* [PATCH 6.18 000/198] 6.18.7-rc1 review
@ 2026-01-21 18:13 Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 001/198] firmware: imx: scu-irq: Set mu_resource_id before get handle Greg Kroah-Hartman
` (211 more replies)
0 siblings, 212 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
This is the start of the stable review cycle for the 6.18.7 release.
There are 198 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.7-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.18.7-rc1
Carlos Llamas <cmllamas@google.com>
iommu/sva: include mmu_notifier.h header
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Revert "functionfs: fix the open/removal races"
Vlastimil Babka <vbabka@suse.cz>
mm/page_alloc: prevent pcp corruption with SMP=n
Joshua Hahn <joshua.hahnjy@gmail.com>
mm/page_alloc: batch page freeing in decay_pcp_high
Joshua Hahn <joshua.hahnjy@gmail.com>
mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection
Robbie Ko <robbieko@synology.com>
btrfs: fix deadlock in wait_current_trans() due to ignored transaction type
Nathan Chancellor <nathan@kernel.org>
HID: intel-ish-hid: Fix -Wcast-function-type-strict in devm_ishtp_alloc_workqueue()
Zhang Lixu <lixu.zhang@intel.com>
HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking
Lu Baolu <baolu.lu@linux.intel.com>
iommu/sva: invalidate stale IOTLB entries for kernel address space
Dave Hansen <dave.hansen@linux.intel.com>
mm: introduce deferred freeing for kernel page tables
Lu Baolu <baolu.lu@linux.intel.com>
x86/mm: use pagetable_free()
Dave Hansen <dave.hansen@linux.intel.com>
mm: introduce pure page table freeing function
Dave Hansen <dave.hansen@linux.intel.com>
x86/mm: use 'ptdesc' when freeing PMD pages
Dave Hansen <dave.hansen@linux.intel.com>
mm: actually mark kernel page table pages
Dave Hansen <dave.hansen@linux.intel.com>
mm: add a ptdesc flag to mark kernel page tables
Johan Hovold <johan@kernel.org>
dmaengine: ti: k3-udma: fix device leak on udma lookup
Johan Hovold <johan@kernel.org>
dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
Johan Hovold <johan@kernel.org>
dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation
Johan Hovold <johan@kernel.org>
dmaengine: stm32: dmamux: fix OF node leak on route allocation failure
Johan Hovold <johan@kernel.org>
dmaengine: stm32: dmamux: fix device leak on route allocation
Biju Das <biju.das.jz@bp.renesas.com>
dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all()
Johan Hovold <johan@kernel.org>
dmaengine: sh: rz-dmac: fix device leak on probe failure
Miaoqian Lin <linmq006@gmail.com>
dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
Johan Hovold <johan@kernel.org>
dmaengine: lpc32xx-dmamux: fix device leak on route allocation
Johan Hovold <johan@kernel.org>
dmaengine: lpc18xx-dmamux: fix device leak on route allocation
Johan Hovold <johan@kernel.org>
dmaengine: idxd: fix device leaks on compat bind and unbind
Zhen Ni <zhen.ni@easystack.cn>
dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure
Johan Hovold <johan@kernel.org>
dmaengine: dw: dmamux: fix OF node leak on route allocation failure
Johan Hovold <johan@kernel.org>
dmaengine: cv1800b-dmamux: fix device leak on route allocation
Johan Hovold <johan@kernel.org>
dmaengine: bcm-sba-raid: fix device leak on probe
Johan Hovold <johan@kernel.org>
dmaengine: at_hdmac: fix device leak on of_dma_xlate()
Janne Grunau <j@jannau.net>
dmaengine: apple-admac: Add "apple,t8103-admac" compatible
Qiang Ma <maqianga@uniontech.com>
LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()
Qiang Ma <maqianga@uniontech.com>
LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
Qiang Ma <maqianga@uniontech.com>
LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()
Binbin Zhou <zhoubinbin@loongson.cn>
LoongArch: dts: loongson-2k2000: Add default interrupt controller address cells
Binbin Zhou <zhoubinbin@loongson.cn>
LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names
Binbin Zhou <zhoubinbin@loongson.cn>
LoongArch: dts: loongson-2k1000: Add default interrupt controller address cells
Binbin Zhou <zhoubinbin@loongson.cn>
LoongArch: dts: loongson-2k0500: Add default interrupt controller address cells
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()
Thomas Zimmermann <tzimmermann@suse.de>
drm/sysfb: Remove duplicate declarations
Ludovic Desroches <ludovic.desroches@microchip.com>
drm/panel: simple: restore connector_type fallback
Marek Vasut <marex@nabladev.com>
drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel
Lyude Paul <lyude@redhat.com>
drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
drm/amdkfd: fix a memory leak in device_queue_manager_init()
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: make sure userqs are enabled in userq IOCTLs
Philip Yang <Philip.Yang@amd.com>
drm/amdgpu: Fix gfx9 update PTE mtype flag
Mario Limonciello (AMD) <superm1@kernel.org>
drm/amd: Clean up kfd node on surprise disconnect
Vivek Das Mohapatra <vivek@collabora.com>
drm/amd/display: Initialise backlight level values from hw
Mario Limonciello <mario.limonciello@amd.com>
drm/amd/display: Bump the HDMI clock to 340MHz
Yao Zi <me@ziyao.cc>
LoongArch: dts: Describe PCI sideband IRQ through interrupt-extended
Lisa Robinson <lisa@bytefly.space>
LoongArch: Fix PMU counter allocation for mixed-type event groups
SeongJae Park <sj@kernel.org>
mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
SeongJae Park <sj@kernel.org>
mm/damon/sysfs: cleanup intervals subdirs on attrs dir setup failure
SeongJae Park <sj@kernel.org>
mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure
SeongJae Park <sj@kernel.org>
mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure
SeongJae Park <sj@kernel.org>
mm/damon/core: remove call_control in inactive contexts
Aboorva Devarajan <aboorvad@linux.ibm.com>
mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free
Pavel Butsykin <pbutsykin@cloudlinux.com>
mm/zswap: fix error pointer free in zswap_cpu_comp_prepare()
Ben Dooks <ben.dooks@codethink.co.uk>
mm: numa,memblock: include <asm/numa.h> for 'numa_nodes_parsed'
Ryan Roberts <ryan.roberts@arm.com>
mm: kmsan: fix poisoning of high-order non-compound pages
Nilay Shroff <nilay@linux.ibm.com>
nvme: fix PCIe subsystem reset controller state transition
Xiaochen Shen <shenxiaochen@open-hieco.net>
x86/resctrl: Fix memory bandwidth counter width for Hygon
Xiaochen Shen <shenxiaochen@open-hieco.net>
x86/resctrl: Add missing resctrl initialization for Hygon
Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
i2c: riic: Move suspend handling to NOIRQ phase
Arnaud Ferraris <arnaud.ferraris@collabora.com>
tcpm: allow looking for role_sw device in the main node
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
EDAC/i3200: Fix a resource leak in i3200_probe1()
Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
EDAC/x38: Fix a resource leak in x38_probe1()
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
hrtimer: Fix softirq base check in update_needs_ipi()
Yang Erkun <yangerkun@huawei.com>
ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
Arnd Bergmann <arnd@arndb.de>
ext4: fix ext4_tune_sb_params padding
Johan Hovold <johan@kernel.org>
ASoC: codecs: wsa881x: fix unnecessary initialisation
Ilikara Zheng <ilikara@aosc.io>
nvme-pci: disable secondary temp for Wodposit WPBSNM8
Ethan Nelson-Moore <enelsonmoore@gmail.com>
USB: serial: ftdi_sio: add support for PICAXE AXE027 cable
Ulrich Mohr <u.mohr@semex-engcon.com>
USB: serial: option: add Telit LE910 MBIM composition
Huacai Chen <chenhuacai@kernel.org>
USB: OHCI/UHCI: Add soft dependencies on ehci_platform
Johannes Brüderl <johannes.bruederl@gmail.com>
usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: dwc3: Check for USB4 IP_NAME
Xu Yang <xu.yang_2@nxp.com>
usb: gadget: uvc: fix req_payload_size calculation
Xu Yang <xu.yang_2@nxp.com>
usb: gadget: uvc: fix interval_duration calculation
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: sideband: don't dereference freed ring when removing sideband endpoint
Wayne Chang <waynec@nvidia.com>
usb: host: xhci-tegra: Use platform_get_irq_optional() for wake IRQs
Wayne Chang <waynec@nvidia.com>
phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7
Franz Schnyder <franz.schnyder@toradex.com>
phy: fsl-imx8mq-usb: fix typec orientation switch when built as module
Louis Chauvet <louis.chauvet@bootlin.com>
phy: rockchip: inno-usb2: fix disconnection in gadget mode
Rafael Beims <rafael.beims@toradex.com>
phy: freescale: imx8m-pcie: assert phy reset during power on
Wentao Liang <vulab@iscas.ac.cn>
phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
Johan Hovold <johan@kernel.org>
phy: ti: gmii-sel: fix regmap leak on probe failure
Luca Ceresoli <luca.ceresoli@bootlin.com>
phy: rockchip: inno-usb2: fix communication disruption in gadget mode
Dan Williams <dan.j.williams@intel.com>
x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers
Shakeel Butt <shakeel.butt@linux.dev>
lib/buildid: use __kernel_read() for sleepable context
Bui Quang Minh <minhquangbui99@gmail.com>
virtio-net: don't schedule delayed refill worker
Nirjhar Roy (IBM) <nirjhar.roy.lists@gmail.com>
xfs: Fix the return value of xfs_rtcopy_summary()
Brian Foster <bfoster@redhat.com>
xfs: set max_agbno to allow sparse alloc of last full inode chunk
Guenter Roeck <linux@roeck-us.net>
ftrace: Do not over-allocate ftrace memory
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
tools/testing/selftests: fix gup_longterm for unknown fs
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
tools/testing/selftests: add forked (un)/faulted VMA merge tests
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
tools/testing/selftests: add tests for !tgt, src mremap() merges
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
Ondrej Ille <ondrej.ille@gmail.com>
can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit.
Marc Kleine-Budde <mkl@pengutronix.de>
can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
Nilay Shroff <nilay@linux.ibm.com>
null_blk: fix kmemleak by releasing references to fault configfs items
Zhang Heng <zhangheng@kylinos.cn>
ALSA: hda/realtek: Add quirk for HP Pavilion x360 to enable mute LED
Matthew Schwartz <matthew.schwartz@linux.dev>
ALSA: hda/tas2781: Skip UEFI calibration on ASUS ROG Xbox Ally X
Jaroslav Kysela <perex@perex.cz>
ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer
Paolo Bonzini <pbonzini@redhat.com>
selftests: kvm: try getting XFD and XSAVE state out of sync
Paolo Bonzini <pbonzini@redhat.com>
selftests: kvm: replace numbered sync points with actions
Brian Kao <powenkao@google.com>
scsi: core: Fix error handler encryption support
Yonghong Song <yonghong.song@linux.dev>
selftests/bpf: Fix selftest verif_scale_strobemeta failure with llvm22
Benjamin Tissoires <bentiss@kernel.org>
HID: usbhid: paper over wrong bNumDescriptor field
Peter Zijlstra <peterz@infradead.org>
sched: Deadline has dynamic priority
Peter Zijlstra <peterz@infradead.org>
sched/deadline: Avoid double update_rq_clock()
Carlos Song <carlos.song@nxp.com>
i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume progress
Neil Armstrong <neil.armstrong@linaro.org>
i2c: qcom-geni: make sure I2C hub controllers can't use SE DMA
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
soundwire: bus: fix off-by-one when allocating slave IDs
Haotian Zhang <vulab@iscas.ac.cn>
dmaengine: omap-dma: fix dma_pool resource leak in error paths
Günther Noack <gnoack3000@gmail.com>
selftests/landlock: Properly close a file descriptor
Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again)
Tingmao Wang <m@maowtm.org>
landlock: Fix wrong type usage
Matthieu Buffet <matthieu@buffet.re>
selftests/landlock: Remove invalid unix socket bind()
Matthieu Buffet <matthieu@buffet.re>
selftests/landlock: Fix TCP bind(AF_UNSPEC) test case
Matthieu Buffet <matthieu@buffet.re>
landlock: Fix TCP handling of short AF_UNSPEC addresses
Haotian Zhang <vulab@iscas.ac.cn>
phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors
Dan Carpenter <dan.carpenter@linaro.org>
phy: stm32-usphyc: Fix off by one in probe()
Loic Poulain <loic.poulain@oss.qualcomm.com>
phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
Stefano Radaelli <stefano.radaelli21@gmail.com>
phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it
Suraj Gupta <suraj.gupta2@amd.com>
dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing
Sheetal <sheetal@nvidia.com>
dmaengine: tegra-adma: Fix use-after-free
Anthony Brandon <anthony@amarulasolutions.com>
dmaengine: xilinx: xdma: Fix regmap max_register
Guodong Xu <guodong@riscstar.com>
dmaengine: mmp_pdma: fix DMA mask handling
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix size read races in truncate, fallocate and copy offload
John Groves <John@Groves.net>
drivers/dax: add some missing kerneldoc comment fields for struct dev_dax
Mike Rapoport (Microsoft) <rppt@kernel.org>
mips: fix HIGHMEM initialization
Bagas Sanjaya <bagasdotme@gmail.com>
mm, kfence: describe @slab parameter in __kfence_obj_info()
Bagas Sanjaya <bagasdotme@gmail.com>
textsearch: describe @list member in ts_ops search
Bagas Sanjaya <bagasdotme@gmail.com>
mm: describe @flags parameter in memalloc_flags_save()
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
drm/amdkfd: No need to suspend whole MES to evict process
Yang Wang <kevinyang.wang@amd.com>
drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2
Mario Limonciello (AMD) <superm1@kernel.org>
drm/amd/display: Show link name in PSR status message
Lu Yao <yaolu@kylinos.cn>
drm/amdgpu: fix drm panic null pointer when driver not support atomic
Emil Svendsen <emas@bang-olufsen.dk>
ASoC: tlv320adcx140: fix word length
Emil Svendsen <emas@bang-olufsen.dk>
ASoC: tlv320adcx140: fix null pointer
Cole Leavitt <cole@unwrap.rs>
ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type
Eric Dumazet <edumazet@google.com>
net/sched: sch_qfq: do not free existing class in qfq_change_class()
Gal Pressman <gal@nvidia.com>
selftests: drv-net: fix RPS mask handling for high CPU numbers
Kuniyuki Iwashima <kuniyu@google.com>
ipv6: Fix use-after-free in inet6_addr_del().
Eric Dumazet <edumazet@google.com>
dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
Aditya Garg <gargaditya@linux.microsoft.com>
net: hv_netvsc: reject RSS hash key programming without RX indirection table
Richard Fitzgerald <rf@opensource.cirrus.com>
ALSA: hda/cirrus_scodec_test: Fix test suite name
Richard Fitzgerald <rf@opensource.cirrus.com>
ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip
Lorenzo Bianconi <lorenzo@kernel.org>
net: airoha: Fix typo in airoha_ppe_setup_tc_block_cb definition
Jijie Shao <shaojijie@huawei.com>
net: phy: motorcomm: fix duplex setting error for phy leds
Kery Qi <qikeyu2017@gmail.com>
net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
Li Ming <ming.li@zohomail.com>
cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve()
Jiasheng Jiang <jiashengjiangcool@gmail.com>
btrfs: fix memory leaks in create_space_info() error paths
Saeed Mahameed <saeedm@nvidia.com>
net/mlx5e: Restore destroying state bit after profile cleanup
Saeed Mahameed <saeedm@nvidia.com>
net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
Saeed Mahameed <saeedm@nvidia.com>
net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv
Saeed Mahameed <saeedm@nvidia.com>
net/mlx5e: Fix crash on profile change rollback failure
Stefano Garzarella <sgarzare@redhat.com>
vsock/test: add a final full barrier after run all tests
Eric Dumazet <edumazet@google.com>
ipv4: ip_gre: make ipgre_header() robust
Caleb Sander Mateos <csander@purestorage.com>
block: zero non-PI portion of auto integrity buffer
Eric Dumazet <edumazet@google.com>
macvlan: fix possible UAF in macvlan_forward_source()
Eric Dumazet <edumazet@google.com>
net: update netdev_lock_{type,name}
Eric Dumazet <edumazet@google.com>
ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
Eric Dumazet <edumazet@google.com>
net: bridge: annotate data-races around fdb->{updated,used}
Yang Li <yang.li@amlogic.com>
Bluetooth: hci_sync: enable PA Sync Lost event
Qu Wenruo <wqu@suse.com>
btrfs: send: check for inline extents in range_is_hole_in_parent()
Filipe Manana <fdmanana@suse.com>
btrfs: release path before iget_failed() in btrfs_read_locked_inode()
Robert Richter <rrichter@amd.com>
cxl/port: Fix target list setup for multiple decoders sharing the same dport
Shivam Kumar <kumar.shivam43666@gmail.com>
nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
Szymon Wilczek <swilczek.lx@gmail.com>
can: etas_es58x: allow partial RX URB allocation to succeed
Eric Dumazet <edumazet@google.com>
ipv4: ip_tunnel: spread netdev_lockdep_set_classes()
Yaxiong Tian <tianyaxiong@kylinos.cn>
PM: EM: Fix incorrect description of the cost field in struct em_perf_state
Andy Yan <andy.yan@rock-chips.com>
drm/rockchip: vop2: Only wait for changed layer cfg done when there is pending cfgdone bits
Andy Yan <andy.yan@rock-chips.com>
drm/rockchip: vop2: Add delay between poll registers
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS/localio: Deal with page bases that are > PAGE_SIZE
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions
Ian Forbes <ian.forbes@broadcom.com>
drm/vmwgfx: Fix KMS with 3D on HW version 10
Sebastian Reichel <sebastian.reichel@collabora.com>
drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume
Zilin Guan <zilin@seu.edu.cn>
pnfs/blocklayout: Fix memory leak in bl_parse_scsi()
Zilin Guan <zilin@seu.edu.cn>
pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix a deadlock involving nfs_release_folio()
Trond Myklebust <trond.myklebust@hammerspace.com>
pNFS: Fix a deadlock when returning a delegation during open()
Antony Antony <antony.antony@secunet.com>
xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set
Jianbo Liu <jianbol@nvidia.com>
xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
Ming Lei <ming.lei@redhat.com>
io_uring: move local task_work in exit cancel loop
Gustavo A. R. Silva <gustavoars@kernel.org>
virtio_net: Fix misalignment bug in struct virtnet_info
Shenghao Yang <me@shenghaoyang.info>
drm/gud: fix NULL fb and crtc dereferences on USB disconnect
Johan Hovold <johan@kernel.org>
ASoC: codecs: wsa883x: fix unnecessary initialisation
Johan Hovold <johan@kernel.org>
ASoC: codecs: wsa884x: fix codec initialisation
Alice Ryhl <aliceryhl@google.com>
rust: bitops: fix missing _find_* functions on 32-bit ARM
Sean Christopherson <seanjc@google.com>
x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
Andreas Gruenbacher <agruenba@redhat.com>
Revert "gfs2: Fix use of bio_chain"
Janne Grunau <j@jannau.net>
nvme-apple: add "apple,t8103-nvme-ans2" as compatible
Morduan Zang <zhangdandan@uniontech.com>
efi/cper: Fix cper_bits_to_str buffer handling and return value
Peng Fan <peng.fan@nxp.com>
firmware: imx: scu-irq: Set mu_resource_id before get handle
-------------
Diffstat:
Makefile | 4 +-
arch/loongarch/boot/dts/loongson-2k0500.dtsi | 3 +
arch/loongarch/boot/dts/loongson-2k1000.dtsi | 31 +-
arch/loongarch/boot/dts/loongson-2k2000.dtsi | 35 +-
arch/loongarch/kernel/perf_event.c | 21 +-
arch/loongarch/kvm/intc/eiointc.c | 1 +
arch/loongarch/kvm/intc/ipi.c | 1 +
arch/loongarch/kvm/intc/pch_pic.c | 1 +
arch/mips/mm/init.c | 23 ++
arch/x86/Kconfig | 1 +
arch/x86/kernel/cpu/resctrl/core.c | 21 +-
arch/x86/kernel/cpu/resctrl/internal.h | 3 +
arch/x86/kernel/fpu/core.c | 32 +-
arch/x86/kvm/x86.c | 9 +
arch/x86/mm/init_64.c | 2 +-
arch/x86/mm/kaslr.c | 10 +-
arch/x86/mm/pat/set_memory.c | 2 +-
arch/x86/mm/pgtable.c | 12 +-
block/bio-integrity-auto.c | 2 +-
drivers/block/null_blk/main.c | 12 +-
drivers/cxl/core/hdm.c | 2 +-
drivers/cxl/core/port.c | 2 +-
drivers/dax/dax-private.h | 10 +-
drivers/dma/apple-admac.c | 1 +
drivers/dma/at_hdmac.c | 9 +-
drivers/dma/bcm-sba-raid.c | 6 +-
drivers/dma/cv1800b-dmamux.c | 17 +-
drivers/dma/dw/rzn1-dmamux.c | 4 +-
drivers/dma/fsl-edma-common.c | 1 +
drivers/dma/idxd/compat.c | 23 +-
drivers/dma/lpc18xx-dmamux.c | 19 +-
drivers/dma/lpc32xx-dmamux.c | 19 +-
drivers/dma/mmp_pdma.c | 20 +-
drivers/dma/qcom/gpi.c | 6 +-
drivers/dma/sh/rz-dmac.c | 18 +-
drivers/dma/stm32/stm32-dmamux.c | 22 +-
drivers/dma/tegra210-adma.c | 10 +-
drivers/dma/ti/dma-crossbar.c | 18 +-
drivers/dma/ti/k3-udma-private.c | 2 +-
drivers/dma/ti/omap-dma.c | 4 +
drivers/dma/xilinx/xdma-regs.h | 1 +
drivers/dma/xilinx/xdma.c | 2 +-
drivers/dma/xilinx/xilinx_dma.c | 7 +-
drivers/edac/i3200_edac.c | 11 +-
drivers/edac/x38_edac.c | 9 +-
drivers/firmware/efi/cper.c | 2 +-
drivers/firmware/imx/imx-scu-irq.c | 24 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 +
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 7 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 16 +
drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 8 +
drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 8 +-
.../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 31 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 21 +-
drivers/gpu/drm/amd/display/dc/dc_hdmi_types.h | 2 +-
.../gpu/drm/amd/display/dc/link/link_detection.c | 4 +-
.../gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 +-
drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c | 9 +
drivers/gpu/drm/gud/gud_pipe.c | 20 +-
drivers/gpu/drm/nouveau/dispnv50/curs507a.c | 1 +
drivers/gpu/drm/panel/panel-simple.c | 110 +++---
drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c | 12 +-
drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 17 +-
drivers/gpu/drm/sysfb/drm_sysfb_helper.h | 9 -
drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 22 +-
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 14 +-
drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 4 +-
drivers/hid/intel-ish-hid/ipc/ipc.c | 25 +-
drivers/hid/intel-ish-hid/ipc/pci-ish.c | 2 +-
drivers/hid/intel-ish-hid/ishtp-hid-client.c | 4 +-
drivers/hid/intel-ish-hid/ishtp/bus.c | 18 +-
drivers/hid/intel-ish-hid/ishtp/hbm.c | 4 +-
drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 3 +
drivers/hid/usbhid/hid-core.c | 17 +-
drivers/i2c/busses/i2c-imx-lpi2c.c | 7 +
drivers/i2c/busses/i2c-qcom-geni.c | 11 +-
drivers/i2c/busses/i2c-riic.c | 46 ++-
drivers/iommu/iommu-sva.c | 33 +-
drivers/net/can/ctucanfd/ctucanfd_base.c | 2 +-
drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
drivers/net/can/usb/gs_usb.c | 2 +
.../ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en.h | 13 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 86 +++--
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 15 +-
drivers/net/hyperv/netvsc_drv.c | 3 +
drivers/net/macvlan.c | 20 +-
drivers/net/phy/motorcomm.c | 4 +-
drivers/net/virtio_net.c | 59 ++--
drivers/nvme/host/apple.c | 1 +
drivers/nvme/host/pci.c | 7 +-
drivers/nvme/target/tcp.c | 12 +
drivers/pci/Kconfig | 6 -
drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 3 +-
drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 15 +-
drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 +-
drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 14 +-
drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
drivers/phy/tegra/xusb-tegra186.c | 3 +
drivers/phy/ti/phy-da8xx-usb.c | 7 +-
drivers/phy/ti/phy-gmii-sel.c | 2 +-
drivers/scsi/scsi_error.c | 24 ++
drivers/soundwire/bus_type.c | 2 +-
drivers/usb/core/config.c | 5 +
drivers/usb/core/quirks.c | 3 +
drivers/usb/dwc3/core.c | 2 +
drivers/usb/dwc3/core.h | 1 +
drivers/usb/gadget/function/f_fs.c | 53 +--
drivers/usb/gadget/function/f_uvc.c | 4 +
drivers/usb/gadget/function/uvc.h | 3 +-
drivers/usb/gadget/function/uvc_queue.c | 15 +-
drivers/usb/gadget/function/uvc_video.c | 11 +-
drivers/usb/host/ohci-platform.c | 1 +
drivers/usb/host/uhci-platform.c | 1 +
drivers/usb/host/xhci-sideband.c | 1 -
drivers/usb/host/xhci-tegra.c | 2 +-
drivers/usb/host/xhci.c | 15 +-
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 2 +
drivers/usb/serial/option.c | 1 +
drivers/usb/typec/tcpm/tcpm.c | 2 +-
fs/btrfs/inode.c | 9 +
fs/btrfs/send.c | 2 +
fs/btrfs/space-info.c | 8 +-
fs/btrfs/transaction.c | 11 +-
fs/ext4/xattr.c | 1 +
fs/gfs2/lops.c | 2 +-
fs/nfs/blocklayout/dev.c | 6 +-
fs/nfs/file.c | 3 +-
fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
fs/nfs/inode.c | 10 +-
fs/nfs/io.c | 2 +
fs/nfs/localio.c | 2 +
fs/nfs/nfs42proc.c | 29 +-
fs/nfs/nfs4proc.c | 6 +-
fs/nfs/nfstrace.h | 3 +
fs/nfs/pnfs.c | 58 +++-
fs/nfs/pnfs.h | 17 +-
fs/nfs/write.c | 33 ++
fs/xfs/libxfs/xfs_ialloc.c | 11 +-
fs/xfs/xfs_rtalloc.c | 2 +-
include/asm-generic/pgalloc.h | 18 +
include/drm/bridge/dw_hdmi_qp.h | 1 +
include/linux/energy_model.h | 2 +-
include/linux/gfp.h | 2 +-
include/linux/intel-ish-client-if.h | 2 +
include/linux/iommu.h | 4 +
include/linux/kfence.h | 1 +
include/linux/mm.h | 65 +++-
include/linux/nfs_fs.h | 1 +
include/linux/sched/mm.h | 1 +
include/linux/soc/airoha/airoha_offload.h | 4 +-
include/linux/textsearch.h | 1 +
include/linux/usb/quirks.h | 3 +
include/net/ip_tunnels.h | 13 +-
include/scsi/scsi_eh.h | 6 +
include/sound/pcm.h | 2 +-
include/uapi/linux/ext4.h | 2 +-
io_uring/io_uring.c | 8 +-
kernel/sched/core.c | 2 +-
kernel/sched/deadline.c | 3 +-
kernel/sched/syscalls.c | 2 +-
kernel/time/hrtimer.c | 2 +-
kernel/trace/ftrace.c | 29 +-
lib/buildid.c | 32 +-
mm/Kconfig | 13 +-
mm/damon/core.c | 33 +-
mm/damon/sysfs-schemes.c | 10 +-
mm/damon/sysfs.c | 9 +-
mm/kmsan/shadow.c | 2 +-
mm/numa_memblks.c | 2 +
mm/page_alloc.c | 74 +++-
mm/pgtable-generic.c | 39 +++
mm/vmstat.c | 28 +-
mm/zswap.c | 2 +-
net/bluetooth/hci_sync.c | 1 +
net/bridge/br_fdb.c | 28 +-
net/bridge/br_input.c | 4 +-
net/can/j1939/transport.c | 10 +-
net/core/dev.c | 25 +-
net/core/dst.c | 1 +
net/ipv4/esp4_offload.c | 4 +-
net/ipv4/ip_gre.c | 11 +-
net/ipv4/ip_tunnel.c | 5 +-
net/ipv4/route.c | 4 +-
net/ipv6/addrconf.c | 4 +-
net/ipv6/esp6_offload.c | 4 +-
net/ipv6/ip6_tunnel.c | 2 +-
net/ipv6/route.c | 4 +-
net/sched/sch_qfq.c | 6 +-
net/xfrm/xfrm_state.c | 1 +
rust/helpers/bitops.c | 42 +++
security/landlock/audit.c | 2 +-
security/landlock/net.c | 118 ++++---
sound/core/oss/pcm_oss.c | 4 +-
sound/core/pcm_native.c | 9 +-
sound/hda/codecs/realtek/alc269.c | 1 +
sound/hda/codecs/side-codecs/cirrus_scodec_test.c | 3 +-
sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 13 +-
sound/soc/codecs/tlv320adcx140.c | 8 +-
sound/soc/codecs/wsa881x.c | 9 +
sound/soc/codecs/wsa883x.c | 9 +
sound/soc/codecs/wsa884x.c | 3 +-
sound/soc/sdw_utils/soc_sdw_cs42l43.c | 2 +-
tools/testing/selftests/bpf/progs/strobemeta.h | 6 +-
tools/testing/selftests/kvm/x86/amx_test.c | 118 ++++---
tools/testing/selftests/landlock/common.h | 1 +
tools/testing/selftests/landlock/fs_test.c | 6 +-
tools/testing/selftests/landlock/net_test.c | 16 +-
tools/testing/selftests/mm/gup_longterm.c | 2 +-
tools/testing/selftests/mm/merge.c | 384 +++++++++++++++++++--
tools/testing/selftests/net/toeplitz.c | 4 +-
tools/testing/vsock/util.c | 12 +
215 files changed, 2132 insertions(+), 828 deletions(-)
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 001/198] firmware: imx: scu-irq: Set mu_resource_id before get handle
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 002/198] efi/cper: Fix cper_bits_to_str buffer handling and return value Greg Kroah-Hartman
` (210 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frank Li, Peng Fan, Shawn Guo,
Ben Hutchings
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
commit ff3f9913bc0749364fbfd86ea62ba2d31c6136c8 upstream.
mu_resource_id is referenced in imx_scu_irq_get_status() and
imx_scu_irq_group_enable() which could be used by other modules, so
need to set correct value before using imx_sc_irq_ipc_handle in
SCU API call.
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Fixes: 81fb53feb66a ("firmware: imx: scu-irq: Init workqueue before request mbox channel")
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/imx/imx-scu-irq.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
--- a/drivers/firmware/imx/imx-scu-irq.c
+++ b/drivers/firmware/imx/imx-scu-irq.c
@@ -203,6 +203,18 @@ int imx_scu_enable_general_irq_channel(s
struct mbox_chan *ch;
int ret = 0, i = 0;
+ if (!of_parse_phandle_with_args(dev->of_node, "mboxes",
+ "#mbox-cells", 0, &spec)) {
+ i = of_alias_get_id(spec.np, "mu");
+ of_node_put(spec.np);
+ }
+
+ /* use mu1 as general mu irq channel if failed */
+ if (i < 0)
+ i = 1;
+
+ mu_resource_id = IMX_SC_R_MU_0A + i;
+
ret = imx_scu_get_handle(&imx_sc_irq_ipc_handle);
if (ret)
return ret;
@@ -225,18 +237,6 @@ int imx_scu_enable_general_irq_channel(s
return ret;
}
- if (!of_parse_phandle_with_args(dev->of_node, "mboxes",
- "#mbox-cells", 0, &spec)) {
- i = of_alias_get_id(spec.np, "mu");
- of_node_put(spec.np);
- }
-
- /* use mu1 as general mu irq channel if failed */
- if (i < 0)
- i = 1;
-
- mu_resource_id = IMX_SC_R_MU_0A + i;
-
/* Create directory under /sysfs/firmware */
wakeup_obj = kobject_create_and_add("scu_wakeup_source", firmware_kobj);
if (!wakeup_obj) {
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 002/198] efi/cper: Fix cper_bits_to_str buffer handling and return value
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 001/198] firmware: imx: scu-irq: Set mu_resource_id before get handle Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 003/198] nvme-apple: add "apple,t8103-nvme-ans2" as compatible Greg Kroah-Hartman
` (209 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Morduan Zang, Ard Biesheuvel
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Morduan Zang <zhangdandan@uniontech.com>
commit d7f1b4bdc7108be1b178e1617b5f45c8918e88d7 upstream.
The return value calculation was incorrect: `return len - buf_size;`
Initially `len = buf_size`, then `len` decreases with each operation.
This results in a negative return value on success.
Fix by returning `buf_size - len` which correctly calculates the actual
number of bytes written.
Fixes: a976d790f494 ("efi/cper: Add a new helper function to print bitmasks")
Signed-off-by: Morduan Zang <zhangdandan@uniontech.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/cper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/firmware/efi/cper.c
+++ b/drivers/firmware/efi/cper.c
@@ -162,7 +162,7 @@ int cper_bits_to_str(char *buf, int buf_
len -= size;
str += size;
}
- return len - buf_size;
+ return buf_size - len;
}
EXPORT_SYMBOL_GPL(cper_bits_to_str);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 003/198] nvme-apple: add "apple,t8103-nvme-ans2" as compatible
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 001/198] firmware: imx: scu-irq: Set mu_resource_id before get handle Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 002/198] efi/cper: Fix cper_bits_to_str buffer handling and return value Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 004/198] Revert "gfs2: Fix use of bio_chain" Greg Kroah-Hartman
` (208 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neal Gompa, Christoph Hellwig,
Janne Grunau, Keith Busch
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janne Grunau <j@jannau.net>
commit 7d3fa7e954934fbda0a017ac1c305b7b10ecceef upstream.
After discussion with the devicetree maintainers we agreed to not extend
lists with the generic compatible "apple,nvme-ans2" anymore [1]. Add
"apple,t8103-nvme-ans2" as fallback compatible as it is the SoC the
driver and bindings were written for.
[1]: https://lore.kernel.org/asahi/12ab93b7-1fc2-4ce0-926e-c8141cfe81bf@kernel.org/
Cc: stable@vger.kernel.org # v6.18+
Fixes: 5bd2927aceba ("nvme-apple: Add initial Apple SoC NVMe driver")
Reviewed-by: Neal Gompa <neal@gompa.dev>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Janne Grunau <j@jannau.net>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/apple.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/nvme/host/apple.c
+++ b/drivers/nvme/host/apple.c
@@ -1703,6 +1703,7 @@ static const struct apple_nvme_hw apple_
static const struct of_device_id apple_nvme_of_match[] = {
{ .compatible = "apple,t8015-nvme-ans2", .data = &apple_nvme_t8015_hw },
+ { .compatible = "apple,t8103-nvme-ans2", .data = &apple_nvme_t8103_hw },
{ .compatible = "apple,nvme-ans2", .data = &apple_nvme_t8103_hw },
{},
};
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 004/198] Revert "gfs2: Fix use of bio_chain"
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2026-01-21 18:13 ` [PATCH 6.18 003/198] nvme-apple: add "apple,t8103-nvme-ans2" as compatible Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 005/198] x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 Greg Kroah-Hartman
` (207 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andreas Gruenbacher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Gruenbacher <agruenba@redhat.com>
commit 469d71512d135907bf5ea0972dfab8c420f57848 upstream.
This reverts commit 8a157e0a0aa5143b5d94201508c0ca1bb8cfb941.
That commit incorrectly assumed that the bio_chain() arguments were
swapped in gfs2. However, gfs2 intentionally constructs bio chains so
that the first bio's bi_end_io callback is invoked when all bios in the
chain have completed, unlike bio chains where the last bio's callback is
invoked.
Fixes: 8a157e0a0aa5 ("gfs2: Fix use of bio_chain")
Cc: stable@vger.kernel.org
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/gfs2/lops.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -487,7 +487,7 @@ static struct bio *gfs2_chain_bio(struct
new = bio_alloc(prev->bi_bdev, nr_iovecs, prev->bi_opf, GFP_NOIO);
bio_clone_blkg_association(new, prev);
new->bi_iter.bi_sector = bio_end_sector(prev);
- bio_chain(prev, new);
+ bio_chain(new, prev);
submit_bio(prev);
return new;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 005/198] x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2026-01-21 18:13 ` [PATCH 6.18 004/198] Revert "gfs2: Fix use of bio_chain" Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 006/198] rust: bitops: fix missing _find_* functions on 32-bit ARM Greg Kroah-Hartman
` (206 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Bonzini, Sean Christopherson,
Binbin Wu
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit b45f721775947a84996deb5c661602254ce25ce6 upstream.
When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in
response to a guest WRMSR, clear XFD-disabled features in the saved (or to
be restored) XSTATE_BV to ensure KVM doesn't attempt to load state for
features that are disabled via the guest's XFD. Because the kernel
executes XRSTOR with the guest's XFD, saving XSTATE_BV[i]=1 with XFD[i]=1
will cause XRSTOR to #NM and panic the kernel.
E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV:
------------[ cut here ]------------
WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848
Modules linked in: kvm_intel kvm irqbypass
CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:exc_device_not_available+0x101/0x110
Call Trace:
<TASK>
asm_exc_device_not_available+0x1a/0x20
RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
switch_fpu_return+0x4a/0xb0
kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm]
kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
__x64_sys_ioctl+0x8f/0xd0
do_syscall_64+0x62/0x940
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]---
This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1,
and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler's
call to fpu_update_guest_xfd().
and if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE:
------------[ cut here ]------------
WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867
Modules linked in: kvm_intel kvm irqbypass
CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:exc_device_not_available+0x101/0x110
Call Trace:
<TASK>
asm_exc_device_not_available+0x1a/0x20
RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90
fpu_swap_kvm_fpstate+0x6b/0x120
kvm_load_guest_fpu+0x30/0x80 [kvm]
kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm]
kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm]
__x64_sys_ioctl+0x8f/0xd0
do_syscall_64+0x62/0x940
entry_SYSCALL_64_after_hwframe+0x4b/0x53
</TASK>
---[ end trace 0000000000000000 ]---
The new behavior is consistent with the AMX architecture. Per Intel's SDM,
XSAVE saves XSTATE_BV as '0' for components that are disabled via XFD
(and non-compacted XSAVE saves the initial configuration of the state
component):
If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i,
the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1;
instead, it operates as if XINUSE[i] = 0 (and the state component was
in its initial state): it saves bit i of XSTATE_BV field of the XSAVE
header as 0; in addition, XSAVE saves the initial configuration of the
state component (the other instructions do not save state component i).
Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using
a constant XFD based on the set of enabled features when XSAVEing for
a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled
features can only happen in the above interrupt case, or in similar
scenarios involving preemption on preemptible kernels, because
fpu_swap_kvm_fpstate()'s call to save_fpregs_to_fpstate() saves the
outgoing FPU state with the current XFD; and that is (on all but the
first WRMSR to XFD) the guest XFD.
Therefore, XFD can only go out of sync with XSTATE_BV in the above
interrupt case, or in similar scenarios involving preemption on
preemptible kernels, and it we can consider it (de facto) part of KVM
ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features.
Reported-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 820a6ee944e7 ("kvm: x86: Add emulation for IA32_XFD", 2022-01-14)
Signed-off-by: Sean Christopherson <seanjc@google.com>
[Move clearing of XSTATE_BV from fpu_copy_uabi_to_guest_fpstate
to kvm_vcpu_ioctl_x86_set_xsave. - Paolo]
Reviewed-by: Binbin Wu <binbin.wu@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/fpu/core.c | 32 +++++++++++++++++++++++++++++---
arch/x86/kvm/x86.c | 9 +++++++++
2 files changed, 38 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/fpu/core.c
+++ b/arch/x86/kernel/fpu/core.c
@@ -318,10 +318,29 @@ EXPORT_SYMBOL_GPL(fpu_enable_guest_xfd_f
#ifdef CONFIG_X86_64
void fpu_update_guest_xfd(struct fpu_guest *guest_fpu, u64 xfd)
{
+ struct fpstate *fpstate = guest_fpu->fpstate;
+
fpregs_lock();
- guest_fpu->fpstate->xfd = xfd;
- if (guest_fpu->fpstate->in_use)
- xfd_update_state(guest_fpu->fpstate);
+
+ /*
+ * KVM's guest ABI is that setting XFD[i]=1 *can* immediately revert the
+ * save state to its initial configuration. Likewise, KVM_GET_XSAVE does
+ * the same as XSAVE and returns XSTATE_BV[i]=0 whenever XFD[i]=1.
+ *
+ * If the guest's FPU state is in hardware, just update XFD: the XSAVE
+ * in fpu_swap_kvm_fpstate will clear XSTATE_BV[i] whenever XFD[i]=1.
+ *
+ * If however the guest's FPU state is NOT resident in hardware, clear
+ * disabled components in XSTATE_BV now, or a subsequent XRSTOR will
+ * attempt to load disabled components and generate #NM _in the host_.
+ */
+ if (xfd && test_thread_flag(TIF_NEED_FPU_LOAD))
+ fpstate->regs.xsave.header.xfeatures &= ~xfd;
+
+ fpstate->xfd = xfd;
+ if (fpstate->in_use)
+ xfd_update_state(fpstate);
+
fpregs_unlock();
}
EXPORT_SYMBOL_GPL(fpu_update_guest_xfd);
@@ -430,6 +449,13 @@ int fpu_copy_uabi_to_guest_fpstate(struc
return -EINVAL;
/*
+ * Disabled features must be in their initial state, otherwise XRSTOR
+ * causes an exception.
+ */
+ if (WARN_ON_ONCE(ustate->xsave.header.xfeatures & kstate->xfd))
+ return -EINVAL;
+
+ /*
* Nullify @vpkru to preserve its current value if PKRU's bit isn't set
* in the header. KVM's odd ABI is to leave PKRU untouched in this
* case (all other components are eventually re-initialized).
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5842,9 +5842,18 @@ static int kvm_vcpu_ioctl_x86_get_xsave(
static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
struct kvm_xsave *guest_xsave)
{
+ union fpregs_state *xstate = (union fpregs_state *)guest_xsave->region;
+
if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
return vcpu->kvm->arch.has_protected_state ? -EINVAL : 0;
+ /*
+ * For backwards compatibility, do not expect disabled features to be in
+ * their initial state. XSTATE_BV[i] must still be cleared whenever
+ * XFD[i]=1, or XRSTOR would cause a #NM.
+ */
+ xstate->xsave.header.xfeatures &= ~vcpu->arch.guest_fpu.fpstate->xfd;
+
return fpu_copy_uabi_to_guest_fpstate(&vcpu->arch.guest_fpu,
guest_xsave->region,
kvm_caps.supported_xcr0,
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 006/198] rust: bitops: fix missing _find_* functions on 32-bit ARM
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2026-01-21 18:13 ` [PATCH 6.18 005/198] x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 007/198] ASoC: codecs: wsa884x: fix codec initialisation Greg Kroah-Hartman
` (205 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Hindborg, Dirk Behme,
Alice Ryhl, Yury Norov (NVIDIA)
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit 6a069876eb1402478900ee0eb7d7fe276bb1f4e3 upstream.
On 32-bit ARM, you may encounter linker errors such as this one:
ld.lld: error: undefined symbol: _find_next_zero_bit
>>> referenced by rust_binder_main.43196037ba7bcee1-cgu.0
>>> drivers/android/binder/rust_binder_main.o:(<rust_binder_main::process::Process>::insert_or_update_handle) in archive vmlinux.a
>>> referenced by rust_binder_main.43196037ba7bcee1-cgu.0
>>> drivers/android/binder/rust_binder_main.o:(<rust_binder_main::process::Process>::insert_or_update_handle) in archive vmlinux.a
This error occurs because even though the functions are declared by
include/linux/find.h, the definition is #ifdef'd out on 32-bit ARM. This
is because arch/arm/include/asm/bitops.h contains:
#define find_first_zero_bit(p,sz) _find_first_zero_bit_le(p,sz)
#define find_next_zero_bit(p,sz,off) _find_next_zero_bit_le(p,sz,off)
#define find_first_bit(p,sz) _find_first_bit_le(p,sz)
#define find_next_bit(p,sz,off) _find_next_bit_le(p,sz,off)
And the underscore-prefixed function is conditional on #ifndef of the
non-underscore-prefixed name, but the declaration in find.h is *not*
conditional on that #ifndef.
To fix the linker error, we ensure that the symbols in question exist
when compiling Rust code. We do this by defining them in rust/helpers/
whenever the normal definition is #ifndef'd out.
Note that these helpers are somewhat unusual in that they do not have
the rust_helper_ prefix that most helpers have. Adding the rust_helper_
prefix does not compile, as 'bindings::_find_next_zero_bit()' will
result in a call to a symbol called _find_next_zero_bit as defined by
include/linux/find.h rather than a symbol with the rust_helper_ prefix.
This is because when a symbol is present in both include/ and
rust/helpers/, the one from include/ wins under the assumption that the
current configuration is one where that helper is unnecessary. This
heuristic fails for _find_next_zero_bit() because the header file always
declares it even if the symbol does not exist.
The functions still use the __rust_helper annotation. This lets the
wrapper function be inlined into Rust code even if full kernel LTO is
not used once the patch series for that feature lands.
Yury: arches are free to implement they own find_bit() functions. Most
rely on generic implementation, but arm32 and m86k - not; so they require
custom handling. Alice confirmed it fixes the build for both.
Cc: stable@vger.kernel.org
Fixes: 6cf93a9ed39e ("rust: add bindings for bitops.h")
Reported-by: Andreas Hindborg <a.hindborg@kernel.org>
Closes: https://rust-for-linux.zulipchat.com/#narrow/channel/x/topic/x/near/561677301
Tested-by: Andreas Hindborg <a.hindborg@kernel.org>
Reviewed-by: Dirk Behme <dirk.behme@de.bosch.com>
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Signed-off-by: Yury Norov (NVIDIA) <yury.norov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
rust/helpers/bitops.c | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/rust/helpers/bitops.c b/rust/helpers/bitops.c
index 5d0861d29d3f..e79ef9e6d98f 100644
--- a/rust/helpers/bitops.c
+++ b/rust/helpers/bitops.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0
#include <linux/bitops.h>
+#include <linux/find.h>
void rust_helper___set_bit(unsigned long nr, unsigned long *addr)
{
@@ -21,3 +22,44 @@ void rust_helper_clear_bit(unsigned long nr, volatile unsigned long *addr)
{
clear_bit(nr, addr);
}
+
+/*
+ * The rust_helper_ prefix is intentionally omitted below so that the
+ * declarations in include/linux/find.h are compatible with these helpers.
+ *
+ * Note that the below #ifdefs mean that the helper is only created if C does
+ * not provide a definition.
+ */
+#ifdef find_first_zero_bit
+__rust_helper
+unsigned long _find_first_zero_bit(const unsigned long *p, unsigned long size)
+{
+ return find_first_zero_bit(p, size);
+}
+#endif /* find_first_zero_bit */
+
+#ifdef find_next_zero_bit
+__rust_helper
+unsigned long _find_next_zero_bit(const unsigned long *addr,
+ unsigned long size, unsigned long offset)
+{
+ return find_next_zero_bit(addr, size, offset);
+}
+#endif /* find_next_zero_bit */
+
+#ifdef find_first_bit
+__rust_helper
+unsigned long _find_first_bit(const unsigned long *addr, unsigned long size)
+{
+ return find_first_bit(addr, size);
+}
+#endif /* find_first_bit */
+
+#ifdef find_next_bit
+__rust_helper
+unsigned long _find_next_bit(const unsigned long *addr, unsigned long size,
+ unsigned long offset)
+{
+ return find_next_bit(addr, size, offset);
+}
+#endif /* find_next_bit */
--
2.52.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 007/198] ASoC: codecs: wsa884x: fix codec initialisation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2026-01-21 18:13 ` [PATCH 6.18 006/198] rust: bitops: fix missing _find_* functions on 32-bit ARM Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 008/198] ASoC: codecs: wsa883x: fix unnecessary initialisation Greg Kroah-Hartman
` (204 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Johan Hovold,
Krzysztof Kozlowski, Srinivas Kandagatla, Mark Brown
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 120f3e6ff76209ee2f62a64e5e7e9d70274df42b upstream.
The soundwire update_status() callback may be called multiple times with
the same ATTACHED status but initialisation should only be done when
transitioning from UNATTACHED to ATTACHED.
Fix the inverted hw_init flag which was set to false instead of true
after initialisation which defeats its purpose and may result in
repeated unnecessary initialisation.
Similarly, the initial state of the flag was also inverted so that the
codec would only be initialised and brought out of regmap cache only
mode if its status first transitions to UNATTACHED.
Fixes: aa21a7d4f68a ("ASoC: codecs: wsa884x: Add WSA884x family of speakers")
Cc: stable@vger.kernel.org # 6.5
Cc: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260102111413.9605-4-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wsa884x.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/sound/soc/codecs/wsa884x.c
+++ b/sound/soc/codecs/wsa884x.c
@@ -1534,7 +1534,7 @@ static void wsa884x_init(struct wsa884x_
wsa884x_set_gain_parameters(wsa884x);
- wsa884x->hw_init = false;
+ wsa884x->hw_init = true;
}
static int wsa884x_update_status(struct sdw_slave *slave,
@@ -2109,7 +2109,6 @@ static int wsa884x_probe(struct sdw_slav
/* Start in cache-only until device is enumerated */
regcache_cache_only(wsa884x->regmap, true);
- wsa884x->hw_init = true;
if (IS_REACHABLE(CONFIG_HWMON)) {
struct device *hwmon;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 008/198] ASoC: codecs: wsa883x: fix unnecessary initialisation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2026-01-21 18:13 ` [PATCH 6.18 007/198] ASoC: codecs: wsa884x: fix codec initialisation Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 009/198] drm/gud: fix NULL fb and crtc dereferences on USB disconnect Greg Kroah-Hartman
` (203 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Krzysztof Kozlowski, Srinivas Kandagatla, Mark Brown
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 49aadf830eb048134d33ad7329d92ecff45d8dbb upstream.
The soundwire update_status() callback may be called multiple times with
the same ATTACHED status but initialisation should only be done when
transitioning from UNATTACHED to ATTACHED.
This avoids repeated initialisation of the codecs during boot of
machines like the Lenovo ThinkPad X13s:
[ 11.614523] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
[ 11.618022] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
[ 11.621377] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
[ 11.624065] wsa883x-codec sdw:1:0:0217:0202:00:1: WSA883X Version 1_1, Variant: WSA8835_V2
[ 11.631382] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2
[ 11.634424] wsa883x-codec sdw:1:0:0217:0202:00:2: WSA883X Version 1_1, Variant: WSA8835_V2
Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support")
Cc: stable@vger.kernel.org # 6.0
Cc: Srinivas Kandagatla <srini@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260102111413.9605-2-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wsa883x.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/sound/soc/codecs/wsa883x.c
+++ b/sound/soc/codecs/wsa883x.c
@@ -475,6 +475,7 @@ struct wsa883x_priv {
int active_ports;
int dev_mode;
int comp_offset;
+ bool hw_init;
/*
* Protects temperature reading code (related to speaker protection) and
* fields: temperature and pa_on.
@@ -1043,6 +1044,9 @@ static int wsa883x_init(struct wsa883x_p
struct regmap *regmap = wsa883x->regmap;
int variant, version, ret;
+ if (wsa883x->hw_init)
+ return 0;
+
ret = regmap_read(regmap, WSA883X_OTP_REG_0, &variant);
if (ret)
return ret;
@@ -1085,6 +1089,8 @@ static int wsa883x_init(struct wsa883x_p
wsa883x->comp_offset);
}
+ wsa883x->hw_init = true;
+
return 0;
}
@@ -1093,6 +1099,9 @@ static int wsa883x_update_status(struct
{
struct wsa883x_priv *wsa883x = dev_get_drvdata(&slave->dev);
+ if (status == SDW_SLAVE_UNATTACHED)
+ wsa883x->hw_init = false;
+
if (status == SDW_SLAVE_ATTACHED && slave->dev_num > 0)
return wsa883x_init(wsa883x);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 009/198] drm/gud: fix NULL fb and crtc dereferences on USB disconnect
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2026-01-21 18:13 ` [PATCH 6.18 008/198] ASoC: codecs: wsa883x: fix unnecessary initialisation Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 010/198] virtio_net: Fix misalignment bug in struct virtnet_info Greg Kroah-Hartman
` (202 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shenghao Yang, Ruben Wauters
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shenghao Yang <me@shenghaoyang.info>
commit dc2d5ddb193e363187bae2ad358245642d2721fb upstream.
On disconnect drm_atomic_helper_disable_all() is called which
sets both the fb and crtc for a plane to NULL before invoking a commit.
This causes a kernel oops on every display disconnect.
Add guards for those dereferences.
Cc: <stable@vger.kernel.org> # 6.18.x
Fixes: 73cfd166e045 ("drm/gud: Replace simple display pipe with DRM atomic helpers")
Signed-off-by: Shenghao Yang <me@shenghaoyang.info>
Reviewed-by: Ruben Wauters <rubenru09@aol.com>
Signed-off-by: Ruben Wauters <rubenru09@aol.com>
Link: https://patch.msgid.link/20251231055039.44266-1-me@shenghaoyang.info
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/gud/gud_pipe.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/gud/gud_pipe.c b/drivers/gpu/drm/gud/gud_pipe.c
index 76d77a736d84..4b77be94348d 100644
--- a/drivers/gpu/drm/gud/gud_pipe.c
+++ b/drivers/gpu/drm/gud/gud_pipe.c
@@ -457,27 +457,20 @@ int gud_plane_atomic_check(struct drm_plane *plane,
struct drm_plane_state *old_plane_state = drm_atomic_get_old_plane_state(state, plane);
struct drm_plane_state *new_plane_state = drm_atomic_get_new_plane_state(state, plane);
struct drm_crtc *crtc = new_plane_state->crtc;
- struct drm_crtc_state *crtc_state;
+ struct drm_crtc_state *crtc_state = NULL;
const struct drm_display_mode *mode;
struct drm_framebuffer *old_fb = old_plane_state->fb;
struct drm_connector_state *connector_state = NULL;
struct drm_framebuffer *fb = new_plane_state->fb;
- const struct drm_format_info *format = fb->format;
+ const struct drm_format_info *format;
struct drm_connector *connector;
unsigned int i, num_properties;
struct gud_state_req *req;
int idx, ret;
size_t len;
- if (drm_WARN_ON_ONCE(plane->dev, !fb))
- return -EINVAL;
-
- if (drm_WARN_ON_ONCE(plane->dev, !crtc))
- return -EINVAL;
-
- crtc_state = drm_atomic_get_new_crtc_state(state, crtc);
-
- mode = &crtc_state->mode;
+ if (crtc)
+ crtc_state = drm_atomic_get_new_crtc_state(state, crtc);
ret = drm_atomic_helper_check_plane_state(new_plane_state, crtc_state,
DRM_PLANE_NO_SCALING,
@@ -492,6 +485,9 @@ int gud_plane_atomic_check(struct drm_plane *plane,
if (old_plane_state->rotation != new_plane_state->rotation)
crtc_state->mode_changed = true;
+ mode = &crtc_state->mode;
+ format = fb->format;
+
if (old_fb && old_fb->format != format)
crtc_state->mode_changed = true;
@@ -598,7 +594,7 @@ void gud_plane_atomic_update(struct drm_plane *plane,
struct drm_atomic_helper_damage_iter iter;
int ret, idx;
- if (crtc->state->mode_changed || !crtc->state->enable) {
+ if (!crtc || crtc->state->mode_changed || !crtc->state->enable) {
cancel_work_sync(&gdrm->work);
mutex_lock(&gdrm->damage_lock);
if (gdrm->fb) {
--
2.52.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 010/198] virtio_net: Fix misalignment bug in struct virtnet_info
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2026-01-21 18:13 ` [PATCH 6.18 009/198] drm/gud: fix NULL fb and crtc dereferences on USB disconnect Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 011/198] io_uring: move local task_work in exit cancel loop Greg Kroah-Hartman
` (201 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gustavo A. R. Silva,
Michael S. Tsirkin, Paolo Abeni
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavoars@kernel.org>
commit 4156c3745f06bc197094b9ee97a9584e69ed00bf upstream.
Use the new TRAILING_OVERLAP() helper to fix a misalignment bug
along with the following warning:
drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
This helper creates a union between a flexible-array member (FAM)
and a set of members that would otherwise follow it (in this case
`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This
overlays the trailing members (rss_hash_key_data) onto the FAM
(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.
The static_assert() ensures this alignment remains.
Notice that due to tail padding in flexible `struct
virtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`
(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at
offset 84 in struct virtnet_info) are misaligned by one byte. See
below:
struct virtio_net_rss_config_trailer {
__le16 max_tx_vq; /* 0 2 */
__u8 hash_key_length; /* 2 1 */
__u8 hash_key_data[]; /* 3 0 */
/* size: 4, cachelines: 1, members: 3 */
/* padding: 1 */
/* last cacheline: 4 bytes */
};
struct virtnet_info {
...
struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */
/* XXX last struct has 1 byte of padding */
u8 rss_hash_key_data[40]; /* 84 40 */
...
/* size: 832, cachelines: 13, members: 48 */
/* sum members: 801, holes: 8, sum holes: 31 */
/* paddings: 2, sum paddings: 5 */
};
After changes, those members are correctly aligned at offset 795:
struct virtnet_info {
...
union {
struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */
struct {
unsigned char __offset_to_hash_key_data[3]; /* 792 3 */
u8 rss_hash_key_data[40]; /* 795 40 */
}; /* 792 43 */
}; /* 792 44 */
...
/* size: 840, cachelines: 14, members: 47 */
/* sum members: 801, holes: 8, sum holes: 35 */
/* padding: 4 */
/* paddings: 1, sum paddings: 4 */
/* last cacheline: 8 bytes */
};
As a result, the RSS key passed to the device is shifted by 1
byte: the last byte is cut off, and instead a (possibly
uninitialized) byte is added at the beginning.
As a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also
moved to the end, since it seems those three members should stick
around together. :)
Cc: stable@vger.kernel.org
Fixes: ed3100e90d0d ("virtio_net: Use new RSS config structs")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/aWIItWq5dV9XTTCJ@kspp
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/virtio_net.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -425,9 +425,6 @@ struct virtnet_info {
u16 rss_indir_table_size;
u32 rss_hash_types_supported;
u32 rss_hash_types_saved;
- struct virtio_net_rss_config_hdr *rss_hdr;
- struct virtio_net_rss_config_trailer rss_trailer;
- u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];
/* Has control virtqueue */
bool has_cvq;
@@ -493,7 +490,16 @@ struct virtnet_info {
struct failover *failover;
u64 device_stats_cap;
+
+ struct virtio_net_rss_config_hdr *rss_hdr;
+
+ /* Must be last as it ends in a flexible-array member. */
+ TRAILING_OVERLAP(struct virtio_net_rss_config_trailer, rss_trailer, hash_key_data,
+ u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];
+ );
};
+static_assert(offsetof(struct virtnet_info, rss_trailer.hash_key_data) ==
+ offsetof(struct virtnet_info, rss_hash_key_data));
struct padded_vnet_hdr {
struct virtio_net_hdr_v1_hash hdr;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 011/198] io_uring: move local task_work in exit cancel loop
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2026-01-21 18:13 ` [PATCH 6.18 010/198] virtio_net: Fix misalignment bug in struct virtnet_info Greg Kroah-Hartman
@ 2026-01-21 18:13 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 012/198] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation Greg Kroah-Hartman
` (200 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:13 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ming Lei, Jens Axboe
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ming Lei <ming.lei@redhat.com>
commit da579f05ef0faada3559e7faddf761c75cdf85e1 upstream.
With IORING_SETUP_DEFER_TASKRUN, task work is queued to ctx->work_llist
(local work) rather than the fallback list. During io_ring_exit_work(),
io_move_task_work_from_local() was called once before the cancel loop,
moving work from work_llist to fallback_llist.
However, task work can be added to work_llist during the cancel loop
itself. There are two cases:
1) io_kill_timeouts() is called from io_uring_try_cancel_requests() to
cancel pending timeouts, and it adds task work via io_req_queue_tw_complete()
for each cancelled timeout:
2) URING_CMD requests like ublk can be completed via
io_uring_cmd_complete_in_task() from ublk_queue_rq() during canceling,
given ublk request queue is only quiesced when canceling the 1st uring_cmd.
Since io_allowed_defer_tw_run() returns false in io_ring_exit_work()
(kworker != submitter_task), io_run_local_work() is never invoked,
and the work_llist entries are never processed. This causes
io_uring_try_cancel_requests() to loop indefinitely, resulting in
100% CPU usage in kworker threads.
Fix this by moving io_move_task_work_from_local() inside the cancel
loop, ensuring any work on work_llist is moved to fallback before
each cancel attempt.
