gpio_ext_dev, "data", i,
GPIOD_OUT_LOW);
if (IS_ERR(gpiod))
- return PTR_ERR(gpiod);
+ goto err_free_data;
gpiod_set_consumer_name(gpiod, "GPIO extension data");
data[i] = gpiod;
+ gpio_ext->num_data++;
}
- gpio_ext->data = data;
- gpio_ext->num_data = num_data;
gpiod = gpiod_get(gpio_ext_dev, "enable", GPIOD_OUT_LOW);
if (IS_ERR(gpiod)) {
dev_err(dev,
"Failed to get GPIO from DT property enable-gpio\n");
- return PTR_ERR(gpiod);
+ goto err_free_data;
}
gpiod_set_consumer_name(gpiod, "GPIO extension enable");
gpio_ext->enable = gpiod;
return devm_add_action_or_reset(dev, netxbig_gpio_ext_remove, gpio_ext);
+
+err_free_data:
+ for (i = 0; i < gpio_ext->num_data; i++)
+ gpiod_put(gpio_ext->data[i]);
+err_set_code:
+ ret = PTR_ERR(gpiod);
+err_free_addr:
+ for (i = 0; i < gpio_ext->num_addr; i++)
+ gpiod_put(gpio_ext->addr[i]);
+ return ret;
}
static int netxbig_leds_get_of_pdata(struct device *dev,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 106/554] PCI: keystone: Exit ks_pcie_probe() for invalid mode
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 105/554] leds: netxbig: Fix GPIO descriptor leak in error paths Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 107/554] ps3disk: use memcpy_{from,to}_bvec index Greg Kroah-Hartman
` (453 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Siddharth Vadapalli,
Manivannan Sadhasivam, Bjorn Helgaas, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Siddharth Vadapalli <s-vadapalli@ti.com>
[ Upstream commit 95d9c3f0e4546eaec0977f3b387549a8463cd49f ]
Commit under Fixes introduced support for PCIe EP mode on AM654x platforms.
When the mode happens to be either "DW_PCIE_RC_TYPE" or "DW_PCIE_EP_TYPE",
the PCIe Controller is configured accordingly. However, when the mode is
neither of them, an error message is displayed, but the driver probe
succeeds. Since this "invalid" mode is not associated with a functional
PCIe Controller, the probe should fail.
Fix the behavior by exiting "ks_pcie_probe()" with the return value of
"-EINVAL" in addition to displaying the existing error message when the
mode is invalid.
Fixes: 23284ad677a9 ("PCI: keystone: Add support for PCIe EP in AM654x Platforms")
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/20251029080547.1253757-4-s-vadapalli@ti.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pci-keystone.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
index c277f76276ab1..ad399e9ce5dc5 100644
--- a/drivers/pci/controller/dwc/pci-keystone.c
+++ b/drivers/pci/controller/dwc/pci-keystone.c
@@ -1328,6 +1328,8 @@ static int ks_pcie_probe(struct platform_device *pdev)
break;
default:
dev_err(dev, "INVALID device type %d\n", mode);
+ ret = -EINVAL;
+ goto err_get_sync;
}
ks_pcie_enable_error_irq(ks_pcie);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 107/554] ps3disk: use memcpy_{from,to}_bvec index
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 106/554] PCI: keystone: Exit ks_pcie_probe() for invalid mode Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 108/554] selftests/bpf: Fix failure paths in send_signal test Greg Kroah-Hartman
` (452 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Christoph Hellwig,
Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rene Rebe <rene@exactco.de>
[ Upstream commit 79bd8c9814a273fa7ba43399e1c07adec3fc95db ]
With 6e0a48552b8c (ps3disk: use memcpy_{from,to}_bvec) converting
ps3disk to new bvec helpers, incrementing the offset was accidently
lost, corrupting consecutive buffers. Restore index for non-corrupted
data transfers.
Fixes: 6e0a48552b8c (ps3disk: use memcpy_{from,to}_bvec)
Signed-off-by: René Rebe <rene@exactco.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/ps3disk.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/block/ps3disk.c b/drivers/block/ps3disk.c
index 8d51efbe045dd..8628ee818da96 100644
--- a/drivers/block/ps3disk.c
+++ b/drivers/block/ps3disk.c
@@ -85,10 +85,14 @@ static void ps3disk_scatter_gather(struct ps3_storage_device *dev,
struct bio_vec bvec;
rq_for_each_segment(bvec, req, iter) {
+ dev_dbg(&dev->sbd.core, "%s:%u: %u sectors from %llu\n",
+ __func__, __LINE__, bio_sectors(iter.bio),
+ iter.bio->bi_iter.bi_sector);
if (gather)
memcpy_from_bvec(dev->bounce_buf + offset, &bvec);
else
memcpy_to_bvec(&bvec, dev->bounce_buf + offset);
+ offset += bvec.bv_len;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 108/554] selftests/bpf: Fix failure paths in send_signal test
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 107/554] ps3disk: use memcpy_{from,to}_bvec index Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 109/554] watchdog: wdat_wdt: Stop watchdog when uninstalling module Greg Kroah-Hartman
` (451 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexei Starovoitov, Andrii Nakryiko,
Eduard Zingerman, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Starovoitov <ast@kernel.org>
[ Upstream commit c13339039891dbdfa6c1972f0483bd07f610b776 ]
When test_send_signal_kern__open_and_load() fails parent closes the
pipe which cases ASSERT_EQ(read(pipe_p2c...)) to fail, but child
continues and enters infinite loop, while parent is stuck in wait(NULL).
Other error paths have similar issue, so kill the child before waiting on it.
The bug was discovered while compiling all of selftests with -O1 instead of -O2
which caused progs/test_send_signal_kern.c to fail to load.
Fixes: ab8b7f0cb358 ("tools/bpf: Add self tests for bpf_send_signal_thread()")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20251113171153.2583-1-alexei.starovoitov@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/prog_tests/send_signal.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/send_signal.c b/tools/testing/selftests/bpf/prog_tests/send_signal.c
index 7b1343f70e65a..ab5fedc5741e8 100644
--- a/tools/testing/selftests/bpf/prog_tests/send_signal.c
+++ b/tools/testing/selftests/bpf/prog_tests/send_signal.c
@@ -138,6 +138,11 @@ static void test_send_signal_common(struct perf_event_attr *attr,
skel_open_load_failure:
close(pipe_c2p[0]);
close(pipe_p2c[1]);
+ /*
+ * Child is either about to exit cleanly or stuck in case of errors.
+ * Nudge it to exit.
+ */
+ kill(pid, SIGKILL);
wait(NULL);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 109/554] watchdog: wdat_wdt: Stop watchdog when uninstalling module
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 108/554] selftests/bpf: Fix failure paths in send_signal test Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 110/554] watchdog: wdat_wdt: Fix ACPI table leak in probe function Greg Kroah-Hartman
` (450 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liu Xinpeng, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liu Xinpeng <liuxp11@chinatelecom.cn>
[ Upstream commit 330415ebea81b65842e4cc6d2fd985c1b369e650 ]
Test shows that wachdog still reboots machine after the module
is removed. Use watchdog_stop_on_unregister to stop the watchdog
on removing.
Signed-off-by: Liu Xinpeng <liuxp11@chinatelecom.cn>
eviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/1650984810-6247-4-git-send-email-liuxp11@chinatelecom.cn
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Stable-dep-of: 25c0b472eab8 ("watchdog: wdat_wdt: Fix ACPI table leak in probe function")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/wdat_wdt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/watchdog/wdat_wdt.c b/drivers/watchdog/wdat_wdt.c
index 4fac8148a8e62..51cd99428940a 100644
--- a/drivers/watchdog/wdat_wdt.c
+++ b/drivers/watchdog/wdat_wdt.c
@@ -463,6 +463,7 @@ static int wdat_wdt_probe(struct platform_device *pdev)
watchdog_set_nowayout(&wdat->wdd, nowayout);
watchdog_stop_on_reboot(&wdat->wdd);
+ watchdog_stop_on_unregister(&wdat->wdd);
return devm_watchdog_register_device(dev, &wdat->wdd);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 110/554] watchdog: wdat_wdt: Fix ACPI table leak in probe function
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 109/554] watchdog: wdat_wdt: Stop watchdog when uninstalling module Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 111/554] NFSD/blocklayout: Fix minlength check in proc_layoutget Greg Kroah-Hartman
` (449 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Haotian Zhang,
Wim Van Sebroeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 25c0b472eab8379683d4eef681185c104bed8ffd ]
wdat_wdt_probe() calls acpi_get_table() to obtain the WDAT ACPI table but
never calls acpi_put_table() on any paths. This causes a permanent ACPI
table memory leak.
Add a single cleanup path which calls acpi_put_table() to ensure
the ACPI table is always released.
Fixes: 058dfc767008 ("ACPI / watchdog: Add support for WDAT hardware watchdog")
Suggested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/wdat_wdt.c | 64 +++++++++++++++++++++++++------------
1 file changed, 43 insertions(+), 21 deletions(-)
diff --git a/drivers/watchdog/wdat_wdt.c b/drivers/watchdog/wdat_wdt.c
index 51cd99428940a..88e87cab5966a 100644
--- a/drivers/watchdog/wdat_wdt.c
+++ b/drivers/watchdog/wdat_wdt.c
@@ -327,19 +327,27 @@ static int wdat_wdt_probe(struct platform_device *pdev)
return -ENODEV;
wdat = devm_kzalloc(dev, sizeof(*wdat), GFP_KERNEL);
- if (!wdat)
- return -ENOMEM;
+ if (!wdat) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
regs = devm_kcalloc(dev, pdev->num_resources, sizeof(*regs),
GFP_KERNEL);
- if (!regs)
- return -ENOMEM;
+ if (!regs) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
/* WDAT specification wants to have >= 1ms period */
- if (tbl->timer_period < 1)
- return -EINVAL;
- if (tbl->min_count > tbl->max_count)
- return -EINVAL;
+ if (tbl->timer_period < 1) {
+ ret = -EINVAL;
+ goto out_put_table;
+ }
+ if (tbl->min_count > tbl->max_count) {
+ ret = -EINVAL;
+ goto out_put_table;
+ }
wdat->period = tbl->timer_period;
wdat->wdd.min_hw_heartbeat_ms = wdat->period * tbl->min_count;
@@ -356,15 +364,20 @@ static int wdat_wdt_probe(struct platform_device *pdev)
res = &pdev->resource[i];
if (resource_type(res) == IORESOURCE_MEM) {
reg = devm_ioremap_resource(dev, res);
- if (IS_ERR(reg))
- return PTR_ERR(reg);
+ if (IS_ERR(reg)) {
+ ret = PTR_ERR(reg);
+ goto out_put_table;
+ }
} else if (resource_type(res) == IORESOURCE_IO) {
reg = devm_ioport_map(dev, res->start, 1);
- if (!reg)
- return -ENOMEM;
+ if (!reg) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
} else {
dev_err(dev, "Unsupported resource\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto out_put_table;
}
regs[i] = reg;
@@ -386,8 +399,10 @@ static int wdat_wdt_probe(struct platform_device *pdev)
}
instr = devm_kzalloc(dev, sizeof(*instr), GFP_KERNEL);
- if (!instr)
- return -ENOMEM;
+ if (!instr) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
INIT_LIST_HEAD(&instr->node);
instr->entry = entries[i];
@@ -418,7 +433,8 @@ static int wdat_wdt_probe(struct platform_device *pdev)
if (!instr->reg) {
dev_err(dev, "I/O resource not found\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto out_put_table;
}
instructions = wdat->instructions[action];
@@ -426,8 +442,10 @@ static int wdat_wdt_probe(struct platform_device *pdev)
instructions = devm_kzalloc(dev,
sizeof(*instructions),
GFP_KERNEL);
- if (!instructions)
- return -ENOMEM;
+ if (!instructions) {
+ ret = -ENOMEM;
+ goto out_put_table;
+ }
INIT_LIST_HEAD(instructions);
wdat->instructions[action] = instructions;
@@ -441,7 +459,7 @@ static int wdat_wdt_probe(struct platform_device *pdev)
ret = wdat_wdt_enable_reboot(wdat);
if (ret)
- return ret;
+ goto out_put_table;
platform_set_drvdata(pdev, wdat);
@@ -459,12 +477,16 @@ static int wdat_wdt_probe(struct platform_device *pdev)
ret = wdat_wdt_set_timeout(&wdat->wdd, timeout);
if (ret)
- return ret;
+ goto out_put_table;
watchdog_set_nowayout(&wdat->wdd, nowayout);
watchdog_stop_on_reboot(&wdat->wdd);
watchdog_stop_on_unregister(&wdat->wdd);
- return devm_watchdog_register_device(dev, &wdat->wdd);
+ ret = devm_watchdog_register_device(dev, &wdat->wdd);
+
+out_put_table:
+ acpi_put_table((struct acpi_table_header *)tbl);
+ return ret;
}
#ifdef CONFIG_PM_SLEEP
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 111/554] NFSD/blocklayout: Fix minlength check in proc_layoutget
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 110/554] watchdog: wdat_wdt: Fix ACPI table leak in probe function Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 112/554] wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() Greg Kroah-Hartman
` (448 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sergey Bashirov, Christoph Hellwig,
Chuck Lever, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Bashirov <sergeybashirov@gmail.com>
[ Upstream commit 3524b021b0ec620a76c89aee78e9d4b4130fb711 ]
The extent returned by the file system may have a smaller offset than
the segment offset requested by the client. In this case, the minimum
segment length must be checked against the requested range. Otherwise,
the client may not be able to continue the read/write operation.
Fixes: 8650b8a05850 ("nfsd: pNFS block layout driver")
Signed-off-by: Sergey Bashirov <sergeybashirov@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/blocklayout.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/nfsd/blocklayout.c b/fs/nfsd/blocklayout.c
index ba8961e72feaa..735fd1cdf4771 100644
--- a/fs/nfsd/blocklayout.c
+++ b/fs/nfsd/blocklayout.c
@@ -27,6 +27,7 @@ nfsd4_block_proc_layoutget(struct inode *inode, const struct svc_fh *fhp,
{
struct nfsd4_layout_seg *seg = &args->lg_seg;
struct super_block *sb = inode->i_sb;
+ u64 length;
u32 block_size = i_blocksize(inode);
struct pnfs_block_extent *bex;
struct iomap iomap;
@@ -57,7 +58,8 @@ nfsd4_block_proc_layoutget(struct inode *inode, const struct svc_fh *fhp,
goto out_error;
}
- if (iomap.length < args->lg_minlength) {
+ length = iomap.offset + iomap.length - seg->offset;
+ if (length < args->lg_minlength) {
dprintk("pnfsd: extent smaller than minlength\n");
goto out_layoutunavailable;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 112/554] wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 111/554] NFSD/blocklayout: Fix minlength check in proc_layoutget Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 113/554] powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format Greg Kroah-Hartman
` (447 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Ping-Ke Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit 9b5b9c042b30befc5b37e4539ace95af70843473 ]
In rtl8180_init_rx_ring(), memory is allocated for skb packets and DMA
allocations in a loop. When an allocation fails, the previously
successful allocations are not freed on exit.
Fix that by jumping to err_free_rings label on error, which calls
rtl8180_free_rx_ring() to free the allocations. Remove the free of
rx_ring in rtl8180_init_rx_ring() error path, and set the freed
priv->rx_buf entry to null, to avoid double free.
Fixes: f653211197f3 ("Add rtl8180 wireless driver")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20251114094527.79842-1-nihaal@cse.iitm.ac.in
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
index 025619cd14e82..acd6743f3827f 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8180/dev.c
@@ -1023,9 +1023,6 @@ static int rtl8180_init_rx_ring(struct ieee80211_hw *dev)
dma_addr_t *mapping;
entry = priv->rx_ring + priv->rx_ring_sz*i;
if (!skb) {
- dma_free_coherent(&priv->pdev->dev,
- priv->rx_ring_sz * 32,
- priv->rx_ring, priv->rx_ring_dma);
wiphy_err(dev->wiphy, "Cannot allocate RX skb\n");
return -ENOMEM;
}
@@ -1037,9 +1034,7 @@ static int rtl8180_init_rx_ring(struct ieee80211_hw *dev)
if (dma_mapping_error(&priv->pdev->dev, *mapping)) {
kfree_skb(skb);
- dma_free_coherent(&priv->pdev->dev,
- priv->rx_ring_sz * 32,
- priv->rx_ring, priv->rx_ring_dma);
+ priv->rx_buf[i] = NULL;
wiphy_err(dev->wiphy, "Cannot map DMA for RX skb\n");
return -ENOMEM;
}
@@ -1130,7 +1125,7 @@ static int rtl8180_start(struct ieee80211_hw *dev)
ret = rtl8180_init_rx_ring(dev);
if (ret)
- return ret;
+ goto err_free_rings;
for (i = 0; i < (dev->queues + 1); i++)
if ((ret = rtl8180_init_tx_ring(dev, i, 16)))
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 113/554] powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 112/554] wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() Greg Kroah-Hartman
@ 2026-01-15 16:42 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 114/554] fs/ntfs3: Remove unused mi_mark_free Greg Kroah-Hartman
` (446 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:42 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM),
Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
[ Upstream commit eae40a6da63faa9fb63ff61f8fa2b3b57da78a84 ]
HPTE format was changed since Power9 (ISA 3.0) onwards. While dumping
kernel hash page tables, nothing gets printed on powernv P9+. This patch
utilizes the helpers added in the patch tagged as fixes, to convert new
format to old format and dump the hptes. This fix is only needed for
native_find() (powernv), since pseries continues to work fine with the
old format.
Fixes: 6b243fcfb5f1e ("powerpc/64: Simplify adaptation to new ISA v3.00 HPTE format")
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/4c2bb9e5b3cfbc0dd80b61b67cdd3ccfc632684c.1761834163.git.ritesh.list@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/mm/ptdump/hashpagetable.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/powerpc/mm/ptdump/hashpagetable.c b/arch/powerpc/mm/ptdump/hashpagetable.c
index c7f824d294b25..5e482b90c4007 100644
--- a/arch/powerpc/mm/ptdump/hashpagetable.c
+++ b/arch/powerpc/mm/ptdump/hashpagetable.c
@@ -216,6 +216,8 @@ static int native_find(unsigned long ea, int psize, bool primary, u64 *v, u64
vpn = hpt_vpn(ea, vsid, ssize);
hash = hpt_hash(vpn, shift, ssize);
want_v = hpte_encode_avpn(vpn, psize, ssize);
+ if (cpu_has_feature(CPU_FTR_ARCH_300))
+ want_v = hpte_old_to_new_v(want_v);
/* to check in the secondary hash table, we invert the hash */
if (!primary)
@@ -229,6 +231,10 @@ static int native_find(unsigned long ea, int psize, bool primary, u64 *v, u64
/* HPTE matches */
*v = be64_to_cpu(hptep->v);
*r = be64_to_cpu(hptep->r);
+ if (cpu_has_feature(CPU_FTR_ARCH_300)) {
+ *v = hpte_new_to_old_v(*v, *r);
+ *r = hpte_new_to_old_r(*r);
+ }
return 0;
}
++hpte_group;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 114/554] fs/ntfs3: Remove unused mi_mark_free
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-01-15 16:42 ` [PATCH 5.15 113/554] powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 115/554] fs/ntfs3: Add new argument is_mft to ntfs_mark_rec_free Greg Kroah-Hartman
` (445 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Upstream commit 6700eabb90d50c50be21ecbb71131cd6ecf91ded ]
Cleaning up dead code
Fix wrong comments
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Stable-dep-of: 4d78d1173a65 ("fs/ntfs3: out1 also needs to put mi")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/namei.c | 2 +-
fs/ntfs3/ntfs_fs.h | 1 -
fs/ntfs3/record.c | 22 ----------------------
fs/ntfs3/super.c | 2 +-
4 files changed, 2 insertions(+), 25 deletions(-)
diff --git a/fs/ntfs3/namei.c b/fs/ntfs3/namei.c
index c1bce9d656cff..b66694b84caa0 100644
--- a/fs/ntfs3/namei.c
+++ b/fs/ntfs3/namei.c
@@ -218,7 +218,7 @@ static int ntfs_mkdir(struct user_namespace *mnt_userns, struct inode *dir,
}
/*
- * ntfs_rmdir - inode_operations::rm_dir
+ * ntfs_rmdir - inode_operations::rmdir
*/
static int ntfs_rmdir(struct inode *dir, struct dentry *dentry)
{
diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h
index 7b46926e920c6..f7ef60bed6d84 100644
--- a/fs/ntfs3/ntfs_fs.h
+++ b/fs/ntfs3/ntfs_fs.h
@@ -740,7 +740,6 @@ static inline struct ATTRIB *rec_find_attr_le(struct mft_inode *rec,
int mi_write(struct mft_inode *mi, int wait);
int mi_format_new(struct mft_inode *mi, struct ntfs_sb_info *sbi, CLST rno,
__le16 flags, bool is_mft);
-void mi_mark_free(struct mft_inode *mi);
struct ATTRIB *mi_insert_attr(struct mft_inode *mi, enum ATTR_TYPE type,
const __le16 *name, u8 name_len, u32 asize,
u16 name_off);
diff --git a/fs/ntfs3/record.c b/fs/ntfs3/record.c
index 383fc3437f02e..cef53583f9a16 100644
--- a/fs/ntfs3/record.c
+++ b/fs/ntfs3/record.c
@@ -405,28 +405,6 @@ int mi_format_new(struct mft_inode *mi, struct ntfs_sb_info *sbi, CLST rno,
return err;
}
-/*
- * mi_mark_free - Mark record as unused and marks it as free in bitmap.
- */
-void mi_mark_free(struct mft_inode *mi)
-{
- CLST rno = mi->rno;
- struct ntfs_sb_info *sbi = mi->sbi;
-
- if (rno >= MFT_REC_RESERVED && rno < MFT_REC_FREE) {
- ntfs_clear_mft_tail(sbi, rno, rno + 1);
- mi->dirty = false;
- return;
- }
-
- if (mi->mrec) {
- clear_rec_inuse(mi->mrec);
- mi->dirty = true;
- mi_write(mi, 0);
- }
- ntfs_mark_rec_free(sbi, rno);
-}
-
/*
* mi_insert_attr - Reserve space for new attribute.
*
diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c
index 78b0865273317..a9952b0321837 100644
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -1382,7 +1382,7 @@ static const struct fs_context_operations ntfs_context_ops = {
/*
* ntfs_init_fs_context - Initialize spi and opts
*
- * This will called when mount/remount. We will first initiliaze
+ * This will called when mount/remount. We will first initialize
* options so that if remount we can use just that.
*/
static int ntfs_init_fs_context(struct fs_context *fc)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 115/554] fs/ntfs3: Add new argument is_mft to ntfs_mark_rec_free
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 114/554] fs/ntfs3: Remove unused mi_mark_free Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 116/554] fs/ntfs3: Make ni_ins_new_attr return error Greg Kroah-Hartman
` (444 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Upstream commit 071100ea0e6c353258f322cb2f8dde9be62d6808 ]
This argument helps in avoiding double locking
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Stable-dep-of: 4d78d1173a65 ("fs/ntfs3: out1 also needs to put mi")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/frecord.c | 12 ++++++------
fs/ntfs3/fsntfs.c | 9 ++++++---
fs/ntfs3/inode.c | 2 +-
fs/ntfs3/ntfs_fs.h | 2 +-
4 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index a74bbfec8e3ac..b5f3e7bc5d6da 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -1037,7 +1037,7 @@ static int ni_ins_attr_ext(struct ntfs_inode *ni, struct ATTR_LIST_ENTRY *le,
err = -EINVAL;
out1:
- ntfs_mark_rec_free(sbi, rno);
+ ntfs_mark_rec_free(sbi, rno, is_mft);
out:
return err;
@@ -1232,7 +1232,7 @@ static int ni_expand_mft_list(struct ntfs_inode *ni)
mft_min = mft_new;
mi_min = mi_new;
} else {
- ntfs_mark_rec_free(sbi, mft_new);
+ ntfs_mark_rec_free(sbi, mft_new, true);
mft_new = 0;
ni_remove_mi(ni, mi_new);
}
@@ -1315,7 +1315,7 @@ static int ni_expand_mft_list(struct ntfs_inode *ni)
out:
if (mft_new) {
- ntfs_mark_rec_free(sbi, mft_new);
+ ntfs_mark_rec_free(sbi, mft_new, true);
ni_remove_mi(ni, mi_new);
}
@@ -1577,7 +1577,7 @@ int ni_delete_all(struct ntfs_inode *ni)
mi->dirty = true;
mi_write(mi, 0);
- ntfs_mark_rec_free(sbi, mi->rno);
+ ntfs_mark_rec_free(sbi, mi->rno, false);
ni_remove_mi(ni, mi);
mi_put(mi);
node = next;
@@ -1588,7 +1588,7 @@ int ni_delete_all(struct ntfs_inode *ni)
ni->mi.dirty = true;
err = mi_write(&ni->mi, 0);
- ntfs_mark_rec_free(sbi, ni->mi.rno);
+ ntfs_mark_rec_free(sbi, ni->mi.rno, false);
return err;
}
@@ -3292,7 +3292,7 @@ int ni_write_inode(struct inode *inode, int sync, const char *hint)
err = err2;
if (is_empty) {
- ntfs_mark_rec_free(sbi, mi->rno);
+ ntfs_mark_rec_free(sbi, mi->rno, false);
rb_erase(node, &ni->mi_tree);
mi_put(mi);
}
diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c
index c82398194cd10..7dc2ae7dec591 100644
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -703,12 +703,14 @@ int ntfs_look_free_mft(struct ntfs_sb_info *sbi, CLST *rno, bool mft,
/*
* ntfs_mark_rec_free - Mark record as free.
+ * is_mft - true if we are changing MFT
*/
-void ntfs_mark_rec_free(struct ntfs_sb_info *sbi, CLST rno)
+void ntfs_mark_rec_free(struct ntfs_sb_info *sbi, CLST rno, bool is_mft)
{
struct wnd_bitmap *wnd = &sbi->mft.bitmap;
- down_write_nested(&wnd->rw_lock, BITMAP_MUTEX_MFT);
+ if (!is_mft)
+ down_write_nested(&wnd->rw_lock, BITMAP_MUTEX_MFT);
if (rno >= wnd->nbits)
goto out;
@@ -727,7 +729,8 @@ void ntfs_mark_rec_free(struct ntfs_sb_info *sbi, CLST rno)
sbi->mft.next_free = rno;
out:
- up_write(&wnd->rw_lock);
+ if (!is_mft)
+ up_write(&wnd->rw_lock);
}
/*
diff --git a/fs/ntfs3/inode.c b/fs/ntfs3/inode.c
index 0f4e166112de1..7ac76e6c35dcf 100644
--- a/fs/ntfs3/inode.c
+++ b/fs/ntfs3/inode.c
@@ -1668,7 +1668,7 @@ struct inode *ntfs_create_inode(struct user_namespace *mnt_userns,
ni->mi.dirty = false;
discard_new_inode(inode);
out3:
- ntfs_mark_rec_free(sbi, ino);
+ ntfs_mark_rec_free(sbi, ino, false);
out2:
__putname(new_de);
diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h
index f7ef60bed6d84..69d1442eea623 100644
--- a/fs/ntfs3/ntfs_fs.h
+++ b/fs/ntfs3/ntfs_fs.h
@@ -596,7 +596,7 @@ int ntfs_look_for_free_space(struct ntfs_sb_info *sbi, CLST lcn, CLST len,
enum ALLOCATE_OPT opt);
int ntfs_look_free_mft(struct ntfs_sb_info *sbi, CLST *rno, bool mft,
struct ntfs_inode *ni, struct mft_inode **mi);
-void ntfs_mark_rec_free(struct ntfs_sb_info *sbi, CLST rno);
+void ntfs_mark_rec_free(struct ntfs_sb_info *sbi, CLST rno, bool is_mft);
int ntfs_clear_mft_tail(struct ntfs_sb_info *sbi, size_t from, size_t to);
int ntfs_refresh_zone(struct ntfs_sb_info *sbi);
int ntfs_update_mftmirr(struct ntfs_sb_info *sbi, int wait);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 116/554] fs/ntfs3: Make ni_ins_new_attr return error
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 115/554] fs/ntfs3: Add new argument is_mft to ntfs_mark_rec_free Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 117/554] fs/ntfs3: out1 also needs to put mi Greg Kroah-Hartman
` (443 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Upstream commit 451e45a0e6df21e63acfd493feb5194f4697ce11 ]
Function ni_ins_new_attr now returns ERR_PTR(err),
so we check it now in other functions like ni_expand_mft_list
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Stable-dep-of: 4d78d1173a65 ("fs/ntfs3: out1 also needs to put mi")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/frecord.c | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index b5f3e7bc5d6da..4db52dfde6328 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -470,7 +470,7 @@ ni_ins_new_attr(struct ntfs_inode *ni, struct mft_inode *mi,
&ref, &le);
if (err) {
/* No memory or no space. */
- return NULL;
+ return ERR_PTR(err);
}
le_added = true;
@@ -1000,6 +1000,8 @@ static int ni_ins_attr_ext(struct ntfs_inode *ni, struct ATTR_LIST_ENTRY *le,
name_off, svcn, ins_le);
if (!attr)
continue;
+ if (IS_ERR(attr))
+ return PTR_ERR(attr);
if (ins_attr)
*ins_attr = attr;
@@ -1021,8 +1023,15 @@ static int ni_ins_attr_ext(struct ntfs_inode *ni, struct ATTR_LIST_ENTRY *le,
attr = ni_ins_new_attr(ni, mi, le, type, name, name_len, asize,
name_off, svcn, ins_le);
- if (!attr)
+ if (!attr) {
+ err = -EINVAL;
goto out2;
+ }
+
+ if (IS_ERR(attr)) {
+ err = PTR_ERR(attr);
+ goto out2;
+ }
if (ins_attr)
*ins_attr = attr;
@@ -1034,7 +1043,6 @@ static int ni_ins_attr_ext(struct ntfs_inode *ni, struct ATTR_LIST_ENTRY *le,
out2:
ni_remove_mi(ni, mi);
mi_put(mi);
- err = -EINVAL;
out1:
ntfs_mark_rec_free(sbi, rno, is_mft);
@@ -1090,6 +1098,11 @@ static int ni_insert_attr(struct ntfs_inode *ni, enum ATTR_TYPE type,
if (asize <= free) {
attr = ni_ins_new_attr(ni, &ni->mi, NULL, type, name, name_len,
asize, name_off, svcn, ins_le);
+ if (IS_ERR(attr)) {
+ err = PTR_ERR(attr);
+ goto out;
+ }
+
if (attr) {
if (ins_attr)
*ins_attr = attr;
@@ -1187,6 +1200,11 @@ static int ni_insert_attr(struct ntfs_inode *ni, enum ATTR_TYPE type,
goto out;
}
+ if (IS_ERR(attr)) {
+ err = PTR_ERR(attr);
+ goto out;
+ }
+
if (ins_attr)
*ins_attr = attr;
if (ins_mi)
@@ -1302,6 +1320,11 @@ static int ni_expand_mft_list(struct ntfs_inode *ni)
goto out;
}
+ if (IS_ERR(attr)) {
+ err = PTR_ERR(attr);
+ goto out;
+ }
+
attr->non_res = 1;
attr->name_off = SIZEOF_NONRESIDENT_LE;
attr->flags = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 117/554] fs/ntfs3: out1 also needs to put mi
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 116/554] fs/ntfs3: Make ni_ins_new_attr return error Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 118/554] fs/ntfs3: Prevent memory leaks in add sub record Greg Kroah-Hartman
` (442 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis,
Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit 4d78d1173a653acdaf7500a32b8dc530ca4ad075 ]
After ntfs_look_free_mft() executes successfully, all subsequent code
that fails to execute must put mi.
Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/frecord.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index 4db52dfde6328..89ee218706678 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -1042,9 +1042,9 @@ static int ni_ins_attr_ext(struct ntfs_inode *ni, struct ATTR_LIST_ENTRY *le,
out2:
ni_remove_mi(ni, mi);
- mi_put(mi);
out1:
+ mi_put(mi);
ntfs_mark_rec_free(sbi, rno, is_mft);
out:
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 118/554] fs/ntfs3: Prevent memory leaks in add sub record
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 117/554] fs/ntfs3: out1 also needs to put mi Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 119/554] drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue Greg Kroah-Hartman
` (441 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3932ccb896e06f7414c9,
Edward Adam Davis, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit ccc4e86d1c24260c18ae94541198c3711c140da6 ]
If a rb node with the same ino already exists in the rb tree, the newly
alloced mft_inode in ni_add_subrecord() will not have its memory cleaned
up, which leads to the memory leak issue reported by syzbot.
The best option to avoid this issue is to put the newly alloced mft node
when a rb node with the same ino already exists in the rb tree and return
the rb node found in the rb tree to the parent layer.
syzbot reported:
BUG: memory leak
unreferenced object 0xffff888110bef280 (size 128):
backtrace (crc 126a088f):
ni_add_subrecord+0x31/0x180 fs/ntfs3/frecord.c:317
ntfs_look_free_mft+0xf0/0x790 fs/ntfs3/fsntfs.c:715
BUG: memory leak
unreferenced object 0xffff888109093400 (size 1024):
backtrace (crc 7197c55e):
mi_init+0x2b/0x50 fs/ntfs3/record.c:105
mi_format_new+0x40/0x220 fs/ntfs3/record.c:422
Fixes: 4342306f0f0d ("fs/ntfs3: Add file operations and implementation")
Reported-by: syzbot+3932ccb896e06f7414c9@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/frecord.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/ntfs3/frecord.c b/fs/ntfs3/frecord.c
index 89ee218706678..62874e7f8d8f1 100644
--- a/fs/ntfs3/frecord.c
+++ b/fs/ntfs3/frecord.c
@@ -376,8 +376,10 @@ bool ni_add_subrecord(struct ntfs_inode *ni, CLST rno, struct mft_inode **mi)
mi_get_ref(&ni->mi, &m->mrec->parent_ref);
- ni_add_mi(ni, m);
- *mi = m;
+ *mi = ni_ins_mi(ni, &ni->mi_tree, m->rno, &m->node);
+ if (*mi != m)
+ mi_put(m);
+
return true;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 119/554] drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 118/554] fs/ntfs3: Prevent memory leaks in add sub record Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 120/554] pwm: bcm2835: Make sure the channel is enabled after pwm_request() Greg Kroah-Hartman
` (440 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno, Jay Liu,
Chun-Kuang Hu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jay Liu <jay.liu@mediatek.com>
[ Upstream commit 20ac36b71c53b8c36c6903b5ca87c75226700a97 ]
if matrixbit is 11,
The range of color matrix is from 0 to (BIT(12) - 1).
Values from 0 to (BIT(11) - 1) represent positive numbers,
values from BIT(11) to (BIT(12) - 1) represent negative numbers.
For example, -1 need converted to 8191.
so convert S31.32 to HW Q2.11 format by drm_color_ctm_s31_32_to_qm_n,
and set int_bits to 2.
Fixes: 738ed4156fba ("drm/mediatek: Add matrix_bits private data for ccorr")
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Jay Liu <jay.liu@mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20250921055416.25588-2-jay.liu@mediatek.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_disp_ccorr.c | 23 +----------------------
1 file changed, 1 insertion(+), 22 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_disp_ccorr.c b/drivers/gpu/drm/mediatek/mtk_disp_ccorr.c
index 141cb36b9c07b..f1c7d16d30f63 100644
--- a/drivers/gpu/drm/mediatek/mtk_disp_ccorr.c
+++ b/drivers/gpu/drm/mediatek/mtk_disp_ccorr.c
@@ -85,27 +85,6 @@ void mtk_ccorr_stop(struct device *dev)
writel_relaxed(0x0, ccorr->regs + DISP_CCORR_EN);
}
-/* Converts a DRM S31.32 value to the HW S1.n format. */
-static u16 mtk_ctm_s31_32_to_s1_n(u64 in, u32 n)
-{
- u16 r;
-
- /* Sign bit. */
- r = in & BIT_ULL(63) ? BIT(n + 1) : 0;
-
- if ((in & GENMASK_ULL(62, 33)) > 0) {
- /* identity value 0x100000000 -> 0x400(mt8183), */
- /* identity value 0x100000000 -> 0x800(mt8192), */
- /* if bigger this, set it to max 0x7ff. */
- r |= GENMASK(n, 0);
- } else {
- /* take the n+1 most important bits. */
- r |= (in >> (32 - n)) & GENMASK(n, 0);
- }
-
- return r;
-}
-
void mtk_ccorr_ctm_set(struct device *dev, struct drm_crtc_state *state)
{
struct mtk_disp_ccorr *ccorr = dev_get_drvdata(dev);
@@ -124,7 +103,7 @@ void mtk_ccorr_ctm_set(struct device *dev, struct drm_crtc_state *state)
input = ctm->matrix;
for (i = 0; i < ARRAY_SIZE(coeffs); i++)
- coeffs[i] = mtk_ctm_s31_32_to_s1_n(input[i], matrix_bits);
+ coeffs[i] = drm_color_ctm_s31_32_to_qm_n(input[i], 2, matrix_bits);
mtk_ddp_write(cmdq_pkt, coeffs[0] << 16 | coeffs[1],
&ccorr->cmdq_reg, ccorr->regs, DISP_CCORR_COEF_0);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 120/554] pwm: bcm2835: Make sure the channel is enabled after pwm_request()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 119/554] drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 121/554] mfd: mt6397-irq: Fix missing irq_domain_remove() in error path Greg Kroah-Hartman
` (439 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König,
Florian Fainelli, Uwe Kleine-König, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
[ Upstream commit cda323dbda76600bf9761970d58517648f0de67d ]
The .free callback cleared among others the enable bit PWENx in the
control register. When the PWM is requested later again this bit isn't
restored but the core assumes the PWM is enabled and thus skips a
request to configure the same state as before.
To fix that don't touch the hardware configuration in .free(). For
symmetry also drop .request() and configure the mode completely in
.apply().
Fixes: e5a06dc5ac1f ("pwm: Add BCM2835 PWM driver")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20251118174303.1761577-2-u.kleine-koenig@baylibre.com
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-bcm2835.c | 28 +++-------------------------
1 file changed, 3 insertions(+), 25 deletions(-)
diff --git a/drivers/pwm/pwm-bcm2835.c b/drivers/pwm/pwm-bcm2835.c
index 50b8594be31d8..4541d63d57c40 100644
--- a/drivers/pwm/pwm-bcm2835.c
+++ b/drivers/pwm/pwm-bcm2835.c
@@ -35,29 +35,6 @@ static inline struct bcm2835_pwm *to_bcm2835_pwm(struct pwm_chip *chip)
return container_of(chip, struct bcm2835_pwm, chip);
}
-static int bcm2835_pwm_request(struct pwm_chip *chip, struct pwm_device *pwm)
-{
- struct bcm2835_pwm *pc = to_bcm2835_pwm(chip);
- u32 value;
-
- value = readl(pc->base + PWM_CONTROL);
- value &= ~(PWM_CONTROL_MASK << PWM_CONTROL_SHIFT(pwm->hwpwm));
- value |= (PWM_MODE << PWM_CONTROL_SHIFT(pwm->hwpwm));
- writel(value, pc->base + PWM_CONTROL);
-
- return 0;
-}
-
-static void bcm2835_pwm_free(struct pwm_chip *chip, struct pwm_device *pwm)
-{
- struct bcm2835_pwm *pc = to_bcm2835_pwm(chip);
- u32 value;
-
- value = readl(pc->base + PWM_CONTROL);
- value &= ~(PWM_CONTROL_MASK << PWM_CONTROL_SHIFT(pwm->hwpwm));
- writel(value, pc->base + PWM_CONTROL);
-}
-
static int bcm2835_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
const struct pwm_state *state)
{
@@ -109,6 +86,9 @@ static int bcm2835_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
/* set polarity */
val = readl(pc->base + PWM_CONTROL);
+ val &= ~(PWM_CONTROL_MASK << PWM_CONTROL_SHIFT(pwm->hwpwm));
+ val |= PWM_MODE << PWM_CONTROL_SHIFT(pwm->hwpwm);
+
if (state->polarity == PWM_POLARITY_NORMAL)
val &= ~(PWM_POLARITY << PWM_CONTROL_SHIFT(pwm->hwpwm));
else
@@ -126,8 +106,6 @@ static int bcm2835_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm,
}
static const struct pwm_ops bcm2835_pwm_ops = {
- .request = bcm2835_pwm_request,
- .free = bcm2835_pwm_free,
.apply = bcm2835_pwm_apply,
.owner = THIS_MODULE,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 121/554] mfd: mt6397-irq: Fix missing irq_domain_remove() in error path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 120/554] pwm: bcm2835: Make sure the channel is enabled after pwm_request() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 122/554] mfd: mt6358-irq: " Greg Kroah-Hartman
` (438 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Lee Jones,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit b4b1bd1f330fdd13706382be6c90ce9f58cee3f5 ]
If devm_request_threaded_irq() fails after irq_domain_create_linear()
succeeds in mt6397_irq_init(), the function returns without removing
the created IRQ domain, leading to a resource leak.
Call irq_domain_remove() in the error path after a successful
irq_domain_create_linear() to properly release the IRQ domain.
Fixes: a4872e80ce7d ("mfd: mt6397: Extract IRQ related code from core driver")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251118121500.605-1-vulab@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/mt6397-irq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mfd/mt6397-irq.c b/drivers/mfd/mt6397-irq.c
index 2924919da991a..e1daed7edc841 100644
--- a/drivers/mfd/mt6397-irq.c
+++ b/drivers/mfd/mt6397-irq.c
@@ -206,6 +206,7 @@ int mt6397_irq_init(struct mt6397_chip *chip)
if (ret) {
dev_err(chip->dev, "failed to register irq=%d; err: %d\n",
chip->irq, ret);
+ irq_domain_remove(chip->irq_domain);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 122/554] mfd: mt6358-irq: Fix missing irq_domain_remove() in error path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 121/554] mfd: mt6397-irq: Fix missing irq_domain_remove() in error path Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 123/554] wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() Greg Kroah-Hartman
` (437 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Lee Jones,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 384bd58bf7095e4c4c8fcdbcede316ef342c630c ]
If devm_request_threaded_irq() fails after irq_domain_add_linear()
succeeds in mt6358_irq_init(), the function returns without removing
the created IRQ domain, leading to a resource leak.
Call irq_domain_remove() in the error path after a successful
irq_domain_add_linear() to properly release the IRQ domain.
Fixes: 2b91c28f2abd ("mfd: Add support for the MediaTek MT6358 PMIC")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251118121427.583-1-vulab@iscas.ac.cn
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/mt6358-irq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mfd/mt6358-irq.c b/drivers/mfd/mt6358-irq.c
index 83f3ffbdbb4ca..1129f4ea54529 100644
--- a/drivers/mfd/mt6358-irq.c
+++ b/drivers/mfd/mt6358-irq.c
@@ -262,6 +262,7 @@ int mt6358_irq_init(struct mt6397_chip *chip)
if (ret) {
dev_err(chip->dev, "Failed to register IRQ=%d, ret=%d\n",
chip->irq, ret);
+ irq_domain_remove(chip->irq_domain);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 123/554] wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 122/554] mfd: mt6358-irq: " Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 124/554] ima: Handle error code returned by ima_filter_rule_match() Greg Kroah-Hartman
` (436 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Seungjin Bae, Ping-Ke Shih,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seungjin Bae <eeodqql09@gmail.com>
[ Upstream commit b647d2574e4583c2e3b0ab35568f60c88e910840 ]
The rtl8187_rx_cb() calculates the rx descriptor header address
by subtracting its size from the skb tail pointer.
However, it does not validate if the received packet
(skb->len from urb->actual_length) is large enough to contain this
header.
If a truncated packet is received, this will lead to a buffer
underflow, reading memory before the start of the skb data area,
and causing a kernel panic.
Add length checks for both rtl8187 and rtl8187b descriptor headers
before attempting to access them, dropping the packet cleanly if the
check fails.
Fixes: 6f7853f3cbe4 ("rtl8187: change rtl8187_dev.c to support RTL8187B (part 2)")
Signed-off-by: Seungjin Bae <eeodqql09@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20251118013258.1789949-2-eeodqql09@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../wireless/realtek/rtl818x/rtl8187/dev.c | 27 +++++++++++++------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
index c9df185dc3f4f..00493a2391179 100644
--- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
+++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c
@@ -338,14 +338,16 @@ static void rtl8187_rx_cb(struct urb *urb)
spin_unlock_irqrestore(&priv->rx_queue.lock, f);
skb_put(skb, urb->actual_length);
- if (unlikely(urb->status)) {
- dev_kfree_skb_irq(skb);
- return;
- }
+ if (unlikely(urb->status))
+ goto free_skb;
if (!priv->is_rtl8187b) {
- struct rtl8187_rx_hdr *hdr =
- (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
+ struct rtl8187_rx_hdr *hdr;
+
+ if (skb->len < sizeof(struct rtl8187_rx_hdr))
+ goto free_skb;
+
+ hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
flags = le32_to_cpu(hdr->flags);
/* As with the RTL8187B below, the AGC is used to calculate
* signal strength. In this case, the scaling
@@ -355,8 +357,12 @@ static void rtl8187_rx_cb(struct urb *urb)
rx_status.antenna = (hdr->signal >> 7) & 1;
rx_status.mactime = le64_to_cpu(hdr->mac_time);
} else {
- struct rtl8187b_rx_hdr *hdr =
- (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
+ struct rtl8187b_rx_hdr *hdr;
+
+ if (skb->len < sizeof(struct rtl8187b_rx_hdr))
+ goto free_skb;
+
+ hdr = (typeof(hdr))(skb_tail_pointer(skb) - sizeof(*hdr));
/* The Realtek datasheet for the RTL8187B shows that the RX
* header contains the following quantities: signal quality,
* RSSI, AGC, the received power in dB, and the measured SNR.
@@ -409,6 +415,11 @@ static void rtl8187_rx_cb(struct urb *urb)
skb_unlink(skb, &priv->rx_queue);
dev_kfree_skb_irq(skb);
}
+ return;
+
+free_skb:
+ dev_kfree_skb_irq(skb);
+ return;
}
static int rtl8187_init_urbs(struct ieee80211_hw *dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 124/554] ima: Handle error code returned by ima_filter_rule_match()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 123/554] wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 125/554] usb: chaoskey: fix locking for O_NONBLOCK Greg Kroah-Hartman
` (435 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhao Yipeng, Roberto Sassu,
Mimi Zohar, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Yipeng <zhaoyipeng5@huawei.com>
[ Upstream commit 738c9738e690f5cea24a3ad6fd2d9a323cf614f6 ]
In ima_match_rules(), if ima_filter_rule_match() returns -ENOENT due to
the rule being NULL, the function incorrectly skips the 'if (!rc)' check
and sets 'result = true'. The LSM rule is considered a match, causing
extra files to be measured by IMA.
This issue can be reproduced in the following scenario:
After unloading the SELinux policy module via 'semodule -d', if an IMA
measurement is triggered before ima_lsm_rules is updated,
in ima_match_rules(), the first call to ima_filter_rule_match() returns
-ESTALE. This causes the code to enter the 'if (rc == -ESTALE &&
!rule_reinitialized)' block, perform ima_lsm_copy_rule() and retry. In
ima_lsm_copy_rule(), since the SELinux module has been removed, the rule
becomes NULL, and the second call to ima_filter_rule_match() returns
-ENOENT. This bypasses the 'if (!rc)' check and results in a false match.
Call trace:
selinux_audit_rule_match+0x310/0x3b8
security_audit_rule_match+0x60/0xa0
ima_match_rules+0x2e4/0x4a0
ima_match_policy+0x9c/0x1e8
ima_get_action+0x48/0x60
process_measurement+0xf8/0xa98
ima_bprm_check+0x98/0xd8
security_bprm_check+0x5c/0x78
search_binary_handler+0x6c/0x318
exec_binprm+0x58/0x1b8
bprm_execve+0xb8/0x130
do_execveat_common.isra.0+0x1a8/0x258
__arm64_sys_execve+0x48/0x68
invoke_syscall+0x50/0x128
el0_svc_common.constprop.0+0xc8/0xf0
do_el0_svc+0x24/0x38
el0_svc+0x44/0x200
el0t_64_sync_handler+0x100/0x130
el0t_64_sync+0x3c8/0x3d0
Fix this by changing 'if (!rc)' to 'if (rc <= 0)' to ensure that error
codes like -ENOENT do not bypass the check and accidentally result in a
successful match.
Fixes: 4af4662fa4a9d ("integrity: IMA policy")
Signed-off-by: Zhao Yipeng <zhaoyipeng5@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 6beef8ce311e0..8936e08711c25 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -626,7 +626,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
goto retry;
}
}
- if (!rc) {
+ if (rc <= 0) {
result = false;
goto out;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 125/554] usb: chaoskey: fix locking for O_NONBLOCK
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 124/554] ima: Handle error code returned by ima_filter_rule_match() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 126/554] usb: dwc2: disable platform lowlevel hw resources during shutdown Greg Kroah-Hartman
` (434 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oliver Neukum, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
[ Upstream commit a2fa8a12e6bc9d89c0505b8dd7ae38ec173d25de ]
A failure to take a lock with O_NONBLOCK needs to result
in -EAGAIN. Change it.
Fixes: 66e3e591891da ("usb: Add driver for Altus Metrum ChaosKey device (v2)")
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://patch.msgid.link/20251030093918.2248104-1-oneukum@suse.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/misc/chaoskey.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/misc/chaoskey.c b/drivers/usb/misc/chaoskey.c
index d99d424c05a7a..50909cc9a0bb2 100644
--- a/drivers/usb/misc/chaoskey.c
+++ b/drivers/usb/misc/chaoskey.c
@@ -445,9 +445,19 @@ static ssize_t chaoskey_read(struct file *file,
goto bail;
mutex_unlock(&dev->rng_lock);
- result = mutex_lock_interruptible(&dev->lock);
- if (result)
- goto bail;
+ if (file->f_flags & O_NONBLOCK) {
+ result = mutex_trylock(&dev->lock);
+ if (result == 0) {
+ result = -EAGAIN;
+ goto bail;
+ } else {
+ result = 0;
+ }
+ } else {
+ result = mutex_lock_interruptible(&dev->lock);
+ if (result)
+ goto bail;
+ }
if (dev->valid == dev->used) {
result = _chaoskey_fill(dev);
if (result < 0) {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 126/554] usb: dwc2: disable platform lowlevel hw resources during shutdown
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 125/554] usb: chaoskey: fix locking for O_NONBLOCK Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 127/554] usb: dwc2: fix hang during shutdown if set as peripheral Greg Kroah-Hartman
` (433 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Minas Harutyunyan,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
[ Upstream commit 7481a97c5f49f10c7490bb990d0e863f23b9bb71 ]
On some SoC platforms, in shutdown stage, most components' power is cut
off, but there's still power supply to the so called always-on
domain, so if the dwc2's regulator is from the always-on domain, we
need to explicitly disable it to save power.
Disable platform lowlevel hw resources such as phy, clock and
regulators etc. in device shutdown hook to reduce non-necessary power
consumption when the platform enters shutdown stage.
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Acked-by: Minas Harutyunyan <hminas@synopsys.com>
Link: https://lore.kernel.org/r/20250629094655.747-1-jszhang@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: b6ebcfdcac40 ("usb: dwc2: fix hang during shutdown if set as peripheral")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc2/platform.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c
index 5ff8186936790..8bdbae4c77b0a 100644
--- a/drivers/usb/dwc2/platform.c
+++ b/drivers/usb/dwc2/platform.c
@@ -386,6 +386,9 @@ static void dwc2_driver_shutdown(struct platform_device *dev)
dwc2_disable_global_interrupts(hsotg);
synchronize_irq(hsotg->irq);
+
+ if (hsotg->ll_hw_enabled)
+ dwc2_lowlevel_hw_disable(hsotg);
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 127/554] usb: dwc2: fix hang during shutdown if set as peripheral
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 126/554] usb: dwc2: disable platform lowlevel hw resources during shutdown Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 128/554] usb: dwc2: fix hang during suspend " Greg Kroah-Hartman
` (432 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
[ Upstream commit b6ebcfdcac40a27953f052e4269ce75a18825ffc ]
dwc2 on most platforms needs phy controller, clock and power supply.
All of them must be enabled/activated to properly operate. If dwc2
is configured as peripheral mode, then all the above three hardware
resources are disabled at the end of the probe:
/* Gadget code manages lowlevel hw on its own */
if (hsotg->dr_mode == USB_DR_MODE_PERIPHERAL)
dwc2_lowlevel_hw_disable(hsotg);
But dwc2_driver_shutdown() tries to disable the interrupts on HW IP
level. This would result in hang during shutdown if dwc2 is configured
as peripheral mode.
Fix this hang by only disable and sync irq when lowlevel hw is enabled.
Fixes: 4fdf228cdf69 ("usb: dwc2: Fix shutdown callback in platform")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Link: https://patch.msgid.link/20251104002503.17158-2-jszhang@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc2/platform.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c
index 8bdbae4c77b0a..ae2d73c5aa811 100644
--- a/drivers/usb/dwc2/platform.c
+++ b/drivers/usb/dwc2/platform.c
@@ -384,11 +384,11 @@ static void dwc2_driver_shutdown(struct platform_device *dev)
{
struct dwc2_hsotg *hsotg = platform_get_drvdata(dev);
- dwc2_disable_global_interrupts(hsotg);
- synchronize_irq(hsotg->irq);
-
- if (hsotg->ll_hw_enabled)
+ if (hsotg->ll_hw_enabled) {
+ dwc2_disable_global_interrupts(hsotg);
+ synchronize_irq(hsotg->irq);
dwc2_lowlevel_hw_disable(hsotg);
+ }
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 128/554] usb: dwc2: fix hang during suspend if set as peripheral
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 127/554] usb: dwc2: fix hang during shutdown if set as peripheral Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 129/554] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE Greg Kroah-Hartman
` (431 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
[ Upstream commit 2b94b054ac4974ad2f89f7f7461840c851933adb ]
dwc2 on most platforms needs phy controller, clock and power supply.
All of them must be enabled/activated to properly operate. If dwc2
is configured as peripheral mode, then all the above three hardware
resources are disabled at the end of the probe:
/* Gadget code manages lowlevel hw on its own */
if (hsotg->dr_mode == USB_DR_MODE_PERIPHERAL)
dwc2_lowlevel_hw_disable(hsotg);
But the dwc2_suspend() tries to read the dwc2's reg to check whether
is_device_mode or not, this would result in hang during suspend if dwc2
is configured as peripheral mode.
Fix this hang by bypassing suspend/resume if lowlevel hw isn't
enabled.
Fixes: 09a75e857790 ("usb: dwc2: refactor common low-level hw code to platform.c")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Link: https://patch.msgid.link/20251104002503.17158-3-jszhang@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc2/platform.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c
index ae2d73c5aa811..c9fa8c3ff425a 100644
--- a/drivers/usb/dwc2/platform.c
+++ b/drivers/usb/dwc2/platform.c
@@ -669,9 +669,13 @@ static int dwc2_driver_probe(struct platform_device *dev)
static int __maybe_unused dwc2_suspend(struct device *dev)
{
struct dwc2_hsotg *dwc2 = dev_get_drvdata(dev);
- bool is_device_mode = dwc2_is_device_mode(dwc2);
+ bool is_device_mode;
int ret = 0;
+ if (!dwc2->ll_hw_enabled)
+ return 0;
+
+ is_device_mode = dwc2_is_device_mode(dwc2);
if (is_device_mode)
dwc2_hsotg_suspend(dwc2);
@@ -722,6 +726,9 @@ static int __maybe_unused dwc2_resume(struct device *dev)
struct dwc2_hsotg *dwc2 = dev_get_drvdata(dev);
int ret = 0;
+ if (!dwc2->ll_hw_enabled)
+ return 0;
+
if (dwc2->phy_off_for_suspend && dwc2->ll_hw_enabled) {
ret = __dwc2_lowlevel_hw_enable(dwc2);
if (ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 129/554] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 128/554] usb: dwc2: fix hang during suspend " Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 130/554] selftests/bpf: skip test_perf_branches_hw() on unsupported platforms Greg Kroah-Hartman
` (430 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d8fd35fa6177afa8c92b,
Gopi Krishna Menon, Andrey Konovalov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gopi Krishna Menon <krishnagopi487@gmail.com>
[ Upstream commit a5160af78be7fcf3ade6caab0a14e349560c96d7 ]
The previous commit removed the PAGE_SIZE limit on transfer length of
raw_io buffer in order to avoid any problems with emulating USB devices
whose full configuration descriptor exceeds PAGE_SIZE in length. However
this also removes the upperbound on user supplied length, allowing very
large values to be passed to the allocator.
syzbot on fuzzing the transfer length with very large value (1.81GB)
results in kmalloc() to fall back to the page allocator, which triggers
a kernel warning as the page allocator cannot handle allocations more
than MAX_PAGE_ORDER/KMALLOC_MAX_SIZE.
Since there is no limit imposed on the size of buffer for both control
and non control transfers, cap the raw_io transfer length to
KMALLOC_MAX_SIZE and return -EINVAL for larger transfer length to
prevent any warnings from the page allocator.
Fixes: 37b9dd0d114a ("usb: raw-gadget: do not limit transfer length")
Tested-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
Reported-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68fc07a0.a70a0220.3bf6c6.01ab.GAE@google.com/
Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Link: https://patch.msgid.link/20251028165659.50962-1-krishnagopi487@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/legacy/raw_gadget.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index 17e39f3e908b2..db700db32eef2 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -39,6 +39,7 @@ MODULE_LICENSE("GPL");
static DEFINE_IDA(driver_id_numbers);
#define DRIVER_DRIVER_NAME_LENGTH_MAX 32
+#define USB_RAW_IO_LENGTH_MAX KMALLOC_MAX_SIZE
#define RAW_EVENT_QUEUE_SIZE 16
@@ -620,6 +621,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
return ERR_PTR(-EINVAL);
if (!usb_raw_io_flags_valid(io->flags))
return ERR_PTR(-EINVAL);
+ if (io->length > USB_RAW_IO_LENGTH_MAX)
+ return ERR_PTR(-EINVAL);
if (get_from_user)
data = memdup_user(ptr + sizeof(*io), io->length);
else {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 130/554] selftests/bpf: skip test_perf_branches_hw() on unsupported platforms
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 129/554] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 131/554] selftests/bpf: Improve reliability of test_perf_branches_no_hw() Greg Kroah-Hartman
` (429 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Bobrowski, Song Liu,
Alexei Starovoitov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Bobrowski <mattbobrowski@google.com>
[ Upstream commit 27746aaf1b20172f0859546c4a3e82eca459f680 ]
Gracefully skip the test_perf_branches_hw subtest on platforms that
do not support LBR or require specialized perf event attributes
to enable branch sampling.
For example, AMD's Milan (Zen 3) supports BRS rather than traditional
LBR. This requires specific configurations (attr.type = PERF_TYPE_RAW,
attr.config = RETIRED_TAKEN_BRANCH_INSTRUCTIONS) that differ from the
generic setup used within this test. Notably, it also probably doesn't
hold much value to special case perf event configurations for selected
micro architectures.
Fixes: 67306f84ca78c ("selftests/bpf: Add bpf_read_branch_records() selftest")
Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
Acked-by: Song Liu <song@kernel.org>
Link: https://lore.kernel.org/r/20251120142059.2836181-1-mattbobrowski@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/bpf/prog_tests/perf_branches.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/perf_branches.c b/tools/testing/selftests/bpf/prog_tests/perf_branches.c
index 12c4f45cee1a8..4a17253413a3a 100644
--- a/tools/testing/selftests/bpf/prog_tests/perf_branches.c
+++ b/tools/testing/selftests/bpf/prog_tests/perf_branches.c
@@ -116,11 +116,11 @@ static void test_perf_branches_hw(void)
pfd = syscall(__NR_perf_event_open, &attr, -1, 0, -1, PERF_FLAG_FD_CLOEXEC);
/*
- * Some setups don't support branch records (virtual machines, !x86),
- * so skip test in this case.
+ * Some setups don't support LBR (virtual machines, !x86, AMD Milan Zen
+ * 3 which only supports BRS), so skip test in this case.
*/
if (pfd < 0) {
- if (errno == ENOENT || errno == EOPNOTSUPP) {
+ if (errno == ENOENT || errno == EOPNOTSUPP || errno == EINVAL) {
printf("%s:SKIP:no PERF_SAMPLE_BRANCH_STACK\n",
__func__);
test__skip();
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 131/554] selftests/bpf: Improve reliability of test_perf_branches_no_hw()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 130/554] selftests/bpf: skip test_perf_branches_hw() on unsupported platforms Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 132/554] crypto: ccree - Correctly handle return of sg_nents_for_len Greg Kroah-Hartman
` (428 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Bobrowski, Jiri Olsa,
Alexei Starovoitov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Bobrowski <mattbobrowski@google.com>
[ Upstream commit ae24fc8a16b0481ea8c5acbc66453c49ec0431c4 ]
Currently, test_perf_branches_no_hw() relies on the busy loop within
test_perf_branches_common() being slow enough to allow at least one
perf event sample tick to occur before starting to tear down the
backing perf event BPF program. With a relatively small fixed
iteration count of 1,000,000, this is not guaranteed on modern fast
CPUs, resulting in the test run to subsequently fail with the
following:
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
test_perf_branches_common:PASS:test_perf_branches_load 0 nsec
test_perf_branches_common:PASS:attach_perf_event 0 nsec
test_perf_branches_common:PASS:set_affinity 0 nsec
check_good_sample:PASS:output not valid 0 nsec
check_good_sample:PASS:read_branches_size 0 nsec
check_good_sample:PASS:read_branches_stack 0 nsec
check_good_sample:PASS:read_branches_stack 0 nsec
check_good_sample:PASS:read_branches_global 0 nsec
check_good_sample:PASS:read_branches_global 0 nsec
check_good_sample:PASS:read_branches_size 0 nsec
test_perf_branches_no_hw:PASS:perf_event_open 0 nsec
test_perf_branches_common:PASS:test_perf_branches_load 0 nsec
test_perf_branches_common:PASS:attach_perf_event 0 nsec
test_perf_branches_common:PASS:set_affinity 0 nsec
check_bad_sample:FAIL:output not valid no valid sample from prog
Summary: 0/1 PASSED, 0 SKIPPED, 1 FAILED
Successfully unloaded bpf_testmod.ko.
On a modern CPU (i.e. one with a 3.5 GHz clock rate), executing 1
million increments of a volatile integer can take significantly less
than 1 millisecond. If the spin loop and detachment of the perf event
BPF program elapses before the first 1 ms sampling interval elapses,
the perf event will never end up firing. Fix this by bumping the loop
iteration counter a little within test_perf_branches_common(), along
with ensuring adding another loop termination condition which is
directly influenced by the backing perf event BPF program
executing. Notably, a concious decision was made to not adjust the
sample_freq value as that is just not a reliable way to go about
fixing the problem. It effectively still leaves the race window open.
Fixes: 67306f84ca78c ("selftests/bpf: Add bpf_read_branch_records() selftest")
Signed-off-by: Matt Bobrowski <mattbobrowski@google.com>
Reviewed-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/r/20251119143540.2911424-1-mattbobrowski@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/bpf/prog_tests/perf_branches.c | 16 ++++++++++++++--
.../selftests/bpf/progs/test_perf_branches.c | 3 +++
2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/perf_branches.c b/tools/testing/selftests/bpf/prog_tests/perf_branches.c
index 4a17253413a3a..67cf46056ffe9 100644
--- a/tools/testing/selftests/bpf/prog_tests/perf_branches.c
+++ b/tools/testing/selftests/bpf/prog_tests/perf_branches.c
@@ -15,6 +15,10 @@ static void check_good_sample(struct test_perf_branches *skel)
int pbe_size = sizeof(struct perf_branch_entry);
int duration = 0;
+ if (CHECK(!skel->bss->run_cnt, "invalid run_cnt",
+ "checked sample validity before prog run"))
+ return;
+
if (CHECK(!skel->bss->valid, "output not valid",
"no valid sample from prog"))
return;
@@ -45,6 +49,10 @@ static void check_bad_sample(struct test_perf_branches *skel)
int written_stack = skel->bss->written_stack_out;
int duration = 0;
+ if (CHECK(!skel->bss->run_cnt, "invalid run_cnt",
+ "checked sample validity before prog run"))
+ return;
+
if (CHECK(!skel->bss->valid, "output not valid",
"no valid sample from prog"))
return;
@@ -83,8 +91,12 @@ static void test_perf_branches_common(int perf_fd,
err = pthread_setaffinity_np(pthread_self(), sizeof(cpu_set), &cpu_set);
if (CHECK(err, "set_affinity", "cpu #0, err %d\n", err))
goto out_destroy;
- /* spin the loop for a while (random high number) */
- for (i = 0; i < 1000000; ++i)
+
+ /* Spin the loop for a while by using a high iteration count, and by
+ * checking whether the specific run count marker has been explicitly
+ * incremented at least once by the backing perf_event BPF program.
+ */
+ for (i = 0; i < 100000000 && !*(volatile int *)&skel->bss->run_cnt; ++i)
++j;
test_perf_branches__detach(skel);
diff --git a/tools/testing/selftests/bpf/progs/test_perf_branches.c b/tools/testing/selftests/bpf/progs/test_perf_branches.c
index a1ccc831c882f..05ac9410cd68c 100644
--- a/tools/testing/selftests/bpf/progs/test_perf_branches.c
+++ b/tools/testing/selftests/bpf/progs/test_perf_branches.c
@@ -8,6 +8,7 @@
#include <bpf/bpf_tracing.h>
int valid = 0;
+int run_cnt = 0;
int required_size_out = 0;
int written_stack_out = 0;
int written_global_out = 0;
@@ -24,6 +25,8 @@ int perf_branches(void *ctx)
__u64 entries[4 * 3] = {0};
int required_size, written_stack, written_global;
+ ++run_cnt;
+
/* write to stack */
written_stack = bpf_read_branch_records(ctx, entries, sizeof(entries), 0);
/* ignore spurious events */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 132/554] crypto: ccree - Correctly handle return of sg_nents_for_len
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 131/554] selftests/bpf: Improve reliability of test_perf_branches_no_hw() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 133/554] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() Greg Kroah-Hartman
` (427 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 8700ce07c5c6bf27afa7b59a8d9cf58d783a7d5c ]
Fix error handling in cc_map_hash_request_update where sg_nents_for_len
return value was assigned to u32, converting negative errors to large
positive values before passing to sg_copy_to_buffer.
Check sg_nents_for_len return value and propagate errors before
assigning to areq_ctx->in_nents.
Fixes: b7ec8530687a ("crypto: ccree - use std api when possible")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccree/cc_buffer_mgr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/ccree/cc_buffer_mgr.c b/drivers/crypto/ccree/cc_buffer_mgr.c
index 6140e49273226..5754dc88c684c 100644
--- a/drivers/crypto/ccree/cc_buffer_mgr.c
+++ b/drivers/crypto/ccree/cc_buffer_mgr.c
@@ -1235,6 +1235,7 @@ int cc_map_hash_request_update(struct cc_drvdata *drvdata, void *ctx,
int rc = 0;
u32 dummy = 0;
u32 mapped_nents = 0;
+ int sg_nents;
dev_dbg(dev, " update params : curr_buff=%pK curr_buff_cnt=0x%X nbytes=0x%X src=%pK curr_index=%u\n",
curr_buff, *curr_buff_cnt, nbytes, src, areq_ctx->buff_index);
@@ -1248,7 +1249,10 @@ int cc_map_hash_request_update(struct cc_drvdata *drvdata, void *ctx,
if (total_in_len < block_size) {
dev_dbg(dev, " less than one block: curr_buff=%pK *curr_buff_cnt=0x%X copy_to=%pK\n",
curr_buff, *curr_buff_cnt, &curr_buff[*curr_buff_cnt]);
- areq_ctx->in_nents = sg_nents_for_len(src, nbytes);
+ sg_nents = sg_nents_for_len(src, nbytes);
+ if (sg_nents < 0)
+ return sg_nents;
+ areq_ctx->in_nents = sg_nents;
sg_copy_to_buffer(src, areq_ctx->in_nents,
&curr_buff[*curr_buff_cnt], nbytes);
*curr_buff_cnt += nbytes;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 133/554] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 132/554] crypto: ccree - Correctly handle return of sg_nents_for_len Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 134/554] staging: fbtft: core: fix potential memory leak in fbtft_probe_common() Greg Kroah-Hartman
` (426 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Lorenzo Bianconi,
Felix Fietkau, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 53d1548612670aa8b5d89745116cc33d9d172863 ]
In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the
subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function
returns an error without freeing sskb, leading to a memory leak.
Fix this by calling dev_kfree_skb() on sskb in the error handling path
to ensure it is properly released.
Fixes: 99c457d902cf9 ("mt76: mt7615: move mt7615_mcu_set_bmc to mt7615_mcu_ops")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20251113062415.103611-1-zilin@seu.edu.cn
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
index bde65af72feda..0776af7f74d94 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
@@ -1045,8 +1045,10 @@ mt7615_mcu_wtbl_sta_add(struct mt7615_phy *phy, struct ieee80211_vif *vif,
wtbl_hdr = mt76_connac_mcu_alloc_wtbl_req(&dev->mt76, &msta->wcid,
WTBL_RESET_AND_SET, NULL,
&wskb);
- if (IS_ERR(wtbl_hdr))
+ if (IS_ERR(wtbl_hdr)) {
+ dev_kfree_skb(sskb);
return PTR_ERR(wtbl_hdr);
+ }
if (enable) {
mt76_connac_mcu_wtbl_generic_tlv(&dev->mt76, wskb, vif, sta,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 134/554] staging: fbtft: core: fix potential memory leak in fbtft_probe_common()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 133/554] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 135/554] PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition Greg Kroah-Hartman
` (425 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianglei Nie, Andy Shevchenko,
Abdun Nihaal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianglei Nie <niejianglei2021@163.com>
[ Upstream commit 47d3949a9b04cbcb0e10abae30c2b53e98706e11 ]
fbtft_probe_common() allocates a memory chunk for "info" with
fbtft_framebuffer_alloc(). When "display->buswidth == 0" is true, the
function returns without releasing the "info", which will lead to a
memory leak.
Fix it by calling fbtft_framebuffer_release() when "display->buswidth
== 0" is true.
Fixes: c296d5f9957c ("staging: fbtft: core support")
Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Link: https://patch.msgid.link/20251112192235.2088654-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/fbtft/fbtft-core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
index 54620ae6919bc..67604a4d9a39f 100644
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -1228,8 +1228,8 @@ int fbtft_probe_common(struct fbtft_display *display,
par->pdev = pdev;
if (display->buswidth == 0) {
- dev_err(dev, "buswidth is not set\n");
- return -EINVAL;
+ ret = dev_err_probe(dev, -EINVAL, "buswidth is not set\n");
+ goto out_release;
}
/* write register functions */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 135/554] PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 134/554] staging: fbtft: core: fix potential memory leak in fbtft_probe_common() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 136/554] wifi: ieee80211: correct FILS status codes Greg Kroah-Hartman
` (424 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shawn Lin, Manivannan Sadhasivam,
Bjorn Helgaas, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shawn Lin <shawn.lin@rock-chips.com>
[ Upstream commit bcc9a4a0bca3aee4303fa4a20302e57b24ac8f68 ]
As per DesignWare Cores PCI Express Controller Databook, section 5.50,
SII: Debug Signals, cxpl_debug_info[63:0]:
[5:0] smlh_ltssm_state: LTSSM current state. Encoding is same as the
dedicated smlh_ltssm_state output.
The mask should be 6 bits, from 0 to 5. Hence, fix the mask definition.
Fixes: 23fe5bd4be90 ("PCI: keystone: Cleanup ks_pcie_link_up()")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
[mani: reworded description]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Link: https://patch.msgid.link/1763122140-203068-1-git-send-email-shawn.lin@rock-chips.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware.h b/drivers/pci/controller/dwc/pcie-designware.h
index 8ba2392926346..5960ae40b0f2d 100644
--- a/drivers/pci/controller/dwc/pcie-designware.h
+++ b/drivers/pci/controller/dwc/pcie-designware.h
@@ -52,7 +52,7 @@
#define PORT_LINK_MODE_8_LANES PORT_LINK_MODE(0xf)
#define PCIE_PORT_DEBUG0 0x728
-#define PORT_LOGIC_LTSSM_STATE_MASK 0x1f
+#define PORT_LOGIC_LTSSM_STATE_MASK 0x3f
#define PORT_LOGIC_LTSSM_STATE_L0 0x11
#define PCIE_PORT_DEBUG1 0x72C
#define PCIE_PORT_DEBUG1_LINK_UP BIT(4)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 136/554] wifi: ieee80211: correct FILS status codes
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 135/554] PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 137/554] backlight: led_bl: Take led_access lock when required Greg Kroah-Hartman
` (423 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ria Thomas, Jeff Johnson,
Johannes Berg, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ria Thomas <ria.thomas@morsemicro.com>
[ Upstream commit 24d4da5c2565313c2ad3c43449937a9351a64407 ]
The FILS status codes are set to 108/109, but the IEEE 802.11-2020
spec defines them as 112/113. Update the enum so it matches the
specification and keeps the kernel consistent with standard values.
Fixes: a3caf7440ded ("cfg80211: Add support for FILS shared key authentication offload")
Signed-off-by: Ria Thomas <ria.thomas@morsemicro.com>
Reviewed-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
Link: https://patch.msgid.link/20251124125637.3936154-1-ria.thomas@morsemicro.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/ieee80211.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
index 00ed7c17698d1..0c00a628cbde7 100644
--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -2720,8 +2720,8 @@ enum ieee80211_statuscode {
WLAN_STATUS_DENIED_WITH_SUGGESTED_BAND_AND_CHANNEL = 99,
WLAN_STATUS_DENIED_DUE_TO_SPECTRUM_MANAGEMENT = 103,
/* 802.11ai */
- WLAN_STATUS_FILS_AUTHENTICATION_FAILURE = 108,
- WLAN_STATUS_UNKNOWN_AUTHENTICATION_SERVER = 109,
+ WLAN_STATUS_FILS_AUTHENTICATION_FAILURE = 112,
+ WLAN_STATUS_UNKNOWN_AUTHENTICATION_SERVER = 113,
WLAN_STATUS_SAE_HASH_TO_ELEMENT = 126,
WLAN_STATUS_SAE_PK = 127,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 137/554] backlight: led_bl: Take led_access lock when required
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 136/554] wifi: ieee80211: correct FILS status codes Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 138/554] backlight: led-bl: Add devlink to supplier LEDs Greg Kroah-Hartman
` (422 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mans Rullgard, Daniel Thompson,
Lee Jones, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mans Rullgard <mans@mansr.com>
[ Upstream commit a33677b9211b6c328ad359b072043af94f7c9592 ]
The led_access lock must be held when calling led_sysfs_enable() and
led_sysfs_disable(). This fixes warnings such as this:
[ 2.432495] ------------[ cut here ]------------
[ 2.437316] WARNING: CPU: 0 PID: 22 at drivers/leds/led-core.c:349 led_sysfs_disable+0x54/0x58
[ 2.446105] Modules linked in:
[ 2.449218] CPU: 0 PID: 22 Comm: kworker/u2:1 Not tainted 6.3.8+ #1
[ 2.456268] Hardware name: Generic AM3517 (Flattened Device Tree)
[ 2.462402] Workqueue: events_unbound deferred_probe_work_func
[ 2.468353] unwind_backtrace from show_stack+0x10/0x14
[ 2.473632] show_stack from dump_stack_lvl+0x24/0x2c
[ 2.478759] dump_stack_lvl from __warn+0x9c/0xc4
[ 2.483551] __warn from warn_slowpath_fmt+0x64/0xc0
[ 2.488586] warn_slowpath_fmt from led_sysfs_disable+0x54/0x58
[ 2.494567] led_sysfs_disable from led_bl_probe+0x20c/0x3b0
[ 2.500305] led_bl_probe from platform_probe+0x5c/0xb8
[ 2.505615] platform_probe from really_probe+0xc8/0x2a0
[ 2.510986] really_probe from __driver_probe_device+0x88/0x19c
[ 2.516967] __driver_probe_device from driver_probe_device+0x30/0xcc
[ 2.523498] driver_probe_device from __device_attach_driver+0x94/0xc4
[ 2.530090] __device_attach_driver from bus_for_each_drv+0x80/0xcc
[ 2.536437] bus_for_each_drv from __device_attach+0xf8/0x19c
[ 2.542236] __device_attach from bus_probe_device+0x8c/0x90
[ 2.547973] bus_probe_device from deferred_probe_work_func+0x80/0xb0
[ 2.554504] deferred_probe_work_func from process_one_work+0x228/0x4c0
[ 2.561187] process_one_work from worker_thread+0x1fc/0x4d0
[ 2.566925] worker_thread from kthread+0xb4/0xd0
[ 2.571685] kthread from ret_from_fork+0x14/0x2c
[ 2.576446] Exception stack(0xd0079fb0 to 0xd0079ff8)
[ 2.581573] 9fa0: 00000000 00000000 00000000 00000000
[ 2.589813] 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 2.598052] 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[ 2.604888] ---[ end trace 0000000000000000 ]---
Signed-off-by: Mans Rullgard <mans@mansr.com>
Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
Link: https://lore.kernel.org/r/20230619160249.10414-1-mans@mansr.com
Signed-off-by: Lee Jones <lee@kernel.org>
Stable-dep-of: 9341d6698f4c ("backlight: led-bl: Add devlink to supplier LEDs")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/led_bl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/video/backlight/led_bl.c b/drivers/video/backlight/led_bl.c
index 589dae9ebb638..d360def24747d 100644
--- a/drivers/video/backlight/led_bl.c
+++ b/drivers/video/backlight/led_bl.c
@@ -209,8 +209,11 @@ static int led_bl_probe(struct platform_device *pdev)
return PTR_ERR(priv->bl_dev);
}
- for (i = 0; i < priv->nb_leds; i++)
+ for (i = 0; i < priv->nb_leds; i++) {
+ mutex_lock(&priv->leds[i]->led_access);
led_sysfs_disable(priv->leds[i]);
+ mutex_unlock(&priv->leds[i]->led_access);
+ }
backlight_update_status(priv->bl_dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 138/554] backlight: led-bl: Add devlink to supplier LEDs
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 137/554] backlight: led_bl: Take led_access lock when required Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 139/554] backlight: lp855x: Fix lp855x.h kernel-doc warnings Greg Kroah-Hartman
` (421 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Ceresoli,
Daniel Thompson (RISCstar), Herve Codina, Alexander Sverdlin,
Lee Jones, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
[ Upstream commit 9341d6698f4cfdfc374fb6944158d111ebe16a9d ]
LED Backlight is a consumer of one or multiple LED class devices, but
devlink is currently unable to create correct supplier-producer links when
the supplier is a class device. It creates instead a link where the
supplier is the parent of the expected device.
One consequence is that removal order is not correctly enforced.
Issues happen for example with the following sections in a device tree
overlay:
// An LED driver chip
pca9632@62 {
compatible = "nxp,pca9632";
reg = <0x62>;
// ...
addon_led_pwm: led-pwm@3 {
reg = <3>;
label = "addon:led:pwm";
};
};
backlight-addon {
compatible = "led-backlight";
leds = <&addon_led_pwm>;
brightness-levels = <255>;
default-brightness-level = <255>;
};
In this example, the devlink should be created between the backlight-addon
(consumer) and the pca9632@62 (supplier). Instead it is created between the
backlight-addon (consumer) and the parent of the pca9632@62, which is
typically the I2C bus adapter.
On removal of the above overlay, the LED driver can be removed before the
backlight device, resulting in:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
...
Call trace:
led_put+0xe0/0x140
devm_led_release+0x6c/0x98
Another way to reproduce the bug without any device tree overlays is
unbinding the LED class device (pca9632@62) before unbinding the consumer
(backlight-addon):
echo 11-0062 >/sys/bus/i2c/drivers/leds-pca963x/unbind
echo ...backlight-dock >/sys/bus/platform/drivers/led-backlight/unbind
Fix by adding a devlink between the consuming led-backlight device and the
supplying LED device, as other drivers and subsystems do as well.
Fixes: ae232e45acf9 ("backlight: add led-backlight driver")
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Daniel Thompson (RISCstar) <danielt@kernel.org>
Reviewed-by: Herve Codina <herve.codina@bootlin.com>
Tested-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Link: https://patch.msgid.link/20250519-led-backlight-add-devlink-to-supplier-class-device-v6-1-845224aeb2ce@bootlin.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/backlight/led_bl.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/drivers/video/backlight/led_bl.c b/drivers/video/backlight/led_bl.c
index d360def24747d..223f078acfd9f 100644
--- a/drivers/video/backlight/led_bl.c
+++ b/drivers/video/backlight/led_bl.c
@@ -209,6 +209,19 @@ static int led_bl_probe(struct platform_device *pdev)
return PTR_ERR(priv->bl_dev);
}
+ for (i = 0; i < priv->nb_leds; i++) {
+ struct device_link *link;
+
+ link = device_link_add(&pdev->dev, priv->leds[i]->dev->parent,
+ DL_FLAG_AUTOREMOVE_CONSUMER);
+ if (!link) {
+ dev_err(&pdev->dev, "Failed to add devlink (consumer %s, supplier %s)\n",
+ dev_name(&pdev->dev), dev_name(priv->leds[i]->dev->parent));
+ backlight_device_unregister(priv->bl_dev);
+ return -EINVAL;
+ }
+ }
+
for (i = 0; i < priv->nb_leds; i++) {
mutex_lock(&priv->leds[i]->led_access);
led_sysfs_disable(priv->leds[i]);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 139/554] backlight: lp855x: Fix lp855x.h kernel-doc warnings
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 138/554] backlight: led-bl: Add devlink to supplier LEDs Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 140/554] iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal Greg Kroah-Hartman
` (420 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Randy Dunlap,
Daniel Thompson (RISCstar), Lee Jones, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 2d45db63260c6ae3cf007361e04a1c41bd265084 ]
Add a missing struct short description and a missing leading " *" to
lp855x.h to avoid kernel-doc warnings:
Warning: include/linux/platform_data/lp855x.h:126 missing initial short
description on line:
* struct lp855x_platform_data
Warning: include/linux/platform_data/lp855x.h:131 bad line:
Only valid when mode is PWM_BASED.
Fixes: 7be865ab8634 ("backlight: new backlight driver for LP855x devices")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Daniel Thompson (RISCstar) <danielt@kernel.org>
Link: https://patch.msgid.link/20251111060916.1995920-1-rdunlap@infradead.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/platform_data/lp855x.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/platform_data/lp855x.h b/include/linux/platform_data/lp855x.h
index ab222dd05bbc2..3b4a891acefe9 100644
--- a/include/linux/platform_data/lp855x.h
+++ b/include/linux/platform_data/lp855x.h
@@ -124,12 +124,12 @@ struct lp855x_rom_data {
};
/**
- * struct lp855x_platform_data
+ * struct lp855x_platform_data - lp855 platform-specific data
* @name : Backlight driver name. If it is not defined, default name is set.
* @device_control : value of DEVICE CONTROL register
* @initial_brightness : initial value of backlight brightness
* @period_ns : platform specific pwm period value. unit is nano.
- Only valid when mode is PWM_BASED.
+ * Only valid when mode is PWM_BASED.
* @size_program : total size of lp855x_rom_data
* @rom_data : list of new eeprom/eprom registers
*/
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 140/554] iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 139/554] backlight: lp855x: Fix lp855x.h kernel-doc warnings Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 141/554] RDMA/irdma: Fix data race in irdma_sc_ccq_arm Greg Kroah-Hartman
` (419 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Will Deacon,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephan Gerhold <stephan.gerhold@linaro.org>
[ Upstream commit 5583a55e074b33ccd88ac0542fd7cd656a7e2c8c ]
Some platforms (e.g. SC8280XP and X1E) support more than 128 stream
matching groups. This is more than what is defined as maximum by the ARM
SMMU architecture specification. Commit 122611347326 ("iommu/arm-smmu-qcom:
Limit the SMR groups to 128") disabled use of the additional groups because
they don't exhibit the same behavior as the architecture supported ones.
It seems like this is just another quirk of the hypervisor: When running
bare-metal without the hypervisor, the additional groups appear to behave
just like all others. The boot firmware uses some of the additional groups,
so ignoring them in this situation leads to stream match conflicts whenever
we allocate a new SMR group for the same SID.
The workaround exists primarily because the bypass quirk detection fails
when using a S2CR register from the additional matching groups, so let's
perform the test with the last reliable S2CR (127) and then limit the
number of SMR groups only if we detect that we are running below the
hypervisor (because of the bypass quirk).
Fixes: 122611347326 ("iommu/arm-smmu-qcom: Limit the SMR groups to 128")
Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 27 ++++++++++++++--------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
index da249140ed2a1..d145e0df01a98 100644
--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
@@ -263,17 +263,19 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
/*
* Some platforms support more than the Arm SMMU architected maximum of
- * 128 stream matching groups. For unknown reasons, the additional
- * groups don't exhibit the same behavior as the architected registers,
- * so limit the groups to 128 until the behavior is fixed for the other
- * groups.
+ * 128 stream matching groups. The additional registers appear to have
+ * the same behavior as the architected registers in the hardware.
+ * However, on some firmware versions, the hypervisor does not
+ * correctly trap and emulate accesses to the additional registers,
+ * resulting in unexpected behavior.
+ *
+ * If there are more than 128 groups, use the last reliable group to
+ * detect if we need to apply the bypass quirk.
*/
- if (smmu->num_mapping_groups > 128) {
- dev_notice(smmu->dev, "\tLimiting the stream matching groups to 128\n");
- smmu->num_mapping_groups = 128;
- }
-
- last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1);
+ if (smmu->num_mapping_groups > 128)
+ last_s2cr = ARM_SMMU_GR0_S2CR(127);
+ else
+ last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1);
/*
* With some firmware versions writes to S2CR of type FAULT are
@@ -296,6 +298,11 @@ static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
reg = FIELD_PREP(ARM_SMMU_CBAR_TYPE, CBAR_TYPE_S1_TRANS_S2_BYPASS);
arm_smmu_gr1_write(smmu, ARM_SMMU_GR1_CBAR(qsmmu->bypass_cbndx), reg);
+
+ if (smmu->num_mapping_groups > 128) {
+ dev_notice(smmu->dev, "\tLimiting the stream matching groups to 128\n");
+ smmu->num_mapping_groups = 128;
+ }
}
for (i = 0; i < smmu->num_mapping_groups; i++) {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 141/554] RDMA/irdma: Fix data race in irdma_sc_ccq_arm
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 140/554] iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 142/554] RDMA/irdma: Fix data race in irdma_free_pble Greg Kroah-Hartman
` (418 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Czurylo, Tatyana Nikolova,
Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Czurylo <krzysztof.czurylo@intel.com>
[ Upstream commit a521928164433de44fed5aaf5f49aeb3f1fb96f5 ]
Adds a lock around irdma_sc_ccq_arm body to prevent inter-thread data race.
Fixes data race in irdma_sc_ccq_arm() reported by KCSAN:
BUG: KCSAN: data-race in irdma_sc_ccq_arm [irdma] / irdma_sc_ccq_arm [irdma]
read to 0xffff9d51b4034220 of 8 bytes by task 255 on cpu 11:
irdma_sc_ccq_arm+0x36/0xd0 [irdma]
irdma_cqp_ce_handler+0x300/0x310 [irdma]
cqp_compl_worker+0x2a/0x40 [irdma]
process_one_work+0x402/0x7e0
worker_thread+0xb3/0x6d0
kthread+0x178/0x1a0
ret_from_fork+0x2c/0x50
write to 0xffff9d51b4034220 of 8 bytes by task 89 on cpu 3:
irdma_sc_ccq_arm+0x7e/0xd0 [irdma]
irdma_cqp_ce_handler+0x300/0x310 [irdma]
irdma_wait_event+0xd4/0x3e0 [irdma]
irdma_handle_cqp_op+0xa5/0x220 [irdma]
irdma_hw_flush_wqes+0xb1/0x300 [irdma]
irdma_flush_wqes+0x22e/0x3a0 [irdma]
irdma_cm_disconn_true+0x4c7/0x5d0 [irdma]
irdma_disconnect_worker+0x35/0x50 [irdma]
process_one_work+0x402/0x7e0
worker_thread+0xb3/0x6d0
kthread+0x178/0x1a0
ret_from_fork+0x2c/0x50
value changed: 0x0000000000024000 -> 0x0000000000034000
Fixes: 3f49d6842569 ("RDMA/irdma: Implement HW Admin Queue OPs")
Signed-off-by: Krzysztof Czurylo <krzysztof.czurylo@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Link: https://patch.msgid.link/20251125025350.180-2-tatyana.e.nikolova@intel.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/ctrl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/hw/irdma/ctrl.c b/drivers/infiniband/hw/irdma/ctrl.c
index e6851cffa40af..e1c40776de440 100644
--- a/drivers/infiniband/hw/irdma/ctrl.c
+++ b/drivers/infiniband/hw/irdma/ctrl.c
@@ -3354,11 +3354,13 @@ enum irdma_status_code irdma_sc_cqp_destroy(struct irdma_sc_cqp *cqp)
*/
void irdma_sc_ccq_arm(struct irdma_sc_cq *ccq)
{
+ unsigned long flags;
u64 temp_val;
u16 sw_cq_sel;
u8 arm_next_se;
u8 arm_seq_num;
+ spin_lock_irqsave(&ccq->dev->cqp_lock, flags);
get_64bit_val(ccq->cq_uk.shadow_area, 32, &temp_val);
sw_cq_sel = (u16)FIELD_GET(IRDMA_CQ_DBSA_SW_CQ_SELECT, temp_val);
arm_next_se = (u8)FIELD_GET(IRDMA_CQ_DBSA_ARM_NEXT_SE, temp_val);
@@ -3369,6 +3371,7 @@ void irdma_sc_ccq_arm(struct irdma_sc_cq *ccq)
FIELD_PREP(IRDMA_CQ_DBSA_ARM_NEXT_SE, arm_next_se) |
FIELD_PREP(IRDMA_CQ_DBSA_ARM_NEXT, 1);
set_64bit_val(ccq->cq_uk.shadow_area, 32, temp_val);
+ spin_unlock_irqrestore(&ccq->dev->cqp_lock, flags);
dma_wmb(); /* make sure shadow area is updated before arming */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 142/554] RDMA/irdma: Fix data race in irdma_free_pble
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 141/554] RDMA/irdma: Fix data race in irdma_sc_ccq_arm Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 143/554] ASoC: fsl_xcvr: Add Counter registers Greg Kroah-Hartman
` (417 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Czurylo, Tatyana Nikolova,
Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Czurylo <krzysztof.czurylo@intel.com>
[ Upstream commit 81f44409fb4f027d1e6d54edbeba5156ad94b214 ]
Protects pble_rsrc counters with mutex to prevent data race.
Fixes the following data race in irdma_free_pble reported by KCSAN:
BUG: KCSAN: data-race in irdma_free_pble [irdma] / irdma_free_pble [irdma]
write to 0xffff91430baa0078 of 8 bytes by task 16956 on cpu 5:
irdma_free_pble+0x3b/0xb0 [irdma]
irdma_dereg_mr+0x108/0x110 [irdma]
ib_dereg_mr_user+0x74/0x160 [ib_core]
uverbs_free_mr+0x26/0x30 [ib_uverbs]
destroy_hw_idr_uobject+0x4a/0x90 [ib_uverbs]
uverbs_destroy_uobject+0x7b/0x330 [ib_uverbs]
uobj_destroy+0x61/0xb0 [ib_uverbs]
ib_uverbs_run_method+0x1f2/0x380 [ib_uverbs]
ib_uverbs_cmd_verbs+0x365/0x440 [ib_uverbs]
ib_uverbs_ioctl+0x111/0x190 [ib_uverbs]
__x64_sys_ioctl+0xc9/0x100
do_syscall_64+0x44/0xa0
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
read to 0xffff91430baa0078 of 8 bytes by task 16953 on cpu 2:
irdma_free_pble+0x23/0xb0 [irdma]
irdma_dereg_mr+0x108/0x110 [irdma]
ib_dereg_mr_user+0x74/0x160 [ib_core]
uverbs_free_mr+0x26/0x30 [ib_uverbs]
destroy_hw_idr_uobject+0x4a/0x90 [ib_uverbs]
uverbs_destroy_uobject+0x7b/0x330 [ib_uverbs]
uobj_destroy+0x61/0xb0 [ib_uverbs]
ib_uverbs_run_method+0x1f2/0x380 [ib_uverbs]
ib_uverbs_cmd_verbs+0x365/0x440 [ib_uverbs]
ib_uverbs_ioctl+0x111/0x190 [ib_uverbs]
__x64_sys_ioctl+0xc9/0x100
do_syscall_64+0x44/0xa0
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
value changed: 0x0000000000005a62 -> 0x0000000000005a68
Fixes: e8c4dbc2fcac ("RDMA/irdma: Add PBLE resource manager")
Signed-off-by: Krzysztof Czurylo <krzysztof.czurylo@intel.com>
Signed-off-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Link: https://patch.msgid.link/20251125025350.180-3-tatyana.e.nikolova@intel.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/pble.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/irdma/pble.c b/drivers/infiniband/hw/irdma/pble.c
index 6562592695b70..f4d5d1cee681f 100644
--- a/drivers/infiniband/hw/irdma/pble.c
+++ b/drivers/infiniband/hw/irdma/pble.c
@@ -507,12 +507,14 @@ enum irdma_status_code irdma_get_pble(struct irdma_hmc_pble_rsrc *pble_rsrc,
void irdma_free_pble(struct irdma_hmc_pble_rsrc *pble_rsrc,
struct irdma_pble_alloc *palloc)
{
- pble_rsrc->freedpbles += palloc->total_cnt;
-
if (palloc->level == PBLE_LEVEL_2)
free_lvl2(pble_rsrc, palloc);
else
irdma_prm_return_pbles(&pble_rsrc->pinfo,
&palloc->level1.chunkinfo);
+
+ mutex_lock(&pble_rsrc->pble_mutex_lock);
+ pble_rsrc->freedpbles += palloc->total_cnt;
pble_rsrc->stats_alloc_freed++;
+ mutex_unlock(&pble_rsrc->pble_mutex_lock);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 143/554] ASoC: fsl_xcvr: Add Counter registers
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 142/554] RDMA/irdma: Fix data race in irdma_free_pble Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 144/554] ASoC: fsl_xcvr: Add support for i.MX93 platform Greg Kroah-Hartman
` (416 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 107d170dc46e14cfa575d1b995107ef2f2e51dfe ]
These counter registers are part of register list,
add them to complete the register map
- DMAC counter control registers
- Data path Timestamp counter register
- Data path bit counter register
- Data path bit count timestamp register
- Data path bit read timestamp register
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://lore.kernel.org/r/1666940627-7611-1-git-send-email-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 73b97d46dde6 ("ASoC: fsl_xcvr: clear the channel status control memory")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 40 ++++++++++++++++++++++++++++++++++++++++
sound/soc/fsl/fsl_xcvr.h | 21 +++++++++++++++++++++
2 files changed, 61 insertions(+)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index d0556c79fdb15..1feb5758245f0 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -933,6 +933,14 @@ static const struct reg_default fsl_xcvr_reg_defaults[] = {
{ FSL_XCVR_RX_DPTH_CTRL_SET, 0x00002C89 },
{ FSL_XCVR_RX_DPTH_CTRL_CLR, 0x00002C89 },
{ FSL_XCVR_RX_DPTH_CTRL_TOG, 0x00002C89 },
+ { FSL_XCVR_RX_DPTH_CNTR_CTRL, 0x00000000 },
+ { FSL_XCVR_RX_DPTH_CNTR_CTRL_SET, 0x00000000 },
+ { FSL_XCVR_RX_DPTH_CNTR_CTRL_CLR, 0x00000000 },
+ { FSL_XCVR_RX_DPTH_CNTR_CTRL_TOG, 0x00000000 },
+ { FSL_XCVR_RX_DPTH_TSCR, 0x00000000 },
+ { FSL_XCVR_RX_DPTH_BCR, 0x00000000 },
+ { FSL_XCVR_RX_DPTH_BCTR, 0x00000000 },
+ { FSL_XCVR_RX_DPTH_BCRR, 0x00000000 },
{ FSL_XCVR_TX_DPTH_CTRL, 0x00000000 },
{ FSL_XCVR_TX_DPTH_CTRL_SET, 0x00000000 },
{ FSL_XCVR_TX_DPTH_CTRL_CLR, 0x00000000 },
@@ -943,6 +951,14 @@ static const struct reg_default fsl_xcvr_reg_defaults[] = {
{ FSL_XCVR_TX_CS_DATA_3, 0x00000000 },
{ FSL_XCVR_TX_CS_DATA_4, 0x00000000 },
{ FSL_XCVR_TX_CS_DATA_5, 0x00000000 },
+ { FSL_XCVR_TX_DPTH_CNTR_CTRL, 0x00000000 },
+ { FSL_XCVR_TX_DPTH_CNTR_CTRL_SET, 0x00000000 },
+ { FSL_XCVR_TX_DPTH_CNTR_CTRL_CLR, 0x00000000 },
+ { FSL_XCVR_TX_DPTH_CNTR_CTRL_TOG, 0x00000000 },
+ { FSL_XCVR_TX_DPTH_TSCR, 0x00000000 },
+ { FSL_XCVR_TX_DPTH_BCR, 0x00000000 },
+ { FSL_XCVR_TX_DPTH_BCTR, 0x00000000 },
+ { FSL_XCVR_TX_DPTH_BCRR, 0x00000000 },
{ FSL_XCVR_DEBUG_REG_0, 0x00000000 },
{ FSL_XCVR_DEBUG_REG_1, 0x00000000 },
};
@@ -974,6 +990,14 @@ static bool fsl_xcvr_readable_reg(struct device *dev, unsigned int reg)
case FSL_XCVR_RX_DPTH_CTRL_SET:
case FSL_XCVR_RX_DPTH_CTRL_CLR:
case FSL_XCVR_RX_DPTH_CTRL_TOG:
+ case FSL_XCVR_RX_DPTH_CNTR_CTRL:
+ case FSL_XCVR_RX_DPTH_CNTR_CTRL_SET:
+ case FSL_XCVR_RX_DPTH_CNTR_CTRL_CLR:
+ case FSL_XCVR_RX_DPTH_CNTR_CTRL_TOG:
+ case FSL_XCVR_RX_DPTH_TSCR:
+ case FSL_XCVR_RX_DPTH_BCR:
+ case FSL_XCVR_RX_DPTH_BCTR:
+ case FSL_XCVR_RX_DPTH_BCRR:
case FSL_XCVR_TX_DPTH_CTRL:
case FSL_XCVR_TX_DPTH_CTRL_SET:
case FSL_XCVR_TX_DPTH_CTRL_CLR:
@@ -984,6 +1008,14 @@ static bool fsl_xcvr_readable_reg(struct device *dev, unsigned int reg)
case FSL_XCVR_TX_CS_DATA_3:
case FSL_XCVR_TX_CS_DATA_4:
case FSL_XCVR_TX_CS_DATA_5:
+ case FSL_XCVR_TX_DPTH_CNTR_CTRL:
+ case FSL_XCVR_TX_DPTH_CNTR_CTRL_SET:
+ case FSL_XCVR_TX_DPTH_CNTR_CTRL_CLR:
+ case FSL_XCVR_TX_DPTH_CNTR_CTRL_TOG:
+ case FSL_XCVR_TX_DPTH_TSCR:
+ case FSL_XCVR_TX_DPTH_BCR:
+ case FSL_XCVR_TX_DPTH_BCTR:
+ case FSL_XCVR_TX_DPTH_BCRR:
case FSL_XCVR_DEBUG_REG_0:
case FSL_XCVR_DEBUG_REG_1:
return true;
@@ -1016,6 +1048,10 @@ static bool fsl_xcvr_writeable_reg(struct device *dev, unsigned int reg)
case FSL_XCVR_RX_DPTH_CTRL_SET:
case FSL_XCVR_RX_DPTH_CTRL_CLR:
case FSL_XCVR_RX_DPTH_CTRL_TOG:
+ case FSL_XCVR_RX_DPTH_CNTR_CTRL:
+ case FSL_XCVR_RX_DPTH_CNTR_CTRL_SET:
+ case FSL_XCVR_RX_DPTH_CNTR_CTRL_CLR:
+ case FSL_XCVR_RX_DPTH_CNTR_CTRL_TOG:
case FSL_XCVR_TX_DPTH_CTRL_SET:
case FSL_XCVR_TX_DPTH_CTRL_CLR:
case FSL_XCVR_TX_DPTH_CTRL_TOG:
@@ -1025,6 +1061,10 @@ static bool fsl_xcvr_writeable_reg(struct device *dev, unsigned int reg)
case FSL_XCVR_TX_CS_DATA_3:
case FSL_XCVR_TX_CS_DATA_4:
case FSL_XCVR_TX_CS_DATA_5:
+ case FSL_XCVR_TX_DPTH_CNTR_CTRL:
+ case FSL_XCVR_TX_DPTH_CNTR_CTRL_SET:
+ case FSL_XCVR_TX_DPTH_CNTR_CTRL_CLR:
+ case FSL_XCVR_TX_DPTH_CNTR_CTRL_TOG:
return true;
default:
return false;
diff --git a/sound/soc/fsl/fsl_xcvr.h b/sound/soc/fsl/fsl_xcvr.h
index 7f2853c60085e..4769b0fca21de 100644
--- a/sound/soc/fsl/fsl_xcvr.h
+++ b/sound/soc/fsl/fsl_xcvr.h
@@ -49,6 +49,16 @@
#define FSL_XCVR_RX_DPTH_CTRL_CLR 0x188
#define FSL_XCVR_RX_DPTH_CTRL_TOG 0x18c
+#define FSL_XCVR_RX_DPTH_CNTR_CTRL 0x1C0
+#define FSL_XCVR_RX_DPTH_CNTR_CTRL_SET 0x1C4
+#define FSL_XCVR_RX_DPTH_CNTR_CTRL_CLR 0x1C8
+#define FSL_XCVR_RX_DPTH_CNTR_CTRL_TOG 0x1CC
+
+#define FSL_XCVR_RX_DPTH_TSCR 0x1D0
+#define FSL_XCVR_RX_DPTH_BCR 0x1D4
+#define FSL_XCVR_RX_DPTH_BCTR 0x1D8
+#define FSL_XCVR_RX_DPTH_BCRR 0x1DC
+
#define FSL_XCVR_TX_DPTH_CTRL 0x220 /* TX datapath ctrl reg */
#define FSL_XCVR_TX_DPTH_CTRL_SET 0x224
#define FSL_XCVR_TX_DPTH_CTRL_CLR 0x228
@@ -59,6 +69,17 @@
#define FSL_XCVR_TX_CS_DATA_3 0x23C
#define FSL_XCVR_TX_CS_DATA_4 0x240
#define FSL_XCVR_TX_CS_DATA_5 0x244
+
+#define FSL_XCVR_TX_DPTH_CNTR_CTRL 0x260
+#define FSL_XCVR_TX_DPTH_CNTR_CTRL_SET 0x264
+#define FSL_XCVR_TX_DPTH_CNTR_CTRL_CLR 0x268
+#define FSL_XCVR_TX_DPTH_CNTR_CTRL_TOG 0x26C
+
+#define FSL_XCVR_TX_DPTH_TSCR 0x270
+#define FSL_XCVR_TX_DPTH_BCR 0x274
+#define FSL_XCVR_TX_DPTH_BCTR 0x278
+#define FSL_XCVR_TX_DPTH_BCRR 0x27C
+
#define FSL_XCVR_DEBUG_REG_0 0x2E0
#define FSL_XCVR_DEBUG_REG_1 0x2F0
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 144/554] ASoC: fsl_xcvr: Add support for i.MX93 platform
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 143/554] ASoC: fsl_xcvr: Add Counter registers Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 145/554] ASoC: fsl_xcvr: clear the channel status control memory Greg Kroah-Hartman
` (415 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chancel Liu, Shengjiu Wang,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chancel Liu <chancel.liu@nxp.com>
[ Upstream commit e240b9329a300af7b7c1eba2ce0abbf19e6c540b ]
Add compatible string and specific soc data to support XCVR on i.MX93
platform. XCVR IP on i.MX93 is cut to SPDIF only by removing external
PHY.
Signed-off-by: Chancel Liu <chancel.liu@nxp.com>
Acked-by: Shengjiu Wang <shengjiu.wang@gmail.com>
Link: https://lore.kernel.org/r/20230104023953.2973362-3-chancel.liu@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 73b97d46dde6 ("ASoC: fsl_xcvr: clear the channel status control memory")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 143 ++++++++++++++++++++++++++-------------
sound/soc/fsl/fsl_xcvr.h | 7 ++
2 files changed, 102 insertions(+), 48 deletions(-)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index 1feb5758245f0..3fee1aa03363b 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -21,6 +21,7 @@
struct fsl_xcvr_soc_data {
const char *fw_name;
+ bool spdif_only;
};
struct fsl_xcvr {
@@ -261,6 +262,9 @@ static int fsl_xcvr_en_phy_pll(struct fsl_xcvr *xcvr, u32 freq, bool tx)
u32 i, div = 0, log2;
int ret;
+ if (xcvr->soc_data->spdif_only)
+ return 0;
+
for (i = 0; i < ARRAY_SIZE(fsl_xcvr_pll_cfg); i++) {
if (fsl_xcvr_pll_cfg[i].fout % freq == 0) {
div = fsl_xcvr_pll_cfg[i].fout / freq;
@@ -353,6 +357,7 @@ static int fsl_xcvr_en_aud_pll(struct fsl_xcvr *xcvr, u32 freq)
struct device *dev = &xcvr->pdev->dev;
int ret;
+ freq = xcvr->soc_data->spdif_only ? freq / 10 : freq;
clk_disable_unprepare(xcvr->phy_clk);
ret = clk_set_rate(xcvr->phy_clk, freq);
if (ret < 0) {
@@ -365,6 +370,8 @@ static int fsl_xcvr_en_aud_pll(struct fsl_xcvr *xcvr, u32 freq)
return ret;
}
+ if (xcvr->soc_data->spdif_only)
+ return 0;
/* Release AI interface from reset */
ret = regmap_write(xcvr->regmap, FSL_XCVR_PHY_AI_CTRL_SET,
FSL_XCVR_PHY_AI_CTRL_AI_RESETN);
@@ -547,10 +554,12 @@ static int fsl_xcvr_startup(struct snd_pcm_substream *substream,
xcvr->streams |= BIT(substream->stream);
- /* Disable XCVR controls if there is stream started */
- fsl_xcvr_activate_ctl(dai, fsl_xcvr_mode_kctl.name, false);
- fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, false);
- fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, false);
+ if (!xcvr->soc_data->spdif_only) {
+ /* Disable XCVR controls if there is stream started */
+ fsl_xcvr_activate_ctl(dai, fsl_xcvr_mode_kctl.name, false);
+ fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name, false);
+ fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name, false);
+ }
return 0;
}
@@ -567,12 +576,13 @@ static void fsl_xcvr_shutdown(struct snd_pcm_substream *substream,
/* Enable XCVR controls if there is no stream started */
if (!xcvr->streams) {
- fsl_xcvr_activate_ctl(dai, fsl_xcvr_mode_kctl.name, true);
- fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name,
- (xcvr->mode == FSL_XCVR_MODE_ARC));
- fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name,
- (xcvr->mode == FSL_XCVR_MODE_EARC));
-
+ if (!xcvr->soc_data->spdif_only) {
+ fsl_xcvr_activate_ctl(dai, fsl_xcvr_mode_kctl.name, true);
+ fsl_xcvr_activate_ctl(dai, fsl_xcvr_arc_mode_kctl.name,
+ (xcvr->mode == FSL_XCVR_MODE_ARC));
+ fsl_xcvr_activate_ctl(dai, fsl_xcvr_earc_capds_kctl.name,
+ (xcvr->mode == FSL_XCVR_MODE_EARC));
+ }
ret = regmap_update_bits(xcvr->regmap, FSL_XCVR_EXT_IER0,
FSL_XCVR_IRQ_EARC_ALL, 0);
if (ret < 0) {
@@ -673,7 +683,10 @@ static int fsl_xcvr_trigger(struct snd_pcm_substream *substream, int cmd,
dev_err(dai->dev, "Failed to stop DATA_TX: %d\n", ret);
return ret;
}
- fallthrough;
+ if (xcvr->soc_data->spdif_only)
+ break;
+ else
+ fallthrough;
case FSL_XCVR_MODE_EARC:
/* clear ISR_CMDC_TX_EN, W1C */
ret = regmap_write(xcvr->regmap,
@@ -877,9 +890,13 @@ static int fsl_xcvr_dai_probe(struct snd_soc_dai *dai)
snd_soc_dai_init_dma_data(dai, &xcvr->dma_prms_tx, &xcvr->dma_prms_rx);
- snd_soc_add_dai_controls(dai, &fsl_xcvr_mode_kctl, 1);
- snd_soc_add_dai_controls(dai, &fsl_xcvr_arc_mode_kctl, 1);
- snd_soc_add_dai_controls(dai, &fsl_xcvr_earc_capds_kctl, 1);
+ if (xcvr->soc_data->spdif_only)
+ xcvr->mode = FSL_XCVR_MODE_SPDIF;
+ else {
+ snd_soc_add_dai_controls(dai, &fsl_xcvr_mode_kctl, 1);
+ snd_soc_add_dai_controls(dai, &fsl_xcvr_arc_mode_kctl, 1);
+ snd_soc_add_dai_controls(dai, &fsl_xcvr_earc_capds_kctl, 1);
+ }
snd_soc_add_dai_controls(dai, fsl_xcvr_tx_ctls,
ARRAY_SIZE(fsl_xcvr_tx_ctls));
snd_soc_add_dai_controls(dai, fsl_xcvr_rx_ctls,
@@ -929,10 +946,11 @@ static const struct reg_default fsl_xcvr_reg_defaults[] = {
{ FSL_XCVR_ISR_SET, 0x00000000 },
{ FSL_XCVR_ISR_CLR, 0x00000000 },
{ FSL_XCVR_ISR_TOG, 0x00000000 },
- { FSL_XCVR_RX_DPTH_CTRL, 0x00002C89 },
- { FSL_XCVR_RX_DPTH_CTRL_SET, 0x00002C89 },
- { FSL_XCVR_RX_DPTH_CTRL_CLR, 0x00002C89 },
- { FSL_XCVR_RX_DPTH_CTRL_TOG, 0x00002C89 },
+ { FSL_XCVR_CLK_CTRL, 0x0000018F },
+ { FSL_XCVR_RX_DPTH_CTRL, 0x00040CC1 },
+ { FSL_XCVR_RX_DPTH_CTRL_SET, 0x00040CC1 },
+ { FSL_XCVR_RX_DPTH_CTRL_CLR, 0x00040CC1 },
+ { FSL_XCVR_RX_DPTH_CTRL_TOG, 0x00040CC1 },
{ FSL_XCVR_RX_DPTH_CNTR_CTRL, 0x00000000 },
{ FSL_XCVR_RX_DPTH_CNTR_CTRL_SET, 0x00000000 },
{ FSL_XCVR_RX_DPTH_CNTR_CTRL_CLR, 0x00000000 },
@@ -965,6 +983,12 @@ static const struct reg_default fsl_xcvr_reg_defaults[] = {
static bool fsl_xcvr_readable_reg(struct device *dev, unsigned int reg)
{
+ struct fsl_xcvr *xcvr = dev_get_drvdata(dev);
+
+ if (xcvr->soc_data->spdif_only)
+ if ((reg >= FSL_XCVR_IER && reg <= FSL_XCVR_PHY_AI_RDATA) ||
+ reg > FSL_XCVR_TX_DPTH_BCRR)
+ return false;
switch (reg) {
case FSL_XCVR_VERSION:
case FSL_XCVR_EXT_CTRL:
@@ -990,6 +1014,12 @@ static bool fsl_xcvr_readable_reg(struct device *dev, unsigned int reg)
case FSL_XCVR_RX_DPTH_CTRL_SET:
case FSL_XCVR_RX_DPTH_CTRL_CLR:
case FSL_XCVR_RX_DPTH_CTRL_TOG:
+ case FSL_XCVR_RX_CS_DATA_0:
+ case FSL_XCVR_RX_CS_DATA_1:
+ case FSL_XCVR_RX_CS_DATA_2:
+ case FSL_XCVR_RX_CS_DATA_3:
+ case FSL_XCVR_RX_CS_DATA_4:
+ case FSL_XCVR_RX_CS_DATA_5:
case FSL_XCVR_RX_DPTH_CNTR_CTRL:
case FSL_XCVR_RX_DPTH_CNTR_CTRL_SET:
case FSL_XCVR_RX_DPTH_CNTR_CTRL_CLR:
@@ -1026,6 +1056,11 @@ static bool fsl_xcvr_readable_reg(struct device *dev, unsigned int reg)
static bool fsl_xcvr_writeable_reg(struct device *dev, unsigned int reg)
{
+ struct fsl_xcvr *xcvr = dev_get_drvdata(dev);
+
+ if (xcvr->soc_data->spdif_only)
+ if (reg >= FSL_XCVR_IER && reg <= FSL_XCVR_PHY_AI_RDATA)
+ return false;
switch (reg) {
case FSL_XCVR_EXT_CTRL:
case FSL_XCVR_EXT_IER0:
@@ -1102,32 +1137,34 @@ static irqreturn_t irq0_isr(int irq, void *devid)
if (isr & FSL_XCVR_IRQ_NEW_CS) {
dev_dbg(dev, "Received new CS block\n");
isr_clr |= FSL_XCVR_IRQ_NEW_CS;
- /* Data RAM is 4KiB, last two pages: 8 and 9. Select page 8. */
- regmap_update_bits(xcvr->regmap, FSL_XCVR_EXT_CTRL,
- FSL_XCVR_EXT_CTRL_PAGE_MASK,
- FSL_XCVR_EXT_CTRL_PAGE(8));
-
- /* Find updated CS buffer */
- reg_ctrl = xcvr->ram_addr + FSL_XCVR_RX_CS_CTRL_0;
- reg_buff = xcvr->ram_addr + FSL_XCVR_RX_CS_BUFF_0;
- memcpy_fromio(&val, reg_ctrl, sizeof(val));
- if (!val) {
- reg_ctrl = xcvr->ram_addr + FSL_XCVR_RX_CS_CTRL_1;
- reg_buff = xcvr->ram_addr + FSL_XCVR_RX_CS_BUFF_1;
+ if (!xcvr->soc_data->spdif_only) {
+ /* Data RAM is 4KiB, last two pages: 8 and 9. Select page 8. */
+ regmap_update_bits(xcvr->regmap, FSL_XCVR_EXT_CTRL,
+ FSL_XCVR_EXT_CTRL_PAGE_MASK,
+ FSL_XCVR_EXT_CTRL_PAGE(8));
+
+ /* Find updated CS buffer */
+ reg_ctrl = xcvr->ram_addr + FSL_XCVR_RX_CS_CTRL_0;
+ reg_buff = xcvr->ram_addr + FSL_XCVR_RX_CS_BUFF_0;
memcpy_fromio(&val, reg_ctrl, sizeof(val));
- }
+ if (!val) {
+ reg_ctrl = xcvr->ram_addr + FSL_XCVR_RX_CS_CTRL_1;
+ reg_buff = xcvr->ram_addr + FSL_XCVR_RX_CS_BUFF_1;
+ memcpy_fromio(&val, reg_ctrl, sizeof(val));
+ }
- if (val) {
- /* copy CS buffer */
- memcpy_fromio(&xcvr->rx_iec958.status, reg_buff,
- sizeof(xcvr->rx_iec958.status));
- for (i = 0; i < 6; i++) {
- val = *(u32 *)(xcvr->rx_iec958.status + i*4);
- *(u32 *)(xcvr->rx_iec958.status + i*4) =
- bitrev32(val);
+ if (val) {
+ /* copy CS buffer */
+ memcpy_fromio(&xcvr->rx_iec958.status, reg_buff,
+ sizeof(xcvr->rx_iec958.status));
+ for (i = 0; i < 6; i++) {
+ val = *(u32 *)(xcvr->rx_iec958.status + i*4);
+ *(u32 *)(xcvr->rx_iec958.status + i*4) =
+ bitrev32(val);
+ }
+ /* clear CS control register */
+ memset_io(reg_ctrl, 0, sizeof(val));
}
- /* clear CS control register */
- memset_io(reg_ctrl, 0, sizeof(val));
}
}
if (isr & FSL_XCVR_IRQ_NEW_UD) {
@@ -1167,8 +1204,13 @@ static const struct fsl_xcvr_soc_data fsl_xcvr_imx8mp_data = {
.fw_name = "imx/xcvr/xcvr-imx8mp.bin",
};
+static const struct fsl_xcvr_soc_data fsl_xcvr_imx93_data = {
+ .spdif_only = true,
+};
+
static const struct of_device_id fsl_xcvr_dt_ids[] = {
{ .compatible = "fsl,imx8mp-xcvr", .data = &fsl_xcvr_imx8mp_data },
+ { .compatible = "fsl,imx93-xcvr", .data = &fsl_xcvr_imx93_data},
{ /* sentinel */ }
};
MODULE_DEVICE_TABLE(of, fsl_xcvr_dt_ids);
@@ -1228,7 +1270,7 @@ static int fsl_xcvr_probe(struct platform_device *pdev)
return PTR_ERR(xcvr->regmap);
}
- xcvr->reset = devm_reset_control_get_exclusive(dev, NULL);
+ xcvr->reset = devm_reset_control_get_optional_exclusive(dev, NULL);
if (IS_ERR(xcvr->reset)) {
dev_err(dev, "failed to get XCVR reset control\n");
return PTR_ERR(xcvr->reset);
@@ -1297,12 +1339,14 @@ static __maybe_unused int fsl_xcvr_runtime_suspend(struct device *dev)
if (ret < 0)
dev_err(dev, "Failed to clear IER0: %d\n", ret);
- /* Assert M0+ reset */
- ret = regmap_update_bits(xcvr->regmap, FSL_XCVR_EXT_CTRL,
- FSL_XCVR_EXT_CTRL_CORE_RESET,
- FSL_XCVR_EXT_CTRL_CORE_RESET);
- if (ret < 0)
- dev_err(dev, "Failed to assert M0+ core: %d\n", ret);
+ if (!xcvr->soc_data->spdif_only) {
+ /* Assert M0+ reset */
+ ret = regmap_update_bits(xcvr->regmap, FSL_XCVR_EXT_CTRL,
+ FSL_XCVR_EXT_CTRL_CORE_RESET,
+ FSL_XCVR_EXT_CTRL_CORE_RESET);
+ if (ret < 0)
+ dev_err(dev, "Failed to assert M0+ core: %d\n", ret);
+ }
regcache_cache_only(xcvr->regmap, true);
@@ -1358,6 +1402,9 @@ static __maybe_unused int fsl_xcvr_runtime_resume(struct device *dev)
goto stop_spba_clk;
}
+ if (xcvr->soc_data->spdif_only)
+ return 0;
+
ret = reset_control_deassert(xcvr->reset);
if (ret) {
dev_err(dev, "failed to deassert M0+ reset.\n");
diff --git a/sound/soc/fsl/fsl_xcvr.h b/sound/soc/fsl/fsl_xcvr.h
index 4769b0fca21de..044058fc6aa24 100644
--- a/sound/soc/fsl/fsl_xcvr.h
+++ b/sound/soc/fsl/fsl_xcvr.h
@@ -49,6 +49,13 @@
#define FSL_XCVR_RX_DPTH_CTRL_CLR 0x188
#define FSL_XCVR_RX_DPTH_CTRL_TOG 0x18c
+#define FSL_XCVR_RX_CS_DATA_0 0x190
+#define FSL_XCVR_RX_CS_DATA_1 0x194
+#define FSL_XCVR_RX_CS_DATA_2 0x198
+#define FSL_XCVR_RX_CS_DATA_3 0x19C
+#define FSL_XCVR_RX_CS_DATA_4 0x1A0
+#define FSL_XCVR_RX_CS_DATA_5 0x1A4
+
#define FSL_XCVR_RX_DPTH_CNTR_CTRL 0x1C0
#define FSL_XCVR_RX_DPTH_CNTR_CTRL_SET 0x1C4
#define FSL_XCVR_RX_DPTH_CNTR_CTRL_CLR 0x1C8
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 145/554] ASoC: fsl_xcvr: clear the channel status control memory
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 144/554] ASoC: fsl_xcvr: Add support for i.MX93 platform Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 146/554] drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1() Greg Kroah-Hartman
` (414 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 73b97d46dde64fa184d47865d4a532d818c3a007 ]
memset_io() writes memory byte by byte with __raw_writeb() on the arm
platform if the size is word. but XCVR data RAM memory can't be accessed
with byte address, so with memset_io() the channel status control memory
is not really cleared, use writel_relaxed() instead.
Fixes: 28564486866f ("ASoC: fsl_xcvr: Add XCVR ASoC CPU DAI driver")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20251126064509.1900974-1-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_xcvr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/fsl/fsl_xcvr.c b/sound/soc/fsl/fsl_xcvr.c
index 3fee1aa03363b..8065fa5c95e10 100644
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -1163,7 +1163,7 @@ static irqreturn_t irq0_isr(int irq, void *devid)
bitrev32(val);
}
/* clear CS control register */
- memset_io(reg_ctrl, 0, sizeof(val));
+ writel_relaxed(0, reg_ctrl);
}
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 146/554] drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 145/554] ASoC: fsl_xcvr: clear the channel status control memory Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 147/554] ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4 Greg Kroah-Hartman
` (413 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Alex Hung,
Alex Deucher, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 1a79482699b4d1e43948d14f0c7193dc1dcad858 ]
The .H_SYNC_POLARITY and .V_SYNC_POLARITY variables are 1 bit bitfields
of a u32. The ATOM_HSYNC_POLARITY define is 0x2 and the
ATOM_VSYNC_POLARITY is 0x4. When we do a bitwise negate of 0, 2, or 4
then the last bit is always 1 so this code always sets .H_SYNC_POLARITY
and .V_SYNC_POLARITY to true.
This code is instead intended to check if the ATOM_HSYNC_POLARITY or
ATOM_VSYNC_POLARITY flags are set and reverse the result. In other
words, it's supposed to be a logical negate instead of a bitwise negate.
Fixes: ae79c310b1a6 ("drm/amd/display: Add DCE12 bios parser support")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
index 6bc8c6bee411e..bebdc9b53bb6b 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -1156,10 +1156,10 @@ static enum bp_result get_embedded_panel_info_v2_1(
/* not provided by VBIOS */
info->lcd_timing.misc_info.HORIZONTAL_CUT_OFF = 0;
- info->lcd_timing.misc_info.H_SYNC_POLARITY = ~(uint32_t) (lvds->lcd_timing.miscinfo
- & ATOM_HSYNC_POLARITY);
- info->lcd_timing.misc_info.V_SYNC_POLARITY = ~(uint32_t) (lvds->lcd_timing.miscinfo
- & ATOM_VSYNC_POLARITY);
+ info->lcd_timing.misc_info.H_SYNC_POLARITY = !(lvds->lcd_timing.miscinfo &
+ ATOM_HSYNC_POLARITY);
+ info->lcd_timing.misc_info.V_SYNC_POLARITY = !(lvds->lcd_timing.miscinfo &
+ ATOM_VSYNC_POLARITY);
/* not provided by VBIOS */
info->lcd_timing.misc_info.VERTICAL_CUT_OFF = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 147/554] ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 146/554] drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 148/554] ext4: remove unused return value of __mb_check_buddy Greg Kroah-Hartman
` (412 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
[ Upstream commit 17e7972979e147cc51d4a165e6b6b0f93273ca68 ]
On all AMD AM4 systems I have seen, e.g ASUS X470-i, Pro WS X570 Ace
and equivalent Gigabyte, amd-pstate does not initialize when the
x2apic is enabled in the BIOS. Kernel debug messages include:
[ 0.315438] acpi LNXCPU:00: Failed to get CPU physical ID.
[ 0.354756] ACPI CPPC: No CPC descriptor for CPU:0
[ 0.714951] amd_pstate: the _CPC object is not present in SBIOS or ACPI disabled
I tracked this down to map_x2apic_id() checking device_declaration
passed in via the type argument of acpi_get_phys_id() via
map_madt_entry() while map_lapic_id() does not.
It appears these BIOSes use Processor statements for declaring the CPUs
in the ACPI namespace instead of processor device objects (which should
have been used). CPU declarations via Processor statements were
deprecated in ACPI 6.0 that was released 10 years ago. They should not
be used any more in any contemporary platform firmware.
I tried to contact Asus support multiple times, but never received a
reply nor did any BIOS update ever change this.
Fix amd-pstate w/ x2apic on am4 by allowing map_x2apic_id() to work with
CPUs declared via Processor statements for IDs less than 255, which is
consistent with ACPI 5.0 that still allowed Processor statements to be
used for declaring CPUs.
Fixes: 7237d3de78ff ("x86, ACPI: add support for x2apic ACPI extensions")
Signed-off-by: René Rebe <rene@exactco.de>
[ rjw: Changelog edits ]
Link: https://patch.msgid.link/20251126.165513.1373131139292726554.rene@exactco.de
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/processor_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/acpi/processor_core.c b/drivers/acpi/processor_core.c
index 2ac48cda5b201..eae7efae3b5cf 100644
--- a/drivers/acpi/processor_core.c
+++ b/drivers/acpi/processor_core.c
@@ -54,7 +54,7 @@ static int map_x2apic_id(struct acpi_subtable_header *entry,
if (!(apic->lapic_flags & ACPI_MADT_ENABLED))
return -ENODEV;
- if (device_declaration && (apic->uid == acpi_id)) {
+ if (apic->uid == acpi_id && (device_declaration || acpi_id < 255)) {
*apic_id = apic->local_apic_id;
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 148/554] ext4: remove unused return value of __mb_check_buddy
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 147/554] ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4 Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 149/554] ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation Greg Kroah-Hartman
` (411 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kemeng Shi, Jan Kara, Theodore Tso,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kemeng Shi <shikemeng@huaweicloud.com>
[ Upstream commit 133de5a0d8f8e32b34feaa8beae7a189482f1856 ]
Remove unused return value of __mb_check_buddy.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20240105092102.496631-2-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: d9ee3ff810f1 ("ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 1a8d72c5e327a..93ff3220511e7 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -663,7 +663,7 @@ do { \
} \
} while (0)
-static int __mb_check_buddy(struct ext4_buddy *e4b, char *file,
+static void __mb_check_buddy(struct ext4_buddy *e4b, char *file,
const char *function, int line)
{
struct super_block *sb = e4b->bd_sb;
@@ -682,7 +682,7 @@ static int __mb_check_buddy(struct ext4_buddy *e4b, char *file,
void *buddy2;
if (e4b->bd_info->bb_check_counter++ % 10)
- return 0;
+ return;
while (order > 1) {
buddy = mb_find_buddy(e4b, order, &max);
@@ -747,7 +747,7 @@ static int __mb_check_buddy(struct ext4_buddy *e4b, char *file,
grp = ext4_get_group_info(sb, e4b->bd_group);
if (!grp)
- return NULL;
+ return;
list_for_each(cur, &grp->bb_prealloc_list) {
ext4_group_t groupnr;
struct ext4_prealloc_space *pa;
@@ -757,7 +757,6 @@ static int __mb_check_buddy(struct ext4_buddy *e4b, char *file,
for (i = 0; i < pa->pa_len; i++)
MB_CHECK_ASSERT(mb_test_bit(k + i, buddy));
}
- return 0;
}
#undef MB_CHECK_ASSERT
#define mb_check_buddy(e4b) __mb_check_buddy(e4b, \
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 149/554] ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 148/554] ext4: remove unused return value of __mb_check_buddy Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 150/554] vdpa: Introduce and use vdpa device get, set config helpers Greg Kroah-Hartman
` (410 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Yongjian Sun, Baokun Li,
Theodore Tso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongjian Sun <sunyongjian1@huawei.com>
[ Upstream commit d9ee3ff810f1cc0e253c9f2b17b668b973cb0e06 ]
When the MB_CHECK_ASSERT macro is enabled, we found that the
current validation logic in __mb_check_buddy has a gap in
detecting certain invalid buddy states, particularly related
to order-0 (bitmap) bits.
The original logic consists of three steps:
1. Validates higher-order buddies: if a higher-order bit is
set, at most one of the two corresponding lower-order bits
may be free; if a higher-order bit is clear, both lower-order
bits must be allocated (and their bitmap bits must be 0).
2. For any set bit in order-0, ensures all corresponding
higher-order bits are not free.
3. Verifies that all preallocated blocks (pa) in the group
have pa_pstart within bounds and their bitmap bits marked as
allocated.
However, this approach fails to properly validate cases where
order-0 bits are incorrectly cleared (0), allowing some invalid
configurations to pass:
corrupt integral
order 3 1 1
order 2 1 1 1 1
order 1 1 1 1 1 1 1 1 1
order 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Here we get two adjacent free blocks at order-0 with inconsistent
higher-order state, and the right one shows the correct scenario.
The root cause is insufficient validation of order-0 zero bits.
To fix this and improve completeness without significant performance
cost, we refine the logic:
1. Maintain the top-down higher-order validation, but we no longer
check the cases where the higher-order bit is 0, as this case will
be covered in step 2.
2. Enhance order-0 checking by examining pairs of bits:
- If either bit in a pair is set (1), all corresponding
higher-order bits must not be free.
- If both bits are clear (0), then exactly one of the
corresponding higher-order bits must be free
3. Keep the preallocation (pa) validation unchanged.
This change closes the validation gap, ensuring illegal buddy states
involving order-0 are correctly detected, while removing redundant
checks and maintaining efficiency.
Fixes: c9de560ded61f ("ext4: Add multi block allocator for ext4")
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251106060614.631382-3-sunyongjian@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 49 +++++++++++++++++++++++++++++++----------------
1 file changed, 32 insertions(+), 17 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 93ff3220511e7..702a3229c39b0 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -663,6 +663,24 @@ do { \
} \
} while (0)
+/*
+ * Perform buddy integrity check with the following steps:
+ *
+ * 1. Top-down validation (from highest order down to order 1, excluding order-0 bitmap):
+ * For each pair of adjacent orders, if a higher-order bit is set (indicating a free block),
+ * at most one of the two corresponding lower-order bits may be clear (free).
+ *
+ * 2. Order-0 (bitmap) validation, performed on bit pairs:
+ * - If either bit in a pair is set (1, allocated), then all corresponding higher-order bits
+ * must not be free (0).
+ * - If both bits in a pair are clear (0, free), then exactly one of the corresponding
+ * higher-order bits must be free (0).
+ *
+ * 3. Preallocation (pa) list validation:
+ * For each preallocated block (pa) in the group:
+ * - Verify that pa_pstart falls within the bounds of this block group.
+ * - Ensure the corresponding bit(s) in the order-0 bitmap are marked as allocated (1).
+ */
static void __mb_check_buddy(struct ext4_buddy *e4b, char *file,
const char *function, int line)
{
@@ -707,15 +725,6 @@ static void __mb_check_buddy(struct ext4_buddy *e4b, char *file,
continue;
}
- /* both bits in buddy2 must be 1 */
- MB_CHECK_ASSERT(mb_test_bit(i << 1, buddy2));
- MB_CHECK_ASSERT(mb_test_bit((i << 1) + 1, buddy2));
-
- for (j = 0; j < (1 << order); j++) {
- k = (i * (1 << order)) + j;
- MB_CHECK_ASSERT(
- !mb_test_bit(k, e4b->bd_bitmap));
- }
count++;
}
MB_CHECK_ASSERT(e4b->bd_info->bb_counters[order] == count);
@@ -731,15 +740,21 @@ static void __mb_check_buddy(struct ext4_buddy *e4b, char *file,
fragments++;
fstart = i;
}
- continue;
+ } else {
+ fstart = -1;
}
- fstart = -1;
- /* check used bits only */
- for (j = 0; j < e4b->bd_blkbits + 1; j++) {
- buddy2 = mb_find_buddy(e4b, j, &max2);
- k = i >> j;
- MB_CHECK_ASSERT(k < max2);
- MB_CHECK_ASSERT(mb_test_bit(k, buddy2));
+ if (!(i & 1)) {
+ int in_use, zero_bit_count = 0;
+
+ in_use = mb_test_bit(i, buddy) || mb_test_bit(i + 1, buddy);
+ for (j = 1; j < e4b->bd_blkbits + 2; j++) {
+ buddy2 = mb_find_buddy(e4b, j, &max2);
+ k = i >> j;
+ MB_CHECK_ASSERT(k < max2);
+ if (!mb_test_bit(k, buddy2))
+ zero_bit_count++;
+ }
+ MB_CHECK_ASSERT(zero_bit_count == !in_use);
}
}
MB_CHECK_ASSERT(!EXT4_MB_GRP_NEED_INIT(e4b->bd_info));
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 150/554] vdpa: Introduce and use vdpa device get, set config helpers
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 149/554] ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 151/554] vdpa: Introduce query of device config layout Greg Kroah-Hartman
` (409 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Parav Pandit, Eli Cohen, Jason Wang,
Stefano Garzarella, Michael S. Tsirkin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Parav Pandit <parav@nvidia.com>
[ Upstream commit 6dbb1f1687a2ccdfc5b84b0a35bbc6dfefc4de3b ]
Subsequent patches enable get and set configuration either
via management device or via vdpa device' config ops.
This requires synchronization between multiple callers to get and set
config callbacks. Features setting also influence the layout of the
configuration fields endianness.
To avoid exposing synchronization primitives to callers, introduce
helper for setting the configuration and use it.
Signed-off-by: Parav Pandit <parav@nvidia.com>
Reviewed-by: Eli Cohen <elic@nvidia.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://lore.kernel.org/r/20211026175519.87795-2-parav@nvidia.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Stable-dep-of: e40b6abe0b12 ("virtio_vdpa: fix misleading return in void function")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vdpa/vdpa.c | 36 ++++++++++++++++++++++++++++++++++++
drivers/vhost/vdpa.c | 3 +--
drivers/virtio/virtio_vdpa.c | 3 +--
include/linux/vdpa.h | 19 ++++---------------
4 files changed, 42 insertions(+), 19 deletions(-)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 86571498c1c23..563b06563e17a 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -289,6 +289,42 @@ void vdpa_mgmtdev_unregister(struct vdpa_mgmt_dev *mdev)
}
EXPORT_SYMBOL_GPL(vdpa_mgmtdev_unregister);
+/**
+ * vdpa_get_config - Get one or more device configuration fields.
+ * @vdev: vdpa device to operate on
+ * @offset: starting byte offset of the field
+ * @buf: buffer pointer to read to
+ * @len: length of the configuration fields in bytes
+ */
+void vdpa_get_config(struct vdpa_device *vdev, unsigned int offset,
+ void *buf, unsigned int len)
+{
+ const struct vdpa_config_ops *ops = vdev->config;
+
+ /*
+ * Config accesses aren't supposed to trigger before features are set.
+ * If it does happen we assume a legacy guest.
+ */
+ if (!vdev->features_valid)
+ vdpa_set_features(vdev, 0);
+ ops->get_config(vdev, offset, buf, len);
+}
+EXPORT_SYMBOL_GPL(vdpa_get_config);
+
+/**
+ * vdpa_set_config - Set one or more device configuration fields.
+ * @vdev: vdpa device to operate on
+ * @offset: starting byte offset of the field
+ * @buf: buffer pointer to read from
+ * @length: length of the configuration fields in bytes
+ */
+void vdpa_set_config(struct vdpa_device *vdev, unsigned int offset,
+ const void *buf, unsigned int length)
+{
+ vdev->config->set_config(vdev, offset, buf, length);
+}
+EXPORT_SYMBOL_GPL(vdpa_set_config);
+
static bool mgmtdev_handle_match(const struct vdpa_mgmt_dev *mdev,
const char *busname, const char *devname)
{
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
index 58ba684037f9e..0f61ca0598b71 100644
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -238,7 +238,6 @@ static long vhost_vdpa_set_config(struct vhost_vdpa *v,
struct vhost_vdpa_config __user *c)
{
struct vdpa_device *vdpa = v->vdpa;
- const struct vdpa_config_ops *ops = vdpa->config;
struct vhost_vdpa_config config;
unsigned long size = offsetof(struct vhost_vdpa_config, buf);
u8 *buf;
@@ -252,7 +251,7 @@ static long vhost_vdpa_set_config(struct vhost_vdpa *v,
if (IS_ERR(buf))
return PTR_ERR(buf);
- ops->set_config(vdpa, config.off, buf, config.len);
+ vdpa_set_config(vdpa, config.off, buf, config.len);
kvfree(buf);
return 0;
diff --git a/drivers/virtio/virtio_vdpa.c b/drivers/virtio/virtio_vdpa.c
index 1c29446aafb44..b5ab5f59f96ac 100644
--- a/drivers/virtio/virtio_vdpa.c
+++ b/drivers/virtio/virtio_vdpa.c
@@ -65,9 +65,8 @@ static void virtio_vdpa_set(struct virtio_device *vdev, unsigned offset,
const void *buf, unsigned len)
{
struct vdpa_device *vdpa = vd_get_vdpa(vdev);
- const struct vdpa_config_ops *ops = vdpa->config;
- ops->set_config(vdpa, offset, buf, len);
+ vdpa_set_config(vdpa, offset, buf, len);
}
static u32 virtio_vdpa_generation(struct virtio_device *vdev)
diff --git a/include/linux/vdpa.h b/include/linux/vdpa.h
index 4fb198c8dbf61..88ed82e03b666 100644
--- a/include/linux/vdpa.h
+++ b/include/linux/vdpa.h
@@ -388,21 +388,10 @@ static inline int vdpa_set_features(struct vdpa_device *vdev, u64 features)
return ops->set_features(vdev, features);
}
-static inline void vdpa_get_config(struct vdpa_device *vdev,
- unsigned int offset, void *buf,
- unsigned int len)
-{
- const struct vdpa_config_ops *ops = vdev->config;
-
- /*
- * Config accesses aren't supposed to trigger before features are set.
- * If it does happen we assume a legacy guest.
- */
- if (!vdev->features_valid)
- vdpa_set_features(vdev, 0);
- ops->get_config(vdev, offset, buf, len);
-}
-
+void vdpa_get_config(struct vdpa_device *vdev, unsigned int offset,
+ void *buf, unsigned int len);
+void vdpa_set_config(struct vdpa_device *dev, unsigned int offset,
+ const void *buf, unsigned int length);
/**
* struct vdpa_mgmtdev_ops - vdpa device ops
* @dev_add: Add a vdpa device using alloc and register
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 151/554] vdpa: Introduce query of device config layout
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 150/554] vdpa: Introduce and use vdpa device get, set config helpers Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 152/554] vdpa: Sync calls set/get config/status with cf_mutex Greg Kroah-Hartman
` (408 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Parav Pandit, Eli Cohen, Jason Wang,
Michael S. Tsirkin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Parav Pandit <parav@nvidia.com>
[ Upstream commit ad69dd0bf26b88ec6ab26f8bbe5cd74fbed7672a ]
Introduce a command to query a device config layout.
An example query of network vdpa device:
$ vdpa dev add name bar mgmtdev vdpasim_net
$ vdpa dev config show
bar: mac 00:35:09:19:48:05 link up link_announce false mtu 1500
$ vdpa dev config show -jp
{
"config": {
"bar": {
"mac": "00:35:09:19:48:05",
"link ": "up",
"link_announce ": false,
"mtu": 1500,
}
}
}
Signed-off-by: Parav Pandit <parav@nvidia.com>
Signed-off-by: Eli Cohen <elic@nvidia.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20211026175519.87795-3-parav@nvidia.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Stable-dep-of: e40b6abe0b12 ("virtio_vdpa: fix misleading return in void function")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vdpa/vdpa.c | 176 ++++++++++++++++++++++++++++++++++++++
include/linux/vdpa.h | 2 +
include/uapi/linux/vdpa.h | 6 ++
3 files changed, 184 insertions(+)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 563b06563e17a..b12fc70510bb7 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -14,6 +14,8 @@
#include <uapi/linux/vdpa.h>
#include <net/genetlink.h>
#include <linux/mod_devicetable.h>
+#include <linux/virtio_net.h>
+#include <linux/virtio_ids.h>
static LIST_HEAD(mdev_head);
/* A global mutex that protects vdpa management device and device level operations. */
@@ -58,6 +60,7 @@ static void vdpa_release_dev(struct device *d)
ops->free(vdev);
ida_simple_remove(&vdpa_index_ida, vdev->index);
+ mutex_destroy(&vdev->cf_mutex);
kfree(vdev);
}
@@ -119,6 +122,7 @@ struct vdpa_device *__vdpa_alloc_device(struct device *parent,
if (err)
goto err_name;
+ mutex_init(&vdev->cf_mutex);
device_initialize(&vdev->dev);
return vdev;
@@ -301,6 +305,7 @@ void vdpa_get_config(struct vdpa_device *vdev, unsigned int offset,
{
const struct vdpa_config_ops *ops = vdev->config;
+ mutex_lock(&vdev->cf_mutex);
/*
* Config accesses aren't supposed to trigger before features are set.
* If it does happen we assume a legacy guest.
@@ -308,6 +313,7 @@ void vdpa_get_config(struct vdpa_device *vdev, unsigned int offset,
if (!vdev->features_valid)
vdpa_set_features(vdev, 0);
ops->get_config(vdev, offset, buf, len);
+ mutex_unlock(&vdev->cf_mutex);
}
EXPORT_SYMBOL_GPL(vdpa_get_config);
@@ -321,7 +327,9 @@ EXPORT_SYMBOL_GPL(vdpa_get_config);
void vdpa_set_config(struct vdpa_device *vdev, unsigned int offset,
const void *buf, unsigned int length)
{
+ mutex_lock(&vdev->cf_mutex);
vdev->config->set_config(vdev, offset, buf, length);
+ mutex_unlock(&vdev->cf_mutex);
}
EXPORT_SYMBOL_GPL(vdpa_set_config);
@@ -654,6 +662,168 @@ static int vdpa_nl_cmd_dev_get_dumpit(struct sk_buff *msg, struct netlink_callba
return msg->len;
}
+static int vdpa_dev_net_mq_config_fill(struct vdpa_device *vdev,
+ struct sk_buff *msg, u64 features,
+ const struct virtio_net_config *config)
+{
+ u16 val_u16;
+
+ if ((features & (1ULL << VIRTIO_NET_F_MQ)) == 0)
+ return 0;
+
+ val_u16 = le16_to_cpu(config->max_virtqueue_pairs);
+ return nla_put_u16(msg, VDPA_ATTR_DEV_NET_CFG_MAX_VQP, val_u16);
+}
+
+static int vdpa_dev_net_config_fill(struct vdpa_device *vdev, struct sk_buff *msg)
+{
+ struct virtio_net_config config = {};
+ u64 features;
+ u16 val_u16;
+
+ vdpa_get_config(vdev, 0, &config, sizeof(config));
+
+ if (nla_put(msg, VDPA_ATTR_DEV_NET_CFG_MACADDR, sizeof(config.mac),
+ config.mac))
+ return -EMSGSIZE;
+
+ val_u16 = le16_to_cpu(config.status);
+ if (nla_put_u16(msg, VDPA_ATTR_DEV_NET_STATUS, val_u16))
+ return -EMSGSIZE;
+
+ val_u16 = le16_to_cpu(config.mtu);
+ if (nla_put_u16(msg, VDPA_ATTR_DEV_NET_CFG_MTU, val_u16))
+ return -EMSGSIZE;
+
+ features = vdev->config->get_features(vdev);
+
+ return vdpa_dev_net_mq_config_fill(vdev, msg, features, &config);
+}
+
+static int
+vdpa_dev_config_fill(struct vdpa_device *vdev, struct sk_buff *msg, u32 portid, u32 seq,
+ int flags, struct netlink_ext_ack *extack)
+{
+ u32 device_id;
+ void *hdr;
+ int err;
+
+ hdr = genlmsg_put(msg, portid, seq, &vdpa_nl_family, flags,
+ VDPA_CMD_DEV_CONFIG_GET);
+ if (!hdr)
+ return -EMSGSIZE;
+
+ if (nla_put_string(msg, VDPA_ATTR_DEV_NAME, dev_name(&vdev->dev))) {
+ err = -EMSGSIZE;
+ goto msg_err;
+ }
+
+ device_id = vdev->config->get_device_id(vdev);
+ if (nla_put_u32(msg, VDPA_ATTR_DEV_ID, device_id)) {
+ err = -EMSGSIZE;
+ goto msg_err;
+ }
+
+ switch (device_id) {
+ case VIRTIO_ID_NET:
+ err = vdpa_dev_net_config_fill(vdev, msg);
+ break;
+ default:
+ err = -EOPNOTSUPP;
+ break;
+ }
+ if (err)
+ goto msg_err;
+
+ genlmsg_end(msg, hdr);
+ return 0;
+
+msg_err:
+ genlmsg_cancel(msg, hdr);
+ return err;
+}
+
+static int vdpa_nl_cmd_dev_config_get_doit(struct sk_buff *skb, struct genl_info *info)
+{
+ struct vdpa_device *vdev;
+ struct sk_buff *msg;
+ const char *devname;
+ struct device *dev;
+ int err;
+
+ if (!info->attrs[VDPA_ATTR_DEV_NAME])
+ return -EINVAL;
+ devname = nla_data(info->attrs[VDPA_ATTR_DEV_NAME]);
+ msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ if (!msg)
+ return -ENOMEM;
+
+ mutex_lock(&vdpa_dev_mutex);
+ dev = bus_find_device(&vdpa_bus, NULL, devname, vdpa_name_match);
+ if (!dev) {
+ NL_SET_ERR_MSG_MOD(info->extack, "device not found");
+ err = -ENODEV;
+ goto dev_err;
+ }
+ vdev = container_of(dev, struct vdpa_device, dev);
+ if (!vdev->mdev) {
+ NL_SET_ERR_MSG_MOD(info->extack, "unmanaged vdpa device");
+ err = -EINVAL;
+ goto mdev_err;
+ }
+ err = vdpa_dev_config_fill(vdev, msg, info->snd_portid, info->snd_seq,
+ 0, info->extack);
+ if (!err)
+ err = genlmsg_reply(msg, info);
+
+mdev_err:
+ put_device(dev);
+dev_err:
+ mutex_unlock(&vdpa_dev_mutex);
+ if (err)
+ nlmsg_free(msg);
+ return err;
+}
+
+static int vdpa_dev_config_dump(struct device *dev, void *data)
+{
+ struct vdpa_device *vdev = container_of(dev, struct vdpa_device, dev);
+ struct vdpa_dev_dump_info *info = data;
+ int err;
+
+ if (!vdev->mdev)
+ return 0;
+ if (info->idx < info->start_idx) {
+ info->idx++;
+ return 0;
+ }
+ err = vdpa_dev_config_fill(vdev, info->msg, NETLINK_CB(info->cb->skb).portid,
+ info->cb->nlh->nlmsg_seq, NLM_F_MULTI,
+ info->cb->extack);
+ if (err)
+ return err;
+
+ info->idx++;
+ return 0;
+}
+
+static int
+vdpa_nl_cmd_dev_config_get_dumpit(struct sk_buff *msg, struct netlink_callback *cb)
+{
+ struct vdpa_dev_dump_info info;
+
+ info.msg = msg;
+ info.cb = cb;
+ info.start_idx = cb->args[0];
+ info.idx = 0;
+
+ mutex_lock(&vdpa_dev_mutex);
+ bus_for_each_dev(&vdpa_bus, NULL, &info, vdpa_dev_config_dump);
+ mutex_unlock(&vdpa_dev_mutex);
+ cb->args[0] = info.idx;
+ return msg->len;
+}
+
static const struct nla_policy vdpa_nl_policy[VDPA_ATTR_MAX + 1] = {
[VDPA_ATTR_MGMTDEV_BUS_NAME] = { .type = NLA_NUL_STRING },
[VDPA_ATTR_MGMTDEV_DEV_NAME] = { .type = NLA_STRING },
@@ -685,6 +855,12 @@ static const struct genl_ops vdpa_nl_ops[] = {
.doit = vdpa_nl_cmd_dev_get_doit,
.dumpit = vdpa_nl_cmd_dev_get_dumpit,
},
+ {
+ .cmd = VDPA_CMD_DEV_CONFIG_GET,
+ .validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
+ .doit = vdpa_nl_cmd_dev_config_get_doit,
+ .dumpit = vdpa_nl_cmd_dev_config_get_dumpit,
+ },
};
static struct genl_family vdpa_nl_family __ro_after_init = {
diff --git a/include/linux/vdpa.h b/include/linux/vdpa.h
index 88ed82e03b666..d26f5777f30f7 100644
--- a/include/linux/vdpa.h
+++ b/include/linux/vdpa.h
@@ -69,6 +69,7 @@ struct vdpa_mgmt_dev;
* @dev: underlying device
* @dma_dev: the actual device that is performing DMA
* @config: the configuration ops for this device.
+ * @cf_mutex: Protects get and set access to configuration layout.
* @index: device index
* @features_valid: were features initialized? for legacy guests
* @use_va: indicate whether virtual address must be used by this device
@@ -80,6 +81,7 @@ struct vdpa_device {
struct device dev;
struct device *dma_dev;
const struct vdpa_config_ops *config;
+ struct mutex cf_mutex; /* Protects get/set config */
unsigned int index;
bool features_valid;
bool use_va;
diff --git a/include/uapi/linux/vdpa.h b/include/uapi/linux/vdpa.h
index 66a41e4ec163a..37ef30130a283 100644
--- a/include/uapi/linux/vdpa.h
+++ b/include/uapi/linux/vdpa.h
@@ -17,6 +17,7 @@ enum vdpa_command {
VDPA_CMD_DEV_NEW,
VDPA_CMD_DEV_DEL,
VDPA_CMD_DEV_GET, /* can dump */
+ VDPA_CMD_DEV_CONFIG_GET, /* can dump */
};
enum vdpa_attr {
@@ -33,6 +34,11 @@ enum vdpa_attr {
VDPA_ATTR_DEV_MAX_VQS, /* u32 */
VDPA_ATTR_DEV_MAX_VQ_SIZE, /* u16 */
+ VDPA_ATTR_DEV_NET_CFG_MACADDR, /* binary */
+ VDPA_ATTR_DEV_NET_STATUS, /* u8 */
+ VDPA_ATTR_DEV_NET_CFG_MAX_VQP, /* u16 */
+ VDPA_ATTR_DEV_NET_CFG_MTU, /* u16 */
+
/* new attributes must be added above here */
VDPA_ATTR_MAX,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 152/554] vdpa: Sync calls set/get config/status with cf_mutex
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 151/554] vdpa: Introduce query of device config layout Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 153/554] virtio_vdpa: fix misleading return in void function Greg Kroah-Hartman
` (407 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eli Cohen, Michael S. Tsirkin,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eli Cohen <elic@nvidia.com>
[ Upstream commit 73bc0dbb591baea322a7319c735e5f6c7dba9cfb ]
Add wrappers to get/set status and protect these operations with
cf_mutex to serialize these operations with respect to get/set config
operations.
Signed-off-by: Eli Cohen <elic@nvidia.com>
Link: https://lore.kernel.org/r/20220105114646.577224-4-elic@nvidia.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Stable-dep-of: e40b6abe0b12 ("virtio_vdpa: fix misleading return in void function")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vdpa/vdpa.c | 19 +++++++++++++++++++
drivers/vhost/vdpa.c | 7 +++----
drivers/virtio/virtio_vdpa.c | 3 +--
include/linux/vdpa.h | 3 +++
4 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index b12fc70510bb7..58eb448bf5b0c 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -22,6 +22,25 @@ static LIST_HEAD(mdev_head);
static DEFINE_MUTEX(vdpa_dev_mutex);
static DEFINE_IDA(vdpa_index_ida);
+u8 vdpa_get_status(struct vdpa_device *vdev)
+{
+ u8 status;
+
+ mutex_lock(&vdev->cf_mutex);
+ status = vdev->config->get_status(vdev);
+ mutex_unlock(&vdev->cf_mutex);
+ return status;
+}
+EXPORT_SYMBOL(vdpa_get_status);
+
+void vdpa_set_status(struct vdpa_device *vdev, u8 status)
+{
+ mutex_lock(&vdev->cf_mutex);
+ vdev->config->set_status(vdev, status);
+ mutex_unlock(&vdev->cf_mutex);
+}
+EXPORT_SYMBOL(vdpa_set_status);
+
static struct genl_family vdpa_nl_family;
static int vdpa_dev_probe(struct device *d)
diff --git a/drivers/vhost/vdpa.c b/drivers/vhost/vdpa.c
index 0f61ca0598b71..802c84e296e21 100644
--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -143,10 +143,9 @@ static long vhost_vdpa_get_device_id(struct vhost_vdpa *v, u8 __user *argp)
static long vhost_vdpa_get_status(struct vhost_vdpa *v, u8 __user *statusp)
{
struct vdpa_device *vdpa = v->vdpa;
- const struct vdpa_config_ops *ops = vdpa->config;
u8 status;
- status = ops->get_status(vdpa);
+ status = vdpa_get_status(vdpa);
if (copy_to_user(statusp, &status, sizeof(status)))
return -EFAULT;
@@ -165,7 +164,7 @@ static long vhost_vdpa_set_status(struct vhost_vdpa *v, u8 __user *statusp)
if (copy_from_user(&status, statusp, sizeof(status)))
return -EFAULT;
- status_old = ops->get_status(vdpa);
+ status_old = vdpa_get_status(vdpa);
/*
* Userspace shouldn't remove status bits unless reset the
@@ -183,7 +182,7 @@ static long vhost_vdpa_set_status(struct vhost_vdpa *v, u8 __user *statusp)
if (ret)
return ret;
} else
- ops->set_status(vdpa, status);
+ vdpa_set_status(vdpa, status);
if ((status & VIRTIO_CONFIG_S_DRIVER_OK) && !(status_old & VIRTIO_CONFIG_S_DRIVER_OK))
for (i = 0; i < nvqs; i++)
diff --git a/drivers/virtio/virtio_vdpa.c b/drivers/virtio/virtio_vdpa.c
index b5ab5f59f96ac..a85a10d65973f 100644
--- a/drivers/virtio/virtio_vdpa.c
+++ b/drivers/virtio/virtio_vdpa.c
@@ -91,9 +91,8 @@ static u8 virtio_vdpa_get_status(struct virtio_device *vdev)
static void virtio_vdpa_set_status(struct virtio_device *vdev, u8 status)
{
struct vdpa_device *vdpa = vd_get_vdpa(vdev);
- const struct vdpa_config_ops *ops = vdpa->config;
- return ops->set_status(vdpa, status);
+ return vdpa_set_status(vdpa, status);
}
static void virtio_vdpa_reset(struct virtio_device *vdev)
diff --git a/include/linux/vdpa.h b/include/linux/vdpa.h
index d26f5777f30f7..c0c8ed2c62fd8 100644
--- a/include/linux/vdpa.h
+++ b/include/linux/vdpa.h
@@ -394,6 +394,9 @@ void vdpa_get_config(struct vdpa_device *vdev, unsigned int offset,
void *buf, unsigned int len);
void vdpa_set_config(struct vdpa_device *dev, unsigned int offset,
const void *buf, unsigned int length);
+u8 vdpa_get_status(struct vdpa_device *vdev);
+void vdpa_set_status(struct vdpa_device *vdev, u8 status);
+
/**
* struct vdpa_mgmtdev_ops - vdpa device ops
* @dev_add: Add a vdpa device using alloc and register
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 153/554] virtio_vdpa: fix misleading return in void function
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 152/554] vdpa: Sync calls set/get config/status with cf_mutex Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 154/554] virtio: fix virtqueue_set_affinity() docs Greg Kroah-Hartman
` (406 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Michael S. Tsirkin,
Jason Wang, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit e40b6abe0b1247d43bc61942aa7534fca7209e44 ]
virtio_vdpa_set_status() is declared as returning void, but it used
"return vdpa_set_status()" Since vdpa_set_status() also returns
void, the return statement is unnecessary and misleading.
Remove it.
Fixes: c043b4a8cf3b ("virtio: introduce a vDPA based transport")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Message-Id: <20251001191653.1713923-1-alok.a.tiwari@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/virtio/virtio_vdpa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/virtio/virtio_vdpa.c b/drivers/virtio/virtio_vdpa.c
index a85a10d65973f..af085b3df4562 100644
--- a/drivers/virtio/virtio_vdpa.c
+++ b/drivers/virtio/virtio_vdpa.c
@@ -92,7 +92,7 @@ static void virtio_vdpa_set_status(struct virtio_device *vdev, u8 status)
{
struct vdpa_device *vdpa = vd_get_vdpa(vdev);
- return vdpa_set_status(vdpa, status);
+ vdpa_set_status(vdpa, status);
}
static void virtio_vdpa_reset(struct virtio_device *vdev)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 154/554] virtio: fix virtqueue_set_affinity() docs
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 153/554] virtio_vdpa: fix misleading return in void function Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 155/554] ASoC: Intel: catpt: Fix error path in hw_params() Greg Kroah-Hartman
` (405 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Wang, Michael S. Tsirkin,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael S. Tsirkin <mst@redhat.com>
[ Upstream commit 43236d8bbafff94b423afecc4a692dd90602d426 ]
Rewrite the comment for better grammar and clarity.
Fixes: 75a0a52be3c2 ("virtio: introduce an API to set affinity for a virtqueue")
Message-Id: <e317e91bd43b070e5eaec0ebbe60c5749d02e2dd.1763026134.git.mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/virtio_config.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/virtio_config.h b/include/linux/virtio_config.h
index b341dd62aa4da..f971986fa0e9a 100644
--- a/include/linux/virtio_config.h
+++ b/include/linux/virtio_config.h
@@ -247,7 +247,7 @@ const char *virtio_bus_name(struct virtio_device *vdev)
* @vq: the virtqueue
* @cpu: the cpu no.
*
- * Pay attention the function are best-effort: the affinity hint may not be set
+ * Note that this function is best-effort: the affinity hint may not be set
* due to config support, irq type and sharing.
*
*/
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 155/554] ASoC: Intel: catpt: Fix error path in hw_params()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 154/554] virtio: fix virtqueue_set_affinity() docs Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 156/554] regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex Greg Kroah-Hartman
` (404 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cezary Rojewski, Andy Shevchenko,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit 86a5b621be658fc8fe594ca6db317d64de30cce1 ]
Do not leave any resources hanging on the DSP side if
applying user settings fails.
Fixes: 768a3a3b327d ("ASoC: Intel: catpt: Optimize applying user settings")
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://patch.msgid.link/20251126095523.3925364-4-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/catpt/pcm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/soc/intel/catpt/pcm.c b/sound/soc/intel/catpt/pcm.c
index ebb27daeb1c77..1e737df264d99 100644
--- a/sound/soc/intel/catpt/pcm.c
+++ b/sound/soc/intel/catpt/pcm.c
@@ -417,8 +417,10 @@ static int catpt_dai_hw_params(struct snd_pcm_substream *substream,
return CATPT_IPC_ERROR(ret);
ret = catpt_dai_apply_usettings(dai, stream);
- if (ret)
+ if (ret) {
+ catpt_ipc_free_stream(cdev, stream->info.stream_hw_id);
return ret;
+ }
stream->allocated = true;
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 156/554] regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 155/554] ASoC: Intel: catpt: Fix error path in hw_params() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 157/554] netfilter: flowtable: check for maximum number of encapsulations in bridge vlan Greg Kroah-Hartman
` (403 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, sparkhuang, Charles Keepax,
Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: sparkhuang <huangshaobo3@xiaomi.com>
[ Upstream commit 0cc15a10c3b4ab14cd71b779fd5c9ca0cb2bc30d ]
regulator_supply_alias_list was accessed without any locking in
regulator_supply_alias(), regulator_register_supply_alias(), and
regulator_unregister_supply_alias(). Concurrent registration,
unregistration and lookups can race, leading to:
1 use-after-free if an alias entry is removed while being read,
2 duplicate entries when two threads register the same alias,
3 inconsistent alias mappings observed by consumers.
Protect all traversals, insertions and deletions on
regulator_supply_alias_list with the existing regulator_list_mutex.
Fixes: a06ccd9c3785f ("regulator: core: Add ability to create a lookup alias for supply")
Signed-off-by: sparkhuang <huangshaobo3@xiaomi.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20251127025716.5440-1-huangshaobo3@xiaomi.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 6c5913a1a6821..af0218227a8c7 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1933,6 +1933,7 @@ static void regulator_supply_alias(struct device **dev, const char **supply)
{
struct regulator_supply_alias *map;
+ mutex_lock(®ulator_list_mutex);
map = regulator_find_supply_alias(*dev, *supply);
if (map) {
dev_dbg(*dev, "Mapping supply %s to %s,%s\n",
@@ -1941,6 +1942,7 @@ static void regulator_supply_alias(struct device **dev, const char **supply)
*dev = map->alias_dev;
*supply = map->alias_supply;
}
+ mutex_unlock(®ulator_list_mutex);
}
static int regulator_match(struct device *dev, const void *data)
@@ -2419,22 +2421,26 @@ int regulator_register_supply_alias(struct device *dev, const char *id,
const char *alias_id)
{
struct regulator_supply_alias *map;
+ struct regulator_supply_alias *new_map;
- map = regulator_find_supply_alias(dev, id);
- if (map)
- return -EEXIST;
-
- map = kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL);
- if (!map)
+ new_map = kzalloc(sizeof(struct regulator_supply_alias), GFP_KERNEL);
+ if (!new_map)
return -ENOMEM;
- map->src_dev = dev;
- map->src_supply = id;
- map->alias_dev = alias_dev;
- map->alias_supply = alias_id;
-
- list_add(&map->list, ®ulator_supply_alias_list);
+ mutex_lock(®ulator_list_mutex);
+ map = regulator_find_supply_alias(dev, id);
+ if (map) {
+ mutex_unlock(®ulator_list_mutex);
+ kfree(new_map);
+ return -EEXIST;
+ }
+ new_map->src_dev = dev;
+ new_map->src_supply = id;
+ new_map->alias_dev = alias_dev;
+ new_map->alias_supply = alias_id;
+ list_add(&new_map->list, ®ulator_supply_alias_list);
+ mutex_unlock(®ulator_list_mutex);
pr_info("Adding alias for supply %s,%s -> %s,%s\n",
id, dev_name(dev), alias_id, dev_name(alias_dev));
@@ -2454,11 +2460,13 @@ void regulator_unregister_supply_alias(struct device *dev, const char *id)
{
struct regulator_supply_alias *map;
+ mutex_lock(®ulator_list_mutex);
map = regulator_find_supply_alias(dev, id);
if (map) {
list_del(&map->list);
kfree(map);
}
+ mutex_unlock(®ulator_list_mutex);
}
EXPORT_SYMBOL_GPL(regulator_unregister_supply_alias);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 157/554] netfilter: flowtable: check for maximum number of encapsulations in bridge vlan
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 156/554] regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 158/554] netfilter: nf_conncount: reduce unnecessary GC Greg Kroah-Hartman
` (402 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 634f3853cc98d73bdec8918010ee29b06981583e ]
Add a sanity check to skip path discovery if the maximum number of
encapsulation is reached. While at it, check for underflow too.
Fixes: 26267bf9bb57 ("netfilter: flowtable: bridge vlan hardware offload and switchdev")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_flow_offload.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 41d04fa12f67d..e1d7231b87748 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -140,12 +140,19 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
info->ingress_vlans |= BIT(info->num_encaps - 1);
break;
case DEV_PATH_BR_VLAN_TAG:
+ if (info->num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) {
+ info->indev = NULL;
+ break;
+ }
info->encap[info->num_encaps].id = path->bridge.vlan_id;
info->encap[info->num_encaps].proto = path->bridge.vlan_proto;
info->num_encaps++;
break;
case DEV_PATH_BR_VLAN_UNTAG:
- info->num_encaps--;
+ if (WARN_ON_ONCE(info->num_encaps-- == 0)) {
+ info->indev = NULL;
+ break;
+ }
break;
case DEV_PATH_BR_VLAN_KEEP:
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 158/554] netfilter: nf_conncount: reduce unnecessary GC
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 157/554] netfilter: flowtable: check for maximum number of encapsulations in bridge vlan Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 159/554] netfilter: nf_conncount: rework API to use sk_buff directly Greg Kroah-Hartman
` (401 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, William Tu, Greg Rose,
Florian Westphal, Pablo Neira Ayuso, Sasha Levin, Yifeng Sun
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: William Tu <u9012063@gmail.com>
[ Upstream commit d265929930e2ffafc744c0ae05fb70acd53be1ee ]
Currently nf_conncount can trigger garbage collection (GC)
at multiple places. Each GC process takes a spin_lock_bh
to traverse the nf_conncount_list. We found that when testing
port scanning use two parallel nmap, because the number of
connection increase fast, the nf_conncount_count and its
subsequent call to __nf_conncount_add take too much time,
causing several CPU lockup. This happens when user set the
conntrack limit to +20,000, because the larger the limit,
the longer the list that GC has to traverse.
The patch mitigate the performance issue by avoiding unnecessary
GC with a timestamp. Whenever nf_conncount has done a GC,
a timestamp is updated, and beforce the next time GC is
triggered, we make sure it's more than a jiffies.
By doin this we can greatly reduce the CPU cycles and
avoid the softirq lockup.
To reproduce it in OVS,
$ ovs-appctl dpctl/ct-set-limits zone=1,limit=20000
$ ovs-appctl dpctl/ct-get-limits
At another machine, runs two nmap
$ nmap -p1- <IP>
$ nmap -p1- <IP>
Signed-off-by: William Tu <u9012063@gmail.com>
Co-authored-by: Yifeng Sun <pkusunyifeng@gmail.com>
Reported-by: Greg Rose <gvrose8192@gmail.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 69894e5b4c5e ("netfilter: nft_connlimit: update the count if add was skipped")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_conntrack_count.h | 1 +
net/netfilter/nf_conncount.c | 11 +++++++++++
2 files changed, 12 insertions(+)
diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h
index 9645b47fa7e41..e227d997fc716 100644
--- a/include/net/netfilter/nf_conntrack_count.h
+++ b/include/net/netfilter/nf_conntrack_count.h
@@ -10,6 +10,7 @@ struct nf_conncount_data;
struct nf_conncount_list {
spinlock_t list_lock;
+ u32 last_gc; /* jiffies at most recent gc */
struct list_head head; /* connections with the same filtering key */
unsigned int count; /* length of list */
};
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index a66a27fe7f458..ee808b018e4e1 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -132,6 +132,9 @@ static int __nf_conncount_add(struct net *net,
struct nf_conn *found_ct;
unsigned int collect = 0;
+ if (time_is_after_eq_jiffies((unsigned long)list->last_gc))
+ goto add_new_node;
+
/* check the saved connections */
list_for_each_entry_safe(conn, conn_n, &list->head, node) {
if (collect > CONNCOUNT_GC_MAX_NODES)
@@ -177,6 +180,7 @@ static int __nf_conncount_add(struct net *net,
nf_ct_put(found_ct);
}
+add_new_node:
if (WARN_ON_ONCE(list->count > INT_MAX))
return -EOVERFLOW;
@@ -190,6 +194,7 @@ static int __nf_conncount_add(struct net *net,
conn->jiffies32 = (u32)jiffies;
list_add_tail(&conn->node, &list->head);
list->count++;
+ list->last_gc = (u32)jiffies;
return 0;
}
@@ -214,6 +219,7 @@ void nf_conncount_list_init(struct nf_conncount_list *list)
spin_lock_init(&list->list_lock);
INIT_LIST_HEAD(&list->head);
list->count = 0;
+ list->last_gc = (u32)jiffies;
}
EXPORT_SYMBOL_GPL(nf_conncount_list_init);
@@ -227,6 +233,10 @@ bool nf_conncount_gc_list(struct net *net,
unsigned int collected = 0;
bool ret = false;
+ /* don't bother if we just did GC */
+ if (time_is_after_eq_jiffies((unsigned long)READ_ONCE(list->last_gc)))
+ return false;
+
/* don't bother if other cpu is already doing GC */
if (!spin_trylock(&list->list_lock))
return false;
@@ -258,6 +268,7 @@ bool nf_conncount_gc_list(struct net *net,
if (!list->count)
ret = true;
+ list->last_gc = (u32)jiffies;
spin_unlock(&list->list_lock);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 159/554] netfilter: nf_conncount: rework API to use sk_buff directly
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 158/554] netfilter: nf_conncount: reduce unnecessary GC Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 160/554] netfilter: nft_connlimit: update the count if add was skipped Greg Kroah-Hartman
` (400 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit be102eb6a0e7c03db00e50540622f4e43b2d2844 ]
When using nf_conncount infrastructure for non-confirmed connections a
duplicated track is possible due to an optimization introduced since
commit d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC").
In order to fix this introduce a new conncount API that receives
directly an sk_buff struct. It fetches the tuple and zone and the
corresponding ct from it. It comes with both existing conncount variants
nf_conncount_count_skb() and nf_conncount_add_skb(). In addition remove
the old API and adjust all the users to use the new one.
This way, for each sk_buff struct it is possible to check if there is a
ct present and already confirmed. If so, skip the add operation.
Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Stable-dep-of: 69894e5b4c5e ("netfilter: nft_connlimit: update the count if add was skipped")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_conntrack_count.h | 17 +-
net/netfilter/nf_conncount.c | 177 ++++++++++++++-------
net/netfilter/nft_connlimit.c | 21 +--
net/netfilter/xt_connlimit.c | 14 +-
net/openvswitch/conntrack.c | 16 +-
5 files changed, 142 insertions(+), 103 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h
index e227d997fc716..115bb7e572f7d 100644
--- a/include/net/netfilter/nf_conntrack_count.h
+++ b/include/net/netfilter/nf_conntrack_count.h
@@ -20,15 +20,14 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family
void nf_conncount_destroy(struct net *net, unsigned int family,
struct nf_conncount_data *data);
-unsigned int nf_conncount_count(struct net *net,
- struct nf_conncount_data *data,
- const u32 *key,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone);
-
-int nf_conncount_add(struct net *net, struct nf_conncount_list *list,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone);
+unsigned int nf_conncount_count_skb(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conncount_data *data,
+ const u32 *key);
+
+int nf_conncount_add_skb(struct net *net, const struct sk_buff *skb,
+ u16 l3num, struct nf_conncount_list *list);
void nf_conncount_list_init(struct nf_conncount_list *list);
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index ee808b018e4e1..5fdf451f2322c 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -122,15 +122,65 @@ find_or_evict(struct net *net, struct nf_conncount_list *list,
return ERR_PTR(-EAGAIN);
}
+static bool get_ct_or_tuple_from_skb(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conn **ct,
+ struct nf_conntrack_tuple *tuple,
+ const struct nf_conntrack_zone **zone,
+ bool *refcounted)
+{
+ const struct nf_conntrack_tuple_hash *h;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *found_ct;
+
+ found_ct = nf_ct_get(skb, &ctinfo);
+ if (found_ct && !nf_ct_is_template(found_ct)) {
+ *tuple = found_ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ *zone = nf_ct_zone(found_ct);
+ *ct = found_ct;
+ return true;
+ }
+
+ if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), l3num, net, tuple))
+ return false;
+
+ if (found_ct)
+ *zone = nf_ct_zone(found_ct);
+
+ h = nf_conntrack_find_get(net, *zone, tuple);
+ if (!h)
+ return true;
+
+ found_ct = nf_ct_tuplehash_to_ctrack(h);
+ *refcounted = true;
+ *ct = found_ct;
+
+ return true;
+}
+
static int __nf_conncount_add(struct net *net,
- struct nf_conncount_list *list,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conncount_list *list)
{
+ const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
const struct nf_conntrack_tuple_hash *found;
struct nf_conncount_tuple *conn, *conn_n;
+ struct nf_conntrack_tuple tuple;
+ struct nf_conn *ct = NULL;
struct nf_conn *found_ct;
unsigned int collect = 0;
+ bool refcounted = false;
+
+ if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
+ return -ENOENT;
+
+ if (ct && nf_ct_is_confirmed(ct)) {
+ if (refcounted)
+ nf_ct_put(ct);
+ return 0;
+ }
if (time_is_after_eq_jiffies((unsigned long)list->last_gc))
goto add_new_node;
@@ -144,10 +194,10 @@ static int __nf_conncount_add(struct net *net,
if (IS_ERR(found)) {
/* Not found, but might be about to be confirmed */
if (PTR_ERR(found) == -EAGAIN) {
- if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
+ if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
nf_ct_zone_id(zone, zone->dir))
- return 0; /* already exists */
+ goto out_put; /* already exists */
} else {
collect++;
}
@@ -156,7 +206,7 @@ static int __nf_conncount_add(struct net *net,
found_ct = nf_ct_tuplehash_to_ctrack(found);
- if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
+ if (nf_ct_tuple_equal(&conn->tuple, &tuple) &&
nf_ct_zone_equal(found_ct, zone, zone->dir)) {
/*
* We should not see tuples twice unless someone hooks
@@ -165,7 +215,7 @@ static int __nf_conncount_add(struct net *net,
* Attempt to avoid a re-add in this case.
*/
nf_ct_put(found_ct);
- return 0;
+ goto out_put;
} else if (already_closed(found_ct)) {
/*
* we do not care about connections which are
@@ -188,31 +238,35 @@ static int __nf_conncount_add(struct net *net,
if (conn == NULL)
return -ENOMEM;
- conn->tuple = *tuple;
+ conn->tuple = tuple;
conn->zone = *zone;
conn->cpu = raw_smp_processor_id();
conn->jiffies32 = (u32)jiffies;
list_add_tail(&conn->node, &list->head);
list->count++;
list->last_gc = (u32)jiffies;
+
+out_put:
+ if (refcounted)
+ nf_ct_put(ct);
return 0;
}
-int nf_conncount_add(struct net *net,
- struct nf_conncount_list *list,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+int nf_conncount_add_skb(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conncount_list *list)
{
int ret;
/* check the saved connections */
spin_lock_bh(&list->list_lock);
- ret = __nf_conncount_add(net, list, tuple, zone);
+ ret = __nf_conncount_add(net, skb, l3num, list);
spin_unlock_bh(&list->list_lock);
return ret;
}
-EXPORT_SYMBOL_GPL(nf_conncount_add);
+EXPORT_SYMBOL_GPL(nf_conncount_add_skb);
void nf_conncount_list_init(struct nf_conncount_list *list)
{
@@ -309,19 +363,22 @@ static void schedule_gc_worker(struct nf_conncount_data *data, int tree)
static unsigned int
insert_tree(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
struct nf_conncount_data *data,
struct rb_root *root,
unsigned int hash,
- const u32 *key,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+ const u32 *key)
{
struct nf_conncount_rb *gc_nodes[CONNCOUNT_GC_MAX_NODES];
+ const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
+ bool do_gc = true, refcounted = false;
+ unsigned int count = 0, gc_count = 0;
struct rb_node **rbnode, *parent;
- struct nf_conncount_rb *rbconn;
+ struct nf_conntrack_tuple tuple;
struct nf_conncount_tuple *conn;
- unsigned int count = 0, gc_count = 0;
- bool do_gc = true;
+ struct nf_conncount_rb *rbconn;
+ struct nf_conn *ct = NULL;
spin_lock_bh(&nf_conncount_locks[hash]);
restart:
@@ -340,7 +397,7 @@ insert_tree(struct net *net,
} else {
int ret;
- ret = nf_conncount_add(net, &rbconn->list, tuple, zone);
+ ret = nf_conncount_add_skb(net, skb, l3num, &rbconn->list);
if (ret)
count = 0; /* hotdrop */
else
@@ -364,30 +421,35 @@ insert_tree(struct net *net,
goto restart;
}
- /* expected case: match, insert new node */
- rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC);
- if (rbconn == NULL)
- goto out_unlock;
+ if (get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted)) {
+ /* expected case: match, insert new node */
+ rbconn = kmem_cache_alloc(conncount_rb_cachep, GFP_ATOMIC);
+ if (rbconn == NULL)
+ goto out_unlock;
- conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
- if (conn == NULL) {
- kmem_cache_free(conncount_rb_cachep, rbconn);
- goto out_unlock;
- }
+ conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
+ if (conn == NULL) {
+ kmem_cache_free(conncount_rb_cachep, rbconn);
+ goto out_unlock;
+ }
- conn->tuple = *tuple;
- conn->zone = *zone;
- conn->cpu = raw_smp_processor_id();
- conn->jiffies32 = (u32)jiffies;
- memcpy(rbconn->key, key, sizeof(u32) * data->keylen);
+ conn->tuple = tuple;
+ conn->zone = *zone;
+ conn->cpu = raw_smp_processor_id();
+ conn->jiffies32 = (u32)jiffies;
+ memcpy(rbconn->key, key, sizeof(u32) * data->keylen);
+
+ nf_conncount_list_init(&rbconn->list);
+ list_add(&conn->node, &rbconn->list.head);
+ count = 1;
+ rbconn->list.count = count;
- nf_conncount_list_init(&rbconn->list);
- list_add(&conn->node, &rbconn->list.head);
- count = 1;
- rbconn->list.count = count;
+ rb_link_node_rcu(&rbconn->node, parent, rbnode);
+ rb_insert_color(&rbconn->node, root);
- rb_link_node_rcu(&rbconn->node, parent, rbnode);
- rb_insert_color(&rbconn->node, root);
+ if (refcounted)
+ nf_ct_put(ct);
+ }
out_unlock:
spin_unlock_bh(&nf_conncount_locks[hash]);
return count;
@@ -395,10 +457,10 @@ insert_tree(struct net *net,
static unsigned int
count_tree(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
struct nf_conncount_data *data,
- const u32 *key,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+ const u32 *key)
{
struct rb_root *root;
struct rb_node *parent;
@@ -422,7 +484,7 @@ count_tree(struct net *net,
} else {
int ret;
- if (!tuple) {
+ if (!skb) {
nf_conncount_gc_list(net, &rbconn->list);
return rbconn->list.count;
}
@@ -437,7 +499,7 @@ count_tree(struct net *net,
}
/* same source network -> be counted! */
- ret = __nf_conncount_add(net, &rbconn->list, tuple, zone);
+ ret = __nf_conncount_add(net, skb, l3num, &rbconn->list);
spin_unlock_bh(&rbconn->list.list_lock);
if (ret)
return 0; /* hotdrop */
@@ -446,10 +508,10 @@ count_tree(struct net *net,
}
}
- if (!tuple)
+ if (!skb)
return 0;
- return insert_tree(net, data, root, hash, key, tuple, zone);
+ return insert_tree(net, skb, l3num, data, root, hash, key);
}
static void tree_gc_worker(struct work_struct *work)
@@ -511,18 +573,19 @@ static void tree_gc_worker(struct work_struct *work)
}
/* Count and return number of conntrack entries in 'net' with particular 'key'.
- * If 'tuple' is not null, insert it into the accounting data structure.
- * Call with RCU read lock.
+ * If 'skb' is not null, insert the corresponding tuple into the accounting
+ * data structure. Call with RCU read lock.
*/
-unsigned int nf_conncount_count(struct net *net,
- struct nf_conncount_data *data,
- const u32 *key,
- const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_zone *zone)
+unsigned int nf_conncount_count_skb(struct net *net,
+ const struct sk_buff *skb,
+ u16 l3num,
+ struct nf_conncount_data *data,
+ const u32 *key)
{
- return count_tree(net, data, key, tuple, zone);
+ return count_tree(net, skb, l3num, data, key);
+
}
-EXPORT_SYMBOL_GPL(nf_conncount_count);
+EXPORT_SYMBOL_GPL(nf_conncount_count_skb);
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
unsigned int keylen)
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index 403fffa14fa3b..d7dbc1ce6bd36 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -24,26 +24,11 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
const struct nft_pktinfo *pkt,
const struct nft_set_ext *ext)
{
- const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
- const struct nf_conntrack_tuple *tuple_ptr;
- struct nf_conntrack_tuple tuple;
- enum ip_conntrack_info ctinfo;
- const struct nf_conn *ct;
unsigned int count;
+ int err;
- tuple_ptr = &tuple;
-
- ct = nf_ct_get(pkt->skb, &ctinfo);
- if (ct != NULL) {
- tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
- zone = nf_ct_zone(ct);
- } else if (!nf_ct_get_tuplepr(pkt->skb, skb_network_offset(pkt->skb),
- nft_pf(pkt), nft_net(pkt), &tuple)) {
- regs->verdict.code = NF_DROP;
- return;
- }
-
- if (nf_conncount_add(nft_net(pkt), priv->list, tuple_ptr, zone)) {
+ err = nf_conncount_add_skb(nft_net(pkt), pkt->skb, nft_pf(pkt), priv->list);
+ if (err) {
regs->verdict.code = NF_DROP;
return;
}
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 9943a2bf7a7b8..489f101875584 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -31,8 +31,6 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
struct net *net = xt_net(par);
const struct xt_connlimit_info *info = par->matchinfo;
- struct nf_conntrack_tuple tuple;
- const struct nf_conntrack_tuple *tuple_ptr = &tuple;
const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
enum ip_conntrack_info ctinfo;
const struct nf_conn *ct;
@@ -40,13 +38,8 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
u32 key[5];
ct = nf_ct_get(skb, &ctinfo);
- if (ct != NULL) {
- tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+ if (ct)
zone = nf_ct_zone(ct);
- } else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
- xt_family(par), net, &tuple)) {
- goto hotdrop;
- }
if (xt_family(par) == NFPROTO_IPV6) {
const struct ipv6hdr *iph = ipv6_hdr(skb);
@@ -69,10 +62,9 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
key[1] = zone->id;
}
- connections = nf_conncount_count(net, info->data, key, tuple_ptr,
- zone);
+ connections = nf_conncount_count_skb(net, skb, xt_family(par), info->data, key);
if (connections == 0)
- /* kmalloc failed, drop it entirely */
+ /* kmalloc failed or tuple couldn't be found, drop it entirely */
goto hotdrop;
return (connections > info->limit) ^ !!(info->flags & XT_CONNLIMIT_INVERT);
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 85a338b681780..4c5480a345c9f 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1161,8 +1161,8 @@ static u32 ct_limit_get(const struct ovs_ct_limit_info *info, u16 zone)
}
static int ovs_ct_check_limit(struct net *net,
- const struct ovs_conntrack_info *info,
- const struct nf_conntrack_tuple *tuple)
+ const struct sk_buff *skb,
+ const struct ovs_conntrack_info *info)
{
struct ovs_net *ovs_net = net_generic(net, ovs_net_id);
const struct ovs_ct_limit_info *ct_limit_info = ovs_net->ct_limit_info;
@@ -1175,8 +1175,9 @@ static int ovs_ct_check_limit(struct net *net,
if (per_zone_limit == OVS_CT_LIMIT_UNLIMITED)
return 0;
- connections = nf_conncount_count(net, ct_limit_info->data,
- &conncount_key, tuple, &info->zone);
+ connections = nf_conncount_count_skb(net, skb, info->family,
+ ct_limit_info->data,
+ &conncount_key);
if (connections > per_zone_limit)
return -ENOMEM;
@@ -1205,8 +1206,7 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
#if IS_ENABLED(CONFIG_NETFILTER_CONNCOUNT)
if (static_branch_unlikely(&ovs_ct_limit_enabled)) {
if (!nf_ct_is_confirmed(ct)) {
- err = ovs_ct_check_limit(net, info,
- &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
+ err = ovs_ct_check_limit(net, skb, info);
if (err) {
net_warn_ratelimited("openvswitch: zone: %u "
"exceeds conntrack limit\n",
@@ -2058,8 +2058,8 @@ static int __ovs_ct_limit_get_zone_limit(struct net *net,
zone_limit.limit = limit;
nf_ct_zone_init(&ct_zone, zone_id, NF_CT_DEFAULT_ZONE_DIR, 0);
- zone_limit.count = nf_conncount_count(net, data, &conncount_key, NULL,
- &ct_zone);
+ zone_limit.count = nf_conncount_count_skb(net, NULL, 0, data,
+ &conncount_key);
return nla_put_nohdr(reply, sizeof(zone_limit), &zone_limit);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 160/554] netfilter: nft_connlimit: update the count if add was skipped
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 159/554] netfilter: nf_conncount: rework API to use sk_buff directly Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 161/554] net: stmmac: fix rx limit check in stmmac_rx_zc() Greg Kroah-Hartman
` (399 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Pablo Neira Ayuso, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 69894e5b4c5e28cda5f32af33d4a92b7a4b93b0e ]
Connlimit expression can be used for all kind of packets and not only
for packets with connection state new. See this ruleset as example:
table ip filter {
chain input {
type filter hook input priority filter; policy accept;
tcp dport 22 ct count over 4 counter
}
}
Currently, if the connection count goes over the limit the counter will
count the packets. When a connection is closed, the connection count
won't decrement as it should because it is only updated for new
connections due to an optimization on __nf_conncount_add() that prevents
updating the list if the connection is duplicated.
To solve this problem, check whether the connection was skipped and if
so, update the list. Adjust count_tree() too so the same fix is applied
for xt_connlimit.
Fixes: 976afca1ceba ("netfilter: nf_conncount: Early exit in nf_conncount_lookup() and cleanup")
Closes: https://lore.kernel.org/netfilter/trinity-85c72a88-d762-46c3-be97-36f10e5d9796-1761173693813@3c-app-mailcom-bs12/
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conncount.c | 12 ++++++++----
net/netfilter/nft_connlimit.c | 13 +++++++++++--
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 5fdf451f2322c..3e8828bdcd1b3 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -179,7 +179,7 @@ static int __nf_conncount_add(struct net *net,
if (ct && nf_ct_is_confirmed(ct)) {
if (refcounted)
nf_ct_put(ct);
- return 0;
+ return -EEXIST;
}
if (time_is_after_eq_jiffies((unsigned long)list->last_gc))
@@ -398,7 +398,7 @@ insert_tree(struct net *net,
int ret;
ret = nf_conncount_add_skb(net, skb, l3num, &rbconn->list);
- if (ret)
+ if (ret && ret != -EEXIST)
count = 0; /* hotdrop */
else
count = rbconn->list.count;
@@ -501,10 +501,14 @@ count_tree(struct net *net,
/* same source network -> be counted! */
ret = __nf_conncount_add(net, skb, l3num, &rbconn->list);
spin_unlock_bh(&rbconn->list.list_lock);
- if (ret)
+ if (ret && ret != -EEXIST) {
return 0; /* hotdrop */
- else
+ } else {
+ /* -EEXIST means add was skipped, update the list */
+ if (ret == -EEXIST)
+ nf_conncount_gc_list(net, &rbconn->list);
return rbconn->list.count;
+ }
}
}
diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c
index d7dbc1ce6bd36..ef5099441a822 100644
--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -29,8 +29,17 @@ static inline void nft_connlimit_do_eval(struct nft_connlimit *priv,
err = nf_conncount_add_skb(nft_net(pkt), pkt->skb, nft_pf(pkt), priv->list);
if (err) {
- regs->verdict.code = NF_DROP;
- return;
+ if (err == -EEXIST) {
+ /* Call gc to update the list count if any connection has
+ * been closed already. This is useful for softlimit
+ * connections like limiting bandwidth based on a number
+ * of open connections.
+ */
+ nf_conncount_gc_list(nft_net(pkt), priv->list);
+ } else {
+ regs->verdict.code = NF_DROP;
+ return;
+ }
}
count = priv->list->count;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 161/554] net: stmmac: fix rx limit check in stmmac_rx_zc()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 160/554] netfilter: nft_connlimit: update the count if add was skipped Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 162/554] mtd: lpddr_cmds: fix signed shifts in lpddr_cmds Greg Kroah-Hartman
` (398 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Kodanev,
Russell King (Oracle), Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
[ Upstream commit 8048168df56e225c94e50b04cb7b0514135d7a1c ]
The extra "count >= limit" check in stmmac_rx_zc() is redundant and
has no effect because the value of "count" doesn't change after the
while condition at this point.
However, it can change after "read_again:" label:
while (count < limit) {
...
if (count >= limit)
break;
read_again:
...
/* XSK pool expects RX frame 1:1 mapped to XSK buffer */
if (likely(status & rx_not_ls)) {
xsk_buff_free(buf->xdp);
buf->xdp = NULL;
dirty++;
count++;
goto read_again;
}
...
This patch addresses the same issue previously resolved in stmmac_rx()
by commit fa02de9e7588 ("net: stmmac: fix rx budget limit check").
The fix is the same: move the check after the label to ensure that it
bounds the goto loop.
Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy")
Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/20251126104327.175590-1-aleksei.kodanev@bell-sw.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
index 973c60e013344..e056b512c1277 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -4983,10 +4983,10 @@ static int stmmac_rx_zc(struct stmmac_priv *priv, int limit, u32 queue)
len = 0;
}
+read_again:
if (count >= limit)
break;
-read_again:
buf1_len = 0;
entry = next_entry;
buf = &rx_q->buf_pool[entry];
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 162/554] mtd: lpddr_cmds: fix signed shifts in lpddr_cmds
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 161/554] net: stmmac: fix rx limit check in stmmac_rx_zc() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 163/554] remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs Greg Kroah-Hartman
` (397 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivan Stepchenko, Miquel Raynal,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Stepchenko <sid@itb.spb.ru>
[ Upstream commit c909fec69f84b39e63876c69b9df2c178c6b76ba ]
There are several places where a value of type 'int' is shifted by
lpddr->chipshift. lpddr->chipshift is derived from QINFO geometry and
might reach 31 when QINFO reports a 2 GiB size - the maximum supported by
LPDDR(1) compliant chips. This may cause unexpected sign-extensions when
casting the integer value to the type of 'unsigned long'.
Use '1UL << lpddr->chipshift' and cast 'j' to unsigned long before
shifting so the computation is performed at the destination width.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c68264711ca6 ("[MTD] LPDDR Command set driver")
Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/lpddr/lpddr_cmds.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/mtd/lpddr/lpddr_cmds.c b/drivers/mtd/lpddr/lpddr_cmds.c
index ee063baed136c..5c39c9c653233 100644
--- a/drivers/mtd/lpddr/lpddr_cmds.c
+++ b/drivers/mtd/lpddr/lpddr_cmds.c
@@ -79,7 +79,7 @@ struct mtd_info *lpddr_cmdset(struct map_info *map)
mutex_init(&shared[i].lock);
for (j = 0; j < lpddr->qinfo->HWPartsNum; j++) {
*chip = lpddr->chips[i];
- chip->start += j << lpddr->chipshift;
+ chip->start += (unsigned long)j << lpddr->chipshift;
chip->oldstate = chip->state = FL_READY;
chip->priv = &shared[i];
/* those should be reset too since
@@ -562,7 +562,7 @@ static int lpddr_point(struct mtd_info *mtd, loff_t adr, size_t len,
break;
if ((len + ofs - 1) >> lpddr->chipshift)
- thislen = (1<<lpddr->chipshift) - ofs;
+ thislen = (1UL << lpddr->chipshift) - ofs;
else
thislen = len;
/* get the chip */
@@ -578,7 +578,7 @@ static int lpddr_point(struct mtd_info *mtd, loff_t adr, size_t len,
len -= thislen;
ofs = 0;
- last_end += 1 << lpddr->chipshift;
+ last_end += 1UL << lpddr->chipshift;
chipnum++;
chip = &lpddr->chips[chipnum];
}
@@ -604,7 +604,7 @@ static int lpddr_unpoint (struct mtd_info *mtd, loff_t adr, size_t len)
break;
if ((len + ofs - 1) >> lpddr->chipshift)
- thislen = (1<<lpddr->chipshift) - ofs;
+ thislen = (1UL << lpddr->chipshift) - ofs;
else
thislen = len;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 163/554] remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 162/554] mtd: lpddr_cmds: fix signed shifts in lpddr_cmds Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 164/554] net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop Greg Kroah-Hartman
` (396 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandru Gagniuc, Bjorn Andersson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandru Gagniuc <mr.nuke.me@gmail.com>
[ Upstream commit 7e81fa8d809ed1e67ae9ecd52d20a20c2c65d877 ]
The "qcom,halt-regs" consists of a phandle reference followed by the
three offsets within syscon for halt registers. Thus, we need to
request 4 integers from of_property_read_variable_u32_array(), with
the halt_reg ofsets at indexes 1, 2, and 3. Offset 0 is the phandle.
With MAX_HALT_REG at 3, of_property_read_variable_u32_array() returns
-EOVERFLOW, causing .probe() to fail.
Increase MAX_HALT_REG to 4, and update the indexes accordingly.
Fixes: 0af65b9b915e ("remoteproc: qcom: wcss: Add non pas wcss Q6 support for QCS404")
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Link: https://lore.kernel.org/r/20251129013207.3981517-1-mr.nuke.me@gmail.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_q6v5_wcss.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/remoteproc/qcom_q6v5_wcss.c b/drivers/remoteproc/qcom_q6v5_wcss.c
index cfd34ffcbb121..d900ef12ada43 100644
--- a/drivers/remoteproc/qcom_q6v5_wcss.c
+++ b/drivers/remoteproc/qcom_q6v5_wcss.c
@@ -85,7 +85,7 @@
#define TCSR_WCSS_CLK_MASK 0x1F
#define TCSR_WCSS_CLK_ENABLE 0x14
-#define MAX_HALT_REG 3
+#define MAX_HALT_REG 4
enum {
WCSS_IPQ8074,
WCSS_QCS404,
@@ -864,9 +864,9 @@ static int q6v5_wcss_init_mmio(struct q6v5_wcss *wcss,
return -EINVAL;
}
- wcss->halt_q6 = halt_reg[0];
- wcss->halt_wcss = halt_reg[1];
- wcss->halt_nc = halt_reg[2];
+ wcss->halt_q6 = halt_reg[1];
+ wcss->halt_wcss = halt_reg[2];
+ wcss->halt_nc = halt_reg[3];
return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 164/554] net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 163/554] remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 165/554] perf tools: Fix split kallsyms DSO counting Greg Kroah-Hartman
` (395 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei,
Toke Høiland-Jørgensen, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit 9fefc78f7f02d71810776fdeb119a05a946a27cc ]
In cake_drop(), qdisc_tree_reduce_backlog() is used to update the qlen
and backlog of the qdisc hierarchy. Its caller, cake_enqueue(), assumes
that the parent qdisc will enqueue the current packet. However, this
assumption breaks when cake_enqueue() returns NET_XMIT_CN: the parent
qdisc stops enqueuing current packet, leaving the tree qlen/backlog
accounting inconsistent. This mismatch can lead to a NULL dereference
(e.g., when the parent Qdisc is qfq_qdisc).
This patch computes the qlen/backlog delta in a more robust way by
observing the difference before and after the series of cake_drop()
calls, and then compensates the qdisc tree accounting if cake_enqueue()
returns NET_XMIT_CN.
To ensure correct compensation when ACK thinning is enabled, a new
variable is introduced to keep qlen unchanged.
Fixes: 15de71d06a40 ("net/sched: Make cake_enqueue return NET_XMIT_CN when past buffer_limit")
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Reviewed-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20251128001415.377823-1-xmei5@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cake.c | 58 ++++++++++++++++++++++++--------------------
1 file changed, 32 insertions(+), 26 deletions(-)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 73b840762afb2..cfeda7b50cc2e 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1608,7 +1608,6 @@ static unsigned int cake_drop(struct Qdisc *sch, struct sk_buff **to_free)
__qdisc_drop(skb, to_free);
sch->q.qlen--;
- qdisc_tree_reduce_backlog(sch, 1, len);
cake_heapify(q, 0);
@@ -1754,14 +1753,14 @@ static void cake_reconfigure(struct Qdisc *sch);
static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
struct sk_buff **to_free)
{
+ u32 idx, tin, prev_qlen, prev_backlog, drop_id;
struct cake_sched_data *q = qdisc_priv(sch);
- int len = qdisc_pkt_len(skb);
- int ret;
+ int len = qdisc_pkt_len(skb), ret;
struct sk_buff *ack = NULL;
ktime_t now = ktime_get();
struct cake_tin_data *b;
struct cake_flow *flow;
- u32 idx, tin;
+ bool same_flow = false;
/* choose flow to insert into */
idx = cake_classify(sch, &b, skb, q->flow_mode, &ret);
@@ -1834,6 +1833,8 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
consume_skb(skb);
} else {
/* not splitting */
+ int ack_pkt_len = 0;
+
cobalt_set_enqueue_time(skb, now);
get_cobalt_cb(skb)->adjusted_len = cake_overhead(q, skb);
flow_queue_add(flow, skb);
@@ -1844,13 +1845,13 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (ack) {
b->ack_drops++;
sch->qstats.drops++;
- b->bytes += qdisc_pkt_len(ack);
- len -= qdisc_pkt_len(ack);
+ ack_pkt_len = qdisc_pkt_len(ack);
+ b->bytes += ack_pkt_len;
q->buffer_used += skb->truesize - ack->truesize;
if (q->rate_flags & CAKE_FLAG_INGRESS)
cake_advance_shaper(q, b, ack, now, true);
- qdisc_tree_reduce_backlog(sch, 1, qdisc_pkt_len(ack));
+ qdisc_tree_reduce_backlog(sch, 1, ack_pkt_len);
consume_skb(ack);
} else {
sch->q.qlen++;
@@ -1859,11 +1860,11 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
/* stats */
b->packets++;
- b->bytes += len;
- b->backlogs[idx] += len;
- b->tin_backlog += len;
- sch->qstats.backlog += len;
- q->avg_window_bytes += len;
+ b->bytes += len - ack_pkt_len;
+ b->backlogs[idx] += len - ack_pkt_len;
+ b->tin_backlog += len - ack_pkt_len;
+ sch->qstats.backlog += len - ack_pkt_len;
+ q->avg_window_bytes += len - ack_pkt_len;
}
if (q->overflow_timeout)
@@ -1938,24 +1939,29 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
if (q->buffer_used > q->buffer_max_used)
q->buffer_max_used = q->buffer_used;
- if (q->buffer_used > q->buffer_limit) {
- bool same_flow = false;
- u32 dropped = 0;
- u32 drop_id;
+ if (q->buffer_used <= q->buffer_limit)
+ return NET_XMIT_SUCCESS;
- while (q->buffer_used > q->buffer_limit) {
- dropped++;
- drop_id = cake_drop(sch, to_free);
+ prev_qlen = sch->q.qlen;
+ prev_backlog = sch->qstats.backlog;
- if ((drop_id >> 16) == tin &&
- (drop_id & 0xFFFF) == idx)
- same_flow = true;
- }
- b->drop_overlimit += dropped;
+ while (q->buffer_used > q->buffer_limit) {
+ drop_id = cake_drop(sch, to_free);
+ if ((drop_id >> 16) == tin &&
+ (drop_id & 0xFFFF) == idx)
+ same_flow = true;
+ }
+
+ prev_qlen -= sch->q.qlen;
+ prev_backlog -= sch->qstats.backlog;
+ b->drop_overlimit += prev_qlen;
- if (same_flow)
- return NET_XMIT_CN;
+ if (same_flow) {
+ qdisc_tree_reduce_backlog(sch, prev_qlen - 1,
+ prev_backlog - len);
+ return NET_XMIT_CN;
}
+ qdisc_tree_reduce_backlog(sch, prev_qlen, prev_backlog);
return NET_XMIT_SUCCESS;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 165/554] perf tools: Fix split kallsyms DSO counting
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 164/554] net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 166/554] pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling Greg Kroah-Hartman
` (394 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Rogers, Namhyung Kim,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namhyung Kim <namhyung@kernel.org>
[ Upstream commit ad0b9c4865b98dc37f4d606d26b1c19808796805 ]
It's counted twice as it's increased after calling maps__insert(). I
guess we want to increase it only after it's added properly.
Reviewed-by: Ian Rogers <irogers@google.com>
Fixes: 2e538c4a1847291cf ("perf tools: Improve kernel/modules symbol lookup")
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/symbol.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c
index 80c54196e0e4f..b48d237124e12 100644
--- a/tools/perf/util/symbol.c
+++ b/tools/perf/util/symbol.c
@@ -893,11 +893,11 @@ static int maps__split_kallsyms(struct maps *kmaps, struct dso *dso, u64 delta,
if (dso->kernel == DSO_SPACE__KERNEL_GUEST)
snprintf(dso_name, sizeof(dso_name),
"[guest.kernel].%d",
- kernel_range++);
+ kernel_range);
else
snprintf(dso_name, sizeof(dso_name),
"[kernel].%d",
- kernel_range++);
+ kernel_range);
ndso = dso__new(dso_name);
if (ndso == NULL)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 166/554] pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 165/554] perf tools: Fix split kallsyms DSO counting Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 167/554] pinctrl: single: Fix incorrect type for error return variable Greg Kroah-Hartman
` (393 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthijs Kooijman, Haojian Zhuang,
Tony Lindgren, Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthijs Kooijman <matthijs@stdin.nl>
[ Upstream commit b5fe46efc147516a908d2d31bf40eb858ab76d51 ]
The pinctrl-single driver handles pin_config_set by looking up the
requested setting in a DT-defined lookup table, which defines what bits
correspond to each setting. There is no way to add
PIN_CONFIG_BIAS_DISABLE entries to the table, since there is instead
code to disable the bias by applying the disable values of both the
pullup and pulldown entries in the table.
However, this code is inside the table-lookup loop, so it would only
execute if there is an entry for PIN_CONFIG_BIAS_DISABLE in the table,
which can never exist, so this code never runs.
This commit lifts the offending code out of the loop, so it just
executes directly whenever PIN_CONFIG_BIAS_DISABLE is requested,
skippipng the table lookup loop.
This also introduces a new `param` variable to make the code slightly
more readable.
This bug seems to have existed when this code was first merged in commit
9dddb4df90d13 ("pinctrl: single: support generic pinconf"). Earlier
versions of this patch did have an entry for PIN_CONFIG_BIAS_DISABLE in
the lookup table, but that was removed, which is probably how this bug
was introduced.
Signed-off-by: Matthijs Kooijman <matthijs@stdin.nl>
Reviewed-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Reviewed-by: Tony Lindgren <tony@atomide.com>
Message-ID: <20240319110633.230329-1-matthijs@stdin.nl>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Stable-dep-of: 61d1bb53547d ("pinctrl: single: Fix incorrect type for error return variable")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-single.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
index a72911e8ea82d..b81297084f097 100644
--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
@@ -557,21 +557,30 @@ static int pcs_pinconf_set(struct pinctrl_dev *pctldev,
unsigned offset = 0, shift = 0, i, data, ret;
u32 arg;
int j;
+ enum pin_config_param param;
ret = pcs_get_function(pctldev, pin, &func);
if (ret)
return ret;
for (j = 0; j < num_configs; j++) {
+ param = pinconf_to_config_param(configs[j]);
+
+ /* BIAS_DISABLE has no entry in the func->conf table */
+ if (param == PIN_CONFIG_BIAS_DISABLE) {
+ /* This just disables all bias entries */
+ pcs_pinconf_clear_bias(pctldev, pin);
+ continue;
+ }
+
for (i = 0; i < func->nconfs; i++) {
- if (pinconf_to_config_param(configs[j])
- != func->conf[i].param)
+ if (param != func->conf[i].param)
continue;
offset = pin * (pcs->width / BITS_PER_BYTE);
data = pcs->read(pcs->base + offset);
arg = pinconf_to_config_argument(configs[j]);
- switch (func->conf[i].param) {
+ switch (param) {
/* 2 parameters */
case PIN_CONFIG_INPUT_SCHMITT:
case PIN_CONFIG_DRIVE_STRENGTH:
@@ -583,9 +592,6 @@ static int pcs_pinconf_set(struct pinctrl_dev *pctldev,
data |= (arg << shift) & func->conf[i].mask;
break;
/* 4 parameters */
- case PIN_CONFIG_BIAS_DISABLE:
- pcs_pinconf_clear_bias(pctldev, pin);
- break;
case PIN_CONFIG_BIAS_PULL_DOWN:
case PIN_CONFIG_BIAS_PULL_UP:
if (arg) {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 167/554] pinctrl: single: Fix incorrect type for error return variable
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 166/554] pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 168/554] fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe() Greg Kroah-Hartman
` (392 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Linus Walleij,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 61d1bb53547d42c6bdaec9da4496beb3a1a05264 ]
pcs_pinconf_get() and pcs_pinconf_set() declare ret as unsigned int,
but assign it the return values of pcs_get_function() that may return
negative error codes. This causes negative error codes to be
converted to large positive values.
Change ret from unsigned int to int in both functions.
Fixes: 9dddb4df90d1 ("pinctrl: single: support generic pinconf")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinctrl-single.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
index b81297084f097..0659cd3aa3a5a 100644
--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
@@ -490,7 +490,8 @@ static int pcs_pinconf_get(struct pinctrl_dev *pctldev,
struct pcs_device *pcs = pinctrl_dev_get_drvdata(pctldev);
struct pcs_function *func;
enum pin_config_param param;
- unsigned offset = 0, data = 0, i, j, ret;
+ unsigned offset = 0, data = 0, i, j;
+ int ret;
ret = pcs_get_function(pctldev, pin, &func);
if (ret)
@@ -554,9 +555,9 @@ static int pcs_pinconf_set(struct pinctrl_dev *pctldev,
{
struct pcs_device *pcs = pinctrl_dev_get_drvdata(pctldev);
struct pcs_function *func;
- unsigned offset = 0, shift = 0, i, data, ret;
+ unsigned offset = 0, shift = 0, i, data;
u32 arg;
- int j;
+ int j, ret;
enum pin_config_param param;
ret = pcs_get_function(pctldev, pin, &func);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 168/554] fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 167/554] pinctrl: single: Fix incorrect type for error return variable Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 169/554] NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink() Greg Kroah-Hartman
` (391 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abdun Nihaal, Helge Deller,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abdun Nihaal <nihaal@cse.iitm.ac.in>
[ Upstream commit 164312662ae9764b83b84d97afb25c42eb2be473 ]
The page allocated for vmem using __get_free_pages() is not freed on the
error paths after it. Fix that by adding a corresponding __free_pages()
call to the error path.
Fixes: facd94bc458a ("fbdev: ssd1307fb: Allocate page aligned video memory.")
Signed-off-by: Abdun Nihaal <nihaal@cse.iitm.ac.in>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/ssd1307fb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/ssd1307fb.c b/drivers/video/fbdev/ssd1307fb.c
index 7acf7c0b263e6..212494b0a4ba8 100644
--- a/drivers/video/fbdev/ssd1307fb.c
+++ b/drivers/video/fbdev/ssd1307fb.c
@@ -732,7 +732,7 @@ static int ssd1307fb_probe(struct i2c_client *client)
if (!ssd1307fb_defio) {
dev_err(dev, "Couldn't allocate deferred io.\n");
ret = -ENOMEM;
- goto fb_alloc_error;
+ goto fb_defio_error;
}
ssd1307fb_defio->delay = HZ / refreshrate;
@@ -812,6 +812,8 @@ static int ssd1307fb_probe(struct i2c_client *client)
regulator_disable(par->vbat_reg);
reset_oled_error:
fb_deferred_io_cleanup(info);
+fb_defio_error:
+ __free_pages(vmem, get_order(vmem_size));
fb_alloc_error:
framebuffer_release(info);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 169/554] NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 168/554] fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 170/554] NFS: dont unhash dentry during unlink/rename Greg Kroah-Hartman
` (390 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 9019fb391de02cbff422090768b73afe9f6174df ]
After the success of an operation such as rmdir() or unlink(), we expect
to add the dentry back to the dcache as an ordinary negative dentry.
However in NFS, unless it is labelled with the appropriate verifier for
the parent directory state, then nfs_lookup_revalidate will end up
discarding that dentry and forcing a new lookup.
The fix is to ensure that we relabel the dentry appropriately on
success.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Stable-dep-of: bd4928ec799b ("NFS: Avoid changing nlink when file removes and attribute updates race")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/dir.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 32c3d0c454b19..9dceb6cb10417 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -2212,6 +2212,18 @@ static void nfs_dentry_handle_enoent(struct dentry *dentry)
d_delete(dentry);
}
+static void nfs_dentry_remove_handle_error(struct inode *dir,
+ struct dentry *dentry, int error)
+{
+ switch (error) {
+ case -ENOENT:
+ d_delete(dentry);
+ fallthrough;
+ case 0:
+ nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
+ }
+}
+
int nfs_rmdir(struct inode *dir, struct dentry *dentry)
{
int error;
@@ -2234,6 +2246,7 @@ int nfs_rmdir(struct inode *dir, struct dentry *dentry)
up_write(&NFS_I(d_inode(dentry))->rmdir_sem);
} else
error = NFS_PROTO(dir)->rmdir(dir, &dentry->d_name);
+ nfs_dentry_remove_handle_error(dir, dentry, error);
trace_nfs_rmdir_exit(dir, dentry, error);
return error;
@@ -2303,9 +2316,8 @@ int nfs_unlink(struct inode *dir, struct dentry *dentry)
}
spin_unlock(&dentry->d_lock);
error = nfs_safe_remove(dentry);
- if (!error || error == -ENOENT) {
- nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
- } else if (need_rehash)
+ nfs_dentry_remove_handle_error(dir, dentry, error);
+ if (need_rehash)
d_rehash(dentry);
out:
trace_nfs_unlink_exit(dir, dentry, error);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 170/554] NFS: dont unhash dentry during unlink/rename
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 169/554] NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink() Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 171/554] NFS: Avoid changing nlink when file removes and attribute updates race Greg Kroah-Hartman
` (389 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, NeilBrown, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.de>
[ Upstream commit 3c59366c207e4c6c6569524af606baf017a55c61 ]
NFS unlink() (and rename over existing target) must determine if the
file is open, and must perform a "silly rename" instead of an unlink (or
before rename) if it is. Otherwise the client might hold a file open
which has been removed on the server.
Consequently if it determines that the file isn't open, it must block
any subsequent opens until the unlink/rename has been completed on the
server.
This is currently achieved by unhashing the dentry. This forces any
open attempt to the slow-path for lookup which will block on i_rwsem on
the directory until the unlink/rename completes. A future patch will
change the VFS to only get a shared lock on i_rwsem for unlink, so this
will no longer work.
Instead we introduce an explicit interlock. A special value is stored
in dentry->d_fsdata while the unlink/rename is running and
->d_revalidate blocks while that value is present. When ->d_revalidate
unblocks, the dentry will be invalid. This closes the race
without requiring exclusion on i_rwsem.
d_fsdata is already used in two different ways.
1/ an IS_ROOT directory dentry might have a "devname" stored in
d_fsdata. Such a dentry doesn't have a name and so cannot be the
target of unlink or rename. For safety we check if an old devname
is still stored, and remove it if it is.
2/ a dentry with DCACHE_NFSFS_RENAMED set will have a 'struct
nfs_unlinkdata' stored in d_fsdata. While this is set maydelete()
will fail, so an unlink or rename will never proceed on such
a dentry.
Neither of these can be in effect when a dentry is the target of unlink
or rename. So we can expect d_fsdata to be NULL, and store a special
value ((void*)1) which is given the name NFS_FSDATA_BLOCKED to indicate
that any lookup will be blocked.
The d_count() is incremented under d_lock() when a lookup finds the
dentry, so we check d_count() is low, and set NFS_FSDATA_BLOCKED under
the same lock to avoid any races.
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Stable-dep-of: bd4928ec799b ("NFS: Avoid changing nlink when file removes and attribute updates race")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/dir.c | 72 +++++++++++++++++++++++++++++++-----------
include/linux/nfs_fs.h | 9 ++++++
2 files changed, 63 insertions(+), 18 deletions(-)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 9dceb6cb10417..671b427b7b97a 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1626,6 +1626,8 @@ __nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags,
int ret;
if (flags & LOOKUP_RCU) {
+ if (dentry->d_fsdata == NFS_FSDATA_BLOCKED)
+ return -ECHILD;
parent = READ_ONCE(dentry->d_parent);
dir = d_inode_rcu(parent);
if (!dir)
@@ -1634,6 +1636,9 @@ __nfs_lookup_revalidate(struct dentry *dentry, unsigned int flags,
if (parent != READ_ONCE(dentry->d_parent))
return -ECHILD;
} else {
+ /* Wait for unlink to complete */
+ wait_var_event(&dentry->d_fsdata,
+ dentry->d_fsdata != NFS_FSDATA_BLOCKED);
parent = dget_parent(dentry);
ret = reval(d_inode(parent), dentry, flags);
dput(parent);
@@ -2296,7 +2301,6 @@ static int nfs_safe_remove(struct dentry *dentry)
int nfs_unlink(struct inode *dir, struct dentry *dentry)
{
int error;
- int need_rehash = 0;
dfprintk(VFS, "NFS: unlink(%s/%lu, %pd)\n", dir->i_sb->s_id,
dir->i_ino, dentry);
@@ -2310,15 +2314,25 @@ int nfs_unlink(struct inode *dir, struct dentry *dentry)
error = nfs_sillyrename(dir, dentry);
goto out;
}
- if (!d_unhashed(dentry)) {
- __d_drop(dentry);
- need_rehash = 1;
- }
+ /* We must prevent any concurrent open until the unlink
+ * completes. ->d_revalidate will wait for ->d_fsdata
+ * to clear. We set it here to ensure no lookup succeeds until
+ * the unlink is complete on the server.
+ */
+ error = -ETXTBSY;
+ if (WARN_ON(dentry->d_flags & DCACHE_NFSFS_RENAMED) ||
+ WARN_ON(dentry->d_fsdata == NFS_FSDATA_BLOCKED))
+ goto out;
+ if (dentry->d_fsdata)
+ /* old devname */
+ kfree(dentry->d_fsdata);
+ dentry->d_fsdata = NFS_FSDATA_BLOCKED;
+
spin_unlock(&dentry->d_lock);
error = nfs_safe_remove(dentry);
nfs_dentry_remove_handle_error(dir, dentry, error);
- if (need_rehash)
- d_rehash(dentry);
+ dentry->d_fsdata = NULL;
+ wake_up_var(&dentry->d_fsdata);
out:
trace_nfs_unlink_exit(dir, dentry, error);
return error;
@@ -2422,6 +2436,15 @@ nfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry)
}
EXPORT_SYMBOL_GPL(nfs_link);
+static void
+nfs_unblock_rename(struct rpc_task *task, struct nfs_renamedata *data)
+{
+ struct dentry *new_dentry = data->new_dentry;
+
+ new_dentry->d_fsdata = NULL;
+ wake_up_var(&new_dentry->d_fsdata);
+}
+
/*
* RENAME
* FIXME: Some nfsds, like the Linux user space nfsd, may generate a
@@ -2452,8 +2475,9 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
{
struct inode *old_inode = d_inode(old_dentry);
struct inode *new_inode = d_inode(new_dentry);
- struct dentry *dentry = NULL, *rehash = NULL;
+ struct dentry *dentry = NULL;
struct rpc_task *task;
+ bool must_unblock = false;
int error = -EBUSY;
if (flags)
@@ -2471,18 +2495,27 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
* the new target.
*/
if (new_inode && !S_ISDIR(new_inode->i_mode)) {
- /*
- * To prevent any new references to the target during the
- * rename, we unhash the dentry in advance.
+ /* We must prevent any concurrent open until the unlink
+ * completes. ->d_revalidate will wait for ->d_fsdata
+ * to clear. We set it here to ensure no lookup succeeds until
+ * the unlink is complete on the server.
*/
- if (!d_unhashed(new_dentry)) {
- d_drop(new_dentry);
- rehash = new_dentry;
+ error = -ETXTBSY;
+ if (WARN_ON(new_dentry->d_flags & DCACHE_NFSFS_RENAMED) ||
+ WARN_ON(new_dentry->d_fsdata == NFS_FSDATA_BLOCKED))
+ goto out;
+ if (new_dentry->d_fsdata) {
+ /* old devname */
+ kfree(new_dentry->d_fsdata);
+ new_dentry->d_fsdata = NULL;
}
+ spin_lock(&new_dentry->d_lock);
if (d_count(new_dentry) > 2) {
int err;
+ spin_unlock(&new_dentry->d_lock);
+
/* copy the target dentry's name */
dentry = d_alloc(new_dentry->d_parent,
&new_dentry->d_name);
@@ -2495,14 +2528,19 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
goto out;
new_dentry = dentry;
- rehash = NULL;
new_inode = NULL;
+ } else {
+ new_dentry->d_fsdata = NFS_FSDATA_BLOCKED;
+ must_unblock = true;
+ spin_unlock(&new_dentry->d_lock);
}
+
}
if (S_ISREG(old_inode->i_mode))
nfs_sync_inode(old_inode);
- task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry, NULL);
+ task = nfs_async_rename(old_dir, new_dir, old_dentry, new_dentry,
+ must_unblock ? nfs_unblock_rename : NULL);
if (IS_ERR(task)) {
error = PTR_ERR(task);
goto out;
@@ -2526,8 +2564,6 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
spin_unlock(&old_inode->i_lock);
}
out:
- if (rehash)
- d_rehash(rehash);
trace_nfs_rename_exit(old_dir, old_dentry,
new_dir, new_dentry, error);
if (!error) {
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index 218e79ba263b2..d7c23708f7da4 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -673,6 +673,15 @@ static inline bool nfs_ooo_test(struct nfs_inode *nfsi)
#define NFS_JUKEBOX_RETRY_TIME (5 * HZ)
+/* We need to block new opens while a file is being unlinked.
+ * If it is opened *before* we decide to unlink, we will silly-rename
+ * instead. If it is opened *after*, then we need to create or will fail.
+ * If we allow the two to race, we could end up with a file that is open
+ * but deleted on the server resulting in ESTALE.
+ * So use ->d_fsdata to record when the unlink is happening
+ * and block dentry revalidation while it is set.
+ */
+#define NFS_FSDATA_BLOCKED ((void*)1)
# undef ifdebug
# ifdef NFS_DEBUG
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 171/554] NFS: Avoid changing nlink when file removes and attribute updates race
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 170/554] NFS: dont unhash dentry during unlink/rename Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 172/554] fs/nls: Fix utf16 to utf8 conversion Greg Kroah-Hartman
` (388 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aiden Lambert, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit bd4928ec799b31c492eb63f9f4a0c1e0bb4bb3f7 ]
If a file removal races with another operation that updates its
attributes, then skip the change to nlink, and just mark the attributes
as being stale.
Reported-by: Aiden Lambert <alambert48@gatech.edu>
Fixes: 59a707b0d42e ("NFS: Ensure we revalidate the inode correctly after remove or rename")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/dir.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 671b427b7b97a..2a325a79327bc 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1714,13 +1714,15 @@ static int nfs_dentry_delete(const struct dentry *dentry)
}
/* Ensure that we revalidate inode->i_nlink */
-static void nfs_drop_nlink(struct inode *inode)
+static void nfs_drop_nlink(struct inode *inode, unsigned long gencount)
{
+ struct nfs_inode *nfsi = NFS_I(inode);
+
spin_lock(&inode->i_lock);
/* drop the inode if we're reasonably sure this is the last link */
- if (inode->i_nlink > 0)
+ if (inode->i_nlink > 0 && gencount == nfsi->attr_gencount)
drop_nlink(inode);
- NFS_I(inode)->attr_gencount = nfs_inc_attr_generation_counter();
+ nfsi->attr_gencount = nfs_inc_attr_generation_counter();
nfs_set_cache_invalid(
inode, NFS_INO_INVALID_CHANGE | NFS_INO_INVALID_CTIME |
NFS_INO_INVALID_NLINK);
@@ -1738,8 +1740,9 @@ static void nfs_dentry_iput(struct dentry *dentry, struct inode *inode)
nfs_set_cache_invalid(inode, NFS_INO_INVALID_DATA);
if (dentry->d_flags & DCACHE_NFSFS_RENAMED) {
+ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount);
nfs_complete_unlink(dentry, inode);
- nfs_drop_nlink(inode);
+ nfs_drop_nlink(inode, gencount);
}
iput(inode);
}
@@ -2281,9 +2284,11 @@ static int nfs_safe_remove(struct dentry *dentry)
trace_nfs_remove_enter(dir, dentry);
if (inode != NULL) {
+ unsigned long gencount = READ_ONCE(NFS_I(inode)->attr_gencount);
+
error = NFS_PROTO(dir)->remove(dir, dentry);
if (error == 0)
- nfs_drop_nlink(inode);
+ nfs_drop_nlink(inode, gencount);
} else
error = NFS_PROTO(dir)->remove(dir, dentry);
if (error == -ENOENT)
@@ -2475,6 +2480,7 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
{
struct inode *old_inode = d_inode(old_dentry);
struct inode *new_inode = d_inode(new_dentry);
+ unsigned long new_gencount = 0;
struct dentry *dentry = NULL;
struct rpc_task *task;
bool must_unblock = false;
@@ -2532,6 +2538,7 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
} else {
new_dentry->d_fsdata = NFS_FSDATA_BLOCKED;
must_unblock = true;
+ new_gencount = NFS_I(new_inode)->attr_gencount;
spin_unlock(&new_dentry->d_lock);
}
@@ -2568,7 +2575,7 @@ int nfs_rename(struct user_namespace *mnt_userns, struct inode *old_dir,
new_dir, new_dentry, error);
if (!error) {
if (new_inode != NULL)
- nfs_drop_nlink(new_inode);
+ nfs_drop_nlink(new_inode, new_gencount);
/*
* The d_move() should be here instead of in an async RPC completion
* handler because we need the proper locks to move the dentry. If
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 172/554] fs/nls: Fix utf16 to utf8 conversion
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 171/554] NFS: Avoid changing nlink when file removes and attribute updates race Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 173/554] NFSv4: Add some support for case insensitive filesystems Greg Kroah-Hartman
` (387 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Ilpo Järvinen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 25524b6190295577e4918c689644451365e6466d ]
Currently the function responsible for converting between utf16 and
utf8 strings will ignore any characters that cannot be converted. This
however also includes multi-byte characters that do not fit into the
provided string buffer.
This can cause problems if such a multi-byte character is followed by
a single-byte character. In such a case the multi-byte character might
be ignored when the provided string buffer is too small, but the
single-byte character might fit and is thus still copied into the
resulting string.
Fix this by stop filling the provided string buffer once a character
does not fit. In order to be able to do this extend utf32_to_utf8()
to return useful errno codes instead of -1.
Fixes: 74675a58507e ("NLS: update handling of Unicode")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20251111131125.3379-2-W_Armin@gmx.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nls/nls_base.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
index a026dbd3593f6..7eacded3c17d1 100644
--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -94,7 +94,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
l = u;
if (l > UNICODE_MAX || (l & SURROGATE_MASK) == SURROGATE_PAIR)
- return -1;
+ return -EILSEQ;
nc = 0;
for (t = utf8_table; t->cmask && maxout; t++, maxout--) {
@@ -110,7 +110,7 @@ int utf32_to_utf8(unicode_t u, u8 *s, int maxout)
return nc;
}
}
- return -1;
+ return -EOVERFLOW;
}
EXPORT_SYMBOL(utf32_to_utf8);
@@ -217,8 +217,16 @@ int utf16s_to_utf8s(const wchar_t *pwcs, int inlen, enum utf16_endian endian,
inlen--;
}
size = utf32_to_utf8(u, op, maxout);
- if (size == -1) {
- /* Ignore character and move on */
+ if (size < 0) {
+ if (size == -EILSEQ) {
+ /* Ignore character and move on */
+ continue;
+ }
+ /*
+ * Stop filling the buffer with data once a character
+ * does not fit anymore.
+ */
+ break;
} else {
op += size;
maxout -= size;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 173/554] NFSv4: Add some support for case insensitive filesystems
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 172/554] fs/nls: Fix utf16 to utf8 conversion Greg Kroah-Hartman
@ 2026-01-15 16:43 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 174/554] NFS: Fix the verifier for case sensitive filesystem in nfs_atomic_open() Greg Kroah-Hartman
` (386 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:43 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Anna Schumaker,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@primarydata.com>
[ Upstream commit 1ab5be4ac5b1c9ce39ce1037c45b68d2ce6eede0 ]
Add capabilities to allow the NFS client to recognise when it is dealing
with case insensitive and case preserving filesystems.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Stable-dep-of: 518c32a1bc4f ("NFS: Initialise verifiers for visible dentries in nfs_atomic_open()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4proc.c | 8 +++++++-
fs/nfs/nfs4xdr.c | 40 +++++++++++++++++++++++++++++++++++++++
include/linux/nfs_fs_sb.h | 2 ++
include/linux/nfs_xdr.h | 2 ++
4 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 768433688cb2f..883e4106fbcd9 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3887,7 +3887,9 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
FATTR4_WORD0_FH_EXPIRE_TYPE |
FATTR4_WORD0_LINK_SUPPORT |
FATTR4_WORD0_SYMLINK_SUPPORT |
- FATTR4_WORD0_ACLSUPPORT;
+ FATTR4_WORD0_ACLSUPPORT |
+ FATTR4_WORD0_CASE_INSENSITIVE |
+ FATTR4_WORD0_CASE_PRESERVING;
if (minorversion)
bitmask[2] = FATTR4_WORD2_SUPPATTR_EXCLCREAT;
@@ -3917,6 +3919,10 @@ static int _nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *f
server->caps |= NFS_CAP_HARDLINKS;
if (res.has_symlinks != 0)
server->caps |= NFS_CAP_SYMLINKS;
+ if (res.case_insensitive)
+ server->caps |= NFS_CAP_CASE_INSENSITIVE;
+ if (res.case_preserving)
+ server->caps |= NFS_CAP_CASE_PRESERVING;
#ifdef CONFIG_NFS_V4_SECURITY_LABEL
if (res.attr_bitmask[2] & FATTR4_WORD2_SECURITY_LABEL)
server->caps |= NFS_CAP_SECURITY_LABEL;
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 0ae9e06a0bba2..0b9fa58dd7cd7 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -3530,6 +3530,42 @@ static int decode_attr_aclsupport(struct xdr_stream *xdr, uint32_t *bitmap, uint
return 0;
}
+static int decode_attr_case_insensitive(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
+{
+ __be32 *p;
+
+ *res = 0;
+ if (unlikely(bitmap[0] & (FATTR4_WORD0_CASE_INSENSITIVE - 1U)))
+ return -EIO;
+ if (likely(bitmap[0] & FATTR4_WORD0_CASE_INSENSITIVE)) {
+ p = xdr_inline_decode(xdr, 4);
+ if (unlikely(!p))
+ return -EIO;
+ *res = be32_to_cpup(p);
+ bitmap[0] &= ~FATTR4_WORD0_CASE_INSENSITIVE;
+ }
+ dprintk("%s: case_insensitive=%s\n", __func__, *res == 0 ? "false" : "true");
+ return 0;
+}
+
+static int decode_attr_case_preserving(struct xdr_stream *xdr, uint32_t *bitmap, uint32_t *res)
+{
+ __be32 *p;
+
+ *res = 0;
+ if (unlikely(bitmap[0] & (FATTR4_WORD0_CASE_PRESERVING - 1U)))
+ return -EIO;
+ if (likely(bitmap[0] & FATTR4_WORD0_CASE_PRESERVING)) {
+ p = xdr_inline_decode(xdr, 4);
+ if (unlikely(!p))
+ return -EIO;
+ *res = be32_to_cpup(p);
+ bitmap[0] &= ~FATTR4_WORD0_CASE_PRESERVING;
+ }
+ dprintk("%s: case_preserving=%s\n", __func__, *res == 0 ? "false" : "true");
+ return 0;
+}
+
static int decode_attr_fileid(struct xdr_stream *xdr, uint32_t *bitmap, uint64_t *fileid)
{
__be32 *p;
@@ -4406,6 +4442,10 @@ static int decode_server_caps(struct xdr_stream *xdr, struct nfs4_server_caps_re
goto xdr_error;
if ((status = decode_attr_aclsupport(xdr, bitmap, &res->acl_bitmask)) != 0)
goto xdr_error;
+ if ((status = decode_attr_case_insensitive(xdr, bitmap, &res->case_insensitive)) != 0)
+ goto xdr_error;
+ if ((status = decode_attr_case_preserving(xdr, bitmap, &res->case_preserving)) != 0)
+ goto xdr_error;
if ((status = decode_attr_exclcreat_supported(xdr, bitmap,
res->exclcreat_bitmask)) != 0)
goto xdr_error;
diff --git a/include/linux/nfs_fs_sb.h b/include/linux/nfs_fs_sb.h
index 091fefc5e3615..6b770affcfb2f 100644
--- a/include/linux/nfs_fs_sb.h
+++ b/include/linux/nfs_fs_sb.h
@@ -273,6 +273,8 @@ struct nfs_server {
#define NFS_CAP_ACLS (1U << 3)
#define NFS_CAP_ATOMIC_OPEN (1U << 4)
#define NFS_CAP_LGOPEN (1U << 5)
+#define NFS_CAP_CASE_INSENSITIVE (1U << 6)
+#define NFS_CAP_CASE_PRESERVING (1U << 7)
#define NFS_CAP_POSIX_LOCK (1U << 14)
#define NFS_CAP_UIDGID_NOMAP (1U << 15)
#define NFS_CAP_STATEID_NFSV41 (1U << 16)
diff --git a/include/linux/nfs_xdr.h b/include/linux/nfs_xdr.h
index 7fcd56c6ded65..7321a5a95087f 100644
--- a/include/linux/nfs_xdr.h
+++ b/include/linux/nfs_xdr.h
@@ -1202,6 +1202,8 @@ struct nfs4_server_caps_res {
u32 has_links;
u32 has_symlinks;
u32 fh_expire_type;
+ u32 case_insensitive;
+ u32 case_preserving;
};
#define NFS4_PATHNAME_MAXCOMPONENTS 512
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 174/554] NFS: Fix the verifier for case sensitive filesystem in nfs_atomic_open()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-01-15 16:43 ` [PATCH 5.15 173/554] NFSv4: Add some support for case insensitive filesystems Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 175/554] NFS: Initialise verifiers for visible dentries " Greg Kroah-Hartman
` (385 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Anna Schumaker,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 68eaba4ca924a97a863c5c81c0b23a11dcb6db90 ]
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Stable-dep-of: 518c32a1bc4f ("NFS: Initialise verifiers for visible dentries in nfs_atomic_open()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/dir.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index 2a325a79327bc..dc0c50b97643b 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1887,6 +1887,7 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
struct iattr attr = { .ia_valid = ATTR_OPEN };
struct inode *inode;
unsigned int lookup_flags = 0;
+ unsigned long dir_verifier;
bool switched = false;
int created = 0;
int err;
@@ -1960,7 +1961,11 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
switch (err) {
case -ENOENT:
d_splice_alias(NULL, dentry);
- nfs_set_verifier(dentry, nfs_save_change_attribute(dir));
+ if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE))
+ dir_verifier = inode_peek_iversion_raw(dir);
+ else
+ dir_verifier = nfs_save_change_attribute(dir);
+ nfs_set_verifier(dentry, dir_verifier);
break;
case -EISDIR:
case -ENOTDIR:
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 175/554] NFS: Initialise verifiers for visible dentries in nfs_atomic_open()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 174/554] NFS: Fix the verifier for case sensitive filesystem in nfs_atomic_open() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 176/554] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Greg Kroah-Hartman
` (384 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Stoler, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 518c32a1bc4f8df1a8442ee8cdfea3e2fcff20a0 ]
Ensure that the verifiers are initialised before calling
d_splice_alias() in nfs_atomic_open().
Reported-by: Michael Stoler <michael.stoler@vastdata.com>
Fixes: 809fd143de88 ("NFSv4: Ensure nfs_atomic_open set the dentry verifier on ENOENT")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
index dc0c50b97643b..6dd56841feab9 100644
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -1960,12 +1960,12 @@ int nfs_atomic_open(struct inode *dir, struct dentry *dentry,
d_drop(dentry);
switch (err) {
case -ENOENT:
- d_splice_alias(NULL, dentry);
if (nfs_server_capable(dir, NFS_CAP_CASE_INSENSITIVE))
dir_verifier = inode_peek_iversion_raw(dir);
else
dir_verifier = nfs_save_change_attribute(dir);
nfs_set_verifier(dentry, dir_verifier);
+ d_splice_alias(NULL, dentry);
break;
case -EISDIR:
case -ENOTDIR:
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 176/554] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 175/554] NFS: Initialise verifiers for visible dentries " Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 177/554] Revert "nfs: ignore SB_RDONLY when remounting nfs" Greg Kroah-Hartman
` (383 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Curley, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Curley <jcurley@purestorage.com>
[ Upstream commit e0f8058f2cb56de0b7572f51cd563ca5debce746 ]
Fixes a crash when layout is null during this call stack:
write_inode
-> nfs4_write_inode
-> pnfs_layoutcommit_inode
pnfs_set_layoutcommit relies on the lseg refcount to keep the layout
around. Need to clear NFS_INO_LAYOUTCOMMIT otherwise we might attempt
to reference a null layout.
Fixes: fe1cf9469d7bc ("pNFS: Clear all layout segment state in pnfs_mark_layout_stateid_invalid")
Signed-off-by: Jonathan Curley <jcurley@purestorage.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/pnfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index ef273b71f0198..50d608f6c6906 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -465,6 +465,7 @@ pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
struct pnfs_layout_segment *lseg, *next;
set_bit(NFS_LAYOUT_INVALID_STID, &lo->plh_flags);
+ clear_bit(NFS_INO_LAYOUTCOMMIT, &NFS_I(lo->plh_inode)->flags);
list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list)
pnfs_clear_lseg_state(lseg, lseg_list);
pnfs_clear_layoutreturn_info(lo);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 177/554] Revert "nfs: ignore SB_RDONLY when remounting nfs"
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 176/554] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 178/554] Revert "nfs: clear SB_RDONLY before getting superblock" Greg Kroah-Hartman
` (382 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alkis Georgopoulos, Li Lingfeng,
Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 400fa37afbb11a601c204b72af0f0e5bc2db695c ]
This reverts commit 80c4de6ab44c14e910117a02f2f8241ffc6ec54a.
Silently ignoring the "ro" and "rw" mount options causes user confusion,
and regressions.
Reported-by: Alkis Georgopoulos<alkisg@gmail.com>
Cc: Li Lingfeng <lilingfeng3@huawei.com>
Fixes: 80c4de6ab44c ("nfs: ignore SB_RDONLY when remounting nfs")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/super.c | 10 ----------
1 file changed, 10 deletions(-)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index cc70800b9a4b2..aa11a6dcf6ce7 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1017,16 +1017,6 @@ int nfs_reconfigure(struct fs_context *fc)
sync_filesystem(sb);
- /*
- * The SB_RDONLY flag has been removed from the superblock during
- * mounts to prevent interference between different filesystems.
- * Similarly, it is also necessary to ignore the SB_RDONLY flag
- * during reconfiguration; otherwise, it may also result in the
- * creation of redundant superblocks when mounting a directory with
- * different rw and ro flags multiple times.
- */
- fc->sb_flags_mask &= ~SB_RDONLY;
-
/*
* Userspace mount programs that send binary options generally send
* them populated with default values. We have no way to know which
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 178/554] Revert "nfs: clear SB_RDONLY before getting superblock"
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 177/554] Revert "nfs: ignore SB_RDONLY when remounting nfs" Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 179/554] Revert "nfs: ignore SB_RDONLY when mounting nfs" Greg Kroah-Hartman
` (381 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alkis Georgopoulos, Li Lingfeng,
Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit d216b698d44e33417ad4cc796cb04ccddbb8c0ee ]
This reverts commit 8cd9b785943c57a136536250da80ba1eb6f8eb18.
Silently ignoring the "ro" and "rw" mount options causes user confusion,
and regressions.
Reported-by: Alkis Georgopoulos<alkisg@gmail.com>
Cc: Li Lingfeng <lilingfeng3@huawei.com>
Fixes: 8cd9b785943c ("nfs: clear SB_RDONLY before getting superblock")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/super.c | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index aa11a6dcf6ce7..f91cb1267b44e 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1269,17 +1269,8 @@ int nfs_get_tree_common(struct fs_context *fc)
if (IS_ERR(server))
return PTR_ERR(server);
- /*
- * When NFS_MOUNT_UNSHARED is not set, NFS forces the sharing of a
- * superblock among each filesystem that mounts sub-directories
- * belonging to a single exported root path.
- * To prevent interference between different filesystems, the
- * SB_RDONLY flag should be removed from the superblock.
- */
if (server->flags & NFS_MOUNT_UNSHARED)
compare_super = NULL;
- else
- fc->sb_flags &= ~SB_RDONLY;
/* -o noac implies -o sync */
if (server->flags & NFS_MOUNT_NOAC)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 179/554] Revert "nfs: ignore SB_RDONLY when mounting nfs"
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 178/554] Revert "nfs: clear SB_RDONLY before getting superblock" Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 180/554] fs_context: drop the unused lsm_flags member Greg Kroah-Hartman
` (380 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alkis Georgopoulos, Li Lingfeng,
Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit d4a26d34f1946142f9d32e540490e4926ae9a46b ]
This reverts commit 52cb7f8f177878b4f22397b9c4d2c8f743766be3.
Silently ignoring the "ro" and "rw" mount options causes user confusion,
and regressions.
Reported-by: Alkis Georgopoulos<alkisg@gmail.com>
Cc: Li Lingfeng <lilingfeng3@huawei.com>
Fixes: 52cb7f8f1778 ("nfs: ignore SB_RDONLY when mounting nfs")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/internal.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/internal.h b/fs/nfs/internal.h
index 00066057b1415..fc0a34e488617 100644
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -11,7 +11,7 @@
#include <linux/nfs_page.h>
#include <linux/wait_bit.h>
-#define NFS_SB_MASK (SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS)
+#define NFS_SB_MASK (SB_RDONLY|SB_NOSUID|SB_NODEV|SB_NOEXEC|SB_SYNCHRONOUS)
extern const struct export_operations nfs_export_ops;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 180/554] fs_context: drop the unused lsm_flags member
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 179/554] Revert "nfs: ignore SB_RDONLY when mounting nfs" Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 181/554] NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags Greg Kroah-Hartman
` (379 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ondrej Mosnacek,
Christian Brauner (Microsoft), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
[ Upstream commit 4e04143c869c5b6d499fbd5083caa860d5c942c3 ]
This isn't ever used by VFS now, and it couldn't even work. Any FS that
uses the SECURITY_LSM_NATIVE_LABELS flag needs to also process the
value returned back from the LSM, so it needs to do its
security_sb_set_mnt_opts() call on its own anyway.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Stable-dep-of: 8675c69816e4 ("NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/filesystems/mount_api.rst | 1 -
fs/nfs/super.c | 3 ---
include/linux/fs_context.h | 1 -
include/linux/security.h | 2 +-
4 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/Documentation/filesystems/mount_api.rst b/Documentation/filesystems/mount_api.rst
index 12e30da6a511c..1dc90a83b5fd0 100644
--- a/Documentation/filesystems/mount_api.rst
+++ b/Documentation/filesystems/mount_api.rst
@@ -79,7 +79,6 @@ context. This is represented by the fs_context structure::
unsigned int sb_flags;
unsigned int sb_flags_mask;
unsigned int s_iflags;
- unsigned int lsm_flags;
enum fs_context_purpose purpose:8;
...
};
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index f91cb1267b44e..0faed67d61bde 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1280,9 +1280,6 @@ int nfs_get_tree_common(struct fs_context *fc)
if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS)
fc->sb_flags |= SB_SYNCHRONOUS;
- if (server->caps & NFS_CAP_SECURITY_LABEL)
- fc->lsm_flags |= SECURITY_LSM_NATIVE_LABELS;
-
/* Get a superblock - note that we may end up sharing one that already exists */
fc->s_fs_info = server;
s = sget_fc(fc, compare_super, nfs_set_super);
diff --git a/include/linux/fs_context.h b/include/linux/fs_context.h
index c861b2c894ba3..0b386c5c03342 100644
--- a/include/linux/fs_context.h
+++ b/include/linux/fs_context.h
@@ -104,7 +104,6 @@ struct fs_context {
unsigned int sb_flags; /* Proposed superblock flags (SB_*) */
unsigned int sb_flags_mask; /* Superblock flags that were changed */
unsigned int s_iflags; /* OR'd with sb->s_iflags */
- unsigned int lsm_flags; /* Information flags from the fs to the LSM */
enum fs_context_purpose purpose:8;
enum fs_context_phase phase:8; /* The phase the context is in */
bool need_free:1; /* Need to call ops->free() */
diff --git a/include/linux/security.h b/include/linux/security.h
index 946fa58eb05a4..95102b9f75c98 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -67,7 +67,7 @@ struct watch_notification;
/* If capable is being called by a setid function */
#define CAP_OPT_INSETID BIT(2)
-/* LSM Agnostic defines for fs_context::lsm_flags */
+/* LSM Agnostic defines for security_sb_set_mnt_opts() flags */
#define SECURITY_LSM_NATIVE_LABELS 1
struct ctl_table;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 181/554] NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 180/554] fs_context: drop the unused lsm_flags member Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 182/554] fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() Greg Kroah-Hartman
` (378 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Trond Myklebust,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 8675c69816e4276b979ff475ee5fac4688f80125 ]
When a filesystem is being automounted, it needs to preserve the
user-set superblock mount options, such as the "ro" flag.
Reported-by: Li Lingfeng <lilingfeng3@huawei.com>
Link: https://lore.kernel.org/all/20240604112636.236517-3-lilingfeng@huaweicloud.com/
Fixes: f2aedb713c28 ("NFS: Add fs_context support.")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/namespace.c | 6 ++++++
fs/nfs/super.c | 4 ----
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index 565421c6682ed..8fb570fd376a1 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -149,6 +149,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
struct vfsmount *mnt = ERR_PTR(-ENOMEM);
struct nfs_server *server = NFS_SB(path->dentry->d_sb);
struct nfs_client *client = server->nfs_client;
+ unsigned long s_flags = path->dentry->d_sb->s_flags;
int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout);
int ret;
@@ -174,6 +175,11 @@ struct vfsmount *nfs_d_automount(struct path *path)
fc->net_ns = get_net(client->cl_net);
}
+ /* Inherit the flags covered by NFS_SB_MASK */
+ fc->sb_flags_mask |= NFS_SB_MASK;
+ fc->sb_flags &= ~NFS_SB_MASK;
+ fc->sb_flags |= s_flags & NFS_SB_MASK;
+
/* for submounts we want the same server; referrals will reassign */
memcpy(&ctx->nfs_server.address, &client->cl_addr, client->cl_addrlen);
ctx->nfs_server.addrlen = client->cl_addrlen;
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 0faed67d61bde..d9d6f055771a9 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -1276,10 +1276,6 @@ int nfs_get_tree_common(struct fs_context *fc)
if (server->flags & NFS_MOUNT_NOAC)
fc->sb_flags |= SB_SYNCHRONOUS;
- if (ctx->clone_data.sb)
- if (ctx->clone_data.sb->s_flags & SB_SYNCHRONOUS)
- fc->sb_flags |= SB_SYNCHRONOUS;
-
/* Get a superblock - note that we may end up sharing one that already exists */
fc->s_fs_info = server;
s = sget_fc(fc, compare_super, nfs_set_super);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 182/554] fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 181/554] NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 183/554] platform/x86: asus-wmi: use brightness_set_blocking() for kbd led Greg Kroah-Hartman
` (377 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Armin Wolf,
Ilpo Järvinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit c36f9d7b2869a003a2f7d6ff2c6bac9e62fd7d68 ]
After commit 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion"),
the return values of utf8_to_utf32() and utf32_to_utf8() are
inconsistent when encountering an error: utf8_to_utf32() returns -1,
while utf32_to_utf8() returns errno codes. Fix this inconsistency
by modifying utf8_to_utf32() to return errno codes as well.
Fixes: 25524b619029 ("fs/nls: Fix utf16 to utf8 conversion")
Suggested-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20251129111535.8984-1-W_Armin@gmx.de
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nls/nls_base.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
index 7eacded3c17d1..f072eb6b563f6 100644
--- a/fs/nls/nls_base.c
+++ b/fs/nls/nls_base.c
@@ -67,19 +67,22 @@ int utf8_to_utf32(const u8 *s, int inlen, unicode_t *pu)
l &= t->lmask;
if (l < t->lval || l > UNICODE_MAX ||
(l & SURROGATE_MASK) == SURROGATE_PAIR)
- return -1;
+ return -EILSEQ;
+
*pu = (unicode_t) l;
return nc;
}
if (inlen <= nc)
- return -1;
+ return -EOVERFLOW;
+
s++;
c = (*s ^ 0x80) & 0xFF;
if (c & 0xC0)
- return -1;
+ return -EILSEQ;
+
l = (l << 6) | c;
}
- return -1;
+ return -EILSEQ;
}
EXPORT_SYMBOL(utf8_to_utf32);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 183/554] platform/x86: asus-wmi: use brightness_set_blocking() for kbd led
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 182/554] fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 184/554] ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure() Greg Kroah-Hartman
` (376 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Khirnov, Andy Shevchenko,
Denis Benato, Ilpo Järvinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Khirnov <anton@khirnov.net>
[ Upstream commit ccb61a328321ba3f8567e350664c9ca7a42b6c70 ]
kbd_led_set() can sleep, and so may not be used as the brightness_set()
callback.
Otherwise using this led with a trigger leads to system hangs
accompanied by:
BUG: scheduling while atomic: acpi_fakekeyd/2588/0x00000003
CPU: 4 UID: 0 PID: 2588 Comm: acpi_fakekeyd Not tainted 6.17.9+deb14-amd64 #1 PREEMPT(lazy) Debian 6.17.9-1
Hardware name: ASUSTeK COMPUTER INC. ASUS EXPERTBOOK B9403CVAR/B9403CVAR, BIOS B9403CVAR.311 12/24/2024
Call Trace:
<TASK>
[...]
schedule_timeout+0xbd/0x100
__down_common+0x175/0x290
down_timeout+0x67/0x70
acpi_os_wait_semaphore+0x57/0x90
[...]
asus_wmi_evaluate_method3+0x87/0x190 [asus_wmi]
led_trigger_event+0x3f/0x60
[...]
Fixes: 9fe44fc98ce4 ("platform/x86: asus-wmi: Simplify the keyboard brightness updating process")
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Denis Benato <benato.denis96@gmail.com>
Link: https://patch.msgid.link/20251129101307.18085-3-anton@khirnov.net
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/asus-wmi.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
index d9933d3718129..7714a8327021f 100644
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -822,14 +822,14 @@ static void do_kbd_led_set(struct led_classdev *led_cdev, int value)
kbd_led_update(asus);
}
-static void kbd_led_set(struct led_classdev *led_cdev,
- enum led_brightness value)
+static int kbd_led_set(struct led_classdev *led_cdev, enum led_brightness value)
{
/* Prevent disabling keyboard backlight on module unregister */
if (led_cdev->flags & LED_UNREGISTERING)
- return;
+ return 0;
do_kbd_led_set(led_cdev, value);
+ return 0;
}
static void kbd_led_set_by_kbd(struct asus_wmi *asus, enum led_brightness value)
@@ -966,7 +966,7 @@ static int asus_wmi_led_init(struct asus_wmi *asus)
asus->kbd_led_wk = led_val;
asus->kbd_led.name = "asus::kbd_backlight";
asus->kbd_led.flags = LED_BRIGHT_HW_CHANGED;
- asus->kbd_led.brightness_set = kbd_led_set;
+ asus->kbd_led.brightness_set_blocking = kbd_led_set;
asus->kbd_led.brightness_get = kbd_led_get;
asus->kbd_led.max_brightness = 3;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 184/554] ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 183/554] platform/x86: asus-wmi: use brightness_set_blocking() for kbd led Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 185/554] ASoC: ak4458: Disable regulator when error happens Greg Kroah-Hartman
` (375 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 0ebbd45c33d0049ebf5a22c1434567f0c420b333 ]
bcm63xx_soc_pcm_new() does not check the return value of
of_dma_configure(), which may fail with -EPROBE_DEFER or
other errors, allowing PCM setup to continue with incomplete
DMA configuration.
Add error checking for of_dma_configure() and return on failure.
Fixes: 88eb404ccc3e ("ASoC: brcm: Add DSL/PON SoC audio driver")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251202101642.492-1-vulab@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/bcm/bcm63xx-pcm-whistler.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/soc/bcm/bcm63xx-pcm-whistler.c b/sound/soc/bcm/bcm63xx-pcm-whistler.c
index b5096f64c576e..456aacc59e507 100644
--- a/sound/soc/bcm/bcm63xx-pcm-whistler.c
+++ b/sound/soc/bcm/bcm63xx-pcm-whistler.c
@@ -353,7 +353,9 @@ static int bcm63xx_soc_pcm_new(struct snd_soc_component *component,
i2s_priv = dev_get_drvdata(asoc_rtd_to_cpu(rtd, 0)->dev);
- of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
+ ret = of_dma_configure(pcm->card->dev, pcm->card->dev->of_node, 1);
+ if (ret)
+ return ret;
ret = dma_coerce_mask_and_coherent(pcm->card->dev, DMA_BIT_MASK(32));
if (ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 185/554] ASoC: ak4458: Disable regulator when error happens
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 184/554] ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 186/554] ASoC: ak5558: " Greg Kroah-Hartman
` (374 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit ae585fabb9713a43e358cf606451386757225c95 ]
Disable regulator in runtime resume when error happens to balance
the reference count of regulator.
Fixes: 7e3096e8f823 ("ASoC: ak4458: Add regulator support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20251203100529.3841203-2-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/ak4458.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/ak4458.c b/sound/soc/codecs/ak4458.c
index 29eb78702bf35..1c179df6f0926 100644
--- a/sound/soc/codecs/ak4458.c
+++ b/sound/soc/codecs/ak4458.c
@@ -709,7 +709,15 @@ static int __maybe_unused ak4458_runtime_resume(struct device *dev)
regcache_cache_only(ak4458->regmap, false);
regcache_mark_dirty(ak4458->regmap);
- return regcache_sync(ak4458->regmap);
+ ret = regcache_sync(ak4458->regmap);
+ if (ret)
+ goto err;
+
+ return 0;
+err:
+ regcache_cache_only(ak4458->regmap, true);
+ regulator_bulk_disable(ARRAY_SIZE(ak4458->supplies), ak4458->supplies);
+ return ret;
}
#endif /* CONFIG_PM */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 186/554] ASoC: ak5558: Disable regulator when error happens
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 185/554] ASoC: ak4458: Disable regulator when error happens Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 187/554] blk-mq: Abort suspend when wakeup events are pending Greg Kroah-Hartman
` (373 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
[ Upstream commit 1f8f726a2a29c28f65b30880335a1610c5e63594 ]
Disable regulator in runtime resume when error happens to balance
the reference count of regulator.
Fixes: 2ff6d5a108c6 ("ASoC: ak5558: Add regulator support")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20251203100529.3841203-3-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/ak5558.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/ak5558.c b/sound/soc/codecs/ak5558.c
index 37d4600b6f2c2..ba32cef2bf8ad 100644
--- a/sound/soc/codecs/ak5558.c
+++ b/sound/soc/codecs/ak5558.c
@@ -372,7 +372,15 @@ static int __maybe_unused ak5558_runtime_resume(struct device *dev)
regcache_cache_only(ak5558->regmap, false);
regcache_mark_dirty(ak5558->regmap);
- return regcache_sync(ak5558->regmap);
+ ret = regcache_sync(ak5558->regmap);
+ if (ret)
+ goto err;
+
+ return 0;
+err:
+ regcache_cache_only(ak5558->regmap, true);
+ regulator_bulk_disable(ARRAY_SIZE(ak5558->supplies), ak5558->supplies);
+ return ret;
}
static const struct dev_pm_ops ak5558_pm = {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 187/554] blk-mq: Abort suspend when wakeup events are pending
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 186/554] ASoC: ak5558: " Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 188/554] block: fix comment for op_is_zone_mgmt() to include RESET_ALL Greg Kroah-Hartman
` (372 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Cong Zhang, Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Zhang <cong.zhang@oss.qualcomm.com>
[ Upstream commit c196bf43d706592d8801a7513603765080e495fb ]
During system suspend, wakeup capable IRQs for block device can be
delayed, which can cause blk_mq_hctx_notify_offline() to hang
indefinitely while waiting for pending request to complete.
Skip the request waiting loop and abort suspend when wakeup events are
pending to prevent the deadlock.
Fixes: bf0beec0607d ("blk-mq: drain I/O when all CPUs in a hctx are offline")
Signed-off-by: Cong Zhang <cong.zhang@oss.qualcomm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 46cb802cfcf05..48827708200b3 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -23,6 +23,7 @@
#include <linux/sched/sysctl.h>
#include <linux/sched/topology.h>
#include <linux/sched/signal.h>
+#include <linux/suspend.h>
#include <linux/delay.h>
#include <linux/crash_dump.h>
#include <linux/prefetch.h>
@@ -2585,6 +2586,7 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
{
struct blk_mq_hw_ctx *hctx = hlist_entry_safe(node,
struct blk_mq_hw_ctx, cpuhp_online);
+ int ret = 0;
if (!cpumask_test_cpu(cpu, hctx->cpumask) ||
!blk_mq_last_cpu_in_hctx(cpu, hctx))
@@ -2606,12 +2608,24 @@ static int blk_mq_hctx_notify_offline(unsigned int cpu, struct hlist_node *node)
* frozen and there are no requests.
*/
if (percpu_ref_tryget(&hctx->queue->q_usage_counter)) {
- while (blk_mq_hctx_has_requests(hctx))
+ while (blk_mq_hctx_has_requests(hctx)) {
+ /*
+ * The wakeup capable IRQ handler of block device is
+ * not called during suspend. Skip the loop by checking
+ * pm_wakeup_pending to prevent the deadlock and improve
+ * suspend latency.
+ */
+ if (pm_wakeup_pending()) {
+ clear_bit(BLK_MQ_S_INACTIVE, &hctx->state);
+ ret = -EBUSY;
+ break;
+ }
msleep(5);
+ }
percpu_ref_put(&hctx->queue->q_usage_counter);
}
- return 0;
+ return ret;
}
static int blk_mq_hctx_notify_online(unsigned int cpu, struct hlist_node *node)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 188/554] block: fix comment for op_is_zone_mgmt() to include RESET_ALL
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 187/554] blk-mq: Abort suspend when wakeup events are pending Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 189/554] dma/pool: eliminate alloc_pages warning in atomic_pool_expand Greg Kroah-Hartman
` (371 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, shechenglong, Damien Le Moal,
Johannes Thumshirn, Jens Axboe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: shechenglong <shechenglong@xfusion.com>
[ Upstream commit 8a32282175c964eb15638e8dfe199fc13c060f67 ]
REQ_OP_ZONE_RESET_ALL is a zone management request, and op_is_zone_mgmt()
has returned true for it.
Update the comment to remove the misleading exception note so
the documentation matches the implementation.
Fixes: 12a1c9353c47 ("block: fix op_is_zone_mgmt() to handle REQ_OP_ZONE_RESET_ALL")
Signed-off-by: shechenglong <shechenglong@xfusion.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/blk_types.h | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h
index 2d21af10a9df9..a9e554ef3c4a8 100644
--- a/include/linux/blk_types.h
+++ b/include/linux/blk_types.h
@@ -472,10 +472,7 @@ static inline bool op_is_discard(unsigned int op)
}
/*
- * Check if a bio or request operation is a zone management operation, with
- * the exception of REQ_OP_ZONE_RESET_ALL which is treated as a special case
- * due to its different handling in the block layer and device response in
- * case of command failure.
+ * Check if a bio or request operation is a zone management operation.
*/
static inline bool op_is_zone_mgmt(enum req_opf op)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 189/554] dma/pool: eliminate alloc_pages warning in atomic_pool_expand
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 188/554] block: fix comment for op_is_zone_mgmt() to include RESET_ALL Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 190/554] ALSA: uapi: Fix typo in asound.h comment Greg Kroah-Hartman
` (370 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Kleikamp, Robin Murphy,
Marek Szyprowski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Kleikamp <dave.kleikamp@oracle.com>
[ Upstream commit 463d439becb81383f3a5a5d840800131f265a09c ]
atomic_pool_expand iteratively tries the allocation while decrementing
the page order. There is no need to issue a warning if an attempted
allocation fails.
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone")
[mszyprow: fixed typo]
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: https://lore.kernel.org/r/20251202152810.142370-1-dave.kleikamp@oracle.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/dma/pool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/dma/pool.c b/kernel/dma/pool.c
index 37d3ddd36ae5b..1e9d4cb018693 100644
--- a/kernel/dma/pool.c
+++ b/kernel/dma/pool.c
@@ -93,7 +93,7 @@ static int atomic_pool_expand(struct gen_pool *pool, size_t pool_size,
page = dma_alloc_from_contiguous(NULL, 1 << order,
order, false);
if (!page)
- page = alloc_pages(gfp, order);
+ page = alloc_pages(gfp | __GFP_NOWARN, order);
} while (!page && order-- > 0);
if (!page)
goto out;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 190/554] ALSA: uapi: Fix typo in asound.h comment
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 189/554] dma/pool: eliminate alloc_pages warning in atomic_pool_expand Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 191/554] ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad() Greg Kroah-Hartman
` (369 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andres J Rosa, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andres J Rosa <andyrosa@gmail.com>
[ Upstream commit 9a97857db0c5655b8932f86b5d18bb959079b0ee ]
Fix 'level-shit' to 'level-shift' in struct snd_cea_861_aud_if comment.
Fixes: 7ba1c40b536e ("ALSA: Add definitions for CEA-861 Audio InfoFrames")
Signed-off-by: Andres J Rosa <andyrosa@gmail.com>
Link: https://patch.msgid.link/20251203162509.1822-1-andyrosa@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/sound/asound.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/sound/asound.h b/include/uapi/sound/asound.h
index 93e40f91bd49a..6b9d4e0befa9d 100644
--- a/include/uapi/sound/asound.h
+++ b/include/uapi/sound/asound.h
@@ -76,7 +76,7 @@ struct snd_cea_861_aud_if {
unsigned char db2_sf_ss; /* sample frequency and size */
unsigned char db3; /* not used, all zeros */
unsigned char db4_ca; /* channel allocation code */
- unsigned char db5_dminh_lsv; /* downmix inhibit & level-shit values */
+ unsigned char db5_dminh_lsv; /* downmix inhibit & level-shift values */
};
/****************************************************************************
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 191/554] ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 190/554] ALSA: uapi: Fix typo in asound.h comment Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 192/554] dm-raid: fix possible NULL dereference with undefined raid type Greg Kroah-Hartman
` (368 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xie Yuanbin, Liyuan Pang,
Russell King (Oracle), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liyuan Pang <pangliyuan1@huawei.com>
[ Upstream commit edb924a7211c9aa7a4a415e03caee4d875e46b8e ]
In the inline assembly inside load_unaligned_zeropad(), the "addr" is
constrained as input-only operand. The compiler assumes that on exit
from the asm statement these operands contain the same values as they
had before executing the statement, but when kernel page fault happened, the assembly fixup code "bic %2 %2, #0x3" modify the value of "addr", which may lead to an unexpected behavior.
Use a temporary variable "tmp" to handle it, instead of modifying the
input-only operand, just like what arm64's load_unaligned_zeropad()
does.
Fixes: b9a50f74905a ("ARM: 7450/1: dcache: select DCACHE_WORD_ACCESS for little-endian ARMv6+ CPUs")
Co-developed-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Signed-off-by: Xie Yuanbin <xieyuanbin1@huawei.com>
Signed-off-by: Liyuan Pang <pangliyuan1@huawei.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/include/asm/word-at-a-time.h | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm/include/asm/word-at-a-time.h b/arch/arm/include/asm/word-at-a-time.h
index 352ab213520d2..2e6d0b4349f47 100644
--- a/arch/arm/include/asm/word-at-a-time.h
+++ b/arch/arm/include/asm/word-at-a-time.h
@@ -66,7 +66,7 @@ static inline unsigned long find_zero(unsigned long mask)
*/
static inline unsigned long load_unaligned_zeropad(const void *addr)
{
- unsigned long ret, offset;
+ unsigned long ret, tmp;
/* Load word from unaligned pointer addr */
asm(
@@ -74,9 +74,9 @@ static inline unsigned long load_unaligned_zeropad(const void *addr)
"2:\n"
" .pushsection .text.fixup,\"ax\"\n"
" .align 2\n"
- "3: and %1, %2, #0x3\n"
- " bic %2, %2, #0x3\n"
- " ldr %0, [%2]\n"
+ "3: bic %1, %2, #0x3\n"
+ " ldr %0, [%1]\n"
+ " and %1, %2, #0x3\n"
" lsl %1, %1, #0x3\n"
#ifndef __ARMEB__
" lsr %0, %0, %1\n"
@@ -89,7 +89,7 @@ static inline unsigned long load_unaligned_zeropad(const void *addr)
" .align 3\n"
" .long 1b, 3b\n"
" .popsection"
- : "=&r" (ret), "=&r" (offset)
+ : "=&r" (ret), "=&r" (tmp)
: "r" (addr), "Qo" (*(unsigned long *)addr));
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 192/554] dm-raid: fix possible NULL dereference with undefined raid type
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 191/554] ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 193/554] dm log-writes: Add missing set_freezable() for freezable kthread Greg Kroah-Hartman
` (367 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Simakov, Mikulas Patocka,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Simakov <bigalex934@gmail.com>
[ Upstream commit 2f6cfd6d7cb165a7af8877b838a9f6aab4159324 ]
rs->raid_type is assigned from get_raid_type_by_ll(), which may return
NULL. This NULL value could be dereferenced later in the condition
'if (!(rs_is_raid10(rs) && rt_is_raid0(rs->raid_type)))'.
Add a fail-fast check to return early with an error if raid_type is NULL,
similar to other uses of this function.
Found by Linux Verification Center (linuxtesting.org) with Svace.
Fixes: 33e53f06850f ("dm raid: introduce extended superblock and new raid types to support takeover/reshaping")
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-raid.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
index 8f02fa6d3301f..d4a44dca33fd5 100644
--- a/drivers/md/dm-raid.c
+++ b/drivers/md/dm-raid.c
@@ -2259,6 +2259,8 @@ static int super_init_validation(struct raid_set *rs, struct md_rdev *rdev)
mddev->reshape_position = le64_to_cpu(sb->reshape_position);
rs->raid_type = get_raid_type_by_ll(mddev->level, mddev->layout);
+ if (!rs->raid_type)
+ return -EINVAL;
}
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 193/554] dm log-writes: Add missing set_freezable() for freezable kthread
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 192/554] dm-raid: fix possible NULL dereference with undefined raid type Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 194/554] efi/cper: Add a new helper function to print bitmasks Greg Kroah-Hartman
` (366 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Benjamin Marzinski,
Mikulas Patocka, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit ab08f9c8b363297cafaf45475b08f78bf19b88ef ]
The log_writes_kthread() calls try_to_freeze() but lacks set_freezable(),
rendering the freeze attempt ineffective since kernel threads are
non-freezable by default. This prevents proper thread suspension during
system suspend/hibernate.
Add set_freezable() to explicitly mark the thread as freezable.
Fixes: 0e9cebe72459 ("dm: add log writes target")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/dm-log-writes.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/dm-log-writes.c b/drivers/md/dm-log-writes.c
index d93a4db235124..d9e17fd5fe764 100644
--- a/drivers/md/dm-log-writes.c
+++ b/drivers/md/dm-log-writes.c
@@ -454,6 +454,7 @@ static int log_writes_kthread(void *arg)
struct log_writes_c *lc = (struct log_writes_c *)arg;
sector_t sector = 0;
+ set_freezable();
while (!kthread_should_stop()) {
bool super = false;
bool logging_enabled;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 194/554] efi/cper: Add a new helper function to print bitmasks
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 193/554] dm log-writes: Add missing set_freezable() for freezable kthread Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 195/554] efi/cper: Adjust infopfx size to accept an extra space Greg Kroah-Hartman
` (365 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Cameron,
Mauro Carvalho Chehab, Borislav Petkov (AMD), Ard Biesheuvel,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
[ Upstream commit a976d790f49499ccaa0f991788ad8ebf92e7fd5c ]
Add a helper function to print a string with names associated
to each bit field.
A typical example is:
const char * const bits[] = {
"bit 3 name",
"bit 4 name",
"bit 5 name",
};
char str[120];
unsigned int bitmask = BIT(3) | BIT(5);
#define MASK GENMASK(5,3)
cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
bits, ARRAY_SIZE(bits));
The above code fills string "str" with "bit 3 name|bit 5 name".
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/cper.c | 60 +++++++++++++++++++++++++++++++++++++
include/linux/cper.h | 2 ++
2 files changed, 62 insertions(+)
diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
index 6ec8edec63296..d0668452dca9e 100644
--- a/drivers/firmware/efi/cper.c
+++ b/drivers/firmware/efi/cper.c
@@ -12,6 +12,7 @@
* Specification version 2.4.
*/
+#include <linux/bitmap.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/time.h>
@@ -105,6 +106,65 @@ void cper_print_bits(const char *pfx, unsigned int bits,
printk("%s\n", buf);
}
+/**
+ * cper_bits_to_str - return a string for set bits
+ * @buf: buffer to store the output string
+ * @buf_size: size of the output string buffer
+ * @bits: bit mask
+ * @strs: string array, indexed by bit position
+ * @strs_size: size of the string array: @strs
+ *
+ * Add to @buf the bitmask in hexadecimal. Then, for each set bit in @bits,
+ * add the corresponding string describing the bit in @strs to @buf.
+ *
+ * A typical example is::
+ *
+ * const char * const bits[] = {
+ * "bit 3 name",
+ * "bit 4 name",
+ * "bit 5 name",
+ * };
+ * char str[120];
+ * unsigned int bitmask = BIT(3) | BIT(5);
+ * #define MASK GENMASK(5,3)
+ *
+ * cper_bits_to_str(str, sizeof(str), FIELD_GET(MASK, bitmask),
+ * bits, ARRAY_SIZE(bits));
+ *
+ * The above code fills the string ``str`` with ``bit 3 name|bit 5 name``.
+ *
+ * Return: number of bytes stored or an error code if lower than zero.
+ */
+int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
+ const char * const strs[], unsigned int strs_size)
+{
+ int len = buf_size;
+ char *str = buf;
+ int i, size;
+
+ *buf = '\0';
+
+ for_each_set_bit(i, &bits, strs_size) {
+ if (!(bits & BIT_ULL(i)))
+ continue;
+
+ if (*buf && len > 0) {
+ *str = '|';
+ len--;
+ str++;
+ }
+
+ size = strscpy(str, strs[i], len);
+ if (size < 0)
+ return size;
+
+ len -= size;
+ str += size;
+ }
+ return len - buf_size;
+}
+EXPORT_SYMBOL_GPL(cper_bits_to_str);
+
static const char * const proc_type_strs[] = {
"IA32/X64",
"IA64",
diff --git a/include/linux/cper.h b/include/linux/cper.h
index 6a511a1078ca0..724a5e3c122d6 100644
--- a/include/linux/cper.h
+++ b/include/linux/cper.h
@@ -560,6 +560,8 @@ const char *cper_severity_str(unsigned int);
const char *cper_mem_err_type_str(unsigned int);
void cper_print_bits(const char *prefix, unsigned int bits,
const char * const strs[], unsigned int strs_size);
+int cper_bits_to_str(char *buf, int buf_size, unsigned long bits,
+ const char * const strs[], unsigned int strs_size);
void cper_mem_err_pack(const struct cper_sec_mem_err *,
struct cper_mem_err_compact *);
const char *cper_mem_err_unpack(struct trace_seq *,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 195/554] efi/cper: Adjust infopfx size to accept an extra space
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 194/554] efi/cper: Add a new helper function to print bitmasks Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 196/554] efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs Greg Kroah-Hartman
` (364 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mauro Carvalho Chehab,
Jonathan Cameron, Borislav Petkov (AMD), Ard Biesheuvel,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
[ Upstream commit 8ad2c72e21efb3dc76c5b14089fa7984cdd87898 ]
Compiling with W=1 with werror enabled produces an error:
drivers/firmware/efi/cper-arm.c: In function ‘cper_print_proc_arm’:
drivers/firmware/efi/cper-arm.c:298:64: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=]
298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
| ^
drivers/firmware/efi/cper-arm.c:298:25: note: ‘snprintf’ output between 2 and 65 bytes into a destination of size 64
298 | snprintf(infopfx, sizeof(infopfx), "%s ", newpfx);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As the logic there adds an space at the end of infopx buffer.
Add an extra space to avoid such warning.
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/cper-arm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
index 36d3b8b9da47e..f4b7a48327fbb 100644
--- a/drivers/firmware/efi/cper-arm.c
+++ b/drivers/firmware/efi/cper-arm.c
@@ -241,7 +241,7 @@ void cper_print_proc_arm(const char *pfx,
int i, len, max_ctx_type;
struct cper_arm_err_info *err_info;
struct cper_arm_ctx_info *ctx_info;
- char newpfx[64], infopfx[64];
+ char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 196/554] efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 195/554] efi/cper: Adjust infopfx size to accept an extra space Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 197/554] ocfs2: fix memory leak in ocfs2_merge_rec_left() Greg Kroah-Hartman
` (363 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mauro Carvalho Chehab,
Jonathan Cameron, Borislav Petkov (AMD), Ard Biesheuvel,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
[ Upstream commit 96b010536ee020e716d28d9b359a4bcd18800aeb ]
Up to UEFI spec 2.9, the type byte of CPER struct for ARM processor
was defined simply as:
Type at byte offset 4:
- Cache error
- TLB Error
- Bus Error
- Micro-architectural Error
All other values are reserved
Yet, there was no information about how this would be encoded.
Spec 2.9A errata corrected it by defining:
- Bit 1 - Cache Error
- Bit 2 - TLB Error
- Bit 3 - Bus Error
- Bit 4 - Micro-architectural Error
All other values are reserved
That actually aligns with the values already defined on older
versions at N.2.4.1. Generic Processor Error Section.
Spec 2.10 also preserve the same encoding as 2.9A.
Adjust CPER and GHES handling code for both generic and ARM
processors to properly handle UEFI 2.9A and 2.10 encoding.
Link: https://uefi.org/specs/UEFI/2.10/Apx_N_Common_Platform_Error_Record.html#arm-processor-error-information
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/apei/ghes.c | 16 +++++++----
drivers/firmware/efi/cper-arm.c | 50 ++++++++++++++++-----------------
include/linux/cper.h | 10 +++----
3 files changed, 39 insertions(+), 37 deletions(-)
diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index 250ea9ec5f0c2..bdb23ca251e23 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -22,6 +22,7 @@
#include <linux/moduleparam.h>
#include <linux/init.h>
#include <linux/acpi.h>
+#include <linux/bitfield.h>
#include <linux/io.h>
#include <linux/interrupt.h>
#include <linux/timer.h>
@@ -500,6 +501,7 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
{
struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata);
int flags = sync ? MF_ACTION_REQUIRED : 0;
+ char error_type[120];
bool queued = false;
int sec_sev, i;
char *p;
@@ -513,9 +515,8 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
p = (char *)(err + 1);
for (i = 0; i < err->err_info_num; i++) {
struct cper_arm_err_info *err_info = (struct cper_arm_err_info *)p;
- bool is_cache = (err_info->type == CPER_ARM_CACHE_ERROR);
+ bool is_cache = err_info->type & CPER_ARM_CACHE_ERROR;
bool has_pa = (err_info->validation_bits & CPER_ARM_INFO_VALID_PHYSICAL_ADDR);
- const char *error_type = "unknown error";
/*
* The field (err_info->error_info & BIT(26)) is fixed to set to
@@ -529,12 +530,15 @@ static bool ghes_handle_arm_hw_error(struct acpi_hest_generic_data *gdata,
continue;
}
- if (err_info->type < ARRAY_SIZE(cper_proc_error_type_strs))
- error_type = cper_proc_error_type_strs[err_info->type];
+ cper_bits_to_str(error_type, sizeof(error_type),
+ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
+ cper_proc_error_type_strs,
+ ARRAY_SIZE(cper_proc_error_type_strs));
pr_warn_ratelimited(FW_WARN GHES_PFX
- "Unhandled processor error type: %s\n",
- error_type);
+ "Unhandled processor error type 0x%02x: %s%s\n",
+ err_info->type, error_type,
+ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
p += err_info->length;
}
diff --git a/drivers/firmware/efi/cper-arm.c b/drivers/firmware/efi/cper-arm.c
index f4b7a48327fbb..ea43589944ba5 100644
--- a/drivers/firmware/efi/cper-arm.c
+++ b/drivers/firmware/efi/cper-arm.c
@@ -94,15 +94,11 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
bool proc_context_corrupt, corrected, precise_pc, restartable_pc;
bool time_out, access_mode;
- /* If the type is unknown, bail. */
- if (type > CPER_ARM_MAX_TYPE)
- return;
-
/*
* Vendor type errors have error information values that are vendor
* specific.
*/
- if (type == CPER_ARM_VENDOR_ERROR)
+ if (type & CPER_ARM_VENDOR_ERROR)
return;
if (error_info & CPER_ARM_ERR_VALID_TRANSACTION_TYPE) {
@@ -117,43 +113,38 @@ static void cper_print_arm_err_info(const char *pfx, u32 type,
if (error_info & CPER_ARM_ERR_VALID_OPERATION_TYPE) {
op_type = ((error_info >> CPER_ARM_ERR_OPERATION_SHIFT)
& CPER_ARM_ERR_OPERATION_MASK);
- switch (type) {
- case CPER_ARM_CACHE_ERROR:
+ if (type & CPER_ARM_CACHE_ERROR) {
if (op_type < ARRAY_SIZE(arm_cache_err_op_strs)) {
- printk("%soperation type: %s\n", pfx,
+ printk("%scache error, operation type: %s\n", pfx,
arm_cache_err_op_strs[op_type]);
}
- break;
- case CPER_ARM_TLB_ERROR:
+ }
+ if (type & CPER_ARM_TLB_ERROR) {
if (op_type < ARRAY_SIZE(arm_tlb_err_op_strs)) {
- printk("%soperation type: %s\n", pfx,
+ printk("%sTLB error, operation type: %s\n", pfx,
arm_tlb_err_op_strs[op_type]);
}
- break;
- case CPER_ARM_BUS_ERROR:
+ }
+ if (type & CPER_ARM_BUS_ERROR) {
if (op_type < ARRAY_SIZE(arm_bus_err_op_strs)) {
- printk("%soperation type: %s\n", pfx,
+ printk("%sbus error, operation type: %s\n", pfx,
arm_bus_err_op_strs[op_type]);
}
- break;
}
}
if (error_info & CPER_ARM_ERR_VALID_LEVEL) {
level = ((error_info >> CPER_ARM_ERR_LEVEL_SHIFT)
& CPER_ARM_ERR_LEVEL_MASK);
- switch (type) {
- case CPER_ARM_CACHE_ERROR:
+ if (type & CPER_ARM_CACHE_ERROR)
printk("%scache level: %d\n", pfx, level);
- break;
- case CPER_ARM_TLB_ERROR:
+
+ if (type & CPER_ARM_TLB_ERROR)
printk("%sTLB level: %d\n", pfx, level);
- break;
- case CPER_ARM_BUS_ERROR:
+
+ if (type & CPER_ARM_BUS_ERROR)
printk("%saffinity level at which the bus error occurred: %d\n",
pfx, level);
- break;
- }
}
if (error_info & CPER_ARM_ERR_VALID_PROC_CONTEXT_CORRUPT) {
@@ -242,6 +233,7 @@ void cper_print_proc_arm(const char *pfx,
struct cper_arm_err_info *err_info;
struct cper_arm_ctx_info *ctx_info;
char newpfx[64], infopfx[ARRAY_SIZE(newpfx) + 1];
+ char error_type[120];
printk("%sMIDR: 0x%016llx\n", pfx, proc->midr);
@@ -290,9 +282,15 @@ void cper_print_proc_arm(const char *pfx,
newpfx);
}
- printk("%serror_type: %d, %s\n", newpfx, err_info->type,
- err_info->type < ARRAY_SIZE(cper_proc_error_type_strs) ?
- cper_proc_error_type_strs[err_info->type] : "unknown");
+ cper_bits_to_str(error_type, sizeof(error_type),
+ FIELD_GET(CPER_ARM_ERR_TYPE_MASK, err_info->type),
+ cper_proc_error_type_strs,
+ ARRAY_SIZE(cper_proc_error_type_strs));
+
+ printk("%serror_type: 0x%02x: %s%s\n", newpfx, err_info->type,
+ error_type,
+ (err_info->type & ~CPER_ARM_ERR_TYPE_MASK) ? " with reserved bit(s)" : "");
+
if (err_info->validation_bits & CPER_ARM_INFO_VALID_ERR_INFO) {
printk("%serror_info: 0x%016llx\n", newpfx,
err_info->error_info);
diff --git a/include/linux/cper.h b/include/linux/cper.h
index 724a5e3c122d6..a31e22cc839eb 100644
--- a/include/linux/cper.h
+++ b/include/linux/cper.h
@@ -270,11 +270,11 @@ enum {
#define CPER_ARM_INFO_FLAGS_PROPAGATED BIT(2)
#define CPER_ARM_INFO_FLAGS_OVERFLOW BIT(3)
-#define CPER_ARM_CACHE_ERROR 0
-#define CPER_ARM_TLB_ERROR 1
-#define CPER_ARM_BUS_ERROR 2
-#define CPER_ARM_VENDOR_ERROR 3
-#define CPER_ARM_MAX_TYPE CPER_ARM_VENDOR_ERROR
+#define CPER_ARM_ERR_TYPE_MASK GENMASK(4,1)
+#define CPER_ARM_CACHE_ERROR BIT(1)
+#define CPER_ARM_TLB_ERROR BIT(2)
+#define CPER_ARM_BUS_ERROR BIT(3)
+#define CPER_ARM_VENDOR_ERROR BIT(4)
#define CPER_ARM_ERR_VALID_TRANSACTION_TYPE BIT(0)
#define CPER_ARM_ERR_VALID_OPERATION_TYPE BIT(1)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 197/554] ocfs2: fix memory leak in ocfs2_merge_rec_left()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 196/554] efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 198/554] usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt Greg Kroah-Hartman
` (362 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Antipov,
syzbot+cfc7cab3bb6eaa7c4de2, Heming Zhao, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Jun Piao, Andrew Morton,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit 2214ec4bf89d0fd27717322d3983a2f3b469c7f3 ]
In 'ocfs2_merge_rec_left()', do not reset 'left_path' to NULL after
move, thus allowing 'ocfs2_free_path()' to free it before return.
Link: https://lkml.kernel.org/r/20251205065159.392749-1-dmantipov@yandex.ru
Fixes: 677b975282e4 ("ocfs2: Add support for cross extent block")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Reported-by: syzbot+cfc7cab3bb6eaa7c4de2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cfc7cab3bb6eaa7c4de2
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/alloc.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/ocfs2/alloc.c b/fs/ocfs2/alloc.c
index 9c95d911a14b1..9589b462b5913 100644
--- a/fs/ocfs2/alloc.c
+++ b/fs/ocfs2/alloc.c
@@ -3647,7 +3647,6 @@ static int ocfs2_merge_rec_left(struct ocfs2_path *right_path,
* So we use the new rightmost path.
*/
ocfs2_mv_path(right_path, left_path);
- left_path = NULL;
} else
ocfs2_complete_edge_insert(handle, left_path,
right_path, subtree_index);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 198/554] usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 197/554] ocfs2: fix memory leak in ocfs2_merge_rec_left() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 199/554] usb: phy: Initialize struct usb_phy list_head Greg Kroah-Hartman
` (361 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Haotien Hsu, Wayne Chang
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotien Hsu <haotienh@nvidia.com>
commit 2585973c7f9ee31d21e5848c996fab2521fd383d upstream.
The driver previously skipped handling ClearFeature(ENDPOINT_HALT)
when the endpoint was already not halted. This prevented the
controller from resetting the data sequence number and reinitializing
the endpoint state.
According to USB 3.2 specification Rev. 1.1, section 9.4.5,
ClearFeature(ENDPOINT_HALT) must always reset the data sequence and
set the stream state machine to Disabled, regardless of whether the
endpoint was halted.
Remove the early return so that ClearFeature(ENDPOINT_HALT) always
resets the endpoint sequence state as required by the specification.
Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller")
Cc: stable <stable@kernel.org>
Signed-off-by: Haotien Hsu <haotienh@nvidia.com>
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Link: https://patch.msgid.link/20251127033540.2287517-1-waynec@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/tegra-xudc.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/usb/gadget/udc/tegra-xudc.c
+++ b/drivers/usb/gadget/udc/tegra-xudc.c
@@ -1542,12 +1542,6 @@ static int __tegra_xudc_ep_set_halt(stru
return -ENOTSUPP;
}
- if (!!(xudc_readl(xudc, EP_HALT) & BIT(ep->index)) == halt) {
- dev_dbg(xudc->dev, "EP %u already %s\n", ep->index,
- halt ? "halted" : "not halted");
- return 0;
- }
-
if (halt) {
ep_halt(xudc, ep->index);
} else {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 199/554] usb: phy: Initialize struct usb_phy list_head
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 198/554] usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 200/554] ALSA: dice: fix buffer overflow in detect_stream_formats() Greg Kroah-Hartman
` (360 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Diogo Ivo
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
commit c69ff68b097b0f53333114f1b2c3dc128f389596 upstream.
As part of the registration of a new 'struct usb_phy' with the USB PHY core
via either usb_add_phy(struct usb_phy *x, ...) or usb_add_phy_dev(struct
usb_phy *x) these functions call list_add_tail(&x->head, phy_list) in
order for the new instance x to be stored in phy_list, a static list
kept internally by the core.
After 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
when executing either of the registration functions above it is possible
that usb_add_extcon() fails, leading to either function returning before
the call to list_add_tail(), leaving x->head uninitialized.
Then, when a driver tries to undo the failed registration by calling
usb_remove_phy(struct usb_phy *x) there will be an unconditional call to
list_del(&x->head) acting on an uninitialized variable, and thus a
possible NULL pointer dereference.
Fix this by initializing x->head before usb_add_extcon() has a
chance to fail. Note that this was not needed before 7d21114dc6a2 since
list_add_phy() was executed unconditionally and it guaranteed that x->head
was initialized.
Fixes: 7d21114dc6a2 ("usb: phy: Introduce one extcon device into usb phy")
Cc: stable <stable@kernel.org>
Signed-off-by: Diogo Ivo <diogo.ivo@tecnico.ulisboa.pt>
Link: https://patch.msgid.link/20251121-diogo-smaug_typec-v2-1-5c37c1169d57@tecnico.ulisboa.pt
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/phy/phy.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/phy/phy.c
+++ b/drivers/usb/phy/phy.c
@@ -672,6 +672,8 @@ int usb_add_phy(struct usb_phy *x, enum
return -EINVAL;
}
+ INIT_LIST_HEAD(&x->head);
+
usb_charger_init(x);
ret = usb_add_extcon(x);
if (ret)
@@ -722,6 +724,8 @@ int usb_add_phy_dev(struct usb_phy *x)
return -EINVAL;
}
+ INIT_LIST_HEAD(&x->head);
+
usb_charger_init(x);
ret = usb_add_extcon(x);
if (ret)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 200/554] ALSA: dice: fix buffer overflow in detect_stream_formats()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 199/554] usb: phy: Initialize struct usb_phy list_head Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 201/554] ASoC: fsl_xcvr: get channel status data when PHY is not exists Greg Kroah-Hartman
` (359 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Takashi Sakamoto, Takashi Iwai
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit 324f3e03e8a85931ce0880654e3c3eb38b0f0bba upstream.
The function detect_stream_formats() reads the stream_count value directly
from a FireWire device without validating it. This can lead to
out-of-bounds writes when a malicious device provides a stream_count value
greater than MAX_STREAMS.
Fix by applying the same validation to both TX and RX stream counts in
detect_stream_formats().
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 58579c056c1c ("ALSA: dice: use extended protocol to detect available stream formats")
Cc: stable@vger.kernel.org
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881B043FC68B4C0DA40B73DAFDCA@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/firewire/dice/dice-extension.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/firewire/dice/dice-extension.c
+++ b/sound/firewire/dice/dice-extension.c
@@ -116,7 +116,7 @@ static int detect_stream_formats(struct
break;
base_offset += EXT_APP_STREAM_ENTRIES;
- stream_count = be32_to_cpu(reg[0]);
+ stream_count = min_t(unsigned int, be32_to_cpu(reg[0]), MAX_STREAMS);
err = read_stream_entries(dice, section_addr, base_offset,
stream_count, mode,
dice->tx_pcm_chs,
@@ -125,7 +125,7 @@ static int detect_stream_formats(struct
break;
base_offset += stream_count * EXT_APP_STREAM_ENTRY_SIZE;
- stream_count = be32_to_cpu(reg[1]);
+ stream_count = min_t(unsigned int, be32_to_cpu(reg[1]), MAX_STREAMS);
err = read_stream_entries(dice, section_addr, base_offset,
stream_count,
mode, dice->rx_pcm_chs,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 201/554] ASoC: fsl_xcvr: get channel status data when PHY is not exists
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 200/554] ALSA: dice: fix buffer overflow in detect_stream_formats() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 202/554] NFS: Fix missing unlock in nfs_unlink() Greg Kroah-Hartman
` (358 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shengjiu Wang, Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shengjiu Wang <shengjiu.wang@nxp.com>
commit ca592e20659e0304ebd8f4dabb273da4f9385848 upstream.
There is no PHY for the XCVR module on i.MX93, the channel status needs
to be obtained from FSL_XCVR_RX_CS_DATA_* registers. And channel status
acknowledge (CSA) bit should be set once channel status is processed.
Fixes: e240b9329a30 ("ASoC: fsl_xcvr: Add support for i.MX93 platform")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Link: https://patch.msgid.link/20250710030405.3370671-2-shengjiu.wang@nxp.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/fsl/fsl_xcvr.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
--- a/sound/soc/fsl/fsl_xcvr.c
+++ b/sound/soc/fsl/fsl_xcvr.c
@@ -1165,6 +1165,26 @@ static irqreturn_t irq0_isr(int irq, voi
/* clear CS control register */
writel_relaxed(0, reg_ctrl);
}
+ } else {
+ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_0,
+ (u32 *)&xcvr->rx_iec958.status[0]);
+ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_1,
+ (u32 *)&xcvr->rx_iec958.status[4]);
+ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_2,
+ (u32 *)&xcvr->rx_iec958.status[8]);
+ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_3,
+ (u32 *)&xcvr->rx_iec958.status[12]);
+ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_4,
+ (u32 *)&xcvr->rx_iec958.status[16]);
+ regmap_read(xcvr->regmap, FSL_XCVR_RX_CS_DATA_5,
+ (u32 *)&xcvr->rx_iec958.status[20]);
+ for (i = 0; i < 6; i++) {
+ val = *(u32 *)(xcvr->rx_iec958.status + i * 4);
+ *(u32 *)(xcvr->rx_iec958.status + i * 4) =
+ bitrev32(val);
+ }
+ regmap_set_bits(xcvr->regmap, FSL_XCVR_RX_DPTH_CTRL,
+ FSL_XCVR_RX_DPTH_CTRL_CSA);
}
}
if (isr & FSL_XCVR_IRQ_NEW_UD) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 202/554] NFS: Fix missing unlock in nfs_unlink()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 201/554] ASoC: fsl_xcvr: get channel status data when PHY is not exists Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 203/554] netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Greg Kroah-Hartman
` (357 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sun Ke, Trond Myklebust
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sun Ke <sunke32@huawei.com>
commit 2067231a9e2cbbcae0a4aca6ac36ff2dd6a7b701 upstream.
Add the missing unlock before goto.
Fixes: 3c59366c207e ("NFS: don't unhash dentry during unlink/rename")
Signed-off-by: Sun Ke <sunke32@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/dir.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/nfs/dir.c
+++ b/fs/nfs/dir.c
@@ -2331,8 +2331,10 @@ int nfs_unlink(struct inode *dir, struct
*/
error = -ETXTBSY;
if (WARN_ON(dentry->d_flags & DCACHE_NFSFS_RENAMED) ||
- WARN_ON(dentry->d_fsdata == NFS_FSDATA_BLOCKED))
+ WARN_ON(dentry->d_fsdata == NFS_FSDATA_BLOCKED)) {
+ spin_unlock(&dentry->d_lock);
goto out;
+ }
if (dentry->d_fsdata)
/* old devname */
kfree(dentry->d_fsdata);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 203/554] netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 202/554] NFS: Fix missing unlock in nfs_unlink() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 204/554] coresight: etm4x: Correct polling IDLE bit Greg Kroah-Hartman
` (356 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicklas Bo Jensen, Florian Westphal,
Pablo Neira Ayuso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicklas Bo Jensen <njensen@akamai.com>
commit df08c94baafb001de6cf44bb7098bb557f36c335 upstream.
nf_conncount is supposed to skip garbage collection if it has already
run garbage collection in the same jiffy. Unfortunately, this is broken
when jiffies wrap around which this patch fixes.
The problem is that last_gc in the nf_conncount_list struct is an u32,
but jiffies is an unsigned long which is 8 bytes on my systems. When
those two are compared it only works until last_gc wraps around.
See bug report: https://bugzilla.netfilter.org/show_bug.cgi?id=1778
for more details.
Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
Signed-off-by: Nicklas Bo Jensen <njensen@akamai.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_conncount.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -182,7 +182,7 @@ static int __nf_conncount_add(struct net
return -EEXIST;
}
- if (time_is_after_eq_jiffies((unsigned long)list->last_gc))
+ if ((u32)jiffies == list->last_gc)
goto add_new_node;
/* check the saved connections */
@@ -288,7 +288,7 @@ bool nf_conncount_gc_list(struct net *ne
bool ret = false;
/* don't bother if we just did GC */
- if (time_is_after_eq_jiffies((unsigned long)READ_ONCE(list->last_gc)))
+ if ((u32)jiffies == READ_ONCE(list->last_gc))
return false;
/* don't bother if other cpu is already doing GC */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 204/554] coresight: etm4x: Correct polling IDLE bit
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 203/554] netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 205/554] spi: tegra210-quad: Fix validate combined sequence Greg Kroah-Hartman
` (355 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yeoreum Yun, Mike Leach, James Clark,
Leo Yan, Suzuki K Poulose
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leo Yan <leo.yan@arm.com>
commit 4dc4e22f9536341255f5de6047977a80ff47eaef upstream.
Since commit 4ff6039ffb79 ("coresight-etm4x: add isb() before reading
the TRCSTATR"), the code has incorrectly been polling the PMSTABLE bit
instead of the IDLE bit.
This commit corrects the typo.
Fixes: 4ff6039ffb79 ("coresight-etm4x: add isb() before reading the TRCSTATR")
Reviewed-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Mike Leach <mike.leach@linaro.org>
Tested-by: James Clark <james.clark@linaro.org>
Signed-off-by: Leo Yan <leo.yan@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20251111-arm_coresight_power_management_fix-v6-4-f55553b6c8b3@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/coresight/coresight-etm4x-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/hwtracing/coresight/coresight-etm4x-core.c
+++ b/drivers/hwtracing/coresight/coresight-etm4x-core.c
@@ -1761,7 +1761,7 @@ static int __etm4_cpu_save(struct etmv4_
state->trcpdcr = etm4x_read32(csa, TRCPDCR);
/* wait for TRCSTATR.IDLE to go up */
- if (etm4x_wait_status(csa, TRCSTATR_PMSTABLE_BIT, 1)) {
+ if (etm4x_wait_status(csa, TRCSTATR_IDLE_BIT, 1)) {
dev_err(etm_dev,
"timeout while waiting for Idle Trace Status\n");
etm4_os_unlock(drvdata);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 205/554] spi: tegra210-quad: Fix validate combined sequence
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 204/554] coresight: etm4x: Correct polling IDLE bit Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 206/554] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers Greg Kroah-Hartman
` (354 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krishna Yarlagadda, Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krishna Yarlagadda <kyarlagadda@nvidia.com>
commit 047ee71ae4f412d8819e39e4b08c588fa299cfc2 upstream.
Check for non dma transfers that do not fit in FIFO has issue and skips
combined sequence for Tegra234 & Tegra241 which does not have GPCDMA.
Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Link: https://lore.kernel.org/r/20230224164034.56933-1-kyarlagadda@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-tegra210-quad.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -1290,7 +1290,7 @@ static bool tegra_qspi_validate_cmb_seq(
if (xfer->len > 4 || xfer->len < 3)
return false;
xfer = list_next_entry(xfer, transfer_list);
- if (!tqspi->soc_data->has_dma || xfer->len > (QSPI_FIFO_DEPTH << 2))
+ if (!tqspi->soc_data->has_dma && xfer->len > (QSPI_FIFO_DEPTH << 2))
return false;
return true;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 206/554] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 205/554] spi: tegra210-quad: Fix validate combined sequence Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 207/554] i3c: fix uninitialized variable use in i2c setup Greg Kroah-Hartman
` (353 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Vishwaroop A, Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishwaroop A <va@nvidia.com>
commit dcb06c638a1174008a985849fa30fc0da7d08904 upstream.
This patch corrects the QSPI_COMMAND_X1_X2_X4 and QSPI_ADDRESS_X1_X2_X4
macros to properly encode the bus width for x1, x2, and x4 transfers.
Although these macros were previously incorrect, they were not being
used in the driver, so no functionality was affected.
The patch updates tegra_qspi_cmd_config() and tegra_qspi_addr_config()
function calls to use the actual bus width from the transfer, instead of
hardcoding it to 0 (which implied x1 mode). This change enables proper
support for x1, x2, and x4 data transfers by correctly configuring the
interface width for commands and addresses.
These modifications improve the QSPI driver's flexibility and prepare it
for future use cases that may require different bus widths for commands
and addresses.
Fixes: 1b8342cc4a38 ("spi: tegra210-quad: combined sequence mode")
Signed-off-by: Vishwaroop A <va@nvidia.com>
Link: https://patch.msgid.link/20250416110606.2737315-2-va@nvidia.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-tegra210-quad.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
--- a/drivers/spi/spi-tegra210-quad.c
+++ b/drivers/spi/spi-tegra210-quad.c
@@ -123,7 +123,7 @@
#define QSPI_COMMAND_VALUE_SET(X) (((x) & 0xFF) << 0)
#define QSPI_CMB_SEQ_CMD_CFG 0x1a0
-#define QSPI_COMMAND_X1_X2_X4(x) (((x) & 0x3) << 13)
+#define QSPI_COMMAND_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
#define QSPI_COMMAND_X1_X2_X4_MASK (0x03 << 13)
#define QSPI_COMMAND_SDR_DDR BIT(12)
#define QSPI_COMMAND_SIZE_SET(x) (((x) & 0xFF) << 0)
@@ -135,7 +135,7 @@
#define QSPI_ADDRESS_VALUE_SET(X) (((x) & 0xFFFF) << 0)
#define QSPI_CMB_SEQ_ADDR_CFG 0x1ac
-#define QSPI_ADDRESS_X1_X2_X4(x) (((x) & 0x3) << 13)
+#define QSPI_ADDRESS_X1_X2_X4(x) ((((x) >> 1) & 0x3) << 13)
#define QSPI_ADDRESS_X1_X2_X4_MASK (0x03 << 13)
#define QSPI_ADDRESS_SDR_DDR BIT(12)
#define QSPI_ADDRESS_SIZE_SET(x) (((x) & 0xFF) << 0)
@@ -1023,10 +1023,6 @@ static u32 tegra_qspi_addr_config(bool i
{
u32 addr_config = 0;
- /* Extract Address configuration and value */
- is_ddr = 0; //Only SDR mode supported
- bus_width = 0; //X1 mode
-
if (is_ddr)
addr_config |= QSPI_ADDRESS_SDR_DDR;
else
@@ -1060,13 +1056,13 @@ static int tegra_qspi_combined_seq_xfer(
switch (transfer_phase) {
case CMD_TRANSFER:
/* X1 SDR mode */
- cmd_config = tegra_qspi_cmd_config(false, 0,
+ cmd_config = tegra_qspi_cmd_config(false, xfer->tx_nbits,
xfer->len);
cmd_value = *((const u8 *)(xfer->tx_buf));
break;
case ADDR_TRANSFER:
/* X1 SDR mode */
- addr_config = tegra_qspi_addr_config(false, 0,
+ addr_config = tegra_qspi_addr_config(false, xfer->tx_nbits,
xfer->len);
address_value = *((const u32 *)(xfer->tx_buf));
break;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 207/554] i3c: fix uninitialized variable use in i2c setup
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 206/554] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 208/554] bpf, arm64: Do not audit capability check in do_jit() Greg Kroah-Hartman
` (352 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Alexandre Belloni,
Jamie Iles
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamie Iles <quic_jiles@quicinc.com>
commit 6cbf8b38dfe3aabe330f2c356949bc4d6a1f034f upstream.
Commit 31b9887c7258 ("i3c: remove i2c board info from i2c_dev_desc")
removed the boardinfo from i2c_dev_desc to decouple device enumeration from
setup but did not correctly lookup the i2c_dev_desc to store the new
device, instead dereferencing an uninitialized variable.
Lookup the device that has already been registered by address to store
the i2c client device.
Fixes: 31b9887c7258 ("i3c: remove i2c board info from i2c_dev_desc")
Reported-by: kernel test robot <lkp@intel.com>
Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20220308134226.1042367-1-quic_jiles@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -2322,8 +2322,13 @@ static int i3c_master_i2c_adapter_init(s
* We silently ignore failures here. The bus should keep working
* correctly even if one or more i2c devices are not registered.
*/
- list_for_each_entry(i2cboardinfo, &master->boardinfo.i2c, node)
+ list_for_each_entry(i2cboardinfo, &master->boardinfo.i2c, node) {
+ i2cdev = i3c_master_find_i2c_dev_by_addr(master,
+ i2cboardinfo->base.addr);
+ if (WARN_ON(!i2cdev))
+ continue;
i2cdev->dev = i2c_new_client_device(adap, &i2cboardinfo->base);
+ }
return 0;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 208/554] bpf, arm64: Do not audit capability check in do_jit()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 207/554] i3c: fix uninitialized variable use in i2c setup Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 209/554] btrfs: fix memory leak of fs_devices in degraded seed device path Greg Kroah-Hartman
` (351 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ondrej Mosnacek, Alexei Starovoitov,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
[ Upstream commit 189e5deb944a6f9c7992355d60bffd8ec2e54a9c ]
Analogically to the x86 commit 881a9c9cb785 ("bpf: Do not audit
capability check in do_jit()"), change the capable() call to
ns_capable_noaudit() in order to avoid spurious SELinux denials in audit
log.
The commit log from that commit applies here as well:
"""
The failure of this check only results in a security mitigation being
applied, slightly affecting performance of the compiled BPF program. It
doesn't result in a failed syscall, an thus auditing a failed LSM
permission check for it is unwanted. For example with SELinux, it causes
a denial to be reported for confined processes running as root, which
tends to be flagged as a problem to be fixed in the policy. Yet
dontauditing or allowing CAP_SYS_ADMIN to the domain may not be
desirable, as it would allow/silence also other checks - either going
against the principle of least privilege or making debugging potentially
harder.
Fix it by changing it from capable() to ns_capable_noaudit(), which
instructs the LSMs to not audit the resulting denials.
"""
Fixes: f300769ead03 ("arm64: bpf: Only mitigate cBPF programs loaded by unprivileged users")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Link: https://lore.kernel.org/r/20251204125916.441021-1-omosnace@redhat.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/net/bpf_jit_comp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 654e7ed2d1a64..e934ad5837d08 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -341,7 +341,7 @@ static void __maybe_unused build_bhb_mitigation(struct jit_ctx *ctx)
arm64_get_spectre_v2_state() == SPECTRE_VULNERABLE)
return;
- if (capable(CAP_SYS_ADMIN))
+ if (ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN))
return;
if (supports_clearbhb(SCOPE_SYSTEM)) {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 209/554] btrfs: fix memory leak of fs_devices in degraded seed device path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 208/554] bpf, arm64: Do not audit capability check in do_jit() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 210/554] sched/deadline: only set free_cpus for online runqueues Greg Kroah-Hartman
` (350 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+eadd98df8bceb15d7fed,
Qu Wenruo, Deepanshu Kartikey, David Sterba, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit b57f2ddd28737db6ff0e9da8467f0ab9d707e997 ]
In open_seed_devices(), when find_fsid() fails and we're in DEGRADED
mode, a new fs_devices is allocated via alloc_fs_devices() but is never
added to the seed_list before returning. This contrasts with the normal
path where fs_devices is properly added via list_add().
If any error occurs later in read_one_dev() or btrfs_read_chunk_tree(),
the cleanup code iterates seed_list to free seed devices, but this
orphaned fs_devices is never found and never freed, causing a memory
leak. Any devices allocated via add_missing_dev() and attached to this
fs_devices are also leaked.
Fix this by adding the newly allocated fs_devices to seed_list in the
degraded path, consistent with the normal path.
Fixes: 5f37583569442 ("Btrfs: move the missing device to its own fs device list")
Reported-by: syzbot+eadd98df8bceb15d7fed@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=eadd98df8bceb15d7fed
Tested-by: syzbot+eadd98df8bceb15d7fed@syzkaller.appspotmail.com
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/volumes.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 316f099a0bcfe..c18918ce8edde 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -7322,6 +7322,7 @@ static struct btrfs_fs_devices *open_seed_devices(struct btrfs_fs_info *fs_info,
fs_devices->seeding = true;
fs_devices->opened = 1;
+ list_add(&fs_devices->seed_list, &fs_info->fs_devices->seed_list);
return fs_devices;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 210/554] sched/deadline: only set free_cpus for online runqueues
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 209/554] btrfs: fix memory leak of fs_devices in degraded seed device path Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 211/554] x86/ptrace: Always inline trivial accessors Greg Kroah-Hartman
` (349 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Berger, Peter Zijlstra (Intel),
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Doug Berger <opendmb@gmail.com>
[ Upstream commit 382748c05e58a9f1935f5a653c352422375566ea ]
Commit 16b269436b72 ("sched/deadline: Modify cpudl::free_cpus
to reflect rd->online") introduced the cpudl_set/clear_freecpu
functions to allow the cpu_dl::free_cpus mask to be manipulated
by the deadline scheduler class rq_on/offline callbacks so the
mask would also reflect this state.
Commit 9659e1eeee28 ("sched/deadline: Remove cpu_active_mask
from cpudl_find()") removed the check of the cpu_active_mask to
save some processing on the premise that the cpudl::free_cpus
mask already reflected the runqueue online state.
Unfortunately, there are cases where it is possible for the
cpudl_clear function to set the free_cpus bit for a CPU when the
deadline runqueue is offline. When this occurs while a CPU is
connected to the default root domain the flag may retain the bad
state after the CPU has been unplugged. Later, a different CPU
that is transitioning through the default root domain may push a
deadline task to the powered down CPU when cpudl_find sees its
free_cpus bit is set. If this happens the task will not have the
opportunity to run.
One example is outlined here:
https://lore.kernel.org/lkml/20250110233010.2339521-1-opendmb@gmail.com
Another occurs when the last deadline task is migrated from a
CPU that has an offlined runqueue. The dequeue_task member of
the deadline scheduler class will eventually call cpudl_clear
and set the free_cpus bit for the CPU.
This commit modifies the cpudl_clear function to be aware of the
online state of the deadline runqueue so that the free_cpus mask
can be updated appropriately.
It is no longer necessary to manage the mask outside of the
cpudl_set/clear functions so the cpudl_set/clear_freecpu
functions are removed. In addition, since the free_cpus mask is
now only updated under the cpudl lock the code was changed to
use the non-atomic __cpumask functions.
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/cpudeadline.c | 34 +++++++++-------------------------
kernel/sched/cpudeadline.h | 4 +---
kernel/sched/deadline.c | 8 ++++----
3 files changed, 14 insertions(+), 32 deletions(-)
diff --git a/kernel/sched/cpudeadline.c b/kernel/sched/cpudeadline.c
index 221ca10505738..219cec91ecee4 100644
--- a/kernel/sched/cpudeadline.c
+++ b/kernel/sched/cpudeadline.c
@@ -166,12 +166,13 @@ int cpudl_find(struct cpudl *cp, struct task_struct *p,
* cpudl_clear - remove a CPU from the cpudl max-heap
* @cp: the cpudl max-heap context
* @cpu: the target CPU
+ * @online: the online state of the deadline runqueue
*
* Notes: assumes cpu_rq(cpu)->lock is locked
*
* Returns: (void)
*/
-void cpudl_clear(struct cpudl *cp, int cpu)
+void cpudl_clear(struct cpudl *cp, int cpu, bool online)
{
int old_idx, new_cpu;
unsigned long flags;
@@ -184,7 +185,7 @@ void cpudl_clear(struct cpudl *cp, int cpu)
if (old_idx == IDX_INVALID) {
/*
* Nothing to remove if old_idx was invalid.
- * This could happen if a rq_offline_dl is
+ * This could happen if rq_online_dl or rq_offline_dl is
* called for a CPU without -dl tasks running.
*/
} else {
@@ -195,9 +196,12 @@ void cpudl_clear(struct cpudl *cp, int cpu)
cp->elements[new_cpu].idx = old_idx;
cp->elements[cpu].idx = IDX_INVALID;
cpudl_heapify(cp, old_idx);
-
- cpumask_set_cpu(cpu, cp->free_cpus);
}
+ if (likely(online))
+ __cpumask_set_cpu(cpu, cp->free_cpus);
+ else
+ __cpumask_clear_cpu(cpu, cp->free_cpus);
+
raw_spin_unlock_irqrestore(&cp->lock, flags);
}
@@ -228,7 +232,7 @@ void cpudl_set(struct cpudl *cp, int cpu, u64 dl)
cp->elements[new_idx].cpu = cpu;
cp->elements[cpu].idx = new_idx;
cpudl_heapify_up(cp, new_idx);
- cpumask_clear_cpu(cpu, cp->free_cpus);
+ __cpumask_clear_cpu(cpu, cp->free_cpus);
} else {
cp->elements[old_idx].dl = dl;
cpudl_heapify(cp, old_idx);
@@ -237,26 +241,6 @@ void cpudl_set(struct cpudl *cp, int cpu, u64 dl)
raw_spin_unlock_irqrestore(&cp->lock, flags);
}
-/*
- * cpudl_set_freecpu - Set the cpudl.free_cpus
- * @cp: the cpudl max-heap context
- * @cpu: rd attached CPU
- */
-void cpudl_set_freecpu(struct cpudl *cp, int cpu)
-{
- cpumask_set_cpu(cpu, cp->free_cpus);
-}
-
-/*
- * cpudl_clear_freecpu - Clear the cpudl.free_cpus
- * @cp: the cpudl max-heap context
- * @cpu: rd attached CPU
- */
-void cpudl_clear_freecpu(struct cpudl *cp, int cpu)
-{
- cpumask_clear_cpu(cpu, cp->free_cpus);
-}
-
/*
* cpudl_init - initialize the cpudl structure
* @cp: the cpudl max-heap context
diff --git a/kernel/sched/cpudeadline.h b/kernel/sched/cpudeadline.h
index 0adeda93b5fb5..ecff718d94aea 100644
--- a/kernel/sched/cpudeadline.h
+++ b/kernel/sched/cpudeadline.h
@@ -18,9 +18,7 @@ struct cpudl {
#ifdef CONFIG_SMP
int cpudl_find(struct cpudl *cp, struct task_struct *p, struct cpumask *later_mask);
void cpudl_set(struct cpudl *cp, int cpu, u64 dl);
-void cpudl_clear(struct cpudl *cp, int cpu);
+void cpudl_clear(struct cpudl *cp, int cpu, bool online);
int cpudl_init(struct cpudl *cp);
-void cpudl_set_freecpu(struct cpudl *cp, int cpu);
-void cpudl_clear_freecpu(struct cpudl *cp, int cpu);
void cpudl_cleanup(struct cpudl *cp);
#endif /* CONFIG_SMP */
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index 708c3960bd06e..923ac2244d4b5 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -1418,7 +1418,7 @@ static void dec_dl_deadline(struct dl_rq *dl_rq, u64 deadline)
if (!dl_rq->dl_nr_running) {
dl_rq->earliest_dl.curr = 0;
dl_rq->earliest_dl.next = 0;
- cpudl_clear(&rq->rd->cpudl, rq->cpu);
+ cpudl_clear(&rq->rd->cpudl, rq->cpu, rq->online);
cpupri_set(&rq->rd->cpupri, rq->cpu, rq->rt.highest_prio.curr);
} else {
struct rb_node *leftmost = dl_rq->root.rb_leftmost;
@@ -2377,9 +2377,10 @@ static void rq_online_dl(struct rq *rq)
if (rq->dl.overloaded)
dl_set_overload(rq);
- cpudl_set_freecpu(&rq->rd->cpudl, rq->cpu);
if (rq->dl.dl_nr_running > 0)
cpudl_set(&rq->rd->cpudl, rq->cpu, rq->dl.earliest_dl.curr);
+ else
+ cpudl_clear(&rq->rd->cpudl, rq->cpu, true);
}
/* Assumes rq->lock is held */
@@ -2388,8 +2389,7 @@ static void rq_offline_dl(struct rq *rq)
if (rq->dl.overloaded)
dl_clear_overload(rq);
- cpudl_clear(&rq->rd->cpudl, rq->cpu);
- cpudl_clear_freecpu(&rq->rd->cpudl, rq->cpu);
+ cpudl_clear(&rq->rd->cpudl, rq->cpu, false);
}
void __init init_sched_dl_class(void)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 211/554] x86/ptrace: Always inline trivial accessors
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 210/554] sched/deadline: only set free_cpus for online runqueues Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 212/554] ACPICA: Avoid walking the Namespace if start_node is NULL Greg Kroah-Hartman
` (348 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel), Ingo Molnar,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 1fe4002cf7f23d70c79bda429ca2a9423ebcfdfa ]
A KASAN build bloats these single load/store helpers such that
it fails to inline them:
vmlinux.o: error: objtool: irqentry_exit+0x5e8: call to instruction_pointer_set() with UACCESS enabled
Make sure the compiler isn't allowed to do stupid.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://patch.msgid.link/20251031105435.GU4068168@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/ptrace.h | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
index b94f615600d57..d5186653311da 100644
--- a/arch/x86/include/asm/ptrace.h
+++ b/arch/x86/include/asm/ptrace.h
@@ -109,12 +109,12 @@ convert_ip_to_linear(struct task_struct *child, struct pt_regs *regs);
extern void send_sigtrap(struct pt_regs *regs, int error_code, int si_code);
-static inline unsigned long regs_return_value(struct pt_regs *regs)
+static __always_inline unsigned long regs_return_value(struct pt_regs *regs)
{
return regs->ax;
}
-static inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
+static __always_inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
{
regs->ax = rc;
}
@@ -195,34 +195,34 @@ static inline bool ip_within_syscall_gap(struct pt_regs *regs)
}
#endif
-static inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
+static __always_inline unsigned long kernel_stack_pointer(struct pt_regs *regs)
{
return regs->sp;
}
-static inline unsigned long instruction_pointer(struct pt_regs *regs)
+static __always_inline unsigned long instruction_pointer(struct pt_regs *regs)
{
return regs->ip;
}
-static inline void instruction_pointer_set(struct pt_regs *regs,
- unsigned long val)
+static __always_inline
+void instruction_pointer_set(struct pt_regs *regs, unsigned long val)
{
regs->ip = val;
}
-static inline unsigned long frame_pointer(struct pt_regs *regs)
+static __always_inline unsigned long frame_pointer(struct pt_regs *regs)
{
return regs->bp;
}
-static inline unsigned long user_stack_pointer(struct pt_regs *regs)
+static __always_inline unsigned long user_stack_pointer(struct pt_regs *regs)
{
return regs->sp;
}
-static inline void user_stack_pointer_set(struct pt_regs *regs,
- unsigned long val)
+static __always_inline
+void user_stack_pointer_set(struct pt_regs *regs, unsigned long val)
{
regs->sp = val;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 212/554] ACPICA: Avoid walking the Namespace if start_node is NULL
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 211/554] x86/ptrace: Always inline trivial accessors Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 213/554] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Greg Kroah-Hartman
` (347 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cryolitia PukNgae, WangYuli,
Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
[ Upstream commit 9d6c58dae8f6590c746ac5d0012ffe14a77539f0 ]
Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace
if it is not there") fixed the situation when both start_node and
acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed
on Honor Magicbook 14 Pro [1].
That happens due to the access to the member of parent_node in
acpi_ns_get_next_node(). The NULL pointer dereference will always
happen, no matter whether or not the start_node is equal to
ACPI_ROOT_OBJECT, so move the check of start_node being NULL
out of the if block.
Unfortunately, all the attempts to contact Honor have failed, they
refused to provide any technical support for Linux.
The bad DSDT table's dump could be found on GitHub [2].
DMI: HONOR FMB-P/FMB-P-PCB, BIOS 1.13 05/08/2025
Link: https://github.com/acpica/acpica/commit/1c1b57b9eba4554cb132ee658dd942c0210ed20d
Link: https://gist.github.com/Cryolitia/a860ffc97437dcd2cd988371d5b73ed7 [1]
Link: https://github.com/denis-bb/honor-fmb-p-dsdt [2]
Signed-off-by: Cryolitia PukNgae <cryolitia.pukngae@linux.dev>
Reviewed-by: WangYuli <wangyl5933@chinaunicom.cn>
[ rjw: Subject adjustment, changelog edits ]
Link: https://patch.msgid.link/20251125-acpica-v1-1-99e63b1b25f8@linux.dev
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/nswalk.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/acpi/acpica/nswalk.c b/drivers/acpi/acpica/nswalk.c
index e7c30ce06e189..dee2cb5fb9617 100644
--- a/drivers/acpi/acpica/nswalk.c
+++ b/drivers/acpi/acpica/nswalk.c
@@ -169,9 +169,12 @@ acpi_ns_walk_namespace(acpi_object_type type,
if (start_node == ACPI_ROOT_OBJECT) {
start_node = acpi_gbl_root_node;
- if (!start_node) {
- return_ACPI_STATUS(AE_NO_NAMESPACE);
- }
+ }
+
+ /* Avoid walking the namespace if the StartNode is NULL */
+
+ if (!start_node) {
+ return_ACPI_STATUS(AE_NO_NAMESPACE);
}
/* Null child means "get first node" */
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 213/554] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 212/554] ACPICA: Avoid walking the Namespace if start_node is NULL Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 214/554] cpufreq: s5pv210: fix refcount leak Greg Kroah-Hartman
` (346 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sakari Ailus, Laurent Pinchart,
Jonathan Cameron, Rafael J. Wysocki, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sakari Ailus <sakari.ailus@linux.intel.com>
[ Upstream commit 5d010473cdeaabf6a2d3a9e2aed2186c1b73c213 ]
Calling fwnode_get_next_child_node() in ACPI implementation of the fwnode
property API is somewhat problematic as the latter is used in the
impelementation of the former. Instead of using
fwnode_get_next_child_node() in acpi_graph_get_next_endpoint(), call
acpi_get_next_subnode() directly instead.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Link: https://patch.msgid.link/20251001104320.1272752-3-sakari.ailus@linux.intel.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/property.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/acpi/property.c b/drivers/acpi/property.c
index 7f0fa58b634a3..cb4bcc90d4be5 100644
--- a/drivers/acpi/property.c
+++ b/drivers/acpi/property.c
@@ -1168,7 +1168,7 @@ static struct fwnode_handle *acpi_graph_get_next_endpoint(
if (!prev) {
do {
- port = fwnode_get_next_child_node(fwnode, port);
+ port = acpi_get_next_subnode(fwnode, port);
/*
* The names of the port nodes begin with "port@"
* followed by the number of the port node and they also
@@ -1186,13 +1186,13 @@ static struct fwnode_handle *acpi_graph_get_next_endpoint(
if (!port)
return NULL;
- endpoint = fwnode_get_next_child_node(port, prev);
+ endpoint = acpi_get_next_subnode(port, prev);
while (!endpoint) {
- port = fwnode_get_next_child_node(fwnode, port);
+ port = acpi_get_next_subnode(fwnode, port);
if (!port)
break;
if (is_acpi_graph_node(port, "port"))
- endpoint = fwnode_get_next_child_node(port, NULL);
+ endpoint = acpi_get_next_subnode(port, NULL);
}
/*
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 214/554] cpufreq: s5pv210: fix refcount leak
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 213/554] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 215/554] livepatch: Match old_sympos 0 and 1 in klp_find_func() Greg Kroah-Hartman
` (345 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shuhao Fu, Viresh Kumar, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shuhao Fu <sfual@cse.ust.hk>
[ Upstream commit 2de5cb96060a1664880d65b120e59485a73588a8 ]
In function `s5pv210_cpu_init`, a possible refcount inconsistency has
been identified, causing a resource leak.
Why it is a bug:
1. For every clk_get, there should be a matching clk_put on every
successive error handling path.
2. After calling `clk_get(dmc1_clk)`, variable `dmc1_clk` will not be
freed even if any error happens.
How it is fixed: For every failed path, an extra goto label is added to
ensure `dmc1_clk` will be freed regardlessly.
Signed-off-by: Shuhao Fu <sfual@cse.ust.hk>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/s5pv210-cpufreq.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/cpufreq/s5pv210-cpufreq.c b/drivers/cpufreq/s5pv210-cpufreq.c
index ad7d4f272ddcb..f51b2e84ef63d 100644
--- a/drivers/cpufreq/s5pv210-cpufreq.c
+++ b/drivers/cpufreq/s5pv210-cpufreq.c
@@ -518,7 +518,7 @@ static int s5pv210_cpu_init(struct cpufreq_policy *policy)
if (policy->cpu != 0) {
ret = -EINVAL;
- goto out_dmc1;
+ goto out;
}
/*
@@ -530,7 +530,7 @@ static int s5pv210_cpu_init(struct cpufreq_policy *policy)
if ((mem_type != LPDDR) && (mem_type != LPDDR2)) {
pr_err("CPUFreq doesn't support this memory type\n");
ret = -EINVAL;
- goto out_dmc1;
+ goto out;
}
/* Find current refresh counter and frequency each DMC */
@@ -544,6 +544,8 @@ static int s5pv210_cpu_init(struct cpufreq_policy *policy)
cpufreq_generic_init(policy, s5pv210_freq_table, 40000);
return 0;
+out:
+ clk_put(dmc1_clk);
out_dmc1:
clk_put(dmc0_clk);
out_dmc0:
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 215/554] livepatch: Match old_sympos 0 and 1 in klp_find_func()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 214/554] cpufreq: s5pv210: fix refcount leak Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 216/554] fs/ntfs3: Support timestamps prior to epoch Greg Kroah-Hartman
` (344 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Song Liu, Josh Poimboeuf,
Petr Mladek, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Song Liu <song@kernel.org>
[ Upstream commit 139560e8b973402140cafeb68c656c1374bd4c20 ]
When there is only one function of the same name, old_sympos of 0 and 1
are logically identical. Match them in klp_find_func().
This is to avoid a corner case with different toolchain behavior.
In this specific issue, two versions of kpatch-build were used to
build livepatch for the same kernel. One assigns old_sympos == 0 for
unique local functions, the other assigns old_sympos == 1 for unique
local functions. Both versions work fine by themselves. (PS: This
behavior change was introduced in a downstream version of kpatch-build.
This change does not exist in upstream kpatch-build.)
However, during livepatch upgrade (with the replace flag set) from a
patch built with one version of kpatch-build to the same fix built with
the other version of kpatch-build, livepatching fails with errors like:
[ 14.218706] sysfs: cannot create duplicate filename 'xxx/somefunc,1'
...
[ 14.219466] Call Trace:
[ 14.219468] <TASK>
[ 14.219469] dump_stack_lvl+0x47/0x60
[ 14.219474] sysfs_warn_dup.cold+0x17/0x27
[ 14.219476] sysfs_create_dir_ns+0x95/0xb0
[ 14.219479] kobject_add_internal+0x9e/0x260
[ 14.219483] kobject_add+0x68/0x80
[ 14.219485] ? kstrdup+0x3c/0xa0
[ 14.219486] klp_enable_patch+0x320/0x830
[ 14.219488] patch_init+0x443/0x1000 [ccc_0_6]
[ 14.219491] ? 0xffffffffa05eb000
[ 14.219492] do_one_initcall+0x2e/0x190
[ 14.219494] do_init_module+0x67/0x270
[ 14.219496] init_module_from_file+0x75/0xa0
[ 14.219499] idempotent_init_module+0x15a/0x240
[ 14.219501] __x64_sys_finit_module+0x61/0xc0
[ 14.219503] do_syscall_64+0x5b/0x160
[ 14.219505] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 14.219507] RIP: 0033:0x7f545a4bd96d
...
[ 14.219516] kobject: kobject_add_internal failed for somefunc,1 with
-EEXIST, don't try to register things with the same name ...
This happens because klp_find_func() thinks somefunc with old_sympos==0
is not the same as somefunc with old_sympos==1, and klp_add_object_nops
adds another xxx/func,1 to the list of functions to patch.
Signed-off-by: Song Liu <song@kernel.org>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
[pmladek@suse.com: Fixed some typos.]