Cc: stable@vger.kernel.org
Fixes: c0e0d6ba25f1 ("io_uring: add IORING_SETUP_DEFER_TASKRUN")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3017,12 +3017,12 @@ static __cold void io_ring_exit_work(str
mutex_unlock(&ctx->uring_lock);
}
- if (ctx->flags & IORING_SETUP_DEFER_TASKRUN)
- io_move_task_work_from_local(ctx);
-
/* The SQPOLL thread never reaches this path */
- while (io_uring_try_cancel_requests(ctx, NULL, true, false))
+ do {
+ if (ctx->flags & IORING_SETUP_DEFER_TASKRUN)
+ io_move_task_work_from_local(ctx);
cond_resched();
+ } while (io_uring_try_cancel_requests(ctx, NULL, true, false));
if (ctx->sq_data) {
struct io_sq_data *sqd = ctx->sq_data;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 012/198] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2026-01-21 18:13 ` [PATCH 6.18 011/198] io_uring: move local task_work in exit cancel loop Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 013/198] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set Greg Kroah-Hartman
` (199 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Sabrina Dubroca,
Steffen Klassert, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit 3d5221af9c7711b7aec8da1298c8fc393ef6183d ]
Commit 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner
protocol") attempted to fix GSO segmentation by reading the inner
protocol from XFRM_MODE_SKB_CB(skb)->protocol. This was incorrect
because the field holds the inner L4 protocol (TCP/UDP) instead of the
required tunnel protocol. Also, the memory location (shared by
XFRM_SKB_CB(skb) which could be overwritten by xfrm_replay_overflow())
is prone to corruption. This combination caused the kernel to select
the wrong inner mode and get the wrong address family.
The correct value is in xfrm_offload(skb)->proto, which is set from
the outer tunnel header's protocol field by esp[4|6]_gso_encap(). It
is initialized by xfrm[4|6]_tunnel_encap_add() to either IPPROTO_IPIP
or IPPROTO_IPV6, using xfrm_af2proto() and correctly reflects the
inner packet's address family.
Fixes: 61fafbee6cfe ("xfrm: Determine inner GSO type from packet inner protocol")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/esp4_offload.c | 4 ++--
net/ipv6/esp6_offload.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index 05828d4cb6cdb..abd77162f5e75 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -122,8 +122,8 @@ static struct sk_buff *xfrm4_tunnel_gso_segment(struct xfrm_state *x,
struct sk_buff *skb,
netdev_features_t features)
{
- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
- XFRM_MODE_SKB_CB(skb)->protocol);
+ struct xfrm_offload *xo = xfrm_offload(skb);
+ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
__be16 type = inner_mode->family == AF_INET6 ? htons(ETH_P_IPV6)
: htons(ETH_P_IP);
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 22410243ebe88..22895521a57d0 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -158,8 +158,8 @@ static struct sk_buff *xfrm6_tunnel_gso_segment(struct xfrm_state *x,
struct sk_buff *skb,
netdev_features_t features)
{
- const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x,
- XFRM_MODE_SKB_CB(skb)->protocol);
+ struct xfrm_offload *xo = xfrm_offload(skb);
+ const struct xfrm_mode *inner_mode = xfrm_ip2inner_mode(x, xo->proto);
__be16 type = inner_mode->family == AF_INET ? htons(ETH_P_IP)
: htons(ETH_P_IPV6);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 013/198] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 012/198] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 014/198] pNFS: Fix a deadlock when returning a delegation during open() Greg Kroah-Hartman
` (198 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Antony Antony, Steffen Klassert,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Antony Antony <antony.antony@secunet.com>
[ Upstream commit c196def07bbc6e8306d7a274433913444b0db20a ]
The XFRM_STATE_NOPMTUDISC flag is only meaningful for output SAs, but
it was being applied regardless of the SA direction when the sysctl
ip_no_pmtu_disc is enabled. This can unintentionally affect input SAs.
Limit setting XFRM_STATE_NOPMTUDISC to output SAs when the SA direction
is configured.
Closes: https://github.com/strongswan/strongswan/issues/2946
Fixes: a4a87fa4e96c ("xfrm: Add Direction to the SA in or out")
Signed-off-by: Antony Antony <antony.antony@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/xfrm/xfrm_state.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 9e14e453b55cc..98b362d518363 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -3151,6 +3151,7 @@ int __xfrm_init_state(struct xfrm_state *x, struct netlink_ext_ack *extack)
int err;
if (family == AF_INET &&
+ (!x->dir || x->dir == XFRM_SA_DIR_OUT) &&
READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc))
x->props.flags |= XFRM_STATE_NOPMTUDISC;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 014/198] pNFS: Fix a deadlock when returning a delegation during open()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 013/198] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 015/198] NFS: Fix a deadlock involving nfs_release_folio() Greg Kroah-Hartman
` (197 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Coddington, Trond Myklebust,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 857bf9056291a16785ae3be1d291026b2437fc48 ]
Ben Coddington reports seeing a hang in the following stack trace:
0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415
1 [ffffd0b50e177548] schedule at ffffffff9ca05717
2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1
3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb
4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5
5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4]
6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4]
7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4]
8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4]
9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4]
10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4]
11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4]
12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4]
13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4]
14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4]
15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4]
16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4]
17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea
18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e
19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935
The issue is that the delegreturn is being asked to wait for a layout
return that cannot complete because a state recovery was initiated. The
state recovery cannot complete until the open() finishes processing the
delegations it was given.
The solution is to propagate the existing flags that indicate a
non-blocking call to the function pnfs_roc(), so that it knows not to
wait in this situation.
Reported-by: Benjamin Coddington <bcodding@hammerspace.com>
Fixes: 29ade5db1293 ("pNFS: Wait on outstanding layoutreturns to complete in pnfs_roc()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4proc.c | 6 ++---
fs/nfs/pnfs.c | 58 +++++++++++++++++++++++++++++++++--------------
fs/nfs/pnfs.h | 17 ++++++--------
3 files changed, 51 insertions(+), 30 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 3b436ba2ed3bf..3745c59f0af25 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -3894,8 +3894,8 @@ int nfs4_do_close(struct nfs4_state *state, gfp_t gfp_mask, int wait)
calldata->res.seqid = calldata->arg.seqid;
calldata->res.server = server;
calldata->res.lr_ret = -NFS4ERR_NOMATCHING_LAYOUT;
- calldata->lr.roc = pnfs_roc(state->inode,
- &calldata->lr.arg, &calldata->lr.res, msg.rpc_cred);
+ calldata->lr.roc = pnfs_roc(state->inode, &calldata->lr.arg,
+ &calldata->lr.res, msg.rpc_cred, wait);
if (calldata->lr.roc) {
calldata->arg.lr_args = &calldata->lr.arg;
calldata->res.lr_res = &calldata->lr.res;
@@ -6946,7 +6946,7 @@ static int _nfs4_proc_delegreturn(struct inode *inode, const struct cred *cred,
data->inode = nfs_igrab_and_active(inode);
if (data->inode || issync) {
data->lr.roc = pnfs_roc(inode, &data->lr.arg, &data->lr.res,
- cred);
+ cred, issync);
if (data->lr.roc) {
data->args.lr_args = &data->lr.arg;
data->res.lr_res = &data->lr.res;
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index 7ce2e840217cf..33bc6db0dc92f 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1533,10 +1533,9 @@ static int pnfs_layout_return_on_reboot(struct pnfs_layout_hdr *lo)
PNFS_FL_LAYOUTRETURN_PRIVILEGED);
}
-bool pnfs_roc(struct inode *ino,
- struct nfs4_layoutreturn_args *args,
- struct nfs4_layoutreturn_res *res,
- const struct cred *cred)
+bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args,
+ struct nfs4_layoutreturn_res *res, const struct cred *cred,
+ bool sync)
{
struct nfs_inode *nfsi = NFS_I(ino);
struct nfs_open_context *ctx;
@@ -1547,7 +1546,7 @@ bool pnfs_roc(struct inode *ino,
nfs4_stateid stateid;
enum pnfs_iomode iomode = 0;
bool layoutreturn = false, roc = false;
- bool skip_read = false;
+ bool skip_read;
if (!nfs_have_layout(ino))
return false;
@@ -1560,20 +1559,14 @@ bool pnfs_roc(struct inode *ino,
lo = NULL;
goto out_noroc;
}
- pnfs_get_layout_hdr(lo);
- if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) {
- spin_unlock(&ino->i_lock);
- rcu_read_unlock();
- wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN,
- TASK_UNINTERRUPTIBLE);
- pnfs_put_layout_hdr(lo);
- goto retry;
- }
/* no roc if we hold a delegation */
+ skip_read = false;
if (nfs4_check_delegation(ino, FMODE_READ)) {
- if (nfs4_check_delegation(ino, FMODE_WRITE))
+ if (nfs4_check_delegation(ino, FMODE_WRITE)) {
+ lo = NULL;
goto out_noroc;
+ }
skip_read = true;
}
@@ -1582,12 +1575,43 @@ bool pnfs_roc(struct inode *ino,
if (state == NULL)
continue;
/* Don't return layout if there is open file state */
- if (state->state & FMODE_WRITE)
+ if (state->state & FMODE_WRITE) {
+ lo = NULL;
goto out_noroc;
+ }
if (state->state & FMODE_READ)
skip_read = true;
}
+ if (skip_read) {
+ bool writes = false;
+
+ list_for_each_entry(lseg, &lo->plh_segs, pls_list) {
+ if (lseg->pls_range.iomode != IOMODE_READ) {
+ writes = true;
+ break;
+ }
+ }
+ if (!writes) {
+ lo = NULL;
+ goto out_noroc;
+ }
+ }
+
+ pnfs_get_layout_hdr(lo);
+ if (test_bit(NFS_LAYOUT_RETURN_LOCK, &lo->plh_flags)) {
+ if (!sync) {
+ pnfs_set_plh_return_info(
+ lo, skip_read ? IOMODE_RW : IOMODE_ANY, 0);
+ goto out_noroc;
+ }
+ spin_unlock(&ino->i_lock);
+ rcu_read_unlock();
+ wait_on_bit(&lo->plh_flags, NFS_LAYOUT_RETURN,
+ TASK_UNINTERRUPTIBLE);
+ pnfs_put_layout_hdr(lo);
+ goto retry;
+ }
list_for_each_entry_safe(lseg, next, &lo->plh_segs, pls_list) {
if (skip_read && lseg->pls_range.iomode == IOMODE_READ)
@@ -1627,7 +1651,7 @@ bool pnfs_roc(struct inode *ino,
out_noroc:
spin_unlock(&ino->i_lock);
rcu_read_unlock();
- pnfs_layoutcommit_inode(ino, true);
+ pnfs_layoutcommit_inode(ino, sync);
if (roc) {
struct pnfs_layoutdriver_type *ld = NFS_SERVER(ino)->pnfs_curr_ld;
if (ld->prepare_layoutreturn)
diff --git a/fs/nfs/pnfs.h b/fs/nfs/pnfs.h
index 91ff877185c8a..3db8f13d8fe4e 100644
--- a/fs/nfs/pnfs.h
+++ b/fs/nfs/pnfs.h
@@ -303,10 +303,9 @@ int pnfs_mark_matching_lsegs_return(struct pnfs_layout_hdr *lo,
u32 seq);
int pnfs_mark_layout_stateid_invalid(struct pnfs_layout_hdr *lo,
struct list_head *lseg_list);
-bool pnfs_roc(struct inode *ino,
- struct nfs4_layoutreturn_args *args,
- struct nfs4_layoutreturn_res *res,
- const struct cred *cred);
+bool pnfs_roc(struct inode *ino, struct nfs4_layoutreturn_args *args,
+ struct nfs4_layoutreturn_res *res, const struct cred *cred,
+ bool sync);
int pnfs_roc_done(struct rpc_task *task, struct nfs4_layoutreturn_args **argpp,
struct nfs4_layoutreturn_res **respp, int *ret);
void pnfs_roc_release(struct nfs4_layoutreturn_args *args,
@@ -773,12 +772,10 @@ pnfs_layoutcommit_outstanding(struct inode *inode)
return false;
}
-
-static inline bool
-pnfs_roc(struct inode *ino,
- struct nfs4_layoutreturn_args *args,
- struct nfs4_layoutreturn_res *res,
- const struct cred *cred)
+static inline bool pnfs_roc(struct inode *ino,
+ struct nfs4_layoutreturn_args *args,
+ struct nfs4_layoutreturn_res *res,
+ const struct cred *cred, bool sync)
{
return false;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 015/198] NFS: Fix a deadlock involving nfs_release_folio()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 014/198] pNFS: Fix a deadlock when returning a delegation during open() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 016/198] pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() Greg Kroah-Hartman
` (196 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Zhaolong, Trond Myklebust,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit cce0be6eb4971456b703aaeafd571650d314bcca ]
Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery
waiting on kthreadd, which is attempting to reclaim memory by calling
nfs_release_folio(). The latter cannot make progress due to state
recovery being needed.
It seems that the only safe thing to do here is to kick off a writeback
of the folio, without waiting for completion, or else kicking off an
asynchronous commit.
Reported-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
Fixes: 96780ca55e3c ("NFS: fix up nfs_release_folio() to try to release the page")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/file.c | 3 ++-
fs/nfs/nfstrace.h | 3 +++
fs/nfs/write.c | 33 +++++++++++++++++++++++++++++++++
include/linux/nfs_fs.h | 1 +
4 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/file.c b/fs/nfs/file.c
index d020aab40c64e..d1c138a416cfb 100644
--- a/fs/nfs/file.c
+++ b/fs/nfs/file.c
@@ -511,7 +511,8 @@ static bool nfs_release_folio(struct folio *folio, gfp_t gfp)
if ((current_gfp_context(gfp) & GFP_KERNEL) != GFP_KERNEL ||
current_is_kswapd() || current_is_kcompactd())
return false;
- if (nfs_wb_folio(folio->mapping->host, folio) < 0)
+ if (nfs_wb_folio_reclaim(folio->mapping->host, folio) < 0 ||
+ folio_test_private(folio))
return false;
}
return nfs_fscache_release_folio(folio, gfp);
diff --git a/fs/nfs/nfstrace.h b/fs/nfs/nfstrace.h
index 6ce55e8e6b67c..9f9ce4a565ea6 100644
--- a/fs/nfs/nfstrace.h
+++ b/fs/nfs/nfstrace.h
@@ -1062,6 +1062,9 @@ DECLARE_EVENT_CLASS(nfs_folio_event_done,
DEFINE_NFS_FOLIO_EVENT(nfs_aop_readpage);
DEFINE_NFS_FOLIO_EVENT_DONE(nfs_aop_readpage_done);
+DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio_reclaim);
+DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_reclaim_done);
+
DEFINE_NFS_FOLIO_EVENT(nfs_writeback_folio);
DEFINE_NFS_FOLIO_EVENT_DONE(nfs_writeback_folio_done);
diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index 336c510f37502..bf412455e8edf 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -2024,6 +2024,39 @@ int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio)
return ret;
}
+/**
+ * nfs_wb_folio_reclaim - Write back all requests on one page
+ * @inode: pointer to page
+ * @folio: pointer to folio
+ *
+ * Assumes that the folio has been locked by the caller
+ */
+int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio)
+{
+ loff_t range_start = folio_pos(folio);
+ size_t len = folio_size(folio);
+ struct writeback_control wbc = {
+ .sync_mode = WB_SYNC_ALL,
+ .nr_to_write = 0,
+ .range_start = range_start,
+ .range_end = range_start + len - 1,
+ .for_sync = 1,
+ };
+ int ret;
+
+ if (folio_test_writeback(folio))
+ return -EBUSY;
+ if (folio_clear_dirty_for_io(folio)) {
+ trace_nfs_writeback_folio_reclaim(inode, range_start, len);
+ ret = nfs_writepage_locked(folio, &wbc);
+ trace_nfs_writeback_folio_reclaim_done(inode, range_start, len,
+ ret);
+ return ret;
+ }
+ nfs_commit_inode(inode, 0);
+ return 0;
+}
+
/**
* nfs_wb_folio - Write back all requests on one page
* @inode: pointer to page
diff --git a/include/linux/nfs_fs.h b/include/linux/nfs_fs.h
index c585939b6cd60..2cf490a3a239b 100644
--- a/include/linux/nfs_fs.h
+++ b/include/linux/nfs_fs.h
@@ -636,6 +636,7 @@ extern int nfs_update_folio(struct file *file, struct folio *folio,
extern int nfs_sync_inode(struct inode *inode);
extern int nfs_wb_all(struct inode *inode);
extern int nfs_wb_folio(struct inode *inode, struct folio *folio);
+extern int nfs_wb_folio_reclaim(struct inode *inode, struct folio *folio);
int nfs_wb_folio_cancel(struct inode *inode, struct folio *folio);
extern int nfs_commit_inode(struct inode *, int);
extern struct nfs_commit_data *nfs_commitdata_alloc(void);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 016/198] pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 015/198] NFS: Fix a deadlock involving nfs_release_folio() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 017/198] pnfs/blocklayout: Fix memory leak in bl_parse_scsi() Greg Kroah-Hartman
` (195 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Trond Myklebust,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 0c728083654f0066f5e10a1d2b0bd0907af19a58 ]
In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails,
the function jumps to the out_scratch label without freeing the already
allocated dsaddrs list, leading to a memory leak.
Fix this by jumping to the out_err_drain_dsaddrs label, which properly
frees the dsaddrs list before cleaning up other resources.
Fixes: d67ae825a59d6 ("pnfs/flexfiles: Add the FlexFile Layout Driver")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/flexfilelayout/flexfilelayoutdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/flexfilelayout/flexfilelayoutdev.c b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
index c55ea8fa3bfa5..c2d8a13a9dbdd 100644
--- a/fs/nfs/flexfilelayout/flexfilelayoutdev.c
+++ b/fs/nfs/flexfilelayout/flexfilelayoutdev.c
@@ -103,7 +103,7 @@ nfs4_ff_alloc_deviceid_node(struct nfs_server *server, struct pnfs_device *pdev,
sizeof(struct nfs4_ff_ds_version),
gfp_flags);
if (!ds_versions)
- goto out_scratch;
+ goto out_err_drain_dsaddrs;
for (i = 0; i < version_count; i++) {
/* 20 = version(4) + minor_version(4) + rsize(4) + wsize(4) +
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 017/198] pnfs/blocklayout: Fix memory leak in bl_parse_scsi()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 016/198] pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 018/198] drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume Greg Kroah-Hartman
` (194 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zilin Guan, Trond Myklebust,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zilin Guan <zilin@seu.edu.cn>
[ Upstream commit 5a74af51c3a6f4cd22c128b0c1c019f68fa90011 ]
In bl_parse_scsi(), if the block device length is zero, the function
returns immediately without releasing the file reference obtained via
bl_open_path(), leading to a memory leak.
Fix this by jumping to the out_blkdev_put label to ensure the file
reference is properly released.
Fixes: d76c769c8db4c ("pnfs/blocklayout: Don't add zero-length pnfs_block_dev")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/blocklayout/dev.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/blocklayout/dev.c b/fs/nfs/blocklayout/dev.c
index ab76120705e20..134d7f760a33a 100644
--- a/fs/nfs/blocklayout/dev.c
+++ b/fs/nfs/blocklayout/dev.c
@@ -417,8 +417,10 @@ bl_parse_scsi(struct nfs_server *server, struct pnfs_block_dev *d,
d->map = bl_map_simple;
d->pr_key = v->scsi.pr_key;
- if (d->len == 0)
- return -ENODEV;
+ if (d->len == 0) {
+ error = -ENODEV;
+ goto out_blkdev_put;
+ }
ops = bdev->bd_disk->fops->pr_ops;
if (!ops) {
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 018/198] drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 017/198] pnfs/blocklayout: Fix memory leak in bl_parse_scsi() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 019/198] drm/vmwgfx: Fix KMS with 3D on HW version 10 Greg Kroah-Hartman
` (193 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Reichel,
Cristian Ciocaltea, Heiko Stuebner, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sebastian.reichel@collabora.com>
[ Upstream commit 14adddc65340f2034751c95616861c0e888e2bb1 ]
After resume from suspend to RAM, the following splash is generated if
the HDMI driver is probed (independent of a connected cable):
[ 1194.484052] irq 80: nobody cared (try booting with the "irqpoll" option)
[ 1194.484074] CPU: 0 UID: 0 PID: 627 Comm: rtcwake Not tainted 6.17.0-rc7-g96f1a11414b3 #1 PREEMPT
[ 1194.484082] Hardware name: Rockchip RK3576 EVB V10 Board (DT)
[ 1194.484085] Call trace:
[ 1194.484087] ... (stripped)
[ 1194.484283] handlers:
[ 1194.484285] [<00000000bc363dcb>] dw_hdmi_qp_main_hardirq [dw_hdmi_qp]
[ 1194.484302] Disabling IRQ #80
Apparently the HDMI IP is losing part of its state while the system
is suspended and generates spurious interrupts during resume. The
bug has not yet been noticed, as system suspend does not yet work
properly on upstream kernel with either the Rockchip RK3588 or RK3576
platform.
Fixes: 128a9bf8ace2 ("drm/rockchip: Add basic RK3588 HDMI output support")
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patch.msgid.link/20251014-rockchip-hdmi-suspend-fix-v1-1-983fcbf44839@collabora.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c | 9 +++++++++
drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c | 12 +++++++++++-
include/drm/bridge/dw_hdmi_qp.h | 1 +
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
index 39332c57f2c54..c85eb340e5a35 100644
--- a/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
+++ b/drivers/gpu/drm/bridge/synopsys/dw-hdmi-qp.c
@@ -143,6 +143,7 @@ struct dw_hdmi_qp {
} phy;
struct regmap *regm;
+ int main_irq;
unsigned long tmds_char_rate;
};
@@ -1068,6 +1069,7 @@ struct dw_hdmi_qp *dw_hdmi_qp_bind(struct platform_device *pdev,
dw_hdmi_qp_init_hw(hdmi);
+ hdmi->main_irq = plat_data->main_irq;
ret = devm_request_threaded_irq(dev, plat_data->main_irq,
dw_hdmi_qp_main_hardirq, NULL,
IRQF_SHARED, dev_name(dev), hdmi);
@@ -1106,9 +1108,16 @@ struct dw_hdmi_qp *dw_hdmi_qp_bind(struct platform_device *pdev,
}
EXPORT_SYMBOL_GPL(dw_hdmi_qp_bind);
+void dw_hdmi_qp_suspend(struct device *dev, struct dw_hdmi_qp *hdmi)
+{
+ disable_irq(hdmi->main_irq);
+}
+EXPORT_SYMBOL_GPL(dw_hdmi_qp_suspend);
+
void dw_hdmi_qp_resume(struct device *dev, struct dw_hdmi_qp *hdmi)
{
dw_hdmi_qp_init_hw(hdmi);
+ enable_irq(hdmi->main_irq);
}
EXPORT_SYMBOL_GPL(dw_hdmi_qp_resume);
diff --git a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
index ed6e8f036f4b3..9ac45e7bc987a 100644
--- a/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
+++ b/drivers/gpu/drm/rockchip/dw_hdmi_qp-rockchip.c
@@ -597,6 +597,15 @@ static void dw_hdmi_qp_rockchip_remove(struct platform_device *pdev)
component_del(&pdev->dev, &dw_hdmi_qp_rockchip_ops);
}
+static int __maybe_unused dw_hdmi_qp_rockchip_suspend(struct device *dev)
+{
+ struct rockchip_hdmi_qp *hdmi = dev_get_drvdata(dev);
+
+ dw_hdmi_qp_suspend(dev, hdmi->hdmi);
+
+ return 0;
+}
+
static int __maybe_unused dw_hdmi_qp_rockchip_resume(struct device *dev)
{
struct rockchip_hdmi_qp *hdmi = dev_get_drvdata(dev);
@@ -612,7 +621,8 @@ static int __maybe_unused dw_hdmi_qp_rockchip_resume(struct device *dev)
}
static const struct dev_pm_ops dw_hdmi_qp_rockchip_pm = {
- SET_SYSTEM_SLEEP_PM_OPS(NULL, dw_hdmi_qp_rockchip_resume)
+ SET_SYSTEM_SLEEP_PM_OPS(dw_hdmi_qp_rockchip_suspend,
+ dw_hdmi_qp_rockchip_resume)
};
struct platform_driver dw_hdmi_qp_rockchip_pltfm_driver = {
diff --git a/include/drm/bridge/dw_hdmi_qp.h b/include/drm/bridge/dw_hdmi_qp.h
index e9be6d507ad9c..8955450663e53 100644
--- a/include/drm/bridge/dw_hdmi_qp.h
+++ b/include/drm/bridge/dw_hdmi_qp.h
@@ -28,5 +28,6 @@ struct dw_hdmi_qp_plat_data {
struct dw_hdmi_qp *dw_hdmi_qp_bind(struct platform_device *pdev,
struct drm_encoder *encoder,
const struct dw_hdmi_qp_plat_data *plat_data);
+void dw_hdmi_qp_suspend(struct device *dev, struct dw_hdmi_qp *hdmi);
void dw_hdmi_qp_resume(struct device *dev, struct dw_hdmi_qp *hdmi);
#endif /* __DW_HDMI_QP__ */
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 019/198] drm/vmwgfx: Fix KMS with 3D on HW version 10
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 018/198] drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 020/198] drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions Greg Kroah-Hartman
` (192 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Forbes, Zack Rusin, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit d9186faeae6efb7d0841a5e8eb213ff4c7966614 ]
HW version 10 does not have GB Surfaces so there is no backing buffer for
surface backed FBs. This would result in a nullptr dereference and crash
the driver causing a black screen.
Fixes: 965544150d1c ("drm/vmwgfx: Refactor cursor handling")
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Reviewed-by: Zack Rusin <zack.rusin@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patch.msgid.link/20251114203703.1946616-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
index 54ea1b513950a..535d844191e7a 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -763,13 +763,15 @@ static struct drm_framebuffer *vmw_kms_fb_create(struct drm_device *dev,
return ERR_PTR(ret);
}
- ttm_bo_reserve(&bo->tbo, false, false, NULL);
- ret = vmw_bo_dirty_add(bo);
- if (!ret && surface && surface->res.func->dirty_alloc) {
- surface->res.coherent = true;
- ret = surface->res.func->dirty_alloc(&surface->res);
+ if (bo) {
+ ttm_bo_reserve(&bo->tbo, false, false, NULL);
+ ret = vmw_bo_dirty_add(bo);
+ if (!ret && surface && surface->res.func->dirty_alloc) {
+ surface->res.coherent = true;
+ ret = surface->res.func->dirty_alloc(&surface->res);
+ }
+ ttm_bo_unreserve(&bo->tbo);
}
- ttm_bo_unreserve(&bo->tbo);
return &vfb->base;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 020/198] drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 019/198] drm/vmwgfx: Fix KMS with 3D on HW version 10 Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 021/198] NFS/localio: Deal with page bases that are > PAGE_SIZE Greg Kroah-Hartman
` (191 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Forbes, Zack Rusin, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Forbes <ian.forbes@broadcom.com>
[ Upstream commit 37a0cff4551c14aca4cfa6ef3f2f0e0f61d66825 ]
Some of the warnings need to be reordered between these two functions
in order to be correct. This has happened multiple times.
Merging them solves this problem once and for all.
Fixes: d6667f0ddf46 ("drm/vmwgfx: Fix handling of dumb buffers")
Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patch.msgid.link/20260107152059.3048329-1-ian.forbes@broadcom.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_bo.c | 22 ++++++++--------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
index f031a312c7835..b22887e8c8815 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_bo.c
@@ -32,9 +32,15 @@
#include <drm/ttm/ttm_placement.h>
-static void vmw_bo_release(struct vmw_bo *vbo)
+/**
+ * vmw_bo_free - vmw_bo destructor
+ *
+ * @bo: Pointer to the embedded struct ttm_buffer_object
+ */
+static void vmw_bo_free(struct ttm_buffer_object *bo)
{
struct vmw_resource *res;
+ struct vmw_bo *vbo = to_vmw_bo(&bo->base);
WARN_ON(kref_read(&vbo->tbo.base.refcount) != 0);
vmw_bo_unmap(vbo);
@@ -62,20 +68,8 @@ static void vmw_bo_release(struct vmw_bo *vbo)
}
vmw_surface_unreference(&vbo->dumb_surface);
}
- drm_gem_object_release(&vbo->tbo.base);
-}
-
-/**
- * vmw_bo_free - vmw_bo destructor
- *
- * @bo: Pointer to the embedded struct ttm_buffer_object
- */
-static void vmw_bo_free(struct ttm_buffer_object *bo)
-{
- struct vmw_bo *vbo = to_vmw_bo(&bo->base);
-
WARN_ON(!RB_EMPTY_ROOT(&vbo->res_tree));
- vmw_bo_release(vbo);
+ drm_gem_object_release(&vbo->tbo.base);
WARN_ON(vbo->dirty);
kfree(vbo);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 021/198] NFS/localio: Deal with page bases that are > PAGE_SIZE
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 020/198] drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 022/198] drm/rockchip: vop2: Add delay between poll registers Greg Kroah-Hartman
` (190 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Mike Snitzer,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 60699ab7cbf0a4eb19929cce243002b39c67917d ]
When resending requests, etc, the page base can quickly grow larger than
the page size.
Fixes: 091bdcfcece0 ("nfs/localio: refactor iocb and iov_iter_bvec initialization")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Reviewed-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/localio.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/nfs/localio.c b/fs/nfs/localio.c
index ed2a7efaf8f20..f537bc3386bf2 100644
--- a/fs/nfs/localio.c
+++ b/fs/nfs/localio.c
@@ -461,6 +461,8 @@ nfs_local_iters_init(struct nfs_local_kiocb *iocb, int rw)
v = 0;
total = hdr->args.count;
base = hdr->args.pgbase;
+ pagevec += base >> PAGE_SHIFT;
+ base &= ~PAGE_MASK;
while (total && v < hdr->page_array.npages) {
len = min_t(size_t, total, PAGE_SIZE - base);
bvec_set_page(&iocb->bvec[v], *pagevec, len, base);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 022/198] drm/rockchip: vop2: Add delay between poll registers
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 021/198] NFS/localio: Deal with page bases that are > PAGE_SIZE Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 023/198] drm/rockchip: vop2: Only wait for changed layer cfg done when there is pending cfgdone bits Greg Kroah-Hartman
` (189 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Yan, Heiko Stuebner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Yan <andy.yan@rock-chips.com>
[ Upstream commit 9fae82450d8a5f9c8fa016cd15186e975609b2ac ]
According to the implementation of read_poll_timeout_atomic, if the
delay time is 0, it will only use a simple loop based on timeout_us to
decrement the count. Therefore, the final timeout time will differ
significantly from the set timeout time. So, here we set a specific
delay time to ensure that the calculation of the timeout duration
is accurate.
Fixes: 3e89a8c68354 ("drm/rockchip: vop2: Fix the update of LAYER/PORT select registers when there are multi display output on rk3588/rk3568")
Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patch.msgid.link/20250718064120.8811-1-andyshrk@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
index cd8380f0eddc8..855386a6a9f5c 100644
--- a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+++ b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
@@ -2104,7 +2104,7 @@ static void rk3568_vop2_wait_for_port_mux_done(struct vop2 *vop2)
* Spin until the previous port_mux figuration is done.
*/
ret = readx_poll_timeout_atomic(rk3568_vop2_read_port_mux, vop2, port_mux_sel,
- port_mux_sel == vop2->old_port_sel, 0, 50 * 1000);
+ port_mux_sel == vop2->old_port_sel, 10, 50 * 1000);
if (ret)
DRM_DEV_ERROR(vop2->dev, "wait port_mux done timeout: 0x%x--0x%x\n",
port_mux_sel, vop2->old_port_sel);
@@ -2124,7 +2124,7 @@ static void rk3568_vop2_wait_for_layer_cfg_done(struct vop2 *vop2, u32 cfg)
* Spin until the previous layer configuration is done.
*/
ret = readx_poll_timeout_atomic(rk3568_vop2_read_layer_cfg, vop2, atv_layer_cfg,
- atv_layer_cfg == cfg, 0, 50 * 1000);
+ atv_layer_cfg == cfg, 10, 50 * 1000);
if (ret)
DRM_DEV_ERROR(vop2->dev, "wait layer cfg done timeout: 0x%x--0x%x\n",
atv_layer_cfg, cfg);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 023/198] drm/rockchip: vop2: Only wait for changed layer cfg done when there is pending cfgdone bits
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 022/198] drm/rockchip: vop2: Add delay between poll registers Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 024/198] PM: EM: Fix incorrect description of the cost field in struct em_perf_state Greg Kroah-Hartman
` (188 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Yan, Heiko Stuebner,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Yan <andy.yan@rock-chips.com>
[ Upstream commit 7f6721b767e219343cfe9a894f5bd869ff5b9d3a ]
The write of cfgdone bits always done at .atomic_flush.
When userspace makes plane zpos changes of two crtc within one commit,
at the .atomic_begin stage, crtcN will never receive the "layer change
cfg done" event of crtcM because crtcM has not yet written "cfgdone".
So only wait when there is pending cfgdone bits to avoid long timeout.
Fixes: 3e89a8c68354 ("drm/rockchip: vop2: Fix the update of LAYER/PORT select registers when there are multi display output on rk3588/rk3568")
Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patch.msgid.link/20250718064120.8811-2-andyshrk@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/rockchip_vop2_reg.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
index 855386a6a9f5c..f3950e8476a75 100644
--- a/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
+++ b/drivers/gpu/drm/rockchip/rockchip_vop2_reg.c
@@ -2144,6 +2144,7 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
u8 layer_sel_id;
unsigned int ofs;
u32 ovl_ctrl;
+ u32 cfg_done;
int i;
struct vop2_video_port *vp0 = &vop2->vps[0];
struct vop2_video_port *vp1 = &vop2->vps[1];
@@ -2298,8 +2299,16 @@ static void rk3568_vop2_setup_layer_mixer(struct vop2_video_port *vp)
rk3568_vop2_wait_for_port_mux_done(vop2);
}
- if (layer_sel != old_layer_sel && atv_layer_sel != old_layer_sel)
- rk3568_vop2_wait_for_layer_cfg_done(vop2, vop2->old_layer_sel);
+ if (layer_sel != old_layer_sel && atv_layer_sel != old_layer_sel) {
+ cfg_done = vop2_readl(vop2, RK3568_REG_CFG_DONE);
+ cfg_done &= (BIT(vop2->data->nr_vps) - 1);
+ cfg_done &= ~BIT(vp->id);
+ /*
+ * Changes of other VPs' overlays have not taken effect
+ */
+ if (cfg_done)
+ rk3568_vop2_wait_for_layer_cfg_done(vop2, vop2->old_layer_sel);
+ }
vop2_writel(vop2, RK3568_OVL_LAYER_SEL, layer_sel);
mutex_unlock(&vop2->ovl_lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 024/198] PM: EM: Fix incorrect description of the cost field in struct em_perf_state
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 023/198] drm/rockchip: vop2: Only wait for changed layer cfg done when there is pending cfgdone bits Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 025/198] ipv4: ip_tunnel: spread netdev_lockdep_set_classes() Greg Kroah-Hartman
` (187 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yaxiong Tian, Lukasz Luba,
Rafael J. Wysocki, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yaxiong Tian <tianyaxiong@kylinos.cn>
[ Upstream commit 54b603f2db6b95495bc33a8f2bde80f044baff9a ]
Due to commit 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove
division"), the logic for energy consumption calculation has been modified.
The actual calculation of cost is 10 * power * max_frequency / frequency
instead of power * max_frequency / frequency.
Therefore, the comment for cost has been updated to reflect the correct
content.
Fixes: 1b600da51073 ("PM: EM: Optimize em_cpu_energy() and remove division")
Signed-off-by: Yaxiong Tian <tianyaxiong@kylinos.cn>
Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
[ rjw: Added Fixes: tag ]
Link: https://patch.msgid.link/20251230061534.816894-1-tianyaxiong@kylinos.cn
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/energy_model.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/energy_model.h b/include/linux/energy_model.h
index 61d50571ad88a..ce2db5447d221 100644
--- a/include/linux/energy_model.h
+++ b/include/linux/energy_model.h
@@ -18,7 +18,7 @@
* @power: The power consumed at this level (by 1 CPU or by a registered
* device). It can be a total power: static and dynamic.
* @cost: The cost coefficient associated with this level, used during
- * energy calculation. Equal to: power * max_frequency / frequency
+ * energy calculation. Equal to: 10 * power * max_frequency / frequency
* @flags: see "em_perf_state flags" description below.
*/
struct em_perf_state {
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 025/198] ipv4: ip_tunnel: spread netdev_lockdep_set_classes()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 024/198] PM: EM: Fix incorrect description of the cost field in struct em_perf_state Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 026/198] can: etas_es58x: allow partial RX URB allocation to succeed Greg Kroah-Hartman
` (186 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1240b33467289f5ab50b,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 872ac785e7680dac9ec7f8c5ccd4f667f49d6997 ]
Inspired by yet another syzbot report.
IPv6 tunnels call netdev_lockdep_set_classes() for each tunnel type,
while IPv4 currently centralizes netdev_lockdep_set_classes() call from
ip_tunnel_init().
Make ip_tunnel_init() a macro, so that we have different lockdep
classes per tunnel type.
Fixes: 0bef512012b1 ("net: add netdev_lockdep_set_classes() to virtual drivers")
Reported-by: syzbot+1240b33467289f5ab50b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/695d439f.050a0220.1c677c.0347.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260106172426.1760721-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/ip_tunnels.h | 13 ++++++++++++-
net/ipv4/ip_tunnel.c | 5 ++---
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
index ecae35512b9b4..4021e6a73e32b 100644
--- a/include/net/ip_tunnels.h
+++ b/include/net/ip_tunnels.h
@@ -19,6 +19,7 @@
#include <net/rtnetlink.h>
#include <net/lwtunnel.h>
#include <net/dst_cache.h>
+#include <net/netdev_lock.h>
#if IS_ENABLED(CONFIG_IPV6)
#include <net/ipv6.h>
@@ -372,7 +373,17 @@ static inline void ip_tunnel_init_flow(struct flowi4 *fl4,
fl4->flowi4_flags = flow_flags;
}
-int ip_tunnel_init(struct net_device *dev);
+int __ip_tunnel_init(struct net_device *dev);
+#define ip_tunnel_init(DEV) \
+({ \
+ struct net_device *__dev = (DEV); \
+ int __res = __ip_tunnel_init(__dev); \
+ \
+ if (!__res) \
+ netdev_lockdep_set_classes(__dev);\
+ __res; \
+})
+
void ip_tunnel_uninit(struct net_device *dev);
void ip_tunnel_dellink(struct net_device *dev, struct list_head *head);
struct net *ip_tunnel_get_link_net(const struct net_device *dev);
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 158a30ae7c5f2..50d0f5fe4e4c6 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -1281,7 +1281,7 @@ int ip_tunnel_changelink(struct net_device *dev, struct nlattr *tb[],
}
EXPORT_SYMBOL_GPL(ip_tunnel_changelink);
-int ip_tunnel_init(struct net_device *dev)
+int __ip_tunnel_init(struct net_device *dev)
{
struct ip_tunnel *tunnel = netdev_priv(dev);
struct iphdr *iph = &tunnel->parms.iph;
@@ -1308,10 +1308,9 @@ int ip_tunnel_init(struct net_device *dev)
if (tunnel->collect_md)
netif_keep_dst(dev);
- netdev_lockdep_set_classes(dev);
return 0;
}
-EXPORT_SYMBOL_GPL(ip_tunnel_init);
+EXPORT_SYMBOL_GPL(__ip_tunnel_init);
void ip_tunnel_uninit(struct net_device *dev)
{
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 026/198] can: etas_es58x: allow partial RX URB allocation to succeed
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 025/198] ipv4: ip_tunnel: spread netdev_lockdep_set_classes() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 027/198] nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Greg Kroah-Hartman
` (185 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e8cb6691a7cf68256cb8,
Szymon Wilczek, Vincent Mailhol, Marc Kleine-Budde, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Szymon Wilczek <swilczek.lx@gmail.com>
[ Upstream commit b1979778e98569c1e78c2c7f16bb24d76541ab00 ]
When es58x_alloc_rx_urbs() fails to allocate the requested number of
URBs but succeeds in allocating some, it returns an error code.
This causes es58x_open() to return early, skipping the cleanup label
'free_urbs', which leads to the anchored URBs being leaked.
As pointed out by maintainer Vincent Mailhol, the driver is designed
to handle partial URB allocation gracefully. Therefore, partial
allocation should not be treated as a fatal error.
Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been
allocated, restoring the intended behavior and preventing the leak
in es58x_open().
Fixes: 8537257874e9 ("can: etas_es58x: add core support for ETAS ES58X CAN USB interfaces")
Reported-by: syzbot+e8cb6691a7cf68256cb8@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=e8cb6691a7cf68256cb8
Signed-off-by: Szymon Wilczek <swilczek.lx@gmail.com>
Reviewed-by: Vincent Mailhol <mailhol@kernel.org>
Link: https://patch.msgid.link/20251223011732.39361-1-swilczek.lx@gmail.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/etas_es58x/es58x_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
index adc91873c083f..6eeba9baa1317 100644
--- a/drivers/net/can/usb/etas_es58x/es58x_core.c
+++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
@@ -1736,7 +1736,7 @@ static int es58x_alloc_rx_urbs(struct es58x_device *es58x_dev)
dev_dbg(dev, "%s: Allocated %d rx URBs each of size %u\n",
__func__, i, rx_buf_len);
- return ret;
+ return 0;
}
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 027/198] nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 026/198] can: etas_es58x: allow partial RX URB allocation to succeed Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 028/198] cxl/port: Fix target list setup for multiple decoders sharing the same dport Greg Kroah-Hartman
` (184 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sagi Grimberg, Shivam Kumar,
Keith Busch, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shivam Kumar <kumar.shivam43666@gmail.com>
[ Upstream commit 32b63acd78f577b332d976aa06b56e70d054cbba ]
Commit efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
added ttag bounds checking and data_offset
validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate
whether the command's data structures (cmd->req.sg and cmd->iov) have
been properly initialized before processing H2C_DATA PDUs.
The nvmet_tcp_build_pdu_iovec() function dereferences these pointers
without NULL checks. This can be triggered by sending H2C_DATA PDU
immediately after the ICREQ/ICRESP handshake, before
sending a CONNECT command or NVMe write command.
Attack vectors that trigger NULL pointer dereferences:
1. H2C_DATA PDU sent before CONNECT → both pointers NULL
2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL
3. H2C_DATA PDU for uninitialized command slot → both pointers NULL
The fix validates both cmd->req.sg and cmd->iov before calling
nvmet_tcp_build_pdu_iovec(). Both checks are required because:
- Uninitialized commands: both NULL
- READ commands: cmd->req.sg allocated, cmd->iov NULL
- WRITE commands: both allocated
Fixes: efa56305908b ("nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length")
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Shivam Kumar <kumar.shivam43666@gmail.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/tcp.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
index 470bf37e5a637..41b6fd05519e4 100644
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -982,6 +982,18 @@ static int nvmet_tcp_handle_h2c_data_pdu(struct nvmet_tcp_queue *queue)
pr_err("H2CData PDU len %u is invalid\n", cmd->pdu_len);
goto err_proto;
}
+ /*
+ * Ensure command data structures are initialized. We must check both
+ * cmd->req.sg and cmd->iov because they can have different NULL states:
+ * - Uninitialized commands: both NULL
+ * - READ commands: cmd->req.sg allocated, cmd->iov NULL
+ * - WRITE commands: both allocated
+ */
+ if (unlikely(!cmd->req.sg || !cmd->iov)) {
+ pr_err("queue %d: H2CData PDU received for invalid command state (ttag %u)\n",
+ queue->idx, data->ttag);
+ goto err_proto;
+ }
cmd->pdu_recv = 0;
nvmet_tcp_build_pdu_iovec(cmd);
queue->cmd = cmd;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 028/198] cxl/port: Fix target list setup for multiple decoders sharing the same dport
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 027/198] nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 029/198] btrfs: release path before iget_failed() in btrfs_read_locked_inode() Greg Kroah-Hartman
` (183 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Jiang, Alison Schofield,
Jonathan Cameron, Robert Richter, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Richter <rrichter@amd.com>
[ Upstream commit 3e8aaacdad4f66641f87ab441fe644b45f8ebdff ]
If a switch port has more than one decoder that is using the same
downstream port, the enumeration of the target lists may fail with:
# dmesg | grep target.list
update_decoder_targets: cxl decoder1.0: dport3 found in target list, index 3
update_decoder_targets: cxl decoder1.0: dport2 found in target list, index 2
update_decoder_targets: cxl decoder1.0: dport0 found in target list, index 0
update_decoder_targets: cxl decoder2.0: dport3 found in target list, index 1
update_decoder_targets: cxl decoder4.0: dport3 found in target list, index 1
cxl_mem mem6: failed to find endpoint12:0000:00:01.4 in target list of decoder2.1
cxl_mem mem8: failed to find endpoint13:0000:20:01.4 in target list of decoder4.1
The case, that the same downstream port can be used in multiple target
lists, is allowed and possible.
Fix the update of the target list. Enumerate all children of the
switch port and do not stop the iteration after the first matching
target was found.
With the fix applied:
# dmesg | grep target.list
update_decoder_targets: cxl decoder1.0: dport2 found in target list, index 2
update_decoder_targets: cxl decoder1.0: dport0 found in target list, index 0
update_decoder_targets: cxl decoder1.0: dport3 found in target list, index 3
update_decoder_targets: cxl decoder2.0: dport3 found in target list, index 1
update_decoder_targets: cxl decoder2.1: dport3 found in target list, index 1
update_decoder_targets: cxl decoder4.0: dport3 found in target list, index 1
update_decoder_targets: cxl decoder4.1: dport3 found in target list, index 1
Analyzing the conditions when this happens:
1) A dport is shared by multiple decoders.
2) The decoders have interleaving configured (ways > 1).
The configuration above has the following hierarchy details (fixed
version):
root0
|_
| |
| decoder0.1
| ways: 2
| target_list: 0,1
|_______________________________________
| |
| dport0 | dport1
| |
port2 port4
| |
|___________________ |_____________________
| | | | | |
| decoder2.0 decoder2.1 | decoder4.0 decoder4.1
| ways: 2 ways: 2 | ways: 2 ways: 2
| target_list: 2,3 target_list: 2,3 | target_list: 2,3 target_list: 2,3
|___________________ |___________________
| | | |
| dport2 | dport3 | dport2 | dport3
| | | |
endpoint7 endpoint12 endpoint9 endpoint13
|_ |_ |_ |_
| | | | | | | |
| decoder7.0 | decoder12.0 | decoder9.0 | decoder13.0
| decoder7.2 | decoder12.2 | decoder9.2 | decoder13.2
| | | |
mem3 mem5 mem6 mem8
Note: Device numbers vary for every boot.
Current kernel fails to enumerate endpoint12 and endpoint13 as the
target list is not updated for the second decoder.
Fixes: 4f06d81e7c6a ("cxl: Defer dport allocation for switch ports")
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Reviewed-by: Alison Schofield <alison.schofield@intel.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
Signed-off-by: Robert Richter <rrichter@amd.com>
Link: https://patch.msgid.link/20260108101324.509667-1-rrichter@amd.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cxl/core/port.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cxl/core/port.c b/drivers/cxl/core/port.c
index 8128fd2b5b317..804e4a48540f6 100644
--- a/drivers/cxl/core/port.c
+++ b/drivers/cxl/core/port.c
@@ -1591,7 +1591,7 @@ static int update_decoder_targets(struct device *dev, void *data)
cxlsd->target[i] = dport;
dev_dbg(dev, "dport%d found in target list, index %d\n",
dport->port_id, i);
- return 1;
+ return 0;
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 029/198] btrfs: release path before iget_failed() in btrfs_read_locked_inode()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 028/198] cxl/port: Fix target list setup for multiple decoders sharing the same dport Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 030/198] btrfs: send: check for inline extents in range_is_hole_in_parent() Greg Kroah-Hartman
` (182 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c1c6edb02bea1da754d8,
Boris Burkov, Filipe Manana, David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 1e1f2055ad5a7a5d548789b334a4473a7665c418 ]
In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to
the 'out' label with a path that has a read locked leaf and then we call
iget_failed(). This can result in a ABBA deadlock, since iget_failed()
triggers inode eviction and that causes the release of the delayed inode,
which must lock the delayed inode's mutex, and a task updating a delayed
inode starts by taking the node's mutex and then modifying the inode's
subvolume btree.
Syzbot reported the following lockdep splat for this:
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
btrfs-cleaner/8725 is trying to acquire lock:
ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
but task is already holding lock:
ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (btrfs-tree-00){++++}-{4:4}:
__lock_release kernel/locking/lockdep.c:5574 [inline]
lock_release+0x198/0x39c kernel/locking/lockdep.c:5889
up_read+0x24/0x3c kernel/locking/rwsem.c:1632
btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169
btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]
btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133
btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395
__btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032
btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]
__btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141
__btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176
btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219
flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828
do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158
btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226
process_one_work+0x7e8/0x155c kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x958/0xed8 kernel/workqueue.c:3427
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
-> #0 (&delayed_node->mutex){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
__mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598
__mutex_lock kernel/locking/mutex.c:760 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
__btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]
btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326
btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587
evict+0x414/0x928 fs/inode.c:810
iput_final fs/inode.c:1914 [inline]
iput+0x95c/0xad4 fs/inode.c:1966
iget_failed+0xec/0x134 fs/bad_inode.c:248
btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101
btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837
btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]
btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrfs/defrag.c:309
cleaner_kthread+0x21c/0x418 fs/btrfs/disk-io.c:1516
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(btrfs-tree-00);
lock(&delayed_node->mutex);
lock(btrfs-tree-00);
lock(&delayed_node->mutex);
*** DEADLOCK ***
1 lock held by btrfs-cleaner/8725:
#0: ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145
stack backtrace:
CPU: 0 UID: 0 PID: 8725 Comm: btrfs-cleaner Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
dump_stack+0x1c/0x28 lib/dump_stack.c:129
print_circular_bug+0x324/0x32c kernel/locking/lockdep.c:2043
check_noncircular+0x154/0x174 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237
lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868
__mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598
__mutex_lock kernel/locking/mutex.c:760 [inline]
mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812
__btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290
btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]
btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326
btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587
evict+0x414/0x928 fs/inode.c:810
iput_final fs/inode.c:1914 [inline]
iput+0x95c/0xad4 fs/inode.c:1966
iget_failed+0xec/0x134 fs/bad_inode.c:248
btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101
btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837
btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]
btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrfs/defrag.c:309
cleaner_kthread+0x21c/0x418 fs/btrfs/disk-io.c:1516
kthread+0x5fc/0x75c kernel/kthread.c:463
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
Fix this by releasing the path before calling iget_failed().
Reported-by: syzbot+c1c6edb02bea1da754d8@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/694530c2.a70a0220.207337.010d.GAE@google.com/
Fixes: 69673992b1ae ("btrfs: push cleanup into btrfs_read_locked_inode()")
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 27a562bad6e87..1af9b05328ce8 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -4108,6 +4108,15 @@ static int btrfs_read_locked_inode(struct btrfs_inode *inode, struct btrfs_path
return 0;
out:
+ /*
+ * We may have a read locked leaf and iget_failed() triggers inode
+ * eviction which needs to release the delayed inode and that needs
+ * to lock the delayed inode's mutex. This can cause a ABBA deadlock
+ * with a task running delayed items, as that require first locking
+ * the delayed inode's mutex and then modifying its subvolume btree.
+ * So release the path before iget_failed().
+ */
+ btrfs_release_path(path);
iget_failed(vfs_inode);
return ret;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 030/198] btrfs: send: check for inline extents in range_is_hole_in_parent()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 029/198] btrfs: release path before iget_failed() in btrfs_read_locked_inode() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 031/198] Bluetooth: hci_sync: enable PA Sync Lost event Greg Kroah-Hartman
` (181 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Qu Wenruo,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit 08b096c1372cd69627f4f559fb47c9fb67a52b39 ]
Before accessing the disk_bytenr field of a file extent item we need
to check if we are dealing with an inline extent.
This is because for inline extents their data starts at the offset of
the disk_bytenr field. So accessing the disk_bytenr
means we are accessing inline data or in case the inline data is less
than 8 bytes we can actually cause an invalid
memory access if this inline extent item is the first item in the leaf
or access metadata from other items.
Fixes: 82bfb2e7b645 ("Btrfs: incremental send, fix unnecessary hole writes for sparse files")
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/send.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 96a030d28e091..9012ce7a742f4 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6399,6 +6399,8 @@ static int range_is_hole_in_parent(struct send_ctx *sctx,
extent_end = btrfs_file_extent_end(path);
if (extent_end <= start)
goto next;
+ if (btrfs_file_extent_type(leaf, fi) == BTRFS_FILE_EXTENT_INLINE)
+ return 0;
if (btrfs_file_extent_disk_bytenr(leaf, fi) == 0) {
search_start = extent_end;
goto next;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 031/198] Bluetooth: hci_sync: enable PA Sync Lost event
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 030/198] btrfs: send: check for inline extents in range_is_hole_in_parent() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 032/198] net: bridge: annotate data-races around fdb->{updated,used} Greg Kroah-Hartman
` (180 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Li, Luiz Augusto von Dentz,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Li <yang.li@amlogic.com>
[ Upstream commit ab749bfe6a1fc233213f2d00facea5233139d509 ]
Enable the PA Sync Lost event mask to ensure PA sync loss is properly
reported and handled.
Fixes: 485e0626e587 ("Bluetooth: hci_event: Fix not handling PA Sync Lost event")
Signed-off-by: Yang Li <yang.li@amlogic.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sync.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786b..f5896c023a9fa 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -4402,6 +4402,7 @@ static int hci_le_set_event_mask_sync(struct hci_dev *hdev)
if (bis_capable(hdev)) {
events[1] |= 0x20; /* LE PA Report */
events[1] |= 0x40; /* LE PA Sync Established */
+ events[1] |= 0x80; /* LE PA Sync Lost */
events[3] |= 0x04; /* LE Create BIG Complete */
events[3] |= 0x08; /* LE Terminate BIG Complete */
events[3] |= 0x10; /* LE BIG Sync Established */
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 032/198] net: bridge: annotate data-races around fdb->{updated,used}
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 031/198] Bluetooth: hci_sync: enable PA Sync Lost event Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 033/198] ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Greg Kroah-Hartman
` (179 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bfab43087ad57222ce96,
Eric Dumazet, Nikolay Aleksandrov, Ido Schimmel, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit b25a0b4a2193407aa72a4cd1df66a7ed07dd4f1e ]
fdb->updated and fdb->used are read and written locklessly.
Add READ_ONCE()/WRITE_ONCE() annotations.
Fixes: 31cbc39b6344 ("net: bridge: add option to allow activity notifications for any fdb entries")
Reported-by: syzbot+bfab43087ad57222ce96@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/695e3d74.050a0220.1c677c.035f.GAE@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20260108093806.834459-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bridge/br_fdb.c | 28 ++++++++++++++++------------
net/bridge/br_input.c | 4 ++--
2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 58d22e2b85fc3..0501ffcb8a3dd 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -70,7 +70,7 @@ static inline int has_expired(const struct net_bridge *br,
{
return !test_bit(BR_FDB_STATIC, &fdb->flags) &&
!test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags) &&
- time_before_eq(fdb->updated + hold_time(br), jiffies);
+ time_before_eq(READ_ONCE(fdb->updated) + hold_time(br), jiffies);
}
static int fdb_to_nud(const struct net_bridge *br,
@@ -126,9 +126,9 @@ static int fdb_fill_info(struct sk_buff *skb, const struct net_bridge *br,
if (nla_put_u32(skb, NDA_FLAGS_EXT, ext_flags))
goto nla_put_failure;
- ci.ndm_used = jiffies_to_clock_t(now - fdb->used);
+ ci.ndm_used = jiffies_to_clock_t(now - READ_ONCE(fdb->used));
ci.ndm_confirmed = 0;
- ci.ndm_updated = jiffies_to_clock_t(now - fdb->updated);
+ ci.ndm_updated = jiffies_to_clock_t(now - READ_ONCE(fdb->updated));
ci.ndm_refcnt = 0;
if (nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci))
goto nla_put_failure;
@@ -551,7 +551,7 @@ void br_fdb_cleanup(struct work_struct *work)
*/
rcu_read_lock();
hlist_for_each_entry_rcu(f, &br->fdb_list, fdb_node) {
- unsigned long this_timer = f->updated + delay;
+ unsigned long this_timer = READ_ONCE(f->updated) + delay;
if (test_bit(BR_FDB_STATIC, &f->flags) ||
test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &f->flags)) {
@@ -924,6 +924,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
{
struct net_bridge_fdb_entry *f;
struct __fdb_entry *fe = buf;
+ unsigned long delta;
int num = 0;
memset(buf, 0, maxnum*sizeof(struct __fdb_entry));
@@ -953,8 +954,11 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
fe->port_hi = f->dst->port_no >> 8;
fe->is_local = test_bit(BR_FDB_LOCAL, &f->flags);
- if (!test_bit(BR_FDB_STATIC, &f->flags))
- fe->ageing_timer_value = jiffies_delta_to_clock_t(jiffies - f->updated);
+ if (!test_bit(BR_FDB_STATIC, &f->flags)) {
+ delta = jiffies - READ_ONCE(f->updated);
+ fe->ageing_timer_value =
+ jiffies_delta_to_clock_t(delta);
+ }
++fe;
++num;
}
@@ -1002,8 +1006,8 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
unsigned long now = jiffies;
bool fdb_modified = false;
- if (now != fdb->updated) {
- fdb->updated = now;
+ if (now != READ_ONCE(fdb->updated)) {
+ WRITE_ONCE(fdb->updated, now);
fdb_modified = __fdb_mark_active(fdb);
}
@@ -1242,10 +1246,10 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
if (fdb_handle_notify(fdb, notify))
modified = true;
- fdb->used = jiffies;
+ WRITE_ONCE(fdb->used, jiffies);
if (modified) {
if (refresh)
- fdb->updated = jiffies;
+ WRITE_ONCE(fdb->updated, jiffies);
fdb_notify(br, fdb, RTM_NEWNEIGH, true);
}
@@ -1556,7 +1560,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
goto err_unlock;
}
- fdb->updated = jiffies;
+ WRITE_ONCE(fdb->updated, jiffies);
if (READ_ONCE(fdb->dst) != p) {
WRITE_ONCE(fdb->dst, p);
@@ -1565,7 +1569,7 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
/* Refresh entry */
- fdb->used = jiffies;
+ WRITE_ONCE(fdb->used, jiffies);
} else {
modified = true;
}
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 777fa869c1a14..e355a15bf5ab1 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -221,8 +221,8 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
if (test_bit(BR_FDB_LOCAL, &dst->flags))
return br_pass_frame_up(skb, false);
- if (now != dst->used)
- dst->used = now;
+ if (now != READ_ONCE(dst->used))
+ WRITE_ONCE(dst->used, now);
br_forward(dst->dst, skb, local_rcv, false);
} else {
if (!mcast_hit)
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 033/198] ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 032/198] net: bridge: annotate data-races around fdb->{updated,used} Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 034/198] net: update netdev_lock_{type,name} Greg Kroah-Hartman
` (178 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+d4dda070f833dc5dc89a,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 81c734dae203757fb3c9eee6f9896386940776bd ]
Blamed commit did not take care of VLAN encapsulations
as spotted by syzbot [1].
Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull().
[1]
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
__INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321
ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729
__ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860
ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903
gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1
ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438
ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489
NF_HOOK include/linux/netfilter.h:318 [inline]
ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500
ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590
dst_input include/net/dst.h:474 [inline]
ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:318 [inline]
ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311
__netif_receive_skb_one_core net/core/dev.c:6139 [inline]
__netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252
netif_receive_skb_internal net/core/dev.c:6338 [inline]
netif_receive_skb+0x57/0x630 net/core/dev.c:6397
tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485
tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Uninit was created at:
slab_post_alloc_hook mm/slub.c:4960 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315
kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586
__alloc_skb+0x805/0x1040 net/core/skbuff.c:690
alloc_skb include/linux/skbuff.h:1383 [inline]
alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712
sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995
tun_alloc_skb drivers/net/tun.c:1461 [inline]
tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794
tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xbe2/0x15d0 fs/read_write.c:686
ksys_write fs/read_write.c:738 [inline]
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746
x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Fixes: 8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
Reported-by: syzbot+d4dda070f833dc5dc89a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/695e88b2.050a0220.1c677c.036d.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260107163109.4188620-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 6405072050e0e..c1f39735a2367 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -844,7 +844,7 @@ static int __ip6_tnl_rcv(struct ip6_tnl *tunnel, struct sk_buff *skb,
skb_reset_network_header(skb);
- if (!pskb_inet_may_pull(skb)) {
+ if (skb_vlan_inet_prepare(skb, true)) {
DEV_STATS_INC(tunnel->dev, rx_length_errors);
DEV_STATS_INC(tunnel->dev, rx_errors);
goto drop;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 034/198] net: update netdev_lock_{type,name}
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 033/198] ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 035/198] macvlan: fix possible UAF in macvlan_forward_source() Greg Kroah-Hartman
` (177 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit eb74c19fe10872ee1f29a8f90ca5ce943921afe9 ]
Add missing entries in netdev_lock_type[] and netdev_lock_name[] :
CAN, MCTP, RAWIP, CAIF, IP6GRE, 6LOWPAN, NETLINK, VSOCKMON,
IEEE802154_MONITOR.
Also add a WARN_ONCE() in netdev_lock_pos() to help future bug hunting
next time a protocol is added without updating these arrays.