Reviewed-by: Petr Mladek <pmladek@suse.com>
Tested-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/livepatch/core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
index 147ed154ebc77..c49042f5e71ec 100644
--- a/kernel/livepatch/core.c
+++ b/kernel/livepatch/core.c
@@ -89,8 +89,14 @@ static struct klp_func *klp_find_func(struct klp_object *obj,
struct klp_func *func;
klp_for_each_func(obj, func) {
+ /*
+ * Besides identical old_sympos, also consider old_sympos
+ * of 0 and 1 are identical.
+ */
if ((strcmp(old_func->old_name, func->old_name) == 0) &&
- (old_func->old_sympos == func->old_sympos)) {
+ ((old_func->old_sympos == func->old_sympos) ||
+ (old_func->old_sympos == 0 && func->old_sympos == 1) ||
+ (old_func->old_sympos == 1 && func->old_sympos == 0))) {
return func;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 216/554] fs/ntfs3: Support timestamps prior to epoch
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 215/554] livepatch: Match old_sympos 0 and 1 in klp_find_func() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 217/554] hfsplus: fix volume corruption issue for generic/070 Greg Kroah-Hartman
` (343 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
[ Upstream commit 5180138604323895b5c291eca6aa7c20be494ade ]
Before it used an unsigned 64-bit type, which prevented proper handling
of timestamps earlier than 1970-01-01. Switch to a signed 64-bit type to
support pre-epoch timestamps. The issue was caught by xfstests.
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ntfs3/ntfs_fs.h | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h
index 69d1442eea623..d93cba03a65aa 100644
--- a/fs/ntfs3/ntfs_fs.h
+++ b/fs/ntfs3/ntfs_fs.h
@@ -975,11 +975,12 @@ static inline __le64 kernel2nt(const struct timespec64 *ts)
*/
static inline void nt2kernel(const __le64 tm, struct timespec64 *ts)
{
- u64 t = le64_to_cpu(tm) - _100ns2seconds * SecondsToStartOf1970;
+ s32 t32;
+ /* use signed 64 bit to support timestamps prior to epoch. xfstest 258. */
+ s64 t = le64_to_cpu(tm) - _100ns2seconds * SecondsToStartOf1970;
- // WARNING: do_div changes its first argument(!)
- ts->tv_nsec = do_div(t, _100ns2seconds) * 100;
- ts->tv_sec = t;
+ ts->tv_sec = div_s64_rem(t, _100ns2seconds, &t32);
+ ts->tv_nsec = t32 * 100;
}
static inline struct ntfs_sb_info *ntfs_sb(struct super_block *sb)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 217/554] hfsplus: fix volume corruption issue for generic/070
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 216/554] fs/ntfs3: Support timestamps prior to epoch Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 218/554] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Greg Kroah-Hartman
` (342 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit ed490f36f439b877393c12a2113601e4145a5a56 ]
The xfstests' test-case generic/070 leaves HFS+ volume
in corrupted state:
sudo ./check generic/070
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.17.0-rc1+ #4 SMP PREEMPT_DYNAMIC Wed Oct 1 15:02:44 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/070 _check_generic_filesystem: filesystem on /dev/loop50 is inconsistent
(see xfstests-dev/results//generic/070.full for details)
Ran: generic/070
Failures: generic/070
Failed 1 of 1 tests
sudo fsck.hfsplus -d /dev/loop50
** /dev/loop50
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking non-journaled HFS Plus Volume.
The volume name is test
** Checking extents overflow file.
Unused node is not erased (node = 1)
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0004
CBTStat = 0x0000 CatStat = 0x00000000
** Repairing volume.
** Rechecking volume.
** Checking non-journaled HFS Plus Volume.
The volume name is test
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume test was repaired successfully.
It is possible to see that fsck.hfsplus detected not
erased and unused node for the case of extents overflow file.
The HFS+ logic has special method that defines if the node
should be erased:
bool hfs_bnode_need_zeroout(struct hfs_btree *tree)
{
struct super_block *sb = tree->inode->i_sb;
struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb);
const u32 volume_attr = be32_to_cpu(sbi->s_vhdr->attributes);
return tree->cnid == HFSPLUS_CAT_CNID &&
volume_attr & HFSPLUS_VOL_UNUSED_NODE_FIX;
}
However, it is possible to see that this method works
only for the case of catalog file. But debugging of the issue
has shown that HFSPLUS_VOL_UNUSED_NODE_FIX attribute has been
requested for the extents overflow file too:
catalog file
kernel: hfsplus: node 4, num_recs 0, flags 0x10
kernel: hfsplus: tree->cnid 4, volume_attr 0x80000800
extents overflow file
kernel: hfsplus: node 1, num_recs 0, flags 0x10
kernel: hfsplus: tree->cnid 3, volume_attr 0x80000800
This patch modifies the hfs_bnode_need_zeroout() by checking
only volume_attr but not the b-tree ID because node zeroing
can be requested for all HFS+ b-tree types.
sudo ./check generic/070
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.18.0-rc3+ #79 SMP PREEMPT_DYNAMIC Fri Oct 31 16:07:42 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/070 33s ... 34s
Ran: generic/070
Passed all 1 tests
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20251101001229.247432-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/bnode.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index e566cea238279..358294726ff17 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -717,6 +717,5 @@ bool hfs_bnode_need_zeroout(struct hfs_btree *tree)
struct hfsplus_sb_info *sbi = HFSPLUS_SB(sb);
const u32 volume_attr = be32_to_cpu(sbi->s_vhdr->attributes);
- return tree->cnid == HFSPLUS_CAT_CNID &&
- volume_attr & HFSPLUS_VOL_UNUSED_NODE_FIX;
+ return volume_attr & HFSPLUS_VOL_UNUSED_NODE_FIX;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 218/554] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 217/554] hfsplus: fix volume corruption issue for generic/070 Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 219/554] hfsplus: Verify inode mode when loading from disk Greg Kroah-Hartman
` (341 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+005d2a9ecd9fbf525f6a,
Yang Chenzhi, Viacheslav Dubeyko, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Chenzhi <yang.chenzhi@vivo.com>
[ Upstream commit 152af114287851583cf7e0abc10129941f19466a ]
When sync() and link() are called concurrently, both threads may
enter hfs_bnode_find() without finding the node in the hash table
and proceed to create it.
Thread A:
hfsplus_write_inode()
-> hfsplus_write_system_inode()
-> hfs_btree_write()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
Thread B:
hfsplus_create_cat()
-> hfs_brec_insert()
-> hfs_bnode_split()
-> hfs_bmap_alloc()
-> hfs_bnode_find(tree, 0)
-> __hfs_bnode_create(tree, 0)
In this case, thread A creates the bnode, sets refcnt=1, and hashes it.
Thread B also tries to create the same bnode, notices it has already
been inserted, drops its own instance, and uses the hashed one without
getting the node.
```
node2 = hfs_bnode_findhash(tree, cnid);
if (!node2) { <- Thread A
hash = hfs_bnode_hash(cnid);
node->next_hash = tree->node_hash[hash];
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else { <- Thread B
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
!test_bit(HFS_BNODE_NEW, &node2->flags));
return node2;
}
```
However, hfs_bnode_find() requires each call to take a reference.
Here both threads end up setting refcnt=1. When they later put the node,
this triggers:
BUG_ON(!atomic_read(&node->refcnt))
In this scenario, Thread B in fact finds the node in the hash table
rather than creating a new one, and thus must take a reference.
Fix this by calling hfs_bnode_get() when reusing a bnode newly created by
another thread to ensure the refcount is updated correctly.
A similar bug was fixed in HFS long ago in commit
a9dc087fd3c4 ("fix missing hfs_bnode_get() in __hfs_bnode_create")
but the same issue remained in HFS+ until now.
Reported-by: syzbot+005d2a9ecd9fbf525f6a@syzkaller.appspotmail.com
Signed-off-by: Yang Chenzhi <yang.chenzhi@vivo.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/20250829093912.611853-1-yang.chenzhi@vivo.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/bnode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c
index 358294726ff17..7c127922ac0c7 100644
--- a/fs/hfsplus/bnode.c
+++ b/fs/hfsplus/bnode.c
@@ -488,6 +488,7 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid)
tree->node_hash[hash] = node;
tree->node_hash_cnt++;
} else {
+ hfs_bnode_get(node2);
spin_unlock(&tree->hash_lock);
kfree(node);
wait_event(node2->lock_wq,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 219/554] hfsplus: Verify inode mode when loading from disk
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 218/554] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 220/554] hfsplus: fix volume corruption issue for generic/073 Greg Kroah-Hartman
` (340 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa,
Viacheslav Dubeyko, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 005d4b0d33f6b4a23d382b7930f7a96b95b01f39 ]
syzbot is reporting that S_IFMT bits of inode->i_mode can become bogus when
the S_IFMT bits of the 16bits "mode" field loaded from disk are corrupted.
According to [1], the permissions field was treated as reserved in Mac OS
8 and 9. According to [2], the reserved field was explicitly initialized
with 0, and that field must remain 0 as long as reserved. Therefore, when
the "mode" field is not 0 (i.e. no longer reserved), the file must be
S_IFDIR if dir == 1, and the file must be one of S_IFREG/S_IFLNK/S_IFCHR/
S_IFBLK/S_IFIFO/S_IFSOCK if dir == 0.
Reported-by: syzbot <syzbot+895c23f6917da440ed0d@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=895c23f6917da440ed0d
Link: https://developer.apple.com/library/archive/technotes/tn/tn1150.html#HFSPlusPermissions [1]
Link: https://developer.apple.com/library/archive/technotes/tn/tn1150.html#ReservedAndPadFields [2]
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Link: https://lore.kernel.org/r/04ded9f9-73fb-496c-bfa5-89c4f5d1d7bb@I-love.SAKURA.ne.jp
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/inode.c | 32 ++++++++++++++++++++++++++++----
1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
index 87bc222dc9062..98a80ec5faa91 100644
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -181,13 +181,29 @@ const struct dentry_operations hfsplus_dentry_operations = {
.d_compare = hfsplus_compare_dentry,
};
-static void hfsplus_get_perms(struct inode *inode,
- struct hfsplus_perm *perms, int dir)
+static int hfsplus_get_perms(struct inode *inode,
+ struct hfsplus_perm *perms, int dir)
{
struct hfsplus_sb_info *sbi = HFSPLUS_SB(inode->i_sb);
u16 mode;
mode = be16_to_cpu(perms->mode);
+ if (dir) {
+ if (mode && !S_ISDIR(mode))
+ goto bad_type;
+ } else if (mode) {
+ switch (mode & S_IFMT) {
+ case S_IFREG:
+ case S_IFLNK:
+ case S_IFCHR:
+ case S_IFBLK:
+ case S_IFIFO:
+ case S_IFSOCK:
+ break;
+ default:
+ goto bad_type;
+ }
+ }
i_uid_write(inode, be32_to_cpu(perms->owner));
if ((test_bit(HFSPLUS_SB_UID, &sbi->flags)) || (!i_uid_read(inode) && !mode))
@@ -213,6 +229,10 @@ static void hfsplus_get_perms(struct inode *inode,
inode->i_flags |= S_APPEND;
else
inode->i_flags &= ~S_APPEND;
+ return 0;
+bad_type:
+ pr_err("invalid file type 0%04o for inode %lu\n", mode, inode->i_ino);
+ return -EIO;
}
static int hfsplus_file_open(struct inode *inode, struct file *file)
@@ -516,7 +536,9 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
}
hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
sizeof(struct hfsplus_cat_folder));
- hfsplus_get_perms(inode, &folder->permissions, 1);
+ res = hfsplus_get_perms(inode, &folder->permissions, 1);
+ if (res)
+ goto out;
set_nlink(inode, 1);
inode->i_size = 2 + be32_to_cpu(folder->valence);
inode->i_atime = hfsp_mt2ut(folder->access_date);
@@ -543,7 +565,9 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
hfsplus_inode_read_fork(inode, HFSPLUS_IS_RSRC(inode) ?
&file->rsrc_fork : &file->data_fork);
- hfsplus_get_perms(inode, &file->permissions, 0);
+ res = hfsplus_get_perms(inode, &file->permissions, 0);
+ if (res)
+ goto out;
set_nlink(inode, 1);
if (S_ISREG(inode->i_mode)) {
if (file->permissions.dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 220/554] hfsplus: fix volume corruption issue for generic/073
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 219/554] hfsplus: Verify inode mode when loading from disk Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 221/554] btrfs: scrub: always update btrfs_scrub_progress::last_physical Greg Kroah-Hartman
` (339 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Viacheslav Dubeyko,
John Paul Adrian Glaubitz, Yangtao Li, linux-fsdevel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Viacheslav Dubeyko <slava@dubeyko.com>
[ Upstream commit 24e17a29cf7537f0947f26a50f85319abd723c6c ]
The xfstests' test-case generic/073 leaves HFS+ volume
in corrupted state:
sudo ./check generic/073
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.17.0-rc1+ #4 SMP PREEMPT_DYNAMIC Wed Oct 1 15:02:44 PDT 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/073 _check_generic_filesystem: filesystem on /dev/loop51 is inconsistent
(see XFSTESTS-2/xfstests-dev/results//generic/073.full for details)
Ran: generic/073
Failures: generic/073
Failed 1 of 1 tests
sudo fsck.hfsplus -d /dev/loop51
** /dev/loop51
Using cacheBlockSize=32K cacheTotalBlock=1024 cacheSize=32768K.
Executing fsck_hfs (version 540.1-Linux).
** Checking non-journaled HFS Plus Volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
Invalid directory item count
(It should be 1 instead of 0)
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
Verify Status: VIStat = 0x0000, ABTStat = 0x0000 EBTStat = 0x0000
CBTStat = 0x0000 CatStat = 0x00004000
** Repairing volume.
** Rechecking volume.
** Checking non-journaled HFS Plus Volume.
The volume name is untitled
** Checking extents overflow file.
** Checking catalog file.
** Checking multi-linked files.
** Checking catalog hierarchy.
** Checking extended attributes file.
** Checking volume bitmap.
** Checking volume information.
** The volume untitled was repaired successfully.
The test is doing these steps on final phase:
mv $SCRATCH_MNT/testdir_1/bar $SCRATCH_MNT/testdir_2/bar
$XFS_IO_PROG -c "fsync" $SCRATCH_MNT/testdir_1
$XFS_IO_PROG -c "fsync" $SCRATCH_MNT/foo
So, we move file bar from testdir_1 into testdir_2 folder. It means that HFS+
logic decrements the number of entries in testdir_1 and increments number of
entries in testdir_2. Finally, we do fsync only for testdir_1 and foo but not
for testdir_2. As a result, this is the reason why fsck.hfsplus detects the
volume corruption afterwards.
This patch fixes the issue by means of adding the
hfsplus_cat_write_inode() call for old_dir and new_dir in
hfsplus_rename() after the successful ending of
hfsplus_rename_cat(). This method makes modification of in-core
inode objects for old_dir and new_dir but it doesn't save these
modifications in Catalog File's entries. It was expected that
hfsplus_write_inode() will save these modifications afterwards.
However, because generic/073 does fsync only for testdir_1 and foo
then testdir_2 modification hasn't beed saved into Catalog File's
entry and it was flushed without this modification. And it was
detected by fsck.hfsplus. Now, hfsplus_rename() stores in Catalog
File all modified entries and correct state of Catalog File will
be flushed during hfsplus_file_fsync() call. Finally, it makes
fsck.hfsplus happy.
sudo ./check generic/073
FSTYP -- hfsplus
PLATFORM -- Linux/x86_64 hfsplus-testing-0001 6.18.0-rc3+ #93 SMP PREEMPT_DYNAMIC Wed Nov 12 14:37:49 PST 2025
MKFS_OPTIONS -- /dev/loop51
MOUNT_OPTIONS -- /dev/loop51 /mnt/scratch
generic/073 32s ... 32s
Ran: generic/073
Passed all 1 tests
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
cc: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
cc: Yangtao Li <frank.li@vivo.com>
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20251112232522.814038-1-slava@dubeyko.com
Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfsplus/dir.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
index 84714bbccc123..98a30ca6354ce 100644
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -552,8 +552,13 @@ static int hfsplus_rename(struct user_namespace *mnt_userns,
res = hfsplus_rename_cat((u32)(unsigned long)old_dentry->d_fsdata,
old_dir, &old_dentry->d_name,
new_dir, &new_dentry->d_name);
- if (!res)
+ if (!res) {
new_dentry->d_fsdata = old_dentry->d_fsdata;
+
+ res = hfsplus_cat_write_inode(old_dir);
+ if (!res)
+ res = hfsplus_cat_write_inode(new_dir);
+ }
return res;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 221/554] btrfs: scrub: always update btrfs_scrub_progress::last_physical
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 220/554] hfsplus: fix volume corruption issue for generic/073 Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 222/554] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Greg Kroah-Hartman
` (338 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, David Sterba, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 54df8b80cc63aa0f22c4590cad11542731ed43ff ]
[BUG]
When a scrub failed immediately without any byte scrubbed, the returned
btrfs_scrub_progress::last_physical will always be 0, even if there is a
non-zero @start passed into btrfs_scrub_dev() for resume cases.
This will reset the progress and make later scrub resume start from the
beginning.
[CAUSE]
The function btrfs_scrub_dev() accepts a @progress parameter to copy its
updated progress to the caller, there are cases where we either don't
touch progress::last_physical at all or copy 0 into last_physical:
- last_physical not updated at all
If some error happened before scrubbing any super block or chunk, we
will not copy the progress, leaving the @last_physical untouched.
E.g. failed to allocate @sctx, scrubbing a missing device or even
there is already a running scrub and so on.
All those cases won't touch @progress at all, resulting the
last_physical untouched and will be left as 0 for most cases.
- Error out before scrubbing any bytes
In those case we allocated @sctx, and sctx->stat.last_physical is all
zero (initialized by kvzalloc()).
Unfortunately some critical errors happened during
scrub_enumerate_chunks() or scrub_supers() before any stripe is really
scrubbed.
In that case although we will copy sctx->stat back to @progress, since
no byte is really scrubbed, last_physical will be overwritten to 0.
[FIX]
Make sure the parameter @progress always has its @last_physical member
updated to @start parameter inside btrfs_scrub_dev().
At the very beginning of the function, set @progress->last_physical to
@start, so that even if we error out without doing progress copying,
last_physical is still at @start.
Then after we got @sctx allocated, set sctx->stat.last_physical to
@start, this will make sure even if we didn't get any byte scrubbed, at
the progress copying stage the @last_physical is not left as zero.
This should resolve the resume progress reset problem.
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/scrub.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
index aac4ee5880952..3d5cb6e6b3bbe 100644
--- a/fs/btrfs/scrub.c
+++ b/fs/btrfs/scrub.c
@@ -4090,6 +4090,10 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
unsigned int nofs_flag;
bool need_commit = false;
+ /* Set the basic fallback @last_physical before we got a sctx. */
+ if (progress)
+ progress->last_physical = start;
+
if (btrfs_fs_closing(fs_info))
return -EAGAIN;
@@ -4126,6 +4130,7 @@ int btrfs_scrub_dev(struct btrfs_fs_info *fs_info, u64 devid, u64 start,
sctx = scrub_setup_ctx(fs_info, is_dev_replace);
if (IS_ERR(sctx))
return PTR_ERR(sctx);
+ sctx->stat.last_physical = start;
ret = scrub_workers_get(fs_info, is_dev_replace);
if (ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 222/554] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 221/554] btrfs: scrub: always update btrfs_scrub_progress::last_physical Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 223/554] netrom: Fix memory leak in nr_sendmsg() Greg Kroah-Hartman
` (337 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gongwei Li, Luiz Augusto von Dentz,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gongwei Li <ligongwei@kylinos.cn>
[ Upstream commit 525459da4bd62a81142fea3f3d52188ceb4d8907 ]
Add VID 13d3 & PID 3533 for Realtek RTL8821CE USB Bluetooth chip.
The information in /sys/kernel/debug/usb/devices about the Bluetooth
device is listed as the below.
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=13d3 ProdID=3533 Rev= 1.10
S: Manufacturer=Realtek
S: Product=Bluetooth Radio
S: SerialNumber=00e04c000001
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
Signed-off-by: Gongwei Li <ligongwei@kylinos.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index c8c638aa47262..95483a8d7b1e9 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -403,6 +403,8 @@ static const struct usb_device_id blacklist_table[] = {
/* Realtek 8821CE Bluetooth devices */
{ USB_DEVICE(0x13d3, 0x3529), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x13d3, 0x3533), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Realtek 8822CE Bluetooth devices */
{ USB_DEVICE(0x0bda, 0xb00c), .driver_info = BTUSB_REALTEK |
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 223/554] netrom: Fix memory leak in nr_sendmsg()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 222/554] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 224/554] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Greg Kroah-Hartman
` (336 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d7abc36bbbb6d7d40b58,
Wang Liang, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wang Liang <wangliang74@huawei.com>
[ Upstream commit 613d12dd794e078be8ff3cf6b62a6b9acf7f4619 ]
syzbot reported a memory leak [1].
When function sock_alloc_send_skb() return NULL in nr_output(), the
original skb is not freed, which was allocated in nr_sendmsg(). Fix this
by freeing it before return.
[1]
BUG: memory leak
unreferenced object 0xffff888129f35500 (size 240):
comm "syz.0.17", pid 6119, jiffies 4294944652
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 10 52 28 81 88 ff ff ..........R(....
backtrace (crc 1456a3e4):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4983 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
__alloc_skb+0x203/0x240 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0x69/0x3f0 net/core/skbuff.c:6671
sock_alloc_send_pskb+0x379/0x3e0 net/core/sock.c:2965
sock_alloc_send_skb include/net/sock.h:1859 [inline]
nr_sendmsg+0x287/0x450 net/netrom/af_netrom.c:1105
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
sock_write_iter+0x293/0x2a0 net/socket.c:1195
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x45d/0x710 fs/read_write.c:686
ksys_write+0x143/0x170 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xa4/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Reported-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d7abc36bbbb6d7d40b58
Tested-by: syzbot+d7abc36bbbb6d7d40b58@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Wang Liang <wangliang74@huawei.com>
Link: https://patch.msgid.link/20251129041315.1550766-1-wangliang74@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netrom/nr_out.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netrom/nr_out.c b/net/netrom/nr_out.c
index 5e531394a724b..2b3cbceb0b52d 100644
--- a/net/netrom/nr_out.c
+++ b/net/netrom/nr_out.c
@@ -43,8 +43,10 @@ void nr_output(struct sock *sk, struct sk_buff *skb)
frontlen = skb_headroom(skb);
while (skb->len > 0) {
- if ((skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err)) == NULL)
+ if ((skbn = sock_alloc_send_skb(sk, frontlen + NR_MAX_PACKET_SIZE, 0, &err)) == NULL) {
+ kfree_skb(skb);
return;
+ }
skb_reserve(skbn, frontlen);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 224/554] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 223/554] netrom: Fix memory leak in nr_sendmsg() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 225/554] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Greg Kroah-Hartman
` (335 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, zdi-disclosures, Victor Nogueira,
Jamal Hadi Salim, Davide Caratti, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit ce052b9402e461a9aded599f5b47e76bc727f7de ]
zdi-disclosures@trendmicro.com says:
The vulnerability is a race condition between `ets_qdisc_dequeue` and
`ets_qdisc_change`. It leads to UAF on `struct Qdisc` object.
Attacker requires the capability to create new user and network namespace
in order to trigger the bug.
See my additional commentary at the end of the analysis.
Analysis:
static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
struct netlink_ext_ack *extack)
{
...
// (1) this lock is preventing .change handler (`ets_qdisc_change`)
//to race with .dequeue handler (`ets_qdisc_dequeue`)
sch_tree_lock(sch);
for (i = nbands; i < oldbands; i++) {
if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
WRITE_ONCE(q->nbands, nbands);
for (i = nstrict; i < q->nstrict; i++) {
if (q->classes[i].qdisc->q.qlen) {
// (2) the class is added to the q->active
list_add_tail(&q->classes[i].alist, &q->active);
q->classes[i].deficit = quanta[i];
}
}
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
for (i = 0; i < q->nbands; i++)
WRITE_ONCE(q->classes[i].quantum, quanta[i]);
for (i = oldbands; i < q->nbands; i++) {
q->classes[i].qdisc = queues[i];
if (q->classes[i].qdisc != &noop_qdisc)
qdisc_hash_add(q->classes[i].qdisc, true);
}
// (3) the qdisc is unlocked, now dequeue can be called in parallel
// to the rest of .change handler
sch_tree_unlock(sch);
ets_offload_change(sch);
for (i = q->nbands; i < oldbands; i++) {
// (4) we're reducing the refcount for our class's qdisc and
// freeing it
qdisc_put(q->classes[i].qdisc);
// (5) If we call .dequeue between (4) and (5), we will have
// a strong UAF and we can control RIP
q->classes[i].qdisc = NULL;
WRITE_ONCE(q->classes[i].quantum, 0);
q->classes[i].deficit = 0;
gnet_stats_basic_sync_init(&q->classes[i].bstats);
memset(&q->classes[i].qstats, 0, sizeof(q->classes[i].qstats));
}
return 0;
}
Comment:
This happens because some of the classes have their qdiscs assigned to
NULL, but remain in the active list. This commit fixes this issue by always
removing the class from the active list before deleting and freeing its
associated qdisc
Reproducer Steps
(trimmed version of what was sent by zdi-disclosures@trendmicro.com)
```
DEV="${DEV:-lo}"
ROOT_HANDLE="${ROOT_HANDLE:-1:}"
BAND2_HANDLE="${BAND2_HANDLE:-20:}" # child under 1:2
PING_BYTES="${PING_BYTES:-48}"
PING_COUNT="${PING_COUNT:-200000}"
PING_DST="${PING_DST:-127.0.0.1}"
SLOW_TBF_RATE="${SLOW_TBF_RATE:-8bit}"
SLOW_TBF_BURST="${SLOW_TBF_BURST:-100b}"
SLOW_TBF_LAT="${SLOW_TBF_LAT:-1s}"
cleanup() {
tc qdisc del dev "$DEV" root 2>/dev/null
}
trap cleanup EXIT
ip link set "$DEV" up
tc qdisc del dev "$DEV" root 2>/dev/null || true
tc qdisc add dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc qdisc add dev "$DEV" parent 1:2 handle "$BAND2_HANDLE" \
tbf rate "$SLOW_TBF_RATE" burst "$SLOW_TBF_BURST" latency "$SLOW_TBF_LAT"
tc filter add dev "$DEV" parent 1: protocol all prio 1 u32 match u32 0 0 flowid 1:2
tc -s qdisc ls dev $DEV
ping -I "$DEV" -f -c "$PING_COUNT" -s "$PING_BYTES" -W 0.001 "$PING_DST" \
>/dev/null 2>&1 &
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 0
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 2 strict 2
tc -s qdisc ls dev $DEV
tc qdisc del dev "$DEV" parent 1:2 || true
tc -s qdisc ls dev $DEV
tc qdisc change dev "$DEV" root handle "$ROOT_HANDLE" ets bands 1 strict 1
```
KASAN report
```
==================================================================
BUG: KASAN: slab-use-after-free in ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481
Read of size 8 at addr ffff8880502fc018 by task ping/12308
>
CPU: 0 UID: 0 PID: 12308 Comm: ping Not tainted 6.18.0-rc4-dirty #1 PREEMPT(full)
Hardware name: QEMU Ubuntu 25.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
__dump_stack kernel/lib/dump_stack.c:94
dump_stack_lvl+0x100/0x190 kernel/lib/dump_stack.c:120
print_address_description kernel/mm/kasan/report.c:378
print_report+0x156/0x4c9 kernel/mm/kasan/report.c:482
kasan_report+0xdf/0x110 kernel/mm/kasan/report.c:595
ets_qdisc_dequeue+0x1071/0x11b0 kernel/net/sched/sch_ets.c:481
dequeue_skb kernel/net/sched/sch_generic.c:294
qdisc_restart kernel/net/sched/sch_generic.c:399
__qdisc_run+0x1c9/0x1b00 kernel/net/sched/sch_generic.c:417
__dev_xmit_skb kernel/net/core/dev.c:4221
__dev_queue_xmit+0x2848/0x4410 kernel/net/core/dev.c:4729
dev_queue_xmit kernel/./include/linux/netdevice.h:3365
[...]
Allocated by task 17115:
kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56
kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77
poison_kmalloc_redzone kernel/mm/kasan/common.c:400
__kasan_kmalloc+0xaa/0xb0 kernel/mm/kasan/common.c:417
kasan_kmalloc kernel/./include/linux/kasan.h:262
__do_kmalloc_node kernel/mm/slub.c:5642
__kmalloc_node_noprof+0x34e/0x990 kernel/mm/slub.c:5648
kmalloc_node_noprof kernel/./include/linux/slab.h:987
qdisc_alloc+0xb8/0xc30 kernel/net/sched/sch_generic.c:950
qdisc_create_dflt+0x93/0x490 kernel/net/sched/sch_generic.c:1012
ets_class_graft+0x4fd/0x800 kernel/net/sched/sch_ets.c:261
qdisc_graft+0x3e4/0x1780 kernel/net/sched/sch_api.c:1196
[...]
Freed by task 9905:
kasan_save_stack+0x30/0x50 kernel/mm/kasan/common.c:56
kasan_save_track+0x14/0x30 kernel/mm/kasan/common.c:77
__kasan_save_free_info+0x3b/0x70 kernel/mm/kasan/generic.c:587
kasan_save_free_info kernel/mm/kasan/kasan.h:406
poison_slab_object kernel/mm/kasan/common.c:252
__kasan_slab_free+0x5f/0x80 kernel/mm/kasan/common.c:284
kasan_slab_free kernel/./include/linux/kasan.h:234
slab_free_hook kernel/mm/slub.c:2539
slab_free kernel/mm/slub.c:6630
kfree+0x144/0x700 kernel/mm/slub.c:6837
rcu_do_batch kernel/kernel/rcu/tree.c:2605
rcu_core+0x7c0/0x1500 kernel/kernel/rcu/tree.c:2861
handle_softirqs+0x1ea/0x8a0 kernel/kernel/softirq.c:622
__do_softirq kernel/kernel/softirq.c:656
[...]
Commentary:
1. Maher Azzouzi working with Trend Micro Zero Day Initiative was reported as
the person who found the issue. I requested to get a proper email to add to the
reported-by tag but got no response. For this reason i will credit the person
i exchanged emails with i.e zdi-disclosures@trendmicro.com
2. Neither i nor Victor who did a much more thorough testing was able to
reproduce a UAF with the PoC or other approaches we tried. We were both able to
reproduce a null ptr deref. After exchange with zdi-disclosures@trendmicro.com
they sent a small change to be made to the code to add an extra delay which
was able to simulate the UAF. i.e, this:
qdisc_put(q->classes[i].qdisc);
mdelay(90);
q->classes[i].qdisc = NULL;
I was informed by Thomas Gleixner(tglx@linutronix.de) that adding delays was
acceptable approach for demonstrating the bug, quote:
"Adding such delays is common exploit validation practice"
The equivalent delay could happen "by virt scheduling the vCPU out, SMIs,
NMIs, PREEMPT_RT enabled kernel"
3. I asked the OP to test and report back but got no response and after a
few days gave up and proceeded to submit this fix.
Fixes: de6d25924c2a ("net/sched: sch_ets: don't peek at classes beyond 'nbands'")
Reported-by: zdi-disclosures@trendmicro.com
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
Link: https://patch.msgid.link/20251128151919.576920-1-jhs@mojatatu.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_ets.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index d95d127975254..bcd91ffe9bc6a 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -665,7 +665,7 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
sch_tree_lock(sch);
for (i = nbands; i < oldbands; i++) {
- if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
+ if (cl_is_active(&q->classes[i]))
list_del_init(&q->classes[i].alist);
qdisc_purge_queue(q->classes[i].qdisc);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 225/554] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 224/554] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 226/554] mlxsw: spectrum_router: Fix neighbour use-after-free Greg Kroah-Hartman
` (334 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Skorodumov, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
[ Upstream commit 0c57ff008a11f24f7f05fa760222692a00465fec ]
Packets with pkt_type == PACKET_LOOPBACK are captured by
handle_frame() function, but they don't have L2 header.
We should not process them in handle_mode_l2().
This doesn't affect old L2 functionality, since handling
was anyway incorrect.
Handle them the same way as in br_handle_frame():
just pass the skb.
To observe invalid behaviour, just start "ping -b" on bcast address
of port-interface.
Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: Dmitry Skorodumov <skorodumov.dmitry@huawei.com>
Link: https://patch.msgid.link/20251202103906.4087675-1-skorodumov.dmitry@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ipvlan/ipvlan_core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index a18b49db38ee0..35ec6d1af6ea6 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -725,6 +725,9 @@ static rx_handler_result_t ipvlan_handle_mode_l2(struct sk_buff **pskb,
struct ethhdr *eth = eth_hdr(skb);
rx_handler_result_t ret = RX_HANDLER_PASS;
+ if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
+ return RX_HANDLER_PASS;
+
if (is_multicast_ether_addr(eth->h_dest)) {
if (ipvlan_external_frame(skb, port)) {
struct sk_buff *nskb = skb_clone(skb, GFP_ATOMIC);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 226/554] mlxsw: spectrum_router: Fix neighbour use-after-free
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 225/554] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 227/554] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Greg Kroah-Hartman
` (333 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Petr Machata,
Simon Horman, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 8b0e69763ef948fb872a7767df4be665d18f5fd4 ]
We sometimes observe use-after-free when dereferencing a neighbour [1].
The problem seems to be that the driver stores a pointer to the
neighbour, but without holding a reference on it. A reference is only
taken when the neighbour is used by a nexthop.
Fix by simplifying the reference counting scheme. Always take a
reference when storing a neighbour pointer in a neighbour entry. Avoid
taking a referencing when the neighbour is used by a nexthop as the
neighbour entry associated with the nexthop already holds a reference.
Tested by running the test that uncovered the problem over 300 times.
Without this patch the problem was reproduced after a handful of
iterations.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_neigh_entry_update+0x2d4/0x310
Read of size 8 at addr ffff88817f8e3420 by task ip/3929
CPU: 3 UID: 0 PID: 3929 Comm: ip Not tainted 6.18.0-rc4-virtme-g36b21a067510 #3 PREEMPT(full)
Hardware name: Nvidia SN5600/VMOD0013, BIOS 5.13 05/31/2023
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xa0
print_address_description.constprop.0+0x6e/0x300
print_report+0xfc/0x1fb
kasan_report+0xe4/0x110
mlxsw_sp_neigh_entry_update+0x2d4/0x310
mlxsw_sp_router_rif_gone_sync+0x35f/0x510
mlxsw_sp_rif_destroy+0x1ea/0x730
mlxsw_sp_inetaddr_port_vlan_event+0xa1/0x1b0
__mlxsw_sp_inetaddr_lag_event+0xcc/0x130
__mlxsw_sp_inetaddr_event+0xf5/0x3c0
mlxsw_sp_router_netdevice_event+0x1015/0x1580
notifier_call_chain+0xcc/0x150
call_netdevice_notifiers_info+0x7e/0x100
__netdev_upper_dev_unlink+0x10b/0x210
netdev_upper_dev_unlink+0x79/0xa0
vrf_del_slave+0x18/0x50
do_set_master+0x146/0x7d0
do_setlink.isra.0+0x9a0/0x2880
rtnl_newlink+0x637/0xb20
rtnetlink_rcv_msg+0x6fe/0xb90
netlink_rcv_skb+0x123/0x380
netlink_unicast+0x4a3/0x770
netlink_sendmsg+0x75b/0xc90
__sock_sendmsg+0xbe/0x160
____sys_sendmsg+0x5b2/0x7d0
___sys_sendmsg+0xfd/0x180
__sys_sendmsg+0x124/0x1c0
do_syscall_64+0xbb/0xfd0
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[...]
Allocated by task 109:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7b/0x90
__kmalloc_noprof+0x2c1/0x790
neigh_alloc+0x6af/0x8f0
___neigh_create+0x63/0xe90
mlxsw_sp_nexthop_neigh_init+0x430/0x7e0
mlxsw_sp_nexthop_type_init+0x212/0x960
mlxsw_sp_nexthop6_group_info_init.constprop.0+0x81f/0x1280
mlxsw_sp_nexthop6_group_get+0x392/0x6a0
mlxsw_sp_fib6_entry_create+0x46a/0xfd0
mlxsw_sp_router_fib6_replace+0x1ed/0x5f0
mlxsw_sp_router_fib6_event_work+0x10a/0x2a0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Freed by task 154:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x60
__kasan_slab_free+0x43/0x70
kmem_cache_free_bulk.part.0+0x1eb/0x5e0
kvfree_rcu_bulk+0x1f2/0x260
kfree_rcu_work+0x130/0x1b0
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Last potentially related work creation:
kasan_save_stack+0x30/0x50
kasan_record_aux_stack+0x8c/0xa0
kvfree_call_rcu+0x93/0x5b0
mlxsw_sp_router_neigh_event_work+0x67d/0x860
process_one_work+0xd57/0x1390
worker_thread+0x4d6/0xd40
kthread+0x355/0x5b0
ret_from_fork+0x1d4/0x270
ret_from_fork_asm+0x11/0x20
Fixes: 6cf3c971dc84 ("mlxsw: spectrum_router: Add private neigh table")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/92d75e21d95d163a41b5cea67a15cd33f547cba6.1764695650.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ethernet/mellanox/mlxsw/spectrum_router.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 55de90d5ae591..487ea65417b4a 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -2137,6 +2137,7 @@ mlxsw_sp_neigh_entry_alloc(struct mlxsw_sp *mlxsw_sp, struct neighbour *n,
if (!neigh_entry)
return NULL;
+ neigh_hold(n);
neigh_entry->key.n = n;
neigh_entry->rif = rif;
INIT_LIST_HEAD(&neigh_entry->nexthop_list);
@@ -2146,6 +2147,7 @@ mlxsw_sp_neigh_entry_alloc(struct mlxsw_sp *mlxsw_sp, struct neighbour *n,
static void mlxsw_sp_neigh_entry_free(struct mlxsw_sp_neigh_entry *neigh_entry)
{
+ neigh_release(neigh_entry->key.n);
kfree(neigh_entry);
}
@@ -3995,6 +3997,8 @@ mlxsw_sp_nexthop_dead_neigh_replace(struct mlxsw_sp *mlxsw_sp,
if (err)
goto err_neigh_entry_insert;
+ neigh_release(old_n);
+
read_lock_bh(&n->lock);
nud_state = n->nud_state;
dead = n->dead;
@@ -4003,14 +4007,10 @@ mlxsw_sp_nexthop_dead_neigh_replace(struct mlxsw_sp *mlxsw_sp,
list_for_each_entry(nh, &neigh_entry->nexthop_list,
neigh_list_node) {
- neigh_release(old_n);
- neigh_clone(n);
__mlxsw_sp_nexthop_neigh_update(nh, !entry_connected);
mlxsw_sp_nexthop_group_refresh(mlxsw_sp, nh->nhgi->nh_grp);
}
- neigh_release(n);
-
return 0;
err_neigh_entry_insert:
@@ -4098,6 +4098,11 @@ static int mlxsw_sp_nexthop_neigh_init(struct mlxsw_sp *mlxsw_sp,
}
}
+ /* Release the reference taken by neigh_lookup() / neigh_create() since
+ * neigh_entry already holds one.
+ */
+ neigh_release(n);
+
/* If that is the first nexthop connected to that neigh, add to
* nexthop_neighs_list
*/
@@ -4124,11 +4129,9 @@ static void mlxsw_sp_nexthop_neigh_fini(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_nexthop *nh)
{
struct mlxsw_sp_neigh_entry *neigh_entry = nh->neigh_entry;
- struct neighbour *n;
if (!neigh_entry)
return;
- n = neigh_entry->key.n;
__mlxsw_sp_nexthop_neigh_update(nh, true);
list_del(&nh->neigh_list_node);
@@ -4142,8 +4145,6 @@ static void mlxsw_sp_nexthop_neigh_fini(struct mlxsw_sp *mlxsw_sp,
if (!neigh_entry->connected && list_empty(&neigh_entry->nexthop_list))
mlxsw_sp_neigh_entry_destroy(mlxsw_sp, neigh_entry);
-
- neigh_release(n);
}
static bool mlxsw_sp_ipip_netdev_ul_up(struct net_device *ol_dev)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 227/554] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 226/554] mlxsw: spectrum_router: Fix neighbour use-after-free Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 228/554] net: openvswitch: fix middle attribute validation in push_nsh() action Greg Kroah-Hartman
` (332 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Petr Machata,
Simon Horman, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 8ac1dacec458f55f871f7153242ed6ab60373b90 ]
Cited commit added a dedicated mutex (instead of RTNL) to protect the
multicast route list, so that it will not change while the driver
periodically traverses it in order to update the kernel about multicast
route stats that were queried from the device.
One instance of list entry deletion (during route replace) was missed
and it can result in a use-after-free [1].
Fix by acquiring the mutex before deleting the entry from the list and
releasing it afterwards.
[1]
BUG: KASAN: slab-use-after-free in mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
Read of size 8 at addr ffff8881523c2fa8 by task kworker/2:5/22043
CPU: 2 UID: 0 PID: 22043 Comm: kworker/2:5 Not tainted 6.18.0-rc1-custom-g1a3d6d7cd014 #1 PREEMPT(full)
Hardware name: Mellanox Technologies Ltd. MSN2010/SA002610, BIOS 5.6.5 08/24/2017
Workqueue: mlxsw_core mlxsw_sp_mr_stats_update [mlxsw_spectrum]
Call Trace:
<TASK>
dump_stack_lvl+0xba/0x110
print_report+0x174/0x4f5
kasan_report+0xdf/0x110
mlxsw_sp_mr_stats_update+0x4a5/0x540 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:1006 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x8f/0xa0
mlxsw_sp_mr_route_add+0xd8/0x4770 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Freed by task 29933:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_save_free_info+0x3b/0x70
__kasan_slab_free+0x43/0x70
kfree+0x14e/0x700
mlxsw_sp_mr_route_add+0x2dea/0x4770 drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c:444 [mlxsw_spectrum]
mlxsw_sp_router_fibmr_event_work+0x371/0xad0 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:7965 [mlxsw_spectrum]
process_one_work+0x9cc/0x18e0
worker_thread+0x5df/0xe40
kthread+0x3b8/0x730
ret_from_fork+0x3e9/0x560
ret_from_fork_asm+0x1a/0x30
Fixes: f38656d06725 ("mlxsw: spectrum_mr: Protect multicast route list with a lock")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/f996feecfd59fde297964bfc85040b6d83ec6089.1764695650.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
index 1f6bc0c7e91dd..c39aca54a0d6b 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_mr.c
@@ -440,7 +440,9 @@ int mlxsw_sp_mr_route_add(struct mlxsw_sp_mr_table *mr_table,
rhashtable_remove_fast(&mr_table->route_ht,
&mr_orig_route->ht_node,
mlxsw_sp_mr_route_ht_params);
+ mutex_lock(&mr_table->route_list_lock);
list_del(&mr_orig_route->node);
+ mutex_unlock(&mr_table->route_list_lock);
mlxsw_sp_mr_route_destroy(mr_table, mr_orig_route);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 228/554] net: openvswitch: fix middle attribute validation in push_nsh() action
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 227/554] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 229/554] broadcom: b44: prevent uninitialized value usage Greg Kroah-Hartman
` (331 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Junvy Yang, Ilya Maximets,
Aaron Conole, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Maximets <i.maximets@ovn.org>
[ Upstream commit 5ace7ef87f059d68b5f50837ef3e8a1a4870c36e ]
The push_nsh() action structure looks like this:
OVS_ACTION_ATTR_PUSH_NSH(OVS_KEY_ATTR_NSH(OVS_NSH_KEY_ATTR_BASE,...))
The outermost OVS_ACTION_ATTR_PUSH_NSH attribute is OK'ed by the
nla_for_each_nested() inside __ovs_nla_copy_actions(). The innermost
OVS_NSH_KEY_ATTR_BASE/MD1/MD2 are OK'ed by the nla_for_each_nested()
inside nsh_key_put_from_nlattr(). But nothing checks if the attribute
in the middle is OK. We don't even check that this attribute is the
OVS_KEY_ATTR_NSH. We just do a double unwrap with a pair of nla_data()
calls - first time directly while calling validate_push_nsh() and the
second time as part of the nla_for_each_nested() macro, which isn't
safe, potentially causing invalid memory access if the size of this
attribute is incorrect. The failure may not be noticed during
validation due to larger netlink buffer, but cause trouble later during
action execution where the buffer is allocated exactly to the size:
BUG: KASAN: slab-out-of-bounds in nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
Read of size 184 at addr ffff88816459a634 by task a.out/22624
CPU: 8 UID: 0 PID: 22624 6.18.0-rc7+ #115 PREEMPT(voluntary)
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x70
print_address_description.constprop.0+0x2c/0x390
kasan_report+0xdd/0x110
kasan_check_range+0x35/0x1b0
__asan_memcpy+0x20/0x60
nsh_hdr_from_nlattr+0x1dd/0x6a0 [openvswitch]
push_nsh+0x82/0x120 [openvswitch]
do_execute_actions+0x1405/0x2840 [openvswitch]
ovs_execute_actions+0xd5/0x3b0 [openvswitch]
ovs_packet_cmd_execute+0x949/0xdb0 [openvswitch]
genl_family_rcv_msg_doit+0x1d6/0x2b0
genl_family_rcv_msg+0x336/0x580
genl_rcv_msg+0x9f/0x130
netlink_rcv_skb+0x11f/0x370
genl_rcv+0x24/0x40
netlink_unicast+0x73e/0xaa0
netlink_sendmsg+0x744/0xbf0
__sys_sendto+0x3d6/0x450
do_syscall_64+0x79/0x2c0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
</TASK>
Let's add some checks that the attribute is properly sized and it's
the only one attribute inside the action. Technically, there is no
real reason for OVS_KEY_ATTR_NSH to be there, as we know that we're
pushing an NSH header already, it just creates extra nesting, but
that's how uAPI works today. So, keeping as it is.
Fixes: b2d0f5d5dc53 ("openvswitch: enable NSH support")
Reported-by: Junvy Yang <zhuque@tencent.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Eelco Chaudron echaudro@redhat.com
Reviewed-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20251204105334.900379-1-i.maximets@ovn.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/flow_netlink.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 7c2692f897f99..a7a9e4df3f600 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2757,13 +2757,20 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
return err;
}
-static bool validate_push_nsh(const struct nlattr *attr, bool log)
+static bool validate_push_nsh(const struct nlattr *a, bool log)
{
+ struct nlattr *nsh_key = nla_data(a);
struct sw_flow_match match;
struct sw_flow_key key;
+ /* There must be one and only one NSH header. */
+ if (!nla_ok(nsh_key, nla_len(a)) ||
+ nla_total_size(nla_len(nsh_key)) != nla_len(a) ||
+ nla_type(nsh_key) != OVS_KEY_ATTR_NSH)
+ return false;
+
ovs_match_init(&match, &key, true, NULL);
- return !nsh_key_put_from_nlattr(attr, &match, false, true, log);
+ return !nsh_key_put_from_nlattr(nsh_key, &match, false, true, log);
}
/* Return false if there are any non-masked bits set.
@@ -3317,7 +3324,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
return -EINVAL;
}
mac_proto = MAC_PROTO_NONE;
- if (!validate_push_nsh(nla_data(a), log))
+ if (!validate_push_nsh(a, log))
return -EINVAL;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 229/554] broadcom: b44: prevent uninitialized value usage
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 228/554] net: openvswitch: fix middle attribute validation in push_nsh() action Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 230/554] netfilter: nf_conncount: fix leaked ct in error paths Greg Kroah-Hartman
` (330 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Andrew Lunn,
Alexey Simakov, Michael Chan, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Simakov <bigalex934@gmail.com>
[ Upstream commit 50b3db3e11864cb4e18ff099cfb38e11e7f87a68 ]
On execution path with raised B44_FLAG_EXTERNAL_PHY, b44_readphy()
leaves bmcr value uninitialized and it is used later in the code.
Add check of this flag at the beginning of the b44_nway_reset() and
exit early of the function with restarting autonegotiation if an
external PHY is used.
Fixes: 753f492093da ("[B44]: port to native ssb support")
Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Alexey Simakov <bigalex934@gmail.com>
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
Link: https://patch.msgid.link/20251205155815.4348-1-bigalex934@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/b44.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/broadcom/b44.c b/drivers/net/ethernet/broadcom/b44.c
index ce370ef641f01..3c4e0a78b8a03 100644
--- a/drivers/net/ethernet/broadcom/b44.c
+++ b/drivers/net/ethernet/broadcom/b44.c
@@ -1811,6 +1811,9 @@ static int b44_nway_reset(struct net_device *dev)
u32 bmcr;
int r;
+ if (bp->flags & B44_FLAG_EXTERNAL_PHY)
+ return phy_ethtool_nway_reset(dev);
+
spin_lock_irq(&bp->lock);
b44_readphy(bp, MII_BMCR, &bmcr);
b44_readphy(bp, MII_BMCR, &bmcr);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 230/554] netfilter: nf_conncount: fix leaked ct in error paths
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 229/554] broadcom: b44: prevent uninitialized value usage Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 231/554] ipvs: fix ipv4 null-ptr-deref in route error path Greg Kroah-Hartman
` (329 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Florian Westphal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 2e2a720766886190a6d35c116794693aabd332b6 ]
There are some situations where ct might be leaked as error paths are
skipping the refcounted check and return immediately. In order to solve
it make sure that the check is always called.
Fixes: be102eb6a0e7 ("netfilter: nf_conncount: rework API to use sk_buff directly")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conncount.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 97b631a81484d..c00b8e522c5a7 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -172,14 +172,14 @@ static int __nf_conncount_add(struct net *net,
struct nf_conn *found_ct;
unsigned int collect = 0;
bool refcounted = false;
+ int err = 0;
if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
return -ENOENT;
if (ct && nf_ct_is_confirmed(ct)) {
- if (refcounted)
- nf_ct_put(ct);
- return -EEXIST;
+ err = -EEXIST;
+ goto out_put;
}
if ((u32)jiffies == list->last_gc)
@@ -231,12 +231,16 @@ static int __nf_conncount_add(struct net *net,
}
add_new_node:
- if (WARN_ON_ONCE(list->count > INT_MAX))
- return -EOVERFLOW;
+ if (WARN_ON_ONCE(list->count > INT_MAX)) {
+ err = -EOVERFLOW;
+ goto out_put;
+ }
conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
- if (conn == NULL)
- return -ENOMEM;
+ if (conn == NULL) {
+ err = -ENOMEM;
+ goto out_put;
+ }
conn->tuple = tuple;
conn->zone = *zone;
@@ -249,7 +253,7 @@ static int __nf_conncount_add(struct net *net,
out_put:
if (refcounted)
nf_ct_put(ct);
- return 0;
+ return err;
}
int nf_conncount_add_skb(struct net *net,
@@ -446,11 +450,10 @@ insert_tree(struct net *net,
rb_link_node_rcu(&rbconn->node, parent, rbnode);
rb_insert_color(&rbconn->node, root);
-
- if (refcounted)
- nf_ct_put(ct);
}
out_unlock:
+ if (refcounted)
+ nf_ct_put(ct);
spin_unlock_bh(&nf_conncount_locks[hash]);
return count;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 231/554] ipvs: fix ipv4 null-ptr-deref in route error path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 230/554] netfilter: nf_conncount: fix leaked ct in error paths Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 232/554] caif: fix integer underflow in cffrml_receive() Greg Kroah-Hartman
` (328 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Slavin Liu, Julian Anastasov,
Florian Westphal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Slavin Liu <slavin452@gmail.com>
[ Upstream commit ad891bb3d079a46a821bf2b8867854645191bab0 ]
The IPv4 code path in __ip_vs_get_out_rt() calls dst_link_failure()
without ensuring skb->dev is set, leading to a NULL pointer dereference
in fib_compute_spec_dst() when ipv4_link_failure() attempts to send
ICMP destination unreachable messages.
The issue emerged after commit ed0de45a1008 ("ipv4: recompile ip options
in ipv4_link_failure") started calling __ip_options_compile() from
ipv4_link_failure(). This code path eventually calls fib_compute_spec_dst()
which dereferences skb->dev. An attempt was made to fix the NULL skb->dev
dereference in commit 0113d9c9d1cc ("ipv4: fix null-deref in
ipv4_link_failure"), but it only addressed the immediate dev_net(skb->dev)
dereference by using a fallback device. The fix was incomplete because
fib_compute_spec_dst() later in the call chain still accesses skb->dev
directly, which remains NULL when IPVS calls dst_link_failure().
The crash occurs when:
1. IPVS processes a packet in NAT mode with a misconfigured destination
2. Route lookup fails in __ip_vs_get_out_rt() before establishing a route
3. The error path calls dst_link_failure(skb) with skb->dev == NULL
4. ipv4_link_failure() → ipv4_send_dest_unreach() →
__ip_options_compile() → fib_compute_spec_dst()
5. fib_compute_spec_dst() dereferences NULL skb->dev
Apply the same fix used for IPv6 in commit 326bf17ea5d4 ("ipvs: fix
ipv6 route unreach panic"): set skb->dev from skb_dst(skb)->dev before
calling dst_link_failure().
KASAN: null-ptr-deref in range [0x0000000000000328-0x000000000000032f]
CPU: 1 PID: 12732 Comm: syz.1.3469 Not tainted 6.6.114 #2
RIP: 0010:__in_dev_get_rcu include/linux/inetdevice.h:233
RIP: 0010:fib_compute_spec_dst+0x17a/0x9f0 net/ipv4/fib_frontend.c:285
Call Trace:
<TASK>
spec_dst_fill net/ipv4/ip_options.c:232
spec_dst_fill net/ipv4/ip_options.c:229
__ip_options_compile+0x13a1/0x17d0 net/ipv4/ip_options.c:330
ipv4_send_dest_unreach net/ipv4/route.c:1252
ipv4_link_failure+0x702/0xb80 net/ipv4/route.c:1265
dst_link_failure include/net/dst.h:437
__ip_vs_get_out_rt+0x15fd/0x19e0 net/netfilter/ipvs/ip_vs_xmit.c:412
ip_vs_nat_xmit+0x1d8/0xc80 net/netfilter/ipvs/ip_vs_xmit.c:764
Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
Signed-off-by: Slavin Liu <slavin452@gmail.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipvs/ip_vs_xmit.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index c87dbc8970023..f82834349ca2c 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -420,6 +420,9 @@ __ip_vs_get_out_rt(struct netns_ipvs *ipvs, int skb_af, struct sk_buff *skb,
return -1;
err_unreach:
+ if (!skb->dev)
+ skb->dev = skb_dst(skb)->dev;
+
dst_link_failure(skb);
return -1;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 232/554] caif: fix integer underflow in cffrml_receive()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 231/554] ipvs: fix ipv4 null-ptr-deref in route error path Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 233/554] net/sched: ets: Remove drr class from the active list if it changes to strict Greg Kroah-Hartman
` (327 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Simon Horman, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 8a11ff0948b5ad09b71896b7ccc850625f9878d1 ]
The cffrml_receive() function extracts a length field from the packet
header and, when FCS is disabled, subtracts 2 from this length without
validating that len >= 2.
If an attacker sends a malicious packet with a length field of 0 or 1
to an interface with FCS disabled, the subtraction causes an integer
underflow.
This can lead to memory exhaustion and kernel instability, potential
information disclosure if padding contains uninitialized kernel memory.
Fix this by validating that len >= 2 before performing the subtraction.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/SYBPR01MB7881511122BAFEA8212A1608AFA6A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/caif/cffrml.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/caif/cffrml.c b/net/caif/cffrml.c
index 6651a8dc62e04..d4d63586053ad 100644
--- a/net/caif/cffrml.c
+++ b/net/caif/cffrml.c
@@ -92,8 +92,15 @@ static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt)
len = le16_to_cpu(tmp);
/* Subtract for FCS on length if FCS is not used. */
- if (!this->dofcs)
+ if (!this->dofcs) {
+ if (len < 2) {
+ ++cffrml_rcv_error;
+ pr_err("Invalid frame length (%d)\n", len);
+ cfpkt_destroy(pkt);
+ return -EPROTO;
+ }
len -= 2;
+ }
if (cfpkt_setlen(pkt, len) < 0) {
++cffrml_rcv_error;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 233/554] net/sched: ets: Remove drr class from the active list if it changes to strict
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 232/554] caif: fix integer underflow in cffrml_receive() Greg Kroah-Hartman
@ 2026-01-15 16:44 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 234/554] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Greg Kroah-Hartman
` (326 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:44 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Victor Nogueira,
Petr Machata, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Nogueira <victor@mojatatu.com>
[ Upstream commit b1e125ae425aba9b45252e933ca8df52a843ec70 ]
Whenever a user issues an ets qdisc change command, transforming a
drr class into a strict one, the ets code isn't checking whether that
class was in the active list and removing it. This means that, if a
user changes a strict class (which was in the active list) back to a drr
one, that class will be added twice to the active list [1].
Doing so with the following commands:
tc qdisc add dev lo root handle 1: ets bands 2 strict 1
tc qdisc add dev lo parent 1:2 handle 20: \
tbf rate 8bit burst 100b latency 1s
tc filter add dev lo parent 1: basic classid 1:2
ping -c1 -W0.01 -s 56 127.0.0.1
tc qdisc change dev lo root handle 1: ets bands 2 strict 2
tc qdisc change dev lo root handle 1: ets bands 2 strict 1
ping -c1 -W0.01 -s 56 127.0.0.1
Will trigger the following splat with list debug turned on:
[ 59.279014][ T365] ------------[ cut here ]------------
[ 59.279452][ T365] list_add double add: new=ffff88801d60e350, prev=ffff88801d60e350, next=ffff88801d60e2c0.
[ 59.280153][ T365] WARNING: CPU: 3 PID: 365 at lib/list_debug.c:35 __list_add_valid_or_report+0x17f/0x220
[ 59.280860][ T365] Modules linked in:
[ 59.281165][ T365] CPU: 3 UID: 0 PID: 365 Comm: tc Not tainted 6.18.0-rc7-00105-g7e9f13163c13-dirty #239 PREEMPT(voluntary)
[ 59.281977][ T365] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 59.282391][ T365] RIP: 0010:__list_add_valid_or_report+0x17f/0x220
[ 59.282842][ T365] Code: 89 c6 e8 d4 b7 0d ff 90 0f 0b 90 90 31 c0 e9 31 ff ff ff 90 48 c7 c7 e0 a0 22 9f 48 89 f2 48 89 c1 4c 89 c6 e8 b2 b7 0d ff 90 <0f> 0b 90 90 31 c0 e9 0f ff ff ff 48 89 f7 48 89 44 24 10 4c 89 44
...
[ 59.288812][ T365] Call Trace:
[ 59.289056][ T365] <TASK>
[ 59.289224][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.289546][ T365] ets_qdisc_change+0xd2b/0x1e80
[ 59.289891][ T365] ? __lock_acquire+0x7e7/0x1be0
[ 59.290223][ T365] ? __pfx_ets_qdisc_change+0x10/0x10
[ 59.290546][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.290898][ T365] ? __mutex_trylock_common+0xda/0x240
[ 59.291228][ T365] ? __pfx___mutex_trylock_common+0x10/0x10
[ 59.291655][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.291993][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.292313][ T365] ? trace_contention_end+0xc8/0x110
[ 59.292656][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293022][ T365] ? srso_alias_return_thunk+0x5/0xfbef5
[ 59.293351][ T365] tc_modify_qdisc+0x63a/0x1cf0
Fix this by always checking and removing an ets class from the active list
when changing it to strict.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/tree/net/sched/sch_ets.c?id=ce052b9402e461a9aded599f5b47e76bc727f7de#n663
Fixes: cd9b50adc6bb9 ("net/sched: ets: fix crash when flipping from 'strict' to 'quantum'")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/20251208190125.1868423-1-victor@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_ets.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index bcd91ffe9bc6a..ce3d41a4d4f6a 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -677,6 +677,10 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
q->classes[i].deficit = quanta[i];
}
}
+ for (i = q->nstrict; i < nstrict; i++) {
+ if (cl_is_active(&q->classes[i]))
+ list_del_init(&q->classes[i].alist);
+ }
WRITE_ONCE(q->nstrict, nstrict);
memcpy(q->prio2band, priomap, sizeof(priomap));
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 234/554] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2026-01-15 16:44 ` [PATCH 5.15 233/554] net/sched: ets: Remove drr class from the active list if it changes to strict Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 235/554] ethtool: use phydev variable Greg Kroah-Hartman
` (325 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit 885bebac9909994050bbbeed0829c727e42bd1b7 ]
Set the error code if "transferred != sizeof(cmd)" instead of
returning success.
Fixes: dbafc28955fa ("NFC: pn533: don't send USB data off of the stack")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/aTfIJ9tZPmeUF4W1@stanley.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/pn533/usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nfc/pn533/usb.c b/drivers/nfc/pn533/usb.c
index 47d423cc26081..11d3c4045c1e1 100644
--- a/drivers/nfc/pn533/usb.c
+++ b/drivers/nfc/pn533/usb.c
@@ -407,7 +407,7 @@ static int pn533_acr122_poweron_rdr(struct pn533_usb_phy *phy)
if (rc || (transferred != sizeof(cmd))) {
nfc_err(&phy->udev->dev,
"Reader power on cmd error %d\n", rc);
- return rc;
+ return rc ?: -EINVAL;
}
rc = usb_submit_urb(phy->in_urb, GFP_KERNEL);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 235/554] ethtool: use phydev variable
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 234/554] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 236/554] net/ethtool/ioctl: remove if n_stats checks from ethtool_get_phy_stats Greg Kroah-Hartman
` (324 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Rix, Andrew Lunn,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tom Rix <trix@redhat.com>
[ Upstream commit ccd21ec5b8dd9b8a528a70315cee95fc1dd79d20 ]
In ethtool_get_phy_stats(), the phydev varaible is set to
dev->phydev but dev->phydev is still used. Replace
dev->phydev uses with phydev.
Signed-off-by: Tom Rix <trix@redhat.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 7b07be1ff1cb ("ethtool: Avoid overflowing userspace buffer on stats query")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/ioctl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 1e9e70a633d1c..4b736385912ef 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -2068,9 +2068,9 @@ static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
if (!phydev && (!ops->get_ethtool_phy_stats || !ops->get_sset_count))
return -EOPNOTSUPP;
- if (dev->phydev && !ops->get_ethtool_phy_stats &&
+ if (phydev && !ops->get_ethtool_phy_stats &&
phy_ops && phy_ops->get_sset_count)
- n_stats = phy_ops->get_sset_count(dev->phydev);
+ n_stats = phy_ops->get_sset_count(phydev);
else
n_stats = ops->get_sset_count(dev, ETH_SS_PHY_STATS);
if (n_stats < 0)
@@ -2090,9 +2090,9 @@ static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
if (!data)
return -ENOMEM;
- if (dev->phydev && !ops->get_ethtool_phy_stats &&
+ if (phydev && !ops->get_ethtool_phy_stats &&
phy_ops && phy_ops->get_stats) {
- ret = phy_ops->get_stats(dev->phydev, &stats, data);
+ ret = phy_ops->get_stats(phydev, &stats, data);
if (ret < 0)
goto out;
} else {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 236/554] net/ethtool/ioctl: remove if n_stats checks from ethtool_get_phy_stats
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 235/554] ethtool: use phydev variable Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 237/554] net/ethtool/ioctl: split ethtool_get_phy_stats into multiple helpers Greg Kroah-Hartman
` (323 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniil Tatianin, Andrew Lunn,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniil Tatianin <d-tatianin@yandex-team.ru>
[ Upstream commit fd4778581d61d8848b532f8cdc9b325138748437 ]
Now that we always early return if we don't have any stats we can remove
these checks as they're no longer necessary.
Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 7b07be1ff1cb ("ethtool: Avoid overflowing userspace buffer on stats query")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/ioctl.c | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 4b736385912ef..2ffd52d886cfc 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -2085,28 +2085,24 @@ static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
stats.n_stats = n_stats;
- if (n_stats) {
- data = vzalloc(array_size(n_stats, sizeof(u64)));
- if (!data)
- return -ENOMEM;
+ data = vzalloc(array_size(n_stats, sizeof(u64)));
+ if (!data)
+ return -ENOMEM;
- if (phydev && !ops->get_ethtool_phy_stats &&
- phy_ops && phy_ops->get_stats) {
- ret = phy_ops->get_stats(phydev, &stats, data);
- if (ret < 0)
- goto out;
- } else {
- ops->get_ethtool_phy_stats(dev, &stats, data);
- }
+ if (phydev && !ops->get_ethtool_phy_stats &&
+ phy_ops && phy_ops->get_stats) {
+ ret = phy_ops->get_stats(phydev, &stats, data);
+ if (ret < 0)
+ goto out;
} else {
- data = NULL;
+ ops->get_ethtool_phy_stats(dev, &stats, data);
}
ret = -EFAULT;
if (copy_to_user(useraddr, &stats, sizeof(stats)))
goto out;
useraddr += sizeof(stats);
- if (n_stats && copy_to_user(useraddr, data, array_size(n_stats, sizeof(u64))))
+ if (copy_to_user(useraddr, data, array_size(n_stats, sizeof(u64))))
goto out;
ret = 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 237/554] net/ethtool/ioctl: split ethtool_get_phy_stats into multiple helpers
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 236/554] net/ethtool/ioctl: remove if n_stats checks from ethtool_get_phy_stats Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 238/554] ethtool: Avoid overflowing userspace buffer on stats query Greg Kroah-Hartman
` (322 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniil Tatianin, Andrew Lunn,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniil Tatianin <d-tatianin@yandex-team.ru>
[ Upstream commit 201ed315f9676809cd5b20a39206e964106d4f27 ]
So that it's easier to follow and make sense of the branching and
various conditions.
Stats retrieval has been split into two separate functions
ethtool_get_phy_stats_phydev & ethtool_get_phy_stats_ethtool.
The former attempts to retrieve the stats using phydev & phy_ops, while
the latter uses ethtool_ops.
Actual n_stats validation & array allocation has been moved into a new
ethtool_vzalloc_stats_array helper.
This also fixes a potential NULL dereference of
ops->get_ethtool_phy_stats where it was getting called in an else branch
unconditionally without making sure it was actually present.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 7b07be1ff1cb ("ethtool: Avoid overflowing userspace buffer on stats query")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/ioctl.c | 102 ++++++++++++++++++++++++++++++--------------
1 file changed, 69 insertions(+), 33 deletions(-)
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 2ffd52d886cfc..33b5c3d8f2f7f 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -2056,23 +2056,8 @@ static int ethtool_get_stats(struct net_device *dev, void __user *useraddr)
return ret;
}
-static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
+static int ethtool_vzalloc_stats_array(int n_stats, u64 **data)
{
- const struct ethtool_phy_ops *phy_ops = ethtool_phy_ops;
- const struct ethtool_ops *ops = dev->ethtool_ops;
- struct phy_device *phydev = dev->phydev;
- struct ethtool_stats stats;
- u64 *data;
- int ret, n_stats;
-
- if (!phydev && (!ops->get_ethtool_phy_stats || !ops->get_sset_count))
- return -EOPNOTSUPP;
-
- if (phydev && !ops->get_ethtool_phy_stats &&
- phy_ops && phy_ops->get_sset_count)
- n_stats = phy_ops->get_sset_count(phydev);
- else
- n_stats = ops->get_sset_count(dev, ETH_SS_PHY_STATS);
if (n_stats < 0)
return n_stats;
if (n_stats > S32_MAX / sizeof(u64))
@@ -2080,31 +2065,82 @@ static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
if (WARN_ON_ONCE(!n_stats))
return -EOPNOTSUPP;
+ *data = vzalloc(array_size(n_stats, sizeof(u64)));
+ if (!*data)
+ return -ENOMEM;
+
+ return 0;
+}
+
+static int ethtool_get_phy_stats_phydev(struct phy_device *phydev,
+ struct ethtool_stats *stats,
+ u64 **data)
+ {
+ const struct ethtool_phy_ops *phy_ops = ethtool_phy_ops;
+ int n_stats, ret;
+
+ if (!phy_ops || !phy_ops->get_sset_count || !phy_ops->get_stats)
+ return -EOPNOTSUPP;
+
+ n_stats = phy_ops->get_sset_count(phydev);
+
+ ret = ethtool_vzalloc_stats_array(n_stats, data);
+ if (ret)
+ return ret;
+
+ stats->n_stats = n_stats;
+ return phy_ops->get_stats(phydev, stats, *data);
+}
+
+static int ethtool_get_phy_stats_ethtool(struct net_device *dev,
+ struct ethtool_stats *stats,
+ u64 **data)
+{
+ const struct ethtool_ops *ops = dev->ethtool_ops;
+ int n_stats, ret;
+
+ if (!ops || !ops->get_sset_count || ops->get_ethtool_phy_stats)
+ return -EOPNOTSUPP;
+
+ n_stats = ops->get_sset_count(dev, ETH_SS_PHY_STATS);
+
+ ret = ethtool_vzalloc_stats_array(n_stats, data);
+ if (ret)
+ return ret;
+
+ stats->n_stats = n_stats;
+ ops->get_ethtool_phy_stats(dev, stats, *data);
+
+ return 0;
+}
+
+static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
+{
+ struct phy_device *phydev = dev->phydev;
+ struct ethtool_stats stats;
+ u64 *data = NULL;
+ int ret = -EOPNOTSUPP;
+
if (copy_from_user(&stats, useraddr, sizeof(stats)))
return -EFAULT;
- stats.n_stats = n_stats;
+ if (phydev)
+ ret = ethtool_get_phy_stats_phydev(phydev, &stats, &data);
- data = vzalloc(array_size(n_stats, sizeof(u64)));
- if (!data)
- return -ENOMEM;
+ if (ret == -EOPNOTSUPP)
+ ret = ethtool_get_phy_stats_ethtool(dev, &stats, &data);
- if (phydev && !ops->get_ethtool_phy_stats &&
- phy_ops && phy_ops->get_stats) {
- ret = phy_ops->get_stats(phydev, &stats, data);
- if (ret < 0)
- goto out;
- } else {
- ops->get_ethtool_phy_stats(dev, &stats, data);
- }
+ if (ret)
+ goto out;
- ret = -EFAULT;
- if (copy_to_user(useraddr, &stats, sizeof(stats)))
+ if (copy_to_user(useraddr, &stats, sizeof(stats))) {
+ ret = -EFAULT;
goto out;
+ }
+
useraddr += sizeof(stats);
- if (copy_to_user(useraddr, data, array_size(n_stats, sizeof(u64))))
- goto out;
- ret = 0;
+ if (copy_to_user(useraddr, data, array_size(stats.n_stats, sizeof(u64))))
+ ret = -EFAULT;
out:
vfree(data);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 238/554] ethtool: Avoid overflowing userspace buffer on stats query
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 237/554] net/ethtool/ioctl: split ethtool_get_phy_stats into multiple helpers Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 239/554] net/mlx5: fw_tracer, Add support for unrecognized string Greg Kroah-Hartman
` (321 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Tariq Toukan,
Gal Pressman, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 7b07be1ff1cb6c49869910518650e8d0abc7d25f ]
The ethtool -S command operates across three ioctl calls:
ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and
ETHTOOL_GSTATS for the values.
If the number of stats changes between these calls (e.g., due to device
reconfiguration), userspace's buffer allocation will be incorrect,
potentially leading to buffer overflow.
Drivers are generally expected to maintain stable stat counts, but some
drivers (e.g., mlx5, bnx2x, bna, ksz884x) use dynamic counters, making
this scenario possible.
Some drivers try to handle this internally:
- bnad_get_ethtool_stats() returns early in case stats.n_stats is not
equal to the driver's stats count.
- micrel/ksz884x also makes sure not to write anything beyond
stats.n_stats and overflow the buffer.
However, both use stats.n_stats which is already assigned with the value
returned from get_sset_count(), hence won't solve the issue described
here.
Change ethtool_get_strings(), ethtool_get_stats(),
ethtool_get_phy_stats() to not return anything in case of a mismatch
between userspace's size and get_sset_size(), to prevent buffer
overflow.
The returned n_stats value will be equal to zero, to reflect that
nothing has been returned.
This could result in one of two cases when using upstream ethtool,
depending on when the size change is detected:
1. When detected in ethtool_get_strings():
# ethtool -S eth2
no stats available
2. When detected in get stats, all stats will be reported as zero.
Both cases are presumably transient, and a subsequent ethtool call
should succeed.
Other than the overflow avoidance, these two cases are very evident (no
output/cleared stats), which is arguably better than presenting
incorrect/shifted stats.
I also considered returning an error instead of a "silent" response, but
that seems more destructive towards userspace apps.
Notes:
- This patch does not claim to fix the inherent race, it only makes sure
that we do not overflow the userspace buffer, and makes for a more
predictable behavior.
- RTNL lock is held during each ioctl, the race window exists between
the separate ioctl calls when the lock is released.
- Userspace ethtool always fills stats.n_stats, but it is likely that
these stats ioctls are implemented in other userspace applications
which might not fill it. The added code checks that it's not zero,
to prevent any regressions.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Gal Pressman <gal@nvidia.com>
Link: https://patch.msgid.link/20251208121901.3203692-1-gal@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/ioctl.c | 30 ++++++++++++++++++++++++------
1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 33b5c3d8f2f7f..81fe585ddfa91 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -1919,7 +1919,10 @@ static int ethtool_get_strings(struct net_device *dev, void __user *useraddr)
return -ENOMEM;
WARN_ON_ONCE(!ret);
- gstrings.len = ret;
+ if (gstrings.len && gstrings.len != ret)
+ gstrings.len = 0;
+ else
+ gstrings.len = ret;
if (gstrings.len) {
data = vzalloc(array_size(gstrings.len, ETH_GSTRING_LEN));
@@ -2032,10 +2035,13 @@ static int ethtool_get_stats(struct net_device *dev, void __user *useraddr)
if (copy_from_user(&stats, useraddr, sizeof(stats)))
return -EFAULT;
- stats.n_stats = n_stats;
+ if (stats.n_stats && stats.n_stats != n_stats)
+ stats.n_stats = 0;
+ else
+ stats.n_stats = n_stats;
- if (n_stats) {
- data = vzalloc(array_size(n_stats, sizeof(u64)));
+ if (stats.n_stats) {
+ data = vzalloc(array_size(stats.n_stats, sizeof(u64)));
if (!data)
return -ENOMEM;
ops->get_ethtool_stats(dev, &stats, data);
@@ -2047,7 +2053,9 @@ static int ethtool_get_stats(struct net_device *dev, void __user *useraddr)
if (copy_to_user(useraddr, &stats, sizeof(stats)))
goto out;
useraddr += sizeof(stats);
- if (n_stats && copy_to_user(useraddr, data, array_size(n_stats, sizeof(u64))))
+ if (stats.n_stats &&
+ copy_to_user(useraddr, data,
+ array_size(stats.n_stats, sizeof(u64))))
goto out;
ret = 0;
@@ -2083,6 +2091,10 @@ static int ethtool_get_phy_stats_phydev(struct phy_device *phydev,
return -EOPNOTSUPP;
n_stats = phy_ops->get_sset_count(phydev);
+ if (stats->n_stats && stats->n_stats != n_stats) {
+ stats->n_stats = 0;
+ return 0;
+ }
ret = ethtool_vzalloc_stats_array(n_stats, data);
if (ret)
@@ -2103,6 +2115,10 @@ static int ethtool_get_phy_stats_ethtool(struct net_device *dev,
return -EOPNOTSUPP;
n_stats = ops->get_sset_count(dev, ETH_SS_PHY_STATS);
+ if (stats->n_stats && stats->n_stats != n_stats) {
+ stats->n_stats = 0;
+ return 0;
+ }
ret = ethtool_vzalloc_stats_array(n_stats, data);
if (ret)
@@ -2139,7 +2155,9 @@ static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
}
useraddr += sizeof(stats);
- if (copy_to_user(useraddr, data, array_size(stats.n_stats, sizeof(u64))))
+ if (stats.n_stats &&
+ copy_to_user(useraddr, data,
+ array_size(stats.n_stats, sizeof(u64))))
ret = -EFAULT;
out:
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 239/554] net/mlx5: fw_tracer, Add support for unrecognized string
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 238/554] ethtool: Avoid overflowing userspace buffer on stats query Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 240/554] net/mlx5: fw_tracer, Validate format string parameters Greg Kroah-Hartman
` (320 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Moshe Shemesh,
Saeed Mahameed, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit f7133135235dbd11e7cb5fe62fe5d05ce5e82eeb ]
In case FW is publishing a string which isn't found in the driver's
string DBs, keep the string as raw data.
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Stable-dep-of: b35966042d20 ("net/mlx5: fw_tracer, Validate format string parameters")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/diag/fw_tracer.c | 25 +++++++++++++++++--
.../mellanox/mlx5/core/diag/fw_tracer.h | 1 +
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
index efa2e0a8fa1d1..d982b468dcc1d 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
@@ -460,6 +460,7 @@ static void poll_trace(struct mlx5_fw_tracer *tracer,
tracer_event->event_id = MLX5_GET(tracer_event, trace, event_id);
tracer_event->lost_event = MLX5_GET(tracer_event, trace, lost);
+ tracer_event->out = trace;
switch (tracer_event->event_id) {
case TRACER_EVENT_TYPE_TIMESTAMP:
@@ -582,6 +583,26 @@ void mlx5_tracer_print_trace(struct tracer_string_format *str_frmt,
mlx5_tracer_clean_message(str_frmt);
}
+static int mlx5_tracer_handle_raw_string(struct mlx5_fw_tracer *tracer,
+ struct tracer_event *tracer_event)
+{
+ struct tracer_string_format *cur_string;
+
+ cur_string = mlx5_tracer_message_insert(tracer, tracer_event);
+ if (!cur_string)
+ return -1;
+
+ cur_string->event_id = tracer_event->event_id;
+ cur_string->timestamp = tracer_event->string_event.timestamp;
+ cur_string->lost = tracer_event->lost_event;
+ cur_string->string = "0x%08x%08x";
+ cur_string->num_of_params = 2;
+ cur_string->params[0] = upper_32_bits(*tracer_event->out);
+ cur_string->params[1] = lower_32_bits(*tracer_event->out);
+ list_add_tail(&cur_string->list, &tracer->ready_strings_list);
+ return 0;
+}
+
static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
struct tracer_event *tracer_event)
{
@@ -590,7 +611,7 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
if (tracer_event->string_event.tdsn == 0) {
cur_string = mlx5_tracer_get_string(tracer, tracer_event);
if (!cur_string)
- return -1;
+ return mlx5_tracer_handle_raw_string(tracer, tracer_event);
cur_string->num_of_params = mlx5_tracer_get_num_of_params(cur_string->string);
cur_string->last_param_num = 0;
@@ -605,7 +626,7 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
if (!cur_string) {
pr_debug("%s Got string event for unknown string tmsn: %d\n",
__func__, tracer_event->string_event.tmsn);
- return -1;
+ return mlx5_tracer_handle_raw_string(tracer, tracer_event);
}
cur_string->last_param_num += 1;
if (cur_string->last_param_num > TRACER_MAX_PARAMS) {
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
index 97252a85d65e6..568efb1e2bd24 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
@@ -158,6 +158,7 @@ struct tracer_event {
struct tracer_string_event string_event;
struct tracer_timestamp_event timestamp_event;
};
+ u64 *out;
};
struct mlx5_ifc_tracer_event_bits {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 240/554] net/mlx5: fw_tracer, Validate format string parameters
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 239/554] net/mlx5: fw_tracer, Add support for unrecognized string Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 241/554] net/mlx5: fw_tracer, Handle escaped percent properly Greg Kroah-Hartman
` (319 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Moshe Shemesh,
Breno Leitao, Tariq Toukan, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit b35966042d20b14e2d83330049f77deec5229749 ]
Add validation for format string parameters in the firmware tracer to
prevent potential security vulnerabilities and crashes from malformed
format strings received from firmware.
The firmware tracer receives format strings from the device firmware and
uses them to format trace messages. Without proper validation, bad
firmware could provide format strings with invalid format specifiers
(e.g., %s, %p, %n) that could lead to crashes, or other undefined
behavior.
Add mlx5_tracer_validate_params() to validate that all format specifiers
in trace strings are limited to safe integer/hex formats (%x, %d, %i,
%u, %llx, %lx, etc.). Reject strings containing other format types that
could be used to access arbitrary memory or cause crashes.
Invalid format strings are added to the trace output for visibility with
"BAD_FORMAT: " prefix.
Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Reported-by: Breno Leitao <leitao@debian.org>
Closes: https://lore.kernel.org/netdev/hanz6rzrb2bqbplryjrakvkbmv4y5jlmtthnvi3thg5slqvelp@t3s3erottr6s/
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-4-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/diag/fw_tracer.c | 83 ++++++++++++++++---
.../mellanox/mlx5/core/diag/fw_tracer.h | 1 +
2 files changed, 74 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
index d982b468dcc1d..6b49bda8bea2a 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
@@ -33,6 +33,7 @@
#include "lib/eq.h"
#include "fw_tracer.h"
#include "fw_tracer_tracepoint.h"
+#include <linux/ctype.h>
static int mlx5_query_mtrc_caps(struct mlx5_fw_tracer *tracer)
{
@@ -354,6 +355,43 @@ static const char *VAL_PARM = "%llx";
static const char *REPLACE_64_VAL_PARM = "%x%x";
static const char *PARAM_CHAR = "%";
+static bool mlx5_is_valid_spec(const char *str)
+{
+ /* Parse format specifiers to find the actual type.
+ * Structure: %[flags][width][.precision][length]type
+ * Skip flags, width, precision & length.
+ */
+ while (isdigit(*str) || *str == '#' || *str == '.' || *str == 'l')
+ str++;
+
+ /* Check if it's a valid integer/hex specifier:
+ * Valid formats: %x, %d, %i, %u, etc.
+ */
+ if (*str != 'x' && *str != 'X' && *str != 'd' && *str != 'i' &&
+ *str != 'u' && *str != 'c')
+ return false;
+
+ return true;
+}
+
+static bool mlx5_tracer_validate_params(const char *str)
+{
+ const char *substr = str;
+
+ if (!str)
+ return false;
+
+ substr = strstr(substr, PARAM_CHAR);
+ while (substr) {
+ if (!mlx5_is_valid_spec(substr + 1))
+ return false;
+
+ substr = strstr(substr + 1, PARAM_CHAR);
+ }
+
+ return true;
+}
+
static int mlx5_tracer_message_hash(u32 message_id)
{
return jhash_1word(message_id, 0) & (MESSAGE_HASH_SIZE - 1);
@@ -413,6 +451,10 @@ static int mlx5_tracer_get_num_of_params(char *str)
char *substr, *pstr = str;
int num_of_params = 0;
+ /* Validate that all parameters are valid before processing */
+ if (!mlx5_tracer_validate_params(str))
+ return -EINVAL;
+
/* replace %llx with %x%x */
substr = strstr(pstr, VAL_PARM);
while (substr) {
@@ -564,14 +606,17 @@ void mlx5_tracer_print_trace(struct tracer_string_format *str_frmt,
{
char tmp[512];
- snprintf(tmp, sizeof(tmp), str_frmt->string,
- str_frmt->params[0],
- str_frmt->params[1],
- str_frmt->params[2],
- str_frmt->params[3],
- str_frmt->params[4],
- str_frmt->params[5],
- str_frmt->params[6]);
+ if (str_frmt->invalid_string)
+ snprintf(tmp, sizeof(tmp), "BAD_FORMAT: %s", str_frmt->string);
+ else
+ snprintf(tmp, sizeof(tmp), str_frmt->string,
+ str_frmt->params[0],
+ str_frmt->params[1],
+ str_frmt->params[2],
+ str_frmt->params[3],
+ str_frmt->params[4],
+ str_frmt->params[5],
+ str_frmt->params[6]);
trace_mlx5_fw(dev->tracer, trace_timestamp, str_frmt->lost,
str_frmt->event_id, tmp);
@@ -603,6 +648,13 @@ static int mlx5_tracer_handle_raw_string(struct mlx5_fw_tracer *tracer,
return 0;
}
+static void mlx5_tracer_handle_bad_format_string(struct mlx5_fw_tracer *tracer,
+ struct tracer_string_format *cur_string)
+{
+ cur_string->invalid_string = true;
+ list_add_tail(&cur_string->list, &tracer->ready_strings_list);
+}
+
static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
struct tracer_event *tracer_event)
{
@@ -613,12 +665,18 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
if (!cur_string)
return mlx5_tracer_handle_raw_string(tracer, tracer_event);
- cur_string->num_of_params = mlx5_tracer_get_num_of_params(cur_string->string);
- cur_string->last_param_num = 0;
cur_string->event_id = tracer_event->event_id;
cur_string->tmsn = tracer_event->string_event.tmsn;
cur_string->timestamp = tracer_event->string_event.timestamp;
cur_string->lost = tracer_event->lost_event;
+ cur_string->last_param_num = 0;
+ cur_string->num_of_params = mlx5_tracer_get_num_of_params(cur_string->string);
+ if (cur_string->num_of_params < 0) {
+ pr_debug("%s Invalid format string parameters\n",
+ __func__);
+ mlx5_tracer_handle_bad_format_string(tracer, cur_string);
+ return 0;
+ }
if (cur_string->num_of_params == 0) /* trace with no params */
list_add_tail(&cur_string->list, &tracer->ready_strings_list);
} else {
@@ -628,6 +686,11 @@ static int mlx5_tracer_handle_string_trace(struct mlx5_fw_tracer *tracer,
__func__, tracer_event->string_event.tmsn);
return mlx5_tracer_handle_raw_string(tracer, tracer_event);
}
+ if (cur_string->num_of_params < 0) {
+ pr_debug("%s string parameter of invalid string, dumping\n",
+ __func__);
+ return 0;
+ }
cur_string->last_param_num += 1;
if (cur_string->last_param_num > TRACER_MAX_PARAMS) {
pr_debug("%s Number of params exceeds the max (%d)\n",
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
index 568efb1e2bd24..603ef441f1b21 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.h
@@ -117,6 +117,7 @@ struct tracer_string_format {
struct list_head list;
u32 timestamp;
bool lost;
+ bool invalid_string;
};
enum mlx5_fw_tracer_ownership_state {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 241/554] net/mlx5: fw_tracer, Handle escaped percent properly
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 240/554] net/mlx5: fw_tracer, Validate format string parameters Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 242/554] net: hns3: using the num_tqps in the vf driver to apply for resources Greg Kroah-Hartman
` (318 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Breno Leitao,
Moshe Shemesh, Tariq Toukan, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit c0289f67f7d6a0dfba0e92cfe661a5c70c8c6e92 ]
The firmware tracer's format string validation and parameter counting
did not properly handle escaped percent signs (%%). This caused
fw_tracer to count more parameters when trace format strings contained
literal percent characters.
To fix it, allow %% to pass string validation and skip %% sequences when
counting parameters since they represent literal percent signs rather
than format specifiers.
Fixes: 70dd6fdb8987 ("net/mlx5: FW tracer, parse traces and kernel tracing support")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reported-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Closes: https://lore.kernel.org/netdev/hanz6rzrb2bqbplryjrakvkbmv4y5jlmtthnvi3thg5slqvelp@t3s3erottr6s/
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/1765284977-1363052-5-git-send-email-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../mellanox/mlx5/core/diag/fw_tracer.c | 20 +++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
index 6b49bda8bea2a..1779ff98b5892 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
@@ -364,11 +364,11 @@ static bool mlx5_is_valid_spec(const char *str)
while (isdigit(*str) || *str == '#' || *str == '.' || *str == 'l')
str++;
- /* Check if it's a valid integer/hex specifier:
+ /* Check if it's a valid integer/hex specifier or %%:
* Valid formats: %x, %d, %i, %u, etc.
*/
if (*str != 'x' && *str != 'X' && *str != 'd' && *str != 'i' &&
- *str != 'u' && *str != 'c')
+ *str != 'u' && *str != 'c' && *str != '%')
return false;
return true;
@@ -386,7 +386,11 @@ static bool mlx5_tracer_validate_params(const char *str)
if (!mlx5_is_valid_spec(substr + 1))
return false;
- substr = strstr(substr + 1, PARAM_CHAR);
+ if (*(substr + 1) == '%')
+ substr = strstr(substr + 2, PARAM_CHAR);
+ else
+ substr = strstr(substr + 1, PARAM_CHAR);
+
}
return true;
@@ -463,11 +467,15 @@ static int mlx5_tracer_get_num_of_params(char *str)
substr = strstr(pstr, VAL_PARM);
}
- /* count all the % characters */
+ /* count all the % characters, but skip %% (escaped percent) */
substr = strstr(str, PARAM_CHAR);
while (substr) {
- num_of_params += 1;
- str = substr + 1;
+ if (*(substr + 1) != '%') {
+ num_of_params += 1;
+ str = substr + 1;
+ } else {
+ str = substr + 2;
+ }
substr = strstr(str, PARAM_CHAR);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 242/554] net: hns3: using the num_tqps in the vf driver to apply for resources
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 241/554] net/mlx5: fw_tracer, Handle escaped percent properly Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 243/554] net: hns3: Align type of some variables with their print type Greg Kroah-Hartman
` (317 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit c2a16269742e176fccdd0ef9c016a233491a49ad ]
Currently, hdev->htqp is allocated using hdev->num_tqps, and kinfo->tqp
is allocated using kinfo->num_tqps. However, kinfo->num_tqps is set to
min(new_tqps, hdev->num_tqps); Therefore, kinfo->num_tqps may be smaller
than hdev->num_tqps, which causes some hdev->htqp[i] to remain
uninitialized in hclgevf_knic_setup().
Thus, this patch allocates hdev->htqp and kinfo->tqp using hdev->num_tqps,
ensuring that the lengths of hdev->htqp and kinfo->tqp are consistent
and that all elements are properly initialized.
Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-2-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
index 94e615177ff14..0f3c91afba02b 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
@@ -458,12 +458,12 @@ static int hclgevf_knic_setup(struct hclgevf_dev *hdev)
new_tqps = kinfo->rss_size * num_tc;
kinfo->num_tqps = min(new_tqps, hdev->num_tqps);
- kinfo->tqp = devm_kcalloc(&hdev->pdev->dev, kinfo->num_tqps,
+ kinfo->tqp = devm_kcalloc(&hdev->pdev->dev, hdev->num_tqps,
sizeof(struct hnae3_queue *), GFP_KERNEL);
if (!kinfo->tqp)
return -ENOMEM;
- for (i = 0; i < kinfo->num_tqps; i++) {
+ for (i = 0; i < hdev->num_tqps; i++) {
hdev->htqp[i].q.handle = &hdev->nic;
hdev->htqp[i].q.tqp_index = i;
kinfo->tqp[i] = &hdev->htqp[i].q;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 243/554] net: hns3: Align type of some variables with their print type
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 242/554] net: hns3: using the num_tqps in the vf driver to apply for resources Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 244/554] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Greg Kroah-Hartman
` (316 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hao Chen, Guangbin Huang,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hao Chen <chenhao288@hisilicon.com>
[ Upstream commit 0cc25c6a14efd709f2cfcde345e3d5c6aa20f80e ]
The c language has a set of implicit type conversions, when
two variables perform bitwise or arithmetic operations.
For example, variable A (type u16/u8) -1, its output is int type variable.
u16/u8 will convert to int type implicitly before it does arithmetic
operations. So, change 1 to unsigned type.
Signed-off-by: Hao Chen <chenhao288@hisilicon.com>
Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: d180c11aa8a6 ("net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c | 2 +-
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 4 ++--
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c
index 63665e8a7c718..016cd7cf11931 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c
@@ -99,7 +99,7 @@ static void hclge_dbg_fill_content(char *content, u16 len,
static char *hclge_dbg_get_func_id_str(char *buf, u8 id)
{
if (id)
- sprintf(buf, "vf%u", id - 1);
+ sprintf(buf, "vf%u", id - 1U);
else
sprintf(buf, "pf");
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index 492a754f84a94..1dffd1532bd76 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -6692,7 +6692,7 @@ static int hclge_fd_parse_ring_cookie(struct hclge_dev *hdev, u64 ring_cookie,
if (vf > hdev->num_req_vfs) {
dev_err(&hdev->pdev->dev,
"Error: vf id (%u) should be less than %u\n",
- vf - 1, hdev->num_req_vfs);
+ vf - 1U, hdev->num_req_vfs);
return -EINVAL;
}
@@ -6702,7 +6702,7 @@ static int hclge_fd_parse_ring_cookie(struct hclge_dev *hdev, u64 ring_cookie,
if (ring >= tqps) {
dev_err(&hdev->pdev->dev,
"Error: queue id (%u) > max tqp num (%u)\n",
- ring, tqps - 1);
+ ring, tqps - 1U);
return -EINVAL;
}
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index e2fe41d3972fb..e2cd0eb124bac 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -190,7 +190,7 @@ static int hclge_get_ring_chain_from_mbx(
if (req->msg.param[i].tqp_index >= vport->nic.kinfo.rss_size) {
dev_err(&hdev->pdev->dev, "tqp index(%u) is out of range(0-%u)\n",
req->msg.param[i].tqp_index,
- vport->nic.kinfo.rss_size - 1);
+ vport->nic.kinfo.rss_size - 1U);
return -EINVAL;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 244/554] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 243/554] net: hns3: Align type of some variables with their print type Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 245/554] net: hns3: add VLAN id validation before using Greg Kroah-Hartman
` (315 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit d180c11aa8a6fa735f9ac2c72c61364a9afc2ba7 ]
Currently, rss_size = num_tqps / tc_num. If tc_num is 1, then num_tqps
equals rss_size. However, if the tc_num is greater than 1, then rss_size
will be less than num_tqps, causing the tqp_index check for subsequent TCs
using rss_size to always fail.
This patch uses the num_tqps to check whether tqp_index is out of range,
instead of rss_size.
Fixes: 326334aad024 ("net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx()")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-3-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index e2cd0eb124bac..f1823dd4473f7 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -187,10 +187,10 @@ static int hclge_get_ring_chain_from_mbx(
return -EINVAL;
for (i = 0; i < ring_num; i++) {
- if (req->msg.param[i].tqp_index >= vport->nic.kinfo.rss_size) {
+ if (req->msg.param[i].tqp_index >= vport->nic.kinfo.num_tqps) {
dev_err(&hdev->pdev->dev, "tqp index(%u) is out of range(0-%u)\n",
req->msg.param[i].tqp_index,
- vport->nic.kinfo.rss_size - 1U);
+ vport->nic.kinfo.num_tqps - 1U);
return -EINVAL;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 245/554] net: hns3: add VLAN id validation before using
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 244/554] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 246/554] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Greg Kroah-Hartman
` (314 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jian Shen, Jijie Shao, Simon Horman,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jian Shen <shenjian15@huawei.com>
[ Upstream commit 6ef935e65902bfed53980ad2754b06a284ea8ac1 ]
Currently, the VLAN id may be used without validation when
receive a VLAN configuration mailbox from VF. The length of
vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID). It may cause
out-of-bounds memory access once the VLAN id is bigger than
or equal to VLAN_N_VID.
Therefore, VLAN id needs to be checked to ensure it is within
the range of VLAN_N_VID.
Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211023737.2327018-4-shaojijie@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index 1dffd1532bd76..dd9d5df31905a 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -10682,6 +10682,9 @@ int hclge_set_vlan_filter(struct hnae3_handle *handle, __be16 proto,
bool writen_to_tbl = false;
int ret = 0;
+ if (vlan_id >= VLAN_N_VID)
+ return -EINVAL;
+
/* When device is resetting or reset failed, firmware is unable to
* handle mailbox. Just record the vlan id, and remove it after
* reset finished.
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 246/554] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 245/554] net: hns3: add VLAN id validation before using Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 247/554] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Greg Kroah-Hartman
` (313 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ping Cheng, stable, Jiri Kosina
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ping Cheng <pinglinux@gmail.com>
commit 7953794f741e94d30df9dafaaa4c031c85b891d6 upstream.
HID_GD_Z is mapped to ABS_Z for stylus and pen in hid-input.c. But HID_GD_Z
should be used to report ABS_DISTANCE for stylus and pen as described at:
Documentation/input/event-codes.rst#n226
* ABS_DISTANCE:
- Used to describe the distance of a tool from an interaction surface. This
event should only be emitted while the tool is hovering, meaning in close
proximity of the device and while the value of the BTN_TOUCH code is 0. If
the input device may be used freely in three dimensions, consider ABS_Z
instead.
- BTN_TOOL_<name> should be set to 1 when the tool comes into detectable
proximity and set to 0 when the tool leaves detectable proximity.
BTN_TOOL_<name> signals the type of tool that is currently detected by the
hardware and is otherwise independent of ABS_DISTANCE and/or BTN_TOUCH.
This patch makes the correct mapping. The ABS_DISTANCE is currently not mapped
by any HID usage in hid-generic driver.
Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-input.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -752,7 +752,7 @@ static void hidinput_configure_usage(str
switch (usage->hid) {
/* These usage IDs map directly to the usage codes. */
- case HID_GD_X: case HID_GD_Y: case HID_GD_Z:
+ case HID_GD_X: case HID_GD_Y:
case HID_GD_RX: case HID_GD_RY: case HID_GD_RZ:
if (field->flags & HID_MAIN_ITEM_RELATIVE)
map_rel(usage->hid & 0xf);
@@ -760,6 +760,22 @@ static void hidinput_configure_usage(str
map_abs_clear(usage->hid & 0xf);
break;
+ case HID_GD_Z:
+ /* HID_GD_Z is mapped to ABS_DISTANCE for stylus/pen */
+ if (field->flags & HID_MAIN_ITEM_RELATIVE) {
+ map_rel(usage->hid & 0xf);
+ } else {
+ if (field->application == HID_DG_PEN ||
+ field->physical == HID_DG_PEN ||
+ field->logical == HID_DG_STYLUS ||
+ field->physical == HID_DG_STYLUS ||
+ field->application == HID_DG_DIGITIZER)
+ map_abs_clear(ABS_DISTANCE);
+ else
+ map_abs_clear(usage->hid & 0xf);
+ }
+ break;
+
case HID_GD_WHEEL:
if (field->flags & HID_MAIN_ITEM_RELATIVE) {
set_bit(REL_WHEEL, input->relbit);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 247/554] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 246/554] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 248/554] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
` (312 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junjie Cao, Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junjie Cao <junjie.cao@intel.com>
commit 248d3a73a0167dce15ba100477c3e778c4787178 upstream.
The current validation 'wire_order[i] > ARRAY_SIZE(config_pins)' allows
wire_order[i] to equal ARRAY_SIZE(config_pins), which causes out-of-bounds
access when used as index in 'config_pins[wire_order[i]]'.
Since config_pins has 4 elements (indices 0-3), the valid range for
wire_order should be 0-3. Fix the off-by-one error by using >= instead
of > in the validation check.
Signed-off-by: Junjie Cao <junjie.cao@intel.com>
Link: https://patch.msgid.link/20251114062817.852698-1-junjie.cao@intel.com
Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made configurable")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/touchscreen/ti_am335x_tsc.c
+++ b/drivers/input/touchscreen/ti_am335x_tsc.c
@@ -86,7 +86,7 @@ static int titsc_config_wires(struct tit
wire_order[i] = ts_dev->config_inp[i] & 0x0F;
if (WARN_ON(analog_line[i] > 7))
return -EINVAL;
- if (WARN_ON(wire_order[i] > ARRAY_SIZE(config_pins)))
+ if (WARN_ON(wire_order[i] >= ARRAY_SIZE(config_pins)))
return -EINVAL;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 248/554] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 247/554] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 249/554] ACPI: CPPC: Fix missing PCC check for guaranteed_perf Greg Kroah-Hartman
` (311 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoffer Sandberg, Werner Sembach,
Dmitry Torokhov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoffer Sandberg <cs@tuxedo.de>
commit aed3716db7fff74919cc5775ca3a80c8bb246489 upstream.
The device occasionally wakes up from suspend with missing input on the
internal keyboard and the following suspend attempt results in an instant
wake-up. The quirks fix both issues for this device.
Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251124203336.64072-1-wse@tuxedocomputers.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/serio/i8042-acpipnpio.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/input/serio/i8042-acpipnpio.h
+++ b/drivers/input/serio/i8042-acpipnpio.h
@@ -1161,6 +1161,13 @@ static const struct dmi_system_id i8042_
.driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_BOARD_NAME, "X5KK45xS_X5SP45xS"),
+ },
+ .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
+ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
+ },
/*
* A lot of modern Clevo barebones have touchpad and/or keyboard issues
* after suspend fixable with nomux + reset + noloop + nopnp. Luckily,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 249/554] ACPI: CPPC: Fix missing PCC check for guaranteed_perf
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 248/554] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 250/554] spi: fsl-cpm: Check length parity before switching to 16 bit mode Greg Kroah-Hartman
` (310 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pengjie Zhang, Rafael J. Wysocki
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pengjie Zhang <zhangpengjie2@huawei.com>
commit 6ea3a44cef28add2d93b1ef119d84886cb1e3c9b upstream.
The current implementation overlooks the 'guaranteed_perf'
register in this check.
If the Guaranteed Performance register is located in the PCC
subspace, the function currently attempts to read it without
acquiring the lock and without sending the CMD_READ doorbell
to the firmware. This can result in reading stale data.
Fixes: 29523f095397 ("ACPI / CPPC: Add support for guaranteed performance")
Signed-off-by: Pengjie Zhang <zhangpengjie2@huawei.com>
Cc: 4.20+ <stable@vger.kernel.org> # 4.20+
[ rjw: Subject and changelog edits ]
Link: https://patch.msgid.link/20251210132227.1988380-1-zhangpengjie2@huawei.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/cppc_acpi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -1198,7 +1198,8 @@ int cppc_get_perf_caps(int cpunum, struc
/* Are any of the regs PCC ?*/
if (CPC_IN_PCC(highest_reg) || CPC_IN_PCC(lowest_reg) ||
CPC_IN_PCC(lowest_non_linear_reg) || CPC_IN_PCC(nominal_reg) ||
- CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg)) {
+ CPC_IN_PCC(low_freq_reg) || CPC_IN_PCC(nom_freq_reg) ||
+ CPC_IN_PCC(guaranteed_reg)) {
if (pcc_ss_id < 0) {
pr_debug("Invalid pcc_ss_id\n");
return -ENODEV;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 250/554] spi: fsl-cpm: Check length parity before switching to 16 bit mode
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 249/554] ACPI: CPPC: Fix missing PCC check for guaranteed_perf Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 251/554] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Greg Kroah-Hartman
` (309 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Sverdlin Alexander,
Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
commit 1417927df8049a0194933861e9b098669a95c762 upstream.
Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
with even size") failed to make sure that the size is really even
before switching to 16 bit mode. Until recently the problem went
unnoticed because kernfs uses a pre-allocated bounce buffer of size
PAGE_SIZE for reading EEPROM.
But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
introduced an additional dynamically allocated bounce buffer whose size
is exactly the size of the transfer, leading to a buffer overrun in
the fsl-cpm driver when that size is odd.
Add the missing length parity verification and remain in 8 bit mode
when the length is not even.
Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size")
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/all/638496dd-ec60-4e53-bad7-eb657f67d580@csgroup.eu/
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Reviewed-by: Sverdlin Alexander <alexander.sverdlin@siemens.com>
Link: https://patch.msgid.link/3c4d81c3923c93f95ec56702a454744a4bad3cfc.1763627618.git.christophe.leroy@csgroup.eu
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-fsl-spi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-fsl-spi.c
+++ b/drivers/spi/spi-fsl-spi.c
@@ -369,7 +369,7 @@ static int fsl_spi_do_one_msg(struct spi
if (t->bits_per_word == 16 || t->bits_per_word == 32)
t->bits_per_word = 8; /* pretend its 8 bits */
if (t->bits_per_word == 8 && t->len >= 256 &&
- (mpc8xxx_spi->flags & SPI_CPM1))
+ !(t->len & 1) && (mpc8xxx_spi->flags & SPI_CPM1))
t->bits_per_word = 16;
}
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 251/554] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 250/554] spi: fsl-cpm: Check length parity before switching to 16 bit mode Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 252/554] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Greg Kroah-Hartman
` (308 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jared Kangas, Haibo Chen,
Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jared Kangas <jkangas@redhat.com>
commit d3ecb12e2e04ce53c95f933c462f2d8b150b965b upstream.
MMC_SDHCI_ESDHC_IMX requires ARCH_MXC despite also being used on
ARCH_S32, which results in unmet dependencies when compiling strictly
for ARCH_S32. Resolve this by adding ARCH_S32 as an alternative to
ARCH_MXC in the driver's dependencies.
Fixes: 5c4f00627c9a ("mmc: sdhci-esdhc-imx: add NXP S32G2 support")
Cc: stable@bvger.kernel.org
Signed-off-by: Jared Kangas <jkangas@redhat.com>
Reviewed-by: Haibo Chen <haibo.chen@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/mmc/host/Kconfig
+++ b/drivers/mmc/host/Kconfig
@@ -276,14 +276,14 @@ config MMC_SDHCI_ESDHC_MCF
config MMC_SDHCI_ESDHC_IMX
tristate "SDHCI support for the Freescale eSDHC/uSDHC i.MX controller"
- depends on ARCH_MXC || COMPILE_TEST
+ depends on ARCH_MXC || ARCH_S32 || COMPILE_TEST
depends on MMC_SDHCI_PLTFM
depends on OF
select MMC_SDHCI_IO_ACCESSORS
select MMC_CQHCI
help
This selects the Freescale eSDHC/uSDHC controller support
- found on i.MX25, i.MX35 i.MX5x and i.MX6x.
+ found on i.MX25, i.MX35, i.MX5x, i.MX6x, and S32G.
If you have a controller with this interface, say Y or M here.
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 252/554] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 251/554] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 253/554] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Greg Kroah-Hartman
` (307 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+2fa344348a579b779e05,
Shaurya Rane, Felix Maurer, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
commit 188e0fa5a679570ea35474575e724d8211423d17 upstream.
prp_get_untagged_frame() calls __pskb_copy() to create frame->skb_std
but doesn't check if the allocation failed. If __pskb_copy() returns
NULL, skb_clone() is called with a NULL pointer, causing a crash:
Oops: general protection fault, probably for non-canonical address 0xdffffc000000000f: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000078-0x000000000000007f]
CPU: 0 UID: 0 PID: 5625 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:skb_clone+0xd7/0x3a0 net/core/skbuff.c:2041
Code: 03 42 80 3c 20 00 74 08 4c 89 f7 e8 23 29 05 f9 49 83 3e 00 0f 85 a0 01 00 00 e8 94 dd 9d f8 48 8d 6b 7e 49 89 ee 49 c1 ee 03 <43> 0f b6 04 26 84 c0 0f 85 d1 01 00 00 44 0f b6 7d 00 41 83 e7 0c
RSP: 0018:ffffc9000d00f200 EFLAGS: 00010207
RAX: ffffffff892235a1 RBX: 0000000000000000 RCX: ffff88803372a480
RDX: 0000000000000000 RSI: 0000000000000820 RDI: 0000000000000000
RBP: 000000000000007e R08: ffffffff8f7d0f77 R09: 1ffffffff1efa1ee
R10: dffffc0000000000 R11: fffffbfff1efa1ef R12: dffffc0000000000
R13: 0000000000000820 R14: 000000000000000f R15: ffff88805144cc00
FS: 0000555557f6d500(0000) GS:ffff88808d72f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555581d35808 CR3: 000000005040e000 CR4: 0000000000352ef0
Call Trace:
<TASK>
hsr_forward_do net/hsr/hsr_forward.c:-1 [inline]
hsr_forward_skb+0x1013/0x2860 net/hsr/hsr_forward.c:741
hsr_handle_frame+0x6ce/0xa70 net/hsr/hsr_slave.c:84
__netif_receive_skb_core+0x10b9/0x4380 net/core/dev.c:5966
__netif_receive_skb_one_core net/core/dev.c:6077 [inline]
__netif_receive_skb+0x72/0x380 net/core/dev.c:6192
netif_receive_skb_internal net/core/dev.c:6278 [inline]
netif_receive_skb+0x1cb/0x790 net/core/dev.c:6337
tun_rx_batched+0x1b9/0x730 drivers/net/tun.c:1485
tun_get_user+0x2b65/0x3e90 drivers/net/tun.c:1953
tun_chr_write_iter+0x113/0x200 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5c9/0xb30 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0449f8e1ff
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007ffd7ad94c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f044a1e5fa0 RCX: 00007f0449f8e1ff
RDX: 000000000000003e RSI: 0000200000000500 RDI: 00000000000000c8
RBP: 00007ffd7ad94d20 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000003e R11: 0000000000000293 R12: 0000000000000001
R13: 00007f044a1e5fa0 R14: 00007f044a1e5fa0 R15: 0000000000000003
</TASK>
Add a NULL check immediately after __pskb_copy() to handle allocation
failures gracefully.
Reported-by: syzbot+2fa344348a579b779e05@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2fa344348a579b779e05
Fixes: f266a683a480 ("net/hsr: Better frame dispatch")
Cc: stable@vger.kernel.org
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Reviewed-by: Felix Maurer <fmaurer@redhat.com>
Tested-by: Felix Maurer <fmaurer@redhat.com>
Link: https://patch.msgid.link/20251129093718.25320-1-ssrane_b23@ee.vjti.ac.in
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/hsr/hsr_forward.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -134,6 +134,8 @@ struct sk_buff *prp_get_untagged_frame(s
__pskb_copy(frame->skb_prp,
skb_headroom(frame->skb_prp),
GFP_ATOMIC);
+ if (!frame->skb_std)
+ return NULL;
} else {
/* Unexpected */
WARN_ONCE(1, "%s:%d: Unexpected frame received (port_src %s)\n",
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 253/554] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 252/554] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 254/554] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe " Greg Kroah-Hartman
` (306 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 2a03b40deacbd293ac9aed0f9b11197dad54fe5f ]
When vxpocket_config() fails, vxpocket_probe() returns the error code
directly without freeing the sound card resources allocated by
snd_card_new(), which leads to a memory leak.
Add proper error handling to free the sound card and clear the
allocation bit when vxpocket_config() fails.
Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251215042652.695-1-vulab@iscas.ac.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pcmcia/vx/vxpocket.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/pcmcia/vx/vxpocket.c b/sound/pcmcia/vx/vxpocket.c
index 7a0f0e73ceb2..867a477d53ae 100644
--- a/sound/pcmcia/vx/vxpocket.c
+++ b/sound/pcmcia/vx/vxpocket.c
@@ -295,7 +295,13 @@ static int vxpocket_probe(struct pcmcia_device *p_dev)
vxp->p_dev = p_dev;
- return vxpocket_config(p_dev);
+ err = vxpocket_config(p_dev);
+ if (err < 0) {
+ card_alloc &= ~(1 << i);
+ snd_card_free(card);
+ return err;
+ }
+ return 0;
}
static void vxpocket_detach(struct pcmcia_device *link)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 254/554] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe error path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 253/554] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 255/554] ALSA: usb-mixer: us16x08: validate meter packet indices Greg Kroah-Hartman
` (305 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Haotian Zhang,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 5032347c04ba7ff9ba878f262e075d745c06a2a8 ]
When pdacf_config() fails, snd_pdacf_probe() returns the error code
directly without freeing the sound card resources allocated by
snd_card_new(), which leads to a memory leak.
Add proper error handling to free the sound card and clear the card
list entry when pdacf_config() fails.
Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251215090433.211-1-vulab@iscas.ac.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pcmcia/pdaudiocf/pdaudiocf.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/pcmcia/pdaudiocf/pdaudiocf.c b/sound/pcmcia/pdaudiocf/pdaudiocf.c
index 8363ec08df5d..4468d81683ec 100644
--- a/sound/pcmcia/pdaudiocf/pdaudiocf.c
+++ b/sound/pcmcia/pdaudiocf/pdaudiocf.c
@@ -132,7 +132,13 @@ static int snd_pdacf_probe(struct pcmcia_device *link)
link->config_index = 1;
link->config_regs = PRESENT_OPTION;
- return pdacf_config(link);
+ err = pdacf_config(link);
+ if (err < 0) {
+ card_list[i] = NULL;
+ snd_card_free(card);
+ return err;
+ }
+ return 0;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 255/554] ALSA: usb-mixer: us16x08: validate meter packet indices
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 254/554] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe " Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 256/554] ipmi: Fix the race between __scan_channels() and deliver_response() Greg Kroah-Hartman
` (304 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, DARKNAVY (@DarkNavyOrg), Shipei Qu,
Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shipei Qu <qu@darknavy.com>
[ Upstream commit 5526c1c6ba1d0913c7dfcbbd6fe1744ea7c55f1e ]
get_meter_levels_from_urb() parses the 64-byte meter packets sent by
the device and fills the per-channel arrays meter_level[],
comp_level[] and master_level[] in struct snd_us16x08_meter_store.
Currently the function derives the channel index directly from the
meter packet (MUB2(meter_urb, s) - 1) and uses it to index those
arrays without validating the range. If the packet contains a
negative or out-of-range channel number, the driver may write past
the end of these arrays.
Introduce a local channel variable and validate it before updating the
arrays. We reject negative indices, limit meter_level[] and
comp_level[] to SND_US16X08_MAX_CHANNELS, and guard master_level[]
updates with ARRAY_SIZE(master_level).
Fixes: d2bb390a2081 ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
Closes: https://lore.kernel.org/tencent_21C112743C44C1A2517FF219@qq.com
Signed-off-by: Shipei Qu <qu@darknavy.com>
Link: https://patch.msgid.link/20251217024630.59576-1-qu@darknavy.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer_us16x08.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/sound/usb/mixer_us16x08.c b/sound/usb/mixer_us16x08.c
index 2f6fa722442f..c13bc858e282 100644
--- a/sound/usb/mixer_us16x08.c
+++ b/sound/usb/mixer_us16x08.c
@@ -656,17 +656,25 @@ static void get_meter_levels_from_urb(int s,
u8 *meter_urb)
{
int val = MUC2(meter_urb, s) + (MUC3(meter_urb, s) << 8);
+ int ch = MUB2(meter_urb, s) - 1;
+
+ if (ch < 0)
+ return;
if (MUA0(meter_urb, s) == 0x61 && MUA1(meter_urb, s) == 0x02 &&
MUA2(meter_urb, s) == 0x04 && MUB0(meter_urb, s) == 0x62) {
- if (MUC0(meter_urb, s) == 0x72)
- store->meter_level[MUB2(meter_urb, s) - 1] = val;
- if (MUC0(meter_urb, s) == 0xb2)
- store->comp_level[MUB2(meter_urb, s) - 1] = val;
+ if (ch < SND_US16X08_MAX_CHANNELS) {
+ if (MUC0(meter_urb, s) == 0x72)
+ store->meter_level[ch] = val;
+ if (MUC0(meter_urb, s) == 0xb2)
+ store->comp_level[ch] = val;
+ }
}
if (MUA0(meter_urb, s) == 0x61 && MUA1(meter_urb, s) == 0x02 &&
- MUA2(meter_urb, s) == 0x02 && MUB0(meter_urb, s) == 0x62)
- store->master_level[MUB2(meter_urb, s) - 1] = val;
+ MUA2(meter_urb, s) == 0x02 && MUB0(meter_urb, s) == 0x62) {
+ if (ch < ARRAY_SIZE(store->master_level))
+ store->master_level[ch] = val;
+ }
}
/* Function to retrieve current meter values from the device.
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 256/554] ipmi: Fix the race between __scan_channels() and deliver_response()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 255/554] ALSA: usb-mixer: us16x08: validate meter packet indices Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 257/554] ipmi: Fix __scan_channels() failing to rescan channels Greg Kroah-Hartman
` (303 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Corey Minyard,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
[ Upstream commit 936750fdba4c45e13bbd17f261bb140dd55f5e93 ]
The race window between __scan_channels() and deliver_response() causes
the parameters of some channels to be set to 0.
1.[CPUA] __scan_channels() issues an IPMI request and waits with
wait_event() until all channels have been scanned.
wait_event() internally calls might_sleep(), which might
yield the CPU. (Moreover, an interrupt can preempt
wait_event() and force the task to yield the CPU.)
2.[CPUB] deliver_response() is invoked when the CPU receives the
IPMI response. After processing a IPMI response,
deliver_response() directly assigns intf->wchannels to
intf->channel_list and sets intf->channels_ready to true.
However, not all channels are actually ready for use.
3.[CPUA] Since intf->channels_ready is already true, wait_event()
never enters __wait_event(). __scan_channels() immediately
clears intf->null_user_handler and exits.
4.[CPUB] Once intf->null_user_handler is set to NULL, deliver_response()
ignores further IPMI responses, leaving the remaining
channels zero-initialized and unusable.
CPUA CPUB
------------------------------- -----------------------------
__scan_channels()
intf->null_user_handler
= channel_handler;
send_channel_info_cmd(intf,
0);
wait_event(intf->waitq,
intf->channels_ready);
do {
might_sleep();
deliver_response()
channel_handler()
intf->channel_list =
intf->wchannels + set;
intf->channels_ready = true;
send_channel_info_cmd(intf,
intf->curr_channel);
if (condition)
break;
__wait_event(wq_head,
condition);
} while(0)
intf->null_user_handler
= NULL;
deliver_response()
if (!msg->user)
if (intf->null_user_handler)
rv = -EINVAL;
return rv;
------------------------------- -----------------------------
Fix the race between __scan_channels() and deliver_response() by
deferring both the assignment intf->channel_list = intf->wchannels
and the flag intf->channels_ready = true until all channels have
been successfully scanned or until the IPMI request has failed.
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Message-ID: <20250930074239.2353-2-guojinhui.liam@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index af563ee827aa..98ccba19292a 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -3292,8 +3292,6 @@ channel_handler(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
intf->channels_ready = true;
wake_up(&intf->waitq);
} else {
- intf->channel_list = intf->wchannels + set;
- intf->channels_ready = true;
rv = send_channel_info_cmd(intf, intf->curr_channel);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 257/554] ipmi: Fix __scan_channels() failing to rescan channels
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 256/554] ipmi: Fix the race between __scan_channels() and deliver_response() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 258/554] firmware: imx: scu-irq: Init workqueue before request mbox channel Greg Kroah-Hartman
` (302 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinhui Guo, Corey Minyard,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinhui Guo <guojinhui.liam@bytedance.com>
[ Upstream commit 6bd30d8fc523fb880b4be548e8501bc0fe8f42d4 ]
channel_handler() sets intf->channels_ready to true but never
clears it, so __scan_channels() skips any rescan. When the BMC
firmware changes a rescan is required. Allow it by clearing
the flag before starting a new scan.
Signed-off-by: Jinhui Guo <guojinhui.liam@bytedance.com>
Message-ID: <20250930074239.2353-3-guojinhui.liam@bytedance.com>
Signed-off-by: Corey Minyard <corey@minyard.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 98ccba19292a..d680e4d46992 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -593,7 +593,8 @@ static void __ipmi_bmc_unregister(struct ipmi_smi *intf);
static int __ipmi_bmc_register(struct ipmi_smi *intf,
struct ipmi_device_id *id,
bool guid_set, guid_t *guid, int intf_num);
-static int __scan_channels(struct ipmi_smi *intf, struct ipmi_device_id *id);
+static int __scan_channels(struct ipmi_smi *intf,
+ struct ipmi_device_id *id, bool rescan);
/**
@@ -2543,7 +2544,7 @@ static int __bmc_get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc,
if (__ipmi_bmc_register(intf, &id, guid_set, &guid, intf_num))
need_waiter(intf); /* Retry later on an error. */
else
- __scan_channels(intf, &id);
+ __scan_channels(intf, &id, false);
if (!intf_set) {
@@ -2563,7 +2564,7 @@ static int __bmc_get_device_id(struct ipmi_smi *intf, struct bmc_device *bmc,
goto out_noprocessing;
} else if (memcmp(&bmc->fetch_id, &bmc->id, sizeof(bmc->id)))
/* Version info changes, scan the channels again. */
- __scan_channels(intf, &bmc->fetch_id);
+ __scan_channels(intf, &bmc->fetch_id, true);
bmc->dyn_id_expiry = jiffies + IPMI_DYN_DEV_ID_EXPIRY;
@@ -3313,10 +3314,17 @@ channel_handler(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
/*
* Must be holding intf->bmc_reg_mutex to call this.
*/
-static int __scan_channels(struct ipmi_smi *intf, struct ipmi_device_id *id)
+static int __scan_channels(struct ipmi_smi *intf,
+ struct ipmi_device_id *id,
+ bool rescan)
{
int rv;
+ if (rescan) {
+ /* Clear channels_ready to force channels rescan. */
+ intf->channels_ready = false;
+ }
+
if (ipmi_version_major(id) > 1
|| (ipmi_version_major(id) == 1
&& ipmi_version_minor(id) >= 5)) {
@@ -3488,7 +3496,7 @@ int ipmi_add_smi(struct module *owner,
}
mutex_lock(&intf->bmc_reg_mutex);
- rv = __scan_channels(intf, &id);
+ rv = __scan_channels(intf, &id, false);
mutex_unlock(&intf->bmc_reg_mutex);
if (rv)
goto out_err_bmc_reg;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 258/554] firmware: imx: scu-irq: Init workqueue before request mbox channel
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 257/554] ipmi: Fix __scan_channels() failing to rescan channels Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 259/554] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Greg Kroah-Hartman
` (301 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Peng Fan, Shawn Guo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 81fb53feb66a3aefbf6fcab73bb8d06f5b0c54ad ]
With mailbox channel requested, there is possibility that interrupts may
come in, so need to make sure the workqueue is initialized before
the queue is scheduled by mailbox rx callback.
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/imx/imx-scu-irq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/imx/imx-scu-irq.c b/drivers/firmware/imx/imx-scu-irq.c
index 32b1ca4e1050..06c49a61a079 100644
--- a/drivers/firmware/imx/imx-scu-irq.c
+++ b/drivers/firmware/imx/imx-scu-irq.c
@@ -148,6 +148,8 @@ int imx_scu_enable_general_irq_channel(struct device *dev)
cl->dev = dev;
cl->rx_callback = imx_scu_irq_callback;
+ INIT_WORK(&imx_sc_irq_work, imx_scu_irq_work_handler);
+
/* SCU general IRQ uses general interrupt channel 3 */
ch = mbox_request_channel_byname(cl, "gip3");
if (IS_ERR(ch)) {
@@ -157,8 +159,6 @@ int imx_scu_enable_general_irq_channel(struct device *dev)
return ret;
}
- INIT_WORK(&imx_sc_irq_work, imx_scu_irq_work_handler);
-
if (!of_parse_phandle_with_args(dev->of_node, "mboxes",
"#mbox-cells", 0, &spec)) {
i = of_alias_get_id(spec.np, "mu");
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 259/554] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 258/554] firmware: imx: scu-irq: Init workqueue before request mbox channel Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 260/554] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Greg Kroah-Hartman
` (300 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthias Schiffer, Alexander Stein,
Kevin Hilman, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Schiffer <matthias.schiffer@tq-group.com>
[ Upstream commit 3f61783920504b2cf99330b372d82914bb004d8e ]
am33xx.dtsi has the same clock setup as am35xx.dtsi, setting
ti,no-reset-on-init and ti,no-idle on timer1_target and timer2_target,
so AM33 needs the same workaround as AM35 to avoid ti-sysc probe
failing on certain target modules.
Signed-off-by: Matthias Schiffer <matthias.schiffer@tq-group.com>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Link: https://lore.kernel.org/r/20250825131114.2206804-1-alexander.stein@ew.tq-group.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/ti-sysc.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
index 20e090723485..12ab9bf160c9 100644
--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -37,6 +37,7 @@ enum sysc_soc {
SOC_UNKNOWN,
SOC_2420,
SOC_2430,
+ SOC_AM33,
SOC_3430,
SOC_AM35,
SOC_3630,
@@ -2946,6 +2947,7 @@ static void ti_sysc_idle(struct work_struct *work)
static const struct soc_device_attribute sysc_soc_match[] = {
SOC_FLAG("OMAP242*", SOC_2420),
SOC_FLAG("OMAP243*", SOC_2430),
+ SOC_FLAG("AM33*", SOC_AM33),
SOC_FLAG("AM35*", SOC_AM35),
SOC_FLAG("OMAP3[45]*", SOC_3430),
SOC_FLAG("OMAP3[67]*", SOC_3630),
@@ -3153,10 +3155,15 @@ static int sysc_check_active_timer(struct sysc *ddata)
* can be dropped if we stop supporting old beagleboard revisions
* A to B4 at some point.
*/
- if (sysc_soc->soc == SOC_3430 || sysc_soc->soc == SOC_AM35)
+ switch (sysc_soc->soc) {
+ case SOC_AM33:
+ case SOC_3430:
+ case SOC_AM35:
error = -ENXIO;
- else
+ break;
+ default:
error = -EBUSY;
+ }
if ((ddata->cfg.quirks & SYSC_QUIRK_NO_RESET_ON_INIT) &&
(ddata->cfg.quirks & SYSC_QUIRK_NO_IDLE))
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 260/554] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 259/554] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 261/554] powerpc/addnote: Fix overflow on 32-bit builds Greg Kroah-Hartman
` (299 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josua Mayer, Andrew Lunn,
Gregory CLEMENT, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
[ Upstream commit f0e6bc0c3ef4b4afb299bd6912586cafd5d864e9 ]
CP110 based platforms rely on the bootloader for pci port
initialization.
TF-A actively prevents non-uboot re-configuration of pci lanes, and many
boards do not have software control over the pci card reset.
If a pci port had link at boot-time and the clock is stopped at a later
point, the link fails and can not be recovered.
PCI controller driver probe - and by extension ownership of a driver for
the pci clocks - may be delayed especially on large modular kernels,
causing the clock core to start disabling unused clocks.
Add the CLK_IGNORE_UNUSED flag to the three pci port's clocks to ensure
they are not stopped before the pci controller driver has taken
ownership and tested for an existing link.
This fixes failed pci link detection when controller driver probes late,
e.g. with arm64 defconfig and CONFIG_PHY_MVEBU_CP110_COMPHY=m.
Closes: https://lore.kernel.org/r/b71596c7-461b-44b6-89ab-3cfbd492639f@solid-run.com
Signed-off-by: Josua Mayer <josua@solid-run.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/mvebu/cp110-system-controller.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/drivers/clk/mvebu/cp110-system-controller.c b/drivers/clk/mvebu/cp110-system-controller.c
index 84c8900542e4..b477396917ad 100644
--- a/drivers/clk/mvebu/cp110-system-controller.c
+++ b/drivers/clk/mvebu/cp110-system-controller.c
@@ -110,6 +110,25 @@ static const char * const gate_base_names[] = {
[CP110_GATE_EIP197] = "eip197"
};
+static unsigned long gate_flags(const u8 bit_idx)
+{
+ switch (bit_idx) {
+ case CP110_GATE_PCIE_X1_0:
+ case CP110_GATE_PCIE_X1_1:
+ case CP110_GATE_PCIE_X4:
+ /*
+ * If a port had an active link at boot time, stopping
+ * the clock creates a failed state from which controller
+ * driver can not recover.
+ * Prevent stopping this clock till after a driver has taken
+ * ownership.
+ */
+ return CLK_IGNORE_UNUSED;
+ default:
+ return 0;
+ }
+};
+
struct cp110_gate_clk {
struct clk_hw hw;
struct regmap *regmap;
@@ -171,6 +190,7 @@ static struct clk_hw *cp110_register_gate(const char *name,
init.ops = &cp110_gate_ops;
init.parent_names = &parent_name;
init.num_parents = 1;
+ init.flags = gate_flags(bit_idx);
gate->regmap = regmap;
gate->bit_idx = bit_idx;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 261/554] powerpc/addnote: Fix overflow on 32-bit builds
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 260/554] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 262/554] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Greg Kroah-Hartman
` (298 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Collins, Christophe Leroy,
Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Collins <bcollins@kernel.org>
[ Upstream commit 825ce89a3ef17f84cf2c0eacfa6b8dc9fd11d13f ]
The PUT_64[LB]E() macros need to cast the value to unsigned long long
like the GET_64[LB]E() macros. Caused lots of warnings when compiled
on 32-bit, and clobbered addresses (36-bit P4080).
Signed-off-by: Ben Collins <bcollins@kernel.org>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/2025042122-mustard-wrasse-694572@boujee-and-buff
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/boot/addnote.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/boot/addnote.c b/arch/powerpc/boot/addnote.c
index 53b3b2621457..78704927453a 100644
--- a/arch/powerpc/boot/addnote.c
+++ b/arch/powerpc/boot/addnote.c
@@ -68,8 +68,8 @@ static int e_class = ELFCLASS32;
#define PUT_16BE(off, v)(buf[off] = ((v) >> 8) & 0xff, \
buf[(off) + 1] = (v) & 0xff)
#define PUT_32BE(off, v)(PUT_16BE((off), (v) >> 16L), PUT_16BE((off) + 2, (v)))
-#define PUT_64BE(off, v)((PUT_32BE((off), (v) >> 32L), \
- PUT_32BE((off) + 4, (v))))
+#define PUT_64BE(off, v)((PUT_32BE((off), (unsigned long long)(v) >> 32L), \
+ PUT_32BE((off) + 4, (unsigned long long)(v))))
#define GET_16LE(off) ((buf[off]) + (buf[(off)+1] << 8))
#define GET_32LE(off) (GET_16LE(off) + (GET_16LE((off)+2U) << 16U))
@@ -78,7 +78,8 @@ static int e_class = ELFCLASS32;
#define PUT_16LE(off, v) (buf[off] = (v) & 0xff, \
buf[(off) + 1] = ((v) >> 8) & 0xff)
#define PUT_32LE(off, v) (PUT_16LE((off), (v)), PUT_16LE((off) + 2, (v) >> 16L))
-#define PUT_64LE(off, v) (PUT_32LE((off), (v)), PUT_32LE((off) + 4, (v) >> 32L))
+#define PUT_64LE(off, v) (PUT_32LE((off), (unsigned long long)(v)), \
+ PUT_32LE((off) + 4, (unsigned long long)(v) >> 32L))
#define GET_16(off) (e_data == ELFDATA2MSB ? GET_16BE(off) : GET_16LE(off))
#define GET_32(off) (e_data == ELFDATA2MSB ? GET_32BE(off) : GET_32LE(off))
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 262/554] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 261/554] powerpc/addnote: Fix overflow on 32-bit builds Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 263/554] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Greg Kroah-Hartman
` (297 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
[ Upstream commit 4f6aaade2a22ac428fa99ed716cf2b87e79c9837 ]
When qla2xxx is loaded with qlini_mode=disabled,
ha->flags.disable_msix_handshake is used before it is set, resulting in
the wrong interrupt handler being used on certain HBAs
(qla2xxx_msix_rsp_q_hs() is used when qla2xxx_msix_rsp_q() should be
used). The only difference between these two interrupt handlers is that
the _hs() version writes to a register to clear the "RISC" interrupt,
whereas the other version does not. So this bug results in the RISC
interrupt being cleared when it should not be. This occasionally causes
a different interrupt handler qla24xx_msix_default() for a different
vector to see ((stat & HSRX_RISC_INT) == 0) and ignore its interrupt,
which then causes problems like:
qla2xxx [0000:02:00.0]-d04c:6: MBX Command timeout for cmd 20,
iocontrol=8 jiffies=1090c0300 mb[0-3]=[0x4000 0x0 0x40 0xda] mb7 0x500
host_status 0x40000010 hccr 0x3f00
qla2xxx [0000:02:00.0]-101e:6: Mailbox cmd timeout occurred, cmd=0x20,
mb[0]=0x20. Scheduling ISP abort
(the cmd varies; sometimes it is 0x20, 0x22, 0x54, 0x5a, 0x5d, or 0x6a)
This problem can be reproduced with a 16 or 32 Gbps HBA by loading
qla2xxx with qlini_mode=disabled and running a high IOPS test while
triggering frequent RSCN database change events.
While analyzing the problem I discovered that even with
disable_msix_handshake forced to 0, it is not necessary to clear the
RISC interrupt from qla2xxx_msix_rsp_q_hs() (more below). So just
completely remove qla2xxx_msix_rsp_q_hs() and the logic for selecting
it, which also fixes the bug with qlini_mode=disabled.
The test below describes the justification for not needing
qla2xxx_msix_rsp_q_hs():
Force disable_msix_handshake to 0:
qla24xx_config_rings():
if (0 && (ha->fw_attributes & BIT_6) && (IS_MSIX_NACK_CAPABLE(ha)) &&
(ha->flags.msix_enabled)) {
In qla24xx_msix_rsp_q() and qla2xxx_msix_rsp_q_hs(), check:
(rd_reg_dword(®->host_status) & HSRX_RISC_INT)
Count the number of calls to each function with HSRX_RISC_INT set and
the number with HSRX_RISC_INT not set while performing some I/O.
If qla2xxx_msix_rsp_q_hs() clears the RISC interrupt (original code):
qla24xx_msix_rsp_q: 50% of calls have HSRX_RISC_INT set
qla2xxx_msix_rsp_q_hs: 5% of calls have HSRX_RISC_INT set
(# of qla2xxx_msix_rsp_q_hs interrupts) =
(# of qla24xx_msix_rsp_q interrupts) * 3
If qla2xxx_msix_rsp_q_hs() does not clear the RISC interrupt (patched
code):
qla24xx_msix_rsp_q: 100% of calls have HSRX_RISC_INT set
qla2xxx_msix_rsp_q_hs: 9% of calls have HSRX_RISC_INT set
(# of qla2xxx_msix_rsp_q_hs interrupts) =
(# of qla24xx_msix_rsp_q interrupts) * 3
In the case of the original code, qla24xx_msix_rsp_q() was seeing
HSRX_RISC_INT set only 50% of the time because qla2xxx_msix_rsp_q_hs()
was clearing it when it shouldn't have been. In the patched code,
qla24xx_msix_rsp_q() sees HSRX_RISC_INT set 100% of the time, which
makes sense if that interrupt handler needs to clear the RISC interrupt
(which it does). qla2xxx_msix_rsp_q_hs() sees HSRX_RISC_INT only 9% of
the time, which is just overlap from the other interrupt during the
high IOPS test.
Tested with SCST on:
QLE2742 FW:v9.08.02 (32 Gbps 2-port)
QLE2694L FW:v9.10.11 (16 Gbps 4-port)
QLE2694L FW:v9.08.02 (16 Gbps 4-port)
QLE2672 FW:v8.07.12 (16 Gbps 2-port)
both initiator and target mode
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/56d378eb-14ad-49c7-bae9-c649b6c7691e@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_def.h | 1 -
drivers/scsi/qla2xxx/qla_gbl.h | 2 +-
drivers/scsi/qla2xxx/qla_isr.c | 32 +++-----------------------------
drivers/scsi/qla2xxx/qla_mid.c | 4 +---
4 files changed, 5 insertions(+), 34 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
index a6ea7c775092..02a2fd1b150a 100644
--- a/drivers/scsi/qla2xxx/qla_def.h
+++ b/drivers/scsi/qla2xxx/qla_def.h
@@ -3447,7 +3447,6 @@ struct isp_operations {
#define QLA_MSIX_RSP_Q 0x01
#define QLA_ATIO_VECTOR 0x02
#define QLA_MSIX_QPAIR_MULTIQ_RSP_Q 0x03
-#define QLA_MSIX_QPAIR_MULTIQ_RSP_Q_HS 0x04
#define QLA_MIDX_DEFAULT 0
#define QLA_MIDX_RSP_Q 1
diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
index d1c290f3f56a..e8c66cc4b71b 100644
--- a/drivers/scsi/qla2xxx/qla_gbl.h
+++ b/drivers/scsi/qla2xxx/qla_gbl.h
@@ -769,7 +769,7 @@ extern int qla2x00_dfs_remove(scsi_qla_host_t *);
/* Globa function prototypes for multi-q */
extern int qla25xx_request_irq(struct qla_hw_data *, struct qla_qpair *,
- struct qla_msix_entry *, int);
+ struct qla_msix_entry *);
extern int qla25xx_init_req_que(struct scsi_qla_host *, struct req_que *);
extern int qla25xx_init_rsp_que(struct scsi_qla_host *, struct rsp_que *);
extern int qla25xx_create_req_que(struct qla_hw_data *, uint16_t, uint8_t,
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index 51e906fa8694..1459ae380389 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -4284,32 +4284,6 @@ qla2xxx_msix_rsp_q(int irq, void *dev_id)
return IRQ_HANDLED;
}
-irqreturn_t
-qla2xxx_msix_rsp_q_hs(int irq, void *dev_id)
-{
- struct qla_hw_data *ha;
- struct qla_qpair *qpair;
- struct device_reg_24xx __iomem *reg;
- unsigned long flags;
-
- qpair = dev_id;
- if (!qpair) {
- ql_log(ql_log_info, NULL, 0x505b,
- "%s: NULL response queue pointer.\n", __func__);
- return IRQ_NONE;
- }
- ha = qpair->hw;
-
- reg = &ha->iobase->isp24;
- spin_lock_irqsave(&ha->hardware_lock, flags);
- wrt_reg_dword(®->hccr, HCCRX_CLR_RISC_INT);
- spin_unlock_irqrestore(&ha->hardware_lock, flags);
-
- queue_work(ha->wq, &qpair->q_work);
-
- return IRQ_HANDLED;
-}
-
/* Interrupt handling helpers. */
struct qla_init_msix_entry {
@@ -4322,7 +4296,6 @@ static const struct qla_init_msix_entry msix_entries[] = {
{ "rsp_q", qla24xx_msix_rsp_q },
{ "atio_q", qla83xx_msix_atio_q },
{ "qpair_multiq", qla2xxx_msix_rsp_q },
- { "qpair_multiq_hs", qla2xxx_msix_rsp_q_hs },
};
static const struct qla_init_msix_entry qla82xx_msix_entries[] = {
@@ -4609,9 +4582,10 @@ qla2x00_free_irqs(scsi_qla_host_t *vha)
}
int qla25xx_request_irq(struct qla_hw_data *ha, struct qla_qpair *qpair,
- struct qla_msix_entry *msix, int vector_type)
+ struct qla_msix_entry *msix)
{
- const struct qla_init_msix_entry *intr = &msix_entries[vector_type];
+ const struct qla_init_msix_entry *intr =
+ &msix_entries[QLA_MSIX_QPAIR_MULTIQ_RSP_Q];
scsi_qla_host_t *vha = pci_get_drvdata(ha->pdev);
int ret;
diff --git a/drivers/scsi/qla2xxx/qla_mid.c b/drivers/scsi/qla2xxx/qla_mid.c
index cb52841c5105..7e1956d0435d 100644
--- a/drivers/scsi/qla2xxx/qla_mid.c
+++ b/drivers/scsi/qla2xxx/qla_mid.c
@@ -910,9 +910,7 @@ qla25xx_create_rsp_que(struct qla_hw_data *ha, uint16_t options,
rsp->options, rsp->id, rsp->rsp_q_in,
rsp->rsp_q_out);
- ret = qla25xx_request_irq(ha, qpair, qpair->msix,
- ha->flags.disable_msix_handshake ?
- QLA_MSIX_QPAIR_MULTIQ_RSP_Q : QLA_MSIX_QPAIR_MULTIQ_RSP_Q_HS);
+ ret = qla25xx_request_irq(ha, qpair, qpair->msix);
if (ret)
goto que_failed;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 263/554] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 262/554] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 264/554] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Greg Kroah-Hartman
` (296 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
[ Upstream commit 8f58fc64d559b5fda1b0a5e2a71422be61e79ab9 ]
When given the module parameter qlini_mode=exclusive, qla2xxx in
initiator mode is initially unable to successfully send SCSI commands to
devices it finds while scanning, resulting in an escalating series of
resets until an adapter reset clears the issue. Fix by checking the
active mode instead of the module parameter.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/1715ec14-ba9a-45dc-9cf2-d41aa6b81b5e@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_os.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 9267e7e73478..97a1aeb07947 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -3425,13 +3425,7 @@ qla2x00_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
base_vha->mgmt_svr_loop_id, host->sg_tablesize);
if (ha->mqenable) {
- bool startit = false;
-
- if (QLA_TGT_MODE_ENABLED())
- startit = false;
-
- if (ql2x_ini_mode == QLA2XXX_INI_MODE_ENABLED)
- startit = true;
+ bool startit = !!(host->active_mode & MODE_INITIATOR);
/* Create start of day qpairs for Block MQ */
for (i = 0; i < ha->max_qpairs; i++)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 264/554] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 263/554] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 265/554] via_wdt: fix critical boot hang due to unnamed resource allocation Greg Kroah-Hartman
` (295 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
[ Upstream commit 957aa5974989fba4ae4f807ebcb27f12796edd4d ]
If a mailbox command completes immediately after
wait_for_completion_timeout() times out, ha->mbx_intr_comp could be left
in an inconsistent state, causing the next mailbox command not to wait
for the hardware. Fix by reinitializing the completion before use.
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/11b6485e-0bfd-4784-8f99-c06a196dad94@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qla2xxx/qla_mbx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/qla2xxx/qla_mbx.c b/drivers/scsi/qla2xxx/qla_mbx.c
index 7a28582b1f73..771b323a5194 100644
--- a/drivers/scsi/qla2xxx/qla_mbx.c
+++ b/drivers/scsi/qla2xxx/qla_mbx.c
@@ -253,6 +253,7 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
/* Issue set host interrupt command to send cmd out. */
ha->flags.mbox_int = 0;
clear_bit(MBX_INTERRUPT, &ha->mbx_cmd_flags);
+ reinit_completion(&ha->mbx_intr_comp);
/* Unlock mbx registers and wait for interrupt */
ql_dbg(ql_dbg_mbx, vha, 0x100f,
@@ -279,6 +280,7 @@ qla2x00_mailbox_command(scsi_qla_host_t *vha, mbx_cmd_t *mcp)
"cmd=%x Timeout.\n", command);
spin_lock_irqsave(&ha->hardware_lock, flags);
clear_bit(MBX_INTR_WAIT, &ha->mbx_cmd_flags);
+ reinit_completion(&ha->mbx_intr_comp);
spin_unlock_irqrestore(&ha->hardware_lock, flags);
if (chip_reset != ha->chip_reset) {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 265/554] via_wdt: fix critical boot hang due to unnamed resource allocation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 264/554] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 266/554] reset: fix BIT macro reference Greg Kroah-Hartman
` (294 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Qiang, Guenter Roeck,
Wim Van Sebroeck, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Qiang <liqiang01@kylinos.cn>
[ Upstream commit 7aa31ee9ec92915926e74731378c009c9cc04928 ]
The VIA watchdog driver uses allocate_resource() to reserve a MMIO
region for the watchdog control register. However, the allocated
resource was not given a name, which causes the kernel resource tree
to contain an entry marked as "<BAD>" under /proc/iomem on x86
platforms.
During boot, this unnamed resource can lead to a critical hang because
subsequent resource lookups and conflict checks fail to handle the
invalid entry properly.
Signed-off-by: Li Qiang <liqiang01@kylinos.cn>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/watchdog/via_wdt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/watchdog/via_wdt.c b/drivers/watchdog/via_wdt.c
index eeb39f96e72e..c1ed3ce153cf 100644
--- a/drivers/watchdog/via_wdt.c
+++ b/drivers/watchdog/via_wdt.c
@@ -165,6 +165,7 @@ static int wdt_probe(struct pci_dev *pdev,
dev_err(&pdev->dev, "cannot enable PCI device\n");
return -ENODEV;
}
+ wdt_res.name = "via_wdt";
/*
* Allocate a MMIO region which contains watchdog control register
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 266/554] reset: fix BIT macro reference
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 265/554] via_wdt: fix critical boot hang due to unnamed resource allocation Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 267/554] exfat: fix remount failure in different process environments Greg Kroah-Hartman
` (293 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Troy Mitchell, Philipp Zabel,
Encrow Thorne, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Encrow Thorne <jyc0019@gmail.com>
[ Upstream commit f3d8b64ee46c9b4b0b82b1a4642027728bac95b8 ]
RESET_CONTROL_FLAGS_BIT_* macros use BIT(), but reset.h does not
include bits.h. This causes compilation errors when including
reset.h standalone.
Include bits.h to make reset.h self-contained.
Suggested-by: Troy Mitchell <troy.mitchell@linux.dev>
Reviewed-by: Troy Mitchell <troy.mitchell@linux.dev>
Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Encrow Thorne <jyc0019@gmail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/reset.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/reset.h b/include/linux/reset.h
index 7bb583737528..23abb90398ad 100644
--- a/include/linux/reset.h
+++ b/include/linux/reset.h
@@ -2,6 +2,7 @@
#ifndef _LINUX_RESET_H_
#define _LINUX_RESET_H_
+#include <linux/bits.h>
#include <linux/err.h>
#include <linux/errno.h>
#include <linux/types.h>
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 267/554] exfat: fix remount failure in different process environments
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 266/554] reset: fix BIT macro reference Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 268/554] usbip: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
` (292 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Yuezhang Mo,
Namjae Jeon, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
[ Upstream commit 51fc7b4ce10ccab8ea5e4876bcdc42cf5202a0ef ]
The kernel test robot reported that the exFAT remount operation
failed. The reason for the failure was that the process's umask
is different between mount and remount, causing fs_fmask and
fs_dmask are changed.
Potentially, both gid and uid may also be changed. Therefore, when
initializing fs_context for remount, inherit these mount options
from the options used during mount.
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202511251637.81670f5c-lkp@intel.com
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/exfat/super.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/fs/exfat/super.c b/fs/exfat/super.c
index 816ba7e1607f..39e999c0de75 100644
--- a/fs/exfat/super.c
+++ b/fs/exfat/super.c
@@ -758,10 +758,21 @@ static int exfat_init_fs_context(struct fs_context *fc)
ratelimit_state_init(&sbi->ratelimit, DEFAULT_RATELIMIT_INTERVAL,
DEFAULT_RATELIMIT_BURST);
- sbi->options.fs_uid = current_uid();
- sbi->options.fs_gid = current_gid();
- sbi->options.fs_fmask = current->fs->umask;
- sbi->options.fs_dmask = current->fs->umask;
+ if (fc->purpose == FS_CONTEXT_FOR_RECONFIGURE && fc->root) {
+ struct super_block *sb = fc->root->d_sb;
+ struct exfat_mount_options *cur_opts = &EXFAT_SB(sb)->options;
+
+ sbi->options.fs_uid = cur_opts->fs_uid;
+ sbi->options.fs_gid = cur_opts->fs_gid;
+ sbi->options.fs_fmask = cur_opts->fs_fmask;
+ sbi->options.fs_dmask = cur_opts->fs_dmask;
+ } else {
+ sbi->options.fs_uid = current_uid();
+ sbi->options.fs_gid = current_gid();
+ sbi->options.fs_fmask = current->fs->umask;
+ sbi->options.fs_dmask = current->fs->umask;
+ }
+
sbi->options.allow_utime = -1;
sbi->options.iocharset = exfat_default_iocharset;
sbi->options.errors = EXFAT_ERRORS_RO;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 268/554] usbip: Fix locking bug in RT-enabled kernels
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 267/554] exfat: fix remount failure in different process environments Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 269/554] usb: typec: ucsi: Handle incorrect num_connectors capability Greg Kroah-Hartman
` (291 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+205ef33a3b636b4181fb,
Lizhi Xu, Shuah Khan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
[ Upstream commit 09bf21bf5249880f62fe759b53b14b4b52900c6c ]
Interrupts are disabled before entering usb_hcd_giveback_urb().
A spinlock_t becomes a sleeping lock on PREEMPT_RT, so it cannot be
acquired with disabled interrupts.
Save the interrupt status and restore it after usb_hcd_giveback_urb().
syz reported:
BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
Call Trace:
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
rt_spin_lock+0xc7/0x2c0 kernel/locking/spinlock_rt.c:57
spin_lock include/linux/spinlock_rt.h:44 [inline]
mon_bus_complete drivers/usb/mon/mon_main.c:134 [inline]
mon_complete+0x5c/0x200 drivers/usb/mon/mon_main.c:147
usbmon_urb_complete include/linux/usb/hcd.h:738 [inline]
__usb_hcd_giveback_urb+0x254/0x5e0 drivers/usb/core/hcd.c:1647
vhci_urb_enqueue+0xb4f/0xe70 drivers/usb/usbip/vhci_hcd.c:818
Reported-by: syzbot+205ef33a3b636b4181fb@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=205ef33a3b636b4181fb
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/20250916014143.1439759-1-lizhi.xu@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/usbip/vhci_hcd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
index e3c8483d7ba4..cfe51672ca41 100644
--- a/drivers/usb/usbip/vhci_hcd.c
+++ b/drivers/usb/usbip/vhci_hcd.c
@@ -830,15 +830,15 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag
no_need_xmit:
usb_hcd_unlink_urb_from_ep(hcd, urb);
no_need_unlink:
- spin_unlock_irqrestore(&vhci->lock, flags);
if (!ret) {
/* usb_hcd_giveback_urb() should be called with
* irqs disabled
*/
- local_irq_disable();
+ spin_unlock(&vhci->lock);
usb_hcd_giveback_urb(hcd, urb, urb->status);
- local_irq_enable();
+ spin_lock(&vhci->lock);
}
+ spin_unlock_irqrestore(&vhci->lock, flags);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 269/554] usb: typec: ucsi: Handle incorrect num_connectors capability
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 268/554] usbip: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 270/554] usb: xhci: limit run_graceperiod for only usb 3.0 devices Greg Kroah-Hartman
` (290 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Pearson, Heikki Krogerus,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Pearson <mpearson-lenovo@squebb.ca>
[ Upstream commit 30cd2cb1abf4c4acdb1ddb468c946f68939819fb ]
The UCSI spec states that the num_connectors field is 7 bits, and the
8th bit is reserved and should be set to zero.
Some buggy FW has been known to set this bit, and it can lead to a
system not booting.
Flag that the FW is not behaving correctly, and auto-fix the value
so that the system boots correctly.
Found on Lenovo P1 G8 during Linux enablement program. The FW will
be fixed, but seemed worth addressing in case it hit platforms that
aren't officially Linux supported.
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20250821185319.2585023-1-mpearson-lenovo@squebb.ca
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/ucsi/ucsi.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c
index 62124882b21a..05a2909e84fd 100644
--- a/drivers/usb/typec/ucsi/ucsi.c
+++ b/drivers/usb/typec/ucsi/ucsi.c
@@ -1270,6 +1270,12 @@ static int ucsi_init(struct ucsi *ucsi)
ret = -ENODEV;
goto err_reset;
}
+ /* Check if reserved bit set. This is out of spec but happens in buggy FW */
+ if (ucsi->cap.num_connectors & 0x80) {
+ dev_warn(ucsi->dev, "UCSI: Invalid num_connectors %d. Likely buggy FW\n",
+ ucsi->cap.num_connectors);
+ ucsi->cap.num_connectors &= 0x7f; // clear bit and carry on
+ }
/* Allocate the connectors. Released in ucsi_unregister() */
ucsi->connector = kcalloc(ucsi->cap.num_connectors + 1,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 270/554] usb: xhci: limit run_graceperiod for only usb 3.0 devices
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 269/554] usb: typec: ucsi: Handle incorrect num_connectors capability Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 271/554] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive Greg Kroah-Hartman
` (289 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hongyu Xie, Mathias Nyman,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hongyu Xie <xiehongyu1@kylinos.cn>
[ Upstream commit 8d34983720155b8f05de765f0183d9b0e1345cc0 ]
run_graceperiod blocks usb 2.0 devices from auto suspending after
xhci_start for 500ms.
Log shows:
[ 13.387170] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.387177] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.387182] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.387188] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.387191] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
[ 13.387193] hcd_bus_resume:2303: usb usb7: usb auto-resume
[ 13.387296] hub_event:5779: hub 3-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.393343] handle_port_status:2034: xhci-hcd PNP0D10:02: handle_port_status: starting usb5 port polling.
[ 13.393353] xhci_hub_control:1271: xhci-hcd PNP0D10:02: Get port status 5-1 read: 0x206e1, return 0x10101
[ 13.400047] hub_suspend:3903: hub 3-0:1.0: hub_suspend
[ 13.403077] hub_resume:3948: hub 7-0:1.0: hub_resume
[ 13.403080] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.403085] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.403087] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.403090] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.403093] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
[ 13.403095] hcd_bus_resume:2303: usb usb7: usb auto-resume
[ 13.405002] handle_port_status:1913: xhci-hcd PNP0D10:04: Port change event, 9-1, id 1, portsc: 0x6e1
[ 13.405016] hub_activate:1169: usb usb5-port1: status 0101 change 0001
[ 13.405026] xhci_clear_port_change_bit:658: xhci-hcd PNP0D10:02: clear port1 connect change, portsc: 0x6e1
[ 13.413275] hcd_bus_suspend:2250: usb usb3: bus auto-suspend, wakeup 1
[ 13.419081] hub_resume:3948: hub 7-0:1.0: hub_resume
[ 13.419086] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.419095] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.419100] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.419106] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.419110] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
[ 13.419112] hcd_bus_resume:2303: usb usb7: usb auto-resume
[ 13.420455] handle_port_status:2034: xhci-hcd PNP0D10:04: handle_port_status: starting usb9 port polling.
[ 13.420493] handle_port_status:1913: xhci-hcd PNP0D10:05: Port change event, 10-1, id 1, portsc: 0x6e1
[ 13.425332] hcd_bus_suspend:2279: usb usb3: suspend raced with wakeup event
[ 13.431931] handle_port_status:2034: xhci-hcd PNP0D10:05: handle_port_status: starting usb10 port polling.
[ 13.435080] hub_resume:3948: hub 7-0:1.0: hub_resume
[ 13.435084] xhci_hub_control:1271: xhci-hcd PNP0D10:03: Get port status 7-1 read: 0x2a0, return 0x100
[ 13.435092] hub_event:5779: hub 7-0:1.0: state 7 ports 1 chg 0000 evt 0000
[ 13.435096] hub_suspend:3903: hub 7-0:1.0: hub_suspend
[ 13.435102] hcd_bus_suspend:2250: usb usb7: bus auto-suspend, wakeup 1
[ 13.435106] hcd_bus_suspend:2279: usb usb7: suspend raced with wakeup event
usb7 and other usb 2.0 root hub were rapidly toggling between suspend
and resume states. More, "suspend raced with wakeup event" confuses people.
So, limit run_graceperiod for only usb 3.0 devices
Signed-off-by: Hongyu Xie <xiehongyu1@kylinos.cn>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20251119142417.2820519-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/xhci-hub.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
index b226b5487694..f10ab11616ac 100644
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1650,7 +1650,7 @@ int xhci_hub_status_data(struct usb_hcd *hcd, char *buf)
* SS devices are only visible to roothub after link training completes.
* Keep polling roothubs for a grace period after xHC start
*/
- if (xhci->run_graceperiod) {
+ if (hcd->speed >= HCD_USB3 && xhci->run_graceperiod) {
if (time_before(jiffies, xhci->run_graceperiod))
status = 1;
else
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 271/554] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 270/554] usb: xhci: limit run_graceperiod for only usb 3.0 devices Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 272/554] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Greg Kroah-Hartman
` (288 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Changcheng, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Changcheng <chenchangcheng@kylinos.cn>
[ Upstream commit 955a48a5353f4fe009704a9a4272a3adf627cd35 ]
The optical drive of EL-R12 has the same vid and pid as INIC-3069,
as follows:
T: Bus=02 Lev=02 Prnt=02 Port=01 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0
D: Ver= 3.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=13fd ProdID=3940 Rev= 3.10
S: Manufacturer=HL-DT-ST
S: Product= DVD+-RW GT80N
S: SerialNumber=423349524E4E38303338323439202020
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=144mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=02 Prot=50 Driver=usb-storage
E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=0a(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
This will result in the optical drive device also adding
the quirks of US_FL_NO_ATA_1X. When performing an erase operation,
it will fail, and the reason for the failure is as follows:
[ 388.967742] sr 5:0:0:0: [sr0] tag#0 Send: scmd 0x00000000d20c33a7
[ 388.967742] sr 5:0:0:0: [sr0] tag#0 CDB: ATA command pass through(12)/Blank a1 11 00 00 00 00 00 00 00 00 00 00
[ 388.967773] sr 5:0:0:0: [sr0] tag#0 Done: SUCCESS Result: hostbyte=DID_TARGET_FAILURE driverbyte=DRIVER_OK cmd_age=0s
[ 388.967773] sr 5:0:0:0: [sr0] tag#0 CDB: ATA command pass through(12)/Blank a1 11 00 00 00 00 00 00 00 00 00 00
[ 388.967803] sr 5:0:0:0: [sr0] tag#0 Sense Key : Illegal Request [current]
[ 388.967803] sr 5:0:0:0: [sr0] tag#0 Add. Sense: Invalid field in cdb
[ 388.967803] sr 5:0:0:0: [sr0] tag#0 scsi host busy 1 failed 0
[ 388.967803] sr 5:0:0:0: Notifying upper driver of completion (result 8100002)
[ 388.967834] sr 5:0:0:0: [sr0] tag#0 0 sectors total, 0 bytes done.
For the EL-R12 standard optical drive, all operational commands
and usage scenarios were tested without adding the IGNORE_RESIDUE quirks,
and no issues were encountered. It can be reasonably concluded
that removing the IGNORE_RESIDUE quirks has no impact.
Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
Link: https://patch.msgid.link/20251121064020.29332-1-chenchangcheng@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/storage/unusual_uas.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h
index 1477e31d7763..b695f5ba9a40 100644
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160,
US_FL_NO_ATA_1X),
/* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
-UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
+UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309,
"Initio Corporation",
"INIC-3069",
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 272/554] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 271/554] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 273/554] nvme-fc: dont hold rport lock when putting ctrl Greg Kroah-Hartman
` (287 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wenhua Lin, Cixi Geng, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wenhua Lin <Wenhua.Lin@unisoc.com>
[ Upstream commit 29e8a0c587e328ed458380a45d6028adf64d7487 ]
In sprd_clk_init(), when devm_clk_get() returns -EPROBE_DEFER
for either uart or source clock, we should propagate the
error instead of just warning and continuing with NULL clocks.
Currently the driver only emits a warning when clock acquisition
fails and proceeds with NULL clock pointers. This can lead to
issues later when the clocks are actually needed. More importantly,
when the clock provider is not ready yet and returns -EPROBE_DEFER,
we should return this error to allow deferred probing.
This change adds explicit checks for -EPROBE_DEFER after both:
1. devm_clk_get(uport->dev, uart)
2. devm_clk_get(uport->dev, source)
When -EPROBE_DEFER is encountered, the function now returns
-EPROBE_DEFER to let the driver framework retry probing
later when the clock dependencies are resolved.
Signed-off-by: Wenhua Lin <Wenhua.Lin@unisoc.com>
Link: https://patch.msgid.link/20251022030840.956589-1-Wenhua.Lin@unisoc.com
Reviewed-by: Cixi Geng <cixi.geng@linux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sprd_serial.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c
index a1952e4f1fcb..e850959ecf55 100644
--- a/drivers/tty/serial/sprd_serial.c
+++ b/drivers/tty/serial/sprd_serial.c
@@ -1137,6 +1137,9 @@ static int sprd_clk_init(struct uart_port *uport)
clk_uart = devm_clk_get(uport->dev, "uart");
if (IS_ERR(clk_uart)) {
+ if (PTR_ERR(clk_uart) == -EPROBE_DEFER)
+ return -EPROBE_DEFER;
+
dev_warn(uport->dev, "uart%d can't get uart clock\n",
uport->line);
clk_uart = NULL;
@@ -1144,6 +1147,9 @@ static int sprd_clk_init(struct uart_port *uport)
clk_parent = devm_clk_get(uport->dev, "source");
if (IS_ERR(clk_parent)) {
+ if (PTR_ERR(clk_parent) == -EPROBE_DEFER)
+ return -EPROBE_DEFER;
+
dev_warn(uport->dev, "uart%d can't get source clock\n",
uport->line);
clk_parent = NULL;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 273/554] nvme-fc: dont hold rport lock when putting ctrl
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 272/554] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 274/554] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Greg Kroah-Hartman
` (286 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Christoph Hellwig,
Daniel Wagner, Keith Busch, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <wagi@kernel.org>
[ Upstream commit b71cbcf7d170e51148d5467820ae8a72febcb651 ]
nvme_fc_ctrl_put can acquire the rport lock when freeing the
ctrl object:
nvme_fc_ctrl_put
nvme_fc_ctrl_free
spin_lock_irqsave(rport->lock)
Thus we can't hold the rport lock when calling nvme_fc_ctrl_put.
Justin suggested use the safe list iterator variant because
nvme_fc_ctrl_put will also modify the rport->list.