Fixes: 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260108093244.830280-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/dev.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 2acfa44927daa..5b536860138d1 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -478,15 +478,21 @@ static const unsigned short netdev_lock_type[] = {
ARPHRD_IEEE1394, ARPHRD_EUI64, ARPHRD_INFINIBAND, ARPHRD_SLIP,
ARPHRD_CSLIP, ARPHRD_SLIP6, ARPHRD_CSLIP6, ARPHRD_RSRVD,
ARPHRD_ADAPT, ARPHRD_ROSE, ARPHRD_X25, ARPHRD_HWX25,
+ ARPHRD_CAN, ARPHRD_MCTP,
ARPHRD_PPP, ARPHRD_CISCO, ARPHRD_LAPB, ARPHRD_DDCMP,
- ARPHRD_RAWHDLC, ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
+ ARPHRD_RAWHDLC, ARPHRD_RAWIP,
+ ARPHRD_TUNNEL, ARPHRD_TUNNEL6, ARPHRD_FRAD,
ARPHRD_SKIP, ARPHRD_LOOPBACK, ARPHRD_LOCALTLK, ARPHRD_FDDI,
ARPHRD_BIF, ARPHRD_SIT, ARPHRD_IPDDP, ARPHRD_IPGRE,
ARPHRD_PIMREG, ARPHRD_HIPPI, ARPHRD_ASH, ARPHRD_ECONET,
ARPHRD_IRDA, ARPHRD_FCPP, ARPHRD_FCAL, ARPHRD_FCPL,
ARPHRD_FCFABRIC, ARPHRD_IEEE80211, ARPHRD_IEEE80211_PRISM,
- ARPHRD_IEEE80211_RADIOTAP, ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
- ARPHRD_IEEE802154, ARPHRD_VOID, ARPHRD_NONE};
+ ARPHRD_IEEE80211_RADIOTAP,
+ ARPHRD_IEEE802154, ARPHRD_IEEE802154_MONITOR,
+ ARPHRD_PHONET, ARPHRD_PHONET_PIPE,
+ ARPHRD_CAIF, ARPHRD_IP6GRE, ARPHRD_NETLINK, ARPHRD_6LOWPAN,
+ ARPHRD_VSOCKMON,
+ ARPHRD_VOID, ARPHRD_NONE};
static const char *const netdev_lock_name[] = {
"_xmit_NETROM", "_xmit_ETHER", "_xmit_EETHER", "_xmit_AX25",
@@ -495,15 +501,21 @@ static const char *const netdev_lock_name[] = {
"_xmit_IEEE1394", "_xmit_EUI64", "_xmit_INFINIBAND", "_xmit_SLIP",
"_xmit_CSLIP", "_xmit_SLIP6", "_xmit_CSLIP6", "_xmit_RSRVD",
"_xmit_ADAPT", "_xmit_ROSE", "_xmit_X25", "_xmit_HWX25",
+ "_xmit_CAN", "_xmit_MCTP",
"_xmit_PPP", "_xmit_CISCO", "_xmit_LAPB", "_xmit_DDCMP",
- "_xmit_RAWHDLC", "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
+ "_xmit_RAWHDLC", "_xmit_RAWIP",
+ "_xmit_TUNNEL", "_xmit_TUNNEL6", "_xmit_FRAD",
"_xmit_SKIP", "_xmit_LOOPBACK", "_xmit_LOCALTLK", "_xmit_FDDI",
"_xmit_BIF", "_xmit_SIT", "_xmit_IPDDP", "_xmit_IPGRE",
"_xmit_PIMREG", "_xmit_HIPPI", "_xmit_ASH", "_xmit_ECONET",
"_xmit_IRDA", "_xmit_FCPP", "_xmit_FCAL", "_xmit_FCPL",
"_xmit_FCFABRIC", "_xmit_IEEE80211", "_xmit_IEEE80211_PRISM",
- "_xmit_IEEE80211_RADIOTAP", "_xmit_PHONET", "_xmit_PHONET_PIPE",
- "_xmit_IEEE802154", "_xmit_VOID", "_xmit_NONE"};
+ "_xmit_IEEE80211_RADIOTAP",
+ "_xmit_IEEE802154", "_xmit_IEEE802154_MONITOR",
+ "_xmit_PHONET", "_xmit_PHONET_PIPE",
+ "_xmit_CAIF", "_xmit_IP6GRE", "_xmit_NETLINK", "_xmit_6LOWPAN",
+ "_xmit_VSOCKMON",
+ "_xmit_VOID", "_xmit_NONE"};
static struct lock_class_key netdev_xmit_lock_key[ARRAY_SIZE(netdev_lock_type)];
static struct lock_class_key netdev_addr_lock_key[ARRAY_SIZE(netdev_lock_type)];
@@ -516,6 +528,7 @@ static inline unsigned short netdev_lock_pos(unsigned short dev_type)
if (netdev_lock_type[i] == dev_type)
return i;
/* the last key is used by default */
+ WARN_ONCE(1, "netdev_lock_pos() could not find dev_type=%u\n", dev_type);
return ARRAY_SIZE(netdev_lock_type) - 1;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 035/198] macvlan: fix possible UAF in macvlan_forward_source()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 034/198] net: update netdev_lock_{type,name} Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 036/198] block: zero non-PI portion of auto integrity buffer Greg Kroah-Hartman
` (176 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7182fbe91e58602ec1fe,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7470a7a63dc162f07c26dbf960e41ee1e248d80e ]
Add RCU protection on (struct macvlan_source_entry)->vlan.
Whenever macvlan_hash_del_source() is called, we must clear
entry->vlan pointer before RCU grace period starts.
This allows macvlan_forward_source() to skip over
entries queued for freeing.
Note that macvlan_dev are already RCU protected, as they
are embedded in a standard netdev (netdev_priv(ndev)).
Fixes: 79cf79abce71 ("macvlan: add source mode")
Reported-by: syzbot+7182fbe91e58602ec1fe@syzkaller.appspotmail.com
https: //lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260108133651.1130486-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macvlan.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 7966545512cfe..b4df7e184791d 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -59,7 +59,7 @@ struct macvlan_port {
struct macvlan_source_entry {
struct hlist_node hlist;
- struct macvlan_dev *vlan;
+ struct macvlan_dev __rcu *vlan;
unsigned char addr[6+2] __aligned(sizeof(u16));
struct rcu_head rcu;
};
@@ -146,7 +146,7 @@ static struct macvlan_source_entry *macvlan_hash_lookup_source(
hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
if (ether_addr_equal_64bits(entry->addr, addr) &&
- entry->vlan == vlan)
+ rcu_access_pointer(entry->vlan) == vlan)
return entry;
}
return NULL;
@@ -168,7 +168,7 @@ static int macvlan_hash_add_source(struct macvlan_dev *vlan,
return -ENOMEM;
ether_addr_copy(entry->addr, addr);
- entry->vlan = vlan;
+ RCU_INIT_POINTER(entry->vlan, vlan);
h = &port->vlan_source_hash[macvlan_eth_hash(addr)];
hlist_add_head_rcu(&entry->hlist, h);
vlan->macaddr_count++;
@@ -187,6 +187,7 @@ static void macvlan_hash_add(struct macvlan_dev *vlan)
static void macvlan_hash_del_source(struct macvlan_source_entry *entry)
{
+ RCU_INIT_POINTER(entry->vlan, NULL);
hlist_del_rcu(&entry->hlist);
kfree_rcu(entry, rcu);
}
@@ -390,7 +391,7 @@ static void macvlan_flush_sources(struct macvlan_port *port,
int i;
hash_for_each_safe(port->vlan_source_hash, i, next, entry, hlist)
- if (entry->vlan == vlan)
+ if (rcu_access_pointer(entry->vlan) == vlan)
macvlan_hash_del_source(entry);
vlan->macaddr_count = 0;
@@ -433,9 +434,14 @@ static bool macvlan_forward_source(struct sk_buff *skb,
hlist_for_each_entry_rcu(entry, h, hlist) {
if (ether_addr_equal_64bits(entry->addr, addr)) {
- if (entry->vlan->flags & MACVLAN_FLAG_NODST)
+ struct macvlan_dev *vlan = rcu_dereference(entry->vlan);
+
+ if (!vlan)
+ continue;
+
+ if (vlan->flags & MACVLAN_FLAG_NODST)
consume = true;
- macvlan_forward_source_one(skb, entry->vlan);
+ macvlan_forward_source_one(skb, vlan);
}
}
@@ -1680,7 +1686,7 @@ static int macvlan_fill_info_macaddr(struct sk_buff *skb,
struct macvlan_source_entry *entry;
hlist_for_each_entry_rcu(entry, h, hlist, lockdep_rtnl_is_held()) {
- if (entry->vlan != vlan)
+ if (rcu_access_pointer(entry->vlan) != vlan)
continue;
if (nla_put(skb, IFLA_MACVLAN_MACADDR, ETH_ALEN, entry->addr))
return 1;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 036/198] block: zero non-PI portion of auto integrity buffer
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 035/198] macvlan: fix possible UAF in macvlan_forward_source() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 037/198] ipv4: ip_gre: make ipgre_header() robust Greg Kroah-Hartman
` (175 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Caleb Sander Mateos, Anuj Gupta,
Christoph Hellwig, Martin K. Petersen, Jens Axboe, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Caleb Sander Mateos <csander@purestorage.com>
[ Upstream commit ca22c566b89164f6e670af56ecc45f47ef3df819 ]
The auto-generated integrity buffer for writes needs to be fully
initialized before being passed to the underlying block device,
otherwise the uninitialized memory can be read back by userspace or
anyone with physical access to the storage device. If protection
information is generated, that portion of the integrity buffer is
already initialized. The integrity data is also zeroed if PI generation
is disabled via sysfs or the PI tuple size is 0. However, this misses
the case where PI is generated and the PI tuple size is nonzero, but the
metadata size is larger than the PI tuple. In this case, the remainder
("opaque") of the metadata is left uninitialized.
Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the
metadata is larger than just the PI tuple.
Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Fixes: c546d6f43833 ("block: only zero non-PI metadata tuples in bio_integrity_prep")
Reviewed-by: Anuj Gupta <anuj20.g@samsung.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/bio-integrity-auto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/block/bio-integrity-auto.c b/block/bio-integrity-auto.c
index 687952f63bbbf..b8b7587be9679 100644
--- a/block/bio-integrity-auto.c
+++ b/block/bio-integrity-auto.c
@@ -142,7 +142,7 @@ bool bio_integrity_prep(struct bio *bio)
return true;
set_flags = false;
gfp |= __GFP_ZERO;
- } else if (bi->csum_type == BLK_INTEGRITY_CSUM_NONE)
+ } else if (bi->metadata_size > bi->pi_tuple_size)
gfp |= __GFP_ZERO;
break;
default:
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 037/198] ipv4: ip_gre: make ipgre_header() robust
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 036/198] block: zero non-PI portion of auto integrity buffer Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 038/198] vsock/test: add a final full barrier after run all tests Greg Kroah-Hartman
` (174 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7c134e1c3aa3283790b9,
Eric Dumazet, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit e67c577d89894811ce4dcd1a9ed29d8b63476667 ]
Analog to commit db5b4e39c4e6 ("ip6_gre: make ip6gre_header() robust")
Over the years, syzbot found many ways to crash the kernel
in ipgre_header() [1].
This involves team or bonding drivers ability to dynamically
change their dev->needed_headroom and/or dev->hard_header_len
In this particular crash mld_newpack() allocated an skb
with a too small reserve/headroom, and by the time mld_sendpack()
was called, syzbot managed to attach an ipgre device.
[1]
skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0
kernel BUG at net/core/skbuff.c:213 !
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213
Call Trace:
<TASK>
skb_under_panic net/core/skbuff.c:223 [inline]
skb_push+0xc3/0xe0 net/core/skbuff.c:2641
ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897
dev_hard_header include/linux/netdevice.h:3436 [inline]
neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Reported-by: syzbot+7c134e1c3aa3283790b9@syzkaller.appspotmail.com
Closes: https://www.spinics.net/lists/netdev/msg1147302.html
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260108190214.1667040-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_gre.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 8178c44a3cdd4..e13244729ad8d 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -891,10 +891,17 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
const void *daddr, const void *saddr, unsigned int len)
{
struct ip_tunnel *t = netdev_priv(dev);
- struct iphdr *iph;
struct gre_base_hdr *greh;
+ struct iphdr *iph;
+ int needed;
+
+ needed = t->hlen + sizeof(*iph);
+ if (skb_headroom(skb) < needed &&
+ pskb_expand_head(skb, HH_DATA_ALIGN(needed - skb_headroom(skb)),
+ 0, GFP_ATOMIC))
+ return -needed;
- iph = skb_push(skb, t->hlen + sizeof(*iph));
+ iph = skb_push(skb, needed);
greh = (struct gre_base_hdr *)(iph+1);
greh->flags = gre_tnl_flags_to_gre_flags(t->parms.o_flags);
greh->protocol = htons(type);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 038/198] vsock/test: add a final full barrier after run all tests
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 037/198] ipv4: ip_gre: make ipgre_header() robust Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 039/198] net/mlx5e: Fix crash on profile change rollback failure Greg Kroah-Hartman
` (173 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luigi Leonardi, Stefano Garzarella,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit c39a6a277e0e67ffff6a8efcbbf7e7e23ce9e38c ]
If the last test fails, the other side still completes correctly,
which could lead to false positives.
Let's add a final barrier that ensures that the last test has finished
correctly on both sides, but also that the two sides agree on the
number of tests to be performed.
Fixes: 2f65b44e199c ("VSOCK: add full barrier between test cases")
Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/20260108114419.52747-1-sgarzare@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/vsock/util.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/tools/testing/vsock/util.c b/tools/testing/vsock/util.c
index d843643ced6b7..9430ef5b8bc3e 100644
--- a/tools/testing/vsock/util.c
+++ b/tools/testing/vsock/util.c
@@ -511,6 +511,18 @@ void run_tests(const struct test_case *test_cases,
printf("ok\n");
}
+
+ printf("All tests have been executed. Waiting other peer...");
+ fflush(stdout);
+
+ /*
+ * Final full barrier, to ensure that all tests have been run and
+ * that even the last one has been successful on both sides.
+ */
+ control_writeln("COMPLETED");
+ control_expectln("COMPLETED");
+
+ printf("ok\n");
}
void list_tests(const struct test_case *test_cases)
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 039/198] net/mlx5e: Fix crash on profile change rollback failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 038/198] vsock/test: add a final full barrier after run all tests Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 040/198] net/mlx5e: Dont store mlx5e_priv in mlx5e_dev devlink priv Greg Kroah-Hartman
` (172 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Saeed Mahameed, Tariq Toukan,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Saeed Mahameed <saeedm@nvidia.com>
[ Upstream commit 4dadc4077e3f77d6d31e199a925fc7a705e7adeb ]
mlx5e_netdev_change_profile can fail to attach a new profile and can
fail to rollback to old profile, in such case, we could end up with a
dangling netdev with a fully reset netdev_priv. A retry to change
profile, e.g. another attempt to call mlx5e_netdev_change_profile via
switchdev mode change, will crash trying to access the now NULL
priv->mdev.
This fix allows mlx5e_netdev_change_profile() to handle previous
failures and an empty priv, by not assuming priv is valid.
Pass netdev and mdev to all flows requiring
mlx5e_netdev_change_profile() and avoid passing priv.
In mlx5e_netdev_change_profile() check if current priv is valid, and if
not, just attach the new profile without trying to access the old one.
This fixes the following oops, when enabling switchdev mode for the 2nd
time after first time failure:
## Enabling switchdev mode first time:
mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
^^^^^^^^
mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
## retry: Enabling switchdev mode 2nd time:
mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload
BUG: kernel NULL pointer dereference, address: 0000000000000038
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_detach_netdev+0x3c/0x90
Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07
RSP: 0018:ffffc90000673890 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000
RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000
R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000
R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000
FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0
Call Trace:
<TASK>
mlx5e_netdev_change_profile+0x45/0xb0
mlx5e_vport_rep_load+0x27b/0x2d0
mlx5_esw_offloads_rep_load+0x72/0xf0
esw_offloads_enable+0x5d0/0x970
mlx5_eswitch_enable_locked+0x349/0x430
? is_mp_supported+0x57/0xb0
mlx5_devlink_eswitch_mode_set+0x26b/0x430
devlink_nl_eswitch_set_doit+0x6f/0xf0
genl_family_rcv_msg_doit+0xe8/0x140
genl_rcv_msg+0x18b/0x290
? __pfx_devlink_nl_pre_doit+0x10/0x10
? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10
? __pfx_devlink_nl_post_doit+0x10/0x10
? __pfx_genl_rcv_msg+0x10/0x10
netlink_rcv_skb+0x52/0x100
genl_rcv+0x28/0x40
netlink_unicast+0x282/0x3e0
? __alloc_skb+0xd6/0x190
netlink_sendmsg+0x1f7/0x430
__sys_sendto+0x213/0x220
? __sys_recvmsg+0x6a/0xd0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x50/0x1f0
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fdfb8495047
Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260108212657.25090-2-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en.h | 9 ++--
.../net/ethernet/mellanox/mlx5/core/en_main.c | 48 +++++++++++++------
.../net/ethernet/mellanox/mlx5/core/en_rep.c | 11 ++---
3 files changed, 44 insertions(+), 24 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
index a6479e4d8d8c6..cfdbeb21b61cf 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
@@ -1239,9 +1239,12 @@ mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *prof
int mlx5e_attach_netdev(struct mlx5e_priv *priv);
void mlx5e_detach_netdev(struct mlx5e_priv *priv);
void mlx5e_destroy_netdev(struct mlx5e_priv *priv);
-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
- const struct mlx5e_profile *new_profile, void *new_ppriv);
-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv);
+int mlx5e_netdev_change_profile(struct net_device *netdev,
+ struct mlx5_core_dev *mdev,
+ const struct mlx5e_profile *new_profile,
+ void *new_ppriv);
+void mlx5e_netdev_attach_nic_profile(struct net_device *netdev,
+ struct mlx5_core_dev *mdev);
void mlx5e_set_netdev_mtu_boundaries(struct mlx5e_priv *priv);
void mlx5e_build_nic_params(struct mlx5e_priv *priv, struct mlx5e_xsk *xsk, u16 mtu);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 1545f9c008f49..3850c267dfc02 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -6564,19 +6564,28 @@ mlx5e_netdev_attach_profile(struct net_device *netdev, struct mlx5_core_dev *mde
return err;
}
-int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
- const struct mlx5e_profile *new_profile, void *new_ppriv)
+int mlx5e_netdev_change_profile(struct net_device *netdev,
+ struct mlx5_core_dev *mdev,
+ const struct mlx5e_profile *new_profile,
+ void *new_ppriv)
{
- const struct mlx5e_profile *orig_profile = priv->profile;
- struct net_device *netdev = priv->netdev;
- struct mlx5_core_dev *mdev = priv->mdev;
- void *orig_ppriv = priv->ppriv;
+ struct mlx5e_priv *priv = netdev_priv(netdev);
+ const struct mlx5e_profile *orig_profile;
int err, rollback_err;
+ void *orig_ppriv;
- /* cleanup old profile */
- mlx5e_detach_netdev(priv);
- priv->profile->cleanup(priv);
- mlx5e_priv_cleanup(priv);
+ orig_profile = priv->profile;
+ orig_ppriv = priv->ppriv;
+
+ /* NULL could happen if previous change_profile failed to rollback */
+ if (priv->profile) {
+ WARN_ON_ONCE(priv->mdev != mdev);
+ /* cleanup old profile */
+ mlx5e_detach_netdev(priv);
+ priv->profile->cleanup(priv);
+ mlx5e_priv_cleanup(priv);
+ }
+ /* priv members are not valid from this point ... */
if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
mlx5e_netdev_init_profile(netdev, mdev, new_profile, new_ppriv);
@@ -6593,16 +6602,25 @@ int mlx5e_netdev_change_profile(struct mlx5e_priv *priv,
return 0;
rollback:
+ if (!orig_profile) {
+ netdev_warn(netdev, "no original profile to rollback to\n");
+ priv->profile = NULL;
+ return err;
+ }
+
rollback_err = mlx5e_netdev_attach_profile(netdev, mdev, orig_profile, orig_ppriv);
- if (rollback_err)
- netdev_err(netdev, "%s: failed to rollback to orig profile, %d\n",
- __func__, rollback_err);
+ if (rollback_err) {
+ netdev_err(netdev, "failed to rollback to orig profile, %d\n",
+ rollback_err);
+ priv->profile = NULL;
+ }
return err;
}
-void mlx5e_netdev_attach_nic_profile(struct mlx5e_priv *priv)
+void mlx5e_netdev_attach_nic_profile(struct net_device *netdev,
+ struct mlx5_core_dev *mdev)
{
- mlx5e_netdev_change_profile(priv, &mlx5e_nic_profile, NULL);
+ mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL);
}
void mlx5e_destroy_netdev(struct mlx5e_priv *priv)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
index 0335ca8277efa..2f6aa5e61747c 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
@@ -1508,17 +1508,16 @@ mlx5e_vport_uplink_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *
{
struct mlx5e_rep_priv *rpriv = mlx5e_rep_to_rep_priv(rep);
struct net_device *netdev;
- struct mlx5e_priv *priv;
int err;
netdev = mlx5_uplink_netdev_get(dev);
if (!netdev)
return 0;
- priv = netdev_priv(netdev);
- rpriv->netdev = priv->netdev;
- err = mlx5e_netdev_change_profile(priv, &mlx5e_uplink_rep_profile,
- rpriv);
+ /* must not use netdev_priv(netdev), it might not be initialized yet */
+ rpriv->netdev = netdev;
+ err = mlx5e_netdev_change_profile(netdev, dev,
+ &mlx5e_uplink_rep_profile, rpriv);
mlx5_uplink_netdev_put(dev, netdev);
return err;
}
@@ -1546,7 +1545,7 @@ mlx5e_vport_uplink_rep_unload(struct mlx5e_rep_priv *rpriv)
if (!(priv->mdev->priv.flags & MLX5_PRIV_FLAGS_SWITCH_LEGACY))
unregister_netdev(netdev);
- mlx5e_netdev_attach_nic_profile(priv);
+ mlx5e_netdev_attach_nic_profile(netdev, priv->mdev);
}
static int
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 040/198] net/mlx5e: Dont store mlx5e_priv in mlx5e_dev devlink priv
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 039/198] net/mlx5e: Fix crash on profile change rollback failure Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 041/198] net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv Greg Kroah-Hartman
` (171 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Saeed Mahameed, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Saeed Mahameed <saeedm@nvidia.com>
[ Upstream commit 123eda2e5b1638e298e3a66bb1e64a8da92de5e1 ]
mlx5e_priv is an unstable structure that can be memset(0) if profile
attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to
reference the netdev and mdev associated with that struct. Instead,
store netdev directly into mlx5e_dev and get mdev from the containing
mlx5_adev aux device structure.
This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
to change profile failure.
$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
Error: mlx5_core: Failed setting eswitch to offloads.
dmesg:
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
$ devlink dev reload pci/0000:00:03.0 ==> oops
BUG: kernel NULL pointer dereference, address: 0000000000000520
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_remove+0x68/0x130
RSP: 0018:ffffc900034838f0 EFLAGS: 00010246
RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10
R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0
R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400
FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0
Call Trace:
<TASK>
device_release_driver_internal+0x19c/0x200
bus_remove_device+0xc6/0x130
device_del+0x160/0x3d0
? devl_param_driverinit_value_get+0x2d/0x90
mlx5_detach_device+0x89/0xe0
mlx5_unload_one_devl_locked+0x3a/0x70
mlx5_devlink_reload_down+0xc8/0x220
devlink_reload+0x7d/0x260
devlink_nl_reload_doit+0x45b/0x5a0
genl_family_rcv_msg_doit+0xe8/0x140
Fixes: ee75f1fc44dd ("net/mlx5e: Create separate devlink instance for ethernet auxiliary device")
Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Link: https://patch.msgid.link/20260108212657.25090-3-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +-
.../net/ethernet/mellanox/mlx5/core/en_main.c | 20 ++++++++++---------
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
index cfdbeb21b61cf..bc1b343f89a25 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
@@ -963,7 +963,7 @@ struct mlx5e_priv {
};
struct mlx5e_dev {
- struct mlx5e_priv *priv;
+ struct net_device *netdev;
struct devlink_port dl_port;
};
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 3850c267dfc02..dcf1cd3488709 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -6635,8 +6635,8 @@ static int _mlx5e_resume(struct auxiliary_device *adev)
{
struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
- struct mlx5e_priv *priv = mlx5e_dev->priv;
- struct net_device *netdev = priv->netdev;
+ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev);
+ struct net_device *netdev = mlx5e_dev->netdev;
struct mlx5_core_dev *mdev = edev->mdev;
struct mlx5_core_dev *pos, *to;
int err, i;
@@ -6682,10 +6682,11 @@ static int mlx5e_resume(struct auxiliary_device *adev)
static int _mlx5e_suspend(struct auxiliary_device *adev, bool pre_netdev_reg)
{
+ struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
- struct mlx5e_priv *priv = mlx5e_dev->priv;
- struct net_device *netdev = priv->netdev;
- struct mlx5_core_dev *mdev = priv->mdev;
+ struct mlx5e_priv *priv = netdev_priv(mlx5e_dev->netdev);
+ struct net_device *netdev = mlx5e_dev->netdev;
+ struct mlx5_core_dev *mdev = edev->mdev;
struct mlx5_core_dev *pos;
int i;
@@ -6746,11 +6747,11 @@ static int _mlx5e_probe(struct auxiliary_device *adev)
goto err_devlink_port_unregister;
}
SET_NETDEV_DEVLINK_PORT(netdev, &mlx5e_dev->dl_port);
+ mlx5e_dev->netdev = netdev;
mlx5e_build_nic_netdev(netdev);
priv = netdev_priv(netdev);
- mlx5e_dev->priv = priv;
priv->profile = profile;
priv->ppriv = NULL;
@@ -6813,7 +6814,8 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
{
struct mlx5_adev *edev = container_of(adev, struct mlx5_adev, adev);
struct mlx5e_dev *mlx5e_dev = auxiliary_get_drvdata(adev);
- struct mlx5e_priv *priv = mlx5e_dev->priv;
+ struct net_device *netdev = mlx5e_dev->netdev;
+ struct mlx5e_priv *priv = netdev_priv(netdev);
struct mlx5_core_dev *mdev = edev->mdev;
mlx5_core_uplink_netdev_set(mdev, NULL);
@@ -6822,8 +6824,8 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
* if it's from legacy mode. If from switchdev mode, it
* is already unregistered before changing to NIC profile.
*/
- if (priv->netdev->reg_state == NETREG_REGISTERED) {
- unregister_netdev(priv->netdev);
+ if (netdev->reg_state == NETREG_REGISTERED) {
+ unregister_netdev(netdev);
_mlx5e_suspend(adev, false);
} else {
struct mlx5_core_dev *pos;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 041/198] net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 040/198] net/mlx5e: Dont store mlx5e_priv in mlx5e_dev devlink priv Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 042/198] net/mlx5e: Restore destroying state bit after profile cleanup Greg Kroah-Hartman
` (170 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Saeed Mahameed, Shay Drori,
Tariq Toukan, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Saeed Mahameed <saeedm@nvidia.com>
[ Upstream commit 4ef8512e1427111f7ba92b4a847d181ff0aeec42 ]
mlx5e_priv is an unstable structure that can be memset(0) if profile
attaching fails.
Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a
valid netdev.
On mlx5e_remove: Check validity of priv->profile, before attempting
to cleanup any resources that might be not there.
This fixes a kernel oops in mlx5e_remove when switchdev mode fails due
to change profile failure.
$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
Error: mlx5_core: Failed setting eswitch to offloads.
dmesg:
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
$ devlink dev reload pci/0000:00:03.0 ==> oops
BUG: kernel NULL pointer dereference, address: 0000000000000370
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100
RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286
RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0
RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10
R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0
R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400
FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0
Call Trace:
<TASK>
mlx5e_remove+0x57/0x110
device_release_driver_internal+0x19c/0x200
bus_remove_device+0xc6/0x130
device_del+0x160/0x3d0
? devl_param_driverinit_value_get+0x2d/0x90
mlx5_detach_device+0x89/0xe0
mlx5_unload_one_devl_locked+0x3a/0x70
mlx5_devlink_reload_down+0xc8/0x220
devlink_reload+0x7d/0x260
devlink_nl_reload_doit+0x45b/0x5a0
genl_family_rcv_msg_doit+0xe8/0x140
Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Shay Drori <shayd@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260108212657.25090-4-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 15 +++++++++------
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 4 ++--
3 files changed, 12 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en.h b/drivers/net/ethernet/mellanox/mlx5/core/en.h
index bc1b343f89a25..b34b85539f3b1 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en.h
@@ -1238,7 +1238,7 @@ struct net_device *
mlx5e_create_netdev(struct mlx5_core_dev *mdev, const struct mlx5e_profile *profile);
int mlx5e_attach_netdev(struct mlx5e_priv *priv);
void mlx5e_detach_netdev(struct mlx5e_priv *priv);
-void mlx5e_destroy_netdev(struct mlx5e_priv *priv);
+void mlx5e_destroy_netdev(struct net_device *netdev);
int mlx5e_netdev_change_profile(struct net_device *netdev,
struct mlx5_core_dev *mdev,
const struct mlx5e_profile *new_profile,
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index dcf1cd3488709..3863fb40ff929 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -6623,11 +6623,12 @@ void mlx5e_netdev_attach_nic_profile(struct net_device *netdev,
mlx5e_netdev_change_profile(netdev, mdev, &mlx5e_nic_profile, NULL);
}
-void mlx5e_destroy_netdev(struct mlx5e_priv *priv)
+void mlx5e_destroy_netdev(struct net_device *netdev)
{
- struct net_device *netdev = priv->netdev;
+ struct mlx5e_priv *priv = netdev_priv(netdev);
- mlx5e_priv_cleanup(priv);
+ if (priv->profile)
+ mlx5e_priv_cleanup(priv);
free_netdev(netdev);
}
@@ -6784,7 +6785,7 @@ static int _mlx5e_probe(struct auxiliary_device *adev)
err_profile_cleanup:
profile->cleanup(priv);
err_destroy_netdev:
- mlx5e_destroy_netdev(priv);
+ mlx5e_destroy_netdev(netdev);
err_devlink_port_unregister:
mlx5e_devlink_port_unregister(mlx5e_dev);
err_devlink_unregister:
@@ -6819,7 +6820,9 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
struct mlx5_core_dev *mdev = edev->mdev;
mlx5_core_uplink_netdev_set(mdev, NULL);
- mlx5e_dcbnl_delete_app(priv);
+
+ if (priv->profile)
+ mlx5e_dcbnl_delete_app(priv);
/* When unload driver, the netdev is in registered state
* if it's from legacy mode. If from switchdev mode, it
* is already unregistered before changing to NIC profile.
@@ -6840,7 +6843,7 @@ static void _mlx5e_remove(struct auxiliary_device *adev)
/* Avoid cleanup if profile rollback failed. */
if (priv->profile)
priv->profile->cleanup(priv);
- mlx5e_destroy_netdev(priv);
+ mlx5e_destroy_netdev(netdev);
mlx5e_devlink_port_unregister(mlx5e_dev);
mlx5e_destroy_devlink(mlx5e_dev);
}
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
index 2f6aa5e61747c..8b65441246244 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
@@ -1611,7 +1611,7 @@ mlx5e_vport_vf_rep_load(struct mlx5_core_dev *dev, struct mlx5_eswitch_rep *rep)
priv->profile->cleanup(priv);
err_destroy_netdev:
- mlx5e_destroy_netdev(netdev_priv(netdev));
+ mlx5e_destroy_netdev(netdev);
return err;
}
@@ -1666,7 +1666,7 @@ mlx5e_vport_rep_unload(struct mlx5_eswitch_rep *rep)
mlx5e_rep_vnic_reporter_destroy(priv);
mlx5e_detach_netdev(priv);
priv->profile->cleanup(priv);
- mlx5e_destroy_netdev(priv);
+ mlx5e_destroy_netdev(netdev);
free_ppriv:
kvfree(ppriv); /* mlx5e_rep_priv */
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 042/198] net/mlx5e: Restore destroying state bit after profile cleanup
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 041/198] net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 043/198] btrfs: fix memory leaks in create_space_info() error paths Greg Kroah-Hartman
` (169 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Saeed Mahameed, Tariq Toukan,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Saeed Mahameed <saeedm@nvidia.com>
[ Upstream commit 5629f8859dca7ef74d7314b60de6a957f23166c0 ]
Profile rollback can fail in mlx5e_netdev_change_profile() and we will
end up with invalid mlx5e_priv memset to 0, we must maintain the
'destroying' bit in order to gracefully shutdown even if the
profile/priv are not valid.
This patch maintains the previous state of the 'destroying' state of
mlx5e_priv after priv cleanup, to allow the remove flow to cleanup
common resources from mlx5_core to avoid FW fatal errors as seen below:
$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
Error: mlx5_core: Failed setting eswitch to offloads.
dmesg: mlx5_core 0000:00:03.0 enp0s3np0: failed to rollback to orig profile, ...
$ devlink dev reload pci/0000:00:03.0
mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)
mlx5_core 0000:00:03.0: poll_health:803:(pid 519): Fatal error 3 detected
mlx5_core 0000:00:03.0: firmware version: 28.41.1000
mlx5_core 0000:00:03.0: 0.000 Gb/s available PCIe bandwidth (Unknown x255 link)
mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
mlx5_core 0000:00:03.0: mlx5_function_enable:1200:(pid 519): enable hca failed
mlx5_core 0000:00:03.0: mlx5_health_try_recover:340:(pid 141): handling bad device here
mlx5_core 0000:00:03.0: mlx5_handle_bad_state:285:(pid 141): Expected to see disabled NIC but it is full driver
mlx5_core 0000:00:03.0: mlx5_error_sw_reset:236:(pid 141): start
mlx5_core 0000:00:03.0: NIC IFC still 0 after 4000ms.
Fixes: c4d7eb57687f ("net/mxl5e: Add change profile method")
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20260108212657.25090-5-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index 3863fb40ff929..f8d9968542d9c 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -6305,6 +6305,7 @@ int mlx5e_priv_init(struct mlx5e_priv *priv,
void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
{
+ bool destroying = test_bit(MLX5E_STATE_DESTROYING, &priv->state);
int i;
/* bail if change profile failed and also rollback failed */
@@ -6332,6 +6333,8 @@ void mlx5e_priv_cleanup(struct mlx5e_priv *priv)
}
memset(priv, 0, sizeof(*priv));
+ if (destroying) /* restore destroying bit, to allow unload */
+ set_bit(MLX5E_STATE_DESTROYING, &priv->state);
}
static unsigned int mlx5e_get_max_num_txqs(struct mlx5_core_dev *mdev,
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 043/198] btrfs: fix memory leaks in create_space_info() error paths
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 042/198] net/mlx5e: Restore destroying state bit after profile cleanup Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 044/198] cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve() Greg Kroah-Hartman
` (168 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Jiasheng Jiang,
David Sterba, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
[ Upstream commit a11224a016d6d1d46a4d9b6573244448a80d4d7f ]
In create_space_info(), the 'space_info' object is allocated at the
beginning of the function. However, there are two error paths where the
function returns an error code without freeing the allocated memory:
1. When create_space_info_sub_group() fails in zoned mode.
2. When btrfs_sysfs_add_space_info_type() fails.
In both cases, 'space_info' has not yet been added to the
fs_info->space_info list, resulting in a memory leak. Fix this by
adding an error handling label to kfree(space_info) before returning.
Fixes: 2be12ef79fe9 ("btrfs: Separate space_info create/update")
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/space-info.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/space-info.c b/fs/btrfs/space-info.c
index 85c466c85910a..a6f94e9f55915 100644
--- a/fs/btrfs/space-info.c
+++ b/fs/btrfs/space-info.c
@@ -305,18 +305,22 @@ static int create_space_info(struct btrfs_fs_info *info, u64 flags)
0);
if (ret)
- return ret;
+ goto out_free;
}
ret = btrfs_sysfs_add_space_info_type(info, space_info);
if (ret)
- return ret;
+ goto out_free;
list_add(&space_info->list, &info->space_info);
if (flags & BTRFS_BLOCK_GROUP_DATA)
info->data_sinfo = space_info;
return ret;
+
+out_free:
+ kfree(space_info);
+ return ret;
}
int btrfs_init_space_info(struct btrfs_fs_info *fs_info)
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 044/198] cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 043/198] btrfs: fix memory leaks in create_space_info() error paths Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 045/198] net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback Greg Kroah-Hartman
` (167 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Ming, Ira Weiny, Dave Jiang,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Ming <ming.li@zohomail.com>
[ Upstream commit d4026a44626490dc4eca4dd2c4d0816338fa179b ]
In __cxl_dpa_reserve(), it will check if the new resource range is
included in one of paritions of the cxl memory device.
cxlds->nr_paritions is used to represent how many partitions information
the cxl memory device has. In the loop, if driver cannot find a
partition including the new resource range, it will be an infinite loop.
[ dj: Removed incorrect fixes tag ]
Fixes: 991d98f17d31 ("cxl: Make cxl_dpa_alloc() DPA partition number agnostic")
Signed-off-by: Li Ming <ming.li@zohomail.com>
Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260112120526.530232-1-ming.li@zohomail.com
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cxl/core/hdm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cxl/core/hdm.c b/drivers/cxl/core/hdm.c
index d3a094ca01ad9..20dd638108062 100644
--- a/drivers/cxl/core/hdm.c
+++ b/drivers/cxl/core/hdm.c
@@ -403,7 +403,7 @@ static int __cxl_dpa_reserve(struct cxl_endpoint_decoder *cxled,
* is not set.
*/
if (cxled->part < 0)
- for (int i = 0; cxlds->nr_partitions; i++)
+ for (int i = 0; i < cxlds->nr_partitions; i++)
if (resource_contains(&cxlds->part[i].res, res)) {
cxled->part = i;
break;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 045/198] net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 044/198] cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 046/198] net: phy: motorcomm: fix duplex setting error for phy leds Greg Kroah-Hartman
` (166 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kery Qi, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kery Qi <qikeyu2017@gmail.com>
[ Upstream commit f93fc5d12d69012788f82151bee55fce937e1432 ]
octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to
ioq_vector. If request_irq() fails part-way, the rollback loop calls
free_irq() with dev_id set to 'oct', which does not match the original
dev_id and may leave the irqaction registered.
This can keep IRQ handlers alive while ioq_vector is later freed during
unwind/teardown, leading to a use-after-free or crash when an interrupt
fires.
Fix the error path to free IRQs with the same ioq_vector dev_id used
during request_irq().
Fixes: 1cd3b407977c ("octeon_ep_vf: add Tx/Rx processing and interrupt support")
Signed-off-by: Kery Qi <qikeyu2017@gmail.com>
Link: https://patch.msgid.link/20260108164256.1749-2-qikeyu2017@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
index 420c3f4cf7417..1d9760b4b8f47 100644
--- a/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
+++ b/drivers/net/ethernet/marvell/octeon_ep_vf/octep_vf_main.c
@@ -218,7 +218,7 @@ static int octep_vf_request_irqs(struct octep_vf_device *oct)
ioq_irq_err:
while (i) {
--i;
- free_irq(oct->msix_entries[i].vector, oct);
+ free_irq(oct->msix_entries[i].vector, oct->ioq_vector[i]);
}
return -1;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 046/198] net: phy: motorcomm: fix duplex setting error for phy leds
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 045/198] net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 047/198] net: airoha: Fix typo in airoha_ppe_setup_tc_block_cb definition Greg Kroah-Hartman
` (165 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jijie Shao, Andrew Lunn,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jijie Shao <shaojijie@huawei.com>
[ Upstream commit e02f2a0f1f9b6d4f0c620de2ce037d4436b58f70 ]
fix duplex setting error for phy leds
Fixes: 355b82c54c12 ("net: phy: motorcomm: Add support for PHY LEDs on YT8521")
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://patch.msgid.link/20260108071409.2750607-1-shaojijie@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/motorcomm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/phy/motorcomm.c b/drivers/net/phy/motorcomm.c
index a3593e6630594..b49897500a592 100644
--- a/drivers/net/phy/motorcomm.c
+++ b/drivers/net/phy/motorcomm.c
@@ -1741,10 +1741,10 @@ static int yt8521_led_hw_control_set(struct phy_device *phydev, u8 index,
val |= YT8521_LED_1000_ON_EN;
if (test_bit(TRIGGER_NETDEV_FULL_DUPLEX, &rules))
- val |= YT8521_LED_HDX_ON_EN;
+ val |= YT8521_LED_FDX_ON_EN;
if (test_bit(TRIGGER_NETDEV_HALF_DUPLEX, &rules))
- val |= YT8521_LED_FDX_ON_EN;
+ val |= YT8521_LED_HDX_ON_EN;
if (test_bit(TRIGGER_NETDEV_TX, &rules) ||
test_bit(TRIGGER_NETDEV_RX, &rules))
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 047/198] net: airoha: Fix typo in airoha_ppe_setup_tc_block_cb definition
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 046/198] net: phy: motorcomm: fix duplex setting error for phy leds Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 048/198] ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip Greg Kroah-Hartman
` (164 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Lorenzo Bianconi,
Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Bianconi <lorenzo@kernel.org>
[ Upstream commit dfdf774656205515b2d6ad94fce63c7ccbe92d91 ]
Fix Typo in airoha_ppe_dev_setup_tc_block_cb routine definition when
CONFIG_NET_AIROHA is not enabled.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202601090517.Fj6v501r-lkp@intel.com/
Fixes: f45fc18b6de04 ("net: airoha: Add airoha_ppe_dev struct definition")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260109-airoha_ppe_dev_setup_tc_block_cb-typo-v1-1-282e8834a9f9@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/soc/airoha/airoha_offload.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/soc/airoha/airoha_offload.h b/include/linux/soc/airoha/airoha_offload.h
index 1a33f846afafa..0e82f1f4d36c4 100644
--- a/include/linux/soc/airoha/airoha_offload.h
+++ b/include/linux/soc/airoha/airoha_offload.h
@@ -51,8 +51,8 @@ static inline void airoha_ppe_put_dev(struct airoha_ppe_dev *dev)
{
}
-static inline int airoha_ppe_setup_tc_block_cb(struct airoha_ppe_dev *dev,
- void *type_data)
+static inline int airoha_ppe_dev_setup_tc_block_cb(struct airoha_ppe_dev *dev,
+ void *type_data)
{
return -EOPNOTSUPP;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 048/198] ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 047/198] net: airoha: Fix typo in airoha_ppe_setup_tc_block_cb definition Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 049/198] ALSA: hda/cirrus_scodec_test: Fix test suite name Greg Kroah-Hartman
` (163 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit c5e96e54eca3876d4ce8857e2e22adbe9f44f4a2 ]
Set gpiochip parent to the struct device of the dummy GPIO driver
so that the software node will be associated with the GPIO chip.
The recent commit e5d527be7e698 ("gpio: swnode: don't use the
swnode's name as the key for GPIO lookup") broke cirrus_scodec_test,
because the software node no longer gets associated with the GPIO
driver by name.
Instead, setting struct gpio_chip.parent to the owning struct device
will find the node using a normal fwnode lookup.
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: 2144833e7b414 ("ALSA: hda: cirrus_scodec: Add KUnit test")
Link: https://patch.msgid.link/20260113130954.574670-1-rf@opensource.cirrus.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/side-codecs/cirrus_scodec_test.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
index 3cca750857b68..159ac80a93144 100644
--- a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
+++ b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
@@ -103,6 +103,7 @@ static int cirrus_scodec_test_gpio_probe(struct platform_device *pdev)
/* GPIO core modifies our struct gpio_chip so use a copy */
gpio_priv->chip = cirrus_scodec_test_gpio_chip;
+ gpio_priv->chip.parent = &pdev->dev;
ret = devm_gpiochip_add_data(&pdev->dev, &gpio_priv->chip, gpio_priv);
if (ret)
return dev_err_probe(&pdev->dev, ret, "Failed to add gpiochip\n");
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 049/198] ALSA: hda/cirrus_scodec_test: Fix test suite name
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 048/198] ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 050/198] net: hv_netvsc: reject RSS hash key programming without RX indirection table Greg Kroah-Hartman
` (162 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Takashi Iwai,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit 6a0243c4020636482797acfd48d7d9b0ea2f2a20 ]
Change the test suite name string to "snd-hda-cirrus-scodec-test".
It was incorrectly named "snd-hda-scodec-cs35l56-test", a leftover
from when the code under test was actually in the cs35l56 driver.
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: 2144833e7b414 ("ALSA: hda: cirrus_scodec: Add KUnit test")
Link: https://patch.msgid.link/20260113134056.619051-1-rf@opensource.cirrus.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/codecs/side-codecs/cirrus_scodec_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
index 159ac80a93144..dc35932b6b22f 100644
--- a/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
+++ b/sound/hda/codecs/side-codecs/cirrus_scodec_test.c
@@ -320,7 +320,7 @@ static struct kunit_case cirrus_scodec_test_cases[] = {
};
static struct kunit_suite cirrus_scodec_test_suite = {
- .name = "snd-hda-scodec-cs35l56-test",
+ .name = "snd-hda-cirrus-scodec-test",
.init = cirrus_scodec_test_case_init,
.test_cases = cirrus_scodec_test_cases,
};
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 050/198] net: hv_netvsc: reject RSS hash key programming without RX indirection table
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 049/198] ALSA: hda/cirrus_scodec_test: Fix test suite name Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 051/198] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() Greg Kroah-Hartman
` (161 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aditya Garg, Dipayaan Roy,
Haiyang Zhang, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aditya Garg <gargaditya@linux.microsoft.com>
[ Upstream commit d23564955811da493f34412d7de60fa268c8cb50 ]
RSS configuration requires a valid RX indirection table. When the device
reports a single receive queue, rndis_filter_device_add() does not
allocate an indirection table, accepting RSS hash key updates in this
state leads to a hang.
Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return
-EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device
capabilities and prevents incorrect behavior.
Fixes: 962f3fee83a4 ("netvsc: add ethtool ops to get/set RSS key")
Signed-off-by: Aditya Garg <gargaditya@linux.microsoft.com>
Reviewed-by: Dipayaan Roy <dipayanroy@linux.microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://patch.msgid.link/1768212093-1594-1-git-send-email-gargaditya@linux.microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/hyperv/netvsc_drv.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index 39c892e46cb01..25a358524a096 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -1757,6 +1757,9 @@ static int netvsc_set_rxfh(struct net_device *dev,
rxfh->hfunc != ETH_RSS_HASH_TOP)
return -EOPNOTSUPP;
+ if (!ndc->rx_table_sz)
+ return -EOPNOTSUPP;
+
rndis_dev = ndev->extension;
if (rxfh->indir) {
for (i = 0; i < ndc->rx_table_sz; i++)
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 051/198] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 050/198] net: hv_netvsc: reject RSS hash key programming without RX indirection table Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 052/198] ipv6: Fix use-after-free in inet6_addr_del() Greg Kroah-Hartman
` (160 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+179fc225724092b8b2b2,
Eric Dumazet, Martin KaFai Lau, David Ahern, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 9a6f0c4d5796ab89b5a28a890ce542344d58bd69 ]
syzbot was able to crash the kernel in rt6_uncached_list_flush_dev()
in an interesting way [1]
Crash happens in list_del_init()/INIT_LIST_HEAD() while writing
list->prev, while the prior write on list->next went well.
static inline void INIT_LIST_HEAD(struct list_head *list)
{
WRITE_ONCE(list->next, list); // This went well
WRITE_ONCE(list->prev, list); // Crash, @list has been freed.
}
Issue here is that rt6_uncached_list_del() did not attempt to lock
ul->lock, as list_empty(&rt->dst.rt_uncached) returned
true because the WRITE_ONCE(list->next, list) happened on the other CPU.
We might use list_del_init_careful() and list_empty_careful(),
or make sure rt6_uncached_list_del() always grabs the spinlock
whenever rt->dst.rt_uncached_list has been set.
A similar fix is neeed for IPv4.
[1]
BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline]
BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline]
BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450
CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
INIT_LIST_HEAD include/linux/list.h:46 [inline]
list_del_init include/linux/list.h:296 [inline]
rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline]
rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020
addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853
addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1
notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
netif_close_many+0x29c/0x410 net/core/dev.c:1785
unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248
cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Allocated by task 803:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
unpoison_slab_object mm/kasan/common.c:340 [inline]
__kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
dst_alloc+0x105/0x170 net/core/dst.c:89
ip6_dst_alloc net/ipv6/route.c:342 [inline]
icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Freed by task 20:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free mm/slub.c:6670 [inline]
kmem_cache_free+0x18f/0x8d0 mm/slub.c:6781
dst_destroy+0x235/0x350 net/core/dst.c:121
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core kernel/rcu/tree.c:2857 [inline]
rcu_cpu_kthread+0xba5/0x1af0 kernel/rcu/tree.c:2945
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Last potentially related work creation:
kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
__call_rcu_common kernel/rcu/tree.c:3119 [inline]
call_rcu+0xee/0x890 kernel/rcu/tree.c:3239
refdst_drop include/net/dst.h:266 [inline]
skb_dst_drop include/net/dst.h:278 [inline]
skb_release_head_state+0x71/0x360 net/core/skbuff.c:1156
skb_release_all net/core/skbuff.c:1180 [inline]
__kfree_skb net/core/skbuff.c:1196 [inline]
sk_skb_reason_drop+0xe9/0x170 net/core/skbuff.c:1234
kfree_skb_reason include/linux/skbuff.h:1322 [inline]
tcf_kfree_skb_list include/net/sch_generic.h:1127 [inline]
__dev_xmit_skb net/core/dev.c:4260 [inline]
__dev_queue_xmit+0x26aa/0x3210 net/core/dev.c:4785
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247
NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318
mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
The buggy address belongs to the object at ffff8880294cfa00
which belongs to the cache ip6_dst_cache of size 232
The buggy address is located 120 bytes inside of
freed 232-byte region [ffff8880294cfa00, ffff8880294cfae8)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x294cf
memcg:ffff88803536b781
flags: 0x80000000000000(node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000000 ffff88802ff1c8c0 ffffea0000bf2bc0 dead000000000006
raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88803536b781
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 9, tgid 9 (kworker/0:0), ts 91119585830, free_ts 91088628818
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
prep_new_page mm/page_alloc.c:1865 [inline]
get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3915
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2486
alloc_slab_page mm/slub.c:3075 [inline]
allocate_slab+0x86/0x3b0 mm/slub.c:3248
new_slab mm/slub.c:3302 [inline]
___slab_alloc+0xb10/0x13e0 mm/slub.c:4656
__slab_alloc+0xc6/0x1f0 mm/slub.c:4779
__slab_alloc_node mm/slub.c:4855 [inline]
slab_alloc_node mm/slub.c:5251 [inline]
kmem_cache_alloc_noprof+0x101/0x6c0 mm/slub.c:5270
dst_alloc+0x105/0x170 net/core/dst.c:89
ip6_dst_alloc net/ipv6/route.c:342 [inline]
icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333
mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844
mld_send_cr net/ipv6/mcast.c:2154 [inline]
mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693
process_one_work kernel/workqueue.c:3257 [inline]
process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
page last free pid 5859 tgid 5859 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1406 [inline]
__free_frozen_pages+0xfe1/0x1170 mm/page_alloc.c:2943
discard_slab mm/slub.c:3346 [inline]
__put_partials+0x149/0x170 mm/slub.c:3886
__slab_free+0x2af/0x330 mm/slub.c:5952
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4953 [inline]
slab_alloc_node mm/slub.c:5263 [inline]
kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270
getname_flags+0xb8/0x540 fs/namei.c:146
getname include/linux/fs.h:2498 [inline]
do_sys_openat2+0xbc/0x200 fs/open.c:1426
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
Fixes: 8d0b94afdca8 ("ipv6: Keep track of DST_NOCACHE routes in case of iface down/unregister")
Fixes: 78df76a065ae ("ipv4: take rt_uncached_lock only if needed")
Reported-by: syzbot+179fc225724092b8b2b2@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6964cdf2.050a0220.eaf7.009d.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20260112103825.3810713-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/dst.c | 1 +
net/ipv4/route.c | 4 ++--
net/ipv6/route.c | 4 ++--
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/core/dst.c b/net/core/dst.c
index e9d35f49c9e78..1dae26c51ebec 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -68,6 +68,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops,
dst->lwtstate = NULL;
rcuref_init(&dst->__rcuref, 1);
INIT_LIST_HEAD(&dst->rt_uncached);
+ dst->rt_uncached_list = NULL;
dst->__use = 0;
dst->lastuse = jiffies;
dst->flags = flags;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index b549d6a573073..11d990703d31a 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1537,9 +1537,9 @@ void rt_add_uncached_list(struct rtable *rt)
void rt_del_uncached_list(struct rtable *rt)
{
- if (!list_empty(&rt->dst.rt_uncached)) {
- struct uncached_list *ul = rt->dst.rt_uncached_list;
+ struct uncached_list *ul = rt->dst.rt_uncached_list;
+ if (ul) {
spin_lock_bh(&ul->lock);
list_del_init(&rt->dst.rt_uncached);
spin_unlock_bh(&ul->lock);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index a3e051dc66ee0..e3a260a5564ba 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -148,9 +148,9 @@ void rt6_uncached_list_add(struct rt6_info *rt)
void rt6_uncached_list_del(struct rt6_info *rt)
{
- if (!list_empty(&rt->dst.rt_uncached)) {
- struct uncached_list *ul = rt->dst.rt_uncached_list;
+ struct uncached_list *ul = rt->dst.rt_uncached_list;
+ if (ul) {
spin_lock_bh(&ul->lock);
list_del_init(&rt->dst.rt_uncached);
spin_unlock_bh(&ul->lock);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 052/198] ipv6: Fix use-after-free in inet6_addr_del().
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 051/198] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 053/198] selftests: drv-net: fix RPS mask handling for high CPU numbers Greg Kroah-Hartman
` (159 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+72e610f4f1a930ca9d8a,
Kuniyuki Iwashima, Hangbin Liu, Eric Dumazet, Jakub Kicinski,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@google.com>
[ Upstream commit ddf96c393a33aef4887e2e406c76c2f8cda1419c ]
syzbot reported use-after-free of inet6_ifaddr in
inet6_addr_del(). [0]
The cited commit accidentally moved ipv6_del_addr() for
mngtmpaddr before reading its ifp->flags for temporary
addresses in inet6_addr_del().
Let's move ipv6_del_addr() down to fix the UAF.
[0]:
BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593
CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117
addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181
inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582
sock_do_ioctl+0x118/0x280 net/socket.c:1254
sock_ioctl+0x227/0x6b0 net/socket.c:1375
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f164cf8f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749
RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003
RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288
</TASK>
Allocated by task 9593:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120
inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050
addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160
inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580
sock_do_ioctl+0x118/0x280 net/socket.c:1254
sock_ioctl+0x227/0x6b0 net/socket.c:1375
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6099:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:56
kasan_save_track+0x14/0x30 mm/kasan/common.c:77
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2540 [inline]
slab_free_freelist_hook mm/slub.c:2569 [inline]
slab_free_bulk mm/slub.c:6696 [inline]
kmem_cache_free_bulk mm/slub.c:7383 [inline]
kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362
kfree_bulk include/linux/slab.h:830 [inline]
kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523
kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline]
kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Fixes: 00b5b7aab9e42 ("net/ipv6: delete temporary address if mngtmpaddr is removed or unmanaged")
Reported-by: syzbot+72e610f4f1a930ca9d8a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/696598e9.050a0220.3be5c5.0009.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260113010538.2019411-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/addrconf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 40e9c336f6c55..cad5e4ab8c3db 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3112,12 +3112,12 @@ static int inet6_addr_del(struct net *net, int ifindex, u32 ifa_flags,
in6_ifa_hold(ifp);
read_unlock_bh(&idev->lock);
- ipv6_del_addr(ifp);
-
if (!(ifp->flags & IFA_F_TEMPORARY) &&
(ifp->flags & IFA_F_MANAGETEMPADDR))
delete_tempaddrs(idev, ifp);
+ ipv6_del_addr(ifp);
+
addrconf_verify_rtnl(net);
if (ipv6_addr_is_multicast(pfx)) {
ipv6_mc_config(net->ipv6.mc_autojoin_sk,
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 053/198] selftests: drv-net: fix RPS mask handling for high CPU numbers
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 052/198] ipv6: Fix use-after-free in inet6_addr_del() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 054/198] net/sched: sch_qfq: do not free existing class in qfq_change_class() Greg Kroah-Hartman
` (158 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nimrod Oren, Gal Pressman,
Willem de Bruijn, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gal Pressman <gal@nvidia.com>
[ Upstream commit cf055f8c000445aa688c53a706ef4f580818eedb ]
The RPS bitmask bounds check uses ~(RPS_MAX_CPUS - 1) which equals ~15 =
0xfff0, only allowing CPUs 0-3.
Change the mask to ~((1UL << RPS_MAX_CPUS) - 1) = ~0xffff to allow CPUs
0-15.
Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
Reviewed-by: Nimrod Oren <noren@nvidia.com>
Signed-off-by: Gal Pressman <gal@nvidia.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260112173715.384843-3-gal@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/toeplitz.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
index 9ba03164d73a6..5099157f01b9a 100644
--- a/tools/testing/selftests/net/toeplitz.c
+++ b/tools/testing/selftests/net/toeplitz.c
@@ -473,8 +473,8 @@ static void parse_rps_bitmap(const char *arg)
bitmap = strtoul(arg, NULL, 0);
- if (bitmap & ~(RPS_MAX_CPUS - 1))
- error(1, 0, "rps bitmap 0x%lx out of bounds 0..%lu",
+ if (bitmap & ~((1UL << RPS_MAX_CPUS) - 1))
+ error(1, 0, "rps bitmap 0x%lx out of bounds, max cpu %lu",
bitmap, RPS_MAX_CPUS - 1);
for (i = 0; i < RPS_MAX_CPUS; i++)
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 054/198] net/sched: sch_qfq: do not free existing class in qfq_change_class()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 053/198] selftests: drv-net: fix RPS mask handling for high CPU numbers Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 055/198] ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type Greg Kroah-Hartman
` (157 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+07f3f38f723c335f106d,
Eric Dumazet, Jamal Hadi Salim, Jakub Kicinski, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 ]
Fixes qfq_change_class() error case.
cl->qdisc and cl should only be freed if a new class and qdisc
were allocated, or we risk various UAF.
Fixes: 462dbc9101ac ("pkt_sched: QFQ Plus: fair-queueing service at DRR cost")
Reported-by: syzbot+07f3f38f723c335f106d@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/6965351d.050a0220.eaf7.00c5.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260112175656.17605-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_qfq.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index a91a5bac8f737..9b16ad431028f 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -529,8 +529,10 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
return 0;
destroy_class:
- qdisc_put(cl->qdisc);
- kfree(cl);
+ if (!existing) {
+ qdisc_put(cl->qdisc);
+ kfree(cl);
+ }
return err;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 055/198] ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 054/198] net/sched: sch_qfq: do not free existing class in qfq_change_class() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 056/198] ASoC: tlv320adcx140: fix null pointer Greg Kroah-Hartman
` (156 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Charles Keepax, Cole Leavitt,
Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cole Leavitt <cole@unwrap.rs>
[ Upstream commit 390caeed0897fcac75f3c414dbdd85d593183d9c ]
The CS42L43 codec's load detection can return different impedance values
that map to either HEADPHONE or LINEOUT jack types. However, the
soc_jack_pins array only maps SND_JACK_HEADPHONE to the "Headphone" DAPM
pin, not SND_JACK_LINEOUT.
When headphones are detected with an impedance that maps to LINEOUT
(such as impedance value 0x2), the driver reports SND_JACK_LINEOUT.
Since this doesn't match the jack pin mask, the "Headphone" DAPM pin
is not activated, and no audio is routed to the headphone outputs.
Fix by adding SND_JACK_LINEOUT to the Headphone pin mask, so that both
headphone and line-out detection properly enable the headphone output
path.
This fixes no audio output on devices like the Lenovo ThinkPad P16 Gen 3
where headphones are detected with LINEOUT impedance.
Fixes: d74bad3b7452 ("ASoC: intel: sof_sdw_cs42l43: Create separate jacks for hp and mic")
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Cole Leavitt <cole@unwrap.rs>
Link: https://patch.msgid.link/20260114025518.28519-1-cole@unwrap.rs
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sdw_utils/soc_sdw_cs42l43.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/sdw_utils/soc_sdw_cs42l43.c b/sound/soc/sdw_utils/soc_sdw_cs42l43.c
index b415d45d520d0..3e8e2e3bdf7c5 100644
--- a/sound/soc/sdw_utils/soc_sdw_cs42l43.c
+++ b/sound/soc/sdw_utils/soc_sdw_cs42l43.c
@@ -44,7 +44,7 @@ static const struct snd_soc_dapm_route cs42l43_dmic_map[] = {
static struct snd_soc_jack_pin soc_jack_pins[] = {
{
.pin = "Headphone",
- .mask = SND_JACK_HEADPHONE,
+ .mask = SND_JACK_HEADPHONE | SND_JACK_LINEOUT,
},
{
.pin = "Headset Mic",
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 056/198] ASoC: tlv320adcx140: fix null pointer
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 055/198] ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 057/198] ASoC: tlv320adcx140: fix word length Greg Kroah-Hartman
` (155 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Svendsen, Sascha Hauer,
Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Svendsen <emas@bang-olufsen.dk>
[ Upstream commit be7664c81d3129fc313ef62ff275fd3d33cfecd4 ]
The "snd_soc_component" in "adcx140_priv" was only used once but never
set. It was only used for reaching "dev" which is already present in
"adcx140_priv".