Cc: Justin Tee <justin.tee@broadcom.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Daniel Wagner <wagi@kernel.org>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/fc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/fc.c b/drivers/nvme/host/fc.c
index 3fe4db3c9c34..0bbc226ea4f4 100644
--- a/drivers/nvme/host/fc.c
+++ b/drivers/nvme/host/fc.c
@@ -1500,14 +1500,14 @@ nvme_fc_match_disconn_ls(struct nvme_fc_rport *rport,
{
struct fcnvme_ls_disconnect_assoc_rqst *rqst =
&lsop->rqstbuf->rq_dis_assoc;
- struct nvme_fc_ctrl *ctrl, *ret = NULL;
+ struct nvme_fc_ctrl *ctrl, *tmp, *ret = NULL;
struct nvmefc_ls_rcv_op *oldls = NULL;
u64 association_id = be64_to_cpu(rqst->associd.association_id);
unsigned long flags;
spin_lock_irqsave(&rport->lock, flags);
- list_for_each_entry(ctrl, &rport->ctrl_list, ctrl_list) {
+ list_for_each_entry_safe(ctrl, tmp, &rport->ctrl_list, ctrl_list) {
if (!nvme_fc_ctrl_get(ctrl))
continue;
spin_lock(&ctrl->lock);
@@ -1520,7 +1520,9 @@ nvme_fc_match_disconn_ls(struct nvme_fc_rport *rport,
if (ret)
/* leave the ctrl get reference */
break;
+ spin_unlock_irqrestore(&rport->lock, flags);
nvme_fc_ctrl_put(ctrl);
+ spin_lock_irqsave(&rport->lock, flags);
}
spin_unlock_irqrestore(&rport->lock, flags);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 274/554] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 273/554] nvme-fc: dont hold rport lock when putting ctrl Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 275/554] vhost/vsock: improve RCU read sections around vhost_vsock_get() Greg Kroah-Hartman
` (285 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chia-Lin Kao (AceLan), Hans de Goede,
Ilpo Järvinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
[ Upstream commit b169e1733cadb614e87f69d7a5ae1b186c50d313 ]
Dell Pro Rugged 10/12 tablets has a reliable VGBS method.
If VGBS is not called on boot, the on-screen keyboard won't appear if the
device is booted without a keyboard.
Call VGBS on boot on thess devices to get the initial state of
SW_TABLET_MODE in a reliable way.
Signed-off-by: Chia-Lin Kao (AceLan) <acelan.kao@canonical.com>
Reviewed-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Link: https://patch.msgid.link/20251127070407.656463-1-acelan.kao@canonical.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel/hid.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/platform/x86/intel/hid.c b/drivers/platform/x86/intel/hid.c
index f59a3cc9767b..4d488e985dc5 100644
--- a/drivers/platform/x86/intel/hid.c
+++ b/drivers/platform/x86/intel/hid.c
@@ -144,6 +144,18 @@ static const struct dmi_system_id dmi_vgbs_allow_list[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "HP Elite Dragonfly G2 Notebook PC"),
},
},
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Dell Pro Rugged 10 Tablet RA00260"),
+ },
+ },
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Dell Pro Rugged 12 Tablet RA02260"),
+ },
+ },
{ }
};
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 275/554] vhost/vsock: improve RCU read sections around vhost_vsock_get()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 274/554] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 276/554] KEYS: trusted: Fix a memory leak in tpm2_load_cmd Greg Kroah-Hartman
` (284 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stefanha, Stefano Garzarella,
Jason Wang, Michael S. Tsirkin, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit d8ee3cfdc89b75dc059dc21c27bef2c1440f67eb ]
vhost_vsock_get() uses hash_for_each_possible_rcu() to find the
`vhost_vsock` associated with the `guest_cid`. hash_for_each_possible_rcu()
should only be called within an RCU read section, as mentioned in the
following comment in include/linux/rculist.h:
/**
* hlist_for_each_entry_rcu - iterate over rcu list of given type
* @pos: the type * to use as a loop cursor.
* @head: the head for your list.
* @member: the name of the hlist_node within the struct.
* @cond: optional lockdep expression if called from non-RCU protection.
*
* This list-traversal primitive may safely run concurrently with
* the _rcu list-mutation primitives such as hlist_add_head_rcu()
* as long as the traversal is guarded by rcu_read_lock().
*/
Currently, all calls to vhost_vsock_get() are between rcu_read_lock()
and rcu_read_unlock() except for calls in vhost_vsock_set_cid() and
vhost_vsock_reset_orphans(). In both cases, the current code is safe,
but we can make improvements to make it more robust.
About vhost_vsock_set_cid(), when building the kernel with
CONFIG_PROVE_RCU_LIST enabled, we get the following RCU warning when the
user space issues `ioctl(dev, VHOST_VSOCK_SET_GUEST_CID, ...)` :
WARNING: suspicious RCU usage
6.18.0-rc7 #62 Not tainted
-----------------------------
drivers/vhost/vsock.c:74 RCU-list traversed in non-reader section!!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by rpc-libvirtd/3443:
#0: ffffffffc05032a8 (vhost_vsock_mutex){+.+.}-{4:4}, at: vhost_vsock_dev_ioctl+0x2ff/0x530 [vhost_vsock]
stack backtrace:
CPU: 2 UID: 0 PID: 3443 Comm: rpc-libvirtd Not tainted 6.18.0-rc7 #62 PREEMPT(none)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-7.fc42 06/10/2025
Call Trace:
<TASK>
dump_stack_lvl+0x75/0xb0
dump_stack+0x14/0x1a
lockdep_rcu_suspicious.cold+0x4e/0x97
vhost_vsock_get+0x8f/0xa0 [vhost_vsock]
vhost_vsock_dev_ioctl+0x307/0x530 [vhost_vsock]
__x64_sys_ioctl+0x4f2/0xa00
x64_sys_call+0xed0/0x1da0
do_syscall_64+0x73/0xfa0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
...
</TASK>
This is not a real problem, because the vhost_vsock_get() caller, i.e.
vhost_vsock_set_cid(), holds the `vhost_vsock_mutex` used by the hash
table writers. Anyway, to prevent that warning, add lockdep_is_held()
condition to hash_for_each_possible_rcu() to verify that either the
caller is in an RCU read section or `vhost_vsock_mutex` is held when
CONFIG_PROVE_RCU_LIST is enabled; and also clarify the comment for
vhost_vsock_get() to better describe the locking requirements and the
scope of the returned pointer validity.
About vhost_vsock_reset_orphans(), currently this function is only
called via vsock_for_each_connected_socket(), which holds the
`vsock_table_lock` spinlock (which is also an RCU read-side critical
section). However, add an explicit RCU read lock there to make the code
more robust and explicit about the RCU requirements, and to prevent
issues if the calling context changes in the future or if
vhost_vsock_reset_orphans() is called from other contexts.
Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
Cc: stefanha@redhat.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20251126133826.142496-1-sgarzare@redhat.com>
Message-ID: <20251126210313.GA499503@fedora>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/vsock.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
index 531e3e139c0d..a53d7bf40461 100644
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -65,14 +65,15 @@ static u32 vhost_transport_get_local_cid(void)
return VHOST_VSOCK_DEFAULT_HOST_CID;
}
-/* Callers that dereference the return value must hold vhost_vsock_mutex or the
- * RCU read lock.
+/* Callers must be in an RCU read section or hold the vhost_vsock_mutex.
+ * The return value can only be dereferenced while within the section.
*/
static struct vhost_vsock *vhost_vsock_get(u32 guest_cid)
{
struct vhost_vsock *vsock;
- hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid) {
+ hash_for_each_possible_rcu(vhost_vsock_hash, vsock, hash, guest_cid,
+ lockdep_is_held(&vhost_vsock_mutex)) {
u32 other_cid = vsock->guest_cid;
/* Skip instances that have no CID yet */
@@ -727,9 +728,15 @@ static void vhost_vsock_reset_orphans(struct sock *sk)
* executing.
*/
+ rcu_read_lock();
+
/* If the peer is still valid, no need to reset connection */
- if (vhost_vsock_get(vsk->remote_addr.svm_cid))
+ if (vhost_vsock_get(vsk->remote_addr.svm_cid)) {
+ rcu_read_unlock();
return;
+ }
+
+ rcu_read_unlock();
/* If the close timeout is pending, let it expire. This avoids races
* with the timeout callback.
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 276/554] KEYS: trusted: Fix a memory leak in tpm2_load_cmd
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 275/554] vhost/vsock: improve RCU read sections around vhost_vsock_get() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 277/554] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Greg Kroah-Hartman
` (283 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jarkko Sakkinen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko@kernel.org>
commit 62cd5d480b9762ce70d720a81fa5b373052ae05f upstream.
'tpm2_load_cmd' allocates a tempoary blob indirectly via 'tpm2_key_decode'
but it is not freed in the failure paths. Address this by wrapping the blob
into with a cleanup helper.
Cc: stable@vger.kernel.org # v5.13+
Fixes: f2219745250f ("security: keys: trusted: use ASN.1 TPM2 key format for the blobs")
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/keys/trusted-keys/trusted_tpm2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/security/keys/trusted-keys/trusted_tpm2.c
+++ b/security/keys/trusted-keys/trusted_tpm2.c
@@ -375,6 +375,7 @@ static int tpm2_load_cmd(struct tpm_chip
struct trusted_key_options *options,
u32 *blob_handle)
{
+ u8 *blob_ref __free(kfree) = NULL;
struct tpm_buf buf;
unsigned int private_len;
unsigned int public_len;
@@ -388,6 +389,9 @@ static int tpm2_load_cmd(struct tpm_chip
/* old form */
blob = payload->blob;
payload->old_format = 1;
+ } else {
+ /* Bind for cleanup: */
+ blob_ref = blob;
}
/* new format carries keyhandle but old format doesn't */
@@ -446,8 +450,6 @@ static int tpm2_load_cmd(struct tpm_chip
(__be32 *) &buf.data[TPM_HEADER_SIZE]);
out:
- if (blob != payload->blob)
- kfree(blob);
tpm_buf_destroy(&buf);
if (rc > 0)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 277/554] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 276/554] KEYS: trusted: Fix a memory leak in tpm2_load_cmd Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 278/554] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Greg Kroah-Hartman
` (282 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sarthak Garg, Bjorn Andersson,
Adrian Hunter, Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sarthak Garg <sarthak.garg@oss.qualcomm.com>
commit b1f856b1727c2eaa4be2c6d7cd7a8ed052bbeb87 upstream.
According to the hardware programming guide, the clock frequency must
remain below 52MHz during the transition to HS400 mode.
However,in the current implementation, the timing is set to HS400 (a
DDR mode) before adjusting the clock. This causes the clock to double
prematurely to 104MHz during the transition phase, violating the
specification and potentially resulting in CRC errors or CMD timeouts.
This change ensures that clock doubling is avoided during intermediate
transitions and is applied only when the card requires a 200MHz clock
for HS400 operation.
Signed-off-by: Sarthak Garg <sarthak.garg@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-msm.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
--- a/drivers/mmc/host/sdhci-msm.c
+++ b/drivers/mmc/host/sdhci-msm.c
@@ -340,41 +340,43 @@ static void sdhci_msm_v5_variant_writel_
writel_relaxed(val, host->ioaddr + offset);
}
-static unsigned int msm_get_clock_mult_for_bus_mode(struct sdhci_host *host)
+static unsigned int msm_get_clock_mult_for_bus_mode(struct sdhci_host *host,
+ unsigned int clock,
+ unsigned int timing)
{
- struct mmc_ios ios = host->mmc->ios;
/*
* The SDHC requires internal clock frequency to be double the
* actual clock that will be set for DDR mode. The controller
* uses the faster clock(100/400MHz) for some of its parts and
* send the actual required clock (50/200MHz) to the card.
*/
- if (ios.timing == MMC_TIMING_UHS_DDR50 ||
- ios.timing == MMC_TIMING_MMC_DDR52 ||
- ios.timing == MMC_TIMING_MMC_HS400 ||
+ if (timing == MMC_TIMING_UHS_DDR50 ||
+ timing == MMC_TIMING_MMC_DDR52 ||
+ (timing == MMC_TIMING_MMC_HS400 &&
+ clock == MMC_HS200_MAX_DTR) ||
host->flags & SDHCI_HS400_TUNING)
return 2;
return 1;
}
static void msm_set_clock_rate_for_bus_mode(struct sdhci_host *host,
- unsigned int clock)
+ unsigned int clock,
+ unsigned int timing)
{
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
- struct mmc_ios curr_ios = host->mmc->ios;
struct clk *core_clk = msm_host->bulk_clks[0].clk;
unsigned long achieved_rate;
unsigned int desired_rate;
unsigned int mult;
int rc;
- mult = msm_get_clock_mult_for_bus_mode(host);
+ mult = msm_get_clock_mult_for_bus_mode(host, clock, timing);
desired_rate = clock * mult;
rc = dev_pm_opp_set_rate(mmc_dev(host->mmc), desired_rate);
if (rc) {
pr_err("%s: Failed to set clock at rate %u at timing %d\n",
- mmc_hostname(host->mmc), desired_rate, curr_ios.timing);
+ mmc_hostname(host->mmc), desired_rate, timing);
return;
}
@@ -393,7 +395,7 @@ static void msm_set_clock_rate_for_bus_m
msm_host->clk_rate = desired_rate;
pr_debug("%s: Setting clock at rate %lu at timing %d\n",
- mmc_hostname(host->mmc), achieved_rate, curr_ios.timing);
+ mmc_hostname(host->mmc), achieved_rate, timing);
}
/* Platform specific tuning */
@@ -1235,7 +1237,7 @@ static int sdhci_msm_execute_tuning(stru
*/
if (host->flags & SDHCI_HS400_TUNING) {
sdhci_msm_hc_select_mode(host);
- msm_set_clock_rate_for_bus_mode(host, ios.clock);
+ msm_set_clock_rate_for_bus_mode(host, ios.clock, ios.timing);
host->flags &= ~SDHCI_HS400_TUNING;
}
@@ -1860,6 +1862,7 @@ static void sdhci_msm_set_clock(struct s
{
struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
+ struct mmc_ios ios = host->mmc->ios;
if (!clock) {
host->mmc->actual_clock = msm_host->clk_rate = 0;
@@ -1868,7 +1871,7 @@ static void sdhci_msm_set_clock(struct s
sdhci_msm_hc_select_mode(host);
- msm_set_clock_rate_for_bus_mode(host, clock);
+ msm_set_clock_rate_for_bus_mode(host, ios.clock, ios.timing);
out:
__sdhci_msm_set_clock(host, clock);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 278/554] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 277/554] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 279/554] block: rate-limit capacity change info log Greg Kroah-Hartman
` (281 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Eric Biggers
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 2f22115709fc7ebcfa40af3367a508fbbd2f71e9 upstream.
In the C code, the 'inc' argument to the assembly functions
blake2s_compress_ssse3() and blake2s_compress_avx512() is declared with
type u32, matching blake2s_compress(). The assembly code then reads it
from the 64-bit %rcx. However, the ABI doesn't guarantee zero-extension
to 64 bits, nor do gcc or clang guarantee it. Therefore, fix these
functions to read this argument from the 32-bit %ecx.
In theory, this bug could have caused the wrong 'inc' value to be used,
causing incorrect BLAKE2s hashes. In practice, probably not: I've fixed
essentially this same bug in many other assembly files too, but there's
never been a real report of it having caused a problem. In x86_64, all
writes to 32-bit registers are zero-extended to 64 bits. That results
in zero-extension in nearly all situations. I've only been able to
demonstrate a lack of zero-extension with a somewhat contrived example
involving truncation, e.g. when the C code has a u64 variable holding
0x1234567800000040 and passes it as a u32 expecting it to be truncated
to 0x40 (64). But that's not what the real code does, of course.
Fixes: ed0356eda153 ("crypto: blake2s - x86_64 SIMD implementation")
Cc: stable@vger.kernel.org
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20251102234209.62133-2-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/crypto/blake2s-core.S | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/crypto/blake2s-core.S
+++ b/arch/x86/crypto/blake2s-core.S
@@ -54,7 +54,7 @@ SYM_FUNC_START(blake2s_compress_ssse3)
movdqa ROT16(%rip),%xmm12
movdqa ROR328(%rip),%xmm13
movdqu 0x20(%rdi),%xmm14
- movq %rcx,%xmm15
+ movd %ecx,%xmm15
leaq SIGMA+0xa0(%rip),%r8
jmp .Lbeginofloop
.align 32
@@ -179,7 +179,7 @@ SYM_FUNC_START(blake2s_compress_avx512)
vmovdqu (%rdi),%xmm0
vmovdqu 0x10(%rdi),%xmm1
vmovdqu 0x20(%rdi),%xmm4
- vmovq %rcx,%xmm5
+ vmovd %ecx,%xmm5
vmovdqa IV(%rip),%xmm14
vmovdqa IV+16(%rip),%xmm15
jmp .Lblake2s_compress_avx512_mainloop
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 279/554] block: rate-limit capacity change info log
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 278/554] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 280/554] floppy: fix for PAGE_SIZE != 4KB Greg Kroah-Hartman
` (280 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Chen, Chaitanya Kulkarni,
Bart Van Assche, Jens Axboe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Chen <chenl311@chinatelecom.cn>
commit 3179a5f7f86bcc3acd5d6fb2a29f891ef5615852 upstream.
loop devices under heavy stress-ng loop streessor can trigger many
capacity change events in a short time. Each event prints an info
message from set_capacity_and_notify(), flooding the console and
contributing to soft lockups on slow consoles.
Switch the printk in set_capacity_and_notify() to
pr_info_ratelimited() so frequent capacity changes do not spam
the log while still reporting occasional changes.
Cc: stable@vger.kernel.org
Signed-off-by: Li Chen <chenl311@chinatelecom.cn>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/genhd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -83,7 +83,7 @@ bool set_capacity_and_notify(struct gend
(disk->flags & GENHD_FL_HIDDEN))
return false;
- pr_info("%s: detected capacity change from %lld to %lld\n",
+ pr_info_ratelimited("%s: detected capacity change from %lld to %lld\n",
disk->disk_name, capacity, size);
/*
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 280/554] floppy: fix for PAGE_SIZE != 4KB
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 279/554] block: rate-limit capacity change info log Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 281/554] fs/ntfs3: fix mount failure for sparse runs in run_unpack() Greg Kroah-Hartman
` (279 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, Jens Axboe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rene Rebe <rene@exactco.de>
commit 82d20481024cbae2ea87fe8b86d12961bfda7169 upstream.
For years I wondered why the floppy driver does not just work on
sparc64, e.g:
root@SUNW_375_0066:# disktype /dev/fd0
disktype: Can't open /dev/fd0: No such device or address
[ 525.341906] disktype: attempt to access beyond end of device
fd0: rw=0, sector=0, nr_sectors = 16 limit=8
[ 525.341991] floppy: error 10 while reading block 0
Turns out floppy.c __floppy_read_block_0 tries to read one page for
the first test read to determine the disk size and thus fails if that
is greater than 4k. Adjust minimum MAX_DISK_SIZE to PAGE_SIZE to fix
floppy on sparc64 and likely all other PAGE_SIZE != 4KB configs.
Cc: stable@vger.kernel.org
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/floppy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -331,7 +331,7 @@ static bool initialized;
* This default is used whenever the current disk size is unknown.
* [Now it is rather a minimum]
*/
-#define MAX_DISK_SIZE 4 /* 3984 */
+#define MAX_DISK_SIZE (PAGE_SIZE / 1024)
/*
* globals used by 'result()'
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 281/554] fs/ntfs3: fix mount failure for sparse runs in run_unpack()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 280/554] floppy: fix for PAGE_SIZE != 4KB Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 282/554] ktest.pl: Fix uninitialized var in config-bisect.pl Greg Kroah-Hartman
` (278 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konstantin Komarov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
commit 801f614ba263cb37624982b27b4c82f3c3c597a9 upstream.
Some NTFS volumes failed to mount because sparse data runs were not
handled correctly during runlist unpacking. The code performed arithmetic
on the special SPARSE_LCN64 marker, leading to invalid LCN values and
mount errors.
Add an explicit check for the case described above, marking the run as
sparse without applying arithmetic.
Fixes: 736fc7bf5f68 ("fs: ntfs3: Fix integer overflow in run_unpack()")
Cc: stable@vger.kernel.org
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/run.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ntfs3/run.c
+++ b/fs/ntfs3/run.c
@@ -937,8 +937,12 @@ int run_unpack(struct runs_tree *run, st
if (!dlcn)
return -EINVAL;
- if (check_add_overflow(prev_lcn, dlcn, &lcn))
+ /* Check special combination: 0 + SPARSE_LCN64. */
+ if (!prev_lcn && dlcn == SPARSE_LCN64) {
+ lcn = SPARSE_LCN64;
+ } else if (check_add_overflow(prev_lcn, dlcn, &lcn)) {
return -EINVAL;
+ }
prev_lcn = lcn;
} else
return -EINVAL;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 282/554] ktest.pl: Fix uninitialized var in config-bisect.pl
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 281/554] fs/ntfs3: fix mount failure for sparse runs in run_unpack() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 283/554] ext4: xattr: fix null pointer deref in ext4_raw_inode() Greg Kroah-Hartman
` (277 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley, John W. Krahn,
Steven Rostedt
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit d3042cbe84a060b4df764eb6c5300bbe20d125ca upstream.
The error path of copying the old config used the wrong variable in the
error message:
$ mkdir /tmp/build
$ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad
$ chmod 0 /tmp/build
$ ./tools/testing/ktest/config-bisect.pl -b /tmp/build config-good /tmp/config-bad good
cp /tmp/build//.config config-good.tmp ... [0 seconds] FAILED!
Use of uninitialized value $config in concatenation (.) or string at ./tools/testing/ktest/config-bisect.pl line 744.
failed to copy to config-good.tmp
When it should have shown:
failed to copy /tmp/build//.config to config-good.tmp
Cc: stable@vger.kernel.org
Cc: John 'Warthog9' Hawley <warthog9@kernel.org>
Fixes: 0f0db065999cf ("ktest: Add standalone config-bisect.pl program")
Link: https://patch.msgid.link/20251203180924.6862bd26@gandalf.local.home
Reported-by: "John W. Krahn" <jwkrahn@shaw.ca>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/ktest/config-bisect.pl | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/tools/testing/ktest/config-bisect.pl
+++ b/tools/testing/ktest/config-bisect.pl
@@ -741,9 +741,9 @@ if ($start) {
die "Can not find file $bad\n";
}
if ($val eq "good") {
- run_command "cp $output_config $good" or die "failed to copy $config to $good\n";
+ run_command "cp $output_config $good" or die "failed to copy $output_config to $good\n";
} elsif ($val eq "bad") {
- run_command "cp $output_config $bad" or die "failed to copy $config to $bad\n";
+ run_command "cp $output_config $bad" or die "failed to copy $output_config to $bad\n";
}
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 283/554] ext4: xattr: fix null pointer deref in ext4_raw_inode()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 282/554] ktest.pl: Fix uninitialized var in config-bisect.pl Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 284/554] ext4: clear i_state_flags when alloc inode Greg Kroah-Hartman
` (276 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Karina Yankevich,
Sergey Shtylyov, Baokun Li, Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karina Yankevich <k.yankevich@omp.ru>
commit b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 upstream.
If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED),
iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all()
lacks error checking, this will lead to a null pointer dereference
in ext4_raw_inode(), called right after ext4_get_inode_loc().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: c8e008b60492 ("ext4: ignore xattrs past end")
Cc: stable@kernel.org
Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Message-ID: <20251022093253.3546296-1-k.yankevich@omp.ru>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1138,7 +1138,11 @@ ext4_xattr_inode_dec_ref_all(handle_t *h
if (block_csum)
end = (void *)bh->b_data + bh->b_size;
else {
- ext4_get_inode_loc(parent, &iloc);
+ err = ext4_get_inode_loc(parent, &iloc);
+ if (err) {
+ EXT4_ERROR_INODE(parent, "parent inode loc (error %d)", err);
+ return;
+ }
end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 284/554] ext4: clear i_state_flags when alloc inode
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 283/554] ext4: xattr: fix null pointer deref in ext4_raw_inode() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 285/554] ext4: fix incorrect group number assertion in mb_check_buddy Greg Kroah-Hartman
` (275 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haibo Chen, Baokun Li, Zhang Yi,
Jan Kara, Theodore Tso, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
commit 4091c8206cfd2e3bb529ef260887296b90d9b6a2 upstream.
i_state_flags used on 32-bit archs, need to clear this flag when
alloc inode.
Find this issue when umount ext4, sometimes track the inode as orphan
accidently, cause ext4 mesg dump.
Fixes: acf943e9768e ("ext4: fix checks for orphan inodes")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251104-ext4-v1-1-73691a0800f9@nxp.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ialloc.c | 1 -
fs/ext4/inode.c | 1 -
fs/ext4/super.c | 1 +
3 files changed, 1 insertion(+), 2 deletions(-)
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -1301,7 +1301,6 @@ got:
sizeof(gen));
}
- ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */
ext4_set_inode_state(inode, EXT4_STATE_NEW);
ei->i_extra_isize = sbi->s_want_extra_isize;
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4754,7 +4754,6 @@ struct inode *__ext4_iget(struct super_b
ei->i_projid = make_kprojid(&init_user_ns, i_projid);
set_nlink(inode, le16_to_cpu(raw_inode->i_links_count));
- ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */
ei->i_inline_off = 0;
ei->i_dir_start_lookup = 0;
ei->i_dtime = le32_to_cpu(raw_inode->i_dtime);
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1300,6 +1300,7 @@ static struct inode *ext4_alloc_inode(st
inode_set_iversion(&ei->vfs_inode, 1);
ei->i_flags = 0;
+ ext4_clear_state_flags(ei); /* Only relevant on 32-bit archs */
spin_lock_init(&ei->i_raw_lock);
INIT_LIST_HEAD(&ei->i_prealloc_list);
atomic_set(&ei->i_prealloc_active, 0);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 285/554] ext4: fix incorrect group number assertion in mb_check_buddy
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 284/554] ext4: clear i_state_flags when alloc inode Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 286/554] ext4: align max orphan file size with e2fsprogs limit Greg Kroah-Hartman
` (274 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongjian Sun, Baokun Li, Jan Kara,
Theodore Tso, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yongjian Sun <sunyongjian1@huawei.com>
commit 3f7a79d05c692c7cfec70bf104b1b3c3d0ce6247 upstream.
When the MB_CHECK_ASSERT macro is enabled, an assertion failure can
occur in __mb_check_buddy when checking preallocated blocks (pa) in
a block group:
Assertion failure in mb_free_blocks() : "groupnr == e4b->bd_group"
This happens when a pa at the very end of a block group (e.g.,
pa_pstart=32765, pa_len=3 in a group of 32768 blocks) becomes
exhausted - its pa_pstart is advanced by pa_len to 32768, which
lies in the next block group. If this exhausted pa (with pa_len == 0)
is still in the bb_prealloc_list during the buddy check, the assertion
incorrectly flags it as belonging to the wrong group. A possible
sequence is as follows:
ext4_mb_new_blocks
ext4_mb_release_context
pa->pa_pstart += EXT4_C2B(sbi, ac->ac_b_ex.fe_len)
pa->pa_len -= ac->ac_b_ex.fe_len
__mb_check_buddy
for each pa in group
ext4_get_group_no_and_offset
MB_CHECK_ASSERT(groupnr == e4b->bd_group)
To fix this, we modify the check to skip block group validation for
exhausted preallocations (where pa_len == 0). Such entries are in a
transitional state and will be removed from the list soon, so they
should not trigger an assertion. This change prevents the false
positive while maintaining the integrity of the checks for active
allocations.
Fixes: c9de560ded61f ("ext4: Add multi block allocator for ext4")
Signed-off-by: Yongjian Sun <sunyongjian1@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251106060614.631382-2-sunyongjian@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/mballoc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -767,6 +767,8 @@ static void __mb_check_buddy(struct ext4
ext4_group_t groupnr;
struct ext4_prealloc_space *pa;
pa = list_entry(cur, struct ext4_prealloc_space, pa_group_list);
+ if (!pa->pa_len)
+ continue;
ext4_get_group_no_and_offset(sb, pa->pa_pstart, &groupnr, &k);
MB_CHECK_ASSERT(groupnr == e4b->bd_group);
for (i = 0; i < pa->pa_len; i++)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 286/554] ext4: align max orphan file size with e2fsprogs limit
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 285/554] ext4: fix incorrect group number assertion in mb_check_buddy Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 287/554] jbd2: use a weaker annotation in journal handling Greg Kroah-Hartman
` (273 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 7c11c56eb32eae96893eebafdbe3decadefe88ad upstream.
Kernel commit 0a6ce20c1564 ("ext4: verify orphan file size is not too big")
limits the maximum supported orphan file size to 8 << 20.
However, in e2fsprogs, the orphan file size is set to 32–512 filesystem
blocks when creating a filesystem.
With 64k block size, formatting an ext4 fs >32G gives an orphan file bigger
than the kernel allows, so mount prints an error and fails:
EXT4-fs (vdb): orphan file too big: 8650752
EXT4-fs (vdb): mount failed
To prevent this issue and allow previously created 64KB filesystems to
mount, we updates the maximum allowed orphan file size in the kernel to
512 filesystem blocks.
Fixes: 0a6ce20c1564 ("ext4: verify orphan file size is not too big")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251120134233.2994147-1-libaokun@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/orphan.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/ext4/orphan.c
+++ b/fs/ext4/orphan.c
@@ -8,6 +8,8 @@
#include "ext4.h"
#include "ext4_jbd2.h"
+#define EXT4_MAX_ORPHAN_FILE_BLOCKS 512
+
static int ext4_orphan_file_add(handle_t *handle, struct inode *inode)
{
int i, j, start;
@@ -589,7 +591,7 @@ int ext4_init_orphan_info(struct super_b
* consuming absurd amounts of memory when pinning blocks of orphan
* file in memory.
*/
- if (inode->i_size > 8 << 20) {
+ if (inode->i_size > (EXT4_MAX_ORPHAN_FILE_BLOCKS << inode->i_blkbits)) {
ext4_msg(sb, KERN_ERR, "orphan file too big: %llu",
(unsigned long long)inode->i_size);
ret = -EFSCORRUPTED;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 287/554] jbd2: use a weaker annotation in journal handling
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 286/554] ext4: align max orphan file size with e2fsprogs limit Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 288/554] media: v4l2-mem2mem: Fix outdated documentation Greg Kroah-Hartman
` (272 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Byungchul Park, Jan Kara, stable,
Theodore Tso
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Byungchul Park <byungchul@sk.com>
commit 40a71b53d5a6d4ea17e4d54b99b2ac03a7f5e783 upstream.
jbd2 journal handling code doesn't want jbd2_might_wait_for_commit()
to be placed between start_this_handle() and stop_this_handle(). So it
marks the region with rwsem_acquire_read() and rwsem_release().
However, the annotation is too strong for that purpose. We don't have
to use more than try lock annotation for that.
rwsem_acquire_read() implies:
1. might be a waiter on contention of the lock.
2. enter to the critical section of the lock.
All we need in here is to act 2, not 1. So trylock version of
annotation is sufficient for that purpose. Now that dept partially
relies on lockdep annotaions, dept interpets rwsem_acquire_read() as a
potential wait and might report a deadlock by the wait.
Replace it with trylock version of annotation.
Signed-off-by: Byungchul Park <byungchul@sk.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Message-ID: <20251024073940.1063-1-byungchul@sk.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/transaction.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -461,7 +461,7 @@ repeat:
read_unlock(&journal->j_state_lock);
current->journal_info = handle;
- rwsem_acquire_read(&journal->j_trans_commit_map, 0, 0, _THIS_IP_);
+ rwsem_acquire_read(&journal->j_trans_commit_map, 0, 1, _THIS_IP_);
jbd2_journal_free_transaction(new_transaction);
/*
* Ensure that no allocations done while the transaction is open are
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 288/554] media: v4l2-mem2mem: Fix outdated documentation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 287/554] jbd2: use a weaker annotation in journal handling Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 289/554] usb: usb-storage: Maintain minimal modifications to the bcdDevice range Greg Kroah-Hartman
` (271 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
commit 082b86919b7a94de01d849021b4da820a6cb89dc upstream.
Commit cbd9463da1b1 ("media: v4l2-mem2mem: Avoid calling .device_run in
v4l2_m2m_job_finish") deferred calls to .device_run() to a work queue to
avoid recursive calls when a job is finished right away from
.device_run(). It failed to update the v4l2_m2m_job_finish()
documentation that still states the function must not be called from
.device_run(). Fix it.
Fixes: cbd9463da1b1 ("media: v4l2-mem2mem: Avoid calling .device_run in v4l2_m2m_job_finish")
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/media/v4l2-mem2mem.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/include/media/v4l2-mem2mem.h
+++ b/include/media/v4l2-mem2mem.h
@@ -185,8 +185,7 @@ void v4l2_m2m_try_schedule(struct v4l2_m
* other instances to take control of the device.
*
* This function has to be called only after &v4l2_m2m_ops->device_run
- * callback has been called on the driver. To prevent recursion, it should
- * not be called directly from the &v4l2_m2m_ops->device_run callback though.
+ * callback has been called on the driver.
*/
void v4l2_m2m_job_finish(struct v4l2_m2m_dev *m2m_dev,
struct v4l2_m2m_ctx *m2m_ctx);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 289/554] usb: usb-storage: Maintain minimal modifications to the bcdDevice range.
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 288/554] media: v4l2-mem2mem: Fix outdated documentation Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 290/554] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Greg Kroah-Hartman
` (270 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Changcheng
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Changcheng <chenchangcheng@kylinos.cn>
commit 0831269b5f71594882accfceb02638124f88955d upstream.
We cannot determine which models require the NO_ATA_1X and
IGNORE_RESIDUE quirks aside from the EL-R12 optical drive device.
Fixes: 955a48a5353f ("usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive.")
Signed-off-by: Chen Changcheng <chenchangcheng@kylinos.cn>
Link: https://patch.msgid.link/20251218012318.15978-1-chenchangcheng@kylinos.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/storage/unusual_uas.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -98,7 +98,7 @@ UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x01
US_FL_NO_ATA_1X),
/* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
-UNUSUAL_DEV(0x13fd, 0x3940, 0x0309, 0x0309,
+UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x0309,
"Initio Corporation",
"INIC-3069",
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 290/554] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 289/554] usb: usb-storage: Maintain minimal modifications to the bcdDevice range Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 291/554] media: pvrusb2: Fix incorrect variable used in trace message Greg Kroah-Hartman
` (269 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeongjun Park, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit b91e6aafe8d356086cc621bc03e35ba2299e4788 upstream.
rlen value is a user-controlled value, but dtv5100_i2c_msg() does not
check the size of the rlen value. Therefore, if it is set to a value
larger than sizeof(st->data), an out-of-bounds vuln occurs for st->data.
Therefore, we need to add proper range checking to prevent this vuln.
Fixes: 60688d5e6e6e ("V4L/DVB (8735): dtv5100: replace dummy frontend by zl10353")
Cc: stable@vger.kernel.org
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/dvb-usb/dtv5100.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/media/usb/dvb-usb/dtv5100.c
+++ b/drivers/media/usb/dvb-usb/dtv5100.c
@@ -55,6 +55,11 @@ static int dtv5100_i2c_msg(struct dvb_us
}
index = (addr << 8) + wbuf[0];
+ if (rlen > sizeof(st->data)) {
+ warn("rlen = %x is too big!\n", rlen);
+ return -EINVAL;
+ }
+
memcpy(st->data, rbuf, rlen);
msleep(1); /* avoid I2C errors */
return usb_control_msg(d->udev, pipe, request,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 291/554] media: pvrusb2: Fix incorrect variable used in trace message
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 290/554] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 292/554] phy: broadcom: bcm63xx-usbh: fix section mismatches Greg Kroah-Hartman
` (268 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Colin Ian King, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.i.king@gmail.com>
commit be440980eace19c035a0745fd6b6e42707bc4f49 upstream.
The pvr2_trace message is reporting an error about control read
transfers, however it is using the incorrect variable write_len
instead of read_lean. Fix this by using the correct variable
read_len.
Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
Cc: stable@vger.kernel.org
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -3617,7 +3617,7 @@ static int pvr2_send_request_ex(struct p
pvr2_trace(
PVR2_TRACE_ERROR_LEGS,
"Attempted to execute %d byte control-read transfer (limit=%d)",
- write_len,PVR2_CTL_BUFFSIZE);
+ read_len, PVR2_CTL_BUFFSIZE);
return -EINVAL;
}
if ((!write_len) && (!read_len)) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 292/554] phy: broadcom: bcm63xx-usbh: fix section mismatches
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 291/554] media: pvrusb2: Fix incorrect variable used in trace message Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 293/554] USB: lpc32xx_udc: Fix error handling in probe Greg Kroah-Hartman
` (267 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Álvaro Fernández Rojas,
Johan Hovold, Neil Armstrong, Vinod Koul
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 356d1924b9a6bc2164ce2bf1fad147b0c37ae085 upstream.
Platform drivers can be probed after their init sections have been
discarded (e.g. on probe deferral or manual rebind through sysfs) so the
probe function and match table must not live in init.
Fixes: 783f6d3dcf35 ("phy: bcm63xx-usbh: Add BCM63xx USBH driver")
Cc: stable@vger.kernel.org # 5.9
Cc: Álvaro Fernández Rojas <noltari@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20251017054537.6884-1-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/broadcom/phy-bcm63xx-usbh.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/phy/broadcom/phy-bcm63xx-usbh.c
+++ b/drivers/phy/broadcom/phy-bcm63xx-usbh.c
@@ -374,7 +374,7 @@ static struct phy *bcm63xx_usbh_phy_xlat
return of_phy_simple_xlate(dev, args);
}
-static int __init bcm63xx_usbh_phy_probe(struct platform_device *pdev)
+static int bcm63xx_usbh_phy_probe(struct platform_device *pdev)
{
struct device *dev = &pdev->dev;
struct bcm63xx_usbh_phy *usbh;
@@ -431,7 +431,7 @@ static int __init bcm63xx_usbh_phy_probe
return 0;
}
-static const struct of_device_id bcm63xx_usbh_phy_ids[] __initconst = {
+static const struct of_device_id bcm63xx_usbh_phy_ids[] = {
{ .compatible = "brcm,bcm6318-usbh-phy", .data = &usbh_bcm6318 },
{ .compatible = "brcm,bcm6328-usbh-phy", .data = &usbh_bcm6328 },
{ .compatible = "brcm,bcm6358-usbh-phy", .data = &usbh_bcm6358 },
@@ -442,7 +442,7 @@ static const struct of_device_id bcm63xx
};
MODULE_DEVICE_TABLE(of, bcm63xx_usbh_phy_ids);
-static struct platform_driver bcm63xx_usbh_phy_driver __refdata = {
+static struct platform_driver bcm63xx_usbh_phy_driver = {
.driver = {
.name = "bcm63xx-usbh-phy",
.of_match_table = bcm63xx_usbh_phy_ids,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 293/554] USB: lpc32xx_udc: Fix error handling in probe
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 292/554] phy: broadcom: bcm63xx-usbh: fix section mismatches Greg Kroah-Hartman
@ 2026-01-15 16:45 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 294/554] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Greg Kroah-Hartman
` (266 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ma Ke
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit c84117912bddd9e5d87e68daf182410c98181407 upstream.
lpc32xx_udc_probe() acquires an i2c_client reference through
isp1301_get_client() but fails to release it in both error handling
paths and the normal removal path. This could result in a reference
count leak for the I2C device, preventing proper cleanup and potentially
leading to resource exhaustion. Add put_device() to release the
reference in the probe failure path and in the remove function.
Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
i2c_find_device_by_fwnode(). As comments of i2c_find_device_by_fwnode()
says, 'The user must call put_device(&client->dev) once done with the
i2c client.'
Found by code review.
Cc: stable <stable@kernel.org>
Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://patch.msgid.link/20251215020931.15324-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/lpc32xx_udc.c | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -3025,7 +3025,7 @@ static int lpc32xx_udc_probe(struct plat
pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
if (retval)
- return retval;
+ goto i2c_fail;
udc->board = &lpc32xx_usbddata;
@@ -3043,28 +3043,32 @@ static int lpc32xx_udc_probe(struct plat
/* Get IRQs */
for (i = 0; i < 4; i++) {
udc->udp_irq[i] = platform_get_irq(pdev, i);
- if (udc->udp_irq[i] < 0)
- return udc->udp_irq[i];
+ if (udc->udp_irq[i] < 0) {
+ retval = udc->udp_irq[i];
+ goto i2c_fail;
+ }
}
udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(udc->udp_baseaddr)) {
dev_err(udc->dev, "IO map failure\n");
- return PTR_ERR(udc->udp_baseaddr);
+ retval = PTR_ERR(udc->udp_baseaddr);
+ goto i2c_fail;
}
/* Get USB device clock */
udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL);
if (IS_ERR(udc->usb_slv_clk)) {
dev_err(udc->dev, "failed to acquire USB device clock\n");
- return PTR_ERR(udc->usb_slv_clk);
+ retval = PTR_ERR(udc->usb_slv_clk);
+ goto i2c_fail;
}
/* Enable USB device clock */
retval = clk_prepare_enable(udc->usb_slv_clk);
if (retval < 0) {
dev_err(udc->dev, "failed to start USB device clock\n");
- return retval;
+ goto i2c_fail;
}
/* Setup deferred workqueue data */
@@ -3166,6 +3170,8 @@ dma_alloc_fail:
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
i2c_fail:
+ if (udc->isp1301_i2c_client)
+ put_device(&udc->isp1301_i2c_client->dev);
clk_disable_unprepare(udc->usb_slv_clk);
dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
@@ -3191,6 +3197,9 @@ static int lpc32xx_udc_remove(struct pla
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
+ if (udc->isp1301_i2c_client)
+ put_device(&udc->isp1301_i2c_client->dev);
+
clk_disable_unprepare(udc->usb_slv_clk);
return 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 294/554] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2026-01-15 16:45 ` [PATCH 5.15 293/554] USB: lpc32xx_udc: Fix error handling in probe Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 295/554] usb: phy: isp1301: fix non-OF device reference imbalance Greg Kroah-Hartman
` (265 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Duoming Zhou
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 41ca62e3e21e48c2903b3b45e232cf4f2ff7434f upstream.
The delayed work item otg_event is initialized in fsl_otg_conf() and
scheduled under two conditions:
1. When a host controller binds to the OTG controller.
2. When the USB ID pin state changes (cable insertion/removal).
A race condition occurs when the device is removed via fsl_otg_remove():
the fsl_otg instance may be freed while the delayed work is still pending
or executing. This leads to use-after-free when the work function
fsl_otg_event() accesses the already freed memory.
The problematic scenario:
(detach thread) | (delayed work)
fsl_otg_remove() |
kfree(fsl_otg_dev) //FREE| fsl_otg_event()
| og = container_of(...) //USE
| og-> //USE
Fix this by calling disable_delayed_work_sync() in fsl_otg_remove()
before deallocating the fsl_otg structure. This ensures the delayed work
is properly canceled and completes execution prior to memory deallocation.
This bug was identified through static analysis.
Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver")
Cc: stable <stable@kernel.org>
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Link: https://patch.msgid.link/20251205034831.12846-1-duoming@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/phy/phy-fsl-usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/phy/phy-fsl-usb.c
+++ b/drivers/usb/phy/phy-fsl-usb.c
@@ -987,6 +987,7 @@ static int fsl_otg_remove(struct platfor
{
struct fsl_usb2_platform_data *pdata = dev_get_platdata(&pdev->dev);
+ disable_delayed_work_sync(&fsl_otg_dev->otg_event);
usb_remove_phy(&fsl_otg_dev->phy);
free_irq(fsl_otg_dev->irq, fsl_otg_dev);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 295/554] usb: phy: isp1301: fix non-OF device reference imbalance
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 294/554] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 296/554] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Greg Kroah-Hartman
` (264 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Johan Hovold,
Vladimir Zapolskiy
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 upstream.
A recent change fixing a device reference leak in a UDC driver
introduced a potential use-after-free in the non-OF case as the
isp1301_get_client() helper only increases the reference count for the
returned I2C device in the OF case.
Increment the reference count also for non-OF so that the caller can
decrement it unconditionally.
Note that this is inherently racy just as using the returned I2C device
is since nothing is preventing the PHY driver from being unbound while
in use.
Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
Cc: stable@vger.kernel.org
Cc: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/phy/phy-isp1301.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/phy/phy-isp1301.c
+++ b/drivers/usb/phy/phy-isp1301.c
@@ -152,7 +152,12 @@ struct i2c_client *isp1301_get_client(st
return client;
/* non-DT: only one ISP1301 chip supported */
- return isp1301_i2c_client;
+ if (isp1301_i2c_client) {
+ get_device(&isp1301_i2c_client->dev);
+ return isp1301_i2c_client;
+ }
+
+ return NULL;
}
EXPORT_SYMBOL_GPL(isp1301_get_client);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 296/554] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 295/554] usb: phy: isp1301: fix non-OF device reference imbalance Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 297/554] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Greg Kroah-Hartman
` (263 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Miaoqian Lin, Thinh Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 3b4961313d31e200c9e974bb1536cdea217f78b5 upstream.
When clk_bulk_prepare_enable() fails, the error path jumps to
err_resetc_assert, skipping clk_bulk_put_all() and leaking the
clock references acquired by clk_bulk_get_all().
Add err_clk_put_all label to properly release clock resources
in all error paths.
Found via static analysis and code review.
Fixes: c0c61471ef86 ("usb: dwc3: of-simple: Convert to bulk clk API")
Cc: stable <stable@kernel.org>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20251211064937.2360510-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-of-simple.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/usb/dwc3/dwc3-of-simple.c
+++ b/drivers/usb/dwc3/dwc3-of-simple.c
@@ -71,11 +71,11 @@ static int dwc3_of_simple_probe(struct p
simple->num_clocks = ret;
ret = clk_bulk_prepare_enable(simple->num_clocks, simple->clks);
if (ret)
- goto err_resetc_assert;
+ goto err_clk_put_all;
ret = of_platform_populate(np, NULL, NULL, dev);
if (ret)
- goto err_clk_put;
+ goto err_clk_disable;
pm_runtime_set_active(dev);
pm_runtime_enable(dev);
@@ -83,8 +83,9 @@ static int dwc3_of_simple_probe(struct p
return 0;
-err_clk_put:
+err_clk_disable:
clk_bulk_disable_unprepare(simple->num_clocks, simple->clks);
+err_clk_put_all:
clk_bulk_put_all(simple->num_clocks, simple->clks);
err_resetc_assert:
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 297/554] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 296/554] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 298/554] char: applicom: fix NULL pointer dereference in ac_ioctl Greg Kroah-Hartman
` (262 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Haoxiang Li
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
commit 36cc7e09df9e43db21b46519b740145410dd9f4a upstream.
usbhsp_get_pipe() set pipe's flags to IS_USED. In error paths,
usbhsp_put_pipe() is required to clear pipe's flags to prevent
pipe exhaustion.
Fixes: f1407d5c6624 ("usb: renesas_usbhs: Add Renesas USBHS common code")
Cc: stable <stable@kernel.org>
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Link: https://patch.msgid.link/20251204132129.109234-1-haoxiang_li2024@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/renesas_usbhs/pipe.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/renesas_usbhs/pipe.c
+++ b/drivers/usb/renesas_usbhs/pipe.c
@@ -713,11 +713,13 @@ struct usbhs_pipe *usbhs_pipe_malloc(str
/* make sure pipe is not busy */
ret = usbhsp_pipe_barrier(pipe);
if (ret < 0) {
+ usbhsp_put_pipe(pipe);
dev_err(dev, "pipe setup failed %d\n", usbhs_pipe_number(pipe));
return NULL;
}
if (usbhsp_setup_pipecfg(pipe, is_host, dir_in, &pipecfg)) {
+ usbhsp_put_pipe(pipe);
dev_err(dev, "can't setup pipe\n");
return NULL;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 298/554] char: applicom: fix NULL pointer dereference in ac_ioctl
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 297/554] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 299/554] intel_th: Fix error handling in intel_th_output_open Greg Kroah-Hartman
` (261 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tianchu Chen, Arnd Bergmann, stable
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tianchu Chen <flynnnchen@tencent.com>
commit 82d12088c297fa1cef670e1718b3d24f414c23f7 upstream.
Discovered by Atuin - Automated Vulnerability Discovery Engine.
In ac_ioctl, the validation of IndexCard and the check for a valid
RamIO pointer are skipped when cmd is 6. However, the function
unconditionally executes readb(apbs[IndexCard].RamIO + VERS) at the
end.
If cmd is 6, IndexCard may reference a board that does not exist
(where RamIO is NULL), leading to a NULL pointer dereference.
Fix this by skipping the readb access when cmd is 6, as this
command is a global information query and does not target a specific
board context.
Signed-off-by: Tianchu Chen <flynnnchen@tencent.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Cc: stable <stable@kernel.org>
Link: https://patch.msgid.link/20251128155323.a786fde92ebb926cbe96fcb1@linux.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/applicom.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/char/applicom.c
+++ b/drivers/char/applicom.c
@@ -836,7 +836,10 @@ static long ac_ioctl(struct file *file,
ret = -ENOTTY;
break;
}
- Dummy = readb(apbs[IndexCard].RamIO + VERS);
+
+ if (cmd != 6)
+ Dummy = readb(apbs[IndexCard].RamIO + VERS);
+
kfree(adgl);
mutex_unlock(&ac_mutex);
return ret;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 299/554] intel_th: Fix error handling in intel_th_output_open
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 298/554] char: applicom: fix NULL pointer dereference in ac_ioctl Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 300/554] cpufreq: nforce2: fix reference count leak in nforce2 Greg Kroah-Hartman
` (260 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ma Ke
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 6d5925b667e4ed9e77c8278cc215191d29454a3f upstream.
intel_th_output_open() calls bus_find_device_by_devt() which
internally increments the device reference count via get_device(), but
this reference is not properly released in several error paths. When
device driver is unavailable, file operations cannot be obtained, or
the driver's open method fails, the function returns without calling
put_device(), leading to a permanent device reference count leak. This
prevents the device from being properly released and could cause
resource exhaustion over time.
Found by code review.
Cc: stable <stable@kernel.org>
Fixes: 39f4034693b7 ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://patch.msgid.link/20251112091723.35963-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwtracing/intel_th/core.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/drivers/hwtracing/intel_th/core.c
+++ b/drivers/hwtracing/intel_th/core.c
@@ -810,13 +810,17 @@ static int intel_th_output_open(struct i
int err;
dev = bus_find_device_by_devt(&intel_th_bus, inode->i_rdev);
- if (!dev || !dev->driver)
- return -ENODEV;
+ if (!dev || !dev->driver) {
+ err = -ENODEV;
+ goto out_no_device;
+ }
thdrv = to_intel_th_driver(dev->driver);
fops = fops_get(thdrv->fops);
- if (!fops)
- return -ENODEV;
+ if (!fops) {
+ err = -ENODEV;
+ goto out_put_device;
+ }
replace_fops(file, fops);
@@ -824,10 +828,16 @@ static int intel_th_output_open(struct i
if (file->f_op->open) {
err = file->f_op->open(inode, file);
- return err;
+ if (err)
+ goto out_put_device;
}
return 0;
+
+out_put_device:
+ put_device(dev);
+out_no_device:
+ return err;
}
static const struct file_operations intel_th_output_fops = {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 300/554] cpufreq: nforce2: fix reference count leak in nforce2
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 299/554] intel_th: Fix error handling in intel_th_output_open Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 301/554] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Greg Kroah-Hartman
` (259 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Viresh Kumar
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 9600156bb99852c216a2128cdf9f114eb67c350f upstream.
There are two reference count leaks in this driver:
1. In nforce2_fsb_read(): pci_get_subsys() increases the reference count
of the PCI device, but pci_dev_put() is never called to release it,
thus leaking the reference.
2. In nforce2_detect_chipset(): pci_get_subsys() gets a reference to the
nforce2_dev which is stored in a global variable, but the reference
is never released when the module is unloaded.
Fix both by:
- Adding pci_dev_put(nforce2_sub5) in nforce2_fsb_read() after reading
the configuration.
- Adding pci_dev_put(nforce2_dev) in nforce2_exit() to release the
global device reference.
Found via static analysis.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq-nforce2.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/cpufreq/cpufreq-nforce2.c
+++ b/drivers/cpufreq/cpufreq-nforce2.c
@@ -145,6 +145,8 @@ static unsigned int nforce2_fsb_read(int
pci_read_config_dword(nforce2_sub5, NFORCE2_BOOTFSB, &fsb);
fsb /= 1000000;
+ pci_dev_put(nforce2_sub5);
+
/* Check if PLL register is already set */
pci_read_config_byte(nforce2_dev, NFORCE2_PLLENABLE, (u8 *)&temp);
@@ -432,6 +434,7 @@ static int __init nforce2_init(void)
static void __exit nforce2_exit(void)
{
cpufreq_unregister_driver(&nforce2_driver);
+ pci_dev_put(nforce2_dev);
}
module_init(nforce2_init);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 301/554] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path"
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 300/554] cpufreq: nforce2: fix reference count leak in nforce2 Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 302/554] scsi: aic94xx: fix use-after-free in device removal path Greg Kroah-Hartman
` (258 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tony Battersby, Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Battersby <tonyb@cybernetics.com>
commit b57fbc88715b6d18f379463f48a15b560b087ffe upstream.
This reverts commit 0367076b0817d5c75dfb83001ce7ce5c64d803a9.
The commit being reverted added code to __qla2x00_abort_all_cmds() to
call sp->done() without holding a spinlock. But unlike the older code
below it, this new code failed to check sp->cmd_type and just assumed
TYPE_SRB, which results in a jump to an invalid pointer in target-mode
with TYPE_TGT_CMD:
qla2xxx [0000:65:00.0]-d034:8: qla24xx_do_nack_work create sess success
0000000009f7a79b
qla2xxx [0000:65:00.0]-5003:8: ISP System Error - mbx1=1ff5h mbx2=10h
mbx3=0h mbx4=0h mbx5=191h mbx6=0h mbx7=0h.
qla2xxx [0000:65:00.0]-d01e:8: -> fwdump no buffer
qla2xxx [0000:65:00.0]-f03a:8: qla_target(0): System error async event
0x8002 occurred
qla2xxx [0000:65:00.0]-00af:8: Performing ISP error recovery -
ha=0000000058183fda.
BUG: kernel NULL pointer dereference, address: 0000000000000000
PF: supervisor instruction fetch in kernel mode
PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: 0010 [#1] SMP
CPU: 2 PID: 9446 Comm: qla2xxx_8_dpc Tainted: G O 6.1.133 #1
Hardware name: Supermicro Super Server/X11SPL-F, BIOS 4.2 12/15/2023
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc90001f93dc8 EFLAGS: 00010206
RAX: 0000000000000282 RBX: 0000000000000355 RCX: ffff88810d16a000
RDX: ffff88810dbadaa8 RSI: 0000000000080000 RDI: ffff888169dc38c0
RBP: ffff888169dc38c0 R08: 0000000000000001 R09: 0000000000000045
R10: ffffffffa034bdf0 R11: 0000000000000000 R12: ffff88810800bb40
R13: 0000000000001aa8 R14: ffff888100136610 R15: ffff8881070f7400
FS: 0000000000000000(0000) GS:ffff88bf80080000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000010c8ff006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __die+0x4d/0x8b
? page_fault_oops+0x91/0x180
? trace_buffer_unlock_commit_regs+0x38/0x1a0
? exc_page_fault+0x391/0x5e0
? asm_exc_page_fault+0x22/0x30
__qla2x00_abort_all_cmds+0xcb/0x3e0 [qla2xxx_scst]
qla2x00_abort_all_cmds+0x50/0x70 [qla2xxx_scst]
qla2x00_abort_isp_cleanup+0x3b7/0x4b0 [qla2xxx_scst]
qla2x00_abort_isp+0xfd/0x860 [qla2xxx_scst]
qla2x00_do_dpc+0x581/0xa40 [qla2xxx_scst]
kthread+0xa8/0xd0
</TASK>
Then commit 4475afa2646d ("scsi: qla2xxx: Complete command early within
lock") added the spinlock back, because not having the lock caused a
race and a crash. But qla2x00_abort_srb() in the switch below already
checks for qla2x00_chip_is_down() and handles it the same way, so the
code above the switch is now redundant and still buggy in target-mode.
Remove it.
Cc: stable@vger.kernel.org
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Link: https://patch.msgid.link/3a8022dc-bcfd-4b01-9f9b-7a9ec61fa2a3@cybernetics.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/qla2xxx/qla_os.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1861,12 +1861,6 @@ __qla2x00_abort_all_cmds(struct qla_qpai
for (cnt = 1; cnt < req->num_outstanding_cmds; cnt++) {
sp = req->outstanding_cmds[cnt];
if (sp) {
- if (qla2x00_chip_is_down(vha)) {
- req->outstanding_cmds[cnt] = NULL;
- sp->done(sp, res);
- continue;
- }
-
switch (sp->cmd_type) {
case TYPE_SRB:
qla2x00_abort_srb(qp, sp, res, &flags);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 302/554] scsi: aic94xx: fix use-after-free in device removal path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 301/554] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 303/554] NFSD: use correct reservation type in nfsd4_scsi_fence_client Greg Kroah-Hartman
` (257 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
commit f6ab594672d4cba08540919a4e6be2e202b60007 upstream.
The asd_pci_remove() function fails to synchronize with pending tasklets
before freeing the asd_ha structure, leading to a potential
use-after-free vulnerability.
When a device removal is triggered (via hot-unplug or module unload),
race condition can occur.
The fix adds tasklet_kill() before freeing the asd_ha structure,
ensuring all scheduled tasklets complete before cleanup proceeds.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/ME2PR01MB3156AB7DCACA206C845FC7E8AFFDA@ME2PR01MB3156.ausprd01.prod.outlook.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/aic94xx/aic94xx_init.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/scsi/aic94xx/aic94xx_init.c
+++ b/drivers/scsi/aic94xx/aic94xx_init.c
@@ -897,6 +897,9 @@ static void asd_pci_remove(struct pci_de
asd_disable_ints(asd_ha);
+ /* Ensure all scheduled tasklets complete before freeing resources */
+ tasklet_kill(&asd_ha->seq.dl_tasklet);
+
asd_remove_dev_attrs(asd_ha);
/* XXX more here as needed */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 303/554] NFSD: use correct reservation type in nfsd4_scsi_fence_client
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 302/554] scsi: aic94xx: fix use-after-free in device removal path Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 304/554] scsi: target: Reset t_task_cdb pointer in error case Greg Kroah-Hartman
` (256 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dai Ngo, Christoph Hellwig,
Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dai Ngo <dai.ngo@oracle.com>
commit 6f52063db9aabdaabea929b1e998af98c2e8d917 upstream.
The reservation type argument for the pr_preempt call should match the
one used in nfsd4_block_get_device_info_scsi.
Fixes: f99d4fbdae67 ("nfsd: add SCSI layout support")
Cc: stable@vger.kernel.org
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/blocklayout.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfsd/blocklayout.c
+++ b/fs/nfsd/blocklayout.c
@@ -410,7 +410,8 @@ nfsd4_scsi_fence_client(struct nfs4_layo
struct block_device *bdev = ls->ls_file->nf_file->f_path.mnt->mnt_sb->s_bdev;
bdev->bd_disk->fops->pr_ops->pr_preempt(bdev, NFSD_MDS_PR_KEY,
- nfsd4_scsi_pr_key(clp), 0, true);
+ nfsd4_scsi_pr_key(clp),
+ PR_EXCLUSIVE_ACCESS_REG_ONLY, true);
}
const struct nfsd4_layout_ops scsi_layout_ops = {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 304/554] scsi: target: Reset t_task_cdb pointer in error case
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 303/554] NFSD: use correct reservation type in nfsd4_scsi_fence_client Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 305/554] f2fs: invalidate dentry cache on failed whiteout creation Greg Kroah-Hartman
` (255 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrey Vatoropin, Mike Christie,
Martin K. Petersen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Vatoropin <a.vatoropin@crpt.ru>
commit 5053eab38a4c4543522d0c320c639c56a8b59908 upstream.
If allocation of cmd->t_task_cdb fails, it remains NULL but is later
dereferenced in the 'err' path.
In case of error, reset NULL t_task_cdb value to point at the default
fixed-size buffer.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 9e95fb805dc0 ("scsi: target: Fix NULL pointer dereference")
Cc: stable@vger.kernel.org
Signed-off-by: Andrey Vatoropin <a.vatoropin@crpt.ru>
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Link: https://patch.msgid.link/20251118084014.324940-1-a.vatoropin@crpt.ru
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/target/target_core_transport.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -1492,6 +1492,7 @@ target_cmd_init_cdb(struct se_cmd *cmd,
if (scsi_command_size(cdb) > sizeof(cmd->__t_task_cdb)) {
cmd->t_task_cdb = kzalloc(scsi_command_size(cdb), gfp);
if (!cmd->t_task_cdb) {
+ cmd->t_task_cdb = &cmd->__t_task_cdb[0];
pr_err("Unable to allocate cmd->t_task_cdb"
" %u > sizeof(cmd->__t_task_cdb): %lu ops\n",
scsi_command_size(cdb),
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 305/554] f2fs: invalidate dentry cache on failed whiteout creation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 304/554] scsi: target: Reset t_task_cdb pointer in error case Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 306/554] f2fs: fix return value of f2fs_recover_fsync_data() Greg Kroah-Hartman
` (254 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+632cf32276a9a564188d, Chao Yu,
Deepanshu Kartikey, Jaegeuk Kim
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit d33f89b34aa313f50f9a512d58dd288999f246b0 upstream.
F2FS can mount filesystems with corrupted directory depth values that
get runtime-clamped to MAX_DIR_HASH_DEPTH. When RENAME_WHITEOUT
operations are performed on such directories, f2fs_rename performs
directory modifications (updating target entry and deleting source
entry) before attempting to add the whiteout entry via f2fs_add_link.
If f2fs_add_link fails due to the corrupted directory structure, the
function returns an error to VFS, but the partial directory
modifications have already been committed to disk. VFS assumes the
entire rename operation failed and does not update the dentry cache,
leaving stale mappings.
In the error path, VFS does not call d_move() to update the dentry
cache. This results in new_dentry still pointing to the old inode
(new_inode) which has already had its i_nlink decremented to zero.
The stale cache causes subsequent operations to incorrectly reference
the freed inode.
This causes subsequent operations to use cached dentry information that
no longer matches the on-disk state. When a second rename targets the
same entry, VFS attempts to decrement i_nlink on the stale inode, which
may already have i_nlink=0, triggering a WARNING in drop_nlink().
Example sequence:
1. First rename (RENAME_WHITEOUT): file2 → file1
- f2fs updates file1 entry on disk (points to inode 8)
- f2fs deletes file2 entry on disk
- f2fs_add_link(whiteout) fails (corrupted directory)
- Returns error to VFS
- VFS does not call d_move() due to error
- VFS cache still has: file1 → inode 7 (stale!)
- inode 7 has i_nlink=0 (already decremented)
2. Second rename: file3 → file1
- VFS uses stale cache: file1 → inode 7
- Tries to drop_nlink on inode 7 (i_nlink already 0)
- WARNING in drop_nlink()
Fix this by explicitly invalidating old_dentry and new_dentry when
f2fs_add_link fails during whiteout creation. This forces VFS to
refresh from disk on subsequent operations, ensuring cache consistency
even when the rename partially succeeds.
Reproducer:
1. Mount F2FS image with corrupted i_current_depth
2. renameat2(file2, file1, RENAME_WHITEOUT)
3. renameat2(file3, file1, 0)
4. System triggers WARNING in drop_nlink()
Fixes: 7e01e7ad746b ("f2fs: support RENAME_WHITEOUT")
Reported-by: syzbot+632cf32276a9a564188d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=632cf32276a9a564188d
Suggested-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/all/20251022233349.102728-1-kartikey406@gmail.com/ [v1]
Cc: stable@vger.kernel.org
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/namei.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/f2fs/namei.c
+++ b/fs/f2fs/namei.c
@@ -1017,9 +1017,11 @@ static int f2fs_rename(struct inode *old
if (whiteout) {
set_inode_flag(whiteout, FI_INC_LINK);
err = f2fs_add_link(old_dentry, whiteout);
- if (err)
+ if (err) {
+ d_invalidate(old_dentry);
+ d_invalidate(new_dentry);
goto put_out_dir;
-
+ }
spin_lock(&whiteout->i_lock);
whiteout->i_state &= ~I_LINKABLE;
spin_unlock(&whiteout->i_lock);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 306/554] f2fs: fix return value of f2fs_recover_fsync_data()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 305/554] f2fs: invalidate dentry cache on failed whiteout creation Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 307/554] tools/testing/nvdimm: Use per-DIMM device handle Greg Kroah-Hartman
` (253 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Chao Yu, Jaegeuk Kim
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
commit 01fba45deaddcce0d0b01c411435d1acf6feab7b upstream.
With below scripts, it will trigger panic in f2fs:
mkfs.f2fs -f /dev/vdd
mount /dev/vdd /mnt/f2fs
touch /mnt/f2fs/foo
sync
echo 111 >> /mnt/f2fs/foo
f2fs_io fsync /mnt/f2fs/foo
f2fs_io shutdown 2 /mnt/f2fs
umount /mnt/f2fs
mount -o ro,norecovery /dev/vdd /mnt/f2fs
or
mount -o ro,disable_roll_forward /dev/vdd /mnt/f2fs
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 0
F2FS-fs (vdd): Mounted with checkpoint version = 7f5c361f
F2FS-fs (vdd): Stopped filesystem due to reason: 0
F2FS-fs (vdd): f2fs_recover_fsync_data: recovery fsync data, check_only: 1
Filesystem f2fs get_tree() didn't set fc->root, returned 1
------------[ cut here ]------------
kernel BUG at fs/super.c:1761!
Oops: invalid opcode: 0000 [#1] SMP PTI
CPU: 3 UID: 0 PID: 722 Comm: mount Not tainted 6.18.0-rc2+ #721 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vfs_get_tree.cold+0x18/0x1a
Call Trace:
<TASK>
fc_mount+0x13/0xa0
path_mount+0x34e/0xc50
__x64_sys_mount+0x121/0x150
do_syscall_64+0x84/0x800
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fa6cc126cfe
The root cause is we missed to handle error number returned from
f2fs_recover_fsync_data() when mounting image w/ ro,norecovery or
ro,disable_roll_forward mount option, result in returning a positive
error number to vfs_get_tree(), fix it.
Cc: stable@kernel.org
Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -4374,11 +4374,15 @@ try_onemore:
}
} else {
err = f2fs_recover_fsync_data(sbi, true);
-
- if (!f2fs_readonly(sb) && err > 0) {
- err = -EINVAL;
- f2fs_err(sbi, "Need to recover fsync data");
- goto free_meta;
+ if (err > 0) {
+ if (!f2fs_readonly(sb)) {
+ f2fs_err(sbi, "Need to recover fsync data");
+ err = -EINVAL;
+ goto free_meta;
+ } else {
+ f2fs_info(sbi, "drop all fsynced data");
+ err = 0;
+ }
}
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 307/554] tools/testing/nvdimm: Use per-DIMM device handle
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 306/554] f2fs: fix return value of f2fs_recover_fsync_data() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 308/554] media: vidtv: initialize local pointers upon transfer of memory ownership Greg Kroah-Hartman
` (252 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alison Schofield, Ira Weiny,
Dave Jiang
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alison Schofield <alison.schofield@intel.com>
commit f59b701b4674f7955170b54c4167c5590f4714eb upstream.
KASAN reports a global-out-of-bounds access when running these nfit
tests: clear.sh, pmem-errors.sh, pfn-meta-errors.sh, btt-errors.sh,
daxdev-errors.sh, and inject-error.sh.
[] BUG: KASAN: global-out-of-bounds in nfit_test_ctl+0x769f/0x7840 [nfit_test]
[] Read of size 4 at addr ffffffffc03ea01c by task ndctl/1215
[] The buggy address belongs to the variable:
[] handle+0x1c/0x1df4 [nfit_test]
nfit_test_search_spa() uses handle[nvdimm->id] to retrieve a device
handle and triggers a KASAN error when it reads past the end of the
handle array. It should not be indexing the handle array at all.
The correct device handle is stored in per-DIMM test data. Each DIMM
has a struct nfit_mem that embeds a struct acpi_nfit_memdev that
describes the NFIT device handle. Use that device handle here.
Fixes: 10246dc84dfc ("acpi nfit: nfit_test supports translate SPA")
Cc: stable@vger.kernel.org
Signed-off-by: Alison Schofield <alison.schofield@intel.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>> ---
Link: https://patch.msgid.link/20251031234227.1303113-1-alison.schofield@intel.com
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/nvdimm/test/nfit.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/tools/testing/nvdimm/test/nfit.c
+++ b/tools/testing/nvdimm/test/nfit.c
@@ -672,6 +672,7 @@ static int nfit_test_search_spa(struct n
.addr = spa->spa,
.region = NULL,
};
+ struct nfit_mem *nfit_mem;
u64 dpa;
ret = device_for_each_child(&bus->dev, &ctx,
@@ -689,8 +690,12 @@ static int nfit_test_search_spa(struct n
*/
nd_mapping = &nd_region->mapping[nd_region->ndr_mappings - 1];
nvdimm = nd_mapping->nvdimm;
+ nfit_mem = nvdimm_provider_data(nvdimm);
+ if (!nfit_mem)
+ return -EINVAL;
- spa->devices[0].nfit_device_handle = handle[nvdimm->id];
+ spa->devices[0].nfit_device_handle =
+ __to_nfit_memdev(nfit_mem)->device_handle;
spa->num_nvdimms = 1;
spa->devices[0].dpa = dpa;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 308/554] media: vidtv: initialize local pointers upon transfer of memory ownership
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 307/554] tools/testing/nvdimm: Use per-DIMM device handle Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 309/554] ocfs2: fix kernel BUG in ocfs2_find_victim_chain Greg Kroah-Hartman
` (251 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1d9c0edea5907af239e0,
Jeongjun Park, Daniel Almeida, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
commit 98aabfe2d79f74613abc2b0b1cef08f97eaf5322 upstream.
vidtv_channel_si_init() creates a temporary list (program, service, event)
and ownership of the memory itself is transferred to the PAT/SDT/EIT
tables through vidtv_psi_pat_program_assign(),
vidtv_psi_sdt_service_assign(), vidtv_psi_eit_event_assign().
The problem here is that the local pointer where the memory ownership
transfer was completed is not initialized to NULL. This causes the
vidtv_psi_pmt_create_sec_for_each_pat_entry() function to fail, and
in the flow that jumps to free_eit, the memory that was freed by
vidtv_psi_*_table_destroy() can be accessed again by
vidtv_psi_*_event_destroy() due to the uninitialized local pointer, so it
is freed once again.
Therefore, to prevent use-after-free and double-free vulnerability,
local pointers must be initialized to NULL when transferring memory
ownership.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+1d9c0edea5907af239e0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1d9c0edea5907af239e0
Fixes: 3be8037960bc ("media: vidtv: add error checks")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Reviewed-by: Daniel Almeida <daniel.almeida@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/test-drivers/vidtv/vidtv_channel.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -461,12 +461,15 @@ int vidtv_channel_si_init(struct vidtv_m
/* assemble all programs and assign to PAT */
vidtv_psi_pat_program_assign(m->si.pat, programs);
+ programs = NULL;
/* assemble all services and assign to SDT */
vidtv_psi_sdt_service_assign(m->si.sdt, services);
+ services = NULL;
/* assemble all events and assign to EIT */
vidtv_psi_eit_event_assign(m->si.eit, events);
+ events = NULL;
m->si.pmt_secs = vidtv_psi_pmt_create_sec_for_each_pat_entry(m->si.pat,
m->pcr_pid);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 309/554] ocfs2: fix kernel BUG in ocfs2_find_victim_chain
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 308/554] media: vidtv: initialize local pointers upon transfer of memory ownership Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 310/554] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Greg Kroah-Hartman
` (250 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Prithvi Tambewagh,
syzbot+96d38c6e1655c1420a72, Joseph Qi, Mark Fasheh, Joel Becker,
Junxiao Bi, Changwei Ge, Jun Piao, Heming Zhao, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prithvi Tambewagh <activprithvi@gmail.com>
commit 039bef30e320827bac8990c9f29d2a68cd8adb5f upstream.
syzbot reported a kernel BUG in ocfs2_find_victim_chain() because the
`cl_next_free_rec` field of the allocation chain list (next free slot in
the chain list) is 0, triggring the BUG_ON(!cl->cl_next_free_rec)
condition in ocfs2_find_victim_chain() and panicking the kernel.
To fix this, an if condition is introduced in ocfs2_claim_suballoc_bits(),
just before calling ocfs2_find_victim_chain(), the code block in it being
executed when either of the following conditions is true:
1. `cl_next_free_rec` is equal to 0, indicating that there are no free
chains in the allocation chain list
2. `cl_next_free_rec` is greater than `cl_count` (the total number of
chains in the allocation chain list)
Either of them being true is indicative of the fact that there are no
chains left for usage.
This is addressed using ocfs2_error(), which prints
the error log for debugging purposes, rather than panicking the kernel.
Link: https://lkml.kernel.org/r/20251201130711.143900-1-activprithvi@gmail.com
Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
Reported-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=96d38c6e1655c1420a72
Tested-by: syzbot+96d38c6e1655c1420a72@syzkaller.appspotmail.com
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/suballoc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1923,6 +1923,16 @@ static int ocfs2_claim_suballoc_bits(str
}
cl = (struct ocfs2_chain_list *) &fe->id2.i_chain;
+ if (!le16_to_cpu(cl->cl_next_free_rec) ||
+ le16_to_cpu(cl->cl_next_free_rec) > le16_to_cpu(cl->cl_count)) {
+ status = ocfs2_error(ac->ac_inode->i_sb,
+ "Chain allocator dinode %llu has invalid next "
+ "free chain record %u, but only %u total\n",
+ (unsigned long long)le64_to_cpu(fe->i_blkno),
+ le16_to_cpu(cl->cl_next_free_rec),
+ le16_to_cpu(cl->cl_count));
+ goto bail;
+ }
victim = ocfs2_find_victim_chain(cl);
ac->ac_chain = victim;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 310/554] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 309/554] ocfs2: fix kernel BUG in ocfs2_find_victim_chain Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 311/554] scs: fix a wrong parameter in __scs_magic Greg Kroah-Hartman
` (249 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tzung-Bi Shih
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tzung-Bi Shih <tzungbi@kernel.org>
commit 944edca81e7aea15f83cf9a13a6ab67f711e8abd upstream.
After unbinding the driver, another kthread `cros_ec_console_log_work`
is still accessing the device, resulting an UAF and crash.
The driver doesn't unregister the EC device in .remove() which should
shutdown sub-devices synchronously. Fix it.
Fixes: 26a14267aff2 ("platform/chrome: Add ChromeOS EC ISHTP driver")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20251031033900.3577394-1-tzungbi@kernel.org
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec_ishtp.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/platform/chrome/cros_ec_ishtp.c
+++ b/drivers/platform/chrome/cros_ec_ishtp.c
@@ -710,6 +710,7 @@ static void cros_ec_ishtp_remove(struct
cancel_work_sync(&client_data->work_ishtp_reset);
cancel_work_sync(&client_data->work_ec_evt);
+ cros_ec_unregister(client_data->ec_dev);
cros_ish_deinit(cros_ish_cl);
ishtp_put_device(cl_device);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 311/554] scs: fix a wrong parameter in __scs_magic
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 310/554] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 312/554] parisc: Do not reprogram affinitiy on ASP chip Greg Kroah-Hartman
` (248 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiyuan Xie, Zhichi Lin,
Sami Tolvanen, Will Deacon, Andrey Konovalov, Kees Cook,
Marco Elver, Yee Lee, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhichi Lin <zhichi.lin@vivo.com>
commit 08bd4c46d5e63b78e77f2605283874bbe868ab19 upstream.
__scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is
given. 'task_scs(tsk)' is the starting address of the task's shadow call
stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's
shadow call stack. Here should be '__scs_magic(task_scs(tsk))'.
The user-visible effect of this bug is that when CONFIG_DEBUG_STACK_USAGE
is enabled, the shadow call stack usage checking function
(scs_check_usage) would scan an incorrect memory range. This could lead
to:
1. **Inaccurate stack usage reporting**: The function would calculate
wrong usage statistics for the shadow call stack, potentially showing
incorrect value in kmsg.
2. **Potential kernel crash**: If the value of __scs_magic(tsk)is
greater than that of __scs_magic(task_scs(tsk)), the for loop may
access unmapped memory, potentially causing a kernel panic. However,
this scenario is unlikely because task_struct is allocated via the slab
allocator (which typically returns lower addresses), while the shadow
call stack returned by task_scs(tsk) is allocated via vmalloc(which
typically returns higher addresses).
However, since this is purely a debugging feature
(CONFIG_DEBUG_STACK_USAGE), normal production systems should be not
unaffected. The bug only impacts developers and testers who are actively
debugging stack usage with this configuration enabled.
Link: https://lkml.kernel.org/r/20251011082222.12965-1-zhichi.lin@vivo.com
Fixes: 5bbaf9d1fcb9 ("scs: Add support for stack usage debugging")
Signed-off-by: Jiyuan Xie <xiejiyuan@vivo.com>
Signed-off-by: Zhichi Lin <zhichi.lin@vivo.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Acked-by: Will Deacon <will@kernel.org>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Marco Elver <elver@google.com>
Cc: Will Deacon <will@kernel.org>
Cc: Yee Lee <yee.lee@mediatek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/scs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/scs.c
+++ b/kernel/scs.c
@@ -121,7 +121,7 @@ static void scs_check_usage(struct task_
if (!IS_ENABLED(CONFIG_DEBUG_STACK_USAGE))
return;
- for (p = task_scs(tsk); p < __scs_magic(tsk); ++p) {
+ for (p = task_scs(tsk); p < __scs_magic(task_scs(tsk)); ++p) {
if (!READ_ONCE_NOCHECK(*p))
break;
used += sizeof(*p);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 312/554] parisc: Do not reprogram affinitiy on ASP chip
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 311/554] scs: fix a wrong parameter in __scs_magic Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 313/554] libceph: make decode_pool() more resilient against corrupted osdmaps Greg Kroah-Hartman
` (247 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit dca7da244349eef4d78527cafc0bf80816b261f5 upstream.
The ASP chip is a very old variant of the GSP chip and is used e.g. in
HP 730 workstations. When trying to reprogram the affinity it will crash
with a HPMC as the relevant registers don't seem to be at the usual
location. Let's avoid the crash by checking the sversion. Also note,
that reprogramming isn't necessary either, as the HP730 is a just a
single-CPU machine.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/parisc/gsc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/parisc/gsc.c
+++ b/drivers/parisc/gsc.c
@@ -154,7 +154,9 @@ static int gsc_set_affinity_irq(struct i
gsc_dev->eim = ((u32) gsc_dev->gsc_irq.txn_addr) | gsc_dev->gsc_irq.txn_data;
/* switch IRQ's for devices below LASI/WAX to other CPU */
- gsc_writel(gsc_dev->eim, gsc_dev->hpa + OFFSET_IAR);
+ /* ASP chip (svers 0x70) does not support reprogramming */
+ if (gsc_dev->gsc->id.sversion != 0x70)
+ gsc_writel(gsc_dev->eim, gsc_dev->hpa + OFFSET_IAR);
irq_data_update_effective_affinity(d, &tmask);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 313/554] libceph: make decode_pool() more resilient against corrupted osdmaps
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 312/554] parisc: Do not reprogram affinitiy on ASP chip Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 314/554] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Greg Kroah-Hartman
` (246 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ziming zhang, Ilya Dryomov, Xiubo Li
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit 8c738512714e8c0aa18f8a10c072d5b01c83db39 upstream.
If the osdmap is (maliciously) corrupted such that the encoded length
of ceph_pg_pool envelope is less than what is expected for a particular
encoding version, out-of-bounds reads may ensue because the only bounds
check that is there is based on that length value.
This patch adds explicit bounds checks for each field that is decoded
or skipped.
Cc: stable@vger.kernel.org
Reported-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Tested-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 118 ++++++++++++++++++++++++------------------------------
1 file changed, 53 insertions(+), 65 deletions(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -790,51 +790,49 @@ static int decode_pool(void **p, void *e
ceph_decode_need(p, end, len, bad);
pool_end = *p + len;
+ ceph_decode_need(p, end, 4 + 4 + 4, bad);
pi->type = ceph_decode_8(p);
pi->size = ceph_decode_8(p);
pi->crush_ruleset = ceph_decode_8(p);
pi->object_hash = ceph_decode_8(p);
-
pi->pg_num = ceph_decode_32(p);
pi->pgp_num = ceph_decode_32(p);
- *p += 4 + 4; /* skip lpg* */
- *p += 4; /* skip last_change */
- *p += 8 + 4; /* skip snap_seq, snap_epoch */
+ /* lpg*, last_change, snap_seq, snap_epoch */
+ ceph_decode_skip_n(p, end, 8 + 4 + 8 + 4, bad);
/* skip snaps */
- num = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, num, bad);
while (num--) {
- *p += 8; /* snapid key */
- *p += 1 + 1; /* versions */
- len = ceph_decode_32(p);
- *p += len;
+ /* snapid key, pool snap (with versions) */
+ ceph_decode_skip_n(p, end, 8 + 2, bad);
+ ceph_decode_skip_string(p, end, bad);
}
- /* skip removed_snaps */
- num = ceph_decode_32(p);
- *p += num * (8 + 8);
+ /* removed_snaps */
+ ceph_decode_skip_map(p, end, 64, 64, bad);
+ ceph_decode_need(p, end, 8 + 8 + 4, bad);
*p += 8; /* skip auid */
pi->flags = ceph_decode_64(p);
*p += 4; /* skip crash_replay_interval */
if (ev >= 7)
- pi->min_size = ceph_decode_8(p);
+ ceph_decode_8_safe(p, end, pi->min_size, bad);
else
pi->min_size = pi->size - pi->size / 2;
if (ev >= 8)
- *p += 8 + 8; /* skip quota_max_* */
+ /* quota_max_* */
+ ceph_decode_skip_n(p, end, 8 + 8, bad);
if (ev >= 9) {
- /* skip tiers */
- num = ceph_decode_32(p);
- *p += num * 8;
+ /* tiers */
+ ceph_decode_skip_set(p, end, 64, bad);
+ ceph_decode_need(p, end, 8 + 1 + 8 + 8, bad);
*p += 8; /* skip tier_of */
*p += 1; /* skip cache_mode */
-
pi->read_tier = ceph_decode_64(p);
pi->write_tier = ceph_decode_64(p);
} else {
@@ -842,86 +840,76 @@ static int decode_pool(void **p, void *e
pi->write_tier = -1;
}
- if (ev >= 10) {
- /* skip properties */
- num = ceph_decode_32(p);
- while (num--) {
- len = ceph_decode_32(p);
- *p += len; /* key */
- len = ceph_decode_32(p);
- *p += len; /* val */
- }
- }
+ if (ev >= 10)
+ /* properties */
+ ceph_decode_skip_map(p, end, string, string, bad);
if (ev >= 11) {
- /* skip hit_set_params */
- *p += 1 + 1; /* versions */
- len = ceph_decode_32(p);
- *p += len;
+ /* hit_set_params (with versions) */
+ ceph_decode_skip_n(p, end, 2, bad);
+ ceph_decode_skip_string(p, end, bad);
- *p += 4; /* skip hit_set_period */
- *p += 4; /* skip hit_set_count */
+ /* hit_set_period, hit_set_count */
+ ceph_decode_skip_n(p, end, 4 + 4, bad);
}
if (ev >= 12)
- *p += 4; /* skip stripe_width */
+ /* stripe_width */
+ ceph_decode_skip_32(p, end, bad);
- if (ev >= 13) {
- *p += 8; /* skip target_max_bytes */
- *p += 8; /* skip target_max_objects */
- *p += 4; /* skip cache_target_dirty_ratio_micro */
- *p += 4; /* skip cache_target_full_ratio_micro */
- *p += 4; /* skip cache_min_flush_age */
- *p += 4; /* skip cache_min_evict_age */
- }
-
- if (ev >= 14) {
- /* skip erasure_code_profile */
- len = ceph_decode_32(p);
- *p += len;
- }
+ if (ev >= 13)
+ /* target_max_*, cache_target_*, cache_min_* */
+ ceph_decode_skip_n(p, end, 16 + 8 + 8, bad);
+
+ if (ev >= 14)
+ /* erasure_code_profile */
+ ceph_decode_skip_string(p, end, bad);
/*
* last_force_op_resend_preluminous, will be overridden if the
* map was encoded with RESEND_ON_SPLIT
*/
if (ev >= 15)
- pi->last_force_request_resend = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, pi->last_force_request_resend, bad);
else
pi->last_force_request_resend = 0;
if (ev >= 16)
- *p += 4; /* skip min_read_recency_for_promote */
+ /* min_read_recency_for_promote */
+ ceph_decode_skip_32(p, end, bad);
if (ev >= 17)
- *p += 8; /* skip expected_num_objects */
+ /* expected_num_objects */
+ ceph_decode_skip_64(p, end, bad);
if (ev >= 19)
- *p += 4; /* skip cache_target_dirty_high_ratio_micro */
+ /* cache_target_dirty_high_ratio_micro */
+ ceph_decode_skip_32(p, end, bad);
if (ev >= 20)
- *p += 4; /* skip min_write_recency_for_promote */
+ /* min_write_recency_for_promote */
+ ceph_decode_skip_32(p, end, bad);
if (ev >= 21)
- *p += 1; /* skip use_gmt_hitset */
+ /* use_gmt_hitset */
+ ceph_decode_skip_8(p, end, bad);
if (ev >= 22)
- *p += 1; /* skip fast_read */
+ /* fast_read */
+ ceph_decode_skip_8(p, end, bad);
- if (ev >= 23) {
- *p += 4; /* skip hit_set_grade_decay_rate */
- *p += 4; /* skip hit_set_search_last_n */
- }
+ if (ev >= 23)
+ /* hit_set_grade_decay_rate, hit_set_search_last_n */
+ ceph_decode_skip_n(p, end, 4 + 4, bad);
if (ev >= 24) {
- /* skip opts */
- *p += 1 + 1; /* versions */
- len = ceph_decode_32(p);
- *p += len;
+ /* opts (with versions) */
+ ceph_decode_skip_n(p, end, 2, bad);
+ ceph_decode_skip_string(p, end, bad);
}
if (ev >= 25)
- pi->last_force_request_resend = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, pi->last_force_request_resend, bad);
/* ignore the rest */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 314/554] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 313/554] libceph: make decode_pool() more resilient against corrupted osdmaps Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 315/554] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Greg Kroah-Hartman
` (245 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 0ea9494be9c931ddbc084ad5e11fda91b554cf47 upstream.
WARN and don't restart the hrtimer if KVM's callback runs with the guest's
APIC timer in periodic mode but with a period of '0', as not advancing the
hrtimer's deadline would put the CPU into an infinite loop of hrtimer
events. Observing a period of '0' should be impossible, even when the
hrtimer is running on a different CPU than the vCPU, as KVM is supposed to
cancel the hrtimer before changing (or zeroing) the period, e.g. when
switching from periodic to one-shot.
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251113205114.1647493-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2449,7 +2449,7 @@ static enum hrtimer_restart apic_timer_f
apic_timer_expired(apic, true);
- if (lapic_is_periodic(apic)) {
+ if (lapic_is_periodic(apic) && !WARN_ON_ONCE(!apic->lapic_timer.period)) {
advance_periodic_target_expiration(apic);
hrtimer_add_expires_ns(&ktimer->timer, ktimer->period);
return HRTIMER_RESTART;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 315/554] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 314/554] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 316/554] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer Greg Kroah-Hartman
` (244 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, fuqiang wang, Sean Christopherson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: fuqiang wang <fuqiang.wng@gmail.com>
commit 9633f180ce994ab293ce4924a9b7aaf4673aa114 upstream.
When restarting an hrtimer to emulate a the guest's APIC timer in periodic
mode, explicitly set the expiration using the target expiration computed
by advance_periodic_target_expiration() instead of adding the period to
the existing timer. This will allow making adjustments to the expiration,
e.g. to deal with expirations far in the past, without having to implement
the same logic in both advance_periodic_target_expiration() and
apic_timer_fn().
Cc: stable@vger.kernel.org
Signed-off-by: fuqiang wang <fuqiang.wng@gmail.com>
[sean: split to separate patch, write changelog]
Link: https://patch.msgid.link/20251113205114.1647493-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2451,7 +2451,7 @@ static enum hrtimer_restart apic_timer_f
if (lapic_is_periodic(apic) && !WARN_ON_ONCE(!apic->lapic_timer.period)) {
advance_periodic_target_expiration(apic);
- hrtimer_add_expires_ns(&ktimer->timer, ktimer->period);
+ hrtimer_set_expires(&ktimer->timer, ktimer->target_expiration);
return HRTIMER_RESTART;
} else
return HRTIMER_NORESTART;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 316/554] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 315/554] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 317/554] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Greg Kroah-Hartman
` (243 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, fuqiang wang, Sean Christopherson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: fuqiang wang <fuqiang.wng@gmail.com>
commit 18ab3fc8e880791aa9f7c000261320fc812b5465 upstream.
When advancing the target expiration for the guest's APIC timer in periodic
mode, set the expiration to "now" if the target expiration is in the past
(similar to what is done in update_target_expiration()). Blindly adding
the period to the previous target expiration can result in KVM generating
a practically unbounded number of hrtimer IRQs due to programming an
expired timer over and over. In extreme scenarios, e.g. if userspace
pauses/suspends a VM for an extended duration, this can even cause hard
lockups in the host.
Currently, the bug only affects Intel CPUs when using the hypervisor timer
(HV timer), a.k.a. the VMX preemption timer. Unlike the software timer,
a.k.a. hrtimer, which KVM keeps running even on exits to userspace, the
HV timer only runs while the guest is active. As a result, if the vCPU
does not run for an extended duration, there will be a huge gap between
the target expiration and the current time the vCPU resumes running.
Because the target expiration is incremented by only one period on each
timer expiration, this leads to a series of timer expirations occurring
rapidly after the vCPU/VM resumes.
More critically, when the vCPU first triggers a periodic HV timer
expiration after resuming, advancing the expiration by only one period
will result in a target expiration in the past. As a result, the delta
may be calculated as a negative value. When the delta is converted into
an absolute value (tscdeadline is an unsigned u64), the resulting value
can overflow what the HV timer is capable of programming. I.e. the large
value will exceed the VMX Preemption Timer's maximum bit width of
cpu_preemption_timer_multi + 32, and thus cause KVM to switch from the
HV timer to the software timer (hrtimers).
After switching to the software timer, periodic timer expiration callbacks
may be executed consecutively within a single clock interrupt handler,
because hrtimers honors KVM's request for an expiration in the past and
immediately re-invokes KVM's callback after reprogramming. And because
the interrupt handler runs with IRQs disabled, restarting KVM's hrtimer
over and over until the target expiration is advanced to "now" can result
in a hard lockup.
E.g. the following hard lockup was triggered in the host when running a
Windows VM (only relevant because it used the APIC timer in periodic mode)
after resuming the VM from a long suspend (in the host).
NMI watchdog: Watchdog detected hard LOCKUP on cpu 45
...
RIP: 0010:advance_periodic_target_expiration+0x4d/0x80 [kvm]
...
RSP: 0018:ff4f88f5d98d8ef0 EFLAGS: 00000046
RAX: fff0103f91be678e RBX: fff0103f91be678e RCX: 00843a7d9e127bcc
RDX: 0000000000000002 RSI: 0052ca4003697505 RDI: ff440d5bfbdbd500
RBP: ff440d5956f99200 R08: ff2ff2a42deb6a84 R09: 000000000002a6c0
R10: 0122d794016332b3 R11: 0000000000000000 R12: ff440db1af39cfc0
R13: ff440db1af39cfc0 R14: ffffffffc0d4a560 R15: ff440db1af39d0f8
FS: 00007f04a6ffd700(0000) GS:ff440db1af380000(0000) knlGS:000000e38a3b8000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000d5651feff8 CR3: 000000684e038002 CR4: 0000000000773ee0
PKRU: 55555554
Call Trace:
<IRQ>
apic_timer_fn+0x31/0x50 [kvm]
__hrtimer_run_queues+0x100/0x280
hrtimer_interrupt+0x100/0x210
? ttwu_do_wakeup+0x19/0x160
smp_apic_timer_interrupt+0x6a/0x130
apic_timer_interrupt+0xf/0x20
</IRQ>
Moreover, if the suspend duration of the virtual machine is not long enough
to trigger a hard lockup in this scenario, since commit 98c25ead5eda
("KVM: VMX: Move preemption timer <=> hrtimer dance to common x86"), KVM
will continue using the software timer until the guest reprograms the APIC
timer in some way. Since the periodic timer does not require frequent APIC
timer register programming, the guest may continue to use the software
timer in perpetuity.
Fixes: d8f2f498d9ed ("x86/kvm: fix LAPIC timer drift when guest uses periodic mode")
Cc: stable@vger.kernel.org
Signed-off-by: fuqiang wang <fuqiang.wng@gmail.com>
[sean: massage comments and changelog]
Link: https://patch.msgid.link/20251113205114.1647493-4-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 28 +++++++++++++++++++++++-----
1 file changed, 23 insertions(+), 5 deletions(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1803,15 +1803,33 @@ static void advance_periodic_target_expi
ktime_t delta;
/*
- * Synchronize both deadlines to the same time source or
- * differences in the periods (caused by differences in the
- * underlying clocks or numerical approximation errors) will
- * cause the two to drift apart over time as the errors
- * accumulate.
+ * Use kernel time as the time source for both the hrtimer deadline and
+ * TSC-based deadline so that they stay synchronized. Computing each
+ * deadline independently will cause the two deadlines to drift apart
+ * over time as differences in the periods accumulate, e.g. due to
+ * differences in the underlying clocks or numerical approximation errors.
*/
apic->lapic_timer.target_expiration =
ktime_add_ns(apic->lapic_timer.target_expiration,
apic->lapic_timer.period);
+
+ /*
+ * If the new expiration is in the past, e.g. because userspace stopped
+ * running the VM for an extended duration, then force the expiration
+ * to "now" and don't try to play catch-up with the missed events. KVM
+ * will only deliver a single interrupt regardless of how many events
+ * are pending, i.e. restarting the timer with an expiration in the
+ * past will do nothing more than waste host cycles, and can even lead
+ * to a hard lockup in extreme cases.
+ */
+ if (ktime_before(apic->lapic_timer.target_expiration, now))
+ apic->lapic_timer.target_expiration = now;
+
+ /*
+ * Note, ensuring the expiration isn't in the past also prevents delta
+ * from going negative, which could cause the TSC deadline to become
+ * excessively large due to it an unsigned value.
+ */
delta = ktime_sub(apic->lapic_timer.target_expiration, now);
apic->lapic_timer.tscdeadline = kvm_read_l1_tsc(apic->vcpu, tscl) +
nsec_to_cycles(apic->vcpu, delta);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 317/554] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 316/554] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 318/554] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Greg Kroah-Hartman
` (242 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matteo Rizzo, Yosry Ahmed,
Sean Christopherson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosry.ahmed@linux.dev>
commit 5674a76db0213f9db1e4d08e847ff649b46889c0 upstream.
When emulating L2 instructions, svm_check_intercept() checks whether a
write to CR0 should trigger a synthesized #VMEXIT with
SVM_EXIT_CR0_SEL_WRITE. For MOV-to-CR0, SVM_EXIT_CR0_SEL_WRITE is only
triggered if any bit other than CR0.MP and CR0.TS is updated. However,
according to the APM (24593—Rev. 3.42—March 2024, Table 15-7):
The LMSW instruction treats the selective CR0-write
intercept as a non-selective intercept (i.e., it intercepts
regardless of the value being written).
Skip checking the changed bits for x86_intercept_lmsw and always inject
SVM_EXIT_CR0_SEL_WRITE.
Fixes: cfec82cb7d31 ("KVM: SVM: Add intercept check for emulated cr accesses")
Cc: stable@vger.kernel.org
Reported-by: Matteo Rizzo <matteorizzo@google.com>
Signed-off-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251024192918.3191141-3-yosry.ahmed@linux.dev
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -4214,20 +4214,20 @@ static int svm_check_intercept(struct kv
INTERCEPT_SELECTIVE_CR0)))
break;
- cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
- val = info->src_val & ~SVM_CR0_SELECTIVE_MASK;
-
+ /* LMSW always triggers INTERCEPT_SELECTIVE_CR0 */
if (info->intercept == x86_intercept_lmsw) {
- cr0 &= 0xfUL;
- val &= 0xfUL;
- /* lmsw can't clear PE - catch this here */
- if (cr0 & X86_CR0_PE)
- val |= X86_CR0_PE;
+ icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;
+ break;
}
+ /*
+ * MOV-to-CR0 only triggers INTERCEPT_SELECTIVE_CR0 if any bit
+ * other than SVM_CR0_SELECTIVE_MASK is changed.
+ */
+ cr0 = vcpu->arch.cr0 & ~SVM_CR0_SELECTIVE_MASK;
+ val = info->src_val & ~SVM_CR0_SELECTIVE_MASK;
if (cr0 ^ val)
icpt_info.exit_code = SVM_EXIT_CR0_SEL_WRITE;
-
break;
}
case SVM_EXIT_READ_DR0:
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 318/554] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN)
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 317/554] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 319/554] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Greg Kroah-Hartman
` (241 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Yosry Ahmed,
Sean Christopherson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit f402ecd7a8b6446547076f4bd24bd5d4dcc94481 upstream.
Set exit_code_hi to -1u as a temporary band-aid to fix a long-standing
(effectively since KVM's inception) bug where KVM treats the exit code as
a 32-bit value, when in reality it's a 64-bit value. Per the APM, offset
0x70 is a single 64-bit value:
070h 63:0 EXITCODE
And a sane reading of the error values defined in "Table C-1. SVM Intercept
Codes" is that negative values use the full 64 bits:
–1 VMEXIT_INVALID Invalid guest state in VMCB.
–2 VMEXIT_BUSYBUSY bit was set in the VMSA
–3 VMEXIT_IDLE_REQUIREDThe sibling thread is not in an idle state
-4 VMEXIT_INVALID_PMC Invalid PMC state
And that interpretation is confirmed by testing on Milan and Turin (by
setting bits in CR0[63:32] to generate VMEXIT_INVALID on VMRUN).
Furthermore, Xen has treated exitcode as a 64-bit value since HVM support
was adding in 2006 (see Xen commit d1bd157fbc ("Big merge the HVM
full-virtualisation abstractions.")).
Cc: Jim Mattson <jmattson@google.com>
Cc: Yosry Ahmed <yosry.ahmed@linux.dev>
Cc: stable@vger.kernel.org
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251113225621.1688428-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -667,7 +667,7 @@ int nested_svm_vmrun(struct kvm_vcpu *vc
if (!nested_vmcb_valid_sregs(vcpu, &vmcb12->save) ||
!nested_vmcb_check_controls(vcpu, &svm->nested.ctl)) {
vmcb12->control.exit_code = SVM_EXIT_ERR;
- vmcb12->control.exit_code_hi = 0;
+ vmcb12->control.exit_code_hi = -1u;
vmcb12->control.exit_info_1 = 0;
vmcb12->control.exit_info_2 = 0;
goto out;
@@ -698,7 +698,7 @@ out_exit_err:
svm->nested.nested_run_pending = 0;
svm->vmcb->control.exit_code = SVM_EXIT_ERR;
- svm->vmcb->control.exit_code_hi = 0;
+ svm->vmcb->control.exit_code_hi = -1u;
svm->vmcb->control.exit_info_1 = 0;
svm->vmcb->control.exit_info_2 = 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 319/554] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 318/554] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 320/554] tracing: Do not register unsupported perf events Greg Kroah-Hartman
` (240 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Yosry Ahmed,
Sean Christopherson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit da01f64e7470988f8607776aa7afa924208863fb upstream.
Explicitly clear exit_code_hi in the VMCB when synthesizing "normal"
nested VM-Exits, as the full exit code is a 64-bit value (spoiler alert),
and all exit codes for non-failing VMRUN use only bits 31:0.
Cc: Jim Mattson <jmattson@google.com>
Cc: Yosry Ahmed <yosry.ahmed@linux.dev>
Cc: stable@vger.kernel.org
Reviewed-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Link: https://patch.msgid.link/20251113225621.1688428-2-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 2 ++
arch/x86/kvm/svm/svm.h | 7 ++++---
2 files changed, 6 insertions(+), 3 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -2496,6 +2496,7 @@ static bool check_selective_cr0_intercep
if (cr0 ^ val) {
svm->vmcb->control.exit_code = SVM_EXIT_CR0_SEL_WRITE;
+ svm->vmcb->control.exit_code_hi = 0;
ret = (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE);
}
@@ -4288,6 +4289,7 @@ static int svm_check_intercept(struct kv
if (static_cpu_has(X86_FEATURE_NRIPS))
vmcb->control.next_rip = info->next_rip;
vmcb->control.exit_code = icpt_info.exit_code;
+ vmcb->control.exit_code_hi = 0;
vmexit = nested_svm_exit_handled(svm);
ret = (vmexit == NESTED_EXIT_DONE) ? X86EMUL_INTERCEPTED
--- a/arch/x86/kvm/svm/svm.h
+++ b/arch/x86/kvm/svm/svm.h
@@ -474,9 +474,10 @@ int nested_svm_vmexit(struct vcpu_svm *s
static inline int nested_svm_simple_vmexit(struct vcpu_svm *svm, u32 exit_code)
{
- svm->vmcb->control.exit_code = exit_code;
- svm->vmcb->control.exit_info_1 = 0;
- svm->vmcb->control.exit_info_2 = 0;
+ svm->vmcb->control.exit_code = exit_code;
+ svm->vmcb->control.exit_code_hi = 0;
+ svm->vmcb->control.exit_info_1 = 0;
+ svm->vmcb->control.exit_info_2 = 0;
return nested_svm_vmexit(svm);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 320/554] tracing: Do not register unsupported perf events
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 319/554] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 321/554] PM: runtime: Do not clear needs_force_resume with enabled runtime PM Greg Kroah-Hartman
` (239 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Arnaldo Carvalho de Melo, Jiri Olsa, Namhyung Kim, Ian Rogers,
Steven Rostedt (Google)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit ef7f38df890f5dcd2ae62f8dbde191d72f3bebae upstream.
Synthetic events currently do not have a function to register perf events.
This leads to calling the tracepoint register functions with a NULL
function pointer which triggers:
------------[ cut here ]------------
WARNING: kernel/tracepoint.c:175 at tracepoint_add_func+0x357/0x370, CPU#2: perf/2272
Modules linked in: kvm_intel kvm irqbypass
CPU: 2 UID: 0 PID: 2272 Comm: perf Not tainted 6.18.0-ftest-11964-ge022764176fc-dirty #323 PREEMPTLAZY
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
RIP: 0010:tracepoint_add_func+0x357/0x370
Code: 28 9c e8 4c 0b f5 ff eb 0f 4c 89 f7 48 c7 c6 80 4d 28 9c e8 ab 89 f4 ff 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc <0f> 0b 49 c7 c6 ea ff ff ff e9 ee fe ff ff 0f 0b e9 f9 fe ff ff 0f
RSP: 0018:ffffabc0c44d3c40 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff9380aa9e4060 RCX: 0000000000000000
RDX: 000000000000000a RSI: ffffffff9e1d4a98 RDI: ffff937fcf5fd6c8
RBP: 0000000000000001 R08: 0000000000000007 R09: ffff937fcf5fc780
R10: 0000000000000003 R11: ffffffff9c193910 R12: 000000000000000a
R13: ffffffff9e1e5888 R14: 0000000000000000 R15: ffffabc0c44d3c78
FS: 00007f6202f5f340(0000) GS:ffff93819f00f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055d3162281a8 CR3: 0000000106a56003 CR4: 0000000000172ef0
Call Trace:
<TASK>
tracepoint_probe_register+0x5d/0x90
synth_event_reg+0x3c/0x60
perf_trace_event_init+0x204/0x340
perf_trace_init+0x85/0xd0
perf_tp_event_init+0x2e/0x50
perf_try_init_event+0x6f/0x230
? perf_event_alloc+0x4bb/0xdc0
perf_event_alloc+0x65a/0xdc0
__se_sys_perf_event_open+0x290/0x9f0
do_syscall_64+0x93/0x7b0
? entry_SYSCALL_64_after_hwframe+0x76/0x7e
? trace_hardirqs_off+0x53/0xc0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Instead, have the code return -ENODEV, which doesn't warn and has perf
error out with:
# perf record -e synthetic:futex_wait
Error:
The sys_perf_event_open() syscall returned with 19 (No such device) for event (synthetic:futex_wait).
"dmesg | grep -i perf" may provide additional information.
Ideally perf should support synthetic events, but for now just fix the
warning. The support can come later.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: https://patch.msgid.link/20251216182440.147e4453@gandalf.local.home
Fixes: 4b147936fa509 ("tracing: Add support for 'synthetic' events")
Reported-by: Ian Rogers <irogers@google.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -655,6 +655,8 @@ int trace_event_reg(struct trace_event_c
#ifdef CONFIG_PERF_EVENTS
case TRACE_REG_PERF_REGISTER:
+ if (!call->class->perf_probe)
+ return -ENODEV;
return tracepoint_probe_register(call->tp,
call->class->perf_probe,
call);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 321/554] PM: runtime: Do not clear needs_force_resume with enabled runtime PM
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 320/554] tracing: Do not register unsupported perf events Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 322/554] fsnotify: do not generate ACCESS/MODIFY events on child for special files Greg Kroah-Hartman
` (238 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ed Tsai, Rafael J. Wysocki,
Ulf Hansson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
commit 359afc8eb02a518fbdd0cbd462c8c2827c6cbec2 upstream.
Commit 89d9cec3b1e9 ("PM: runtime: Clear power.needs_force_resume in
pm_runtime_reinit()") added provisional clearing of power.needs_force_resume
to pm_runtime_reinit(), but it is done unconditionally which is a
mistake because pm_runtime_reinit() may race with driver probing
and removal [1].
To address this, notice that power.needs_force_resume should never
be set when runtime PM is enabled and so it only needs to be cleared
when runtime PM is disabled, and update pm_runtime_init() to only
clear that flag when runtime PM is disabled.
Fixes: 89d9cec3b1e9 ("PM: runtime: Clear power.needs_force_resume in pm_runtime_reinit()")
Reported-by: Ed Tsai <ed.tsai@mediatek.com>
Closes: https://lore.kernel.org/linux-pm/20251215122154.3180001-1-ed.tsai@mediatek.com/ [1]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: 6.17+ <stable@vger.kernel.org> # 6.17+
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://patch.msgid.link/12807571.O9o76ZdvQC@rafael.j.wysocki
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/power/runtime.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1747,16 +1747,18 @@ void pm_runtime_init(struct device *dev)
*/
void pm_runtime_reinit(struct device *dev)
{
- if (!pm_runtime_enabled(dev)) {
- if (dev->power.runtime_status == RPM_ACTIVE)
- pm_runtime_set_suspended(dev);
- if (dev->power.irq_safe) {
- spin_lock_irq(&dev->power.lock);
- dev->power.irq_safe = 0;
- spin_unlock_irq(&dev->power.lock);
- if (dev->parent)
- pm_runtime_put(dev->parent);
- }
+ if (pm_runtime_enabled(dev))
+ return;
+
+ if (dev->power.runtime_status == RPM_ACTIVE)
+ pm_runtime_set_suspended(dev);
+
+ if (dev->power.irq_safe) {
+ spin_lock_irq(&dev->power.lock);
+ dev->power.irq_safe = 0;
+ spin_unlock_irq(&dev->power.lock);
+ if (dev->parent)
+ pm_runtime_put(dev->parent);
}
/*
* Clear power.needs_force_resume in case it has been set by
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 322/554] fsnotify: do not generate ACCESS/MODIFY events on child for special files
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 321/554] PM: runtime: Do not clear needs_force_resume with enabled runtime PM Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 323/554] nfsd: Mark variable __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
` (237 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sudheendra Raghav Neela,
Amir Goldstein, Jan Kara
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Goldstein <amir73il@gmail.com>
commit 635bc4def026a24e071436f4f356ea08c0eed6ff upstream.
inotify/fanotify do not allow users with no read access to a file to
subscribe to events (e.g. IN_ACCESS/IN_MODIFY), but they do allow the
same user to subscribe for watching events on children when the user
has access to the parent directory (e.g. /dev).
Users with no read access to a file but with read access to its parent
directory can still stat the file and see if it was accessed/modified
via atime/mtime change.
The same is not true for special files (e.g. /dev/null). Users will not
generally observe atime/mtime changes when other users read/write to
special files, only when someone sets atime/mtime via utimensat().
Align fsnotify events with this stat behavior and do not generate
ACCESS/MODIFY events to parent watchers on read/write of special files.
The events are still generated to parent watchers on utimensat(). This
closes some side-channels that could be possibly used for information
exfiltration [1].
[1] https://snee.la/pdf/pubs/file-notification-attacks.pdf
Reported-by: Sudheendra Raghav Neela <sneela@tugraz.at>
CC: stable@vger.kernel.org
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/notify/fsnotify.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/notify/fsnotify.c
+++ b/fs/notify/fsnotify.c
@@ -224,8 +224,15 @@ int __fsnotify_parent(struct dentry *den
/*
* Include parent/name in notification either if some notification
* groups require parent info or the parent is interested in this event.
+ * The parent interest in ACCESS/MODIFY events does not apply to special
+ * files, where read/write are not on the filesystem of the parent and
+ * events can provide an undesirable side-channel for information
+ * exfiltration.
*/
- parent_interested = mask & p_mask & ALL_FSNOTIFY_EVENTS;
+ parent_interested = mask & p_mask & ALL_FSNOTIFY_EVENTS &&
+ !(data_type == FSNOTIFY_EVENT_PATH &&
+ d_is_special(dentry) &&
+ (mask & (FS_ACCESS | FS_MODIFY)));
if (parent_needed || parent_interested) {
/* When notifying parent, child should be passed as data */
WARN_ON_ONCE(inode != fsnotify_data_inode(data, data_type));
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 323/554] nfsd: Mark variable __maybe_unused to avoid W=1 build break
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 322/554] fsnotify: do not generate ACCESS/MODIFY events on child for special files Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 324/554] svcrdma: return 0 on success from svc_rdma_copy_inline_range Greg Kroah-Hartman
` (236 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit ebae102897e760e9e6bc625f701dd666b2163bd1 upstream.
Clang is not happy about set but (in some cases) unused variable:
fs/nfsd/export.c:1027:17: error: variable 'inode' set but not used [-Werror,-Wunused-but-set-variable]
since it's used as a parameter to dprintk() which might be configured
a no-op. To avoid uglifying code with the specific ifdeffery just mark
the variable __maybe_unused.
The commit [1], which introduced this behaviour, is quite old and hence
the Fixes tag points to the first of the Git era.
Link: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/?id=0431923fb7a1 [1]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/export.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -990,7 +990,7 @@ exp_rootfh(struct net *net, struct auth_
{
struct svc_export *exp;
struct path path;
- struct inode *inode;
+ struct inode *inode __maybe_unused;
struct svc_fh fh;
int err;
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 324/554] svcrdma: return 0 on success from svc_rdma_copy_inline_range
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 323/554] nfsd: Mark variable __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 325/554] io_uring: fix filename leak in __io_openat_prep() Greg Kroah-Hartman
` (235 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
commit 94972027ab55b200e031059fd6c7a649f8248020 upstream.
The function comment specifies 0 on success and -EINVAL on invalid
parameters. Make the tail return 0 after a successful copy loop.
Fixes: d7cc73972661 ("svcrdma: support multiple Read chunks per RPC")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprtrdma/svc_rdma_rw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -808,7 +808,7 @@ static int svc_rdma_copy_inline_range(st
offset += page_len;
}
- return -EINVAL;
+ return 0;
}
/**
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 325/554] io_uring: fix filename leak in __io_openat_prep()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 324/554] svcrdma: return 0 on success from svc_rdma_copy_inline_range Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 326/554] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Greg Kroah-Hartman
` (234 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+00e61c43eb5e4740438f,
Prithvi Tambewagh, Jens Axboe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Prithvi Tambewagh <activprithvi@gmail.com>
__io_openat_prep() allocates a struct filename using getname(). However,
for the condition of the file being installed in the fixed file table as
well as having O_CLOEXEC flag set, the function returns early. At that
point, the request doesn't have REQ_F_NEED_CLEANUP flag set. Due to this,
the memory for the newly allocated struct filename is not cleaned up,
causing a memory leak.
Fix this by setting the REQ_F_NEED_CLEANUP for the request just after the
successful getname() call, so that when the request is torn down, the
filename will be cleaned up, along with other resources needing cleanup.
Reported-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=00e61c43eb5e4740438f
Tested-by: syzbot+00e61c43eb5e4740438f@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Prithvi Tambewagh <activprithvi@gmail.com>
Fixes: b9445598d8c6 ("io_uring: openat directly into fixed fd table")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4326,13 +4326,13 @@ static int __io_openat_prep(struct io_ki
req->open.filename = NULL;
return ret;
}
+ req->flags |= REQ_F_NEED_CLEANUP;
req->open.file_slot = READ_ONCE(sqe->file_index);
if (req->open.file_slot && (req->open.how.flags & O_CLOEXEC))
return -EINVAL;
req->open.nofile = rlimit(RLIMIT_NOFILE);
- req->flags |= REQ_F_NEED_CLEANUP;
return 0;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 326/554] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 325/554] io_uring: fix filename leak in __io_openat_prep() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 327/554] amba: tegra-ahb: Fix device leak on SMMU enable Greg Kroah-Hartman
` (233 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Harry Wentland, Alex Deucher
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 3c41114dcdabb7b25f5bc33273c6db9c7af7f4a7 upstream.
This can get called from an atomic context.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4470
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8acdad9344cc7b4e7bc01f0dfea80093eb3768db)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_surface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/dc/core/dc_surface.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_surface.c
@@ -104,7 +104,7 @@ void enable_surface_flip_reporting(struc
struct dc_plane_state *dc_create_plane_state(struct dc *dc)
{
struct dc_plane_state *plane_state = kvzalloc(sizeof(*plane_state),
- GFP_KERNEL);
+ GFP_ATOMIC);
if (NULL == plane_state)
return NULL;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 327/554] amba: tegra-ahb: Fix device leak on SMMU enable
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 326/554] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 328/554] soc: qcom: ocmem: fix device leak on lookup Greg Kroah-Hartman
` (232 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Thierry Reding
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 500e1368e46928f4b2259612dcabb6999afae2a6 upstream.
Make sure to drop the reference taken to the AHB platform device when
looking up its driver data while enabling the SMMU.
Note that holding a reference to a device does not prevent its driver
data from going away.
Fixes: 89c788bab1f0 ("ARM: tegra: Add SMMU enabler in AHB")
Cc: stable@vger.kernel.org # 3.5
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/amba/tegra-ahb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/amba/tegra-ahb.c
+++ b/drivers/amba/tegra-ahb.c
@@ -144,6 +144,7 @@ int tegra_ahb_enable_smmu(struct device_
if (!dev)
return -EPROBE_DEFER;
ahb = dev_get_drvdata(dev);
+ put_device(dev);
val = gizmo_readl(ahb, AHB_ARBITRATION_XBAR_CTRL);
val |= AHB_ARBITRATION_XBAR_CTRL_SMMU_INIT_DONE;
gizmo_writel(ahb, val, AHB_ARBITRATION_XBAR_CTRL);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 328/554] soc: qcom: ocmem: fix device leak on lookup
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 327/554] amba: tegra-ahb: Fix device leak on SMMU enable Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 329/554] soc: amlogic: canvas: " Greg Kroah-Hartman
` (231 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Masney, Miaoqian Lin,
Johan Hovold, Bjorn Andersson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b5c16ea57b030b8e9428ec726e26219dfe05c3d9 upstream.
Make sure to drop the reference taken to the ocmem platform device when
looking up its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Also note that commit 0ff027027e05 ("soc: qcom: ocmem: Fix missing
put_device() call in of_get_ocmem") fixed the leak in a lookup error
path, but the reference is still leaking on success.
Fixes: 88c1e9404f1d ("soc: qcom: add OCMEM driver")
Cc: stable@vger.kernel.org # 5.5: 0ff027027e05
Cc: Brian Masney <bmasney@redhat.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Link: https://lore.kernel.org/r/20250926143511.6715-2-johan@kernel.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/ocmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/soc/qcom/ocmem.c
+++ b/drivers/soc/qcom/ocmem.c
@@ -211,9 +211,9 @@ struct ocmem *of_get_ocmem(struct device
of_node_put(devnode);
ocmem = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!ocmem) {
dev_err(dev, "Cannot get ocmem\n");
- put_device(&pdev->dev);
return ERR_PTR(-ENODEV);
}
return ocmem;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 329/554] soc: amlogic: canvas: fix device leak on lookup
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 328/554] soc: qcom: ocmem: fix device leak on lookup Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 330/554] rpmsg: glink: fix rpmsg device leak Greg Kroah-Hartman
` (230 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Johan Hovold,
Martin Blumenstingl, Neil Armstrong
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 32200f4828de9d7e6db379909898e718747f4e18 upstream.
Make sure to drop the reference taken to the canvas platform device when
looking up its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Also note that commit 28f851e6afa8 ("soc: amlogic: canvas: add missing
put_device() call in meson_canvas_get()") fixed the leak in a lookup
error path, but the reference is still leaking on success.
Fixes: d4983983d987 ("soc: amlogic: add meson-canvas driver")
Cc: stable@vger.kernel.org # 4.20: 28f851e6afa8
Cc: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://patch.msgid.link/20250926142454.5929-2-johan@kernel.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/amlogic/meson-canvas.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/soc/amlogic/meson-canvas.c
+++ b/drivers/soc/amlogic/meson-canvas.c
@@ -72,10 +72,9 @@ struct meson_canvas *meson_canvas_get(st
* current state, this driver probe cannot return -EPROBE_DEFER
*/
canvas = dev_get_drvdata(&canvas_pdev->dev);
- if (!canvas) {
- put_device(&canvas_pdev->dev);
+ put_device(&canvas_pdev->dev);
+ if (!canvas)
return ERR_PTR(-EINVAL);
- }
return canvas;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 330/554] rpmsg: glink: fix rpmsg device leak
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 329/554] soc: amlogic: canvas: " Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 331/554] i2c: amd-mp2: fix reference leak in MP2 PCI device Greg Kroah-Hartman
` (229 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Dmitry Baryshkov, Bjorn Andersson
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit a53e356df548f6b0e82529ef3cc6070f42622189 upstream.
While testing rpmsg-char interface it was noticed that duplicate sysfs
entries are getting created and below warning is noticed.
Reason for this is that we are leaking rpmsg device pointer, setting it
null without actually unregistering device.
Any further attempts to unregister fail because rpdev is NULL,
resulting in a leak.
Fix this by unregistering rpmsg device before removing its reference
from rpmsg channel.
sysfs: cannot create duplicate filename '/devices/platform/soc@0/3700000.remot
eproc/remoteproc/remoteproc1/3700000.remoteproc:glink-edge/3700000.remoteproc:
glink-edge.adsp_apps.-1.-1'
[ 114.115347] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not
tainted 6.16.0-rc4 #7 PREEMPT
[ 114.115355] Hardware name: Qualcomm Technologies, Inc. Robotics RB3gen2 (DT)
[ 114.115358] Workqueue: events qcom_glink_work
[ 114.115371] Call trace:8
[ 114.115374] show_stack+0x18/0x24 (C)
[ 114.115382] dump_stack_lvl+0x60/0x80
[ 114.115388] dump_stack+0x18/0x24
[ 114.115393] sysfs_warn_dup+0x64/0x80
[ 114.115402] sysfs_create_dir_ns+0xf4/0x120
[ 114.115409] kobject_add_internal+0x98/0x260
[ 114.115416] kobject_add+0x9c/0x108
[ 114.115421] device_add+0xc4/0x7a0
[ 114.115429] rpmsg_register_device+0x5c/0xb0
[ 114.115434] qcom_glink_work+0x4bc/0x820
[ 114.115438] process_one_work+0x148/0x284
[ 114.115446] worker_thread+0x2c4/0x3e0
[ 114.115452] kthread+0x12c/0x204
[ 114.115457] ret_from_fork+0x10/0x20
[ 114.115464] kobject: kobject_add_internal failed for 3700000.remoteproc:
glink-edge.adsp_apps.-1.-1 with -EEXIST, don't try to register things with
the same name in the same directory.
[ 114.250045] rpmsg 3700000.remoteproc:glink-edge.adsp_apps.-1.-1:
device_add failed: -17
Fixes: 835764ddd9af ("rpmsg: glink: Move the common glink protocol implementation to glink_native.c")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Link: https://lore.kernel.org/r/20250822100043.2604794-2-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rpmsg/qcom_glink_native.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -1244,6 +1244,7 @@ static void qcom_glink_destroy_ept(struc
{
struct glink_channel *channel = to_glink_channel(ept);
struct qcom_glink *glink = channel->glink;
+ struct rpmsg_channel_info chinfo;
unsigned long flags;
spin_lock_irqsave(&channel->recv_lock, flags);
@@ -1251,6 +1252,13 @@ static void qcom_glink_destroy_ept(struc
spin_unlock_irqrestore(&channel->recv_lock, flags);
/* Decouple the potential rpdev from the channel */
+ if (channel->rpdev) {
+ strscpy_pad(chinfo.name, channel->name, sizeof(chinfo.name));
+ chinfo.src = RPMSG_ADDR_ANY;
+ chinfo.dst = RPMSG_ADDR_ANY;
+
+ rpmsg_unregister_device(glink->dev, &chinfo);
+ }
channel->rpdev = NULL;
qcom_glink_send_close_req(glink, channel);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 331/554] i2c: amd-mp2: fix reference leak in MP2 PCI device
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 330/554] rpmsg: glink: fix rpmsg device leak Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 332/554] hwmon: (max16065) Use local variable to avoid TOCTOU Greg Kroah-Hartman
` (228 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Andi Shyti
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit a6ee6aac66fb394b7f6e6187c73bdcd873f2d139 upstream.
In i2c_amd_probe(), amd_mp2_find_device() utilizes
driver_find_next_device() which internally calls driver_find_device()
to locate the matching device. driver_find_device() increments the
reference count of the found device by calling get_device(), but
amd_mp2_find_device() fails to call put_device() to decrement the
reference count before returning. This results in a reference count
leak of the PCI device each time i2c_amd_probe() is executed, which
may prevent the device from being properly released and cause a memory
leak.
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 529766e0a011 ("i2c: Add drivers for the AMD PCIe MP2 I2C controller")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://lore.kernel.org/r/20251022095402.8846-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-amd-mp2-pci.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-amd-mp2-pci.c
+++ b/drivers/i2c/busses/i2c-amd-mp2-pci.c
@@ -452,13 +452,16 @@ struct amd_mp2_dev *amd_mp2_find_device(
{
struct device *dev;
struct pci_dev *pci_dev;
+ struct amd_mp2_dev *mp2_dev;
dev = driver_find_next_device(&amd_mp2_pci_driver.driver, NULL);
if (!dev)
return NULL;
pci_dev = to_pci_dev(dev);
- return (struct amd_mp2_dev *)pci_get_drvdata(pci_dev);
+ mp2_dev = (struct amd_mp2_dev *)pci_get_drvdata(pci_dev);
+ put_device(dev);
+ return mp2_dev;
}
EXPORT_SYMBOL_GPL(amd_mp2_find_device);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 332/554] hwmon: (max16065) Use local variable to avoid TOCTOU
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 331/554] i2c: amd-mp2: fix reference leak in MP2 PCI device Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 333/554] hwmon: (w83791d) Convert macros to functions " Greg Kroah-Hartman
` (227 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Guenter Roeck
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit b8d5acdcf525f44e521ca4ef51dce4dac403dab4 upstream.
In max16065_current_show, data->curr_sense is read twice: once for the
error check and again for the calculation. Since
i2c_smbus_read_byte_data returns negative error codes on failure, if the
data changes to an error code between the check and the use, ADC_TO_CURR
results in an incorrect calculation.
Read data->curr_sense into a local variable to ensure consistency. Note
that data->curr_gain is constant and safe to access directly.
This aligns max16065_current_show with max16065_input_show, which
already uses a local variable for the same reason.
Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251128124709.3876-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/max16065.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/hwmon/max16065.c
+++ b/drivers/hwmon/max16065.c
@@ -216,12 +216,13 @@ static ssize_t max16065_current_show(str
struct device_attribute *da, char *buf)
{
struct max16065_data *data = max16065_update_device(dev);
+ int curr_sense = data->curr_sense;
- if (unlikely(data->curr_sense < 0))
- return data->curr_sense;
+ if (unlikely(curr_sense < 0))
+ return curr_sense;
return sysfs_emit(buf, "%d\n",
- ADC_TO_CURR(data->curr_sense, data->curr_gain));
+ ADC_TO_CURR(curr_sense, data->curr_gain));
}
static ssize_t max16065_limit_store(struct device *dev,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 333/554] hwmon: (w83791d) Convert macros to functions to avoid TOCTOU
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 332/554] hwmon: (max16065) Use local variable to avoid TOCTOU Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 334/554] hwmon: (w83l786ng) " Greg Kroah-Hartman
` (226 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Guenter Roeck
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit 670d7ef945d3a84683594429aea6ab2cdfa5ceb4 upstream.
The macro FAN_FROM_REG evaluates its arguments multiple times. When used
in lockless contexts involving shared driver data, this leads to
Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially
causing divide-by-zero errors.
Convert the macro to a static function. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.
Additionally, in store_fan_div, move the calculation of the minimum
limit inside the update lock. This ensures that the read-modify-write
sequence operates on consistent data.
Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.
Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: 9873964d6eb2 ("[PATCH] HWMON: w83791d: New hardware monitoring driver for the Winbond W83791D")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251202180105.12842-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/w83791d.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
--- a/drivers/hwmon/w83791d.c
+++ b/drivers/hwmon/w83791d.c
@@ -218,9 +218,14 @@ static u8 fan_to_reg(long rpm, int div)
return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
}
-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \
- ((val) == 255 ? 0 : \
- 1350000 / ((val) * (div))))
+static int fan_from_reg(int val, int div)
+{
+ if (val == 0)
+ return -1;
+ if (val == 255)
+ return 0;
+ return 1350000 / (val * div);
+}
/* for temp1 which is 8-bit resolution, LSB = 1 degree Celsius */
#define TEMP1_FROM_REG(val) ((val) * 1000)
@@ -521,7 +526,7 @@ static ssize_t show_##reg(struct device
struct w83791d_data *data = w83791d_update_device(dev); \
int nr = sensor_attr->index; \
return sprintf(buf, "%d\n", \
- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
+ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
}
show_fan_reg(fan);
@@ -585,10 +590,10 @@ static ssize_t store_fan_div(struct devi
if (err)
return err;
+ mutex_lock(&data->update_lock);
/* Save fan_min */
- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
+ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
- mutex_lock(&data->update_lock);
data->fan_div[nr] = div_to_reg(nr, val);
switch (nr) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 334/554] hwmon: (w83l786ng) Convert macros to functions to avoid TOCTOU
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 333/554] hwmon: (w83791d) Convert macros to functions " Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 335/554] i40e: fix scheduling in set_rx_mode Greg Kroah-Hartman
` (225 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gui-Dong Han, Guenter Roeck
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gui-Dong Han <hanguidong02@gmail.com>
commit 07272e883fc61574b8367d44de48917f622cdd83 upstream.
The macros FAN_FROM_REG and TEMP_FROM_REG evaluate their arguments
multiple times. When used in lockless contexts involving shared driver
data, this causes Time-of-Check to Time-of-Use (TOCTOU) race
conditions.
Convert the macros to static functions. This guarantees that arguments
are evaluated only once (pass-by-value), preventing the race
conditions.
Adhere to the principle of minimal changes by only converting macros
that evaluate arguments multiple times and are used in lockless
contexts.
Link: https://lore.kernel.org/all/CALbr=LYJ_ehtp53HXEVkSpYoub+XYSTU8Rg=o1xxMJ8=5z8B-g@mail.gmail.com/
Fixes: 85f03bccd6e0 ("hwmon: Add support for Winbond W83L786NG/NR")
Cc: stable@vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02@gmail.com>
Link: https://lore.kernel.org/r/20251128123816.3670-1-hanguidong02@gmail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/w83l786ng.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
--- a/drivers/hwmon/w83l786ng.c
+++ b/drivers/hwmon/w83l786ng.c
@@ -77,15 +77,25 @@ FAN_TO_REG(long rpm, int div)
return clamp_val((1350000 + rpm * div / 2) / (rpm * div), 1, 254);
}
-#define FAN_FROM_REG(val, div) ((val) == 0 ? -1 : \
- ((val) == 255 ? 0 : \
- 1350000 / ((val) * (div))))
+static int fan_from_reg(int val, int div)
+{
+ if (val == 0)
+ return -1;
+ if (val == 255)
+ return 0;
+ return 1350000 / (val * div);
+}
/* for temp */
#define TEMP_TO_REG(val) (clamp_val(((val) < 0 ? (val) + 0x100 * 1000 \
: (val)) / 1000, 0, 0xff))
-#define TEMP_FROM_REG(val) (((val) & 0x80 ? \
- (val) - 0x100 : (val)) * 1000)
+
+static int temp_from_reg(int val)
+{
+ if (val & 0x80)
+ return (val - 0x100) * 1000;
+ return val * 1000;
+}
/*
* The analog voltage inputs have 8mV LSB. Since the sysfs output is
@@ -281,7 +291,7 @@ static ssize_t show_##reg(struct device
int nr = to_sensor_dev_attr(attr)->index; \
struct w83l786ng_data *data = w83l786ng_update_device(dev); \
return sprintf(buf, "%d\n", \
- FAN_FROM_REG(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
+ fan_from_reg(data->reg[nr], DIV_FROM_REG(data->fan_div[nr]))); \
}
show_fan_reg(fan);
@@ -348,7 +358,7 @@ store_fan_div(struct device *dev, struct
/* Save fan_min */
mutex_lock(&data->update_lock);
- min = FAN_FROM_REG(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
+ min = fan_from_reg(data->fan_min[nr], DIV_FROM_REG(data->fan_div[nr]));
data->fan_div[nr] = DIV_TO_REG(val);
@@ -410,7 +420,7 @@ show_temp(struct device *dev, struct dev
int nr = sensor_attr->nr;
int index = sensor_attr->index;
struct w83l786ng_data *data = w83l786ng_update_device(dev);
- return sprintf(buf, "%d\n", TEMP_FROM_REG(data->temp[nr][index]));
+ return sprintf(buf, "%d\n", temp_from_reg(data->temp[nr][index]));
}
static ssize_t
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 335/554] i40e: fix scheduling in set_rx_mode
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 334/554] hwmon: (w83l786ng) " Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 336/554] i40e: Refactor argument of several client notification functions Greg Kroah-Hartman
` (224 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Grzegorz Nitka, Jacob Keller,
Aleksandr Loktionov, Przemyslaw Korba, Tony Nguyen, Sasha Levin,
Rinitha S
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Przemyslaw Korba <przemyslaw.korba@intel.com>
[ Upstream commit be43abc5514167cc129a8d8e9727b89b8e1d9719 ]
Add service task schedule to set_rx_mode.
In some cases there are error messages printed out in PTP application
(ptp4l):
ptp4l[13848.762]: port 1 (ens2f3np3): received SYNC without timestamp
ptp4l[13848.825]: port 1 (ens2f3np3): received SYNC without timestamp
ptp4l[13848.887]: port 1 (ens2f3np3): received SYNC without timestamp
This happens when service task would not run immediately after
set_rx_mode, and we need it for setup tasks. This service task checks, if
PTP RX packets are hung in firmware, and propagate correct settings such
as multicast address for IEEE 1588 Precision Time Protocol.
RX timestamping depends on some of these filters set. Bug happens only
with high PTP packets frequency incoming, and not every run since
sometimes service task is being ran from a different place immediately
after starting ptp4l.
Fixes: 0e4425ed641f ("i40e: fix: do not sleep in netdev_ops")
Reviewed-by: Grzegorz Nitka <grzegorz.nitka@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Przemyslaw Korba <przemyslaw.korba@intel.com>
Tested-by: Rinitha S <sx.rinitha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 4c50e18707c7..8f9cbbfec63e 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -2216,6 +2216,7 @@ static void i40e_set_rx_mode(struct net_device *netdev)
vsi->flags |= I40E_VSI_FLAG_FILTER_CHANGED;
set_bit(__I40E_MACVLAN_SYNC_PENDING, vsi->back->state);
}
+ i40e_service_event_schedule(vsi->back);
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 336/554] i40e: Refactor argument of several client notification functions
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 335/554] i40e: fix scheduling in set_rx_mode Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 337/554] i40e: Refactor argument of i40e_detect_recover_hung() Greg Kroah-Hartman
` (223 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt,
Pucha Himasekhar Reddy, Ivan Vecera, Simon Horman, Tony Nguyen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Vecera <ivecera@redhat.com>
[ Upstream commit 54c4664e48eea52f2b296c73ddb8f5629b958678 ]
Commit 0ef2d5afb12d ("i40e: KISS the client interface") simplified
the client interface so in practice it supports only one client
per i40e netdev. But we have still 2 notification functions that
uses as parameter a pointer to VSI of netdevice associated with
the client. After the mentioned commit only possible and used
VSI is the main (LAN) VSI.
So refactor these functions so they are called with PF pointer argument
and the associated VSI (LAN) is taken inside them.
Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e.h | 4 ++--
drivers/net/ethernet/intel/i40e/i40e_client.c | 20 +++++++++----------
drivers/net/ethernet/intel/i40e/i40e_main.c | 12 +++++------
3 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
index e031906f23a4..bbd95b3d7326 100644
--- a/drivers/net/ethernet/intel/i40e/i40e.h
+++ b/drivers/net/ethernet/intel/i40e/i40e.h
@@ -1198,8 +1198,8 @@ static inline void i40e_dbg_exit(void) {}
int i40e_lan_add_device(struct i40e_pf *pf);
int i40e_lan_del_device(struct i40e_pf *pf);
void i40e_client_subtask(struct i40e_pf *pf);
-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi);
-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset);
+void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf);
+void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset);
void i40e_notify_client_of_vf_enable(struct i40e_pf *pf, u32 num_vfs);
void i40e_notify_client_of_vf_reset(struct i40e_pf *pf, u32 vf_id);
void i40e_client_update_msix_info(struct i40e_pf *pf);
diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
index 4af2a4c59106..126223d28152 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
@@ -102,25 +102,26 @@ i40e_notify_client_of_vf_msg(struct i40e_vsi *vsi, u32 vf_id, u8 *msg, u16 len)
/**
* i40e_notify_client_of_l2_param_changes - call the client notify callback
- * @vsi: the VSI with l2 param changes
+ * @pf: PF device pointer
*
- * If there is a client to this VSI, call the client
+ * If there is a client, call its callback
**/
-void i40e_notify_client_of_l2_param_changes(struct i40e_vsi *vsi)
+void i40e_notify_client_of_l2_param_changes(struct i40e_pf *pf)
{
- struct i40e_pf *pf = vsi->back;
struct i40e_client_instance *cdev = pf->cinst;
+ struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
struct i40e_params params;
if (!cdev || !cdev->client)
return;
if (!cdev->client->ops || !cdev->client->ops->l2_param_change) {
- dev_dbg(&vsi->back->pdev->dev,
+ dev_dbg(&pf->pdev->dev,
"Cannot locate client instance l2_param_change routine\n");
return;
}
if (!test_bit(__I40E_CLIENT_INSTANCE_OPENED, &cdev->state)) {
- dev_dbg(&vsi->back->pdev->dev, "Client is not open, abort l2 param change\n");
+ dev_dbg(&pf->pdev->dev,
+ "Client is not open, abort l2 param change\n");
return;
}
memset(¶ms, 0, sizeof(params));
@@ -160,20 +161,19 @@ static void i40e_client_release_qvlist(struct i40e_info *ldev)
/**
* i40e_notify_client_of_netdev_close - call the client close callback
- * @vsi: the VSI with netdev closed
+ * @pf: PF device pointer
* @reset: true when close called due to a reset pending
*
* If there is a client to this netdev, call the client with close
**/
-void i40e_notify_client_of_netdev_close(struct i40e_vsi *vsi, bool reset)
+void i40e_notify_client_of_netdev_close(struct i40e_pf *pf, bool reset)
{
- struct i40e_pf *pf = vsi->back;
struct i40e_client_instance *cdev = pf->cinst;
if (!cdev || !cdev->client)
return;
if (!cdev->client->ops || !cdev->client->ops->close) {
- dev_dbg(&vsi->back->pdev->dev,
+ dev_dbg(&pf->pdev->dev,
"Cannot locate client instance close routine\n");
return;
}
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 8f9cbbfec63e..9671058cda40 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -11284,14 +11284,12 @@ static void i40e_service_task(struct work_struct *work)
i40e_fdir_reinit_subtask(pf);
if (test_and_clear_bit(__I40E_CLIENT_RESET, pf->state)) {
/* Client subtask will reopen next time through. */
- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi],
- true);
+ i40e_notify_client_of_netdev_close(pf, true);
} else {
i40e_client_subtask(pf);
if (test_and_clear_bit(__I40E_CLIENT_L2_CHANGE,
pf->state))
- i40e_notify_client_of_l2_param_changes(
- pf->vsi[pf->lan_vsi]);
+ i40e_notify_client_of_l2_param_changes(pf);
}
i40e_sync_filters_subtask(pf);
} else {
@@ -16263,7 +16261,7 @@ static void i40e_remove(struct pci_dev *pdev)
/* Client close must be called explicitly here because the timer
* has been stopped.
*/
- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false);
+ i40e_notify_client_of_netdev_close(pf, false);
i40e_fdir_teardown(pf);
@@ -16529,7 +16527,7 @@ static void i40e_shutdown(struct pci_dev *pdev)
/* Client close must be called explicitly here because the timer
* has been stopped.
*/
- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false);
+ i40e_notify_client_of_netdev_close(pf, false);
if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE))
i40e_enable_mc_magic_wake(pf);
@@ -16582,7 +16580,7 @@ static int __maybe_unused i40e_suspend(struct device *dev)
/* Client close must be called explicitly here because the timer
* has been stopped.
*/
- i40e_notify_client_of_netdev_close(pf->vsi[pf->lan_vsi], false);
+ i40e_notify_client_of_netdev_close(pf, false);
if (pf->wol_en && (pf->hw_features & I40E_HW_WOL_MC_MAGIC_PKT_WAKE))
i40e_enable_mc_magic_wake(pf);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 337/554] i40e: Refactor argument of i40e_detect_recover_hung()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 336/554] i40e: Refactor argument of several client notification functions Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 338/554] i40e: validate ring_len parameter against hardware-specific values Greg Kroah-Hartman
` (222 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt,
Pucha Himasekhar Reddy, Ivan Vecera, Simon Horman, Tony Nguyen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Vecera <ivecera@redhat.com>
[ Upstream commit 7033ada04e33048c8b33294fecbb0d73f3cd1088 ]
Commit 07d44190a389 ("i40e/i40evf: Detect and recover hung queue
scenario") changes i40e_detect_recover_hung() argument type from
i40e_pf* to i40e_vsi* to be shareable by both i40e and i40evf.
Because the i40evf does not exist anymore and the function is
exclusively used by i40e we can revert this change.
Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Stable-dep-of: 699428342153 ("i40e: validate ring_len parameter against hardware-specific values")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
drivers/net/ethernet/intel/i40e/i40e_txrx.c | 10 ++++++----
drivers/net/ethernet/intel/i40e/i40e_txrx.h | 2 +-
3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 9671058cda40..b2e185357ab2 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -11275,7 +11275,7 @@ static void i40e_service_task(struct work_struct *work)
return;
if (!test_bit(__I40E_RECOVERY_MODE, pf->state)) {
- i40e_detect_recover_hung(pf->vsi[pf->lan_vsi]);
+ i40e_detect_recover_hung(pf);
i40e_sync_filters_subtask(pf);
i40e_reset_subtask(pf);
i40e_handle_mdd_event(pf);
diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
index b94d67729283..dabeeffd06fc 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
@@ -867,13 +867,15 @@ u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw)
/**
* i40e_detect_recover_hung - Function to detect and recover hung_queues
- * @vsi: pointer to vsi struct with tx queues
+ * @pf: pointer to PF struct
*
- * VSI has netdev and netdev has TX queues. This function is to check each of
- * those TX queues if they are hung, trigger recovery by issuing SW interrupt.
+ * LAN VSI has netdev and netdev has TX queues. This function is to check
+ * each of those TX queues if they are hung, trigger recovery by issuing
+ * SW interrupt.
**/
-void i40e_detect_recover_hung(struct i40e_vsi *vsi)
+void i40e_detect_recover_hung(struct i40e_pf *pf)
{
+ struct i40e_vsi *vsi = pf->vsi[pf->lan_vsi];
struct i40e_ring *tx_ring = NULL;
struct net_device *netdev;
unsigned int i;
diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.h b/drivers/net/ethernet/intel/i40e/i40e_txrx.h
index 054b7d1632e1..2ea4138099be 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.h
+++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.h
@@ -462,7 +462,7 @@ void i40e_free_rx_resources(struct i40e_ring *rx_ring);
int i40e_napi_poll(struct napi_struct *napi, int budget);
void i40e_force_wb(struct i40e_vsi *vsi, struct i40e_q_vector *q_vector);
u32 i40e_get_tx_pending(struct i40e_ring *ring, bool in_sw);
-void i40e_detect_recover_hung(struct i40e_vsi *vsi);
+void i40e_detect_recover_hung(struct i40e_pf *pf);
int __i40e_maybe_stop_tx(struct i40e_ring *tx_ring, int size);
bool __i40e_chk_linearize(struct sk_buff *skb);
int i40e_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 338/554] i40e: validate ring_len parameter against hardware-specific values
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 337/554] i40e: Refactor argument of i40e_detect_recover_hung() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 339/554] iavf: fix off-by-one issues in iavf_config_rss_reg() Greg Kroah-Hartman
` (221 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gregory Herrero, Rafal Romanowski,
Aleksandr Loktionov, Tony Nguyen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gregory Herrero <gregory.herrero@oracle.com>
[ Upstream commit 69942834215323cd9131db557091b4dec43f19c5 ]
The maximum number of descriptors supported by the hardware is
hardware-dependent and can be retrieved using
i40e_get_max_num_descriptors(). Move this function to a shared header
and use it when checking for valid ring_len parameter rather than using
hardcoded value.
By fixing an over-acceptance issue, behavior change could be seen where
ring_len could now be rejected while configuring rx and tx queues if its
size is larger than the hardware-dependent maximum number of
descriptors.
Fixes: 55d225670def ("i40e: add validation for ring_len param")
Signed-off-by: Gregory Herrero <gregory.herrero@oracle.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/i40e/i40e.h | 11 +++++++++++
drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 12 ------------
drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 4 ++--
3 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ethernet/intel/i40e/i40e.h b/drivers/net/ethernet/intel/i40e/i40e.h
index bbd95b3d7326..022bf6e86164 100644
--- a/drivers/net/ethernet/intel/i40e/i40e.h
+++ b/drivers/net/ethernet/intel/i40e/i40e.h
@@ -1305,4 +1305,15 @@ static inline u32 i40e_is_tc_mqprio_enabled(struct i40e_pf *pf)
return pf->flags & I40E_FLAG_TC_MQPRIO;
}
+static inline u32 i40e_get_max_num_descriptors(const struct i40e_pf *pf)
+{
+ const struct i40e_hw *hw = &pf->hw;
+
+ switch (hw->mac.type) {
+ case I40E_MAC_XL710:
+ return I40E_MAX_NUM_DESCRIPTORS_XL710;
+ default:
+ return I40E_MAX_NUM_DESCRIPTORS;
+ }
+}
#endif /* _I40E_H_ */
diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
index 74a18b8df11f..04d304eef379 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
@@ -1918,18 +1918,6 @@ static void i40e_get_drvinfo(struct net_device *netdev,
drvinfo->n_priv_flags += I40E_GL_PRIV_FLAGS_STR_LEN;
}
-static u32 i40e_get_max_num_descriptors(struct i40e_pf *pf)
-{
- struct i40e_hw *hw = &pf->hw;
-
- switch (hw->mac.type) {
- case I40E_MAC_XL710:
- return I40E_MAX_NUM_DESCRIPTORS_XL710;
- default:
- return I40E_MAX_NUM_DESCRIPTORS;
- }
-}
-
static void i40e_get_ringparam(struct net_device *netdev,
struct ethtool_ringparam *ring)
{
diff --git a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
index 5cd7a2bc40fd..907727604c70 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c
@@ -656,7 +656,7 @@ static int i40e_config_vsi_tx_queue(struct i40e_vf *vf, u16 vsi_id,
/* ring_len has to be multiple of 8 */
if (!IS_ALIGNED(info->ring_len, 8) ||
- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
+ info->ring_len > i40e_get_max_num_descriptors(pf)) {
ret = -EINVAL;
goto error_context;
}
@@ -728,7 +728,7 @@ static int i40e_config_vsi_rx_queue(struct i40e_vf *vf, u16 vsi_id,
/* ring_len has to be multiple of 32 */
if (!IS_ALIGNED(info->ring_len, 32) ||
- info->ring_len > I40E_MAX_NUM_DESCRIPTORS_XL710) {
+ info->ring_len > i40e_get_max_num_descriptors(pf)) {
ret = -EINVAL;
goto error_param;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 339/554] iavf: fix off-by-one issues in iavf_config_rss_reg()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 338/554] i40e: validate ring_len parameter against hardware-specific values Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 340/554] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt Greg Kroah-Hartman
` (220 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kohei Enju, Aleksandr Loktionov,
Przemek Kitszel, Rafal Romanowski, Tony Nguyen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kohei Enju <enjuk@amazon.com>
[ Upstream commit 6daa2893f323981c7894c68440823326e93a7d61 ]
There are off-by-one bugs when configuring RSS hash key and lookup
table, causing out-of-bounds reads to memory [1] and out-of-bounds
writes to device registers.
Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS"),
the loop upper bounds were:
i <= I40E_VFQF_{HKEY,HLUT}_MAX_INDEX
which is safe since the value is the last valid index.
That commit changed the bounds to:
i <= adapter->rss_{key,lut}_size / 4
where `rss_{key,lut}_size / 4` is the number of dwords, so the last
valid index is `(rss_{key,lut}_size / 4) - 1`. Therefore, using `<=`
accesses one element past the end.
Fix the issues by using `<` instead of `<=`, ensuring we do not exceed
the bounds.
[1] KASAN splat about rss_key_size off-by-one
BUG: KASAN: slab-out-of-bounds in iavf_config_rss+0x619/0x800
Read of size 4 at addr ffff888102c50134 by task kworker/u8:6/63
CPU: 0 UID: 0 PID: 63 Comm: kworker/u8:6 Not tainted 6.18.0-rc2-enjuk-tnguy-00378-g3005f5b77652-dirty #156 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: iavf iavf_watchdog_task
Call Trace:
<TASK>
dump_stack_lvl+0x6f/0xb0
print_report+0x170/0x4f3
kasan_report+0xe1/0x1a0
iavf_config_rss+0x619/0x800
iavf_watchdog_task+0x2be7/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
</TASK>
Allocated by task 63:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
__kmalloc_noprof+0x246/0x6f0
iavf_watchdog_task+0x28fc/0x3230
process_one_work+0x7fd/0x1420
worker_thread+0x4d1/0xd40
kthread+0x344/0x660
ret_from_fork+0x249/0x320
ret_from_fork_asm+0x1a/0x30
The buggy address belongs to the object at ffff888102c50100
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes to the right of
allocated 52-byte region [ffff888102c50100, ffff888102c50134)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c50
flags: 0x200000000000000(node=0|zone=2)
page_type: f5(slab)
raw: 0200000000000000 ffff8881000418c0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888102c50000: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
ffff888102c50080: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff888102c50100: 00 00 00 00 00 00 04 fc fc fc fc fc fc fc fc fc
^
ffff888102c50180: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff888102c50200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Fixes: 43a3d9ba34c9 ("i40evf: Allow PF driver to configure RSS")
Signed-off-by: Kohei Enju <enjuk@amazon.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Rafal Romanowski <rafal.romanowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/iavf/iavf_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index 6073dcc414d6..10970001db56 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -1393,11 +1393,11 @@ static int iavf_config_rss_reg(struct iavf_adapter *adapter)
u16 i;
dw = (u32 *)adapter->rss_key;
- for (i = 0; i <= adapter->rss_key_size / 4; i++)
+ for (i = 0; i < adapter->rss_key_size / 4; i++)
wr32(hw, IAVF_VFQF_HKEY(i), dw[i]);
dw = (u32 *)adapter->rss_lut;
- for (i = 0; i <= adapter->rss_lut_size / 4; i++)
+ for (i = 0; i < adapter->rss_lut_size / 4; i++)
wr32(hw, IAVF_VFQF_HLUT(i), dw[i]);
iavf_flush(hw);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 340/554] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 339/554] iavf: fix off-by-one issues in iavf_config_rss_reg() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 341/554] Bluetooth: btusb: revert use of devm_kzalloc in btusb Greg Kroah-Hartman
` (219 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiumei Mu, Xin Long, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 50fdb78b7c0bcc550910ef69c0984e751cac72fa ]
As soon as crypto_aead_encrypt is called, the underlying request
may be freed by an asynchronous completion. Thus dereferencing
req->iv after it returns is invalid.
Instead of checking req->iv against info, create a new variable
unaligned_info and use it for that purpose instead.
Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator")
Reported-by: Xiumei Mu <xmu@redhat.com>
Reported-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/seqiv.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/crypto/seqiv.c b/crypto/seqiv.c
index b1bcfe537daf..562ab102226a 100644
--- a/crypto/seqiv.c
+++ b/crypto/seqiv.c
@@ -51,6 +51,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
struct aead_geniv_ctx *ctx = crypto_aead_ctx(geniv);
struct aead_request *subreq = aead_request_ctx(req);
crypto_completion_t compl;
+ bool unaligned_info;
void *data;
u8 *info;
unsigned int ivsize = 8;
@@ -80,8 +81,9 @@ static int seqiv_aead_encrypt(struct aead_request *req)
return err;
}
- if (unlikely(!IS_ALIGNED((unsigned long)info,
- crypto_aead_alignmask(geniv) + 1))) {
+ unaligned_info = !IS_ALIGNED((unsigned long)info,
+ crypto_aead_alignmask(geniv) + 1);
+ if (unlikely(unaligned_info)) {
info = kmemdup(req->iv, ivsize, req->base.flags &
CRYPTO_TFM_REQ_MAY_SLEEP ? GFP_KERNEL :
GFP_ATOMIC);
@@ -101,7 +103,7 @@ static int seqiv_aead_encrypt(struct aead_request *req)
scatterwalk_map_and_copy(info, req->dst, req->assoclen, ivsize, 1);
err = crypto_aead_encrypt(subreq);
- if (unlikely(info != req->iv))
+ if (unlikely(unaligned_info))
seqiv_aead_encrypt_complete2(req, err);
return err;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 341/554] Bluetooth: btusb: revert use of devm_kzalloc in btusb
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 340/554] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 342/554] net: mdio: aspeed: move reg accessing part into separate functions Greg Kroah-Hartman
` (218 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Pinsonneault-Thibeault,
Luiz Augusto von Dentz, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
[ Upstream commit 252714f1e8bdd542025b16321c790458014d6880 ]
This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in
btusb.c file").
In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This
ties the lifetime of all the btusb data to the binding of a driver to
one interface, INTF. In a driver that binds to other interfaces, ISOC
and DIAG, this is an accident waiting to happen.
The issue is revealed in btusb_disconnect(), where calling
usb_driver_release_interface(&btusb_driver, data->intf) will have devm
free the data that is also being used by the other interfaces of the
driver that may not be released yet.
To fix this, revert the use of devm and go back to freeing memory
explicitly.
Fixes: 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 95483a8d7b1e..c447e2e9417b 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -3788,7 +3788,7 @@ static int btusb_probe(struct usb_interface *intf,
return -ENODEV;
}
- data = devm_kzalloc(&intf->dev, sizeof(*data), GFP_KERNEL);
+ data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data)
return -ENOMEM;
@@ -3811,8 +3811,10 @@ static int btusb_probe(struct usb_interface *intf,
}
}
- if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep)
+ if (!data->intr_ep || !data->bulk_tx_ep || !data->bulk_rx_ep) {
+ kfree(data);
return -ENODEV;
+ }
if (id->driver_info & BTUSB_AMP) {
data->cmdreq_type = USB_TYPE_CLASS | 0x01;
@@ -3855,8 +3857,10 @@ static int btusb_probe(struct usb_interface *intf,
data->recv_acl = hci_recv_frame;
hdev = hci_alloc_dev_priv(priv_size);
- if (!hdev)
+ if (!hdev) {
+ kfree(data);
return -ENOMEM;
+ }
hdev->bus = HCI_USB;
hci_set_drvdata(hdev, data);
@@ -4104,6 +4108,7 @@ static int btusb_probe(struct usb_interface *intf,
if (data->reset_gpio)
gpiod_put(data->reset_gpio);
hci_free_dev(hdev);
+ kfree(data);
return err;
}
@@ -4149,6 +4154,7 @@ static void btusb_disconnect(struct usb_interface *intf)
}
hci_free_dev(hdev);
+ kfree(data);
}
#ifdef CONFIG_PM
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 342/554] net: mdio: aspeed: move reg accessing part into separate functions
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 341/554] Bluetooth: btusb: revert use of devm_kzalloc in btusb Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 343/554] net: mdio: aspeed: add dummy read to avoid read-after-write issue Greg Kroah-Hartman
` (217 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Potin Lai, Andrew Lunn,
David S. Miller, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Potin Lai <potin.lai@quantatw.com>
[ Upstream commit 737ca352569e744bf753b4522a6f91b120a734f1 ]
Add aspeed_mdio_op() and aseed_mdio_get_data() for register accessing.
aspeed_mdio_op() handles operations, write command to control register,
then check and wait operations is finished (bit 31 is cleared).
aseed_mdio_get_data() fetchs the result value of operation from data
register.
Signed-off-by: Potin Lai <potin.lai@quantatw.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: d1a1a4bade4b ("net: mdio: aspeed: add dummy read to avoid read-after-write issue")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mdio/mdio-aspeed.c | 70 ++++++++++++++++++----------------
1 file changed, 38 insertions(+), 32 deletions(-)
diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
index e2273588c75b..f22be2f069e9 100644
--- a/drivers/net/mdio/mdio-aspeed.c
+++ b/drivers/net/mdio/mdio-aspeed.c
@@ -39,34 +39,35 @@ struct aspeed_mdio {
void __iomem *base;
};
-static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum)
+static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
+ u16 data)
{
struct aspeed_mdio *ctx = bus->priv;
u32 ctrl;
- u32 data;
- int rc;
- dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr,
- regnum);
-
- /* Just clause 22 for the moment */
- if (regnum & MII_ADDR_C45)
- return -EOPNOTSUPP;
+ dev_dbg(&bus->dev, "%s: st: %u op: %u, phyad: %u, regad: %u, data: %u\n",
+ __func__, st, op, phyad, regad, data);
ctrl = ASPEED_MDIO_CTRL_FIRE
- | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22)
- | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_READ)
- | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr)
- | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum);
+ | FIELD_PREP(ASPEED_MDIO_CTRL_ST, st)
+ | FIELD_PREP(ASPEED_MDIO_CTRL_OP, op)
+ | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, phyad)
+ | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regad)
+ | FIELD_PREP(ASPEED_MDIO_DATA_MIIRDATA, data);
iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
- rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
+ return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
!(ctrl & ASPEED_MDIO_CTRL_FIRE),
ASPEED_MDIO_INTERVAL_US,
ASPEED_MDIO_TIMEOUT_US);
- if (rc < 0)
- return rc;
+}
+
+static int aspeed_mdio_get_data(struct mii_bus *bus)
+{
+ struct aspeed_mdio *ctx = bus->priv;
+ int rc;
+ u32 data;
rc = readl_poll_timeout(ctx->base + ASPEED_MDIO_DATA, data,
data & ASPEED_MDIO_DATA_IDLE,
@@ -78,31 +79,36 @@ static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum)
return FIELD_GET(ASPEED_MDIO_DATA_MIIRDATA, data);
}
-static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val)
+static int aspeed_mdio_read(struct mii_bus *bus, int addr, int regnum)
{
- struct aspeed_mdio *ctx = bus->priv;
- u32 ctrl;
+ int rc;
- dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n",
- __func__, addr, regnum, val);
+ dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d\n", __func__, addr,
+ regnum);
/* Just clause 22 for the moment */
if (regnum & MII_ADDR_C45)
return -EOPNOTSUPP;
- ctrl = ASPEED_MDIO_CTRL_FIRE
- | FIELD_PREP(ASPEED_MDIO_CTRL_ST, ASPEED_MDIO_CTRL_ST_C22)
- | FIELD_PREP(ASPEED_MDIO_CTRL_OP, MDIO_C22_OP_WRITE)
- | FIELD_PREP(ASPEED_MDIO_CTRL_PHYAD, addr)
- | FIELD_PREP(ASPEED_MDIO_CTRL_REGAD, regnum)
- | FIELD_PREP(ASPEED_MDIO_CTRL_MIIWDATA, val);
+ rc = aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_READ,
+ addr, regnum, 0);
+ if (rc < 0)
+ return rc;
- iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
+ return aspeed_mdio_get_data(bus);
+}
- return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
- !(ctrl & ASPEED_MDIO_CTRL_FIRE),
- ASPEED_MDIO_INTERVAL_US,
- ASPEED_MDIO_TIMEOUT_US);
+static int aspeed_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val)
+{
+ dev_dbg(&bus->dev, "%s: addr: %d, regnum: %d, val: 0x%x\n",
+ __func__, addr, regnum, val);
+
+ /* Just clause 22 for the moment */
+ if (regnum & MII_ADDR_C45)
+ return -EOPNOTSUPP;
+
+ return aspeed_mdio_op(bus, ASPEED_MDIO_CTRL_ST_C22, MDIO_C22_OP_WRITE,
+ addr, regnum, val);
}
static int aspeed_mdio_probe(struct platform_device *pdev)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 343/554] net: mdio: aspeed: add dummy read to avoid read-after-write issue
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 342/554] net: mdio: aspeed: move reg accessing part into separate functions Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 344/554] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy Greg Kroah-Hartman
` (216 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacky Chou, Andrew Lunn, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacky Chou <jacky_chou@aspeedtech.com>
[ Upstream commit d1a1a4bade4b20c0858d0b2f81d2611de055f675 ]
The Aspeed MDIO controller may return incorrect data when a read operation
follows immediately after a write. Due to a controller bug, the subsequent
read can latch stale data, causing the polling logic to terminate earlier
than expected.
To work around this hardware issue, insert a dummy read after each write
operation. This ensures that the next actual read returns the correct
data and prevents premature polling exit.
This workaround has been verified to stabilize MDIO transactions on
affected Aspeed platforms.
Fixes: f160e99462c6 ("net: phy: Add mdio-aspeed")
Signed-off-by: Jacky Chou <jacky_chou@aspeedtech.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251211-aspeed_mdio_add_dummy_read-v3-1-382868869004@aspeedtech.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/mdio/mdio-aspeed.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/mdio/mdio-aspeed.c b/drivers/net/mdio/mdio-aspeed.c
index f22be2f069e9..a929399a10d1 100644
--- a/drivers/net/mdio/mdio-aspeed.c
+++ b/drivers/net/mdio/mdio-aspeed.c
@@ -57,6 +57,13 @@ static int aspeed_mdio_op(struct mii_bus *bus, u8 st, u8 op, u8 phyad, u8 regad,
iowrite32(ctrl, ctx->base + ASPEED_MDIO_CTRL);
+ /* Workaround for read-after-write issue.
+ * The controller may return stale data if a read follows immediately
+ * after a write. A dummy read forces the hardware to update its
+ * internal state, ensuring that the next real read returns correct data.
+ */
+ ioread32(ctx->base + ASPEED_MDIO_CTRL);
+
return readl_poll_timeout(ctx->base + ASPEED_MDIO_CTRL, ctrl,
!(ctrl & ASPEED_MDIO_CTRL_FIRE),
ASPEED_MDIO_INTERVAL_US,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 344/554] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 343/554] net: mdio: aspeed: add dummy read to avoid read-after-write issue Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 345/554] ip6_gre: make ip6gre_header() robust Greg Kroah-Hartman
` (215 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Moreno,
Toke Høiland-Jørgensen, Eelco Chaudron, Aaron Conole,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit 5498227676303e3ffa9a3a46214af96bc3e81314 ]
The openvswitch teardown code will immediately call
ovs_netdev_detach_dev() in response to a NETDEV_UNREGISTER notification.