Fixes: 4e82971f7b55 ("ASoC: tlv320adcx140: Add a new kcontrol")
Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-2-8f7ecec525c8@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tlv320adcx140.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
index d594bf166c0e7..ccfec4c0c159a 100644
--- a/sound/soc/codecs/tlv320adcx140.c
+++ b/sound/soc/codecs/tlv320adcx140.c
@@ -23,7 +23,6 @@
#include "tlv320adcx140.h"
struct adcx140_priv {
- struct snd_soc_component *component;
struct regulator *supply_areg;
struct gpio_desc *gpio_reset;
struct regmap *regmap;
@@ -701,7 +700,6 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
{
int pwr_ctrl = 0;
int ret = 0;
- struct snd_soc_component *component = adcx140->component;
if (power_state)
pwr_ctrl = ADCX140_PWR_CFG_ADC_PDZ | ADCX140_PWR_CFG_PLL_PDZ;
@@ -713,7 +711,7 @@ static void adcx140_pwr_ctrl(struct adcx140_priv *adcx140, bool power_state)
ret = regmap_write(adcx140->regmap, ADCX140_PHASE_CALIB,
adcx140->phase_calib_on ? 0x00 : 0x40);
if (ret)
- dev_err(component->dev, "%s: register write error %d\n",
+ dev_err(adcx140->dev, "%s: register write error %d\n",
__func__, ret);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 057/198] ASoC: tlv320adcx140: fix word length
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 056/198] ASoC: tlv320adcx140: fix null pointer Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 058/198] drm/amdgpu: fix drm panic null pointer when driver not support atomic Greg Kroah-Hartman
` (154 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Svendsen, Sascha Hauer,
Mark Brown, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emil Svendsen <emas@bang-olufsen.dk>
[ Upstream commit 46378ab9fcb796dca46b51e10646f636e2c661f9 ]
The word length is the physical width of the channel slots. So the
hw_params would misconfigure when format width and physical width
doesn't match. Like S24_LE which has data width of 24 bits but physical
width of 32 bits. So if using asymmetric formats you will get a lot of
noise.
Fixes: 689c7655b50c5 ("ASoC: tlv320adcx140: Add the tlv320adcx140 codec driver family")
Signed-off-by: Emil Svendsen <emas@bang-olufsen.dk>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Link: https://patch.msgid.link/20260113-sound-soc-codecs-tvl320adcx140-v4-4-8f7ecec525c8@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/tlv320adcx140.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/codecs/tlv320adcx140.c b/sound/soc/codecs/tlv320adcx140.c
index ccfec4c0c159a..62d936c2838c9 100644
--- a/sound/soc/codecs/tlv320adcx140.c
+++ b/sound/soc/codecs/tlv320adcx140.c
@@ -727,7 +727,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
struct adcx140_priv *adcx140 = snd_soc_component_get_drvdata(component);
u8 data = 0;
- switch (params_width(params)) {
+ switch (params_physical_width(params)) {
case 16:
data = ADCX140_16_BIT_WORD;
break;
@@ -742,7 +742,7 @@ static int adcx140_hw_params(struct snd_pcm_substream *substream,
break;
default:
dev_err(component->dev, "%s: Unsupported width %d\n",
- __func__, params_width(params));
+ __func__, params_physical_width(params));
return -EINVAL;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 058/198] drm/amdgpu: fix drm panic null pointer when driver not support atomic
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 057/198] ASoC: tlv320adcx140: fix word length Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 059/198] drm/amd/display: Show link name in PSR status message Greg Kroah-Hartman
` (153 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lu Yao, Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Yao <yaolu@kylinos.cn>
[ Upstream commit 9cb6278b44c38899961b36d303d7b18b38be2a6e ]
When driver not support atomic, fb using plane->fb rather than
plane->state->fb.
Fixes: fe151ed7af54 ("drm/amdgpu: add generic display panic helper code")
Signed-off-by: Lu Yao <yaolu@kylinos.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
index 51bab32fd8c6f..2f416d12e2e7e 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
@@ -1824,7 +1824,12 @@ int amdgpu_display_get_scanout_buffer(struct drm_plane *plane,
struct drm_scanout_buffer *sb)
{
struct amdgpu_bo *abo;
- struct drm_framebuffer *fb = plane->state->fb;
+ struct drm_framebuffer *fb;
+
+ if (drm_drv_uses_atomic_modeset(plane->dev))
+ fb = plane->state->fb;
+ else
+ fb = plane->fb;
if (!fb)
return -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 059/198] drm/amd/display: Show link name in PSR status message
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 058/198] drm/amdgpu: fix drm panic null pointer when driver not support atomic Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 060/198] drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2 Greg Kroah-Hartman
` (152 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Mario Limonciello (AMD),
Matthew Stewart, Dan Wheeler, Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
[ Upstream commit 0a1253ba5096f531eaaef40caa4c069da6ad48ae ]
[Why]
The PSR message was moved in commit 4321742c394e ("drm/amd/display:
Move PSR support message into amdgpu_dm"). This message however shows
for every single link without showing which link is which. This can
send a confusing message to the user.
[How]
Add link name into the message.
Fixes: 4321742c394e ("drm/amd/display: Move PSR support message into amdgpu_dm")
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Matthew Stewart <matthew.stewart2@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 99f77f6229c0766b980ae05affcf9f742d97de6a)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 7fe40bbba2658..f4381d44864f1 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -5545,7 +5545,8 @@ static int amdgpu_dm_initialize_drm_device(struct amdgpu_device *adev)
if (psr_feature_enabled) {
amdgpu_dm_set_psr_caps(link);
- drm_info(adev_to_drm(adev), "PSR support %d, DC PSR ver %d, sink PSR ver %d DPCD caps 0x%x su_y_granularity %d\n",
+ drm_info(adev_to_drm(adev), "%s: PSR support %d, DC PSR ver %d, sink PSR ver %d DPCD caps 0x%x su_y_granularity %d\n",
+ aconnector->base.name,
link->psr_settings.psr_feature_enabled,
link->psr_settings.psr_version,
link->dpcd_caps.psr_info.psr_version,
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 060/198] drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 059/198] drm/amd/display: Show link name in PSR status message Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 061/198] drm/amdkfd: No need to suspend whole MES to evict process Greg Kroah-Hartman
` (151 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Wang, Hawking Zhang,
Alex Deucher, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Wang <kevinyang.wang@amd.com>
[ Upstream commit 90dbc0bc2aa60021615969841fed06790c992bde ]
resolving the issue of incorrect type definitions potentially causing calculation errors.
Fixes: 54f7f3ca982a ("drm/amdgpu/swm14: Update power limit logic")
Signed-off-by: Yang Wang <kevinyang.wang@amd.com>
Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit e3a03d0ae16d6b56e893cce8e52b44140e1ed985)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
index 086501cc5213b..e735da7ab6126 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu14/smu_v14_0_2_ppt.c
@@ -1701,8 +1701,9 @@ static int smu_v14_0_2_get_power_limit(struct smu_context *smu,
table_context->power_play_table;
PPTable_t *pptable = table_context->driver_pptable;
CustomSkuTable_t *skutable = &pptable->CustomSkuTable;
- uint32_t power_limit, od_percent_upper = 0, od_percent_lower = 0;
+ int16_t od_percent_upper = 0, od_percent_lower = 0;
uint32_t msg_limit = pptable->SkuTable.MsgLimits.Power[PPT_THROTTLER_PPT0][POWER_SOURCE_AC];
+ uint32_t power_limit;
if (smu_v14_0_get_current_power_limit(smu, &power_limit))
power_limit = smu->adev->pm.ac_power ?
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 061/198] drm/amdkfd: No need to suspend whole MES to evict process
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 060/198] drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2 Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 062/198] drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 Greg Kroah-Hartman
` (150 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harish Kasiviswanathan, Alex Deucher,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
[ Upstream commit 18dbcfb46f692e665c3fe3eee804e56c4eae53d6 ]
Each queue of the process is individually removed and there is not need
to suspend whole mes. Suspending mes stops kernel mode queues also
causing unnecessary timeouts when running mixed work loads
Fixes: 079ae5118e1f ("drm/amdkfd: fix suspend/resume all calls in mes based eviction path")
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4765
Signed-off-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 3fd20580b96a6e9da65b94ac3b58ee288239b731)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
index 6e7bc983fc0b6..36fb3db16572a 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -1209,14 +1209,8 @@ static int evict_process_queues_cpsch(struct device_queue_manager *dqm,
pr_debug_ratelimited("Evicting process pid %d queues\n",
pdd->process->lead_thread->pid);
- if (dqm->dev->kfd->shared_resources.enable_mes) {
+ if (dqm->dev->kfd->shared_resources.enable_mes)
pdd->last_evict_timestamp = get_jiffies_64();
- retval = suspend_all_queues_mes(dqm);
- if (retval) {
- dev_err(dev, "Suspending all queues failed");
- goto out;
- }
- }
/* Mark all queues as evicted. Deactivate all active queues on
* the qpd.
@@ -1246,10 +1240,6 @@ static int evict_process_queues_cpsch(struct device_queue_manager *dqm,
KFD_UNMAP_QUEUES_FILTER_ALL_QUEUES :
KFD_UNMAP_QUEUES_FILTER_DYNAMIC_QUEUES, 0,
USE_DEFAULT_GRACE_PERIOD);
- } else {
- retval = resume_all_queues_mes(dqm);
- if (retval)
- dev_err(dev, "Resuming all queues failed");
}
out:
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 062/198] drm/amdgpu/userq: Fix fence reference leak on queue teardown v2
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 061/198] drm/amdkfd: No need to suspend whole MES to evict process Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 063/198] mm: describe @flags parameter in memalloc_flags_save() Greg Kroah-Hartman
` (149 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Deucher, Christian König,
Srinivasan Shanmugam, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit b2426a211dba6432e32a2e70e9183c6e134475c6 ]
The user mode queue keeps a pointer to the most recent fence in
userq->last_fence. This pointer holds an extra dma_fence reference.
When the queue is destroyed, we free the fence driver and its xarray,
but we forgot to drop the last_fence reference.
Because of the missing dma_fence_put(), the last fence object can stay
alive when the driver unloads. This leaves an allocated object in the
amdgpu_userq_fence slab cache and triggers
This is visible during driver unload as:
BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown()
kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects
Call Trace:
kmem_cache_destroy
amdgpu_userq_fence_slab_fini
amdgpu_exit
__do_sys_delete_module
Fix this by putting userq->last_fence and clearing the pointer during
amdgpu_userq_fence_driver_free().
This makes sure the fence reference is released and the slab cache is
empty when the module exits.
v2: Update to only release userq->last_fence with dma_fence_put()
(Christian)
Fixes: edc762a51c71 ("drm/amdgpu/userq: move some code around")
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
index 4d0096d0baa9d..53fe10931fab0 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -141,6 +141,8 @@ static void amdgpu_userq_walk_and_drop_fence_drv(struct xarray *xa)
void
amdgpu_userq_fence_driver_free(struct amdgpu_usermode_queue *userq)
{
+ dma_fence_put(userq->last_fence);
+
amdgpu_userq_walk_and_drop_fence_drv(&userq->fence_drv_xa);
xa_destroy(&userq->fence_drv_xa);
/* Drop the fence_drv reference held by user queue */
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 063/198] mm: describe @flags parameter in memalloc_flags_save()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 062/198] drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 064/198] textsearch: describe @list member in ts_ops search Greg Kroah-Hartman
` (148 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bagas Sanjaya,
David Hildenbrand (Red Hat), Harry Yoo, Andrew Morton,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
[ Upstream commit e2fb7836b01747815f8bb94981c35f2688afb120 ]
Patch series "mm kernel-doc fixes".
Here are kernel-doc fixes for mm subsystem. I'm also including textsearch
fix since there's currently no maintainer for include/linux/textsearch.h
(get_maintainer.pl only shows LKML).
This patch (of 4):
Sphinx reports kernel-doc warning:
WARNING: ./include/linux/sched/mm.h:332 function parameter 'flags' not described in 'memalloc_flags_save'
Describe @flags to fix it.
Link: https://lkml.kernel.org/r/20251219014006.16328-2-bagasdotme@gmail.com
Link: https://lkml.kernel.org/r/20251219014006.16328-3-bagasdotme@gmail.com
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Fixes: 3f6d5e6a468d ("mm: introduce memalloc_flags_{save,restore}")
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Acked-by: Harry Yoo <harry.yoo@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/sched/mm.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
index 0232d983b7153..a3094379b5790 100644
--- a/include/linux/sched/mm.h
+++ b/include/linux/sched/mm.h
@@ -323,6 +323,7 @@ static inline void might_alloc(gfp_t gfp_mask)
/**
* memalloc_flags_save - Add a PF_* flag to current->flags, save old value
+ * @flags: Flags to add.
*
* This allows PF_* flags to be conveniently added, irrespective of current
* value, and then the old version restored with memalloc_flags_restore().
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 064/198] textsearch: describe @list member in ts_ops search
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 063/198] mm: describe @flags parameter in memalloc_flags_save() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 065/198] mm, kfence: describe @slab parameter in __kfence_obj_info() Greg Kroah-Hartman
` (147 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bagas Sanjaya, Thomas Graf,
David S. Miller, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
[ Upstream commit f26528478bb102c28e7ac0cbfc8ec8185afdafc7 ]
Sphinx reports kernel-doc warning:
WARNING: ./include/linux/textsearch.h:49 struct member 'list' not described in 'ts_ops'
Describe @list member to fix it.
Link: https://lkml.kernel.org/r/20251219014006.16328-4-bagasdotme@gmail.com
Fixes: 2de4ff7bd658 ("[LIB]: Textsearch infrastructure.")
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Cc: Thomas Graf <tgraf@suug.ch>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/textsearch.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/textsearch.h b/include/linux/textsearch.h
index 6673e4d4ac2e1..4933777404d61 100644
--- a/include/linux/textsearch.h
+++ b/include/linux/textsearch.h
@@ -35,6 +35,7 @@ struct ts_state
* @get_pattern: return head of pattern
* @get_pattern_len: return length of pattern
* @owner: module reference to algorithm
+ * @list: list to search
*/
struct ts_ops
{
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 065/198] mm, kfence: describe @slab parameter in __kfence_obj_info()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 064/198] textsearch: describe @list member in ts_ops search Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 066/198] mips: fix HIGHMEM initialization Greg Kroah-Hartman
` (146 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bagas Sanjaya, Marco Elver,
David Hildenbrand (Red Hat), Harry Yoo, Andrew Morton,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
[ Upstream commit 6cfab50e1440fde19af7c614aacd85e11aa4dcea ]
Sphinx reports kernel-doc warning:
WARNING: ./include/linux/kfence.h:220 function parameter 'slab' not described in '__kfence_obj_info'
Fix it by describing @slab parameter.
Link: https://lkml.kernel.org/r/20251219014006.16328-6-bagasdotme@gmail.com
Fixes: 2dfe63e61cc3 ("mm, kfence: support kmem_dump_obj() for KFENCE objects")
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Acked-by: Marco Elver <elver@google.com>
Acked-by: David Hildenbrand (Red Hat) <david@kernel.org>
Acked-by: Harry Yoo <harry.yoo@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/kfence.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/linux/kfence.h b/include/linux/kfence.h
index 0ad1ddbb8b996..e5822f6e7f279 100644
--- a/include/linux/kfence.h
+++ b/include/linux/kfence.h
@@ -211,6 +211,7 @@ struct kmem_obj_info;
* __kfence_obj_info() - fill kmem_obj_info struct
* @kpp: kmem_obj_info to be filled
* @object: the object
+ * @slab: the slab
*
* Return:
* * false - not a KFENCE object
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 066/198] mips: fix HIGHMEM initialization
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 065/198] mm, kfence: describe @slab parameter in __kfence_obj_info() Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 067/198] drivers/dax: add some missing kerneldoc comment fields for struct dev_dax Greg Kroah-Hartman
` (145 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Rapoport (Microsoft),
Markus Stockhausen, Chris Packham, Hauke Mehrtens, Jonas Jelonek,
Thomas Bogendoerfer, Thomas Gleinxer, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Rapoport (Microsoft) <rppt@kernel.org>
[ Upstream commit f171b55f1441294344b86edfeaa575ea9673fd23 ]
Commit 6faea3422e3b ("arch, mm: streamline HIGHMEM freeing") overzealously
removed mem_init_free_highmem() function that beside freeing high memory
pages checked for CPU support for high memory as a prerequisite.
Partially restore mem_init_free_highmem() with a new highmem_init() name
and make it discard high memory in case there is no CPU support for it.
Link: https://lkml.kernel.org/r/20251231105701.519711-1-rppt@kernel.org
Fixes: 6faea3422e3b ("arch, mm: streamline HIGHMEM freeing")
Signed-off-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Reported-by: Markus Stockhausen <markus.stockhausen@gmx.de>
Cc: Chris Packham <chris.packham@alliedtelesis.co.nz>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Jonas Jelonek <jelonek.jonas@gmail.com>
Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/mm/init.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/arch/mips/mm/init.c b/arch/mips/mm/init.c
index a673d3d68254b..8986048f9b110 100644
--- a/arch/mips/mm/init.c
+++ b/arch/mips/mm/init.c
@@ -425,6 +425,28 @@ void __init paging_init(void)
static struct kcore_list kcore_kseg0;
#endif
+static inline void __init highmem_init(void)
+{
+#ifdef CONFIG_HIGHMEM
+ unsigned long tmp;
+
+ /*
+ * If CPU cannot support HIGHMEM discard the memory above highstart_pfn
+ */
+ if (cpu_has_dc_aliases) {
+ memblock_remove(PFN_PHYS(highstart_pfn), -1);
+ return;
+ }
+
+ for (tmp = highstart_pfn; tmp < highend_pfn; tmp++) {
+ struct page *page = pfn_to_page(tmp);
+
+ if (!memblock_is_memory(PFN_PHYS(tmp)))
+ SetPageReserved(page);
+ }
+#endif
+}
+
void __init arch_mm_preinit(void)
{
/*
@@ -435,6 +457,7 @@ void __init arch_mm_preinit(void)
maar_init();
setup_zero_pages(); /* Setup zeroed pages. */
+ highmem_init();
#ifdef CONFIG_64BIT
if ((unsigned long) &_text > (unsigned long) CKSEG0)
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 067/198] drivers/dax: add some missing kerneldoc comment fields for struct dev_dax
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 066/198] mips: fix HIGHMEM initialization Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 068/198] NFS: Fix size read races in truncate, fallocate and copy offload Greg Kroah-Hartman
` (144 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Groves, Dan Williams,
Joao Martins, Vishal Verma, Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: John Groves <John@Groves.net>
[ Upstream commit 3e8e590fd65d0572584ab7bba89a35e6d19931f1 ]
Add the missing @align and @memmap_on_memory fields to kerneldoc comment
header for struct dev_dax.
Also, some other fields were followed by '-' and others by ':'. Fix all
to be ':' for actual kerneldoc compliance.
Link: https://lkml.kernel.org/r/20260110191804.5739-1-john@groves.net
Fixes: 33cf94d71766 ("device-dax: make align a per-device property")
Fixes: 4eca0ef49af9 ("dax/kmem: allow kmem to add memory with memmap_on_memory")
Signed-off-by: John Groves <john@groves.net>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Joao Martins <joao.m.martins@oracle.com>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dax/dax-private.h | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/dax/dax-private.h b/drivers/dax/dax-private.h
index 0867115aeef2e..c6ae27c982f43 100644
--- a/drivers/dax/dax-private.h
+++ b/drivers/dax/dax-private.h
@@ -67,14 +67,16 @@ struct dev_dax_range {
/**
* struct dev_dax - instance data for a subdivision of a dax region, and
* data while the device is activated in the driver.
- * @region - parent region
- * @dax_dev - core dax functionality
+ * @region: parent region
+ * @dax_dev: core dax functionality
+ * @align: alignment of this instance
* @target_node: effective numa node if dev_dax memory range is onlined
* @dyn_id: is this a dynamic or statically created instance
* @id: ida allocated id when the dax_region is not static
* @ida: mapping id allocator
- * @dev - device core
- * @pgmap - pgmap for memmap setup / lifetime (driver owned)
+ * @dev: device core
+ * @pgmap: pgmap for memmap setup / lifetime (driver owned)
+ * @memmap_on_memory: allow kmem to put the memmap in the memory
* @nr_range: size of @ranges
* @ranges: range tuples of memory used
*/
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 068/198] NFS: Fix size read races in truncate, fallocate and copy offload
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 067/198] drivers/dax: add some missing kerneldoc comment fields for struct dev_dax Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 069/198] dmaengine: mmp_pdma: fix DMA mask handling Greg Kroah-Hartman
` (143 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit d5811e6297f3fd9020ac31f51fc317dfdb260cb0 ]
If the pre-operation file size is read before locking the inode and
quiescing O_DIRECT writes, then nfs_truncate_last_folio() might end up
overwriting valid file data.
Fixes: b1817b18ff20 ("NFS: Protect against 'eof page pollution'")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/inode.c | 10 ++++++----
fs/nfs/io.c | 2 ++
fs/nfs/nfs42proc.c | 29 +++++++++++++++++++----------
3 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 13ad70fc00d84..8c2bfcc323e02 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -716,7 +716,7 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
{
struct inode *inode = d_inode(dentry);
struct nfs_fattr *fattr;
- loff_t oldsize = i_size_read(inode);
+ loff_t oldsize;
int error = 0;
kuid_t task_uid = current_fsuid();
kuid_t owner_uid = inode->i_uid;
@@ -727,6 +727,10 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
if (attr->ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID))
attr->ia_valid &= ~ATTR_MODE;
+ if (S_ISREG(inode->i_mode))
+ nfs_file_block_o_direct(NFS_I(inode));
+
+ oldsize = i_size_read(inode);
if (attr->ia_valid & ATTR_SIZE) {
BUG_ON(!S_ISREG(inode->i_mode));
@@ -774,10 +778,8 @@ nfs_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
trace_nfs_setattr_enter(inode);
/* Write all dirty data */
- if (S_ISREG(inode->i_mode)) {
- nfs_file_block_o_direct(NFS_I(inode));
+ if (S_ISREG(inode->i_mode))
nfs_sync_inode(inode);
- }
fattr = nfs_alloc_fattr_with_label(NFS_SERVER(inode));
if (fattr == NULL) {
diff --git a/fs/nfs/io.c b/fs/nfs/io.c
index d275b0a250bf3..8337f0ae852d4 100644
--- a/fs/nfs/io.c
+++ b/fs/nfs/io.c
@@ -84,6 +84,7 @@ nfs_start_io_write(struct inode *inode)
nfs_file_block_o_direct(NFS_I(inode));
return err;
}
+EXPORT_SYMBOL_GPL(nfs_start_io_write);
/**
* nfs_end_io_write - declare that the buffered write operation is done
@@ -97,6 +98,7 @@ nfs_end_io_write(struct inode *inode)
{
up_write(&inode->i_rwsem);
}
+EXPORT_SYMBOL_GPL(nfs_end_io_write);
/* Call with exclusively locked inode->i_rwsem */
static void nfs_block_buffered(struct nfs_inode *nfsi, struct inode *inode)
diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
index d537fb0c230e8..c08520828708b 100644
--- a/fs/nfs/nfs42proc.c
+++ b/fs/nfs/nfs42proc.c
@@ -114,7 +114,6 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
exception.inode = inode;
exception.state = lock->open_context->state;
- nfs_file_block_o_direct(NFS_I(inode));
err = nfs_sync_inode(inode);
if (err)
goto out;
@@ -138,13 +137,17 @@ int nfs42_proc_allocate(struct file *filep, loff_t offset, loff_t len)
.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_ALLOCATE],
};
struct inode *inode = file_inode(filep);
- loff_t oldsize = i_size_read(inode);
+ loff_t oldsize;
int err;
if (!nfs_server_capable(inode, NFS_CAP_ALLOCATE))
return -EOPNOTSUPP;
- inode_lock(inode);
+ err = nfs_start_io_write(inode);
+ if (err)
+ return err;
+
+ oldsize = i_size_read(inode);
err = nfs42_proc_fallocate(&msg, filep, offset, len);
@@ -155,7 +158,7 @@ int nfs42_proc_allocate(struct file *filep, loff_t offset, loff_t len)
NFS_SERVER(inode)->caps &= ~(NFS_CAP_ALLOCATE |
NFS_CAP_ZERO_RANGE);
- inode_unlock(inode);
+ nfs_end_io_write(inode);
return err;
}
@@ -170,7 +173,9 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
if (!nfs_server_capable(inode, NFS_CAP_DEALLOCATE))
return -EOPNOTSUPP;
- inode_lock(inode);
+ err = nfs_start_io_write(inode);
+ if (err)
+ return err;
err = nfs42_proc_fallocate(&msg, filep, offset, len);
if (err == 0)
@@ -179,7 +184,7 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
NFS_SERVER(inode)->caps &= ~(NFS_CAP_DEALLOCATE |
NFS_CAP_ZERO_RANGE);
- inode_unlock(inode);
+ nfs_end_io_write(inode);
return err;
}
@@ -189,14 +194,17 @@ int nfs42_proc_zero_range(struct file *filep, loff_t offset, loff_t len)
.rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_ZERO_RANGE],
};
struct inode *inode = file_inode(filep);
- loff_t oldsize = i_size_read(inode);
+ loff_t oldsize;
int err;
if (!nfs_server_capable(inode, NFS_CAP_ZERO_RANGE))
return -EOPNOTSUPP;
- inode_lock(inode);
+ err = nfs_start_io_write(inode);
+ if (err)
+ return err;
+ oldsize = i_size_read(inode);
err = nfs42_proc_fallocate(&msg, filep, offset, len);
if (err == 0) {
nfs_truncate_last_folio(inode->i_mapping, oldsize,
@@ -205,7 +213,7 @@ int nfs42_proc_zero_range(struct file *filep, loff_t offset, loff_t len)
} else if (err == -EOPNOTSUPP)
NFS_SERVER(inode)->caps &= ~NFS_CAP_ZERO_RANGE;
- inode_unlock(inode);
+ nfs_end_io_write(inode);
return err;
}
@@ -416,7 +424,7 @@ static ssize_t _nfs42_proc_copy(struct file *src,
struct nfs_server *src_server = NFS_SERVER(src_inode);
loff_t pos_src = args->src_pos;
loff_t pos_dst = args->dst_pos;
- loff_t oldsize_dst = i_size_read(dst_inode);
+ loff_t oldsize_dst;
size_t count = args->count;
ssize_t status;
@@ -461,6 +469,7 @@ static ssize_t _nfs42_proc_copy(struct file *src,
&src_lock->open_context->state->flags);
set_bit(NFS_CLNT_DST_SSC_COPY_STATE,
&dst_lock->open_context->state->flags);
+ oldsize_dst = i_size_read(dst_inode);
status = nfs4_call_sync(dst_server->client, dst_server, &msg,
&args->seq_args, &res->seq_res, 0);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 069/198] dmaengine: mmp_pdma: fix DMA mask handling
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 068/198] NFS: Fix size read races in truncate, fallocate and copy offload Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 070/198] dmaengine: xilinx: xdma: Fix regmap max_register Greg Kroah-Hartman
` (142 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naresh Kamboju, Arnd Bergmann,
Guodong Xu, Vinod Koul, Sasha Levin, Nathan Chancellor
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guodong Xu <guodong@riscstar.com>
[ Upstream commit 49400b701eca849c1b53717b1f5d779a8d066ec0 ]
The driver's existing logic for setting the DMA mask for "marvell,pdma-1.0"
was flawed. It incorrectly relied on pdev->dev->coherent_dma_mask instead
of declaring the hardware's fixed addressing capability. A cleaner and
more correct approach is to define the mask directly based on the hardware
limitations.
The MMP/PXA PDMA controller is a 32-bit DMA engine. This is supported by
datasheets and various dtsi files for PXA25x, PXA27x, PXA3xx, and MMP2,
all of which are 32-bit systems.
This patch simplifies the driver's logic by replacing the 'u64 dma_mask'
field with a simpler 'u32 dma_width' to store the addressing capability
in bits. The complex if/else block in probe() is then replaced with a
single, clear call to dma_set_mask_and_coherent(). This sets a fixed
32-bit DMA mask for "marvell,pdma-1.0" and a 64-bit mask for
"spacemit,k1-pdma," matching each device's hardware capabilities.
Finally, this change also works around a specific build error encountered
with clang-20 on x86_64 allyesconfig. The shift-count-overflow error is
caused by a known clang compiler issue where the DMA_BIT_MASK(n) macro's
ternary operator is not correctly evaluated in static initializers. By
moving the macro's evaluation into the probe() function, the driver avoids
this compiler bug.
Fixes: 5cfe585d8624 ("dmaengine: mmp_pdma: Add SpacemiT K1 PDMA support with 64-bit addressing")
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Closes: https://lore.kernel.org/lkml/CA+G9fYsPcMfW-e_0_TRqu4cnwqOqYF3aJOeKUYk6Z4qRStdFvg@mail.gmail.com
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Guodong Xu <guodong@riscstar.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Tested-by: Nathan Chancellor <nathan@kernel.org> # build
Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/mmp_pdma.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c
index d07229a748868..86661eb3cde1f 100644
--- a/drivers/dma/mmp_pdma.c
+++ b/drivers/dma/mmp_pdma.c
@@ -152,8 +152,8 @@ struct mmp_pdma_phy {
*
* Controller Configuration:
* @run_bits: Control bits in DCSR register for channel start/stop
- * @dma_mask: DMA addressing capability of controller. 0 to use OF/platform
- * settings, or explicit mask like DMA_BIT_MASK(32/64)
+ * @dma_width: DMA addressing width in bits (32 or 64). Determines the
+ * DMA mask capability of the controller hardware.
*/
struct mmp_pdma_ops {
/* Hardware Register Operations */
@@ -173,7 +173,7 @@ struct mmp_pdma_ops {
/* Controller Configuration */
u32 run_bits;
- u64 dma_mask;
+ u32 dma_width;
};
struct mmp_pdma_device {
@@ -1172,7 +1172,7 @@ static const struct mmp_pdma_ops marvell_pdma_v1_ops = {
.get_desc_src_addr = get_desc_src_addr_32,
.get_desc_dst_addr = get_desc_dst_addr_32,
.run_bits = (DCSR_RUN),
- .dma_mask = 0, /* let OF/platform set DMA mask */
+ .dma_width = 32,
};
static const struct mmp_pdma_ops spacemit_k1_pdma_ops = {
@@ -1185,7 +1185,7 @@ static const struct mmp_pdma_ops spacemit_k1_pdma_ops = {
.get_desc_src_addr = get_desc_src_addr_64,
.get_desc_dst_addr = get_desc_dst_addr_64,
.run_bits = (DCSR_RUN | DCSR_LPAEEN),
- .dma_mask = DMA_BIT_MASK(64), /* force 64-bit DMA addr capability */
+ .dma_width = 64,
};
static const struct of_device_id mmp_pdma_dt_ids[] = {
@@ -1314,13 +1314,9 @@ static int mmp_pdma_probe(struct platform_device *op)
pdev->device.directions = BIT(DMA_MEM_TO_DEV) | BIT(DMA_DEV_TO_MEM);
pdev->device.residue_granularity = DMA_RESIDUE_GRANULARITY_DESCRIPTOR;
- /* Set DMA mask based on ops->dma_mask, or OF/platform */
- if (pdev->ops->dma_mask)
- dma_set_mask(pdev->dev, pdev->ops->dma_mask);
- else if (pdev->dev->coherent_dma_mask)
- dma_set_mask(pdev->dev, pdev->dev->coherent_dma_mask);
- else
- dma_set_mask(pdev->dev, DMA_BIT_MASK(64));
+ /* Set DMA mask based on controller hardware capabilities */
+ dma_set_mask_and_coherent(pdev->dev,
+ DMA_BIT_MASK(pdev->ops->dma_width));
ret = dma_async_device_register(&pdev->device);
if (ret) {
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 070/198] dmaengine: xilinx: xdma: Fix regmap max_register
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 069/198] dmaengine: mmp_pdma: fix DMA mask handling Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 071/198] dmaengine: tegra-adma: Fix use-after-free Greg Kroah-Hartman
` (141 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lizhi Hou, Radhey Shyam Pandey,
Alexander Stein, Anthony Brandon, Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anthony Brandon <anthony@amarulasolutions.com>
[ Upstream commit c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 ]
The max_register field is assigned the size of the register memory
region instead of the offset of the last register.
The result is that reading from the regmap via debugfs can cause
a segmentation fault:
tail /sys/kernel/debug/regmap/xdma.1.auto/registers
Unable to handle kernel paging request at virtual address ffff800082f70000
Mem abort info:
ESR = 0x0000000096000007
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x07: level 3 translation fault
[...]
Call trace:
regmap_mmio_read32le+0x10/0x30
_regmap_bus_reg_read+0x74/0xc0
_regmap_read+0x68/0x198
regmap_read+0x54/0x88
regmap_read_debugfs+0x140/0x380
regmap_map_read_file+0x30/0x48
full_proxy_read+0x68/0xc8
vfs_read+0xcc/0x310
ksys_read+0x7c/0x120
__arm64_sys_read+0x24/0x40
invoke_syscall.constprop.0+0x64/0x108
do_el0_svc+0xb0/0xd8
el0_svc+0x38/0x130
el0t_64_sync_handler+0x120/0x138
el0t_64_sync+0x194/0x198
Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000)
---[ end trace 0000000000000000 ]---
note: tail[1217] exited with irqs disabled
note: tail[1217] exited with preempt_count 1
Segmentation fault
Fixes: 17ce252266c7 ("dmaengine: xilinx: xdma: Add xilinx xdma driver")
Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Reviewed-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Anthony Brandon <anthony@amarulasolutions.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/xilinx/xdma-regs.h | 1 +
drivers/dma/xilinx/xdma.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/xilinx/xdma-regs.h b/drivers/dma/xilinx/xdma-regs.h
index 6ad08878e9386..70bca92621aa4 100644
--- a/drivers/dma/xilinx/xdma-regs.h
+++ b/drivers/dma/xilinx/xdma-regs.h
@@ -9,6 +9,7 @@
/* The length of register space exposed to host */
#define XDMA_REG_SPACE_LEN 65536
+#define XDMA_MAX_REG_OFFSET (XDMA_REG_SPACE_LEN - 4)
/*
* maximum number of DMA channels for each direction:
diff --git a/drivers/dma/xilinx/xdma.c b/drivers/dma/xilinx/xdma.c
index 0d88b1a670e14..5ecf8223c112e 100644
--- a/drivers/dma/xilinx/xdma.c
+++ b/drivers/dma/xilinx/xdma.c
@@ -38,7 +38,7 @@ static const struct regmap_config xdma_regmap_config = {
.reg_bits = 32,
.val_bits = 32,
.reg_stride = 4,
- .max_register = XDMA_REG_SPACE_LEN,
+ .max_register = XDMA_MAX_REG_OFFSET,
};
/**
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 071/198] dmaengine: tegra-adma: Fix use-after-free
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 070/198] dmaengine: xilinx: xdma: Fix regmap max_register Greg Kroah-Hartman
@ 2026-01-21 18:14 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 072/198] dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing Greg Kroah-Hartman
` (140 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:14 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sheetal, Thierry Reding, Vinod Koul,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sheetal <sheetal@nvidia.com>
[ Upstream commit 2efd07a7c36949e6fa36a69183df24d368bf9e96 ]
A use-after-free bug exists in the Tegra ADMA driver when audio streams
are terminated, particularly during XRUN conditions. The issue occurs
when the DMA buffer is freed by tegra_adma_terminate_all() before the
vchan completion tasklet finishes accessing it.
The race condition follows this sequence:
1. DMA transfer completes, triggering an interrupt that schedules the
completion tasklet (tasklet has not executed yet)
2. Audio playback stops, calling tegra_adma_terminate_all() which
frees the DMA buffer memory via kfree()
3. The scheduled tasklet finally executes, calling vchan_complete()
which attempts to access the already-freed memory
Since tasklets can execute at any time after being scheduled, there is
no guarantee that the buffer will remain valid when vchan_complete()
runs.
Fix this by properly synchronizing the virtual channel completion:
- Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the
descriptors as terminated instead of freeing the descriptor.
- Add the callback tegra_adma_synchronize() that calls
vchan_synchronize() which kills any pending tasklets and frees any
terminated descriptors.
Crash logs:
[ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0
[ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0
[ 337.427562] Call trace:
[ 337.427564] dump_backtrace+0x0/0x320
[ 337.427571] show_stack+0x20/0x30
[ 337.427575] dump_stack_lvl+0x68/0x84
[ 337.427584] print_address_description.constprop.0+0x74/0x2b8
[ 337.427590] kasan_report+0x1f4/0x210
[ 337.427598] __asan_load8+0xa0/0xd0
[ 337.427603] vchan_complete+0x124/0x3b0
[ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0
[ 337.427617] tasklet_action+0x30/0x40
[ 337.427623] __do_softirq+0x1a0/0x5c4
[ 337.427628] irq_exit+0x110/0x140
[ 337.427633] handle_domain_irq+0xa4/0xe0
[ 337.427640] gic_handle_irq+0x64/0x160
[ 337.427644] call_on_irq_stack+0x20/0x4c
[ 337.427649] do_interrupt_handler+0x7c/0x90
[ 337.427654] el1_interrupt+0x30/0x80
[ 337.427659] el1h_64_irq_handler+0x18/0x30
[ 337.427663] el1h_64_irq+0x7c/0x80
[ 337.427667] cpuidle_enter_state+0xe4/0x540
[ 337.427674] cpuidle_enter+0x54/0x80
[ 337.427679] do_idle+0x2e0/0x380
[ 337.427685] cpu_startup_entry+0x2c/0x70
[ 337.427690] rest_init+0x114/0x130
[ 337.427695] arch_call_rest_init+0x18/0x24
[ 337.427702] start_kernel+0x380/0x3b4
[ 337.427706] __primary_switched+0xc0/0xc8
Fixes: f46b195799b5 ("dmaengine: tegra-adma: Add support for Tegra210 ADMA")
Signed-off-by: Sheetal <sheetal@nvidia.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Link: https://patch.msgid.link/20251110142445.3842036-1-sheetal@nvidia.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/tegra210-adma.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c
index fad896ff29a2d..812f64569e6d8 100644
--- a/drivers/dma/tegra210-adma.c
+++ b/drivers/dma/tegra210-adma.c
@@ -429,10 +429,17 @@ static void tegra_adma_stop(struct tegra_adma_chan *tdc)
return;
}
- kfree(tdc->desc);
+ vchan_terminate_vdesc(&tdc->desc->vd);
tdc->desc = NULL;
}
+static void tegra_adma_synchronize(struct dma_chan *dc)
+{
+ struct tegra_adma_chan *tdc = to_tegra_adma_chan(dc);
+
+ vchan_synchronize(&tdc->vc);
+}
+
static void tegra_adma_start(struct tegra_adma_chan *tdc)
{
struct virt_dma_desc *vd = vchan_next_desc(&tdc->vc);
@@ -1155,6 +1162,7 @@ static int tegra_adma_probe(struct platform_device *pdev)
tdma->dma_dev.device_config = tegra_adma_slave_config;
tdma->dma_dev.device_tx_status = tegra_adma_tx_status;
tdma->dma_dev.device_terminate_all = tegra_adma_terminate_all;
+ tdma->dma_dev.device_synchronize = tegra_adma_synchronize;
tdma->dma_dev.src_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
tdma->dma_dev.dst_addr_widths = BIT(DMA_SLAVE_BUSWIDTH_4_BYTES);
tdma->dma_dev.directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 072/198] dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2026-01-21 18:14 ` [PATCH 6.18 071/198] dmaengine: tegra-adma: Fix use-after-free Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 073/198] phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it Greg Kroah-Hartman
` (139 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Suraj Gupta, Radhey Shyam Pandey,
Folker Schwesinger, Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Suraj Gupta <suraj.gupta2@amd.com>
[ Upstream commit c0732fe78728718c853ef8e7af5bbb05262acbd1 ]
When device tree lacks optional "xlnx,addrwidth" property, the addr_width
variable remained uninitialized with garbage values, causing incorrect
DMA mask configuration and subsequent probe failure. The fix ensures a
fallback to the default 32-bit address width when this property is missing.
Signed-off-by: Suraj Gupta <suraj.gupta2@amd.com>
Fixes: b72db4005fe4 ("dmaengine: vdma: Add 64 bit addressing support to the driver")
Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Reviewed-by: Folker Schwesinger <dev@folker-schwesinger.de>
Link: https://patch.msgid.link/20251021183006.3434495-1-suraj.gupta2@amd.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/xilinx/xilinx_dma.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
index fabff602065f6..89a8254d9cdc6 100644
--- a/drivers/dma/xilinx/xilinx_dma.c
+++ b/drivers/dma/xilinx/xilinx_dma.c
@@ -131,6 +131,7 @@
#define XILINX_MCDMA_MAX_CHANS_PER_DEVICE 0x20
#define XILINX_DMA_MAX_CHANS_PER_DEVICE 0x2
#define XILINX_CDMA_MAX_CHANS_PER_DEVICE 0x1
+#define XILINX_DMA_DFAULT_ADDRWIDTH 0x20
#define XILINX_DMA_DMAXR_ALL_IRQ_MASK \
(XILINX_DMA_DMASR_FRM_CNT_IRQ | \
@@ -3159,7 +3160,7 @@ static int xilinx_dma_probe(struct platform_device *pdev)
struct device_node *node = pdev->dev.of_node;
struct xilinx_dma_device *xdev;
struct device_node *child, *np = pdev->dev.of_node;
- u32 num_frames, addr_width, len_width;
+ u32 num_frames, addr_width = XILINX_DMA_DFAULT_ADDRWIDTH, len_width;
int i, err;
/* Allocate and initialize the DMA engine structure */
@@ -3235,7 +3236,9 @@ static int xilinx_dma_probe(struct platform_device *pdev)
err = of_property_read_u32(node, "xlnx,addrwidth", &addr_width);
if (err < 0)
- dev_warn(xdev->dev, "missing xlnx,addrwidth property\n");
+ dev_warn(xdev->dev,
+ "missing xlnx,addrwidth property, using default value %d\n",
+ XILINX_DMA_DFAULT_ADDRWIDTH);
if (addr_width > 32)
xdev->ext_addr = true;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 073/198] phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 072/198] dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 074/198] phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Greg Kroah-Hartman
` (138 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leonid Segal, Pierluigi Passaro,
Stefano Radaelli, Xu Yang, Frank Li, Fabio Estevam, Ahmad Fatoum,
Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Radaelli <stefano.radaelli21@gmail.com>
[ Upstream commit 8becf9179a4b45104a1701010ed666b55bf4b3a6 ]
Clear the PCS_TX_SWING_FULL field mask before setting the new value
in PHY_CTRL5 register. Without clearing the mask first, the OR operation
could leave previously set bits, resulting in incorrect register
configuration.
Fixes: 63c85ad0cd81 ("phy: fsl-imx8mp-usb: add support for phy tuning")
Suggested-by: Leonid Segal <leonids@variscite.com>
Acked-by: Pierluigi Passaro <pierluigi.p@variscite.com>
Signed-off-by: Stefano Radaelli <stefano.r@variscite.com>
Reviewed-by: Xu Yang <xu.yang_2@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Link: https://patch.msgid.link/20251219160912.561431-1-stefano.r@variscite.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
index b94f242420fc7..0c84f5f7a82cb 100644
--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
@@ -502,6 +502,7 @@ static void imx8m_phy_tune(struct imx8mq_usb_phy *imx_phy)
if (imx_phy->pcs_tx_swing_full != PHY_TUNE_DEFAULT) {
value = readl(imx_phy->base + PHY_CTRL5);
+ value &= ~PHY_CTRL5_PCS_TX_SWING_FULL_MASK;
value |= FIELD_PREP(PHY_CTRL5_PCS_TX_SWING_FULL_MASK,
imx_phy->pcs_tx_swing_full);
writel(value, imx_phy->base + PHY_CTRL5);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 074/198] phy: qcom-qusb2: Fix NULL pointer dereference on early suspend
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 073/198] phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 075/198] phy: stm32-usphyc: Fix off by one in probe() Greg Kroah-Hartman
` (137 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Loic Poulain, Dmitry Baryshkov,
Abel Vesa, Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Loic Poulain <loic.poulain@oss.qualcomm.com>
[ Upstream commit 1ca52c0983c34fca506921791202ed5bdafd5306 ]
Enabling runtime PM before attaching the QPHY instance as driver data
can lead to a NULL pointer dereference in runtime PM callbacks that
expect valid driver data. There is a small window where the suspend
callback may run after PM runtime enabling and before runtime forbid.
This causes a sporadic crash during boot:
```
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1
[...]
CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT
Workqueue: pm pm_runtime_work
pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2]
lr : pm_generic_runtime_suspend+0x2c/0x44
[...]
```
Attach the QPHY instance as driver data before enabling runtime PM to
prevent NULL pointer dereference in runtime PM callbacks.
Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a
short window where an unnecessary runtime suspend can occur.
Use the devres-managed version to ensure PM runtime is symmetrically
disabled during driver removal for proper cleanup.
Fixes: 891a96f65ac3 ("phy: qcom-qusb2: Add support for runtime PM")
Signed-off-by: Loic Poulain <loic.poulain@oss.qualcomm.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
Reviewed-by: Abel Vesa <abel.vesa@oss.qualcomm.com>
Link: https://patch.msgid.link/20251219085640.114473-1-loic.poulain@oss.qualcomm.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
index b5514a32ff8ff..eb93015be841f 100644
--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
+++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
@@ -1093,29 +1093,29 @@ static int qusb2_phy_probe(struct platform_device *pdev)
or->hsdisc_trim.override = true;
}
- pm_runtime_set_active(dev);
- pm_runtime_enable(dev);
+ dev_set_drvdata(dev, qphy);
+
/*
- * Prevent runtime pm from being ON by default. Users can enable
- * it using power/control in sysfs.
+ * Enable runtime PM support, but forbid it by default.
+ * Users can allow it again via the power/control attribute in sysfs.
*/
+ pm_runtime_set_active(dev);
pm_runtime_forbid(dev);
+ ret = devm_pm_runtime_enable(dev);
+ if (ret)
+ return ret;
generic_phy = devm_phy_create(dev, NULL, &qusb2_phy_gen_ops);
if (IS_ERR(generic_phy)) {
ret = PTR_ERR(generic_phy);
dev_err(dev, "failed to create phy, %d\n", ret);
- pm_runtime_disable(dev);
return ret;
}
qphy->phy = generic_phy;
- dev_set_drvdata(dev, qphy);
phy_set_drvdata(generic_phy, qphy);
phy_provider = devm_of_phy_provider_register(dev, of_phy_simple_xlate);
- if (IS_ERR(phy_provider))
- pm_runtime_disable(dev);
return PTR_ERR_OR_ZERO(phy_provider);
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 075/198] phy: stm32-usphyc: Fix off by one in probe()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 074/198] phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 076/198] phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
` (136 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Amelie Delaunay,
Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit cabd25b57216ddc132efbcc31f972baa03aad15a ]
The "index" variable is used as an index into the usbphyc->phys[] array
which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys
then it is one element out of bounds. The "index" comes from the
device tree so it's data that we trust and it's unlikely to be wrong,
however it's obviously still worth fixing the bug. Change the > to >=.
Fixes: 94c358da3a05 ("phy: stm32: add support for STM32 USB PHY Controller (USBPHYC)")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
Link: https://patch.msgid.link/aTfHcMJK1wFVnvEe@stanley.mountain
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/st/phy-stm32-usbphyc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/phy/st/phy-stm32-usbphyc.c b/drivers/phy/st/phy-stm32-usbphyc.c
index 27fe92f73f331..b44afbff8616b 100644
--- a/drivers/phy/st/phy-stm32-usbphyc.c
+++ b/drivers/phy/st/phy-stm32-usbphyc.c
@@ -712,7 +712,7 @@ static int stm32_usbphyc_probe(struct platform_device *pdev)
}
ret = of_property_read_u32(child, "reg", &index);
- if (ret || index > usbphyc->nphys) {
+ if (ret || index >= usbphyc->nphys) {
dev_err(&phy->dev, "invalid reg property: %d\n", ret);
if (!ret)
ret = -EINVAL;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 076/198] phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 075/198] phy: stm32-usphyc: Fix off by one in probe() Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 077/198] landlock: Fix TCP handling of short AF_UNSPEC addresses Greg Kroah-Hartman
` (135 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Haotian Zhang,
Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 08aa19de72110df8ac10c9e67349dd884eeed41d ]
devm_pm_runtime_enable() can fail due to memory allocation. The current
code ignores its return value after calling pm_runtime_set_active(),
leaving the device in an inconsistent state if runtime PM initialization
fails.
Check the return value of devm_pm_runtime_enable() and return on
failure. Also move the declaration of 'ret' to the function scope
to support this check.
Fixes: ee8e41b5044f ("phy: ti: phy-da8xx-usb: Add runtime PM support")
Suggested-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20251124105734.1027-1-vulab@iscas.ac.cn
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/ti/phy-da8xx-usb.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/phy/ti/phy-da8xx-usb.c b/drivers/phy/ti/phy-da8xx-usb.c
index 1d81a1e6ec6b6..62fa6f89c0e61 100644
--- a/drivers/phy/ti/phy-da8xx-usb.c
+++ b/drivers/phy/ti/phy-da8xx-usb.c
@@ -180,6 +180,7 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
struct da8xx_usb_phy_platform_data *pdata = dev->platform_data;
struct device_node *node = dev->of_node;
struct da8xx_usb_phy *d_phy;
+ int ret;
d_phy = devm_kzalloc(dev, sizeof(*d_phy), GFP_KERNEL);
if (!d_phy)
@@ -233,8 +234,6 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
return PTR_ERR(d_phy->phy_provider);
}
} else {
- int ret;
-
ret = phy_create_lookup(d_phy->usb11_phy, "usb-phy",
"ohci-da8xx");
if (ret)
@@ -249,7 +248,9 @@ static int da8xx_usb_phy_probe(struct platform_device *pdev)
PHY_INIT_BITS, PHY_INIT_BITS);
pm_runtime_set_active(dev);
- devm_pm_runtime_enable(dev);
+ ret = devm_pm_runtime_enable(dev);
+ if (ret)
+ return ret;
/*
* Prevent runtime pm from being ON by default. Users can enable
* it using power/control in sysfs.
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 077/198] landlock: Fix TCP handling of short AF_UNSPEC addresses
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 076/198] phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 078/198] selftests/landlock: Fix TCP bind(AF_UNSPEC) test case Greg Kroah-Hartman
` (134 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Buffet,
Mickaël Salaün, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Buffet <matthieu@buffet.re>
[ Upstream commit e4d82cbce2258f454634307fdabf33aa46b61ab0 ]
current_check_access_socket() treats AF_UNSPEC addresses as
AF_INET ones, and only later adds special case handling to
allow connect(AF_UNSPEC), and on IPv4 sockets
bind(AF_UNSPEC+INADDR_ANY).
This would be fine except AF_UNSPEC addresses can be as
short as a bare AF_UNSPEC sa_family_t field, and nothing
more. The AF_INET code path incorrectly enforces a length of
sizeof(struct sockaddr_in) instead.
Move AF_UNSPEC edge case handling up inside the switch-case,
before the address is (potentially incorrectly) treated as
AF_INET.
Fixes: fff69fb03dde ("landlock: Support network rules with TCP bind and connect")
Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://lore.kernel.org/r/20251027190726.626244-4-matthieu@buffet.re
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/landlock/net.c | 118 +++++++++++++++++++++++-----------------
1 file changed, 67 insertions(+), 51 deletions(-)
diff --git a/security/landlock/net.c b/security/landlock/net.c
index 1f3915a90a808..e6367e30e5b0e 100644
--- a/security/landlock/net.c
+++ b/security/landlock/net.c
@@ -71,6 +71,61 @@ static int current_check_access_socket(struct socket *const sock,
switch (address->sa_family) {
case AF_UNSPEC:
+ if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP) {
+ /*
+ * Connecting to an address with AF_UNSPEC dissolves
+ * the TCP association, which have the same effect as
+ * closing the connection while retaining the socket
+ * object (i.e., the file descriptor). As for dropping
+ * privileges, closing connections is always allowed.
+ *
+ * For a TCP access control system, this request is
+ * legitimate. Let the network stack handle potential
+ * inconsistencies and return -EINVAL if needed.
+ */
+ return 0;
+ } else if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
+ /*
+ * Binding to an AF_UNSPEC address is treated
+ * differently by IPv4 and IPv6 sockets. The socket's
+ * family may change under our feet due to
+ * setsockopt(IPV6_ADDRFORM), but that's ok: we either
+ * reject entirely or require
+ * %LANDLOCK_ACCESS_NET_BIND_TCP for the given port, so
+ * it cannot be used to bypass the policy.
+ *
+ * IPv4 sockets map AF_UNSPEC to AF_INET for
+ * retrocompatibility for bind accesses, only if the
+ * address is INADDR_ANY (cf. __inet_bind). IPv6
+ * sockets always reject it.
+ *
+ * Checking the address is required to not wrongfully
+ * return -EACCES instead of -EAFNOSUPPORT or -EINVAL.
+ * We could return 0 and let the network stack handle
+ * these checks, but it is safer to return a proper
+ * error and test consistency thanks to kselftest.
+ */
+ if (sock->sk->__sk_common.skc_family == AF_INET) {
+ const struct sockaddr_in *const sockaddr =
+ (struct sockaddr_in *)address;
+
+ if (addrlen < sizeof(struct sockaddr_in))
+ return -EINVAL;
+
+ if (sockaddr->sin_addr.s_addr !=
+ htonl(INADDR_ANY))
+ return -EAFNOSUPPORT;
+ } else {
+ if (addrlen < SIN6_LEN_RFC2133)
+ return -EINVAL;
+ else
+ return -EAFNOSUPPORT;
+ }
+ } else {
+ WARN_ON_ONCE(1);
+ }
+ /* Only for bind(AF_UNSPEC+INADDR_ANY) on IPv4 socket. */
+ fallthrough;
case AF_INET: {
const struct sockaddr_in *addr4;
@@ -119,57 +174,18 @@ static int current_check_access_socket(struct socket *const sock,
return 0;
}
- /* Specific AF_UNSPEC handling. */
- if (address->sa_family == AF_UNSPEC) {
- /*
- * Connecting to an address with AF_UNSPEC dissolves the TCP
- * association, which have the same effect as closing the
- * connection while retaining the socket object (i.e., the file
- * descriptor). As for dropping privileges, closing
- * connections is always allowed.
- *
- * For a TCP access control system, this request is legitimate.
- * Let the network stack handle potential inconsistencies and
- * return -EINVAL if needed.
- */
- if (access_request == LANDLOCK_ACCESS_NET_CONNECT_TCP)
- return 0;
-
- /*
- * For compatibility reason, accept AF_UNSPEC for bind
- * accesses (mapped to AF_INET) only if the address is
- * INADDR_ANY (cf. __inet_bind). Checking the address is
- * required to not wrongfully return -EACCES instead of
- * -EAFNOSUPPORT.
- *
- * We could return 0 and let the network stack handle these
- * checks, but it is safer to return a proper error and test
- * consistency thanks to kselftest.
- */
- if (access_request == LANDLOCK_ACCESS_NET_BIND_TCP) {
- /* addrlen has already been checked for AF_UNSPEC. */
- const struct sockaddr_in *const sockaddr =
- (struct sockaddr_in *)address;
-
- if (sock->sk->__sk_common.skc_family != AF_INET)
- return -EINVAL;
-
- if (sockaddr->sin_addr.s_addr != htonl(INADDR_ANY))
- return -EAFNOSUPPORT;
- }
- } else {
- /*
- * Checks sa_family consistency to not wrongfully return
- * -EACCES instead of -EINVAL. Valid sa_family changes are
- * only (from AF_INET or AF_INET6) to AF_UNSPEC.
- *
- * We could return 0 and let the network stack handle this
- * check, but it is safer to return a proper error and test
- * consistency thanks to kselftest.
- */
- if (address->sa_family != sock->sk->__sk_common.skc_family)
- return -EINVAL;
- }
+ /*
+ * Checks sa_family consistency to not wrongfully return
+ * -EACCES instead of -EINVAL. Valid sa_family changes are
+ * only (from AF_INET or AF_INET6) to AF_UNSPEC.
+ *
+ * We could return 0 and let the network stack handle this
+ * check, but it is safer to return a proper error and test
+ * consistency thanks to kselftest.
+ */
+ if (address->sa_family != sock->sk->__sk_common.skc_family &&
+ address->sa_family != AF_UNSPEC)
+ return -EINVAL;
id.key.data = (__force uintptr_t)port;
BUILD_BUG_ON(sizeof(port) > sizeof(id.key.data));
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 078/198] selftests/landlock: Fix TCP bind(AF_UNSPEC) test case
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 077/198] landlock: Fix TCP handling of short AF_UNSPEC addresses Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 079/198] selftests/landlock: Remove invalid unix socket bind() Greg Kroah-Hartman
` (133 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Buffet,
Mickaël Salaün, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Buffet <matthieu@buffet.re>
[ Upstream commit bd09d9a05cf04028f639e209b416bacaeffd4909 ]
The nominal error code for bind(AF_UNSPEC) on an IPv6 socket
is -EAFNOSUPPORT, not -EINVAL. -EINVAL is only returned when
the supplied address struct is too short, which happens to be
the case in current selftests because they treat AF_UNSPEC
like IPv4 sockets do: as an alias for AF_INET (which is a
16-byte struct instead of the 24 bytes required by IPv6
sockets).
Make the union large enough for any address (by adding struct
sockaddr_storage to the union), and make AF_UNSPEC addresses
large enough for any family.
Test for -EAFNOSUPPORT instead, and add a dedicated test case
for truncated inputs with -EINVAL.
Fixes: a549d055a22e ("selftests/landlock: Add network tests")
Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Link: https://lore.kernel.org/r/20251027190726.626244-2-matthieu@buffet.re
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/landlock/common.h | 1 +
tools/testing/selftests/landlock/net_test.c | 16 +++++++++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/landlock/common.h b/tools/testing/selftests/landlock/common.h
index 9acecae36f51b..98c2362954e21 100644
--- a/tools/testing/selftests/landlock/common.h
+++ b/tools/testing/selftests/landlock/common.h
@@ -237,6 +237,7 @@ struct service_fixture {
struct sockaddr_un unix_addr;
socklen_t unix_addr_len;
};
+ struct sockaddr_storage _largest;
};
};
diff --git a/tools/testing/selftests/landlock/net_test.c b/tools/testing/selftests/landlock/net_test.c
index 2a45208551e61..3bbc0508420b1 100644
--- a/tools/testing/selftests/landlock/net_test.c
+++ b/tools/testing/selftests/landlock/net_test.c
@@ -121,6 +121,10 @@ static socklen_t get_addrlen(const struct service_fixture *const srv,
{
switch (srv->protocol.domain) {
case AF_UNSPEC:
+ if (minimal)
+ return sizeof(sa_family_t);
+ return sizeof(struct sockaddr_storage);
+
case AF_INET:
return sizeof(srv->ipv4_addr);
@@ -758,6 +762,11 @@ TEST_F(protocol, bind_unspec)
bind_fd = socket_variant(&self->srv0);
ASSERT_LE(0, bind_fd);
+ /* Tries to bind with too small addrlen. */
+ EXPECT_EQ(-EINVAL, bind_variant_addrlen(
+ bind_fd, &self->unspec_any0,
+ get_addrlen(&self->unspec_any0, true) - 1));
+
/* Allowed bind on AF_UNSPEC/INADDR_ANY. */
ret = bind_variant(bind_fd, &self->unspec_any0);
if (variant->prot.domain == AF_INET) {
@@ -766,6 +775,8 @@ TEST_F(protocol, bind_unspec)
TH_LOG("Failed to bind to unspec/any socket: %s",
strerror(errno));
}
+ } else if (variant->prot.domain == AF_INET6) {
+ EXPECT_EQ(-EAFNOSUPPORT, ret);
} else {
EXPECT_EQ(-EINVAL, ret);
}
@@ -792,6 +803,8 @@ TEST_F(protocol, bind_unspec)
} else {
EXPECT_EQ(0, ret);
}
+ } else if (variant->prot.domain == AF_INET6) {
+ EXPECT_EQ(-EAFNOSUPPORT, ret);
} else {
EXPECT_EQ(-EINVAL, ret);
}
@@ -801,7 +814,8 @@ TEST_F(protocol, bind_unspec)
bind_fd = socket_variant(&self->srv0);
ASSERT_LE(0, bind_fd);
ret = bind_variant(bind_fd, &self->unspec_srv0);
- if (variant->prot.domain == AF_INET) {
+ if (variant->prot.domain == AF_INET ||
+ variant->prot.domain == AF_INET6) {
EXPECT_EQ(-EAFNOSUPPORT, ret);
} else {
EXPECT_EQ(-EINVAL, ret)
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 079/198] selftests/landlock: Remove invalid unix socket bind()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 078/198] selftests/landlock: Fix TCP bind(AF_UNSPEC) test case Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 080/198] landlock: Fix wrong type usage Greg Kroah-Hartman
` (132 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Buffet, Günther Noack,
Mickaël Salaün, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Buffet <matthieu@buffet.re>
[ Upstream commit e1a57c33590a50a6639798e60a597af4a23b0340 ]
Remove bind() call on a client socket that doesn't make sense.
Since strlen(cli_un.sun_path) returns a random value depending on stack
garbage, that many uninitialized bytes are read from the stack as an
unix socket address. This creates random test failures due to the bind
address being invalid or already in use if the same stack value comes up
twice.
Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets")
Signed-off-by: Matthieu Buffet <matthieu@buffet.re>
Reviewed-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20251201003631.190817-1-matthieu@buffet.re
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/landlock/fs_test.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index fa0f18ec62c41..a6eb9681791a5 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -4375,9 +4375,6 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
cli_fd = socket(AF_UNIX, SOCK_STREAM, 0);
ASSERT_LE(0, cli_fd);
- size = offsetof(struct sockaddr_un, sun_path) + strlen(cli_un.sun_path);
- ASSERT_EQ(0, bind(cli_fd, (struct sockaddr *)&cli_un, size));
-
bzero(&cli_un, sizeof(cli_un));
cli_un.sun_family = AF_UNIX;
strncpy(cli_un.sun_path, path, sizeof(cli_un.sun_path));
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 080/198] landlock: Fix wrong type usage
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 079/198] selftests/landlock: Remove invalid unix socket bind() Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 081/198] phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again) Greg Kroah-Hartman
` (131 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tingmao Wang, Günther Noack,
Mickaël Salaün, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tingmao Wang <m@maowtm.org>
[ Upstream commit 29fbfa46e4287c596bdc77e2c599e3a1bbf8bb67 ]
I think, based on my best understanding, that this type is likely a typo
(even though in the end both are u16)
Signed-off-by: Tingmao Wang <m@maowtm.org>
Fixes: 2fc80c69df82 ("landlock: Log file-related denials")
Reviewed-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/7339ad7b47f998affd84ca629a334a71f913616d.1765040503.git.m@maowtm.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/landlock/audit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/landlock/audit.c b/security/landlock/audit.c
index c52d079cdb77b..e899995f1fd59 100644
--- a/security/landlock/audit.c
+++ b/security/landlock/audit.c
@@ -191,7 +191,7 @@ static size_t get_denied_layer(const struct landlock_ruleset *const domain,
long youngest_layer = -1;
for_each_set_bit(access_bit, &access_req, layer_masks_size) {
- const access_mask_t mask = (*layer_masks)[access_bit];
+ const layer_mask_t mask = (*layer_masks)[access_bit];
long layer;
if (!mask)
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 081/198] phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again)
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 080/198] landlock: Fix wrong type usage Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 082/198] selftests/landlock: Properly close a file descriptor Greg Kroah-Hartman
` (130 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Vinod Koul,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
[ Upstream commit fb21116099bbea1fc59efa9207e63c4be390ab72 ]
"family" is an enum, thus cast of pointer on 64-bit compile test with
clang W=1 causes:
phy-bcm-ns-usb3.c:206:17: error: cast to smaller integer type 'enum bcm_ns_family' from 'const void *' [-Werror,-Wvoid-pointer-to-enum-cast]
This was already fixed in commit bd6e74a2f0a0 ("phy: broadcom: ns-usb3:
fix Wvoid-pointer-to-enum-cast warning") but then got bad in commit
21bf6fc47a1e ("phy: Use device_get_match_data()").
Note that after various discussions the preferred cast is via "unsigned
long", not "uintptr_t".
Fixes: 21bf6fc47a1e ("phy: Use device_get_match_data()")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20251224115533.154162-2-krzysztof.kozlowski@oss.qualcomm.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/broadcom/phy-bcm-ns-usb3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/phy/broadcom/phy-bcm-ns-usb3.c b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
index 9f995e156f755..6e56498d0644b 100644
--- a/drivers/phy/broadcom/phy-bcm-ns-usb3.c
+++ b/drivers/phy/broadcom/phy-bcm-ns-usb3.c
@@ -203,7 +203,7 @@ static int bcm_ns_usb3_mdio_probe(struct mdio_device *mdiodev)
usb3->dev = dev;
usb3->mdiodev = mdiodev;
- usb3->family = (enum bcm_ns_family)device_get_match_data(dev);
+ usb3->family = (unsigned long)device_get_match_data(dev);
syscon_np = of_parse_phandle(dev->of_node, "usb3-dmp-syscon", 0);
err = of_address_to_resource(syscon_np, 0, &res);
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 082/198] selftests/landlock: Properly close a file descriptor
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 081/198] phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again) Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 083/198] dmaengine: omap-dma: fix dma_pool resource leak in error paths Greg Kroah-Hartman
` (129 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Günther Noack,
Mickaël Salaün, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Günther Noack <gnoack3000@gmail.com>
[ Upstream commit 15e8d739fda1084d81f7d3813e9600eba6e0f134 ]
Add a missing close(srv_fd) call, and use EXPECT_EQ() to check the
result.
Signed-off-by: Günther Noack <gnoack3000@gmail.com>
Fixes: f83d51a5bdfe ("selftests/landlock: Check IOCTL restrictions for named UNIX domain sockets")
Link: https://lore.kernel.org/r/20260101134102.25938-2-gnoack3000@gmail.com
[mic: Use EXPECT_EQ() and update commit message]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/landlock/fs_test.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c
index a6eb9681791a5..29cdbb8367358 100644
--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -4385,7 +4385,8 @@ TEST_F_FORK(layout1, named_unix_domain_socket_ioctl)
/* FIONREAD and other IOCTLs should not be forbidden. */
EXPECT_EQ(0, test_fionread_ioctl(cli_fd));
- ASSERT_EQ(0, close(cli_fd));
+ EXPECT_EQ(0, close(cli_fd));
+ EXPECT_EQ(0, close(srv_fd));
}
/* clang-format off */
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 083/198] dmaengine: omap-dma: fix dma_pool resource leak in error paths
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 082/198] selftests/landlock: Properly close a file descriptor Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 084/198] soundwire: bus: fix off-by-one when allocating slave IDs Greg Kroah-Hartman
` (128 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haotian Zhang, Vinod Koul,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haotian Zhang <vulab@iscas.ac.cn>
[ Upstream commit 2e1136acf8a8887c29f52e35a77b537309af321f ]
The dma_pool created by dma_pool_create() is not destroyed when
dma_async_device_register() or of_dma_controller_register() fails,
causing a resource leak in the probe error paths.
Add dma_pool_destroy() in both error paths to properly release the
allocated dma_pool resource.
Fixes: 7bedaa553760 ("dmaengine: add OMAP DMA engine driver")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Link: https://patch.msgid.link/20251103073018.643-1-vulab@iscas.ac.cn
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/ti/omap-dma.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
index 8c023c6e623a5..73ed4b7946304 100644
--- a/drivers/dma/ti/omap-dma.c
+++ b/drivers/dma/ti/omap-dma.c
@@ -1808,6 +1808,8 @@ static int omap_dma_probe(struct platform_device *pdev)
if (rc) {
pr_warn("OMAP-DMA: failed to register slave DMA engine device: %d\n",
rc);
+ if (od->ll123_supported)
+ dma_pool_destroy(od->desc_pool);
omap_dma_free(od);
return rc;
}
@@ -1823,6 +1825,8 @@ static int omap_dma_probe(struct platform_device *pdev)
if (rc) {
pr_warn("OMAP-DMA: failed to register DMA controller\n");
dma_async_device_unregister(&od->ddev);
+ if (od->ll123_supported)
+ dma_pool_destroy(od->desc_pool);
omap_dma_free(od);
}
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 084/198] soundwire: bus: fix off-by-one when allocating slave IDs
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 083/198] dmaengine: omap-dma: fix dma_pool resource leak in error paths Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 085/198] i2c: qcom-geni: make sure I2C hub controllers cant use SE DMA Greg Kroah-Hartman
` (127 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
Harshit Mogalapalli, Charles Keepax, Vinod Koul, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
[ Upstream commit 12d4fd9a657174496677cff2841315090f1c11fc ]
ida_alloc_max() interprets its max argument as inclusive.
Using SDW_FW_MAX_DEVICES(16) therefore allows an ID of 16 to be
allocated, but the IRQ domain created for the bus is sized for IDs
0-15. If 16 is returned, irq_create_mapping() fails and the driver
ends up with an invalid IRQ mapping.
Limit the allocation to 0-15 by passing SDW_FW_MAX_DEVICES - 1.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202512240450.hlDH3nCs-lkp@intel.com/
Fixes: aab12022b076 ("soundwire: bus: Add internal slave ID and use for IRQs")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://patch.msgid.link/20260110201959.2523024-1-harshit.m.mogalapalli@oracle.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soundwire/bus_type.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soundwire/bus_type.c b/drivers/soundwire/bus_type.c
index 91e70cb46fb57..5c67c13e57357 100644
--- a/drivers/soundwire/bus_type.c
+++ b/drivers/soundwire/bus_type.c
@@ -105,7 +105,7 @@ static int sdw_drv_probe(struct device *dev)
if (ret)
return ret;
- ret = ida_alloc_max(&slave->bus->slave_ida, SDW_FW_MAX_DEVICES, GFP_KERNEL);
+ ret = ida_alloc_max(&slave->bus->slave_ida, SDW_FW_MAX_DEVICES - 1, GFP_KERNEL);
if (ret < 0) {
dev_err(dev, "Failed to allocated ID: %d\n", ret);
return ret;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 085/198] i2c: qcom-geni: make sure I2C hub controllers cant use SE DMA
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 084/198] soundwire: bus: fix off-by-one when allocating slave IDs Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 086/198] i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume progress Greg Kroah-Hartman
` (126 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neil Armstrong, Konrad Dybcio,
Wolfram Sang, Sasha Levin, Mukesh Kumar Savaliya
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neil Armstrong <neil.armstrong@linaro.org>
[ Upstream commit c0c50e3743e467ec4752c638e10e97f89c8644e2 ]
The I2C Hub controller is a simpler GENI I2C variant that doesn't
support DMA at all, add a no_dma flag to make sure it nevers selects
the SE DMA mode with mappable 32bytes long transfers.
Fixes: cacd9643eca7 ("i2c: qcom-geni: add support for I2C Master Hub variant")
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Reviewed-by: Mukesh Kumar Savaliya <mukesh.savaliya@oss.qualcomm.com>>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-qcom-geni.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
index 43fdd89b8bebc..bfb352b04902c 100644
--- a/drivers/i2c/busses/i2c-qcom-geni.c
+++ b/drivers/i2c/busses/i2c-qcom-geni.c
@@ -97,6 +97,7 @@ struct geni_i2c_dev {
dma_addr_t dma_addr;
struct dma_chan *tx_c;
struct dma_chan *rx_c;
+ bool no_dma;
bool gpi_mode;
bool abort_done;
};
@@ -425,7 +426,7 @@ static int geni_i2c_rx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
size_t len = msg->len;
struct i2c_msg *cur;
- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
+ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
if (dma_buf)
geni_se_select_mode(se, GENI_SE_DMA);
else
@@ -464,7 +465,7 @@ static int geni_i2c_tx_one_msg(struct geni_i2c_dev *gi2c, struct i2c_msg *msg,
size_t len = msg->len;
struct i2c_msg *cur;
- dma_buf = i2c_get_dma_safe_msg_buf(msg, 32);
+ dma_buf = gi2c->no_dma ? NULL : i2c_get_dma_safe_msg_buf(msg, 32);
if (dma_buf)
geni_se_select_mode(se, GENI_SE_DMA);
else
@@ -880,10 +881,12 @@ static int geni_i2c_probe(struct platform_device *pdev)
goto err_resources;
}
- if (desc && desc->no_dma_support)
+ if (desc && desc->no_dma_support) {
fifo_disable = false;
- else
+ gi2c->no_dma = true;
+ } else {
fifo_disable = readl_relaxed(gi2c->se.base + GENI_IF_DISABLE_RO) & FIFO_IF_DISABLE;
+ }
if (fifo_disable) {
/* FIFO is disabled, so we can only use GPI DMA */
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 086/198] i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume progress
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 085/198] i2c: qcom-geni: make sure I2C hub controllers cant use SE DMA Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 087/198] sched/deadline: Avoid double update_rq_clock() Greg Kroah-Hartman
` (125 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos Song, Frank Li, Wolfram Sang,
Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Song <carlos.song@nxp.com>
[ Upstream commit f2a3f51365bf672dab4b58d1e8954926a9196b44 ]
EDMA resumes early and suspends late in the system power transition
sequence, while LPI2C enters the NOIRQ stage for both suspend and resume.
This means LPI2C resources become available before EDMA is fully resumed.
Once IRQs are enabled, a slave device may immediately trigger an LPI2C
transfer. If the transfer length meets DMA requirements, the driver will
attempt to use EDMA even though EDMA may still be unavailable.
This timing gap can lead to transfer failures. To prevent this, force
LPI2C to use PIO mode during system-wide suspend and resume transitions.
This reduces dependency on EDMA and avoids using an unready DMA resource.
Fixes: a09c8b3f9047 ("i2c: imx-lpi2c: add eDMA mode support for LPI2C")
Signed-off-by: Carlos Song <carlos.song@nxp.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-imx-lpi2c.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c b/drivers/i2c/busses/i2c-imx-lpi2c.c
index 2a0962a0b4417..d882126c1778c 100644
--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
+++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
@@ -592,6 +592,13 @@ static bool is_use_dma(struct lpi2c_imx_struct *lpi2c_imx, struct i2c_msg *msg)
if (!lpi2c_imx->can_use_dma)
return false;
+ /*
+ * A system-wide suspend or resume transition is in progress. LPI2C should use PIO to
+ * transfer data to avoid issue caused by no ready DMA HW resource.
+ */
+ if (pm_suspend_in_progress())
+ return false;
+
/*
* When the length of data is less than I2C_DMA_THRESHOLD,
* cpu mode is used directly to avoid low performance.
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 087/198] sched/deadline: Avoid double update_rq_clock()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 086/198] i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume progress Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 088/198] sched: Deadline has dynamic priority Greg Kroah-Hartman
` (124 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre Gondois,
Peter Zijlstra (Intel), Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 4de9ff76067b40c3660df73efaea57389e62ea7a ]
When setup_new_dl_entity() is called from enqueue_task_dl() ->
enqueue_dl_entity(), the rq-clock should already be updated, and
calling update_rq_clock() again is not right.
Move the update_rq_clock() to the one other caller of
setup_new_dl_entity(): sched_init_dl_server().
Fixes: 9f239df55546 ("sched/deadline: Initialize dl_servers after SMP")
Reported-by: Pierre Gondois <pierre.gondois@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Pierre Gondois <pierre.gondois@arm.com>
Link: https://patch.msgid.link/20260113115622.GA831285@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/deadline.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/sched/deadline.c b/kernel/sched/deadline.c
index d3be71d5a9ccc..465592fa530ef 100644
--- a/kernel/sched/deadline.c
+++ b/kernel/sched/deadline.c
@@ -761,8 +761,6 @@ static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se)
struct dl_rq *dl_rq = dl_rq_of_se(dl_se);
struct rq *rq = rq_of_dl_rq(dl_rq);
- update_rq_clock(rq);
-
WARN_ON(is_dl_boosted(dl_se));
WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline));
@@ -1623,6 +1621,7 @@ void sched_init_dl_servers(void)
rq = cpu_rq(cpu);
guard(rq_lock_irq)(rq);
+ update_rq_clock(rq);
dl_se = &rq->fair_server;
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 088/198] sched: Deadline has dynamic priority
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 087/198] sched/deadline: Avoid double update_rq_clock() Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 089/198] HID: usbhid: paper over wrong bNumDescriptor field Greg Kroah-Hartman
` (123 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel),
Pierre Gondois, Juri Lelli, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit e008ec6c7904ed99d3b2cb634b6545b008a99288 ]
While FIFO/RR have static priority, DEADLINE is a dynamic priority
scheme. Notably it has static priority -1. Do not assume the priority
doesn't change for deadline tasks just because the static priority
doesn't change.
This ensures DL always sees {DE,EN}QUEUE_MOVE where appropriate.
Fixes: ff77e4685359 ("sched/rt: Fix PI handling vs. sched_setscheduler()")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Pierre Gondois <pierre.gondois@arm.com>
Tested-by: Juri Lelli <juri.lelli@redhat.com>
Link: https://patch.msgid.link/20260114130528.GB831285@noisy.programming.kicks-ass.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/core.c | 2 +-
kernel/sched/syscalls.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index eb47d294e2c5a..e460c22de8ad4 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -7383,7 +7383,7 @@ void rt_mutex_setprio(struct task_struct *p, struct task_struct *pi_task)
trace_sched_pi_setprio(p, pi_task);
oldprio = p->prio;
- if (oldprio == prio)
+ if (oldprio == prio && !dl_prio(prio))
queue_flag &= ~DEQUEUE_MOVE;
prev_class = p->sched_class;
diff --git a/kernel/sched/syscalls.c b/kernel/sched/syscalls.c
index bf360a6fbb800..6805a63d47af7 100644
--- a/kernel/sched/syscalls.c
+++ b/kernel/sched/syscalls.c
@@ -688,7 +688,7 @@ int __sched_setscheduler(struct task_struct *p,
* itself.
*/
newprio = rt_effective_prio(p, newprio);
- if (newprio == oldprio)
+ if (newprio == oldprio && !dl_prio(newprio))
queue_flags &= ~DEQUEUE_MOVE;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 089/198] HID: usbhid: paper over wrong bNumDescriptor field
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 088/198] sched: Deadline has dynamic priority Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 090/198] selftests/bpf: Fix selftest verif_scale_strobemeta failure with llvm22 Greg Kroah-Hartman
` (122 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Tissoires,
Salvatore Bonaccorso
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Tissoires <bentiss@kernel.org>
commit f28beb69c51517aec7067dfb2074e7c751542384 upstream.
Some faulty devices (ZWO EFWmini) have a wrong optional HID class
descriptor count compared to the provided length.
Given that we plainly ignore those optional descriptor, we can attempt
to fix the provided number so we do not lock out those devices.
Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/usbhid/hid-core.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -985,6 +985,7 @@ static int usbhid_parse(struct hid_devic
struct usb_device *dev = interface_to_usbdev (intf);
struct hid_descriptor *hdesc;
struct hid_class_descriptor *hcdesc;
+ __u8 fixed_opt_descriptors_size;
u32 quirks = 0;
unsigned int rsize = 0;
char *rdesc;
@@ -1015,7 +1016,21 @@ static int usbhid_parse(struct hid_devic
(hdesc->bNumDescriptors - 1) * sizeof(*hcdesc)) {
dbg_hid("hid descriptor invalid, bLen=%hhu bNum=%hhu\n",
hdesc->bLength, hdesc->bNumDescriptors);
- return -EINVAL;
+
+ /*
+ * Some devices may expose a wrong number of descriptors compared
+ * to the provided length.
+ * However, we ignore the optional hid class descriptors entirely
+ * so we can safely recompute the proper field.
+ */
+ if (hdesc->bLength >= sizeof(*hdesc)) {
+ fixed_opt_descriptors_size = hdesc->bLength - sizeof(*hdesc);
+
+ hid_warn(intf, "fixing wrong optional hid class descriptors count\n");
+ hdesc->bNumDescriptors = fixed_opt_descriptors_size / sizeof(*hcdesc) + 1;
+ } else {
+ return -EINVAL;
+ }
}
hid->version = le16_to_cpu(hdesc->bcdHID);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 090/198] selftests/bpf: Fix selftest verif_scale_strobemeta failure with llvm22
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 089/198] HID: usbhid: paper over wrong bNumDescriptor field Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 091/198] scsi: core: Fix error handler encryption support Greg Kroah-Hartman
` (121 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonghong Song, Alexei Starovoitov,
Shung-Hsi Yu
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yonghong Song <yonghong.song@linux.dev>
commit 4f8543b5f20f851cedbb23f8eade159871d84e2a upstream.
With latest llvm22, I hit the verif_scale_strobemeta selftest failure
below:
$ ./test_progs -n 618
libbpf: prog 'on_event': BPF program load failed: -E2BIG
libbpf: prog 'on_event': -- BEGIN PROG LOAD LOG --
BPF program is too large. Processed 1000001 insn
verification time 7019091 usec
stack depth 488
processed 1000001 insns (limit 1000000) max_states_per_insn 28 total_states 33927 peak_states 12813 mark_read 0
-- END PROG LOAD LOG --
libbpf: prog 'on_event': failed to load: -E2BIG
libbpf: failed to load object 'strobemeta.bpf.o'
scale_test:FAIL:expect_success unexpected error: -7 (errno 7)
#618 verif_scale_strobemeta:FAIL
But if I increase the verificaiton insn limit from 1M to 10M, the above
test_progs run actually will succeed. The below is the result from veristat:
$ ./veristat strobemeta.bpf.o
Processing 'strobemeta.bpf.o'...
File Program Verdict Duration (us) Insns States Program size Jited size
---------------- -------- ------- ------------- ------- ------ ------------ ----------
strobemeta.bpf.o on_event success 90250893 9777685 358230 15954 80794
---------------- -------- ------- ------------- ------- ------ ------------ ----------
Done. Processed 1 files, 0 programs. Skipped 1 files, 0 programs.
Further debugging shows the llvm commit [1] is responsible for the verificaiton
failure as it tries to convert certain switch statement to if-condition. Such
change may cause different transformation compared to original switch statement.
In bpf program strobemeta.c case, the initial llvm ir for read_int_var() function is
define internal void @read_int_var(ptr noundef %0, i64 noundef %1, ptr noundef %2,
ptr noundef %3, ptr noundef %4) #2 !dbg !535 {
%6 = alloca ptr, align 8
%7 = alloca i64, align 8
%8 = alloca ptr, align 8
%9 = alloca ptr, align 8
%10 = alloca ptr, align 8
%11 = alloca ptr, align 8
%12 = alloca i32, align 4
...
%20 = icmp ne ptr %19, null, !dbg !561
br i1 %20, label %22, label %21, !dbg !562
21: ; preds = %5
store i32 1, ptr %12, align 4
br label %48, !dbg !563
22:
%23 = load ptr, ptr %9, align 8, !dbg !564
...
47: ; preds = %38, %22
store i32 0, ptr %12, align 4, !dbg !588
br label %48, !dbg !588
48: ; preds = %47, %21
call void @llvm.lifetime.end.p0(ptr %11) #4, !dbg !588
%49 = load i32, ptr %12, align 4
switch i32 %49, label %51 [
i32 0, label %50
i32 1, label %50
]
50: ; preds = %48, %48
ret void, !dbg !589
51: ; preds = %48
unreachable
}
Note that the above 'switch' statement is added by clang frontend.
Without [1], the switch statement will survive until SelectionDag,
so the switch statement acts like a 'barrier' and prevents some
transformation involved with both 'before' and 'after' the switch statement.
But with [1], the switch statement will be removed during middle end
optimization and later middle end passes (esp. after inlining) have more
freedom to reorder the code.
The following is the related source code:
static void *calc_location(struct strobe_value_loc *loc, void *tls_base):
bpf_probe_read_user(&tls_ptr, sizeof(void *), dtv);
/* if pointer has (void *)-1 value, then TLS wasn't initialized yet */
return tls_ptr && tls_ptr != (void *)-1
? tls_ptr + tls_index.offset
: NULL;
In read_int_var() func, we have:
void *location = calc_location(&cfg->int_locs[idx], tls_base);
if (!location)
return;
bpf_probe_read_user(value, sizeof(struct strobe_value_generic), location);
...
The static func calc_location() is called inside read_int_var(). The asm code
without [1]:
77: .123....89 (85) call bpf_probe_read_user#112
78: ........89 (79) r1 = *(u64 *)(r10 -368)
79: .1......89 (79) r2 = *(u64 *)(r10 -8)
80: .12.....89 (bf) r3 = r2
81: .123....89 (0f) r3 += r1
82: ..23....89 (07) r2 += 1
83: ..23....89 (79) r4 = *(u64 *)(r10 -464)
84: ..234...89 (a5) if r2 < 0x2 goto pc+13
85: ...34...89 (15) if r3 == 0x0 goto pc+12
86: ...3....89 (bf) r1 = r10
87: .1.3....89 (07) r1 += -400
88: .1.3....89 (b4) w2 = 16
In this case, 'r2 < 0x2' and 'r3 == 0x0' go to null 'locaiton' place,
so the verifier actually prefers to do verification first at 'r1 = r10' etc.
The asm code with [1]:
119: .123....89 (85) call bpf_probe_read_user#112
120: ........89 (79) r1 = *(u64 *)(r10 -368)
121: .1......89 (79) r2 = *(u64 *)(r10 -8)
122: .12.....89 (bf) r3 = r2
123: .123....89 (0f) r3 += r1
124: ..23....89 (07) r2 += -1
125: ..23....89 (a5) if r2 < 0xfffffffe goto pc+6
126: ........89 (05) goto pc+17
...
144: ........89 (b4) w1 = 0
145: .1......89 (6b) *(u16 *)(r8 +80) = r1
In this case, if 'r2 < 0xfffffffe' is true, the control will go to
non-null 'location' branch, so 'goto pc+17' will actually go to
null 'location' branch. This seems causing tremendous amount of
verificaiton state.
To fix the issue, rewrite the following code
return tls_ptr && tls_ptr != (void *)-1
? tls_ptr + tls_index.offset
: NULL;
to if/then statement and hopefully these explicit if/then statements
are sticky during middle-end optimizations.
Test with llvm20 and llvm21 as well and all strobemeta related selftests
are passed.
[1] https://github.com/llvm/llvm-project/pull/161000
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20251014051639.1996331-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/bpf/progs/strobemeta.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/tools/testing/selftests/bpf/progs/strobemeta.h
+++ b/tools/testing/selftests/bpf/progs/strobemeta.h
@@ -330,9 +330,9 @@ static void *calc_location(struct strobe
}
bpf_probe_read_user(&tls_ptr, sizeof(void *), dtv);
/* if pointer has (void *)-1 value, then TLS wasn't initialized yet */
- return tls_ptr && tls_ptr != (void *)-1
- ? tls_ptr + tls_index.offset
- : NULL;
+ if (!tls_ptr || tls_ptr == (void *)-1)
+ return NULL;
+ return tls_ptr + tls_index.offset;
}
#ifdef SUBPROGS
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 091/198] scsi: core: Fix error handler encryption support
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 090/198] selftests/bpf: Fix selftest verif_scale_strobemeta failure with llvm22 Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 092/198] selftests: kvm: replace numbered sync points with actions Greg Kroah-Hartman
` (120 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Kao, Bart Van Assche,
Martin K. Petersen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Kao <powenkao@google.com>
commit 9a49157deeb23581fc5c8189b486340d7343264a upstream.
Some low-level drivers (LLD) access block layer crypto fields, such as
rq->crypt_keyslot and rq->crypt_ctx within `struct request`, to
configure hardware for inline encryption. However, SCSI Error Handling
(EH) commands (e.g., TEST UNIT READY, START STOP UNIT) should not
involve any encryption setup.
To prevent drivers from erroneously applying crypto settings during EH,
this patch saves the original values of rq->crypt_keyslot and
rq->crypt_ctx before an EH command is prepared via scsi_eh_prep_cmnd().
These fields in the 'struct request' are then set to NULL. The original
values are restored in scsi_eh_restore_cmnd() after the EH command
completes.
This ensures that the block layer crypto context does not leak into EH
command execution.
Signed-off-by: Brian Kao <powenkao@google.com>
Link: https://patch.msgid.link/20251218031726.2642834-1-powenkao@google.com
Cc: stable@vger.kernel.org
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_error.c | 24 ++++++++++++++++++++++++
include/scsi/scsi_eh.h | 6 ++++++
2 files changed, 30 insertions(+)
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -1060,6 +1060,9 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd
unsigned char *cmnd, int cmnd_size, unsigned sense_bytes)
{
struct scsi_device *sdev = scmd->device;
+#ifdef CONFIG_BLK_INLINE_ENCRYPTION
+ struct request *rq = scsi_cmd_to_rq(scmd);
+#endif
/*
* We need saved copies of a number of fields - this is because
@@ -1112,6 +1115,18 @@ void scsi_eh_prep_cmnd(struct scsi_cmnd
(sdev->lun << 5 & 0xe0);
/*
+ * Encryption must be disabled for the commands submitted by the error handler.
+ * Hence, clear the encryption context information.
+ */
+#ifdef CONFIG_BLK_INLINE_ENCRYPTION
+ ses->rq_crypt_keyslot = rq->crypt_keyslot;
+ ses->rq_crypt_ctx = rq->crypt_ctx;
+
+ rq->crypt_keyslot = NULL;
+ rq->crypt_ctx = NULL;
+#endif
+
+ /*
* Zero the sense buffer. The scsi spec mandates that any
* untransferred sense data should be interpreted as being zero.
*/
@@ -1128,6 +1143,10 @@ EXPORT_SYMBOL(scsi_eh_prep_cmnd);
*/
void scsi_eh_restore_cmnd(struct scsi_cmnd* scmd, struct scsi_eh_save *ses)
{
+#ifdef CONFIG_BLK_INLINE_ENCRYPTION
+ struct request *rq = scsi_cmd_to_rq(scmd);
+#endif
+
/*
* Restore original data
*/
@@ -1140,6 +1159,11 @@ void scsi_eh_restore_cmnd(struct scsi_cm
scmd->underflow = ses->underflow;
scmd->prot_op = ses->prot_op;
scmd->eh_eflags = ses->eh_eflags;
+
+#ifdef CONFIG_BLK_INLINE_ENCRYPTION
+ rq->crypt_keyslot = ses->rq_crypt_keyslot;
+ rq->crypt_ctx = ses->rq_crypt_ctx;
+#endif
}
EXPORT_SYMBOL(scsi_eh_restore_cmnd);
--- a/include/scsi/scsi_eh.h
+++ b/include/scsi/scsi_eh.h
@@ -41,6 +41,12 @@ struct scsi_eh_save {
unsigned char cmnd[32];
struct scsi_data_buffer sdb;
struct scatterlist sense_sgl;
+
+ /* struct request fields */
+#ifdef CONFIG_BLK_INLINE_ENCRYPTION
+ struct bio_crypt_ctx *rq_crypt_ctx;
+ struct blk_crypto_keyslot *rq_crypt_keyslot;
+#endif
};
extern void scsi_eh_prep_cmnd(struct scsi_cmnd *scmd,
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 092/198] selftests: kvm: replace numbered sync points with actions
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 091/198] scsi: core: Fix error handler encryption support Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 093/198] selftests: kvm: try getting XFD and XSAVE state out of sync Greg Kroah-Hartman
` (119 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paolo Bonzini
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit a1025dcd377ef92d9a09af03b70ce80be281ee22 upstream.
Rework the guest=>host syncs in the AMX test to use named actions instead
of arbitrary, incrementing numbers. The "stage" of the test has no real
meaning, what matters is what action the test wants the host to perform.
The incrementing numbers are somewhat helpful for triaging failures, but
fully debugging failures almost always requires a much deeper dive into
the test (and KVM).
Using named actions not only makes it easier to extend the test without
having to shift all sync point numbers, it makes the code easier to read.
[Commit message by Sean Christopherson]
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/kvm/x86/amx_test.c | 88 ++++++++++++++---------------
1 file changed, 43 insertions(+), 45 deletions(-)
--- a/tools/testing/selftests/kvm/x86/amx_test.c
+++ b/tools/testing/selftests/kvm/x86/amx_test.c
@@ -124,6 +124,14 @@ static void set_tilecfg(struct tile_conf
}
}
+enum {
+ /* Check TMM0 against tiledata */
+ TEST_COMPARE_TILEDATA = 1,
+
+ /* Full VM save/restore */
+ TEST_SAVE_RESTORE = 2,
+};
+
static void __attribute__((__flatten__)) guest_code(struct tile_config *amx_cfg,
struct tile_data *tiledata,
struct xstate *xstate)
@@ -131,20 +139,20 @@ static void __attribute__((__flatten__))
GUEST_ASSERT(this_cpu_has(X86_FEATURE_XSAVE) &&
this_cpu_has(X86_FEATURE_OSXSAVE));
check_xtile_info();
- GUEST_SYNC(1);
+ GUEST_SYNC(TEST_SAVE_RESTORE);
/* xfd=0, enable amx */
wrmsr(MSR_IA32_XFD, 0);
- GUEST_SYNC(2);
+ GUEST_SYNC(TEST_SAVE_RESTORE);
GUEST_ASSERT(rdmsr(MSR_IA32_XFD) == 0);
set_tilecfg(amx_cfg);
__ldtilecfg(amx_cfg);
- GUEST_SYNC(3);
+ GUEST_SYNC(TEST_SAVE_RESTORE);
/* Check save/restore when trap to userspace */
__tileloadd(tiledata);
- GUEST_SYNC(4);
+ GUEST_SYNC(TEST_COMPARE_TILEDATA | TEST_SAVE_RESTORE);
__tilerelease();
- GUEST_SYNC(5);
+ GUEST_SYNC(TEST_SAVE_RESTORE);
/*
* After XSAVEC, XTILEDATA is cleared in the xstate_bv but is set in
* the xcomp_bv.
@@ -154,6 +162,8 @@ static void __attribute__((__flatten__))
GUEST_ASSERT(!(xstate->header.xstate_bv & XFEATURE_MASK_XTILE_DATA));
GUEST_ASSERT(xstate->header.xcomp_bv & XFEATURE_MASK_XTILE_DATA);
+ /* #NM test */
+
/* xfd=0x40000, disable amx tiledata */
wrmsr(MSR_IA32_XFD, XFEATURE_MASK_XTILE_DATA);
@@ -166,13 +176,13 @@ static void __attribute__((__flatten__))
GUEST_ASSERT(!(xstate->header.xstate_bv & XFEATURE_MASK_XTILE_DATA));
GUEST_ASSERT((xstate->header.xcomp_bv & XFEATURE_MASK_XTILE_DATA));
- GUEST_SYNC(6);
+ GUEST_SYNC(TEST_SAVE_RESTORE);
GUEST_ASSERT(rdmsr(MSR_IA32_XFD) == XFEATURE_MASK_XTILE_DATA);
set_tilecfg(amx_cfg);
__ldtilecfg(amx_cfg);
/* Trigger #NM exception */
__tileloadd(tiledata);
- GUEST_SYNC(10);
+ GUEST_SYNC(TEST_COMPARE_TILEDATA | TEST_SAVE_RESTORE);
GUEST_DONE();
}
@@ -180,18 +190,18 @@ static void __attribute__((__flatten__))
void guest_nm_handler(struct ex_regs *regs)
{
/* Check if #NM is triggered by XFEATURE_MASK_XTILE_DATA */
- GUEST_SYNC(7);
+ GUEST_SYNC(TEST_SAVE_RESTORE);
GUEST_ASSERT(!(get_cr0() & X86_CR0_TS));
GUEST_ASSERT(rdmsr(MSR_IA32_XFD_ERR) == XFEATURE_MASK_XTILE_DATA);
GUEST_ASSERT(rdmsr(MSR_IA32_XFD) == XFEATURE_MASK_XTILE_DATA);
- GUEST_SYNC(8);
+ GUEST_SYNC(TEST_SAVE_RESTORE);
GUEST_ASSERT(rdmsr(MSR_IA32_XFD_ERR) == XFEATURE_MASK_XTILE_DATA);
GUEST_ASSERT(rdmsr(MSR_IA32_XFD) == XFEATURE_MASK_XTILE_DATA);
/* Clear xfd_err */
wrmsr(MSR_IA32_XFD_ERR, 0);
/* xfd=0, enable amx */
wrmsr(MSR_IA32_XFD, 0);
- GUEST_SYNC(9);
+ GUEST_SYNC(TEST_SAVE_RESTORE);
}
int main(int argc, char *argv[])
@@ -244,6 +254,7 @@ int main(int argc, char *argv[])
memset(addr_gva2hva(vm, xstate), 0, PAGE_SIZE * DIV_ROUND_UP(XSAVE_SIZE, PAGE_SIZE));
vcpu_args_set(vcpu, 3, amx_cfg, tiledata, xstate);
+ int iter = 0;
for (;;) {
vcpu_run(vcpu);
TEST_ASSERT_KVM_EXIT_REASON(vcpu, KVM_EXIT_IO);
@@ -253,20 +264,9 @@ int main(int argc, char *argv[])
REPORT_GUEST_ASSERT(uc);
/* NOT REACHED */
case UCALL_SYNC:
- switch (uc.args[1]) {
- case 1:
- case 2:
- case 3:
- case 5:
- case 6:
- case 7:
- case 8:
- fprintf(stderr, "GUEST_SYNC(%ld)\n", uc.args[1]);
- break;
- case 4:
- case 10:
- fprintf(stderr,
- "GUEST_SYNC(%ld), check save/restore status\n", uc.args[1]);
+ ++iter;
+ if (uc.args[1] & TEST_COMPARE_TILEDATA) {
+ fprintf(stderr, "GUEST_SYNC #%d, check TMM0 contents\n", iter);
/* Compacted mode, get amx offset by xsave area
* size subtract 8K amx size.
@@ -279,11 +279,25 @@ int main(int argc, char *argv[])
ret = memcmp(amx_start, tiles_data, TILE_SIZE);
TEST_ASSERT(ret == 0, "memcmp failed, ret=%d", ret);
kvm_x86_state_cleanup(state);
- break;
- case 9:
- fprintf(stderr,
- "GUEST_SYNC(%ld), #NM exception and enable amx\n", uc.args[1]);
- break;
+ }
+ if (uc.args[1] & TEST_SAVE_RESTORE) {
+ fprintf(stderr, "GUEST_SYNC #%d, save/restore VM state\n", iter);
+ state = vcpu_save_state(vcpu);
+ memset(®s1, 0, sizeof(regs1));
+ vcpu_regs_get(vcpu, ®s1);
+
+ kvm_vm_release(vm);
+
+ /* Restore state in a new VM. */
+ vcpu = vm_recreate_with_one_vcpu(vm);
+ vcpu_load_state(vcpu, state);
+ kvm_x86_state_cleanup(state);
+
+ memset(®s2, 0, sizeof(regs2));
+ vcpu_regs_get(vcpu, ®s2);
+ TEST_ASSERT(!memcmp(®s1, ®s2, sizeof(regs2)),
+ "Unexpected register values after vcpu_load_state; rdi: %lx rsi: %lx",
+ (ulong) regs2.rdi, (ulong) regs2.rsi);
}
break;
case UCALL_DONE:
@@ -293,22 +307,6 @@ int main(int argc, char *argv[])
TEST_FAIL("Unknown ucall %lu", uc.cmd);
}
- state = vcpu_save_state(vcpu);
- memset(®s1, 0, sizeof(regs1));
- vcpu_regs_get(vcpu, ®s1);
-
- kvm_vm_release(vm);
-
- /* Restore state in a new VM. */
- vcpu = vm_recreate_with_one_vcpu(vm);
- vcpu_load_state(vcpu, state);
- kvm_x86_state_cleanup(state);
-
- memset(®s2, 0, sizeof(regs2));
- vcpu_regs_get(vcpu, ®s2);
- TEST_ASSERT(!memcmp(®s1, ®s2, sizeof(regs2)),
- "Unexpected register values after vcpu_load_state; rdi: %lx rsi: %lx",
- (ulong) regs2.rdi, (ulong) regs2.rsi);
}
done:
kvm_vm_free(vm);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 093/198] selftests: kvm: try getting XFD and XSAVE state out of sync
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 092/198] selftests: kvm: replace numbered sync points with actions Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 094/198] ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer Greg Kroah-Hartman
` (118 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paolo Bonzini
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 0383a8edef396cf0a6884b0be81d62bde60737b0 upstream.
The host is allowed to set FPU state that includes a disabled
xstate component. Check that this does not cause bad effects.
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/kvm/x86/amx_test.c | 38 ++++++++++++++++++++++-------
1 file changed, 30 insertions(+), 8 deletions(-)
--- a/tools/testing/selftests/kvm/x86/amx_test.c
+++ b/tools/testing/selftests/kvm/x86/amx_test.c
@@ -125,11 +125,17 @@ static void set_tilecfg(struct tile_conf
}
enum {
+ /* Retrieve TMM0 from guest, stash it for TEST_RESTORE_TILEDATA */
+ TEST_SAVE_TILEDATA = 1,
+
/* Check TMM0 against tiledata */
- TEST_COMPARE_TILEDATA = 1,
+ TEST_COMPARE_TILEDATA = 2,
+
+ /* Restore TMM0 from earlier save */
+ TEST_RESTORE_TILEDATA = 4,
/* Full VM save/restore */
- TEST_SAVE_RESTORE = 2,
+ TEST_SAVE_RESTORE = 8,
};
static void __attribute__((__flatten__)) guest_code(struct tile_config *amx_cfg,
@@ -150,7 +156,16 @@ static void __attribute__((__flatten__))
GUEST_SYNC(TEST_SAVE_RESTORE);
/* Check save/restore when trap to userspace */
__tileloadd(tiledata);
- GUEST_SYNC(TEST_COMPARE_TILEDATA | TEST_SAVE_RESTORE);
+ GUEST_SYNC(TEST_SAVE_TILEDATA | TEST_COMPARE_TILEDATA | TEST_SAVE_RESTORE);
+
+ /* xfd=0x40000, disable amx tiledata */
+ wrmsr(MSR_IA32_XFD, XFEATURE_MASK_XTILE_DATA);
+
+ /* host tries setting tiledata while guest XFD is set */
+ GUEST_SYNC(TEST_RESTORE_TILEDATA);
+ GUEST_SYNC(TEST_SAVE_RESTORE);
+
+ wrmsr(MSR_IA32_XFD, 0);
__tilerelease();
GUEST_SYNC(TEST_SAVE_RESTORE);
/*
@@ -210,10 +225,10 @@ int main(int argc, char *argv[])
struct kvm_vcpu *vcpu;
struct kvm_vm *vm;
struct kvm_x86_state *state;
+ struct kvm_x86_state *tile_state = NULL;
int xsave_restore_size;
vm_vaddr_t amx_cfg, tiledata, xstate;
struct ucall uc;
- u32 amx_offset;
int ret;
/*
@@ -265,20 +280,27 @@ int main(int argc, char *argv[])
/* NOT REACHED */
case UCALL_SYNC:
++iter;
+ if (uc.args[1] & TEST_SAVE_TILEDATA) {
+ fprintf(stderr, "GUEST_SYNC #%d, save tiledata\n", iter);
+ tile_state = vcpu_save_state(vcpu);
+ }
if (uc.args[1] & TEST_COMPARE_TILEDATA) {
fprintf(stderr, "GUEST_SYNC #%d, check TMM0 contents\n", iter);
/* Compacted mode, get amx offset by xsave area
* size subtract 8K amx size.
*/
- amx_offset = xsave_restore_size - NUM_TILES*TILE_SIZE;
- state = vcpu_save_state(vcpu);
- void *amx_start = (void *)state->xsave + amx_offset;
+ u32 amx_offset = xsave_restore_size - NUM_TILES*TILE_SIZE;
+ void *amx_start = (void *)tile_state->xsave + amx_offset;
void *tiles_data = (void *)addr_gva2hva(vm, tiledata);
/* Only check TMM0 register, 1 tile */
ret = memcmp(amx_start, tiles_data, TILE_SIZE);
TEST_ASSERT(ret == 0, "memcmp failed, ret=%d", ret);
- kvm_x86_state_cleanup(state);
+ }
+ if (uc.args[1] & TEST_RESTORE_TILEDATA) {
+ fprintf(stderr, "GUEST_SYNC #%d, before KVM_SET_XSAVE\n", iter);
+ vcpu_xsave_set(vcpu, tile_state->xsave);
+ fprintf(stderr, "GUEST_SYNC #%d, after KVM_SET_XSAVE\n", iter);
}
if (uc.args[1] & TEST_SAVE_RESTORE) {
fprintf(stderr, "GUEST_SYNC #%d, save/restore VM state\n", iter);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 094/198] ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 093/198] selftests: kvm: try getting XFD and XSAVE state out of sync Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 095/198] ALSA: hda/tas2781: Skip UEFI calibration on ASUS ROG Xbox Ally X Greg Kroah-Hartman
` (117 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jaroslav Kysela, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaroslav Kysela <perex@perex.cz>
commit 47c27c9c9c720bc93fdc69605d0ecd9382e99047 upstream.
Handle the error code from snd_pcm_buffer_access_lock() in
snd_pcm_runtime_buffer_set_silence() function.
Found by Alexandros Panagiotou <apanagio@redhat.com>
Fixes: 93a81ca06577 ("ALSA: pcm: Fix race of buffer access at PCM OSS layer")
Cc: stable@vger.kernel.org # 6.15
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://patch.msgid.link/20260107213642.332954-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/sound/pcm.h | 2 +-
sound/core/oss/pcm_oss.c | 4 +++-
sound/core/pcm_native.c | 9 +++++++--
3 files changed, 11 insertions(+), 4 deletions(-)
--- a/include/sound/pcm.h
+++ b/include/sound/pcm.h
@@ -1402,7 +1402,7 @@ int snd_pcm_lib_mmap_iomem(struct snd_pc
#define snd_pcm_lib_mmap_iomem NULL
#endif
-void snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime);
+int snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime);
/**
* snd_pcm_limit_isa_dma_size - Get the max size fitting with ISA DMA transfer
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1074,7 +1074,9 @@ static int snd_pcm_oss_change_params_loc
runtime->oss.params = 0;
runtime->oss.prepare = 1;
runtime->oss.buffer_used = 0;
- snd_pcm_runtime_buffer_set_silence(runtime);
+ err = snd_pcm_runtime_buffer_set_silence(runtime);
+ if (err < 0)
+ goto failure;
runtime->oss.period_frames = snd_pcm_alsa_frames(substream, oss_period_size);
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -730,13 +730,18 @@ static void snd_pcm_buffer_access_unlock
}
/* fill the PCM buffer with the current silence format; called from pcm_oss.c */
-void snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime)
+int snd_pcm_runtime_buffer_set_silence(struct snd_pcm_runtime *runtime)
{
- snd_pcm_buffer_access_lock(runtime);
+ int err;
+
+ err = snd_pcm_buffer_access_lock(runtime);
+ if (err < 0)
+ return err;
if (runtime->dma_area)
snd_pcm_format_set_silence(runtime->format, runtime->dma_area,
bytes_to_samples(runtime, runtime->dma_bytes));
snd_pcm_buffer_access_unlock(runtime);
+ return 0;
}
EXPORT_SYMBOL_GPL(snd_pcm_runtime_buffer_set_silence);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 095/198] ALSA: hda/tas2781: Skip UEFI calibration on ASUS ROG Xbox Ally X
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 094/198] ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 096/198] ALSA: hda/realtek: Add quirk for HP Pavilion x360 to enable mute LED Greg Kroah-Hartman
` (116 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baojun Xu, Matthew Schwartz,
Antheas Kapenekakis, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Schwartz <matthew.schwartz@linux.dev>
commit b7e26c8bdae70832d7c4b31ec2995b1812a60169 upstream.
There is currently an issue with UEFI calibration data parsing for some
TAS devices, like the ASUS ROG Xbox Ally X (RC73XA), that causes audio
quality issues such as gaps in playback. Until the issue is root caused
and fixed, add a quirk to skip using the UEFI calibration data and fall
back to using the calibration data provided by the DSP firmware, which
restores full speaker functionality on affected devices.
Cc: stable@vger.kernel.org # 6.18
Link: https://lore.kernel.org/all/160aef32646c4d5498cbfd624fd683cc@ti.com/
Closes: https://lore.kernel.org/all/0ba100d0-9b6f-4a3b-bffa-61abe1b46cd5@linux.dev/
Suggested-by: Baojun Xu <baojun.xu@ti.com>
Signed-off-by: Matthew Schwartz <matthew.schwartz@linux.dev>
Reviewed-by: Antheas Kapenekakis <lkml@antheas.dev>
Link: https://patch.msgid.link/20260108093650.1142176-1-matthew.schwartz@linux.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/side-codecs/tas2781_hda_i2c.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
+++ b/sound/hda/codecs/side-codecs/tas2781_hda_i2c.c
@@ -60,6 +60,7 @@ struct tas2781_hda_i2c_priv {
int (*save_calibration)(struct tas2781_hda *h);
int hda_chip_id;
+ bool skip_calibration;
};
static int tas2781_get_i2c_res(struct acpi_resource *ares, void *data)
@@ -491,7 +492,8 @@ static void tasdevice_dspfw_init(void *c
/* If calibrated data occurs error, dsp will still works with default
* calibrated data inside algo.
*/
- hda_priv->save_calibration(tas_hda);
+ if (!hda_priv->skip_calibration)
+ hda_priv->save_calibration(tas_hda);
}
static void tasdev_fw_ready(const struct firmware *fmw, void *context)
@@ -548,6 +550,7 @@ static int tas2781_hda_bind(struct devic
void *master_data)
{
struct tas2781_hda *tas_hda = dev_get_drvdata(dev);
+ struct tas2781_hda_i2c_priv *hda_priv = tas_hda->hda_priv;
struct hda_component_parent *parent = master_data;
struct hda_component *comp;
struct hda_codec *codec;
@@ -573,6 +576,14 @@ static int tas2781_hda_bind(struct devic
break;
}
+ /*
+ * Using ASUS ROG Xbox Ally X (RC73XA) UEFI calibration data
+ * causes audio dropouts during playback, use fallback data
+ * from DSP firmware as a workaround.
+ */
+ if (codec->core.subsystem_id == 0x10431384)
+ hda_priv->skip_calibration = true;
+
pm_runtime_get_sync(dev);
comp->dev = dev;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 096/198] ALSA: hda/realtek: Add quirk for HP Pavilion x360 to enable mute LED
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 095/198] ALSA: hda/tas2781: Skip UEFI calibration on ASUS ROG Xbox Ally X Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 097/198] null_blk: fix kmemleak by releasing references to fault configfs items Greg Kroah-Hartman
` (115 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Heng, Takashi Iwai
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Heng <zhangheng@kylinos.cn>
commit ab2be3af8c4ea57f779474cd2a2fe8dd4ad537a6 upstream.
This quirk enables mute LED on HP Pavilion x360 2-in-1 Laptop 14-ek0xxx,
which use ALC245 codec.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220220
Cc: <stable@vger.kernel.org>
Signed-off-by: Zhang Heng <zhangheng@kylinos.cn>
Link: https://patch.msgid.link/20260115015844.3129890-1-zhangheng@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/hda/codecs/realtek/alc269.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/hda/codecs/realtek/alc269.c
+++ b/sound/hda/codecs/realtek/alc269.c
@@ -6529,6 +6529,7 @@ static const struct hda_quirk alc269_fix
SND_PCI_QUIRK(0x103c, 0x8a2e, "HP Envy 16", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x103c, 0x8a30, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x103c, 0x8a31, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8a34, "HP Pavilion x360 2-in-1 Laptop 14-ek0xxx", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
SND_PCI_QUIRK(0x103c, 0x8a4f, "HP Victus 15-fa0xxx (MB 8A4F)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
SND_PCI_QUIRK(0x103c, 0x8a6e, "HP EDNA 360", ALC287_FIXUP_CS35L41_I2C_4),
SND_PCI_QUIRK(0x103c, 0x8a74, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 097/198] null_blk: fix kmemleak by releasing references to fault configfs items
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 096/198] ALSA: hda/realtek: Add quirk for HP Pavilion x360 to enable mute LED Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 098/198] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Greg Kroah-Hartman
` (114 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chaitanya Kulkarni, Nilay Shroff,
Jens Axboe
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nilay Shroff <nilay@linux.ibm.com>
commit 40b94ec7edbbb867c4e26a1a43d2b898f04b93c5 upstream.
When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk
driver sets up fault injection support by creating the timeout_inject,
requeue_inject, and init_hctx_fault_inject configfs items as children
of the top-level nullbX configfs group.
However, when the nullbX device is removed, the references taken to
these fault-config configfs items are not released. As a result,
kmemleak reports a memory leak, for example:
unreferenced object 0xc00000021ff25c40 (size 32):
comm "mkdir", pid 10665, jiffies 4322121578
hex dump (first 32 bytes):
69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_
69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject..........
backtrace (crc 1a018c86):
__kmalloc_node_track_caller_noprof+0x494/0xbd8
kvasprintf+0x74/0xf4
config_item_set_name+0xf0/0x104
config_group_init_type_name+0x48/0xfc
fault_config_init+0x48/0xf0
0xc0080000180559e4
configfs_mkdir+0x304/0x814
vfs_mkdir+0x49c/0x604
do_mkdirat+0x314/0x3d0
sys_mkdir+0xa0/0xd8
system_call_exception+0x1b0/0x4f0
system_call_vectored_common+0x15c/0x2ec
Fix this by explicitly releasing the references to the fault-config
configfs items when dropping the reference to the top-level nullbX
configfs group.
Cc: stable@vger.kernel.org
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Fixes: bb4c19e030f4 ("block: null_blk: make fault-injection dynamically configurable per device")
Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/null_blk/main.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -665,12 +665,22 @@ static void nullb_add_fault_config(struc
configfs_add_default_group(&dev->init_hctx_fault_config.group, &dev->group);
}
+static void nullb_del_fault_config(struct nullb_device *dev)
+{
+ config_item_put(&dev->init_hctx_fault_config.group.cg_item);
+ config_item_put(&dev->requeue_config.group.cg_item);
+ config_item_put(&dev->timeout_config.group.cg_item);
+}
+
#else
static void nullb_add_fault_config(struct nullb_device *dev)
{
}
+static void nullb_del_fault_config(struct nullb_device *dev)
+{
+}
#endif
static struct
@@ -702,7 +712,7 @@ nullb_group_drop_item(struct config_grou
null_del_dev(dev->nullb);
mutex_unlock(&lock);
}
-
+ nullb_del_fault_config(dev);
config_item_put(item);
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 098/198] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 097/198] null_blk: fix kmemleak by releasing references to fault configfs items Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 099/198] can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit Greg Kroah-Hartman
` (113 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Kleine-Budde <mkl@pengutronix.de>
commit 7352e1d5932a0e777e39fa4b619801191f57e603 upstream.
In gs_can_open(), the URBs for USB-in transfers are allocated, added to the
parent->rx_submitted anchor and submitted. In the complete callback
gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In
gs_can_close() the URBs are freed by calling
usb_kill_anchored_urbs(parent->rx_submitted).
However, this does not take into account that the USB framework unanchors
the URB before the complete function is called. This means that once an
in-URB has been completed, it is no longer anchored and is ultimately not
released in gs_can_close().
Fix the memory leak by anchoring the URB in the
gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor.
Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices")
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260105-gs_usb-fix-memory-leak-v2-1-cc6ed6438034@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/gs_usb.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -751,6 +751,8 @@ resubmit_urb:
hf, parent->hf_size_rx,
gs_usb_receive_bulk_callback, parent);
+ usb_anchor_urb(urb, &parent->rx_submitted);
+
rc = usb_submit_urb(urb, GFP_ATOMIC);
/* USB failure take down all interfaces */
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 099/198] can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit.
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 098/198] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 100/198] net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Greg Kroah-Hartman
` (112 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ondrej Ille, Pavel Pisa,
Marc Kleine-Budde
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Ille <ondrej.ille@gmail.com>
commit e707c591a139d1bfa4ddc83036fc820ca006a140 upstream.
The Secondary Sample Point Source field has been
set to an incorrect value by some mistake in the
past
0b01 - SSP_SRC_NO_SSP - SSP is not used.
for data bitrates above 1 MBit/s. The correct/default
value already used for lower bitrates is
0b00 - SSP_SRC_MEAS_N_OFFSET - SSP position = TRV_DELAY
(Measured Transmitter delay) + SSP_OFFSET.
The related configuration register structure is described
in section 3.1.46 SSP_CFG of the CTU CAN FD
IP CORE Datasheet.
The analysis leading to the proper configuration
is described in section 2.8.3 Secondary sampling point
of the datasheet.
The change has been tested on AMD/Xilinx Zynq
with the next CTU CN FD IP core versions:
- 2.6 aka master in the "integration with Zynq-7000 system" test
6.12.43-rt12+ #1 SMP PREEMPT_RT kernel with CTU CAN FD git
driver (change already included in the driver repo)
- older 2.5 snapshot with mainline kernels with this patch
applied locally in the multiple CAN latency tester nightly runs
6.18.0-rc4-rt3-dut #1 SMP PREEMPT_RT
6.19.0-rc3-dut
The logs, the datasheet and sources are available at
https://canbus.pages.fel.cvut.cz/
Signed-off-by: Ondrej Ille <ondrej.ille@gmail.com>
Signed-off-by: Pavel Pisa <pisa@fel.cvut.cz>
Link: https://patch.msgid.link/20260105111620.16580-1-pisa@fel.cvut.cz
Fixes: 2dcb8e8782d8 ("can: ctucanfd: add support for CTU CAN FD open-source IP core - bus independent part.")
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/ctucanfd/ctucanfd_base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/ctucanfd/ctucanfd_base.c
+++ b/drivers/net/can/ctucanfd/ctucanfd_base.c
@@ -310,7 +310,7 @@ static int ctucan_set_secondary_sample_p
}
ssp_cfg = FIELD_PREP(REG_TRV_DELAY_SSP_OFFSET, ssp_offset);
- ssp_cfg |= FIELD_PREP(REG_TRV_DELAY_SSP_SRC, 0x1);
+ ssp_cfg |= FIELD_PREP(REG_TRV_DELAY_SSP_SRC, 0x0);
}
ctucan_write32(priv, CTUCANFD_TRV_DELAY, ssp_cfg);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 100/198] net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 099/198] can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 101/198] tools/testing/selftests: add tests for !tgt, src mremap() merges Greg Kroah-Hartman
` (111 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa, Oleksij Rempel,
Marc Kleine-Budde
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit 1809c82aa073a11b7d335ae932d81ce51a588a4a upstream.
Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is
called only when the timer is enabled, we need to call
j1939_session_deactivate_activate_next() if we cancelled the timer.
Otherwise, refcount for j1939_session leaks, which will later appear as
| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2.
problem.
Reported-by: syzbot <syzbot+881d65229ca4f9ae8c84@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=881d65229ca4f9ae8c84
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Link: https://patch.msgid.link/b1212653-8fa1-44e1-be9d-12f950fb3a07@I-love.SAKURA.ne.jp
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/can/j1939/transport.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/net/can/j1939/transport.c
+++ b/net/can/j1939/transport.c
@@ -1695,8 +1695,16 @@ static int j1939_xtp_rx_rts_session_acti
j1939_session_timers_cancel(session);
j1939_session_cancel(session, J1939_XTP_ABORT_BUSY);
- if (session->transmission)
+ if (session->transmission) {
j1939_session_deactivate_activate_next(session);
+ } else if (session->state == J1939_SESSION_WAITING_ABORT) {
+ /* Force deactivation for the receiver.
+ * If we rely on the timer starting in j1939_session_cancel,
+ * a second RTS call here will cancel that timer and fail
+ * to restart it because the state is already WAITING_ABORT.
+ */
+ j1939_session_deactivate_activate_next(session);
+ }
return -EBUSY;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 101/198] tools/testing/selftests: add tests for !tgt, src mremap() merges
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 100/198] net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 102/198] tools/testing/selftests: add forked (un)/faulted VMA merge tests Greg Kroah-Hartman
` (110 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes,
David Hildenbrand (Red Hat), Jann Horn, Jeongjun Park,
Liam Howlett, Pedro Falcato, Rik van Riel, Vlastimil Babka,
Yeoreum Yun, Harry Yoo, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
commit 0ace8f2db6b3b4b0677e559d1a7ab7fd625d61ec upstream.
Test that mremap()'ing a VMA into a position such that the target VMA on
merge is unfaulted and the source faulted is correctly performed.
We cover 4 cases:
1. Previous VMA unfaulted:
copied -----|
v
|-----------|.............|
| unfaulted |(faulted VMA)|
|-----------|.............|
prev
target = prev, expand prev to cover.
2. Next VMA unfaulted:
copied -----|
v
|.............|-----------|
|(faulted VMA)| unfaulted |
|.............|-----------|
next
target = next, expand next to cover.
3. Both adjacent VMAs unfaulted:
copied -----|
v
|-----------|.............|-----------|
| unfaulted |(faulted VMA)| unfaulted |
|-----------|.............|-----------|
prev next
target = prev, expand prev to cover.
4. prev unfaulted, next faulted:
copied -----|
v
|-----------|.............|-----------|
| unfaulted |(faulted VMA)| faulted |
|-----------|.............|-----------|
prev next
target = prev, expand prev to cover. Essentially equivalent to 3, but
with additional requirement that next's anon_vma is the same as the
copied VMA's.
Each of these are performed with MREMAP_DONTUNMAP set, which will cause a
KASAN assert for UAF or an assert on zero refcount anon_vma if a bug
exists with correctly propagating anon_vma state in each scenario.
Link: https://lkml.kernel.org/r/f903af2930c7c2c6e0948c886b58d0f42d8e8ba3.1767638272.git.lorenzo.stoakes@oracle.com
Fixes: 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: David Hildenbrand (Red Hat) <david@kernel.org>
Cc: Jann Horn <jannh@google.com>
Cc: Jeongjun Park <aha310510@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Pedro Falcato <pfalcato@suse.de>
Cc: Rik van Riel <riel@surriel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Yeoreum Yun <yeoreum.yun@arm.com>
Cc: Harry Yoo <harry.yoo@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/mm/merge.c | 232 +++++++++++++++++++++++++++++++++++++
1 file changed, 232 insertions(+)
--- a/tools/testing/selftests/mm/merge.c
+++ b/tools/testing/selftests/mm/merge.c
@@ -1171,4 +1171,236 @@ TEST_F(merge, mremap_correct_placed_faul
ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr + 15 * page_size);
}
+TEST_F(merge, mremap_faulted_to_unfaulted_prev)
+{
+ struct procmap_fd *procmap = &self->procmap;
+ unsigned int page_size = self->page_size;
+ char *ptr_a, *ptr_b;
+
+ /*
+ * mremap() such that A and B merge:
+ *
+ * |------------|
+ * | \ |
+ * |-----------| | / |---------|
+ * | unfaulted | v \ | faulted |
+ * |-----------| / |---------|
+ * B \ A
+ */
+
+ /* Map VMA A into place. */
+ ptr_a = mmap(&self->carveout[page_size + 3 * page_size],
+ 3 * page_size,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ ASSERT_NE(ptr_a, MAP_FAILED);
+ /* Fault it in. */
+ ptr_a[0] = 'x';
+
+ /*
+ * Now move it out of the way so we can place VMA B in position,
+ * unfaulted.