It will then start the dp_notify_work workqueue, which will later end up
calling the vport destroy() callback. This callback takes the RTNL to do
another ovs_netdev_detach_port(), which in this case is unnecessary.
This causes extra pressure on the RTNL, in some cases leading to
"unregister_netdevice: waiting for XX to become free" warnings on
teardown.
We can straight-forwardly avoid the extra RTNL lock acquisition by
checking the device flags before taking the lock, and skip the locking
altogether if the IFF_OVS_DATAPATH flag has already been unset.
Fixes: b07c26511e94 ("openvswitch: fix vport-netdev unregister")
Tested-by: Adrian Moreno <amorenoz@redhat.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Aaron Conole <aconole@redhat.com>
Link: https://patch.msgid.link/20251211115006.228876-1-toke@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/vport-netdev.c | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/net/openvswitch/vport-netdev.c b/net/openvswitch/vport-netdev.c
index 8e1a88f13622..3beec619283a 100644
--- a/net/openvswitch/vport-netdev.c
+++ b/net/openvswitch/vport-netdev.c
@@ -154,10 +154,19 @@ void ovs_netdev_detach_dev(struct vport *vport)
static void netdev_destroy(struct vport *vport)
{
- rtnl_lock();
- if (netif_is_ovs_port(vport->dev))
- ovs_netdev_detach_dev(vport);
- rtnl_unlock();
+ /* When called from ovs_db_notify_wq() after a dp_device_event(), the
+ * port has already been detached, so we can avoid taking the RTNL by
+ * checking this first.
+ */
+ if (netif_is_ovs_port(vport->dev)) {
+ rtnl_lock();
+ /* Check again while holding the lock to ensure we don't race
+ * with the netdev notifier and detach twice.
+ */
+ if (netif_is_ovs_port(vport->dev))
+ ovs_netdev_detach_dev(vport);
+ rtnl_unlock();
+ }
call_rcu(&vport->rcu, vport_netdev_free);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 345/554] ip6_gre: make ip6gre_header() robust
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 344/554] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 346/554] platform/x86: msi-laptop: add missing sysfs_remove_group() Greg Kroah-Hartman
` (214 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+43a2ebcf2a64b1102d64,
Eric Dumazet, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit db5b4e39c4e63700c68a7e65fc4e1f1375273476 ]
Over the years, syzbot found many ways to crash the kernel
in ip6gre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ip6gre device.
[1]
skbuff: skb_under_panic: text:ffffffff8a1d69a8 len:136 put:40 head:ffff888059bc7000 data:ffff888059bc6fe8 tail:0x70 end:0x6c0 dev:team0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:213 !
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ip6gre_header+0xc8/0x790 net/ipv6/ip6_gre.c:1371
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
neigh_output include/net/neighbour.h:556 [inline]
ip6_finish_output2+0xfb3/0x1480 net/ipv6/ip6_output.c:136
__ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:220
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Reported-by: syzbot+43a2ebcf2a64b1102d64@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/693b002c.a70a0220.33cd7b.0033.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251211173550.2032674-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_gre.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 501630e3f1b6..84ba9ad00135 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1383,9 +1383,16 @@ static int ip6gre_header(struct sk_buff *skb, struct net_device *dev,
{
struct ip6_tnl *t = netdev_priv(dev);
struct ipv6hdr *ipv6h;
+ int needed;
__be16 *p;
- ipv6h = skb_push(skb, t->hlen + sizeof(*ipv6h));
+ needed = t->hlen + sizeof(*ipv6h);
+ if (skb_headroom(skb) < needed &&
+ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
+ 0, GFP_ATOMIC))
+ return -needed;
+
+ ipv6h = skb_push(skb, needed);
ip6_flow_hdr(ipv6h, 0, ip6_make_flowlabel(dev_net(dev), skb,
t->fl.u.ip6.flowlabel,
true, &t->fl.u.ip6));
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 346/554] platform/x86: msi-laptop: add missing sysfs_remove_group()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 345/554] ip6_gre: make ip6gre_header() robust Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 347/554] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic Greg Kroah-Hartman
` (213 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Ilpo Järvinen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit 1461209cf813b6ee6d40f29b96b544587df6d2b1 ]
A sysfs group is created in msi_init() when old_ec_model is enabled, but
never removed. Remove the msipf_old_attribute_group in that case.
Fixes: 03696e51d75a ("msi-laptop: Disable brightness control for new EC")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20251217103617.27668-2-fourier.thomas@gmail.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/msi-laptop.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
index dfb4af759aa7..fd6b3383ac4f 100644
--- a/drivers/platform/x86/msi-laptop.c
+++ b/drivers/platform/x86/msi-laptop.c
@@ -1146,6 +1146,9 @@ static void __exit msi_cleanup(void)
sysfs_remove_group(&msipf_device->dev.kobj, &msipf_attribute_group);
if (!quirks->old_ec_model && threeg_exists)
device_remove_file(&msipf_device->dev, &dev_attr_threeg);
+ if (quirks->old_ec_model)
+ sysfs_remove_group(&msipf_device->dev.kobj,
+ &msipf_old_attribute_group);
platform_device_unregister(msipf_device);
platform_driver_unregister(&msipf_driver);
backlight_device_unregister(msibl_device);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 347/554] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 346/554] platform/x86: msi-laptop: add missing sysfs_remove_group() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 348/554] team: fix check for port enabled in team_queue_override_port_prio_changed() Greg Kroah-Hartman
` (212 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Ilpo Järvinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 15dd100349b8526cbdf2de0ce3e72e700eb6c208 ]
The ibm_rtl_init() function searches for the signature but has a pointer
arithmetic error. The loop counter suggests searching at 4-byte intervals
but the implementation only advances by 1 byte per iteration.
Fix by properly advancing the pointer by sizeof(unsigned int) bytes
each iteration.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 35f0ce032b0f ("IBM Real-Time "SMI Free" mode driver -v7")
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB78812D887A92DE3802D0D06EAFA9A@SYBPR01MB7881.ausprd01.prod.outlook.com
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/ibm_rtl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
index 5fc665f7d9b3..10cab7bdfe15 100644
--- a/drivers/platform/x86/ibm_rtl.c
+++ b/drivers/platform/x86/ibm_rtl.c
@@ -262,7 +262,7 @@ static int __init ibm_rtl_init(void) {
/* search for the _RTL_ signature at the start of the table */
for (i = 0 ; i < ebda_size/sizeof(unsigned int); i++) {
struct ibm_rtl_table __iomem * tmp;
- tmp = (struct ibm_rtl_table __iomem *) (ebda_map+i);
+ tmp = (struct ibm_rtl_table __iomem *) (ebda_map + i*sizeof(unsigned int));
if ((readq(&tmp->signature) & RTL_MASK) == RTL_SIGNATURE) {
phys_addr_t addr;
unsigned int plen;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 348/554] team: fix check for port enabled in team_queue_override_port_prio_changed()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 347/554] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 349/554] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure Greg Kroah-Hartman
` (211 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+422806e5f4cce722a71f,
Jiri Pirko, Simon Horman, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Pirko <jiri@nvidia.com>
[ Upstream commit 932ac51d9953eaf77a1252f79b656d4ca86163c6 ]
There has been a syzkaller bug reported recently with the following
trace:
list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:59!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 21246 Comm: syz.0.2928 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__list_del_entry_valid_or_report+0x13e/0x200 lib/list_debug.c:59
Code: 48 c7 c7 e0 71 f0 8b e8 30 08 ef fc 90 0f 0b 48 89 ef e8 a5 02 55 fd 48 89 ea 48 89 de 48 c7 c7 40 72 f0 8b e8 13 08 ef fc 90 <0f> 0b 48 89 ef e8 88 02 55 fd 48 89 ea 48 b8 00 00 00 00 00 fc ff
RSP: 0018:ffffc9000d49f370 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff888058bea080 RCX: ffffc9002817d000
RDX: 0000000000000000 RSI: ffffffff819becc6 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff888039e9c230
R13: ffff888058bea088 R14: ffff888058bea080 R15: ffff888055461480
FS: 00007fbbcfe6f6c0(0000) GS:ffff8880d6d0a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c3afcb0 CR3: 00000000382c7000 CR4: 0000000000352ef0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del_rcu include/linux/rculist.h:178 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:826 [inline]
__team_queue_override_port_del drivers/net/team/team_core.c:821 [inline]
team_queue_override_port_prio_changed drivers/net/team/team_core.c:883 [inline]
team_priority_option_set+0x171/0x2f0 drivers/net/team/team_core.c:1534
team_option_set drivers/net/team/team_core.c:376 [inline]
team_nl_options_set_doit+0x8ae/0xe60 drivers/net/team/team_core.c:2653
genl_family_rcv_msg_doit+0x209/0x2f0 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x55c/0x800 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x5aa/0x870 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8c8/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
____sys_sendmsg+0xa98/0xc70 net/socket.c:2630
___sys_sendmsg+0x134/0x1d0 net/socket.c:2684
__sys_sendmsg+0x16d/0x220 net/socket.c:2716
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The problem is in this flow:
1) Port is enabled, queue_id != 0, in qom_list
2) Port gets disabled
-> team_port_disable()
-> team_queue_override_port_del()
-> del (removed from list)
3) Port is disabled, queue_id != 0, not in any list
4) Priority changes
-> team_queue_override_port_prio_changed()
-> checks: port disabled && queue_id != 0
-> calls del - hits the BUG as it is removed already
To fix this, change the check in team_queue_override_port_prio_changed()
so it returns early if port is not enabled.
Reported-by: syzbot+422806e5f4cce722a71f@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=422806e5f4cce722a71f
Fixes: 6c31ff366c11 ("team: remove synchronize_rcu() called during queue override change")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251212102953.167287-1-jiri@resnulli.us
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/team/team.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index 1e0adeb5e177..f866f7a4be31 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -873,7 +873,7 @@ static void __team_queue_override_enabled_check(struct team *team)
static void team_queue_override_port_prio_changed(struct team *team,
struct team_port *port)
{
- if (!port->queue_id || team_port_enabled(port))
+ if (!port->queue_id || !team_port_enabled(port))
return;
__team_queue_override_port_del(team, port);
__team_queue_override_port_add(team, port);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 349/554] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 348/554] team: fix check for port enabled in team_queue_override_port_prio_changed() Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 350/554] smc91x: fix broken irq-context in PREEMPT_RT Greg Kroah-Hartman
` (210 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8dd915c7cb0490fc8c52,
Deepakkumar Karn, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepakkumar Karn <dkarn@redhat.com>
[ Upstream commit 12cab1191d9890097171156d06bfa8d31f1e39c8 ]
In async_set_registers(), when usb_submit_urb() fails, the allocated
async_req structure and URB are not freed, causing a memory leak.
The completion callback async_set_reg_cb() is responsible for freeing
these allocations, but it is only called after the URB is successfully
submitted and completes (successfully or with error). If submission
fails, the callback never runs and the memory is leaked.
Fix this by freeing both the URB and the request structure in the error
path when usb_submit_urb() fails.
Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
Link: https://patch.msgid.link/20251216151304.59865-2-dkarn@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rtl8150.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 011cf3a35378..fa69d59a309a 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
if (res == -ENODEV)
netif_device_detach(dev->netdev);
dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
+ kfree(req);
+ usb_free_urb(async_urb);
}
return res;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 350/554] smc91x: fix broken irq-context in PREEMPT_RT
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 349/554] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 351/554] genalloc.h: fix htmldocs warning Greg Kroah-Hartman
` (209 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yeoreum Yun, Simon Horman,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yeoreum Yun <yeoreum.yun@arm.com>
[ Upstream commit 6402078bd9d1ed46e79465e1faaa42e3458f8a33 ]
When smc91x.c is built with PREEMPT_RT, the following splat occurs
in FVP_RevC:
[ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000
[ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106]
[ 13.062137] preempt=0x00000000 lock=0->0 RCU=0->1 workfn=mld_ifc_work
[ 13.062266] C
** replaying previous printk message **
[ 13.062266] CPU: 2 UID: 0 PID: 106 Comm: kworker/2:1 Not tainted 6.18.0-dirty #179 PREEMPT_{RT,(full)}
[ 13.062353] Hardware name: , BIOS
[ 13.062382] Workqueue: mld mld_ifc_work
[ 13.062469] Call trace:
[ 13.062494] show_stack+0x24/0x40 (C)
[ 13.062602] __dump_stack+0x28/0x48
[ 13.062710] dump_stack_lvl+0x7c/0xb0
[ 13.062818] dump_stack+0x18/0x34
[ 13.062926] process_scheduled_works+0x294/0x450
[ 13.063043] worker_thread+0x260/0x3d8
[ 13.063124] kthread+0x1c4/0x228
[ 13.063235] ret_from_fork+0x10/0x20
This happens because smc_special_trylock() disables IRQs even on PREEMPT_RT,
but smc_special_unlock() does not restore IRQs on PREEMPT_RT.
The reason is that smc_special_unlock() calls spin_unlock_irqrestore(),
and rcu_read_unlock_bh() in __dev_queue_xmit() cannot invoke
rcu_read_unlock() through __local_bh_enable_ip() when current->softirq_disable_cnt becomes zero.
To address this issue, replace smc_special_trylock() with spin_trylock_irqsave().
Fixes: 342a93247e08 ("locking/spinlock: Provide RT variant header: <linux/spinlock_rt.h>")
Signed-off-by: Yeoreum Yun <yeoreum.yun@arm.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251217085115.1730036-1-yeoreum.yun@arm.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/smsc/smc91x.c | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c
index 813ea941b91a..c63783516202 100644
--- a/drivers/net/ethernet/smsc/smc91x.c
+++ b/drivers/net/ethernet/smsc/smc91x.c
@@ -515,15 +515,7 @@ static inline void smc_rcv(struct net_device *dev)
* any other concurrent access and C would always interrupt B. But life
* isn't that easy in a SMP world...
*/
-#define smc_special_trylock(lock, flags) \
-({ \
- int __ret; \
- local_irq_save(flags); \
- __ret = spin_trylock(lock); \
- if (!__ret) \
- local_irq_restore(flags); \
- __ret; \
-})
+#define smc_special_trylock(lock, flags) spin_trylock_irqsave(lock, flags)
#define smc_special_lock(lock, flags) spin_lock_irqsave(lock, flags)
#define smc_special_unlock(lock, flags) spin_unlock_irqrestore(lock, flags)
#else
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 351/554] genalloc.h: fix htmldocs warning
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 350/554] smc91x: fix broken irq-context in PREEMPT_RT Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 352/554] firewire: nosy: Fix dma_free_coherent() size Greg Kroah-Hartman
` (208 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Randy Dunlap,
Alexey Skidanov, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Morton <akpm@linux-foundation.org>
[ Upstream commit 5393802c94e0ab1295c04c94c57bcb00222d4674 ]
WARNING: include/linux/genalloc.h:52 function parameter 'start_addr' not described in 'genpool_algo_t'
Fixes: 52fbf1134d47 ("lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Closes: https://lkml.kernel.org/r/20251127130624.563597e3@canb.auug.org.au
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Alexey Skidanov <alexey.skidanov@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/genalloc.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/genalloc.h b/include/linux/genalloc.h
index 0bd581003cd5..60de63e46b33 100644
--- a/include/linux/genalloc.h
+++ b/include/linux/genalloc.h
@@ -44,6 +44,7 @@ struct gen_pool;
* @nr: The number of zeroed bits we're looking for
* @data: optional additional data used by the callback
* @pool: the pool being allocated from
+ * @start_addr: start address of memory chunk
*/
typedef unsigned long (*genpool_algo_t)(unsigned long *map,
unsigned long size,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 352/554] firewire: nosy: Fix dma_free_coherent() size
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 351/554] genalloc.h: fix htmldocs warning Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 353/554] net: dsa: b53: skip multicast entries for fdb_dump() Greg Kroah-Hartman
` (207 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Christophe JAILLET,
Takashi Sakamoto, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit c48c0fd0e19684b6ecdb4108a429e3a4e73f5e21 ]
It looks like the buffer allocated and mapped in add_card() is done
with size RCV_BUFFER_SIZE which is 16 KB and 4KB.
Fixes: 286468210d83 ("firewire: new driver: nosy - IEEE 1394 traffic sniffer")
Co-developed-by: Thomas Fourier <fourier.thomas@gmail.com>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Co-developed-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/20251216165420.38355-2-fourier.thomas@gmail.com
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firewire/nosy.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/firewire/nosy.c b/drivers/firewire/nosy.c
index ea31ac7ac1ca..e59053738a43 100644
--- a/drivers/firewire/nosy.c
+++ b/drivers/firewire/nosy.c
@@ -36,6 +36,8 @@
static char driver_name[] = KBUILD_MODNAME;
+#define RCV_BUFFER_SIZE (16 * 1024)
+
/* this is the physical layout of a PCL, its size is 128 bytes */
struct pcl {
__le32 next;
@@ -517,16 +519,14 @@ remove_card(struct pci_dev *dev)
lynx->rcv_start_pcl, lynx->rcv_start_pcl_bus);
dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
lynx->rcv_pcl, lynx->rcv_pcl_bus);
- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE, lynx->rcv_buffer,
- lynx->rcv_buffer_bus);
+ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
+ lynx->rcv_buffer, lynx->rcv_buffer_bus);
iounmap(lynx->registers);
pci_disable_device(dev);
lynx_put(lynx);
}
-#define RCV_BUFFER_SIZE (16 * 1024)
-
static int
add_card(struct pci_dev *dev, const struct pci_device_id *unused)
{
@@ -680,7 +680,7 @@ add_card(struct pci_dev *dev, const struct pci_device_id *unused)
dma_free_coherent(&lynx->pci_device->dev, sizeof(struct pcl),
lynx->rcv_pcl, lynx->rcv_pcl_bus);
if (lynx->rcv_buffer)
- dma_free_coherent(&lynx->pci_device->dev, PAGE_SIZE,
+ dma_free_coherent(&lynx->pci_device->dev, RCV_BUFFER_SIZE,
lynx->rcv_buffer, lynx->rcv_buffer_bus);
iounmap(lynx->registers);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 353/554] net: dsa: b53: skip multicast entries for fdb_dump()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 352/554] firewire: nosy: Fix dma_free_coherent() size Greg Kroah-Hartman
@ 2026-01-15 16:46 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 354/554] net: usb: asix: validate PHY address before use Greg Kroah-Hartman
` (206 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonas Gorski, Florian Fainelli,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Gorski <jonas.gorski@gmail.com>
[ Upstream commit d42bce414d1c5c0b536758466a1f63ac358e613c ]
port_fdb_dump() is supposed to only add fdb entries, but we iterate over
the full ARL table, which also includes multicast entries.
So check if the entry is a multicast entry before passing it on to the
callback().
Additionally, the port of those entries is a bitmask, not a port number,
so any included entries would have even be for the wrong port.
Fixes: 1da6df85c6fb ("net: dsa: b53: Implement ARL add/del/dump operations")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20251217205756.172123-1-jonas.gorski@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/b53/b53_common.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
index d5ed733c0c97..a43cbb481529 100644
--- a/drivers/net/dsa/b53/b53_common.c
+++ b/drivers/net/dsa/b53/b53_common.c
@@ -1832,6 +1832,9 @@ static int b53_fdb_copy(int port, const struct b53_arl_entry *ent,
if (!ent->is_valid)
return 0;
+ if (is_multicast_ether_addr(ent->mac))
+ return 0;
+
if (port != ent->port)
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 354/554] net: usb: asix: validate PHY address before use
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2026-01-15 16:46 ` [PATCH 5.15 353/554] net: dsa: b53: skip multicast entries for fdb_dump() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 355/554] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct Greg Kroah-Hartman
` (205 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+3d43c9066a5b54902232,
Deepanshu Kartikey, Andrew Lunn, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
[ Upstream commit a1e077a3f76eea0dc671ed6792e7d543946227e8 ]
The ASIX driver reads the PHY address from the USB device via
asix_read_phy_addr(). A malicious or faulty device can return an
invalid address (>= PHY_MAX_ADDR), which causes a warning in
mdiobus_get_phy():
addr 207 out of range
WARNING: drivers/net/phy/mdio_bus.c:76
Validate the PHY address in asix_read_phy_addr() and remove the
now-redundant check in ax88172a.c.
Reported-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3d43c9066a5b54902232
Tested-by: syzbot+3d43c9066a5b54902232@syzkaller.appspotmail.com
Fixes: 7e88b11a862a ("net: usb: asix: refactor asix_read_phy_addr() and handle errors on return")
Link: https://lore.kernel.org/all/20251217085057.270704-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20251218011156.276824-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/asix_common.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/usb/asix_common.c b/drivers/net/usb/asix_common.c
index 00c23f1d1c94..8c613e3ea05a 100644
--- a/drivers/net/usb/asix_common.c
+++ b/drivers/net/usb/asix_common.c
@@ -333,6 +333,11 @@ int asix_read_phy_addr(struct usbnet *dev, bool internal)
offset = (internal ? 1 : 0);
ret = buf[offset];
+ if (ret >= PHY_MAX_ADDR) {
+ netdev_err(dev->net, "invalid PHY address: %d\n", ret);
+ return -ENODEV;
+ }
+
netdev_dbg(dev->net, "%s PHY address 0x%x\n",
internal ? "internal" : "external", ret);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 355/554] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 354/554] net: usb: asix: validate PHY address before use Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 356/554] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" Greg Kroah-Hartman
` (204 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bagas Sanjaya, Nikolay Aleksandrov,
Ido Schimmel, Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
[ Upstream commit f79f9b7ace1713e4b83888c385f5f55519dfb687 ]
Sphinx reports kernel-doc warning:
WARNING: ./net/bridge/br_private.h:267 struct member 'tunnel_hash' not described in 'net_bridge_vlan_group'
Fix it by describing @tunnel_hash member.
Fixes: efa5356b0d9753 ("bridge: per vlan dst_metadata netlink support")
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20251218042936.24175-2-bagasdotme@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_private.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 8acb427ae6de..0fd8dad7eca4 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -221,6 +221,7 @@ struct net_bridge_vlan {
* struct net_bridge_vlan_group
*
* @vlan_hash: VLAN entry rhashtable
+ * @tunnel_hash: Hash table to map from tunnel key ID (e.g. VXLAN VNI) to VLAN
* @vlan_list: sorted VLAN entry list
* @num_vlans: number of total VLAN entries
* @pvid: PVID VLAN id
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 356/554] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error"
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 355/554] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 357/554] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() Greg Kroah-Hartman
` (203 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anshumali Gaur, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anshumali Gaur <agaur@marvell.com>
[ Upstream commit 85f4b0c650d9f9db10bda8d3acfa1af83bf78cf7 ]
This patch ensures that the RX ring size (rx_pending) is not
set below the permitted length. This avoids UBSAN
shift-out-of-bounds errors when users passes small or zero
ring sizes via ethtool -G.
Fixes: d45d8979840d ("octeontx2-pf: Add basic ethtool support")
Signed-off-by: Anshumali Gaur <agaur@marvell.com>
Link: https://patch.msgid.link/20251219062226.524844-1-agaur@marvell.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
index db4a9fc399f3..e0c108d48d2e 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_ethtool.c
@@ -391,6 +391,14 @@ static int otx2_set_ringparam(struct net_device *netdev,
*/
if (rx_count < pfvf->hw.rq_skid)
rx_count = pfvf->hw.rq_skid;
+
+ if (ring->rx_pending < 16) {
+ netdev_err(netdev,
+ "rx ring size %u invalid, min is 16\n",
+ ring->rx_pending);
+ return -EINVAL;
+ }
+
rx_count = Q_COUNT(Q_SIZE(rx_count, 3));
/* Due pipelining impact minimum 2000 unused SQ CQE's
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 357/554] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 356/554] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 358/554] ipv4: Fix reference count leak when using error routes with nexthop objects Greg Kroah-Hartman
` (202 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Moore, Will Rosenberg,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Will Rosenberg <whrosenb@asu.edu>
[ Upstream commit 58fc7342b529803d3c221101102fe913df7adb83 ]
There exists a kernel oops caused by a BUG_ON(nhead < 0) at
net/core/skbuff.c:2232 in pskb_expand_head().
This bug is triggered as part of the calipso_skbuff_setattr()
routine when skb_cow() is passed headroom > INT_MAX
(i.e. (int)(skb_headroom(skb) + len_delta) < 0).
The root cause of the bug is due to an implicit integer cast in
__skb_cow(). The check (headroom > skb_headroom(skb)) is meant to ensure
that delta = headroom - skb_headroom(skb) is never negative, otherwise
we will trigger a BUG_ON in pskb_expand_head(). However, if
headroom > INT_MAX and delta <= -NET_SKB_PAD, the check passes, delta
becomes negative, and pskb_expand_head() is passed a negative value for
nhead.
Fix the trigger condition in calipso_skbuff_setattr(). Avoid passing
"negative" headroom sizes to skb_cow() within calipso_skbuff_setattr()
by only using skb_cow() to grow headroom.
PoC:
Using `netlabelctl` tool:
netlabelctl map del default
netlabelctl calipso add pass doi:7
netlabelctl map add default address:0::1/128 protocol:calipso,7
Then run the following PoC:
int fd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_UDP);
// setup msghdr
int cmsg_size = 2;
int cmsg_len = 0x60;
struct msghdr msg;
struct sockaddr_in6 dest_addr;
struct cmsghdr * cmsg = (struct cmsghdr *) calloc(1,
sizeof(struct cmsghdr) + cmsg_len);
msg.msg_name = &dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = NULL;
msg.msg_iovlen = 0;
msg.msg_control = cmsg;
msg.msg_controllen = cmsg_len;
msg.msg_flags = 0;
// setup sockaddr
dest_addr.sin6_family = AF_INET6;
dest_addr.sin6_port = htons(31337);
dest_addr.sin6_flowinfo = htonl(31337);
dest_addr.sin6_addr = in6addr_loopback;
dest_addr.sin6_scope_id = 31337;
// setup cmsghdr
cmsg->cmsg_len = cmsg_len;
cmsg->cmsg_level = IPPROTO_IPV6;
cmsg->cmsg_type = IPV6_HOPOPTS;
char * hop_hdr = (char *)cmsg + sizeof(struct cmsghdr);
hop_hdr[1] = 0x9; //set hop size - (0x9 + 1) * 8 = 80
sendmsg(fd, &msg, 0);
Fixes: 2917f57b6bc1 ("calipso: Allow the lsm to label the skbuff directly.")
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Will Rosenberg <whrosenb@asu.edu>
Acked-by: Paul Moore <paul@paul-moore.com>
Link: https://patch.msgid.link/20251219173637.797418-1-whrosenb@asu.edu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/calipso.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index 24666291c54a..72079ef2959b 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1345,7 +1345,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
/* At this point new_end aligns to 4n, so (new_end & 4) pads to 8n */
pad = ((new_end & 4) + (end & 7)) & 7;
len_delta = new_end - (int)end + pad;
- ret_val = skb_cow(skb, skb_headroom(skb) + len_delta);
+ ret_val = skb_cow(skb,
+ skb_headroom(skb) + (len_delta > 0 ? len_delta : 0));
if (ret_val < 0)
return ret_val;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 358/554] ipv4: Fix reference count leak when using error routes with nexthop objects
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 357/554] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 359/554] net: rose: fix invalid array index in rose_kill_by_device() Greg Kroah-Hartman
` (201 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tetsuo Handa,
syzbot+881d65229ca4f9ae8c84, Ido Schimmel, David Ahern,
Paolo Abeni, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit ac782f4e3bfcde145b8a7f8af31d9422d94d172a ]
When a nexthop object is deleted, it is marked as dead and then
fib_table_flush() is called to flush all the routes that are using the
dead nexthop.
The current logic in fib_table_flush() is to only flush error routes
(e.g., blackhole) when it is called as part of network namespace
dismantle (i.e., with flush_all=true). Therefore, error routes are not
flushed when their nexthop object is deleted:
# ip link add name dummy1 up type dummy
# ip nexthop add id 1 dev dummy1
# ip route add 198.51.100.1/32 nhid 1
# ip route add blackhole 198.51.100.2/32 nhid 1
# ip nexthop del id 1
# ip route show
blackhole 198.51.100.2 nhid 1 dev dummy1
As such, they keep holding a reference on the nexthop object which in
turn holds a reference on the nexthop device, resulting in a reference
count leak:
# ip link del dev dummy1
[ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2
Fix by flushing error routes when their nexthop is marked as dead.
IPv6 does not suffer from this problem.
Fixes: 493ced1ac47c ("ipv4: Allow routes to use nexthop objects")
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Closes: https://lore.kernel.org/netdev/d943f806-4da6-4970-ac28-b9373b0e63ac@I-love.SAKURA.ne.jp/
Reported-by: syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20251221144829.197694-1-idosch@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/fib_trie.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 8ab6ad65d0b8..2cec18cb5c48 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -2049,10 +2049,11 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
continue;
}
- /* Do not flush error routes if network namespace is
- * not being dismantled
+ /* When not flushing the entire table, skip error
+ * routes that are not marked for deletion.
*/
- if (!flush_all && fib_props[fa->fa_type].error) {
+ if (!flush_all && fib_props[fa->fa_type].error &&
+ !(fi->fib_flags & RTNH_F_DEAD)) {
slen = fa->fa_slen;
continue;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 359/554] net: rose: fix invalid array index in rose_kill_by_device()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 358/554] ipv4: Fix reference count leak when using error routes with nexthop objects Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 360/554] RDMA/irdma: avoid invalid read in irdma_net_event Greg Kroah-Hartman
` (200 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fatma Alwasmi, Pwnverse, Paolo Abeni,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pwnverse <stanksal@purdue.edu>
[ Upstream commit 6595beb40fb0ec47223d3f6058ee40354694c8e4 ]
rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.
The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().
Fix the index to use i.
Fixes: 64b8bc7d5f143 ("net/rose: fix races in rose_kill_by_device()")
Co-developed-by: Fatma Alwasmi <falwasmi@purdue.edu>
Signed-off-by: Fatma Alwasmi <falwasmi@purdue.edu>
Signed-off-by: Pwnverse <stanksal@purdue.edu>
Link: https://patch.msgid.link/20251222212227.4116041-1-ritviktanksalkar@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rose/af_rose.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index f8cd085c4234..04173c85d92b 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -204,7 +204,7 @@ static void rose_kill_by_device(struct net_device *dev)
spin_unlock_bh(&rose_list_lock);
for (i = 0; i < cnt; i++) {
- sk = array[cnt];
+ sk = array[i];
rose = rose_sk(sk);
lock_sock(sk);
spin_lock_bh(&rose_list_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 360/554] RDMA/irdma: avoid invalid read in irdma_net_event
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 359/554] net: rose: fix invalid array index in rose_kill_by_device() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 361/554] RDMA/efa: Remove possible negative shift Greg Kroah-Hartman
` (199 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Jason Gunthorpe,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
[ Upstream commit 6f05611728e9d0ab024832a4f1abb74a5f5d0bb0 ]
irdma_net_event() should not dereference anything from "neigh" (alias
"ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.
Other events come with different structures pointed to by "ptr" and they
may be smaller than struct neighbour.
Move the read of neigh->dev under the NETEVENT_NEIGH_UPDATE case.
The bug is mostly harmless, but it triggers KASAN on debug kernels:
BUG: KASAN: stack-out-of-bounds in irdma_net_event+0x32e/0x3b0 [irdma]
Read of size 8 at addr ffffc900075e07f0 by task kworker/27:2/542554
CPU: 27 PID: 542554 Comm: kworker/27:2 Kdump: loaded Not tainted 5.14.0-630.el9.x86_64+debug #1
Hardware name: [...]
Workqueue: events rt6_probe_deferred
Call Trace:
<IRQ>
dump_stack_lvl+0x60/0xb0
print_address_description.constprop.0+0x2c/0x3f0
print_report+0xb4/0x270
kasan_report+0x92/0xc0
irdma_net_event+0x32e/0x3b0 [irdma]
notifier_call_chain+0x9e/0x180
atomic_notifier_call_chain+0x5c/0x110
rt6_do_redirect+0xb91/0x1080
tcp_v6_err+0xe9b/0x13e0
icmpv6_notify+0x2b2/0x630
ndisc_redirect_rcv+0x328/0x530
icmpv6_rcv+0xc16/0x1360
ip6_protocol_deliver_rcu+0xb84/0x12e0
ip6_input_finish+0x117/0x240
ip6_input+0xc4/0x370
ipv6_rcv+0x420/0x7d0
__netif_receive_skb_one_core+0x118/0x1b0
process_backlog+0xd1/0x5d0
__napi_poll.constprop.0+0xa3/0x440
net_rx_action+0x78a/0xba0
handle_softirqs+0x2d4/0x9c0
do_softirq+0xad/0xe0
</IRQ>
Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions")
Link: https://patch.msgid.link/r/20251127143150.121099-1-mschmidt@redhat.com
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/irdma/utils.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/irdma/utils.c b/drivers/infiniband/hw/irdma/utils.c
index a47eedb6df82..235515e8bf9b 100644
--- a/drivers/infiniband/hw/irdma/utils.c
+++ b/drivers/infiniband/hw/irdma/utils.c
@@ -251,7 +251,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
void *ptr)
{
struct neighbour *neigh = ptr;
- struct net_device *real_dev, *netdev = (struct net_device *)neigh->dev;
+ struct net_device *real_dev, *netdev;
struct irdma_device *iwdev;
struct ib_device *ibdev;
__be32 *p;
@@ -260,6 +260,7 @@ int irdma_net_event(struct notifier_block *notifier, unsigned long event,
switch (event) {
case NETEVENT_NEIGH_UPDATE:
+ netdev = neigh->dev;
real_dev = rdma_vlan_dev_real_dev(netdev);
if (!real_dev)
real_dev = netdev;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 361/554] RDMA/efa: Remove possible negative shift
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 360/554] RDMA/irdma: avoid invalid read in irdma_net_event Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 362/554] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() Greg Kroah-Hartman
` (198 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Sela, Yonatan Nachum,
Michael Margolin, Gal Pressman, Jason Gunthorpe, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Margolin <mrgolin@amazon.com>
[ Upstream commit 85463eb6a46caf2f1e0e1a6d0731f2f3bab17780 ]
The page size used for device might in some cases be smaller than
PAGE_SIZE what results in a negative shift when calculating the number of
host pages in PAGE_SIZE for a debug log. Remove the debug line together
with the calculation.
Fixes: 40909f664d27 ("RDMA/efa: Add EFA verbs implementation")
Link: https://patch.msgid.link/r/20251210173656.8180-1-mrgolin@amazon.com
Reviewed-by: Tom Sela <tomsela@amazon.com>
Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
Signed-off-by: Michael Margolin <mrgolin@amazon.com>
Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/efa/efa_verbs.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/infiniband/hw/efa/efa_verbs.c b/drivers/infiniband/hw/efa/efa_verbs.c
index 1aab6c3e9f53..6fca145f1e8a 100644
--- a/drivers/infiniband/hw/efa/efa_verbs.c
+++ b/drivers/infiniband/hw/efa/efa_verbs.c
@@ -1151,13 +1151,9 @@ static int umem_to_page_list(struct efa_dev *dev,
u32 hp_cnt,
u8 hp_shift)
{
- u32 pages_in_hp = BIT(hp_shift - PAGE_SHIFT);
struct ib_block_iter biter;
unsigned int hp_idx = 0;
- ibdev_dbg(&dev->ibdev, "hp_cnt[%u], pages_in_hp[%u]\n",
- hp_cnt, pages_in_hp);
-
rdma_umem_for_each_dma_block(umem, &biter, BIT(hp_shift))
page_list[hp_idx++] = rdma_block_iter_dma_address(&biter);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 362/554] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 361/554] RDMA/efa: Remove possible negative shift Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 363/554] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() Greg Kroah-Hartman
` (197 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jang Ingyu, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jang Ingyu <ingyujang25@korea.ac.kr>
[ Upstream commit 8aaa848eaddd9ef8680fc6aafbd3a0646da5df40 ]
Fix missing comparison operator for RDMA_NETWORK_ROCE_V1 in the
conditional statement. The constant was used directly instead of
being compared with net_type, causing the condition to always
evaluate to true.
Fixes: 1c15b4f2a42f ("RDMA/core: Modify enum ib_gid_type and enum rdma_network_type")
Signed-off-by: Jang Ingyu <ingyujang25@korea.ac.kr>
Link: https://patch.msgid.link/20251219041508.1725947-1-ingyujang25@korea.ac.kr
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/verbs.c b/drivers/infiniband/core/verbs.c
index bdc9564f0ff8..53552559917c 100644
--- a/drivers/infiniband/core/verbs.c
+++ b/drivers/infiniband/core/verbs.c
@@ -740,7 +740,7 @@ int ib_get_gids_from_rdma_hdr(const union rdma_network_hdr *hdr,
(struct in6_addr *)dgid);
return 0;
} else if (net_type == RDMA_NETWORK_IPV6 ||
- net_type == RDMA_NETWORK_IB || RDMA_NETWORK_ROCE_V1) {
+ net_type == RDMA_NETWORK_IB || net_type == RDMA_NETWORK_ROCE_V1) {
*dgid = hdr->ibgrh.dgid;
*sgid = hdr->ibgrh.sgid;
return 0;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 363/554] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 362/554] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 364/554] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send Greg Kroah-Hartman
` (196 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Kalesh AP,
Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit 145a417a39d7efbc881f52e829817376972b278c ]
RCFW_COMM_CONS_PCI_BAR_REGION is defined as BAR 2, so checking
!creq_db->reg.bar_id is incorrect and always false.
pci_resource_start() returns the BAR base address, and a value of 0
indicates that the BAR is unassigned. Update the condition to test
bar_base == 0 instead.
This ensures the driver detects and logs an error for an unassigned
RCFW communication BAR.
Fixes: cee0c7bba486 ("RDMA/bnxt_re: Refactor command queue management code")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20251217100158.752504-1-alok.a.tiwari@oracle.com
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
index 2394dcc0338c..67c12e604e9b 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
@@ -779,7 +779,7 @@ static int bnxt_qplib_map_creq_db(struct bnxt_qplib_rcfw *rcfw, u32 reg_offt)
creq_db->reg.bar_id = RCFW_COMM_CONS_PCI_BAR_REGION;
creq_db->reg.bar_base = pci_resource_start(pdev, creq_db->reg.bar_id);
- if (!creq_db->reg.bar_id)
+ if (!creq_db->reg.bar_base)
dev_err(&pdev->dev,
"QPLIB: CREQ BAR region %d resc start is 0!",
creq_db->reg.bar_id);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 364/554] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 363/554] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 365/554] RDMA/bnxt_re: Fix to use correct page size for PDE table Greg Kroah-Hartman
` (195 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Kalesh AP,
Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit f01765a2361323e78e3d91b1cb1d5527a83c5cf7 ]
The bnxt_re SEND path checks wr->send_flags to enable features such as
IP checksum offload. However, send_flags is a bitmask and may contain
multiple flags (e.g. IB_SEND_SIGNALED | IB_SEND_IP_CSUM), while the
existing code uses a switch() statement that only matches when
send_flags is exactly IB_SEND_IP_CSUM.
As a result, checksum offload is not enabled when additional SEND
flags are present.
Replace the switch() with a bitmask test:
if (wr->send_flags & IB_SEND_IP_CSUM)
This ensures IP checksum offload is enabled correctly when multiple
SEND flags are used.
Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Link: https://patch.msgid.link/20251219093308.2415620-1-alok.a.tiwari@oracle.com
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/ib_verbs.c | 7 +------
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
index cb733fc497c8..83bc013c8f79 100644
--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c
+++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c
@@ -2644,14 +2644,9 @@ int bnxt_re_post_send(struct ib_qp *ib_qp, const struct ib_send_wr *wr,
wqe.rawqp1.lflags |=
SQ_SEND_RAWETH_QP1_LFLAGS_ROCE_CRC;
}
- switch (wr->send_flags) {
- case IB_SEND_IP_CSUM:
+ if (wr->send_flags & IB_SEND_IP_CSUM)
wqe.rawqp1.lflags |=
SQ_SEND_RAWETH_QP1_LFLAGS_IP_CHKSUM;
- break;
- default:
- break;
- }
fallthrough;
case IB_WR_SEND_WITH_INV:
rc = bnxt_re_build_send_wqe(qp, wr, &wqe);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 365/554] RDMA/bnxt_re: Fix to use correct page size for PDE table
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 364/554] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 366/554] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation Greg Kroah-Hartman
` (194 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damodharam Ammepalli, Kalesh AP,
Selvin Xavier, Leon Romanovsky, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
[ Upstream commit 3d70e0fb0f289b0c778041c5bb04d099e1aa7c1c ]
In bnxt_qplib_alloc_init_hwq(), while allocating memory for PDE table
driver incorrectly is using the "pg_size" value passed to the function.
Fixed to use the right value 4K. Also, fixed the allocation size for
PBL table.
Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
Signed-off-by: Damodharam Ammepalli <damodharam.ammepalli@broadcom.com>
Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Link: https://patch.msgid.link/20251223131855.145955-1-kalesh-anakkur.purayil@broadcom.com
Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index 7585d5a55db2..76fbe52a957c 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -242,7 +242,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
if (npbl % BIT(MAX_PDL_LVL_SHIFT))
npde++;
/* Alloc PDE pages */
- sginfo.pgsize = npde * pg_size;
+ sginfo.pgsize = npde * ROCE_PG_SIZE_4K;
sginfo.npages = 1;
rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_0], &sginfo);
if (rc)
@@ -250,7 +250,7 @@ int bnxt_qplib_alloc_init_hwq(struct bnxt_qplib_hwq *hwq,
/* Alloc PBL pages */
sginfo.npages = npbl;
- sginfo.pgsize = PAGE_SIZE;
+ sginfo.pgsize = ROCE_PG_SIZE_4K;
rc = __alloc_pbl(res, &hwq->pbl[PBL_LVL_1], &sginfo);
if (rc)
goto fail;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 366/554] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 365/554] RDMA/bnxt_re: Fix to use correct page size for PDE table Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 367/554] RDMA/bnxt_re: fix dma_free_coherent() pointer Greg Kroah-Hartman
` (193 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Honggang LI, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Honggang LI <honggangli@163.com>
[ Upstream commit 43bd09d5b750f700499ae8ec45fd41a4c48673e6 ]
If device max_mr_size bits in the range [mr_page_shift+31:mr_page_shift]
are zero, the `min3` function will set clt_path::max_pages_per_mr to
zero.
`alloc_path_reqs` will pass zero, which is invalid, as the third parameter
to `ib_alloc_mr`.
Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality")
Signed-off-by: Honggang LI <honggangli@163.com>
Link: https://patch.msgid.link/20251229025617.13241-1-honggangli@163.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/rtrs/rtrs-clt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
index e8f5a1f104cf..cda7849e2133 100644
--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c
+++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c
@@ -1469,6 +1469,7 @@ static void query_fast_reg_mode(struct rtrs_clt_path *clt_path)
mr_page_shift = max(12, ffs(ib_dev->attrs.page_size_cap) - 1);
max_pages_per_mr = ib_dev->attrs.max_mr_size;
do_div(max_pages_per_mr, (1ull << mr_page_shift));
+ max_pages_per_mr = min_not_zero((u32)max_pages_per_mr, U32_MAX);
clt_path->max_pages_per_mr =
min3(clt_path->max_pages_per_mr, (u32)max_pages_per_mr,
ib_dev->attrs.max_fast_reg_page_list_len);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 367/554] RDMA/bnxt_re: fix dma_free_coherent() pointer
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 366/554] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 368/554] selftests/ftrace: traceonoff_triggers: strip off names Greg Kroah-Hartman
` (192 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Leon Romanovsky,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
[ Upstream commit fcd431a9627f272b4c0bec445eba365fe2232a94 ]
The dma_alloc_coherent() allocates a dma-mapped buffer, pbl->pg_arr[i].
The dma_free_coherent() should pass the same buffer to
dma_free_coherent() and not page-aligned.
Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20251230085121.8023-2-fourier.thomas@gmail.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index 76fbe52a957c..2bdb428fd273 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -70,9 +70,7 @@ static void __free_pbl(struct bnxt_qplib_res *res, struct bnxt_qplib_pbl *pbl,
for (i = 0; i < pbl->pg_count; i++) {
if (pbl->pg_arr[i])
dma_free_coherent(&pdev->dev, pbl->pg_size,
- (void *)((unsigned long)
- pbl->pg_arr[i] &
- PAGE_MASK),
+ pbl->pg_arr[i],
pbl->pg_map_arr[i]);
else
dev_warn(&pdev->dev,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 368/554] selftests/ftrace: traceonoff_triggers: strip off names
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 367/554] RDMA/bnxt_re: fix dma_free_coherent() pointer Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 369/554] ASoC: stm32: sai: fix device leak on probe Greg Kroah-Hartman
` (191 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Rostedt (Google), Yipeng Zou,
Masami Hiramatsu (Google), Shuah Khan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yipeng Zou <zouyipeng@huawei.com>
[ Upstream commit b889b4fb4cbea3ca7eb9814075d6a51936394bd9 ]
The func_traceonoff_triggers.tc sometimes goes to fail
on my board, Kunpeng-920.
[root@localhost]# ./ftracetest ./test.d/ftrace/func_traceonoff_triggers.tc -l fail.log
=== Ftrace unit tests ===
[1] ftrace - test for function traceon/off triggers [FAIL]
[2] (instance) ftrace - test for function traceon/off triggers [UNSUPPORTED]
I look up the log, and it shows that the md5sum is different between csum1 and csum2.
++ cnt=611
++ sleep .1
+++ cnt_trace
+++ grep -v '^#' trace
+++ wc -l
++ cnt2=611
++ '[' 611 -ne 611 ']'
+++ cat tracing_on
++ on=0
++ '[' 0 '!=' 0 ']'
+++ md5sum trace
++ csum1='76896aa74362fff66a6a5f3cf8a8a500 trace'
++ sleep .1
+++ md5sum trace
++ csum2='ee8625a21c058818fc26e45c1ed3f6de trace'
++ '[' '76896aa74362fff66a6a5f3cf8a8a500 trace' '!=' 'ee8625a21c058818fc26e45c1ed3f6de trace' ']'
++ fail 'Tracing file is still changing'
++ echo Tracing file is still changing
Tracing file is still changing
++ exit_fail
++ exit 1
So I directly dump the trace file before md5sum, the diff shows that:
[root@localhost]# diff trace_1.log trace_2.log -y --suppress-common-lines
dockerd-12285 [036] d.... 18385.510290: sched_stat | <...>-12285 [036] d.... 18385.510290: sched_stat
dockerd-12285 [036] d.... 18385.510291: sched_swit | <...>-12285 [036] d.... 18385.510291: sched_swit
<...>-740 [044] d.... 18385.602859: sched_stat | kworker/44:1-740 [044] d.... 18385.602859: sched_stat
<...>-740 [044] d.... 18385.602860: sched_swit | kworker/44:1-740 [044] d.... 18385.602860: sched_swit
And we can see that <...> filed be filled with names.
We can strip off the names there to fix that.
After strip off the names:
kworker/u257:0-12 [019] d..2. 2528.758910: sched_stat | -12 [019] d..2. 2528.758910: sched_stat_runtime: comm=k
kworker/u257:0-12 [019] d..2. 2528.758912: sched_swit | -12 [019] d..2. 2528.758912: sched_switch: prev_comm=kw
<idle>-0 [000] d.s5. 2528.762318: sched_waki | -0 [000] d.s5. 2528.762318: sched_waking: comm=sshd pi
<idle>-0 [037] dNh2. 2528.762326: sched_wake | -0 [037] dNh2. 2528.762326: sched_wakeup: comm=sshd pi
<idle>-0 [037] d..2. 2528.762334: sched_swit | -0 [037] d..2. 2528.762334: sched_switch: prev_comm=sw
Link: https://lore.kernel.org/r/20230818013226.2182299-1-zouyipeng@huawei.com
Fixes: d87b29179aa0 ("selftests: ftrace: Use md5sum to take less time of checking logs")
Suggested-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ftrace/test.d/ftrace/func_traceonoff_triggers.tc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
index aee22289536b..1b57771dbfdf 100644
--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
+++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_traceonoff_triggers.tc
@@ -90,9 +90,10 @@ if [ $on != "0" ]; then
fail "Tracing is not off"
fi
-csum1=`md5sum trace`
+# Cannot rely on names being around as they are only cached, strip them
+csum1=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
sleep $SLEEP_TIME
-csum2=`md5sum trace`
+csum2=`cat trace | sed -e 's/^ *[^ ]*\(-[0-9][0-9]*\)/\1/' | md5sum`
if [ "$csum1" != "$csum2" ]; then
fail "Tracing file is still changing"
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 369/554] ASoC: stm32: sai: fix device leak on probe
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 368/554] selftests/ftrace: traceonoff_triggers: strip off names Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 370/554] ASoC: qcom: q6asm-dai: perform correct state check before closing Greg Kroah-Hartman
` (190 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, olivier moysan, Wen Yang,
Johan Hovold, olivier moysan, Mark Brown
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit e26ff429eaf10c4ef1bc3dabd9bf27eb54b7e1f4 upstream.
Make sure to drop the reference taken when looking up the sync provider
device and its driver data during DAI probe on probe failures and on
unbind.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: 7dd0d835582f ("ASoC: stm32: sai: simplify sync modes management")
Fixes: 1c3816a19487 ("ASoC: stm32: sai: add missing put_device()")
Cc: stable@vger.kernel.org # 4.16: 1c3816a19487
Cc: olivier moysan <olivier.moysan@st.com>
Cc: Wen Yang <yellowriver2010@hotmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20251124104908.15754-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/stm/stm32_sai.c
+++ b/sound/soc/stm/stm32_sai.c
@@ -127,6 +127,7 @@ static int stm32_sai_set_sync(struct stm
}
sai_provider = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!sai_provider) {
dev_err(&sai_client->pdev->dev,
"SAI sync provider data not found\n");
@@ -143,7 +144,6 @@ static int stm32_sai_set_sync(struct stm
ret = stm32_sai_sync_conf_provider(sai_provider, synco);
error:
- put_device(&pdev->dev);
of_node_put(np_provider);
return ret;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 370/554] ASoC: qcom: q6asm-dai: perform correct state check before closing
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 369/554] ASoC: stm32: sai: fix device leak on probe Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 371/554] ASoC: qcom: q6adm: the the copp device only during last instance Greg Kroah-Hartman
` (189 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown, Alexey Klimov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit bfbb12dfa144d45575bcfe139a71360b3ce80237 upstream.
Do not stop a q6asm stream if its not started, this can result in
unnecessary dsp command which will timeout anyway something like below:
q6asm-dai ab00000.remoteproc:glink-edge:apr:service@7:dais: CMD 10bcd timeout
Fix this by correctly checking the state.
Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-5-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -237,13 +237,14 @@ static int q6asm_dai_prepare(struct snd_
prtd->pcm_count = snd_pcm_lib_period_bytes(substream);
prtd->pcm_irq_pos = 0;
/* rate and channels are sent to audio driver */
- if (prtd->state) {
+ if (prtd->state == Q6ASM_STREAM_RUNNING) {
/* clear the previous setup if any */
q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
q6asm_unmap_memory_regions(substream->stream,
prtd->audio_client);
q6routing_stream_close(soc_prtd->dai_link->id,
substream->stream);
+ prtd->state = Q6ASM_STREAM_STOPPED;
}
ret = q6asm_map_memory_regions(substream->stream, prtd->audio_client,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 371/554] ASoC: qcom: q6adm: the the copp device only during last instance
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 370/554] ASoC: qcom: q6asm-dai: perform correct state check before closing Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 372/554] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
` (188 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Martino Facchin,
Srinivas Kandagatla, Mark Brown, Alexey Klimov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 74cc4f3ea4e99262ba0d619c6a4ee33e2cd47f65 upstream.
A matching Common object post processing instance is normally resused
across multiple streams. However currently we close this on DSP
even though there is a refcount on this copp object, this can result in
below error.
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: Found Matching Copp 0x0
qcom-q6adm aprsvc:service:4:8: cmd = 0x10325 return error = 0x2
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: DSP returned error[2]
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: Found Matching Copp 0x0
qcom-q6adm aprsvc:service:4:8: cmd = 0x10325 return error = 0x2
q6routing ab00000.remoteproc:glink-edge:apr:service@8:routing: DSP returned error[2]
qcom-q6adm aprsvc:service:4:8: cmd = 0x10327 return error = 0x2
qcom-q6adm aprsvc:service:4:8: DSP returned error[2]
qcom-q6adm aprsvc:service:4:8: Failed to close copp -22
qcom-q6adm aprsvc:service:4:8: cmd = 0x10327 return error = 0x2
qcom-q6adm aprsvc:service:4:8: DSP returned error[2]
qcom-q6adm aprsvc:service:4:8: Failed to close copp -22
Fix this by addressing moving the adm_close to copp_kref destructor
callback.
Fixes: 7b20b2be51e1 ("ASoC: qdsp6: q6adm: Add q6adm driver")
Cc: Stable@vger.kernel.org
Reported-by: Martino Facchin <m.facchin@arduino.cc>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-3-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6adm.c | 146 ++++++++++++++++++++-----------------------
1 file changed, 71 insertions(+), 75 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6adm.c
+++ b/sound/soc/qcom/qdsp6/q6adm.c
@@ -109,11 +109,75 @@ static struct q6copp *q6adm_find_copp(st
}
+static int q6adm_apr_send_copp_pkt(struct q6adm *adm, struct q6copp *copp,
+ struct apr_pkt *pkt, uint32_t rsp_opcode)
+{
+ struct device *dev = adm->dev;
+ uint32_t opcode = pkt->hdr.opcode;
+ int ret;
+
+ mutex_lock(&adm->lock);
+ copp->result.opcode = 0;
+ copp->result.status = 0;
+ ret = apr_send_pkt(adm->apr, pkt);
+ if (ret < 0) {
+ dev_err(dev, "Failed to send APR packet\n");
+ ret = -EINVAL;
+ goto err;
+ }
+
+ /* Wait for the callback with copp id */
+ if (rsp_opcode)
+ ret = wait_event_timeout(copp->wait,
+ (copp->result.opcode == opcode) ||
+ (copp->result.opcode == rsp_opcode),
+ msecs_to_jiffies(TIMEOUT_MS));
+ else
+ ret = wait_event_timeout(copp->wait,
+ (copp->result.opcode == opcode),
+ msecs_to_jiffies(TIMEOUT_MS));
+
+ if (!ret) {
+ dev_err(dev, "ADM copp cmd timedout\n");
+ ret = -ETIMEDOUT;
+ } else if (copp->result.status > 0) {
+ dev_err(dev, "DSP returned error[%d]\n",
+ copp->result.status);
+ ret = -EINVAL;
+ }
+
+err:
+ mutex_unlock(&adm->lock);
+ return ret;
+}
+
+static int q6adm_device_close(struct q6adm *adm, struct q6copp *copp,
+ int port_id, int copp_idx)
+{
+ struct apr_pkt close;
+
+ close.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,
+ APR_HDR_LEN(APR_HDR_SIZE),
+ APR_PKT_VER);
+ close.hdr.pkt_size = sizeof(close);
+ close.hdr.src_port = port_id;
+ close.hdr.dest_port = copp->id;
+ close.hdr.token = port_id << 16 | copp_idx;
+ close.hdr.opcode = ADM_CMD_DEVICE_CLOSE_V5;
+
+ return q6adm_apr_send_copp_pkt(adm, copp, &close, 0);
+}
+
static void q6adm_free_copp(struct kref *ref)
{
struct q6copp *c = container_of(ref, struct q6copp, refcount);
struct q6adm *adm = c->adm;
unsigned long flags;
+ int ret;
+
+ ret = q6adm_device_close(adm, c, c->afe_port, c->copp_idx);
+ if (ret < 0)
+ dev_err(adm->dev, "Failed to close copp %d\n", ret);
spin_lock_irqsave(&adm->copps_list_lock, flags);
clear_bit(c->copp_idx, &adm->copp_bitmap[c->afe_port]);
@@ -155,13 +219,13 @@ static int q6adm_callback(struct apr_dev
switch (result->opcode) {
case ADM_CMD_DEVICE_OPEN_V5:
case ADM_CMD_DEVICE_CLOSE_V5:
- copp = q6adm_find_copp(adm, port_idx, copp_idx);
- if (!copp)
- return 0;
-
- copp->result = *result;
- wake_up(&copp->wait);
- kref_put(&copp->refcount, q6adm_free_copp);
+ list_for_each_entry(copp, &adm->copps_list, node) {
+ if ((port_idx == copp->afe_port) && (copp_idx == copp->copp_idx)) {
+ copp->result = *result;
+ wake_up(&copp->wait);
+ break;
+ }
+ }
break;
case ADM_CMD_MATRIX_MAP_ROUTINGS_V5:
adm->result = *result;
@@ -234,65 +298,6 @@ static struct q6copp *q6adm_alloc_copp(s
return c;
}
-static int q6adm_apr_send_copp_pkt(struct q6adm *adm, struct q6copp *copp,
- struct apr_pkt *pkt, uint32_t rsp_opcode)
-{
- struct device *dev = adm->dev;
- uint32_t opcode = pkt->hdr.opcode;
- int ret;
-
- mutex_lock(&adm->lock);
- copp->result.opcode = 0;
- copp->result.status = 0;
- ret = apr_send_pkt(adm->apr, pkt);
- if (ret < 0) {
- dev_err(dev, "Failed to send APR packet\n");
- ret = -EINVAL;
- goto err;
- }
-
- /* Wait for the callback with copp id */
- if (rsp_opcode)
- ret = wait_event_timeout(copp->wait,
- (copp->result.opcode == opcode) ||
- (copp->result.opcode == rsp_opcode),
- msecs_to_jiffies(TIMEOUT_MS));
- else
- ret = wait_event_timeout(copp->wait,
- (copp->result.opcode == opcode),
- msecs_to_jiffies(TIMEOUT_MS));
-
- if (!ret) {
- dev_err(dev, "ADM copp cmd timedout\n");
- ret = -ETIMEDOUT;
- } else if (copp->result.status > 0) {
- dev_err(dev, "DSP returned error[%d]\n",
- copp->result.status);
- ret = -EINVAL;
- }
-
-err:
- mutex_unlock(&adm->lock);
- return ret;
-}
-
-static int q6adm_device_close(struct q6adm *adm, struct q6copp *copp,
- int port_id, int copp_idx)
-{
- struct apr_pkt close;
-
- close.hdr.hdr_field = APR_HDR_FIELD(APR_MSG_TYPE_SEQ_CMD,
- APR_HDR_LEN(APR_HDR_SIZE),
- APR_PKT_VER);
- close.hdr.pkt_size = sizeof(close);
- close.hdr.src_port = port_id;
- close.hdr.dest_port = copp->id;
- close.hdr.token = port_id << 16 | copp_idx;
- close.hdr.opcode = ADM_CMD_DEVICE_CLOSE_V5;
-
- return q6adm_apr_send_copp_pkt(adm, copp, &close, 0);
-}
-
static struct q6copp *q6adm_find_matching_copp(struct q6adm *adm,
int port_id, int topology,
int mode, int rate,
@@ -567,15 +572,6 @@ EXPORT_SYMBOL_GPL(q6adm_matrix_map);
*/
int q6adm_close(struct device *dev, struct q6copp *copp)
{
- struct q6adm *adm = dev_get_drvdata(dev->parent);
- int ret = 0;
-
- ret = q6adm_device_close(adm, copp, copp->afe_port, copp->copp_idx);
- if (ret < 0) {
- dev_err(adm->dev, "Failed to close copp %d\n", ret);
- return ret;
- }
-
kref_put(&copp->refcount, q6adm_free_copp);
return 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 372/554] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment.
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 371/554] ASoC: qcom: q6adm: the the copp device only during last instance Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 373/554] iommu/apple-dart: fix device leak on of_xlate() Greg Kroah-Hartman
` (187 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stable, Srinivas Kandagatla,
Mark Brown, Alexey Klimov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
commit 81c53b52de21b8d5a3de55ebd06b6bf188bf7efd upstream.
DSP expects the periods to be aligned to fragment sizes, currently
setting up to hw constriants on periods bytes is not going to work
correctly as we can endup with periods sizes aligned to 32 bytes however
not aligned to fragment size.
Update the constriants to use fragment size, and also set at step of
10ms for period size to accommodate DSP requirements of 10ms latency.
Fixes: 2a9e92d371db ("ASoC: qdsp6: q6asm: Add q6asm dai driver")
Cc: Stable@vger.kernel.org
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Tested-by: Alexey Klimov <alexey.klimov@linaro.org> # RB5, RB3
Link: https://patch.msgid.link/20251023102444.88158-4-srinivas.kandagatla@oss.qualcomm.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/qcom/qdsp6/q6asm-dai.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
+++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
@@ -413,13 +413,13 @@ static int q6asm_dai_open(struct snd_soc
}
ret = snd_pcm_hw_constraint_step(runtime, 0,
- SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 32);
+ SNDRV_PCM_HW_PARAM_PERIOD_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for period bytes step ret = %d\n",
ret);
}
ret = snd_pcm_hw_constraint_step(runtime, 0,
- SNDRV_PCM_HW_PARAM_BUFFER_BYTES, 32);
+ SNDRV_PCM_HW_PARAM_BUFFER_SIZE, 480);
if (ret < 0) {
dev_err(dev, "constraint for buffer bytes step ret = %d\n",
ret);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 373/554] iommu/apple-dart: fix device leak on of_xlate()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 372/554] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 374/554] iommu/exynos: " Greg Kroah-Hartman
` (186 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Peter, Robin Murphy,
Johan Hovold, Joerg Roedel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit a6eaa872c52a181ae9a290fd4e40c9df91166d7a upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 46d1fb072e76 ("iommu/dart: Add DART iommu driver")
Cc: stable@vger.kernel.org # 5.15
Cc: Sven Peter <sven@kernel.org>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/apple-dart.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/apple-dart.c
+++ b/drivers/iommu/apple-dart.c
@@ -611,6 +611,8 @@ static int apple_dart_of_xlate(struct de
struct apple_dart *cfg_dart;
int i, sid;
+ put_device(&iommu_pdev->dev);
+
if (args->args_count != 1)
return -EINVAL;
sid = args->args[0];
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 374/554] iommu/exynos: fix device leak on of_xlate()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 373/554] iommu/apple-dart: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 375/554] iommu/ipmmu-vmsa: " Greg Kroah-Hartman
` (185 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Robin Murphy,
Marek Szyprowski, Johan Hovold, Joerg Roedel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 05913cc43cb122f9afecdbe775115c058b906e1b upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Note that commit 1a26044954a6 ("iommu/exynos: add missing put_device()
call in exynos_iommu_of_xlate()") fixed the leak in a couple of error
paths, but the reference is still leaking on success.
Fixes: aa759fd376fb ("iommu/exynos: Add callback for initializing devices from device tree")
Cc: stable@vger.kernel.org # 4.2: 1a26044954a6
Cc: Yu Kuai <yukuai3@huawei.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/exynos-iommu.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/iommu/exynos-iommu.c
+++ b/drivers/iommu/exynos-iommu.c
@@ -1284,17 +1284,14 @@ static int exynos_iommu_of_xlate(struct
return -ENODEV;
data = platform_get_drvdata(sysmmu);
- if (!data) {
- put_device(&sysmmu->dev);
+ put_device(&sysmmu->dev);
+ if (!data)
return -ENODEV;
- }
if (!owner) {
owner = kzalloc(sizeof(*owner), GFP_KERNEL);
- if (!owner) {
- put_device(&sysmmu->dev);
+ if (!owner)
return -ENOMEM;
- }
INIT_LIST_HEAD(&owner->controllers);
mutex_init(&owner->rpm_lock);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 375/554] iommu/ipmmu-vmsa: fix device leak on of_xlate()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 374/554] iommu/exynos: " Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 376/554] iommu/mediatek-v1: fix device leak on probe_device() Greg Kroah-Hartman
` (184 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Magnus Damm, Robin Murphy,
Johan Hovold, Joerg Roedel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 80aa518452c4aceb9459f9a8e3184db657d1b441 upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 7b2d59611fef ("iommu/ipmmu-vmsa: Replace local utlb code with fwspec ids")
Cc: stable@vger.kernel.org # 4.14
Cc: Magnus Damm <damm+renesas@opensource.se>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/ipmmu-vmsa.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/ipmmu-vmsa.c
+++ b/drivers/iommu/ipmmu-vmsa.c
@@ -710,6 +710,8 @@ static int ipmmu_init_platform_device(st
dev_iommu_priv_set(dev, platform_get_drvdata(ipmmu_pdev));
+ put_device(&ipmmu_pdev->dev);
+
return 0;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 376/554] iommu/mediatek-v1: fix device leak on probe_device()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 375/554] iommu/ipmmu-vmsa: " Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 377/554] iommu/mediatek: fix device leak on of_xlate() Greg Kroah-Hartman
` (183 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Honghui Zhang, Robin Murphy, Yong Wu,
Johan Hovold, AngeloGioacchino Del Regno, Joerg Roedel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit c77ad28bfee0df9cbc719eb5adc9864462cfb65b upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during probe_device().
Fixes: b17336c55d89 ("iommu/mediatek: add support for mtk iommu generation one HW")
Cc: stable@vger.kernel.org # 4.8
Cc: Honghui Zhang <honghui.zhang@mediatek.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu_v1.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/mtk_iommu_v1.c
+++ b/drivers/iommu/mtk_iommu_v1.c
@@ -393,6 +393,8 @@ static int mtk_iommu_create_mapping(stru
return -EINVAL;
dev_iommu_priv_set(dev, platform_get_drvdata(m4updev));
+
+ put_device(&m4updev->dev);
}
ret = iommu_fwspec_add_ids(dev, args->args, 1);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 377/554] iommu/mediatek: fix device leak on of_xlate()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 376/554] iommu/mediatek-v1: fix device leak on probe_device() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 378/554] iommu/omap: fix device leaks on probe_device() Greg Kroah-Hartman
` (182 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robin Murphy, Yong Wu, Johan Hovold,
AngeloGioacchino Del Regno, Joerg Roedel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b3f1ee18280363ef17f82b564fc379ceba9ec86f upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 0df4fabe208d ("iommu/mediatek: Add mt8173 IOMMU driver")
Cc: stable@vger.kernel.org # 4.6
Acked-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Yong Wu <yong.wu@mediatek.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/mtk_iommu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/mtk_iommu.c
+++ b/drivers/iommu/mtk_iommu.c
@@ -669,6 +669,8 @@ static int mtk_iommu_of_xlate(struct dev
return -EINVAL;
dev_iommu_priv_set(dev, platform_get_drvdata(m4updev));
+
+ put_device(&m4updev->dev);
}
return iommu_fwspec_add_ids(dev, args->args, 1);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 378/554] iommu/omap: fix device leaks on probe_device()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 377/554] iommu/mediatek: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 379/554] iommu/sun50i: fix device leak on of_xlate() Greg Kroah-Hartman
` (181 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suman Anna, Robin Murphy,
Johan Hovold, Joerg Roedel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b5870691065e6bbe6ba0650c0412636c6a239c5a upstream.
Make sure to drop the references taken to the iommu platform devices
when looking up their driver data during probe_device().
Note that the arch data device pointer added by commit 604629bcb505
("iommu/omap: add support for late attachment of iommu devices") has
never been used. Remove it to underline that the references are not
needed.
Fixes: 9d5018deec86 ("iommu/omap: Add support to program multiple iommus")
Fixes: 7d6827748d54 ("iommu/omap: Fix iommu archdata name for DT-based devices")
Cc: stable@vger.kernel.org # 3.18
Cc: Suman Anna <s-anna@ti.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/omap-iommu.c | 2 +-
drivers/iommu/omap-iommu.h | 2 --
2 files changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/iommu/omap-iommu.c
+++ b/drivers/iommu/omap-iommu.c
@@ -1682,6 +1682,7 @@ static struct iommu_device *omap_iommu_p
}
oiommu = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!oiommu) {
of_node_put(np);
kfree(arch_data);
@@ -1689,7 +1690,6 @@ static struct iommu_device *omap_iommu_p
}
tmp->iommu_dev = oiommu;
- tmp->dev = &pdev->dev;
of_node_put(np);
}
--- a/drivers/iommu/omap-iommu.h
+++ b/drivers/iommu/omap-iommu.h
@@ -88,7 +88,6 @@ struct omap_iommu {
/**
* struct omap_iommu_arch_data - omap iommu private data
* @iommu_dev: handle of the OMAP iommu device
- * @dev: handle of the iommu device
*
* This is an omap iommu private data object, which binds an iommu user
* to its iommu device. This object should be placed at the iommu user's
@@ -97,7 +96,6 @@ struct omap_iommu {
*/
struct omap_iommu_arch_data {
struct omap_iommu *iommu_dev;
- struct device *dev;
};
struct cr_regs {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 379/554] iommu/sun50i: fix device leak on of_xlate()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 378/554] iommu/omap: fix device leaks on probe_device() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 380/554] iommu/tegra: fix device leak on probe_device() Greg Kroah-Hartman
` (180 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxime Ripard, Robin Murphy,
Johan Hovold, Joerg Roedel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit f916109bf53864605d10bf6f4215afa023a80406 upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
Cc: stable@vger.kernel.org # 5.8
Cc: Maxime Ripard <mripard@kernel.org>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/sun50i-iommu.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/iommu/sun50i-iommu.c
+++ b/drivers/iommu/sun50i-iommu.c
@@ -756,6 +756,8 @@ static int sun50i_iommu_of_xlate(struct
dev_iommu_priv_set(dev, platform_get_drvdata(iommu_pdev));
+ put_device(&iommu_pdev->dev);
+
return iommu_fwspec_add_ids(dev, &id, 1);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 380/554] iommu/tegra: fix device leak on probe_device()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 379/554] iommu/sun50i: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 381/554] HID: logitech-dj: Remove duplicate error logging Greg Kroah-Hartman
` (179 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Robin Murphy,
Thierry Reding, Johan Hovold, Joerg Roedel
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit c08934a61201db8f1d1c66fcc63fb2eb526b656d upstream.
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during probe_device().
Note that commit 9826e393e4a8 ("iommu/tegra-smmu: Fix missing
put_device() call in tegra_smmu_find") fixed the leak in an error path,
but the reference is still leaking on success.
Fixes: 891846516317 ("memory: Add NVIDIA Tegra memory controller support")
Cc: stable@vger.kernel.org # 3.19: 9826e393e4a8
Cc: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/tegra-smmu.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/iommu/tegra-smmu.c
+++ b/drivers/iommu/tegra-smmu.c
@@ -808,10 +808,9 @@ static struct tegra_smmu *tegra_smmu_fin
return NULL;
mc = platform_get_drvdata(pdev);
- if (!mc) {
- put_device(&pdev->dev);
+ put_device(&pdev->dev);
+ if (!mc)
return NULL;
- }
return mc->smmu;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 381/554] HID: logitech-dj: Remove duplicate error logging
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 380/554] iommu/tegra: fix device leak on probe_device() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 382/554] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths Greg Kroah-Hartman
` (178 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Jiri Kosina
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <johannes.goede@oss.qualcomm.com>
commit ca389a55d8b2d86a817433bf82e0602b68c4d541 upstream.
logi_dj_recv_query_paired_devices() and logi_dj_recv_switch_to_dj_mode()
both have 2 callers which all log an error if the function fails. Move
the error logging to inside these 2 functions to remove the duplicated
error logging in the callers.
While at it also move the logi_dj_recv_send_report() call error handling
in logi_dj_recv_switch_to_dj_mode() to directly after the call. That call
only fails if the report cannot be found and in that case it does nothing,
so the msleep() is not necessary on failures.
Fixes: 6f20d3261265 ("HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()")
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <johannes.goede@oss.qualcomm.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-logitech-dj.c | 56 +++++++++++++++++-------------------------
1 file changed, 23 insertions(+), 33 deletions(-)
--- a/drivers/hid/hid-logitech-dj.c
+++ b/drivers/hid/hid-logitech-dj.c
@@ -805,7 +805,6 @@ static void delayedwork_callback(struct
struct dj_workitem workitem;
unsigned long flags;
int count;
- int retval;
dbg_hid("%s\n", __func__);
@@ -842,11 +841,7 @@ static void delayedwork_callback(struct
logi_dj_recv_destroy_djhid_device(djrcv_dev, &workitem);
break;
case WORKITEM_TYPE_UNKNOWN:
- retval = logi_dj_recv_query_paired_devices(djrcv_dev);
- if (retval) {
- hid_err(djrcv_dev->hidpp, "%s: logi_dj_recv_query_paired_devices error: %d\n",
- __func__, retval);
- }
+ logi_dj_recv_query_paired_devices(djrcv_dev);
break;
case WORKITEM_TYPE_EMPTY:
dbg_hid("%s: device list is empty\n", __func__);
@@ -1239,8 +1234,10 @@ static int logi_dj_recv_query_paired_dev
djrcv_dev->last_query = jiffies;
- if (djrcv_dev->type != recvr_type_dj)
- return logi_dj_recv_query_hidpp_devices(djrcv_dev);
+ if (djrcv_dev->type != recvr_type_dj) {
+ retval = logi_dj_recv_query_hidpp_devices(djrcv_dev);
+ goto out;
+ }
dj_report = kzalloc(sizeof(struct dj_report), GFP_KERNEL);
if (!dj_report)
@@ -1250,6 +1247,10 @@ static int logi_dj_recv_query_paired_dev
dj_report->report_type = REPORT_TYPE_CMD_GET_PAIRED_DEVICES;
retval = logi_dj_recv_send_report(djrcv_dev, dj_report);
kfree(dj_report);
+out:
+ if (retval < 0)
+ hid_err(djrcv_dev->hidpp, "%s error:%d\n", __func__, retval);
+
return retval;
}
@@ -1275,6 +1276,8 @@ static int logi_dj_recv_switch_to_dj_mod
(u8)timeout;
retval = logi_dj_recv_send_report(djrcv_dev, dj_report);
+ if (retval)
+ goto out;
/*
* Ugly sleep to work around a USB 3.0 bug when the receiver is
@@ -1283,11 +1286,6 @@ static int logi_dj_recv_switch_to_dj_mod
* 50 msec should gives enough time to the receiver to be ready.
*/
msleep(50);
-
- if (retval) {
- kfree(dj_report);
- return retval;
- }
}
/*
@@ -1313,7 +1311,12 @@ static int logi_dj_recv_switch_to_dj_mod
HIDPP_REPORT_SHORT_LENGTH, HID_OUTPUT_REPORT,
HID_REQ_SET_REPORT);
+out:
kfree(dj_report);
+
+ if (retval < 0)
+ hid_err(hdev, "%s error:%d\n", __func__, retval);
+
return retval;
}
@@ -1835,11 +1838,8 @@ static int logi_dj_probe(struct hid_devi
if (has_hidpp) {
retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0);
- if (retval < 0) {
- hid_err(hdev, "%s: logi_dj_recv_switch_to_dj_mode returned error:%d\n",
- __func__, retval);
+ if (retval < 0)
goto switch_to_dj_mode_fail;
- }
}
/* This is enabling the polling urb on the IN endpoint */
@@ -1857,15 +1857,11 @@ static int logi_dj_probe(struct hid_devi
spin_lock_irqsave(&djrcv_dev->lock, flags);
djrcv_dev->ready = true;
spin_unlock_irqrestore(&djrcv_dev->lock, flags);
- retval = logi_dj_recv_query_paired_devices(djrcv_dev);
- if (retval < 0) {
- hid_err(hdev, "%s: logi_dj_recv_query_paired_devices error:%d\n",
- __func__, retval);
- /*
- * This can happen with a KVM, let the probe succeed,
- * logi_dj_recv_queue_unknown_work will retry later.
- */
- }
+ /*
+ * This can fail with a KVM. Ignore errors to let the probe
+ * succeed, logi_dj_recv_queue_unknown_work will retry later.
+ */
+ logi_dj_recv_query_paired_devices(djrcv_dev);
}
return 0;
@@ -1882,18 +1878,12 @@ hid_hw_start_fail:
#ifdef CONFIG_PM
static int logi_dj_reset_resume(struct hid_device *hdev)
{
- int retval;
struct dj_receiver_dev *djrcv_dev = hid_get_drvdata(hdev);
if (!djrcv_dev || djrcv_dev->hidpp != hdev)
return 0;
- retval = logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0);
- if (retval < 0) {
- hid_err(hdev, "%s: logi_dj_recv_switch_to_dj_mode returned error:%d\n",
- __func__, retval);
- }
-
+ logi_dj_recv_switch_to_dj_mode(djrcv_dev, 0);
return 0;
}
#endif
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 382/554] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 381/554] HID: logitech-dj: Remove duplicate error logging Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 383/554] leds: leds-lp50xx: Allow LED 0 to be added to module bank Greg Kroah-Hartman
` (177 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lukas Wunner, Bjorn Helgaas,
Rafael J. Wysocki (Intel)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 894f475f88e06c0f352c829849560790dbdedbe5 upstream.
When a PCI device is suspended, it is normally the PCI core's job to save
Config Space and put the device into a low power state. However drivers
are allowed to assume these responsibilities. When they do, the PCI core
can tell by looking at the state_saved flag in struct pci_dev: The flag
is cleared before commencing the suspend sequence and it is set when
pci_save_state() is called. If the PCI core finds the flag set late in
the suspend sequence, it refrains from calling pci_save_state() itself.
But there are two corner cases where the PCI core neglects to clear the
flag before commencing the suspend sequence:
* If a driver has legacy PCI PM callbacks, pci_legacy_suspend() neglects
to clear the flag. The (stale) flag is subsequently queried by
pci_legacy_suspend() itself and pci_legacy_suspend_late().
* If a device has no driver or its driver has no PCI PM callbacks,
pci_pm_freeze() neglects to clear the flag. The (stale) flag is
subsequently queried by pci_pm_freeze_noirq().
The flag may be set prior to suspend if the device went through error
recovery: Drivers commonly invoke pci_restore_state() + pci_save_state()
to restore Config Space after reset.
The flag may also be set if drivers call pci_save_state() on probe to
allow for recovery from subsequent errors.
The result is that pci_legacy_suspend_late() and pci_pm_freeze_noirq()
don't call pci_save_state() and so the state that will be restored on
resume is the one recorded on last error recovery or on probe, not the one
that the device had on suspend. If the two states happen to be identical,
there's no problem.
Reinstate clearing the flag in pci_legacy_suspend() and pci_pm_freeze().
The two functions used to do that until commit 4b77b0a2ba27 ("PCI: Clear
saved_state after the state has been restored") deemed it unnecessary
because it assumed that it's sufficient to clear the flag on resume in
pci_restore_state(). The commit seemingly did not take into account that
pci_save_state() and pci_restore_state() are not only used by power
management code, but also for error recovery.
Devices without driver or whose driver has no PCI PM callbacks may be in
runtime suspend when pci_pm_freeze() is called. Their state has already
been saved, so don't clear the flag to skip a pointless pci_save_state()
in pci_pm_freeze_noirq().
None of the drivers with legacy PCI PM callbacks seem to use runtime PM,
so clear the flag unconditionally in their case.
Fixes: 4b77b0a2ba27 ("PCI: Clear saved_state after the state has been restored")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Rafael J. Wysocki (Intel) <rafael@kernel.org>
Cc: stable@vger.kernel.org # v2.6.32+
Link: https://patch.msgid.link/094f2aad64418710daf0940112abe5a0afdc6bce.1763483367.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci-driver.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/pci/pci-driver.c
+++ b/drivers/pci/pci-driver.c
@@ -598,6 +598,8 @@ static int pci_legacy_suspend(struct dev
struct pci_dev *pci_dev = to_pci_dev(dev);
struct pci_driver *drv = pci_dev->driver;
+ pci_dev->state_saved = false;
+
if (drv && drv->suspend) {
pci_power_t prev = pci_dev->current_state;
int error;
@@ -999,6 +1001,8 @@ static int pci_pm_freeze(struct device *
if (!pm) {
pci_pm_default_suspend(pci_dev);
+ if (!pm_runtime_suspended(dev))
+ pci_dev->state_saved = false;
return 0;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 383/554] leds: leds-lp50xx: Allow LED 0 to be added to module bank
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 382/554] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 384/554] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs Greg Kroah-Hartman
` (176 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Hitz, Jacek Anaszewski,
Lee Jones
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Hitz <christian.hitz@bbv.ch>
commit 26fe74d598c32e7bc6f150edfc4aa43e1bee55db upstream.
led_banks contains LED module number(s) that should be grouped into the
module bank. led_banks is 0-initialized.
By checking the led_banks entries for 0, un-set entries are detected.
But a 0-entry also indicates that LED module 0 should be grouped into the
module bank.
By only iterating over the available entries no check for unused entries
is required and LED module 0 can be added to bank.
Cc: stable@vger.kernel.org
Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Link: https://patch.msgid.link/20251008123222.1117331-1-christian@klarinett.li
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-lp50xx.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -347,17 +347,15 @@ out:
return ret;
}
-static int lp50xx_set_banks(struct lp50xx *priv, u32 led_banks[])
+static int lp50xx_set_banks(struct lp50xx *priv, u32 led_banks[], int num_leds)
{
u8 led_config_lo, led_config_hi;
u32 bank_enable_mask = 0;
int ret;
int i;
- for (i = 0; i < priv->chip_info->max_modules; i++) {
- if (led_banks[i])
- bank_enable_mask |= (1 << led_banks[i]);
- }
+ for (i = 0; i < num_leds; i++)
+ bank_enable_mask |= (1 << led_banks[i]);
led_config_lo = bank_enable_mask;
led_config_hi = bank_enable_mask >> 8;
@@ -413,7 +411,7 @@ static int lp50xx_probe_leds(struct fwno
return ret;
}
- ret = lp50xx_set_banks(priv, led_banks);
+ ret = lp50xx_set_banks(priv, led_banks, num_leds);
if (ret) {
dev_err(priv->dev, "Cannot setup banked LEDs\n");
return ret;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 384/554] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 383/554] leds: leds-lp50xx: Allow LED 0 to be added to module bank Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 385/554] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup Greg Kroah-Hartman
` (175 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian Hitz, Lee Jones
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Hitz <christian.hitz@bbv.ch>
commit 5246e3673eeeccb4f5bf4f42375dd495d465ac15 upstream.
LP5009 supports 9 LED outputs that are grouped into 3 modules.
Cc: stable@vger.kernel.org
Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED driver")
Signed-off-by: Christian Hitz <christian.hitz@bbv.ch>
Link: https://patch.msgid.link/20251022063305.972190-1-christian@klarinett.li
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/leds/leds-lp50xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -56,7 +56,7 @@
/* There are 3 LED outputs per bank */
#define LP50XX_LEDS_PER_MODULE 3
-#define LP5009_MAX_LED_MODULES 2
+#define LP5009_MAX_LED_MODULES 3
#define LP5012_MAX_LED_MODULES 4
#define LP5018_MAX_LED_MODULES 6
#define LP5024_MAX_LED_MODULES 8
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 385/554] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 384/554] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 386/554] mfd: max77620: Fix potential IRQ chip conflict when probing two devices Greg Kroah-Hartman
` (174 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Lee Jones
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ccb7cd3218e48665f3c7e19eede0da5f069c323d upstream.
Make sure to drop the reference taken to the sysmgr platform device when
retrieving its driver data.
Note that holding a reference to a device does not prevent its driver
data from going away.
Fixes: f36e789a1f8d ("mfd: altera-sysmgr: Add SOCFPGA System Manager")
Cc: stable@vger.kernel.org # 5.2
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/altera-sysmgr.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mfd/altera-sysmgr.c
+++ b/drivers/mfd/altera-sysmgr.c
@@ -118,6 +118,8 @@ struct regmap *altr_sysmgr_regmap_lookup
sysmgr = dev_get_drvdata(dev);
+ put_device(dev);
+
return sysmgr->regmap;
}
EXPORT_SYMBOL_GPL(altr_sysmgr_regmap_lookup_by_phandle);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 386/554] mfd: max77620: Fix potential IRQ chip conflict when probing two devices
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 385/554] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 387/554] media: rc: st_rc: Fix reset control resource leak Greg Kroah-Hartman
` (173 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Lee Jones
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 2bac49bad1f3553cc3b3bfb22cc194e9bd9e8427 upstream.
MAX77620 is most likely always a single device on the board, however
nothing stops board designers to have two of them, thus same device
driver could probe twice. Or user could manually try to probing second
time.
Device driver is not ready for that case, because it allocates
statically 'struct regmap_irq_chip' as non-const and stores during
probe in 'irq_drv_data' member a pointer to per-probe state
container ('struct max77620_chip'). devm_regmap_add_irq_chip() does not
make a copy of 'struct regmap_irq_chip' but store the pointer.
Second probe - either successful or failure - would overwrite the
'irq_drv_data' from previous device probe, so interrupts would be
executed in a wrong context.
Cc: stable@vger.kernel.org
Fixes: 3df140d11c6d ("mfd: max77620: Mask/unmask interrupt before/after servicing it")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/20251023101939.67991-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mfd/max77620.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/mfd/max77620.c
+++ b/drivers/mfd/max77620.c
@@ -254,7 +254,7 @@ static int max77620_irq_global_unmask(vo
return ret;
}
-static struct regmap_irq_chip max77620_top_irq_chip = {
+static const struct regmap_irq_chip max77620_top_irq_chip = {
.name = "max77620-top",
.irqs = max77620_top_irqs,
.num_irqs = ARRAY_SIZE(max77620_top_irqs),
@@ -499,6 +499,7 @@ static int max77620_probe(struct i2c_cli
{
const struct regmap_config *rmap_config;
struct max77620_chip *chip;
+ struct regmap_irq_chip *chip_desc;
const struct mfd_cell *mfd_cells;
int n_mfd_cells;
bool pm_off;
@@ -509,6 +510,14 @@ static int max77620_probe(struct i2c_cli
return -ENOMEM;
i2c_set_clientdata(client, chip);
+
+ chip_desc = devm_kmemdup(&client->dev, &max77620_top_irq_chip,
+ sizeof(max77620_top_irq_chip),
+ GFP_KERNEL);
+ if (!chip_desc)
+ return -ENOMEM;
+ chip_desc->irq_drv_data = chip;
+
chip->dev = &client->dev;
chip->chip_irq = client->irq;
chip->chip_id = (enum max77620_chip_id)id->driver_data;
@@ -545,11 +554,9 @@ static int max77620_probe(struct i2c_cli
if (ret < 0)
return ret;
- max77620_top_irq_chip.irq_drv_data = chip;
ret = devm_regmap_add_irq_chip(chip->dev, chip->rmap, client->irq,
IRQF_ONESHOT | IRQF_SHARED, 0,
- &max77620_top_irq_chip,
- &chip->top_irq_data);
+ chip_desc, &chip->top_irq_data);
if (ret < 0) {
dev_err(chip->dev, "Failed to add regmap irq: %d\n", ret);
return ret;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 387/554] media: rc: st_rc: Fix reset control resource leak
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 386/554] mfd: max77620: Fix potential IRQ chip conflict when probing two devices Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 388/554] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace Greg Kroah-Hartman
` (172 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Patrice Chotard,
Sean Young, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
commit 1240abf4b71f632f0117b056e22488e4d9808938 upstream.
The driver calls reset_control_get_optional_exclusive() but never calls
reset_control_put() in error paths or in the remove function. This causes
a resource leak when probe fails after successfully acquiring the reset
control, or when the driver is unloaded.
Switch to devm_reset_control_get_optional_exclusive() to automatically
manage the reset control resource.
Fixes: a4b80242d046 ("media: st-rc: explicitly request exclusive reset control")
Cc: stable@vger.kernel.org
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/rc/st_rc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/rc/st_rc.c
+++ b/drivers/media/rc/st_rc.c
@@ -287,7 +287,7 @@ static int st_rc_probe(struct platform_d
else
rc_dev->rx_base = rc_dev->base;
- rc_dev->rstc = reset_control_get_optional_exclusive(dev, NULL);
+ rc_dev->rstc = devm_reset_control_get_optional_exclusive(dev, NULL);
if (IS_ERR(rc_dev->rstc)) {
ret = PTR_ERR(rc_dev->rstc);
goto err;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 388/554] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 387/554] media: rc: st_rc: Fix reset control resource leak Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 389/554] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() Greg Kroah-Hartman
` (171 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sven Schnelle, Helge Deller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@stackframe.org>
commit 1aa4524c0c1b54842c4c0a370171d11b12d0709b upstream.
In wide mode, the IASQ contain the upper part of the GVA
during interruption. This needs to be reversed before
the space is used - otherwise it contains parts of IAOQ.
See Page 2-13 "Processing Resources / Interruption Instruction
Address Queues" in the Parisc 2.0 Architecture Manual page 2-13
for an explanation.
The IAOQ/IASQ space_adjust was skipped for other interruptions
than itlb misses. However, the code in handle_interruption()
checks whether iasq[0] contains a valid space. Due to the not
masked out bits this match failed and the process was killed.
Also add space_adjust for IAOQ1/IASQ1 so ptregs contains sane values.
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Cc: stable@vger.kernel.org # v6.0+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/entry.S | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -1072,8 +1072,6 @@ ENTRY_CFI(intr_save) /* for os_hpmc */
STREG %r17, PT_IOR(%r29)
#if defined(CONFIG_64BIT)
- b,n intr_save2
-
skip_save_ior:
/* We have a itlb miss, and when executing code above 4 Gb on ILP64, we
* need to adjust iasq/iaoq here in the same way we adjusted isr/ior
@@ -1082,10 +1080,17 @@ skip_save_ior:
bb,COND(>=),n %r8,PSW_W_BIT,intr_save2
LDREG PT_IASQ0(%r29), %r16
LDREG PT_IAOQ0(%r29), %r17
- /* adjust iasq/iaoq */
+ /* adjust iasq0/iaoq0 */
space_adjust %r16,%r17,%r1
STREG %r16, PT_IASQ0(%r29)
STREG %r17, PT_IAOQ0(%r29)
+
+ LDREG PT_IASQ1(%r29), %r16
+ LDREG PT_IAOQ1(%r29), %r17
+ /* adjust iasq1/iaoq1 */
+ space_adjust %r16,%r17,%r1
+ STREG %r16, PT_IASQ1(%r29)
+ STREG %r17, PT_IAOQ1(%r29)
#else
skip_save_ior:
#endif
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 389/554] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 388/554] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 390/554] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() Greg Kroah-Hartman
` (170 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sven Schnelle, Helge Deller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven Schnelle <svens@stackframe.org>
commit 5fb1d3ce3e74a4530042795e1e065422295f1371 upstream.
When the kernel leaves to userspace via syscall_restore_rfi(), the
W bit is not set in the new PSW. This doesn't cause any problems
because there's no 64 bit userspace for parisc. Simple static binaries
are usually loaded at addresses way below the 32 bit limit so the W bit
doesn't matter.
Fix this by setting the W bit when TIF_32BIT is not set.
Signed-off-by: Sven Schnelle <svens@stackframe.org>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/asm-offsets.c | 2 ++
arch/parisc/kernel/entry.S | 5 ++++-
2 files changed, 6 insertions(+), 1 deletion(-)
--- a/arch/parisc/kernel/asm-offsets.c
+++ b/arch/parisc/kernel/asm-offsets.c
@@ -260,6 +260,8 @@ int main(void)
BLANK();
DEFINE(TIF_BLOCKSTEP_PA_BIT, 31-TIF_BLOCKSTEP);
DEFINE(TIF_SINGLESTEP_PA_BIT, 31-TIF_SINGLESTEP);
+ DEFINE(TIF_32BIT_PA_BIT, 31-TIF_32BIT);
+
BLANK();
DEFINE(ASM_PMD_SHIFT, PMD_SHIFT);
DEFINE(ASM_PGDIR_SHIFT, PGDIR_SHIFT);
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -1913,6 +1913,10 @@ syscall_restore_rfi:
extru,= %r19,TIF_BLOCKSTEP_PA_BIT,1,%r0
depi -1,7,1,%r20 /* T bit */
+#ifdef CONFIG_64BIT
+ extru,<> %r19,TIF_32BIT_PA_BIT,1,%r0
+ depi -1,4,1,%r20 /* W bit */
+#endif
STREG %r20,TASK_PT_PSW(%r1)
/* Always store space registers, since sr3 can be changed (e.g. fork) */
@@ -1926,7 +1930,6 @@ syscall_restore_rfi:
STREG %r25,TASK_PT_IASQ0(%r1)
STREG %r25,TASK_PT_IASQ1(%r1)
- /* XXX W bit??? */
/* Now if old D bit is clear, it means we didn't save all registers
* on syscall entry, so do that now. This only happens on TRACEME
* calls, or if someone attached to us while we were on a syscall.
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 390/554] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 389/554] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 391/554] dm-ebs: Mark full buffer dirty even on partial write Greg Kroah-Hartman
` (169 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
commit 8163419e3e05d71dcfa8fb49c8fdf8d76908fe51 upstream.
It's possible for cp_read() and hdmi_read() to return -EIO. Those
values are further used as indexes for accessing arrays.
Fix that by checking return values where it's needed.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver")
Cc: stable@vger.kernel.org
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv7842.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -2690,6 +2690,7 @@ static int adv7842_cp_log_status(struct
/* CP block */
struct adv7842_state *state = to_state(sd);
struct v4l2_dv_timings timings;
+ int temp;
u8 reg_io_0x02 = io_read(sd, 0x02);
u8 reg_io_0x21 = io_read(sd, 0x21);
u8 reg_rep_0x77 = rep_read(sd, 0x77);
@@ -2812,8 +2813,9 @@ static int adv7842_cp_log_status(struct
(((reg_io_0x02 >> 2) & 0x01) ^ (reg_io_0x02 & 0x01)) ?
"(16-235)" : "(0-255)",
(reg_io_0x02 & 0x08) ? "enabled" : "disabled");
+ temp = cp_read(sd, 0xf4) >> 4;
v4l2_info(sd, "Color space conversion: %s\n",
- csc_coeff_sel_rb[cp_read(sd, 0xf4) >> 4]);
+ temp < 0 ? "" : csc_coeff_sel_rb[temp]);
if (!is_digital_input(sd))
return 0;
@@ -2843,8 +2845,9 @@ static int adv7842_cp_log_status(struct
hdmi_read(sd, 0x5f));
v4l2_info(sd, "AV Mute: %s\n",
(hdmi_read(sd, 0x04) & 0x40) ? "on" : "off");
+ temp = hdmi_read(sd, 0x0b) >> 6;
v4l2_info(sd, "Deep color mode: %s\n",
- deep_color_mode_txt[hdmi_read(sd, 0x0b) >> 6]);
+ temp < 0 ? "" : deep_color_mode_txt[temp]);
adv7842_log_infoframes(sd);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 391/554] dm-ebs: Mark full buffer dirty even on partial write
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 390/554] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 392/554] fbdev: gbefb: fix to use physical address instead of dma address Greg Kroah-Hartman
` (168 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uladzislau Rezki (Sony),
Mikulas Patocka
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uladzislau Rezki (Sony) <urezki@gmail.com>
commit 7fa3e7d114abc9cc71cc35d768e116641074ddb4 upstream.
When performing a read-modify-write(RMW) operation, any modification
to a buffered block must cause the entire buffer to be marked dirty.
Marking only a subrange as dirty is incorrect because the underlying
device block size(ubs) defines the minimum read/write granularity. A
lower device can perform I/O only on regions which are fully aligned
and sized to ubs.
This change ensures that write-back operations always occur in full
ubs-sized chunks, matching the intended emulation semantics of the
EBS target.
As for user space visible impact, submitting sub-ubs and misaligned
I/O for devices which are tuned to ubs sizes only, will reject such
requests, therefore it can lead to losing data. Example:
1) Create a 8K nvme device in qemu by adding
-device nvme,drive=drv0,serial=foo,logical_block_size=8192,physical_block_size=8192
2) Setup dm-ebs to emulate 512B to 8K mapping
urezki@pc638:~/bin$ cat dmsetup.sh
lower=/dev/nvme0n1
len=$(blockdev --getsz "$lower")
echo "0 $len ebs $lower 0 1 16" | dmsetup create nvme-8k
urezki@pc638:~/bin$
offset 0, ebs=1 and ubs=16(in sectors).
3) Create an ext4 filesystem(default 4K block size)
urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 2072576 4k blocks and 518144 inodes
Filesystem UUID: bd0b6ca6-0506-4e31-86da-8d22c9d50b63
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: mkfs.ext4: Input/output error while writing out and closing file system
urezki@pc638:~/bin$ dmesg
<snip>
[ 1618.875449] buffer_io_error: 1028 callbacks suppressed
[ 1618.875456] Buffer I/O error on dev dm-0, logical block 0, lost async page write
[ 1618.875527] Buffer I/O error on dev dm-0, logical block 1, lost async page write
[ 1618.875602] Buffer I/O error on dev dm-0, logical block 2, lost async page write
[ 1618.875620] Buffer I/O error on dev dm-0, logical block 3, lost async page write
[ 1618.875639] Buffer I/O error on dev dm-0, logical block 4, lost async page write
[ 1618.894316] Buffer I/O error on dev dm-0, logical block 5, lost async page write
[ 1618.894358] Buffer I/O error on dev dm-0, logical block 6, lost async page write
[ 1618.894380] Buffer I/O error on dev dm-0, logical block 7, lost async page write
[ 1618.894405] Buffer I/O error on dev dm-0, logical block 8, lost async page write
[ 1618.894427] Buffer I/O error on dev dm-0, logical block 9, lost async page write
<snip>
Many I/O errors because the lower 8K device rejects sub-ubs/misaligned
requests.
with a patch:
urezki@pc638:~/bin$ sudo mkfs.ext4 -F /dev/dm-0
mke2fs 1.47.0 (5-Feb-2023)
Discarding device blocks: done
Creating filesystem with 2072576 4k blocks and 518144 inodes
Filesystem UUID: 9b54f44f-ef55-4bd4-9e40-c8b775a616ac
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632
Allocating group tables: done
Writing inode tables: done
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done
urezki@pc638:~/bin$ sudo mount /dev/dm-0 /mnt/
urezki@pc638:~/bin$ ls -al /mnt/
total 24
drwxr-xr-x 3 root root 4096 Oct 17 15:13 .
drwxr-xr-x 19 root root 4096 Jul 10 19:42 ..
drwx------ 2 root root 16384 Oct 17 15:13 lost+found
urezki@pc638:~/bin$
After this change: mkfs completes; mount succeeds.
Signed-off-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ebs-target.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/md/dm-ebs-target.c
+++ b/drivers/md/dm-ebs-target.c
@@ -101,7 +101,7 @@ static int __ebs_rw_bvec(struct ebs_c *e
} else {
flush_dcache_page(bv->bv_page);
memcpy(ba, pa, cur_len);
- dm_bufio_mark_partial_buffer_dirty(b, buf_off, buf_off + cur_len);
+ dm_bufio_mark_buffer_dirty(b);
}
dm_bufio_release(b);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 392/554] fbdev: gbefb: fix to use physical address instead of dma address
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 391/554] dm-ebs: Mark full buffer dirty even on partial write Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 393/554] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing Greg Kroah-Hartman
` (167 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, Helge Deller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rene Rebe <rene@exactco.de>
commit e3f44742bbb10537fe53d83d20dea2a7c167674d upstream.
While debuggigng why X would not start on mips64 Sgi/O2 I found the
phys adress being off. Turns out the gbefb passed the internal
dma_addr as phys. May be broken pre git history. Fix by converting
dma_to_phys.
Signed-off-by: René Rebe <rene@exactco.de>
Cc: <stable@vger.kernel.org> # v4.0+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/gbefb.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/video/fbdev/gbefb.c
+++ b/drivers/video/fbdev/gbefb.c
@@ -12,6 +12,7 @@
#include <linux/delay.h>
#include <linux/platform_device.h>
#include <linux/dma-mapping.h>
+#include <linux/dma-direct.h>
#include <linux/errno.h>
#include <linux/gfp.h>
#include <linux/fb.h>
@@ -65,7 +66,7 @@ struct gbefb_par {
static unsigned int gbe_mem_size = CONFIG_FB_GBE_MEM * 1024*1024;
static void *gbe_mem;
static dma_addr_t gbe_dma_addr;
-static unsigned long gbe_mem_phys;
+static phys_addr_t gbe_mem_phys;
static struct {
uint16_t *cpu;
@@ -1187,7 +1188,7 @@ static int gbefb_probe(struct platform_d
goto out_release_mem_region;
}
- gbe_mem_phys = (unsigned long) gbe_dma_addr;
+ gbe_mem_phys = dma_to_phys(&p_dev->dev, gbe_dma_addr);
}
par = info->par;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 393/554] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 392/554] fbdev: gbefb: fix to use physical address instead of dma address Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 394/554] fbdev: tcx.c fix mem_map to correct smem_start offset Greg Kroah-Hartman
` (166 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thorsten Blum, Helge Deller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thorsten Blum <thorsten.blum@linux.dev>
commit 0155e868cbc111846cc2809c1546ea53810a56ae upstream.
The variables were never clamped because the return value of clamp_val()
was not used. Fix this by assigning the clamped values, and use clamp()
instead of clamp_val().
Cc: stable@vger.kernel.org
Fixes: 3f16ff608a75 ("[ARM] pxafb: cleanup of the timing checking code")
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/pxafb.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/video/fbdev/pxafb.c
+++ b/drivers/video/fbdev/pxafb.c
@@ -418,12 +418,12 @@ static int pxafb_adjust_timing(struct px
var->yres = max_t(int, var->yres, MIN_YRES);
if (!(fbi->lccr0 & LCCR0_LCDT)) {
- clamp_val(var->hsync_len, 1, 64);
- clamp_val(var->vsync_len, 1, 64);
- clamp_val(var->left_margin, 1, 255);
- clamp_val(var->right_margin, 1, 255);
- clamp_val(var->upper_margin, 1, 255);
- clamp_val(var->lower_margin, 1, 255);
+ var->hsync_len = clamp(var->hsync_len, 1, 64);
+ var->vsync_len = clamp(var->vsync_len, 1, 64);
+ var->left_margin = clamp(var->left_margin, 1, 255);
+ var->right_margin = clamp(var->right_margin, 1, 255);
+ var->upper_margin = clamp(var->upper_margin, 1, 255);
+ var->lower_margin = clamp(var->lower_margin, 1, 255);
}
/* make sure each line is aligned on word boundary */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 394/554] fbdev: tcx.c fix mem_map to correct smem_start offset
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 393/554] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 395/554] media: cec: Fix debugfs leak on bus_register() failure Greg Kroah-Hartman
` (165 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, René Rebe, Helge Deller
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
commit 35fa2b4bf96415b88d7edaa5cf8af5185d9ce76e upstream.
403ae52ac047 ("sparc: fix drivers/video/tcx.c warning") changed the
physbase initializing breaking the user-space mmap, e.g. for Xorg
entirely.
Fix fbdev mmap table so the sbus mmap helper work correctly, and
not try to map vastly (physbase) offset memory.
Fixes: 403ae52ac047 ("sparc: fix drivers/video/tcx.c warning")
Cc: <stable@vger.kernel.org>
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/tcx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/tcx.c
+++ b/drivers/video/fbdev/tcx.c
@@ -436,7 +436,7 @@ static int tcx_probe(struct platform_dev
j = i;
break;
}
- par->mmap_map[i].poff = op->resource[j].start;
+ par->mmap_map[i].poff = op->resource[j].start - info->fix.smem_start;
}
info->flags = FBINFO_DEFAULT;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 395/554] media: cec: Fix debugfs leak on bus_register() failure
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 394/554] fbdev: tcx.c fix mem_map to correct smem_start offset Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 396/554] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() Greg Kroah-Hartman
` (164 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
commit c43bcd2b2aa3c2ca9d2433c3990ecbc2c47d10eb upstream.
In cec_devnode_init(), the debugfs directory created with
debugfs_create_dir() is not removed if bus_register() fails.
This leaves a stale "cec" entry in debugfs and prevents
proper module reloading.
Fix this by removing the debugfs directory in the error path.
Fixes: a56960e8b406 ("[media] cec: add HDMI CEC framework (core)")
Cc: stable@vger.kernel.org
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/cec/core/cec-core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/cec/core/cec-core.c
+++ b/drivers/media/cec/core/cec-core.c
@@ -433,6 +433,7 @@ static int __init cec_devnode_init(void)
ret = bus_register(&cec_bus_type);
if (ret < 0) {
+ debugfs_remove_recursive(top_cec_dir);
unregister_chrdev_region(cec_dev_t, CEC_NUM_DEVICES);
pr_warn("cec: bus_register failed\n");
return -EIO;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 396/554] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 395/554] media: cec: Fix debugfs leak on bus_register() failure Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 397/554] media: TDA1997x: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
` (163 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ivan Abramov, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Abramov <i.abramov@mt-integration.ru>
commit d2bceb2e20e783d57e739c71e4e50b4b9f4a3953 upstream.
It's possible for max1 to remain -1 if msp_read() always fail. This
variable is further used as index for accessing arrays.
Fix that by checking max1 prior to array accesses.
It seems that restart is the preferable action in case of out-of-bounds
value.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 8a4b275f9c19 ("V4L/DVB (3427): audmode and rxsubchans fixes (VIDIOC_G/S_TUNER)")
Cc: stable@vger.kernel.org
Signed-off-by: Ivan Abramov <i.abramov@mt-integration.ru>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/msp3400-kthreads.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/media/i2c/msp3400-kthreads.c
+++ b/drivers/media/i2c/msp3400-kthreads.c
@@ -596,6 +596,8 @@ restart:
"carrier2 val: %5d / %s\n", val, cd[i].name);
}
+ if (max1 < 0 || max1 > 3)
+ goto restart;
/* program the msp3400 according to the results */
state->main = msp3400c_carrier_detect_main[max1].cdo;
switch (max1) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 397/554] media: TDA1997x: Remove redundant cancel_delayed_work in probe
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 396/554] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 398/554] media: i2c: ADV7604: " Greg Kroah-Hartman
` (162 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 29de195ca39fc2ac0af6fd45522994df9f431f80 upstream.
The delayed_work delayed_work_enable_hpd is initialized with
INIT_DELAYED_WORK(), but it is never scheduled in tda1997x_probe().
Calling cancel_delayed_work() on a work that has never been
scheduled is redundant and unnecessary, as there is no pending
work to cancel.
Remove the redundant cancel_delayed_work() from error handling
path in tda1997x_probe() to avoid potential confusion.
Fixes: 9ac0038db9a7 ("media: i2c: Add TDA1997x HDMI receiver driver")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/tda1997x.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/media/i2c/tda1997x.c
+++ b/drivers/media/i2c/tda1997x.c
@@ -2780,7 +2780,6 @@ err_free_media:
err_free_handler:
v4l2_ctrl_handler_free(&state->hdl);
err_free_mutex:
- cancel_delayed_work(&state->delayed_work_enable_hpd);
mutex_destroy(&state->page_lock);
mutex_destroy(&state->lock);
err_free_state:
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 398/554] media: i2c: ADV7604: Remove redundant cancel_delayed_work in probe
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 397/554] media: TDA1997x: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 399/554] media: i2c: adv7842: " Greg Kroah-Hartman
` (161 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit 8f34f24355a607b98ecd9924837aab13c676eeca upstream.
The delayed_work delayed_work_enable_hotplug is initialized with
INIT_DELAYED_WORK() in adv76xx_probe(), but it is never scheduled
anywhere in the probe function.
Calling cancel_delayed_work() on a work that has never been
scheduled is redundant and unnecessary, as there is no pending
work to cancel.
Remove the redundant cancel_delayed_work() from error handling
path and adjust the goto label accordingly to simplify the code
and avoid potential confusion.
Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv7604.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/media/i2c/adv7604.c
+++ b/drivers/media/i2c/adv7604.c
@@ -3615,7 +3615,7 @@ static int adv76xx_probe(struct i2c_clie
err = media_entity_pads_init(&sd->entity, state->source_pad + 1,
state->pads);
if (err)
- goto err_work_queues;
+ goto err_i2c;
/* Configure regmaps */
err = configure_regmaps(state);
@@ -3656,8 +3656,6 @@ static int adv76xx_probe(struct i2c_clie
err_entity:
media_entity_cleanup(&sd->entity);
-err_work_queues:
- cancel_delayed_work(&state->delayed_work_enable_hotplug);
err_i2c:
adv76xx_unregister_clients(state);
err_hdl:
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 399/554] media: i2c: adv7842: Remove redundant cancel_delayed_work in probe
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 398/554] media: i2c: ADV7604: " Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 400/554] idr: fix idr_alloc() returning an ID out of range Greg Kroah-Hartman
` (160 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Hans Verkuil
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Duoming Zhou <duoming@zju.edu.cn>
commit e66a5cc606c58e72f18f9cdd868a3672e918f9f8 upstream.
The delayed_work delayed_work_enable_hotplug is initialized with
INIT_DELAYED_WORK() in adv7842_probe(), but it is never scheduled
anywhere in the probe function.
Calling cancel_delayed_work() on a work that has never been
scheduled is redundant and unnecessary, as there is no pending
work to cancel.
Remove the redundant cancel_delayed_work() from error handling
path and adjust the goto label accordingly to simplify the code
and avoid potential confusion.
Fixes: a89bcd4c6c20 ("[media] adv7842: add new video decoder driver")
Cc: stable@vger.kernel.org
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/adv7842.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/media/i2c/adv7842.c
+++ b/drivers/media/i2c/adv7842.c
@@ -3575,7 +3575,7 @@ static int adv7842_probe(struct i2c_clie
err = media_entity_pads_init(&sd->entity, ADV7842_PAD_SOURCE + 1,
state->pads);
if (err)
- goto err_work_queues;
+ goto err_i2c;
err = adv7842_core_init(sd);
if (err)
@@ -3596,8 +3596,6 @@ static int adv7842_probe(struct i2c_clie
err_entity:
media_entity_cleanup(&sd->entity);
-err_work_queues:
- cancel_delayed_work(&state->delayed_work_enable_hotplug);
err_i2c:
adv7842_unregister_clients(sd);
err_hdl:
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 400/554] idr: fix idr_alloc() returning an ID out of range
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 399/554] media: i2c: adv7842: " Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 401/554] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Greg Kroah-Hartman
` (159 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Wilcox (Oracle),
Jan Sokolowski, Koen Koning, Peter Senna Tschudin,
Christian König, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Wilcox (Oracle) <willy@infradead.org>
commit c6e8e595a0798ad67da0f7bebaf69c31ef70dfff upstream.
If you use an IDR with a non-zero base, and specify a range that lies
entirely below the base, 'max - base' becomes very large and
idr_get_free() can return an ID that lies outside of the requested range.
Link: https://lkml.kernel.org/r/20251128161853.3200058-1-willy@infradead.org
Fixes: 6ce711f27500 ("idr: Make 1-based IDRs more efficient")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reported-by: Jan Sokolowski <jan.sokolowski@intel.com>
Reported-by: Koen Koning <koen.koning@intel.com>
Reported-by: Peter Senna Tschudin <peter.senna@linux.intel.com>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6449
Reviewed-by: Christian König <christian.koenig@amd.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/idr.c | 2 ++
tools/testing/radix-tree/idr-test.c | 21 +++++++++++++++++++++
2 files changed, 23 insertions(+)
--- a/lib/idr.c
+++ b/lib/idr.c
@@ -40,6 +40,8 @@ int idr_alloc_u32(struct idr *idr, void
if (WARN_ON_ONCE(!(idr->idr_rt.xa_flags & ROOT_IS_IDR)))
idr->idr_rt.xa_flags |= IDR_RT_MARKER;
+ if (max < base)
+ return -ENOSPC;
id = (id < base) ? 0 : id - base;
radix_tree_iter_init(&iter, id);
--- a/tools/testing/radix-tree/idr-test.c
+++ b/tools/testing/radix-tree/idr-test.c
@@ -57,6 +57,26 @@ void idr_alloc_test(void)
idr_destroy(&idr);
}
+void idr_alloc2_test(void)
+{
+ int id;
+ struct idr idr = IDR_INIT_BASE(idr, 1);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL);
+ assert(id == -ENOSPC);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 1, 2, GFP_KERNEL);
+ assert(id == 1);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 0, 1, GFP_KERNEL);
+ assert(id == -ENOSPC);
+
+ id = idr_alloc(&idr, idr_alloc2_test, 0, 2, GFP_KERNEL);
+ assert(id == -ENOSPC);
+
+ idr_destroy(&idr);
+}
+
void idr_replace_test(void)
{
DEFINE_IDR(idr);
@@ -409,6 +429,7 @@ void idr_checks(void)
idr_replace_test();
idr_alloc_test();
+ idr_alloc2_test();
idr_null_test();
idr_nowait_test();
idr_get_next_test(0);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 401/554] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 400/554] idr: fix idr_alloc() returning an ID out of range Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 402/554] RDMA/cm: Fix leaking the multicast GID table reference Greg Kroah-Hartman
` (158 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+938fcd548c303fe33c1a,
Jason Gunthorpe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit a7b8e876e0ef0232b8076972c57ce9a7286b47ca upstream.
The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a
LS_NLA_TYPE_DGID attribute, it is invalid if it does not.
Use the nl parsing logic properly and call nla_parse_deprecated() to fill
the nlattrs array and then directly index that array to get the data for
the DGID. Just fail if it is NULL.
Remove the for loop searching for the nla, and squash the validation and
parsing into one function.
Fixes an uninitialized read from the stack triggered by userspace if it
does not provide the DGID to a kernel initiated RDMA_NL_LS_OP_IP_RESOLVE
query.
BUG: KMSAN: uninit-value in hex_byte_pack include/linux/hex.h:13 [inline]
BUG: KMSAN: uninit-value in ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
hex_byte_pack include/linux/hex.h:13 [inline]
ip6_string+0xef4/0x13a0 lib/vsprintf.c:1490
ip6_addr_string+0x18a/0x3e0 lib/vsprintf.c:1509
ip_addr_string+0x245/0xee0 lib/vsprintf.c:1633
pointer+0xc09/0x1bd0 lib/vsprintf.c:2542
vsnprintf+0xf8a/0x1bd0 lib/vsprintf.c:2930
vprintk_store+0x3ae/0x1530 kernel/printk/printk.c:2279
vprintk_emit+0x307/0xcd0 kernel/printk/printk.c:2426
vprintk_default+0x3f/0x50 kernel/printk/printk.c:2465
vprintk+0x36/0x50 kernel/printk/printk_safe.c:82
_printk+0x17e/0x1b0 kernel/printk/printk.c:2475
ib_nl_process_good_ip_rsep drivers/infiniband/core/addr.c:128 [inline]
ib_nl_handle_ip_res_resp+0x963/0x9d0 drivers/infiniband/core/addr.c:141
rdma_nl_rcv_msg drivers/infiniband/core/netlink.c:-1 [inline]
rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]
rdma_nl_rcv+0xefa/0x11c0 drivers/infiniband/core/netlink.c:259
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0xf04/0x12b0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x10b3/0x1250 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
__sock_sendmsg+0x333/0x3d0 net/socket.c:729
____sys_sendmsg+0x7e0/0xd80 net/socket.c:2617
___sys_sendmsg+0x271/0x3b0 net/socket.c:2671
__sys_sendmsg+0x1aa/0x300 net/socket.c:2703
__compat_sys_sendmsg net/compat.c:346 [inline]
__do_compat_sys_sendmsg net/compat.c:353 [inline]
__se_compat_sys_sendmsg net/compat.c:350 [inline]
__ia32_compat_sys_sendmsg+0xa4/0x100 net/compat.c:350
ia32_sys_call+0x3f6c/0x4310 arch/x86/include/generated/asm/syscalls_32.h:371
do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
__do_fast_syscall_32+0xb0/0x150 arch/x86/entry/syscall_32.c:306
do_fast_syscall_32+0x38/0x80 arch/x86/entry/syscall_32.c:331
do_SYSENTER_32+0x1f/0x30 arch/x86/entry/syscall_32.c:3
Link: https://patch.msgid.link/r/0-v1-3fbaef094271+2cf-rdma_op_ip_rslv_syz_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload")
Reported-by: syzbot+938fcd548c303fe33c1a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/r/68dc3dac.a00a0220.102ee.004f.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/addr.c | 33 ++++++++++-----------------------
1 file changed, 10 insertions(+), 23 deletions(-)
--- a/drivers/infiniband/core/addr.c
+++ b/drivers/infiniband/core/addr.c
@@ -81,37 +81,25 @@ static const struct nla_policy ib_nl_add
.min = sizeof(struct rdma_nla_ls_gid)},
};
-static inline bool ib_nl_is_good_ip_resp(const struct nlmsghdr *nlh)
+static void ib_nl_process_ip_rsep(const struct nlmsghdr *nlh)
{
struct nlattr *tb[LS_NLA_TYPE_MAX] = {};
+ union ib_gid gid;
+ struct addr_req *req;
+ int found = 0;
int ret;
if (nlh->nlmsg_flags & RDMA_NL_LS_F_ERR)
- return false;
+ return;
ret = nla_parse_deprecated(tb, LS_NLA_TYPE_MAX - 1, nlmsg_data(nlh),
nlmsg_len(nlh), ib_nl_addr_policy, NULL);
if (ret)
- return false;
-
- return true;
-}
-
-static void ib_nl_process_good_ip_rsep(const struct nlmsghdr *nlh)
-{
- const struct nlattr *head, *curr;
- union ib_gid gid;
- struct addr_req *req;
- int len, rem;
- int found = 0;
-
- head = (const struct nlattr *)nlmsg_data(nlh);
- len = nlmsg_len(nlh);
+ return;
- nla_for_each_attr(curr, head, len, rem) {
- if (curr->nla_type == LS_NLA_TYPE_DGID)
- memcpy(&gid, nla_data(curr), nla_len(curr));
- }
+ if (!tb[LS_NLA_TYPE_DGID])
+ return;
+ memcpy(&gid, nla_data(tb[LS_NLA_TYPE_DGID]), sizeof(gid));
spin_lock_bh(&lock);
list_for_each_entry(req, &req_list, list) {
@@ -138,8 +126,7 @@ int ib_nl_handle_ip_res_resp(struct sk_b
!(NETLINK_CB(skb).sk))
return -EPERM;
- if (ib_nl_is_good_ip_resp(nlh))
- ib_nl_process_good_ip_rsep(nlh);
+ ib_nl_process_ip_rsep(nlh);
return 0;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 402/554] RDMA/cm: Fix leaking the multicast GID table reference
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 401/554] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 403/554] e1000: fix OOB in e1000_tbi_should_accept() Greg Kroah-Hartman
` (157 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+b0da83a6c0e2e2bddbd4,
Jason Gunthorpe
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 57f3cb6c84159d12ba343574df2115fb18dd83ca upstream.
If the CM ID is destroyed while the CM event for multicast creating is
still queued the cancel_work_sync() will prevent the work from running
which also prevents destroying the ah_attr. This leaks a refcount and
triggers a WARN:
GID entry ref leak for dev syz1 index 2 ref=573
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 release_gid_table drivers/infiniband/core/cache.c:806 [inline]
WARNING: CPU: 1 PID: 655 at drivers/infiniband/core/cache.c:809 gid_table_release_one+0x284/0x3cc drivers/infiniband/core/cache.c:886
Destroy the ah_attr after canceling the work, it is safe to call this
twice.
Link: https://patch.msgid.link/r/0-v1-4285d070a6b2+20a-rdma_mc_gid_leak_syz_jgg@nvidia.com
Cc: stable@vger.kernel.org
Fixes: fe454dc31e84 ("RDMA/ucma: Fix use-after-free bug in ucma_create_uevent")
Reported-by: syzbot+b0da83a6c0e2e2bddbd4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68232e7b.050a0220.f2294.09f6.GAE@google.com
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/cma.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -1836,6 +1836,7 @@ static void destroy_mc(struct rdma_id_pr
ib_sa_free_multicast(mc->sa_mc);
if (rdma_protocol_roce(id_priv->id.device, id_priv->id.port_num)) {
+ struct rdma_cm_event *event = &mc->iboe_join.event;
struct rdma_dev_addr *dev_addr =
&id_priv->id.route.addr.dev_addr;
struct net_device *ndev = NULL;
@@ -1858,6 +1859,8 @@ static void destroy_mc(struct rdma_id_pr
dev_put(ndev);
cancel_work_sync(&mc->iboe_join.work);
+ if (event->event == RDMA_CM_EVENT_MULTICAST_JOIN)
+ rdma_destroy_ah_attr(&event->param.ud.ah_attr);
}
kfree(mc);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 403/554] e1000: fix OOB in e1000_tbi_should_accept()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 402/554] RDMA/cm: Fix leaking the multicast GID table reference Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 404/554] fjes: Add missing iounmap in fjes_hw_init() Greg Kroah-Hartman
` (156 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangshuo Li, Simon Horman,
Aleksandr Loktionov, Tony Nguyen
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangshuo Li <lgs201920130244@gmail.com>
commit 9c72a5182ed92904d01057f208c390a303f00a0f upstream.
In e1000_tbi_should_accept() we read the last byte of the frame via
'data[length - 1]' to evaluate the TBI workaround. If the descriptor-
reported length is zero or larger than the actual RX buffer size, this
read goes out of bounds and can hit unrelated slab objects. The issue
is observed from the NAPI receive path (e1000_clean_rx_irq):
==================================================================
BUG: KASAN: slab-out-of-bounds in e1000_tbi_should_accept+0x610/0x790
Read of size 1 at addr ffff888014114e54 by task sshd/363
CPU: 0 PID: 363 Comm: sshd Not tainted 5.18.0-rc1 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x5a/0x74
print_address_description+0x7b/0x440
print_report+0x101/0x200
kasan_report+0xc1/0xf0
e1000_tbi_should_accept+0x610/0x790
e1000_clean_rx_irq+0xa8c/0x1110
e1000_clean+0xde2/0x3c10
__napi_poll+0x98/0x380
net_rx_action+0x491/0xa20
__do_softirq+0x2c9/0x61d
do_softirq+0xd1/0x120
</IRQ>
<TASK>
__local_bh_enable_ip+0xfe/0x130
ip_finish_output2+0x7d5/0xb00
__ip_queue_xmit+0xe24/0x1ab0
__tcp_transmit_skb+0x1bcb/0x3340
tcp_write_xmit+0x175d/0x6bd0
__tcp_push_pending_frames+0x7b/0x280
tcp_sendmsg_locked+0x2e4f/0x32d0
tcp_sendmsg+0x24/0x40
sock_write_iter+0x322/0x430
vfs_write+0x56c/0xa60
ksys_write+0xd1/0x190
do_syscall_64+0x43/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f511b476b10
Code: 73 01 c3 48 8b 0d 88 d3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d f9 2b 2c 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e 9b 01 00 48 89 04 24
RSP: 002b:00007ffc9211d4e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000004024 RCX: 00007f511b476b10
RDX: 0000000000004024 RSI: 0000559a9385962c RDI: 0000000000000003
RBP: 0000559a9383a400 R08: fffffffffffffff0 R09: 0000000000004f00
R10: 0000000000000070 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc9211d57f R14: 0000559a9347bde7 R15: 0000000000000003
</TASK>
Allocated by task 1:
__kasan_krealloc+0x131/0x1c0
krealloc+0x90/0xc0
add_sysfs_param+0xcb/0x8a0
kernel_add_sysfs_param+0x81/0xd4
param_sysfs_builtin+0x138/0x1a6
param_sysfs_init+0x57/0x5b
do_one_initcall+0x104/0x250
do_initcall_level+0x102/0x132
do_initcalls+0x46/0x74
kernel_init_freeable+0x28f/0x393
kernel_init+0x14/0x1a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff888014114000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1620 bytes to the right of
2048-byte region [ffff888014114000, ffff888014114800]
The buggy address belongs to the physical page:
page:ffffea0000504400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14110
head:ffffea0000504400 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 0000000000000000 dead000000000001 ffff888013442000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
==================================================================
This happens because the TBI check unconditionally dereferences the last
byte without validating the reported length first:
u8 last_byte = *(data + length - 1);
Fix by rejecting the frame early if the length is zero, or if it exceeds
adapter->rx_buffer_len. This preserves the TBI workaround semantics for
valid frames and prevents touching memory beyond the RX buffer.
Fixes: 2037110c96d5 ("e1000: move tbi workaround code into helper function")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -4089,7 +4089,15 @@ static bool e1000_tbi_should_accept(stru
u32 length, const u8 *data)
{
struct e1000_hw *hw = &adapter->hw;
- u8 last_byte = *(data + length - 1);
+ u8 last_byte;
+
+ /* Guard against OOB on data[length - 1] */
+ if (unlikely(!length))
+ return false;
+ /* Upper bound: length must not exceed rx_buffer_len */
+ if (unlikely(length > adapter->rx_buffer_len))
+ return false;
+ last_byte = *(data + length - 1);
if (TBI_ACCEPT(hw, status, errors, length, last_byte)) {
unsigned long irq_flags;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 404/554] fjes: Add missing iounmap in fjes_hw_init()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 403/554] e1000: fix OOB in e1000_tbi_should_accept() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 405/554] nfsd: Drop the client reference in client_states_open() Greg Kroah-Hartman
` (155 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Simon Horman,
Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 15ef641a0c6728d25a400df73922e80ab2cf029c upstream.
In error paths, add fjes_hw_iounmap() to release the
resource acquired by fjes_hw_iomap(). Add a goto label
to do so.
Fixes: 8cdc3f6c5d22 ("fjes: Hardware initialization routine")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Simon Horman <horms@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251211073756.101824-1-lihaoxiang@isrc.iscas.ac.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/fjes/fjes_hw.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/fjes/fjes_hw.c
+++ b/drivers/net/fjes/fjes_hw.c
@@ -333,7 +333,7 @@ int fjes_hw_init(struct fjes_hw *hw)
ret = fjes_hw_reset(hw);
if (ret)
- return ret;
+ goto err_iounmap;
fjes_hw_set_irqmask(hw, REG_ICTL_MASK_ALL, true);
@@ -346,8 +346,10 @@ int fjes_hw_init(struct fjes_hw *hw)
hw->max_epid = fjes_hw_get_max_epid(hw);
hw->my_epid = fjes_hw_get_my_epid(hw);
- if ((hw->max_epid == 0) || (hw->my_epid >= hw->max_epid))
- return -ENXIO;
+ if ((hw->max_epid == 0) || (hw->my_epid >= hw->max_epid)) {
+ ret = -ENXIO;
+ goto err_iounmap;
+ }
ret = fjes_hw_setup(hw);
@@ -355,6 +357,10 @@ int fjes_hw_init(struct fjes_hw *hw)
hw->hw_info.trace_size = FJES_DEBUG_BUFFER_SIZE;
return ret;
+
+err_iounmap:
+ fjes_hw_iounmap(hw);
+ return ret;
}
void fjes_hw_exit(struct fjes_hw *hw)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 405/554] nfsd: Drop the client reference in client_states_open()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 404/554] fjes: Add missing iounmap in fjes_hw_init() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 406/554] net: usb: sr9700: fix incorrect command used to write single register Greg Kroah-Hartman
` (154 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Haoxiang Li,
Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 1f941b2c23fd34c6f3b76d36f9d0a2528fa92b8f upstream.
In error path, call drop_client() to drop the reference
obtained by get_nfsdfs_clp().
Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -2802,8 +2802,10 @@ static int client_states_open(struct ino
return -ENXIO;
ret = seq_open(file, &states_seq_ops);
- if (ret)
+ if (ret) {
+ drop_client(clp);
return ret;
+ }
s = file->private_data;
s->private = clp;
return 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 406/554] net: usb: sr9700: fix incorrect command used to write single register
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 405/554] nfsd: Drop the client reference in client_states_open() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 407/554] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write Greg Kroah-Hartman
` (153 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ethan Nelson-Moore, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
commit fa0b198be1c6775bc7804731a43be5d899d19e7a upstream.
This fixes the device failing to initialize with "error reading MAC
address" for me, probably because the incorrect write of NCR_RST to
SR_NCR is not actually resetting the device.
Fixes: c9b37458e95629b1d1171457afdcc1bf1eb7881d ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
Cc: stable@vger.kernel.org
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Link: https://patch.msgid.link/20251221082400.50688-1-enelsonmoore@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/sr9700.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/usb/sr9700.c
+++ b/drivers/net/usb/sr9700.c
@@ -52,7 +52,7 @@ static int sr_read_reg(struct usbnet *de
static int sr_write_reg(struct usbnet *dev, u8 reg, u8 value)
{
- return usbnet_write_cmd(dev, SR_WR_REGS, SR_REQ_WR_REG,
+ return usbnet_write_cmd(dev, SR_WR_REG, SR_REQ_WR_REG,
value, reg, NULL, 0);
}
@@ -65,7 +65,7 @@ static void sr_write_async(struct usbnet
static void sr_write_reg_async(struct usbnet *dev, u8 reg, u8 value)
{
- usbnet_write_cmd_async(dev, SR_WR_REGS, SR_REQ_WR_REG,
+ usbnet_write_cmd_async(dev, SR_WR_REG, SR_REQ_WR_REG,
value, reg, NULL, 0);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 407/554] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 406/554] net: usb: sr9700: fix incorrect command used to write single register Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 408/554] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() Greg Kroah-Hartman
` (152 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+4ef89409a235d804c6c2,
Deepanshu Kartikey, Krzysztof Kozlowski, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Deepanshu Kartikey <kartikey406@gmail.com>
commit 1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 upstream.
A deadlock can occur between nfc_unregister_device() and rfkill_fop_write()
due to lock ordering inversion between device_lock and rfkill_global_mutex.
The problematic lock order is:
Thread A (rfkill_fop_write):
rfkill_fop_write()
mutex_lock(&rfkill_global_mutex)
rfkill_set_block()
nfc_rfkill_set_block()
nfc_dev_down()
device_lock(&dev->dev) <- waits for device_lock
Thread B (nfc_unregister_device):
nfc_unregister_device()
device_lock(&dev->dev)
rfkill_unregister()
mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex
This creates a classic ABBA deadlock scenario.
Fix this by moving rfkill_unregister() and rfkill_destroy() outside the
device_lock critical section. Store the rfkill pointer in a local variable
before releasing the lock, then call rfkill_unregister() after releasing
device_lock.
This change is safe because rfkill_fop_write() holds rfkill_global_mutex
while calling the rfkill callbacks, and rfkill_unregister() also acquires
rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will
wait for any ongoing callback to complete before proceeding, and
device_del() is only called after rfkill_unregister() returns, preventing
any use-after-free.
The similar lock ordering in nfc_register_device() (device_lock ->
rfkill_global_mutex via rfkill_register) is safe because during
registration the device is not yet in rfkill_list, so no concurrent
rfkill operations can occur on this device.
Fixes: 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device")
Cc: stable@vger.kernel.org
Reported-by: syzbot+4ef89409a235d804c6c2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4ef89409a235d804c6c2
Link: https://lore.kernel.org/all/20251217054908.178907-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20251218012355.279940-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/core.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/net/nfc/core.c
+++ b/net/nfc/core.c
@@ -1154,6 +1154,7 @@ EXPORT_SYMBOL(nfc_register_device);
void nfc_unregister_device(struct nfc_dev *dev)
{
int rc;
+ struct rfkill *rfk = NULL;
pr_debug("dev_name=%s\n", dev_name(&dev->dev));
@@ -1164,13 +1165,17 @@ void nfc_unregister_device(struct nfc_de
device_lock(&dev->dev);
if (dev->rfkill) {
- rfkill_unregister(dev->rfkill);
- rfkill_destroy(dev->rfkill);
+ rfk = dev->rfkill;
dev->rfkill = NULL;
}
dev->shutting_down = true;
device_unlock(&dev->dev);
+ if (rfk) {
+ rfkill_unregister(rfk);
+ rfkill_destroy(rfk);
+ }
+
if (dev->ops->check_presence) {
del_timer_sync(&dev->check_pres_timer);
cancel_work_sync(&dev->check_pres_work);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 408/554] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 407/554] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 409/554] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers Greg Kroah-Hartman
` (151 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kevin Hao, Xiaolei Wang, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
commit 99537d5c476cada9cf75aef9fa75579a31faadb9 upstream.
In the non-RT kernel, local_bh_disable() merely disables preemption,
whereas it maps to an actual spin lock in the RT kernel. Consequently,
when attempting to refill RX buffers via netdev_alloc_skb() in
macb_mac_link_up(), a deadlock scenario arises as follows:
WARNING: possible circular locking dependency detected
6.18.0-08691-g2061f18ad76e #39 Not tainted
------------------------------------------------------
kworker/0:0/8 is trying to acquire lock:
ffff00080369bbe0 (&bp->lock){+.+.}-{3:3}, at: macb_start_xmit+0x808/0xb7c
but task is already holding lock:
ffff000803698e58 (&queue->tx_ptr_lock){+...}-{3:3}, at: macb_start_xmit
+0x148/0xb7c
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&queue->tx_ptr_lock){+...}-{3:3}:
rt_spin_lock+0x50/0x1f0
macb_start_xmit+0x148/0xb7c
dev_hard_start_xmit+0x94/0x284
sch_direct_xmit+0x8c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
-> #2 (_xmit_ETHER#2){+...}-{3:3}:
rt_spin_lock+0x50/0x1f0
sch_direct_xmit+0x11c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
-> #1 ((softirq_ctrl.lock)){+.+.}-{3:3}:
lock_release+0x250/0x348
__local_bh_enable_ip+0x7c/0x240
__netdev_alloc_skb+0x1b4/0x1d8
gem_rx_refill+0xdc/0x240
gem_init_rings+0xb4/0x108
macb_mac_link_up+0x9c/0x2b4
phylink_resolve+0x170/0x614
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
-> #0 (&bp->lock){+.+.}-{3:3}:
__lock_acquire+0x15a8/0x2084
lock_acquire+0x1cc/0x350
rt_spin_lock+0x50/0x1f0
macb_start_xmit+0x808/0xb7c
dev_hard_start_xmit+0x94/0x284
sch_direct_xmit+0x8c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
other info that might help us debug this:
Chain exists of:
&bp->lock --> _xmit_ETHER#2 --> &queue->tx_ptr_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&queue->tx_ptr_lock);
lock(_xmit_ETHER#2);
lock(&queue->tx_ptr_lock);
lock(&bp->lock);
*** DEADLOCK ***
Call trace:
show_stack+0x18/0x24 (C)
dump_stack_lvl+0xa0/0xf0
dump_stack+0x18/0x24
print_circular_bug+0x28c/0x370
check_noncircular+0x198/0x1ac
__lock_acquire+0x15a8/0x2084
lock_acquire+0x1cc/0x350
rt_spin_lock+0x50/0x1f0
macb_start_xmit+0x808/0xb7c
dev_hard_start_xmit+0x94/0x284
sch_direct_xmit+0x8c/0x37c
__dev_queue_xmit+0x708/0x1120
neigh_resolve_output+0x148/0x28c
ip6_finish_output2+0x2c0/0xb2c
__ip6_finish_output+0x114/0x308
ip6_output+0xc4/0x4a4
mld_sendpack+0x220/0x68c
mld_ifc_work+0x2a8/0x4f4
process_one_work+0x20c/0x5f8
worker_thread+0x1b0/0x35c
kthread+0x144/0x200
ret_from_fork+0x10/0x20
Notably, invoking the mog_init_rings() callback upon link establishment
is unnecessary. Instead, we can exclusively call mog_init_rings() within
the ndo_open() callback. This adjustment resolves the deadlock issue.
Furthermore, since MACB_CAPS_MACB_IS_EMAC cases do not use mog_init_rings()
when opening the network interface via at91ether_open(), moving
mog_init_rings() to macb_open() also eliminates the MACB_CAPS_MACB_IS_EMAC
check.
Fixes: 633e98a711ac ("net: macb: use resolved link config in mac_link_up()")
Cc: stable@vger.kernel.org
Suggested-by: Kevin Hao <kexin.hao@windriver.com>
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Link: https://patch.msgid.link/20251222015624.1994551-1-xiaolei.wang@windriver.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/cadence/macb_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/cadence/macb_main.c
+++ b/drivers/net/ethernet/cadence/macb_main.c
@@ -777,7 +777,6 @@ static void macb_mac_link_up(struct phyl
/* Initialize rings & buffers as clearing MACB_BIT(TE) in link down
* cleared the pipeline and control registers.
*/
- bp->macbgem_ops.mog_init_rings(bp);
macb_init_buffers(bp);
for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue)
@@ -2478,6 +2477,8 @@ static void gem_init_rings(struct macb *
unsigned int q;
int i;
+ bp->macbgem_ops.mog_init_rings(bp);
+
for (q = 0, queue = bp->queues; q < bp->num_queues; ++q, ++queue) {
for (i = 0; i < bp->tx_ring_size; i++) {
desc = macb_tx_desc(queue, i);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 409/554] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 408/554] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 410/554] drm/ttm: Avoid NULL pointer deref for evicted BOs Greg Kroah-Hartman
` (150 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akhil P Oommen, Konrad Dybcio,
Rob Clark
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Akhil P Oommen <akhilpo@oss.qualcomm.com>
commit 779b68a5bf2764c8ed3aa800e41ba0d5d007e1e7 upstream.
REG_A6XX_GMU_AO_AHB_FENCE_CTRL register falls under GMU's register
range. So, use gmu_write() routines to write to this register.
Fixes: 1707add81551 ("drm/msm/a6xx: Add a6xx gpu state")
Cc: stable@vger.kernel.org
Signed-off-by: Akhil P Oommen <akhilpo@oss.qualcomm.com>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Patchwork: https://patchwork.freedesktop.org/patch/688993/
Message-ID: <20251118-kaana-gpu-support-v4-1-86eeb8e93fb6@oss.qualcomm.com>
Signed-off-by: Rob Clark <robin.clark@oss.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
+++ b/drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c
@@ -794,7 +794,7 @@ static void a6xx_get_gmu_registers(struc
return;
/* Set the fence to ALLOW mode so we can access the registers */
- gpu_write(gpu, REG_A6XX_GMU_AO_AHB_FENCE_CTRL, 0);
+ gmu_write(&a6xx_gpu->gmu, REG_A6XX_GMU_AO_AHB_FENCE_CTRL, 0);
_a6xx_get_gmu_registers(gpu, a6xx_state, &a6xx_gmu_reglist[2],
&a6xx_state->gmu_registers[2], false);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 410/554] drm/ttm: Avoid NULL pointer deref for evicted BOs
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 409/554] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 411/554] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb Greg Kroah-Hartman
` (149 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Simon Richter, Matthew Brost,
Shuicheng Lin, Christian König
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Richter <Simon.Richter@hogyros.de>
commit 491adc6a0f9903c32b05f284df1148de39e8e644 upstream.
It is possible for a BO to exist that is not currently associated with a
resource, e.g. because it has been evicted.
When devcoredump tries to read the contents of all BOs for dumping, we need
to expect this as well -- in this case, ENODATA is recorded instead of the
buffer contents.
Fixes: 7d08df5d0bd3 ("drm/ttm: Add ttm_bo_access")
Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2")
Cc: stable <stable@kernel.org>
Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/6271
Signed-off-by: Simon Richter <Simon.Richter@hogyros.de>
Reviewed-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Shuicheng Lin <shuicheng.lin@intel.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Link: https://patch.msgid.link/20251013161241.709916-1-Simon.Richter@hogyros.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/ttm/ttm_bo_vm.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c
@@ -427,6 +427,11 @@ int ttm_bo_vm_access(struct vm_area_stru
if (ret)
return ret;
+ if (!bo->resource) {
+ ret = -ENODATA;
+ goto unlock;
+ }
+
switch (bo->resource->mem_type) {
case TTM_PL_SYSTEM:
fallthrough;
@@ -441,6 +446,7 @@ int ttm_bo_vm_access(struct vm_area_stru
ret = -EIO;
}
+unlock:
ttm_bo_unreserve(bo);
return ret;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 411/554] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 410/554] drm/ttm: Avoid NULL pointer deref for evicted BOs Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 412/554] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Greg Kroah-Hartman
` (148 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lyude Paul, Dave Airlie
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lyude Paul <lyude@redhat.com>
commit 560271e10b2c86e95ea35afa9e79822e4847f07a upstream.
Since we recently started warning about uses of this function after the
atomic check phase completes, we've started getting warnings about this in
nouveau. It appears a misplaced drm_atomic_get_crtc_state() call has been
hiding in our .prepare_fb callback for a while.
So, fix this by adding a new nv50_head_atom_get_new() function and use that
in our .prepare_fb callback instead.
Signed-off-by: Lyude Paul <lyude@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Fixes: 1590700d94ac ("drm/nouveau/kms/nv50-: split each resource type into their own source files")
Cc: <stable@vger.kernel.org> # v4.18+
Link: https://patch.msgid.link/20251211190256.396742-1-lyude@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/dispnv50/atom.h | 13 +++++++++++++
drivers/gpu/drm/nouveau/dispnv50/wndw.c | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/nouveau/dispnv50/atom.h
+++ b/drivers/gpu/drm/nouveau/dispnv50/atom.h
@@ -152,8 +152,21 @@ static inline struct nv50_head_atom *
nv50_head_atom_get(struct drm_atomic_state *state, struct drm_crtc *crtc)
{
struct drm_crtc_state *statec = drm_atomic_get_crtc_state(state, crtc);
+
if (IS_ERR(statec))
return (void *)statec;
+
+ return nv50_head_atom(statec);
+}
+
+static inline struct nv50_head_atom *
+nv50_head_atom_get_new(struct drm_atomic_state *state, struct drm_crtc *crtc)
+{
+ struct drm_crtc_state *statec = drm_atomic_get_new_crtc_state(state, crtc);
+
+ if (!statec)
+ return NULL;
+
return nv50_head_atom(statec);
}
--- a/drivers/gpu/drm/nouveau/dispnv50/wndw.c
+++ b/drivers/gpu/drm/nouveau/dispnv50/wndw.c
@@ -565,7 +565,7 @@ nv50_wndw_prepare_fb(struct drm_plane *p
asyw->image.offset[0] = nvbo->offset;
if (wndw->func->prepare) {
- asyh = nv50_head_atom_get(asyw->state.state, asyw->state.crtc);
+ asyh = nv50_head_atom_get_new(asyw->state.state, asyw->state.crtc);
if (IS_ERR(asyh))
return PTR_ERR(asyh);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 412/554] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 411/554] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 413/554] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Greg Kroah-Hartman
` (147 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 7890e5b5bb6e386155c6e755fe70e0cdcc77f18e upstream.
damon_test_split_evenly_fail() is assuming all dynamic memory allocation
in it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-19-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/vaddr-test.h | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/mm/damon/vaddr-test.h
+++ b/mm/damon/vaddr-test.h
@@ -256,7 +256,16 @@ static void damon_test_split_evenly_fail
unsigned long start, unsigned long end, unsigned int nr_pieces)
{
struct damon_target *t = damon_new_target(42);
- struct damon_region *r = damon_new_region(start, end);
+ struct damon_region *r;
+
+ if (!t)
+ kunit_skip(test, "target alloc fail");
+
+ r = damon_new_region(start, end);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
KUNIT_EXPECT_EQ(test,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 413/554] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 412/554] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Greg Kroah-Hartman
@ 2026-01-15 16:47 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 414/554] RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Greg Kroah-Hartman
` (146 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 2b22d0fcc6320ba29b2122434c1d2f0785fb0a25 upstream.
damon_do_test_apply_three_regions() is assuming all dynamic memory
allocation in it will succeed. Those are indeed likely in the real use
cases since those allocations are too small to fail, but theoretically
those could fail. In the case, inappropriate memory access can happen.
Fix it by appropriately cleanup pre-allocated memory and skip the
execution of the remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-18-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: SeongJae Park <sj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/vaddr-test.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/damon/vaddr-test.h
+++ b/mm/damon/vaddr-test.h
@@ -141,8 +141,14 @@ static void damon_do_test_apply_three_re
int i;
t = damon_new_target(42);
+ if (!t)
+ kunit_skip(test, "target alloc fail");
for (i = 0; i < nr_regions / 2; i++) {
r = damon_new_region(regions[i * 2], regions[i * 2 + 1]);
+ if (!r) {
+ damon_destroy_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
}
damon_add_target(ctx, t);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 414/554] RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2026-01-15 16:47 ` [PATCH 5.15 413/554] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 415/554] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Greg Kroah-Hartman
` (145 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e2ce9e275ecc70a30b72,
Zhu Yanjun, Jason Gunthorpe, Sasha Levin, Ajay Kaher,
Shivani Agarwal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhu Yanjun <yanjun.zhu@linux.dev>
commit d0706bfd3ee40923c001c6827b786a309e2a8713 upstream.
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
strlen+0x93/0xa0 lib/string.c:420
__fortify_strlen include/linux/fortify-string.h:268 [inline]
get_kobj_path_length lib/kobject.c:118 [inline]
kobject_get_path+0x3f/0x2a0 lib/kobject.c:158
kobject_uevent_env+0x289/0x1870 lib/kobject_uevent.c:545
ib_register_device drivers/infiniband/core/device.c:1472 [inline]
ib_register_device+0x8cf/0xe00 drivers/infiniband/core/device.c:1393
rxe_register_device+0x275/0x320 drivers/infiniband/sw/rxe/rxe_verbs.c:1552
rxe_net_add+0x8e/0xe0 drivers/infiniband/sw/rxe/rxe_net.c:550
rxe_newlink+0x70/0x190 drivers/infiniband/sw/rxe/rxe.c:225
nldev_newlink+0x3a3/0x680 drivers/infiniband/core/nldev.c:1796
rdma_nl_rcv_msg+0x387/0x6e0 drivers/infiniband/core/netlink.c:195
rdma_nl_rcv_skb.constprop.0.isra.0+0x2e5/0x450
netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]
netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
____sys_sendmsg+0xa95/0xc70 net/socket.c:2566
___sys_sendmsg+0x134/0x1d0 net/socket.c:2620
__sys_sendmsg+0x16d/0x220 net/socket.c:2652
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
This problem is similar to the problem that the
commit 1d6a9e7449e2 ("RDMA/core: Fix use-after-free when rename device name")
fixes.
The root cause is: the function ib_device_rename() renames the name with
lock. But in the function kobject_uevent(), this name is accessed without
lock protection at the same time.
The solution is to add the lock protection when this name is accessed in
the function kobject_uevent().
Fixes: 779e0bf47632 ("RDMA/core: Do not indicate device ready when device enablement fails")
Link: https://patch.msgid.link/r/20250506151008.75701-1-yanjun.zhu@linux.dev
Reported-by: syzbot+e2ce9e275ecc70a30b72@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e2ce9e275ecc70a30b72
Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Ajay: Modified to apply on v5.10.y-v6.6.y
ib_device_notify_register() not present in v5.10.y-v6.6.y,
so directly added lock for kobject_uevent() ]
Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/core/device.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -1449,8 +1449,13 @@ int ib_register_device(struct ib_device
return ret;
}
dev_set_uevent_suppress(&device->dev, false);
+
+ down_read(&devices_rwsem);
+
/* Mark for userspace that device is ready */
kobject_uevent(&device->dev.kobj, KOBJ_ADD);
+
+ up_read(&devices_rwsem);
ib_device_put(device);
return 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 415/554] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 414/554] RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 416/554] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Greg Kroah-Hartman
` (144 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 0a63a0e7570b9b2631dfb8d836dc572709dce39e upstream.
damon_test_split_evenly_succ() is assuming all dynamic memory allocation
in it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-20-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/vaddr-test.h | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/mm/damon/vaddr-test.h
+++ b/mm/damon/vaddr-test.h
@@ -290,10 +290,17 @@ static void damon_test_split_evenly_succ
unsigned long start, unsigned long end, unsigned int nr_pieces)
{
struct damon_target *t = damon_new_target(42);
- struct damon_region *r = damon_new_region(start, end);
+ struct damon_region *r;
unsigned long expected_width = (end - start) / nr_pieces;
unsigned long i = 0;
+ if (!t)
+ kunit_skip(test, "target alloc fail");
+ r = damon_new_region(start, end);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
KUNIT_EXPECT_EQ(test,
damon_va_evenly_split_region(t, r, nr_pieces), 0);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 416/554] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 415/554] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 417/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Greg Kroah-Hartman
` (143 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit e16fdd4f754048d6e23c56bd8d920b71e41e3777 upstream.
damon_test_regions() is assuming all dynamic memory allocation in it will
succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-3-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -20,11 +20,17 @@ static void damon_test_regions(struct ku
struct damon_target *t;
r = damon_new_region(1, 2);
+ if (!r)
+ kunit_skip(test, "region alloc fail");
KUNIT_EXPECT_EQ(test, 1ul, r->ar.start);
KUNIT_EXPECT_EQ(test, 2ul, r->ar.end);
KUNIT_EXPECT_EQ(test, 0u, r->nr_accesses);
t = damon_new_target(42);
+ if (!t) {
+ damon_free_region(r);
+ kunit_skip(test, "target alloc fail");
+ }
KUNIT_EXPECT_EQ(test, 0u, damon_nr_regions(t));
damon_add_region(r, t);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 417/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 416/554] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 418/554] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Greg Kroah-Hartman
` (142 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 5e80d73f22043c59c8ad36452a3253937ed77955 upstream.
damon_test_split_at() is assuming all dynamic memory allocation in it will
succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-6-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -128,8 +128,19 @@ static void damon_test_split_at(struct k
struct damon_target *t;
struct damon_region *r;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
t = damon_new_target(42);
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "target alloc fail");
+ }
r = damon_new_region(0, 100);
+ if (!r) {
+ damon_destroy_ctx(c);
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
damon_split_region_at(c, t, r, 25);
KUNIT_EXPECT_EQ(test, r->ar.start, 0ul);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 418/554] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 417/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 419/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Greg Kroah-Hartman
` (141 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 0998d2757218771c59d5ca59ccf13d1542a38f17 upstream.
damon_test_merge_regions_of() is assuming all dynamic memory allocation in
it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-8-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -209,8 +209,14 @@ static void damon_test_merge_regions_of(
int i;
t = damon_new_target(42);
+ if (!t)
+ kunit_skip(test, "target alloc fail");
for (i = 0; i < ARRAY_SIZE(sa); i++) {
r = damon_new_region(sa[i], ea[i]);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses = nrs[i];
damon_add_region(r, t);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 419/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 418/554] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 420/554] mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Greg Kroah-Hartman
` (140 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 3d443dd29a1db7efa587a4bb0c06a497e13ca9e4 upstream.
damon_test_merge_two() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-7-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -161,10 +161,20 @@ static void damon_test_merge_two(struct
int i;
t = damon_new_target(42);
+ if (!t)
+ kunit_skip(test, "target alloc fail");
r = damon_new_region(0, 100);
+ if (!r) {
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses = 10;
damon_add_region(r, t);
r2 = damon_new_region(100, 300);
+ if (!r2) {
+ damon_free_target(t);
+ kunit_skip(test, "second region alloc fail");
+ }
r2->nr_accesses = 20;
damon_add_region(r2, t);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 420/554] mm/damon/tests/core-kunit: handle memory failure from damon_test_target()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 419/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 421/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Greg Kroah-Hartman
` (139 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit fafe953de2c661907c94055a2497c6b8dbfd26f3 upstream.
damon_test_target() is assuming all dynamic memory allocation in it will
succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-4-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -58,7 +58,14 @@ static void damon_test_target(struct kun
struct damon_ctx *c = damon_new_ctx();
struct damon_target *t;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
+
t = damon_new_target(42);
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "target alloc fail");
+ }
KUNIT_EXPECT_EQ(test, 42ul, t->id);
KUNIT_EXPECT_EQ(test, 0u, nr_damon_targets(c));
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 421/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 420/554] mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 422/554] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Greg Kroah-Hartman
` (138 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit eded254cb69044bd4abde87394ea44909708d7c0 upstream.
damon_test_split_regions_of() is assuming all dynamic memory allocation in
it will succeed. Those are indeed likely in the real use cases since
those allocations are too small to fail, but theoretically those could
fail. In the case, inappropriate memory access can happen. Fix it by
appropriately cleanup pre-allocated memory and skip the execution of the
remaining tests in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-9-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -255,15 +255,36 @@ static void damon_test_split_regions_of(
struct damon_target *t;
struct damon_region *r;
+ if (!c)
+ kunit_skip(test, "ctx alloc fail");
+
t = damon_new_target(42);
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "target alloc fail");
+ }
r = damon_new_region(0, 22);
+ if (!r) {
+ damon_destroy_ctx(c);
+ damon_free_target(t);
+ kunit_skip(test, "region alloc fail");
+ }
damon_add_region(r, t);
damon_split_regions_of(c, t, 2);
KUNIT_EXPECT_LE(test, damon_nr_regions(t), 2u);
damon_free_target(t);
t = damon_new_target(42);
+ if (!t) {
+ damon_destroy_ctx(c);
+ kunit_skip(test, "second target alloc fail");
+ }
r = damon_new_region(0, 220);
+ if (!r) {
+ damon_destroy_ctx(c);
+ damon_free_target(t);
+ kunit_skip(test, "second region alloc fail");
+ }
damon_add_region(r, t);
damon_split_regions_of(c, t, 4);
KUNIT_EXPECT_LE(test, damon_nr_regions(t), 4u);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 422/554] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 421/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 423/554] kbuild: Use CRC32 and a 1MiB dictionary for XZ compressed modules Greg Kroah-Hartman
` (137 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, Brendan Higgins,
David Gow, Kefeng Wang, Andrew Morton
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit f79f2fc44ebd0ed655239046be3e80e8804b5545 upstream.
damon_test_aggregate() is assuming all dynamic memory allocation in it
will succeed. Those are indeed likely in the real use cases since those
allocations are too small to fail, but theoretically those could fail. In
the case, inappropriate memory access can happen. Fix it by appropriately
cleanup pre-allocated memory and skip the execution of the remaining tests
in the failure cases.
Link: https://lkml.kernel.org/r/20251101182021.74868-5-sj@kernel.org
Fixes: 17ccae8bb5c9 ("mm/damon: add kunit tests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendan.higgins@linux.dev>
Cc: David Gow <davidgow@google.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: <stable@vger.kernel.org> [5.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core-test.h | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/mm/damon/core-test.h
+++ b/mm/damon/core-test.h
@@ -99,12 +99,22 @@ static void damon_test_aggregate(struct
struct damon_region *r;
int it, ir;
- damon_set_targets(ctx, target_ids, 3);
+ if (!ctx)
+ kunit_skip(test, "ctx alloc fail");
+
+ if (damon_set_targets(ctx, target_ids, 3)) {
+ damon_destroy_ctx(ctx);
+ kunit_skip(test, "target alloc fail");
+ }
it = 0;
damon_for_each_target(t, ctx) {
for (ir = 0; ir < 3; ir++) {
r = damon_new_region(saddr[it][ir], eaddr[it][ir]);
+ if (!r) {
+ damon_destroy_ctx(ctx);
+ kunit_skip(test, "region alloc fail");
+ }
r->nr_accesses = accesses[it][ir];
damon_add_region(r, t);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 423/554] kbuild: Use CRC32 and a 1MiB dictionary for XZ compressed modules
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 422/554] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 424/554] virtio_console: fix order of fields cols and rows Greg Kroah-Hartman
` (136 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Nybo Andersen,
Masahiro Yamada, Christoph Biedl
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Nybo Andersen <tweek@tweek.dk>
commit fbf5892df21a8ccfcb2fda0fd65bc3169c89ed28 upstream.
Kmod is now (since kmod commit 09c9f8c5df04 ("libkmod: Use kernel
decompression when available")) using the kernel decompressor, when
loading compressed modules.
However, the kernel XZ decompressor is XZ Embedded, which doesn't
handle CRC64 and dictionaries larger than 1MiB.
Use CRC32 and 1MiB dictionary when XZ compressing and installing
kernel modules.
Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050582
Signed-off-by: Martin Nybo Andersen <tweek@tweek.dk>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Cc: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
scripts/Makefile.modinst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/scripts/Makefile.modinst
+++ b/scripts/Makefile.modinst
@@ -95,7 +95,7 @@ endif
quiet_cmd_gzip = GZIP $@
cmd_gzip = $(KGZIP) -n -f $<
quiet_cmd_xz = XZ $@
- cmd_xz = $(XZ) --lzma2=dict=2MiB -f $<
+ cmd_xz = $(XZ) --check=crc32 --lzma2=dict=1MiB -f $<
quiet_cmd_zstd = ZSTD $@
cmd_zstd = $(ZSTD) -T0 --rm -f -q $<
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 424/554] virtio_console: fix order of fields cols and rows
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 423/554] kbuild: Use CRC32 and a 1MiB dictionary for XZ compressed modules Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 425/554] drm/vmwgfx: Fix a null-ptr access in the cursor snooper Greg Kroah-Hartman
` (135 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maximilian Immanuel Brandtner,
Michael S. Tsirkin, Filip Hejsek
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maximilian Immanuel Brandtner <maxbr@linux.ibm.com>
commit 5326ab737a47278dbd16ed3ee7380b26c7056ddd upstream.
According to section 5.3.6.2 (Multiport Device Operation) of the virtio
spec(version 1.2) a control buffer with the event VIRTIO_CONSOLE_RESIZE
is followed by a virtio_console_resize struct containing cols then rows.
The kernel implements this the wrong way around (rows then cols) resulting
in the two values being swapped.
Signed-off-by: Maximilian Immanuel Brandtner <maxbr@linux.ibm.com>
Message-Id: <20250324144300.905535-1-maxbr@linux.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Filip Hejsek <filip.hejsek@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/virtio_console.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1614,8 +1614,8 @@ static void handle_control_message(struc
break;
case VIRTIO_CONSOLE_RESIZE: {
struct {
- __virtio16 rows;
__virtio16 cols;
+ __virtio16 rows;
} size;
if (!is_console_port(port))
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 425/554] drm/vmwgfx: Fix a null-ptr access in the cursor snooper
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 424/554] virtio_console: fix order of fields cols and rows Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 426/554] usb: xhci: move link chain bit quirk checks into one helper function Greg Kroah-Hartman
` (134 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zack Rusin, Kuzey Arda Bulut,
Broadcom internal kernel review list, dri-devel, Ian Forbes,
Sasha Levin, Shivani Agarwal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zack Rusin <zack.rusin@broadcom.com>
[ Upstream commit 5ac2c0279053a2c5265d46903432fb26ae2d0da2 ]
Check that the resource which is converted to a surface exists before
trying to use the cursor snooper on it.
vmw_cmd_res_check allows explicit invalid (SVGA3D_INVALID_ID) identifiers
because some svga commands accept SVGA3D_INVALID_ID to mean "no surface",
unfortunately functions that accept the actual surfaces as objects might
(and in case of the cursor snooper, do not) be able to handle null
objects. Make sure that we validate not only the identifier (via the
vmw_cmd_res_check) but also check that the actual resource exists before
trying to do something with it.
Fixes unchecked null-ptr reference in the snooping code.
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Fixes: c0951b797e7d ("drm/vmwgfx: Refactor resource management")
Reported-by: Kuzey Arda Bulut <kuzeyardabulut@gmail.com>
Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
Cc: dri-devel@lists.freedesktop.org
Reviewed-by: Ian Forbes <ian.forbes@broadcom.com>
Link: https://lore.kernel.org/r/20250917153655.1968583-1-zack.rusin@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[Shivani: Modified to apply on v5.10.y-v6.1.y]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
@@ -1525,6 +1525,7 @@ static int vmw_cmd_dma(struct vmw_privat
SVGA3dCmdHeader *header)
{
struct vmw_buffer_object *vmw_bo = NULL;
+ struct vmw_resource *res;
struct vmw_surface *srf = NULL;
VMW_DECLARE_CMD_VAR(*cmd, SVGA3dCmdSurfaceDMA);
int ret;
@@ -1560,18 +1561,24 @@ static int vmw_cmd_dma(struct vmw_privat
dirty = (cmd->body.transfer == SVGA3D_WRITE_HOST_VRAM) ?
VMW_RES_DIRTY_SET : 0;
- ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface,
- dirty, user_surface_converter,
- &cmd->body.host.sid, NULL);
+ ret = vmw_cmd_res_check(dev_priv, sw_context, vmw_res_surface, dirty,
+ user_surface_converter, &cmd->body.host.sid,
+ NULL);
if (unlikely(ret != 0)) {
if (unlikely(ret != -ERESTARTSYS))
VMW_DEBUG_USER("could not find surface for DMA.\n");
return ret;
}
- srf = vmw_res_to_srf(sw_context->res_cache[vmw_res_surface].res);
+ res = sw_context->res_cache[vmw_res_surface].res;
+ if (!res) {
+ VMW_DEBUG_USER("Invalid DMA surface.\n");
+ return -EINVAL;
+ }
- vmw_kms_cursor_snoop(srf, sw_context->fp->tfile, &vmw_bo->base, header);
+ srf = vmw_res_to_srf(res);
+ vmw_kms_cursor_snoop(srf, sw_context->fp->tfile, &vmw_bo->base,
+ header);
return 0;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 426/554] usb: xhci: move link chain bit quirk checks into one helper function.