+ */
+ ptr_a = mremap(ptr_a, 3 * page_size, 3 * page_size,
+ MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]);
+ ASSERT_NE(ptr_a, MAP_FAILED);
+
+ /* Map VMA B into place. */
+ ptr_b = mmap(&self->carveout[page_size], 3 * page_size,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ ASSERT_NE(ptr_b, MAP_FAILED);
+
+ /*
+ * Now move VMA A into position with MREMAP_DONTUNMAP to catch incorrect
+ * anon_vma propagation.
+ */
+ ptr_a = mremap(ptr_a, 3 * page_size, 3 * page_size,
+ MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP,
+ &self->carveout[page_size + 3 * page_size]);
+ ASSERT_NE(ptr_a, MAP_FAILED);
+
+ /* The VMAs should have merged. */
+ ASSERT_TRUE(find_vma_procmap(procmap, ptr_b));
+ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b);
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 6 * page_size);
+}
+
+TEST_F(merge, mremap_faulted_to_unfaulted_next)
+{
+ struct procmap_fd *procmap = &self->procmap;
+ unsigned int page_size = self->page_size;
+ char *ptr_a, *ptr_b;
+
+ /*
+ * mremap() such that A and B merge:
+ *
+ * |---------------------------|
+ * | \ |
+ * | |-----------| / |---------|
+ * v | unfaulted | \ | faulted |
+ * |-----------| / |---------|
+ * B \ A
+ *
+ * Then unmap VMA A to trigger the bug.
+ */
+
+ /* Map VMA A into place. */
+ ptr_a = mmap(&self->carveout[page_size], 3 * page_size,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ ASSERT_NE(ptr_a, MAP_FAILED);
+ /* Fault it in. */
+ ptr_a[0] = 'x';
+
+ /*
+ * Now move it out of the way so we can place VMA B in position,
+ * unfaulted.
+ */
+ ptr_a = mremap(ptr_a, 3 * page_size, 3 * page_size,
+ MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]);
+ ASSERT_NE(ptr_a, MAP_FAILED);
+
+ /* Map VMA B into place. */
+ ptr_b = mmap(&self->carveout[page_size + 3 * page_size], 3 * page_size,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ ASSERT_NE(ptr_b, MAP_FAILED);
+
+ /*
+ * Now move VMA A into position with MREMAP_DONTUNMAP to catch incorrect
+ * anon_vma propagation.
+ */
+ ptr_a = mremap(ptr_a, 3 * page_size, 3 * page_size,
+ MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP,
+ &self->carveout[page_size]);
+ ASSERT_NE(ptr_a, MAP_FAILED);
+
+ /* The VMAs should have merged. */
+ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a));
+ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a);
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 6 * page_size);
+}
+
+TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next)
+{
+ struct procmap_fd *procmap = &self->procmap;
+ unsigned int page_size = self->page_size;
+ char *ptr_a, *ptr_b, *ptr_c;
+
+ /*
+ * mremap() with MREMAP_DONTUNMAP such that A, B and C merge:
+ *
+ * |---------------------------|
+ * | \ |
+ * |-----------| | |-----------| / |---------|
+ * | unfaulted | v | unfaulted | \ | faulted |
+ * |-----------| |-----------| / |---------|
+ * A C \ B
+ */
+
+ /* Map VMA B into place. */
+ ptr_b = mmap(&self->carveout[page_size + 3 * page_size], 3 * page_size,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ ASSERT_NE(ptr_b, MAP_FAILED);
+ /* Fault it in. */
+ ptr_b[0] = 'x';
+
+ /*
+ * Now move it out of the way so we can place VMAs A, C in position,
+ * unfaulted.
+ */
+ ptr_b = mremap(ptr_b, 3 * page_size, 3 * page_size,
+ MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]);
+ ASSERT_NE(ptr_b, MAP_FAILED);
+
+ /* Map VMA A into place. */
+
+ ptr_a = mmap(&self->carveout[page_size], 3 * page_size,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ ASSERT_NE(ptr_a, MAP_FAILED);
+
+ /* Map VMA C into place. */
+ ptr_c = mmap(&self->carveout[page_size + 3 * page_size + 3 * page_size],
+ 3 * page_size, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ ASSERT_NE(ptr_c, MAP_FAILED);
+
+ /*
+ * Now move VMA B into position with MREMAP_DONTUNMAP to catch incorrect
+ * anon_vma propagation.
+ */
+ ptr_b = mremap(ptr_b, 3 * page_size, 3 * page_size,
+ MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP,
+ &self->carveout[page_size + 3 * page_size]);
+ ASSERT_NE(ptr_b, MAP_FAILED);
+
+ /* The VMAs should have merged. */
+ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a));
+ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a);
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size);
+}
+
+TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next)
+{
+ struct procmap_fd *procmap = &self->procmap;
+ unsigned int page_size = self->page_size;
+ char *ptr_a, *ptr_b, *ptr_bc;
+
+ /*
+ * mremap() with MREMAP_DONTUNMAP such that A, B and C merge:
+ *
+ * |---------------------------|
+ * | \ |
+ * |-----------| | |-----------| / |---------|
+ * | unfaulted | v | faulted | \ | faulted |
+ * |-----------| |-----------| / |---------|
+ * A C \ B
+ */
+
+ /*
+ * Map VMA B and C into place. We have to map them together so their
+ * anon_vma is the same and the vma->vm_pgoff's are correctly aligned.
+ */
+ ptr_bc = mmap(&self->carveout[page_size + 3 * page_size],
+ 3 * page_size + 3 * page_size,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ ASSERT_NE(ptr_bc, MAP_FAILED);
+
+ /* Fault it in. */
+ ptr_bc[0] = 'x';
+
+ /*
+ * Now move VMA B out the way (splitting VMA BC) so we can place VMA A
+ * in position, unfaulted, and leave the remainder of the VMA we just
+ * moved in place, faulted, as VMA C.
+ */
+ ptr_b = mremap(ptr_bc, 3 * page_size, 3 * page_size,
+ MREMAP_FIXED | MREMAP_MAYMOVE, &self->carveout[20 * page_size]);
+ ASSERT_NE(ptr_b, MAP_FAILED);
+
+ /* Map VMA A into place. */
+ ptr_a = mmap(&self->carveout[page_size], 3 * page_size,
+ PROT_READ | PROT_WRITE,
+ MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
+ ASSERT_NE(ptr_a, MAP_FAILED);
+
+ /*
+ * Now move VMA B into position with MREMAP_DONTUNMAP to catch incorrect
+ * anon_vma propagation.
+ */
+ ptr_b = mremap(ptr_b, 3 * page_size, 3 * page_size,
+ MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP,
+ &self->carveout[page_size + 3 * page_size]);
+ ASSERT_NE(ptr_b, MAP_FAILED);
+
+ /* The VMAs should have merged. */
+ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a));
+ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a);
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size);
+}
+
TEST_HARNESS_MAIN
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 102/198] tools/testing/selftests: add forked (un)/faulted VMA merge tests
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 101/198] tools/testing/selftests: add tests for !tgt, src mremap() merges Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 103/198] tools/testing/selftests: fix gup_longterm for unknown fs Greg Kroah-Hartman
` (109 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes,
David Hildenbrand (Red Hat), Jann Horn, Jeongjun Park,
Liam Howlett, Pedro Falcato, Rik van Riel, Vlastimil Babka,
Yeoreum Yun, Harry Yoo, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
commit fb39444732f02c32a8312c168d97e33d872c14d3 upstream.
Now we correctly handle forked faulted/unfaulted merge on mremap(),
exhaustively assert that we handle this correctly.
Do this in the less duplicative way by adding a new merge_with_fork
fixture and forked/unforked variants, and abstract the forking logic as
necessary to avoid code duplication with this also.
Link: https://lkml.kernel.org/r/1daf76d89fdb9d96f38a6a0152d8f3c2e9e30ac7.1767638272.git.lorenzo.stoakes@oracle.com
Fixes: 879bca0a2c4f ("mm/vma: fix incorrectly disallowed anonymous VMA merges")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: David Hildenbrand (Red Hat) <david@kernel.org>
Cc: Jann Horn <jannh@google.com>
Cc: Jeongjun Park <aha310510@gmail.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Pedro Falcato <pfalcato@suse.de>
Cc: Rik van Riel <riel@surriel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Yeoreum Yun <yeoreum.yun@arm.com>
Cc: Harry Yoo <harry.yoo@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/mm/merge.c | 180 ++++++++++++++++++++++-------
1 file changed, 139 insertions(+), 41 deletions(-)
diff --git a/tools/testing/selftests/mm/merge.c b/tools/testing/selftests/mm/merge.c
index 22be149f7109..10b686102b79 100644
--- a/tools/testing/selftests/mm/merge.c
+++ b/tools/testing/selftests/mm/merge.c
@@ -22,12 +22,37 @@ FIXTURE(merge)
struct procmap_fd procmap;
};
+static char *map_carveout(unsigned int page_size)
+{
+ return mmap(NULL, 30 * page_size, PROT_NONE,
+ MAP_ANON | MAP_PRIVATE, -1, 0);
+}
+
+static pid_t do_fork(struct procmap_fd *procmap)
+{
+ pid_t pid = fork();
+
+ if (pid == -1)
+ return -1;
+ if (pid != 0) {
+ wait(NULL);
+ return pid;
+ }
+
+ /* Reopen for child. */
+ if (close_procmap(procmap))
+ return -1;
+ if (open_self_procmap(procmap))
+ return -1;
+
+ return 0;
+}
+
FIXTURE_SETUP(merge)
{
self->page_size = psize();
/* Carve out PROT_NONE region to map over. */
- self->carveout = mmap(NULL, 30 * self->page_size, PROT_NONE,
- MAP_ANON | MAP_PRIVATE, -1, 0);
+ self->carveout = map_carveout(self->page_size);
ASSERT_NE(self->carveout, MAP_FAILED);
/* Setup PROCMAP_QUERY interface. */
ASSERT_EQ(open_self_procmap(&self->procmap), 0);
@@ -36,7 +61,8 @@ FIXTURE_SETUP(merge)
FIXTURE_TEARDOWN(merge)
{
ASSERT_EQ(munmap(self->carveout, 30 * self->page_size), 0);
- ASSERT_EQ(close_procmap(&self->procmap), 0);
+ /* May fail for parent of forked process. */
+ close_procmap(&self->procmap);
/*
* Clear unconditionally, as some tests set this. It is no issue if this
* fails (KSM may be disabled for instance).
@@ -44,6 +70,44 @@ FIXTURE_TEARDOWN(merge)
prctl(PR_SET_MEMORY_MERGE, 0, 0, 0, 0);
}
+FIXTURE(merge_with_fork)
+{
+ unsigned int page_size;
+ char *carveout;
+ struct procmap_fd procmap;
+};
+
+FIXTURE_VARIANT(merge_with_fork)
+{
+ bool forked;
+};
+
+FIXTURE_VARIANT_ADD(merge_with_fork, forked)
+{
+ .forked = true,
+};
+
+FIXTURE_VARIANT_ADD(merge_with_fork, unforked)
+{
+ .forked = false,
+};
+
+FIXTURE_SETUP(merge_with_fork)
+{
+ self->page_size = psize();
+ self->carveout = map_carveout(self->page_size);
+ ASSERT_NE(self->carveout, MAP_FAILED);
+ ASSERT_EQ(open_self_procmap(&self->procmap), 0);
+}
+
+FIXTURE_TEARDOWN(merge_with_fork)
+{
+ ASSERT_EQ(munmap(self->carveout, 30 * self->page_size), 0);
+ ASSERT_EQ(close_procmap(&self->procmap), 0);
+ /* See above. */
+ prctl(PR_SET_MEMORY_MERGE, 0, 0, 0, 0);
+}
+
TEST_F(merge, mprotect_unfaulted_left)
{
unsigned int page_size = self->page_size;
@@ -322,8 +386,8 @@ TEST_F(merge, forked_target_vma)
unsigned int page_size = self->page_size;
char *carveout = self->carveout;
struct procmap_fd *procmap = &self->procmap;
- pid_t pid;
char *ptr, *ptr2;
+ pid_t pid;
int i;
/*
@@ -344,19 +408,10 @@ TEST_F(merge, forked_target_vma)
*/
ptr[0] = 'x';
- pid = fork();
+ pid = do_fork(&self->procmap);
ASSERT_NE(pid, -1);
-
- if (pid != 0) {
- wait(NULL);
+ if (pid != 0)
return;
- }
-
- /* Child process below: */
-
- /* Reopen for child. */
- ASSERT_EQ(close_procmap(&self->procmap), 0);
- ASSERT_EQ(open_self_procmap(&self->procmap), 0);
/* unCOWing everything does not cause the AVC to go away. */
for (i = 0; i < 5 * page_size; i += page_size)
@@ -386,8 +441,8 @@ TEST_F(merge, forked_source_vma)
unsigned int page_size = self->page_size;
char *carveout = self->carveout;
struct procmap_fd *procmap = &self->procmap;
- pid_t pid;
char *ptr, *ptr2;
+ pid_t pid;
int i;
/*
@@ -408,19 +463,10 @@ TEST_F(merge, forked_source_vma)
*/
ptr[0] = 'x';
- pid = fork();
+ pid = do_fork(&self->procmap);
ASSERT_NE(pid, -1);
-
- if (pid != 0) {
- wait(NULL);
+ if (pid != 0)
return;
- }
-
- /* Child process below: */
-
- /* Reopen for child. */
- ASSERT_EQ(close_procmap(&self->procmap), 0);
- ASSERT_EQ(open_self_procmap(&self->procmap), 0);
/* unCOWing everything does not cause the AVC to go away. */
for (i = 0; i < 5 * page_size; i += page_size)
@@ -1171,10 +1217,11 @@ TEST_F(merge, mremap_correct_placed_faulted)
ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr + 15 * page_size);
}
-TEST_F(merge, mremap_faulted_to_unfaulted_prev)
+TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_prev)
{
struct procmap_fd *procmap = &self->procmap;
unsigned int page_size = self->page_size;
+ unsigned long offset;
char *ptr_a, *ptr_b;
/*
@@ -1197,6 +1244,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev)
/* Fault it in. */
ptr_a[0] = 'x';
+ if (variant->forked) {
+ pid_t pid = do_fork(&self->procmap);
+
+ ASSERT_NE(pid, -1);
+ if (pid != 0)
+ return;
+ }
+
/*
* Now move it out of the way so we can place VMA B in position,
* unfaulted.
@@ -1220,16 +1275,19 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev)
&self->carveout[page_size + 3 * page_size]);
ASSERT_NE(ptr_a, MAP_FAILED);
- /* The VMAs should have merged. */
+ /* The VMAs should have merged, if not forked. */
ASSERT_TRUE(find_vma_procmap(procmap, ptr_b));
ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b);
- ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 6 * page_size);
+
+ offset = variant->forked ? 3 * page_size : 6 * page_size;
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + offset);
}
-TEST_F(merge, mremap_faulted_to_unfaulted_next)
+TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_next)
{
struct procmap_fd *procmap = &self->procmap;
unsigned int page_size = self->page_size;
+ unsigned long offset;
char *ptr_a, *ptr_b;
/*
@@ -1253,6 +1311,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_next)
/* Fault it in. */
ptr_a[0] = 'x';
+ if (variant->forked) {
+ pid_t pid = do_fork(&self->procmap);
+
+ ASSERT_NE(pid, -1);
+ if (pid != 0)
+ return;
+ }
+
/*
* Now move it out of the way so we can place VMA B in position,
* unfaulted.
@@ -1276,16 +1342,18 @@ TEST_F(merge, mremap_faulted_to_unfaulted_next)
&self->carveout[page_size]);
ASSERT_NE(ptr_a, MAP_FAILED);
- /* The VMAs should have merged. */
+ /* The VMAs should have merged, if not forked. */
ASSERT_TRUE(find_vma_procmap(procmap, ptr_a));
ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a);
- ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 6 * page_size);
+ offset = variant->forked ? 3 * page_size : 6 * page_size;
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + offset);
}
-TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next)
+TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_prev_unfaulted_next)
{
struct procmap_fd *procmap = &self->procmap;
unsigned int page_size = self->page_size;
+ unsigned long offset;
char *ptr_a, *ptr_b, *ptr_c;
/*
@@ -1307,6 +1375,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next)
/* Fault it in. */
ptr_b[0] = 'x';
+ if (variant->forked) {
+ pid_t pid = do_fork(&self->procmap);
+
+ ASSERT_NE(pid, -1);
+ if (pid != 0)
+ return;
+ }
+
/*
* Now move it out of the way so we can place VMAs A, C in position,
* unfaulted.
@@ -1337,13 +1413,21 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_unfaulted_next)
&self->carveout[page_size + 3 * page_size]);
ASSERT_NE(ptr_b, MAP_FAILED);
- /* The VMAs should have merged. */
+ /* The VMAs should have merged, if not forked. */
ASSERT_TRUE(find_vma_procmap(procmap, ptr_a));
ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a);
- ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size);
+ offset = variant->forked ? 3 * page_size : 9 * page_size;
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + offset);
+
+ /* If forked, B and C should also not have merged. */
+ if (variant->forked) {
+ ASSERT_TRUE(find_vma_procmap(procmap, ptr_b));
+ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b);
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 3 * page_size);
+ }
}
-TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next)
+TEST_F(merge_with_fork, mremap_faulted_to_unfaulted_prev_faulted_next)
{
struct procmap_fd *procmap = &self->procmap;
unsigned int page_size = self->page_size;
@@ -1373,6 +1457,14 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next)
/* Fault it in. */
ptr_bc[0] = 'x';
+ if (variant->forked) {
+ pid_t pid = do_fork(&self->procmap);
+
+ ASSERT_NE(pid, -1);
+ if (pid != 0)
+ return;
+ }
+
/*
* Now move VMA B out the way (splitting VMA BC) so we can place VMA A
* in position, unfaulted, and leave the remainder of the VMA we just
@@ -1397,10 +1489,16 @@ TEST_F(merge, mremap_faulted_to_unfaulted_prev_faulted_next)
&self->carveout[page_size + 3 * page_size]);
ASSERT_NE(ptr_b, MAP_FAILED);
- /* The VMAs should have merged. */
- ASSERT_TRUE(find_vma_procmap(procmap, ptr_a));
- ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a);
- ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size);
+ /* The VMAs should have merged. A,B,C if unforked, B, C if forked. */
+ if (variant->forked) {
+ ASSERT_TRUE(find_vma_procmap(procmap, ptr_b));
+ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_b);
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_b + 6 * page_size);
+ } else {
+ ASSERT_TRUE(find_vma_procmap(procmap, ptr_a));
+ ASSERT_EQ(procmap->query.vma_start, (unsigned long)ptr_a);
+ ASSERT_EQ(procmap->query.vma_end, (unsigned long)ptr_a + 9 * page_size);
+ }
}
TEST_HARNESS_MAIN
--
2.52.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 103/198] tools/testing/selftests: fix gup_longterm for unknown fs
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 102/198] tools/testing/selftests: add forked (un)/faulted VMA merge tests Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 104/198] ftrace: Do not over-allocate ftrace memory Greg Kroah-Hartman
` (108 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lorenzo Stoakes,
David Hildenbrand (Red Hat), Jason Gunthorpe, John Hubbard,
Liam Howlett, Liam R. Howlett, Mark Brown, Michal Hocko,
Mike Rapoport, Peter Xu, Shuah Khan, Suren Baghdasaryan,
Vlastimil Babka, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
commit 21c68ad1d9771d331198cc73cbf6e908d7915f35 upstream.
Commit 66bce7afbaca ("selftests/mm: fix test result reporting in
gup_longterm") introduced a small bug causing unknown filesystems to
always result in a test failure.
This is because do_test() was updated to use a common reporting path, but
this case appears to have been missed.
This is problematic for e.g. virtme-ng which uses an overlayfs file
system, causing gup_longterm to appear to fail each time due to a test
count mismatch:
# Planned tests != run tests (50 != 46)
# Totals: pass:24 fail:0 xfail:0 xpass:0 skip:22 error:0
The fix is to simply change the return into a break.
Link: https://lkml.kernel.org/r/20260106154547.214907-1-lorenzo.stoakes@oracle.com
Fixes: 66bce7afbaca ("selftests/mm: fix test result reporting in gup_longterm")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Reviewed-by: David Hildenbrand (Red Hat) <david@kernel.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Peter Xu <peterx@redhat.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/mm/gup_longterm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/mm/gup_longterm.c b/tools/testing/selftests/mm/gup_longterm.c
index 6279893a0adc..f61150d28eb2 100644
--- a/tools/testing/selftests/mm/gup_longterm.c
+++ b/tools/testing/selftests/mm/gup_longterm.c
@@ -179,7 +179,7 @@ static void do_test(int fd, size_t size, enum test_type type, bool shared)
if (rw && shared && fs_is_unknown(fs_type)) {
ksft_print_msg("Unknown filesystem\n");
result = KSFT_SKIP;
- return;
+ break;
}
/*
* R/O pinning or pinning in a private mapping is always
--
2.52.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 104/198] ftrace: Do not over-allocate ftrace memory
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 103/198] tools/testing/selftests: fix gup_longterm for unknown fs Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 105/198] xfs: set max_agbno to allow sparse alloc of last full inode chunk Greg Kroah-Hartman
` (107 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Guenter Roeck,
Steven Rostedt (Google)
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
commit be55257fab181b93af38f8c4b1b3cb453a78d742 upstream.
The pg_remaining calculation in ftrace_process_locs() assumes that
ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the
allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE
(integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g.
4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages)
have significantly more capacity than 256 * 170. This leads to pg_remaining
being underestimated, which in turn makes skip (derived from skipped -
pg_remaining) larger than expected, causing the WARN(skip != remaining)
to trigger.
Extra allocated pages for ftrace: 2 with 654 skipped
WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7295 ftrace_process_locs+0x5bf/0x5e0
A similar problem in ftrace_allocate_records() can result in allocating
too many pages. This can trigger the second warning in
ftrace_process_locs().
Extra allocated pages for ftrace
WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7276 ftrace_process_locs+0x548/0x580
Use the actual capacity of a page group to determine the number of pages
to allocate. Have ftrace_allocate_pages() return the number of allocated
pages to avoid having to calculate it. Use the actual page group capacity
when validating the number of unused pages due to skipped entries.
Drop the definition of ENTRIES_PER_PAGE since it is no longer used.
Cc: stable@vger.kernel.org
Fixes: 4a3efc6baff93 ("ftrace: Update the mcount_loc check of skipped entries")
Link: https://patch.msgid.link/20260113152243.3557219-1-linux@roeck-us.net
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 29 +++++++++++++++--------------
1 file changed, 15 insertions(+), 14 deletions(-)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1122,7 +1122,6 @@ struct ftrace_page {
};
#define ENTRY_SIZE sizeof(struct dyn_ftrace)
-#define ENTRIES_PER_PAGE (PAGE_SIZE / ENTRY_SIZE)
static struct ftrace_page *ftrace_pages_start;
static struct ftrace_page *ftrace_pages;
@@ -3808,7 +3807,8 @@ static int ftrace_update_code(struct mod
return 0;
}
-static int ftrace_allocate_records(struct ftrace_page *pg, int count)
+static int ftrace_allocate_records(struct ftrace_page *pg, int count,
+ unsigned long *num_pages)
{
int order;
int pages;
@@ -3818,7 +3818,7 @@ static int ftrace_allocate_records(struc
return -EINVAL;
/* We want to fill as much as possible, with no empty pages */
- pages = DIV_ROUND_UP(count, ENTRIES_PER_PAGE);
+ pages = DIV_ROUND_UP(count * ENTRY_SIZE, PAGE_SIZE);
order = fls(pages) - 1;
again:
@@ -3833,6 +3833,7 @@ static int ftrace_allocate_records(struc
}
ftrace_number_of_pages += 1 << order;
+ *num_pages += 1 << order;
ftrace_number_of_groups++;
cnt = (PAGE_SIZE << order) / ENTRY_SIZE;
@@ -3861,12 +3862,14 @@ static void ftrace_free_pages(struct ftr
}
static struct ftrace_page *
-ftrace_allocate_pages(unsigned long num_to_init)
+ftrace_allocate_pages(unsigned long num_to_init, unsigned long *num_pages)
{
struct ftrace_page *start_pg;
struct ftrace_page *pg;
int cnt;
+ *num_pages = 0;
+
if (!num_to_init)
return NULL;
@@ -3880,7 +3883,7 @@ ftrace_allocate_pages(unsigned long num_
* waste as little space as possible.
*/
for (;;) {
- cnt = ftrace_allocate_records(pg, num_to_init);
+ cnt = ftrace_allocate_records(pg, num_to_init, num_pages);
if (cnt < 0)
goto free_pages;
@@ -7148,8 +7151,6 @@ static int ftrace_process_locs(struct mo
if (!count)
return 0;
- pages = DIV_ROUND_UP(count, ENTRIES_PER_PAGE);
-
/*
* Sorting mcount in vmlinux at build time depend on
* CONFIG_BUILDTIME_MCOUNT_SORT, while mcount loc in
@@ -7162,7 +7163,7 @@ static int ftrace_process_locs(struct mo
test_is_sorted(start, count);
}
- start_pg = ftrace_allocate_pages(count);
+ start_pg = ftrace_allocate_pages(count, &pages);
if (!start_pg)
return -ENOMEM;
@@ -7261,27 +7262,27 @@ static int ftrace_process_locs(struct mo
/* We should have used all pages unless we skipped some */
if (pg_unuse) {
unsigned long pg_remaining, remaining = 0;
- unsigned long skip;
+ long skip;
/* Count the number of entries unused and compare it to skipped. */
- pg_remaining = (ENTRIES_PER_PAGE << pg->order) - pg->index;
+ pg_remaining = (PAGE_SIZE << pg->order) / ENTRY_SIZE - pg->index;
if (!WARN(skipped < pg_remaining, "Extra allocated pages for ftrace")) {
skip = skipped - pg_remaining;
- for (pg = pg_unuse; pg; pg = pg->next)
+ for (pg = pg_unuse; pg && skip > 0; pg = pg->next) {
remaining += 1 << pg->order;
+ skip -= (PAGE_SIZE << pg->order) / ENTRY_SIZE;
+ }
pages -= remaining;
- skip = DIV_ROUND_UP(skip, ENTRIES_PER_PAGE);
-
/*
* Check to see if the number of pages remaining would
* just fit the number of entries skipped.
*/
- WARN(skip != remaining, "Extra allocated pages for ftrace: %lu with %lu skipped",
+ WARN(pg || skip > 0, "Extra allocated pages for ftrace: %lu with %lu skipped",
remaining, skipped);
}
/* Need to synchronize with ftrace_location_range() */
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 105/198] xfs: set max_agbno to allow sparse alloc of last full inode chunk
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 104/198] ftrace: Do not over-allocate ftrace memory Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 106/198] xfs: Fix the return value of xfs_rtcopy_summary() Greg Kroah-Hartman
` (106 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Foster, Darrick J. Wong,
Carlos Maiolino
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Foster <bfoster@redhat.com>
commit c360004c0160dbe345870f59f24595519008926f upstream.
Sparse inode cluster allocation sets min/max agbno values to avoid
allocating an inode cluster that might map to an invalid inode
chunk. For example, we can't have an inode record mapped to agbno 0
or that extends past the end of a runt AG of misaligned size.
The initial calculation of max_agbno is unnecessarily conservative,
however. This has triggered a corner case allocation failure where a
small runt AG (i.e. 2063 blocks) is mostly full save for an extent
to the EOFS boundary: [2050,13]. max_agbno is set to 2048 in this
case, which happens to be the offset of the last possible valid
inode chunk in the AG. In practice, we should be able to allocate
the 4-block cluster at agbno 2052 to map to the parent inode record
at agbno 2048, but the max_agbno value precludes it.
Note that this can result in filesystem shutdown via dirty trans
cancel on stable kernels prior to commit 9eb775968b68 ("xfs: walk
all AGs if TRYLOCK passed to xfs_alloc_vextent_iterate_ags") because
the tail AG selection by the allocator sets t_highest_agno on the
transaction. If the inode allocator spins around and finds an inode
chunk with free inodes in an earlier AG, the subsequent dir name
creation path may still fail to allocate due to the AG restriction
and cancel.
To avoid this problem, update the max_agbno calculation to the agbno
prior to the last chunk aligned agbno in the AG. This is not
necessarily the last valid allocation target for a sparse chunk, but
since inode chunks (i.e. records) are chunk aligned and sparse
allocs are cluster sized/aligned, this allows the sb_spino_align
alignment restriction to take over and round down the max effective
agbno to within the last valid inode chunk in the AG.
Note that even though the allocator improvements in the
aforementioned commit seem to avoid this particular dirty trans
cancel situation, the max_agbno logic improvement still applies as
we should be able to allocate from an AG that has been appropriately
selected. The more important target for this patch however are
older/stable kernels prior to this allocator rework/improvement.
Cc: stable@vger.kernel.org # v4.2
Fixes: 56d1115c9bc7 ("xfs: allocate sparse inode chunks on full chunk allocation failure")
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/libxfs/xfs_ialloc.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/fs/xfs/libxfs/xfs_ialloc.c
+++ b/fs/xfs/libxfs/xfs_ialloc.c
@@ -848,15 +848,16 @@ sparse_alloc:
* invalid inode records, such as records that start at agbno 0
* or extend beyond the AG.
*
- * Set min agbno to the first aligned, non-zero agbno and max to
- * the last aligned agbno that is at least one full chunk from
- * the end of the AG.
+ * Set min agbno to the first chunk aligned, non-zero agbno and
+ * max to one less than the last chunk aligned agbno from the
+ * end of the AG. We subtract 1 from max so that the cluster
+ * allocation alignment takes over and allows allocation within
+ * the last full inode chunk in the AG.
*/
args.min_agbno = args.mp->m_sb.sb_inoalignmt;
args.max_agbno = round_down(xfs_ag_block_count(args.mp,
pag_agno(pag)),
- args.mp->m_sb.sb_inoalignmt) -
- igeo->ialloc_blks;
+ args.mp->m_sb.sb_inoalignmt) - 1;
error = xfs_alloc_vextent_near_bno(&args,
xfs_agbno_to_fsb(pag,
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 106/198] xfs: Fix the return value of xfs_rtcopy_summary()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 105/198] xfs: set max_agbno to allow sparse alloc of last full inode chunk Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 107/198] virtio-net: dont schedule delayed refill worker Greg Kroah-Hartman
` (105 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nirjhar Roy (IBM), Darrick J. Wong,
Christoph Hellwig, Carlos Maiolino
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nirjhar Roy (IBM) <nirjhar.roy.lists@gmail.com>
commit 6b2d155366581705a848833a9b626bfea41d5a8d upstream.
xfs_rtcopy_summary() should return the appropriate error code
instead of always returning 0. The caller of this function which is
xfs_growfs_rt_bmblock() is already handling the error.
Fixes: e94b53ff699c ("xfs: cache last bitmap block in realtime allocator")
Signed-off-by: Nirjhar Roy (IBM) <nirjhar.roy.lists@gmail.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org # v6.7
Signed-off-by: Carlos Maiolino <cem@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/xfs_rtalloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/xfs/xfs_rtalloc.c
+++ b/fs/xfs/xfs_rtalloc.c
@@ -126,7 +126,7 @@ xfs_rtcopy_summary(
error = 0;
out:
xfs_rtbuf_cache_relse(oargs);
- return 0;
+ return error;
}
/*
* Mark an extent specified by start and len allocated.
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 107/198] virtio-net: dont schedule delayed refill worker
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 106/198] xfs: Fix the return value of xfs_rtcopy_summary() Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 108/198] lib/buildid: use __kernel_read() for sleepable context Greg Kroah-Hartman
` (104 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Xuan Zhuo,
Bui Quang Minh, Michael S. Tsirkin, Jakub Kicinski
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bui Quang Minh <minhquangbui99@gmail.com>
commit fcdef3bcbb2c04e06ae89f8faff2cd6416b3a467 upstream.
When we fail to refill the receive buffers, we schedule a delayed worker
to retry later. However, this worker creates some concurrency issues.
For example, when the worker runs concurrently with virtnet_xdp_set,
both need to temporarily disable queue's NAPI before enabling again.
Without proper synchronization, a deadlock can happen when
napi_disable() is called on an already disabled NAPI. That
napi_disable() call will be stuck and so will the subsequent
napi_enable() call.
To simplify the logic and avoid further problems, we will instead retry
refilling in the next NAPI poll.
Fixes: 4bc12818b363 ("virtio-net: disable delayed refill when pausing rx")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Closes: https://lore.kernel.org/526b5396-459d-4d02-8635-a222d07b46d7@redhat.com
Cc: stable@vger.kernel.org
Suggested-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://patch.msgid.link/20260106150438.7425-2-minhquangbui99@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/virtio_net.c | 47 ++++++++++++++++++++++++-----------------------
1 file changed, 24 insertions(+), 23 deletions(-)
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -3037,16 +3037,16 @@ static int virtnet_receive(struct receiv
else
packets = virtnet_receive_packets(vi, rq, budget, xdp_xmit, &stats);
+ u64_stats_set(&stats.packets, packets);
if (rq->vq->num_free > min((unsigned int)budget, virtqueue_get_vring_size(rq->vq)) / 2) {
- if (!try_fill_recv(vi, rq, GFP_ATOMIC)) {
- spin_lock(&vi->refill_lock);
- if (vi->refill_enabled)
- schedule_delayed_work(&vi->refill, 0);
- spin_unlock(&vi->refill_lock);
- }
+ if (!try_fill_recv(vi, rq, GFP_ATOMIC))
+ /* We need to retry refilling in the next NAPI poll so
+ * we must return budget to make sure the NAPI is
+ * repolled.
+ */
+ packets = budget;
}
- u64_stats_set(&stats.packets, packets);
u64_stats_update_begin(&rq->stats.syncp);
for (i = 0; i < ARRAY_SIZE(virtnet_rq_stats_desc); i++) {
size_t offset = virtnet_rq_stats_desc[i].offset;
@@ -3226,9 +3226,10 @@ static int virtnet_open(struct net_devic
for (i = 0; i < vi->max_queue_pairs; i++) {
if (i < vi->curr_queue_pairs)
- /* Make sure we have some buffers: if oom use wq. */
- if (!try_fill_recv(vi, &vi->rq[i], GFP_KERNEL))
- schedule_delayed_work(&vi->refill, 0);
+ /* Pre-fill rq agressively, to make sure we are ready to
+ * get packets immediately.
+ */
+ try_fill_recv(vi, &vi->rq[i], GFP_KERNEL);
err = virtnet_enable_queue_pair(vi, i);
if (err < 0)
@@ -3473,16 +3474,15 @@ static void __virtnet_rx_resume(struct v
struct receive_queue *rq,
bool refill)
{
- bool running = netif_running(vi->dev);
- bool schedule_refill = false;
+ if (netif_running(vi->dev)) {
+ /* Pre-fill rq agressively, to make sure we are ready to get
+ * packets immediately.
+ */
+ if (refill)
+ try_fill_recv(vi, rq, GFP_KERNEL);
- if (refill && !try_fill_recv(vi, rq, GFP_KERNEL))
- schedule_refill = true;
- if (running)
virtnet_napi_enable(rq);
-
- if (schedule_refill)
- schedule_delayed_work(&vi->refill, 0);
+ }
}
static void virtnet_rx_resume_all(struct virtnet_info *vi)
@@ -3827,11 +3827,12 @@ static int virtnet_set_queues(struct vir
}
succ:
vi->curr_queue_pairs = queue_pairs;
- /* virtnet_open() will refill when device is going to up. */
- spin_lock_bh(&vi->refill_lock);
- if (dev->flags & IFF_UP && vi->refill_enabled)
- schedule_delayed_work(&vi->refill, 0);
- spin_unlock_bh(&vi->refill_lock);
+ if (dev->flags & IFF_UP) {
+ local_bh_disable();
+ for (int i = 0; i < vi->curr_queue_pairs; ++i)
+ virtqueue_napi_schedule(&vi->rq[i].napi, vi->rq[i].vq);
+ local_bh_enable();
+ }
return 0;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 108/198] lib/buildid: use __kernel_read() for sleepable context
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 107/198] virtio-net: dont schedule delayed refill worker Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 109/198] x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers Greg Kroah-Hartman
` (103 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+09b7d050e4806540153d,
Shakeel Butt, Christoph Hellwig, Jinchao Wang, Christian Brauner,
Alexei Starovoitov, Andrii Nakryiko, Daniel Borkman,
Darrick J. Wong, Matthew Wilcox (Oracle), Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shakeel Butt <shakeel.butt@linux.dev>
commit 777a8560fd29738350c5094d4166fe5499452409 upstream.
Prevent a "BUG: unable to handle kernel NULL pointer dereference in
filemap_read_folio".
For the sleepable context, convert freader to use __kernel_read() instead
of direct page cache access via read_cache_folio(). This simplifies the
faultable code path by using the standard kernel file reading interface
which handles all the complexity of reading file data.
At the moment we are not changing the code for non-sleepable context which
uses filemap_get_folio() and only succeeds if the target folios are
already in memory and up-to-date. The reason is to keep the patch simple
and easier to backport to stable kernels.
Syzbot repro does not crash the kernel anymore and the selftests run
successfully.
In the follow up we will make __kernel_read() with IOCB_NOWAIT work for
non-sleepable contexts. In addition, I would like to replace the
secretmem check with a more generic approach and will add fstest for the
buildid code.
Link: https://lkml.kernel.org/r/20251222205859.3968077-1-shakeel.butt@linux.dev
Fixes: ad41251c290d ("lib/buildid: implement sleepable build_id_parse() API")
Reported-by: syzbot+09b7d050e4806540153d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=09b7d050e4806540153d
Signed-off-by: Shakeel Butt <shakeel.butt@linux.dev>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Tested-by: Jinchao Wang <wangjinchao600@gmail.com>
Link: https://lkml.kernel.org/r/aUteBPWPYzVWIZFH@ndev
Reviewed-by: Christian Brauner <brauner@kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andrii Nakryiko <andrii@kernel.org>
Cc: Daniel Borkman <daniel@iogearbox.net>
Cc: "Darrick J. Wong" <djwong@kernel.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/buildid.c | 32 ++++++++++++++++++++------------
1 file changed, 20 insertions(+), 12 deletions(-)
--- a/lib/buildid.c
+++ b/lib/buildid.c
@@ -5,6 +5,7 @@
#include <linux/elf.h>
#include <linux/kernel.h>
#include <linux/pagemap.h>
+#include <linux/fs.h>
#include <linux/secretmem.h>
#define BUILD_ID 3
@@ -65,20 +66,9 @@ static int freader_get_folio(struct frea
freader_put_folio(r);
- /* reject secretmem folios created with memfd_secret() */
- if (secretmem_mapping(r->file->f_mapping))
- return -EFAULT;
-
+ /* only use page cache lookup - fail if not already cached */
r->folio = filemap_get_folio(r->file->f_mapping, file_off >> PAGE_SHIFT);
- /* if sleeping is allowed, wait for the page, if necessary */
- if (r->may_fault && (IS_ERR(r->folio) || !folio_test_uptodate(r->folio))) {
- filemap_invalidate_lock_shared(r->file->f_mapping);
- r->folio = read_cache_folio(r->file->f_mapping, file_off >> PAGE_SHIFT,
- NULL, r->file);
- filemap_invalidate_unlock_shared(r->file->f_mapping);
- }
-
if (IS_ERR(r->folio) || !folio_test_uptodate(r->folio)) {
if (!IS_ERR(r->folio))
folio_put(r->folio);
@@ -116,6 +106,24 @@ static const void *freader_fetch(struct
return r->data + file_off;
}
+ /* reject secretmem folios created with memfd_secret() */
+ if (secretmem_mapping(r->file->f_mapping)) {
+ r->err = -EFAULT;
+ return NULL;
+ }
+
+ /* use __kernel_read() for sleepable context */
+ if (r->may_fault) {
+ ssize_t ret;
+
+ ret = __kernel_read(r->file, r->buf, sz, &file_off);
+ if (ret != sz) {
+ r->err = (ret < 0) ? ret : -EIO;
+ return NULL;
+ }
+ return r->buf;
+ }
+
/* fetch or reuse folio for given file offset */
r->err = freader_get_folio(r, file_off);
if (r->err)
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 109/198] x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 108/198] lib/buildid: use __kernel_read() for sleepable context Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 110/198] phy: rockchip: inno-usb2: fix communication disruption in gadget mode Greg Kroah-Hartman
` (102 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ingo Molnar, Kees Cook,
Bjorn Helgaas, Peter Zijlstra, Andy Lutomirski, Logan Gunthorpe,
Andrew Morton, David Hildenbrand, Lorenzo Stoakes,
Liam R. Howlett, Vlastimil Babka, Mike Rapoport,
Suren Baghdasaryan, Michal Hocko, Dan Williams, Balbir Singh,
Yasunori Goto, Dave Hansen, Dave Jiang
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Williams <dan.j.williams@intel.com>
commit 269031b15c1433ff39e30fa7ea3ab8f0be9d6ae2 upstream.
Commit 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
is too narrow. The effect being mitigated in that commit is caused by
ZONE_DEVICE which PCI_P2PDMA has a dependency. ZONE_DEVICE, in general,
lets any physical address be added to the direct-map. I.e. not only ACPI
hotplug ranges, CXL Memory Windows, or EFI Specific Purpose Memory, but
also any PCI MMIO range for the DEVICE_PRIVATE and PCI_P2PDMA cases. Update
the mitigation, limit KASLR entropy, to apply in all ZONE_DEVICE=y cases.
Distro kernels typically have PCI_P2PDMA=y, so the practical exposure of
this problem is limited to the PCI_P2PDMA=n case.
A potential path to recover entropy would be to walk ACPI and determine the
limits for hotplug and PCI MMIO before kernel_randomize_memory(). On
smaller systems that could yield some KASLR address bits. This needs
additional investigation to determine if some limited ACPI table scanning
can happen this early without an open coded solution like
arch/x86/boot/compressed/acpi.c needs to deploy.
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Kees Cook <kees@kernel.org>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Logan Gunthorpe <logang@deltatee.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: David Hildenbrand <david@redhat.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Fixes: 7ffb791423c7 ("x86/kaslr: Reduce KASLR entropy on most x86 systems")
Cc: <stable@vger.kernel.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reviewed-by: Balbir Singh <balbirs@nvidia.com>
Tested-by: Yasunori Goto <y-goto@fujitsu.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: http://patch.msgid.link/692e08b2516d4_261c1100a3@dwillia2-mobl4.notmuch
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/kaslr.c | 10 +++++-----
drivers/pci/Kconfig | 6 ------
mm/Kconfig | 10 +++++++---
3 files changed, 12 insertions(+), 14 deletions(-)
--- a/arch/x86/mm/kaslr.c
+++ b/arch/x86/mm/kaslr.c
@@ -115,12 +115,12 @@ void __init kernel_randomize_memory(void
/*
* Adapt physical memory region size based on available memory,
- * except when CONFIG_PCI_P2PDMA is enabled. P2PDMA exposes the
- * device BAR space assuming the direct map space is large enough
- * for creating a ZONE_DEVICE mapping in the direct map corresponding
- * to the physical BAR address.
+ * except when CONFIG_ZONE_DEVICE is enabled. ZONE_DEVICE wants to map
+ * any physical address into the direct-map. KASLR wants to reliably
+ * steal some physical address bits. Those design choices are in direct
+ * conflict.
*/
- if (!IS_ENABLED(CONFIG_PCI_P2PDMA) && (memory_tb < kaslr_regions[0].size_tb))
+ if (!IS_ENABLED(CONFIG_ZONE_DEVICE) && (memory_tb < kaslr_regions[0].size_tb))
kaslr_regions[0].size_tb = memory_tb;
/*
--- a/drivers/pci/Kconfig
+++ b/drivers/pci/Kconfig
@@ -207,12 +207,6 @@ config PCI_P2PDMA
P2P DMA transactions must be between devices behind the same root
port.
- Enabling this option will reduce the entropy of x86 KASLR memory
- regions. For example - on a 46 bit system, the entropy goes down
- from 16 bits to 15 bits. The actual reduction in entropy depends
- on the physical address bits, on processor features, kernel config
- (5 level page table) and physical memory present on the system.
-
If unsure, say N.
config PCI_LABEL
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -1135,10 +1135,14 @@ config ZONE_DEVICE
Device memory hotplug support allows for establishing pmem,
or other device driver discovered memory regions, in the
memmap. This allows pfn_to_page() lookups of otherwise
- "device-physical" addresses which is needed for using a DAX
- mapping in an O_DIRECT operation, among other things.
+ "device-physical" addresses which is needed for DAX, PCI_P2PDMA, and
+ DEVICE_PRIVATE features among others.
- If FS_DAX is enabled, then say Y.
+ Enabling this option will reduce the entropy of x86 KASLR memory
+ regions. For example - on a 46 bit system, the entropy goes down
+ from 16 bits to 15 bits. The actual reduction in entropy depends
+ on the physical address bits, on processor features, kernel config
+ (5 level page table) and physical memory present on the system.
#
# Helpers to mirror range of the CPU page tables of a process into device page
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 110/198] phy: rockchip: inno-usb2: fix communication disruption in gadget mode
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 109/198] x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 111/198] phy: ti: gmii-sel: fix regmap leak on probe failure Greg Kroah-Hartman
` (101 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Ceresoli, Théo Lebrun,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
commit 7d8f725b79e35fa47e42c88716aad8711e1168d8 upstream.
When the OTG USB port is used to power to SoC, configured as peripheral and
used in gadget mode, communication stops without notice about 6 seconds
after the gadget is configured and enumerated.
The problem was observed on a Radxa Rock Pi S board, which can only be
powered by the only USB-C connector. That connector is the only one usable
in gadget mode. This implies the USB cable is connected from before boot
and never disconnects while the kernel runs.
The related code flow in the PHY driver code can be summarized as:
* the first time chg_detect_work starts (6 seconds after gadget is
configured and enumerated)
-> rockchip_chg_detect_work():
if chg_state is UNDEFINED:
property_enable(base, &rphy->phy_cfg->chg_det.opmode, false); [Y]
* rockchip_chg_detect_work() changes state and re-triggers itself a few
times until it reaches the DETECTED state:
-> rockchip_chg_detect_work():
if chg_state is DETECTED:
property_enable(base, &rphy->phy_cfg->chg_det.opmode, true); [Z]
At [Y] all existing communications stop. E.g. using a CDC serial gadget,
the /dev/tty* devices are still present on both host and device, but no
data is transferred anymore. The later call with a 'true' argument at [Z]
does not restore it.
Due to the lack of documentation, what chg_det.opmode does exactly is not
clear, however by code inspection it seems reasonable that is disables
something needed to keep the communication working, and testing proves that
disabling these lines lets gadget mode keep working. So prevent changes to
chg_det.opmode when there is a cable connected (VBUS present).
Fixes: 98898f3bc83c ("phy: rockchip-inno-usb2: support otg-port for rk3399")
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/lkml/20250414185458.7767aabc@booty/
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Théo Lebrun <theo.lebrun@bootlin.com>
Link: https://patch.msgid.link/20251127-rk3308-fix-usb-gadget-phy-disconnect-v2-2-dac8a02cd2ca@bootlin.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
@@ -831,7 +831,8 @@ static void rockchip_chg_detect_work(str
if (!rport->suspended)
rockchip_usb2phy_power_off(rport->phy);
/* put the controller in non-driving mode */
- property_enable(base, &rphy->phy_cfg->chg_det.opmode, false);
+ if (!vbus_attach)
+ property_enable(base, &rphy->phy_cfg->chg_det.opmode, false);
/* Start DCD processing stage 1 */
rockchip_chg_enable_dcd(rphy, true);
rphy->chg_state = USB_CHG_STATE_WAIT_FOR_DCD;
@@ -894,7 +895,8 @@ static void rockchip_chg_detect_work(str
fallthrough;
case USB_CHG_STATE_DETECTED:
/* put the controller in normal mode */
- property_enable(base, &rphy->phy_cfg->chg_det.opmode, true);
+ if (!vbus_attach)
+ property_enable(base, &rphy->phy_cfg->chg_det.opmode, true);
rockchip_usb2phy_otg_sm_work(&rport->otg_sm_work.work);
dev_dbg(&rport->phy->dev, "charger = %s\n",
chg_to_string(rphy->chg_type));
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 111/198] phy: ti: gmii-sel: fix regmap leak on probe failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 110/198] phy: rockchip: inno-usb2: fix communication disruption in gadget mode Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 112/198] phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() Greg Kroah-Hartman
` (100 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Davis, Johan Hovold,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 4914d67da947031d6f645c81c74f7879e0844d5d upstream.
The mmio regmap that may be allocated during probe is never freed.
Switch to using the device managed allocator so that the regmap is
released on probe failures (e.g. probe deferral) and on driver unbind.
Fixes: 5ab90f40121a ("phy: ti: gmii-sel: Do not use syscon helper to build regmap")
Cc: stable@vger.kernel.org # 6.14
Cc: Andrew Davis <afd@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Andrew Davis <afd@ti.com>
Link: https://patch.msgid.link/20251127134834.2030-1-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/ti/phy-gmii-sel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/phy/ti/phy-gmii-sel.c
+++ b/drivers/phy/ti/phy-gmii-sel.c
@@ -512,7 +512,7 @@ static int phy_gmii_sel_probe(struct pla
return dev_err_probe(dev, PTR_ERR(base),
"failed to get base memory resource\n");
- priv->regmap = regmap_init_mmio(dev, base, &phy_gmii_sel_regmap_cfg);
+ priv->regmap = devm_regmap_init_mmio(dev, base, &phy_gmii_sel_regmap_cfg);
if (IS_ERR(priv->regmap))
return dev_err_probe(dev, PTR_ERR(priv->regmap),
"Failed to get syscon\n");
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 112/198] phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 111/198] phy: ti: gmii-sel: fix regmap leak on probe failure Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 113/198] phy: freescale: imx8m-pcie: assert phy reset during power on Greg Kroah-Hartman
` (99 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wentao Liang, Neil Armstrong,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wentao Liang <vulab@iscas.ac.cn>
commit e07dea3de508cd6950c937cec42de7603190e1ca upstream.
The for_each_available_child_of_node() calls of_node_put() to
release child_np in each success loop. After breaking from the
loop with the child_np has been released, the code will jump to
the put_child label and will call the of_node_put() again if the
devm_request_threaded_irq() fails. These cause a double free bug.
Fix by returning directly to avoid the duplicate of_node_put().
Fixes: ed2b5a8e6b98 ("phy: phy-rockchip-inno-usb2: support muxed interrupts")
Cc: stable@vger.kernel.org
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260109154626.2452034-1-vulab@iscas.ac.cn
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
@@ -1493,7 +1493,7 @@ next_child:
rphy);
if (ret) {
dev_err_probe(rphy->dev, ret, "failed to request usb2phy irq handle\n");
- goto put_child;
+ return ret;
}
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 113/198] phy: freescale: imx8m-pcie: assert phy reset during power on
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 112/198] phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 114/198] phy: rockchip: inno-usb2: fix disconnection in gadget mode Greg Kroah-Hartman
` (98 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael Beims, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael Beims <rafael.beims@toradex.com>
commit f2ec4723defbc66a50e0abafa830ae9f8bceb0d7 upstream.
After U-Boot initializes PCIe with "pcie enum", Linux fails to detect
an NVMe disk on some boot cycles with:
phy phy-32f00000.pcie-phy.0: phy poweron failed --> -110
Discussion with NXP identified that the iMX8MP PCIe PHY PLL may fail to
lock when re-initialized without a reset cycle [1].
The issue reproduces on 7% of tested hardware platforms, with a 30-40%
failure rate per affected device across boot cycles.
Insert a reset cycle in the power-on routine to ensure the PHY is
initialized from a known state.
[1] https://community.nxp.com/t5/i-MX-Processors/iMX8MP-PCIe-initialization-in-U-Boot/m-p/2248437#M242401
Signed-off-by: Rafael Beims <rafael.beims@toradex.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251223150254.1075221-1-rafael@beims.me
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/freescale/phy-fsl-imx8m-pcie.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/phy/freescale/phy-fsl-imx8m-pcie.c
+++ b/drivers/phy/freescale/phy-fsl-imx8m-pcie.c
@@ -89,7 +89,8 @@ static int imx8_pcie_phy_power_on(struct
writel(imx8_phy->tx_deemph_gen2,
imx8_phy->base + PCIE_PHY_TRSV_REG6);
break;
- case IMX8MP: /* Do nothing. */
+ case IMX8MP:
+ reset_control_assert(imx8_phy->reset);
break;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 114/198] phy: rockchip: inno-usb2: fix disconnection in gadget mode
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 113/198] phy: freescale: imx8m-pcie: assert phy reset during power on Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 115/198] phy: fsl-imx8mq-usb: fix typec orientation switch when built as module Greg Kroah-Hartman
` (97 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Louis Chauvet, Luca Ceresoli,
Théo Lebrun, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Louis Chauvet <louis.chauvet@bootlin.com>
commit 028e8ca7b20fb7324f3e5db34ba8bd366d9d3acc upstream.
When the OTG USB port is used to power the SoC, configured as peripheral
and used in gadget mode, there is a disconnection about 6 seconds after the
gadget is configured and enumerated.
The problem was observed on a Radxa Rock Pi S board, which can only be
powered by the only USB-C connector. That connector is the only one usable
in gadget mode. This implies the USB cable is connected from before boot
and never disconnects while the kernel runs.
The problem happens because of the PHY driver code flow, summarized as:
* UDC start code (triggered via configfs at any time after boot)
-> phy_init
-> rockchip_usb2phy_init
-> schedule_delayed_work(otg_sm_work [A], 6 sec)
-> phy_power_on
-> rockchip_usb2phy_power_on
-> enable clock
-> rockchip_usb2phy_reset
* Now the gadget interface is up and running.
* 6 seconds later otg_sm_work starts [A]
-> rockchip_usb2phy_otg_sm_work():
if (B_IDLE state && VBUS present && ...):
schedule_delayed_work(&rport->chg_work [B], 0);
* immediately the chg_detect_work starts [B]
-> rockchip_chg_detect_work():
if chg_state is UNDEFINED:
if (!rport->suspended):
rockchip_usb2phy_power_off() <--- [X]
At [X], the PHY is powered off, causing a disconnection. This quickly
triggers a new connection and following re-enumeration, but any connection
that had been established during the 6 seconds is broken.
The code already checks for !rport->suspended (which, somewhat
counter-intuitively, means the PHY is powered on), so add a guard for VBUS
as well to avoid a disconnection when a cable is connected.
Fixes: 98898f3bc83c ("phy: rockchip-inno-usb2: support otg-port for rk3399")
Cc: stable@vger.kernel.org
Closes: https://lore.kernel.org/lkml/20250414185458.7767aabc@booty/
Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
Co-developed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Reviewed-by: Théo Lebrun <theo.lebrun@bootlin.com>
Link: https://patch.msgid.link/20251127-rk3308-fix-usb-gadget-phy-disconnect-v2-1-dac8a02cd2ca@bootlin.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
+++ b/drivers/phy/rockchip/phy-rockchip-inno-usb2.c
@@ -821,14 +821,16 @@ static void rockchip_chg_detect_work(str
container_of(work, struct rockchip_usb2phy_port, chg_work.work);
struct rockchip_usb2phy *rphy = dev_get_drvdata(rport->phy->dev.parent);
struct regmap *base = get_reg_base(rphy);
- bool is_dcd, tmout, vout;
+ bool is_dcd, tmout, vout, vbus_attach;
unsigned long delay;
+ vbus_attach = property_enabled(rphy->grf, &rport->port_cfg->utmi_bvalid);
+
dev_dbg(&rport->phy->dev, "chg detection work state = %d\n",
rphy->chg_state);
switch (rphy->chg_state) {
case USB_CHG_STATE_UNDEFINED:
- if (!rport->suspended)
+ if (!rport->suspended && !vbus_attach)
rockchip_usb2phy_power_off(rport->phy);
/* put the controller in non-driving mode */
if (!vbus_attach)
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 115/198] phy: fsl-imx8mq-usb: fix typec orientation switch when built as module
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 114/198] phy: rockchip: inno-usb2: fix disconnection in gadget mode Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 116/198] phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7 Greg Kroah-Hartman
` (96 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xu Yang, Franz Schnyder, Frank Li,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Franz Schnyder <franz.schnyder@toradex.com>
commit 49ccab4bedd4779899246107dc19fb01c5b6fea3 upstream.
Currently, the PHY only registers the typec orientation switch when it
is built in. If the typec driver is built as a module, the switch
registration is skipped due to the preprocessor condition, causing
orientation detection to fail.
With commit
45fe729be9a6 ("usb: typec: Stub out typec_switch APIs when CONFIG_TYPEC=n")
the preprocessor condition is not needed anymore and the orientation
switch is correctly registered for both built-in and module builds.
Fixes: b58f0f86fd61 ("phy: fsl-imx8mq-usb: add tca function driver for imx95")
Cc: stable@vger.kernel.org
Suggested-by: Xu Yang <xu.yang_2@nxp.com>
Signed-off-by: Franz Schnyder <franz.schnyder@toradex.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20251126140136.1202241-1-fra.schnyder@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 14 --------------
1 file changed, 14 deletions(-)
--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
@@ -124,8 +124,6 @@ struct imx8mq_usb_phy {
static void tca_blk_orientation_set(struct tca_blk *tca,
enum typec_orientation orientation);
-#ifdef CONFIG_TYPEC
-
static int tca_blk_typec_switch_set(struct typec_switch_dev *sw,
enum typec_orientation orientation)
{
@@ -173,18 +171,6 @@ static void tca_blk_put_typec_switch(str
typec_switch_unregister(sw);
}
-#else
-
-static struct typec_switch_dev *tca_blk_get_typec_switch(struct platform_device *pdev,
- struct imx8mq_usb_phy *imx_phy)
-{
- return NULL;
-}
-
-static void tca_blk_put_typec_switch(struct typec_switch_dev *sw) {}
-
-#endif /* CONFIG_TYPEC */
-
static void tca_blk_orientation_set(struct tca_blk *tca,
enum typec_orientation orientation)
{
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 116/198] phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 115/198] phy: fsl-imx8mq-usb: fix typec orientation switch when built as module Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 117/198] usb: host: xhci-tegra: Use platform_get_irq_optional() for wake IRQs Greg Kroah-Hartman
` (95 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wayne Chang, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wayne Chang <waynec@nvidia.com>
commit b246caa68037aa495390a60d080acaeb84f45fff upstream.
The USB2 Bias Pad Control register manages analog parameters for signal
detection. Previously, the HS_DISCON_LEVEL relied on hardware reset
values, which may lead to the detection failure.
Explicitly configure HS_DISCON_LEVEL to 0x7. This ensures the disconnect
threshold is sufficient to guarantee reliable detection.
Fixes: bbf711682cd5 ("phy: tegra: xusb: Add Tegra186 support")
Cc: stable@vger.kernel.org
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Link: https://patch.msgid.link/20251212032116.768307-1-waynec@nvidia.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/tegra/xusb-tegra186.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/phy/tegra/xusb-tegra186.c
+++ b/drivers/phy/tegra/xusb-tegra186.c
@@ -84,6 +84,7 @@
#define XUSB_PADCTL_USB2_BIAS_PAD_CTL0 0x284
#define BIAS_PAD_PD BIT(11)
#define HS_SQUELCH_LEVEL(x) (((x) & 0x7) << 0)
+#define HS_DISCON_LEVEL(x) (((x) & 0x7) << 3)
#define XUSB_PADCTL_USB2_BIAS_PAD_CTL1 0x288
#define USB2_TRK_START_TIMER(x) (((x) & 0x7f) << 12)
@@ -623,6 +624,8 @@ static void tegra186_utmi_bias_pad_power
value &= ~BIAS_PAD_PD;
value &= ~HS_SQUELCH_LEVEL(~0);
value |= HS_SQUELCH_LEVEL(priv->calib.hs_squelch);
+ value &= ~HS_DISCON_LEVEL(~0);
+ value |= HS_DISCON_LEVEL(0x7);
padctl_writel(padctl, value, XUSB_PADCTL_USB2_BIAS_PAD_CTL0);
udelay(1);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 117/198] usb: host: xhci-tegra: Use platform_get_irq_optional() for wake IRQs
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 116/198] phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7 Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 118/198] xhci: sideband: dont dereference freed ring when removing sideband endpoint Greg Kroah-Hartman
` (94 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Wayne Chang, Wei-Cheng Chen,
Jon Hunter
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wayne Chang <waynec@nvidia.com>
commit d13b6a128a12e528bb18f971f2969feb286f45c7 upstream.
When some wake IRQs are disabled in the device tree, the corresponding
interrupt entries are removed from DT. In such cases, the driver
currently calls platform_get_irq(), which returns -ENXIO and logs
an error like:
tegra-xusb 3610000.usb: error -ENXIO: IRQ index 2 not found
However, not all wake IRQs are mandatory. The hardware can operate
normally even if some wake sources are not defined in DT. To avoid this
false alarm and allow missing wake IRQs gracefully, use
platform_get_irq_optional() instead of platform_get_irq().
Fixes: 5df186e2ef11 ("usb: xhci: tegra: Support USB wakeup function for Tegra234")
Cc: stable <stable@kernel.org>
Signed-off-by: Wayne Chang <waynec@nvidia.com>
Signed-off-by: Wei-Cheng Chen <weichengc@nvidia.com>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://patch.msgid.link/20260112145653.95691-1-weichengc@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-tegra.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-tegra.c
+++ b/drivers/usb/host/xhci-tegra.c
@@ -1564,7 +1564,7 @@ static int tegra_xusb_setup_wakeup(struc
for (i = 0; i < tegra->soc->max_num_wakes; i++) {
struct irq_data *data;
- tegra->wake_irqs[i] = platform_get_irq(pdev, i + WAKE_IRQ_START_INDEX);
+ tegra->wake_irqs[i] = platform_get_irq_optional(pdev, i + WAKE_IRQ_START_INDEX);
if (tegra->wake_irqs[i] < 0)
break;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 118/198] xhci: sideband: dont dereference freed ring when removing sideband endpoint
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 117/198] usb: host: xhci-tegra: Use platform_get_irq_optional() for wake IRQs Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 119/198] usb: gadget: uvc: fix interval_duration calculation Greg Kroah-Hartman
` (93 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, 胡连勤,
Mathias Nyman
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman <mathias.nyman@linux.intel.com>
commit dd83dc1249737b837ac5d57c81f2b0977c613d9f upstream.
xhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is
running and has a valid transfer ring.
Lianqin reported a crash during suspend/wake-up stress testing, and
found the cause to be dereferencing a non-existing transfer ring
'ep->ring' during xhci_sideband_remove_endpoint().
The endpoint and its ring may be in unknown state if this function
is called after xHCI was reinitialized in resume (lost power), or if
device is being re-enumerated, disconnected or endpoint already dropped.
Fix this by both removing unnecessary ring access, and by checking
ep->ring exists before dereferencing it. Also make sure endpoint is
running before attempting to stop it.
Remove the xhci_initialize_ring_info() call during sideband endpoint
removal as is it only initializes ring structure enqueue, dequeue and
cycle state values to their starting values without changing actual
hardware enqueue, dequeue and cycle state. Leaving them out of sync
is worse than leaving it as it is. The endpoint will get freed in after
this in most usecases.
If the (audio) class driver want's to reuse the endpoint after offload
then it is up to the class driver to ensure endpoint is properly set up.
Reported-by: 胡连勤 <hulianqin@vivo.com>
Closes: https://lore.kernel.org/linux-usb/TYUPR06MB6217B105B059A7730C4F6EC8D2B9A@TYUPR06MB6217.apcprd06.prod.outlook.com/
Tested-by: 胡连勤 <hulianqin@vivo.com>
Fixes: de66754e9f80 ("xhci: sideband: add initial api to register a secondary interrupter entity")
Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://patch.msgid.link/20260115233758.364097-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-sideband.c | 1 -
drivers/usb/host/xhci.c | 15 ++++++++++++---
2 files changed, 12 insertions(+), 4 deletions(-)
--- a/drivers/usb/host/xhci-sideband.c
+++ b/drivers/usb/host/xhci-sideband.c
@@ -210,7 +210,6 @@ xhci_sideband_remove_endpoint(struct xhc
return -ENODEV;
__xhci_sideband_remove_endpoint(sb, ep);
- xhci_initialize_ring_info(ep->ring);
return 0;
}
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -2891,16 +2891,25 @@ int xhci_stop_endpoint_sync(struct xhci_
gfp_t gfp_flags)
{
struct xhci_command *command;
+ struct xhci_ep_ctx *ep_ctx;
unsigned long flags;
- int ret;
+ int ret = -ENODEV;
command = xhci_alloc_command(xhci, true, gfp_flags);
if (!command)
return -ENOMEM;
spin_lock_irqsave(&xhci->lock, flags);
- ret = xhci_queue_stop_endpoint(xhci, command, ep->vdev->slot_id,
- ep->ep_index, suspend);
+
+ /* make sure endpoint exists and is running before stopping it */
+ if (ep->ring) {
+ ep_ctx = xhci_get_ep_ctx(xhci, ep->vdev->out_ctx, ep->ep_index);
+ if (GET_EP_CTX_STATE(ep_ctx) == EP_STATE_RUNNING)
+ ret = xhci_queue_stop_endpoint(xhci, command,
+ ep->vdev->slot_id,
+ ep->ep_index, suspend);
+ }
+
if (ret < 0) {
spin_unlock_irqrestore(&xhci->lock, flags);
goto out;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 119/198] usb: gadget: uvc: fix interval_duration calculation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 118/198] xhci: sideband: dont dereference freed ring when removing sideband endpoint Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 120/198] usb: gadget: uvc: fix req_payload_size calculation Greg Kroah-Hartman
` (92 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Xu Yang
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 010dc57cb5163e5f4a32430dd5091cc29efd0471 upstream.
According to USB specification:
For full-/high-speed isochronous endpoints, the bInterval value is
used as the exponent for a 2^(bInterval-1) value.
To correctly convert bInterval as interval_duration:
interval_duration = 2^(bInterval-1) * frame_interval
Because the unit of video->interval is 100ns, add a comment info to
make it clear.
Fixes: 48dbe731171e ("usb: gadget: uvc: set req_size and n_requests based on the frame interval")
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260113-uvc-gadget-fix-patch-v2-2-62950ef5bcb5@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/uvc.h | 2 +-
drivers/usb/gadget/function/uvc_video.c | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -107,7 +107,7 @@ struct uvc_video {
unsigned int width;
unsigned int height;
unsigned int imagesize;
- unsigned int interval;
+ unsigned int interval; /* in 100ns units */
struct mutex mutex; /* protects frame parameters */
unsigned int uvc_num_requests;
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -499,7 +499,7 @@ uvc_video_prep_requests(struct uvc_video
{
struct uvc_device *uvc = container_of(video, struct uvc_device, video);
struct usb_composite_dev *cdev = uvc->func.config->cdev;
- unsigned int interval_duration = video->ep->desc->bInterval * 1250;
+ unsigned int interval_duration;
unsigned int max_req_size, req_size, header_size;
unsigned int nreq;
@@ -515,8 +515,11 @@ uvc_video_prep_requests(struct uvc_video
return;
}
+ interval_duration = 2 << (video->ep->desc->bInterval - 1);
if (cdev->gadget->speed < USB_SPEED_HIGH)
- interval_duration = video->ep->desc->bInterval * 10000;
+ interval_duration *= 10000;
+ else
+ interval_duration *= 1250;
nreq = DIV_ROUND_UP(video->interval, interval_duration);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 120/198] usb: gadget: uvc: fix req_payload_size calculation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 119/198] usb: gadget: uvc: fix interval_duration calculation Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 121/198] usb: dwc3: Check for USB4 IP_NAME Greg Kroah-Hartman
` (91 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Xu Yang
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit 2edc1acb1a2512843425aa19d0c6060a0a924605 upstream.
Current req_payload_size calculation has 2 issue:
(1) When the first time calculate req_payload_size for all the buffers,
reqs_per_frame = 0 will be the divisor of DIV_ROUND_UP(). So
the result is undefined.
This happens because VIDIOC_STREAMON is always executed after
VIDIOC_QBUF. So video->reqs_per_frame will be 0 until VIDIOC_STREAMON
is run.
(2) The buf->req_payload_size may be bigger than max_req_size.
Take YUYV pixel format as example:
If bInterval = 1, video->interval = 666666, high-speed:
video->reqs_per_frame = 666666 / 1250 = 534
720p: buf->req_payload_size = 1843200 / 534 = 3452
1080p: buf->req_payload_size = 4147200 / 534 = 7766
Based on such req_payload_size, the controller can't run normally.
To fix above issue, assign max_req_size to buf->req_payload_size when
video->reqs_per_frame = 0. And limit buf->req_payload_size to
video->req_size if it's large than video->req_size. Since max_req_size
is used at many place, add it to struct uvc_video and set the value once
endpoint is enabled.
Fixes: 98ad03291560 ("usb: gadget: uvc: set req_length based on payload by nreqs instead of req_size")
Cc: stable@vger.kernel.org
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://patch.msgid.link/20260113-uvc-gadget-fix-patch-v2-1-62950ef5bcb5@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_uvc.c | 4 ++++
drivers/usb/gadget/function/uvc.h | 1 +
drivers/usb/gadget/function/uvc_queue.c | 15 +++++++++++----
drivers/usb/gadget/function/uvc_video.c | 4 +---
4 files changed, 17 insertions(+), 7 deletions(-)
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -362,6 +362,10 @@ uvc_function_set_alt(struct usb_function
return ret;
usb_ep_enable(uvc->video.ep);
+ uvc->video.max_req_size = uvc->video.ep->maxpacket
+ * max_t(unsigned int, uvc->video.ep->maxburst, 1)
+ * (uvc->video.ep->mult);
+
memset(&v4l2_event, 0, sizeof(v4l2_event));
v4l2_event.type = UVC_EVENT_STREAMON;
v4l2_event_queue(&uvc->vdev, &v4l2_event);
--- a/drivers/usb/gadget/function/uvc.h
+++ b/drivers/usb/gadget/function/uvc.h
@@ -117,6 +117,7 @@ struct uvc_video {
/* Requests */
bool is_enabled; /* tracks whether video stream is enabled */
unsigned int req_size;
+ unsigned int max_req_size;
struct list_head ureqs; /* all uvc_requests allocated by uvc_video */
/* USB requests that the video pump thread can encode into */
--- a/drivers/usb/gadget/function/uvc_queue.c
+++ b/drivers/usb/gadget/function/uvc_queue.c
@@ -86,10 +86,17 @@ static int uvc_buffer_prepare(struct vb2
buf->bytesused = 0;
} else {
buf->bytesused = vb2_get_plane_payload(vb, 0);
- buf->req_payload_size =
- DIV_ROUND_UP(buf->bytesused +
- (video->reqs_per_frame * UVCG_REQUEST_HEADER_LEN),
- video->reqs_per_frame);
+
+ if (video->reqs_per_frame != 0) {
+ buf->req_payload_size =
+ DIV_ROUND_UP(buf->bytesused +
+ (video->reqs_per_frame * UVCG_REQUEST_HEADER_LEN),
+ video->reqs_per_frame);
+ if (buf->req_payload_size > video->req_size)
+ buf->req_payload_size = video->req_size;
+ } else {
+ buf->req_payload_size = video->max_req_size;
+ }
}
return 0;
--- a/drivers/usb/gadget/function/uvc_video.c
+++ b/drivers/usb/gadget/function/uvc_video.c
@@ -503,9 +503,7 @@ uvc_video_prep_requests(struct uvc_video
unsigned int max_req_size, req_size, header_size;
unsigned int nreq;
- max_req_size = video->ep->maxpacket
- * max_t(unsigned int, video->ep->maxburst, 1)
- * (video->ep->mult);
+ max_req_size = video->max_req_size;
if (!usb_endpoint_xfer_isoc(video->ep->desc)) {
video->req_size = max_req_size;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 121/198] usb: dwc3: Check for USB4 IP_NAME
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 120/198] usb: gadget: uvc: fix req_payload_size calculation Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 122/198] usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor Greg Kroah-Hartman
` (90 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit 0ed91d47959cb7573c17e06487f0fb891d59dfb3 upstream.
Synopsys renamed DWC_usb32 IP to DWC_usb4 as of IP version 1.30. No
functional change except checking for the IP_NAME here. The driver will
treat the new IP_NAME as if it's DWC_usb32. Additional features for USB4
will be introduced and checked separately.
Cc: stable@vger.kernel.org
Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://patch.msgid.link/e6f1827754c7a7ddc5eb7382add20bfe3a9b312f.1767390747.git.Thinh.Nguyen@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/core.c | 2 ++
drivers/usb/dwc3/core.h | 1 +
2 files changed, 3 insertions(+)
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -991,6 +991,8 @@ static bool dwc3_core_is_valid(struct dw
reg = dwc3_readl(dwc->regs, DWC3_GSNPSID);
dwc->ip = DWC3_GSNPS_ID(reg);
+ if (dwc->ip == DWC4_IP)
+ dwc->ip = DWC32_IP;
/* This should read as U3 followed by revision number */
if (DWC3_IP_IS(DWC3)) {
--- a/drivers/usb/dwc3/core.h
+++ b/drivers/usb/dwc3/core.h
@@ -1265,6 +1265,7 @@ struct dwc3 {
#define DWC3_IP 0x5533
#define DWC31_IP 0x3331
#define DWC32_IP 0x3332
+#define DWC4_IP 0x3430
u32 revision;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 122/198] usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 121/198] usb: dwc3: Check for USB4 IP_NAME Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 123/198] USB: OHCI/UHCI: Add soft dependencies on ehci_platform Greg Kroah-Hartman
` (89 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Johannes Brüderl
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Brüderl <johannes.bruederl@gmail.com>
commit 2740ac33c87b3d0dfa022efd6ba04c6261b1abbd upstream.
Add USB_QUIRK_NO_BOS quirk flag to skip requesting the BOS descriptor
for devices that cannot handle it.
Add Elgato 4K X (0fd9:009b) to the quirk table. This device hangs when
the BOS descriptor is requested at SuperSpeed Plus (10Gbps).
Link: https://bugzilla.kernel.org/show_bug.cgi?id=220027
Cc: stable <stable@kernel.org>
Signed-off-by: Johannes Brüderl <johannes.bruederl@gmail.com>
Link: https://patch.msgid.link/20251207090220.14807-1-johannes.bruederl@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/config.c | 5 +++++
drivers/usb/core/quirks.c | 3 +++
include/linux/usb/quirks.h | 3 +++
3 files changed, 11 insertions(+)
--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -1040,6 +1040,11 @@ int usb_get_bos_descriptor(struct usb_de
__u8 cap_type;
int ret;
+ if (dev->quirks & USB_QUIRK_NO_BOS) {
+ dev_dbg(ddev, "skipping BOS descriptor\n");
+ return -ENOMSG;
+ }
+
bos = kzalloc(sizeof(*bos), GFP_KERNEL);
if (!bos)
return -ENOMEM;
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -450,6 +450,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x0c45, 0x7056), .driver_info =
USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+ /* Elgato 4K X - BOS descriptor fetch hangs at SuperSpeed Plus */
+ { USB_DEVICE(0x0fd9, 0x009b), .driver_info = USB_QUIRK_NO_BOS },
+
/* Sony Xperia XZ1 Compact (lilac) smartphone in fastboot mode */
{ USB_DEVICE(0x0fce, 0x0dde), .driver_info = USB_QUIRK_NO_LPM },
--- a/include/linux/usb/quirks.h
+++ b/include/linux/usb/quirks.h
@@ -75,4 +75,7 @@
/* short SET_ADDRESS request timeout */
#define USB_QUIRK_SHORT_SET_ADDRESS_REQ_TIMEOUT BIT(16)
+/* skip BOS descriptor request */
+#define USB_QUIRK_NO_BOS BIT(17)
+
#endif /* __LINUX_USB_QUIRKS_H */
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 123/198] USB: OHCI/UHCI: Add soft dependencies on ehci_platform
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 122/198] usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 124/198] USB: serial: option: add Telit LE910 MBIM composition Greg Kroah-Hartman
` (88 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Shengwen Xiao, Huacai Chen,
Alan Stern
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen <chenhuacai@loongson.cn>
commit 01ef7f1b8713a78ab1a9512cf8096d2474c70633 upstream.
Commit 9beeee6584b9aa4f ("USB: EHCI: log a warning if ehci-hcd is not
loaded first") said that ehci-hcd should be loaded before ohci-hcd and
uhci-hcd. However, commit 05c92da0c52494ca ("usb: ohci/uhci - add soft
dependencies on ehci_pci") only makes ohci-pci/uhci-pci depend on ehci-
pci, which is not enough and we may still see the warnings in boot log.
To eliminate the warnings we should make ohci-hcd/uhci-hcd depend on
ehci-hcd. But Alan said that the warning introduced by 9beeee6584b9aa4f
is bogus, we only need the soft dependencies in the PCI level rather
than the HCD level.
However, there is really another neccessary soft dependencies between
ohci-platform/uhci-platform and ehci-platform, which is added by this
patch. The boot logs are below.
1. ohci-platform loaded before ehci-platform:
ohci-platform 1f058000.usb: Generic Platform OHCI controller
ohci-platform 1f058000.usb: new USB bus registered, assigned bus number 1
ohci-platform 1f058000.usb: irq 28, io mem 0x1f058000
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 4 ports detected
Warning! ehci_hcd should always be loaded before uhci_hcd and ohci_hcd, not after
usb 1-4: new low-speed USB device number 2 using ohci-platform
ehci-platform 1f050000.usb: EHCI Host Controller
ehci-platform 1f050000.usb: new USB bus registered, assigned bus number 2
ehci-platform 1f050000.usb: irq 29, io mem 0x1f050000
ehci-platform 1f050000.usb: USB 2.0 started, EHCI 1.00
usb 1-4: device descriptor read/all, error -62
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 4 ports detected
usb 1-4: new low-speed USB device number 3 using ohci-platform
input: YSPRINGTECH USB OPTICAL MOUSE as /devices/platform/bus@10000000/1f058000.usb/usb1/1-4/1-4:1.0/0003:10C4:8105.0001/input/input0
hid-generic 0003:10C4:8105.0001: input,hidraw0: USB HID v1.11 Mouse [YSPRINGTECH USB OPTICAL MOUSE] on usb-1f058000.usb-4/input0
2. ehci-platform loaded before ohci-platform:
ehci-platform 1f050000.usb: EHCI Host Controller
ehci-platform 1f050000.usb: new USB bus registered, assigned bus number 1
ehci-platform 1f050000.usb: irq 28, io mem 0x1f050000
ehci-platform 1f050000.usb: USB 2.0 started, EHCI 1.00
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 4 ports detected
ohci-platform 1f058000.usb: Generic Platform OHCI controller
ohci-platform 1f058000.usb: new USB bus registered, assigned bus number 2
ohci-platform 1f058000.usb: irq 29, io mem 0x1f058000
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 4 ports detected
usb 2-4: new low-speed USB device number 2 using ohci-platform
input: YSPRINGTECH USB OPTICAL MOUSE as /devices/platform/bus@10000000/1f058000.usb/usb2/2-4/2-4:1.0/0003:10C4:8105.0001/input/input0
hid-generic 0003:10C4:8105.0001: input,hidraw0: USB HID v1.11 Mouse [YSPRINGTECH USB OPTICAL MOUSE] on usb-1f058000.usb-4/input0
In the later case, there is no re-connection for USB-1.0/1.1 devices,
which is expected.
Cc: stable <stable@kernel.org>
Reported-by: Shengwen Xiao <atzlinux@sina.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://patch.msgid.link/20260112084802.1995923-1-chenhuacai@loongson.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/ohci-platform.c | 1 +
drivers/usb/host/uhci-platform.c | 1 +
2 files changed, 2 insertions(+)
--- a/drivers/usb/host/ohci-platform.c
+++ b/drivers/usb/host/ohci-platform.c
@@ -376,3 +376,4 @@ MODULE_DESCRIPTION(DRIVER_DESC);
MODULE_AUTHOR("Hauke Mehrtens");
MODULE_AUTHOR("Alan Stern");
MODULE_LICENSE("GPL");
+MODULE_SOFTDEP("pre: ehci_platform");
--- a/drivers/usb/host/uhci-platform.c
+++ b/drivers/usb/host/uhci-platform.c
@@ -191,3 +191,4 @@ static struct platform_driver uhci_platf
.of_match_table = platform_uhci_ids,
},
};
+MODULE_SOFTDEP("pre: ehci_platform");
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 124/198] USB: serial: option: add Telit LE910 MBIM composition
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 123/198] USB: OHCI/UHCI: Add soft dependencies on ehci_platform Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 125/198] USB: serial: ftdi_sio: add support for PICAXE AXE027 cable Greg Kroah-Hartman
` (87 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ulrich Mohr, Johan Hovold
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ulrich Mohr <u.mohr@semex-engcon.com>
commit 8af4274ab5999831f4757dfd5bd11665ba3b1569 upstream.
Add support for Telit LE910 module when operating in MBIM composition
with additional ttys. This USB product ID is used by the module
when AT#USBCFG is set to 7.
0x1252: MBIM + tty(NMEA) + tty(MODEM) + tty(MODEM) + SAP
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1252 Rev=03.18
S: Manufacturer=Android
S: Product=LE910C1-EU
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=84(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=88(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
I: If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=8a(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
Signed-off-by: Ulrich Mohr <u.mohr@semex-engcon.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1505,6 +1505,7 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1231, 0xff), /* Telit LE910Cx (RNDIS) */
.driver_info = NCTRL(2) | RSVD(3) },
{ USB_DEVICE_AND_INTERFACE_INFO(TELIT_VENDOR_ID, 0x1250, 0xff, 0x00, 0x00) }, /* Telit LE910Cx (rmnet) */
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1252, 0xff) }, /* Telit LE910Cx (MBIM) */
{ USB_DEVICE(TELIT_VENDOR_ID, 0x1260),
.driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
{ USB_DEVICE(TELIT_VENDOR_ID, 0x1261),
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 125/198] USB: serial: ftdi_sio: add support for PICAXE AXE027 cable
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 124/198] USB: serial: option: add Telit LE910 MBIM composition Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 126/198] nvme-pci: disable secondary temp for Wodposit WPBSNM8 Greg Kroah-Hartman
` (86 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ethan Nelson-Moore, Johan Hovold
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ethan Nelson-Moore <enelsonmoore@gmail.com>
commit c0afe95e62984ceea171c3ea319beaf84a21181c upstream.
The vendor provides instructions to write "0403 bd90" to
/sys/bus/usb-serial/drivers/ftdi_sio/new_id; see:
https://picaxe.com/docs/picaxe_linux_instructions.pdf
Cc: stable@vger.kernel.org
Signed-off-by: Ethan Nelson-Moore <enelsonmoore@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 2 ++
2 files changed, 3 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -850,6 +850,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID, 1) },
{ USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID, 1) },
+ { USB_DEVICE(FTDI_VID, FTDI_AXE027_PID) },
{ USB_DEVICE_INTERFACE_NUMBER(FTDI_VID, FTDI_TURTELIZER_PID, 1) },
{ USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) },
{ USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_SCU18) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -96,6 +96,8 @@
#define LMI_LM3S_EVAL_BOARD_PID 0xbcd9
#define LMI_LM3S_ICDI_BOARD_PID 0xbcda
+#define FTDI_AXE027_PID 0xBD90 /* PICAXE AXE027 USB download cable */
+
#define FTDI_TURTELIZER_PID 0xBDC8 /* JTAG/RS-232 adapter by egnite GmbH */
/* OpenDCC (www.opendcc.de) product id */
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 126/198] nvme-pci: disable secondary temp for Wodposit WPBSNM8
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 125/198] USB: serial: ftdi_sio: add support for PICAXE AXE027 cable Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 127/198] ASoC: codecs: wsa881x: fix unnecessary initialisation Greg Kroah-Hartman
` (85 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wu Haotian, Ilikara Zheng,
Keith Busch
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilikara Zheng <ilikara@aosc.io>
commit 340f4fc5508c2905a1f30de229e2a4b299d55735 upstream.
Secondary temperature thresholds (temp2_{min,max}) were not reported
properly on this NVMe SSD. This resulted in an error while attempting to
read these values with sensors(1):
ERROR: Can't get value of subfeature temp2_min: I/O error
ERROR: Can't get value of subfeature temp2_max: I/O error
Add the device to the nvme_id_table with the
NVME_QUIRK_NO_SECONDARY_TEMP_THRESH flag to suppress access to all non-
composite temperature thresholds.
Cc: stable@vger.kernel.org
Tested-by: Wu Haotian <rigoligo03@gmail.com>
Signed-off-by: Ilikara Zheng <ilikara@aosc.io>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -3917,6 +3917,8 @@ static const struct pci_device_id nvme_i
.driver_data = NVME_QUIRK_NO_DEEPEST_PS, },
{ PCI_DEVICE(0x1e49, 0x0041), /* ZHITAI TiPro7000 NVMe SSD */
.driver_data = NVME_QUIRK_NO_DEEPEST_PS, },
+ { PCI_DEVICE(0x1fa0, 0x2283), /* Wodposit WPBSNM8-256GTP */
+ .driver_data = NVME_QUIRK_NO_SECONDARY_TEMP_THRESH, },
{ PCI_DEVICE(0x025e, 0xf1ac), /* SOLIDIGM P44 pro SSDPFKKW020X7 */
.driver_data = NVME_QUIRK_NO_DEEPEST_PS, },
{ PCI_DEVICE(0xc0a9, 0x540a), /* Crucial P2 */
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 127/198] ASoC: codecs: wsa881x: fix unnecessary initialisation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 126/198] nvme-pci: disable secondary temp for Wodposit WPBSNM8 Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 128/198] ext4: fix ext4_tune_sb_params padding Greg Kroah-Hartman
` (84 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Krzysztof Kozlowski, Srinivas Kandagatla, Mark Brown
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 29d71b8a5a40708b3eed9ba4953bfc2312c9c776 upstream.
The soundwire update_status() callback may be called multiple times with
the same ATTACHED status but initialisation should only be done when
transitioning from UNATTACHED to ATTACHED.
Fixes: a0aab9e1404a ("ASoC: codecs: add wsa881x amplifier support")
Cc: stable@vger.kernel.org # 5.6
Cc: Srinivas Kandagatla <srini@kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@oss.qualcomm.com>
Link: https://patch.msgid.link/20260102111413.9605-3-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wsa881x.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/sound/soc/codecs/wsa881x.c
+++ b/sound/soc/codecs/wsa881x.c
@@ -678,6 +678,7 @@ struct wsa881x_priv {
*/
unsigned int sd_n_val;
int active_ports;
+ bool hw_init;
bool port_prepared[WSA881X_MAX_SWR_PORTS];
bool port_enable[WSA881X_MAX_SWR_PORTS];
};
@@ -687,6 +688,9 @@ static void wsa881x_init(struct wsa881x_
struct regmap *rm = wsa881x->regmap;
unsigned int val = 0;
+ if (wsa881x->hw_init)
+ return;
+
regmap_register_patch(wsa881x->regmap, wsa881x_rev_2_0,
ARRAY_SIZE(wsa881x_rev_2_0));
@@ -724,6 +728,8 @@ static void wsa881x_init(struct wsa881x_
regmap_update_bits(rm, WSA881X_OTP_REG_28, 0x3F, 0x3A);
regmap_update_bits(rm, WSA881X_BONGO_RESRV_REG1, 0xFF, 0xB2);
regmap_update_bits(rm, WSA881X_BONGO_RESRV_REG2, 0xFF, 0x05);
+
+ wsa881x->hw_init = true;
}
static int wsa881x_component_probe(struct snd_soc_component *comp)
@@ -1067,6 +1073,9 @@ static int wsa881x_update_status(struct
{
struct wsa881x_priv *wsa881x = dev_get_drvdata(&slave->dev);
+ if (status == SDW_SLAVE_UNATTACHED)
+ wsa881x->hw_init = false;
+
if (status == SDW_SLAVE_ATTACHED && slave->dev_num > 0)
wsa881x_init(wsa881x);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 128/198] ext4: fix ext4_tune_sb_params padding
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 127/198] ASoC: codecs: wsa881x: fix unnecessary initialisation Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 129/198] ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref Greg Kroah-Hartman
` (83 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Jan Kara,
Theodore Tso, stable
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit cd16edba1c6a24af138e1a5ded2711231fffa99f upstream.
The padding at the end of struct ext4_tune_sb_params is architecture
specific and in particular is different between x86-32 and x86-64,
since the __u64 member only enforces struct alignment on the latter.
This shows up as a new warning when test-building the headers with
-Wpadded:
include/linux/ext4.h:144:1: error: padding struct size to alignment boundary with 4 bytes [-Werror=padded]
All members inside the structure are naturally aligned, so the only
difference here is the amount of padding at the end. Make the padding
explicit, to have a consistent sizeof(struct ext4_tune_sb_params) of
232 on all architectures and avoid adding compat ioctl handling for
EXT4_IOC_GET_TUNE_SB_PARAM/EXT4_IOC_SET_TUNE_SB_PARAM.
This is an ABI break on x86-32 but hopefully this can go into 6.18.y early
enough as a fixup so no actual users will be affected. Alternatively, the
kernel could handle the ioctl commands for both sizes (232 and 228 bytes)
on all architectures.
Fixes: 04a91570ac67 ("ext4: implemet new ioctls to set and get superblock parameters")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20251204101914.1037148-1-arnd@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/ext4.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/uapi/linux/ext4.h
+++ b/include/uapi/linux/ext4.h
@@ -139,7 +139,7 @@ struct ext4_tune_sb_params {
__u32 clear_feature_incompat_mask;
__u32 clear_feature_ro_compat_mask;
__u8 mount_opts[64];
- __u8 pad[64];
+ __u8 pad[68];
};
#define EXT4_TUNE_FL_ERRORS_BEHAVIOR 0x00000001
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 129/198] ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 128/198] ext4: fix ext4_tune_sb_params padding Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 130/198] hrtimer: Fix softirq base check in update_needs_ipi() Greg Kroah-Hartman
` (82 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Erkun, Baokun Li, Zhang Yi,
Theodore Tso, stable
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yang Erkun <yangerkun@huawei.com>
commit d250bdf531d9cd4096fedbb9f172bb2ca660c868 upstream.
The error branch for ext4_xattr_inode_update_ref forget to release the
refcount for iloc.bh. Find this when review code.
Fixes: 57295e835408 ("ext4: guard against EA inode refcount underflow in xattr update")
Signed-off-by: Yang Erkun <yangerkun@huawei.com>
Reviewed-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Link: https://patch.msgid.link/20251213055706.3417529-1-yangerkun@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1037,6 +1037,7 @@ static int ext4_xattr_inode_update_ref(h
ext4_error_inode(ea_inode, __func__, __LINE__, 0,
"EA inode %lu ref wraparound: ref_count=%lld ref_change=%d",
ea_inode->i_ino, ref_count, ref_change);
+ brelse(iloc.bh);
ret = -EFSCORRUPTED;
goto out;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 130/198] hrtimer: Fix softirq base check in update_needs_ipi()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 129/198] ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 131/198] EDAC/x38: Fix a resource leak in x38_probe1() Greg Kroah-Hartman
` (81 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh,
Thomas Gleixner
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit 05dc4a9fc8b36d4c99d76bbc02aa9ec0132de4c2 upstream.
The 'clockid' field is not the correct way to check for a softirq base.
Fix the check to correctly compare the base type instead of the clockid.
Fixes: 1e7f7fbcd40c ("hrtimer: Avoid more SMP function calls in clock_was_set()")
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20260107-hrtimer-clock-base-check-v1-1-afb5dbce94a1@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/time/hrtimer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -913,7 +913,7 @@ static bool update_needs_ipi(struct hrti
return true;
/* Extra check for softirq clock bases */
- if (base->clockid < HRTIMER_BASE_MONOTONIC_SOFT)
+ if (base->index < HRTIMER_BASE_MONOTONIC_SOFT)
continue;
if (cpu_base->softirq_activated)
continue;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 131/198] EDAC/x38: Fix a resource leak in x38_probe1()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 130/198] hrtimer: Fix softirq base check in update_needs_ipi() Greg Kroah-Hartman
@ 2026-01-21 18:15 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 132/198] EDAC/i3200: Fix a resource leak in i3200_probe1() Greg Kroah-Hartman
` (80 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Borislav Petkov (AMD)
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 0ff7c44106b4715fc27a2e455d9f57f1dfcfd54f upstream.
If edac_mc_alloc() fails, also unmap the window.
[ bp: Use separate labels, turning it into the classic unwind pattern. ]
Fixes: df8bc08c192f ("edac x38: new MC driver module")
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251223124350.1496325-1-lihaoxiang@isrc.iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/edac/x38_edac.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/edac/x38_edac.c
+++ b/drivers/edac/x38_edac.c
@@ -341,9 +341,12 @@ static int x38_probe1(struct pci_dev *pd
layers[1].type = EDAC_MC_LAYER_CHANNEL;
layers[1].size = x38_channel_num;
layers[1].is_virt_csrow = false;
+
+
+ rc = -ENOMEM;
mci = edac_mc_alloc(0, ARRAY_SIZE(layers), layers, 0);
if (!mci)
- return -ENOMEM;
+ goto unmap;
edac_dbg(3, "MC: init mci\n");
@@ -403,9 +406,9 @@ static int x38_probe1(struct pci_dev *pd
return 0;
fail:
+ edac_mc_free(mci);
+unmap:
iounmap(window);
- if (mci)
- edac_mc_free(mci);
return rc;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 132/198] EDAC/i3200: Fix a resource leak in i3200_probe1()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2026-01-21 18:15 ` [PATCH 6.18 131/198] EDAC/x38: Fix a resource leak in x38_probe1() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 133/198] tcpm: allow looking for role_sw device in the main node Greg Kroah-Hartman
` (79 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Borislav Petkov (AMD)
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit d42d5715dcb559342ff356327b241c53a67584d9 upstream.
If edac_mc_alloc() fails, also unmap the window.
[ bp: Use separate labels, turning it into the classic unwind pattern. ]
Fixes: dd8ef1db87a4 ("edac: i3200 memory controller driver")
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251223123202.1492038-1-lihaoxiang@isrc.iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/edac/i3200_edac.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/drivers/edac/i3200_edac.c
+++ b/drivers/edac/i3200_edac.c
@@ -358,10 +358,11 @@ static int i3200_probe1(struct pci_dev *
layers[1].type = EDAC_MC_LAYER_CHANNEL;
layers[1].size = nr_channels;
layers[1].is_virt_csrow = false;
- mci = edac_mc_alloc(0, ARRAY_SIZE(layers), layers,
- sizeof(struct i3200_priv));
+
+ rc = -ENOMEM;
+ mci = edac_mc_alloc(0, ARRAY_SIZE(layers), layers, sizeof(struct i3200_priv));
if (!mci)
- return -ENOMEM;
+ goto unmap;
edac_dbg(3, "MC: init mci\n");
@@ -421,9 +422,9 @@ static int i3200_probe1(struct pci_dev *
return 0;
fail:
+ edac_mc_free(mci);
+unmap:
iounmap(window);
- if (mci)
- edac_mc_free(mci);
return rc;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 133/198] tcpm: allow looking for role_sw device in the main node
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 132/198] EDAC/i3200: Fix a resource leak in i3200_probe1() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 134/198] i2c: riic: Move suspend handling to NOIRQ phase Greg Kroah-Hartman
` (78 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Heikki Krogerus,
Dragan Simic, Arnaud Ferraris
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaud Ferraris <arnaud.ferraris@collabora.com>
commit 1366cd228b0c67b60a2c0c26ef37fe9f7cfedb7f upstream.
If ports are defined in the tcpc main node, fwnode_usb_role_switch_get()
returns an error, meaning usb_role_switch_get() (which would succeed)
never gets a chance to run as port->role_sw isn't NULL, causing a
regression on devices where this is the case.
Fix this by turning the NULL check into IS_ERR_OR_NULL(), so
usb_role_switch_get() can actually run and the device get properly probed.
Fixes: 2d8713f807a4 ("tcpm: switch check for role_sw device with fw_node")
Cc: stable <stable@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Dragan Simic <dsimic@manjaro.org>
Signed-off-by: Arnaud Ferraris <arnaud.ferraris@collabora.com>
Link: https://patch.msgid.link/20260105-fix-ppp-power-v2-1-6924f5a41224@collabora.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -7877,7 +7877,7 @@ struct tcpm_port *tcpm_register_port(str
port->partner_desc.identity = &port->partner_ident;
port->role_sw = fwnode_usb_role_switch_get(tcpc->fwnode);
- if (!port->role_sw)
+ if (IS_ERR_OR_NULL(port->role_sw))
port->role_sw = usb_role_switch_get(port->dev);
if (IS_ERR(port->role_sw)) {
err = PTR_ERR(port->role_sw);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 134/198] i2c: riic: Move suspend handling to NOIRQ phase
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 133/198] tcpm: allow looking for role_sw device in the main node Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 135/198] x86/resctrl: Add missing resctrl initialization for Hygon Greg Kroah-Hartman
` (77 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tommaso Merciai, Biju Das,
Wolfram Sang
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
commit e383f0961422f983451ac4dd6aed1a3d3311f2be upstream.
Commit 53326135d0e0 ("i2c: riic: Add suspend/resume support") added
suspend support for the Renesas I2C driver and following this change
on RZ/G3E the following WARNING is seen on entering suspend ...
[ 134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
[ 134.285536] ------------[ cut here ]------------
[ 134.290298] i2c i2c-2: Transfer while suspended
[ 134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388
[ 134.365507] Tainted: [W]=WARN
[ 134.368485] Hardware name: Renesas SMARC EVK version 2 based on r9a09g047e57 (DT)
[ 134.375961] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 134.382935] pc : __i2c_smbus_xfer+0x1e4/0x214
[ 134.387329] lr : __i2c_smbus_xfer+0x1e4/0x214
[ 134.391717] sp : ffff800083f23860
[ 134.395040] x29: ffff800083f23860 x28: 0000000000000000 x27: ffff800082ed5d60
[ 134.402226] x26: 0000001f4395fd74 x25: 0000000000000007 x24: 0000000000000001
[ 134.409408] x23: 0000000000000000 x22: 000000000000006f x21: ffff800083f23936
[ 134.416589] x20: ffff0000c090e140 x19: ffff0000c090e0d0 x18: 0000000000000006
[ 134.423771] x17: 6f63657320313030 x16: 2e30206465737061 x15: ffff800083f23280
[ 134.430953] x14: 0000000000000000 x13: ffff800082b16ce8 x12: 0000000000000f09
[ 134.438134] x11: 0000000000000503 x10: ffff800082b6ece8 x9 : ffff800082b16ce8
[ 134.445315] x8 : 00000000ffffefff x7 : ffff800082b6ece8 x6 : 80000000fffff000
[ 134.452495] x5 : 0000000000000504 x4 : 0000000000000000 x3 : 0000000000000000
[ 134.459672] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c9ee9e80
[ 134.466851] Call trace:
[ 134.469311] __i2c_smbus_xfer+0x1e4/0x214 (P)
[ 134.473715] i2c_smbus_xfer+0xbc/0x120
[ 134.477507] i2c_smbus_read_byte_data+0x4c/0x84
[ 134.482077] isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208]
[ 134.487703] isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208]
[ 134.493226] __rtc_read_time+0x44/0x88
[ 134.497012] rtc_read_time+0x3c/0x68
[ 134.500622] rtc_suspend+0x9c/0x170
The warning is triggered because I2C transfers can still be attempted
while the controller is already suspended, due to inappropriate ordering
of the system sleep callbacks.
If the controller is autosuspended, there is no way to wake it up once
runtime PM disabled (in suspend_late()). During system resume, the I2C
controller will be available only after runtime PM is re-enabled
(in resume_early()). However, this may be too late for some devices.
Wake up the controller in the suspend() callback while runtime PM is
still enabled. The I2C controller will remain available until the
suspend_noirq() callback (pm_runtime_force_suspend()) is called. During
resume, the I2C controller can be restored by the resume_noirq() callback
(pm_runtime_force_resume()). Finally, the resume() callback re-enables
autosuspend. As a result, the I2C controller can remain available until
the system enters suspend_noirq() and from resume_noirq().
Cc: stable@vger.kernel.org
Fixes: 53326135d0e0 ("i2c: riic: Add suspend/resume support")
Signed-off-by: Tommaso Merciai <tommaso.merciai.xr@bp.renesas.com>
Reviewed-by: Biju Das <biju.das.jz@bp.renesas.com>
Tested-by: Biju Das <biju.das.jz@bp.renesas.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-riic.c | 46 +++++++++++++++++++++++++++++++++++-------
1 file changed, 39 insertions(+), 7 deletions(-)
--- a/drivers/i2c/busses/i2c-riic.c
+++ b/drivers/i2c/busses/i2c-riic.c
@@ -670,12 +670,39 @@ static const struct riic_of_data riic_rz
static int riic_i2c_suspend(struct device *dev)
{
- struct riic_dev *riic = dev_get_drvdata(dev);
- int ret;
+ /*
+ * Some I2C devices may need the I2C controller to remain active
+ * during resume_noirq() or suspend_noirq(). If the controller is
+ * autosuspended, there is no way to wake it up once runtime PM is
+ * disabled (in suspend_late()).
+ *
+ * During system resume, the I2C controller will be available only
+ * after runtime PM is re-enabled (in resume_early()). However, this
+ * may be too late for some devices.
+ *
+ * Wake up the controller in the suspend() callback while runtime PM
+ * is still enabled. The I2C controller will remain available until
+ * the suspend_noirq() callback (pm_runtime_force_suspend()) is
+ * called. During resume, the I2C controller can be restored by the
+ * resume_noirq() callback (pm_runtime_force_resume()).
+ *
+ * Finally, the resume() callback re-enables autosuspend, ensuring
+ * the I2C controller remains available until the system enters
+ * suspend_noirq() and from resume_noirq().
+ */
+ return pm_runtime_resume_and_get(dev);
+}
- ret = pm_runtime_resume_and_get(dev);
- if (ret)
- return ret;
+static int riic_i2c_resume(struct device *dev)
+{
+ pm_runtime_put_autosuspend(dev);
+
+ return 0;
+}
+
+static int riic_i2c_suspend_noirq(struct device *dev)
+{
+ struct riic_dev *riic = dev_get_drvdata(dev);
i2c_mark_adapter_suspended(&riic->adapter);
@@ -683,12 +710,12 @@ static int riic_i2c_suspend(struct devic
riic_clear_set_bit(riic, ICCR1_ICE, 0, RIIC_ICCR1);
pm_runtime_mark_last_busy(dev);
- pm_runtime_put_sync(dev);
+ pm_runtime_force_suspend(dev);
return reset_control_assert(riic->rstc);
}
-static int riic_i2c_resume(struct device *dev)
+static int riic_i2c_resume_noirq(struct device *dev)
{
struct riic_dev *riic = dev_get_drvdata(dev);
int ret;
@@ -697,6 +724,10 @@ static int riic_i2c_resume(struct device
if (ret)
return ret;
+ ret = pm_runtime_force_resume(dev);
+ if (ret)
+ return ret;
+
ret = riic_init_hw(riic);
if (ret) {
/*
@@ -714,6 +745,7 @@ static int riic_i2c_resume(struct device
}
static const struct dev_pm_ops riic_i2c_pm_ops = {
+ NOIRQ_SYSTEM_SLEEP_PM_OPS(riic_i2c_suspend_noirq, riic_i2c_resume_noirq)
SYSTEM_SLEEP_PM_OPS(riic_i2c_suspend, riic_i2c_resume)
};
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 135/198] x86/resctrl: Add missing resctrl initialization for Hygon
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 134/198] i2c: riic: Move suspend handling to NOIRQ phase Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 136/198] x86/resctrl: Fix memory bandwidth counter width " Greg Kroah-Hartman
` (76 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaochen Shen, Borislav Petkov (AMD),
Reinette Chatre
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaochen Shen <shenxiaochen@open-hieco.net>
commit 6ee98aabdc700b5705e4f1833e2edc82a826b53b upstream.
Hygon CPUs supporting Platform QoS features currently undergo partial resctrl
initialization through resctrl_cpu_detect() in the Hygon BSP init helper and
AMD/Hygon common initialization code. However, several critical data
structures remain uninitialized for Hygon CPUs in the following paths:
- get_mem_config()-> __rdt_get_mem_config_amd():
rdt_resource::membw,alloc_capable
hw_res::num_closid
- rdt_init_res_defs()->rdt_init_res_defs_amd():
rdt_resource::cache
hw_res::msr_base,msr_update
Add the missing AMD/Hygon common initialization to ensure proper Platform QoS
functionality on Hygon CPUs.
Fixes: d8df126349da ("x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper")
Signed-off-by: Xiaochen Shen <shenxiaochen@open-hieco.net>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251209062650.1536952-2-shenxiaochen@open-hieco.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/resctrl/core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/cpu/resctrl/core.c
+++ b/arch/x86/kernel/cpu/resctrl/core.c
@@ -818,7 +818,8 @@ static __init bool get_mem_config(void)
if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
return __get_mem_config_intel(&hw_res->r_resctrl);
- else if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
+ else if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
+ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)
return __rdt_get_mem_config_amd(&hw_res->r_resctrl);
return false;
@@ -978,7 +979,8 @@ static __init void rdt_init_res_defs(voi
{
if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
rdt_init_res_defs_intel();
- else if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD)
+ else if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
+ boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)
rdt_init_res_defs_amd();
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 136/198] x86/resctrl: Fix memory bandwidth counter width for Hygon
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 135/198] x86/resctrl: Add missing resctrl initialization for Hygon Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 137/198] nvme: fix PCIe subsystem reset controller state transition Greg Kroah-Hartman
` (75 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaochen Shen, Borislav Petkov (AMD),
Tony Luck, Reinette Chatre
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaochen Shen <shenxiaochen@open-hieco.net>
commit 7517e899e1b87b4c22a92c7e40d8733c48e4ec3c upstream.
The memory bandwidth calculation relies on reading the hardware counter
and measuring the delta between samples. To ensure accurate measurement,
the software reads the counter frequently enough to prevent it from
rolling over twice between reads.
The default Memory Bandwidth Monitoring (MBM) counter width is 24 bits.
Hygon CPUs provide a 32-bit width counter, but they do not support the
MBM capability CPUID leaf (0xF.[ECX=1]:EAX) to report the width offset
(from 24 bits).
Consequently, the kernel falls back to the 24-bit default counter width,
which causes incorrect overflow handling on Hygon CPUs.
Fix this by explicitly setting the counter width offset to 8 bits (resulting
in a 32-bit total counter width) for Hygon CPUs.
Fixes: d8df126349da ("x86/cpu/hygon: Add missing resctrl_cpu_detect() in bsp_init helper")
Signed-off-by: Xiaochen Shen <shenxiaochen@open-hieco.net>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20251209062650.1536952-3-shenxiaochen@open-hieco.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/resctrl/core.c | 15 +++++++++++++--
arch/x86/kernel/cpu/resctrl/internal.h | 3 +++
2 files changed, 16 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/cpu/resctrl/core.c
+++ b/arch/x86/kernel/cpu/resctrl/core.c
@@ -1012,8 +1012,19 @@ void resctrl_cpu_detect(struct cpuinfo_x
c->x86_cache_occ_scale = ebx;
c->x86_cache_mbm_width_offset = eax & 0xff;
- if (c->x86_vendor == X86_VENDOR_AMD && !c->x86_cache_mbm_width_offset)
- c->x86_cache_mbm_width_offset = MBM_CNTR_WIDTH_OFFSET_AMD;
+ if (!c->x86_cache_mbm_width_offset) {
+ switch (c->x86_vendor) {
+ case X86_VENDOR_AMD:
+ c->x86_cache_mbm_width_offset = MBM_CNTR_WIDTH_OFFSET_AMD;
+ break;
+ case X86_VENDOR_HYGON:
+ c->x86_cache_mbm_width_offset = MBM_CNTR_WIDTH_OFFSET_HYGON;
+ break;
+ default:
+ /* Leave c->x86_cache_mbm_width_offset as 0 */
+ break;
+ }
+ }
}
}
--- a/arch/x86/kernel/cpu/resctrl/internal.h
+++ b/arch/x86/kernel/cpu/resctrl/internal.h
@@ -14,6 +14,9 @@
#define MBM_CNTR_WIDTH_OFFSET_AMD 20
+/* Hygon MBM counter width as an offset from MBM_CNTR_WIDTH_BASE */
+#define MBM_CNTR_WIDTH_OFFSET_HYGON 8
+
#define RMID_VAL_ERROR BIT_ULL(63)
#define RMID_VAL_UNAVAIL BIT_ULL(62)
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 137/198] nvme: fix PCIe subsystem reset controller state transition
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 136/198] x86/resctrl: Fix memory bandwidth counter width " Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 138/198] mm: kmsan: fix poisoning of high-order non-compound pages Greg Kroah-Hartman
` (74 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Wagner, Nilay Shroff,
Keith Busch
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nilay Shroff <nilay@linux.ibm.com>
commit 0edb475ac0a7d153318a24d4dca175a270a5cc4f upstream.
The commit d2fe192348f9 (“nvme: only allow entering LIVE from CONNECTING
state”) disallows controller state transitions directly from RESETTING
to LIVE. However, the NVMe PCIe subsystem reset path relies on this
transition to recover the controller on PowerPC (PPC) systems.
On PPC systems, issuing a subsystem reset causes a temporary loss of
communication with the NVMe adapter. A subsequent PCIe MMIO read then
triggers EEH recovery, which restores the PCIe link and brings the
controller back online. For EEH recovery to proceed correctly, the
controller must transition back to the LIVE state.
Due to the changes introduced by commit d2fe192348f9 (“nvme: only allow
entering LIVE from CONNECTING state”), the controller can no longer
transition directly from RESETTING to LIVE. As a result, EEH recovery
exits prematurely, leaving the controller stuck in the RESETTING state.
Fix this by explicitly transitioning the controller state from RESETTING
to CONNECTING and then to LIVE. This satisfies the updated state
transition rules and allows the controller to be successfully recovered
on PPC systems following a PCIe subsystem reset.
Cc: stable@vger.kernel.org
Fixes: d2fe192348f9 ("nvme: only allow entering LIVE from CONNECTING state")
Reviewed-by: Daniel Wagner <dwagner@suse.de>
Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/pci.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1461,7 +1461,10 @@ static int nvme_pci_subsystem_reset(stru
}
writel(NVME_SUBSYS_RESET, dev->bar + NVME_REG_NSSR);
- nvme_change_ctrl_state(ctrl, NVME_CTRL_LIVE);
+
+ if (!nvme_change_ctrl_state(ctrl, NVME_CTRL_CONNECTING) ||
+ !nvme_change_ctrl_state(ctrl, NVME_CTRL_LIVE))
+ goto unlock;
/*
* Read controller status to flush the previous write and trigger a
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 138/198] mm: kmsan: fix poisoning of high-order non-compound pages
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 137/198] nvme: fix PCIe subsystem reset controller state transition Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 139/198] mm: numa,memblock: include <asm/numa.h> for numa_nodes_parsed Greg Kroah-Hartman
` (73 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryan Roberts, Alexander Potapenko,
Dmitriy Vyukov, Marco Elver, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryan Roberts <ryan.roberts@arm.com>
commit 4795d205d78690a46b60164f44b8bb7b3e800865 upstream.
kmsan_free_page() is called by the page allocator's free_pages_prepare()
during page freeing. Its job is to poison all the memory covered by the
page. It can be called with an order-0 page, a compound high-order page
or a non-compound high-order page. But page_size() only works for order-0
and compound pages. For a non-compound high-order page it will
incorrectly return PAGE_SIZE.
The implication is that the tail pages of a high-order non-compound page
do not get poisoned at free, so any invalid access while they are free
could go unnoticed. It looks like the pages will be poisoned again at
allocation time, so that would bookend the window.
Fix this by using the order parameter to calculate the size.
Link: https://lkml.kernel.org/r/20260104134348.3544298-1-ryan.roberts@arm.com
Fixes: b073d7f8aee4 ("mm: kmsan: maintain KMSAN metadata for page operations")
Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
Reviewed-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Marco Elver <elver@google.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/kmsan/shadow.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/kmsan/shadow.c
+++ b/mm/kmsan/shadow.c
@@ -207,7 +207,7 @@ void kmsan_free_page(struct page *page,
if (!kmsan_enabled || kmsan_in_runtime())
return;
kmsan_enter_runtime();
- kmsan_internal_poison_memory(page_address(page), page_size(page),
+ kmsan_internal_poison_memory(page_address(page), PAGE_SIZE << order,
GFP_KERNEL & ~(__GFP_RECLAIM),
KMSAN_POISON_CHECK | KMSAN_POISON_FREE);
kmsan_leave_runtime();
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 139/198] mm: numa,memblock: include <asm/numa.h> for numa_nodes_parsed
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 138/198] mm: kmsan: fix poisoning of high-order non-compound pages Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 140/198] mm/zswap: fix error pointer free in zswap_cpu_comp_prepare() Greg Kroah-Hartman
` (72 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Dooks, Mike Rapoport (Microsoft),
Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@codethink.co.uk>
commit f46c26f1bcd9164d7f3377f15ca75488a3e44362 upstream.
The 'numa_nodes_parsed' is defined in <asm/numa.h> but this file
is not included in mm/numa_memblks.c (build x86_64) so add this
to the incldues to fix the following sparse warning:
mm/numa_memblks.c:13:12: warning: symbol 'numa_nodes_parsed' was not declared. Should it be static?
Link: https://lkml.kernel.org/r/20260108101539.229192-1-ben.dooks@codethink.co.uk
Fixes: 87482708210f ("mm: introduce numa_memblks")
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Ben Dooks <ben.dooks@codethink.co.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/numa_memblks.c | 2 ++
1 file changed, 2 insertions(+)
--- a/mm/numa_memblks.c
+++ b/mm/numa_memblks.c
@@ -7,6 +7,8 @@
#include <linux/numa.h>
#include <linux/numa_memblks.h>
+#include <asm/numa.h>
+
int numa_distance_cnt;
static u8 *numa_distance;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 140/198] mm/zswap: fix error pointer free in zswap_cpu_comp_prepare()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 139/198] mm: numa,memblock: include <asm/numa.h> for numa_nodes_parsed Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 141/198] mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free Greg Kroah-Hartman
` (71 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pavel Butsykin, SeongJae Park,
Yosry Ahmed, Nhat Pham, Johannes Weiner, Chengming Zhou,
Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Butsykin <pbutsykin@cloudlinux.com>
commit 590b13669b813d55844fecd9142c56abd567914d upstream.
crypto_alloc_acomp_node() may return ERR_PTR(), but the fail path checks
only for NULL and can pass an error pointer to crypto_free_acomp(). Use
IS_ERR_OR_NULL() to only free valid acomp instances.
Link: https://lkml.kernel.org/r/20251231074638.2564302-1-pbutsykin@cloudlinux.com
Fixes: 779b9955f643 ("mm: zswap: move allocations during CPU init outside the lock")
Signed-off-by: Pavel Butsykin <pbutsykin@cloudlinux.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Acked-by: Yosry Ahmed <yosry.ahmed@linux.dev>
Acked-by: Nhat Pham <nphamcs@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Chengming Zhou <chengming.zhou@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/zswap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/zswap.c
+++ b/mm/zswap.c
@@ -787,7 +787,7 @@ static int zswap_cpu_comp_prepare(unsign
return 0;
fail:
- if (acomp)
+ if (!IS_ERR_OR_NULL(acomp))
crypto_free_acomp(acomp);
kfree(buffer);
return ret;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 141/198] mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 140/198] mm/zswap: fix error pointer free in zswap_cpu_comp_prepare() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 142/198] mm/damon/core: remove call_control in inactive contexts Greg Kroah-Hartman
` (70 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aboorva Devarajan, Michal Hocko,
Brendan Jackman, Johannes Weiner, Suren Baghdasaryan,
Vlastimil Babka, Zi Yan, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aboorva Devarajan <aboorvad@linux.ibm.com>
commit b9efe36b5e3eb2e91aa3d706066428648af034fc upstream.
When page isolation loops indefinitely during memory offline, reading
/proc/sys/vm/percpu_pagelist_high_fraction blocks on pcp_batch_high_lock,
causing hung task warnings.
Make procfs reads lock-free since percpu_pagelist_high_fraction is a
simple integer with naturally atomic reads, writers still serialize via
the mutex.
This prevents hung task warnings when reading the procfs file during
long-running memory offline operations.
[akpm@linux-foundation.org: add comment, per Michal]
Link: https://lkml.kernel.org/r/aS_y9AuJQFydLEXo@tiehlicka
Link: https://lkml.kernel.org/r/20251201060009.1420792-1-aboorvad@linux.ibm.com
Signed-off-by: Aboorva Devarajan <aboorvad@linux.ibm.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page_alloc.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -6611,11 +6611,19 @@ static int percpu_pagelist_high_fraction
int old_percpu_pagelist_high_fraction;
int ret;
+ /*
+ * Avoid using pcp_batch_high_lock for reads as the value is read
+ * atomically and a race with offlining is harmless.
+ */
+
+ if (!write)
+ return proc_dointvec_minmax(table, write, buffer, length, ppos);
+
mutex_lock(&pcp_batch_high_lock);
old_percpu_pagelist_high_fraction = percpu_pagelist_high_fraction;
ret = proc_dointvec_minmax(table, write, buffer, length, ppos);
- if (!write || ret < 0)
+ if (ret < 0)
goto out;
/* Sanity checking to avoid pcp imbalance */
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 142/198] mm/damon/core: remove call_control in inactive contexts
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 141/198] mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 143/198] mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure Greg Kroah-Hartman
` (69 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, JaeJoon Jung,
Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit f9132fbc2e83baf2c45a77043672a63a675c9394 upstream.
If damon_call() is executed against a DAMON context that is not running,
the function returns error while keeping the damon_call_control object
linked to the context's call_controls list. Let's suppose the object is
deallocated after the damon_call(), and yet another damon_call() is
executed against the same context. The function tries to add the new
damon_call_control object to the call_controls list, which still has the
pointer to the previous damon_call_control object, which is deallocated.
As a result, use-after-free happens.
This can actually be triggered using the DAMON sysfs interface. It is not
easily exploitable since it requires the sysfs write permission and making
a definitely weird file writes, though. Please refer to the report for
more details about the issue reproduction steps.
Fix the issue by making two changes. Firstly, move the final
kdamond_call() for cancelling all existing damon_call() requests from
terminating DAMON context to be done before the ctx->kdamond reset. This
makes any code that sees NULL ctx->kdamond can safely assume the context
may not access damon_call() requests anymore. Secondly, let damon_call()
to cleanup the damon_call_control objects that were added to the
already-terminated DAMON context, before returning the error.
Link: https://lkml.kernel.org/r/20251231012315.75835-1-sj@kernel.org
Fixes: 004ded6bee11 ("mm/damon: accept parallel damon_call() requests")
Signed-off-by: SeongJae Park <sj@kernel.org>
Reported-by: JaeJoon Jung <rgbi3307@gmail.com>
Closes: https://lore.kernel.org/20251224094401.20384-1-rgbi3307@gmail.com
Cc: <stable@vger.kernel.org> # 6.17.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/core.c | 33 +++++++++++++++++++++++++++++++--
1 file changed, 31 insertions(+), 2 deletions(-)
--- a/mm/damon/core.c
+++ b/mm/damon/core.c
@@ -1426,6 +1426,35 @@ bool damon_is_running(struct damon_ctx *
return running;
}
+/*
+ * damon_call_handle_inactive_ctx() - handle DAMON call request that added to
+ * an inactive context.
+ * @ctx: The inactive DAMON context.
+ * @control: Control variable of the call request.
+ *
+ * This function is called in a case that @control is added to @ctx but @ctx is
+ * not running (inactive). See if @ctx handled @control or not, and cleanup
+ * @control if it was not handled.
+ *
+ * Returns 0 if @control was handled by @ctx, negative error code otherwise.
+ */
+static int damon_call_handle_inactive_ctx(
+ struct damon_ctx *ctx, struct damon_call_control *control)
+{
+ struct damon_call_control *c;
+
+ mutex_lock(&ctx->call_controls_lock);
+ list_for_each_entry(c, &ctx->call_controls, list) {
+ if (c == control) {
+ list_del(&control->list);
+ mutex_unlock(&ctx->call_controls_lock);
+ return -EINVAL;
+ }
+ }
+ mutex_unlock(&ctx->call_controls_lock);
+ return 0;
+}
+
/**
* damon_call() - Invoke a given function on DAMON worker thread (kdamond).
* @ctx: DAMON context to call the function for.
@@ -1456,7 +1485,7 @@ int damon_call(struct damon_ctx *ctx, st
list_add_tail(&control->list, &ctx->call_controls);
mutex_unlock(&ctx->call_controls_lock);
if (!damon_is_running(ctx))
- return -EINVAL;
+ return damon_call_handle_inactive_ctx(ctx, control);
if (control->repeat)
return 0;
wait_for_completion(&control->completion);
@@ -2704,13 +2733,13 @@ done:
if (ctx->ops.cleanup)
ctx->ops.cleanup(ctx);
kfree(ctx->regions_score_histogram);
+ kdamond_call(ctx, true);
pr_debug("kdamond (%d) finishes\n", current->pid);
mutex_lock(&ctx->kdamond_lock);
ctx->kdamond = NULL;
mutex_unlock(&ctx->kdamond_lock);
- kdamond_call(ctx, true);
damos_walk_cancel(ctx);
mutex_lock(&damon_lock);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 143/198] mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 142/198] mm/damon/core: remove call_control in inactive contexts Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 144/198] mm/damon/sysfs-scheme: cleanup access_pattern " Greg Kroah-Hartman
` (68 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, chongjiapeng,
Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit dc7e1d75fd8c505096d0cddeca9e2efb2b55aaf9 upstream.
When a DAMOS-scheme DAMON sysfs directory setup fails after setup of
quotas/ directory, subdirectories of quotas/ directory are not cleaned up.