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 425/554] drm/vmwgfx: Fix a null-ptr access in the cursor snooper Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 427/554] usb: xhci: Apply the link chain quirk on NEC isoc endpoints Greg Kroah-Hartman
` (133 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Niklas Neronin, Mathias Nyman,
Shivani Agarwal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Neronin <niklas.neronin@linux.intel.com>
commit 7476a2215c07703db5e95efaa3fc5b9f957b9417 upstream.
Older 0.95 xHCI hosts and some other specific newer hosts require the
chain bit to be set for Link TRBs even if the link TRB is not in the
middle of a transfer descriptor (TD).
move the checks for all those cases into one xhci_link_chain_quirk()
function to clean up and avoid code duplication.
No functional changes.
[skip renaming chain_links flag, reword commit message -Mathias]
Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20240626124835.1023046-10-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Shivani: Modified to apply on v5.10.y-v6.1.y]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-mem.c | 10 ++--------
drivers/usb/host/xhci-ring.c | 8 ++------
drivers/usb/host/xhci.h | 7 +++++--
3 files changed, 9 insertions(+), 16 deletions(-)
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -133,10 +133,7 @@ static void xhci_link_rings(struct xhci_
if (!ring || !first || !last)
return;
- /* Set chain bit for 0.95 hosts, and for isoc rings on AMD 0.96 host */
- chain_links = !!(xhci_link_trb_quirk(xhci) ||
- (ring->type == TYPE_ISOC &&
- (xhci->quirks & XHCI_AMD_0x96_HOST)));
+ chain_links = xhci_link_chain_quirk(xhci, ring->type);
next = ring->enq_seg->next;
xhci_link_segments(ring->enq_seg, first, ring->type, chain_links);
@@ -326,10 +323,7 @@ static int xhci_alloc_segments_for_ring(
struct xhci_segment *prev;
bool chain_links;
- /* Set chain bit for 0.95 hosts, and for isoc rings on AMD 0.96 host */
- chain_links = !!(xhci_link_trb_quirk(xhci) ||
- (type == TYPE_ISOC &&
- (xhci->quirks & XHCI_AMD_0x96_HOST)));
+ chain_links = xhci_link_chain_quirk(xhci, type);
prev = xhci_segment_alloc(xhci, cycle_state, max_packet, flags);
if (!prev)
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -250,9 +250,7 @@ static void inc_enq(struct xhci_hcd *xhc
* AMD 0.96 host, carry over the chain bit of the previous TRB
* (which may mean the chain bit is cleared).
*/
- if (!(ring->type == TYPE_ISOC &&
- (xhci->quirks & XHCI_AMD_0x96_HOST)) &&
- !xhci_link_trb_quirk(xhci)) {
+ if (!xhci_link_chain_quirk(xhci, ring->type)) {
next->link.control &= cpu_to_le32(~TRB_CHAIN);
next->link.control |= cpu_to_le32(chain);
}
@@ -3425,9 +3423,7 @@ static int prepare_ring(struct xhci_hcd
/* If we're not dealing with 0.95 hardware or isoc rings
* on AMD 0.96 host, clear the chain bit.
*/
- if (!xhci_link_trb_quirk(xhci) &&
- !(ep_ring->type == TYPE_ISOC &&
- (xhci->quirks & XHCI_AMD_0x96_HOST)))
+ if (!xhci_link_chain_quirk(xhci, ep_ring->type))
ep_ring->enqueue->link.control &=
cpu_to_le32(~TRB_CHAIN);
else
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1768,9 +1768,12 @@ static inline void xhci_write_64(struct
lo_hi_writeq(val, regs);
}
-static inline int xhci_link_trb_quirk(struct xhci_hcd *xhci)
+
+/* Link TRB chain should always be set on 0.95 hosts, and AMD 0.96 ISOC rings */
+static inline bool xhci_link_chain_quirk(struct xhci_hcd *xhci, enum xhci_ring_type type)
{
- return xhci->quirks & XHCI_LINK_TRB_QUIRK;
+ return (xhci->quirks & XHCI_LINK_TRB_QUIRK) ||
+ (type == TYPE_ISOC && (xhci->quirks & XHCI_AMD_0x96_HOST));
}
/* xHCI debugging */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 427/554] usb: xhci: Apply the link chain quirk on NEC isoc endpoints
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 426/554] usb: xhci: move link chain bit quirk checks into one helper function Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 428/554] usb: gadget: udc: fix use-after-free in usb_gadget_state_work Greg Kroah-Hartman
` (132 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Pecio, Mathias Nyman,
Shivani Agarwal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Pecio <michal.pecio@gmail.com>
commit bb0ba4cb1065e87f9cc75db1fa454e56d0894d01 upstream.
Two clearly different specimens of NEC uPD720200 (one with start/stop
bug, one without) were seen to cause IOMMU faults after some Missed
Service Errors. Faulting address is immediately after a transfer ring
segment and patched dynamic debug messages revealed that the MSE was
received when waiting for a TD near the end of that segment:
[ 1.041954] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ffa08fe0
[ 1.042120] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09000 flags=0x0000]
[ 1.042146] xhci_hcd: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x0005 address=0xffa09040 flags=0x0000]
It gets even funnier if the next page is a ring segment accessible to
the HC. Below, it reports MSE in segment at ff1e8000, plows through a
zero-filled page at ff1e9000 and starts reporting events for TRBs in
page at ff1ea000 every microframe, instead of jumping to seg ff1e6000.
[ 7.041671] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.041999] xhci_hcd: Miss service interval error for slot 1 ep 2 expected TD DMA ff1e8fe0
[ 7.042011] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042028] xhci_hcd: All TDs skipped for slot 1 ep 2. Clear skip flag.
[ 7.042134] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042138] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042144] xhci_hcd: Looking for event-dma 00000000ff1ea040 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.042259] xhci_hcd: WARN: buffer overrun event for slot 1 ep 2 on endpoint
[ 7.042262] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 31
[ 7.042266] xhci_hcd: Looking for event-dma 00000000ff1ea050 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
At some point completion events change from Isoch Buffer Overrun to
Short Packet and the HC finally finds cycle bit mismatch in ff1ec000.
[ 7.098130] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098132] xhci_hcd: Looking for event-dma 00000000ff1ecc50 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098254] xhci_hcd: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 2 comp_code 13
[ 7.098256] xhci_hcd: Looking for event-dma 00000000ff1ecc60 trb-start 00000000ff1e6820 trb-end 00000000ff1e6820
[ 7.098379] xhci_hcd: Overrun event on slot 1 ep 2
It's possible that data from the isochronous device were written to
random buffers of pending TDs on other endpoints (either IN or OUT),
other devices or even other HCs in the same IOMMU domain.
Lastly, an error from a different USB device on another HC. Was it
caused by the above? I don't know, but it may have been. The disk
was working without any other issues and generated PCIe traffic to
starve the NEC of upstream BW and trigger those MSEs. The two HCs
shared one x1 slot by means of a commercial "PCIe splitter" board.
[ 7.162604] usb 10-2: reset SuperSpeed USB device number 3 using xhci_hcd
[ 7.178990] sd 9:0:0:0: [sdb] tag#0 UNKNOWN(0x2003) Result: hostbyte=0x07 driverbyte=DRIVER_OK cmd_age=0s
[ 7.179001] sd 9:0:0:0: [sdb] tag#0 CDB: opcode=0x28 28 00 04 02 ae 00 00 02 00 00
[ 7.179004] I/O error, dev sdb, sector 67284480 op 0x0:(READ) flags 0x80700 phys_seg 5 prio class 0
Fortunately, it appears that this ridiculous bug is avoided by setting
the chain bit of Link TRBs on isochronous rings. Other ancient HCs are
known which also expect the bit to be set and they ignore Link TRBs if
it's not. Reportedly, 0.95 spec guaranteed that the bit is set.
The bandwidth-starved NEC HC running a 32KB/uframe UVC endpoint reports
tens of MSEs per second and runs into the bug within seconds. Chaining
Link TRBs allows the same workload to run for many minutes, many times.
No negative side effects seen in UVC recording and UAC playback with a
few devices at full speed, high speed and SuperSpeed.
The problem doesn't reproduce on the newer Renesas uPD720201/uPD720202
and on old Etron EJ168 and VIA VL805 (but the VL805 has other bug).
[shorten line length of log snippets in commit messge -Mathias]
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20250306144954.3507700-14-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Shivani: Modified to apply on v5.10.y-v6.1.y]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci.h | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1769,11 +1769,20 @@ static inline void xhci_write_64(struct
}
-/* Link TRB chain should always be set on 0.95 hosts, and AMD 0.96 ISOC rings */
+/*
+ * Reportedly, some chapters of v0.95 spec said that Link TRB always has its chain bit set.
+ * Other chapters and later specs say that it should only be set if the link is inside a TD
+ * which continues from the end of one segment to the next segment.
+ *
+ * Some 0.95 hardware was found to misbehave if any link TRB doesn't have the chain bit set.
+ *
+ * 0.96 hardware from AMD and NEC was found to ignore unchained isochronous link TRBs when
+ * "resynchronizing the pipe" after a Missed Service Error.
+ */
static inline bool xhci_link_chain_quirk(struct xhci_hcd *xhci, enum xhci_ring_type type)
{
return (xhci->quirks & XHCI_LINK_TRB_QUIRK) ||
- (type == TYPE_ISOC && (xhci->quirks & XHCI_AMD_0x96_HOST));
+ (type == TYPE_ISOC && (xhci->quirks & (XHCI_AMD_0x96_HOST | XHCI_NEC_HOST)));
}
/* xHCI debugging */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 428/554] usb: gadget: udc: fix use-after-free in usb_gadget_state_work
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 427/554] usb: xhci: Apply the link chain quirk on NEC isoc endpoints Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 429/554] xhci: dbgtty: use IDR to support several dbc instances Greg Kroah-Hartman
` (131 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Jimmy Hu, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jimmy Hu <hhhuuu@google.com>
[ Upstream commit baeb66fbd4201d1c4325074e78b1f557dff89b5b ]
A race condition during gadget teardown can lead to a use-after-free
in usb_gadget_state_work(), as reported by KASAN:
BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0
Workqueue: events usb_gadget_state_work
The fundamental race occurs because a concurrent event (e.g., an
interrupt) can call usb_gadget_set_state() and schedule gadget->work
at any time during the cleanup process in usb_del_gadget().
Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after
device removal") attempted to fix this by moving flush_work() to after
device_del(). However, this does not fully solve the race, as a new
work item can still be scheduled *after* flush_work() completes but
before the gadget's memory is freed, leading to the same use-after-free.
This patch fixes the race condition robustly by introducing a 'teardown'
flag and a 'state_lock' spinlock to the usb_gadget struct. The flag is
set during cleanup in usb_del_gadget() *before* calling flush_work() to
prevent any new work from being scheduled once cleanup has commenced.
The scheduling site, usb_gadget_set_state(), now checks this flag under
the lock before queueing the work, thus safely closing the race window.
Fixes: 5702f75375aa9 ("usb: gadget: udc-core: move sysfs_notify() to a workqueue")
Cc: stable <stable@kernel.org>
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
Link: https://patch.msgid.link/20251023054945.233861-1-hhhuuu@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/core.c | 17 ++++++++++++++++-
include/linux/usb/gadget.h | 5 +++++
2 files changed, 21 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -1066,8 +1066,13 @@ static void usb_gadget_state_work(struct
void usb_gadget_set_state(struct usb_gadget *gadget,
enum usb_device_state state)
{
+ unsigned long flags;
+
+ spin_lock_irqsave(&gadget->state_lock, flags);
gadget->state = state;
- schedule_work(&gadget->work);
+ if (!gadget->teardown)
+ schedule_work(&gadget->work);
+ spin_unlock_irqrestore(&gadget->state_lock, flags);
}
EXPORT_SYMBOL_GPL(usb_gadget_set_state);
@@ -1298,6 +1303,8 @@ void usb_initialize_gadget(struct device
void (*release)(struct device *dev))
{
dev_set_name(&gadget->dev, "gadget");
+ spin_lock_init(&gadget->state_lock);
+ gadget->teardown = false;
INIT_WORK(&gadget->work, usb_gadget_state_work);
gadget->dev.parent = parent;
@@ -1478,6 +1485,7 @@ static void usb_gadget_remove_driver(str
void usb_del_gadget(struct usb_gadget *gadget)
{
struct usb_udc *udc = gadget->udc;
+ unsigned long flags;
if (!udc)
return;
@@ -1496,6 +1504,13 @@ void usb_del_gadget(struct usb_gadget *g
mutex_unlock(&udc_lock);
kobject_uevent(&udc->dev.kobj, KOBJ_REMOVE);
+ /*
+ * Set the teardown flag before flushing the work to prevent new work
+ * from being scheduled while we are cleaning up.
+ */
+ spin_lock_irqsave(&gadget->state_lock, flags);
+ gadget->teardown = true;
+ spin_unlock_irqrestore(&gadget->state_lock, flags);
flush_work(&gadget->work);
device_unregister(&udc->dev);
device_del(&gadget->dev);
--- a/include/linux/usb/gadget.h
+++ b/include/linux/usb/gadget.h
@@ -375,6 +375,9 @@ struct usb_gadget_ops {
* can handle. The UDC must support this and all slower speeds and lower
* number of lanes.
* @state: the state we are now (attached, suspended, configured, etc)
+ * @state_lock: Spinlock protecting the `state` and `teardown` members.
+ * @teardown: True if the device is undergoing teardown, used to prevent
+ * new work from being scheduled during cleanup.
* @name: Identifies the controller hardware type. Used in diagnostics
* and sometimes configuration.
* @dev: Driver model state for this abstract device.
@@ -449,6 +452,8 @@ struct usb_gadget {
enum usb_ssp_rate max_ssp_rate;
enum usb_device_state state;
+ spinlock_t state_lock;
+ bool teardown;
const char *name;
struct device dev;
unsigned isoch_delay;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 429/554] xhci: dbgtty: use IDR to support several dbc instances.
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 428/554] usb: gadget: udc: fix use-after-free in usb_gadget_state_work Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 430/554] xhci: dbgtty: fix device unregister Greg Kroah-Hartman
` (130 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mathias Nyman, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
[ Upstream commit e1ec140f273e1e30cea7e6d5f50934d877232121 ]
To support systems with several xhci controllers with active
dbc on each xhci we need to use IDR to identify and give
an index to each port.
Avoid using global struct tty_driver.driver_state for storing
dbc port pointer as it won't work with several dbc ports
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20220216095153.1303105-6-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 1f73b8b56cf3 ("xhci: dbgtty: fix device unregister")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-dbgcap.h | 1
drivers/usb/host/xhci-dbgtty.c | 46 ++++++++++++++++++++++++++++++++++-------
2 files changed, 40 insertions(+), 7 deletions(-)
--- a/drivers/usb/host/xhci-dbgcap.h
+++ b/drivers/usb/host/xhci-dbgcap.h
@@ -102,6 +102,7 @@ struct dbc_ep {
struct dbc_port {
struct tty_port port;
spinlock_t port_lock; /* port access */
+ int minor;
struct list_head read_pool;
struct list_head read_queue;
--- a/drivers/usb/host/xhci-dbgtty.c
+++ b/drivers/usb/host/xhci-dbgtty.c
@@ -10,6 +10,7 @@
#include <linux/slab.h>
#include <linux/tty.h>
#include <linux/tty_flip.h>
+#include <linux/idr.h>
#include "xhci.h"
#include "xhci-dbgcap.h"
@@ -18,6 +19,8 @@ static int dbc_tty_init(void);
static void dbc_tty_exit(void);
static struct tty_driver *dbc_tty_driver;
+static struct idr dbc_tty_minors;
+static DEFINE_MUTEX(dbc_tty_minors_lock);
static inline struct dbc_port *dbc_to_port(struct xhci_dbc *dbc)
{
@@ -195,7 +198,14 @@ xhci_dbc_free_requests(struct list_head
static int dbc_tty_install(struct tty_driver *driver, struct tty_struct *tty)
{
- struct dbc_port *port = driver->driver_state;
+ struct dbc_port *port;
+
+ mutex_lock(&dbc_tty_minors_lock);
+ port = idr_find(&dbc_tty_minors, tty->index);
+ mutex_unlock(&dbc_tty_minors_lock);
+
+ if (!port)
+ return -ENXIO;
tty->driver_data = port;
@@ -424,6 +434,15 @@ static int xhci_dbc_tty_register_device(
xhci_dbc_tty_init_port(dbc, port);
+ mutex_lock(&dbc_tty_minors_lock);
+ port->minor = idr_alloc(&dbc_tty_minors, port, 0, 64, GFP_KERNEL);
+ mutex_unlock(&dbc_tty_minors_lock);
+
+ if (port->minor < 0) {
+ ret = port->minor;
+ goto err_idr;
+ }
+
ret = kfifo_alloc(&port->write_fifo, DBC_WRITE_BUF_SIZE, GFP_KERNEL);
if (ret)
goto err_exit_port;
@@ -439,7 +458,7 @@ static int xhci_dbc_tty_register_device(
goto err_free_requests;
tty_dev = tty_port_register_device(&port->port,
- dbc_tty_driver, 0, NULL);
+ dbc_tty_driver, port->minor, NULL);
if (IS_ERR(tty_dev)) {
ret = PTR_ERR(tty_dev);
goto err_free_requests;
@@ -455,6 +474,8 @@ err_free_requests:
err_free_fifo:
kfifo_free(&port->write_fifo);
err_exit_port:
+ idr_remove(&dbc_tty_minors, port->minor);
+err_idr:
xhci_dbc_tty_exit_port(port);
dev_err(dbc->dev, "can't register tty port, err %d\n", ret);
@@ -468,10 +489,14 @@ static void xhci_dbc_tty_unregister_devi
if (!port->registered)
return;
- tty_unregister_device(dbc_tty_driver, 0);
+ tty_unregister_device(dbc_tty_driver, port->minor);
xhci_dbc_tty_exit_port(port);
port->registered = false;
+ mutex_lock(&dbc_tty_minors_lock);
+ idr_remove(&dbc_tty_minors, port->minor);
+ mutex_unlock(&dbc_tty_minors_lock);
+
kfifo_free(&port->write_fifo);
xhci_dbc_free_requests(&port->read_pool);
xhci_dbc_free_requests(&port->read_queue);
@@ -500,9 +525,8 @@ int xhci_dbc_tty_probe(struct device *de
goto out;
}
- dbc_tty_driver->driver_state = port;
-
dbc = xhci_alloc_dbc(dev, base, &dbc_driver);
+
if (!dbc) {
status = -ENOMEM;
goto out2;
@@ -541,10 +565,14 @@ static int dbc_tty_init(void)
{
int ret;
- dbc_tty_driver = tty_alloc_driver(1, TTY_DRIVER_REAL_RAW |
+ idr_init(&dbc_tty_minors);
+
+ dbc_tty_driver = tty_alloc_driver(64, TTY_DRIVER_REAL_RAW |
TTY_DRIVER_DYNAMIC_DEV);
- if (IS_ERR(dbc_tty_driver))
+ if (IS_ERR(dbc_tty_driver)) {
+ idr_destroy(&dbc_tty_minors);
return PTR_ERR(dbc_tty_driver);
+ }
dbc_tty_driver->driver_name = "dbc_serial";
dbc_tty_driver->name = "ttyDBC";
@@ -564,7 +592,9 @@ static int dbc_tty_init(void)
if (ret) {
pr_err("Can't register dbc tty driver\n");
tty_driver_kref_put(dbc_tty_driver);
+ idr_destroy(&dbc_tty_minors);
}
+
return ret;
}
@@ -575,4 +605,6 @@ static void dbc_tty_exit(void)
tty_driver_kref_put(dbc_tty_driver);
dbc_tty_driver = NULL;
}
+
+ idr_destroy(&dbc_tty_minors);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 430/554] xhci: dbgtty: fix device unregister
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 429/554] xhci: dbgtty: use IDR to support several dbc instances Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 431/554] jbd2: fix the inconsistency between checksum and data in memory for journal sb Greg Kroah-Hartman
` (129 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Łukasz Bartosik,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Łukasz Bartosik <ukaszb@chromium.org>
[ Upstream commit 1f73b8b56cf35de29a433aee7bfff26cea98be3f ]
When DbC is disconnected then xhci_dbc_tty_unregister_device()
is called. However if there is any user space process blocked
on write to DbC terminal device then it will never be signalled
and thus stay blocked indifinitely.
This fix adds a tty_vhangup() call in xhci_dbc_tty_unregister_device().
The tty_vhangup() wakes up any blocked writers and causes subsequent
write attempts to DbC terminal device to fail.
Cc: stable <stable@kernel.org>
Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver")
Signed-off-by: Łukasz Bartosik <ukaszb@chromium.org>
Link: https://patch.msgid.link/20251119212910.1245694-1-ukaszb@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-dbgtty.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/usb/host/xhci-dbgtty.c
+++ b/drivers/usb/host/xhci-dbgtty.c
@@ -489,6 +489,12 @@ static void xhci_dbc_tty_unregister_devi
if (!port->registered)
return;
+ /*
+ * Hang up the TTY. This wakes up any blocked
+ * writers and causes subsequent writes to fail.
+ */
+ tty_vhangup(port->port.tty);
+
tty_unregister_device(dbc_tty_driver, port->minor);
xhci_dbc_tty_exit_port(port);
port->registered = false;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 431/554] jbd2: fix the inconsistency between checksum and data in memory for journal sb
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 430/554] xhci: dbgtty: fix device unregister Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 432/554] tpm: Cap the number of PCR banks Greg Kroah-Hartman
` (128 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Baokun Li, Darrick J. Wong,
Jan Kara, Theodore Tso, stable, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 6abfe107894af7e8ce3a2e120c619d81ee764ad5 ]
Copying the file system while it is mounted as read-only results in
a mount failure:
[~]# mkfs.ext4 -F /dev/sdc
[~]# mount /dev/sdc -o ro /mnt/test
[~]# dd if=/dev/sdc of=/dev/sda bs=1M
[~]# mount /dev/sda /mnt/test1
[ 1094.849826] JBD2: journal checksum error
[ 1094.850927] EXT4-fs (sda): Could not load journal inode
mount: mount /dev/sda on /mnt/test1 failed: Bad message
The process described above is just an abstracted way I came up with to
reproduce the issue. In the actual scenario, the file system was mounted
read-only and then copied while it was still mounted. It was found that
the mount operation failed. The user intended to verify the data or use
it as a backup, and this action was performed during a version upgrade.
Above issue may happen as follows:
ext4_fill_super
set_journal_csum_feature_set(sb)
if (ext4_has_metadata_csum(sb))
incompat = JBD2_FEATURE_INCOMPAT_CSUM_V3;
if (test_opt(sb, JOURNAL_CHECKSUM)
jbd2_journal_set_features(sbi->s_journal, compat, 0, incompat);
lock_buffer(journal->j_sb_buffer);
sb->s_feature_incompat |= cpu_to_be32(incompat);
//The data in the journal sb was modified, but the checksum was not
updated, so the data remaining in memory has a mismatch between the
data and the checksum.
unlock_buffer(journal->j_sb_buffer);
In this case, the journal sb copied over is in a state where the checksum
and data are inconsistent, so mounting fails.
To solve the above issue, update the checksum in memory after modifying
the journal sb.
Fixes: 4fd5ea43bc11 ("jbd2: checksum journal superblock")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-ID: <20251103010123.3753631-1-yebin@huaweicloud.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[ Changed jbd2_superblock_csum(sb) to jbd2_superblock_csum(journal, sb) ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -2390,6 +2390,12 @@ int jbd2_journal_set_features(journal_t
sb->s_feature_compat |= cpu_to_be32(compat);
sb->s_feature_ro_compat |= cpu_to_be32(ro);
sb->s_feature_incompat |= cpu_to_be32(incompat);
+ /*
+ * Update the checksum now so that it is valid even for read-only
+ * filesystems where jbd2_write_superblock() doesn't get called.
+ */
+ if (jbd2_journal_has_csum_v2or3(journal))
+ sb->s_checksum = jbd2_superblock_csum(journal, sb);
unlock_buffer(journal->j_sb_buffer);
journal->j_revoke_records_per_block =
journal_revoke_records_per_block(journal);
@@ -2420,9 +2426,17 @@ void jbd2_journal_clear_features(journal
sb = journal->j_superblock;
+ lock_buffer(journal->j_sb_buffer);
sb->s_feature_compat &= ~cpu_to_be32(compat);
sb->s_feature_ro_compat &= ~cpu_to_be32(ro);
sb->s_feature_incompat &= ~cpu_to_be32(incompat);
+ /*
+ * Update the checksum now so that it is valid even for read-only
+ * filesystems where jbd2_write_superblock() doesn't get called.
+ */
+ if (jbd2_journal_has_csum_v2or3(journal))
+ sb->s_checksum = jbd2_superblock_csum(journal, sb);
+ unlock_buffer(journal->j_sb_buffer);
journal->j_revoke_records_per_block =
journal_revoke_records_per_block(journal);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 432/554] tpm: Cap the number of PCR banks
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 431/554] jbd2: fix the inconsistency between checksum and data in memory for journal sb Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 433/554] btrfs: dont rewrite ret from inode_permission Greg Kroah-Hartman
` (127 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lai Yi, Jonathan McDowell,
Roberto Sassu, Jarkko Sakkinen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
[ Upstream commit faf07e611dfa464b201223a7253e9dc5ee0f3c9e ]
tpm2_get_pcr_allocation() does not cap any upper limit for the number of
banks. Cap the limit to eight banks so that out of bounds values coming
from external I/O cause on only limited harm.
Cc: stable@vger.kernel.org # v5.10+
Fixes: bcfff8384f6c ("tpm: dynamically allocate the allocated_banks array")
Tested-by: Lai Yi <yi1.lai@linux.intel.com>
Reviewed-by: Jonathan McDowell <noodles@meta.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@opinsys.com>
[ added backward-compatible define for TPM_MAX_DIGEST_SIZE to support older ima_init.c code still using that macro name ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm-chip.c | 1 -
drivers/char/tpm/tpm1-cmd.c | 5 -----
drivers/char/tpm/tpm2-cmd.c | 8 +++-----
include/linux/tpm.h | 9 ++++++---
4 files changed, 9 insertions(+), 14 deletions(-)
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -269,7 +269,6 @@ static void tpm_dev_release(struct devic
kfree(chip->work_space.context_buf);
kfree(chip->work_space.session_buf);
- kfree(chip->allocated_banks);
kfree(chip);
}
--- a/drivers/char/tpm/tpm1-cmd.c
+++ b/drivers/char/tpm/tpm1-cmd.c
@@ -794,11 +794,6 @@ int tpm1_pm_suspend(struct tpm_chip *chi
*/
int tpm1_get_pcr_allocation(struct tpm_chip *chip)
{
- chip->allocated_banks = kcalloc(1, sizeof(*chip->allocated_banks),
- GFP_KERNEL);
- if (!chip->allocated_banks)
- return -ENOMEM;
-
chip->allocated_banks[0].alg_id = TPM_ALG_SHA1;
chip->allocated_banks[0].digest_size = hash_digest_size[HASH_ALGO_SHA1];
chip->allocated_banks[0].crypto_id = HASH_ALGO_SHA1;
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -574,11 +574,9 @@ ssize_t tpm2_get_pcr_allocation(struct t
nr_possible_banks = be32_to_cpup(
(__be32 *)&buf.data[TPM_HEADER_SIZE + 5]);
-
- chip->allocated_banks = kcalloc(nr_possible_banks,
- sizeof(*chip->allocated_banks),
- GFP_KERNEL);
- if (!chip->allocated_banks) {
+ if (nr_possible_banks > TPM2_MAX_PCR_BANKS) {
+ pr_err("tpm: out of bank capacity: %u > %u\n",
+ nr_possible_banks, TPM2_MAX_PCR_BANKS);
rc = -ENOMEM;
goto out;
}
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -25,7 +25,10 @@
#include <crypto/hash_info.h>
#define TPM_DIGEST_SIZE 20 /* Max TPM v1.2 PCR size */
-#define TPM_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
+
+#define TPM2_MAX_DIGEST_SIZE SHA512_DIGEST_SIZE
+#define TPM2_MAX_PCR_BANKS 8
+#define TPM_MAX_DIGEST_SIZE TPM2_MAX_DIGEST_SIZE
struct tpm_chip;
struct trusted_key_payload;
@@ -51,7 +54,7 @@ enum tpm_algorithms {
struct tpm_digest {
u16 alg_id;
- u8 digest[TPM_MAX_DIGEST_SIZE];
+ u8 digest[TPM2_MAX_DIGEST_SIZE];
} __packed;
struct tpm_bank_info {
@@ -157,7 +160,7 @@ struct tpm_chip {
unsigned int groups_cnt;
u32 nr_allocated_banks;
- struct tpm_bank_info *allocated_banks;
+ struct tpm_bank_info allocated_banks[TPM2_MAX_PCR_BANKS];
#ifdef CONFIG_ACPI
acpi_handle acpi_dev_handle;
char ppi_version[TPM_PPI_VERSION_LEN + 1];
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 433/554] btrfs: dont rewrite ret from inode_permission
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 432/554] tpm: Cap the number of PCR banks Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 434/554] wifi: mt76: Fix DTS power-limits on little endian systems Greg Kroah-Hartman
` (126 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Josef Bacik,
Daniel Vacek, David Sterba, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 0185c2292c600993199bc6b1f342ad47a9e8c678 ]
In our user safe ino resolve ioctl we'll just turn any ret into -EACCES
from inode_permission(). This is redundant, and could potentially be
wrong if we had an ENOMEM in the security layer or some such other
error, so simply return the actual return value.
Note: The patch was taken from v5 of fscrypt patchset
(https://lore.kernel.org/linux-btrfs/cover.1706116485.git.josef@toxicpanda.com/)
which was handled over time by various people: Omar Sandoval, Sweet Tea
Dorminy, Josef Bacik.
Fixes: 23d0b79dfaed ("btrfs: Add unprivileged version of ino_lookup ioctl")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Daniel Vacek <neelx@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ add note ]
Signed-off-by: David Sterba <dsterba@suse.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/ioctl.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2553,10 +2553,8 @@ static int btrfs_search_path_in_tree_use
ret = inode_permission(mnt_userns, temp_inode,
MAY_READ | MAY_EXEC);
iput(temp_inode);
- if (ret) {
- ret = -EACCES;
+ if (ret)
goto out_put;
- }
if (key.offset == upper_limit.objectid)
break;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 434/554] wifi: mt76: Fix DTS power-limits on little endian systems
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 433/554] btrfs: dont rewrite ret from inode_permission Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 435/554] ALSA: wavefront: Clear substream pointers on close Greg Kroah-Hartman
` (125 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Eckelmann (Plasma Cloud),
Felix Fietkau, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Sven Eckelmann (Plasma Cloud)" <se@simonwunderlich.de>
[ Upstream commit 38b845e1f9e810869b0a0b69f202b877b7b7fb12 ]
The power-limits for ru and mcs and stored in the devicetree as bytewise
array (often with sizes which are not a multiple of 4). These arrays have a
prefix which defines for how many modes a line is applied. This prefix is
also only a byte - but the code still tried to fix the endianness of this
byte with a be32 operation. As result, loading was mostly failing or was
sending completely unexpected values to the firmware.
Since the other rates are also stored in the devicetree as bytewise arrays,
just drop the u32 access + be32_to_cpu conversion and directly access them
as bytes arrays.
Cc: stable@vger.kernel.org
Fixes: 22b980badc0f ("mt76: add functions for parsing rate power limits from DT")
Fixes: a9627d992b5e ("mt76: extend DT rate power limits to support 11ax devices")
Signed-off-by: Sven Eckelmann (Plasma Cloud) <se@simonwunderlich.de>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mediatek/mt76/eeprom.c | 37 ++++++++++++++++++----------
1 file changed, 24 insertions(+), 13 deletions(-)
--- a/drivers/net/wireless/mediatek/mt76/eeprom.c
+++ b/drivers/net/wireless/mediatek/mt76/eeprom.c
@@ -173,6 +173,19 @@ mt76_get_of_array(struct device_node *np
return prop->value;
}
+static const s8 *
+mt76_get_of_array_s8(struct device_node *np, char *name, size_t *len, int min)
+{
+ struct property *prop = of_find_property(np, name, NULL);
+
+ if (!prop || !prop->value || prop->length < min)
+ return NULL;
+
+ *len = prop->length;
+
+ return prop->value;
+}
+
static struct device_node *
mt76_find_channel_node(struct device_node *np, struct ieee80211_channel *chan)
{
@@ -212,7 +225,7 @@ mt76_get_txs_delta(struct device_node *n
}
static void
-mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const __be32 *data,
+mt76_apply_array_limit(s8 *pwr, size_t pwr_len, const s8 *data,
s8 target_power, s8 nss_delta, s8 *max_power)
{
int i;
@@ -221,15 +234,14 @@ mt76_apply_array_limit(s8 *pwr, size_t p
return;
for (i = 0; i < pwr_len; i++) {
- pwr[i] = min_t(s8, target_power,
- be32_to_cpu(data[i]) + nss_delta);
+ pwr[i] = min_t(s8, target_power, data[i] + nss_delta);
*max_power = max(*max_power, pwr[i]);
}
}
static void
mt76_apply_multi_array_limit(s8 *pwr, size_t pwr_len, s8 pwr_num,
- const __be32 *data, size_t len, s8 target_power,
+ const s8 *data, size_t len, s8 target_power,
s8 nss_delta, s8 *max_power)
{
int i, cur;
@@ -237,8 +249,7 @@ mt76_apply_multi_array_limit(s8 *pwr, si
if (!data)
return;
- len /= 4;
- cur = be32_to_cpu(data[0]);
+ cur = data[0];
for (i = 0; i < pwr_num; i++) {
if (len < pwr_len + 1)
break;
@@ -253,7 +264,7 @@ mt76_apply_multi_array_limit(s8 *pwr, si
if (!len)
break;
- cur = be32_to_cpu(data[0]);
+ cur = data[0];
}
}
@@ -264,7 +275,7 @@ s8 mt76_get_rate_power_limits(struct mt7
{
struct mt76_dev *dev = phy->dev;
struct device_node *np;
- const __be32 *val;
+ const s8 *val;
char name[16];
u32 mcs_rates = dev->drv->mcs_rates;
u32 ru_rates = ARRAY_SIZE(dest->ru[0]);
@@ -307,21 +318,21 @@ s8 mt76_get_rate_power_limits(struct mt7
txs_delta = mt76_get_txs_delta(np, hweight8(phy->antenna_mask));
- val = mt76_get_of_array(np, "rates-cck", &len, ARRAY_SIZE(dest->cck));
+ val = mt76_get_of_array_s8(np, "rates-cck", &len, ARRAY_SIZE(dest->cck));
mt76_apply_array_limit(dest->cck, ARRAY_SIZE(dest->cck), val,
target_power, txs_delta, &max_power);
- val = mt76_get_of_array(np, "rates-ofdm",
- &len, ARRAY_SIZE(dest->ofdm));
+ val = mt76_get_of_array_s8(np, "rates-ofdm",
+ &len, ARRAY_SIZE(dest->ofdm));
mt76_apply_array_limit(dest->ofdm, ARRAY_SIZE(dest->ofdm), val,
target_power, txs_delta, &max_power);
- val = mt76_get_of_array(np, "rates-mcs", &len, mcs_rates + 1);
+ val = mt76_get_of_array_s8(np, "rates-mcs", &len, mcs_rates + 1);
mt76_apply_multi_array_limit(dest->mcs[0], ARRAY_SIZE(dest->mcs[0]),
ARRAY_SIZE(dest->mcs), val, len,
target_power, txs_delta, &max_power);
- val = mt76_get_of_array(np, "rates-ru", &len, ru_rates + 1);
+ val = mt76_get_of_array_s8(np, "rates-ru", &len, ru_rates + 1);
mt76_apply_multi_array_limit(dest->ru[0], ARRAY_SIZE(dest->ru[0]),
ARRAY_SIZE(dest->ru), val, len,
target_power, txs_delta, &max_power);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 435/554] ALSA: wavefront: Clear substream pointers on close
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 434/554] wifi: mt76: Fix DTS power-limits on little endian systems Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 436/554] ALSA: wavefront: Use standard print API Greg Kroah-Hartman
` (124 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuhao Jiang, Junrui Luo,
Takashi Iwai, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit e11c5c13ce0ab2325d38fe63500be1dd88b81e38 ]
Clear substream pointers in close functions to avoid leaving dangling
pointers, helping to improve code safety and
prevents potential issues.
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Reported-by: Junrui Luo <moonafterrain@outlook.com>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881DF762CAB45EE42F6D812AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[ No guard() in older trees ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/isa/wavefront/wavefront_midi.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/isa/wavefront/wavefront_midi.c
+++ b/sound/isa/wavefront/wavefront_midi.c
@@ -294,6 +294,7 @@ static int snd_wavefront_midi_input_clos
return -EIO;
spin_lock_irqsave (&midi->open, flags);
+ midi->substream_input[mpu] = NULL;
midi->mode[mpu] &= ~MPU401_MODE_INPUT;
spin_unlock_irqrestore (&midi->open, flags);
@@ -318,6 +319,7 @@ static int snd_wavefront_midi_output_clo
return -EIO;
spin_lock_irqsave (&midi->open, flags);
+ midi->substream_output[mpu] = NULL;
midi->mode[mpu] &= ~MPU401_MODE_OUTPUT;
spin_unlock_irqrestore (&midi->open, flags);
return 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 436/554] ALSA: wavefront: Use standard print API
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 435/554] ALSA: wavefront: Clear substream pointers on close Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 437/554] ALSA: wavefront: Fix integer overflow in sample size validation Greg Kroah-Hartman
` (123 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jaroslav Kysela, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 8b4ac5429938dd5f1fbf2eea0687f08cbcccb6be ]
Use the standard print API with dev_*() instead of the old house-baked
one. It gives better information and allows dynamically control of
debug prints.
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20240807133452.9424-36-tiwai@suse.de
Stable-dep-of: 0c4a13ba8859 ("ALSA: wavefront: Fix integer overflow in sample size validation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/sound/snd_wavefront.h | 4
sound/isa/wavefront/wavefront.c | 61 +++++-----
sound/isa/wavefront/wavefront_fx.c | 36 +++---
sound/isa/wavefront/wavefront_midi.c | 15 +-
sound/isa/wavefront/wavefront_synth.c | 196 +++++++++++++++++-----------------
5 files changed, 158 insertions(+), 154 deletions(-)
--- a/include/sound/snd_wavefront.h
+++ b/include/sound/snd_wavefront.h
@@ -137,8 +137,4 @@ extern int snd_wavefront_fx_ioctl (str
extern int snd_wavefront_fx_open (struct snd_hwdep *, struct file *);
extern int snd_wavefront_fx_release (struct snd_hwdep *, struct file *);
-/* prefix in all snd_printk() delivered messages */
-
-#define LOGNAME "WaveFront: "
-
#endif /* __SOUND_SND_WAVEFRONT_H__ */
--- a/sound/isa/wavefront/wavefront.c
+++ b/sound/isa/wavefront/wavefront.c
@@ -140,7 +140,7 @@ snd_wavefront_pnp (int dev, snd_wavefron
err = pnp_activate_dev(pdev);
if (err < 0) {
- snd_printk(KERN_ERR "PnP WSS pnp configure failure\n");
+ dev_err(&pdev->dev, "PnP WSS pnp configure failure\n");
return err;
}
@@ -156,7 +156,7 @@ snd_wavefront_pnp (int dev, snd_wavefron
err = pnp_activate_dev(pdev);
if (err < 0) {
- snd_printk(KERN_ERR "PnP ICS2115 pnp configure failure\n");
+ dev_err(&pdev->dev, "PnP ICS2115 pnp configure failure\n");
return err;
}
@@ -174,26 +174,27 @@ snd_wavefront_pnp (int dev, snd_wavefron
err = pnp_activate_dev(pdev);
if (err < 0) {
- snd_printk(KERN_ERR "PnP MPU401 pnp configure failure\n");
+ dev_err(&pdev->dev, "PnP MPU401 pnp configure failure\n");
cs4232_mpu_port[dev] = SNDRV_AUTO_PORT;
} else {
cs4232_mpu_port[dev] = pnp_port_start(pdev, 0);
cs4232_mpu_irq[dev] = pnp_irq(pdev, 0);
}
- snd_printk (KERN_INFO "CS4232 MPU: port=0x%lx, irq=%i\n",
- cs4232_mpu_port[dev],
- cs4232_mpu_irq[dev]);
+ dev_info(&pdev->dev, "CS4232 MPU: port=0x%lx, irq=%i\n",
+ cs4232_mpu_port[dev],
+ cs4232_mpu_irq[dev]);
}
- snd_printdd ("CS4232: pcm port=0x%lx, fm port=0x%lx, dma1=%i, dma2=%i, irq=%i\nICS2115: port=0x%lx, irq=%i\n",
- cs4232_pcm_port[dev],
- fm_port[dev],
- dma1[dev],
- dma2[dev],
- cs4232_pcm_irq[dev],
- ics2115_port[dev],
- ics2115_irq[dev]);
+ dev_dbg(&pdev->dev,
+ "CS4232: pcm port=0x%lx, fm port=0x%lx, dma1=%i, dma2=%i, irq=%i\nICS2115: port=0x%lx, irq=%i\n",
+ cs4232_pcm_port[dev],
+ fm_port[dev],
+ dma1[dev],
+ dma2[dev],
+ cs4232_pcm_irq[dev],
+ ics2115_port[dev],
+ ics2115_irq[dev]);
return 0;
}
@@ -251,7 +252,7 @@ static struct snd_hwdep *snd_wavefront_n
struct snd_hwdep *fx_processor;
if (snd_wavefront_fx_start (&acard->wavefront)) {
- snd_printk (KERN_ERR "cannot initialize YSS225 FX processor");
+ dev_err(card->dev, "cannot initialize YSS225 FX processor");
return NULL;
}
@@ -282,7 +283,7 @@ static struct snd_rawmidi *snd_wavefront
first = 0;
acard->wavefront.midi.base = port;
if (snd_wavefront_midi_start (acard)) {
- snd_printk (KERN_ERR "cannot initialize MIDI interface\n");
+ dev_err(card->dev, "cannot initialize MIDI interface\n");
return NULL;
}
}
@@ -349,7 +350,7 @@ snd_wavefront_probe (struct snd_card *ca
cs4232_pcm_irq[dev], dma1[dev], dma2[dev],
WSS_HW_DETECT, 0, &chip);
if (err < 0) {
- snd_printk(KERN_ERR "can't allocate WSS device\n");
+ dev_err(card->dev, "can't allocate WSS device\n");
return err;
}
@@ -369,7 +370,7 @@ snd_wavefront_probe (struct snd_card *ca
err = snd_opl3_create(card, fm_port[dev], fm_port[dev] + 2,
OPL3_HW_OPL3_CS, 0, &opl3);
if (err < 0) {
- snd_printk (KERN_ERR "can't allocate or detect OPL3 synth\n");
+ dev_err(card->dev, "can't allocate or detect OPL3 synth\n");
return err;
}
@@ -385,14 +386,14 @@ snd_wavefront_probe (struct snd_card *ca
devm_request_region(card->dev, ics2115_port[dev], 16,
"ICS2115");
if (acard->wavefront.res_base == NULL) {
- snd_printk(KERN_ERR "unable to grab ICS2115 i/o region 0x%lx-0x%lx\n",
- ics2115_port[dev], ics2115_port[dev] + 16 - 1);
+ dev_err(card->dev, "unable to grab ICS2115 i/o region 0x%lx-0x%lx\n",
+ ics2115_port[dev], ics2115_port[dev] + 16 - 1);
return -EBUSY;
}
if (devm_request_irq(card->dev, ics2115_irq[dev],
snd_wavefront_ics2115_interrupt,
0, "ICS2115", acard)) {
- snd_printk(KERN_ERR "unable to use ICS2115 IRQ %d\n", ics2115_irq[dev]);
+ dev_err(card->dev, "unable to use ICS2115 IRQ %d\n", ics2115_irq[dev]);
return -EBUSY;
}
@@ -402,7 +403,7 @@ snd_wavefront_probe (struct snd_card *ca
wavefront_synth = snd_wavefront_new_synth(card, hw_dev, acard);
if (wavefront_synth == NULL) {
- snd_printk (KERN_ERR "can't create WaveFront synth device\n");
+ dev_err(card->dev, "can't create WaveFront synth device\n");
return -ENOMEM;
}
@@ -414,7 +415,7 @@ snd_wavefront_probe (struct snd_card *ca
err = snd_wss_mixer(chip);
if (err < 0) {
- snd_printk (KERN_ERR "can't allocate mixer device\n");
+ dev_err(card->dev, "can't allocate mixer device\n");
return err;
}
@@ -425,7 +426,7 @@ snd_wavefront_probe (struct snd_card *ca
cs4232_mpu_port[dev], 0,
cs4232_mpu_irq[dev], NULL);
if (err < 0) {
- snd_printk (KERN_ERR "can't allocate CS4232 MPU-401 device\n");
+ dev_err(card->dev, "can't allocate CS4232 MPU-401 device\n");
return err;
}
midi_dev++;
@@ -441,7 +442,7 @@ snd_wavefront_probe (struct snd_card *ca
ics2115_port[dev],
internal_mpu);
if (ics2115_internal_rmidi == NULL) {
- snd_printk (KERN_ERR "can't setup ICS2115 internal MIDI device\n");
+ dev_err(card->dev, "can't setup ICS2115 internal MIDI device\n");
return -ENOMEM;
}
midi_dev++;
@@ -457,7 +458,7 @@ snd_wavefront_probe (struct snd_card *ca
ics2115_port[dev],
external_mpu);
if (ics2115_external_rmidi == NULL) {
- snd_printk (KERN_ERR "can't setup ICS2115 external MIDI device\n");
+ dev_err(card->dev, "can't setup ICS2115 external MIDI device\n");
return -ENOMEM;
}
midi_dev++;
@@ -471,7 +472,7 @@ snd_wavefront_probe (struct snd_card *ca
acard,
ics2115_port[dev]);
if (fx_processor == NULL) {
- snd_printk (KERN_ERR "can't setup FX device\n");
+ dev_err(card->dev, "can't setup FX device\n");
return -ENOMEM;
}
@@ -525,11 +526,11 @@ static int snd_wavefront_isa_match(struc
return 0;
#endif
if (cs4232_pcm_port[dev] == SNDRV_AUTO_PORT) {
- snd_printk(KERN_ERR "specify CS4232 port\n");
+ dev_err(pdev, "specify CS4232 port\n");
return 0;
}
if (ics2115_port[dev] == SNDRV_AUTO_PORT) {
- snd_printk(KERN_ERR "specify ICS2115 port\n");
+ dev_err(pdev, "specify ICS2115 port\n");
return 0;
}
return 1;
@@ -585,7 +586,7 @@ static int snd_wavefront_pnp_detect(stru
if (snd_wavefront_pnp (dev, card->private_data, pcard, pid) < 0) {
if (cs4232_pcm_port[dev] == SNDRV_AUTO_PORT) {
- snd_printk (KERN_ERR "isapnp detection failed\n");
+ dev_err(card->dev, "isapnp detection failed\n");
return -ENODEV;
}
}
--- a/sound/isa/wavefront/wavefront_fx.c
+++ b/sound/isa/wavefront/wavefront_fx.c
@@ -38,7 +38,7 @@ wavefront_fx_idle (snd_wavefront_t *dev)
}
if (x & 0x80) {
- snd_printk ("FX device never idle.\n");
+ dev_err(dev->card->dev, "FX device never idle.\n");
return 0;
}
@@ -64,14 +64,14 @@ wavefront_fx_memset (snd_wavefront_t *de
unsigned short *data)
{
if (page < 0 || page > 7) {
- snd_printk ("FX memset: "
- "page must be >= 0 and <= 7\n");
+ dev_err(dev->card->dev,
+ "FX memset: page must be >= 0 and <= 7\n");
return -EINVAL;
}
if (addr < 0 || addr > 0x7f) {
- snd_printk ("FX memset: "
- "addr must be >= 0 and <= 7f\n");
+ dev_err(dev->card->dev,
+ "FX memset: addr must be >= 0 and <= 7f\n");
return -EINVAL;
}
@@ -83,7 +83,7 @@ wavefront_fx_memset (snd_wavefront_t *de
outb ((data[0] >> 8), dev->fx_dsp_msb);
outb ((data[0] & 0xff), dev->fx_dsp_lsb);
- snd_printk ("FX: addr %d:%x set to 0x%x\n",
+ dev_err(dev->card->dev, "FX: addr %d:%x set to 0x%x\n",
page, addr, data[0]);
} else {
@@ -102,9 +102,9 @@ wavefront_fx_memset (snd_wavefront_t *de
}
if (i != cnt) {
- snd_printk ("FX memset "
- "(0x%x, 0x%x, 0x%lx, %d) incomplete\n",
- page, addr, (unsigned long) data, cnt);
+ dev_err(dev->card->dev,
+ "FX memset (0x%x, 0x%x, 0x%lx, %d) incomplete\n",
+ page, addr, (unsigned long) data, cnt);
return -EIO;
}
}
@@ -123,7 +123,7 @@ snd_wavefront_fx_detect (snd_wavefront_t
*/
if (inb (dev->fx_status) & 0x80) {
- snd_printk ("Hmm, probably a Maui or Tropez.\n");
+ dev_err(dev->card->dev, "Hmm, probably a Maui or Tropez.\n");
return -1;
}
@@ -180,15 +180,15 @@ snd_wavefront_fx_ioctl (struct snd_hwdep
case WFFX_MEMSET:
if (r.data[2] <= 0) {
- snd_printk ("cannot write "
- "<= 0 bytes to FX\n");
+ dev_err(dev->card->dev,
+ "cannot write <= 0 bytes to FX\n");
return -EIO;
} else if (r.data[2] == 1) {
pd = (unsigned short *) &r.data[3];
} else {
if (r.data[2] > 256) {
- snd_printk ("cannot write "
- "> 512 bytes to FX\n");
+ dev_err(dev->card->dev,
+ "cannot write > 512 bytes to FX\n");
return -EIO;
}
page_data = memdup_user((unsigned char __user *)
@@ -208,8 +208,8 @@ snd_wavefront_fx_ioctl (struct snd_hwdep
break;
default:
- snd_printk ("FX: ioctl %d not yet supported\n",
- r.request);
+ dev_err(dev->card->dev, "FX: ioctl %d not yet supported\n",
+ r.request);
return -ENOTTY;
}
return err;
@@ -254,8 +254,8 @@ snd_wavefront_fx_start (snd_wavefront_t
goto out;
}
} else {
- snd_printk(KERN_ERR "invalid address"
- " in register data\n");
+ dev_err(dev->card->dev,
+ "invalid address in register data\n");
err = -1;
goto out;
}
--- a/sound/isa/wavefront/wavefront_midi.c
+++ b/sound/isa/wavefront/wavefront_midi.c
@@ -503,7 +503,8 @@ snd_wavefront_midi_start (snd_wavefront_
for (i = 0; i < 30000 && !output_ready (midi); i++);
if (!output_ready (midi)) {
- snd_printk ("MIDI interface not ready for command\n");
+ dev_err(card->wavefront.card->dev,
+ "MIDI interface not ready for command\n");
return -1;
}
@@ -525,7 +526,8 @@ snd_wavefront_midi_start (snd_wavefront_
}
if (!ok) {
- snd_printk ("cannot set UART mode for MIDI interface");
+ dev_err(card->wavefront.card->dev,
+ "cannot set UART mode for MIDI interface");
dev->interrupts_are_midi = 0;
return -1;
}
@@ -533,7 +535,8 @@ snd_wavefront_midi_start (snd_wavefront_
/* Route external MIDI to WaveFront synth (by default) */
if (snd_wavefront_cmd (dev, WFC_MISYNTH_ON, rbuf, wbuf)) {
- snd_printk ("can't enable MIDI-IN-2-synth routing.\n");
+ dev_warn(card->wavefront.card->dev,
+ "can't enable MIDI-IN-2-synth routing.\n");
/* XXX error ? */
}
@@ -549,14 +552,16 @@ snd_wavefront_midi_start (snd_wavefront_
*/
if (snd_wavefront_cmd (dev, WFC_VMIDI_OFF, rbuf, wbuf)) {
- snd_printk ("virtual MIDI mode not disabled\n");
+ dev_warn(card->wavefront.card->dev,
+ "virtual MIDI mode not disabled\n");
return 0; /* We're OK, but missing the external MIDI dev */
}
snd_wavefront_midi_enable_virtual (card);
if (snd_wavefront_cmd (dev, WFC_VMIDI_ON, rbuf, wbuf)) {
- snd_printk ("cannot enable virtual MIDI mode.\n");
+ dev_warn(card->wavefront.card->dev,
+ "cannot enable virtual MIDI mode.\n");
snd_wavefront_midi_disable_virtual (card);
}
return 0;
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -116,7 +116,7 @@ MODULE_PARM_DESC(osrun_time, "how many s
#define DPRINT(cond, ...) \
if ((dev->debug & (cond)) == (cond)) { \
- snd_printk (__VA_ARGS__); \
+ pr_debug(__VA_ARGS__); \
}
#else
#define DPRINT(cond, args...)
@@ -341,7 +341,7 @@ snd_wavefront_cmd (snd_wavefront_t *dev,
wfcmd = wavefront_get_command(cmd);
if (!wfcmd) {
- snd_printk ("command 0x%x not supported.\n",
+ dev_err(dev->card->dev, "command 0x%x not supported.\n",
cmd);
return 1;
}
@@ -625,7 +625,7 @@ wavefront_get_sample_status (snd_wavefro
/* check sample status */
if (snd_wavefront_cmd (dev, WFC_GET_NSAMPLES, rbuf, wbuf)) {
- snd_printk ("cannot request sample count.\n");
+ dev_err(dev->card->dev, "cannot request sample count.\n");
return -1;
}
@@ -637,8 +637,8 @@ wavefront_get_sample_status (snd_wavefro
wbuf[1] = i >> 7;
if (snd_wavefront_cmd (dev, WFC_IDENTIFY_SAMPLE_TYPE, rbuf, wbuf)) {
- snd_printk(KERN_WARNING "cannot identify sample "
- "type of slot %d\n", i);
+ dev_warn(dev->card->dev,
+ "cannot identify sample type of slot %d\n", i);
dev->sample_status[i] = WF_ST_EMPTY;
continue;
}
@@ -663,9 +663,9 @@ wavefront_get_sample_status (snd_wavefro
break;
default:
- snd_printk ("unknown sample type for "
- "slot %d (0x%x)\n",
- i, rbuf[0]);
+ dev_err(dev->card->dev,
+ "unknown sample type for slot %d (0x%x)\n",
+ i, rbuf[0]);
}
if (rbuf[0] != WF_ST_EMPTY) {
@@ -673,9 +673,10 @@ wavefront_get_sample_status (snd_wavefro
}
}
- snd_printk ("%d samples used (%d real, %d aliases, %d multi), "
- "%d empty\n", dev->samples_used, sc_real, sc_alias, sc_multi,
- WF_MAX_SAMPLE - dev->samples_used);
+ dev_info(dev->card->dev,
+ "%d samples used (%d real, %d aliases, %d multi), %d empty\n",
+ dev->samples_used, sc_real, sc_alias, sc_multi,
+ WF_MAX_SAMPLE - dev->samples_used);
return (0);
@@ -708,8 +709,8 @@ wavefront_get_patch_status (snd_wavefron
} else if (x == 3) { /* Bad patch number */
dev->patch_status[i] = 0;
} else {
- snd_printk ("upload patch "
- "error 0x%x\n", x);
+ dev_err(dev->card->dev,
+ "upload patch error 0x%x\n", x);
dev->patch_status[i] = 0;
return 1;
}
@@ -726,7 +727,8 @@ wavefront_get_patch_status (snd_wavefron
}
}
- snd_printk ("%d patch slots filled, %d in use\n", cnt, cnt2);
+ dev_info(dev->card->dev, "%d patch slots filled, %d in use\n",
+ cnt, cnt2);
return (0);
}
@@ -762,8 +764,8 @@ wavefront_get_program_status (snd_wavefr
} else if (x == 1) { /* Bad program number */
dev->prog_status[i] = 0;
} else {
- snd_printk ("upload program "
- "error 0x%x\n", x);
+ dev_err(dev->card->dev,
+ "upload program error 0x%x\n", x);
dev->prog_status[i] = 0;
}
}
@@ -774,7 +776,7 @@ wavefront_get_program_status (snd_wavefr
}
}
- snd_printk ("%d programs slots in use\n", cnt);
+ dev_info(dev->card->dev, "%d programs slots in use\n", cnt);
return (0);
}
@@ -798,7 +800,7 @@ wavefront_send_patch (snd_wavefront_t *d
munge_buf ((unsigned char *)&header->hdr.p, bptr, WF_PATCH_BYTES);
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_PATCH, NULL, buf)) {
- snd_printk ("download patch failed\n");
+ dev_err(dev->card->dev, "download patch failed\n");
return -EIO;
}
@@ -839,7 +841,7 @@ wavefront_send_program (snd_wavefront_t
munge_buf ((unsigned char *)&header->hdr.pr, &buf[1], WF_PROGRAM_BYTES);
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_PROGRAM, NULL, buf)) {
- snd_printk ("download patch failed\n");
+ dev_err(dev->card->dev, "download patch failed\n");
return -EIO;
}
@@ -853,7 +855,7 @@ wavefront_freemem (snd_wavefront_t *dev)
char rbuf[8];
if (snd_wavefront_cmd (dev, WFC_REPORT_FREE_MEMORY, rbuf, NULL)) {
- snd_printk ("can't get memory stats.\n");
+ dev_err(dev->card->dev, "can't get memory stats.\n");
return -1;
} else {
return demunge_int32 (rbuf, 4);
@@ -903,7 +905,7 @@ wavefront_send_sample (snd_wavefront_t *
x = wavefront_find_free_sample(dev);
if (x < 0)
return -ENOMEM;
- snd_printk ("unspecified sample => %d\n", x);
+ dev_info(dev->card->dev, "unspecified sample => %d\n", x);
header->number = x;
}
@@ -937,9 +939,9 @@ wavefront_send_sample (snd_wavefront_t *
if (dev->rom_samples_rdonly) {
if (dev->sample_status[header->number] & WF_SLOT_ROM) {
- snd_printk ("sample slot %d "
- "write protected\n",
- header->number);
+ dev_err(dev->card->dev,
+ "sample slot %d write protected\n",
+ header->number);
return -EACCES;
}
}
@@ -951,9 +953,9 @@ wavefront_send_sample (snd_wavefront_t *
dev->freemem = wavefront_freemem (dev);
if (dev->freemem < (int)header->size) {
- snd_printk ("insufficient memory to "
- "load %d byte sample.\n",
- header->size);
+ dev_err(dev->card->dev,
+ "insufficient memory to load %d byte sample.\n",
+ header->size);
return -ENOMEM;
}
@@ -962,8 +964,8 @@ wavefront_send_sample (snd_wavefront_t *
skip = WF_GET_CHANNEL(&header->hdr.s);
if (skip > 0 && header->hdr.s.SampleResolution != LINEAR_16BIT) {
- snd_printk ("channel selection only "
- "possible on 16-bit samples");
+ dev_err(dev->card->dev,
+ "channel selection only possible on 16-bit samples");
return -EINVAL;
}
@@ -1059,8 +1061,8 @@ wavefront_send_sample (snd_wavefront_t *
header->size ?
WFC_DOWNLOAD_SAMPLE : WFC_DOWNLOAD_SAMPLE_HEADER,
NULL, sample_hdr)) {
- snd_printk ("sample %sdownload refused.\n",
- header->size ? "" : "header ");
+ dev_err(dev->card->dev, "sample %sdownload refused.\n",
+ header->size ? "" : "header ");
return -EIO;
}
@@ -1085,8 +1087,8 @@ wavefront_send_sample (snd_wavefront_t *
}
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_BLOCK, NULL, NULL)) {
- snd_printk ("download block "
- "request refused.\n");
+ dev_err(dev->card->dev,
+ "download block request refused.\n");
return -EIO;
}
@@ -1147,13 +1149,13 @@ wavefront_send_sample (snd_wavefront_t *
dma_ack = wavefront_read(dev);
if (dma_ack != WF_DMA_ACK) {
if (dma_ack == -1) {
- snd_printk ("upload sample "
- "DMA ack timeout\n");
+ dev_err(dev->card->dev,
+ "upload sample DMA ack timeout\n");
return -EIO;
} else {
- snd_printk ("upload sample "
- "DMA ack error 0x%x\n",
- dma_ack);
+ dev_err(dev->card->dev,
+ "upload sample DMA ack error 0x%x\n",
+ dma_ack);
return -EIO;
}
}
@@ -1197,7 +1199,7 @@ wavefront_send_alias (snd_wavefront_t *d
munge_int32 (*(&header->hdr.a.FrequencyBias+1), &alias_hdr[23], 2);
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_SAMPLE_ALIAS, NULL, alias_hdr)) {
- snd_printk ("download alias failed.\n");
+ dev_err(dev->card->dev, "download alias failed.\n");
return -EIO;
}
@@ -1250,7 +1252,7 @@ wavefront_send_multisample (snd_wavefron
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_MULTISAMPLE,
(unsigned char *) (long) ((num_samples*2)+3),
msample_hdr)) {
- snd_printk ("download of multisample failed.\n");
+ dev_err(dev->card->dev, "download of multisample failed.\n");
kfree(msample_hdr);
return -EIO;
}
@@ -1273,7 +1275,7 @@ wavefront_fetch_multisample (snd_wavefro
munge_int32 (header->number, number, 2);
if (snd_wavefront_cmd (dev, WFC_UPLOAD_MULTISAMPLE, log_ns, number)) {
- snd_printk ("upload multisample failed.\n");
+ dev_err(dev->card->dev, "upload multisample failed.\n");
return -EIO;
}
@@ -1292,16 +1294,16 @@ wavefront_fetch_multisample (snd_wavefro
val = wavefront_read(dev);
if (val == -1) {
- snd_printk ("upload multisample failed "
- "during sample loop.\n");
+ dev_err(dev->card->dev,
+ "upload multisample failed during sample loop.\n");
return -EIO;
}
d[0] = val;
val = wavefront_read(dev);
if (val == -1) {
- snd_printk ("upload multisample failed "
- "during sample loop.\n");
+ dev_err(dev->card->dev,
+ "upload multisample failed during sample loop.\n");
return -EIO;
}
d[1] = val;
@@ -1336,7 +1338,7 @@ wavefront_send_drum (snd_wavefront_t *de
}
if (snd_wavefront_cmd (dev, WFC_DOWNLOAD_EDRUM_PROGRAM, NULL, drumbuf)) {
- snd_printk ("download drum failed.\n");
+ dev_err(dev->card->dev, "download drum failed.\n");
return -EIO;
}
@@ -1354,7 +1356,7 @@ wavefront_find_free_sample (snd_wavefron
return i;
}
}
- snd_printk ("no free sample slots!\n");
+ dev_err(dev->card->dev, "no free sample slots!\n");
return -1;
}
@@ -1370,7 +1372,7 @@ wavefront_find_free_patch (snd_wavefront
return i;
}
}
- snd_printk ("no free patch slots!\n");
+ dev_err(dev->card->dev, "no free patch slots!\n");
return -1;
}
#endif
@@ -1387,7 +1389,7 @@ wavefront_load_patch (snd_wavefront_t *d
if (copy_from_user (header, addr, sizeof(wavefront_patch_info) -
sizeof(wavefront_any))) {
- snd_printk ("bad address for load patch.\n");
+ dev_err(dev->card->dev, "bad address for load patch.\n");
err = -EFAULT;
goto __error;
}
@@ -1465,8 +1467,8 @@ wavefront_load_patch (snd_wavefront_t *d
break;
default:
- snd_printk ("unknown patch type %d.\n",
- header->subkey);
+ dev_err(dev->card->dev, "unknown patch type %d.\n",
+ header->subkey);
err = -EINVAL;
break;
}
@@ -1529,13 +1531,13 @@ wavefront_synth_control (snd_wavefront_c
switch (wc->cmd) {
case WFC_DISABLE_INTERRUPTS:
- snd_printk ("interrupts disabled.\n");
+ dev_dbg(dev->card->dev, "interrupts disabled.\n");
outb (0x80|0x20, dev->control_port);
dev->interrupts_are_midi = 1;
return 0;
case WFC_ENABLE_INTERRUPTS:
- snd_printk ("interrupts enabled.\n");
+ dev_dbg(dev->card->dev, "interrupts enabled.\n");
outb (0x80|0x40|0x20, dev->control_port);
dev->interrupts_are_midi = 1;
return 0;
@@ -1552,7 +1554,7 @@ wavefront_synth_control (snd_wavefront_c
case WFC_IDENTIFY_SLOT_TYPE:
i = wc->wbuf[0] | (wc->wbuf[1] << 7);
if (i <0 || i >= WF_MAX_SAMPLE) {
- snd_printk ("invalid slot ID %d\n",
+ dev_err(dev->card->dev, "invalid slot ID %d\n",
i);
wc->status = EINVAL;
return -EINVAL;
@@ -1563,7 +1565,7 @@ wavefront_synth_control (snd_wavefront_c
case WFC_DEBUG_DRIVER:
dev->debug = wc->wbuf[0];
- snd_printk ("debug = 0x%x\n", dev->debug);
+ dev_dbg(dev->card->dev, "debug = 0x%x\n", dev->debug);
return 0;
case WFC_UPLOAD_PATCH:
@@ -1580,8 +1582,8 @@ wavefront_synth_control (snd_wavefront_c
return 0;
case WFC_UPLOAD_SAMPLE_ALIAS:
- snd_printk ("support for sample alias upload "
- "being considered.\n");
+ dev_err(dev->card->dev,
+ "support for sample alias upload being considered.\n");
wc->status = EINVAL;
return -EINVAL;
}
@@ -1622,9 +1624,8 @@ wavefront_synth_control (snd_wavefront_c
break;
case WFC_UPLOAD_SAMPLE_ALIAS:
- snd_printk ("support for "
- "sample aliases still "
- "being considered.\n");
+ dev_err(dev->card->dev,
+ "support for sample aliases still being considered.\n");
break;
case WFC_VMIDI_OFF:
@@ -1762,7 +1763,7 @@ snd_wavefront_internal_interrupt (snd_wa
*/
static int
-snd_wavefront_interrupt_bits (int irq)
+snd_wavefront_interrupt_bits(snd_wavefront_t *dev, int irq)
{
int bits;
@@ -1782,7 +1783,7 @@ snd_wavefront_interrupt_bits (int irq)
break;
default:
- snd_printk ("invalid IRQ %d\n", irq);
+ dev_err(dev->card->dev, "invalid IRQ %d\n", irq);
bits = -1;
}
@@ -1817,7 +1818,7 @@ wavefront_reset_to_cleanliness (snd_wave
/* IRQ already checked */
- bits = snd_wavefront_interrupt_bits (dev->irq);
+ bits = snd_wavefront_interrupt_bits(dev, dev->irq);
/* try reset of port */
@@ -1887,7 +1888,7 @@ wavefront_reset_to_cleanliness (snd_wave
*/
if (!dev->irq_ok) {
- snd_printk ("intr not received after h/w un-reset.\n");
+ dev_err(dev->card->dev, "intr not received after h/w un-reset.\n");
goto gone_bad;
}
@@ -1911,18 +1912,18 @@ wavefront_reset_to_cleanliness (snd_wave
dev->data_port, ramcheck_time*HZ);
if (!dev->irq_ok) {
- snd_printk ("post-RAM-check interrupt not received.\n");
+ dev_err(dev->card->dev, "post-RAM-check interrupt not received.\n");
goto gone_bad;
}
if (!wavefront_wait (dev, STAT_CAN_READ)) {
- snd_printk ("no response to HW version cmd.\n");
+ dev_err(dev->card->dev, "no response to HW version cmd.\n");
goto gone_bad;
}
hwv[0] = wavefront_read(dev);
if (hwv[0] == -1) {
- snd_printk ("board not responding correctly.\n");
+ dev_err(dev->card->dev, "board not responding correctly.\n");
goto gone_bad;
}
@@ -1934,11 +1935,11 @@ wavefront_reset_to_cleanliness (snd_wave
hwv[0] = wavefront_read(dev);
if (hwv[0] == -1) {
- snd_printk ("on-board RAM test failed "
- "(bad error code).\n");
+ dev_err(dev->card->dev,
+ "on-board RAM test failed (bad error code).\n");
} else {
- snd_printk ("on-board RAM test failed "
- "(error code: 0x%x).\n",
+ dev_err(dev->card->dev,
+ "on-board RAM test failed (error code: 0x%x).\n",
hwv[0]);
}
goto gone_bad;
@@ -1948,12 +1949,12 @@ wavefront_reset_to_cleanliness (snd_wave
hwv[1] = wavefront_read(dev);
if (hwv[1] == -1) {
- snd_printk ("incorrect h/w response.\n");
+ dev_err(dev->card->dev, "incorrect h/w response.\n");
goto gone_bad;
}
- snd_printk ("hardware version %d.%d\n",
- hwv[0], hwv[1]);
+ dev_info(dev->card->dev, "hardware version %d.%d\n",
+ hwv[0], hwv[1]);
return 0;
@@ -1973,7 +1974,7 @@ wavefront_download_firmware (snd_wavefro
err = request_firmware(&firmware, path, dev->card->dev);
if (err < 0) {
- snd_printk(KERN_ERR "firmware (%s) download failed!!!\n", path);
+ dev_err(dev->card->dev, "firmware (%s) download failed!!!\n", path);
return 1;
}
@@ -1984,16 +1985,16 @@ wavefront_download_firmware (snd_wavefro
if (section_length == 0)
break;
if (section_length < 0 || section_length > WF_SECTION_MAX) {
- snd_printk(KERN_ERR
- "invalid firmware section length %d\n",
- section_length);
+ dev_err(dev->card->dev,
+ "invalid firmware section length %d\n",
+ section_length);
goto failure;
}
buf++;
len++;
if (firmware->size < len + section_length) {
- snd_printk(KERN_ERR "firmware section read error.\n");
+ dev_err(dev->card->dev, "firmware section read error.\n");
goto failure;
}
@@ -2010,15 +2011,14 @@ wavefront_download_firmware (snd_wavefro
/* get ACK */
if (!wavefront_wait(dev, STAT_CAN_READ)) {
- snd_printk(KERN_ERR "time out for firmware ACK.\n");
+ dev_err(dev->card->dev, "time out for firmware ACK.\n");
goto failure;
}
err = inb(dev->data_port);
if (err != WF_ACK) {
- snd_printk(KERN_ERR
- "download of section #%d not "
- "acknowledged, ack = 0x%x\n",
- section_cnt_downloaded + 1, err);
+ dev_err(dev->card->dev,
+ "download of section #%d not acknowledged, ack = 0x%x\n",
+ section_cnt_downloaded + 1, err);
goto failure;
}
@@ -2030,7 +2030,7 @@ wavefront_download_firmware (snd_wavefro
failure:
release_firmware(firmware);
- snd_printk(KERN_ERR "firmware download failed!!!\n");
+ dev_err(dev->card->dev, "firmware download failed!!!\n");
return 1;
}
@@ -2042,7 +2042,7 @@ wavefront_do_reset (snd_wavefront_t *dev
char voices[1];
if (wavefront_reset_to_cleanliness (dev)) {
- snd_printk ("hw reset failed.\n");
+ dev_err(dev->card->dev, "hw reset failed.\n");
goto gone_bad;
}
@@ -2066,7 +2066,7 @@ wavefront_do_reset (snd_wavefront_t *dev
(osrun_time*HZ));
if (!dev->irq_ok) {
- snd_printk ("no post-OS interrupt.\n");
+ dev_err(dev->card->dev, "no post-OS interrupt.\n");
goto gone_bad;
}
@@ -2076,7 +2076,7 @@ wavefront_do_reset (snd_wavefront_t *dev
dev->data_port, (10*HZ));
if (!dev->irq_ok) {
- snd_printk ("no post-OS interrupt(2).\n");
+ dev_err(dev->card->dev, "no post-OS interrupt(2).\n");
goto gone_bad;
}
@@ -2096,20 +2096,20 @@ wavefront_do_reset (snd_wavefront_t *dev
if (dev->freemem < 0)
goto gone_bad;
- snd_printk ("available DRAM %dk\n", dev->freemem / 1024);
+ dev_info(dev->card->dev, "available DRAM %dk\n", dev->freemem / 1024);
if (wavefront_write (dev, 0xf0) ||
wavefront_write (dev, 1) ||
(wavefront_read (dev) < 0)) {
dev->debug = 0;
- snd_printk ("MPU emulation mode not set.\n");
+ dev_err(dev->card->dev, "MPU emulation mode not set.\n");
goto gone_bad;
}
voices[0] = 32;
if (snd_wavefront_cmd (dev, WFC_SET_NVOICES, NULL, voices)) {
- snd_printk ("cannot set number of voices to 32.\n");
+ dev_err(dev->card->dev, "cannot set number of voices to 32.\n");
goto gone_bad;
}
@@ -2189,8 +2189,8 @@ snd_wavefront_detect (snd_wavefront_card
dev->fw_version[0] = rbuf[0];
dev->fw_version[1] = rbuf[1];
- snd_printk ("firmware %d.%d already loaded.\n",
- rbuf[0], rbuf[1]);
+ dev_info(dev->card->dev, "firmware %d.%d already loaded.\n",
+ rbuf[0], rbuf[1]);
/* check that a command actually works */
@@ -2199,22 +2199,24 @@ snd_wavefront_detect (snd_wavefront_card
dev->hw_version[0] = rbuf[0];
dev->hw_version[1] = rbuf[1];
} else {
- snd_printk ("not raw, but no "
- "hardware version!\n");
+ dev_err(dev->card->dev,
+ "not raw, but no hardware version!\n");
return -1;
}
if (!wf_raw) {
return 0;
} else {
- snd_printk ("reloading firmware as you requested.\n");
+ dev_info(dev->card->dev,
+ "reloading firmware as you requested.\n");
dev->israw = 1;
}
} else {
dev->israw = 1;
- snd_printk ("no response to firmware probe, assume raw.\n");
+ dev_info(dev->card->dev,
+ "no response to firmware probe, assume raw.\n");
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 437/554] ALSA: wavefront: Fix integer overflow in sample size validation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 436/554] ALSA: wavefront: Use standard print API Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 438/554] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap Greg Kroah-Hartman
` (122 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junrui Luo, Takashi Iwai,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Junrui Luo <moonafterrain@outlook.com>
[ Upstream commit 0c4a13ba88594fd4a27292853e736c6b4349823d ]
The wavefront_send_sample() function has an integer overflow issue
when validating sample size. The header->size field is u32 but gets
cast to int for comparison with dev->freemem
Fix by using unsigned comparison to avoid integer overflow.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://patch.msgid.link/SYBPR01MB7881B47789D1B060CE8BF4C3AFC2A@SYBPR01MB7881.ausprd01.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/isa/wavefront/wavefront_synth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/isa/wavefront/wavefront_synth.c
+++ b/sound/isa/wavefront/wavefront_synth.c
@@ -952,9 +952,9 @@ wavefront_send_sample (snd_wavefront_t *
if (header->size) {
dev->freemem = wavefront_freemem (dev);
- if (dev->freemem < (int)header->size) {
+ if (dev->freemem < 0 || dev->freemem < header->size) {
dev_err(dev->card->dev,
- "insufficient memory to load %d byte sample.\n",
+ "insufficient memory to load %u byte sample.\n",
header->size);
return -ENOMEM;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 438/554] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 437/554] ALSA: wavefront: Fix integer overflow in sample size validation Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 439/554] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Greg Kroah-Hartman
` (121 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 27d17641cacfedd816789b75d342430f6b912bd2 ]
>>From RFC 8881:
5.8.1.14. Attribute 75: suppattr_exclcreat
> The bit vector that would set all REQUIRED and RECOMMENDED
> attributes that are supported by the EXCLUSIVE4_1 method of file
> creation via the OPEN operation. The scope of this attribute
> applies to all objects with a matching fsid.
There's nothing in RFC 8881 that states that suppattr_exclcreat is
or is not allowed to contain bits for attributes that are clear in
the reported supported_attrs bitmask. But it doesn't make sense for
an NFS server to indicate that it /doesn't/ implement an attribute,
but then also indicate that clients /are/ allowed to set that
attribute using OPEN(create) with EXCLUSIVE4_1.
Ensure that the SECURITY_LABEL and ACL bits are not set in the
suppattr_exclcreat bitmask when they are also not set in the
supported_attrs bitmask.
Fixes: 8c18f2052e75 ("nfsd41: SUPPATTR_EXCLCREAT attribute")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4xdr.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3409,6 +3409,11 @@ out_acl:
u32 supp[3];
memcpy(supp, nfsd_suppattrs[minorversion], sizeof(supp));
+ if (!IS_POSIXACL(d_inode(dentry)))
+ supp[0] &= ~FATTR4_WORD0_ACL;
+ if (!contextsupport)
+ supp[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
+
supp[0] &= NFSD_SUPPATTR_EXCLCREAT_WORD0;
supp[1] &= NFSD_SUPPATTR_EXCLCREAT_WORD1;
supp[2] &= NFSD_SUPPATTR_EXCLCREAT_WORD2;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 439/554] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 438/554] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 440/554] xfs: fix a memory leak in xfs_buf_item_init() Greg Kroah-Hartman
` (120 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chao Gao, Dongli Zhang,
Sean Christopherson, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dongli Zhang <dongli.zhang@oracle.com>
[ Upstream commit 29763138830916f46daaa50e83e7f4f907a3236b ]
If an APICv status updated was pended while L2 was active, immediately
refresh vmcs01's controls instead of pending KVM_REQ_APICV_UPDATE as
kvm_vcpu_update_apicv() only calls into vendor code if a change is
necessary.
E.g. if APICv is inhibited, and then activated while L2 is running:
kvm_vcpu_update_apicv()
|
-> __kvm_vcpu_update_apicv()
|
-> apic->apicv_active = true
|
-> vmx_refresh_apicv_exec_ctrl()
|
-> vmx->nested.update_vmcs01_apicv_status = true
|
-> return
Then L2 exits to L1:
__nested_vmx_vmexit()
|
-> kvm_make_request(KVM_REQ_APICV_UPDATE)
vcpu_enter_guest(): KVM_REQ_APICV_UPDATE
-> kvm_vcpu_update_apicv()
|
-> __kvm_vcpu_update_apicv()
|
-> return // because if (apic->apicv_active == activate)
Reported-by: Chao Gao <chao.gao@intel.com>
Closes: https://lore.kernel.org/all/aQ2jmnN8wUYVEawF@intel.com
Fixes: 7c69661e225c ("KVM: nVMX: Defer APICv updates while L2 is active until L1 is active")
Cc: stable@vger.kernel.org
Signed-off-by: Dongli Zhang <dongli.zhang@oracle.com>
[sean: write changelog]
Link: https://patch.msgid.link/20251205231913.441872-3-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ exported vmx_refresh_apicv_exec_ctrl() and added declaration in vmx.h ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/nested.c | 2 +-
arch/x86/kvm/vmx/vmx.c | 2 +-
arch/x86/kvm/vmx/vmx.h | 1 +
3 files changed, 3 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4684,7 +4684,7 @@ void nested_vmx_vmexit(struct kvm_vcpu *
if (vmx->nested.update_vmcs01_apicv_status) {
vmx->nested.update_vmcs01_apicv_status = false;
- kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu);
+ vmx_refresh_apicv_exec_ctrl(vcpu);
}
if ((vm_exit_reason != -1) &&
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -4217,7 +4217,7 @@ static u32 vmx_vmexit_ctrl(void)
~(VM_EXIT_LOAD_IA32_PERF_GLOBAL_CTRL | VM_EXIT_LOAD_IA32_EFER);
}
-static void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu)
+void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu)
{
struct vcpu_vmx *vmx = to_vmx(vcpu);
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -386,6 +386,7 @@ void __vmx_set_segment(struct kvm_vcpu *
u64 construct_eptp(struct kvm_vcpu *vcpu, hpa_t root_hpa, int root_level);
bool vmx_guest_inject_ac(struct kvm_vcpu *vcpu);
+void vmx_refresh_apicv_exec_ctrl(struct kvm_vcpu *vcpu);
void vmx_update_exception_bitmap(struct kvm_vcpu *vcpu);
bool vmx_nmi_blocked(struct kvm_vcpu *vcpu);
bool __vmx_interrupt_blocked(struct kvm_vcpu *vcpu);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 440/554] xfs: fix a memory leak in xfs_buf_item_init()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 439/554] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 441/554] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Greg Kroah-Hartman
` (119 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Christoph Hellwig,
Carlos Maiolino, Carlos Maiolino, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
[ Upstream commit fc40459de82543b565ebc839dca8f7987f16f62e ]
xfs_buf_item_get_format() may allocate memory for bip->bli_formats,
free the memory in the error path.
Fixes: c3d5f0c2fb85 ("xfs: complain if anyone tries to create a too-large buffer log item")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_buf_item.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -825,6 +825,7 @@ xfs_buf_item_init(
map_size = DIV_ROUND_UP(chunks, NBWORD);
if (map_size > XFS_BLF_DATAMAP_SIZE) {
+ xfs_buf_item_free_format(bip);
kmem_cache_free(xfs_buf_item_zone, bip);
xfs_err(mp,
"buffer item dirty bitmap (%u uints) too small to reflect %u bytes!",
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 441/554] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 440/554] xfs: fix a memory leak in xfs_buf_item_init() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 442/554] f2fs: use global inline_xattr_slab instead of per-sb slab cache Greg Kroah-Hartman
` (118 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Chao Yu, Jaegeuk Kim,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 68d05693f8c031257a0822464366e1c2a239a512 ]
mkfs.f2fs -f /dev/vdd
mount /dev/vdd /mnt/f2fs
touch /mnt/f2fs/foo
sync # avoid CP_UMOUNT_FLAG in last f2fs_checkpoint.ckpt_flags
touch /mnt/f2fs/bar
f2fs_io fsync /mnt/f2fs/bar
f2fs_io shutdown 2 /mnt/f2fs
umount /mnt/f2fs
blockdev --setro /dev/vdd
mount /dev/vdd /mnt/f2fs
mount: /mnt/f2fs: WARNING: source write-protected, mounted read-only.
For the case if we create and fsync a new inode before sudden power-cut,
without norecovery or disable_roll_forward mount option, the following
mount will succeed w/o recovering last fsynced inode.
The problem here is that we only check inode_list list after
find_fsync_dnodes() in f2fs_recover_fsync_data() to find out whether
there is recoverable data in the iamge, but there is a missed case, if
last fsynced inode is not existing in last checkpoint, then, we will
fail to get its inode due to nat of inode node is not existing in last
checkpoint, so the inode won't be linked in inode_list.
Let's detect such case in dyrun mode to fix this issue.
After this change, mount will fail as expected below:
mount: /mnt/f2fs: cannot mount /dev/vdd read-only.
dmesg(1) may have more information after failed mount system call.
demsg:
F2FS-fs (vdd): Need to recover fsync data, but write access unavailable, please try mount w/ disable_roll_forward or norecovery
Cc: stable@kernel.org
Fixes: 6781eabba1bd ("f2fs: give -EINVAL for norecovery and rw mount")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/recovery.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -343,7 +343,7 @@ static int recover_inode(struct inode *i
}
static int find_fsync_dnodes(struct f2fs_sb_info *sbi, struct list_head *head,
- bool check_only)
+ bool check_only, bool *new_inode)
{
struct curseg_info *curseg;
struct page *page = NULL;
@@ -400,6 +400,8 @@ static int find_fsync_dnodes(struct f2fs
if (IS_ERR(entry)) {
err = PTR_ERR(entry);
if (err == -ENOENT) {
+ if (check_only)
+ *new_inode = true;
err = 0;
goto next;
}
@@ -805,6 +807,7 @@ int f2fs_recover_fsync_data(struct f2fs_
unsigned long s_flags = sbi->sb->s_flags;
bool need_writecp = false;
bool fix_curseg_write_pointer = false;
+ bool new_inode = false;
#ifdef CONFIG_QUOTA
int quota_enabled;
#endif
@@ -829,8 +832,8 @@ int f2fs_recover_fsync_data(struct f2fs_
down_write(&sbi->cp_global_sem);
/* step #1: find fsynced inode numbers */
- err = find_fsync_dnodes(sbi, &inode_list, check_only);
- if (err || list_empty(&inode_list))
+ err = find_fsync_dnodes(sbi, &inode_list, check_only, &new_inode);
+ if (err < 0 || (list_empty(&inode_list) && (!check_only || !new_inode)))
goto skip;
if (check_only) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 442/554] f2fs: use global inline_xattr_slab instead of per-sb slab cache
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 441/554] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 443/554] f2fs: fix to propagate error from f2fs_enable_checkpoint() Greg Kroah-Hartman
` (117 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Hong Yun, Chao Yu,
Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 1f27ef42bb0b7c0740c5616ec577ec188b8a1d05 ]
As Hong Yun reported in mailing list:
loop7: detected capacity change from 0 to 131072
------------[ cut here ]------------
kmem_cache of name 'f2fs_xattr_entry-7:7' already exists
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 kmem_cache_sanity_check mm/slab_common.c:109 [inline]
WARNING: CPU: 0 PID: 24426 at mm/slab_common.c:110 __kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
CPU: 0 UID: 0 PID: 24426 Comm: syz.7.1370 Not tainted 6.17.0-rc4 #1 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kmem_cache_sanity_check mm/slab_common.c:109 [inline]
RIP: 0010:__kmem_cache_create_args+0xa6/0x320 mm/slab_common.c:307
Call Trace:
__kmem_cache_create include/linux/slab.h:353 [inline]
f2fs_kmem_cache_create fs/f2fs/f2fs.h:2943 [inline]
f2fs_init_xattr_caches+0xa5/0xe0 fs/f2fs/xattr.c:843
f2fs_fill_super+0x1645/0x2620 fs/f2fs/super.c:4918
get_tree_bdev_flags+0x1fb/0x260 fs/super.c:1692
vfs_get_tree+0x43/0x140 fs/super.c:1815
do_new_mount+0x201/0x550 fs/namespace.c:3808
do_mount fs/namespace.c:4136 [inline]
__do_sys_mount fs/namespace.c:4347 [inline]
__se_sys_mount+0x298/0x2f0 fs/namespace.c:4324
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8e/0x3a0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x76/0x7e
The bug can be reproduced w/ below scripts:
- mount /dev/vdb /mnt1
- mount /dev/vdc /mnt2
- umount /mnt1
- mounnt /dev/vdb /mnt1
The reason is if we created two slab caches, named f2fs_xattr_entry-7:3
and f2fs_xattr_entry-7:7, and they have the same slab size. Actually,
slab system will only create one slab cache core structure which has
slab name of "f2fs_xattr_entry-7:3", and two slab caches share the same
structure and cache address.
So, if we destroy f2fs_xattr_entry-7:3 cache w/ cache address, it will
decrease reference count of slab cache, rather than release slab cache
entirely, since there is one more user has referenced the cache.
Then, if we try to create slab cache w/ name "f2fs_xattr_entry-7:3" again,
slab system will find that there is existed cache which has the same name
and trigger the warning.
Let's changes to use global inline_xattr_slab instead of per-sb slab cache
for fixing.
Fixes: a999150f4fe3 ("f2fs: use kmem_cache pool during inline xattr lookups")
Cc: stable@kernel.org
Reported-by: Hong Yun <yhong@link.cuhk.edu.hk>
Tested-by: Hong Yun <yhong@link.cuhk.edu.hk>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ folio => page + different module init/exit ordering ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 3 ---
fs/f2fs/super.c | 15 +++++++--------
fs/f2fs/xattr.c | 32 +++++++++++---------------------
fs/f2fs/xattr.h | 10 ++++++----
4 files changed, 24 insertions(+), 36 deletions(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -1763,9 +1763,6 @@ struct f2fs_sb_info {
struct workqueue_struct *post_read_wq; /* post read workqueue */
- struct kmem_cache *inline_xattr_slab; /* inline xattr entry */
- unsigned int inline_xattr_slab_size; /* default inline xattr slab size */
-
/* For reclaimed segs statistics per each GC mode */
unsigned int gc_segment_mode; /* GC state for reclaimed segments */
unsigned int gc_reclaimed_segs[MAX_GC_MODE]; /* Reclaimed segs for each mode */
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1655,7 +1655,6 @@ static void f2fs_put_super(struct super_
destroy_device_list(sbi);
f2fs_destroy_page_array_cache(sbi);
- f2fs_destroy_xattr_caches(sbi);
mempool_destroy(sbi->write_io_dummy);
#ifdef CONFIG_QUOTA
for (i = 0; i < MAXQUOTAS; i++)
@@ -4166,13 +4165,9 @@ try_onemore:
}
}
- /* init per sbi slab cache */
- err = f2fs_init_xattr_caches(sbi);
- if (err)
- goto free_io_dummy;
err = f2fs_init_page_array_cache(sbi);
if (err)
- goto free_xattr_cache;
+ goto free_io_dummy;
/* get an inode for meta space */
sbi->meta_inode = f2fs_iget(sb, F2FS_META_INO(sbi));
@@ -4492,8 +4487,6 @@ free_meta_inode:
sbi->meta_inode = NULL;
free_page_array_cache:
f2fs_destroy_page_array_cache(sbi);
-free_xattr_cache:
- f2fs_destroy_xattr_caches(sbi);
free_io_dummy:
mempool_destroy(sbi->write_io_dummy);
free_percpu:
@@ -4660,7 +4653,12 @@ static int __init init_f2fs_fs(void)
err = f2fs_create_casefold_cache();
if (err)
goto free_compress_cache;
+ err = f2fs_init_xattr_cache();
+ if (err)
+ goto free_casefold_cache;
return 0;
+free_casefold_cache:
+ f2fs_destroy_casefold_cache();
free_compress_cache:
f2fs_destroy_compress_cache();
free_compress_mempool:
@@ -4700,6 +4698,7 @@ fail:
static void __exit exit_f2fs_fs(void)
{
+ f2fs_destroy_xattr_cache();
f2fs_destroy_casefold_cache();
f2fs_destroy_compress_cache();
f2fs_destroy_compress_mempool();
--- a/fs/f2fs/xattr.c
+++ b/fs/f2fs/xattr.c
@@ -23,11 +23,12 @@
#include "xattr.h"
#include "segment.h"
+static struct kmem_cache *inline_xattr_slab;
static void *xattr_alloc(struct f2fs_sb_info *sbi, int size, bool *is_inline)
{
- if (likely(size == sbi->inline_xattr_slab_size)) {
+ if (likely(size == DEFAULT_XATTR_SLAB_SIZE)) {
*is_inline = true;
- return f2fs_kmem_cache_alloc(sbi->inline_xattr_slab,
+ return f2fs_kmem_cache_alloc(inline_xattr_slab,
GFP_F2FS_ZERO, false, sbi);
}
*is_inline = false;
@@ -38,7 +39,7 @@ static void xattr_free(struct f2fs_sb_in
bool is_inline)
{
if (is_inline)
- kmem_cache_free(sbi->inline_xattr_slab, xattr_addr);
+ kmem_cache_free(inline_xattr_slab, xattr_addr);
else
kfree(xattr_addr);
}
@@ -818,25 +819,14 @@ int f2fs_setxattr(struct inode *inode, i
return err;
}
-int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi)
+int __init f2fs_init_xattr_cache(void)
{
- dev_t dev = sbi->sb->s_bdev->bd_dev;
- char slab_name[32];
-
- sprintf(slab_name, "f2fs_xattr_entry-%u:%u", MAJOR(dev), MINOR(dev));
-
- sbi->inline_xattr_slab_size = F2FS_OPTION(sbi).inline_xattr_size *
- sizeof(__le32) + XATTR_PADDING_SIZE;
-
- sbi->inline_xattr_slab = f2fs_kmem_cache_create(slab_name,
- sbi->inline_xattr_slab_size);
- if (!sbi->inline_xattr_slab)
- return -ENOMEM;
-
- return 0;
+ inline_xattr_slab = f2fs_kmem_cache_create("f2fs_xattr_entry",
+ DEFAULT_XATTR_SLAB_SIZE);
+ return inline_xattr_slab ? 0 : -ENOMEM;
}
-void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi)
+void f2fs_destroy_xattr_cache(void)
{
- kmem_cache_destroy(sbi->inline_xattr_slab);
-}
+ kmem_cache_destroy(inline_xattr_slab);
+}
\ No newline at end of file
--- a/fs/f2fs/xattr.h
+++ b/fs/f2fs/xattr.h
@@ -88,6 +88,8 @@ struct f2fs_xattr_entry {
F2FS_TOTAL_EXTRA_ATTR_SIZE / sizeof(__le32) - \
DEF_INLINE_RESERVED_SIZE - \
MIN_INLINE_DENTRY_SIZE / sizeof(__le32))
+#define DEFAULT_XATTR_SLAB_SIZE (DEFAULT_INLINE_XATTR_ADDRS * \
+ sizeof(__le32) + XATTR_PADDING_SIZE)
/*
* On-disk structure of f2fs_xattr
@@ -131,8 +133,8 @@ extern int f2fs_setxattr(struct inode *,
extern int f2fs_getxattr(struct inode *, int, const char *, void *,
size_t, struct page *);
extern ssize_t f2fs_listxattr(struct dentry *, char *, size_t);
-extern int f2fs_init_xattr_caches(struct f2fs_sb_info *);
-extern void f2fs_destroy_xattr_caches(struct f2fs_sb_info *);
+int __init f2fs_init_xattr_cache(void);
+void f2fs_destroy_xattr_cache(void);
#else
#define f2fs_xattr_handlers NULL
@@ -149,8 +151,8 @@ static inline int f2fs_getxattr(struct i
{
return -EOPNOTSUPP;
}
-static inline int f2fs_init_xattr_caches(struct f2fs_sb_info *sbi) { return 0; }
-static inline void f2fs_destroy_xattr_caches(struct f2fs_sb_info *sbi) { }
+static inline int __init f2fs_init_xattr_cache(void) { return 0; }
+static inline void f2fs_destroy_xattr_cache(void) { }
#endif
#ifdef CONFIG_F2FS_FS_SECURITY
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 443/554] f2fs: fix to propagate error from f2fs_enable_checkpoint()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 442/554] f2fs: use global inline_xattr_slab instead of per-sb slab cache Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 444/554] f2fs: fix to avoid updating zero-sized extent in extent cache Greg Kroah-Hartman
` (116 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Chao Yu, Jaegeuk Kim,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit be112e7449a6e1b54aa9feac618825d154b3a5c7 ]
In order to let userspace detect such error rather than suffering
silent failure.
Fixes: 4354994f097d ("f2fs: checkpoint disabling")
Cc: stable@kernel.org
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[ Adjust context, no rollback ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2177,9 +2177,10 @@ restore_flag:
return err;
}
-static void f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
+static int f2fs_enable_checkpoint(struct f2fs_sb_info *sbi)
{
int retry = DEFAULT_RETRY_IO_COUNT;
+ int ret;
/* we should flush all the data to keep data consistency */
do {
@@ -2197,10 +2198,14 @@ static void f2fs_enable_checkpoint(struc
set_sbi_flag(sbi, SBI_IS_DIRTY);
up_write(&sbi->gc_lock);
- f2fs_sync_fs(sbi->sb, 1);
+ ret = f2fs_sync_fs(sbi->sb, 1);
+ if (ret)
+ f2fs_err(sbi, "%s sync_fs failed, ret: %d", __func__, ret);
/* Let's ensure there's no pending checkpoint anymore */
f2fs_flush_ckpt_thread(sbi);
+
+ return ret;
}
static int f2fs_remount(struct super_block *sb, int *flags, char *data)
@@ -2416,7 +2421,9 @@ static int f2fs_remount(struct super_blo
if (err)
goto restore_discard;
} else {
- f2fs_enable_checkpoint(sbi);
+ err = f2fs_enable_checkpoint(sbi);
+ if (err)
+ goto restore_discard;
}
}
@@ -4397,13 +4404,12 @@ reset_checkpoint:
/* f2fs_recover_fsync_data() cleared this already */
clear_sbi_flag(sbi, SBI_POR_DOING);
- if (test_opt(sbi, DISABLE_CHECKPOINT)) {
+ if (test_opt(sbi, DISABLE_CHECKPOINT))
err = f2fs_disable_checkpoint(sbi);
- if (err)
- goto sync_free_meta;
- } else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG)) {
- f2fs_enable_checkpoint(sbi);
- }
+ else if (is_set_ckpt_flags(sbi, CP_DISABLED_FLAG))
+ err = f2fs_enable_checkpoint(sbi);
+ if (err)
+ goto sync_free_meta;
/*
* If filesystem is not mounted as read-only then
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 444/554] f2fs: fix to avoid updating zero-sized extent in extent cache
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 443/554] f2fs: fix to propagate error from f2fs_enable_checkpoint() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 445/554] usb: dwc3: keep susphy enabled during exit to avoid controller faults Greg Kroah-Hartman
` (115 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, syzbot+24124df3170c3638b35f,
Chao Yu, Jaegeuk Kim, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chao Yu <chao@kernel.org>
[ Upstream commit 7c37c79510329cd951a4dedf3f7bf7e2b18dccec ]
As syzbot reported:
F2FS-fs (loop0): __update_extent_tree_range: extent len is zero, type: 0, extent [0, 0, 0], age [0, 0]
------------[ cut here ]------------
kernel BUG at fs/f2fs/extent_cache.c:678!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__update_extent_tree_range+0x13bc/0x1500 fs/f2fs/extent_cache.c:678
Call Trace:
<TASK>
f2fs_update_read_extent_cache_range+0x192/0x3e0 fs/f2fs/extent_cache.c:1085
f2fs_do_zero_range fs/f2fs/file.c:1657 [inline]
f2fs_zero_range+0x10c1/0x1580 fs/f2fs/file.c:1737
f2fs_fallocate+0x583/0x990 fs/f2fs/file.c:2030
vfs_fallocate+0x669/0x7e0 fs/open.c:342
ioctl_preallocate fs/ioctl.c:289 [inline]
file_ioctl+0x611/0x780 fs/ioctl.c:-1
do_vfs_ioctl+0xb33/0x1430 fs/ioctl.c:576
__do_sys_ioctl fs/ioctl.c:595 [inline]
__se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f07bc58eec9
In error path of f2fs_zero_range(), it may add a zero-sized extent
into extent cache, it should be avoided.
Fixes: 6e9619499f53 ("f2fs: support in batch fzero in dnode page")
Cc: stable@kernel.org
Reported-by: syzbot+24124df3170c3638b35f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/68e5d698.050a0220.256323.0032.GAE@google.com
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/file.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1470,7 +1470,8 @@ static int f2fs_do_zero_range(struct dno
f2fs_set_data_blkaddr(dn);
}
- f2fs_update_extent_cache_range(dn, start, 0, index - start);
+ if (index > start)
+ f2fs_update_extent_cache_range(dn, start, 0, index - start);
return ret;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 445/554] usb: dwc3: keep susphy enabled during exit to avoid controller faults
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 444/554] f2fs: fix to avoid updating zero-sized extent in extent cache Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 446/554] mptcp: pm: ignore unknown endpoint flags Greg Kroah-Hartman
` (114 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Thinh Nguyen, Udipto Goswami,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
[ Upstream commit e1003aa7ec9eccdde4c926bd64ef42816ad55f25 ]
On some platforms, switching USB roles from host to device can trigger
controller faults due to premature PHY power-down. This occurs when the
PHY is disabled too early during teardown, causing synchronization
issues between the PHY and controller.
Keep susphy enabled during dwc3_host_exit() and dwc3_gadget_exit()
ensures the PHY remains in a low-power state capable of handling
required commands during role switch.
Cc: stable <stable@kernel.org>
Fixes: 6d735722063a ("usb: dwc3: core: Prevent phy suspend during init")
Suggested-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Udipto Goswami <udipto.goswami@oss.qualcomm.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/20251126054221.120638-1-udipto.goswami@oss.qualcomm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/gadget.c | 2 +-
drivers/usb/dwc3/host.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -4585,7 +4585,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
if (!dwc->gadget)
return;
- dwc3_enable_susphy(dwc, false);
+ dwc3_enable_susphy(dwc, true);
usb_del_gadget(dwc->gadget);
dwc3_gadget_free_endpoints(dwc);
usb_put_gadget(dwc->gadget);
--- a/drivers/usb/dwc3/host.c
+++ b/drivers/usb/dwc3/host.c
@@ -157,7 +157,7 @@ err:
void dwc3_host_exit(struct dwc3 *dwc)
{
- dwc3_enable_susphy(dwc, false);
+ dwc3_enable_susphy(dwc, true);
platform_device_unregister(dwc->xhci);
dwc->xhci = NULL;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 446/554] mptcp: pm: ignore unknown endpoint flags
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 445/554] usb: dwc3: keep susphy enabled during exit to avoid controller faults Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 447/554] usb: ohci-nxp: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
` (113 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
[ Upstream commit 0ace3297a7301911e52d8195cb1006414897c859 ]
Before this patch, the kernel was saving any flags set by the userspace,
even unknown ones. This doesn't cause critical issues because the kernel
is only looking at specific ones. But on the other hand, endpoints dumps
could tell the userspace some recent flags seem to be supported on older
kernel versions.
Instead, ignore all unknown flags when parsing them. By doing that, the
userspace can continue to set unsupported flags, but it has a way to
verify what is supported by the kernel.
Note that it sounds better to continue accepting unsupported flags not
to change the behaviour, but also that eases things on the userspace
side by adding "optional" endpoint types only supported by newer kernel
versions without having to deal with the different kernel versions.
A note for the backports: there will be conflicts in mptcp.h on older
versions not having the mentioned flags, the new line should still be
added last, and the '5' needs to be adapted to have the same value as
the last entry.
Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20251205-net-mptcp-misc-fixes-6-19-rc1-v1-1-9e4781a6c1b8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ GENMASK(5, 0) => GENMASK(3, 0) + context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/mptcp.h | 1 +
net/mptcp/pm_netlink.c | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
--- a/include/uapi/linux/mptcp.h
+++ b/include/uapi/linux/mptcp.h
@@ -74,6 +74,7 @@ enum {
#define MPTCP_PM_ADDR_FLAG_SUBFLOW (1 << 1)
#define MPTCP_PM_ADDR_FLAG_BACKUP (1 << 2)
#define MPTCP_PM_ADDR_FLAG_FULLMESH (1 << 3)
+#define MPTCP_PM_ADDR_FLAGS_MASK GENMASK(3, 0)
enum {
MPTCP_PM_CMD_UNSPEC,
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1294,7 +1294,8 @@ skip_family:
entry->addr.id = nla_get_u8(tb[MPTCP_PM_ADDR_ATTR_ID]);
if (tb[MPTCP_PM_ADDR_ATTR_FLAGS])
- entry->flags = nla_get_u32(tb[MPTCP_PM_ADDR_ATTR_FLAGS]);
+ entry->flags = nla_get_u32(tb[MPTCP_PM_ADDR_ATTR_FLAGS]) &
+ MPTCP_PM_ADDR_FLAGS_MASK;
if (tb[MPTCP_PM_ADDR_ATTR_PORT]) {
if (!(entry->flags & MPTCP_PM_ADDR_FLAG_SIGNAL)) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 447/554] usb: ohci-nxp: Use helper function devm_clk_get_enabled()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 446/554] mptcp: pm: ignore unknown endpoint flags Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 448/554] usb: ohci-nxp: fix device leak on probe failure Greg Kroah-Hartman
` (112 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Zekun, Alan Stern, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Zekun <zhangzekun11@huawei.com>
[ Upstream commit c146ede472717f352b7283a525bd9a1a2b15e2cf ]
devm_clk_get() and clk_prepare_enable() can be replaced by helper
function devm_clk_get_enabled(). Let's use devm_clk_get_enabled() to
simplify code and avoid calling clk_disable_unprepare().
Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20240902123020.29267-3-zhangzekun11@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: b4c61e542faf ("usb: ohci-nxp: fix device leak on probe failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/ohci-nxp.c | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
--- a/drivers/usb/host/ohci-nxp.c
+++ b/drivers/usb/host/ohci-nxp.c
@@ -51,8 +51,6 @@ static struct hc_driver __read_mostly oh
static struct i2c_client *isp1301_i2c_client;
-static struct clk *usb_host_clk;
-
static void isp1301_configure_lpc32xx(void)
{
/* LPC32XX only supports DAT_SE0 USB mode */
@@ -155,6 +153,7 @@ static int ohci_hcd_nxp_probe(struct pla
struct resource *res;
int ret = 0, irq;
struct device_node *isp1301_node;
+ struct clk *usb_host_clk;
if (pdev->dev.of_node) {
isp1301_node = of_parse_phandle(pdev->dev.of_node,
@@ -180,26 +179,20 @@ static int ohci_hcd_nxp_probe(struct pla
}
/* Enable USB host clock */
- usb_host_clk = devm_clk_get(&pdev->dev, NULL);
+ usb_host_clk = devm_clk_get_enabled(&pdev->dev, NULL);
if (IS_ERR(usb_host_clk)) {
- dev_err(&pdev->dev, "failed to acquire USB OHCI clock\n");
+ dev_err(&pdev->dev, "failed to acquire and start USB OHCI clock\n");
ret = PTR_ERR(usb_host_clk);
goto fail_disable;
}
- ret = clk_prepare_enable(usb_host_clk);
- if (ret < 0) {
- dev_err(&pdev->dev, "failed to start USB OHCI clock\n");
- goto fail_disable;
- }
-
isp1301_configure();
hcd = usb_create_hcd(driver, &pdev->dev, dev_name(&pdev->dev));
if (!hcd) {
dev_err(&pdev->dev, "Failed to allocate HC buffer\n");
ret = -ENOMEM;
- goto fail_hcd;
+ goto fail_disable;
}
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
@@ -230,8 +223,6 @@ static int ohci_hcd_nxp_probe(struct pla
ohci_nxp_stop_hc();
fail_resource:
usb_put_hcd(hcd);
-fail_hcd:
- clk_disable_unprepare(usb_host_clk);
fail_disable:
isp1301_i2c_client = NULL;
return ret;
@@ -244,7 +235,6 @@ static int ohci_hcd_nxp_remove(struct pl
usb_remove_hcd(hcd);
ohci_nxp_stop_hc();
usb_put_hcd(hcd);
- clk_disable_unprepare(usb_host_clk);
isp1301_i2c_client = NULL;
return 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 448/554] usb: ohci-nxp: fix device leak on probe failure
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 447/554] usb: ohci-nxp: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 449/554] fuse: fix readahead reclaim deadlock Greg Kroah-Hartman
` (111 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ma Ke, Johan Hovold, Alan Stern,
Vladimir Zapolskiy, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit b4c61e542faf8c9131d69ecfc3ad6de96d1b2ab8 ]
Make sure to drop the reference taken when looking up the PHY I2C device
during probe on probe failure (e.g. probe deferral) and on driver
unbind.
Fixes: 73108aa90cbf ("USB: ohci-nxp: Use isp1301 driver")
Cc: stable@vger.kernel.org # 3.5
Reported-by: Ma Ke <make24@iscas.ac.cn>
Link: https://lore.kernel.org/lkml/20251117013428.21840-1-make24@iscas.ac.cn/
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-4-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/ohci-nxp.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/host/ohci-nxp.c
+++ b/drivers/usb/host/ohci-nxp.c
@@ -224,6 +224,7 @@ static int ohci_hcd_nxp_probe(struct pla
fail_resource:
usb_put_hcd(hcd);
fail_disable:
+ put_device(&isp1301_i2c_client->dev);
isp1301_i2c_client = NULL;
return ret;
}
@@ -235,6 +236,7 @@ static int ohci_hcd_nxp_remove(struct pl
usb_remove_hcd(hcd);
ohci_nxp_stop_hc();
usb_put_hcd(hcd);
+ put_device(&isp1301_i2c_client->dev);
isp1301_i2c_client = NULL;
return 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 449/554] fuse: fix readahead reclaim deadlock
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 448/554] usb: ohci-nxp: fix device leak on probe failure Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 450/554] ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Greg Kroah-Hartman
` (110 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joanne Koong, Omar Sandoval,
Miklos Szeredi, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joanne Koong <joannelkoong@gmail.com>
[ Upstream commit bd5603eaae0aabf527bfb3ce1bb07e979ce5bd50 ]
Commit e26ee4efbc79 ("fuse: allocate ff->release_args only if release is
needed") skips allocating ff->release_args if the server does not
implement open. However in doing so, fuse_prepare_release() now skips
grabbing the reference on the inode, which makes it possible for an
inode to be evicted from the dcache while there are inflight readahead
requests. This causes a deadlock if the server triggers reclaim while
servicing the readahead request and reclaim attempts to evict the inode
of the file being read ahead. Since the folio is locked during
readahead, when reclaim evicts the fuse inode and fuse_evict_inode()
attempts to remove all folios associated with the inode from the page
cache (truncate_inode_pages_range()), reclaim will block forever waiting
for the lock since readahead cannot relinquish the lock because it is
itself blocked in reclaim:
>>> stack_trace(1504735)
folio_wait_bit_common (mm/filemap.c:1308:4)
folio_lock (./include/linux/pagemap.h:1052:3)
truncate_inode_pages_range (mm/truncate.c:336:10)
fuse_evict_inode (fs/fuse/inode.c:161:2)
evict (fs/inode.c:704:3)
dentry_unlink_inode (fs/dcache.c:412:3)
__dentry_kill (fs/dcache.c:615:3)
shrink_kill (fs/dcache.c:1060:12)
shrink_dentry_list (fs/dcache.c:1087:3)
prune_dcache_sb (fs/dcache.c:1168:2)
super_cache_scan (fs/super.c:221:10)
do_shrink_slab (mm/shrinker.c:435:9)
shrink_slab (mm/shrinker.c:626:10)
shrink_node (mm/vmscan.c:5951:2)
shrink_zones (mm/vmscan.c:6195:3)
do_try_to_free_pages (mm/vmscan.c:6257:3)
do_swap_page (mm/memory.c:4136:11)
handle_pte_fault (mm/memory.c:5562:10)
handle_mm_fault (mm/memory.c:5870:9)
do_user_addr_fault (arch/x86/mm/fault.c:1338:10)
handle_page_fault (arch/x86/mm/fault.c:1481:3)
exc_page_fault (arch/x86/mm/fault.c:1539:2)
asm_exc_page_fault+0x22/0x27
Fix this deadlock by allocating ff->release_args and grabbing the
reference on the inode when preparing the file for release even if the
server does not implement open. The inode reference will be dropped when
the last reference on the fuse file is dropped (see fuse_file_put() ->
fuse_release_end()).
Fixes: e26ee4efbc79 ("fuse: allocate ff->release_args only if release is needed")
Cc: stable@vger.kernel.org
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
Reported-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/fuse/file.c | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -112,7 +112,9 @@ static void fuse_file_put(struct fuse_fi
struct fuse_args *args = (ra ? &ra->args : NULL);
if (!args) {
- /* Do nothing when server does not implement 'open' */
+ /* Do nothing when server does not implement 'opendir' */
+ } else if (args->opcode == FUSE_RELEASE && ff->fm->fc->no_open) {
+ fuse_release_end(ff->fm, args, 0);
} else if (sync) {
fuse_simple_request(ff->fm, args);
fuse_release_end(ff->fm, args, 0);
@@ -133,8 +135,17 @@ struct fuse_file *fuse_file_open(struct
struct fuse_file *ff;
int opcode = isdir ? FUSE_OPENDIR : FUSE_OPEN;
bool open = isdir ? !fc->no_opendir : !fc->no_open;
+ bool release = !isdir || open;
- ff = fuse_file_alloc(fm, open);
+ /*
+ * ff->args->release_args still needs to be allocated (so we can hold an
+ * inode reference while there are pending inflight file operations when
+ * ->release() is called, see fuse_prepare_release()) even if
+ * fc->no_open is set else it becomes possible for reclaim to deadlock
+ * if while servicing the readahead request the server triggers reclaim
+ * and reclaim evicts the inode of the file being read ahead.
+ */
+ ff = fuse_file_alloc(fm, release);
if (!ff)
return ERR_PTR(-ENOMEM);
@@ -153,13 +164,14 @@ struct fuse_file *fuse_file_open(struct
fuse_file_free(ff);
return ERR_PTR(err);
} else {
- /* No release needed */
- kfree(ff->release_args);
- ff->release_args = NULL;
- if (isdir)
+ if (isdir) {
+ /* No release needed */
+ kfree(ff->release_args);
+ ff->release_args = NULL;
fc->no_opendir = 1;
- else
+ } else {
fc->no_open = 1;
+ }
}
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 450/554] ARM: dts: microchip: sama7g5: fix uart fifo size to 32
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 449/554] fuse: fix readahead reclaim deadlock Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 451/554] svcrdma: bound check rq_pages index in inline path Greg Kroah-Hartman
` (109 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Ferre, Claudiu Beznea,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Ferre <nicolas.ferre@microchip.com>
[ Upstream commit 5654889a94b0de5ad6ceae3793e7f5e0b61b50b6 ]
On some flexcom nodes related to uart, the fifo sizes were wrong: fix
them to 32 data.
Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek")
Cc: stable@vger.kernel.org # 5.15+
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20251114103313.20220-2-nicolas.ferre@microchip.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/sama7g5.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm/boot/dts/sama7g5.dtsi
+++ b/arch/arm/boot/dts/sama7g5.dtsi
@@ -375,7 +375,7 @@
dma-names = "tx", "rx";
atmel,use-dma-rx;
atmel,use-dma-tx;
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
};
@@ -400,7 +400,7 @@
dma-names = "tx", "rx";
atmel,use-dma-rx;
atmel,use-dma-tx;
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
};
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 451/554] svcrdma: bound check rq_pages index in inline path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 450/554] ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 452/554] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Greg Kroah-Hartman
` (108 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
[ Upstream commit d1bea0ce35b6095544ee82bb54156fc62c067e58 ]
svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without
verifying rc_curpage stays within the allocated page array. Add guards
before the first use and after advancing to a new page.
Fixes: d7cc73972661 ("svcrdma: support multiple Read chunks per RPC")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ adapted rc_curpage and rq_maxpages fields to ri_pageno and RPCSVC_MAXPAGES constant ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/xprtrdma/svc_rdma_rw.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c
@@ -789,6 +789,9 @@ static int svc_rdma_copy_inline_range(st
for (page_no = 0; page_no < numpages; page_no++) {
unsigned int page_len;
+ if (info->ri_pageno >= RPCSVC_MAXPAGES)
+ return -EINVAL;
+
page_len = min_t(unsigned int, remaining,
PAGE_SIZE - info->ri_pageoff);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 452/554] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 451/554] svcrdma: bound check rq_pages index in inline path Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 453/554] crypto: af_alg - zero initialize memory allocated via sock_kmalloc Greg Kroah-Hartman
` (107 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicolas Ferre, Claudiu Beznea,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Ferre <nicolas.ferre@microchip.com>
[ Upstream commit 7d5864dc5d5ea6a35983dd05295fb17f2f2f44ce ]
Unlike standalone spi peripherals, on sama5d2, the flexcom spi have fifo
size of 32 data. Fix flexcom/spi nodes where this property is wrong.
Fixes: 6b9a3584c7ed ("ARM: dts: at91: sama5d2: Add missing flexcom definitions")
Cc: stable@vger.kernel.org # 5.8+
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20251114140225.30372-1-nicolas.ferre@microchip.com
Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/sama5d2.dtsi | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/arch/arm/boot/dts/sama5d2.dtsi
+++ b/arch/arm/boot/dts/sama5d2.dtsi
@@ -555,7 +555,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(12))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -625,7 +625,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(14))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -835,7 +835,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(16))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -925,7 +925,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(18))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
@@ -976,7 +976,7 @@
AT91_XDMAC_DT_PER_IF(1) |
AT91_XDMAC_DT_PERID(20))>;
dma-names = "tx", "rx";
- atmel,fifo-size = <16>;
+ atmel,fifo-size = <32>;
status = "disabled";
};
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 453/554] crypto: af_alg - zero initialize memory allocated via sock_kmalloc
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 452/554] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 454/554] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Greg Kroah-Hartman
` (106 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shivani Agarwal, Herbert Xu,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shivani Agarwal <shivani.agarwal@broadcom.com>
[ Upstream commit 6f6e309328d53a10c0fe1f77dec2db73373179b6 ]
Several crypto user API contexts and requests allocated with
sock_kmalloc() were left uninitialized, relying on callers to
set fields explicitly. This resulted in the use of uninitialized
data in certain error paths or when new fields are added in the
future.
The ACVP patches also contain two user-space interface files:
algif_kpp.c and algif_akcipher.c. These too rely on proper
initialization of their context structures.
A particular issue has been observed with the newly added
'inflight' variable introduced in af_alg_ctx by commit:
67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Because the context is not memset to zero after allocation,
the inflight variable has contained garbage values. As a result,
af_alg_alloc_areq() has incorrectly returned -EBUSY randomly when
the garbage value was interpreted as true:
https://github.com/gregkh/linux/blame/master/crypto/af_alg.c#L1209
The check directly tests ctx->inflight without explicitly
comparing against true/false. Since inflight is only ever set to
true or false later, an uninitialized value has triggered
-EBUSY failures. Zero-initializing memory allocated with
sock_kmalloc() ensures inflight and other fields start in a known
state, removing random issues caused by uninitialized data.
Fixes: fe869cdb89c9 ("crypto: algif_hash - User-space interface for hash operations")
Fixes: 5afdfd22e6ba ("crypto: algif_rng - add random number generator support")
Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code")
Fixes: 67b164a871af ("crypto: af_alg - Disallow multiple in-flight AIO requests")
Cc: stable@vger.kernel.org
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/af_alg.c | 5 ++---
crypto/algif_hash.c | 3 +--
crypto/algif_rng.c | 3 +--
3 files changed, 4 insertions(+), 7 deletions(-)
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -1139,14 +1139,13 @@ struct af_alg_async_req *af_alg_alloc_ar
if (unlikely(!areq))
return ERR_PTR(-ENOMEM);
+ memset(areq, 0, areqlen);
+
ctx->inflight = true;
areq->areqlen = areqlen;
areq->sk = sk;
- areq->last_rsgl = NULL;
INIT_LIST_HEAD(&areq->rsgl_list);
- areq->tsgl = NULL;
- areq->tsgl_entries = 0;
return areq;
}
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -423,9 +423,8 @@ static int hash_accept_parent_nokey(void
if (!ctx)
return -ENOMEM;
- ctx->result = NULL;
+ memset(ctx, 0, len);
ctx->len = len;
- ctx->more = false;
crypto_init_wait(&ctx->wait);
ask->private = ctx;
--- a/crypto/algif_rng.c
+++ b/crypto/algif_rng.c
@@ -250,9 +250,8 @@ static int rng_accept_parent(void *priva
if (!ctx)
return -ENOMEM;
+ memset(ctx, 0, len);
ctx->len = len;
- ctx->addtl = NULL;
- ctx->addtl_len = 0;
/*
* No seeding done at that point -- if multiple accepts are
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 454/554] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 453/554] crypto: af_alg - zero initialize memory allocated via sock_kmalloc Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 455/554] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Greg Kroah-Hartman
` (105 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Sean Christopherson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
[ Upstream commit 7c8b465a1c91f674655ea9cec5083744ec5f796a ]
Mark the VMCB_NPT bit as dirty in nested_vmcb02_prepare_save()
on every nested VMRUN.
If L1 changes the PAT MSR between two VMRUN instructions on the same
L1 vCPU, the g_pat field in the associated vmcb02 will change, and the
VMCB_NPT clean bit should be cleared.
Fixes: 4bb170a5430b ("KVM: nSVM: do not mark all VMCB02 fields dirty on nested vmexit")
Cc: stable@vger.kernel.org
Signed-off-by: Jim Mattson <jmattson@google.com>
Link: https://lore.kernel.org/r/20250922162935.621409-3-jmattson@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ adapted vmcb02 local variable to svm->vmcb direct access pattern ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -456,6 +456,7 @@ static void nested_vmcb02_prepare_save(s
bool new_vmcb12 = false;
nested_vmcb02_compute_g_pat(svm);
+ vmcb_mark_dirty(svm->vmcb, VMCB_NPT);
/* Load the nested guest state */
if (svm->nested.vmcb12_gpa != svm->nested.last_vmcb12_gpa) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 455/554] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 454/554] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 456/554] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() Greg Kroah-Hartman
` (104 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Rogers, Chuck Lever,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Rogers <linux@joshua.hu>
[ Upstream commit d4b69a6186b215d2dc1ebcab965ed88e8d41768d ]
A zero length gss_token results in pages == 0 and in_token->pages[0]
is NULL. The code unconditionally evaluates
page_address(in_token->pages[0]) for the initial memcpy, which can
dereference NULL even when the copy length is 0. Guard the first
memcpy so it only runs when length > 0.
Fixes: 5866efa8cbfb ("SUNRPC: Fix svcauth_gss_proxy_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Rogers <linux@joshua.hu>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ adapted xdr buffer pointer API to older argv iov_base/iov_len API ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/auth_gss/svcauth_gss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1179,7 +1179,8 @@ static int gss_read_proxy_verf(struct sv
}
length = min_t(unsigned int, inlen, argv->iov_len);
- memcpy(page_address(in_token->pages[0]), argv->iov_base, length);
+ if (length)
+ memcpy(page_address(in_token->pages[0]), argv->iov_base, length);
inlen -= length;
to_offs = length;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 456/554] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 455/554] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 457/554] media: vpif_capture: fix section mismatch Greg Kroah-Hartman
` (103 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li,
AngeloGioacchino Del Regno, Tzung-Bi Shih, Nicolas Dufresne,
Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <haoxiang_li2024@163.com>
[ Upstream commit cdd0f118ef87db8a664fb5ea366fd1766d2df1cd ]
vpu_get_plat_device() increases the reference count of the returned
platform device. However, when devm_kzalloc() fails, the reference
is not released, causing a reference leak.
Fix this by calling put_device() on fw_pdev->dev before returning
on the error path.
Fixes: e25a89f743b1 ("media: mtk-vcodec: potential dereference of null pointer")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
[ adapted file path from common/ subdirectory and adjusted devm_kzalloc target from plat_dev->dev to dev->plat_dev->dev ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
@@ -94,8 +94,10 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_
vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_handler, dev, rst_id);
fw = devm_kzalloc(&dev->plat_dev->dev, sizeof(*fw), GFP_KERNEL);
- if (!fw)
+ if (!fw) {
+ put_device(&fw_pdev->dev);
return ERR_PTR(-ENOMEM);
+ }
fw->type = VPU;
fw->ops = &mtk_vcodec_vpu_msg;
fw->pdev = fw_pdev;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 457/554] media: vpif_capture: fix section mismatch
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 456/554] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 458/554] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index Greg Kroah-Hartman
` (102 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Hans Verkuil,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 0ef841113724166c3c484d0e9ae6db1eb5634fde ]
Platform drivers can be probed after their init sections have been
discarded (e.g. on probe deferral or manual rebind through sysfs) so the
probe function must not live in init.
Note that commit ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section
mismatch warning") incorrectly suppressed the modpost warning.
Fixes: ffa1b391c61b ("V4L/DVB: vpif_cap/disp: Removed section mismatch warning")
Fixes: 6ffefff5a9e7 ("V4L/DVB (12906c): V4L : vpif capture driver for DM6467")
Cc: stable@vger.kernel.org # 2.6.32
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/davinci/vpif_capture.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/davinci/vpif_capture.c
+++ b/drivers/media/platform/davinci/vpif_capture.c
@@ -1614,7 +1614,7 @@ err_cleanup:
* This creates device entries by register itself to the V4L2 driver and
* initializes fields of each channel objects
*/
-static __init int vpif_probe(struct platform_device *pdev)
+static int vpif_probe(struct platform_device *pdev)
{
struct vpif_subdev_info *subdevdata;
struct i2c_adapter *i2c_adap;
@@ -1817,7 +1817,7 @@ static int vpif_resume(struct device *de
static SIMPLE_DEV_PM_OPS(vpif_pm_ops, vpif_suspend, vpif_resume);
-static __refdata struct platform_driver vpif_driver = {
+static struct platform_driver vpif_driver = {
.driver = {
.name = VPIF_DRIVER_NAME,
.pm = &vpif_pm_ops,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 458/554] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 457/554] media: vpif_capture: fix section mismatch Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 459/554] NFSD: NFSv4 file creation neglects setting ACL Greg Kroah-Hartman
` (101 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Gaignard, Nicolas Dufresne,
Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
[ Upstream commit 47825b1646a6a9eca0f90baa3d4f98947c2add96 ]
Fix the Hantro G2 HEVC decoder so that we use DPB index 0 whenever a
ninvalid index is received from user space. This protects the hardware
from doing faulty memory access which then leads to bus errors.
To be noted that when a reference is missing, userspace such as GStreamer
passes an invalid DPB index of 255. This issue was found by seeking to a
CRA picture using GStreamer. The framework is currently missing the code
to skip over RASL pictures placed after the CRA. This situation can also
occur while doing live streaming over lossy transport.
Fixes: cb5dd5a0fa518 ("media: hantro: Introduce G2/HEVC decoder")
Cc: stable@vger.kernel.org
Reviewed-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/hantro/hantro_g2_hevc_dec.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/drivers/staging/media/hantro/hantro_g2_hevc_dec.c
+++ b/drivers/staging/media/hantro/hantro_g2_hevc_dec.c
@@ -264,6 +264,15 @@ static void set_params(struct hantro_ctx
hantro_reg_write(vpu, &g2_apf_threshold, 8);
}
+static u32 get_dpb_index(const struct v4l2_ctrl_hevc_decode_params *decode_params,
+ const u32 index)
+{
+ if (index > decode_params->num_active_dpb_entries)
+ return 0;
+
+ return index;
+}
+
static void set_ref_pic_list(struct hantro_ctx *ctx)
{
const struct hantro_hevc_dec_ctrls *ctrls = &ctx->hevc_dec.ctrls;
@@ -336,8 +345,10 @@ static void set_ref_pic_list(struct hant
list1[j++] = list1[i++];
for (i = 0; i < V4L2_HEVC_DPB_ENTRIES_NUM_MAX; i++) {
- hantro_reg_write(vpu, &ref_pic_regs0[i], list0[i]);
- hantro_reg_write(vpu, &ref_pic_regs1[i], list1[i]);
+ hantro_reg_write(vpu, &ref_pic_regs0[i],
+ get_dpb_index(decode_params, list0[i]));
+ hantro_reg_write(vpu, &ref_pic_regs1[i],
+ get_dpb_index(decode_params, list1[i]));
}
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 459/554] NFSD: NFSv4 file creation neglects setting ACL
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 458/554] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 460/554] media: samsung: exynos4-is: fix potential ABBA deadlock on init Greg Kroah-Hartman
` (100 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aurelien Couderc, Chuck Lever
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 913f7cf77bf14c13cfea70e89bcb6d0b22239562 ]
An NFSv4 client that sets an ACL with a named principal during file
creation retrieves the ACL afterwards, and finds that it is only a
default ACL (based on the mode bits) and not the ACL that was
requested during file creation. This violates RFC 8881 section
6.4.1.3: "the ACL attribute is set as given".
The issue occurs in nfsd_create_setattr(). On 6.1.y, the check to
determine whether nfsd_setattr() should be called is simply
"iap->ia_valid", which only accounts for iattr changes. When only
an ACL is present (and no iattr fields are set), nfsd_setattr() is
skipped and the POSIX ACL is never applied to the inode.
Subsequently, when the client retrieves the ACL, the server finds
no POSIX ACL on the inode and returns one generated from the file's
mode bits rather than returning the originally-specified ACL.
Reported-by: Aurelien Couderc <aurelien.couderc2002@gmail.com>
Fixes: c0cbe70742f4 ("NFSD: add posix ACLs to struct nfsd_attrs")
Cc: stable@vger.kernel.org
[ cel: Adjust nfsd_create_setattr() instead of nfsd_attrs_valid() ]
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/vfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -1319,7 +1319,7 @@ nfsd_create_setattr(struct svc_rqst *rqs
* Callers expect new file metadata to be committed even
* if the attributes have not changed.
*/
- if (iap->ia_valid)
+ if (iap->ia_valid || attrs->na_pacl || attrs->na_dpacl)
status = nfsd_setattr(rqstp, resfhp, attrs, 0, (time64_t)0);
else
status = nfserrno(commit_metadata(resfhp));
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 460/554] media: samsung: exynos4-is: fix potential ABBA deadlock on init
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 459/554] NFSD: NFSv4 file creation neglects setting ACL Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 461/554] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled Greg Kroah-Hartman
` (99 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Sylwester Nawrocki,
Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit 17dc8ccd6dd5ffe30aa9b0d36e2af1389344ce2b ]
v4l2_device_register_subdev_nodes() must called without taking
media_dev->graph_mutex to avoid potential AB-BA deadlock on further
subdevice driver initialization.
Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration")
Cc: stable@vger.kernel.org
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/exynos4-is/media-dev.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/media/platform/exynos4-is/media-dev.c
+++ b/drivers/media/platform/exynos4-is/media-dev.c
@@ -1411,12 +1411,14 @@ static int subdev_notifier_complete(stru
mutex_lock(&fmd->media_dev.graph_mutex);
ret = fimc_md_create_links(fmd);
- if (ret < 0)
- goto unlock;
+ if (ret < 0) {
+ mutex_unlock(&fmd->media_dev.graph_mutex);
+ return ret;
+ }
- ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
-unlock:
mutex_unlock(&fmd->media_dev.graph_mutex);
+
+ ret = v4l2_device_register_subdev_nodes(&fmd->v4l2_dev);
if (ret < 0)
return ret;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 461/554] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 460/554] media: samsung: exynos4-is: fix potential ABBA deadlock on init Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 462/554] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION Greg Kroah-Hartman
` (98 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Geert Uytterhoeven,
Fabrizio Castro, Hans Verkuil, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 445e1658894fd74eab7e53071fa16233887574ed ]
The function calls of_parse_phandle() which returns
a device node with an incremented reference count. When the bonded device
is not available, the function
returns NULL without releasing the reference, causing a reference leak.
Add of_node_put(np) to release the device node reference.
The of_node_put function handles NULL pointers.
Found through static analysis by reviewing the doc of of_parse_phandle()
and cross-checking its usage patterns across the codebase.
Fixes: 7625ee981af1 ("[media] media: platform: rcar_drif: Add DRIF support")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/rcar_drif.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/rcar_drif.c
+++ b/drivers/media/platform/rcar_drif.c
@@ -1253,6 +1253,7 @@ static struct device_node *rcar_drif_bon
if (np && of_device_is_available(np))
return np;
+ of_node_put(np);
return NULL;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 462/554] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 461/554] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 463/554] PCI: brcmstb: Fix disabling L0s capability Greg Kroah-Hartman
` (97 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand,
Ritesh Harjani (IBM), Christophe Leroy, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit fc6bcf9ac4de76f5e7bcd020b3c0a86faff3f2d5 ]
Patch series "powerpc/pseries/cmm: two smaller fixes".
Two smaller fixes identified while doing a bigger rework.
This patch (of 2):
We always have to initialize the balloon_dev_info, even when compaction is
not configured in: otherwise the containing list and the lock are left
uninitialized.
Likely not many such configs exist in practice, but let's CC stable to
be sure.
This was found by code inspection.
Link: https://lkml.kernel.org/r/20251021100606.148294-1-david@redhat.com
Link: https://lkml.kernel.org/r/20251021100606.148294-2-david@redhat.com
Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ moved balloon_devinfo_init() call from inside cmm_balloon_compaction_init() to cmm_init() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/cmm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/cmm.c
+++ b/arch/powerpc/platforms/pseries/cmm.c
@@ -570,7 +570,6 @@ static int cmm_balloon_compaction_init(v
{
int rc;
- balloon_devinfo_init(&b_dev_info);
b_dev_info.migratepage = cmm_migratepage;
balloon_mnt = kern_mount(&balloon_fs);
@@ -624,6 +623,7 @@ static int cmm_init(void)
if (!firmware_has_feature(FW_FEATURE_CMO) && !simulate)
return -EOPNOTSUPP;
+ balloon_devinfo_init(&b_dev_info);
rc = cmm_balloon_compaction_init();
if (rc)
return rc;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 463/554] PCI: brcmstb: Fix disabling L0s capability
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 462/554] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 464/554] powerpc/64s/slb: Fix SLB multihit issue during SLB preload Greg Kroah-Hartman
` (96 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bjorn Helgaas, Jim Quinlan,
Manivannan Sadhasivam, Florian Fainelli, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Quinlan <james.quinlan@broadcom.com>
[ Upstream commit 9583f9d22991d2cfb5cc59a2552040c4ae98d998 ]
caab002d5069 ("PCI: brcmstb: Disable L0s component of ASPM if requested")
set PCI_EXP_LNKCAP_ASPM_L1 and (optionally) PCI_EXP_LNKCAP_ASPM_L0S in
PCI_EXP_LNKCAP (aka PCIE_RC_CFG_PRIV1_LINK_CAPABILITY in brcmstb).
But instead of using PCI_EXP_LNKCAP_ASPM_L1 and PCI_EXP_LNKCAP_ASPM_L0S
directly, it used PCIE_LINK_STATE_L1 and PCIE_LINK_STATE_L0S, which are
Linux-created values that only coincidentally matched the PCIe spec.
b478e162f227 ("PCI/ASPM: Consolidate link state defines") later changed
them so they no longer matched the PCIe spec, so the bits ended up in the
wrong place in PCI_EXP_LNKCAP.
Use PCI_EXP_LNKCAP_ASPM_L0S to clear L0s support when there's an
'aspm-no-l0s' property. Rely on brcmstb hardware to advertise L0s and/or
L1 support otherwise.
Fixes: caab002d5069 ("PCI: brcmstb: Disable L0s component of ASPM if requested")
Reported-by: Bjorn Helgaas <bhelgaas@google.com>
Closes: https://lore.kernel.org/linux-pci/20250925194424.GA2197200@bhelgaas
Signed-off-by: Jim Quinlan <james.quinlan@broadcom.com>
[mani: reworded subject and description, added closes tag and CCed stable]
Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
[bhelgaas: commit log]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251003170436.1446030-1-james.quinlan@broadcom.com
[ Adjust context in variable declaration ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/controller/pcie-brcmstb.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
--- a/drivers/pci/controller/pcie-brcmstb.c
+++ b/drivers/pci/controller/pcie-brcmstb.c
@@ -44,7 +44,6 @@
#define PCIE_RC_CFG_PRIV1_ID_VAL3_CLASS_CODE_MASK 0xffffff
#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY 0x04dc
-#define PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_ASPM_SUPPORT_MASK 0xc00
#define PCIE_RC_DL_MDIO_ADDR 0x1100
#define PCIE_RC_DL_MDIO_WR_DATA 0x1104
@@ -873,7 +872,7 @@ static int brcm_pcie_setup(struct brcm_p
int num_out_wins = 0;
u16 nlw, cls, lnksta;
int i, ret, memc;
- u32 tmp, burst, aspm_support;
+ u32 tmp, burst;
/* Reset the bridge */
pcie->bridge_sw_init_set(pcie, 1);
@@ -995,12 +994,9 @@ static int brcm_pcie_setup(struct brcm_p
}
/* Don't advertise L0s capability if 'aspm-no-l0s' */
- aspm_support = PCIE_LINK_STATE_L1;
- if (!of_property_read_bool(pcie->np, "aspm-no-l0s"))
- aspm_support |= PCIE_LINK_STATE_L0S;
tmp = readl(base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
- u32p_replace_bits(&tmp, aspm_support,
- PCIE_RC_CFG_PRIV1_LINK_CAPABILITY_ASPM_SUPPORT_MASK);
+ if (of_property_read_bool(pcie->np, "aspm-no-l0s"))
+ tmp &= ~PCI_EXP_LNKCAP_ASPM_L0S;
writel(tmp, base + PCIE_RC_CFG_PRIV1_LINK_CAPABILITY);
/*
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 464/554] powerpc/64s/slb: Fix SLB multihit issue during SLB preload
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 463/554] PCI: brcmstb: Fix disabling L0s capability Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 465/554] iommu/qcom: fix device leak on of_xlate() Greg Kroah-Hartman
` (95 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Piggin, Donet Tom,
Ritesh Harjani (IBM), Madhavan Srinivasan, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Donet Tom <donettom@linux.ibm.com>
[ Upstream commit 00312419f0863964625d6dcda8183f96849412c6 ]
On systems using the hash MMU, there is a software SLB preload cache that
mirrors the entries loaded into the hardware SLB buffer. This preload
cache is subject to periodic eviction — typically after every 256 context
switches — to remove old entry.
To optimize performance, the kernel skips switch_mmu_context() in
switch_mm_irqs_off() when the prev and next mm_struct are the same.
However, on hash MMU systems, this can lead to inconsistencies between
the hardware SLB and the software preload cache.
If an SLB entry for a process is evicted from the software cache on one
CPU, and the same process later runs on another CPU without executing
switch_mmu_context(), the hardware SLB may retain stale entries. If the
kernel then attempts to reload that entry, it can trigger an SLB
multi-hit error.
The following timeline shows how stale SLB entries are created and can
cause a multi-hit error when a process moves between CPUs without a
MMU context switch.
CPU 0 CPU 1
----- -----
Process P
exec swapper/1
load_elf_binary
begin_new_exc
activate_mm
switch_mm_irqs_off
switch_mmu_context
switch_slb
/*
* This invalidates all
* the entries in the HW
* and setup the new HW
* SLB entries as per the
* preload cache.
*/
context_switch
sched_migrate_task migrates process P to cpu-1
Process swapper/0 context switch (to process P)
(uses mm_struct of Process P) switch_mm_irqs_off()
switch_slb
load_slb++
/*
* load_slb becomes 0 here
* and we evict an entry from
* the preload cache with
* preload_age(). We still
* keep HW SLB and preload
* cache in sync, that is
* because all HW SLB entries
* anyways gets evicted in
* switch_slb during SLBIA.
* We then only add those
* entries back in HW SLB,
* which are currently
* present in preload_cache
* (after eviction).
*/
load_elf_binary continues...
setup_new_exec()
slb_setup_new_exec()
sched_switch event
sched_migrate_task migrates
process P to cpu-0
context_switch from swapper/0 to Process P
switch_mm_irqs_off()
/*
* Since both prev and next mm struct are same we don't call
* switch_mmu_context(). This will cause the HW SLB and SW preload
* cache to go out of sync in preload_new_slb_context. Because there
* was an SLB entry which was evicted from both HW and preload cache
* on cpu-1. Now later in preload_new_slb_context(), when we will try
* to add the same preload entry again, we will add this to the SW
* preload cache and then will add it to the HW SLB. Since on cpu-0
* this entry was never invalidated, hence adding this entry to the HW
* SLB will cause a SLB multi-hit error.
*/
load_elf_binary continues...
START_THREAD
start_thread
preload_new_slb_context
/*
* This tries to add a new EA to preload cache which was earlier
* evicted from both cpu-1 HW SLB and preload cache. This caused the
* HW SLB of cpu-0 to go out of sync with the SW preload cache. The
* reason for this was, that when we context switched back on CPU-0,
* we should have ideally called switch_mmu_context() which will
* bring the HW SLB entries on CPU-0 in sync with SW preload cache
* entries by setting up the mmu context properly. But we didn't do
* that since the prev mm_struct running on cpu-0 was same as the
* next mm_struct (which is true for swapper / kernel threads). So
* now when we try to add this new entry into the HW SLB of cpu-0,
* we hit a SLB multi-hit error.
*/
WARNING: CPU: 0 PID: 1810970 at arch/powerpc/mm/book3s64/slb.c:62
assert_slb_presence+0x2c/0x50(48 results) 02:47:29 [20157/42149]
Modules linked in:
CPU: 0 UID: 0 PID: 1810970 Comm: dd Not tainted 6.16.0-rc3-dirty #12
VOLUNTARY
Hardware name: IBM pSeries (emulated by qemu) POWER8 (architected)
0x4d0200 0xf000004 of:SLOF,HEAD hv:linux,kvm pSeries
NIP: c00000000015426c LR: c0000000001543b4 CTR: 0000000000000000
REGS: c0000000497c77e0 TRAP: 0700 Not tainted (6.16.0-rc3-dirty)
MSR: 8000000002823033 <SF,VEC,VSX,FP,ME,IR,DR,RI,LE> CR: 28888482 XER: 00000000
CFAR: c0000000001543b0 IRQMASK: 3
<...>
NIP [c00000000015426c] assert_slb_presence+0x2c/0x50
LR [c0000000001543b4] slb_insert_entry+0x124/0x390
Call Trace:
0x7fffceb5ffff (unreliable)
preload_new_slb_context+0x100/0x1a0
start_thread+0x26c/0x420
load_elf_binary+0x1b04/0x1c40
bprm_execve+0x358/0x680
do_execveat_common+0x1f8/0x240
sys_execve+0x58/0x70
system_call_exception+0x114/0x300
system_call_common+0x160/0x2c4
>>From the above analysis, during early exec the hardware SLB is cleared,
and entries from the software preload cache are reloaded into hardware
by switch_slb. However, preload_new_slb_context and slb_setup_new_exec
also attempt to load some of the same entries, which can trigger a
multi-hit. In most cases, these additional preloads simply hit existing
entries and add nothing new. Removing these functions avoids redundant
preloads and eliminates the multi-hit issue. This patch removes these
two functions.
We tested process switching performance using the context_switch
benchmark on POWER9/hash, and observed no regression.
Without this patch: 129041 ops/sec
With this patch: 129341 ops/sec
We also measured SLB faults during boot, and the counts are essentially
the same with and without this patch.
SLB faults without this patch: 19727
SLB faults with this patch: 19786
Fixes: 5434ae74629a ("powerpc/64s/hash: Add a SLB preload cache")
cc: stable@vger.kernel.org
Suggested-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Donet Tom <donettom@linux.ibm.com>
Signed-off-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Link: https://patch.msgid.link/0ac694ae683494fe8cadbd911a1a5018d5d3c541.1761834163.git.ritesh.list@gmail.com
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/book3s/64/mmu-hash.h | 1
arch/powerpc/kernel/process.c | 5 -
arch/powerpc/mm/book3s64/internal.h | 1
arch/powerpc/mm/book3s64/mmu_context.c | 2
arch/powerpc/mm/book3s64/slb.c | 88 --------------------------
5 files changed, 97 deletions(-)
--- a/arch/powerpc/include/asm/book3s/64/mmu-hash.h
+++ b/arch/powerpc/include/asm/book3s/64/mmu-hash.h
@@ -524,7 +524,6 @@ void slb_dump_contents(struct slb_entry
extern void slb_vmalloc_update(void);
extern void slb_set_size(u16 size);
-void preload_new_slb_context(unsigned long start, unsigned long sp);
#endif /* __ASSEMBLY__ */
/*
--- a/arch/powerpc/kernel/process.c
+++ b/arch/powerpc/kernel/process.c
@@ -1794,8 +1794,6 @@ int copy_thread(unsigned long clone_flag
return 0;
}
-void preload_new_slb_context(unsigned long start, unsigned long sp);
-
/*
* Set up a thread for executing a new program
*/
@@ -1803,9 +1801,6 @@ void start_thread(struct pt_regs *regs,
{
#ifdef CONFIG_PPC64
unsigned long load_addr = regs->gpr[2]; /* saved by ELF_PLAT_INIT */
-
- if (IS_ENABLED(CONFIG_PPC_BOOK3S_64) && !radix_enabled())
- preload_new_slb_context(start, sp);
#endif
#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
--- a/arch/powerpc/mm/book3s64/internal.h
+++ b/arch/powerpc/mm/book3s64/internal.h
@@ -13,7 +13,6 @@ static inline bool stress_slb(void)
return static_branch_unlikely(&stress_slb_key);
}
-void slb_setup_new_exec(void);
void exit_lazy_flush_tlb(struct mm_struct *mm, bool always_flush);
--- a/arch/powerpc/mm/book3s64/mmu_context.c
+++ b/arch/powerpc/mm/book3s64/mmu_context.c
@@ -147,8 +147,6 @@ static int hash__init_new_context(struct
void hash__setup_new_exec(void)
{
slice_setup_new_exec();
-
- slb_setup_new_exec();
}
static int radix__init_new_context(struct mm_struct *mm)
--- a/arch/powerpc/mm/book3s64/slb.c
+++ b/arch/powerpc/mm/book3s64/slb.c
@@ -329,94 +329,6 @@ static void preload_age(struct thread_in
ti->slb_preload_tail = (ti->slb_preload_tail + 1) % SLB_PRELOAD_NR;
}
-void slb_setup_new_exec(void)
-{
- struct thread_info *ti = current_thread_info();
- struct mm_struct *mm = current->mm;
- unsigned long exec = 0x10000000;
-
- WARN_ON(irqs_disabled());
-
- /*
- * preload cache can only be used to determine whether a SLB
- * entry exists if it does not start to overflow.
- */
- if (ti->slb_preload_nr + 2 > SLB_PRELOAD_NR)
- return;
-
- hard_irq_disable();
-
- /*
- * We have no good place to clear the slb preload cache on exec,
- * flush_thread is about the earliest arch hook but that happens
- * after we switch to the mm and have aleady preloaded the SLBEs.
- *
- * For the most part that's probably okay to use entries from the
- * previous exec, they will age out if unused. It may turn out to
- * be an advantage to clear the cache before switching to it,
- * however.
- */
-
- /*
- * preload some userspace segments into the SLB.
- * Almost all 32 and 64bit PowerPC executables are linked at
- * 0x10000000 so it makes sense to preload this segment.
- */
- if (!is_kernel_addr(exec)) {
- if (preload_add(ti, exec))
- slb_allocate_user(mm, exec);
- }
-
- /* Libraries and mmaps. */
- if (!is_kernel_addr(mm->mmap_base)) {
- if (preload_add(ti, mm->mmap_base))
- slb_allocate_user(mm, mm->mmap_base);
- }
-
- /* see switch_slb */
- asm volatile("isync" : : : "memory");
-
- local_irq_enable();
-}
-
-void preload_new_slb_context(unsigned long start, unsigned long sp)
-{
- struct thread_info *ti = current_thread_info();
- struct mm_struct *mm = current->mm;
- unsigned long heap = mm->start_brk;
-
- WARN_ON(irqs_disabled());
-
- /* see above */
- if (ti->slb_preload_nr + 3 > SLB_PRELOAD_NR)
- return;
-
- hard_irq_disable();
-
- /* Userspace entry address. */
- if (!is_kernel_addr(start)) {
- if (preload_add(ti, start))
- slb_allocate_user(mm, start);
- }
-
- /* Top of stack, grows down. */
- if (!is_kernel_addr(sp)) {
- if (preload_add(ti, sp))
- slb_allocate_user(mm, sp);
- }
-
- /* Bottom of heap, grows up. */
- if (heap && !is_kernel_addr(heap)) {
- if (preload_add(ti, heap))
- slb_allocate_user(mm, heap);
- }
-
- /* see switch_slb */
- asm volatile("isync" : : : "memory");
-
- local_irq_enable();
-}
-
static void slb_cache_slbie_kernel(unsigned int index)
{
unsigned long slbie_data = get_paca()->slb_cache[index];
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 465/554] iommu/qcom: fix device leak on of_xlate()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 464/554] powerpc/64s/slb: Fix SLB multihit issue during SLB preload Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 466/554] r8169: fix RTL8117 Wake-on-Lan in DASH mode Greg Kroah-Hartman
` (94 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Clark, Yu Kuai, Robin Murphy,
Johan Hovold, Joerg Roedel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 6a3908ce56e6879920b44ef136252b2f0c954194 ]
Make sure to drop the reference taken to the iommu platform device when
looking up its driver data during of_xlate().
Note that commit e2eae09939a8 ("iommu/qcom: add missing put_device()
call in qcom_iommu_of_xlate()") fixed the leak in a couple of error
paths, but the reference is still leaking on success and late failures.
Fixes: 0ae349a0f33f ("iommu/qcom: Add qcom_iommu")
Cc: stable@vger.kernel.org # 4.14: e2eae09939a8
Cc: Rob Clark <robin.clark@oss.qualcomm.com>
Cc: Yu Kuai <yukuai3@huawei.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
[ adapted validation logic from max_asid to num_ctxs ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/arm/arm-smmu/qcom_iommu.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/iommu/arm/arm-smmu/qcom_iommu.c
+++ b/drivers/iommu/arm/arm-smmu/qcom_iommu.c
@@ -568,15 +568,15 @@ static int qcom_iommu_of_xlate(struct de
qcom_iommu = platform_get_drvdata(iommu_pdev);
+ put_device(&iommu_pdev->dev);
+
/* make sure the asid specified in dt is valid, so we don't have
* to sanity check this elsewhere, since 'asid - 1' is used to
* index into qcom_iommu->ctxs:
*/
if (WARN_ON(asid < 1) ||
- WARN_ON(asid > qcom_iommu->num_ctxs)) {
- put_device(&iommu_pdev->dev);
+ WARN_ON(asid > qcom_iommu->num_ctxs))
return -EINVAL;
- }
if (!dev_iommu_priv_get(dev)) {
dev_iommu_priv_set(dev, qcom_iommu);
@@ -585,10 +585,8 @@ static int qcom_iommu_of_xlate(struct de
* multiple different iommu devices. Multiple context
* banks are ok, but multiple devices are not:
*/
- if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev))) {
- put_device(&iommu_pdev->dev);
+ if (WARN_ON(qcom_iommu != dev_iommu_priv_get(dev)))
return -EINVAL;
- }
}
return iommu_fwspec_add_ids(dev, &asid, 1);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 466/554] r8169: fix RTL8117 Wake-on-Lan in DASH mode
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 465/554] iommu/qcom: fix device leak on of_xlate() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 467/554] ASoC: stm: Use dev_err_probe() helper Greg Kroah-Hartman
` (93 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Heiner Kallweit,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
[ Upstream commit dd75c723ef566f7f009c047f47e0eee95fe348ab ]
Wake-on-Lan does currently not work for r8169 in DASH mode, e.g. the
ASUS Pro WS X570-ACE with RTL8168fp/RTL8117.
Fix by not returning early in rtl_prepare_power_down when dash_enabled.
While this fixes WoL, it still kills the OOB RTL8117 remote management
BMC connection. Fix by not calling rtl8168_driver_stop if WoL is enabled.
Fixes: 065c27c184d6 ("r8169: phy power ops")
Signed-off-by: René Rebe <rene@exactco.de>
Cc: stable@vger.kernel.org
Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
Link: https://patch.msgid.link/20251202.194137.1647877804487085954.rene@exactco.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ adapted tp->dash_enabled check to tp->dash_type != RTL_DASH_NONE comparison ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/realtek/r8169_main.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -2513,9 +2513,6 @@ static void rtl_wol_enable_rx(struct rtl
static void rtl_prepare_power_down(struct rtl8169_private *tp)
{
- if (tp->dash_type != RTL_DASH_NONE)
- return;
-
if (tp->mac_version == RTL_GIGA_MAC_VER_32 ||
tp->mac_version == RTL_GIGA_MAC_VER_33)
rtl_ephy_write(tp, 0x19, 0xff64);
@@ -4763,7 +4760,7 @@ static void rtl8169_down(struct rtl8169_
rtl_prepare_power_down(tp);
- if (tp->dash_type != RTL_DASH_NONE)
+ if (tp->dash_type != RTL_DASH_NONE && !tp->saved_wolopts)
rtl8168_driver_stop(tp);
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 467/554] ASoC: stm: Use dev_err_probe() helper
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 466/554] r8169: fix RTL8117 Wake-on-Lan in DASH mode Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 468/554] ASoC: stm32: sai: Use the devm_clk_get_optional() helper Greg Kroah-Hartman
` (92 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuninori Morimoto, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
[ Upstream commit efc162cbd480f1fb47d439c193ec9731bcc6c749 ]
Use the dev_err_probe() helper, instead of open-coding the same
operation.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/20211214020843.2225831-22-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 312ec2f0d9d1 ("ASoC: stm32: sai: fix clk prepare imbalance on probe failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_i2s.c | 62 ++++++++++++++----------------------------
sound/soc/stm/stm32_sai.c | 37 ++++++++-----------------
sound/soc/stm/stm32_sai_sub.c | 25 +++++-----------
sound/soc/stm/stm32_spdifrx.c | 44 ++++++++++-------------------
4 files changed, 57 insertions(+), 111 deletions(-)
--- a/sound/soc/stm/stm32_i2s.c
+++ b/sound/soc/stm/stm32_i2s.c
@@ -1044,36 +1044,24 @@ static int stm32_i2s_parse_dt(struct pla
/* Get clocks */
i2s->pclk = devm_clk_get(&pdev->dev, "pclk");
- if (IS_ERR(i2s->pclk)) {
- if (PTR_ERR(i2s->pclk) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Could not get pclk: %ld\n",
- PTR_ERR(i2s->pclk));
- return PTR_ERR(i2s->pclk);
- }
+ if (IS_ERR(i2s->pclk))
+ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->pclk),
+ "Could not get pclk\n");
i2s->i2sclk = devm_clk_get(&pdev->dev, "i2sclk");
- if (IS_ERR(i2s->i2sclk)) {
- if (PTR_ERR(i2s->i2sclk) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Could not get i2sclk: %ld\n",
- PTR_ERR(i2s->i2sclk));
- return PTR_ERR(i2s->i2sclk);
- }
+ if (IS_ERR(i2s->i2sclk))
+ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->i2sclk),
+ "Could not get i2sclk\n");
i2s->x8kclk = devm_clk_get(&pdev->dev, "x8k");
- if (IS_ERR(i2s->x8kclk)) {
- if (PTR_ERR(i2s->x8kclk) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Could not get x8k parent clock: %ld\n",
- PTR_ERR(i2s->x8kclk));
- return PTR_ERR(i2s->x8kclk);
- }
+ if (IS_ERR(i2s->x8kclk))
+ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->x8kclk),
+ "Could not get x8k parent clock\n");
i2s->x11kclk = devm_clk_get(&pdev->dev, "x11k");
- if (IS_ERR(i2s->x11kclk)) {
- if (PTR_ERR(i2s->x11kclk) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Could not get x11k parent clock: %ld\n",
- PTR_ERR(i2s->x11kclk));
- return PTR_ERR(i2s->x11kclk);
- }
+ if (IS_ERR(i2s->x11kclk))
+ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->x11kclk),
+ "Could not get x11k parent clock\n");
/* Register mclk provider if requested */
if (of_find_property(np, "#clock-cells", NULL)) {
@@ -1096,12 +1084,10 @@ static int stm32_i2s_parse_dt(struct pla
/* Reset */
rst = devm_reset_control_get_optional_exclusive(&pdev->dev, NULL);
- if (IS_ERR(rst)) {
- if (PTR_ERR(rst) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Reset controller error %ld\n",
- PTR_ERR(rst));
- return PTR_ERR(rst);
- }
+ if (IS_ERR(rst))
+ return dev_err_probe(&pdev->dev, PTR_ERR(rst),
+ "Reset controller error\n");
+
reset_control_assert(rst);
udelay(2);
reset_control_deassert(rst);
@@ -1143,19 +1129,13 @@ static int stm32_i2s_probe(struct platfo
i2s->regmap = devm_regmap_init_mmio_clk(&pdev->dev, "pclk",
i2s->base, i2s->regmap_conf);
- if (IS_ERR(i2s->regmap)) {
- if (PTR_ERR(i2s->regmap) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Regmap init error %ld\n",
- PTR_ERR(i2s->regmap));
- return PTR_ERR(i2s->regmap);
- }
+ if (IS_ERR(i2s->regmap))
+ return dev_err_probe(&pdev->dev, PTR_ERR(i2s->regmap),
+ "Regmap init error\n");
ret = snd_dmaengine_pcm_register(&pdev->dev, &stm32_i2s_pcm_config, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- dev_err(&pdev->dev, "PCM DMA register error %d\n", ret);
- return ret;
- }
+ if (ret)
+ return dev_err_probe(&pdev->dev, ret, "PCM DMA register error\n");
ret = snd_soc_register_component(&pdev->dev, &stm32_i2s_component,
i2s->dai_drv, 1);
--- a/sound/soc/stm/stm32_sai.c
+++ b/sound/soc/stm/stm32_sai.c
@@ -173,29 +173,20 @@ static int stm32_sai_probe(struct platfo
if (!STM_SAI_IS_F4(sai)) {
sai->pclk = devm_clk_get(&pdev->dev, "pclk");
- if (IS_ERR(sai->pclk)) {
- if (PTR_ERR(sai->pclk) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "missing bus clock pclk: %ld\n",
- PTR_ERR(sai->pclk));
- return PTR_ERR(sai->pclk);
- }
+ if (IS_ERR(sai->pclk))
+ return dev_err_probe(&pdev->dev, PTR_ERR(sai->pclk),
+ "missing bus clock pclk\n");
}
sai->clk_x8k = devm_clk_get(&pdev->dev, "x8k");
- if (IS_ERR(sai->clk_x8k)) {
- if (PTR_ERR(sai->clk_x8k) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "missing x8k parent clock: %ld\n",
- PTR_ERR(sai->clk_x8k));
- return PTR_ERR(sai->clk_x8k);
- }
+ if (IS_ERR(sai->clk_x8k))
+ return dev_err_probe(&pdev->dev, PTR_ERR(sai->clk_x8k),
+ "missing x8k parent clock\n");
sai->clk_x11k = devm_clk_get(&pdev->dev, "x11k");
- if (IS_ERR(sai->clk_x11k)) {
- if (PTR_ERR(sai->clk_x11k) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "missing x11k parent clock: %ld\n",
- PTR_ERR(sai->clk_x11k));
- return PTR_ERR(sai->clk_x11k);
- }
+ if (IS_ERR(sai->clk_x11k))
+ return dev_err_probe(&pdev->dev, PTR_ERR(sai->clk_x11k),
+ "missing x11k parent clock\n");
/* init irqs */
sai->irq = platform_get_irq(pdev, 0);
@@ -204,12 +195,10 @@ static int stm32_sai_probe(struct platfo
/* reset */
rst = devm_reset_control_get_optional_exclusive(&pdev->dev, NULL);
- if (IS_ERR(rst)) {
- if (PTR_ERR(rst) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Reset controller error %ld\n",
- PTR_ERR(rst));
- return PTR_ERR(rst);
- }
+ if (IS_ERR(rst))
+ return dev_err_probe(&pdev->dev, PTR_ERR(rst),
+ "Reset controller error\n");
+
reset_control_assert(rst);
udelay(2);
reset_control_deassert(rst);
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -1379,12 +1379,9 @@ static int stm32_sai_sub_parse_of(struct
*/
sai->regmap = devm_regmap_init_mmio(&pdev->dev, base,
sai->regmap_config);
- if (IS_ERR(sai->regmap)) {
- if (PTR_ERR(sai->regmap) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Regmap init error %ld\n",
- PTR_ERR(sai->regmap));
- return PTR_ERR(sai->regmap);
- }
+ if (IS_ERR(sai->regmap))
+ return dev_err_probe(&pdev->dev, PTR_ERR(sai->regmap),
+ "Regmap init error\n");
/* Get direction property */
if (of_property_match_string(np, "dma-names", "tx") >= 0) {
@@ -1472,12 +1469,9 @@ static int stm32_sai_sub_parse_of(struct
of_node_put(args.np);
sai->sai_ck = devm_clk_get(&pdev->dev, "sai_ck");
- if (IS_ERR(sai->sai_ck)) {
- if (PTR_ERR(sai->sai_ck) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Missing kernel clock sai_ck: %ld\n",
- PTR_ERR(sai->sai_ck));
- return PTR_ERR(sai->sai_ck);
- }
+ if (IS_ERR(sai->sai_ck))
+ return dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck),
+ "Missing kernel clock sai_ck\n");
ret = clk_prepare(sai->pdata->pclk);
if (ret < 0)
@@ -1551,11 +1545,8 @@ static int stm32_sai_sub_probe(struct pl
conf = &stm32_sai_pcm_config_spdif;
ret = snd_dmaengine_pcm_register(&pdev->dev, conf, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Could not register pcm dma\n");
- return ret;
- }
+ if (ret)
+ return dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
ret = snd_soc_register_component(&pdev->dev, &stm32_component,
&sai->cpu_dai_drv, 1);
--- a/sound/soc/stm/stm32_spdifrx.c
+++ b/sound/soc/stm/stm32_spdifrx.c
@@ -405,12 +405,9 @@ static int stm32_spdifrx_dma_ctrl_regist
int ret;
spdifrx->ctrl_chan = dma_request_chan(dev, "rx-ctrl");
- if (IS_ERR(spdifrx->ctrl_chan)) {
- if (PTR_ERR(spdifrx->ctrl_chan) != -EPROBE_DEFER)
- dev_err(dev, "dma_request_slave_channel error %ld\n",
- PTR_ERR(spdifrx->ctrl_chan));
- return PTR_ERR(spdifrx->ctrl_chan);
- }
+ if (IS_ERR(spdifrx->ctrl_chan))
+ return dev_err_probe(dev, PTR_ERR(spdifrx->ctrl_chan),
+ "dma_request_slave_channel error\n");
spdifrx->dmab = devm_kzalloc(dev, sizeof(struct snd_dma_buffer),
GFP_KERNEL);
@@ -929,12 +926,9 @@ static int stm32_spdifrx_parse_of(struct
spdifrx->phys_addr = res->start;
spdifrx->kclk = devm_clk_get(&pdev->dev, "kclk");
- if (IS_ERR(spdifrx->kclk)) {
- if (PTR_ERR(spdifrx->kclk) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Could not get kclk: %ld\n",
- PTR_ERR(spdifrx->kclk));
- return PTR_ERR(spdifrx->kclk);
- }
+ if (IS_ERR(spdifrx->kclk))
+ return dev_err_probe(&pdev->dev, PTR_ERR(spdifrx->kclk),
+ "Could not get kclk\n");
spdifrx->irq = platform_get_irq(pdev, 0);
if (spdifrx->irq < 0)
@@ -985,12 +979,9 @@ static int stm32_spdifrx_probe(struct pl
spdifrx->regmap = devm_regmap_init_mmio_clk(&pdev->dev, "kclk",
spdifrx->base,
spdifrx->regmap_conf);
- if (IS_ERR(spdifrx->regmap)) {
- if (PTR_ERR(spdifrx->regmap) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Regmap init error %ld\n",
- PTR_ERR(spdifrx->regmap));
- return PTR_ERR(spdifrx->regmap);
- }
+ if (IS_ERR(spdifrx->regmap))
+ return dev_err_probe(&pdev->dev, PTR_ERR(spdifrx->regmap),
+ "Regmap init error\n");
ret = devm_request_irq(&pdev->dev, spdifrx->irq, stm32_spdifrx_isr, 0,
dev_name(&pdev->dev), spdifrx);
@@ -1000,23 +991,18 @@ static int stm32_spdifrx_probe(struct pl
}
rst = devm_reset_control_get_optional_exclusive(&pdev->dev, NULL);
- if (IS_ERR(rst)) {
- if (PTR_ERR(rst) != -EPROBE_DEFER)
- dev_err(&pdev->dev, "Reset controller error %ld\n",
- PTR_ERR(rst));
- return PTR_ERR(rst);
- }
+ if (IS_ERR(rst))
+ return dev_err_probe(&pdev->dev, PTR_ERR(rst),
+ "Reset controller error\n");
+
reset_control_assert(rst);
udelay(2);
reset_control_deassert(rst);
pcm_config = &stm32_spdifrx_pcm_config;
ret = snd_dmaengine_pcm_register(&pdev->dev, pcm_config, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- dev_err(&pdev->dev, "PCM DMA register error %d\n", ret);
- return ret;
- }
+ if (ret)
+ return dev_err_probe(&pdev->dev, ret, "PCM DMA register error\n");
ret = snd_soc_register_component(&pdev->dev,
&stm32_spdifrx_component,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 468/554] ASoC: stm32: sai: Use the devm_clk_get_optional() helper
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 467/554] ASoC: stm: Use dev_err_probe() helper Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 469/554] ASoC: stm32: sai: fix clk prepare imbalance on probe failure Greg Kroah-Hartman
` (91 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 374628fb668e50b42fe81f2a63af616182415bcd ]
Use devm_clk_get_optional() instead of hand writing it.