As a result, DAMON sysfs interface is nearly broken until the system
reboots, and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
Link: https://lkml.kernel.org/r/20251225023043.18579-4-sj@kernel.org
Fixes: 1b32234ab087 ("mm/damon/sysfs: support DAMOS watermarks")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: chongjiapeng <jiapeng.chong@linux.alibaba.com>
Cc: <stable@vger.kernel.org> # 5.18.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/sysfs-schemes.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -2117,7 +2117,7 @@ static int damon_sysfs_scheme_add_dirs(s
goto put_dests_out;
err = damon_sysfs_scheme_set_watermarks(scheme);
if (err)
- goto put_quotas_access_pattern_out;
+ goto rmdir_put_quotas_access_pattern_out;
err = damos_sysfs_set_filter_dirs(scheme);
if (err)
goto put_watermarks_quotas_access_pattern_out;
@@ -2142,7 +2142,8 @@ put_filters_watermarks_quotas_access_pat
put_watermarks_quotas_access_pattern_out:
kobject_put(&scheme->watermarks->kobj);
scheme->watermarks = NULL;
-put_quotas_access_pattern_out:
+rmdir_put_quotas_access_pattern_out:
+ damon_sysfs_quotas_rm_dirs(scheme->quotas);
kobject_put(&scheme->quotas->kobj);
scheme->quotas = NULL;
put_dests_out:
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 144/198] mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 143/198] mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 145/198] mm/damon/sysfs: cleanup intervals subdirs on attrs " Greg Kroah-Hartman
` (67 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, chongjiapeng,
Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 392b3d9d595f34877dd745b470c711e8ebcd225c upstream.
When a DAMOS-scheme DAMON sysfs directory setup fails after setup of
access_pattern/ directory, subdirectories of access_pattern/ directory are
not cleaned up. As a result, DAMON sysfs interface is nearly broken until
the system reboots, and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
Link: https://lkml.kernel.org/r/20251225023043.18579-5-sj@kernel.org
Fixes: 9bbb820a5bd5 ("mm/damon/sysfs: support DAMOS quotas")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: chongjiapeng <jiapeng.chong@linux.alibaba.com>
Cc: <stable@vger.kernel.org> # 5.18.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/sysfs-schemes.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/mm/damon/sysfs-schemes.c
+++ b/mm/damon/sysfs-schemes.c
@@ -2111,7 +2111,7 @@ static int damon_sysfs_scheme_add_dirs(s
return err;
err = damos_sysfs_set_dests(scheme);
if (err)
- goto put_access_pattern_out;
+ goto rmdir_put_access_pattern_out;
err = damon_sysfs_scheme_set_quotas(scheme);
if (err)
goto put_dests_out;
@@ -2149,7 +2149,8 @@ rmdir_put_quotas_access_pattern_out:
put_dests_out:
kobject_put(&scheme->dests->kobj);
scheme->dests = NULL;
-put_access_pattern_out:
+rmdir_put_access_pattern_out:
+ damon_sysfs_access_pattern_rm_dirs(scheme->access_pattern);
kobject_put(&scheme->access_pattern->kobj);
scheme->access_pattern = NULL;
return err;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 145/198] mm/damon/sysfs: cleanup intervals subdirs on attrs dir setup failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 144/198] mm/damon/sysfs-scheme: cleanup access_pattern " Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 146/198] mm/damon/sysfs: cleanup attrs subdirs on context " Greg Kroah-Hartman
` (66 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, chongjiapeng,
Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit a24ca8ebb0cd5ea07a1462b77be0f0823c40f319 upstream.
Patch series "mm/damon/sysfs: free setup failures generated zombie sub-sub
dirs".
Some DAMON sysfs directory setup functions generates its sub and sub-sub
directories. For example, 'monitoring_attrs/' directory setup creates
'intervals/' and 'intervals/intervals_goal/' directories under
'monitoring_attrs/' directory. When such sub-sub directories are
successfully made but followup setup is failed, the setup function should
recursively clean up the subdirectories.
However, such setup functions are only dereferencing sub directory
reference counters. As a result, under certain setup failures, the
sub-sub directories keep having non-zero reference counters. It means the
directories cannot be removed like zombies, and the memory for the
directories cannot be freed.
The user impact of this issue is limited due to the following reasons.
When the issue happens, the zombie directories are still taking the path.
Hence attempts to generate the directories again will fail, without
additional memory leak. This means the upper bound memory leak is
limited. Nonetheless this also implies controlling DAMON with a feature
that requires the setup-failed sysfs files will be impossible until the
system reboots.
Also, the setup operations are quite simple. The certain failures would
hence only rarely happen, and are difficult to artificially trigger.
This patch (of 4):
When attrs/ DAMON sysfs directory setup is failed after setup of
intervals/ directory, intervals/intervals_goal/ directory is not cleaned
up. As a result, DAMON sysfs interface is nearly broken until the system
reboots, and the memory for the unremoved directory is leaked.
Cleanup the directory under such failures.
Link: https://lkml.kernel.org/r/20251225023043.18579-1-sj@kernel.org
Link: https://lkml.kernel.org/r/20251225023043.18579-2-sj@kernel.org
Fixes: 8fbbcbeaafeb ("mm/damon/sysfs: implement intervals tuning goal directory")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: chongjiapeng <jiapeng.chong@linux.alibaba.com>
Cc: <stable@vger.kernel.org> # 6.15.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/sysfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -764,7 +764,7 @@ static int damon_sysfs_attrs_add_dirs(st
nr_regions_range = damon_sysfs_ul_range_alloc(10, 1000);
if (!nr_regions_range) {
err = -ENOMEM;
- goto put_intervals_out;
+ goto rmdir_put_intervals_out;
}
err = kobject_init_and_add(&nr_regions_range->kobj,
@@ -778,6 +778,8 @@ static int damon_sysfs_attrs_add_dirs(st
put_nr_regions_intervals_out:
kobject_put(&nr_regions_range->kobj);
attrs->nr_regions_range = NULL;
+rmdir_put_intervals_out:
+ damon_sysfs_intervals_rm_dirs(intervals);
put_intervals_out:
kobject_put(&intervals->kobj);
attrs->intervals = NULL;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 146/198] mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 145/198] mm/damon/sysfs: cleanup intervals subdirs on attrs " Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 147/198] LoongArch: Fix PMU counter allocation for mixed-type event groups Greg Kroah-Hartman
` (65 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, SeongJae Park, chongjiapeng,
Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: SeongJae Park <sj@kernel.org>
commit 9814cc832b88bd040fc2a1817c2b5469d0f7e862 upstream.
When a context DAMON sysfs directory setup is failed after setup of attrs/
directory, subdirectories of attrs/ directory are not cleaned up. As a
result, DAMON sysfs interface is nearly broken until the system reboots,
and the memory for the unremoved directory is leaked.
Cleanup the directories under such failures.
Link: https://lkml.kernel.org/r/20251225023043.18579-3-sj@kernel.org
Fixes: c951cd3b8901 ("mm/damon: implement a minimal stub for sysfs-based DAMON interface")
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: chongjiapeng <jiapeng.chong@linux.alibaba.com>
Cc: <stable@vger.kernel.org> # 5.18.x
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/sysfs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/mm/damon/sysfs.c
+++ b/mm/damon/sysfs.c
@@ -922,7 +922,7 @@ static int damon_sysfs_context_add_dirs(
err = damon_sysfs_context_set_targets(context);
if (err)
- goto put_attrs_out;
+ goto rmdir_put_attrs_out;
err = damon_sysfs_context_set_schemes(context);
if (err)
@@ -932,7 +932,8 @@ static int damon_sysfs_context_add_dirs(
put_targets_attrs_out:
kobject_put(&context->targets->kobj);
context->targets = NULL;
-put_attrs_out:
+rmdir_put_attrs_out:
+ damon_sysfs_attrs_rm_dirs(context->attrs);
kobject_put(&context->attrs->kobj);
context->attrs = NULL;
return err;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 147/198] LoongArch: Fix PMU counter allocation for mixed-type event groups
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 146/198] mm/damon/sysfs: cleanup attrs subdirs on context " Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 148/198] LoongArch: dts: Describe PCI sideband IRQ through interrupt-extended Greg Kroah-Hartman
` (64 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lisa Robinson, Huacai Chen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lisa Robinson <lisa@bytefly.space>
commit a91f86e27087f250a5d9c89bb4a427b9c30fd815 upstream.
When validating a perf event group, validate_group() unconditionally
attempts to allocate hardware PMU counters for the leader, sibling
events and the new event being added.
This is incorrect for mixed-type groups. If a PERF_TYPE_SOFTWARE event
is part of the group, the current code still tries to allocate a hardware
PMU counter for it, which can wrongly consume hardware PMU resources and
cause spurious allocation failures.
Fix this by only allocating PMU counters for hardware events during group
validation, and skipping software events.
A trimmed down reproducer is as simple as this:
#include <stdio.h>
#include <assert.h>
#include <unistd.h>
#include <string.h>
#include <sys/syscall.h>
#include <linux/perf_event.h>
int main (int argc, char *argv[])
{
struct perf_event_attr attr = { 0 };
int fds[5];
attr.disabled = 1;
attr.exclude_kernel = 1;
attr.exclude_hv = 1;
attr.read_format = PERF_FORMAT_TOTAL_TIME_ENABLED |
PERF_FORMAT_TOTAL_TIME_RUNNING | PERF_FORMAT_ID | PERF_FORMAT_GROUP;
attr.size = sizeof (attr);
attr.type = PERF_TYPE_SOFTWARE;
attr.config = PERF_COUNT_SW_DUMMY;
fds[0] = syscall (SYS_perf_event_open, &attr, 0, -1, -1, 0);
assert (fds[0] >= 0);
attr.type = PERF_TYPE_HARDWARE;
attr.config = PERF_COUNT_HW_CPU_CYCLES;
fds[1] = syscall (SYS_perf_event_open, &attr, 0, -1, fds[0], 0);
assert (fds[1] >= 0);
attr.type = PERF_TYPE_HARDWARE;
attr.config = PERF_COUNT_HW_INSTRUCTIONS;
fds[2] = syscall (SYS_perf_event_open, &attr, 0, -1, fds[0], 0);
assert (fds[2] >= 0);
attr.type = PERF_TYPE_HARDWARE;
attr.config = PERF_COUNT_HW_BRANCH_MISSES;
fds[3] = syscall (SYS_perf_event_open, &attr, 0, -1, fds[0], 0);
assert (fds[3] >= 0);
attr.type = PERF_TYPE_HARDWARE;
attr.config = PERF_COUNT_HW_CACHE_REFERENCES;
fds[4] = syscall (SYS_perf_event_open, &attr, 0, -1, fds[0], 0);
assert (fds[4] >= 0);
printf ("PASSED\n");
return 0;
}
Cc: stable@vger.kernel.org
Fixes: b37042b2bb7c ("LoongArch: Add perf events support")
Signed-off-by: Lisa Robinson <lisa@bytefly.space>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kernel/perf_event.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
--- a/arch/loongarch/kernel/perf_event.c
+++ b/arch/loongarch/kernel/perf_event.c
@@ -626,6 +626,18 @@ static const struct loongarch_perf_event
return pev;
}
+static inline bool loongarch_pmu_event_requires_counter(const struct perf_event *event)
+{
+ switch (event->attr.type) {
+ case PERF_TYPE_HARDWARE:
+ case PERF_TYPE_HW_CACHE:
+ case PERF_TYPE_RAW:
+ return true;
+ default:
+ return false;
+ }
+}
+
static int validate_group(struct perf_event *event)
{
struct cpu_hw_events fake_cpuc;
@@ -633,15 +645,18 @@ static int validate_group(struct perf_ev
memset(&fake_cpuc, 0, sizeof(fake_cpuc));
- if (loongarch_pmu_alloc_counter(&fake_cpuc, &leader->hw) < 0)
+ if (loongarch_pmu_event_requires_counter(leader) &&
+ loongarch_pmu_alloc_counter(&fake_cpuc, &leader->hw) < 0)
return -EINVAL;
for_each_sibling_event(sibling, leader) {
- if (loongarch_pmu_alloc_counter(&fake_cpuc, &sibling->hw) < 0)
+ if (loongarch_pmu_event_requires_counter(sibling) &&
+ loongarch_pmu_alloc_counter(&fake_cpuc, &sibling->hw) < 0)
return -EINVAL;
}
- if (loongarch_pmu_alloc_counter(&fake_cpuc, &event->hw) < 0)
+ if (loongarch_pmu_event_requires_counter(event) &&
+ loongarch_pmu_alloc_counter(&fake_cpuc, &event->hw) < 0)
return -EINVAL;
return 0;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 148/198] LoongArch: dts: Describe PCI sideband IRQ through interrupt-extended
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 147/198] LoongArch: Fix PMU counter allocation for mixed-type event groups Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 149/198] drm/amd/display: Bump the HDMI clock to 340MHz Greg Kroah-Hartman
` (63 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yao Zi, Binbin Zhou, Huacai Chen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yao Zi <me@ziyao.cc>
commit 762cf75bec2ad9d17899087899a34336b1757238 upstream.
SoC integrated peripherals on LS2K1000 and LS2K2000 could be discovered
as PCI devices, but require sideband interrupts to function, which are
previously described by interrupts and interrupt-parent properties.
However, pci/pci-device.yaml allows interrupts property to only specify
PCI INTx interrupts, not sideband ones. Convert these devices to use
interrupt-extended property, which describes sideband interrupts used by
PCI devices since dt-schema commit e6ea659d2baa ("schemas: pci-device:
Allow interrupts-extended for sideband interrupts"), eliminating
dtbs_check warnings.
Cc: stable@vger.kernel.org
Fixes: 30a5532a3206 ("LoongArch: dts: DeviceTree for Loongson-2K1000")
Signed-off-by: Yao Zi <me@ziyao.cc>
Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/boot/dts/loongson-2k1000.dtsi | 25 +++++++--------------
arch/loongarch/boot/dts/loongson-2k2000.dtsi | 32 ++++++++++-----------------
2 files changed, 21 insertions(+), 36 deletions(-)
--- a/arch/loongarch/boot/dts/loongson-2k1000.dtsi
+++ b/arch/loongarch/boot/dts/loongson-2k1000.dtsi
@@ -437,54 +437,47 @@
gmac0: ethernet@3,0 {
reg = <0x1800 0x0 0x0 0x0 0x0>;
- interrupt-parent = <&liointc0>;
- interrupts = <12 IRQ_TYPE_LEVEL_HIGH>,
- <13 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&liointc0 12 IRQ_TYPE_LEVEL_HIGH>,
+ <&liointc0 13 IRQ_TYPE_LEVEL_HIGH>;
interrupt-names = "macirq", "eth_lpi";
status = "disabled";
};
gmac1: ethernet@3,1 {
reg = <0x1900 0x0 0x0 0x0 0x0>;
- interrupt-parent = <&liointc0>;
- interrupts = <14 IRQ_TYPE_LEVEL_HIGH>,
- <15 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&liointc0 14 IRQ_TYPE_LEVEL_HIGH>,
+ <&liointc0 15 IRQ_TYPE_LEVEL_HIGH>;
interrupt-names = "macirq", "eth_lpi";
status = "disabled";
};
ehci0: usb@4,1 {
reg = <0x2100 0x0 0x0 0x0 0x0>;
- interrupt-parent = <&liointc1>;
- interrupts = <18 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&liointc1 18 IRQ_TYPE_LEVEL_HIGH>;
status = "disabled";
};
ohci0: usb@4,2 {
reg = <0x2200 0x0 0x0 0x0 0x0>;
- interrupt-parent = <&liointc1>;
- interrupts = <19 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&liointc1 19 IRQ_TYPE_LEVEL_HIGH>;
status = "disabled";
};
display@6,0 {
reg = <0x3000 0x0 0x0 0x0 0x0>;
- interrupt-parent = <&liointc0>;
- interrupts = <28 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&liointc0 28 IRQ_TYPE_LEVEL_HIGH>;
status = "disabled";
};
hda@7,0 {
reg = <0x3800 0x0 0x0 0x0 0x0>;
- interrupt-parent = <&liointc0>;
- interrupts = <4 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&liointc0 4 IRQ_TYPE_LEVEL_HIGH>;
status = "disabled";
};
sata: sata@8,0 {
reg = <0x4000 0x0 0x0 0x0 0x0>;
- interrupt-parent = <&liointc0>;
- interrupts = <19 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&liointc0 19 IRQ_TYPE_LEVEL_HIGH>;
status = "disabled";
};
--- a/arch/loongarch/boot/dts/loongson-2k2000.dtsi
+++ b/arch/loongarch/boot/dts/loongson-2k2000.dtsi
@@ -291,65 +291,57 @@
gmac0: ethernet@3,0 {
reg = <0x1800 0x0 0x0 0x0 0x0>;
- interrupts = <12 IRQ_TYPE_LEVEL_HIGH>,
- <13 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&pic 12 IRQ_TYPE_LEVEL_HIGH>,
+ <&pic 13 IRQ_TYPE_LEVEL_HIGH>;
interrupt-names = "macirq", "eth_lpi";
- interrupt-parent = <&pic>;
status = "disabled";
};
gmac1: ethernet@3,1 {
reg = <0x1900 0x0 0x0 0x0 0x0>;
- interrupts = <14 IRQ_TYPE_LEVEL_HIGH>,
- <15 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&pic 14 IRQ_TYPE_LEVEL_HIGH>,
+ <&pic 15 IRQ_TYPE_LEVEL_HIGH>;
interrupt-names = "macirq", "eth_lpi";
- interrupt-parent = <&pic>;
status = "disabled";
};
gmac2: ethernet@3,2 {
reg = <0x1a00 0x0 0x0 0x0 0x0>;
- interrupts = <17 IRQ_TYPE_LEVEL_HIGH>,
- <18 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&pic 17 IRQ_TYPE_LEVEL_HIGH>,
+ <&pic 18 IRQ_TYPE_LEVEL_HIGH>;
interrupt-names = "macirq", "eth_lpi";
- interrupt-parent = <&pic>;
status = "disabled";
};
xhci0: usb@4,0 {
reg = <0x2000 0x0 0x0 0x0 0x0>;
- interrupts = <48 IRQ_TYPE_LEVEL_HIGH>;
- interrupt-parent = <&pic>;
+ interrupts-extended = <&pic 48 IRQ_TYPE_LEVEL_HIGH>;
status = "disabled";
};
xhci1: usb@19,0 {
reg = <0xc800 0x0 0x0 0x0 0x0>;
- interrupts = <22 IRQ_TYPE_LEVEL_HIGH>;
- interrupt-parent = <&pic>;
+ interrupts-extended = <&pic 22 IRQ_TYPE_LEVEL_HIGH>;
status = "disabled";
};
display@6,1 {
reg = <0x3100 0x0 0x0 0x0 0x0>;
- interrupts = <28 IRQ_TYPE_LEVEL_HIGH>;
- interrupt-parent = <&pic>;
+ interrupts-extended = <&pic 28 IRQ_TYPE_LEVEL_HIGH>;
status = "disabled";
};
i2s@7,0 {
reg = <0x3800 0x0 0x0 0x0 0x0>;
- interrupts = <78 IRQ_TYPE_LEVEL_HIGH>,
- <79 IRQ_TYPE_LEVEL_HIGH>;
+ interrupts-extended = <&pic 78 IRQ_TYPE_LEVEL_HIGH>,
+ <&pic 79 IRQ_TYPE_LEVEL_HIGH>;
interrupt-names = "tx", "rx";
- interrupt-parent = <&pic>;
status = "disabled";
};
sata: sata@8,0 {
reg = <0x4000 0x0 0x0 0x0 0x0>;
- interrupts = <16 IRQ_TYPE_LEVEL_HIGH>;
- interrupt-parent = <&pic>;
+ interrupts-extended = <&pic 16 IRQ_TYPE_LEVEL_HIGH>;
status = "disabled";
};
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 149/198] drm/amd/display: Bump the HDMI clock to 340MHz
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 148/198] LoongArch: dts: Describe PCI sideband IRQ through interrupt-extended Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 150/198] drm/amd/display: Initialise backlight level values from hw Greg Kroah-Hartman
` (62 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dianne Skoll, Chris Park,
Mario Limonciello, Matthew Stewart, Dan Wheeler, Alex Deucher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
commit fee50077656d8a58011f13bca48f743d1b6d6015 upstream.
[Why]
DP-HDMI dongles can execeed bandwidth requirements on high resolution
monitors. This can lead to pruning the high resolution modes.
HDMI 1.3 bumped the clock to 340MHz, but display code never matched it.
[How]
Set default to (DVI) 165MHz. Once HDMI display is identified update
to 340MHz.
Reported-by: Dianne Skoll <dianne@skoll.ca>
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4780
Reviewed-by: Chris Park <chris.park@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Matthew Stewart <matthew.stewart2@amd.com>
Tested-by: Dan Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit ac1e65d8ade46c09fb184579b81acadf36dcb91e)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dc_hdmi_types.h | 2 +-
drivers/gpu/drm/amd/display/dc/link/link_detection.c | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/dc_hdmi_types.h
+++ b/drivers/gpu/drm/amd/display/dc/dc_hdmi_types.h
@@ -41,7 +41,7 @@
/* kHZ*/
#define DP_ADAPTOR_DVI_MAX_TMDS_CLK 165000
/* kHZ*/
-#define DP_ADAPTOR_HDMI_SAFE_MAX_TMDS_CLK 165000
+#define DP_ADAPTOR_HDMI_SAFE_MAX_TMDS_CLK 340000
struct dp_hdmi_dongle_signature_data {
int8_t id[15];/* "DP-HDMI ADAPTOR"*/
--- a/drivers/gpu/drm/amd/display/dc/link/link_detection.c
+++ b/drivers/gpu/drm/amd/display/dc/link/link_detection.c
@@ -332,7 +332,7 @@ static void query_dp_dual_mode_adaptor(
/* Assume we have no valid DP passive dongle connected */
*dongle = DISPLAY_DONGLE_NONE;
- sink_cap->max_hdmi_pixel_clock = DP_ADAPTOR_HDMI_SAFE_MAX_TMDS_CLK;
+ sink_cap->max_hdmi_pixel_clock = DP_ADAPTOR_DVI_MAX_TMDS_CLK;
/* Read DP-HDMI dongle I2c (no response interpreted as DP-DVI dongle)*/
if (!i2c_read(
@@ -388,6 +388,8 @@ static void query_dp_dual_mode_adaptor(
}
}
+ if (is_valid_hdmi_signature)
+ sink_cap->max_hdmi_pixel_clock = DP_ADAPTOR_HDMI_SAFE_MAX_TMDS_CLK;
if (is_type2_dongle) {
uint32_t max_tmds_clk =
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 150/198] drm/amd/display: Initialise backlight level values from hw
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 149/198] drm/amd/display: Bump the HDMI clock to 340MHz Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 151/198] drm/amd: Clean up kfd node on surprise disconnect Greg Kroah-Hartman
` (61 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vivek Das Mohapatra,
Mario Limonciello (AMD), Alex Deucher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vivek Das Mohapatra <vivek@collabora.com>
commit 52d3d115e9cc975b90b1fc49abf6d36ad5e8847a upstream.
Internal backlight levels are initialised from ACPI but the values
are sometimes out of sync with the levels in effect until there has
been a read from hardware (eg triggered by reading from sysfs).
This means that the first drm_commit can cause the levels to be set
to a different value than the actual starting one, which results in
a sudden change in brightness.
This path shows the problem (when the values are out of sync):
amdgpu_dm_atomic_commit_tail()
-> amdgpu_dm_commit_streams()
-> amdgpu_dm_backlight_set_level(..., dm->brightness[n])
This patch calls the backlight ops get_brightness explicitly
at the end of backlight registration to make sure dm->brightness[n]
is in sync with the actual hardware levels.
Fixes: 2fe87f54abdc ("drm/amd/display: Set default brightness according to ACPI")
Signed-off-by: Vivek Das Mohapatra <vivek@collabora.com>
Reviewed-by: Mario Limonciello (AMD) <superm1@kernel.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 318b1c36d82a0cd2b06a4bb43272fa6f1bc8adc1)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -5193,6 +5193,8 @@ amdgpu_dm_register_backlight_device(stru
struct amdgpu_dm_backlight_caps *caps;
char bl_name[16];
int min, max;
+ int real_brightness;
+ int init_brightness;
if (aconnector->bl_idx == -1)
return;
@@ -5217,6 +5219,8 @@ amdgpu_dm_register_backlight_device(stru
} else
props.brightness = props.max_brightness = MAX_BACKLIGHT_LEVEL;
+ init_brightness = props.brightness;
+
if (caps->data_points && !(amdgpu_dc_debug_mask & DC_DISABLE_CUSTOM_BRIGHTNESS_CURVE)) {
drm_info(drm, "Using custom brightness curve\n");
props.scale = BACKLIGHT_SCALE_NON_LINEAR;
@@ -5235,8 +5239,20 @@ amdgpu_dm_register_backlight_device(stru
if (IS_ERR(dm->backlight_dev[aconnector->bl_idx])) {
drm_err(drm, "DM: Backlight registration failed!\n");
dm->backlight_dev[aconnector->bl_idx] = NULL;
- } else
+ } else {
+ /*
+ * dm->brightness[x] can be inconsistent just after startup until
+ * ops.get_brightness is called.
+ */
+ real_brightness =
+ amdgpu_dm_backlight_ops.get_brightness(dm->backlight_dev[aconnector->bl_idx]);
+
+ if (real_brightness != init_brightness) {
+ dm->actual_brightness[aconnector->bl_idx] = real_brightness;
+ dm->brightness[aconnector->bl_idx] = real_brightness;
+ }
drm_dbg_driver(drm, "DM: Registered Backlight device: %s\n", bl_name);
+ }
}
static int initialize_plane(struct amdgpu_display_manager *dm,
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 151/198] drm/amd: Clean up kfd node on surprise disconnect
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 150/198] drm/amd/display: Initialise backlight level values from hw Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 152/198] drm/amdgpu: Fix gfx9 update PTE mtype flag Greg Kroah-Hartman
` (60 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kent.russell,
Mario Limonciello (AMD), Alex Deucher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello (AMD) <superm1@kernel.org>
commit 28695ca09d326461f8078332aa01db516983e8a2 upstream.
When an eGPU is unplugged the KFD topology should also be destroyed
for that GPU. This never happens because the fini_sw callbacks never
get to run. Run them manually before calling amdgpu_device_ip_fini_early()
when a device has already been disconnected.
This location is intentionally chosen to make sure that the kfd locking
refcount doesn't get incremented unintentionally.
Cc: kent.russell@amd.com
Closes: https://community.frame.work/t/amd-egpu-on-linux/8691/33
Signed-off-by: Mario Limonciello (AMD) <superm1@kernel.org>
Reviewed-by: Kent Russell <kent.russell@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 6a23e7b4332c10f8b56c33a9c5431b52ecff9aab)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -4985,6 +4985,14 @@ void amdgpu_device_fini_hw(struct amdgpu
amdgpu_ttm_set_buffer_funcs_status(adev, false);
+ /*
+ * device went through surprise hotplug; we need to destroy topology
+ * before ip_fini_early to prevent kfd locking refcount issues by calling
+ * amdgpu_amdkfd_suspend()
+ */
+ if (drm_dev_is_unplugged(adev_to_drm(adev)))
+ amdgpu_amdkfd_device_fini_sw(adev);
+
amdgpu_device_ip_fini_early(adev);
amdgpu_irq_fini_hw(adev);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 152/198] drm/amdgpu: Fix gfx9 update PTE mtype flag
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 151/198] drm/amd: Clean up kfd node on surprise disconnect Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 153/198] drm/amdgpu: make sure userqs are enabled in userq IOCTLs Greg Kroah-Hartman
` (59 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Christian König,
Alex Deucher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
commit 292e5757b2229c0c6f1d059123a85f8a28f4464d upstream.
Fix copy&paste error, that should have been an assignment instead of an or,
otherwise MTYPE_UC 0x3 can not be updated to MTYPE_RW 0x1.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit fc1366016abe4103c0f0fac882811aea961ef213)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
@@ -1233,16 +1233,16 @@ static void gmc_v9_0_get_vm_pte(struct a
*flags = AMDGPU_PTE_MTYPE_VG10(*flags, MTYPE_NC);
break;
case AMDGPU_VM_MTYPE_WC:
- *flags |= AMDGPU_PTE_MTYPE_VG10(*flags, MTYPE_WC);
+ *flags = AMDGPU_PTE_MTYPE_VG10(*flags, MTYPE_WC);
break;
case AMDGPU_VM_MTYPE_RW:
- *flags |= AMDGPU_PTE_MTYPE_VG10(*flags, MTYPE_RW);
+ *flags = AMDGPU_PTE_MTYPE_VG10(*flags, MTYPE_RW);
break;
case AMDGPU_VM_MTYPE_CC:
- *flags |= AMDGPU_PTE_MTYPE_VG10(*flags, MTYPE_CC);
+ *flags = AMDGPU_PTE_MTYPE_VG10(*flags, MTYPE_CC);
break;
case AMDGPU_VM_MTYPE_UC:
- *flags |= AMDGPU_PTE_MTYPE_VG10(*flags, MTYPE_UC);
+ *flags = AMDGPU_PTE_MTYPE_VG10(*flags, MTYPE_UC);
break;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 153/198] drm/amdgpu: make sure userqs are enabled in userq IOCTLs
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 152/198] drm/amdgpu: Fix gfx9 update PTE mtype flag Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 154/198] drm/amdkfd: fix a memory leak in device_queue_manager_init() Greg Kroah-Hartman
` (58 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christian König, Alex Deucher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit b6dff005fcf32dd072f6f2d08ca461394a21bd4f upstream.
These IOCTLs shouldn't be called when userqs are not
enabled. Make sure they are enabled before executing
the IOCTLs.
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit d967509651601cddce7ff2a9f09479f3636f684d)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c | 16 ++++++++++++++++
drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c | 6 ++++++
3 files changed, 23 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.c
@@ -681,12 +681,28 @@ static int amdgpu_userq_input_args_valid
return 0;
}
+bool amdgpu_userq_enabled(struct drm_device *dev)
+{
+ struct amdgpu_device *adev = drm_to_adev(dev);
+ int i;
+
+ for (i = 0; i < AMDGPU_HW_IP_NUM; i++) {
+ if (adev->userq_funcs[i])
+ return true;
+ }
+
+ return false;
+}
+
int amdgpu_userq_ioctl(struct drm_device *dev, void *data,
struct drm_file *filp)
{
union drm_amdgpu_userq *args = data;
int r;
+ if (!amdgpu_userq_enabled(dev))
+ return -ENOTSUPP;
+
if (amdgpu_userq_input_args_validate(dev, args, filp) < 0)
return -EINVAL;
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq.h
@@ -135,6 +135,7 @@ uint64_t amdgpu_userq_get_doorbell_index
struct drm_file *filp);
u32 amdgpu_userq_get_supported_ip_mask(struct amdgpu_device *adev);
+bool amdgpu_userq_enabled(struct drm_device *dev);
int amdgpu_userq_suspend(struct amdgpu_device *adev);
int amdgpu_userq_resume(struct amdgpu_device *adev);
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_userq_fence.c
@@ -472,6 +472,9 @@ int amdgpu_userq_signal_ioctl(struct drm
struct drm_exec exec;
u64 wptr;
+ if (!amdgpu_userq_enabled(dev))
+ return -ENOTSUPP;
+
num_syncobj_handles = args->num_syncobj_handles;
syncobj_handles = memdup_user(u64_to_user_ptr(args->syncobj_handles),
size_mul(sizeof(u32), num_syncobj_handles));
@@ -654,6 +657,9 @@ int amdgpu_userq_wait_ioctl(struct drm_d
int r, i, rentry, wentry, cnt;
struct drm_exec exec;
+ if (!amdgpu_userq_enabled(dev))
+ return -ENOTSUPP;
+
num_read_bo_handles = wait_info->num_bo_read_handles;
bo_handles_read = memdup_user(u64_to_user_ptr(wait_info->bo_read_handles),
size_mul(sizeof(u32), num_read_bo_handles));
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 154/198] drm/amdkfd: fix a memory leak in device_queue_manager_init()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 153/198] drm/amdgpu: make sure userqs are enabled in userq IOCTLs Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 155/198] drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare Greg Kroah-Hartman
` (57 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Felix Kuehling,
Oak Zeng, Alex Deucher
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit 80614c509810fc051312d1a7ccac8d0012d6b8d0 upstream.
If dqm->ops.initialize() fails, add deallocate_hiq_sdma_mqd()
to release the memory allocated by allocate_hiq_sdma_mqd().
Move deallocate_hiq_sdma_mqd() up to ensure proper function
visibility at the point of use.
Fixes: 11614c36bc8f ("drm/amdkfd: Allocate MQD trunk for HIQ and SDMA")
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Felix Kuehling <felix.kuehling@amd.com>
Reviewed-by: Oak Zeng <Oak.Zeng@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit b7cccc8286bb9919a0952c812872da1dcfe9d390)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 19 ++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -2905,6 +2905,14 @@ static int allocate_hiq_sdma_mqd(struct
return retval;
}
+static void deallocate_hiq_sdma_mqd(struct kfd_node *dev,
+ struct kfd_mem_obj *mqd)
+{
+ WARN(!mqd, "No hiq sdma mqd trunk to free");
+
+ amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem);
+}
+
struct device_queue_manager *device_queue_manager_init(struct kfd_node *dev)
{
struct device_queue_manager *dqm;
@@ -3028,19 +3036,14 @@ struct device_queue_manager *device_queu
return dqm;
}
+ if (!dev->kfd->shared_resources.enable_mes)
+ deallocate_hiq_sdma_mqd(dev, &dqm->hiq_sdma_mqd);
+
out_free:
kfree(dqm);
return NULL;
}
-static void deallocate_hiq_sdma_mqd(struct kfd_node *dev,
- struct kfd_mem_obj *mqd)
-{
- WARN(!mqd, "No hiq sdma mqd trunk to free");
-
- amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem);
-}
-
void device_queue_manager_uninit(struct device_queue_manager *dqm)
{
dqm->ops.stop(dqm);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 155/198] drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 154/198] drm/amdkfd: fix a memory leak in device_queue_manager_init() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 156/198] drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel Greg Kroah-Hartman
` (56 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Airlie, Lyude Paul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lyude Paul <lyude@redhat.com>
commit 9e9bc6be0fa0b6b6b73f4f831f3b77716d0a8d9e upstream.
For a while, I've been seeing a strange issue where some (usually not all)
of the display DMA channels will suddenly hang, particularly when there is
a visible cursor on the screen that is being frequently updated, and
especially when said cursor happens to go between two screens. While this
brings back lovely memories of fixing Intel Skylake bugs, I would quite
like to fix it :).
It turns out the problem that's happening here is that we're managing to
reach nv50_head_flush_set() in our atomic commit path without actually
holding nv50_disp->mutex. This means that cursor updates happening in
parallel (along with any other atomic updates that need to use the core
channel) will race with eachother, which eventually causes us to corrupt
the pushbuffer - leading to a plethora of various GSP errors, usually:
nouveau 0000:c1:00.0: gsp: Xid:56 CMDre 00000000 00000218 00102680 00000004 00800003
nouveau 0000:c1:00.0: gsp: Xid:56 CMDre 00000000 0000021c 00040509 00000004 00000001
nouveau 0000:c1:00.0: gsp: Xid:56 CMDre 00000000 00000000 00000000 00000001 00000001
The reason this is happening is because generally we check whether we need
to set nv50_atom->lock_core at the end of nv50_head_atomic_check().
However, curs507a_prepare is called from the fb_prepare callback, which
happens after the atomic check phase. As a result, this can lead to commits
that both touch the core channel but also don't grab nv50_disp->mutex.
So, fix this by making sure that we set nv50_atom->lock_core in
cus507a_prepare().
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Lyude Paul <lyude@redhat.com>
Fixes: 1590700d94ac ("drm/nouveau/kms/nv50-: split each resource type into their own source files")
Cc: <stable@vger.kernel.org> # v4.18+
Link: https://patch.msgid.link/20251219215344.170852-2-lyude@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/dispnv50/curs507a.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/nouveau/dispnv50/curs507a.c
+++ b/drivers/gpu/drm/nouveau/dispnv50/curs507a.c
@@ -84,6 +84,7 @@ curs507a_prepare(struct nv50_wndw *wndw,
asyh->curs.handle = handle;
asyh->curs.offset = offset;
asyh->set.curs = asyh->curs.visible;
+ nv50_atom(asyh->state.state)->lock_core = true;
}
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 156/198] drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 155/198] drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 157/198] drm/panel: simple: restore connector_type fallback Greg Kroah-Hartman
` (55 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Neil Armstrong
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@nabladev.com>
commit 6ab3d4353bf75005eaa375677c9fed31148154d6 upstream.
The connector type for the DataImage SCF0700C48GGU18 panel is missing and
devm_drm_panel_bridge_add() requires connector type to be set. This leads
to a warning and a backtrace in the kernel log and panel does not work:
"
WARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8
"
The warning is triggered by a check for valid connector type in
devm_drm_panel_bridge_add(). If there is no valid connector type
set for a panel, the warning is printed and panel is not added.
Fill in the missing connector type to fix the warning and make
the panel operational once again.
Cc: stable@vger.kernel.org
Fixes: 97ceb1fb08b6 ("drm/panel: simple: Add support for DataImage SCF0700C48GGU18")
Signed-off-by: Marek Vasut <marex@nabladev.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20260110152750.73848-1-marex@nabladev.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/panel/panel-simple.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -1900,6 +1900,7 @@ static const struct panel_desc dataimage
},
.bus_format = MEDIA_BUS_FMT_RGB888_1X24,
.bus_flags = DRM_BUS_FLAG_DE_HIGH | DRM_BUS_FLAG_PIXDATA_DRIVE_POSEDGE,
+ .connector_type = DRM_MODE_CONNECTOR_DPI,
};
static const struct display_timing dlc_dlc0700yzg_1_timing = {
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 157/198] drm/panel: simple: restore connector_type fallback
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 156/198] drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 158/198] drm/sysfb: Remove duplicate declarations Greg Kroah-Hartman
` (54 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ludovic Desroches, Luca Ceresoli,
Neil Armstrong
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ludovic Desroches <ludovic.desroches@microchip.com>
commit 9380dc33cd6ae4a6857818fcefce31cf716f3fae upstream.
The switch from devm_kzalloc() + drm_panel_init() to
devm_drm_panel_alloc() introduced a regression.
Several panel descriptors do not set connector_type. For those panels,
panel_simple_probe() used to compute a connector type (currently DPI as a
fallback) and pass that value to drm_panel_init(). After the conversion
to devm_drm_panel_alloc(), the call unconditionally used
desc->connector_type instead, ignoring the computed fallback and
potentially passing DRM_MODE_CONNECTOR_Unknown, which
drm_panel_bridge_add() does not allow.
Move the connector_type validation / fallback logic before the
devm_drm_panel_alloc() call and pass the computed connector_type to
devm_drm_panel_alloc(), so panels without an explicit connector_type
once again get the DPI default.
Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Fixes: de04bb0089a9 ("drm/panel/panel-simple: Use the new allocation in place of devm_kzalloc()")
Cc: stable@vger.kernel.org
Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Link: https://lore.kernel.org/stable/20251126-lcd_panel_connector_type_fix-v2-1-c15835d1f7cb%40microchip.com
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patch.msgid.link/20251218-lcd_panel_connector_type_fix-v3-1-ddcea6d8d7ef@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/panel/panel-simple.c | 89 +++++++++++++++++------------------
1 file changed, 44 insertions(+), 45 deletions(-)
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -623,49 +623,6 @@ static struct panel_simple *panel_simple
if (IS_ERR(desc))
return ERR_CAST(desc);
- panel = devm_drm_panel_alloc(dev, struct panel_simple, base,
- &panel_simple_funcs, desc->connector_type);
- if (IS_ERR(panel))
- return ERR_CAST(panel);
-
- panel->desc = desc;
-
- panel->supply = devm_regulator_get(dev, "power");
- if (IS_ERR(panel->supply))
- return ERR_CAST(panel->supply);
-
- panel->enable_gpio = devm_gpiod_get_optional(dev, "enable",
- GPIOD_OUT_LOW);
- if (IS_ERR(panel->enable_gpio))
- return dev_err_cast_probe(dev, panel->enable_gpio,
- "failed to request GPIO\n");
-
- err = of_drm_get_panel_orientation(dev->of_node, &panel->orientation);
- if (err) {
- dev_err(dev, "%pOF: failed to get orientation %d\n", dev->of_node, err);
- return ERR_PTR(err);
- }
-
- ddc = of_parse_phandle(dev->of_node, "ddc-i2c-bus", 0);
- if (ddc) {
- panel->ddc = of_find_i2c_adapter_by_node(ddc);
- of_node_put(ddc);
-
- if (!panel->ddc)
- return ERR_PTR(-EPROBE_DEFER);
- }
-
- if (!of_device_is_compatible(dev->of_node, "panel-dpi") &&
- !of_get_display_timing(dev->of_node, "panel-timing", &dt))
- panel_simple_parse_panel_timing_node(dev, panel, &dt);
-
- if (desc->connector_type == DRM_MODE_CONNECTOR_LVDS) {
- /* Optional data-mapping property for overriding bus format */
- err = panel_simple_override_nondefault_lvds_datamapping(dev, panel);
- if (err)
- goto free_ddc;
- }
-
connector_type = desc->connector_type;
/* Catch common mistakes for panels. */
switch (connector_type) {
@@ -690,8 +647,7 @@ static struct panel_simple *panel_simple
break;
case DRM_MODE_CONNECTOR_eDP:
dev_warn(dev, "eDP panels moved to panel-edp\n");
- err = -EINVAL;
- goto free_ddc;
+ return ERR_PTR(-EINVAL);
case DRM_MODE_CONNECTOR_DSI:
if (desc->bpc != 6 && desc->bpc != 8)
dev_warn(dev, "Expected bpc in {6,8} but got: %u\n", desc->bpc);
@@ -720,6 +676,49 @@ static struct panel_simple *panel_simple
break;
}
+ panel = devm_drm_panel_alloc(dev, struct panel_simple, base,
+ &panel_simple_funcs, connector_type);
+ if (IS_ERR(panel))
+ return ERR_CAST(panel);
+
+ panel->desc = desc;
+
+ panel->supply = devm_regulator_get(dev, "power");
+ if (IS_ERR(panel->supply))
+ return ERR_CAST(panel->supply);
+
+ panel->enable_gpio = devm_gpiod_get_optional(dev, "enable",
+ GPIOD_OUT_LOW);
+ if (IS_ERR(panel->enable_gpio))
+ return dev_err_cast_probe(dev, panel->enable_gpio,
+ "failed to request GPIO\n");
+
+ err = of_drm_get_panel_orientation(dev->of_node, &panel->orientation);
+ if (err) {
+ dev_err(dev, "%pOF: failed to get orientation %d\n", dev->of_node, err);
+ return ERR_PTR(err);
+ }
+
+ ddc = of_parse_phandle(dev->of_node, "ddc-i2c-bus", 0);
+ if (ddc) {
+ panel->ddc = of_find_i2c_adapter_by_node(ddc);
+ of_node_put(ddc);
+
+ if (!panel->ddc)
+ return ERR_PTR(-EPROBE_DEFER);
+ }
+
+ if (!of_device_is_compatible(dev->of_node, "panel-dpi") &&
+ !of_get_display_timing(dev->of_node, "panel-timing", &dt))
+ panel_simple_parse_panel_timing_node(dev, panel, &dt);
+
+ if (desc->connector_type == DRM_MODE_CONNECTOR_LVDS) {
+ /* Optional data-mapping property for overriding bus format */
+ err = panel_simple_override_nondefault_lvds_datamapping(dev, panel);
+ if (err)
+ goto free_ddc;
+ }
+
dev_set_drvdata(dev, panel);
/*
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 158/198] drm/sysfb: Remove duplicate declarations
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 157/198] drm/panel: simple: restore connector_type fallback Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 159/198] drm/vmwgfx: Fix an error return check in vmw_compat_shader_add() Greg Kroah-Hartman
` (53 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Zimmermann,
Javier Martinez Canillas, dri-devel
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
commit b91a565ed14fcf900b4d95e86882b4b763860986 upstream.
Commit 6046b49bafff ("drm/sysfb: Share helpers for integer validation")
and commit e8c086880b2b ("drm/sysfb: Share helpers for screen_info
validation") added duplicate function declarations. Remove the latter
ones.
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: e8c086880b2b ("drm/sysfb: Share helpers for screen_info validation")
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.16+
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
Link: https://patch.msgid.link/20260108145058.56943-7-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/sysfb/drm_sysfb_helper.h | 9 ---------
1 file changed, 9 deletions(-)
--- a/drivers/gpu/drm/sysfb/drm_sysfb_helper.h
+++ b/drivers/gpu/drm/sysfb/drm_sysfb_helper.h
@@ -48,15 +48,6 @@ const struct drm_format_info *drm_sysfb_
#endif
/*
- * Input parsing
- */
-
-int drm_sysfb_get_validated_int(struct drm_device *dev, const char *name,
- u64 value, u32 max);
-int drm_sysfb_get_validated_int0(struct drm_device *dev, const char *name,
- u64 value, u32 max);
-
-/*
* Display modes
*/
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 159/198] drm/vmwgfx: Fix an error return check in vmw_compat_shader_add()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 158/198] drm/sysfb: Remove duplicate declarations Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 160/198] LoongArch: dts: loongson-2k0500: Add default interrupt controller address cells Greg Kroah-Hartman
` (52 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haoxiang Li, Zack Rusin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
commit bf72b4b7bb7dbb643d204fa41e7463894a95999f upstream.
In vmw_compat_shader_add(), the return value check of vmw_shader_alloc()
is not proper. Modify the check for the return pointer 'res'.
Found by code review and compiled on ubuntu 20.04.
Fixes: 18e4a4669c50 ("drm/vmwgfx: Fix compat shader namespace")
Cc: stable@vger.kernel.org
Signed-off-by: Haoxiang Li <lihaoxiang@isrc.iscas.ac.cn>
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Link: https://patch.msgid.link/20251224091105.1569464-1-lihaoxiang@isrc.iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_shader.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_shader.c
@@ -923,8 +923,10 @@ int vmw_compat_shader_add(struct vmw_pri
ttm_bo_unreserve(&buf->tbo);
res = vmw_shader_alloc(dev_priv, buf, size, 0, shader_type);
- if (unlikely(ret != 0))
+ if (IS_ERR(res)) {
+ ret = PTR_ERR(res);
goto no_reserve;
+ }
ret = vmw_cmdbuf_res_add(man, vmw_cmdbuf_res_shader,
vmw_shader_key(user_key, shader_type),
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 160/198] LoongArch: dts: loongson-2k0500: Add default interrupt controller address cells
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 159/198] drm/vmwgfx: Fix an error return check in vmw_compat_shader_add() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 161/198] LoongArch: dts: loongson-2k1000: " Greg Kroah-Hartman
` (51 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Binbin Zhou, Huacai Chen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Binbin Zhou <zhoubinbin@loongson.cn>
commit c4461754e6fe7e12a3ff198cce4707e3e20e43d4 upstream.
Add missing address-cells 0 to the Local I/O and Extend I/O interrupt
controller node to silence W=1 warning:
loongson-2k0500.dtsi:513.5-51: Warning (interrupt_map): /bus@10000000/pcie@1a000000/pcie@0,0:interrupt-map:
Missing property '#address-cells' in node /bus@10000000/interrupt-controller@1fe11600, using 0 as fallback
Value '0' is correct because:
1. The Local I/O & Extend I/O interrupt controller do not have children,
2. interrupt-map property (in PCI node) consists of five components and
the fourth component "parent unit address", which size is defined by
'#address-cells' of the node pointed to by the interrupt-parent
component, is not used (=0)
Cc: stable@vger.kernel.org
Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/boot/dts/loongson-2k0500.dtsi | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/loongarch/boot/dts/loongson-2k0500.dtsi
+++ b/arch/loongarch/boot/dts/loongson-2k0500.dtsi
@@ -131,6 +131,7 @@
reg-names = "main", "isr0";
interrupt-controller;
+ #address-cells = <0>;
#interrupt-cells = <2>;
interrupt-parent = <&cpuintc>;
interrupts = <2>;
@@ -149,6 +150,7 @@
reg-names = "main", "isr0";
interrupt-controller;
+ #address-cells = <0>;
#interrupt-cells = <2>;
interrupt-parent = <&cpuintc>;
interrupts = <4>;
@@ -164,6 +166,7 @@
compatible = "loongson,ls2k0500-eiointc";
reg = <0x0 0x1fe11600 0x0 0xea00>;
interrupt-controller;
+ #address-cells = <0>;
#interrupt-cells = <1>;
interrupt-parent = <&cpuintc>;
interrupts = <3>;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 161/198] LoongArch: dts: loongson-2k1000: Add default interrupt controller address cells
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 160/198] LoongArch: dts: loongson-2k0500: Add default interrupt controller address cells Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 162/198] LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names Greg Kroah-Hartman
` (50 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Binbin Zhou, Huacai Chen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Binbin Zhou <zhoubinbin@loongson.cn>
commit 81e8cb7e504a5adbcc48f7f954bf3c2aa9b417f8 upstream.
Add missing address-cells 0 to the Local I/O interrupt controller node
to silence W=1 warning:
loongson-2k1000.dtsi:498.5-55: Warning (interrupt_map): /bus@10000000/pcie@1a000000/pcie@9,0:interrupt-map:
Missing property '#address-cells' in node /bus@10000000/interrupt-controller@1fe01440, using 0 as fallback
Value '0' is correct because:
1. The Local I/O interrupt controller does not have children,
2. interrupt-map property (in PCI node) consists of five components and
the fourth component "parent unit address", which size is defined by
'#address-cells' of the node pointed to by the interrupt-parent
component, is not used (=0)
Cc: stable@vger.kernel.org
Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/boot/dts/loongson-2k1000.dtsi | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/loongarch/boot/dts/loongson-2k1000.dtsi
+++ b/arch/loongarch/boot/dts/loongson-2k1000.dtsi
@@ -114,6 +114,7 @@
<0x0 0x1fe01140 0x0 0x8>;
reg-names = "main", "isr0", "isr1";
interrupt-controller;
+ #address-cells = <0>;
#interrupt-cells = <2>;
interrupt-parent = <&cpuintc>;
interrupts = <2>;
@@ -131,6 +132,7 @@
<0x0 0x1fe01148 0x0 0x8>;
reg-names = "main", "isr0", "isr1";
interrupt-controller;
+ #address-cells = <0>;
#interrupt-cells = <2>;
interrupt-parent = <&cpuintc>;
interrupts = <3>;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 162/198] LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 161/198] LoongArch: dts: loongson-2k1000: " Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 163/198] LoongArch: dts: loongson-2k2000: Add default interrupt controller address cells Greg Kroah-Hartman
` (49 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Binbin Zhou,
Huacai Chen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Binbin Zhou <zhoubinbin@loongson.cn>
commit 14ea5a3625881d79f75418c66e3a7d98db8518e1 upstream.
The binding wants the node to be named "i2c-number", but those are named
"i2c-gpio-number" instead.
Thus rename those to i2c-0, i2c-1 to adhere to the binding and suppress
dtbs_check warnings.
Cc: stable@vger.kernel.org
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/boot/dts/loongson-2k1000.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/loongarch/boot/dts/loongson-2k1000.dtsi
+++ b/arch/loongarch/boot/dts/loongson-2k1000.dtsi
@@ -46,7 +46,7 @@
};
/* i2c of the dvi eeprom edid */
- i2c-gpio-0 {
+ i2c-0 {
compatible = "i2c-gpio";
scl-gpios = <&gpio0 0 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
sda-gpios = <&gpio0 1 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
@@ -57,7 +57,7 @@
};
/* i2c of the eeprom edid */
- i2c-gpio-1 {
+ i2c-1 {
compatible = "i2c-gpio";
scl-gpios = <&gpio0 33 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
sda-gpios = <&gpio0 32 (GPIO_ACTIVE_HIGH | GPIO_OPEN_DRAIN)>;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 163/198] LoongArch: dts: loongson-2k2000: Add default interrupt controller address cells
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 162/198] LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 164/198] LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy() Greg Kroah-Hartman
` (48 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Binbin Zhou, Huacai Chen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Binbin Zhou <zhoubinbin@loongson.cn>
commit e65df3f77ecd59d3a8647d19df82b22a6ce210a9 upstream.
Add missing address-cells 0 to the Local I/O, Extend I/O and PCH-PIC
Interrupt Controller node to silence W=1 warning:
loongson-2k2000.dtsi:364.5-49: Warning (interrupt_map): /bus@10000000/pcie@1a000000/pcie@9,0:interrupt-map:
Missing property '#address-cells' in node /bus@10000000/interrupt-controller@10000000, using 0 as fallback
Value '0' is correct because:
1. The LIO/EIO/PCH interrupt controller does not have children,
2. interrupt-map property (in PCI node) consists of five components and
the fourth component "parent unit address", which size is defined by
'#address-cells' of the node pointed to by the interrupt-parent
component, is not used (=0)
Cc: stable@vger.kernel.org
Signed-off-by: Binbin Zhou <zhoubinbin@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/boot/dts/loongson-2k2000.dtsi | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/loongarch/boot/dts/loongson-2k2000.dtsi
+++ b/arch/loongarch/boot/dts/loongson-2k2000.dtsi
@@ -126,6 +126,7 @@
reg = <0x0 0x1fe01400 0x0 0x64>;
interrupt-controller;
+ #address-cells = <0>;
#interrupt-cells = <2>;
interrupt-parent = <&cpuintc>;
interrupts = <2>;
@@ -140,6 +141,7 @@
compatible = "loongson,ls2k2000-eiointc";
reg = <0x0 0x1fe01600 0x0 0xea00>;
interrupt-controller;
+ #address-cells = <0>;
#interrupt-cells = <1>;
interrupt-parent = <&cpuintc>;
interrupts = <3>;
@@ -149,6 +151,7 @@
compatible = "loongson,pch-pic-1.0";
reg = <0x0 0x10000000 0x0 0x400>;
interrupt-controller;
+ #address-cells = <0>;
#interrupt-cells = <2>;
loongson,pic-base-vec = <0>;
interrupt-parent = <&eiointc>;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 164/198] LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 163/198] LoongArch: dts: loongson-2k2000: Add default interrupt controller address cells Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 165/198] LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy() Greg Kroah-Hartman
` (47 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bibo Mao, Qiang Ma, Huacai Chen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Ma <maqianga@uniontech.com>
commit 7d8553fc75aefa7ec936af0cf8443ff90b51732e upstream.
In kvm_ioctl_create_device(), kvm_device has allocated memory,
kvm_device->destroy() seems to be supposed to free its kvm_device
struct, but kvm_eiointc_destroy() is not currently doing this, that
would lead to a memory leak.
So, fix it.
Cc: stable@vger.kernel.org
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kvm/intc/eiointc.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/loongarch/kvm/intc/eiointc.c
+++ b/arch/loongarch/kvm/intc/eiointc.c
@@ -679,6 +679,7 @@ static void kvm_eiointc_destroy(struct k
kvm_io_bus_unregister_dev(kvm, KVM_IOCSR_BUS, &eiointc->device);
kvm_io_bus_unregister_dev(kvm, KVM_IOCSR_BUS, &eiointc->device_vext);
kfree(eiointc);
+ kfree(dev);
}
static struct kvm_device_ops kvm_eiointc_dev_ops = {
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 165/198] LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 164/198] LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 166/198] LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy() Greg Kroah-Hartman
` (46 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bibo Mao, Qiang Ma, Huacai Chen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Ma <maqianga@uniontech.com>
commit 0bf58cb7288a4d3de6d8ecbb3a65928a9362bf21 upstream.
In kvm_ioctl_create_device(), kvm_device has allocated memory,
kvm_device->destroy() seems to be supposed to free its kvm_device
struct, but kvm_ipi_destroy() is not currently doing this, that
would lead to a memory leak.
So, fix it.
Cc: stable@vger.kernel.org
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kvm/intc/ipi.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/loongarch/kvm/intc/ipi.c
+++ b/arch/loongarch/kvm/intc/ipi.c
@@ -459,6 +459,7 @@ static void kvm_ipi_destroy(struct kvm_d
ipi = kvm->arch.ipi;
kvm_io_bus_unregister_dev(kvm, KVM_IOCSR_BUS, &ipi->device);
kfree(ipi);
+ kfree(dev);
}
static struct kvm_device_ops kvm_ipi_dev_ops = {
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 166/198] LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 165/198] LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 167/198] dmaengine: apple-admac: Add "apple,t8103-admac" compatible Greg Kroah-Hartman
` (45 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Bibo Mao, Qiang Ma, Huacai Chen
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qiang Ma <maqianga@uniontech.com>
commit 1cf342a7c3adc5877837b53bbceb5cc9eff60bbf upstream.
In kvm_ioctl_create_device(), kvm_device has allocated memory,
kvm_device->destroy() seems to be supposed to free its kvm_device
struct, but kvm_pch_pic_destroy() is not currently doing this, that
would lead to a memory leak.
So, fix it.
Cc: stable@vger.kernel.org
Reviewed-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Qiang Ma <maqianga@uniontech.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/kvm/intc/pch_pic.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/loongarch/kvm/intc/pch_pic.c
+++ b/arch/loongarch/kvm/intc/pch_pic.c
@@ -475,6 +475,7 @@ static void kvm_pch_pic_destroy(struct k
/* unregister pch pic device and free it's memory */
kvm_io_bus_unregister_dev(kvm, KVM_MMIO_BUS, &s->device);
kfree(s);
+ kfree(dev);
}
static struct kvm_device_ops kvm_pch_pic_dev_ops = {
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 167/198] dmaengine: apple-admac: Add "apple,t8103-admac" compatible
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 166/198] LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 168/198] dmaengine: at_hdmac: fix device leak on of_dma_xlate() Greg Kroah-Hartman
` (44 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Neal Gompa, Janne Grunau, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Janne Grunau <j@jannau.net>
commit 76cba1e60b69c9cd53b9127d017a7dc5945455b1 upstream.
After discussion with the devicetree maintainers we agreed to not extend
lists with the generic compatible "apple,admac" anymore [1]. Use
"apple,t8103-admac" as base compatible as it is the SoC the driver and
bindings were written for.
[1]: https://lore.kernel.org/asahi/12ab93b7-1fc2-4ce0-926e-c8141cfe81bf@kernel.org/
Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver")
Cc: stable@vger.kernel.org
Reviewed-by: Neal Gompa <neal@gompa.dev>
Signed-off-by: Janne Grunau <j@jannau.net>
Link: https://patch.msgid.link/20251231-apple-admac-t8103-base-compat-v1-1-ec24a3708f76@jannau.net
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/apple-admac.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/dma/apple-admac.c
+++ b/drivers/dma/apple-admac.c
@@ -936,6 +936,7 @@ static void admac_remove(struct platform
}
static const struct of_device_id admac_of_match[] = {
+ { .compatible = "apple,t8103-admac", },
{ .compatible = "apple,admac", },
{ }
};
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 168/198] dmaengine: at_hdmac: fix device leak on of_dma_xlate()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 167/198] dmaengine: apple-admac: Add "apple,t8103-admac" compatible Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 169/198] dmaengine: bcm-sba-raid: fix device leak on probe Greg Kroah-Hartman
` (43 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu Kuai, Johan Hovold, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b9074b2d7a230b6e28caa23165e9d8bc0677d333 upstream.
Make sure to drop the reference taken when looking up the DMA platform
device during of_dma_xlate() when releasing channel resources.
Note that commit 3832b78b3ec2 ("dmaengine: at_hdmac: add missing
put_device() call in at_dma_xlate()") fixed the leak in a couple of
error paths but the reference is still leaking on successful allocation.
Fixes: bbe89c8e3d59 ("at_hdmac: move to generic DMA binding")
Fixes: 3832b78b3ec2 ("dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()")
Cc: stable@vger.kernel.org # 3.10: 3832b78b3ec2
Cc: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251117161258.10679-2-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/at_hdmac.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/dma/at_hdmac.c
+++ b/drivers/dma/at_hdmac.c
@@ -1765,6 +1765,7 @@ static int atc_alloc_chan_resources(stru
static void atc_free_chan_resources(struct dma_chan *chan)
{
struct at_dma_chan *atchan = to_at_dma_chan(chan);
+ struct at_dma_slave *atslave;
BUG_ON(atc_chan_is_enabled(atchan));
@@ -1774,8 +1775,12 @@ static void atc_free_chan_resources(stru
/*
* Free atslave allocated in at_dma_xlate()
*/
- kfree(chan->private);
- chan->private = NULL;
+ atslave = chan->private;
+ if (atslave) {
+ put_device(atslave->dma_dev);
+ kfree(atslave);
+ chan->private = NULL;
+ }
dev_vdbg(chan2dev(chan), "free_chan_resources: done\n");
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 169/198] dmaengine: bcm-sba-raid: fix device leak on probe
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 168/198] dmaengine: at_hdmac: fix device leak on of_dma_xlate() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 170/198] dmaengine: cv1800b-dmamux: fix device leak on route allocation Greg Kroah-Hartman
` (42 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 7c3a46ebf15a9796b763a54272407fdbf945bed8 upstream.
Make sure to drop the reference taken when looking up the mailbox device
during probe on probe failures and on driver unbind.
Fixes: 743e1c8ffe4e ("dmaengine: Add Broadcom SBA RAID driver")
Cc: stable@vger.kernel.org # 4.13
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251117161258.10679-4-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/bcm-sba-raid.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/dma/bcm-sba-raid.c
+++ b/drivers/dma/bcm-sba-raid.c
@@ -1699,7 +1699,7 @@ static int sba_probe(struct platform_dev
/* Prealloc channel resource */
ret = sba_prealloc_channel_resources(sba);
if (ret)
- goto fail_free_mchan;
+ goto fail_put_mbox;
/* Check availability of debugfs */
if (