This saves some LoC and improves the semantic.
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/f7987f18dadf77bfa09969fd4c82d5a0f4e4e3b7.1684594838.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 312ec2f0d9d1 ("ASoC: stm32: sai: fix clk prepare imbalance on probe failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai_sub.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -1486,12 +1486,9 @@ static int stm32_sai_sub_parse_of(struct
if (ret < 0)
return ret;
} else {
- sai->sai_mclk = devm_clk_get(&pdev->dev, "MCLK");
- if (IS_ERR(sai->sai_mclk)) {
- if (PTR_ERR(sai->sai_mclk) != -ENOENT)
- return PTR_ERR(sai->sai_mclk);
- sai->sai_mclk = NULL;
- }
+ sai->sai_mclk = devm_clk_get_optional(&pdev->dev, "MCLK");
+ if (IS_ERR(sai->sai_mclk))
+ return PTR_ERR(sai->sai_mclk);
}
return 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 469/554] ASoC: stm32: sai: fix clk prepare imbalance on probe failure
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 468/554] ASoC: stm32: sai: Use the devm_clk_get_optional() helper Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 470/554] mm/balloon_compaction: make balloon page compaction callbacks static Greg Kroah-Hartman
` (90 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olivier Moysan, Johan Hovold,
olivier moysan, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 312ec2f0d9d1a5656f76d770bbf1d967e9289aa7 ]
Make sure to unprepare the parent clock also on probe failures (e.g.
probe deferral).
Fixes: a14bf98c045b ("ASoC: stm32: sai: fix possible circular locking")
Cc: stable@vger.kernel.org # 5.5
Cc: Olivier Moysan <olivier.moysan@st.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20251124104908.15754-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai_sub.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -1484,14 +1484,21 @@ static int stm32_sai_sub_parse_of(struct
if (of_find_property(np, "#clock-cells", NULL)) {
ret = stm32_sai_add_mclk_provider(sai);
if (ret < 0)
- return ret;
+ goto err_unprepare_pclk;
} else {
sai->sai_mclk = devm_clk_get_optional(&pdev->dev, "MCLK");
- if (IS_ERR(sai->sai_mclk))
- return PTR_ERR(sai->sai_mclk);
+ if (IS_ERR(sai->sai_mclk)) {
+ ret = PTR_ERR(sai->sai_mclk);
+ goto err_unprepare_pclk;
+ }
}
return 0;
+
+err_unprepare_pclk:
+ clk_unprepare(sai->pdata->pclk);
+
+ return ret;
}
static int stm32_sai_sub_probe(struct platform_device *pdev)
@@ -1535,26 +1542,33 @@ static int stm32_sai_sub_probe(struct pl
IRQF_SHARED, dev_name(&pdev->dev), sai);
if (ret) {
dev_err(&pdev->dev, "IRQ request returned %d\n", ret);
- return ret;
+ goto err_unprepare_pclk;
}
if (STM_SAI_PROTOCOL_IS_SPDIF(sai))
conf = &stm32_sai_pcm_config_spdif;
ret = snd_dmaengine_pcm_register(&pdev->dev, conf, 0);
- if (ret)
- return dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
+ if (ret) {
+ ret = dev_err_probe(&pdev->dev, ret, "Could not register pcm dma\n");
+ goto err_unprepare_pclk;
+ }
ret = snd_soc_register_component(&pdev->dev, &stm32_component,
&sai->cpu_dai_drv, 1);
if (ret) {
snd_dmaengine_pcm_unregister(&pdev->dev);
- return ret;
+ goto err_unprepare_pclk;
}
pm_runtime_enable(&pdev->dev);
return 0;
+
+err_unprepare_pclk:
+ clk_unprepare(sai->pdata->pclk);
+
+ return ret;
}
static int stm32_sai_sub_remove(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 470/554] mm/balloon_compaction: make balloon page compaction callbacks static
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 469/554] ASoC: stm32: sai: fix clk prepare imbalance on probe failure Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 471/554] mm/balloon_compaction: we cannot have isolated pages in the balloon list Greg Kroah-Hartman
` (89 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaohe Lin, Michael S. Tsirkin,
Muchun Song, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaohe Lin <linmiaohe@huawei.com>
[ Upstream commit 504c1cabe325df65c18ef38365ddd1a41c6b591b ]
Since commit b1123ea6d3b3 ("mm: balloon: use general non-lru movable page
feature"), these functions are called via balloon_aops callbacks. They're
not called directly outside this file. So make them static and clean up
the relevant code.
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Link: https://lore.kernel.org/r/20220125132221.2220-1-linmiaohe@huawei.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Muchun Song <songmuchun@bytedance.com>
Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/balloon_compaction.h | 22 ----------------------
mm/balloon_compaction.c | 6 +++---
2 files changed, 3 insertions(+), 25 deletions(-)
--- a/include/linux/balloon_compaction.h
+++ b/include/linux/balloon_compaction.h
@@ -80,12 +80,6 @@ static inline void balloon_devinfo_init(
#ifdef CONFIG_BALLOON_COMPACTION
extern const struct address_space_operations balloon_aops;
-extern bool balloon_page_isolate(struct page *page,
- isolate_mode_t mode);
-extern void balloon_page_putback(struct page *page);
-extern int balloon_page_migrate(struct address_space *mapping,
- struct page *newpage,
- struct page *page, enum migrate_mode mode);
/*
* balloon_page_insert - insert a page into the balloon's page list and make
@@ -155,22 +149,6 @@ static inline void balloon_page_delete(s
list_del(&page->lru);
}
-static inline bool balloon_page_isolate(struct page *page)
-{
- return false;
-}
-
-static inline void balloon_page_putback(struct page *page)
-{
- return;
-}
-
-static inline int balloon_page_migrate(struct page *newpage,
- struct page *page, enum migrate_mode mode)
-{
- return 0;
-}
-
static inline gfp_t balloon_mapping_gfp_mask(void)
{
return GFP_HIGHUSER;
--- a/mm/balloon_compaction.c
+++ b/mm/balloon_compaction.c
@@ -203,7 +203,7 @@ EXPORT_SYMBOL_GPL(balloon_page_dequeue);
#ifdef CONFIG_BALLOON_COMPACTION
-bool balloon_page_isolate(struct page *page, isolate_mode_t mode)
+static bool balloon_page_isolate(struct page *page, isolate_mode_t mode)
{
struct balloon_dev_info *b_dev_info = balloon_page_device(page);
@@ -217,7 +217,7 @@ bool balloon_page_isolate(struct page *p
return true;
}
-void balloon_page_putback(struct page *page)
+static void balloon_page_putback(struct page *page)
{
struct balloon_dev_info *b_dev_info = balloon_page_device(page);
unsigned long flags;
@@ -230,7 +230,7 @@ void balloon_page_putback(struct page *p
/* move_to_new_page() counterpart for a ballooned page */
-int balloon_page_migrate(struct address_space *mapping,
+static int balloon_page_migrate(struct address_space *mapping,
struct page *newpage, struct page *page,
enum migrate_mode mode)
{
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 471/554] mm/balloon_compaction: we cannot have isolated pages in the balloon list
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 470/554] mm/balloon_compaction: make balloon page compaction callbacks static Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 472/554] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() Greg Kroah-Hartman
` (88 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Zi Yan,
Lorenzo Stoakes, Alistair Popple, Al Viro, Arnd Bergmann,
Brendan Jackman, Byungchul Park, Chengming Zhou,
Christian Brauner, Christophe Leroy, Eugenio Pé rez,
Gregory Price, Huang, Ying, Jan Kara, Jason Gunthorpe, Jason Wang,
Jerrin Shaji George, Johannes Weiner, John Hubbard,
Jonathan Corbet, Joshua Hahn, Liam Howlett, Madhavan Srinivasan,
Mathew Brost, Matthew Wilcox (Oracle), Miaohe Lin,
Michael Ellerman, Michael S. Tsirkin, Michal Hocko, Mike Rapoport,
Minchan Kim, Naoya Horiguchi, Nicholas Piggin, Oscar Salvador,
Peter Xu, Qi Zheng, Rakie Kim, Rik van Riel, Sergey Senozhatsky,
Shakeel Butt, Suren Baghdasaryan, Vlastimil Babka, Xuan Zhuo,
xu xin, Harry Yoo, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit fb05f992b6bbb4702307d96f00703ee637b24dbf ]
Patch series "mm/migration: rework movable_ops page migration (part 1)",
v2.
In the future, as we decouple "struct page" from "struct folio", pages
that support "non-lru page migration" -- movable_ops page migration such
as memory balloons and zsmalloc -- will no longer be folios. They will
not have ->mapping, ->lru, and likely no refcount and no page lock. But
they will have a type and flags 🙂
This is the first part (other parts not written yet) of decoupling
movable_ops page migration from folio migration.
In this series, we get rid of the ->mapping usage, and start cleaning up
the code + separating it from folio migration.
Migration core will have to be further reworked to not treat movable_ops
pages like folios. This is the first step into that direction.
This patch (of 29):
The core will set PG_isolated only after mops->isolate_page() was called.
In case of the balloon, that is where we will remove it from the balloon
list. So we cannot have isolated pages in the balloon list.
Let's drop this unnecessary check.
Link: https://lkml.kernel.org/r/20250704102524.326966-2-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Zi Yan <ziy@nvidia.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Chengming Zhou <chengming.zhou@linux.dev>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Eugenio Pé rez <eperezma@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Gregory Price <gourry@gourry.net>
Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Jerrin Shaji George <jerrin.shaji-george@broadcom.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mathew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: xu xin <xu.xin16@zte.com.cn>
Cc: Harry Yoo <harry.yoo@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/balloon_compaction.c | 6 ------
1 file changed, 6 deletions(-)
--- a/mm/balloon_compaction.c
+++ b/mm/balloon_compaction.c
@@ -93,12 +93,6 @@ size_t balloon_page_list_dequeue(struct
if (!trylock_page(page))
continue;
- if (IS_ENABLED(CONFIG_BALLOON_COMPACTION) &&
- PageIsolated(page)) {
- /* raced with isolation */
- unlock_page(page);
- continue;
- }
balloon_page_delete(page);
__count_vm_event(BALLOON_DEFLATE);
list_add(&page->lru, pages);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 472/554] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 471/554] mm/balloon_compaction: we cannot have isolated pages in the balloon list Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 473/554] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages Greg Kroah-Hartman
` (87 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Lorenzo Stoakes,
Alistair Popple, Al Viro, Arnd Bergmann, Brendan Jackman,
Byungchul Park, Chengming Zhou, Christian Brauner,
Christophe Leroy, Eugenio Pé rez, Gregory Price, Harry Yoo,
Huang, Ying, Jan Kara, Jason Gunthorpe, Jason Wang,
Jerrin Shaji George, Johannes Weiner, John Hubbard,
Jonathan Corbet, Joshua Hahn, Liam Howlett, Madhavan Srinivasan,
Mathew Brost, Matthew Wilcox (Oracle), Miaohe Lin,
Michael Ellerman, Michael S. Tsirkin, Michal Hocko, Mike Rapoport,
Minchan Kim, Naoya Horiguchi, Nicholas Piggin, Oscar Salvador,
Peter Xu, Qi Zheng, Rakie Kim, Rik van Riel, Sergey Senozhatsky,
Shakeel Butt, Suren Baghdasaryan, Vlastimil Babka, Xuan Zhuo,
xu xin, Zi Yan, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit 15504b1163007bbfbd9a63460d5c14737c16e96d ]
Let's move the removal of the page from the balloon list into the single
caller, to remove the dependency on the PG_isolated flag and clarify
locking requirements.
Note that for now, balloon_page_delete() was used on two paths:
(1) Removing a page from the balloon for deflation through
balloon_page_list_dequeue()
(2) Removing an isolated page from the balloon for migration in the
per-driver migration handlers. Isolated pages were already removed from
the balloon list during isolation.
So instead of relying on the flag, we can just distinguish both cases
directly and handle it accordingly in the caller.
We'll shuffle the operations a bit such that they logically make more
sense (e.g., remove from the list before clearing flags).
In balloon migration functions we can now move the balloon_page_finalize()
out of the balloon lock and perform the finalization just before dropping
the balloon reference.
Document that the page lock is currently required when modifying the
movability aspects of a page; hopefully we can soon decouple this from the
page lock.
Link: https://lkml.kernel.org/r/20250704102524.326966-3-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Byungchul Park <byungchul@sk.com>
Cc: Chengming Zhou <chengming.zhou@linux.dev>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Eugenio Pé rez <eperezma@redhat.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Gregory Price <gourry@gourry.net>
Cc: Harry Yoo <harry.yoo@oracle.com>
Cc: "Huang, Ying" <ying.huang@linux.alibaba.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Jason Wang <jasowang@redhat.com>
Cc: Jerrin Shaji George <jerrin.shaji-george@broadcom.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Joshua Hahn <joshua.hahnjy@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Mathew Brost <matthew.brost@intel.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: Qi Zheng <zhengqi.arch@bytedance.com>
Cc: Rakie Kim <rakie.kim@sk.com>
Cc: Rik van Riel <riel@surriel.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: Shakeel Butt <shakeel.butt@linux.dev>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Cc: xu xin <xu.xin16@zte.com.cn>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 0da2ba35c0d5 ("powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/cmm.c | 2 -
drivers/misc/vmw_balloon.c | 3 --
drivers/virtio/virtio_balloon.c | 4 ---
include/linux/balloon_compaction.h | 43 +++++++++++++----------------------
mm/balloon_compaction.c | 3 +-
5 files changed, 21 insertions(+), 34 deletions(-)
--- a/arch/powerpc/platforms/pseries/cmm.c
+++ b/arch/powerpc/platforms/pseries/cmm.c
@@ -550,7 +550,6 @@ static int cmm_migratepage(struct balloo
spin_lock_irqsave(&b_dev_info->pages_lock, flags);
balloon_page_insert(b_dev_info, newpage);
- balloon_page_delete(page);
b_dev_info->isolated_pages--;
spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
@@ -560,6 +559,7 @@ static int cmm_migratepage(struct balloo
*/
plpar_page_set_active(page);
+ balloon_page_finalize(page);
/* balloon page list reference */
put_page(page);
--- a/drivers/misc/vmw_balloon.c
+++ b/drivers/misc/vmw_balloon.c
@@ -1805,8 +1805,7 @@ static int vmballoon_migratepage(struct
* @pages_lock . We keep holding @comm_lock since we will need it in a
* second.
*/
- balloon_page_delete(page);
-
+ balloon_page_finalize(page);
put_page(page);
/* Inflate */
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -796,15 +796,13 @@ static int virtballoon_migratepage(struc
tell_host(vb, vb->inflate_vq);
/* balloon's page migration 2nd step -- deflate "page" */
- spin_lock_irqsave(&vb_dev_info->pages_lock, flags);
- balloon_page_delete(page);
- spin_unlock_irqrestore(&vb_dev_info->pages_lock, flags);
vb->num_pfns = VIRTIO_BALLOON_PAGES_PER_PAGE;
set_page_pfns(vb, vb->pfns, page);
tell_host(vb, vb->deflate_vq);
mutex_unlock(&vb->balloon_lock);
+ balloon_page_finalize(page);
put_page(page); /* balloon reference */
return MIGRATEPAGE_SUCCESS;
--- a/include/linux/balloon_compaction.h
+++ b/include/linux/balloon_compaction.h
@@ -100,27 +100,6 @@ static inline void balloon_page_insert(s
}
/*
- * balloon_page_delete - delete a page from balloon's page list and clear
- * the page->private assignement accordingly.
- * @page : page to be released from balloon's page list
- *
- * Caller must ensure the page is locked and the spin_lock protecting balloon
- * pages list is held before deleting a page from the balloon device.
- */
-static inline void balloon_page_delete(struct page *page)
-{
- __ClearPageOffline(page);
- __ClearPageMovable(page);
- set_page_private(page, 0);
- /*
- * No touch page.lru field once @page has been isolated
- * because VM is using the field.
- */
- if (!PageIsolated(page))
- list_del(&page->lru);
-}
-
-/*
* balloon_page_device - get the b_dev_info descriptor for the balloon device
* that enqueues the given page.
*/
@@ -143,12 +122,6 @@ static inline void balloon_page_insert(s
list_add(&page->lru, &balloon->pages);
}
-static inline void balloon_page_delete(struct page *page)
-{
- __ClearPageOffline(page);
- list_del(&page->lru);
-}
-
static inline gfp_t balloon_mapping_gfp_mask(void)
{
return GFP_HIGHUSER;
@@ -157,6 +130,22 @@ static inline gfp_t balloon_mapping_gfp_
#endif /* CONFIG_BALLOON_COMPACTION */
/*
+ * balloon_page_finalize - prepare a balloon page that was removed from the
+ * balloon list for release to the page allocator
+ * @page: page to be released to the page allocator
+ *
+ * Caller must ensure that the page is locked.
+ */
+static inline void balloon_page_finalize(struct page *page)
+{
+ if (IS_ENABLED(CONFIG_BALLOON_COMPACTION)) {
+ __ClearPageMovable(page);
+ set_page_private(page, 0);
+ }
+ __ClearPageOffline(page);
+}
+
+/*
* balloon_page_push - insert a page into a page list.
* @head : pointer to list
* @page : page to be added
--- a/mm/balloon_compaction.c
+++ b/mm/balloon_compaction.c
@@ -93,7 +93,8 @@ size_t balloon_page_list_dequeue(struct
if (!trylock_page(page))
continue;
- balloon_page_delete(page);
+ list_del(&page->lru);
+ balloon_page_finalize(page);
__count_vm_event(BALLOON_DEFLATE);
list_add(&page->lru, pages);
unlock_page(page);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 473/554] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 472/554] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() Greg Kroah-Hartman
@ 2026-01-15 16:48 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 474/554] pmdomain: Use device_get_match_data() Greg Kroah-Hartman
` (86 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand,
Ritesh Harjani (IBM), Christophe Leroy, Madhavan Srinivasan,
Michael Ellerman, Nicholas Piggin, Andrew Morton, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit 0da2ba35c0d532ca0fe7af698b17d74c4d084b9a ]
Let's properly adjust BALLOON_MIGRATE like the other drivers.
Note that the INFLATE/DEFLATE events are triggered from the core when
enqueueing/dequeueing pages.
This was found by code inspection.
Link: https://lkml.kernel.org/r/20251021100606.148294-3-david@redhat.com
Fixes: fe030c9b85e6 ("powerpc/pseries/cmm: Implement balloon compaction")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/platforms/pseries/cmm.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/powerpc/platforms/pseries/cmm.c
+++ b/arch/powerpc/platforms/pseries/cmm.c
@@ -550,6 +550,7 @@ static int cmm_migratepage(struct balloo
spin_lock_irqsave(&b_dev_info->pages_lock, flags);
balloon_page_insert(b_dev_info, newpage);
+ __count_vm_event(BALLOON_MIGRATE);
b_dev_info->isolated_pages--;
spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 474/554] pmdomain: Use device_get_match_data()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2026-01-15 16:48 ` [PATCH 5.15 473/554] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 475/554] pmdomain: imx: Fix reference count leak in imx_gpc_probe() Greg Kroah-Hartman
` (85 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rob Herring, Ulf Hansson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Herring <robh@kernel.org>
[ Upstream commit 3ba9fdfaa550936837b50b73d6c27ac401fde875 ]
Use preferred device_get_match_data() instead of of_match_device() to
get the driver match data. With this, adjust the includes to explicitly
include the correct headers.
Signed-off-by: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/20231006224614.444488-1-robh@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Stable-dep-of: 73cb5f6eafb0 ("pmdomain: imx: Fix reference count leak in imx_gpc_probe()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/actions/owl-sps.c | 16 +++++-----------
drivers/soc/imx/gpc.c | 7 +++----
drivers/soc/rockchip/pm_domains.c | 13 ++++---------
3 files changed, 12 insertions(+), 24 deletions(-)
--- a/drivers/soc/actions/owl-sps.c
+++ b/drivers/soc/actions/owl-sps.c
@@ -8,8 +8,10 @@
* Copyright (c) 2017 Andreas Färber
*/
+#include <linux/mod_devicetable.h>
#include <linux/of_address.h>
-#include <linux/of_platform.h>
+#include <linux/platform_device.h>
+#include <linux/property.h>
#include <linux/pm_domain.h>
#include <linux/soc/actions/owl-sps.h>
#include <dt-bindings/power/owl-s500-powergate.h>
@@ -96,24 +98,16 @@ static int owl_sps_init_domain(struct ow
static int owl_sps_probe(struct platform_device *pdev)
{
- const struct of_device_id *match;
const struct owl_sps_info *sps_info;
struct owl_sps *sps;
int i, ret;
- if (!pdev->dev.of_node) {
- dev_err(&pdev->dev, "no device node\n");
- return -ENODEV;
- }
-
- match = of_match_device(pdev->dev.driver->of_match_table, &pdev->dev);
- if (!match || !match->data) {
+ sps_info = device_get_match_data(&pdev->dev);
+ if (!sps_info) {
dev_err(&pdev->dev, "unknown compatible or missing data\n");
return -EINVAL;
}
- sps_info = match->data;
-
sps = devm_kzalloc(&pdev->dev,
struct_size(sps, domains, sps_info->num_domains),
GFP_KERNEL);
--- a/drivers/soc/imx/gpc.c
+++ b/drivers/soc/imx/gpc.c
@@ -7,9 +7,10 @@
#include <linux/clk.h>
#include <linux/delay.h>
#include <linux/io.h>
-#include <linux/of_device.h>
+#include <linux/of.h>
#include <linux/platform_device.h>
#include <linux/pm_domain.h>
+#include <linux/property.h>
#include <linux/regmap.h>
#include <linux/regulator/consumer.h>
@@ -403,9 +404,7 @@ clk_err:
static int imx_gpc_probe(struct platform_device *pdev)
{
- const struct of_device_id *of_id =
- of_match_device(imx_gpc_dt_ids, &pdev->dev);
- const struct imx_gpc_dt_data *of_id_data = of_id->data;
+ const struct imx_gpc_dt_data *of_id_data = device_get_match_data(&pdev->dev);
struct device_node *pgc_node;
struct regmap *regmap;
void __iomem *base;
--- a/drivers/soc/rockchip/pm_domains.c
+++ b/drivers/soc/rockchip/pm_domains.c
@@ -8,11 +8,13 @@
#include <linux/io.h>
#include <linux/iopoll.h>
#include <linux/err.h>
+#include <linux/platform_device.h>
#include <linux/pm_clock.h>
#include <linux/pm_domain.h>
+#include <linux/property.h>
+#include <linux/of.h>
#include <linux/of_address.h>
#include <linux/of_clk.h>
-#include <linux/of_platform.h>
#include <linux/clk.h>
#include <linux/regmap.h>
#include <linux/mfd/syscon.h>
@@ -634,7 +636,6 @@ static int rockchip_pm_domain_probe(stru
struct device_node *node;
struct device *parent;
struct rockchip_pmu *pmu;
- const struct of_device_id *match;
const struct rockchip_pmu_info *pmu_info;
int error;
@@ -643,13 +644,7 @@ static int rockchip_pm_domain_probe(stru
return -ENODEV;
}
- match = of_match_device(dev->driver->of_match_table, dev);
- if (!match || !match->data) {
- dev_err(dev, "missing pmu data\n");
- return -EINVAL;
- }
-
- pmu_info = match->data;
+ pmu_info = device_get_match_data(dev);
pmu = devm_kzalloc(dev,
struct_size(pmu, domains, pmu_info->num_domains),
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 475/554] pmdomain: imx: Fix reference count leak in imx_gpc_probe()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 474/554] pmdomain: Use device_get_match_data() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 476/554] lockd: fix vfs_test_lock() calls Greg Kroah-Hartman
` (84 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Frank Li, Ulf Hansson,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
[ Upstream commit 73cb5f6eafb0ac7aea8cdeb8ff12981aa741d8fb ]
of_get_child_by_name() returns a node pointer with refcount incremented.
Use the __free() attribute to manage the pgc_node reference, ensuring
automatic of_node_put() cleanup when pgc_node goes out of scope.
This eliminates the need for explicit error handling paths and avoids
reference count leaks.
Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/imx/gpc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/soc/imx/gpc.c
+++ b/drivers/soc/imx/gpc.c
@@ -405,13 +405,12 @@ clk_err:
static int imx_gpc_probe(struct platform_device *pdev)
{
const struct imx_gpc_dt_data *of_id_data = device_get_match_data(&pdev->dev);
- struct device_node *pgc_node;
+ struct device_node *pgc_node __free(device_node)
+ = of_get_child_by_name(pdev->dev.of_node, "pgc");
struct regmap *regmap;
void __iomem *base;
int ret;
- pgc_node = of_get_child_by_name(pdev->dev.of_node, "pgc");
-
/* bail out if DT too old and doesn't provide the necessary info */
if (!of_property_read_bool(pdev->dev.of_node, "#power-domain-cells") &&
!pgc_node)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 476/554] lockd: fix vfs_test_lock() calls
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 475/554] pmdomain: imx: Fix reference count leak in imx_gpc_probe() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 477/554] ASoC: stm: stm32_sai_sub: Convert to platform remove callback returning void Greg Kroah-Hartman
` (83 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, NeilBrown,
Jeff Layton, Chuck Lever, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
[ Upstream commit a49a2a1baa0c553c3548a1c414b6a3c005a8deba ]
Usage of vfs_test_lock() is somewhat confused. Documentation suggests
it is given a "lock" but this is not the case. It is given a struct
file_lock which contains some details of the sort of lock it should be
looking for.
In particular passing a "file_lock" containing fl_lmops or fl_ops is
meaningless and possibly confusing.
This is particularly problematic in lockd. nlmsvc_testlock() receives
an initialised "file_lock" from xdr-decode, including manager ops and an
owner. It then mistakenly passes this to vfs_test_lock() which might
replace the owner and the ops. This can lead to confusion when freeing
the lock.
The primary role of the 'struct file_lock' passed to vfs_test_lock() is
to report a conflicting lock that was found, so it makes more sense for
nlmsvc_testlock() to pass "conflock", which it uses for returning the
conflicting lock.
With this change, freeing of the lock is not confused and code in
__nlm4svc_proc_test() and __nlmsvc_proc_test() can be simplified.
Documentation for vfs_test_lock() is improved to reflect its real
purpose, and a WARN_ON_ONCE() is added to avoid a similar problem in the
future.
Reported-by: Olga Kornievskaia <okorniev@redhat.com>
Closes: https://lore.kernel.org/all/20251021130506.45065-1-okorniev@redhat.com
Signed-off-by: NeilBrown <neil@brown.name>
Fixes: 20fa19027286 ("nfs: add export operations")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ adapted c.flc_* field accesses to direct fl_* fields ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/lockd/svc4proc.c | 4 +---
fs/lockd/svclock.c | 21 ++++++++++++---------
fs/lockd/svcproc.c | 5 +----
fs/locks.c | 13 +++++++++++--
4 files changed, 25 insertions(+), 18 deletions(-)
--- a/fs/lockd/svc4proc.c
+++ b/fs/lockd/svc4proc.c
@@ -96,7 +96,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
struct nlm_args *argp = rqstp->rq_argp;
struct nlm_host *host;
struct nlm_file *file;
- struct nlm_lockowner *test_owner;
__be32 rc = rpc_success;
dprintk("lockd: TEST4 called\n");
@@ -106,7 +105,6 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
if ((resp->status = nlm4svc_retrieve_args(rqstp, argp, &host, &file)))
return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
- test_owner = argp->lock.fl.fl_owner;
/* Now check for conflicting locks */
resp->status = nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie);
if (resp->status == nlm_drop_reply)
@@ -114,7 +112,7 @@ __nlm4svc_proc_test(struct svc_rqst *rqs
else
dprintk("lockd: TEST4 status %d\n", ntohl(resp->status));
- nlmsvc_put_lockowner(test_owner);
+ nlmsvc_release_lockowner(&argp->lock);
nlmsvc_release_host(host);
nlm_release_file(file);
return rc;
--- a/fs/lockd/svclock.c
+++ b/fs/lockd/svclock.c
@@ -604,7 +604,13 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
}
mode = lock_to_openmode(&lock->fl);
- error = vfs_test_lock(file->f_file[mode], &lock->fl);
+ locks_init_lock(&conflock->fl);
+ /* vfs_test_lock only uses start, end, and owner, but tests fl_file */
+ conflock->fl.fl_file = lock->fl.fl_file;
+ conflock->fl.fl_start = lock->fl.fl_start;
+ conflock->fl.fl_end = lock->fl.fl_end;
+ conflock->fl.fl_owner = lock->fl.fl_owner;
+ error = vfs_test_lock(file->f_file[mode], &conflock->fl);
if (error) {
/* We can't currently deal with deferred test requests */
if (error == FILE_LOCK_DEFERRED)
@@ -614,22 +620,19 @@ nlmsvc_testlock(struct svc_rqst *rqstp,
goto out;
}
- if (lock->fl.fl_type == F_UNLCK) {
+ if (conflock->fl.fl_type == F_UNLCK) {
ret = nlm_granted;
goto out;
}
dprintk("lockd: conflicting lock(ty=%d, %Ld-%Ld)\n",
- lock->fl.fl_type, (long long)lock->fl.fl_start,
- (long long)lock->fl.fl_end);
+ conflock->fl.fl_type, (long long)conflock->fl.fl_start,
+ (long long)conflock->fl.fl_end);
conflock->caller = "somehost"; /* FIXME */
conflock->len = strlen(conflock->caller);
conflock->oh.len = 0; /* don't return OH info */
- conflock->svid = lock->fl.fl_pid;
- conflock->fl.fl_type = lock->fl.fl_type;
- conflock->fl.fl_start = lock->fl.fl_start;
- conflock->fl.fl_end = lock->fl.fl_end;
- locks_release_private(&lock->fl);
+ conflock->svid = conflock->fl.fl_pid;
+ locks_release_private(&conflock->fl);
ret = nlm_lck_denied;
out:
--- a/fs/lockd/svcproc.c
+++ b/fs/lockd/svcproc.c
@@ -117,7 +117,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
struct nlm_args *argp = rqstp->rq_argp;
struct nlm_host *host;
struct nlm_file *file;
- struct nlm_lockowner *test_owner;
__be32 rc = rpc_success;
dprintk("lockd: TEST called\n");
@@ -127,8 +126,6 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
if ((resp->status = nlmsvc_retrieve_args(rqstp, argp, &host, &file)))
return resp->status == nlm_drop_reply ? rpc_drop_reply :rpc_success;
- test_owner = argp->lock.fl.fl_owner;
-
/* Now check for conflicting locks */
resp->status = cast_status(nlmsvc_testlock(rqstp, file, host, &argp->lock, &resp->lock, &resp->cookie));
if (resp->status == nlm_drop_reply)
@@ -137,7 +134,7 @@ __nlmsvc_proc_test(struct svc_rqst *rqst
dprintk("lockd: TEST status %d vers %d\n",
ntohl(resp->status), rqstp->rq_vers);
- nlmsvc_put_lockowner(test_owner);
+ nlmsvc_release_lockowner(&argp->lock);
nlmsvc_release_host(host);
nlm_release_file(file);
return rc;
--- a/fs/locks.c
+++ b/fs/locks.c
@@ -2229,13 +2229,22 @@ SYSCALL_DEFINE2(flock, unsigned int, fd,
/**
* vfs_test_lock - test file byte range lock
* @filp: The file to test lock for
- * @fl: The lock to test; also used to hold result
+ * @fl: The byte-range in the file to test; also used to hold result
*
+ * On entry, @fl does not contain a lock, but identifies a range (fl_start, fl_end)
+ * in the file (c.flc_file), and an owner (c.flc_owner) for whom existing locks
+ * should be ignored. c.flc_type and c.flc_flags are ignored.
+ * Both fl_lmops and fl_ops in @fl must be NULL.
* Returns -ERRNO on failure. Indicates presence of conflicting lock by
- * setting conf->fl_type to something other than F_UNLCK.
+ * setting fl->fl_type to something other than F_UNLCK.
+ *
+ * If vfs_test_lock() does find a lock and return it, the caller must
+ * use locks_free_lock() or locks_release_private() on the returned lock.
*/
int vfs_test_lock(struct file *filp, struct file_lock *fl)
{
+ WARN_ON_ONCE(fl->fl_ops || fl->fl_lmops);
+ WARN_ON_ONCE(filp != fl->fl_file);
if (filp->f_op->lock)
return filp->f_op->lock(filp, F_GETLK, fl);
posix_test_lock(filp, fl);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 477/554] ASoC: stm: stm32_sai_sub: Convert to platform remove callback returning void
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 476/554] lockd: fix vfs_test_lock() calls Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-16 9:00 ` Uwe Kleine-König
2026-01-15 16:49 ` [PATCH 5.15 478/554] ASoC: stm32: sai: fix OF node leak on probe Greg Kroah-Hartman
` (82 subsequent siblings)
559 siblings, 1 reply; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Takashi Iwai,
Nicolas Ferre, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit a3bd37e2e2bce4fb1757a940fa985d556662ba80 ]
The .remove() callback for a platform driver returns an int which makes
many driver authors wrongly assume it's possible to do error handling by
returning an error code. However the value returned is (mostly) ignored
and this typically results in resource leaks. To improve here there is a
quest to make the remove callback return void. In the first step of this
quest all drivers are converted to .remove_new() which already returns
void.
Trivially convert this driver from always returning zero in the remove
callback to the void returning variant.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20230315150745.67084-139-u.kleine-koenig@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 23261f0de094 ("ASoC: stm32: sai: fix OF node leak on probe")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai_sub.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -1571,7 +1571,7 @@ err_unprepare_pclk:
return ret;
}
-static int stm32_sai_sub_remove(struct platform_device *pdev)
+static void stm32_sai_sub_remove(struct platform_device *pdev)
{
struct stm32_sai_sub_data *sai = dev_get_drvdata(&pdev->dev);
@@ -1579,8 +1579,6 @@ static int stm32_sai_sub_remove(struct p
snd_dmaengine_pcm_unregister(&pdev->dev);
snd_soc_unregister_component(&pdev->dev);
pm_runtime_disable(&pdev->dev);
-
- return 0;
}
#ifdef CONFIG_PM_SLEEP
@@ -1630,7 +1628,7 @@ static struct platform_driver stm32_sai_
.pm = &stm32_sai_sub_pm_ops,
},
.probe = stm32_sai_sub_probe,
- .remove = stm32_sai_sub_remove,
+ .remove_new = stm32_sai_sub_remove,
};
module_platform_driver(stm32_sai_sub_driver);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 478/554] ASoC: stm32: sai: fix OF node leak on probe
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 477/554] ASoC: stm: stm32_sai_sub: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 479/554] wifi: mac80211: Discard Beacon frames to non-broadcast address Greg Kroah-Hartman
` (81 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olivier Moysan, Johan Hovold,
olivier moysan, Mark Brown, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
[ Upstream commit 23261f0de09427367e99f39f588e31e2856a690e ]
The reference taken to the sync provider OF node when probing the
platform device is currently only dropped if the set_sync() callback
fails during DAI probe.
Make sure to drop the reference on platform probe failures (e.g. probe
deferral) and on driver unbind.
This also avoids a potential use-after-free in case the DAI is ever
reprobed without first rebinding the platform driver.
Fixes: 5914d285f6b7 ("ASoC: stm32: sai: Add synchronization support")
Fixes: d4180b4c02e7 ("ASoC: stm32: sai: fix set_sync service")
Cc: Olivier Moysan <olivier.moysan@st.com>
Cc: stable@vger.kernel.org # 4.16: d4180b4c02e7
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: olivier moysan <olivier.moysan@foss.st.com>
Link: https://patch.msgid.link/20251124104908.15754-4-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/stm/stm32_sai.c | 12 +++---------
sound/soc/stm/stm32_sai_sub.c | 23 ++++++++++++++++-------
2 files changed, 19 insertions(+), 16 deletions(-)
--- a/sound/soc/stm/stm32_sai.c
+++ b/sound/soc/stm/stm32_sai.c
@@ -122,7 +122,6 @@ static int stm32_sai_set_sync(struct stm
if (!pdev) {
dev_err(&sai_client->pdev->dev,
"Device not found for node %pOFn\n", np_provider);
- of_node_put(np_provider);
return -ENODEV;
}
@@ -131,21 +130,16 @@ static int stm32_sai_set_sync(struct stm
if (!sai_provider) {
dev_err(&sai_client->pdev->dev,
"SAI sync provider data not found\n");
- ret = -EINVAL;
- goto error;
+ return -EINVAL;
}
/* Configure sync client */
ret = stm32_sai_sync_conf_client(sai_client, synci);
if (ret < 0)
- goto error;
+ return ret;
/* Configure sync provider */
- ret = stm32_sai_sync_conf_provider(sai_provider, synco);
-
-error:
- of_node_put(np_provider);
- return ret;
+ return stm32_sai_sync_conf_provider(sai_provider, synco);
}
static int stm32_sai_probe(struct platform_device *pdev)
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@ -1436,7 +1436,8 @@ static int stm32_sai_sub_parse_of(struct
dev_err(&pdev->dev,
"External synchro not supported\n");
of_node_put(args.np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_sync_provider;
}
sai->sync = SAI_SYNC_EXTERNAL;
@@ -1445,7 +1446,8 @@ static int stm32_sai_sub_parse_of(struct
(sai->synci > (SAI_GCR_SYNCIN_MAX + 1))) {
dev_err(&pdev->dev, "Wrong SAI index\n");
of_node_put(args.np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_sync_provider;
}
if (of_property_match_string(args.np, "compatible",
@@ -1459,7 +1461,8 @@ static int stm32_sai_sub_parse_of(struct
if (!sai->synco) {
dev_err(&pdev->dev, "Unknown SAI sub-block\n");
of_node_put(args.np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_sync_provider;
}
}
@@ -1469,13 +1472,15 @@ static int stm32_sai_sub_parse_of(struct
of_node_put(args.np);
sai->sai_ck = devm_clk_get(&pdev->dev, "sai_ck");
- if (IS_ERR(sai->sai_ck))
- return dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck),
- "Missing kernel clock sai_ck\n");
+ if (IS_ERR(sai->sai_ck)) {
+ ret = dev_err_probe(&pdev->dev, PTR_ERR(sai->sai_ck),
+ "Missing kernel clock sai_ck\n");
+ goto err_put_sync_provider;
+ }
ret = clk_prepare(sai->pdata->pclk);
if (ret < 0)
- return ret;
+ goto err_put_sync_provider;
if (STM_SAI_IS_F4(sai->pdata))
return 0;
@@ -1497,6 +1502,8 @@ static int stm32_sai_sub_parse_of(struct
err_unprepare_pclk:
clk_unprepare(sai->pdata->pclk);
+err_put_sync_provider:
+ of_node_put(sai->np_sync_provider);
return ret;
}
@@ -1567,6 +1574,7 @@ static int stm32_sai_sub_probe(struct pl
err_unprepare_pclk:
clk_unprepare(sai->pdata->pclk);
+ of_node_put(sai->np_sync_provider);
return ret;
}
@@ -1579,6 +1587,7 @@ static void stm32_sai_sub_remove(struct
snd_dmaengine_pcm_unregister(&pdev->dev);
snd_soc_unregister_component(&pdev->dev);
pm_runtime_disable(&pdev->dev);
+ of_node_put(sai->np_sync_provider);
}
#ifdef CONFIG_PM_SLEEP
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 479/554] wifi: mac80211: Discard Beacon frames to non-broadcast address
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 478/554] ASoC: stm32: sai: fix OF node leak on probe Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 480/554] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Greg Kroah-Hartman
` (80 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jouni Malinen, Johannes Berg,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
[ Upstream commit 193d18f60588e95d62e0f82b6a53893e5f2f19f8 ]
Beacon frames are required to be sent to the broadcast address, see IEEE
Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame
shall be set to the broadcast address"). A unicast Beacon frame might be
used as a targeted attack to get one of the associated STAs to do
something (e.g., using CSA to move it to another channel). As such, it
is better have strict filtering for this on the received side and
discard all Beacon frames that are sent to an unexpected address.
This is even more important for cases where beacon protection is used.
The current implementation in mac80211 is correctly discarding unicast
Beacon frames if the Protected Frame bit in the Frame Control field is
set to 0. However, if that bit is set to 1, the logic used for checking
for configured BIGTK(s) does not actually work. If the driver does not
have logic for dropping unicast Beacon frames with Protected Frame bit
1, these frames would be accepted in mac80211 processing as valid Beacon
frames even though they are not protected. This would allow beacon
protection to be bypassed. While the logic for checking beacon
protection could be extended to cover this corner case, a more generic
check for discard all Beacon frames based on A1=unicast address covers
this without needing additional changes.
Address all these issues by dropping received Beacon frames if they are
sent to a non-broadcast address.
Cc: stable@vger.kernel.org
Fixes: af2d14b01c32 ("mac80211: Beacon protection using the new BIGTK (STA)")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Link: https://patch.msgid.link/20251215151134.104501-1-jouni.malinen@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
[ adapted RX_DROP return value to RX_DROP_MONITOR ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac80211/rx.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3193,6 +3193,11 @@ ieee80211_rx_h_mgmt_check(struct ieee802
if (!ieee80211_is_mgmt(mgmt->frame_control))
return RX_DROP_MONITOR;
+ /* Drop non-broadcast Beacon frames */
+ if (ieee80211_is_beacon(mgmt->frame_control) &&
+ !is_broadcast_ether_addr(mgmt->da))
+ return RX_DROP_MONITOR;
+
if (rx->sdata->vif.type == NL80211_IFTYPE_AP &&
ieee80211_is_beacon(mgmt->frame_control) &&
!(rx->flags & IEEE80211_RX_BEACON_REPORTED)) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 480/554] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 479/554] wifi: mac80211: Discard Beacon frames to non-broadcast address Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 481/554] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF Greg Kroah-Hartman
` (79 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrik Jakobsson, Stefan Christ,
Daniel Vetter, dri-devel, Thomas Zimmermann, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
[ Upstream commit be729f9de6c64240645dc80a24162ac4d3fe00a8 ]
Remove psb_fbdev_fb_setcolreg(), which hasn't been called in almost
a decade.
Gma500 commit 4d8d096e9ae8 ("gma500: introduce the framebuffer support
code") added the helper psb_fbdev_fb_setcolreg() for setting the fbdev
palette via fbdev's fb_setcolreg callback. Later
commit 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for
fb_ops") set several default helpers for fbdev emulation, including
fb_setcmap.
The fbdev subsystem always prefers fb_setcmap over fb_setcolreg. [1]
Hence, the gma500 code is no longer in use and gma500 has been using
drm_fb_helper_setcmap() for several years without issues.
Fixes: 3da6c2f3b730 ("drm/gma500: use DRM_FB_HELPER_DEFAULT_OPS for fb_ops")
Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Cc: Stefan Christ <contact@stefanchrist.eu>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v4.10+
Link: https://elixir.bootlin.com/linux/v6.16.9/source/drivers/video/fbdev/core/fbcmap.c#L246 # [1]
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Acked-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://lore.kernel.org/r/20250929082338.18845-1-tzimmermann@suse.de
[ adapted patch from fbdev.c to framebuffer.c where the function was named psbfb_setcolreg() instead of psb_fbdev_fb_setcolreg() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gma500/framebuffer.c | 42 -----------------------------------
1 file changed, 42 deletions(-)
--- a/drivers/gpu/drm/gma500/framebuffer.c
+++ b/drivers/gpu/drm/gma500/framebuffer.c
@@ -35,47 +35,6 @@ static const struct drm_framebuffer_func
.create_handle = drm_gem_fb_create_handle,
};
-#define CMAP_TOHW(_val, _width) ((((_val) << (_width)) + 0x7FFF - (_val)) >> 16)
-
-static int psbfb_setcolreg(unsigned regno, unsigned red, unsigned green,
- unsigned blue, unsigned transp,
- struct fb_info *info)
-{
- struct drm_fb_helper *fb_helper = info->par;
- struct drm_framebuffer *fb = fb_helper->fb;
- uint32_t v;
-
- if (!fb)
- return -ENOMEM;
-
- if (regno > 255)
- return 1;
-
- red = CMAP_TOHW(red, info->var.red.length);
- blue = CMAP_TOHW(blue, info->var.blue.length);
- green = CMAP_TOHW(green, info->var.green.length);
- transp = CMAP_TOHW(transp, info->var.transp.length);
-
- v = (red << info->var.red.offset) |
- (green << info->var.green.offset) |
- (blue << info->var.blue.offset) |
- (transp << info->var.transp.offset);
-
- if (regno < 16) {
- switch (fb->format->cpp[0] * 8) {
- case 16:
- ((uint32_t *) info->pseudo_palette)[regno] = v;
- break;
- case 24:
- case 32:
- ((uint32_t *) info->pseudo_palette)[regno] = v;
- break;
- }
- }
-
- return 0;
-}
-
static vm_fault_t psbfb_vm_fault(struct vm_fault *vmf)
{
struct vm_area_struct *vma = vmf->vma;
@@ -147,7 +106,6 @@ static int psbfb_mmap(struct fb_info *in
static const struct fb_ops psbfb_unaccel_ops = {
.owner = THIS_MODULE,
DRM_FB_HELPER_DEFAULT_OPS,
- .fb_setcolreg = psbfb_setcolreg,
.fb_fillrect = drm_fb_helper_cfb_fillrect,
.fb_copyarea = drm_fb_helper_cfb_copyarea,
.fb_imageblit = drm_fb_helper_cfb_imageblit,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 481/554] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF.
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 480/554] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 482/554] mmc: core: use sysfs_emit() instead of sprintf() Greg Kroah-Hartman
` (78 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, yan kang, yue sun,
Kuniyuki Iwashima, Stanislav Fomichev, Ido Schimmel,
Nikolay Aleksandrov, Paolo Abeni, Thadeu Lima de Souza Cascardo
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
commit ed3ba9b6e280e14cc3148c1b226ba453f02fa76c upstream.
SIOCBRDELIF is passed to dev_ioctl() first and later forwarded to
br_ioctl_call(), which causes unnecessary RTNL dance and the splat
below [0] under RTNL pressure.
Let's say Thread A is trying to detach a device from a bridge and
Thread B is trying to remove the bridge.
In dev_ioctl(), Thread A bumps the bridge device's refcnt by
netdev_hold() and releases RTNL because the following br_ioctl_call()
also re-acquires RTNL.
In the race window, Thread B could acquire RTNL and try to remove
the bridge device. Then, rtnl_unlock() by Thread B will release RTNL
and wait for netdev_put() by Thread A.
Thread A, however, must hold RTNL after the unlock in dev_ifsioc(),
which may take long under RTNL pressure, resulting in the splat by
Thread B.
Thread A (SIOCBRDELIF) Thread B (SIOCBRDELBR)
---------------------- ----------------------
sock_ioctl sock_ioctl
`- sock_do_ioctl `- br_ioctl_call
`- dev_ioctl `- br_ioctl_stub
|- rtnl_lock |
|- dev_ifsioc '
' |- dev = __dev_get_by_name(...)
|- netdev_hold(dev, ...) .
/ |- rtnl_unlock ------. |
| |- br_ioctl_call `---> |- rtnl_lock
Race | | `- br_ioctl_stub |- br_del_bridge
Window | | | |- dev = __dev_get_by_name(...)
| | | May take long | `- br_dev_delete(dev, ...)
| | | under RTNL pressure | `- unregister_netdevice_queue(dev, ...)
| | | | `- rtnl_unlock
\ | |- rtnl_lock <-' `- netdev_run_todo
| |- ... `- netdev_run_todo
| `- rtnl_unlock |- __rtnl_unlock
| |- netdev_wait_allrefs_any
|- netdev_put(dev, ...) <----------------'
Wait refcnt decrement
and log splat below
To avoid blocking SIOCBRDELBR unnecessarily, let's not call
dev_ioctl() for SIOCBRADDIF and SIOCBRDELIF.
In the dev_ioctl() path, we do the following:
1. Copy struct ifreq by get_user_ifreq in sock_do_ioctl()
2. Check CAP_NET_ADMIN in dev_ioctl()
3. Call dev_load() in dev_ioctl()
4. Fetch the master dev from ifr.ifr_name in dev_ifsioc()
3. can be done by request_module() in br_ioctl_call(), so we move
1., 2., and 4. to br_ioctl_stub().
Note that 2. is also checked later in add_del_if(), but it's better
performed before RTNL.
SIOCBRADDIF and SIOCBRDELIF have been processed in dev_ioctl() since
the pre-git era, and there seems to be no specific reason to process
them there.
[0]:
unregister_netdevice: waiting for wpan3 to become free. Usage count = 2
ref_tracker: wpan3@ffff8880662d8608 has 1/1 users at
__netdev_tracker_alloc include/linux/netdevice.h:4282 [inline]
netdev_hold include/linux/netdevice.h:4311 [inline]
dev_ifsioc+0xc6a/0x1160 net/core/dev_ioctl.c:624
dev_ioctl+0x255/0x10c0 net/core/dev_ioctl.c:826
sock_do_ioctl+0x1ca/0x260 net/socket.c:1213
sock_ioctl+0x23a/0x6c0 net/socket.c:1318
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:906 [inline]
__se_sys_ioctl fs/ioctl.c:892 [inline]
__x64_sys_ioctl+0x1a4/0x210 fs/ioctl.c:892
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcb/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Fixes: 893b19587534 ("net: bridge: fix ioctl locking")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Reported-by: yan kang <kangyan91@outlook.com>
Reported-by: yue sun <samsun1006219@gmail.com>
Closes: https://lore.kernel.org/netdev/SY8P300MB0421225D54EB92762AE8F0F2A1D32@SY8P300MB0421.AUSP300.PROD.OUTLOOK.COM/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20250316192851.19781-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[cascardo: fixed conflict at dev_ifsioc]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/if_bridge.h | 6 ++----
net/bridge/br_ioctl.c | 36 +++++++++++++++++++++++++++++++++---
net/bridge/br_private.h | 3 +--
net/core/dev_ioctl.c | 15 ---------------
net/socket.c | 19 +++++++++----------
5 files changed, 45 insertions(+), 34 deletions(-)
--- a/include/linux/if_bridge.h
+++ b/include/linux/if_bridge.h
@@ -62,11 +62,9 @@ struct br_ip_list {
#define BR_DEFAULT_AGEING_TIME (300 * HZ)
struct net_bridge;
-void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br,
- unsigned int cmd, struct ifreq *ifr,
+void brioctl_set(int (*hook)(struct net *net, unsigned int cmd,
void __user *uarg));
-int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd,
- struct ifreq *ifr, void __user *uarg);
+int br_ioctl_call(struct net *net, unsigned int cmd, void __user *uarg);
#if IS_ENABLED(CONFIG_BRIDGE) && IS_ENABLED(CONFIG_BRIDGE_IGMP_SNOOPING)
int br_multicast_list_adjacent(struct net_device *dev,
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -368,10 +368,26 @@ static int old_deviceless(struct net *ne
return -EOPNOTSUPP;
}
-int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd,
- struct ifreq *ifr, void __user *uarg)
+int br_ioctl_stub(struct net *net, unsigned int cmd, void __user *uarg)
{
int ret = -EOPNOTSUPP;
+ struct ifreq ifr;
+
+ if (cmd == SIOCBRADDIF || cmd == SIOCBRDELIF) {
+ void __user *data;
+ char *colon;
+
+ if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (get_user_ifreq(&ifr, &data, uarg))
+ return -EFAULT;
+
+ ifr.ifr_name[IFNAMSIZ - 1] = 0;
+ colon = strchr(ifr.ifr_name, ':');
+ if (colon)
+ *colon = 0;
+ }
rtnl_lock();
@@ -404,7 +420,21 @@ int br_ioctl_stub(struct net *net, struc
break;
case SIOCBRADDIF:
case SIOCBRDELIF:
- ret = add_del_if(br, ifr->ifr_ifindex, cmd == SIOCBRADDIF);
+ {
+ struct net_device *dev;
+
+ dev = __dev_get_by_name(net, ifr.ifr_name);
+ if (!dev || !netif_device_present(dev)) {
+ ret = -ENODEV;
+ break;
+ }
+ if (!netif_is_bridge_master(dev)) {
+ ret = -EOPNOTSUPP;
+ break;
+ }
+
+ ret = add_del_if(netdev_priv(dev), ifr.ifr_ifindex, cmd == SIOCBRADDIF);
+ }
break;
}
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -875,8 +875,7 @@ br_port_get_check_rtnl(const struct net_
/* br_ioctl.c */
int br_dev_siocdevprivate(struct net_device *dev, struct ifreq *rq,
void __user *data, int cmd);
-int br_ioctl_stub(struct net *net, struct net_bridge *br, unsigned int cmd,
- struct ifreq *ifr, void __user *uarg);
+int br_ioctl_stub(struct net *net, unsigned int cmd, void __user *uarg);
/* br_multicast.c */
#ifdef CONFIG_BRIDGE_IGMP_SNOOPING
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -375,19 +375,6 @@ static int dev_ifsioc(struct net *net, s
case SIOCWANDEV:
return dev_siocwandev(dev, &ifr->ifr_settings);
- case SIOCBRADDIF:
- case SIOCBRDELIF:
- if (!netif_device_present(dev))
- return -ENODEV;
- if (!netif_is_bridge_master(dev))
- return -EOPNOTSUPP;
- dev_hold(dev);
- rtnl_unlock();
- err = br_ioctl_call(net, netdev_priv(dev), cmd, ifr, NULL);
- dev_put(dev);
- rtnl_lock();
- return err;
-
case SIOCSHWTSTAMP:
err = net_hwtstamp_validate(ifr);
if (err)
@@ -574,8 +561,6 @@ int dev_ioctl(struct net *net, unsigned
case SIOCBONDRELEASE:
case SIOCBONDSETHWADDR:
case SIOCBONDCHANGEACTIVE:
- case SIOCBRADDIF:
- case SIOCBRDELIF:
case SIOCSHWTSTAMP:
if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
return -EPERM;
--- a/net/socket.c
+++ b/net/socket.c
@@ -1097,12 +1097,10 @@ static ssize_t sock_write_iter(struct ki
*/
static DEFINE_MUTEX(br_ioctl_mutex);
-static int (*br_ioctl_hook)(struct net *net, struct net_bridge *br,
- unsigned int cmd, struct ifreq *ifr,
+static int (*br_ioctl_hook)(struct net *net, unsigned int cmd,
void __user *uarg);
-void brioctl_set(int (*hook)(struct net *net, struct net_bridge *br,
- unsigned int cmd, struct ifreq *ifr,
+void brioctl_set(int (*hook)(struct net *net, unsigned int cmd,
void __user *uarg))
{
mutex_lock(&br_ioctl_mutex);
@@ -1111,8 +1109,7 @@ void brioctl_set(int (*hook)(struct net
}
EXPORT_SYMBOL(brioctl_set);
-int br_ioctl_call(struct net *net, struct net_bridge *br, unsigned int cmd,
- struct ifreq *ifr, void __user *uarg)
+int br_ioctl_call(struct net *net, unsigned int cmd, void __user *uarg)
{
int err = -ENOPKG;
@@ -1121,7 +1118,7 @@ int br_ioctl_call(struct net *net, struc
mutex_lock(&br_ioctl_mutex);
if (br_ioctl_hook)
- err = br_ioctl_hook(net, br, cmd, ifr, uarg);
+ err = br_ioctl_hook(net, cmd, uarg);
mutex_unlock(&br_ioctl_mutex);
return err;
@@ -1218,7 +1215,9 @@ static long sock_ioctl(struct file *file
case SIOCSIFBR:
case SIOCBRADDBR:
case SIOCBRDELBR:
- err = br_ioctl_call(net, NULL, cmd, NULL, argp);
+ case SIOCBRADDIF:
+ case SIOCBRDELIF:
+ err = br_ioctl_call(net, cmd, argp);
break;
case SIOCGIFVLAN:
case SIOCSIFVLAN:
@@ -3321,6 +3320,8 @@ static int compat_sock_ioctl_trans(struc
case SIOCGPGRP:
case SIOCBRADDBR:
case SIOCBRDELBR:
+ case SIOCBRADDIF:
+ case SIOCBRDELIF:
case SIOCGIFVLAN:
case SIOCSIFVLAN:
case SIOCGSKNS:
@@ -3358,8 +3359,6 @@ static int compat_sock_ioctl_trans(struc
case SIOCGIFPFLAGS:
case SIOCGIFTXQLEN:
case SIOCSIFTXQLEN:
- case SIOCBRADDIF:
- case SIOCBRDELIF:
case SIOCGIFNAME:
case SIOCSIFNAME:
case SIOCGMIIPHY:
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 482/554] mmc: core: use sysfs_emit() instead of sprintf()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 481/554] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 483/554] drm/i915/selftests: fix subtraction overflow bug Greg Kroah-Hartman
` (77 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sergey Shtylyov, Ulf Hansson,
Chen Yu
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sergey Shtylyov <s.shtylyov@omp.ru>
[ Upstream commit f5d8a5fe77ce933f53eb8f2e22bb7a1a2019ea11 ]
sprintf() (still used in the MMC core for the sysfs output) is vulnerable
to the buffer overflow. Use the new-fangled sysfs_emit() instead.
Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/717729b2-d65b-c72e-9fac-471d28d00b5a@omp.ru
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Chen Yu <xnguchen@sina.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/bus.c | 9 +++++----
drivers/mmc/core/bus.h | 3 ++-
drivers/mmc/core/mmc.c | 16 ++++++++--------
drivers/mmc/core/sd.c | 27 +++++++++++++--------------
drivers/mmc/core/sdio.c | 5 +++--
drivers/mmc/core/sdio_bus.c | 7 ++++---
6 files changed, 35 insertions(+), 32 deletions(-)
--- a/drivers/mmc/core/bus.c
+++ b/drivers/mmc/core/bus.c
@@ -15,6 +15,7 @@
#include <linux/stat.h>
#include <linux/of.h>
#include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
#include <linux/mmc/card.h>
#include <linux/mmc/host.h>
@@ -34,13 +35,13 @@ static ssize_t type_show(struct device *
switch (card->type) {
case MMC_TYPE_MMC:
- return sprintf(buf, "MMC\n");
+ return sysfs_emit(buf, "MMC\n");
case MMC_TYPE_SD:
- return sprintf(buf, "SD\n");
+ return sysfs_emit(buf, "SD\n");
case MMC_TYPE_SDIO:
- return sprintf(buf, "SDIO\n");
+ return sysfs_emit(buf, "SDIO\n");
case MMC_TYPE_SD_COMBO:
- return sprintf(buf, "SDcombo\n");
+ return sysfs_emit(buf, "SDcombo\n");
default:
return -EFAULT;
}
--- a/drivers/mmc/core/bus.h
+++ b/drivers/mmc/core/bus.h
@@ -9,6 +9,7 @@
#define _MMC_CORE_BUS_H
#include <linux/device.h>
+#include <linux/sysfs.h>
struct mmc_host;
struct mmc_card;
@@ -17,7 +18,7 @@ struct mmc_card;
static ssize_t mmc_##name##_show (struct device *dev, struct device_attribute *attr, char *buf) \
{ \
struct mmc_card *card = mmc_dev_to_card(dev); \
- return sprintf(buf, fmt, args); \
+ return sysfs_emit(buf, fmt, args); \
} \
static DEVICE_ATTR(name, S_IRUGO, mmc_##name##_show, NULL)
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -12,6 +12,7 @@
#include <linux/slab.h>
#include <linux/stat.h>
#include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
#include <linux/mmc/host.h>
#include <linux/mmc/card.h>
@@ -812,12 +813,11 @@ static ssize_t mmc_fwrev_show(struct dev
{
struct mmc_card *card = mmc_dev_to_card(dev);
- if (card->ext_csd.rev < 7) {
- return sprintf(buf, "0x%x\n", card->cid.fwrev);
- } else {
- return sprintf(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
- card->ext_csd.fwrev);
- }
+ if (card->ext_csd.rev < 7)
+ return sysfs_emit(buf, "0x%x\n", card->cid.fwrev);
+ else
+ return sysfs_emit(buf, "0x%*phN\n", MMC_FIRMWARE_LEN,
+ card->ext_csd.fwrev);
}
static DEVICE_ATTR(fwrev, S_IRUGO, mmc_fwrev_show, NULL);
@@ -830,10 +830,10 @@ static ssize_t mmc_dsr_show(struct devic
struct mmc_host *host = card->host;
if (card->csd.dsr_imp && host->dsr_req)
- return sprintf(buf, "0x%x\n", host->dsr);
+ return sysfs_emit(buf, "0x%x\n", host->dsr);
else
/* return default DSR value */
- return sprintf(buf, "0x%x\n", 0x404);
+ return sysfs_emit(buf, "0x%x\n", 0x404);
}
static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
--- a/drivers/mmc/core/sd.c
+++ b/drivers/mmc/core/sd.c
@@ -12,6 +12,7 @@
#include <linux/slab.h>
#include <linux/stat.h>
#include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
#include <linux/mmc/host.h>
#include <linux/mmc/card.h>
@@ -707,18 +708,16 @@ MMC_DEV_ATTR(ocr, "0x%08x\n", card->ocr)
MMC_DEV_ATTR(rca, "0x%04x\n", card->rca);
-static ssize_t mmc_dsr_show(struct device *dev,
- struct device_attribute *attr,
- char *buf)
-{
- struct mmc_card *card = mmc_dev_to_card(dev);
- struct mmc_host *host = card->host;
-
- if (card->csd.dsr_imp && host->dsr_req)
- return sprintf(buf, "0x%x\n", host->dsr);
- else
- /* return default DSR value */
- return sprintf(buf, "0x%x\n", 0x404);
+static ssize_t mmc_dsr_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+{
+ struct mmc_card *card = mmc_dev_to_card(dev);
+ struct mmc_host *host = card->host;
+
+ if (card->csd.dsr_imp && host->dsr_req)
+ return sysfs_emit(buf, "0x%x\n", host->dsr);
+ /* return default DSR value */
+ return sysfs_emit(buf, "0x%x\n", 0x404);
}
static DEVICE_ATTR(dsr, S_IRUGO, mmc_dsr_show, NULL);
@@ -734,9 +733,9 @@ static ssize_t info##num##_show(struct d
\
if (num > card->num_info) \
return -ENODATA; \
- if (!card->info[num-1][0]) \
+ if (!card->info[num - 1][0]) \
return 0; \
- return sprintf(buf, "%s\n", card->info[num-1]); \
+ return sysfs_emit(buf, "%s\n", card->info[num - 1]); \
} \
static DEVICE_ATTR_RO(info##num)
--- a/drivers/mmc/core/sdio.c
+++ b/drivers/mmc/core/sdio.c
@@ -7,6 +7,7 @@
#include <linux/err.h>
#include <linux/pm_runtime.h>
+#include <linux/sysfs.h>
#include <linux/mmc/host.h>
#include <linux/mmc/card.h>
@@ -40,9 +41,9 @@ static ssize_t info##num##_show(struct d
\
if (num > card->num_info) \
return -ENODATA; \
- if (!card->info[num-1][0]) \
+ if (!card->info[num - 1][0]) \
return 0; \
- return sprintf(buf, "%s\n", card->info[num-1]); \
+ return sysfs_emit(buf, "%s\n", card->info[num - 1]); \
} \
static DEVICE_ATTR_RO(info##num)
--- a/drivers/mmc/core/sdio_bus.c
+++ b/drivers/mmc/core/sdio_bus.c
@@ -14,6 +14,7 @@
#include <linux/pm_runtime.h>
#include <linux/pm_domain.h>
#include <linux/acpi.h>
+#include <linux/sysfs.h>
#include <linux/mmc/card.h>
#include <linux/mmc/host.h>
@@ -35,7 +36,7 @@ field##_show(struct device *dev, struct
struct sdio_func *func; \
\
func = dev_to_sdio_func (dev); \
- return sprintf(buf, format_string, args); \
+ return sysfs_emit(buf, format_string, args); \
} \
static DEVICE_ATTR_RO(field)
@@ -52,9 +53,9 @@ static ssize_t info##num##_show(struct d
\
if (num > func->num_info) \
return -ENODATA; \
- if (!func->info[num-1][0]) \
+ if (!func->info[num - 1][0]) \
return 0; \
- return sprintf(buf, "%s\n", func->info[num-1]); \
+ return sysfs_emit(buf, "%s\n", func->info[num - 1]); \
} \
static DEVICE_ATTR_RO(info##num)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 483/554] drm/i915/selftests: fix subtraction overflow bug
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 482/554] mmc: core: use sysfs_emit() instead of sprintf() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 484/554] page_pool: Fix use-after-free in page_pool_recycle_in_ring Greg Kroah-Hartman
` (76 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrzej Hajda, Andi Shyti,
Rodrigo Vivi, Rajani Kantha
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrzej Hajda <andrzej.hajda@intel.com>
[ Upstream commit ab3edc679c552a466e4bf0b11af3666008bd65a2 ]
On some machines hole_end can be small enough to cause subtraction
overflow. On the other side (addr + 2 * min_alignment) can overflow
in case of mock tests. This patch should handle both cases.
Fixes: e1c5f754067b59 ("drm/i915: Avoid overflow in computing pot_hole loop termination")
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/3674
Signed-off-by: Andrzej Hajda <andrzej.hajda@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220624113528.2159210-1-andrzej.hajda@intel.com
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
[ Using I915_GTT_PAGE_SIZE instead of min_alignment due to 5.15 missing commit:87bd701ee268 ("drm/i915: enforce min GTT alignment for discrete cards")]
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
+++ b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
@@ -715,7 +715,7 @@ static int pot_hole(struct i915_address_
u64 addr;
for (addr = round_up(hole_start + I915_GTT_PAGE_SIZE, step) - I915_GTT_PAGE_SIZE;
- addr <= round_down(hole_end - 2*I915_GTT_PAGE_SIZE, step) - I915_GTT_PAGE_SIZE;
+ hole_end > addr && hole_end - addr >= 2 * I915_GTT_PAGE_SIZE;
addr += step) {
err = i915_vma_pin(vma, 0, 0, addr | flags);
if (err) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 484/554] page_pool: Fix use-after-free in page_pool_recycle_in_ring
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 483/554] drm/i915/selftests: fix subtraction overflow bug Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 485/554] KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Greg Kroah-Hartman
` (75 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski,
syzbot+204a4382fcb3311f3858, Dong Chenchen,
Toke Høiland-Jørgensen, Mina Almasry, Ruohan Lan
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dong Chenchen <dongchenchen2@huawei.com>
[ Upstream commit 271683bb2cf32e5126c592b5d5e6a756fa374fd9 ]
syzbot reported a uaf in page_pool_recycle_in_ring:
BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943
CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x169/0x550 mm/kasan/report.c:489
kasan_report+0x143/0x180 mm/kasan/report.c:602
lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862
__raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline]
_raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210
spin_unlock_bh include/linux/spinlock.h:396 [inline]
ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline]
page_pool_recycle_in_ring net/core/page_pool.c:707 [inline]
page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826
page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline]
page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline]
napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036
skb_pp_recycle net/core/skbuff.c:1047 [inline]
skb_free_head net/core/skbuff.c:1094 [inline]
skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125
skb_release_all net/core/skbuff.c:1190 [inline]
__kfree_skb net/core/skbuff.c:1204 [inline]
sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242
kfree_skb_reason include/linux/skbuff.h:1263 [inline]
__skb_queue_purge_reason include/linux/skbuff.h:3343 [inline]
root cause is:
page_pool_recycle_in_ring
ptr_ring_produce
spin_lock(&r->producer_lock);
WRITE_ONCE(r->queue[r->producer++], ptr)
//recycle last page to pool
page_pool_release
page_pool_scrub
page_pool_empty_ring
ptr_ring_consume
page_pool_return_page //release all page
__page_pool_destroy
free_percpu(pool->recycle_stats);
free(pool) //free
spin_unlock(&r->producer_lock); //pool->ring uaf read
recycle_stat_inc(pool, ring);
page_pool can be free while page pool recycle the last page in ring.
Add producer-lock barrier to page_pool_release to prevent the page
pool from being free before all pages have been recycled.
recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not
enabled, which will trigger Wempty-body build warning. Add definition
for pool stat macro to fix warning.
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/netdev/20250513083123.3514193-1-dongchenchen2@huawei.com
Fixes: ff7d6b27f894 ("page_pool: refurbish version of page_pool code")
Reported-by: syzbot+204a4382fcb3311f3858@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=204a4382fcb3311f3858
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Link: https://patch.msgid.link/20250527114152.3119109-1-dongchenchen2@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Linux 5.15.y does not support page pool statistics
(CONFIG_PAGE_POOL_STATS), so remove the related source code
changes from the patch. ]
Signed-off-by: Ruohan Lan <ruohanlan@aliyun.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/page_pool.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -414,14 +414,14 @@ static void page_pool_return_page(struct
static bool page_pool_recycle_in_ring(struct page_pool *pool, struct page *page)
{
- int ret;
+ bool in_softirq, ret;
+
/* BH protection not needed if current is softirq */
- if (in_softirq())
- ret = ptr_ring_produce(&pool->ring, page);
- else
- ret = ptr_ring_produce_bh(&pool->ring, page);
+ in_softirq = page_pool_producer_lock(pool);
+ ret = !__ptr_ring_produce(&pool->ring, page);
+ page_pool_producer_unlock(pool, in_softirq);
- return (ret == 0) ? true : false;
+ return ret;
}
/* Only allow direct recycling in special circumstances, into the
@@ -684,10 +684,14 @@ static void page_pool_scrub(struct page_
static int page_pool_release(struct page_pool *pool)
{
+ bool in_softirq;
int inflight;
page_pool_scrub(pool);
inflight = page_pool_inflight(pool);
+ /* Acquire producer lock to make sure producers have exited. */
+ in_softirq = page_pool_producer_lock(pool);
+ page_pool_producer_unlock(pool, in_softirq);
if (!inflight)
page_pool_free(pool);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 485/554] KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 484/554] page_pool: Fix use-after-free in page_pool_recycle_in_ring Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 486/554] HID: core: Harden s32ton() against conversion to 0 bits Greg Kroah-Hartman
` (74 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable, seanjc; +Cc: Greg Kroah-Hartman, patches, Rajani Kantha
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 4bcdd831d9d01e0fb64faea50732b59b2ee88da1 upstream.
Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forcibly
leave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMX
reads guest memory.
Note, kvm_vcpu_ioctl_x86_set_vcpu_events() can also be called from KVM_RUN
via sync_regs(), which already holds SRCU. I.e. trying to precisely use
kvm_vcpu_srcu_read_lock() around the problematic SMM code would cause
problems. Acquiring SRCU isn't all that expensive, so for simplicity,
grab it unconditionally for KVM_SET_VCPU_EVENTS.
=============================
WARNING: suspicious RCU usage
6.10.0-rc7-332d2c1d713e-next-vm #552 Not tainted
-----------------------------
include/linux/kvm_host.h:1027 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by repro/1071:
#0: ffff88811e424430 (&vcpu->mutex){+.+.}-{3:3}, at: kvm_vcpu_ioctl+0x7d/0x970 [kvm]
stack backtrace:
CPU: 15 PID: 1071 Comm: repro Not tainted 6.10.0-rc7-332d2c1d713e-next-vm #552
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Call Trace:
<TASK>
dump_stack_lvl+0x7f/0x90
lockdep_rcu_suspicious+0x13f/0x1a0
kvm_vcpu_gfn_to_memslot+0x168/0x190 [kvm]
kvm_vcpu_read_guest+0x3e/0x90 [kvm]
nested_vmx_load_msr+0x6b/0x1d0 [kvm_intel]
load_vmcs12_host_state+0x432/0xb40 [kvm_intel]
vmx_leave_nested+0x30/0x40 [kvm_intel]
kvm_vcpu_ioctl_x86_set_vcpu_events+0x15d/0x2b0 [kvm]
kvm_arch_vcpu_ioctl+0x1107/0x1750 [kvm]
? mark_held_locks+0x49/0x70
? kvm_vcpu_ioctl+0x7d/0x970 [kvm]
? kvm_vcpu_ioctl+0x497/0x970 [kvm]
kvm_vcpu_ioctl+0x497/0x970 [kvm]
? lock_acquire+0xba/0x2d0
? find_held_lock+0x2b/0x80
? do_user_addr_fault+0x40c/0x6f0
? lock_release+0xb7/0x270
__x64_sys_ioctl+0x82/0xb0
do_syscall_64+0x6c/0x170
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7ff11eb1b539
</TASK>
Fixes: f7e570780efc ("KVM: x86: Forcibly leave nested virt when SMM state is toggled")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240723232055.3643811-1-seanjc@google.com
Signed-off-by: Sean Christopherson <seanjc@google.com>
[ Based on kernel 5.15 available functions, using srcu_read_lock/srcu_read_unlock instead of
kvm_vcpu_srcu_read_lock/kvm_vcpu_srcu_read_unlock ]
Signed-off-by: Rajani Kantha <681739313@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5294,7 +5294,9 @@ long kvm_arch_vcpu_ioctl(struct file *fi
if (copy_from_user(&events, argp, sizeof(struct kvm_vcpu_events)))
break;
+ vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
r = kvm_vcpu_ioctl_x86_set_vcpu_events(vcpu, &events);
+ srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
break;
}
case KVM_GET_DEBUGREGS: {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 486/554] HID: core: Harden s32ton() against conversion to 0 bits
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 485/554] KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 487/554] mm/mprotect: use long for page accountings and retval Greg Kroah-Hartman
` (73 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan Stern,
syzbot+b63d677d63bcac06cf90, Benjamin Tissoires, Wenshan Lan
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
[ Upstream commit a6b87bfc2ab5bccb7ad953693c85d9062aef3fdd ]
Testing by the syzbot fuzzer showed that the HID core gets a
shift-out-of-bounds exception when it tries to convert a 32-bit
quantity to a 0-bit quantity. Ideally this should never occur, but
there are buggy devices and some might have a report field with size
set to zero; we shouldn't reject the report or the device just because
of that.
Instead, harden the s32ton() routine so that it returns a reasonable
result instead of crashing when it is called with the number of bits
set to 0 -- the same as what snto32() does.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-usb/68753a08.050a0220.33d347.0008.GAE@google.com/
Tested-by: syzbot+b63d677d63bcac06cf90@syzkaller.appspotmail.com
Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/613a66cd-4309-4bce-a4f7-2905f9bce0c9@rowland.harvard.edu
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
[ s32ton() was moved by c653ffc28340 ("HID: stop exporting hid_snto32()").
Minor context change fixed. ]
Signed-off-by: Wenshan Lan <jetlan9@163.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1349,7 +1349,12 @@ EXPORT_SYMBOL_GPL(hid_snto32);
static u32 s32ton(__s32 value, unsigned n)
{
- s32 a = value >> (n - 1);
+ s32 a;
+
+ if (!value || !n)
+ return 0;
+
+ a = value >> (n - 1);
if (a && a != -1)
return value < 0 ? 1 << (n - 1) : (1 << (n - 1)) - 1;
return value & ((1 << n) - 1);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 487/554] mm/mprotect: use long for page accountings and retval
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 486/554] HID: core: Harden s32ton() against conversion to 0 bits Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 488/554] KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning Greg Kroah-Hartman
` (72 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Xu, Mike Kravetz,
James Houghton, Andrea Arcangeli, Axel Rasmussen,
David Hildenbrand, Muchun Song, Nadav Amit, Andrew Morton,
Harry Yoo, David Hildenbrand (Red Hat)
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Xu <peterx@redhat.com>
commit a79390f5d6a78647fd70856bd42b22d994de0ba2 upstream.
Switch to use type "long" for page accountings and retval across the whole
procedure of change_protection().
The change should have shrinked the possible maximum page number to be
half comparing to previous (ULONG_MAX / 2), but it shouldn't overflow on
any system either because the maximum possible pages touched by change
protection should be ULONG_MAX / PAGE_SIZE.
Two reasons to switch from "unsigned long" to "long":
1. It suites better on count_vm_numa_events(), whose 2nd parameter takes
a long type.
2. It paves way for returning negative (error) values in the future.
Currently the only caller that consumes this retval is change_prot_numa(),
where the unsigned long was converted to an int. Since at it, touching up
the numa code to also take a long, so it'll avoid any possible overflow
too during the int-size convertion.
Link: https://lkml.kernel.org/r/20230104225207.1066932-3-peterx@redhat.com
Signed-off-by: Peter Xu <peterx@redhat.com>
Acked-by: Mike Kravetz <mike.kravetz@oracle.com>
Acked-by: James Houghton <jthoughton@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Axel Rasmussen <axelrasmussen@google.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ Adjust context ]
Signed-off-by: Harry Yoo <harry.yoo@oracle.com>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/hugetlb.h | 4 ++--
include/linux/mm.h | 2 +-
mm/hugetlb.c | 4 ++--
mm/mempolicy.c | 2 +-
mm/mprotect.c | 26 +++++++++++++-------------
5 files changed, 19 insertions(+), 19 deletions(-)
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -208,7 +208,7 @@ struct page *follow_huge_pgd(struct mm_s
int pmd_huge(pmd_t pmd);
int pud_huge(pud_t pud);
-unsigned long hugetlb_change_protection(struct vm_area_struct *vma,
+long hugetlb_change_protection(struct vm_area_struct *vma,
unsigned long address, unsigned long end, pgprot_t newprot);
bool is_hugetlb_entry_migration(pte_t pte);
@@ -379,7 +379,7 @@ static inline void move_hugetlb_state(st
{
}
-static inline unsigned long hugetlb_change_protection(
+static inline long hugetlb_change_protection(
struct vm_area_struct *vma, unsigned long address,
unsigned long end, pgprot_t newprot)
{
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1910,7 +1910,7 @@ extern unsigned long move_page_tables(st
#define MM_CP_UFFD_WP_ALL (MM_CP_UFFD_WP | \
MM_CP_UFFD_WP_RESOLVE)
-extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
+extern long change_protection(struct vm_area_struct *vma, unsigned long start,
unsigned long end, pgprot_t newprot,
unsigned long cp_flags);
extern int mprotect_fixup(struct vm_area_struct *vma,
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5644,7 +5644,7 @@ long follow_hugetlb_page(struct mm_struc
return i ? i : err;
}
-unsigned long hugetlb_change_protection(struct vm_area_struct *vma,
+long hugetlb_change_protection(struct vm_area_struct *vma,
unsigned long address, unsigned long end, pgprot_t newprot)
{
struct mm_struct *mm = vma->vm_mm;
@@ -5652,7 +5652,7 @@ unsigned long hugetlb_change_protection(
pte_t *ptep;
pte_t pte;
struct hstate *h = hstate_vma(vma);
- unsigned long pages = 0;
+ long pages = 0;
bool shared_pmd = false;
struct mmu_notifier_range range;
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -634,7 +634,7 @@ unlock:
unsigned long change_prot_numa(struct vm_area_struct *vma,
unsigned long addr, unsigned long end)
{
- int nr_updated;
+ long nr_updated;
nr_updated = change_protection(vma, addr, end, PAGE_NONE, MM_CP_PROT_NUMA);
if (nr_updated)
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -35,13 +35,13 @@
#include "internal.h"
-static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
+static long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
unsigned long addr, unsigned long end, pgprot_t newprot,
unsigned long cp_flags)
{
pte_t *pte, oldpte;
spinlock_t *ptl;
- unsigned long pages = 0;
+ long pages = 0;
int target_node = NUMA_NO_NODE;
bool dirty_accountable = cp_flags & MM_CP_DIRTY_ACCT;
bool prot_numa = cp_flags & MM_CP_PROT_NUMA;
@@ -219,13 +219,13 @@ static inline int pmd_none_or_clear_bad_
return 0;
}
-static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
+static inline long change_pmd_range(struct vm_area_struct *vma,
pud_t *pud, unsigned long addr, unsigned long end,
pgprot_t newprot, unsigned long cp_flags)
{
pmd_t *pmd;
unsigned long next;
- unsigned long pages = 0;
+ long pages = 0;
unsigned long nr_huge_updates = 0;
struct mmu_notifier_range range;
@@ -233,7 +233,7 @@ static inline unsigned long change_pmd_r
pmd = pmd_offset(pud, addr);
do {
- unsigned long this_pages;
+ long this_pages;
next = pmd_addr_end(addr, end);
@@ -291,13 +291,13 @@ next:
return pages;
}
-static inline unsigned long change_pud_range(struct vm_area_struct *vma,
+static inline long change_pud_range(struct vm_area_struct *vma,
p4d_t *p4d, unsigned long addr, unsigned long end,
pgprot_t newprot, unsigned long cp_flags)
{
pud_t *pud;
unsigned long next;
- unsigned long pages = 0;
+ long pages = 0;
pud = pud_offset(p4d, addr);
do {
@@ -311,13 +311,13 @@ static inline unsigned long change_pud_r
return pages;
}
-static inline unsigned long change_p4d_range(struct vm_area_struct *vma,
+static inline long change_p4d_range(struct vm_area_struct *vma,
pgd_t *pgd, unsigned long addr, unsigned long end,
pgprot_t newprot, unsigned long cp_flags)
{
p4d_t *p4d;
unsigned long next;
- unsigned long pages = 0;
+ long pages = 0;
p4d = p4d_offset(pgd, addr);
do {
@@ -331,7 +331,7 @@ static inline unsigned long change_p4d_r
return pages;
}
-static unsigned long change_protection_range(struct vm_area_struct *vma,
+static long change_protection_range(struct vm_area_struct *vma,
unsigned long addr, unsigned long end, pgprot_t newprot,
unsigned long cp_flags)
{
@@ -339,7 +339,7 @@ static unsigned long change_protection_r
pgd_t *pgd;
unsigned long next;
unsigned long start = addr;
- unsigned long pages = 0;
+ long pages = 0;
BUG_ON(addr >= end);
pgd = pgd_offset(mm, addr);
@@ -361,11 +361,11 @@ static unsigned long change_protection_r
return pages;
}
-unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
+long change_protection(struct vm_area_struct *vma, unsigned long start,
unsigned long end, pgprot_t newprot,
unsigned long cp_flags)
{
- unsigned long pages;
+ long pages;
BUG_ON((cp_flags & MM_CP_UFFD_WP_ALL) == MM_CP_UFFD_WP_ALL);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 488/554] KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 487/554] mm/mprotect: use long for page accountings and retval Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 489/554] ipv6: Fix potential uninit-value access in __ip6_make_skb() Greg Kroah-Hartman
` (71 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
linux-arm-kernel@lists.infradead.org, kvmarm@lists.cs.columbia.edu, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, stable@vger.kernel.org, Justin Stitt,
Nathan Chancellor, Justin Stitt
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Stitt <justinstitt@google.com>
A new warning in Clang 22 [1] complains that @clidr passed to
get_clidr_el1() is an uninitialized const pointer. get_clidr_el1()
doesn't really care since it casts away the const-ness anyways -- it is
a false positive.
| ../arch/arm64/kvm/sys_regs.c:2838:23: warning: variable 'clidr' is uninitialized when passed as a const pointer argument here [-Wuninitialized-const-pointer]
| 2838 | get_clidr_el1(NULL, &clidr); /* Ugly... */
| | ^~~~~
This patch isn't needed for anything past 6.1 as this code section was
reworked in Commit 7af0c2534f4c ("KVM: arm64: Normalize cache
configuration"). Since there is no upstream equivalent, this patch just
needs to be applied to 5.15.
Disable this warning for sys_regs.o with an iron fist as it doesn't make
sense to waste maintainer's time or potentially break builds by
backporting large changelists from 6.2+.
Cc: stable@vger.kernel.org
Fixes: 7c8c5e6a9101e ("arm64: KVM: system register handling")
Link: https://github.com/llvm/llvm-project/commit/00dacf8c22f065cb52efb14cd091d441f19b319e [1]
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Justin Stitt <justinstitt@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kvm/Makefile | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/arm64/kvm/Makefile
+++ b/arch/arm64/kvm/Makefile
@@ -25,3 +25,6 @@ kvm-y := $(KVM)/kvm_main.o $(KVM)/coales
vgic/vgic-its.o vgic/vgic-debug.o
kvm-$(CONFIG_HW_PERF_EVENTS) += pmu-emul.o
+
+# Work around a false positive Clang 22 -Wuninitialized-const-pointer warning
+CFLAGS_sys_regs.o := $(call cc-disable-warning, uninitialized-const-pointer)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 489/554] ipv6: Fix potential uninit-value access in __ip6_make_skb()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 488/554] KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 490/554] ipv4: Fix uninit-value access in __ip_make_skb() Greg Kroah-Hartman
` (70 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shigeru Yoshida, David S. Miller,
Shubham Kulkarni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shigeru Yoshida <syoshida@redhat.com>
commit 4e13d3a9c25b7080f8a619f961e943fe08c2672c upstream.
As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in
__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags
instead of testing HDRINCL on the socket to avoid a race condition which
causes uninit-value access.
Fixes: ea30388baebc ("ipv6: Fix an uninit variable access bug in __ip6_make_skb()")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ Referred stable v6.1.y version of the patch to generate this one
v6.1 link: https://github.com/gregkh/linux/commit/a05c1ede50e9656f0752e523c7b54f3a3489e9a8 ]
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_output.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1928,7 +1928,8 @@ struct sk_buff *__ip6_make_skb(struct so
struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
u8 icmp6_type;
- if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl)
+ if (sk->sk_socket->type == SOCK_RAW &&
+ !(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH))
icmp6_type = fl6->fl6_icmp_type;
else
icmp6_type = icmp6_hdr(skb)->icmp6_type;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 490/554] ipv4: Fix uninit-value access in __ip_make_skb()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 489/554] ipv6: Fix potential uninit-value access in __ip6_make_skb() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 491/554] selftests: net: test_vxlan_under_vrf: fix HV connectivity test Greg Kroah-Hartman
` (69 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzkaller, Shigeru Yoshida,
Paolo Abeni, Shubham Kulkarni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shigeru Yoshida <syoshida@redhat.com>
commit fc1092f51567277509563800a3c56732070b6aa4 upstream.
KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()
tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a
race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL
while __ip_make_skb() is running, the function will access icmphdr in the
skb even if it is not included. This causes the issue reported by KMSAN.
Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL
on the socket.
Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These
are union in struct flowi4 and are implicitly initialized by
flowi4_init_output(), but we should not rely on specific union layout.
Initialize these explicitly in raw_sendmsg().
[1]
BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
__ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
ip_finish_skb include/net/ip.h:243 [inline]
ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
__ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x274/0x3c0 net/socket.c:745
__sys_sendto+0x62c/0x7b0 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0x130/0x200 net/socket.c:2199
do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x6d/0x75
CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
Fixes: 99e5acae193e ("ipv4: Fix potential uninit variable access bug in __ip_make_skb()")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Link: https://lore.kernel.org/r/20240430123945.2057348-1-syoshida@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[ Referred stable v6.1.y version of the patch to generate this one
v6.1 link: https://github.com/gregkh/linux/commit/55bf541e018b76b3750cb6c6ea18c46e1ac5562e ]
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/ip_output.c | 3 ++-
net/ipv4/raw.c | 3 +++
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1562,7 +1562,8 @@ struct sk_buff *__ip_make_skb(struct soc
* so icmphdr does not in skb linear region and can not get icmp_type
* by icmp_hdr(skb)->type.
*/
- if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
+ if (sk->sk_type == SOCK_RAW &&
+ !(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH))
icmp_type = fl4->fl4_icmp_type;
else
icmp_type = icmp_hdr(skb)->type;
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -634,6 +634,9 @@ static int raw_sendmsg(struct sock *sk,
(hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
daddr, saddr, 0, 0, sk->sk_uid);
+ fl4.fl4_icmp_type = 0;
+ fl4.fl4_icmp_code = 0;
+
if (!hdrincl) {
rfv.msg = msg;
rfv.hlen = 0;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 491/554] selftests: net: test_vxlan_under_vrf: fix HV connectivity test
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 490/554] ipv4: Fix uninit-value access in __ip_make_skb() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 492/554] x86: remove __range_not_ok() Greg Kroah-Hartman
` (68 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrea Righi, David S. Miller,
Cao Jiaqiang
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrea Righi <andrea.righi@canonical.com>
[ Upstream commit e7e4785fa30f9b5d1b60ed2d8e221891325dfc5f ]
It looks like test_vxlan_under_vrf.sh is always failing to verify the
connectivity test during the ping between the two simulated VMs.
This is due to the fact that veth-hv in each VM should have a distinct
MAC address.
Fix by setting a unique MAC address on each simulated VM interface.
Without this fix:
$ sudo ./tools/testing/selftests/net/test_vxlan_under_vrf.sh
Checking HV connectivity [ OK ]
Check VM connectivity through VXLAN (underlay in the default VRF) [FAIL]
With this fix applied:
$ sudo ./tools/testing/selftests/net/test_vxlan_under_vrf.sh
Checking HV connectivity [ OK ]
Check VM connectivity through VXLAN (underlay in the default VRF) [ OK ]
Check VM connectivity through VXLAN (underlay in a VRF) [FAIL]
NOTE: the connectivity test with the underlay VRF is still failing; it
seems that ARP requests are blocked at the simulated hypervisor level,
probably due to some missing ARP forwarding rules. This requires more
investigation (in the meantime we may consider to set that test as
expected failure - XFAIL).
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Cao Jiaqiang <caojiaqiang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/test_vxlan_under_vrf.sh | 2 ++
1 file changed, 2 insertions(+)
--- a/tools/testing/selftests/net/test_vxlan_under_vrf.sh
+++ b/tools/testing/selftests/net/test_vxlan_under_vrf.sh
@@ -101,6 +101,8 @@ setup-vm() {
ip -netns hv-$id link set veth-tap master br0
ip -netns hv-$id link set veth-tap up
+ ip link set veth-hv address 02:1d:8d:dd:0c:6$id
+
ip link set veth-hv netns vm-$id
ip -netns vm-$id addr add 10.0.0.$id/24 dev veth-hv
ip -netns vm-$id link set veth-hv up
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 492/554] x86: remove __range_not_ok()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 491/554] selftests: net: test_vxlan_under_vrf: fix HV connectivity test Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 493/554] pwm: stm32: Always program polarity Greg Kroah-Hartman
` (67 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Viro, Christoph Hellwig,
Arnd Bergmann, Thadeu Lima de Souza Cascardo
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 36903abedfe8d419e90ce349b2b4ce6dc2883e17 upstream.
The __range_not_ok() helper is an x86 (and sparc64) specific interface
that does roughly the same thing as __access_ok(), but with different
calling conventions.
Change this to use the normal interface in order for consistency as we
clean up all access_ok() implementations.
This changes the limit from TASK_SIZE to TASK_SIZE_MAX, which Al points
out is the right thing do do here anyway.
The callers have to use __access_ok() instead of the normal access_ok()
though, because on x86 that contains a WARN_ON_IN_IRQ() check that cannot
be used inside of NMI context while tracing.
The check in copy_code() is not needed any more, because this one is
already done by copy_from_user_nmi().
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Suggested-by: Christoph Hellwig <hch@infradead.org>
Link: https://lore.kernel.org/lkml/YgsUKcXGR7r4nINj@zeniv-ca.linux.org.uk/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Stable-dep-of: d319f344561d ("mm: Fix copy_from_user_nofault().")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/events/core.c | 2 +-
arch/x86/include/asm/uaccess.h | 10 ++++++----
arch/x86/kernel/dumpstack.c | 6 ------
arch/x86/kernel/stacktrace.c | 2 +-
arch/x86/lib/usercopy.c | 2 +-
5 files changed, 9 insertions(+), 13 deletions(-)
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -2790,7 +2790,7 @@ perf_callchain_kernel(struct perf_callch
static inline int
valid_user_frame(const void __user *fp, unsigned long size)
{
- return (__range_not_ok(fp, size, TASK_SIZE) == 0);
+ return __access_ok(fp, size);
}
static unsigned long get_segment_base(unsigned int segment)
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -16,8 +16,10 @@
* Test whether a block of memory is a valid user space address.
* Returns 0 if the range is valid, nonzero otherwise.
*/
-static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, unsigned long limit)
+static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size)
{
+ unsigned long limit = TASK_SIZE_MAX;
+
/*
* If we have used "sizeof()" for the size,
* we know it won't overflow the limit (but
@@ -35,10 +37,10 @@ static inline bool __chk_range_not_ok(un
return unlikely(addr > limit);
}
-#define __range_not_ok(addr, size, limit) \
+#define __access_ok(addr, size) \
({ \
__chk_user_ptr(addr); \
- __chk_range_not_ok((unsigned long __force)(addr), size, limit); \
+ !__chk_range_not_ok((unsigned long __force)(addr), size); \
})
#ifdef CONFIG_DEBUG_ATOMIC_SLEEP
@@ -69,7 +71,7 @@ static inline bool pagefault_disabled(vo
#define access_ok(addr, size) \
({ \
WARN_ON_IN_IRQ(); \
- likely(!__range_not_ok(addr, size, TASK_SIZE_MAX)); \
+ likely(__access_ok(addr, size)); \
})
extern int __get_user_1(void);
--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -81,12 +81,6 @@ static int copy_code(struct pt_regs *reg
/* The user space code from other tasks cannot be accessed. */
if (regs != task_pt_regs(current))
return -EPERM;
- /*
- * Make sure userspace isn't trying to trick us into dumping kernel
- * memory by pointing the userspace instruction pointer at it.
- */
- if (__chk_range_not_ok(src, nbytes, TASK_SIZE_MAX))
- return -EINVAL;
/*
* Even if named copy_from_user_nmi() this can be invoked from
--- a/arch/x86/kernel/stacktrace.c
+++ b/arch/x86/kernel/stacktrace.c
@@ -90,7 +90,7 @@ copy_stack_frame(const struct stack_fram
{
int ret;
- if (__range_not_ok(fp, sizeof(*frame), TASK_SIZE))
+ if (!__access_ok(fp, sizeof(*frame)))
return 0;
ret = 1;
--- a/arch/x86/lib/usercopy.c
+++ b/arch/x86/lib/usercopy.c
@@ -32,7 +32,7 @@ copy_from_user_nmi(void *to, const void
{
unsigned long ret;
- if (__range_not_ok(from, n, TASK_SIZE))
+ if (!__access_ok(from, n))
return n;
if (!nmi_uaccess_okay())
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 493/554] pwm: stm32: Always program polarity
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 492/554] x86: remove __range_not_ok() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 494/554] ext4: filesystems without casefold feature cannot be mounted with siphash Greg Kroah-Hartman
` (66 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Nyekjaer,
Uwe Kleine-K�nig
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=UTF-8, Size: 1178 bytes --]
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Nyekjaer <sean@geanix.com>
Commit 7346e7a058a2 ("pwm: stm32: Always do lazy disabling") triggered a
regression where PWM polarity changes could be ignored.
stm32_pwm_set_polarity() was skipped due to a mismatch between the
cached pwm->state.polarity and the actual hardware state, leaving the
hardware polarity unchanged.
Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm")
Cc: stable@vger.kernel.org # <= 6.12
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Co-developed-by: Uwe Kleine-König <ukleinek@kernel.org>
Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
---
drivers/pwm/pwm-stm32.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/pwm/pwm-stm32.c
+++ b/drivers/pwm/pwm-stm32.c
@@ -458,8 +458,7 @@ static int stm32_pwm_apply(struct pwm_ch
return 0;
}
- if (state->polarity != pwm->state.polarity)
- stm32_pwm_set_polarity(priv, pwm->hwpwm, state->polarity);
+ stm32_pwm_set_polarity(priv, pwm->hwpwm, state->polarity);
ret = stm32_pwm_config(priv, pwm->hwpwm,
state->duty_cycle, state->period);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 494/554] ext4: filesystems without casefold feature cannot be mounted with siphash
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 493/554] pwm: stm32: Always program polarity Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 495/554] ext4: factor out ext4_hash_info_init() Greg Kroah-Hartman
` (65 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+340581ba9dceb7e06fb3,
Lizhi Xu, Theodore Tso, Thadeu Lima de Souza Cascardo
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
commit 985b67cd86392310d9e9326de941c22fc9340eec upstream.
When mounting the ext4 filesystem, if the default hash version is set to
DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.
Reported-by: syzbot+340581ba9dceb7e06fb3@syzkaller.appspotmail.com
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Link: https://patch.msgid.link/20240605012335.44086-1-lizhi.xu@windriver.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[cascardo: small conflict fixup]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3191,6 +3191,14 @@ int ext4_feature_set_ok(struct super_blo
}
#endif
+ if (EXT4_SB(sb)->s_es->s_def_hash_version == DX_HASH_SIPHASH &&
+ !ext4_has_feature_casefold(sb)) {
+ ext4_msg(sb, KERN_ERR,
+ "Filesystem without casefold feature cannot be "
+ "mounted with siphash");
+ return 0;
+ }
+
if (readonly)
return 1;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 495/554] ext4: factor out ext4_hash_info_init()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 494/554] ext4: filesystems without casefold feature cannot be mounted with siphash Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 496/554] ext4: fix error message when rejecting the default hash Greg Kroah-Hartman
` (64 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Yan, Theodore Tso,
Thadeu Lima de Souza Cascardo
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Yan <yanaijie@huawei.com>
commit db9345d9e6f075e1ec26afadf744078ead935fec upstream.
Factor out ext4_hash_info_init() to simplify __ext4_fill_super(). No
functional change.
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Link: https://lore.kernel.org/r/20230323140517.1070239-2-yanaijie@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a2187431c395 ("ext4: fix error message when rejecting the default hash")
[cascardo: conflicts due to other parts of ext4_fill_super having been factored out]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 50 ++++++++++++++++++++++++++++++--------------------
1 file changed, 30 insertions(+), 20 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3897,6 +3897,35 @@ static void ext4_setup_csum_trigger(stru
sbi->s_journal_triggers[type].tr_triggers.t_frozen = trigger;
}
+static void ext4_hash_info_init(struct super_block *sb)
+{
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct ext4_super_block *es = sbi->s_es;
+ unsigned int i;
+
+ for (i = 0; i < 4; i++)
+ sbi->s_hash_seed[i] = le32_to_cpu(es->s_hash_seed[i]);
+
+ sbi->s_def_hash_version = es->s_def_hash_version;
+ if (ext4_has_feature_dir_index(sb)) {
+ i = le32_to_cpu(es->s_flags);
+ if (i & EXT2_FLAGS_UNSIGNED_HASH)
+ sbi->s_hash_unsigned = 3;
+ else if ((i & EXT2_FLAGS_SIGNED_HASH) == 0) {
+#ifdef __CHAR_UNSIGNED__
+ if (!sb_rdonly(sb))
+ es->s_flags |=
+ cpu_to_le32(EXT2_FLAGS_UNSIGNED_HASH);
+ sbi->s_hash_unsigned = 3;
+#else
+ if (!sb_rdonly(sb))
+ es->s_flags |=
+ cpu_to_le32(EXT2_FLAGS_SIGNED_HASH);
+#endif
+ }
+ }
+}
+
static int ext4_fill_super(struct super_block *sb, void *data, int silent)
{
struct dax_device *dax_dev = fs_dax_get_by_bdev(sb->s_bdev);
@@ -4415,26 +4444,7 @@ static int ext4_fill_super(struct super_
sbi->s_addr_per_block_bits = ilog2(EXT4_ADDR_PER_BLOCK(sb));
sbi->s_desc_per_block_bits = ilog2(EXT4_DESC_PER_BLOCK(sb));
- for (i = 0; i < 4; i++)
- sbi->s_hash_seed[i] = le32_to_cpu(es->s_hash_seed[i]);
- sbi->s_def_hash_version = es->s_def_hash_version;
- if (ext4_has_feature_dir_index(sb)) {
- i = le32_to_cpu(es->s_flags);
- if (i & EXT2_FLAGS_UNSIGNED_HASH)
- sbi->s_hash_unsigned = 3;
- else if ((i & EXT2_FLAGS_SIGNED_HASH) == 0) {
-#ifdef __CHAR_UNSIGNED__
- if (!sb_rdonly(sb))
- es->s_flags |=
- cpu_to_le32(EXT2_FLAGS_UNSIGNED_HASH);
- sbi->s_hash_unsigned = 3;
-#else
- if (!sb_rdonly(sb))
- es->s_flags |=
- cpu_to_le32(EXT2_FLAGS_SIGNED_HASH);
-#endif
- }
- }
+ ext4_hash_info_init(sb);
/* Handle clustersize */
clustersize = BLOCK_SIZE << le32_to_cpu(es->s_log_cluster_size);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 496/554] ext4: fix error message when rejecting the default hash
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 495/554] ext4: factor out ext4_hash_info_init() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 497/554] firmware: arm_scmi: Fix unused notifier-block in unregister Greg Kroah-Hartman
` (63 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gabriel Krisman Bertazi,
Theodore Tso, Thadeu Lima de Souza Cascardo
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabriel Krisman Bertazi <krisman@suse.de>
commit a2187431c395cdfbf144e3536f25468c64fc7cfa upstream.
Commit 985b67cd8639 ("ext4: filesystems without casefold feature cannot
be mounted with siphash") properly rejects volumes where
s_def_hash_version is set to DX_HASH_SIPHASH, but the check and the
error message should not look into casefold setup - a filesystem should
never have DX_HASH_SIPHASH as the default hash. Fix it and, since we
are there, move the check to ext4_hash_info_init.
Fixes:985b67cd8639 ("ext4: filesystems without casefold feature cannot
be mounted with siphash")
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
Link: https://patch.msgid.link/87jzg1en6j.fsf_-_@mailhost.krisman.be
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[cascardo: conflicts due to other parts of ext4_fill_super having been factored out]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ext4.h | 1 +
fs/ext4/super.c | 28 +++++++++++++++++-----------
2 files changed, 18 insertions(+), 11 deletions(-)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2443,6 +2443,7 @@ static inline __le16 ext4_rec_len_to_dis
#define DX_HASH_HALF_MD4_UNSIGNED 4
#define DX_HASH_TEA_UNSIGNED 5
#define DX_HASH_SIPHASH 6
+#define DX_HASH_LAST DX_HASH_SIPHASH
static inline u32 ext4_chksum(struct ext4_sb_info *sbi, u32 crc,
const void *address, unsigned int length)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3191,14 +3191,6 @@ int ext4_feature_set_ok(struct super_blo
}
#endif
- if (EXT4_SB(sb)->s_es->s_def_hash_version == DX_HASH_SIPHASH &&
- !ext4_has_feature_casefold(sb)) {
- ext4_msg(sb, KERN_ERR,
- "Filesystem without casefold feature cannot be "
- "mounted with siphash");
- return 0;
- }
-
if (readonly)
return 1;
@@ -3897,16 +3889,27 @@ static void ext4_setup_csum_trigger(stru
sbi->s_journal_triggers[type].tr_triggers.t_frozen = trigger;
}
-static void ext4_hash_info_init(struct super_block *sb)
+static int ext4_hash_info_init(struct super_block *sb)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
struct ext4_super_block *es = sbi->s_es;
unsigned int i;
+ sbi->s_def_hash_version = es->s_def_hash_version;
+
+ if (sbi->s_def_hash_version > DX_HASH_LAST) {
+ ext4_msg(sb, KERN_ERR,
+ "Invalid default hash set in the superblock");
+ return -EINVAL;
+ } else if (sbi->s_def_hash_version == DX_HASH_SIPHASH) {
+ ext4_msg(sb, KERN_ERR,
+ "SIPHASH is not a valid default hash value");
+ return -EINVAL;
+ }
+
for (i = 0; i < 4; i++)
sbi->s_hash_seed[i] = le32_to_cpu(es->s_hash_seed[i]);
- sbi->s_def_hash_version = es->s_def_hash_version;
if (ext4_has_feature_dir_index(sb)) {
i = le32_to_cpu(es->s_flags);
if (i & EXT2_FLAGS_UNSIGNED_HASH)
@@ -3924,6 +3927,7 @@ static void ext4_hash_info_init(struct s
#endif
}
}
+ return 0;
}
static int ext4_fill_super(struct super_block *sb, void *data, int silent)
@@ -4444,7 +4448,9 @@ static int ext4_fill_super(struct super_
sbi->s_addr_per_block_bits = ilog2(EXT4_ADDR_PER_BLOCK(sb));
sbi->s_desc_per_block_bits = ilog2(EXT4_DESC_PER_BLOCK(sb));
- ext4_hash_info_init(sb);
+ err = ext4_hash_info_init(sb);
+ if (err)
+ goto failed_mount;
/* Handle clustersize */
clustersize = BLOCK_SIZE << le32_to_cpu(es->s_log_cluster_size);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 497/554] firmware: arm_scmi: Fix unused notifier-block in unregister
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 496/554] ext4: fix error message when rejecting the default hash Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 498/554] Revert "iommu/amd: Skip enabling command/event buffers for kdump" Greg Kroah-Hartman
` (62 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Cristian Marussi,
Amitai Gottlieb, Sudeep Holla
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amitai Gottlieb <amitaig@hailo.ai>
In scmi_devm_notifier_unregister(), the notifier-block argument was ignored
and never passed to devres_release(). As a result, the function always
returned -ENOENT and failed to unregister the notifier.
Drivers that depend on this helper for teardown could therefore hit
unexpected failures, including kernel panics.
Commit 264a2c520628 ("firmware: arm_scmi: Simplify scmi_devm_notifier_unregister")
removed the faulty code path during refactoring and hence this fix is not
required upstream.
Cc: <stable@vger.kernel.org> # 5.15.x, 6.1.x, and 6.6.x
Fixes: 5ad3d1cf7d34 ("firmware: arm_scmi: Introduce new devres notification ops")
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Amitai Gottlieb <amitaig@hailo.ai>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/arm_scmi/notify.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/firmware/arm_scmi/notify.c
+++ b/drivers/firmware/arm_scmi/notify.c
@@ -1539,6 +1539,7 @@ static int scmi_devm_notifier_unregister
dres.handle = sdev->handle;
dres.proto_id = proto_id;
dres.evt_id = evt_id;
+ dres.nb = nb;
if (src_id) {
dres.__src_id = *src_id;
dres.src_id = &dres.__src_id;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 498/554] Revert "iommu/amd: Skip enabling command/event buffers for kdump"
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (496 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 497/554] firmware: arm_scmi: Fix unused notifier-block in unregister Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 499/554] net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() Greg Kroah-Hartman
` (61 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ashish Kalra, Vasant Hegde,
Sairaj Kodilkar, Joerg Roedel, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit bb8f9de71c9bd442ec5e1d52ce830428860892f0 which is
commit 9be15fbfc6c5c89c22cf6e209f66ea43ee0e58bb upstream.
This causes problems in older kernel trees as SNP host kdump is not
supported in them, so drop it from the stable branches.
Reported-by: Ashish Kalra <ashish.kalra@amd.com>
Link: https://lore.kernel.org/r/dacdff7f-0606-4ed5-b056-2de564404d51@amd.com
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Sairaj Kodilkar <sarunkod@amd.com>
Cc: Joerg Roedel <joerg.roedel@amd.com>
Cc: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd/init.c | 28 +++++++++-------------------
1 file changed, 9 insertions(+), 19 deletions(-)
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -696,16 +696,11 @@ static void iommu_enable_command_buffer(
BUG_ON(iommu->cmd_buf == NULL);
- if (!is_kdump_kernel()) {
- /*
- * Command buffer is re-used for kdump kernel and setting
- * of MMIO register is not required.
- */
- entry = iommu_virt_to_phys(iommu->cmd_buf);
- entry |= MMIO_CMD_SIZE_512;
- memcpy_toio(iommu->mmio_base + MMIO_CMD_BUF_OFFSET,
- &entry, sizeof(entry));
- }
+ entry = iommu_virt_to_phys(iommu->cmd_buf);
+ entry |= MMIO_CMD_SIZE_512;
+
+ memcpy_toio(iommu->mmio_base + MMIO_CMD_BUF_OFFSET,
+ &entry, sizeof(entry));
amd_iommu_reset_cmd_buffer(iommu);
}
@@ -754,15 +749,10 @@ static void iommu_enable_event_buffer(st
BUG_ON(iommu->evt_buf == NULL);
- if (!is_kdump_kernel()) {
- /*
- * Event buffer is re-used for kdump kernel and setting
- * of MMIO register is not required.
- */
- entry = iommu_virt_to_phys(iommu->evt_buf) | EVT_LEN_MASK;
- memcpy_toio(iommu->mmio_base + MMIO_EVT_BUF_OFFSET,
- &entry, sizeof(entry));
- }
+ entry = iommu_virt_to_phys(iommu->evt_buf) | EVT_LEN_MASK;
+
+ memcpy_toio(iommu->mmio_base + MMIO_EVT_BUF_OFFSET,
+ &entry, sizeof(entry));
/* set head and tail to zero manually */
writel(0x00, iommu->mmio_base + MMIO_EVT_HEAD_OFFSET);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 499/554] net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (497 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 498/554] Revert "iommu/amd: Skip enabling command/event buffers for kdump" Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 500/554] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Greg Kroah-Hartman
` (60 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Su Hui, Przemek Kitszel,
Hariprasad Kelam, Paolo Abeni
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Su Hui <suhui@nfschina.com>
commit 0dcc53abf58d572d34c5313de85f607cd33fc691 upstream.
Clang static checker (scan-build) warning:
net/ethtool/ioctl.c:line 2233, column 2
Called function pointer is null (null dereference).
Return '-EOPNOTSUPP' when 'ops->get_ethtool_phy_stats' is NULL to fix
this typo error.
Fixes: 201ed315f967 ("net/ethtool/ioctl: split ethtool_get_phy_stats into multiple helpers")
Signed-off-by: Su Hui <suhui@nfschina.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
Link: https://lore.kernel.org/r/20240605034742.921751-1-suhui@nfschina.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ethtool/ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -2111,7 +2111,7 @@ static int ethtool_get_phy_stats_ethtool
const struct ethtool_ops *ops = dev->ethtool_ops;
int n_stats, ret;
- if (!ops || !ops->get_sset_count || ops->get_ethtool_phy_stats)
+ if (!ops || !ops->get_sset_count || !ops->get_ethtool_phy_stats)
return -EOPNOTSUPP;
n_stats = ops->get_sset_count(dev, ETH_SS_PHY_STATS);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 500/554] usb: gadget: lpc32xx_udc: fix clock imbalance in error path
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (498 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 499/554] net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 501/554] atm: Fix dma_free_coherent() size Greg Kroah-Hartman
` (59 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Johan Hovold,
Vladimir Zapolskiy
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 782be79e4551550d7a82b1957fc0f7347e6d461f upstream.
A recent change fixing a device reference leak introduced a clock
imbalance by reusing an error path so that the clock may be disabled
before having been enabled.
Note that the clock framework allows for passing in NULL clocks so there
is no risk for a NULL pointer dereference.
Also drop the bogus I2C client NULL check added by the offending commit
as the pointer has already been verified to be non-NULL.
Fixes: c84117912bdd ("USB: lpc32xx_udc: Fix error handling in probe")
Cc: stable@vger.kernel.org
Cc: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251218153519.19453-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/udc/lpc32xx_udc.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -3025,7 +3025,7 @@ static int lpc32xx_udc_probe(struct plat
pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
if (retval)
- goto i2c_fail;
+ goto err_put_client;
udc->board = &lpc32xx_usbddata;
@@ -3045,7 +3045,7 @@ static int lpc32xx_udc_probe(struct plat
udc->udp_irq[i] = platform_get_irq(pdev, i);
if (udc->udp_irq[i] < 0) {
retval = udc->udp_irq[i];
- goto i2c_fail;
+ goto err_put_client;
}
}
@@ -3053,7 +3053,7 @@ static int lpc32xx_udc_probe(struct plat
if (IS_ERR(udc->udp_baseaddr)) {
dev_err(udc->dev, "IO map failure\n");
retval = PTR_ERR(udc->udp_baseaddr);
- goto i2c_fail;
+ goto err_put_client;
}
/* Get USB device clock */
@@ -3061,14 +3061,14 @@ static int lpc32xx_udc_probe(struct plat
if (IS_ERR(udc->usb_slv_clk)) {
dev_err(udc->dev, "failed to acquire USB device clock\n");
retval = PTR_ERR(udc->usb_slv_clk);
- goto i2c_fail;
+ goto err_put_client;
}
/* Enable USB device clock */
retval = clk_prepare_enable(udc->usb_slv_clk);
if (retval < 0) {
dev_err(udc->dev, "failed to start USB device clock\n");
- goto i2c_fail;
+ goto err_put_client;
}
/* Setup deferred workqueue data */
@@ -3170,9 +3170,10 @@ dma_alloc_fail:
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
i2c_fail:
- if (udc->isp1301_i2c_client)
- put_device(&udc->isp1301_i2c_client->dev);
clk_disable_unprepare(udc->usb_slv_clk);
+err_put_client:
+ put_device(&udc->isp1301_i2c_client->dev);
+
dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
return retval;
@@ -3197,11 +3198,9 @@ static int lpc32xx_udc_remove(struct pla
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
- if (udc->isp1301_i2c_client)
- put_device(&udc->isp1301_i2c_client->dev);
-
clk_disable_unprepare(udc->usb_slv_clk);
+ put_device(&udc->isp1301_i2c_client->dev);
return 0;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 501/554] atm: Fix dma_free_coherent() size
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (499 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 500/554] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 502/554] net: 3com: 3c59x: fix possible null dereference in vortex_probe1() Greg Kroah-Hartman
` (58 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit 4d984b0574ff708e66152763fbfdef24ea40933f upstream.
The size of the buffer is not the same when alloc'd with
dma_alloc_coherent() in he_init_tpdrq() and freed.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20260107090141.80900-2-fourier.thomas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/atm/he.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/atm/he.c
+++ b/drivers/atm/he.c
@@ -1590,7 +1590,8 @@ he_stop(struct he_dev *he_dev)
he_dev->tbrq_base, he_dev->tbrq_phys);
if (he_dev->tpdrq_base)
- dma_free_coherent(&he_dev->pci_dev->dev, CONFIG_TBRQ_SIZE * sizeof(struct he_tbrq),
+ dma_free_coherent(&he_dev->pci_dev->dev,
+ CONFIG_TPDRQ_SIZE * sizeof(struct he_tpdrq),
he_dev->tpdrq_base, he_dev->tpdrq_phys);
dma_pool_destroy(he_dev->tpd_pool);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 502/554] net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (500 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 501/554] atm: Fix dma_free_coherent() size Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 503/554] mei: me: add nova lake point S DID Greg Kroah-Hartman
` (57 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Fourier, Jakub Kicinski
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Fourier <fourier.thomas@gmail.com>
commit a4e305ed60f7c41bbf9aabc16dd75267194e0de3 upstream.
pdev can be null and free_ring: can be called in 1297 with a null
pdev.
Fixes: 55c82617c3e8 ("3c59x: convert to generic DMA API")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Link: https://patch.msgid.link/20260106094731.25819-2-fourier.thomas@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/3com/3c59x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/3com/3c59x.c
+++ b/drivers/net/ethernet/3com/3c59x.c
@@ -1471,7 +1471,7 @@ static int vortex_probe1(struct device *
return 0;
free_ring:
- dma_free_coherent(&pdev->dev,
+ dma_free_coherent(gendev,
sizeof(struct boom_rx_desc) * RX_RING_SIZE +
sizeof(struct boom_tx_desc) * TX_RING_SIZE,
vp->rx_ring, vp->rx_ring_dma);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 503/554] mei: me: add nova lake point S DID
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (501 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 502/554] net: 3com: 3c59x: fix possible null dereference in vortex_probe1() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 504/554] lib/crypto: aes: Fix missing MMU protection for AES S-box Greg Kroah-Hartman
` (56 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Tomas Winkler,
Alexander Usyskin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Usyskin <alexander.usyskin@intel.com>
commit 420f423defcf6d0af2263d38da870ca4a20c0990 upstream.
Add Nova Lake S device id.
Cc: stable <stable@kernel.org>
Co-developed-by: Tomas Winkler <tomasw@gmail.com>
Signed-off-by: Tomas Winkler <tomasw@gmail.com>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Link: https://patch.msgid.link/20251215105915.1672659-1-alexander.usyskin@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/mei/hw-me-regs.h | 2 ++
drivers/misc/mei/pci-me.c | 2 ++
2 files changed, 4 insertions(+)
--- a/drivers/misc/mei/hw-me-regs.h
+++ b/drivers/misc/mei/hw-me-regs.h
@@ -122,6 +122,8 @@
#define MEI_DEV_ID_WCL_P 0x4D70 /* Wildcat Lake P */
+#define MEI_DEV_ID_NVL_S 0x6E68 /* Nova Lake Point S */
+
/*
* MEI HW Section
*/
--- a/drivers/misc/mei/pci-me.c
+++ b/drivers/misc/mei/pci-me.c
@@ -128,6 +128,8 @@ static const struct pci_device_id mei_me
{MEI_PCI_DEVICE(MEI_DEV_ID_WCL_P, MEI_ME_PCH15_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_NVL_S, MEI_ME_PCH15_CFG)},
+
/* required last entry */
{0, }
};
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 504/554] lib/crypto: aes: Fix missing MMU protection for AES S-box
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (502 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 503/554] mei: me: add nova lake point S DID Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 505/554] drm/pl111: Fix error handling in pl111_amba_probe Greg Kroah-Hartman
` (55 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingfang Deng, Ard Biesheuvel,
Eric Biggers
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@kernel.org>
commit 74d74bb78aeccc9edc10db216d6be121cf7ec176 upstream.
__cacheline_aligned puts the data in the ".data..cacheline_aligned"
section, which isn't marked read-only i.e. it doesn't receive MMU
protection. Replace it with ____cacheline_aligned which does the right
thing and just aligns the data while keeping it in ".rodata".
Fixes: b5e0b032b6c3 ("crypto: aes - add generic time invariant AES cipher")
Cc: stable@vger.kernel.org
Reported-by: Qingfang Deng <dqfext@gmail.com>
Closes: https://lore.kernel.org/r/20260105074712.498-1-dqfext@gmail.com/
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260107052023.174620-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/crypto/aes.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/lib/crypto/aes.c
+++ b/lib/crypto/aes.c
@@ -12,7 +12,7 @@
* Emit the sbox as volatile const to prevent the compiler from doing
* constant folding on sbox references involving fixed indexes.
*/
-static volatile const u8 __cacheline_aligned aes_sbox[] = {
+static volatile const u8 ____cacheline_aligned aes_sbox[] = {
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
@@ -47,7 +47,7 @@ static volatile const u8 __cacheline_ali
0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
};
-static volatile const u8 __cacheline_aligned aes_inv_sbox[] = {
+static volatile const u8 ____cacheline_aligned aes_inv_sbox[] = {
0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 505/554] drm/pl111: Fix error handling in pl111_amba_probe
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (503 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 504/554] lib/crypto: aes: Fix missing MMU protection for AES S-box Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 506/554] wifi: avoid kernel-infoleak from struct iw_point Greg Kroah-Hartman
` (54 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin,
Javier Martinez Canillas, Linus Walleij
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 0ddd3bb4b14c9102c0267b3fd916c81fe5ab89c1 upstream.
Jump to the existing dev_put label when devm_request_irq() fails
so drm_dev_put() and of_reserved_mem_device_release() run
instead of returning early and leaking resources.
Found via static analysis and code review.
Fixes: bed41005e617 ("drm/pl111: Initial drm/kms driver for pl111")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Link: https://patch.msgid.link/20251211123345.2392065-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/pl111/pl111_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/pl111/pl111_drv.c
+++ b/drivers/gpu/drm/pl111/pl111_drv.c
@@ -297,7 +297,7 @@ static int pl111_amba_probe(struct amba_
variant->name, priv);
if (ret != 0) {
dev_err(dev, "%s failed irq %d\n", __func__, ret);
- return ret;
+ goto dev_put;
}
ret = pl111_modeset_init(drm);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 506/554] wifi: avoid kernel-infoleak from struct iw_point
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 505/554] drm/pl111: Fix error handling in pl111_amba_probe Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 507/554] libceph: prevent potential out-of-bounds reads in handle_auth_done() Greg Kroah-Hartman
` (53 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bfc7323743ca6dbcc3d3,
Eric Dumazet, Johannes Berg
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 21cbf883d073abbfe09e3924466aa5e0449e7261 upstream.
struct iw_point has a 32bit hole on 64bit arches.
struct iw_point {
void __user *pointer; /* Pointer to the data (in user space) */
__u16 length; /* number of fields or size in bytes */
__u16 flags; /* Optional params */
};
Make sure to zero the structure to avoid disclosing 32bits of kernel data
to user space.
Fixes: 87de87d5e47f ("wext: Dispatch and handle compat ioctls entirely in net/wireless/wext.c")
Reported-by: syzbot+bfc7323743ca6dbcc3d3@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/695f83f3.050a0220.1c677c.0392.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260108101927.857582-1-edumazet@google.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/wext-core.c | 4 ++++
net/wireless/wext-priv.c | 4 ++++
2 files changed, 8 insertions(+)
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -1084,6 +1084,10 @@ static int compat_standard_call(struct n
return ioctl_standard_call(dev, iwr, cmd, info, handler);
iwp_compat = (struct compat_iw_point *) &iwr->u.data;
+
+ /* struct iw_point has a 32bit hole on 64bit arches. */
+ memset(&iwp, 0, sizeof(iwp));
+
iwp.pointer = compat_ptr(iwp_compat->pointer);
iwp.length = iwp_compat->length;
iwp.flags = iwp_compat->flags;
--- a/net/wireless/wext-priv.c
+++ b/net/wireless/wext-priv.c
@@ -228,6 +228,10 @@ int compat_private_call(struct net_devic
struct iw_point iwp;
iwp_compat = (struct compat_iw_point *) &iwr->u.data;
+
+ /* struct iw_point has a 32bit hole on 64bit arches. */
+ memset(&iwp, 0, sizeof(iwp));
+
iwp.pointer = compat_ptr(iwp_compat->pointer);
iwp.length = iwp_compat->length;
iwp.flags = iwp_compat->flags;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 507/554] libceph: prevent potential out-of-bounds reads in handle_auth_done()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 506/554] wifi: avoid kernel-infoleak from struct iw_point Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 508/554] libceph: replace overzealous BUG_ON in osdmap_apply_incremental() Greg Kroah-Hartman
` (52 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ziming zhang, Ilya Dryomov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: ziming zhang <ezrakiez@gmail.com>
commit 818156caffbf55cb4d368f9c3cac64e458fb49c9 upstream.
Perform an explicit bounds check on payload_len to avoid a possible
out-of-bounds access in the callout.
[ idryomov: changelog ]
Cc: stable@vger.kernel.org
Signed-off-by: ziming zhang <ezrakiez@gmail.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/messenger_v2.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ceph/messenger_v2.c
+++ b/net/ceph/messenger_v2.c
@@ -2068,7 +2068,9 @@ static int process_auth_done(struct ceph
ceph_decode_64_safe(&p, end, global_id, bad);
ceph_decode_32_safe(&p, end, con->v2.con_mode, bad);
+
ceph_decode_32_safe(&p, end, payload_len, bad);
+ ceph_decode_need(&p, end, payload_len, bad);
dout("%s con %p global_id %llu con_mode %d payload_len %d\n",
__func__, con, global_id, con->v2.con_mode, payload_len);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 508/554] libceph: replace overzealous BUG_ON in osdmap_apply_incremental()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (506 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 507/554] libceph: prevent potential out-of-bounds reads in handle_auth_done() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 509/554] libceph: make free_choose_arg_map() resilient to partial allocation Greg Kroah-Hartman
` (51 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ziming zhang, Ilya Dryomov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit e00c3f71b5cf75681dbd74ee3f982a99cb690c2b upstream.
If the osdmap is (maliciously) corrupted such that the incremental
osdmap epoch is different from what is expected, there is no need to
BUG. Instead, just declare the incremental osdmap to be invalid.
Cc: stable@vger.kernel.org
Reported-by: ziming zhang <ezrakiez@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1959,11 +1959,13 @@ struct ceph_osdmap *osdmap_apply_increme
sizeof(u64) + sizeof(u32), e_inval);
ceph_decode_copy(p, &fsid, sizeof(fsid));
epoch = ceph_decode_32(p);
- BUG_ON(epoch != map->epoch+1);
ceph_decode_copy(p, &modified, sizeof(modified));
new_pool_max = ceph_decode_64(p);
new_flags = ceph_decode_32(p);
+ if (epoch != map->epoch + 1)
+ goto e_inval;
+
/* full map? */
ceph_decode_32_safe(p, end, len, e_inval);
if (len > 0) {
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 509/554] libceph: make free_choose_arg_map() resilient to partial allocation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 508/554] libceph: replace overzealous BUG_ON in osdmap_apply_incremental() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 510/554] libceph: return the handler error from mon_handle_auth_done() Greg Kroah-Hartman
` (50 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tuo Li, Viacheslav Dubeyko,
Ilya Dryomov
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tuo Li <islituo@gmail.com>
commit e3fe30e57649c551757a02e1cad073c47e1e075e upstream.
free_choose_arg_map() may dereference a NULL pointer if its caller fails
after a partial allocation.
For example, in decode_choose_args(), if allocation of arg_map->args
fails, execution jumps to the fail label and free_choose_arg_map() is
called. Since arg_map->size is updated to a non-zero value before memory
allocation, free_choose_arg_map() will iterate over arg_map->args and
dereference a NULL pointer.
To prevent this potential NULL pointer dereference and make
free_choose_arg_map() more resilient, add checks for pointers before
iterating.
Cc: stable@vger.kernel.org
Co-authored-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osdmap.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -225,22 +225,26 @@ static struct crush_choose_arg_map *allo
static void free_choose_arg_map(struct crush_choose_arg_map *arg_map)
{
- if (arg_map) {
- int i, j;
+ int i, j;
- WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
+ if (!arg_map)
+ return;
+ WARN_ON(!RB_EMPTY_NODE(&arg_map->node));
+
+ if (arg_map->args) {
for (i = 0; i < arg_map->size; i++) {
struct crush_choose_arg *arg = &arg_map->args[i];
-
- for (j = 0; j < arg->weight_set_size; j++)
- kfree(arg->weight_set[j].weights);
- kfree(arg->weight_set);
+ if (arg->weight_set) {
+ for (j = 0; j < arg->weight_set_size; j++)
+ kfree(arg->weight_set[j].weights);
+ kfree(arg->weight_set);
+ }
kfree(arg->ids);
}
kfree(arg_map->args);
- kfree(arg_map);
}
+ kfree(arg_map);
}
DEFINE_RB_FUNCS(choose_arg_map, struct crush_choose_arg_map, choose_args_index,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 510/554] libceph: return the handler error from mon_handle_auth_done()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (508 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 509/554] libceph: make free_choose_arg_map() resilient to partial allocation Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 511/554] libceph: make calc_target() set t->paused, not just clear it Greg Kroah-Hartman
` (49 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ilya Dryomov, Viacheslav Dubeyko
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit e84b48d31b5008932c0a0902982809fbaa1d3b70 upstream.
Currently any error from ceph_auth_handle_reply_done() is propagated
via finish_auth() but isn't returned from mon_handle_auth_done(). This
results in higher layers learning that (despite the monitor considering
us to be successfully authenticated) something went wrong in the
authentication phase and reacting accordingly, but msgr2 still trying
to proceed with establishing the session in the background. In the
case of secure mode this can trigger a WARN in setup_crypto() and later
lead to a NULL pointer dereference inside of prepare_auth_signature().
Cc: stable@vger.kernel.org
Fixes: cd1a677cad99 ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/mon_client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -1418,7 +1418,7 @@ static int mon_handle_auth_done(struct c
if (!ret)
finish_hunting(monc);
mutex_unlock(&monc->mutex);
- return 0;
+ return ret;
}
static int mon_handle_auth_bad_method(struct ceph_connection *con,
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 511/554] libceph: make calc_target() set t->paused, not just clear it
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (509 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 510/554] libceph: return the handler error from mon_handle_auth_done() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 512/554] ext4: introduce ITAIL helper Greg Kroah-Hartman
` (48 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raphael Zimmer, Ilya Dryomov,
Viacheslav Dubeyko
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 upstream.
Currently calc_target() clears t->paused if the request shouldn't be
paused anymore, but doesn't ever set t->paused even though it's able to
determine when the request should be paused. Setting t->paused is left
to __submit_request() which is fine for regular requests but doesn't
work for linger requests -- since __submit_request() doesn't operate
on linger requests, there is nowhere for lreq->t.paused to be set.
One consequence of this is that watches don't get reestablished on
paused -> unpaused transitions in cases where requests have been paused
long enough for the (paused) unwatch request to time out and for the
subsequent (re)watch request to enter the paused state. On top of the
watch not getting reestablished, rbd_reregister_watch() gets stuck with
rbd_dev->watch_mutex held:
rbd_register_watch
__rbd_register_watch
ceph_osdc_watch
linger_reg_commit_wait
It's waiting for lreq->reg_commit_wait to be completed, but for that to
happen the respective request needs to end up on need_resend_linger list
and be kicked when requests are unpaused. There is no chance for that
if the request in question is never marked paused in the first place.
The fact that rbd_dev->watch_mutex remains taken out forever then
prevents the image from getting unmapped -- "rbd unmap" would inevitably
hang in D state on an attempt to grab the mutex.
Cc: stable@vger.kernel.org
Reported-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Viacheslav Dubeyko <Slava.Dubeyko@ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ceph/osd_client.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1529,6 +1529,7 @@ static enum calc_target_result calc_targ
struct ceph_pg_pool_info *pi;
struct ceph_pg pgid, last_pgid;
struct ceph_osds up, acting;
+ bool should_be_paused;
bool is_read = t->flags & CEPH_OSD_FLAG_READ;
bool is_write = t->flags & CEPH_OSD_FLAG_WRITE;
bool force_resend = false;
@@ -1597,10 +1598,16 @@ static enum calc_target_result calc_targ
&last_pgid))
force_resend = true;
- if (t->paused && !target_should_be_paused(osdc, t, pi)) {
- t->paused = false;
+ should_be_paused = target_should_be_paused(osdc, t, pi);
+ if (t->paused && !should_be_paused) {
unpaused = true;
}
+ if (t->paused != should_be_paused) {
+ dout("%s t %p paused %d -> %d\n", __func__, t, t->paused,
+ should_be_paused);
+ t->paused = should_be_paused;
+ }
+
legacy_change = ceph_pg_compare(&t->pgid, &pgid) ||
ceph_osds_changed(&t->acting, &acting,
t->used_replica || any_change);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 512/554] ext4: introduce ITAIL helper
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (510 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 511/554] libceph: make calc_target() set t->paused, not just clear it Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 513/554] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
` (47 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso,
David Nyström
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 69f3a3039b0d0003de008659cafd5a1eaaa0a7a4 ]
Introduce ITAIL helper to get the bound of xattr in inode.
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250208063141.1539283-2-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 10 +++++-----
fs/ext4/xattr.h | 3 +++
2 files changed, 8 insertions(+), 5 deletions(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -599,7 +599,7 @@ ext4_xattr_ibody_get(struct inode *inode
return error;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ end = ITAIL(inode, raw_inode);
error = xattr_check_inode(inode, header, end);
if (error)
goto cleanup;
@@ -744,7 +744,7 @@ ext4_xattr_ibody_list(struct dentry *den
return error;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ end = ITAIL(inode, raw_inode);
error = xattr_check_inode(inode, header, end);
if (error)
goto cleanup;
@@ -830,7 +830,7 @@ int ext4_get_inode_usage(struct inode *i
goto out;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ end = ITAIL(inode, raw_inode);
ret = xattr_check_inode(inode, header, end);
if (ret)
goto out;
@@ -2228,7 +2228,7 @@ int ext4_xattr_ibody_find(struct inode *
header = IHDR(inode, raw_inode);
is->s.base = is->s.first = IFIRST(header);
is->s.here = is->s.first;
- is->s.end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ is->s.end = ITAIL(inode, raw_inode);
if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
error = xattr_check_inode(inode, header, is->s.end);
if (error)
@@ -2753,7 +2753,7 @@ retry:
*/
base = IFIRST(header);
- end = (void *)raw_inode + EXT4_SB(inode->i_sb)->s_inode_size;
+ end = ITAIL(inode, raw_inode);
min_offs = end - base;
total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
--- a/fs/ext4/xattr.h
+++ b/fs/ext4/xattr.h
@@ -68,6 +68,9 @@ struct ext4_xattr_entry {
((void *)raw_inode + \
EXT4_GOOD_OLD_INODE_SIZE + \
EXT4_I(inode)->i_extra_isize))
+#define ITAIL(inode, raw_inode) \
+ ((void *)(raw_inode) + \
+ EXT4_SB((inode)->i_sb)->s_inode_size)
#define IFIRST(hdr) ((struct ext4_xattr_entry *)((hdr)+1))
/*
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 513/554] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (511 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 512/554] ext4: introduce ITAIL helper Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 514/554] net: Add locking to protect skb->dev access in ip_output Greg Kroah-Hartman
` (46 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso,
David Nyström
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 5701875f9609b000d91351eaa6bfd97fe2f157f4 ]
There's issue as follows:
BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172
CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0xbe/0xfd lib/dump_stack.c:123
print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
evict+0x39f/0x880 fs/inode.c:622
iput_final fs/inode.c:1746 [inline]
iput fs/inode.c:1772 [inline]
iput+0x525/0x6c0 fs/inode.c:1758
ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
mount_bdev+0x355/0x410 fs/super.c:1446
legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
do_new_mount fs/namespace.c:2983 [inline]
path_mount+0x119a/0x1ad0 fs/namespace.c:3316
do_mount+0xfc/0x110 fs/namespace.c:3329
__do_sys_mount fs/namespace.c:3540 [inline]
__se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Memory state around the buggy address:
ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Above issue happens as ext4_xattr_delete_inode() isn't check xattr
is valid if xattr is in inode.
To solve above issue call xattr_check_inode() check if xattr if valid
in inode. In fact, we can directly verify in ext4_iget_extra_inode(),
so that there is no divergent verification.
Fixes: e50e5129f384 ("ext4: xattr-in-inode support")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250208063141.1539283-3-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: David Nyström <david.nystrom@est.tech>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 5 +++++
fs/ext4/xattr.c | 26 +-------------------------
fs/ext4/xattr.h | 7 +++++++
3 files changed, 13 insertions(+), 25 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4562,6 +4562,11 @@ static inline int ext4_iget_extra_inode(
*magic == cpu_to_le32(EXT4_XATTR_MAGIC)) {
int err;
+ err = xattr_check_inode(inode, IHDR(inode, raw_inode),
+ ITAIL(inode, raw_inode));
+ if (err)
+ return err;
+
ext4_set_inode_state(inode, EXT4_STATE_XATTR);
err = ext4_find_inline_data_nolock(inode);
if (!err && ext4_has_inline_data(inode))
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -263,7 +263,7 @@ errout:
__ext4_xattr_check_block((inode), (bh), __func__, __LINE__)
-static int
+int
__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
void *end, const char *function, unsigned int line)
{
@@ -280,9 +280,6 @@ errout:
return error;
}
-#define xattr_check_inode(inode, header, end) \
- __xattr_check_inode((inode), (header), (end), __func__, __LINE__)
-
static int
xattr_find_entry(struct inode *inode, struct ext4_xattr_entry **pentry,
void *end, int name_index, const char *name, int sorted)
@@ -600,9 +597,6 @@ ext4_xattr_ibody_get(struct inode *inode
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
end = ITAIL(inode, raw_inode);
- error = xattr_check_inode(inode, header, end);
- if (error)
- goto cleanup;
entry = IFIRST(header);
error = xattr_find_entry(inode, &entry, end, name_index, name, 0);
if (error)
@@ -734,7 +728,6 @@ ext4_xattr_ibody_list(struct dentry *den
struct ext4_xattr_ibody_header *header;
struct ext4_inode *raw_inode;
struct ext4_iloc iloc;
- void *end;
int error;
if (!ext4_test_inode_state(inode, EXT4_STATE_XATTR))
@@ -744,14 +737,9 @@ ext4_xattr_ibody_list(struct dentry *den
return error;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = ITAIL(inode, raw_inode);
- error = xattr_check_inode(inode, header, end);
- if (error)
- goto cleanup;
error = ext4_xattr_list_entries(dentry, IFIRST(header),
buffer, buffer_size);
-cleanup:
brelse(iloc.bh);
return error;
}
@@ -819,7 +807,6 @@ int ext4_get_inode_usage(struct inode *i
struct ext4_xattr_ibody_header *header;
struct ext4_xattr_entry *entry;
qsize_t ea_inode_refs = 0;
- void *end;
int ret;
lockdep_assert_held_read(&EXT4_I(inode)->xattr_sem);
@@ -830,10 +817,6 @@ int ext4_get_inode_usage(struct inode *i
goto out;
raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode);
- end = ITAIL(inode, raw_inode);
- ret = xattr_check_inode(inode, header, end);
- if (ret)
- goto out;
for (entry = IFIRST(header); !IS_LAST_ENTRY(entry);
entry = EXT4_XATTR_NEXT(entry))
@@ -2230,9 +2213,6 @@ int ext4_xattr_ibody_find(struct inode *
is->s.here = is->s.first;
is->s.end = ITAIL(inode, raw_inode);
if (ext4_test_inode_state(inode, EXT4_STATE_XATTR)) {
- error = xattr_check_inode(inode, header, is->s.end);
- if (error)
- return error;
/* Find the named attribute. */
error = xattr_find_entry(inode, &is->s.here, is->s.end,
i->name_index, i->name, 0);
@@ -2757,10 +2737,6 @@ retry:
min_offs = end - base;
total_ino = sizeof(struct ext4_xattr_ibody_header) + sizeof(u32);
- error = xattr_check_inode(inode, header, end);
- if (error)
- goto cleanup;
-
ifree = ext4_xattr_free_space(base, &min_offs, base, &total_ino);
if (ifree >= isize_diff)
goto shift;
--- a/fs/ext4/xattr.h
+++ b/fs/ext4/xattr.h
@@ -210,6 +210,13 @@ extern int ext4_xattr_ibody_set(handle_t
extern struct mb_cache *ext4_xattr_create_cache(void);
extern void ext4_xattr_destroy_cache(struct mb_cache *);
+extern int
+__xattr_check_inode(struct inode *inode, struct ext4_xattr_ibody_header *header,
+ void *end, const char *function, unsigned int line);
+
+#define xattr_check_inode(inode, header, end) \
+ __xattr_check_inode((inode), (header), (end), __func__, __LINE__)
+
#ifdef CONFIG_EXT4_FS_SECURITY
extern int ext4_init_security(handle_t *handle, struct inode *inode,
struct inode *dir, const struct qstr *qstr);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 514/554] net: Add locking to protect skb->dev access in ip_output
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (512 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 513/554] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 515/554] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock() Greg Kroah-Hartman
` (45 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sharath Chandra Vurukala,
Eric Dumazet, Jakub Kicinski, Keerthana K
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
[ Upstream commit 1dbf1d590d10a6d1978e8184f8dfe20af22d680a]
In ip_output() skb->dev is updated from the skb_dst(skb)->dev
this can become invalid when the interface is unregistered and freed,
Introduced new skb_dst_dev_rcu() function to be used instead of
skb_dst_dev() within rcu_locks in ip_output.This will ensure that
all the skb's associated with the dev being deregistered will
be transnmitted out first, before freeing the dev.
Given that ip_output() is called within an rcu_read_lock()
critical section or from a bottom-half context, it is safe to introduce
an RCU read-side critical section within it.
Multiple panic call stacks were observed when UL traffic was run
in concurrency with device deregistration from different functions,
pasting one sample for reference.
[496733.627565][T13385] Call trace:
[496733.627570][T13385] bpf_prog_ce7c9180c3b128ea_cgroupskb_egres+0x24c/0x7f0
[496733.627581][T13385] __cgroup_bpf_run_filter_skb+0x128/0x498
[496733.627595][T13385] ip_finish_output+0xa4/0xf4
[496733.627605][T13385] ip_output+0x100/0x1a0
[496733.627613][T13385] ip_send_skb+0x68/0x100
[496733.627618][T13385] udp_send_skb+0x1c4/0x384
[496733.627625][T13385] udp_sendmsg+0x7b0/0x898
[496733.627631][T13385] inet_sendmsg+0x5c/0x7c
[496733.627639][T13385] __sys_sendto+0x174/0x1e4
[496733.627647][T13385] __arm64_sys_sendto+0x28/0x3c
[496733.627653][T13385] invoke_syscall+0x58/0x11c
[496733.627662][T13385] el0_svc_common+0x88/0xf4
[496733.627669][T13385] do_el0_svc+0x2c/0xb0
[496733.627676][T13385] el0_svc+0x2c/0xa4
[496733.627683][T13385] el0t_64_sync_handler+0x68/0xb4
[496733.627689][T13385] el0t_64_sync+0x1a4/0x1a8
Changes in v3:
- Replaced WARN_ON() with WARN_ON_ONCE(), as suggested by Willem de Bruijn.
- Dropped legacy lines mistakenly pulled in from an outdated branch.
Changes in v2:
- Addressed review comments from Eric Dumazet
- Used READ_ONCE() to prevent potential load/store tearing
- Added skb_dst_dev_rcu() and used along with rcu_read_lock() in ip_output
Signed-off-by: Sharath Chandra Vurukala <quic_sharathv@quicinc.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20250730105118.GA26100@hu-sharathv-hyd.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Keerthana: Backported the patch to v5.15-v6.1 ]
Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/dst.h | 12 ++++++++++++
net/ipv4/ip_output.c | 16 +++++++++++-----
2 files changed, 23 insertions(+), 5 deletions(-)
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -554,6 +554,18 @@ static inline void skb_dst_update_pmtu_n
dst->ops->update_pmtu(dst, NULL, skb, mtu, false);
}
+static inline struct net_device *dst_dev_rcu(const struct dst_entry *dst)
+{
+ /* In the future, use rcu_dereference(dst->dev) */
+ WARN_ON_ONCE(!rcu_read_lock_held());
+ return READ_ONCE(dst->dev);
+}
+
+static inline struct net_device *skb_dst_dev_rcu(const struct sk_buff *skb)
+{
+ return dst_dev_rcu(skb_dst(skb));
+}
+
struct dst_entry *dst_blackhole_check(struct dst_entry *dst, u32 cookie);
void dst_blackhole_update_pmtu(struct dst_entry *dst, struct sock *sk,
struct sk_buff *skb, u32 mtu, bool confirm_neigh);
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -420,17 +420,23 @@ int ip_mc_output(struct net *net, struct
int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb)
{
- struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;
+ struct net_device *dev, *indev = skb->dev;
+ int ret_val;
+
+ rcu_read_lock();
+ dev = skb_dst_dev_rcu(skb);
IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len);
skb->dev = dev;
skb->protocol = htons(ETH_P_IP);
- return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
- net, sk, skb, indev, dev,
- ip_finish_output,
- !(IPCB(skb)->flags & IPSKB_REROUTED));
+ ret_val = NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,
+ net, sk, skb, indev, dev,
+ ip_finish_output,
+ !(IPCB(skb)->flags & IPSKB_REROUTED));
+ rcu_read_unlock();
+ return ret_val;
}
EXPORT_SYMBOL(ip_output);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 515/554] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock().
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (513 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 514/554] net: Add locking to protect skb->dev access in ip_output Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 516/554] csky: fix csky_cmpxchg_fixup not working Greg Kroah-Hartman
` (44 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Eric Dumazet,
Sabrina Dubroca, Jakub Kicinski, Sasha Levin, Keerthana K
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit c65f27b9c3be2269918e1cbad6d8884741f835c5 ]
get_netdev_for_sock() is called during setsockopt(),
so not under RCU.
Using sk_dst_get(sk)->dev could trigger UAF.
Let's use __sk_dst_get() and dst_dev_rcu().
Note that the only ->ndo_sk_get_lower_dev() user is
bond_sk_get_lower_dev(), which uses RCU.
Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure")
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://patch.msgid.link/20250916214758.650211-6-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Keerthana: Backport to v5.15-v6.1 ]
Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tls/tls_device.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -110,17 +110,19 @@ static void tls_device_queue_ctx_destruc
/* We assume that the socket is already connected */
static struct net_device *get_netdev_for_sock(struct sock *sk)
{
- struct dst_entry *dst = sk_dst_get(sk);
- struct net_device *netdev = NULL;
+ struct net_device *dev, *lowest_dev = NULL;
+ struct dst_entry *dst;
- if (likely(dst)) {
- netdev = netdev_sk_get_lowest_dev(dst->dev, sk);
- dev_hold(netdev);
+ rcu_read_lock();
+ dst = __sk_dst_get(sk);
+ dev = dst ? dst_dev_rcu(dst) : NULL;
+ if (likely(dev)) {
+ lowest_dev = netdev_sk_get_lowest_dev(dev, sk);
+ dev_hold(lowest_dev);
}
+ rcu_read_unlock();
- dst_release(dst);
-
- return netdev;
+ return lowest_dev;
}
static void destroy_record(struct tls_record_info *record)
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 516/554] csky: fix csky_cmpxchg_fixup not working
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (514 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 515/554] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 517/554] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels Greg Kroah-Hartman
` (43 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Li, Guo Ren, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Li <yang.li85200@gmail.com>
[ Upstream commit 809ef03d6d21d5fea016bbf6babeec462e37e68c ]
In the csky_cmpxchg_fixup function, it is incorrect to use the global
variable csky_cmpxchg_stw to determine the address where the exception
occurred.The global variable csky_cmpxchg_stw stores the opcode at the
time of the exception, while &csky_cmpxchg_stw shows the address where
the exception occurred.
Signed-off-by: Yang Li <yang.li85200@gmail.com>
Signed-off-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/csky/mm/fault.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/csky/mm/fault.c b/arch/csky/mm/fault.c
index 7215a46b6b8eb..98699fdeeeb54 100644
--- a/arch/csky/mm/fault.c
+++ b/arch/csky/mm/fault.c
@@ -45,8 +45,8 @@ static inline void csky_cmpxchg_fixup(struct pt_regs *regs)
if (trap_no(regs) != VEC_TLBMODIFIED)
return;
- if (instruction_pointer(regs) == csky_cmpxchg_stw)
- instruction_pointer_set(regs, csky_cmpxchg_ldw);
+ if (instruction_pointer(regs) == (unsigned long)&csky_cmpxchg_stw)
+ instruction_pointer_set(regs, (unsigned long)&csky_cmpxchg_ldw);
return;
}
#endif
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 517/554] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (515 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 516/554] csky: fix csky_cmpxchg_fixup not working Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 518/554] alpha: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
` (42 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, Arnd Bergmann,
Sebastian Andrzej Siewior, Russell King (Oracle), Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit fedadc4137234c3d00c4785eeed3e747fe9036ae ]
gup_pgd_range() is invoked with disabled interrupts and invokes
__kmap_local_page_prot() via pte_offset_map(), gup_p4d_range().
With HIGHPTE enabled, __kmap_local_page_prot() invokes kmap_high_get()
which uses a spinlock_t via lock_kmap_any(). This leads to an
sleeping-while-atomic error on PREEMPT_RT because spinlock_t becomes a
sleeping lock and must not be acquired in atomic context.
The loop in map_new_virtual() uses wait_queue_head_t for wake up which
also is using a spinlock_t.
Since HIGHPTE is rarely needed at all, turn it off for PREEMPT_RT
to allow the use of get_user_pages_fast().
[arnd: rework patch to turn off HIGHPTE instead of HAVE_PAST_GUP]
Co-developed-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index f2fbb170d813c..74357ce8967b4 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -1473,7 +1473,7 @@ config HIGHMEM
config HIGHPTE
bool "Allocate 2nd-level pagetables from highmem" if EXPERT
- depends on HIGHMEM
+ depends on HIGHMEM && !PREEMPT_RT
default y
help
The VM uses one page of physical memory for each page table.
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 518/554] alpha: dont reference obsolete termio struct for TC* constants
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (516 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 517/554] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 519/554] NFSv4: ensure the open stateid seqid doesnt go backwards Greg Kroah-Hartman
` (41 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sam James, Magnus Lindholm,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sam James <sam@gentoo.org>
[ Upstream commit 9aeed9041929812a10a6d693af050846942a1d16 ]
Similar in nature to ab107276607af90b13a5994997e19b7b9731e251. glibc-2.42
drops the legacy termio struct, but the ioctls.h header still defines some
TC* constants in terms of termio (via sizeof). Hardcode the values instead.
This fixes building Python for example, which falls over like:
./Modules/termios.c:1119:16: error: invalid application of 'sizeof' to incomplete type 'struct termio'
Link: https://bugs.gentoo.org/961769
Link: https://bugs.gentoo.org/962600
Signed-off-by: Sam James <sam@gentoo.org>
Reviewed-by: Magnus Lindholm <linmag7@gmail.com>
Link: https://lore.kernel.org/r/6ebd3451908785cad53b50ca6bc46cfe9d6bc03c.1764922497.git.sam@gentoo.org
Signed-off-by: Magnus Lindholm <linmag7@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/alpha/include/uapi/asm/ioctls.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/alpha/include/uapi/asm/ioctls.h b/arch/alpha/include/uapi/asm/ioctls.h
index 971311605288f..a09d04b49cc65 100644
--- a/arch/alpha/include/uapi/asm/ioctls.h
+++ b/arch/alpha/include/uapi/asm/ioctls.h
@@ -23,10 +23,10 @@
#define TCSETSW _IOW('t', 21, struct termios)
#define TCSETSF _IOW('t', 22, struct termios)
-#define TCGETA _IOR('t', 23, struct termio)
-#define TCSETA _IOW('t', 24, struct termio)
-#define TCSETAW _IOW('t', 25, struct termio)
-#define TCSETAF _IOW('t', 28, struct termio)
+#define TCGETA 0x40127417
+#define TCSETA 0x80127418
+#define TCSETAW 0x80127419
+#define TCSETAF 0x8012741c
#define TCSBRK _IO('t', 29)
#define TCXONC _IO('t', 30)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 519/554] NFSv4: ensure the open stateid seqid doesnt go backwards
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (517 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 518/554] alpha: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 520/554] NFS: Fix up the automount fs_context to use the correct cred Greg Kroah-Hartman
` (40 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Mayhew, Benjamin Coddington,
Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
[ Upstream commit 2e47c3cc64b44b0b06cd68c2801db92ff143f2b2 ]
We have observed an NFSv4 client receiving a LOCK reply with a status of
NFS4ERR_OLD_STATEID and subsequently retrying the LOCK request with an
earlier seqid value in the stateid. As this was for a new lockowner,
that would imply that nfs_set_open_stateid_locked() had updated the open
stateid seqid with an earlier value.
Looking at nfs_set_open_stateid_locked(), if the incoming seqid is out
of sequence, the task will sleep on the state->waitq for up to 5
seconds. If the task waits for the full 5 seconds, then after finishing
the wait it'll update the open stateid seqid with whatever value the
incoming seqid has. If there are multiple waiters in this scenario,
then the last one to perform said update may not be the one with the
highest seqid.
Add a check to ensure that the seqid can only be incremented, and add a
tracepoint to indicate when old seqids are skipped.
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Benjamin Coddington <bcodding@hammerspace.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4proc.c | 13 +++++++++++--
fs/nfs/nfs4trace.h | 1 +
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 883e4106fbcd9..cd97312860ce6 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -1709,8 +1709,17 @@ static void nfs_set_open_stateid_locked(struct nfs4_state *state,
if (nfs_stateid_is_sequential(state, stateid))
break;
- if (status)
- break;
+ if (status) {
+ if (nfs4_stateid_match_other(stateid, &state->open_stateid) &&
+ !nfs4_stateid_is_newer(stateid, &state->open_stateid)) {
+ trace_nfs4_open_stateid_update_skip(state->inode,
+ stateid, status);
+ return;
+ } else {
+ break;
+ }
+ }
+
/* Rely on seqids for serialisation with NFSv4.0 */
if (!nfs4_has_session(NFS_SERVER(state->inode)->nfs_client))
break;
diff --git a/fs/nfs/nfs4trace.h b/fs/nfs/nfs4trace.h
index 8565fa654f59a..d3d5842781da2 100644
--- a/fs/nfs/nfs4trace.h
+++ b/fs/nfs/nfs4trace.h
@@ -1205,6 +1205,7 @@ DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_setattr);
DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_delegreturn);
DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_open_stateid_update);
DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_open_stateid_update_wait);
+DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_open_stateid_update_skip);
DEFINE_NFS4_INODE_STATEID_EVENT(nfs4_close_stateid_update_wait);
DECLARE_EVENT_CLASS(nfs4_getattr_event,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 520/554] NFS: Fix up the automount fs_context to use the correct cred
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (518 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 519/554] NFSv4: ensure the open stateid seqid doesnt go backwards Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 521/554] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset Greg Kroah-Hartman
` (39 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit a2a8fc27dd668e7562b5326b5ed2f1604cb1e2e9 ]
When automounting, the fs_context should be fixed up to use the cred
from the parent filesystem, since the operation is just extending the
namespace. Authorisation to enter that namespace will already have been
provided by the preceding lookup.
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/namespace.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index 8fb570fd376a1..6367f067dd7be 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -170,6 +170,11 @@ struct vfsmount *nfs_d_automount(struct path *path)
if (!ctx->clone_data.fattr)
goto out_fc;
+ if (fc->cred != server->cred) {
+ put_cred(fc->cred);
+ fc->cred = get_cred(server->cred);
+ }
+
if (fc->net_ns != client->cl_net) {
put_net(fc->net_ns);
fc->net_ns = get_net(client->cl_net);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 521/554] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (519 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 520/554] NFS: Fix up the automount fs_context to use the correct cred Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 522/554] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" Greg Kroah-Hartman
` (38 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyle Mahlkuch, Wen Xiong,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wen Xiong <wenxiong@linux.ibm.com>
[ Upstream commit 6ac3484fb13b2fc7f31cfc7f56093e7d0ce646a5 ]
A dynamic remove/add storage adapter test hits EEH on PowerPC:
EEH: [c00000000004f75c] __eeh_send_failure_event+0x7c/0x160
EEH: [c000000000048444] eeh_dev_check_failure.part.0+0x254/0x650
EEH: [c008000001650678] eeh_readl+0x60/0x90 [ipr]
EEH: [c00800000166746c] ipr_cancel_op+0x2b8/0x524 [ipr]
EEH: [c008000001656524] ipr_eh_abort+0x6c/0x130 [ipr]
EEH: [c000000000ab0d20] scmd_eh_abort_handler+0x140/0x440
EEH: [c00000000017e558] process_one_work+0x298/0x590
EEH: [c00000000017eef8] worker_thread+0xa8/0x620
EEH: [c00000000018be34] kthread+0x124/0x130
EEH: [c00000000000cd64] ret_from_kernel_thread+0x5c/0x64
A PCIe bus trace reveals that a vector of MSI-X is cleared to 0 by
irqbalance daemon. If we disable irqbalance daemon, we won't see the
issue.
With debug enabled in ipr driver:
[ 44.103071] ipr: Entering __ipr_remove
[ 44.103083] ipr: Entering ipr_initiate_ioa_bringdown
[ 44.103091] ipr: Entering ipr_reset_shutdown_ioa
[ 44.103099] ipr: Leaving ipr_reset_shutdown_ioa
[ 44.103105] ipr: Leaving ipr_initiate_ioa_bringdown
[ 44.149918] ipr: Entering ipr_reset_ucode_download
[ 44.149935] ipr: Entering ipr_reset_alert
[ 44.150032] ipr: Entering ipr_reset_start_timer
[ 44.150038] ipr: Leaving ipr_reset_alert
[ 44.244343] scsi 1:2:3:0: alua: Detached
[ 44.254300] ipr: Entering ipr_reset_start_bist
[ 44.254320] ipr: Entering ipr_reset_start_timer
[ 44.254325] ipr: Leaving ipr_reset_start_bist
[ 44.364329] scsi 1:2:4:0: alua: Detached
[ 45.134341] scsi 1:2:5:0: alua: Detached
[ 45.860949] ipr: Entering ipr_reset_shutdown_ioa
[ 45.860962] ipr: Leaving ipr_reset_shutdown_ioa
[ 45.860966] ipr: Entering ipr_reset_alert
[ 45.861028] ipr: Entering ipr_reset_start_timer
[ 45.861035] ipr: Leaving ipr_reset_alert
[ 45.964302] ipr: Entering ipr_reset_start_bist
[ 45.964309] ipr: Entering ipr_reset_start_timer
[ 45.964313] ipr: Leaving ipr_reset_start_bist
[ 46.264301] ipr: Entering ipr_reset_bist_done
[ 46.264309] ipr: Leaving ipr_reset_bist_done
During adapter reset, ipr device driver blocks config space access but
can't block MMIO access for MSI-X entries. There is very small window:
irqbalance daemon kicks in during adapter reset before ipr driver calls
pci_restore_state(pdev) to restore MSI-X table.
irqbalance daemon reads back all 0 for that MSI-X vector in
__pci_read_msi_msg().
irqbalance daemon:
msi_domain_set_affinity()
->irq_chip_set_affinity_patent()
->xive_irq_set_affinity()
->irq_chip_compose_msi_msg()
->pseries_msi_compose_msg()
->__pci_read_msi_msg(): read all 0 since didn't call pci_restore_state
->irq_chip_write_msi_msg()
-> pci_write_msg_msi(): write 0 to the msix vector entry
When ipr driver calls pci_restore_state(pdev) in
ipr_reset_restore_cfg_space(), the MSI-X vector entry has been cleared
by irqbalance daemon in pci_write_msg_msix().
pci_restore_state()
->__pci_restore_msix_state()
Below is the MSI-X table for ipr adapter after irqbalance daemon kicked
in during adapter reset:
Dump MSIx table: index=0 address_lo=c800 address_hi=10000000 msg_data=0
Dump MSIx table: index=1 address_lo=c810 address_hi=10000000 msg_data=0
Dump MSIx table: index=2 address_lo=c820 address_hi=10000000 msg_data=0
Dump MSIx table: index=3 address_lo=c830 address_hi=10000000 msg_data=0
Dump MSIx table: index=4 address_lo=c840 address_hi=10000000 msg_data=0
Dump MSIx table: index=5 address_lo=c850 address_hi=10000000 msg_data=0
Dump MSIx table: index=6 address_lo=c860 address_hi=10000000 msg_data=0
Dump MSIx table: index=7 address_lo=c870 address_hi=10000000 msg_data=0
Dump MSIx table: index=8 address_lo=0 address_hi=0 msg_data=0
---------> Hit EEH since msix vector of index=8 are 0
Dump MSIx table: index=9 address_lo=c890 address_hi=10000000 msg_data=0
Dump MSIx table: index=10 address_lo=c8a0 address_hi=10000000 msg_data=0
Dump MSIx table: index=11 address_lo=c8b0 address_hi=10000000 msg_data=0
Dump MSIx table: index=12 address_lo=c8c0 address_hi=10000000 msg_data=0
Dump MSIx table: index=13 address_lo=c8d0 address_hi=10000000 msg_data=0
Dump MSIx table: index=14 address_lo=c8e0 address_hi=10000000 msg_data=0
Dump MSIx table: index=15 address_lo=c8f0 address_hi=10000000 msg_data=0
[ 46.264312] ipr: Entering ipr_reset_restore_cfg_space
[ 46.267439] ipr: Entering ipr_fail_all_ops
[ 46.267447] ipr: Leaving ipr_fail_all_ops
[ 46.267451] ipr: Leaving ipr_reset_restore_cfg_space
[ 46.267454] ipr: Entering ipr_ioa_bringdown_done
[ 46.267458] ipr: Leaving ipr_ioa_bringdown_done
[ 46.267467] ipr: Entering ipr_worker_thread
[ 46.267470] ipr: Leaving ipr_worker_thread
IRQ balancing is not required during adapter reset.
Enable "IRQ_NO_BALANCING" flag before starting adapter reset and disable
it after calling pci_restore_state(). The irqbalance daemon is disabled
for this short period of time (~2s).
Co-developed-by: Kyle Mahlkuch <Kyle.Mahlkuch@ibm.com>
Signed-off-by: Kyle Mahlkuch <Kyle.Mahlkuch@ibm.com>
Signed-off-by: Wen Xiong <wenxiong@linux.ibm.com>
Link: https://patch.msgid.link/20251028142427.3969819-2-wenxiong@linux.ibm.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ipr.c | 28 +++++++++++++++++++++++++++-
1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index e5e38431c5c73..acb5025b196de 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -62,8 +62,8 @@
#include <linux/hdreg.h>
#include <linux/reboot.h>
#include <linux/stringify.h>
+#include <linux/irq.h>
#include <asm/io.h>
-#include <asm/irq.h>
#include <asm/processor.h>
#include <scsi/scsi.h>
#include <scsi/scsi_host.h>
@@ -8665,6 +8665,30 @@ static int ipr_dump_mailbox_wait(struct ipr_cmnd *ipr_cmd)
return IPR_RC_JOB_RETURN;
}
+/**
+ * ipr_set_affinity_nobalance
+ * @ioa_cfg: ipr_ioa_cfg struct for an ipr device
+ * @flag: bool
+ * true: ensable "IRQ_NO_BALANCING" bit for msix interrupt
+ * false: disable "IRQ_NO_BALANCING" bit for msix interrupt
+ * Description: This function will be called to disable/enable
+ * "IRQ_NO_BALANCING" to avoid irqbalance daemon
+ * kicking in during adapter reset.
+ **/
+static void ipr_set_affinity_nobalance(struct ipr_ioa_cfg *ioa_cfg, bool flag)
+{
+ int irq, i;
+
+ for (i = 0; i < ioa_cfg->nvectors; i++) {
+ irq = pci_irq_vector(ioa_cfg->pdev, i);
+
+ if (flag)
+ irq_set_status_flags(irq, IRQ_NO_BALANCING);
+ else
+ irq_clear_status_flags(irq, IRQ_NO_BALANCING);
+ }
+}
+
/**
* ipr_reset_restore_cfg_space - Restore PCI config space.
* @ipr_cmd: ipr command struct
@@ -8689,6 +8713,7 @@ static int ipr_reset_restore_cfg_space(struct ipr_cmnd *ipr_cmd)
return IPR_RC_JOB_CONTINUE;
}
+ ipr_set_affinity_nobalance(ioa_cfg, false);
ipr_fail_all_ops(ioa_cfg);
if (ioa_cfg->sis64) {
@@ -8768,6 +8793,7 @@ static int ipr_reset_start_bist(struct ipr_cmnd *ipr_cmd)
rc = pci_write_config_byte(ioa_cfg->pdev, PCI_BIST, PCI_BIST_START);
if (rc == PCIBIOS_SUCCESSFUL) {
+ ipr_set_affinity_nobalance(ioa_cfg, true);
ipr_cmd->job_step = ipr_reset_bist_done;
ipr_reset_start_timer(ipr_cmd, IPR_WAIT_FOR_BIST_TIMEOUT);
rc = IPR_RC_JOB_RETURN;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 522/554] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed"
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (520 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 521/554] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 523/554] arm64: dts: add off-on-delay-us for usdhc2 regulator Greg Kroah-Hartman
` (37 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xingui Yang, Jason Yan, John Garry,
Martin K. Petersen, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingui Yang <yangxingui@huawei.com>
[ Upstream commit 278712d20bc8ec29d1ad6ef9bdae9000ef2c220c ]
This reverts commit ab2068a6fb84751836a84c26ca72b3beb349619d.
When probing the exp-attached sata device, libsas/libata will issue a
hard reset in sas_probe_sata() -> ata_sas_async_probe(), then a
broadcast event will be received after the disk probe fails, and this
commit causes the probe will be re-executed on the disk, and a faulty
disk may get into an indefinite loop of probe.
Therefore, revert this commit, although it can fix some temporary issues
with disk probe failure.
Signed-off-by: Xingui Yang <yangxingui@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Link: https://patch.msgid.link/20251202065627.140361-1-yangxingui@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/libsas/sas_internal.h | 14 --------------
1 file changed, 14 deletions(-)
diff --git a/drivers/scsi/libsas/sas_internal.h b/drivers/scsi/libsas/sas_internal.h
index 5028bc394c4f9..d7a1fb5c10c6e 100644
--- a/drivers/scsi/libsas/sas_internal.h
+++ b/drivers/scsi/libsas/sas_internal.h
@@ -111,20 +111,6 @@ static inline void sas_fail_probe(struct domain_device *dev, const char *func, i
func, dev->parent ? "exp-attached" :
"direct-attached",
SAS_ADDR(dev->sas_addr), err);
-
- /*
- * If the device probe failed, the expander phy attached address
- * needs to be reset so that the phy will not be treated as flutter
- * in the next revalidation
- */
- if (dev->parent && !dev_is_expander(dev->dev_type)) {
- struct sas_phy *phy = dev->phy;
- struct domain_device *parent = dev->parent;
- struct ex_phy *ex_phy = &parent->ex_dev.ex_phy[phy->number];
-
- memset(ex_phy->attached_sas_addr, 0, SAS_ADDR_SIZE);
- }
-
sas_unregister_dev(dev->port, dev);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 523/554] arm64: dts: add off-on-delay-us for usdhc2 regulator
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (521 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 522/554] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 524/554] ARM: dts: imx6q-ba16: fix RTC interrupt level Greg Kroah-Hartman
` (36 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Haibo Chen, Shawn Guo,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
[ Upstream commit ca643894a37a25713029b36cfe7d1bae515cac08 ]
For SD card, according to the spec requirement, for sd card power reset
operation, it need sd card supply voltage to be lower than 0.5v and keep
over 1ms, otherwise, next time power back the sd card supply voltage to
3.3v, sd card can't support SD3.0 mode again.
To match such requirement on imx8qm-mek board, add 4.8ms delay between
sd power off and power on.
Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support")
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8qm-mek.dts | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
index 470e4e4aa8c78..059f8c0ab93d9 100644
--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
@@ -34,6 +34,7 @@ reg_usdhc2_vmmc: usdhc2-vmmc {
regulator-max-microvolt = <3000000>;
gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>;
enable-active-high;
+ off-on-delay-us = <4800>;
};
};
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 524/554] ARM: dts: imx6q-ba16: fix RTC interrupt level
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (522 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 523/554] arm64: dts: add off-on-delay-us for usdhc2 regulator Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 525/554] netfilter: nft_synproxy: avoid possible data-race on update operation Greg Kroah-Hartman
` (35 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Ray, Shawn Guo, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Ray <ian.ray@gehealthcare.com>
[ Upstream commit e6a4eedd49ce27c16a80506c66a04707e0ee0116 ]
RTC interrupt level should be set to "LOW". This was revealed by the
introduction of commit:
f181987ef477 ("rtc: m41t80: use IRQ flags obtained from fwnode")
which changed the way IRQ type is obtained.
Fixes: 56c27310c1b4 ("ARM: dts: imx: Add Advantech BA-16 Qseven module")
Signed-off-by: Ian Ray <ian.ray@gehealthcare.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/imx6q-ba16.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/imx6q-ba16.dtsi b/arch/arm/boot/dts/imx6q-ba16.dtsi
index f266f1b7e0cfc..0c033e69ecc04 100644
--- a/arch/arm/boot/dts/imx6q-ba16.dtsi
+++ b/arch/arm/boot/dts/imx6q-ba16.dtsi
@@ -335,7 +335,7 @@ rtc@32 {
pinctrl-0 = <&pinctrl_rtc>;
reg = <0x32>;
interrupt-parent = <&gpio4>;
- interrupts = <10 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts = <10 IRQ_TYPE_LEVEL_LOW>;
};
};
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 525/554] netfilter: nft_synproxy: avoid possible data-race on update operation
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (523 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 524/554] ARM: dts: imx6q-ba16: fix RTC interrupt level Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 526/554] netfilter: nf_tables: fix memory leak in nf_tables_newrule() Greg Kroah-Hartman
` (34 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Florian Westphal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 36a3200575642846a96436d503d46544533bb943 ]
During nft_synproxy eval we are reading nf_synproxy_info struct which
can be modified on update operation concurrently. As nf_synproxy_info
struct fits in 32 bits, use READ_ONCE/WRITE_ONCE annotations.
Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_synproxy.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
index 0806813d3a767..46d2eefb0b218 100644
--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -48,7 +48,7 @@ static void nft_synproxy_eval_v4(const struct nft_synproxy *priv,
struct tcphdr *_tcph,
struct synproxy_options *opts)
{
- struct nf_synproxy_info info = priv->info;
+ struct nf_synproxy_info info = READ_ONCE(priv->info);
struct net *net = nft_net(pkt);
struct synproxy_net *snet = synproxy_pernet(net);
struct sk_buff *skb = pkt->skb;
@@ -79,7 +79,7 @@ static void nft_synproxy_eval_v6(const struct nft_synproxy *priv,
struct tcphdr *_tcph,
struct synproxy_options *opts)
{
- struct nf_synproxy_info info = priv->info;
+ struct nf_synproxy_info info = READ_ONCE(priv->info);
struct net *net = nft_net(pkt);
struct synproxy_net *snet = synproxy_pernet(net);
struct sk_buff *skb = pkt->skb;
@@ -339,7 +339,7 @@ static void nft_synproxy_obj_update(struct nft_object *obj,
struct nft_synproxy *newpriv = nft_obj_data(newobj);
struct nft_synproxy *priv = nft_obj_data(obj);
- priv->info = newpriv->info;
+ WRITE_ONCE(priv->info, newpriv->info);
}
static struct nft_object_type nft_synproxy_obj_type;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 526/554] netfilter: nf_tables: fix memory leak in nf_tables_newrule()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (524 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 525/554] netfilter: nft_synproxy: avoid possible data-race on update operation Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 527/554] netfilter: nf_conncount: update last_gc only when GC has been performed Greg Kroah-Hartman
` (33 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Florian Westphal,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit d077e8119ddbb4fca67540f1a52453631a47f221 ]
In nf_tables_newrule(), if nft_use_inc() fails, the function jumps to
the err_release_rule label without freeing the allocated flow, leading
to a memory leak.
Fix this by adding a new label err_destroy_flow and jumping to it when
nft_use_inc() fails. This ensures that the flow is properly released
in this error case.
Fixes: 1689f25924ada ("netfilter: nf_tables: report use refcount overflow")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_tables_api.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 91b012e476be6..e37d2ef9538e5 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3741,7 +3741,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
if (!nft_use_inc(&chain->use)) {
err = -EMFILE;
- goto err_release_rule;
+ goto err_destroy_flow;
}
if (info->nlh->nlmsg_flags & NLM_F_REPLACE) {
@@ -3791,6 +3791,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
err_destroy_flow_rule:
nft_use_dec_restore(&chain->use);
+err_destroy_flow:
if (flow)
nft_flow_rule_destroy(flow);
err_release_rule:
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 527/554] netfilter: nf_conncount: update last_gc only when GC has been performed
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (525 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 526/554] netfilter: nf_tables: fix memory leak in nf_tables_newrule() Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 528/554] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure Greg Kroah-Hartman
` (32 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fernando Fernandez Mancera,
Florian Westphal, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fernando Fernandez Mancera <fmancera@suse.de>
[ Upstream commit 7811ba452402d58628e68faedf38745b3d485e3c ]
Currently last_gc is being updated everytime a new connection is
tracked, that means that it is updated even if a GC wasn't performed.
With a sufficiently high packet rate, it is possible to always bypass
the GC, causing the list to grow infinitely.
Update the last_gc value only when a GC has been actually performed.
Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conncount.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index c00b8e522c5a7..a2c5a7ba0c6fc 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -229,6 +229,7 @@ static int __nf_conncount_add(struct net *net,
nf_ct_put(found_ct);
}
+ list->last_gc = (u32)jiffies;
add_new_node:
if (WARN_ON_ONCE(list->count > INT_MAX)) {
@@ -248,7 +249,6 @@ static int __nf_conncount_add(struct net *net,
conn->jiffies32 = (u32)jiffies;
list_add_tail(&conn->node, &list->head);
list->count++;
- list->last_gc = (u32)jiffies;
out_put:
if (refcounted)
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 528/554] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (526 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 527/554] netfilter: nf_conncount: update last_gc only when GC has been performed Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 529/554] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress Greg Kroah-Hartman
` (31 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alok Tiwari, Elad Nachman,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alok Tiwari <alok.a.tiwari@oracle.com>
[ Upstream commit a428e0da1248c353557970848994f35fd3f005e2 ]
devlink_alloc() may return NULL on allocation failure, but
prestera_devlink_alloc() unconditionally calls devlink_priv() on
the returned pointer.
This leads to a NULL pointer dereference if devlink allocation fails.
Add a check for a NULL devlink pointer and return NULL early to avoid
the crash.
Fixes: 34dd1710f5a3 ("net: marvell: prestera: Add basic devlink support")
Signed-off-by: Alok Tiwari <alok.a.tiwari@oracle.com>
Acked-by: Elad Nachman <enachman@marvell.com>
Link: https://patch.msgid.link/20251230052124.897012-1-alok.a.tiwari@oracle.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/prestera/prestera_devlink.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c
index 68b442eb6d694..59e865df6cee0 100644
--- a/drivers/net/ethernet/marvell/prestera/prestera_devlink.c
+++ b/drivers/net/ethernet/marvell/prestera/prestera_devlink.c
@@ -396,6 +396,8 @@ struct prestera_switch *prestera_devlink_alloc(struct prestera_device *dev)
dl = devlink_alloc(&prestera_dl_ops, sizeof(struct prestera_switch),
dev->dev);
+ if (!dl)
+ return NULL;
return devlink_priv(dl);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 529/554] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (527 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 528/554] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 530/554] net: mscc: ocelot: Fix crash when adding interface under a lag Greg Kroah-Hartman
` (30 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandre Knecht, Ido Schimmel,
Nikolay Aleksandrov, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Knecht <knecht.alexandre@gmail.com>
[ Upstream commit 3128df6be147768fe536986fbb85db1d37806a9f ]
When using an 802.1ad bridge with vlan_tunnel, the C-VLAN tag is
incorrectly stripped from frames during egress processing.
br_handle_egress_vlan_tunnel() uses skb_vlan_pop() to remove the S-VLAN
from hwaccel before VXLAN encapsulation. However, skb_vlan_pop() also
moves any "next" VLAN from the payload into hwaccel:
/* move next vlan tag to hw accel tag */
__skb_vlan_pop(skb, &vlan_tci);
__vlan_hwaccel_put_tag(skb, vlan_proto, vlan_tci);
For QinQ frames where the C-VLAN sits in the payload, this moves it to
hwaccel where it gets lost during VXLAN encapsulation.
Fix by calling __vlan_hwaccel_clear_tag() directly, which clears only
the hwaccel S-VLAN and leaves the payload untouched.
This path is only taken when vlan_tunnel is enabled and tunnel_info
is configured, so 802.1Q bridges are unaffected.
Tested with 802.1ad bridge + VXLAN vlan_tunnel, verified C-VLAN
preserved in VXLAN payload via tcpdump.
Fixes: 11538d039ac6 ("bridge: vlan dst_metadata hooks in ingress and egress paths")
Signed-off-by: Alexandre Knecht <knecht.alexandre@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20251228020057.2788865-1-knecht.alexandre@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_vlan_tunnel.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/bridge/br_vlan_tunnel.c b/net/bridge/br_vlan_tunnel.c
index 6399a8a69d076..0f03572d89d09 100644
--- a/net/bridge/br_vlan_tunnel.c
+++ b/net/bridge/br_vlan_tunnel.c
@@ -187,7 +187,6 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
{
struct metadata_dst *tunnel_dst;
__be64 tunnel_id;
- int err;
if (!vlan)
return 0;
@@ -197,9 +196,13 @@ int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
return 0;
skb_dst_drop(skb);
- err = skb_vlan_pop(skb);
- if (err)
- return err;
+ /* For 802.1ad (QinQ), skb_vlan_pop() incorrectly moves the C-VLAN
+ * from payload to hwaccel after clearing S-VLAN. We only need to
+ * clear the hwaccel S-VLAN; the C-VLAN must stay in payload for
+ * correct VXLAN encapsulation. This is also correct for 802.1Q
+ * where no C-VLAN exists in payload.
+ */
+ __vlan_hwaccel_clear_tag(skb);
tunnel_dst = rcu_dereference(vlan->tinfo.tunnel_dst);
if (tunnel_dst && dst_hold_safe(&tunnel_dst->dst))
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 530/554] net: mscc: ocelot: Fix crash when adding interface under a lag
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (528 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 529/554] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 531/554] inet: ping: Fix icmp out counting Greg Kroah-Hartman
` (29 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jerry Wu, Vladimir Oltean,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerry Wu <w.7erry@foxmail.com>
[ Upstream commit 34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 ]
Commit 15faa1f67ab4 ("lan966x: Fix crash when adding interface under a lag")
fixed a similar issue in the lan966x driver caused by a NULL pointer dereference.
The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic
and is susceptible to the same crash.
This issue specifically affects the ocelot_vsc7514.c frontend, which leaves
unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as
it uses the DSA framework which registers all ports.
Fix this by checking if the port pointer is valid before accessing it.
Fixes: 528d3f190c98 ("net: mscc: ocelot: drop the use of the "lags" array")
Signed-off-by: Jerry Wu <w.7erry@foxmail.com>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Link: https://patch.msgid.link/tencent_75EF812B305E26B0869C673DD1160866C90A@qq.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mscc/ocelot.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/mscc/ocelot.c b/drivers/net/ethernet/mscc/ocelot.c
index 96b1e394a397f..f3bf7757302c0 100644
--- a/drivers/net/ethernet/mscc/ocelot.c
+++ b/drivers/net/ethernet/mscc/ocelot.c
@@ -1718,14 +1718,16 @@ static void ocelot_set_aggr_pgids(struct ocelot *ocelot)
/* Now, set PGIDs for each active LAG */
for (lag = 0; lag < ocelot->num_phys_ports; lag++) {
- struct net_device *bond = ocelot->ports[lag]->bond;
+ struct ocelot_port *ocelot_port = ocelot->ports[lag];
int num_active_ports = 0;
+ struct net_device *bond;
unsigned long bond_mask;
u8 aggr_idx[16];
- if (!bond || (visited & BIT(lag)))
+ if (!ocelot_port || !ocelot_port->bond || (visited & BIT(lag)))
continue;
+ bond = ocelot_port->bond;
bond_mask = ocelot_get_bond_mask(ocelot, bond);
for_each_set_bit(port, &bond_mask, ocelot->num_phys_ports) {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 531/554] inet: ping: Fix icmp out counting
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (529 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 530/554] net: mscc: ocelot: Fix crash when adding interface under a lag Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 532/554] net: sock: fix hardened usercopy panic in sock_recv_errqueue Greg Kroah-Hartman
` (28 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, yuan.gao, Ido Schimmel,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: yuan.gao <yuan.gao@ucloud.cn>
[ Upstream commit 4c0856c225b39b1def6c9a6bc56faca79550da13 ]
When the ping program uses an IPPROTO_ICMP socket to send ICMP_ECHO
messages, ICMP_MIB_OUTMSGS is counted twice.
ping_v4_sendmsg
ping_v4_push_pending_frames
ip_push_pending_frames
ip_finish_skb
__ip_make_skb
icmp_out_count(net, icmp_type); // first count
icmp_out_count(sock_net(sk), user_icmph.type); // second count
However, when the ping program uses an IPPROTO_RAW socket,
ICMP_MIB_OUTMSGS is counted correctly only once.
Therefore, the first count should be removed.
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Signed-off-by: yuan.gao <yuan.gao@ucloud.cn>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20251224063145.3615282-1-yuan.gao@ucloud.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ping.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index c4a2565da2806..069ac54ef7565 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -844,10 +844,8 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
out_free:
if (free)
kfree(ipc.opt);
- if (!err) {
- icmp_out_count(sock_net(sk), user_icmph.type);
+ if (!err)
return len;
- }
return err;
do_confirm:
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 532/554] net: sock: fix hardened usercopy panic in sock_recv_errqueue
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (530 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 531/554] inet: ping: Fix icmp out counting Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 533/554] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates Greg Kroah-Hartman
` (27 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiang Mei, Weiming Shi, Eric Dumazet,
Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Weiming Shi <bestswngs@gmail.com>
[ Upstream commit 2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 ]
skbuff_fclone_cache was created without defining a usercopy region,
[1] unlike skbuff_head_cache which properly whitelists the cb[] field.
[2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is
enabled and the kernel attempts to copy sk_buff.cb data to userspace
via sock_recv_errqueue() -> put_cmsg().
The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone()
(from skbuff_fclone_cache) [1]
2. The skb is cloned via skb_clone() using the pre-allocated fclone
[3] 3. The cloned skb is queued to sk_error_queue for timestamp
reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE)
5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb
[4] 6. __check_heap_object() fails because skbuff_fclone_cache has no
usercopy whitelist [5]
When cloned skbs allocated from skbuff_fclone_cache are used in the
socket error queue, accessing the sock_exterr_skb structure in skb->cb
via put_cmsg() triggers a usercopy hardening violation:
[ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object 'skbuff_fclone_cache' (offset 296, size 16)!
[ 5.382796] kernel BUG at mm/usercopy.c:102!
[ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
[ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7
[ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80
[ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490
[ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246
[ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74
[ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0
[ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74
[ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001
[ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00
[ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000
[ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0
[ 5.384903] PKRU: 55555554
[ 5.384903] Call Trace:
[ 5.384903] <TASK>
[ 5.384903] __check_heap_object+0x9a/0xd0
[ 5.384903] __check_object_size+0x46c/0x690
[ 5.384903] put_cmsg+0x129/0x5e0
[ 5.384903] sock_recv_errqueue+0x22f/0x380
[ 5.384903] tls_sw_recvmsg+0x7ed/0x1960
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? schedule+0x6d/0x270
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
[ 5.384903] ? mutex_unlock+0x81/0xd0
[ 5.384903] ? __pfx_mutex_unlock+0x10/0x10
[ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10
[ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0
[ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40
[ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5
The crash offset 296 corresponds to skb2->cb within skbuff_fclones:
- sizeof(struct sk_buff) = 232 - offsetof(struct sk_buff, cb) = 40 -
offset of skb2.cb in fclones = 232 + 40 = 272 - crash offset 296 =
272 + 24 (inside sock_exterr_skb.ee)
This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure.
[1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885
[2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104
[3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566
[4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491
[5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719
Fixes: 6d07d1cd300f ("usercopy: Restrict non-usercopy caches to size 0")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251223203534.1392218-2-bestswngs@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/sock.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/core/sock.c b/net/core/sock.c
index b4e605ac79c9f..bf2bec10d5d6a 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3377,7 +3377,7 @@ void sock_enable_timestamp(struct sock *sk, enum sock_flags flag)
int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
int level, int type)
{
- struct sock_exterr_skb *serr;
+ struct sock_extended_err ee;
struct sk_buff *skb;
int copied, err;
@@ -3397,8 +3397,9 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
sock_recv_timestamp(msg, sk, skb);
- serr = SKB_EXT_ERR(skb);
- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee);
+ /* We must use a bounce buffer for CONFIG_HARDENED_USERCOPY=y */
+ ee = SKB_EXT_ERR(skb)->ee;
+ put_cmsg(msg, level, type, sizeof(ee), &ee);
msg->msg_flags |= MSG_ERRQUEUE;
err = copied;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 533/554] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (531 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 532/554] net: sock: fix hardened usercopy panic in sock_recv_errqueue Greg Kroah-Hartman
@ 2026-01-15 16:49 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 534/554] net/mlx5e: Dont print error message due to invalid module Greg Kroah-Hartman
` (26 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Di Zhu, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Di Zhu <zhud@hygon.cn>
[ Upstream commit 02d1e1a3f9239cdb3ecf2c6d365fb959d1bf39df ]
Directly increment the TSO features incurs a side effect: it will also
directly clear the flags in NETIF_F_ALL_FOR_ALL on the master device,
which can cause issues such as the inability to enable the nocache copy
feature on the bonding driver.
The fix is to include NETIF_F_ALL_FOR_ALL in the update mask, thereby
preventing it from being cleared.
Fixes: b0ce3508b25e ("bonding: allow TSO being set on bonding master")
Signed-off-by: Di Zhu <zhud@hygon.cn>
Link: https://patch.msgid.link/20251224012224.56185-1-zhud@hygon.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdevice.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 83bb0f21b1b02..dddb866d88075 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -5093,7 +5093,8 @@ netdev_features_t netdev_increment_features(netdev_features_t all,
static inline netdev_features_t netdev_add_tso_features(netdev_features_t features,
netdev_features_t mask)
{
- return netdev_increment_features(features, NETIF_F_ALL_TSO, mask);
+ return netdev_increment_features(features, NETIF_F_ALL_TSO |
+ NETIF_F_ALL_FOR_ALL, mask);
}
int __netdev_update_features(struct net_device *dev);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 534/554] net/mlx5e: Dont print error message due to invalid module
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (532 preceding siblings ...)
2026-01-15 16:49 ` [PATCH 5.15 533/554] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 535/554] eth: bnxt: move and rename reset helpers Greg Kroah-Hartman
` (25 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gal Pressman, Tariq Toukan,
Mark Bloch, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit 144297e2a24e3e54aee1180ec21120ea38822b97 ]
Dumping module EEPROM on newer modules is supported through the netlink
interface only.
Querying with old userspace ethtool (or other tools, such as 'lshw')
which still uses the ioctl interface results in an error message that
could flood dmesg (in addition to the expected error return value).
The original message was added under the assumption that the driver
should be able to handle all module types, but now that such flows are
easily triggered from userspace, it doesn't serve its purpose.
Change the log level of the print in mlx5_query_module_eeprom() to
debug.
Fixes: bb64143eee8c ("net/mlx5e: Add ethtool support for dump module EEPROM")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Mark Bloch <mbloch@nvidia.com>
Link: https://patch.msgid.link/20251225132717.358820-5-mbloch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/port.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/port.c b/drivers/net/ethernet/mellanox/mlx5/core/port.c
index fd79860de723b..fdf708d642887 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/port.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/port.c
@@ -414,7 +414,8 @@ int mlx5_query_module_eeprom(struct mlx5_core_dev *dev,
mlx5_qsfp_eeprom_params_set(&query.i2c_address, &query.page, &offset);
break;
default:
- mlx5_core_err(dev, "Module ID not recognized: 0x%x\n", module_id);
+ mlx5_core_dbg(dev, "Module ID not recognized: 0x%x\n",
+ module_id);
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 535/554] eth: bnxt: move and rename reset helpers
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (533 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 534/554] net/mlx5e: Dont print error message due to invalid module Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 536/554] bnxt_en: Fix potential data corruption with HW GRO/LRO Greg Kroah-Hartman
` (24 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Chan, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit fea2993aecd74d5d11ede1ebbd60e478ebfed996 ]
Move the reset helpers, subsequent patches will need some
of them on the Tx path.
While at it rename bnxt_sched_reset(), on more recent chips
it schedules a queue reset, instead of a fuller reset.
Link: https://lore.kernel.org/r/20230720010440.1967136-2-kuba@kernel.org
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: ffeafa65b2b2 ("bnxt_en: Fix potential data corruption with HW GRO/LRO")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 72 +++++++++++------------
1 file changed, 36 insertions(+), 36 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 127f7d238a041..90719916184db 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -340,6 +340,38 @@ static void bnxt_db_cq(struct bnxt *bp, struct bnxt_db_info *db, u32 idx)
BNXT_DB_CQ(db, idx);
}
+static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay)
+{
+ if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)))
+ return;
+
+ if (BNXT_PF(bp))
+ queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay);
+ else
+ schedule_delayed_work(&bp->fw_reset_task, delay);
+}
+
+static void bnxt_queue_sp_work(struct bnxt *bp)
+{
+ if (BNXT_PF(bp))
+ queue_work(bnxt_pf_wq, &bp->sp_task);
+ else
+ schedule_work(&bp->sp_task);
+}
+
+static void bnxt_sched_reset_rxr(struct bnxt *bp, struct bnxt_rx_ring_info *rxr)
+{
+ if (!rxr->bnapi->in_reset) {
+ rxr->bnapi->in_reset = true;
+ if (bp->flags & BNXT_FLAG_CHIP_P5)
+ set_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event);
+ else
+ set_bit(BNXT_RST_RING_SP_EVENT, &bp->sp_event);
+ bnxt_queue_sp_work(bp);
+ }
+ rxr->rx_next_cons = 0xffff;
+}
+
const u16 bnxt_lhint_arr[] = {
TX_BD_FLAGS_LHINT_512_AND_SMALLER,
TX_BD_FLAGS_LHINT_512_TO_1023,
@@ -1227,38 +1259,6 @@ static int bnxt_discard_rx(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
return 0;
}
-static void bnxt_queue_fw_reset_work(struct bnxt *bp, unsigned long delay)
-{
- if (!(test_bit(BNXT_STATE_IN_FW_RESET, &bp->state)))
- return;
-
- if (BNXT_PF(bp))
- queue_delayed_work(bnxt_pf_wq, &bp->fw_reset_task, delay);
- else
- schedule_delayed_work(&bp->fw_reset_task, delay);
-}
-
-static void bnxt_queue_sp_work(struct bnxt *bp)
-{
- if (BNXT_PF(bp))
- queue_work(bnxt_pf_wq, &bp->sp_task);
- else
- schedule_work(&bp->sp_task);
-}
-
-static void bnxt_sched_reset(struct bnxt *bp, struct bnxt_rx_ring_info *rxr)
-{
- if (!rxr->bnapi->in_reset) {
- rxr->bnapi->in_reset = true;
- if (bp->flags & BNXT_FLAG_CHIP_P5)
- set_bit(BNXT_RESET_TASK_SP_EVENT, &bp->sp_event);
- else
- set_bit(BNXT_RST_RING_SP_EVENT, &bp->sp_event);
- bnxt_queue_sp_work(bp);
- }
- rxr->rx_next_cons = 0xffff;
-}
-
static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id)
{
struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map;
@@ -1313,7 +1313,7 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr,
netdev_warn(bp->dev, "TPA cons %x, expected cons %x, error code %x\n",
cons, rxr->rx_next_cons,
TPA_START_ERROR_CODE(tpa_start1));
- bnxt_sched_reset(bp, rxr);
+ bnxt_sched_reset_rxr(bp, rxr);
return;
}
/* Store cfa_code in tpa_info to use in tpa_end
@@ -1835,7 +1835,7 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
if (rxr->rx_next_cons != 0xffff)
netdev_warn(bp->dev, "RX cons %x != expected cons %x\n",
cons, rxr->rx_next_cons);
- bnxt_sched_reset(bp, rxr);
+ bnxt_sched_reset_rxr(bp, rxr);
if (rc1)
return rc1;
goto next_rx_no_prod_no_len;
@@ -1873,7 +1873,7 @@ static int bnxt_rx_pkt(struct bnxt *bp, struct bnxt_cp_ring_info *cpr,
!(bp->fw_cap & BNXT_FW_CAP_RING_MONITOR)) {
netdev_warn_once(bp->dev, "RX buffer error %x\n",
rx_err);
- bnxt_sched_reset(bp, rxr);
+ bnxt_sched_reset_rxr(bp, rxr);
}
}
goto next_rx_no_len;
@@ -2254,7 +2254,7 @@ static int bnxt_async_event_process(struct bnxt *bp,
goto async_event_process_exit;
}
rxr = bp->bnapi[grp_idx]->rx_ring;
- bnxt_sched_reset(bp, rxr);
+ bnxt_sched_reset_rxr(bp, rxr);
goto async_event_process_exit;
}
case ASYNC_EVENT_CMPL_EVENT_ID_ECHO_REQUEST: {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 536/554] bnxt_en: Fix potential data corruption with HW GRO/LRO
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (534 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 535/554] eth: bnxt: move and rename reset helpers Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 537/554] HID: quirks: work around VID/PID conflict for appledisplay Greg Kroah-Hartman
` (23 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ray Jui, Srijit Bose, Michael Chan,
Vadim Fedorenko, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srijit Bose <srijit.bose@broadcom.com>
[ Upstream commit ffeafa65b2b26df2f5b5a6118d3174f17bd12ec5 ]
Fix the max number of bits passed to find_first_zero_bit() in
bnxt_alloc_agg_idx(). We were incorrectly passing the number of
long words. find_first_zero_bit() may fail to find a zero bit and
cause a wrong ID to be used. If the wrong ID is already in use, this
can cause data corruption. Sometimes an error like this can also be
seen:
bnxt_en 0000:83:00.0 enp131s0np0: TPA end agg_buf 2 != expected agg_bufs 1
Fix it by passing the correct number of bits MAX_TPA_P5. Use
DECLARE_BITMAP() to more cleanly define the bitmap. Add a sanity
check to warn if a bit cannot be found and reset the ring [MChan].
Fixes: ec4d8e7cf024 ("bnxt_en: Add TPA ID mapping logic for 57500 chips.")
Reviewed-by: Ray Jui <ray.jui@broadcom.com>
Signed-off-by: Srijit Bose <srijit.bose@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/20251231083625.3911652-1-michael.chan@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt.c | 15 ++++++++++++---
drivers/net/ethernet/broadcom/bnxt/bnxt.h | 4 +---
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 90719916184db..74344722d63d1 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -1264,9 +1264,11 @@ static u16 bnxt_alloc_agg_idx(struct bnxt_rx_ring_info *rxr, u16 agg_id)
struct bnxt_tpa_idx_map *map = rxr->rx_tpa_idx_map;
u16 idx = agg_id & MAX_TPA_P5_MASK;
- if (test_bit(idx, map->agg_idx_bmap))
- idx = find_first_zero_bit(map->agg_idx_bmap,
- BNXT_AGG_IDX_BMAP_SIZE);
+ if (test_bit(idx, map->agg_idx_bmap)) {
+ idx = find_first_zero_bit(map->agg_idx_bmap, MAX_TPA_P5);
+ if (idx >= MAX_TPA_P5)
+ return INVALID_HW_RING_ID;
+ }
__set_bit(idx, map->agg_idx_bmap);
map->agg_id_tbl[agg_id] = idx;
return idx;
@@ -1299,6 +1301,13 @@ static void bnxt_tpa_start(struct bnxt *bp, struct bnxt_rx_ring_info *rxr,
if (bp->flags & BNXT_FLAG_CHIP_P5) {
agg_id = TPA_START_AGG_ID_P5(tpa_start);
agg_id = bnxt_alloc_agg_idx(rxr, agg_id);
+ if (unlikely(agg_id == INVALID_HW_RING_ID)) {
+ netdev_warn(bp->dev, "Unable to allocate agg ID for ring %d, agg 0x%x\n",
+ rxr->bnapi->index,
+ TPA_START_AGG_ID_P5(tpa_start));
+ bnxt_sched_reset_rxr(bp, rxr);
+ return;
+ }
} else {
agg_id = TPA_START_AGG_ID(tpa_start);
}
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.h b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
index ae4695fc067d5..56aae0d654e8a 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.h
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.h
@@ -872,11 +872,9 @@ struct bnxt_tpa_info {
struct rx_agg_cmp *agg_arr;
};
-#define BNXT_AGG_IDX_BMAP_SIZE (MAX_TPA_P5 / BITS_PER_LONG)
-
struct bnxt_tpa_idx_map {
u16 agg_id_tbl[1024];
- unsigned long agg_idx_bmap[BNXT_AGG_IDX_BMAP_SIZE];
+ DECLARE_BITMAP(agg_idx_bmap, MAX_TPA_P5);
};
struct bnxt_rx_ring_info {
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 537/554] HID: quirks: work around VID/PID conflict for appledisplay
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (535 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 536/554] bnxt_en: Fix potential data corruption with HW GRO/LRO Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 538/554] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset Greg Kroah-Hartman
` (22 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, René Rebe, Jiri Kosina,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: René Rebe <rene@exactco.de>
[ Upstream commit c7fabe4ad9219866c203164a214c474c95b36bf2 ]
For years I wondered why the Apple Cinema Display driver would not
just work for me. Turns out the hidraw driver instantly takes it
over. Fix by adding appledisplay VID/PIDs to hid_have_special_driver.
Fixes: 069e8a65cd79 ("Driver for Apple Cinema Display")
Signed-off-by: René Rebe <rene@exactco.de>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-quirks.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
index 4b645db5cd4bc..cc2f462fced27 100644
--- a/drivers/hid/hid-quirks.c
+++ b/drivers/hid/hid-quirks.c
@@ -220,6 +220,15 @@ static const struct hid_device_id hid_quirks[] = {
* used as a driver. See hid_scan_report().
*/
static const struct hid_device_id hid_have_special_driver[] = {
+#if IS_ENABLED(CONFIG_APPLEDISPLAY)
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9218) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9219) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921c) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x921d) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9222) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9226) },
+ { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, 0x9236) },
+#endif
#if IS_ENABLED(CONFIG_HID_A4TECH)
{ HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_WCP32PU) },
{ HID_USB_DEVICE(USB_VENDOR_ID_A4TECH, USB_DEVICE_ID_A4TECH_X5_005D) },
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 538/554] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (536 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 537/554] HID: quirks: work around VID/PID conflict for appledisplay Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 539/554] net: usb: pegasus: fix memory leak in update_eth_regs_async() Greg Kroah-Hartman
` (21 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiang Mei, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiang Mei <xmei5@asu.edu>
[ Upstream commit c1d73b1480235731e35c81df70b08f4714a7d095 ]
`qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class
itself is active.
Two qfq_class objects may point to the same leaf_qdisc. This happens
when:
1. one QFQ qdisc is attached to the dev as the root qdisc, and
2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get()
/ qdisc_put()) and is pending to be destroyed, as in function
tc_new_tfilter.
When packets are enqueued through the root QFQ qdisc, the shared
leaf_qdisc->q.qlen increases. At the same time, the second QFQ
qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters
qfq_reset() with its own q->q.qlen == 0, but its class's leaf
qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate
an inactive aggregate and trigger a null-deref in qfq_deactivate_agg:
[ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 0.903571] #PF: supervisor write access in kernel mode
[ 0.903860] #PF: error_code(0x0002) - not-present page
[ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0
[ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI
[ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE
[ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
[ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))
[ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0
Code starting with the faulting instruction
===========================================
0: 0f 84 4d 01 00 00 je 0x153
6: 48 89 70 18 mov %rsi,0x18(%rax)
a: 8b 4b 10 mov 0x10(%rbx),%ecx
d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx
14: 48 8b 78 08 mov 0x8(%rax),%rdi
18: 48 d3 e2 shl %cl,%rdx
1b: 48 21 f2 and %rsi,%rdx
1e: 48 2b 13 sub (%rbx),%rdx
21: 48 8b 30 mov (%rax),%rsi
24: 48 d3 ea shr %cl,%rdx
27: 8b 4b 18 mov 0x18(%rbx),%ecx
...
[ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246
[ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000
[ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000
[ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000
[ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880
[ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000
[ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0
[ 0.910247] PKRU: 55555554
[ 0.910391] Call Trace:
[ 0.910527] <TASK>
[ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485)
[ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036)
[ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076)
[ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447)
[ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958)
[ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861)
[ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550)
[ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344)
[ 0.912296] ? __alloc_skb (net/core/skbuff.c:706)
[ 0.912484] netlink_sendmsg (net/netlink/af_netlink.c:1894)
[ 0.912682] sock_write_iter (net/socket.c:727 (discriminator 1) net/socket.c:742 (discriminator 1) net/socket.c:1195 (discriminator 1))
[ 0.912880] vfs_write (fs/read_write.c:593 fs/read_write.c:686)
[ 0.913077] ksys_write (fs/read_write.c:738)
[ 0.913252] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
[ 0.913438] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
[ 0.913687] RIP: 0033:0x424c34
[ 0.913844] Code: 89 02 48 c7 c0 ff ff ff ff eb bd 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 2d 44 09 00 00 74 13 b8 01 00 00 00 0f 05 9
Code starting with the faulting instruction
===========================================
0: 89 02 mov %eax,(%rdx)
2: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
9: eb bd jmp 0xffffffffffffffc8
b: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
12: 00 00 00
15: 90 nop
16: f3 0f 1e fa endbr64
1a: 80 3d 2d 44 09 00 00 cmpb $0x0,0x9442d(%rip) # 0x9444e
21: 74 13 je 0x36
23: b8 01 00 00 00 mov $0x1,%eax
28: 0f 05 syscall
2a: 09 .byte 0x9
[ 0.914807] RSP: 002b:00007ffea1938b78 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[ 0.915197] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000424c34
[ 0.915556] RDX: 000000000000003c RSI: 000000002af378c0 RDI: 0000000000000003
[ 0.915912] RBP: 00007ffea1938bc0 R08: 00000000004b8820 R09: 0000000000000000
[ 0.916297] R10: 0000000000000001 R11: 0000000000000202 R12: 00007ffea1938d28
[ 0.916652] R13: 00007ffea1938d38 R14: 00000000004b3828 R15: 0000000000000001
[ 0.917039] </TASK>
[ 0.917158] Modules linked in:
[ 0.917316] CR2: 0000000000000000
[ 0.917484] ---[ end trace 0000000000000000 ]---
[ 0.917717] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2))
[ 0.917978] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0
Code starting with the faulting instruction
===========================================
0: 0f 84 4d 01 00 00 je 0x153
6: 48 89 70 18 mov %rsi,0x18(%rax)
a: 8b 4b 10 mov 0x10(%rbx),%ecx
d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx
14: 48 8b 78 08 mov 0x8(%rax),%rdi
18: 48 d3 e2 shl %cl,%rdx
1b: 48 21 f2 and %rsi,%rdx
1e: 48 2b 13 sub (%rbx),%rdx
21: 48 8b 30 mov (%rax),%rsi
24: 48 d3 ea shr %cl,%rdx
27: 8b 4b 18 mov 0x18(%rbx),%ecx
...
[ 0.918902] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246
[ 0.919198] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000
[ 0.919559] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 0.919908] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000
[ 0.920289] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000
[ 0.920648] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880
[ 0.921014] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000
[ 0.921424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 0.921710] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0
[ 0.922097] PKRU: 55555554
[ 0.922240] Kernel panic - not syncing: Fatal exception
[ 0.922590] Kernel Offset: disabled
Fixes: 0545a3037773 ("pkt_sched: QFQ - quick fair queue scheduler")
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Link: https://patch.msgid.link/20260106034100.1780779-1-xmei5@asu.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_qfq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index 649cf7a7dce46..aa049dd33a74e 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -1491,7 +1491,7 @@ static void qfq_reset_qdisc(struct Qdisc *sch)
for (i = 0; i < q->clhash.hashsize; i++) {
hlist_for_each_entry(cl, &q->clhash.hash[i], common.hnode) {
- if (cl->qdisc->q.qlen > 0)
+ if (cl_is_active(cl))
qfq_deactivate_class(q, cl);
qdisc_reset(cl->qdisc);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 539/554] net: usb: pegasus: fix memory leak in update_eth_regs_async()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (537 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 538/554] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 540/554] net: enetc: fix build warning when PAGE_SIZE is greater than 128K Greg Kroah-Hartman
` (20 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petko Manolov, Jakub Kicinski,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petko Manolov <petkan@nucleusys.com>
[ Upstream commit afa27621a28af317523e0836dad430bec551eb54 ]
When asynchronously writing to the device registers and if usb_submit_urb()
fail, the code fail to release allocated to this point resources.
Fixes: 323b34963d11 ("drivers: net: usb: pegasus: fix control urb submission")
Signed-off-by: Petko Manolov <petkan@nucleusys.com>
Link: https://patch.msgid.link/20260106084821.3746677-1-petko.manolov@konsulko.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/pegasus.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index cd063f45785b7..fd7b9776b4824 100644
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -168,6 +168,8 @@ static int update_eth_regs_async(pegasus_t *pegasus)
netif_device_detach(pegasus->net);
netif_err(pegasus, drv, pegasus->net,
"%s returned %d\n", __func__, ret);
+ usb_free_urb(async_urb);
+ kfree(req);
}
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 540/554] net: enetc: fix build warning when PAGE_SIZE is greater than 128K
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (538 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 539/554] net: usb: pegasus: fix memory leak in update_eth_regs_async() Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 541/554] arp: do not assume dev_hard_header() does not change skb->head Greg Kroah-Hartman
` (19 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Wei Fang,
Frank Li, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Fang <wei.fang@nxp.com>
[ Upstream commit 4b5bdabb5449b652122e43f507f73789041d4abe ]
The max buffer size of ENETC RX BD is 0xFFFF bytes, so if the PAGE_SIZE
is greater than 128K, ENETC_RXB_DMA_SIZE and ENETC_RXB_DMA_SIZE_XDP will
be greater than 0xFFFF, thus causing a build warning.
This will not cause any practical issues because ENETC is currently only
used on the ARM64 platform, and the max PAGE_SIZE is 64K. So this patch
is only for fixing the build warning that occurs when compiling ENETC
drivers for other platforms.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202601050637.kHEKKOG7-lkp@intel.com/
Fixes: e59bc32df2e9 ("net: enetc: correct the value of ENETC_RXB_TRUESIZE")
Signed-off-by: Wei Fang <wei.fang@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260107091204.1980222-1-wei.fang@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/enetc.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc.h b/drivers/net/ethernet/freescale/enetc/enetc.h
index 40c8f0f026a5b..adcb53167d3f9 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc.h
+++ b/drivers/net/ethernet/freescale/enetc/enetc.h
@@ -40,9 +40,9 @@ struct enetc_tx_swbd {
#define ENETC_RXB_TRUESIZE (PAGE_SIZE >> 1)
#define ENETC_RXB_PAD NET_SKB_PAD /* add extra space if needed */
#define ENETC_RXB_DMA_SIZE \
- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD)
+ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - ENETC_RXB_PAD, 0xffff)
#define ENETC_RXB_DMA_SIZE_XDP \
- (SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM)
+ min(SKB_WITH_OVERHEAD(ENETC_RXB_TRUESIZE) - XDP_PACKET_HEADROOM, 0xffff)
struct enetc_rx_swbd {
dma_addr_t dma;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 541/554] arp: do not assume dev_hard_header() does not change skb->head
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (539 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 540/554] net: enetc: fix build warning when PAGE_SIZE is greater than 128K Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 542/554] NFS: trace: show TIMEDOUT instead of 0x6e Greg Kroah-Hartman
` (18 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+58b44a770a1585795351,
Eric Dumazet, Jakub Kicinski, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c92510f5e3f82ba11c95991824a41e59a9c5ed81 ]
arp_create() is the only dev_hard_header() caller
making assumption about skb->head being unchanged.
A recent commit broke this assumption.
Initialize @arp pointer after dev_hard_header() call.
Fixes: db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
Reported-by: syzbot+58b44a770a1585795351@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260107212250.384552-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/arp.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index ef69321886798..5a76164980344 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -542,7 +542,7 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
skb_reserve(skb, hlen);
skb_reset_network_header(skb);
- arp = skb_put(skb, arp_hdr_len(dev));
+ skb_put(skb, arp_hdr_len(dev));
skb->dev = dev;
skb->protocol = htons(ETH_P_ARP);
if (!src_hw)
@@ -550,12 +550,13 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
if (!dest_hw)
dest_hw = dev->broadcast;
- /*
- * Fill the device header for the ARP frame
+ /* Fill the device header for the ARP frame.
+ * Note: skb->head can be changed.
*/
if (dev_hard_header(skb, dev, ptype, dest_hw, src_hw, skb->len) < 0)
goto out;
+ arp = arp_hdr(skb);
/*
* Fill out the arp protocol part.
*
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 542/554] NFS: trace: show TIMEDOUT instead of 0x6e
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (540 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 541/554] arp: do not assume dev_hard_header() does not change skb->head Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 543/554] nfs_common: factor out nfs_errtbl and nfs_stat_to_errno Greg Kroah-Hartman
` (17 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Hanxiao, Jeff Layton,
Chuck Lever, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Hanxiao <chenhx.fnst@fujitsu.com>
[ Upstream commit cef48236dfe55fa266d505e8a497963a7bc5ef2a ]
__nfs_revalidate_inode may return ETIMEDOUT.
print symbol of ETIMEDOUT in nfs trace:
before:
cat-5191 [005] 119.331127: nfs_revalidate_inode_exit: error=-110 (0x6e)
after:
cat-1738 [004] 44.365509: nfs_revalidate_inode_exit: error=-110 (TIMEDOUT)
Signed-off-by: Chen Hanxiao <chenhx.fnst@fujitsu.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Stable-dep-of: c6c209ceb87f ("NFSD: Remove NFSERR_EAGAIN")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/misc/nfs.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/trace/misc/nfs.h
+++ b/include/trace/misc/nfs.h
@@ -52,6 +52,7 @@ TRACE_DEFINE_ENUM(NFSERR_JUKEBOX);
{ NFSERR_IO, "IO" }, \
{ NFSERR_NXIO, "NXIO" }, \
{ ECHILD, "CHILD" }, \
+ { ETIMEDOUT, "TIMEDOUT" }, \
{ NFSERR_EAGAIN, "AGAIN" }, \
{ NFSERR_ACCES, "ACCES" }, \
{ NFSERR_EXIST, "EXIST" }, \
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 543/554] nfs_common: factor out nfs_errtbl and nfs_stat_to_errno
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (541 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 542/554] NFS: trace: show TIMEDOUT instead of 0x6e Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 544/554] NFSD: Remove NFSERR_EAGAIN Greg Kroah-Hartman
` (16 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Snitzer, Jeff Layton, NeilBrown,
Anna Schumaker, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Snitzer <snitzer@kernel.org>
[ Upstream commit 4806ded4c14c5e8fdc6ce885d83221a78c06a428 ]
Common nfs_stat_to_errno() is used by both fs/nfs/nfs2xdr.c and
fs/nfs/nfs3xdr.c
Will also be used by fs/nfsd/localio.c
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: NeilBrown <neilb@suse.de>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Stable-dep-of: c6c209ceb87f ("NFSD: Remove NFSERR_EAGAIN")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/Kconfig | 1
fs/nfs/nfs2xdr.c | 70 -----------------------------
fs/nfs/nfs3xdr.c | 108 ++++++++-------------------------------------
fs/nfs/nfs4xdr.c | 4 -
fs/nfs_common/Makefile | 2
fs/nfs_common/common.c | 67 +++++++++++++++++++++++++++
fs/nfsd/Kconfig | 1
include/linux/nfs_common.h | 16 ++++++
8 files changed, 109 insertions(+), 160 deletions(-)
create mode 100644 fs/nfs_common/common.c
create mode 100644 include/linux/nfs_common.h
--- a/fs/nfs/Kconfig
+++ b/fs/nfs/Kconfig
@@ -5,6 +5,7 @@ config NFS_FS
select CRC32
select LOCKD
select SUNRPC
+ select NFS_COMMON
select NFS_ACL_SUPPORT if NFS_V3_ACL
help
Choose Y here if you want to access files residing on other
--- a/fs/nfs/nfs2xdr.c
+++ b/fs/nfs/nfs2xdr.c
@@ -22,14 +22,12 @@
#include <linux/nfs.h>
#include <linux/nfs2.h>
#include <linux/nfs_fs.h>
+#include <linux/nfs_common.h>
#include "nfstrace.h"
#include "internal.h"
#define NFSDBG_FACILITY NFSDBG_XDR
-/* Mapping from NFS error code to "errno" error code. */
-#define errno_NFSERR_IO EIO
-
/*
* Declare the space requirements for NFS arguments and replies as
* number of 32bit-words
@@ -64,8 +62,6 @@
#define NFS_readdirres_sz (1+NFS_pagepad_sz)
#define NFS_statfsres_sz (1+NFS_info_sz)
-static int nfs_stat_to_errno(enum nfs_stat);
-
/*
* Encode/decode NFSv2 basic data types
*
@@ -1055,70 +1051,6 @@ out_default:
return nfs_stat_to_errno(status);
}
-
-/*
- * We need to translate between nfs status return values and
- * the local errno values which may not be the same.
- */
-static const struct {
- int stat;
- int errno;
-} nfs_errtbl[] = {
- { NFS_OK, 0 },
- { NFSERR_PERM, -EPERM },
- { NFSERR_NOENT, -ENOENT },
- { NFSERR_IO, -errno_NFSERR_IO},
- { NFSERR_NXIO, -ENXIO },
-/* { NFSERR_EAGAIN, -EAGAIN }, */
- { NFSERR_ACCES, -EACCES },
- { NFSERR_EXIST, -EEXIST },
- { NFSERR_XDEV, -EXDEV },
- { NFSERR_NODEV, -ENODEV },
- { NFSERR_NOTDIR, -ENOTDIR },
- { NFSERR_ISDIR, -EISDIR },
- { NFSERR_INVAL, -EINVAL },
- { NFSERR_FBIG, -EFBIG },
- { NFSERR_NOSPC, -ENOSPC },
- { NFSERR_ROFS, -EROFS },
- { NFSERR_MLINK, -EMLINK },
- { NFSERR_NAMETOOLONG, -ENAMETOOLONG },
- { NFSERR_NOTEMPTY, -ENOTEMPTY },
- { NFSERR_DQUOT, -EDQUOT },
- { NFSERR_STALE, -ESTALE },
- { NFSERR_REMOTE, -EREMOTE },
-#ifdef EWFLUSH
- { NFSERR_WFLUSH, -EWFLUSH },
-#endif
- { NFSERR_BADHANDLE, -EBADHANDLE },
- { NFSERR_NOT_SYNC, -ENOTSYNC },
- { NFSERR_BAD_COOKIE, -EBADCOOKIE },
- { NFSERR_NOTSUPP, -ENOTSUPP },
- { NFSERR_TOOSMALL, -ETOOSMALL },
- { NFSERR_SERVERFAULT, -EREMOTEIO },
- { NFSERR_BADTYPE, -EBADTYPE },
- { NFSERR_JUKEBOX, -EJUKEBOX },
- { -1, -EIO }
-};
-
-/**
- * nfs_stat_to_errno - convert an NFS status code to a local errno
- * @status: NFS status code to convert
- *
- * Returns a local errno value, or -EIO if the NFS status code is
- * not recognized. This function is used jointly by NFSv2 and NFSv3.
- */
-static int nfs_stat_to_errno(enum nfs_stat status)
-{
- int i;
-
- for (i = 0; nfs_errtbl[i].stat != -1; i++) {
- if (nfs_errtbl[i].stat == (int)status)
- return nfs_errtbl[i].errno;
- }
- dprintk("NFS: Unrecognized nfs status value: %u\n", status);
- return nfs_errtbl[i].errno;
-}
-
#define PROC(proc, argtype, restype, timer) \
[NFSPROC_##proc] = { \
.p_proc = NFSPROC_##proc, \
--- a/fs/nfs/nfs3xdr.c
+++ b/fs/nfs/nfs3xdr.c
@@ -21,14 +21,13 @@
#include <linux/nfs3.h>
#include <linux/nfs_fs.h>
#include <linux/nfsacl.h>
+#include <linux/nfs_common.h>
+
#include "nfstrace.h"
#include "internal.h"
#define NFSDBG_FACILITY NFSDBG_XDR
-/* Mapping from NFS error code to "errno" error code. */
-#define errno_NFSERR_IO EIO
-
/*
* Declare the space requirements for NFS arguments and replies as
* number of 32bit-words
@@ -91,8 +90,6 @@
NFS3_pagepad_sz)
#define ACL3_setaclres_sz (1+NFS3_post_op_attr_sz)
-static int nfs3_stat_to_errno(enum nfs_stat);
-
/*
* Map file type to S_IFMT bits
*/
@@ -1405,7 +1402,7 @@ static int nfs3_xdr_dec_getattr3res(stru
out:
return error;
out_default:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1444,7 +1441,7 @@ static int nfs3_xdr_dec_setattr3res(stru
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1494,7 +1491,7 @@ out_default:
error = decode_post_op_attr(xdr, result->dir_attr, userns);
if (unlikely(error))
goto out;
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1536,7 +1533,7 @@ static int nfs3_xdr_dec_access3res(struc
out:
return error;
out_default:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1577,7 +1574,7 @@ static int nfs3_xdr_dec_readlink3res(str
out:
return error;
out_default:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1657,7 +1654,7 @@ static int nfs3_xdr_dec_read3res(struct
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1727,7 +1724,7 @@ static int nfs3_xdr_dec_write3res(struct
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1794,7 +1791,7 @@ out_default:
error = decode_wcc_data(xdr, result->dir_attr, userns);
if (unlikely(error))
goto out;
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1834,7 +1831,7 @@ static int nfs3_xdr_dec_remove3res(struc
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1880,7 +1877,7 @@ static int nfs3_xdr_dec_rename3res(struc
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -1925,7 +1922,7 @@ static int nfs3_xdr_dec_link3res(struct
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/**
@@ -2101,7 +2098,7 @@ out_default:
error = decode_post_op_attr(xdr, result->dir_attr, rpc_rqst_userns(req));
if (unlikely(error))
goto out;
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -2167,7 +2164,7 @@ static int nfs3_xdr_dec_fsstat3res(struc
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -2243,7 +2240,7 @@ static int nfs3_xdr_dec_fsinfo3res(struc
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -2304,7 +2301,7 @@ static int nfs3_xdr_dec_pathconf3res(str
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
/*
@@ -2350,7 +2347,7 @@ static int nfs3_xdr_dec_commit3res(struc
out:
return error;
out_status:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
#ifdef CONFIG_NFS_V3_ACL
@@ -2416,7 +2413,7 @@ static int nfs3_xdr_dec_getacl3res(struc
out:
return error;
out_default:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
static int nfs3_xdr_dec_setacl3res(struct rpc_rqst *req,
@@ -2435,76 +2432,11 @@ static int nfs3_xdr_dec_setacl3res(struc
out:
return error;
out_default:
- return nfs3_stat_to_errno(status);
+ return nfs_stat_to_errno(status);
}
#endif /* CONFIG_NFS_V3_ACL */
-
-/*
- * We need to translate between nfs status return values and
- * the local errno values which may not be the same.
- */
-static const struct {
- int stat;
- int errno;
-} nfs_errtbl[] = {
- { NFS_OK, 0 },
- { NFSERR_PERM, -EPERM },
- { NFSERR_NOENT, -ENOENT },
- { NFSERR_IO, -errno_NFSERR_IO},
- { NFSERR_NXIO, -ENXIO },
-/* { NFSERR_EAGAIN, -EAGAIN }, */
- { NFSERR_ACCES, -EACCES },
- { NFSERR_EXIST, -EEXIST },
- { NFSERR_XDEV, -EXDEV },
- { NFSERR_NODEV, -ENODEV },
- { NFSERR_NOTDIR, -ENOTDIR },
- { NFSERR_ISDIR, -EISDIR },
- { NFSERR_INVAL, -EINVAL },
- { NFSERR_FBIG, -EFBIG },
- { NFSERR_NOSPC, -ENOSPC },
- { NFSERR_ROFS, -EROFS },
- { NFSERR_MLINK, -EMLINK },
- { NFSERR_NAMETOOLONG, -ENAMETOOLONG },
- { NFSERR_NOTEMPTY, -ENOTEMPTY },
- { NFSERR_DQUOT, -EDQUOT },
- { NFSERR_STALE, -ESTALE },
- { NFSERR_REMOTE, -EREMOTE },
-#ifdef EWFLUSH
- { NFSERR_WFLUSH, -EWFLUSH },
-#endif
- { NFSERR_BADHANDLE, -EBADHANDLE },
- { NFSERR_NOT_SYNC, -ENOTSYNC },
- { NFSERR_BAD_COOKIE, -EBADCOOKIE },
- { NFSERR_NOTSUPP, -ENOTSUPP },
- { NFSERR_TOOSMALL, -ETOOSMALL },
- { NFSERR_SERVERFAULT, -EREMOTEIO },
- { NFSERR_BADTYPE, -EBADTYPE },
- { NFSERR_JUKEBOX, -EJUKEBOX },
- { -1, -EIO }
-};
-
-/**
- * nfs3_stat_to_errno - convert an NFS status code to a local errno
- * @status: NFS status code to convert
- *
- * Returns a local errno value, or -EIO if the NFS status code is
- * not recognized. This function is used jointly by NFSv2 and NFSv3.
- */
-static int nfs3_stat_to_errno(enum nfs_stat status)
-{
- int i;
-
- for (i = 0; nfs_errtbl[i].stat != -1; i++) {
- if (nfs_errtbl[i].stat == (int)status)
- return nfs_errtbl[i].errno;
- }
- dprintk("NFS: Unrecognized nfs status value: %u\n", status);
- return nfs_errtbl[i].errno;
-}
-
-
#define PROC(proc, argtype, restype, timer) \
[NFS3PROC_##proc] = { \
.p_proc = NFS3PROC_##proc, \
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -52,6 +52,7 @@
#include <linux/nfs.h>
#include <linux/nfs4.h>
#include <linux/nfs_fs.h>
+#include <linux/nfs_common.h>
#include "nfs4_fs.h"
#include "nfs4trace.h"
@@ -63,9 +64,6 @@
#define NFSDBG_FACILITY NFSDBG_XDR
-/* Mapping from NFS error code to "errno" error code. */
-#define errno_NFSERR_IO EIO
-
struct compound_hdr;
static int nfs4_stat_to_errno(int);
static void encode_layoutget(struct xdr_stream *xdr,
--- a/fs/nfs_common/Makefile
+++ b/fs/nfs_common/Makefile
@@ -8,3 +8,5 @@ nfs_acl-objs := nfsacl.o
obj-$(CONFIG_GRACE_PERIOD) += grace.o
obj-$(CONFIG_NFS_V4_2_SSC_HELPER) += nfs_ssc.o
+
+obj-$(CONFIG_NFS_COMMON) += common.o
--- /dev/null
+++ b/fs/nfs_common/common.c
@@ -0,0 +1,67 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include <linux/module.h>
+#include <linux/nfs_common.h>
+
+/*
+ * We need to translate between nfs status return values and
+ * the local errno values which may not be the same.
+ */
+static const struct {
+ int stat;
+ int errno;
+} nfs_errtbl[] = {
+ { NFS_OK, 0 },
+ { NFSERR_PERM, -EPERM },
+ { NFSERR_NOENT, -ENOENT },
+ { NFSERR_IO, -errno_NFSERR_IO},
+ { NFSERR_NXIO, -ENXIO },
+/* { NFSERR_EAGAIN, -EAGAIN }, */
+ { NFSERR_ACCES, -EACCES },
+ { NFSERR_EXIST, -EEXIST },
+ { NFSERR_XDEV, -EXDEV },
+ { NFSERR_NODEV, -ENODEV },
+ { NFSERR_NOTDIR, -ENOTDIR },
+ { NFSERR_ISDIR, -EISDIR },
+ { NFSERR_INVAL, -EINVAL },
+ { NFSERR_FBIG, -EFBIG },
+ { NFSERR_NOSPC, -ENOSPC },
+ { NFSERR_ROFS, -EROFS },
+ { NFSERR_MLINK, -EMLINK },
+ { NFSERR_NAMETOOLONG, -ENAMETOOLONG },
+ { NFSERR_NOTEMPTY, -ENOTEMPTY },
+ { NFSERR_DQUOT, -EDQUOT },
+ { NFSERR_STALE, -ESTALE },
+ { NFSERR_REMOTE, -EREMOTE },
+#ifdef EWFLUSH
+ { NFSERR_WFLUSH, -EWFLUSH },
+#endif
+ { NFSERR_BADHANDLE, -EBADHANDLE },
+ { NFSERR_NOT_SYNC, -ENOTSYNC },
+ { NFSERR_BAD_COOKIE, -EBADCOOKIE },
+ { NFSERR_NOTSUPP, -ENOTSUPP },
+ { NFSERR_TOOSMALL, -ETOOSMALL },
+ { NFSERR_SERVERFAULT, -EREMOTEIO },
+ { NFSERR_BADTYPE, -EBADTYPE },
+ { NFSERR_JUKEBOX, -EJUKEBOX },
+ { -1, -EIO }
+};
+
+/**
+ * nfs_stat_to_errno - convert an NFS status code to a local errno
+ * @status: NFS status code to convert
+ *
+ * Returns a local errno value, or -EIO if the NFS status code is
+ * not recognized. This function is used jointly by NFSv2 and NFSv3.
+ */
+int nfs_stat_to_errno(enum nfs_stat status)
+{
+ int i;
+
+ for (i = 0; nfs_errtbl[i].stat != -1; i++) {
+ if (nfs_errtbl[i].stat == (int)status)
+ return nfs_errtbl[i].errno;
+ }
+ return nfs_errtbl[i].errno;
+}
+EXPORT_SYMBOL_GPL(nfs_stat_to_errno);
--- a/fs/nfsd/Kconfig
+++ b/fs/nfsd/Kconfig
@@ -8,6 +8,7 @@ config NFSD
select LOCKD
select SUNRPC
select EXPORTFS
+ select NFS_COMMON
select NFS_ACL_SUPPORT if NFSD_V2_ACL
select NFS_ACL_SUPPORT if NFSD_V3_ACL
depends on MULTIUSER
--- /dev/null
+++ b/include/linux/nfs_common.h
@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * This file contains constants and methods used by both NFS client and server.
+ */
+#ifndef _LINUX_NFS_COMMON_H
+#define _LINUX_NFS_COMMON_H
+
+#include <linux/errno.h>
+#include <uapi/linux/nfs.h>
+
+/* Mapping from NFS error code to "errno" error code. */
+#define errno_NFSERR_IO EIO
+
+int nfs_stat_to_errno(enum nfs_stat status);
+
+#endif /* _LINUX_NFS_COMMON_H */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 544/554] NFSD: Remove NFSERR_EAGAIN
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (542 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 543/554] nfs_common: factor out nfs_errtbl and nfs_stat_to_errno Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 545/554] nfsd: provide locking for v4_end_grace Greg Kroah-Hartman
` (15 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, NeilBrown, Jeff Layton, Chuck Lever,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit c6c209ceb87f64a6ceebe61761951dcbbf4a0baa ]
I haven't found an NFSERR_EAGAIN in RFCs 1094, 1813, 7530, or 8881.
None of these RFCs have an NFS status code that match the numeric
value "11".
Based on the meaning of the EAGAIN errno, I presume the use of this
status in NFSD means NFS4ERR_DELAY. So replace the one usage of
nfserr_eagain, and remove it from NFSD's NFS status conversion
tables.
As far as I can tell, NFSERR_EAGAIN has existed since the pre-git
era, but was not actually used by any code until commit f4e44b393389
("NFSD: delay unmount source's export after inter-server copy
completed."), at which time it become possible for NFSD to return
a status code of 11 (which is not valid NFS protocol).
Fixes: f4e44b393389 ("NFSD: delay unmount source's export after inter-server copy completed.")
Cc: stable@vger.kernel.org
Reviewed-by: NeilBrown <neil@brown.name>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs_common/common.c | 1 -
fs/nfsd/nfs4proc.c | 2 +-
fs/nfsd/nfsd.h | 1 -
include/trace/misc/nfs.h | 2 --
include/uapi/linux/nfs.h | 1 -
5 files changed, 1 insertion(+), 6 deletions(-)
--- a/fs/nfs_common/common.c
+++ b/fs/nfs_common/common.c
@@ -16,7 +16,6 @@ static const struct {
{ NFSERR_NOENT, -ENOENT },
{ NFSERR_IO, -errno_NFSERR_IO},
{ NFSERR_NXIO, -ENXIO },
-/* { NFSERR_EAGAIN, -EAGAIN }, */
{ NFSERR_ACCES, -EACCES },
{ NFSERR_EXIST, -EEXIST },
{ NFSERR_XDEV, -EXDEV },
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1322,7 +1322,7 @@ try_again:
(freezable_schedule_timeout(20*HZ) == 0)) {
finish_wait(&nn->nfsd_ssc_waitq, &wait);
kfree(work);
- return nfserr_eagain;
+ return nfserr_jukebox;
}
finish_wait(&nn->nfsd_ssc_waitq, &wait);
goto try_again;
--- a/fs/nfsd/nfsd.h
+++ b/fs/nfsd/nfsd.h
@@ -201,7 +201,6 @@ void nfsd_lockd_shutdown(void);
#define nfserr_noent cpu_to_be32(NFSERR_NOENT)
#define nfserr_io cpu_to_be32(NFSERR_IO)
#define nfserr_nxio cpu_to_be32(NFSERR_NXIO)
-#define nfserr_eagain cpu_to_be32(NFSERR_EAGAIN)
#define nfserr_acces cpu_to_be32(NFSERR_ACCES)
#define nfserr_exist cpu_to_be32(NFSERR_EXIST)
#define nfserr_xdev cpu_to_be32(NFSERR_XDEV)
--- a/include/trace/misc/nfs.h
+++ b/include/trace/misc/nfs.h
@@ -16,7 +16,6 @@ TRACE_DEFINE_ENUM(NFSERR_PERM);
TRACE_DEFINE_ENUM(NFSERR_NOENT);
TRACE_DEFINE_ENUM(NFSERR_IO);
TRACE_DEFINE_ENUM(NFSERR_NXIO);
-TRACE_DEFINE_ENUM(NFSERR_EAGAIN);
TRACE_DEFINE_ENUM(NFSERR_ACCES);
TRACE_DEFINE_ENUM(NFSERR_EXIST);
TRACE_DEFINE_ENUM(NFSERR_XDEV);
@@ -53,7 +52,6 @@ TRACE_DEFINE_ENUM(NFSERR_JUKEBOX);
{ NFSERR_NXIO, "NXIO" }, \
{ ECHILD, "CHILD" }, \
{ ETIMEDOUT, "TIMEDOUT" }, \
- { NFSERR_EAGAIN, "AGAIN" }, \
{ NFSERR_ACCES, "ACCES" }, \
{ NFSERR_EXIST, "EXIST" }, \
{ NFSERR_XDEV, "XDEV" }, \
--- a/include/uapi/linux/nfs.h
+++ b/include/uapi/linux/nfs.h
@@ -49,7 +49,6 @@
NFSERR_NOENT = 2, /* v2 v3 v4 */
NFSERR_IO = 5, /* v2 v3 v4 */
NFSERR_NXIO = 6, /* v2 v3 v4 */
- NFSERR_EAGAIN = 11, /* v2 v3 */
NFSERR_ACCES = 13, /* v2 v3 v4 */
NFSERR_EXIST = 17, /* v2 v3 v4 */
NFSERR_XDEV = 18, /* v3 v4 */
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 545/554] nfsd: provide locking for v4_end_grace
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (543 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 544/554] NFSD: Remove NFSERR_EAGAIN Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 546/554] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag Greg Kroah-Hartman
` (14 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Lingfeng, NeilBrown, Jeff Layton,
Chuck Lever, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neil@brown.name>
[ Upstream commit 2857bd59feb63fcf40fe4baf55401baea6b4feb4 ]
Writing to v4_end_grace can race with server shutdown and result in
memory being accessed after it was freed - reclaim_str_hashtbl in
particularly.
We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is
held while client_tracking_op->init() is called and that can wait for
an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a
deadlock.
nfsd4_end_grace() is also called by the landromat work queue and this
doesn't require locking as server shutdown will stop the work and wait
for it before freeing anything that nfsd4_end_grace() might access.
However, we must be sure that writing to v4_end_grace doesn't restart
the work item after shutdown has already waited for it. For this we
add a new flag protected with nn->client_lock. It is set only while it
is safe to make client tracking calls, and v4_end_grace only schedules
work while the flag is set with the spinlock held.
So this patch adds a nfsd_net field "client_tracking_active" which is
set as described. Another field "grace_end_forced", is set when
v4_end_grace is written. After this is set, and providing
client_tracking_active is set, the laundromat is scheduled.
This "grace_end_forced" field bypasses other checks for whether the
grace period has finished.
This resolves a race which can result in use-after-free.
Reported-by: Li Lingfeng <lilingfeng3@huawei.com>
Closes: https://lore.kernel.org/linux-nfs/20250623030015.2353515-1-neil@brown.name/T/#t
Fixes: 7f5ef2e900d9 ("nfsd: add a v4_end_grace file to /proc/fs/nfsd")
Cc: stable@vger.kernel.org
Signed-off-by: NeilBrown <neil@brown.name>
Tested-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
[ Adjust context ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/netns.h | 2 ++
fs/nfsd/nfs4state.c | 42 ++++++++++++++++++++++++++++++++++++++++--
fs/nfsd/nfsctl.c | 3 +--
fs/nfsd/state.h | 2 +-
4 files changed, 44 insertions(+), 5 deletions(-)
--- a/fs/nfsd/netns.h
+++ b/fs/nfsd/netns.h
@@ -64,6 +64,8 @@ struct nfsd_net {
struct lock_manager nfsd4_manager;
bool grace_ended;
+ bool grace_end_forced;
+ bool client_tracking_active;
time64_t boot_time;
struct dentry *nfsd_client_dir;
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -84,7 +84,7 @@ static u64 current_sessionid = 1;
/* forward declarations */
static bool check_for_locks(struct nfs4_file *fp, struct nfs4_lockowner *lowner);
static void nfs4_free_ol_stateid(struct nfs4_stid *stid);
-void nfsd4_end_grace(struct nfsd_net *nn);
+static void nfsd4_end_grace(struct nfsd_net *nn);
static void _free_cpntf_state_locked(struct nfsd_net *nn, struct nfs4_cpntf_state *cps);
static void nfsd4_file_hash_remove(struct nfs4_file *fi);
@@ -5883,7 +5883,7 @@ nfsd4_renew(struct svc_rqst *rqstp, stru
return nfs_ok;
}
-void
+static void
nfsd4_end_grace(struct nfsd_net *nn)
{
/* do nothing if grace period already ended */
@@ -5916,6 +5916,33 @@ nfsd4_end_grace(struct nfsd_net *nn)
*/
}
+/**
+ * nfsd4_force_end_grace - forcibly end the NFSv4 grace period
+ * @nn: network namespace for the server instance to be updated
+ *
+ * Forces bypass of normal grace period completion, then schedules
+ * the laundromat to end the grace period immediately. Does not wait
+ * for the grace period to fully terminate before returning.
+ *
+ * Return values:
+ * %true: Grace termination schedule
+ * %false: No action was taken
+ */
+bool nfsd4_force_end_grace(struct nfsd_net *nn)
+{
+ if (!nn->client_tracking_ops)
+ return false;
+ spin_lock(&nn->client_lock);
+ if (nn->grace_ended || !nn->client_tracking_active) {
+ spin_unlock(&nn->client_lock);
+ return false;
+ }
+ WRITE_ONCE(nn->grace_end_forced, true);
+ mod_delayed_work(laundry_wq, &nn->laundromat_work, 0);
+ spin_unlock(&nn->client_lock);
+ return true;
+}
+
/*
* If we've waited a lease period but there are still clients trying to
* reclaim, wait a little longer to give them a chance to finish.
@@ -5925,6 +5952,8 @@ static bool clients_still_reclaiming(str
time64_t double_grace_period_end = nn->boot_time +
2 * nn->nfsd4_lease;
+ if (READ_ONCE(nn->grace_end_forced))
+ return false;
if (nn->track_reclaim_completes &&
atomic_read(&nn->nr_reclaim_complete) ==
nn->reclaim_str_hashtbl_size)
@@ -8132,6 +8161,8 @@ static int nfs4_state_create_net(struct
nn->unconf_name_tree = RB_ROOT;
nn->boot_time = ktime_get_real_seconds();
nn->grace_ended = false;
+ nn->grace_end_forced = false;
+ nn->client_tracking_active = false;
nn->nfsd4_manager.block_opens = true;
INIT_LIST_HEAD(&nn->nfsd4_manager.list);
INIT_LIST_HEAD(&nn->client_lru);
@@ -8208,6 +8239,10 @@ nfs4_state_start_net(struct net *net)
return ret;
locks_start_grace(net, &nn->nfsd4_manager);
nfsd4_client_tracking_init(net);
+ /* safe for laundromat to run now */
+ spin_lock(&nn->client_lock);
+ nn->client_tracking_active = true;
+ spin_unlock(&nn->client_lock);
if (nn->track_reclaim_completes && nn->reclaim_str_hashtbl_size == 0)
goto skip_grace;
printk(KERN_INFO "NFSD: starting %lld-second grace period (net %x)\n",
@@ -8254,6 +8289,9 @@ nfs4_state_shutdown_net(struct net *net)
unregister_shrinker(&nn->nfsd_client_shrinker);
cancel_work_sync(&nn->nfsd_shrinker_work);
+ spin_lock(&nn->client_lock);
+ nn->client_tracking_active = false;
+ spin_unlock(&nn->client_lock);
cancel_delayed_work_sync(&nn->laundromat_work);
locks_end_grace(&nn->nfsd4_manager);
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1117,9 +1117,8 @@ static ssize_t write_v4_end_grace(struct
case 'Y':
case 'y':
case '1':
- if (!nn->nfsd_serv)
+ if (!nfsd4_force_end_grace(nn))
return -EBUSY;
- nfsd4_end_grace(nn);
break;
default:
return -EINVAL;
--- a/fs/nfsd/state.h
+++ b/fs/nfsd/state.h
@@ -719,7 +719,7 @@ static inline void get_nfs4_file(struct
struct nfsd_file *find_any_file(struct nfs4_file *f);
/* grace period management */
-void nfsd4_end_grace(struct nfsd_net *nn);
+bool nfsd4_force_end_grace(struct nfsd_net *nn);
/* nfs4recover operations */
extern int nfsd4_client_tracking_init(struct net *net);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 546/554] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (544 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 545/554] nfsd: provide locking for v4_end_grace Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 547/554] pinctrl: qcom: lpass-lpi: Remove duplicate assignment of of_gpio_n_cells Greg Kroah-Hartman
` (13 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Alexander Sverdlin, Oleksij Rempel, William Breathitt Gray,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
[ Upstream commit 23f9485510c338476b9735d516c1d4aacb810d46 ]
An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as
CONFIG_PROVE_RAW_LOCK_NESTING warns:
=============================
[ BUG: Invalid wait context ]
6.18.0-rc1+git... #1
-----------------------------
some-user-space-process/1251 is trying to lock:
(&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter]
other info that might help us debug this:
context-{2:2}
no locks held by some-user-space-process/....
stack backtrace:
CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git... #1 PREEMPT
Call trace:
show_stack (C)
dump_stack_lvl
dump_stack
__lock_acquire
lock_acquire
_raw_spin_lock_irqsave
counter_push_event [counter]
interrupt_cnt_isr [interrupt_cnt]
__handle_irq_event_percpu
handle_irq_event
handle_simple_irq
handle_irq_desc
generic_handle_domain_irq
gpio_irq_handler
handle_irq_desc
generic_handle_domain_irq
gic_handle_irq
call_on_irq_stack
do_interrupt_handler
el0_interrupt
__el0_irq_handler_common
el0t_64_irq_handler
el0t_64_irq
... and Sebastian correctly points out. Remove IRQF_NO_THREAD as an
alternative to switching to raw_spinlock_t, because the latter would limit
all potential nested locks to raw_spinlock_t only.
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20251117151314.xwLAZrWY@linutronix.de/
Fixes: a55ebd47f21f ("counter: add IRQ or GPIO based counter")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://lore.kernel.org/r/20251118083603.778626-1-alexander.sverdlin@siemens.com
Signed-off-by: William Breathitt Gray <wbg@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/counter/interrupt-cnt.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/counter/interrupt-cnt.c
+++ b/drivers/counter/interrupt-cnt.c
@@ -208,8 +208,7 @@ static int interrupt_cnt_probe(struct pl
irq_set_status_flags(priv->irq, IRQ_NOAUTOEN);
ret = devm_request_irq(dev, priv->irq, interrupt_cnt_isr,
- IRQF_TRIGGER_RISING | IRQF_NO_THREAD,
- dev_name(dev), priv);
+ IRQF_TRIGGER_RISING, dev_name(dev), priv);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 547/554] pinctrl: qcom: lpass-lpi: Remove duplicate assignment of of_gpio_n_cells
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (545 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 546/554] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 548/554] pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping Greg Kroah-Hartman
` (12 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit a3fc976a2d68cb74ae4234314002e4e398e4c337 ]
The of_gpio_n_cells default is 2 when ->of_xlate() callback is
not defined. No need to assign it explicitly in the driver.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20230112184923.80442-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Stable-dep-of: ebc18e9854e5 ("pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/qcom/pinctrl-lpass-lpi.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
+++ b/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
@@ -644,7 +644,6 @@ static int lpi_pinctrl_probe(struct plat
pctrl->chip.base = -1;
pctrl->chip.ngpio = data->npins;
pctrl->chip.label = dev_name(dev);
- pctrl->chip.of_gpio_n_cells = 2;
pctrl->chip.can_sleep = false;
mutex_init(&pctrl->lock);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 548/554] pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (546 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 547/554] pinctrl: qcom: lpass-lpi: Remove duplicate assignment of of_gpio_n_cells Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 549/554] blk-throttle: Set BIO_THROTTLED when bio has been throttled Greg Kroah-Hartman
` (11 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Val Packett, Bartosz Golaszewski,
Dmitry Baryshkov, Bjorn Andersson, Linus Walleij, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit ebc18e9854e5a2b62a041fb57b216a903af45b85 ]
The gpio_chip settings in this driver say the controller can't sleep
but it actually uses a mutex for synchronization. This triggers the
following BUG():
[ 9.233659] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:281
[ 9.233665] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 554, name: (udev-worker)
[ 9.233669] preempt_count: 1, expected: 0
[ 9.233673] RCU nest depth: 0, expected: 0
[ 9.233688] Tainted: [W]=WARN
[ 9.233690] Hardware name: Dell Inc. Latitude 7455/0FK7MX, BIOS 2.10.1 05/20/2025
[ 9.233694] Call trace:
[ 9.233696] show_stack+0x24/0x38 (C)
[ 9.233709] dump_stack_lvl+0x40/0x88
[ 9.233716] dump_stack+0x18/0x24
[ 9.233722] __might_resched+0x148/0x160
[ 9.233731] __might_sleep+0x38/0x98
[ 9.233736] mutex_lock+0x30/0xd8
[ 9.233749] lpi_config_set+0x2e8/0x3c8 [pinctrl_lpass_lpi]
[ 9.233757] lpi_gpio_direction_output+0x58/0x90 [pinctrl_lpass_lpi]
[ 9.233761] gpiod_direction_output_raw_commit+0x110/0x428
[ 9.233772] gpiod_direction_output_nonotify+0x234/0x358
[ 9.233779] gpiod_direction_output+0x38/0xd0
[ 9.233786] gpio_shared_proxy_direction_output+0xb8/0x2a8 [gpio_shared_proxy]
[ 9.233792] gpiod_direction_output_raw_commit+0x110/0x428
[ 9.233799] gpiod_direction_output_nonotify+0x234/0x358
[ 9.233806] gpiod_configure_flags+0x2c0/0x580
[ 9.233812] gpiod_find_and_request+0x358/0x4f8
[ 9.233819] gpiod_get_index+0x7c/0x98
[ 9.233826] devm_gpiod_get+0x34/0xb0
[ 9.233829] reset_gpio_probe+0x58/0x128 [reset_gpio]
[ 9.233836] auxiliary_bus_probe+0xb0/0xf0
[ 9.233845] really_probe+0x14c/0x450
[ 9.233853] __driver_probe_device+0xb0/0x188
[ 9.233858] driver_probe_device+0x4c/0x250
[ 9.233863] __driver_attach+0xf8/0x2a0
[ 9.233868] bus_for_each_dev+0xf8/0x158
[ 9.233872] driver_attach+0x30/0x48
[ 9.233876] bus_add_driver+0x158/0x2b8
[ 9.233880] driver_register+0x74/0x118
[ 9.233886] __auxiliary_driver_register+0x94/0xe8
[ 9.233893] init_module+0x34/0xfd0 [reset_gpio]
[ 9.233898] do_one_initcall+0xec/0x300
[ 9.233903] do_init_module+0x64/0x260
[ 9.233910] load_module+0x16c4/0x1900
[ 9.233915] __arm64_sys_finit_module+0x24c/0x378
[ 9.233919] invoke_syscall+0x4c/0xe8
[ 9.233925] el0_svc_common+0x8c/0xf0
[ 9.233929] do_el0_svc+0x28/0x40
[ 9.233934] el0_svc+0x38/0x100
[ 9.233938] el0t_64_sync_handler+0x84/0x130
[ 9.233943] el0t_64_sync+0x17c/0x180
Mark the controller as sleeping.
Fixes: 6e261d1090d6 ("pinctrl: qcom: Add sm8250 lpass lpi pinctrl driver")
Cc: stable@vger.kernel.org
Reported-by: Val Packett <val@packett.cool>
Closes: https://lore.kernel.org/all/98c0f185-b0e0-49ea-896c-f3972dd011ca@packett.cool/
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Linus Walleij <linusw@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/qcom/pinctrl-lpass-lpi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
+++ b/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
@@ -644,7 +644,7 @@ static int lpi_pinctrl_probe(struct plat
pctrl->chip.base = -1;
pctrl->chip.ngpio = data->npins;
pctrl->chip.label = dev_name(dev);
- pctrl->chip.can_sleep = false;
+ pctrl->chip.can_sleep = true;
mutex_init(&pctrl->lock);
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 549/554] blk-throttle: Set BIO_THROTTLED when bio has been throttled
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (547 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 548/554] pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 550/554] powercap: fix race condition in register_control_type() Greg Kroah-Hartman
` (10 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laibin Qiu, Ming Lei, Jens Axboe,
Sasha Levin, Keerthana K, Shivani Agarwal
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laibin Qiu <qiulaibin@huawei.com>
[ Upstream commit 5a011f889b4832aa80c2a872a5aade5c48d2756f ]
1.In current process, all bio will set the BIO_THROTTLED flag
after __blk_throtl_bio().
2.If bio needs to be throttled, it will start the timer and
stop submit bio directly. Bio will submit in
blk_throtl_dispatch_work_fn() when the timer expires.But in
the current process, if bio is throttled. The BIO_THROTTLED
will be set to bio after timer start. If the bio has been
completed, it may cause use-after-free blow.
BUG: KASAN: use-after-free in blk_throtl_bio+0x12f0/0x2c70
Read of size 2 at addr ffff88801b8902d4 by task fio/26380
dump_stack+0x9b/0xce
print_address_description.constprop.6+0x3e/0x60
kasan_report.cold.9+0x22/0x3a
blk_throtl_bio+0x12f0/0x2c70
submit_bio_checks+0x701/0x1550
submit_bio_noacct+0x83/0xc80
submit_bio+0xa7/0x330
mpage_readahead+0x380/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Allocated by task 26380:
kasan_save_stack+0x19/0x40
__kasan_kmalloc.constprop.2+0xc1/0xd0
kmem_cache_alloc+0x146/0x440
mempool_alloc+0x125/0x2f0
bio_alloc_bioset+0x353/0x590
mpage_alloc+0x3b/0x240
do_mpage_readpage+0xddf/0x1ef0
mpage_readahead+0x264/0x500
read_pages+0x1c1/0xbf0
page_cache_ra_unbounded+0x471/0x6f0
do_page_cache_ra+0xda/0x110
ondemand_readahead+0x442/0xae0
page_cache_async_ra+0x210/0x300
generic_file_buffered_read+0x4d9/0x2130
generic_file_read_iter+0x315/0x490
blkdev_read_iter+0x113/0x1b0
aio_read+0x2ad/0x450
io_submit_one+0xc8e/0x1d60
__se_sys_io_submit+0x125/0x350
do_syscall_64+0x2d/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 0:
kasan_save_stack+0x19/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x1b/0x30
__kasan_slab_free+0x111/0x160
kmem_cache_free+0x94/0x460
mempool_free+0xd6/0x320
bio_free+0xe0/0x130
bio_put+0xab/0xe0
bio_endio+0x3a6/0x5d0
blk_update_request+0x590/0x1370
scsi_end_request+0x7d/0x400
scsi_io_completion+0x1aa/0xe50
scsi_softirq_done+0x11b/0x240
blk_mq_complete_request+0xd4/0x120
scsi_mq_done+0xf0/0x200
virtscsi_vq_done+0xbc/0x150
vring_interrupt+0x179/0x390
__handle_irq_event_percpu+0xf7/0x490
handle_irq_event_percpu+0x7b/0x160
handle_irq_event+0xcc/0x170
handle_edge_irq+0x215/0xb20
common_interrupt+0x60/0x120
asm_common_interrupt+0x1e/0x40
Fix this by move BIO_THROTTLED set into the queue_lock.
Signed-off-by: Laibin Qiu <qiulaibin@huawei.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20220301123919.2381579-1-qiulaibin@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Keerthana: Remove 'out' and handle return with reference to commit 81c7a63 ]
Signed-off-by: Keerthana K <keerthana.kalyanasundaram@broadcom.com>
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-throttle.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -2222,8 +2222,10 @@ bool blk_throtl_bio(struct bio *bio)
rcu_read_lock();
/* see throtl_charge_bio() */
- if (bio_flagged(bio, BIO_THROTTLED))
- goto out;
+ if (bio_flagged(bio, BIO_THROTTLED)) {
+ rcu_read_unlock();
+ return false;
+ }
if (!cgroup_subsys_on_dfl(io_cgrp_subsys)) {
blkg_rwstat_add(&tg->stat_bytes, bio->bi_opf,
@@ -2231,8 +2233,10 @@ bool blk_throtl_bio(struct bio *bio)
blkg_rwstat_add(&tg->stat_ios, bio->bi_opf, 1);
}
- if (!tg->has_rules[rw])
- goto out;
+ if (!tg->has_rules[rw]) {
+ rcu_read_unlock();
+ return false;
+ }
spin_lock_irq(&q->queue_lock);
@@ -2316,14 +2320,14 @@ again:
}
out_unlock:
- spin_unlock_irq(&q->queue_lock);
-out:
bio_set_flag(bio, BIO_THROTTLED);
#ifdef CONFIG_BLK_DEV_THROTTLING_LOW
if (throttled || !td->track_bio_latency)
bio->bi_issue.value |= BIO_ISSUE_THROTL_SKIP_LATENCY;
#endif
+ spin_unlock_irq(&q->queue_lock);
+
rcu_read_unlock();
return throttled;
}
^ permalink raw reply [flat|nested] 564+ messages in thread
* [PATCH 5.15 550/554] powercap: fix race condition in register_control_type()
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (548 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 549/554] blk-throttle: Set BIO_THROTTLED when bio has been throttled Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 551/554] powercap: fix sscanf() error return value handling Greg Kroah-Hartman
` (9 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumeet Pawnikar, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumeet Pawnikar <sumeet4linux@gmail.com>
[ Upstream commit 7bda1910c4bccd4b8d4726620bb3d6bbfb62286e ]
The device becomes visible to userspace via device_register()
even before it fully initialized by idr_init(). If userspace
or another thread tries to register a zone immediately after
device_register(), the control_type_valid() will fail because
the control_type is not yet in the list. The IDR is not yet
initialized, so this race condition causes zone registration
failure.
Move idr_init() and list addition before device_register()
fix the race condition.
Signed-off-by: Sumeet Pawnikar <sumeet4linux@gmail.com>
[ rjw: Subject adjustment, empty line added ]
Link: https://patch.msgid.link/20251205190216.5032-1-sumeet4linux@gmail.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/powercap/powercap_sys.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
index fd475e463d1fa..d7dadcaa3736b 100644
--- a/drivers/powercap/powercap_sys.c
+++ b/drivers/powercap/powercap_sys.c
@@ -624,17 +624,23 @@ struct powercap_control_type *powercap_register_control_type(
INIT_LIST_HEAD(&control_type->node);
control_type->dev.class = &powercap_class;
dev_set_name(&control_type->dev, "%s", name);
- result = device_register(&control_type->dev);
- if (result) {
- put_device(&control_type->dev);
- return ERR_PTR(result);
- }
idr_init(&control_type->idr);
mutex_lock(&powercap_cntrl_list_lock);
list_add_tail(&control_type->node, &powercap_cntrl_list);
mutex_unlock(&powercap_cntrl_list_lock);
+ result = device_register(&control_type->dev);
+ if (result) {
+ mutex_lock(&powercap_cntrl_list_lock);
+ list_del(&control_type->node);
+ mutex_unlock(&powercap_cntrl_list_lock);
+
+ idr_destroy(&control_type->idr);
+ put_device(&control_type->dev);
+ return ERR_PTR(result);
+ }
+
return control_type;
}
EXPORT_SYMBOL_GPL(powercap_register_control_type);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 551/554] powercap: fix sscanf() error return value handling
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (549 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 550/554] powercap: fix race condition in register_control_type() Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 552/554] can: j1939: make j1939_session_activate() fail if device is no longer registered Greg Kroah-Hartman
` (8 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sumeet Pawnikar, Rafael J. Wysocki,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sumeet Pawnikar <sumeet4linux@gmail.com>
[ Upstream commit efc4c35b741af973de90f6826bf35d3b3ac36bf1 ]
Fix inconsistent error handling for sscanf() return value check.
Implicit boolean conversion is used instead of explicit return
value checks. The code checks if (!sscanf(...)) which is incorrect
because:
1. sscanf returns the number of successfully parsed items
2. On success, it returns 1 (one item passed)
3. On failure, it returns 0 or EOF
4. The check 'if (!sscanf(...))' is wrong because it treats
success (1) as failure
All occurrences of sscanf() now uses explicit return value check.
With this behavior it returns '-EINVAL' when parsing fails (returns
0 or EOF), and continues when parsing succeeds (returns 1).
Signed-off-by: Sumeet Pawnikar <sumeet4linux@gmail.com>
[ rjw: Subject and changelog edits ]
Link: https://patch.msgid.link/20251207151549.202452-1-sumeet4linux@gmail.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/powercap/powercap_sys.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
index d7dadcaa3736b..72fa1f5affcea 100644
--- a/drivers/powercap/powercap_sys.c
+++ b/drivers/powercap/powercap_sys.c
@@ -67,7 +67,7 @@ static ssize_t show_constraint_##_attr(struct device *dev, \
int id; \
struct powercap_zone_constraint *pconst;\
\
- if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id)) \
+ if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1) \
return -EINVAL; \
if (id >= power_zone->const_id_cnt) \
return -EINVAL; \
@@ -92,7 +92,7 @@ static ssize_t store_constraint_##_attr(struct device *dev,\
int id; \
struct powercap_zone_constraint *pconst;\
\
- if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id)) \
+ if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1) \
return -EINVAL; \
if (id >= power_zone->const_id_cnt) \
return -EINVAL; \
@@ -161,7 +161,7 @@ static ssize_t show_constraint_name(struct device *dev,
ssize_t len = -ENODATA;
struct powercap_zone_constraint *pconst;
- if (!sscanf(dev_attr->attr.name, "constraint_%d_", &id))
+ if (sscanf(dev_attr->attr.name, "constraint_%d_", &id) != 1)
return -EINVAL;
if (id >= power_zone->const_id_cnt)
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 552/554] can: j1939: make j1939_session_activate() fail if device is no longer registered
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (550 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 551/554] powercap: fix sscanf() error return value handling Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 553/554] ASoC: fsl_sai: Add missing registers to cache default Greg Kroah-Hartman
` (7 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa, Oleksij Rempel,
Marc Kleine-Budde, Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
[ Upstream commit 5d5602236f5db19e8b337a2cd87a90ace5ea776d ]
syzbot is still reporting
unregister_netdevice: waiting for vcan0 to become free. Usage count = 2
even after commit 93a27b5891b8 ("can: j1939: add missing calls in
NETDEV_UNREGISTER notification handler") was added. A debug printk() patch
found that j1939_session_activate() can succeed even after
j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER)
has completed.
Since j1939_cancel_active_session() is processed with the session list lock
held, checking ndev->reg_state in j1939_session_activate() with the session
list lock held can reliably close the race window.
Reported-by: syzbot <syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Link: https://patch.msgid.link/b9653191-d479-4c8b-8536-1326d028db5c@I-love.SAKURA.ne.jp
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/can/j1939/transport.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
index 76d625c668e05..0522c223570c7 100644
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1571,6 +1571,8 @@ int j1939_session_activate(struct j1939_session *session)
if (active) {
j1939_session_put(active);
ret = -EAGAIN;
+ } else if (priv->ndev->reg_state != NETREG_REGISTERED) {
+ ret = -ENODEV;
} else {
WARN_ON_ONCE(session->state != J1939_SESSION_NEW);
list_add_tail(&session->active_session_list_entry,
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 553/554] ASoC: fsl_sai: Add missing registers to cache default
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (551 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 552/554] can: j1939: make j1939_session_activate() fail if device is no longer registered Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 554/554] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout Greg Kroah-Hartman
` (6 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Stein, Mark Brown,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Stein <alexander.stein@ew.tq-group.com>
[ Upstream commit 90ed688792a6b7012b3e8a2f858bc3fe7454d0eb ]
Drivers does cache sync during runtime resume, setting all writable
registers. Not all writable registers are set in cache default, resulting
in the erorr message:
fsl-sai 30c30000.sai: using zero-initialized flat cache, this may cause
unexpected behavior
Fix this by adding missing writable register defaults.
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Link: https://patch.msgid.link/20251216102246.676181-1-alexander.stein@ew.tq-group.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/fsl_sai.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
index 45d8ef029a638..82911e5ed1796 100644
--- a/sound/soc/fsl/fsl_sai.c
+++ b/sound/soc/fsl/fsl_sai.c
@@ -779,6 +779,7 @@ static struct reg_default fsl_sai_reg_defaults_ofs0[] = {
{FSL_SAI_TDR6, 0},
{FSL_SAI_TDR7, 0},
{FSL_SAI_TMR, 0},
+ {FSL_SAI_TTCTL, 0},
{FSL_SAI_RCR1(0), 0},
{FSL_SAI_RCR2(0), 0},
{FSL_SAI_RCR3(0), 0},
@@ -802,12 +803,14 @@ static struct reg_default fsl_sai_reg_defaults_ofs8[] = {
{FSL_SAI_TDR6, 0},
{FSL_SAI_TDR7, 0},
{FSL_SAI_TMR, 0},
+ {FSL_SAI_TTCTL, 0},
{FSL_SAI_RCR1(8), 0},
{FSL_SAI_RCR2(8), 0},
{FSL_SAI_RCR3(8), 0},
{FSL_SAI_RCR4(8), 0},
{FSL_SAI_RCR5(8), 0},
{FSL_SAI_RMR, 0},
+ {FSL_SAI_RTCTL, 0},
{FSL_SAI_MCTL, 0},
{FSL_SAI_MDIV, 0},
};
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* [PATCH 5.15 554/554] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (552 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 553/554] ASoC: fsl_sai: Add missing registers to cache default Greg Kroah-Hartman
@ 2026-01-15 16:50 ` Greg Kroah-Hartman
2026-01-15 19:15 ` [PATCH 5.15 000/554] 5.15.198-rc1 review Brett A C Sheffield
` (5 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-15 16:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Rábek, Tomas Henzl,
Changhui Zhong, Ewan D. Milne, John Meneghini, Martin K. Petersen,
Sasha Levin
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Rábek <mrabek@redhat.com>
[ Upstream commit 0e1677654259a2f3ccf728de1edde922a3c4ba57 ]
A race condition was found in sg_proc_debug_helper(). It was observed on
a system using an IBM LTO-9 SAS Tape Drive (ULTRIUM-TD9) and monitoring
/proc/scsi/sg/debug every second. A very large elapsed time would
sometimes appear. This is caused by two race conditions.
We reproduced the issue with an IBM ULTRIUM-HH9 tape drive on an x86_64
architecture. A patched kernel was built, and the race condition could
not be observed anymore after the application of this patch. A
reproducer C program utilising the scsi_debug module was also built by
Changhui Zhong and can be viewed here:
https://github.com/MichaelRabek/linux-tests/blob/master/drivers/scsi/sg/sg_race_trigger.c
The first race happens between the reading of hp->duration in
sg_proc_debug_helper() and request completion in sg_rq_end_io(). The
hp->duration member variable may hold either of two types of
information:
#1 - The start time of the request. This value is present while
the request is not yet finished.
#2 - The total execution time of the request (end_time - start_time).
If sg_proc_debug_helper() executes *after* the value of hp->duration was
changed from #1 to #2, but *before* srp->done is set to 1 in
sg_rq_end_io(), a fresh timestamp is taken in the else branch, and the
elapsed time (value type #2) is subtracted from a timestamp, which
cannot yield a valid elapsed time (which is a type #2 value as well).
To fix this issue, the value of hp->duration must change under the
protection of the sfp->rq_list_lock in sg_rq_end_io(). Since
sg_proc_debug_helper() takes this read lock, the change to srp->done and
srp->header.duration will happen atomically from the perspective of
sg_proc_debug_helper() and the race condition is thus eliminated.
The second race condition happens between sg_proc_debug_helper() and
sg_new_write(). Even though hp->duration is set to the current time
stamp in sg_add_request() under the write lock's protection, it gets
overwritten by a call to get_sg_io_hdr(), which calls copy_from_user()
to copy struct sg_io_hdr from userspace into kernel space. hp->duration
is set to the start time again in sg_common_write(). If
sg_proc_debug_helper() is called between these two calls, an arbitrary
value set by userspace (usually zero) is used to compute the elapsed
time.
To fix this issue, hp->duration must be set to the current timestamp
again after get_sg_io_hdr() returns successfully. A small race window
still exists between get_sg_io_hdr() and setting hp->duration, but this
window is only a few instructions wide and does not result in observable
issues in practice, as confirmed by testing.
Additionally, we fix the format specifier from %d to %u for printing
unsigned int values in sg_proc_debug_helper().
Signed-off-by: Michal Rábek <mrabek@redhat.com>
Suggested-by: Tomas Henzl <thenzl@redhat.com>
Tested-by: Changhui Zhong <czhong@redhat.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Reviewed-by: John Meneghini <jmeneghi@redhat.com>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Link: https://patch.msgid.link/20251212160900.64924-1-mrabek@redhat.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/sg.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 4d54f2697bb4e..d74bb7b42de89 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -736,6 +736,8 @@ sg_new_write(Sg_fd *sfp, struct file *file, const char __user *buf,
sg_remove_request(sfp, srp);
return -EFAULT;
}
+ hp->duration = jiffies_to_msecs(jiffies);
+
if (hp->interface_id != 'S') {
sg_remove_request(sfp, srp);
return -ENOSYS;
@@ -821,7 +823,6 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
return -ENODEV;
}
- hp->duration = jiffies_to_msecs(jiffies);
if (hp->interface_id != '\0' && /* v3 (or later) interface */
(SG_FLAG_Q_AT_TAIL & hp->flags))
at_head = 0;
@@ -1343,9 +1344,6 @@ sg_rq_end_io(struct request *rq, blk_status_t status)
"sg_cmd_done: pack_id=%d, res=0x%x\n",
srp->header.pack_id, result));
srp->header.resid = resid;
- ms = jiffies_to_msecs(jiffies);
- srp->header.duration = (ms > srp->header.duration) ?
- (ms - srp->header.duration) : 0;
if (0 != result) {
struct scsi_sense_hdr sshdr;
@@ -1395,6 +1393,9 @@ sg_rq_end_io(struct request *rq, blk_status_t status)
done = 0;
}
srp->done = done;
+ ms = jiffies_to_msecs(jiffies);
+ srp->header.duration = (ms > srp->header.duration) ?
+ (ms - srp->header.duration) : 0;
write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
if (likely(done)) {
@@ -2523,6 +2524,7 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
const sg_io_hdr_t *hp;
const char * cp;
unsigned int ms;
+ unsigned int duration;
k = 0;
list_for_each_entry(fp, &sdp->sfds, sfd_siblings) {
@@ -2560,13 +2562,17 @@ static void sg_proc_debug_helper(struct seq_file *s, Sg_device * sdp)
seq_printf(s, " id=%d blen=%d",
srp->header.pack_id, blen);
if (srp->done)
- seq_printf(s, " dur=%d", hp->duration);
+ seq_printf(s, " dur=%u", hp->duration);
else {
ms = jiffies_to_msecs(jiffies);
- seq_printf(s, " t_o/elap=%d/%d",
+ duration = READ_ONCE(hp->duration);
+ if (duration)
+ duration = (ms > duration ?
+ ms - duration : 0);
+ seq_printf(s, " t_o/elap=%u/%u",
(new_interface ? hp->timeout :
jiffies_to_msecs(fp->timeout)),
- (ms > hp->duration ? ms - hp->duration : 0));
+ duration);
}
seq_printf(s, "ms sgat=%d op=0x%02x\n", usg,
(int) srp->data.cmd_opcode);
--
2.51.0
^ permalink raw reply related [flat|nested] 564+ messages in thread
* Re: [PATCH 5.15 000/554] 5.15.198-rc1 review
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (553 preceding siblings ...)
2026-01-15 16:50 ` [PATCH 5.15 554/554] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout Greg Kroah-Hartman
@ 2026-01-15 19:15 ` Brett A C Sheffield
2026-01-15 19:33 ` Slade Watkins
` (4 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Brett A C Sheffield @ 2026-01-15 19:15 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 5.15.198-rc1-00555-g34877b74a3b0 #1 SMP Thu Jan 15 17:48:07 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 564+ messages in thread
* Re: [PATCH 5.15 000/554] 5.15.198-rc1 review
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (554 preceding siblings ...)
2026-01-15 19:15 ` [PATCH 5.15 000/554] 5.15.198-rc1 review Brett A C Sheffield
@ 2026-01-15 19:33 ` Slade Watkins
2026-01-15 22:04 ` Florian Fainelli
` (3 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Slade Watkins @ 2026-01-15 19:33 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill
On Thu, Jan 15, 2026 at 12:14 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.15.198 release.
> There are 554 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
5.15.198-rc1 built and run on my x86_64 test system (AMD Ryzen 9
9900X, System76 thelio-mira-r4-n3). No errors or regressions.
Tested-by: Slade Watkins <sr@sladewatkins.com>
Thanks,
Slade
^ permalink raw reply [flat|nested] 564+ messages in thread
* Re: [PATCH 5.15 000/554] 5.15.198-rc1 review
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (555 preceding siblings ...)
2026-01-15 19:33 ` Slade Watkins
@ 2026-01-15 22:04 ` Florian Fainelli
2026-01-16 9:45 ` Jon Hunter
` (2 subsequent siblings)
559 siblings, 0 replies; 564+ messages in thread
From: Florian Fainelli @ 2026-01-15 22:04 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 1/15/26 08:41, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.198 release.
> There are 554 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.198-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 564+ messages in thread
* Re: [PATCH 5.15 477/554] ASoC: stm: stm32_sai_sub: Convert to platform remove callback returning void
2026-01-15 16:49 ` [PATCH 5.15 477/554] ASoC: stm: stm32_sai_sub: Convert to platform remove callback returning void Greg Kroah-Hartman
@ 2026-01-16 9:00 ` Uwe Kleine-König
2026-01-16 11:07 ` Greg Kroah-Hartman
0 siblings, 1 reply; 564+ messages in thread
From: Uwe Kleine-König @ 2026-01-16 9:00 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Takashi Iwai, Nicolas Ferre, Mark Brown,
Sasha Levin
[-- Attachment #1: Type: text/plain, Size: 2622 bytes --]
Hello,
On Thu, Jan 15, 2026 at 05:49:03PM +0100, Greg Kroah-Hartman wrote:
> 5.15-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
>
> [ Upstream commit a3bd37e2e2bce4fb1757a940fa985d556662ba80 ]
>
> The .remove() callback for a platform driver returns an int which makes
> many driver authors wrongly assume it's possible to do error handling by
> returning an error code. However the value returned is (mostly) ignored
> and this typically results in resource leaks. To improve here there is a
> quest to make the remove callback return void. In the first step of this
> quest all drivers are converted to .remove_new() which already returns
> void.
>
> Trivially convert this driver from always returning zero in the remove
> callback to the void returning variant.
>
> Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
> Acked-by: Takashi Iwai <tiwai@suse.de>
> Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
> Link: https://lore.kernel.org/r/20230315150745.67084-139-u.kleine-koenig@pengutronix.de
> Signed-off-by: Mark Brown <broonie@kernel.org>
> Stable-dep-of: 23261f0de094 ("ASoC: stm32: sai: fix OF node leak on probe")
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
While this patch is trivial and there are many patches like that in both
mainline and already backported to stable without any known problems, it
is also not very hard to backport 23261f0de094 to 5.15.y without this
patch. The merge resolution relevant is just:
diff --cc sound/soc/stm/stm32_sai_sub.c
index 2a2fc2f0ebbd,c7930d8f9ded..000000000000
--- a/sound/soc/stm/stm32_sai_sub.c
+++ b/sound/soc/stm/stm32_sai_sub.c
@@@ -1579,8 -1587,7 +1587,9 @@@ static int stm32_sai_sub_remove(struct
snd_dmaengine_pcm_unregister(&pdev->dev);
snd_soc_unregister_component(&pdev->dev);
pm_runtime_disable(&pdev->dev);
+ of_node_put(sai->np_sync_provider);
+
+ return 0;
}
#ifdef CONFIG_PM_SLEEP
I don't feel very strong here, but IMHO this is trivial enough to skip
backporting the conversion to .remove_new() and it would be the right
thing from a pedantic POV. OTOH I also don't want to reply to each such
backport, don't object getting patches into stable, don't know how
the stable maintainers feel here and don't want to impose additional
work on anyone if just picking up the conversion is considered ok and
easier with the established workflow.
Best regards
Uwe
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 564+ messages in thread
* Re: [PATCH 5.15 000/554] 5.15.198-rc1 review
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (556 preceding siblings ...)
2026-01-15 22:04 ` Florian Fainelli
@ 2026-01-16 9:45 ` Jon Hunter
2026-01-16 11:08 ` Greg Kroah-Hartman
2026-01-16 17:38 ` Hardik Garg
2026-01-16 20:33 ` Shuah Khan
559 siblings, 1 reply; 564+ messages in thread
From: Jon Hunter @ 2026-01-16 9:45 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, f.fainelli, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr, linux-tegra@vger.kernel.org
Hi Greg,
On 15/01/2026 16:41, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.198 release.
> There are 554 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.198-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
> Pseudo-Shortlog of commits:
...
>
> Wentao Liang <vulab@iscas.ac.cn>
> pmdomain: imx: Fix reference count leak in imx_gpc_probe()
I am seeing a build failure for ARM with multi_v7_defconfig ...
drivers/soc/imx/gpc.c: In function ‘imx_gpc_probe’:
drivers/soc/imx/gpc.c:409:17: error: cleanup argument not a function
409 | = of_get_child_by_name(pdev->dev.of_node, "pgc");
| ^
Reverting the above commit resolves the issue.
Cheers
Jon
--
nvpublic
^ permalink raw reply [flat|nested] 564+ messages in thread
* Re: [PATCH 5.15 477/554] ASoC: stm: stm32_sai_sub: Convert to platform remove callback returning void
2026-01-16 9:00 ` Uwe Kleine-König
@ 2026-01-16 11:07 ` Greg Kroah-Hartman
0 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-16 11:07 UTC (permalink / raw)
To: Uwe Kleine-König
Cc: stable, patches, Takashi Iwai, Nicolas Ferre, Mark Brown,
Sasha Levin
On Fri, Jan 16, 2026 at 10:00:16AM +0100, Uwe Kleine-König wrote:
> Hello,
>
> On Thu, Jan 15, 2026 at 05:49:03PM +0100, Greg Kroah-Hartman wrote:
> > 5.15-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
> >
> > [ Upstream commit a3bd37e2e2bce4fb1757a940fa985d556662ba80 ]
> >
> > The .remove() callback for a platform driver returns an int which makes
> > many driver authors wrongly assume it's possible to do error handling by
> > returning an error code. However the value returned is (mostly) ignored
> > and this typically results in resource leaks. To improve here there is a
> > quest to make the remove callback return void. In the first step of this
> > quest all drivers are converted to .remove_new() which already returns
> > void.
> >
> > Trivially convert this driver from always returning zero in the remove
> > callback to the void returning variant.
> >
> > Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
> > Acked-by: Takashi Iwai <tiwai@suse.de>
> > Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
> > Link: https://lore.kernel.org/r/20230315150745.67084-139-u.kleine-koenig@pengutronix.de
> > Signed-off-by: Mark Brown <broonie@kernel.org>
> > Stable-dep-of: 23261f0de094 ("ASoC: stm32: sai: fix OF node leak on probe")
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> While this patch is trivial and there are many patches like that in both
> mainline and already backported to stable without any known problems, it
> is also not very hard to backport 23261f0de094 to 5.15.y without this
> patch. The merge resolution relevant is just:
>
> diff --cc sound/soc/stm/stm32_sai_sub.c
> index 2a2fc2f0ebbd,c7930d8f9ded..000000000000
> --- a/sound/soc/stm/stm32_sai_sub.c
> +++ b/sound/soc/stm/stm32_sai_sub.c
> @@@ -1579,8 -1587,7 +1587,9 @@@ static int stm32_sai_sub_remove(struct
> snd_dmaengine_pcm_unregister(&pdev->dev);
> snd_soc_unregister_component(&pdev->dev);
> pm_runtime_disable(&pdev->dev);
> + of_node_put(sai->np_sync_provider);
> +
> + return 0;
> }
>
> #ifdef CONFIG_PM_SLEEP
>
> I don't feel very strong here, but IMHO this is trivial enough to skip
> backporting the conversion to .remove_new() and it would be the right
> thing from a pedantic POV. OTOH I also don't want to reply to each such
> backport, don't object getting patches into stable, don't know how
> the stable maintainers feel here and don't want to impose additional
> work on anyone if just picking up the conversion is considered ok and
> easier with the established workflow.
Good idea, now done, thanks.
greg k-h
^ permalink raw reply [flat|nested] 564+ messages in thread
* Re: [PATCH 5.15 000/554] 5.15.198-rc1 review
2026-01-16 9:45 ` Jon Hunter
@ 2026-01-16 11:08 ` Greg Kroah-Hartman
0 siblings, 0 replies; 564+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-16 11:08 UTC (permalink / raw)
To: Jon Hunter
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr,
linux-tegra@vger.kernel.org
On Fri, Jan 16, 2026 at 09:45:18AM +0000, Jon Hunter wrote:
> Hi Greg,
>
> On 15/01/2026 16:41, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 5.15.198 release.
> > There are 554 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.198-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> > and the diffstat can be found below.
> >
> > thanks,
> >
> > greg k-h
> >
> > -------------
> > Pseudo-Shortlog of commits:
>
> ...
>
> >
> > Wentao Liang <vulab@iscas.ac.cn>
> > pmdomain: imx: Fix reference count leak in imx_gpc_probe()
>
>
> I am seeing a build failure for ARM with multi_v7_defconfig ...
>
>
> drivers/soc/imx/gpc.c: In function ‘imx_gpc_probe’:
> drivers/soc/imx/gpc.c:409:17: error: cleanup argument not a function
> 409 | = of_get_child_by_name(pdev->dev.of_node, "pgc");
> | ^
>
> Reverting the above commit resolves the issue.
Now fixed up, thanks. I'll push out a new -rc soon.
greg k-h
^ permalink raw reply [flat|nested] 564+ messages in thread
* Re: [PATCH 5.15 000/554] 5.15.198-rc1 review
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (557 preceding siblings ...)
2026-01-16 9:45 ` Jon Hunter
@ 2026-01-16 17:38 ` Hardik Garg
2026-01-16 20:33 ` Shuah Khan
559 siblings, 0 replies; 564+ messages in thread
From: Hardik Garg @ 2026-01-16 17:38 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Hardik Garg
The kernel, bpf tool, perf tool, and kselftest builds fine for v5.15.198-rc1
on x86 and arm64 Azure VM.
Tested-by: Hardik Garg <hargar@linux.microsoft.com>
Thanks,
Hardik
^ permalink raw reply [flat|nested] 564+ messages in thread
* Re: [PATCH 5.15 000/554] 5.15.198-rc1 review
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
` (558 preceding siblings ...)
2026-01-16 17:38 ` Hardik Garg
@ 2026-01-16 20:33 ` Shuah Khan
559 siblings, 0 replies; 564+ messages in thread
From: Shuah Khan @ 2026-01-16 20:33 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr, Shuah Khan
On 1/15/26 09:41, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.198 release.
> There are 554 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 17 Jan 2026 16:41:26 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.198-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 564+ messages in thread
end of thread, other threads:[~2026-01-16 20:33 UTC | newest]
Thread overview: 564+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-15 16:41 [PATCH 5.15 000/554] 5.15.198-rc1 review Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 001/554] xfrm: delete x->tunnel as we delete x Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 002/554] Revert "xfrm: destroy xfrm_state synchronously on net exit path" Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 003/554] xfrm: also call xfrm_state_delete_tunnel at destroy time for states that were never added Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 004/554] xfrm: flush all states in xfrm_state_fini Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 005/554] dpaa2-mac: bail if the dpmacs fwnode is not found Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 006/554] drm/i915/selftests: Fix inconsistent IS_ERR and PTR_ERR Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 007/554] leds: Replace all non-returning strlcpy with strscpy Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 008/554] leds: spi-byte: Use devm_led_classdev_register_ext() Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 009/554] Documentation: process: Also mention Sasha Levin as stable tree maintainer Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 010/554] jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 011/554] ext4: refresh inline data size before write operations Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 012/554] locking/spinlock/debug: Fix data-race in do_raw_write_lock Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 013/554] ext4: add i_data_sem protection in ext4_destroy_inline_data_nolock() Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 014/554] comedi: pcl818: fix null-ptr-deref in pcl818_ai_cancel() Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 015/554] USB: serial: option: add Foxconn T99W760 Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 016/554] USB: serial: option: add Telit Cinterion FE910C04 new compositions Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 017/554] USB: serial: option: move Telit 0x10c7 composition in the right place Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 018/554] USB: serial: ftdi_sio: match on interface number for jtag Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 019/554] serial: add support of CPCI cards Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 020/554] USB: serial: belkin_sa: fix TIOCMBIS and TIOCMBIC Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 021/554] USB: serial: kobil_sct: " Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 022/554] spi: xilinx: increase number of retries before declaring stall Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 023/554] spi: imx: keep dma request disabled before dma transfer setup Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 024/554] bfs: Reconstruct file type when loading from disk Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 025/554] pinctrl: qcom: msm: Fix deadlock in pinmux configuration Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 026/554] platform/x86: acer-wmi: Ignore backlight event Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 027/554] platform/x86: huawei-wmi: add keys for HONOR models Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 028/554] HID: elecom: Add support for ELECOM M-XT3URBK (018F) Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 029/554] samples: work around glibc redefining some of our defines wrong Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 030/554] comedi: c6xdigio: Fix invalid PNP driver unregistration Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 031/554] comedi: multiq3: sanitize config options in multiq3_attach() Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 032/554] comedi: check devices attached status in compat ioctls Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 033/554] staging: rtl8723bs: fix stack buffer overflow in OnAssocReq IE parsing Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 034/554] staging: rtl8723bs: fix out-of-bounds read in OnBeacon ESR " Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 035/554] smack: fix bug: unprivileged task can create labels Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 036/554] gpu: host1x: Fix race in syncpt alloc/free Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 037/554] drm/panel: visionox-rm69299: Dont clear all mode flags Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 038/554] drm/vgem-fence: Fix potential deadlock on release Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 039/554] USB: Fix descriptor count when handling invalid MBIM extended descriptor Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 040/554] irqchip/qcom-irq-combiner: Fix section mismatch Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 041/554] ntfs3: fix uninit memory after failed mi_read in mi_format_new Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 042/554] ntfs3: Fix uninit buffer allocated by __getname() Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 043/554] rculist: Add hlist_nulls_replace_rcu() and hlist_nulls_replace_init_rcu() Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 044/554] inet: Avoid ehash lookup race in inet_ehash_insert() Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 045/554] iio: imu: st_lsm6dsx: introduce st_lsm6dsx_device_set_enable routine Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 046/554] iio: imu: st_lsm6dsx: discard samples during filters settling time Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 047/554] iio: imu: st_lsm6dsx: Fix measurement unit for odr struct member Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 048/554] arm64: dts: imx8mm-venice-gw72xx: remove unused sdhc1 pinctrl Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 049/554] uio: uio_fsl_elbc_gpcm:: Add null pointer check to uio_fsl_elbc_gpcm_probe Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 050/554] crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 051/554] crypto: hisilicon/qm - restore original qos values Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 052/554] s390/smp: Fix fallback CPU detection Greg Kroah-Hartman
2026-01-15 16:41 ` [PATCH 5.15 053/554] s390/ap: Dont leak debug feature files if AP instructions are not available Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 054/554] firmware: imx: scu-irq: fix OF node leak in Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 055/554] phy: mscc: Fix PTP for VSC8574 and VSC8572 Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 056/554] sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock() Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 057/554] compiler-gcc.h: Define __SANITIZE_ADDRESS__ under hwaddress sanitizer Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 058/554] kmsan: introduce __no_sanitize_memory and __no_kmsan_checks Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 059/554] x86: kmsan: dont instrument stack walking functions Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 060/554] x86/dumpstack: Prevent KASAN false positive warnings in __show_regs() Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 061/554] pinctrl: stm32: fix hwspinlock resource leak in probe function Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 062/554] i3c: remove i2c board info from i2c_dev_desc Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 063/554] i3c: support dynamically added i2c devices Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 064/554] i3c: Allow OF-alias-based persistent bus numbering Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 065/554] i3c: master: Inherit DMA masks and parameters from parent device Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 066/554] i3c: fix refcount inconsistency in i3c_master_register Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 067/554] i3c: master: svc: Prevent incomplete IBI transaction Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 068/554] power: supply: wm831x: Check wm831x_set_bits() return value Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 069/554] power: supply: apm_power: only unset own apm_get_power_status Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 070/554] scsi: target: Do not write NUL characters into ASCII configfs output Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 071/554] spi: tegra210-quad: use device_reset method Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 072/554] spi: tegra210-quad: add new chips to compatible Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 073/554] spi: tegra210-quad: combined sequence mode Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 074/554] spi: tegra210-quad: modify chip select (CS) deactivation Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 075/554] spi: tegra210-quad: Fix timeout handling Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 076/554] mfd: da9055: Fix missing regmap_del_irq_chip() in error path Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 077/554] ext4: minor defrag code improvements Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 078/554] ext4: correct the checking of quota files before moving extents Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 079/554] perf/x86/intel: Correct large PEBS flag check Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 080/554] regulator: core: disable supply if enabling main regulator fails Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 081/554] nbd: clean up return value checking of sock_xmit() Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 082/554] nbd: partition nbd_read_stat() into nbd_read_reply() and nbd_handle_reply() Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 083/554] nbd: defer config put in recv_work Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 084/554] scsi: stex: Fix reboot_notifier leak in probe error path Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 085/554] dt-bindings: PCI: convert amlogic,meson-pcie.txt to dt-schema Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 086/554] dt-bindings: PCI: amlogic: Fix the register name of the DBI region Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 087/554] RDMA/rtrs: server: Fix error handling in get_or_create_srv Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 088/554] ntfs3: init run lock for extend inode Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 089/554] powerpc/32: Fix unpaired stwcx. on interrupt exit Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 090/554] macintosh/mac_hid: fix race condition in mac_hid_toggle_emumouse Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 091/554] wifi: cw1200: Fix potential memory leak in cw1200_bh_rx_helper() Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 092/554] nbd: defer config unlock in nbd_genl_connect Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 093/554] coresight: etm4x: Save restore TRFCR_EL1 Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 094/554] coresight: etm4x: Use Trace Filtering controls dynamically Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 095/554] coresight-etm4x: add isb() before reading the TRCSTATR Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 096/554] coresight: etm4x: Extract the trace unit controlling Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 097/554] coresight: etm4x: Add context synchronization before enabling trace Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 098/554] clk: renesas: r9a06g032: Export function to set dmamux Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 099/554] soc: renesas: r9a06g032-sysctrl: Handle h2mode setting based on USBF presence Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 100/554] clk: renesas: r9a06g032: Fix memory leak in error path Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 101/554] lib/vsprintf: Check pointer before dereferencing in time_and_date() Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 102/554] ocfs2: relax BUG() to ocfs2_error() in __ocfs2_move_extent() Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 103/554] ACPI: property: Fix fwnode refcount leak in acpi_fwnode_graph_parse_endpoint() Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 104/554] scsi: sim710: Fix resource leak by adding missing ioport_unmap() calls Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 105/554] leds: netxbig: Fix GPIO descriptor leak in error paths Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 106/554] PCI: keystone: Exit ks_pcie_probe() for invalid mode Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 107/554] ps3disk: use memcpy_{from,to}_bvec index Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 108/554] selftests/bpf: Fix failure paths in send_signal test Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 109/554] watchdog: wdat_wdt: Stop watchdog when uninstalling module Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 110/554] watchdog: wdat_wdt: Fix ACPI table leak in probe function Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 111/554] NFSD/blocklayout: Fix minlength check in proc_layoutget Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 112/554] wifi: rtl818x: Fix potential memory leaks in rtl8180_init_rx_ring() Greg Kroah-Hartman
2026-01-15 16:42 ` [PATCH 5.15 113/554] powerpc/64s/ptdump: Fix kernel_hash_pagetable dump for ISA v3.00 HPTE format Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 114/554] fs/ntfs3: Remove unused mi_mark_free Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 115/554] fs/ntfs3: Add new argument is_mft to ntfs_mark_rec_free Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 116/554] fs/ntfs3: Make ni_ins_new_attr return error Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 117/554] fs/ntfs3: out1 also needs to put mi Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 118/554] fs/ntfs3: Prevent memory leaks in add sub record Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 119/554] drm/mediatek: Fix CCORR mtk_ctm_s31_32_to_s1_n function issue Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 120/554] pwm: bcm2835: Make sure the channel is enabled after pwm_request() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 121/554] mfd: mt6397-irq: Fix missing irq_domain_remove() in error path Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 122/554] mfd: mt6358-irq: " Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 123/554] wifi: rtl818x: rtl8187: Fix potential buffer underflow in rtl8187_rx_cb() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 124/554] ima: Handle error code returned by ima_filter_rule_match() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 125/554] usb: chaoskey: fix locking for O_NONBLOCK Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 126/554] usb: dwc2: disable platform lowlevel hw resources during shutdown Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 127/554] usb: dwc2: fix hang during shutdown if set as peripheral Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 128/554] usb: dwc2: fix hang during suspend " Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 129/554] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 130/554] selftests/bpf: skip test_perf_branches_hw() on unsupported platforms Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 131/554] selftests/bpf: Improve reliability of test_perf_branches_no_hw() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 132/554] crypto: ccree - Correctly handle return of sg_nents_for_len Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 133/554] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 134/554] staging: fbtft: core: fix potential memory leak in fbtft_probe_common() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 135/554] PCI: dwc: Fix wrong PORT_LOGIC_LTSSM_STATE_MASK definition Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 136/554] wifi: ieee80211: correct FILS status codes Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 137/554] backlight: led_bl: Take led_access lock when required Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 138/554] backlight: led-bl: Add devlink to supplier LEDs Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 139/554] backlight: lp855x: Fix lp855x.h kernel-doc warnings Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 140/554] iommu/arm-smmu-qcom: Enable use of all SMR groups when running bare-metal Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 141/554] RDMA/irdma: Fix data race in irdma_sc_ccq_arm Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 142/554] RDMA/irdma: Fix data race in irdma_free_pble Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 143/554] ASoC: fsl_xcvr: Add Counter registers Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 144/554] ASoC: fsl_xcvr: Add support for i.MX93 platform Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 145/554] ASoC: fsl_xcvr: clear the channel status control memory Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 146/554] drm/amd/display: Fix logical vs bitwise bug in get_embedded_panel_info_v2_1() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 147/554] ACPI: processor_core: fix map_x2apic_id for amd-pstate on am4 Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 148/554] ext4: remove unused return value of __mb_check_buddy Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 149/554] ext4: improve integrity checking in __mb_check_buddy by enhancing order-0 validation Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 150/554] vdpa: Introduce and use vdpa device get, set config helpers Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 151/554] vdpa: Introduce query of device config layout Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 152/554] vdpa: Sync calls set/get config/status with cf_mutex Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 153/554] virtio_vdpa: fix misleading return in void function Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 154/554] virtio: fix virtqueue_set_affinity() docs Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 155/554] ASoC: Intel: catpt: Fix error path in hw_params() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 156/554] regulator: core: Protect regulator_supply_alias_list with regulator_list_mutex Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 157/554] netfilter: flowtable: check for maximum number of encapsulations in bridge vlan Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 158/554] netfilter: nf_conncount: reduce unnecessary GC Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 159/554] netfilter: nf_conncount: rework API to use sk_buff directly Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 160/554] netfilter: nft_connlimit: update the count if add was skipped Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 161/554] net: stmmac: fix rx limit check in stmmac_rx_zc() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 162/554] mtd: lpddr_cmds: fix signed shifts in lpddr_cmds Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 163/554] remoteproc: qcom_q6v5_wcss: fix parsing of qcom,halt-regs Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 164/554] net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 165/554] perf tools: Fix split kallsyms DSO counting Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 166/554] pinctrl: single: Fix PIN_CONFIG_BIAS_DISABLE handling Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 167/554] pinctrl: single: Fix incorrect type for error return variable Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 168/554] fbdev: ssd1307fb: fix potential page leak in ssd1307fb_probe() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 169/554] NFS: Label the dentry with a verifier in nfs_rmdir() and nfs_unlink() Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 170/554] NFS: dont unhash dentry during unlink/rename Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 171/554] NFS: Avoid changing nlink when file removes and attribute updates race Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 172/554] fs/nls: Fix utf16 to utf8 conversion Greg Kroah-Hartman
2026-01-15 16:43 ` [PATCH 5.15 173/554] NFSv4: Add some support for case insensitive filesystems Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 174/554] NFS: Fix the verifier for case sensitive filesystem in nfs_atomic_open() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 175/554] NFS: Initialise verifiers for visible dentries " Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 176/554] NFSv4/pNFS: Clear NFS_INO_LAYOUTCOMMIT in pnfs_mark_layout_stateid_invalid Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 177/554] Revert "nfs: ignore SB_RDONLY when remounting nfs" Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 178/554] Revert "nfs: clear SB_RDONLY before getting superblock" Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 179/554] Revert "nfs: ignore SB_RDONLY when mounting nfs" Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 180/554] fs_context: drop the unused lsm_flags member Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 181/554] NFS: Automounted filesystems should inherit ro,noexec,nodev,sync flags Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 182/554] fs/nls: Fix inconsistency between utf8_to_utf32() and utf32_to_utf8() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 183/554] platform/x86: asus-wmi: use brightness_set_blocking() for kbd led Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 184/554] ASoC: bcm: bcm63xx-pcm-whistler: Check return value of of_dma_configure() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 185/554] ASoC: ak4458: Disable regulator when error happens Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 186/554] ASoC: ak5558: " Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 187/554] blk-mq: Abort suspend when wakeup events are pending Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 188/554] block: fix comment for op_is_zone_mgmt() to include RESET_ALL Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 189/554] dma/pool: eliminate alloc_pages warning in atomic_pool_expand Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 190/554] ALSA: uapi: Fix typo in asound.h comment Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 191/554] ARM: 9464/1: fix input-only operand modification in load_unaligned_zeropad() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 192/554] dm-raid: fix possible NULL dereference with undefined raid type Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 193/554] dm log-writes: Add missing set_freezable() for freezable kthread Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 194/554] efi/cper: Add a new helper function to print bitmasks Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 195/554] efi/cper: Adjust infopfx size to accept an extra space Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 196/554] efi/cper: align ARM CPER type with UEFI 2.9A/2.10 specs Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 197/554] ocfs2: fix memory leak in ocfs2_merge_rec_left() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 198/554] usb: gadget: tegra-xudc: Always reinitialize data toggle when clear halt Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 199/554] usb: phy: Initialize struct usb_phy list_head Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 200/554] ALSA: dice: fix buffer overflow in detect_stream_formats() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 201/554] ASoC: fsl_xcvr: get channel status data when PHY is not exists Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 202/554] NFS: Fix missing unlock in nfs_unlink() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 203/554] netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 204/554] coresight: etm4x: Correct polling IDLE bit Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 205/554] spi: tegra210-quad: Fix validate combined sequence Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 206/554] spi: tegra210-quad: Fix X1_X2_X4 encoding and support x4 transfers Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 207/554] i3c: fix uninitialized variable use in i2c setup Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 208/554] bpf, arm64: Do not audit capability check in do_jit() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 209/554] btrfs: fix memory leak of fs_devices in degraded seed device path Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 210/554] sched/deadline: only set free_cpus for online runqueues Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 211/554] x86/ptrace: Always inline trivial accessors Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 212/554] ACPICA: Avoid walking the Namespace if start_node is NULL Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 213/554] ACPI: property: Use ACPI functions in acpi_graph_get_next_endpoint() only Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 214/554] cpufreq: s5pv210: fix refcount leak Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 215/554] livepatch: Match old_sympos 0 and 1 in klp_find_func() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 216/554] fs/ntfs3: Support timestamps prior to epoch Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 217/554] hfsplus: fix volume corruption issue for generic/070 Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 218/554] hfsplus: fix missing hfs_bnode_get() in __hfs_bnode_create Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 219/554] hfsplus: Verify inode mode when loading from disk Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 220/554] hfsplus: fix volume corruption issue for generic/073 Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 221/554] btrfs: scrub: always update btrfs_scrub_progress::last_physical Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 222/554] Bluetooth: btusb: Add new VID/PID 13d3/3533 for RTL8821CE Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 223/554] netrom: Fix memory leak in nr_sendmsg() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 224/554] net/sched: ets: Always remove class from active list before deleting in ets_qdisc_change Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 225/554] ipvlan: Ignore PACKET_LOOPBACK in handle_mode_l2() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 226/554] mlxsw: spectrum_router: Fix neighbour use-after-free Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 227/554] mlxsw: spectrum_mr: Fix use-after-free when updating multicast route stats Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 228/554] net: openvswitch: fix middle attribute validation in push_nsh() action Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 229/554] broadcom: b44: prevent uninitialized value usage Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 230/554] netfilter: nf_conncount: fix leaked ct in error paths Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 231/554] ipvs: fix ipv4 null-ptr-deref in route error path Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 232/554] caif: fix integer underflow in cffrml_receive() Greg Kroah-Hartman
2026-01-15 16:44 ` [PATCH 5.15 233/554] net/sched: ets: Remove drr class from the active list if it changes to strict Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 234/554] nfc: pn533: Fix error code in pn533_acr122_poweron_rdr() Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 235/554] ethtool: use phydev variable Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 236/554] net/ethtool/ioctl: remove if n_stats checks from ethtool_get_phy_stats Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 237/554] net/ethtool/ioctl: split ethtool_get_phy_stats into multiple helpers Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 238/554] ethtool: Avoid overflowing userspace buffer on stats query Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 239/554] net/mlx5: fw_tracer, Add support for unrecognized string Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 240/554] net/mlx5: fw_tracer, Validate format string parameters Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 241/554] net/mlx5: fw_tracer, Handle escaped percent properly Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 242/554] net: hns3: using the num_tqps in the vf driver to apply for resources Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 243/554] net: hns3: Align type of some variables with their print type Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 244/554] net: hns3: using the num_tqps to check whether tqp_index is out of range when vf get ring info from mbx Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 245/554] net: hns3: add VLAN id validation before using Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 246/554] HID: input: map HID_GD_Z to ABS_DISTANCE for stylus/pen Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 247/554] Input: ti_am335x_tsc - fix off-by-one error in wire_order validation Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 248/554] Input: i8042 - add TUXEDO InfinityBook Max Gen10 AMD to i8042 quirk table Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 249/554] ACPI: CPPC: Fix missing PCC check for guaranteed_perf Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 250/554] spi: fsl-cpm: Check length parity before switching to 16 bit mode Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 251/554] mmc: sdhci-esdhc-imx: add alternate ARCH_S32 dependency to Kconfig Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 252/554] net/hsr: fix NULL pointer dereference in prp_get_untagged_frame() Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 253/554] ALSA: vxpocket: Fix resource leak in vxpocket_probe error path Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 254/554] ALSA: pcmcia: Fix resource leak in snd_pdacf_probe " Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 255/554] ALSA: usb-mixer: us16x08: validate meter packet indices Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 256/554] ipmi: Fix the race between __scan_channels() and deliver_response() Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 257/554] ipmi: Fix __scan_channels() failing to rescan channels Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 258/554] firmware: imx: scu-irq: Init workqueue before request mbox channel Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 259/554] ti-sysc: allow OMAP2 and OMAP4 timers to be reserved on AM33xx Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 260/554] clk: mvebu: cp110 add CLK_IGNORE_UNUSED to pcie_x10, pcie_x11 & pcie_x4 Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 261/554] powerpc/addnote: Fix overflow on 32-bit builds Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 262/554] scsi: qla2xxx: Fix lost interrupts with qlini_mode=disabled Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 263/554] scsi: qla2xxx: Fix initiator mode with qlini_mode=exclusive Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 264/554] scsi: qla2xxx: Use reinit_completion on mbx_intr_comp Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 265/554] via_wdt: fix critical boot hang due to unnamed resource allocation Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 266/554] reset: fix BIT macro reference Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 267/554] exfat: fix remount failure in different process environments Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 268/554] usbip: Fix locking bug in RT-enabled kernels Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 269/554] usb: typec: ucsi: Handle incorrect num_connectors capability Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 270/554] usb: xhci: limit run_graceperiod for only usb 3.0 devices Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 271/554] usb: usb-storage: No additional quirks need to be added to the EL-R12 optical drive Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 272/554] serial: sprd: Return -EPROBE_DEFER when uart clock is not ready Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 273/554] nvme-fc: dont hold rport lock when putting ctrl Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 274/554] platform/x86/intel/hid: Add Dell Pro Rugged 10/12 tablet to VGBS DMI quirks Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 275/554] vhost/vsock: improve RCU read sections around vhost_vsock_get() Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 276/554] KEYS: trusted: Fix a memory leak in tpm2_load_cmd Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 277/554] mmc: sdhci-msm: Avoid early clock doubling during HS400 transition Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 278/554] lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 279/554] block: rate-limit capacity change info log Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 280/554] floppy: fix for PAGE_SIZE != 4KB Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 281/554] fs/ntfs3: fix mount failure for sparse runs in run_unpack() Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 282/554] ktest.pl: Fix uninitialized var in config-bisect.pl Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 283/554] ext4: xattr: fix null pointer deref in ext4_raw_inode() Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 284/554] ext4: clear i_state_flags when alloc inode Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 285/554] ext4: fix incorrect group number assertion in mb_check_buddy Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 286/554] ext4: align max orphan file size with e2fsprogs limit Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 287/554] jbd2: use a weaker annotation in journal handling Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 288/554] media: v4l2-mem2mem: Fix outdated documentation Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 289/554] usb: usb-storage: Maintain minimal modifications to the bcdDevice range Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 290/554] media: dvb-usb: dtv5100: fix out-of-bounds in dtv5100_i2c_msg() Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 291/554] media: pvrusb2: Fix incorrect variable used in trace message Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 292/554] phy: broadcom: bcm63xx-usbh: fix section mismatches Greg Kroah-Hartman
2026-01-15 16:45 ` [PATCH 5.15 293/554] USB: lpc32xx_udc: Fix error handling in probe Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 294/554] usb: phy: fsl-usb: Fix use-after-free in delayed work during device removal Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 295/554] usb: phy: isp1301: fix non-OF device reference imbalance Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 296/554] usb: dwc3: of-simple: fix clock resource leak in dwc3_of_simple_probe Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 297/554] usb: renesas_usbhs: Fix a resource leak in usbhs_pipe_malloc() Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 298/554] char: applicom: fix NULL pointer dereference in ac_ioctl Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 299/554] intel_th: Fix error handling in intel_th_output_open Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 300/554] cpufreq: nforce2: fix reference count leak in nforce2 Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 301/554] scsi: Revert "scsi: qla2xxx: Perform lockless command completion in abort path" Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 302/554] scsi: aic94xx: fix use-after-free in device removal path Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 303/554] NFSD: use correct reservation type in nfsd4_scsi_fence_client Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 304/554] scsi: target: Reset t_task_cdb pointer in error case Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 305/554] f2fs: invalidate dentry cache on failed whiteout creation Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 306/554] f2fs: fix return value of f2fs_recover_fsync_data() Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 307/554] tools/testing/nvdimm: Use per-DIMM device handle Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 308/554] media: vidtv: initialize local pointers upon transfer of memory ownership Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 309/554] ocfs2: fix kernel BUG in ocfs2_find_victim_chain Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 310/554] platform/chrome: cros_ec_ishtp: Fix UAF after unbinding driver Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 311/554] scs: fix a wrong parameter in __scs_magic Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 312/554] parisc: Do not reprogram affinitiy on ASP chip Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 313/554] libceph: make decode_pool() more resilient against corrupted osdmaps Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 314/554] KVM: x86: WARN if hrtimer callback for periodic APIC timer fires with period=0 Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 315/554] KVM: x86: Explicitly set new periodic hrtimer expiration in apic_timer_fn() Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 316/554] KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 317/554] KVM: nSVM: Propagate SVM_EXIT_CR0_SEL_WRITE correctly for LMSW emulation Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 318/554] KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR (failed VMRUN) Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 319/554] KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested VM-Exits Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 320/554] tracing: Do not register unsupported perf events Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 321/554] PM: runtime: Do not clear needs_force_resume with enabled runtime PM Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 322/554] fsnotify: do not generate ACCESS/MODIFY events on child for special files Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 323/554] nfsd: Mark variable __maybe_unused to avoid W=1 build break Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 324/554] svcrdma: return 0 on success from svc_rdma_copy_inline_range Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 325/554] io_uring: fix filename leak in __io_openat_prep() Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 326/554] drm/amd/display: Use GFP_ATOMIC in dc_create_plane_state() Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 327/554] amba: tegra-ahb: Fix device leak on SMMU enable Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 328/554] soc: qcom: ocmem: fix device leak on lookup Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 329/554] soc: amlogic: canvas: " Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 330/554] rpmsg: glink: fix rpmsg device leak Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 331/554] i2c: amd-mp2: fix reference leak in MP2 PCI device Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 332/554] hwmon: (max16065) Use local variable to avoid TOCTOU Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 333/554] hwmon: (w83791d) Convert macros to functions " Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 334/554] hwmon: (w83l786ng) " Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 335/554] i40e: fix scheduling in set_rx_mode Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 336/554] i40e: Refactor argument of several client notification functions Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 337/554] i40e: Refactor argument of i40e_detect_recover_hung() Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 338/554] i40e: validate ring_len parameter against hardware-specific values Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 339/554] iavf: fix off-by-one issues in iavf_config_rss_reg() Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 340/554] crypto: seqiv - Do not use req->iv after crypto_aead_encrypt Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 341/554] Bluetooth: btusb: revert use of devm_kzalloc in btusb Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 342/554] net: mdio: aspeed: move reg accessing part into separate functions Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 343/554] net: mdio: aspeed: add dummy read to avoid read-after-write issue Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 344/554] net: openvswitch: Avoid needlessly taking the RTNL on vport destroy Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 345/554] ip6_gre: make ip6gre_header() robust Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 346/554] platform/x86: msi-laptop: add missing sysfs_remove_group() Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 347/554] platform/x86: ibm_rtl: fix EBDA signature search pointer arithmetic Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 348/554] team: fix check for port enabled in team_queue_override_port_prio_changed() Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 349/554] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 350/554] smc91x: fix broken irq-context in PREEMPT_RT Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 351/554] genalloc.h: fix htmldocs warning Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 352/554] firewire: nosy: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-01-15 16:46 ` [PATCH 5.15 353/554] net: dsa: b53: skip multicast entries for fdb_dump() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 354/554] net: usb: asix: validate PHY address before use Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 355/554] net: bridge: Describe @tunnel_hash member in net_bridge_vlan_group struct Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 356/554] octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 357/554] ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 358/554] ipv4: Fix reference count leak when using error routes with nexthop objects Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 359/554] net: rose: fix invalid array index in rose_kill_by_device() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 360/554] RDMA/irdma: avoid invalid read in irdma_net_event Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 361/554] RDMA/efa: Remove possible negative shift Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 362/554] RDMA/core: Fix logic error in ib_get_gids_from_rdma_hdr() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 363/554] RDMA/bnxt_re: Fix incorrect BAR check in bnxt_qplib_map_creq_db() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 364/554] RDMA/bnxt_re: Fix IB_SEND_IP_CSUM handling in post_send Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 365/554] RDMA/bnxt_re: Fix to use correct page size for PDE table Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 366/554] RDMA/rtrs: Fix clt_path::max_pages_per_mr calculation Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 367/554] RDMA/bnxt_re: fix dma_free_coherent() pointer Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 368/554] selftests/ftrace: traceonoff_triggers: strip off names Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 369/554] ASoC: stm32: sai: fix device leak on probe Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 370/554] ASoC: qcom: q6asm-dai: perform correct state check before closing Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 371/554] ASoC: qcom: q6adm: the the copp device only during last instance Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 372/554] ASoC: qcom: qdsp6: q6asm-dai: set 10 ms period and buffer alignment Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 373/554] iommu/apple-dart: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 374/554] iommu/exynos: " Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 375/554] iommu/ipmmu-vmsa: " Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 376/554] iommu/mediatek-v1: fix device leak on probe_device() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 377/554] iommu/mediatek: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 378/554] iommu/omap: fix device leaks on probe_device() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 379/554] iommu/sun50i: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 380/554] iommu/tegra: fix device leak on probe_device() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 381/554] HID: logitech-dj: Remove duplicate error logging Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 382/554] PCI/PM: Reinstate clearing state_saved in legacy and !PM codepaths Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 383/554] leds: leds-lp50xx: Allow LED 0 to be added to module bank Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 384/554] leds: leds-lp50xx: LP5009 supports 3 modules for a total of 9 LEDs Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 385/554] mfd: altera-sysmgr: Fix device leak on sysmgr regmap lookup Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 386/554] mfd: max77620: Fix potential IRQ chip conflict when probing two devices Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 387/554] media: rc: st_rc: Fix reset control resource leak Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 388/554] parisc: entry.S: fix space adjustment on interruption for 64-bit userspace Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 389/554] parisc: entry: set W bit for !compat tasks in syscall_restore_rfi() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 390/554] media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 391/554] dm-ebs: Mark full buffer dirty even on partial write Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 392/554] fbdev: gbefb: fix to use physical address instead of dma address Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 393/554] fbdev: pxafb: Fix multiple clamped values in pxafb_adjust_timing Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 394/554] fbdev: tcx.c fix mem_map to correct smem_start offset Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 395/554] media: cec: Fix debugfs leak on bus_register() failure Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 396/554] media: msp3400: Avoid possible out-of-bounds array accesses in msp3400c_thread() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 397/554] media: TDA1997x: Remove redundant cancel_delayed_work in probe Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 398/554] media: i2c: ADV7604: " Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 399/554] media: i2c: adv7842: " Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 400/554] idr: fix idr_alloc() returning an ID out of range Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 401/554] RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 402/554] RDMA/cm: Fix leaking the multicast GID table reference Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 403/554] e1000: fix OOB in e1000_tbi_should_accept() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 404/554] fjes: Add missing iounmap in fjes_hw_init() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 405/554] nfsd: Drop the client reference in client_states_open() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 406/554] net: usb: sr9700: fix incorrect command used to write single register Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 407/554] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 408/554] net: macb: Relocate mog_init_rings() callback from macb_mac_link_up() to macb_open() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 409/554] drm/msm/a6xx: Fix out of bound IO access in a6xx_get_gmu_registers Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 410/554] drm/ttm: Avoid NULL pointer deref for evicted BOs Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 411/554] drm/nouveau/dispnv50: Dont call drm_atomic_get_crtc_state() in prepare_fb Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 412/554] mm/damon/tests/vaddr-kunit: handle alloc failures in damon_test_split_evenly_fail() Greg Kroah-Hartman
2026-01-15 16:47 ` [PATCH 5.15 413/554] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_do_test_apply_three_regions() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 414/554] RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 415/554] mm/damon/tests/vaddr-kunit: handle alloc failures on damon_test_split_evenly_succ() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 416/554] mm/damon/tests/core-kunit: handle allocation failures in damon_test_regions() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 417/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_at() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 418/554] mm/damon/tests/core-kunit: handle alloc failures on dasmon_test_merge_regions_of() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 419/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_merge_two() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 420/554] mm/damon/tests/core-kunit: handle memory failure from damon_test_target() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 421/554] mm/damon/tests/core-kunit: handle alloc failures on damon_test_split_regions_of() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 422/554] mm/damon/tests/core-kunit: handle memory alloc failure from damon_test_aggregate() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 423/554] kbuild: Use CRC32 and a 1MiB dictionary for XZ compressed modules Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 424/554] virtio_console: fix order of fields cols and rows Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 425/554] drm/vmwgfx: Fix a null-ptr access in the cursor snooper Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 426/554] usb: xhci: move link chain bit quirk checks into one helper function Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 427/554] usb: xhci: Apply the link chain quirk on NEC isoc endpoints Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 428/554] usb: gadget: udc: fix use-after-free in usb_gadget_state_work Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 429/554] xhci: dbgtty: use IDR to support several dbc instances Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 430/554] xhci: dbgtty: fix device unregister Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 431/554] jbd2: fix the inconsistency between checksum and data in memory for journal sb Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 432/554] tpm: Cap the number of PCR banks Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 433/554] btrfs: dont rewrite ret from inode_permission Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 434/554] wifi: mt76: Fix DTS power-limits on little endian systems Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 435/554] ALSA: wavefront: Clear substream pointers on close Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 436/554] ALSA: wavefront: Use standard print API Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 437/554] ALSA: wavefront: Fix integer overflow in sample size validation Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 438/554] NFSD: Clear SECLABEL in the suppattr_exclcreat bitmap Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 439/554] KVM: nVMX: Immediately refresh APICv controls as needed on nested VM-Exit Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 440/554] xfs: fix a memory leak in xfs_buf_item_init() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 441/554] f2fs: fix to detect recoverable inode during dryrun of find_fsync_dnodes() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 442/554] f2fs: use global inline_xattr_slab instead of per-sb slab cache Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 443/554] f2fs: fix to propagate error from f2fs_enable_checkpoint() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 444/554] f2fs: fix to avoid updating zero-sized extent in extent cache Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 445/554] usb: dwc3: keep susphy enabled during exit to avoid controller faults Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 446/554] mptcp: pm: ignore unknown endpoint flags Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 447/554] usb: ohci-nxp: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 448/554] usb: ohci-nxp: fix device leak on probe failure Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 449/554] fuse: fix readahead reclaim deadlock Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 450/554] ARM: dts: microchip: sama7g5: fix uart fifo size to 32 Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 451/554] svcrdma: bound check rq_pages index in inline path Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 452/554] ARM: dts: microchip: sama5d2: fix spi flexcom fifo size to 32 Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 453/554] crypto: af_alg - zero initialize memory allocated via sock_kmalloc Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 454/554] KVM: SVM: Mark VMCB_NPT as dirty on nested VMRUN Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 455/554] SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 456/554] media: mediatek: vcodec: Fix a reference leak in mtk_vcodec_fw_vpu_init() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 457/554] media: vpif_capture: fix section mismatch Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 458/554] media: verisilicon: Protect G2 HEVC decoder against invalid DPB index Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 459/554] NFSD: NFSv4 file creation neglects setting ACL Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 460/554] media: samsung: exynos4-is: fix potential ABBA deadlock on init Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 461/554] media: renesas: rcar_drif: fix device node reference leak in rcar_drif_bond_enabled Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 462/554] powerpc/pseries/cmm: call balloon_devinfo_init() also without CONFIG_BALLOON_COMPACTION Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 463/554] PCI: brcmstb: Fix disabling L0s capability Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 464/554] powerpc/64s/slb: Fix SLB multihit issue during SLB preload Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 465/554] iommu/qcom: fix device leak on of_xlate() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 466/554] r8169: fix RTL8117 Wake-on-Lan in DASH mode Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 467/554] ASoC: stm: Use dev_err_probe() helper Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 468/554] ASoC: stm32: sai: Use the devm_clk_get_optional() helper Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 469/554] ASoC: stm32: sai: fix clk prepare imbalance on probe failure Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 470/554] mm/balloon_compaction: make balloon page compaction callbacks static Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 471/554] mm/balloon_compaction: we cannot have isolated pages in the balloon list Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 472/554] mm/balloon_compaction: convert balloon_page_delete() to balloon_page_finalize() Greg Kroah-Hartman
2026-01-15 16:48 ` [PATCH 5.15 473/554] powerpc/pseries/cmm: adjust BALLOON_MIGRATE when migrating pages Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 474/554] pmdomain: Use device_get_match_data() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 475/554] pmdomain: imx: Fix reference count leak in imx_gpc_probe() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 476/554] lockd: fix vfs_test_lock() calls Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 477/554] ASoC: stm: stm32_sai_sub: Convert to platform remove callback returning void Greg Kroah-Hartman
2026-01-16 9:00 ` Uwe Kleine-König
2026-01-16 11:07 ` Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 478/554] ASoC: stm32: sai: fix OF node leak on probe Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 479/554] wifi: mac80211: Discard Beacon frames to non-broadcast address Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 480/554] drm/gma500: Remove unused helper psb_fbdev_fb_setcolreg() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 481/554] net: Remove RTNL dance for SIOCBRADDIF and SIOCBRDELIF Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 482/554] mmc: core: use sysfs_emit() instead of sprintf() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 483/554] drm/i915/selftests: fix subtraction overflow bug Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 484/554] page_pool: Fix use-after-free in page_pool_recycle_in_ring Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 485/554] KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 486/554] HID: core: Harden s32ton() against conversion to 0 bits Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 487/554] mm/mprotect: use long for page accountings and retval Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 488/554] KVM: arm64: sys_regs: disable -Wuninitialized-const-pointer warning Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 489/554] ipv6: Fix potential uninit-value access in __ip6_make_skb() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 490/554] ipv4: Fix uninit-value access in __ip_make_skb() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 491/554] selftests: net: test_vxlan_under_vrf: fix HV connectivity test Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 492/554] x86: remove __range_not_ok() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 493/554] pwm: stm32: Always program polarity Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 494/554] ext4: filesystems without casefold feature cannot be mounted with siphash Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 495/554] ext4: factor out ext4_hash_info_init() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 496/554] ext4: fix error message when rejecting the default hash Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 497/554] firmware: arm_scmi: Fix unused notifier-block in unregister Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 498/554] Revert "iommu/amd: Skip enabling command/event buffers for kdump" Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 499/554] net: ethtool: fix the error condition in ethtool_get_phy_stats_ethtool() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 500/554] usb: gadget: lpc32xx_udc: fix clock imbalance in error path Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 501/554] atm: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 502/554] net: 3com: 3c59x: fix possible null dereference in vortex_probe1() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 503/554] mei: me: add nova lake point S DID Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 504/554] lib/crypto: aes: Fix missing MMU protection for AES S-box Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 505/554] drm/pl111: Fix error handling in pl111_amba_probe Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 506/554] wifi: avoid kernel-infoleak from struct iw_point Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 507/554] libceph: prevent potential out-of-bounds reads in handle_auth_done() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 508/554] libceph: replace overzealous BUG_ON in osdmap_apply_incremental() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 509/554] libceph: make free_choose_arg_map() resilient to partial allocation Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 510/554] libceph: return the handler error from mon_handle_auth_done() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 511/554] libceph: make calc_target() set t->paused, not just clear it Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 512/554] ext4: introduce ITAIL helper Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 513/554] ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 514/554] net: Add locking to protect skb->dev access in ip_output Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 515/554] tls: Use __sk_dst_get() and dst_dev_rcu() in get_netdev_for_sock() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 516/554] csky: fix csky_cmpxchg_fixup not working Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 517/554] ARM: 9461/1: Disable HIGHPTE on PREEMPT_RT kernels Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 518/554] alpha: dont reference obsolete termio struct for TC* constants Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 519/554] NFSv4: ensure the open stateid seqid doesnt go backwards Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 520/554] NFS: Fix up the automount fs_context to use the correct cred Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 521/554] scsi: ipr: Enable/disable IRQD_NO_BALANCING during reset Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 522/554] scsi: Revert "scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed" Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 523/554] arm64: dts: add off-on-delay-us for usdhc2 regulator Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 524/554] ARM: dts: imx6q-ba16: fix RTC interrupt level Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 525/554] netfilter: nft_synproxy: avoid possible data-race on update operation Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 526/554] netfilter: nf_tables: fix memory leak in nf_tables_newrule() Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 527/554] netfilter: nf_conncount: update last_gc only when GC has been performed Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 528/554] net: marvell: prestera: fix NULL dereference on devlink_alloc() failure Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 529/554] bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 530/554] net: mscc: ocelot: Fix crash when adding interface under a lag Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 531/554] inet: ping: Fix icmp out counting Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 532/554] net: sock: fix hardened usercopy panic in sock_recv_errqueue Greg Kroah-Hartman
2026-01-15 16:49 ` [PATCH 5.15 533/554] netdev: preserve NETIF_F_ALL_FOR_ALL across TSO updates Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 534/554] net/mlx5e: Dont print error message due to invalid module Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 535/554] eth: bnxt: move and rename reset helpers Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 536/554] bnxt_en: Fix potential data corruption with HW GRO/LRO Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 537/554] HID: quirks: work around VID/PID conflict for appledisplay Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 538/554] net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 539/554] net: usb: pegasus: fix memory leak in update_eth_regs_async() Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 540/554] net: enetc: fix build warning when PAGE_SIZE is greater than 128K Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 541/554] arp: do not assume dev_hard_header() does not change skb->head Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 542/554] NFS: trace: show TIMEDOUT instead of 0x6e Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 543/554] nfs_common: factor out nfs_errtbl and nfs_stat_to_errno Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 544/554] NFSD: Remove NFSERR_EAGAIN Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 545/554] nfsd: provide locking for v4_end_grace Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 546/554] counter: interrupt-cnt: Drop IRQF_NO_THREAD flag Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 547/554] pinctrl: qcom: lpass-lpi: Remove duplicate assignment of of_gpio_n_cells Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 548/554] pinctrl: qcom: lpass-lpi: mark the GPIO controller as sleeping Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 549/554] blk-throttle: Set BIO_THROTTLED when bio has been throttled Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 550/554] powercap: fix race condition in register_control_type() Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 551/554] powercap: fix sscanf() error return value handling Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 552/554] can: j1939: make j1939_session_activate() fail if device is no longer registered Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 553/554] ASoC: fsl_sai: Add missing registers to cache default Greg Kroah-Hartman
2026-01-15 16:50 ` [PATCH 5.15 554/554] scsi: sg: Fix occasional bogus elapsed time that exceeds timeout Greg Kroah-Hartman
2026-01-15 19:15 ` [PATCH 5.15 000/554] 5.15.198-rc1 review Brett A C Sheffield
2026-01-15 19:33 ` Slade Watkins
2026-01-15 22:04 ` Florian Fainelli
2026-01-16 9:45 ` Jon Hunter
2026-01-16 11:08 ` Greg Kroah-Hartman
2026-01-16 17:38 ` Hardik Garg
2026-01-16 20:33 ` Shuah Khan
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox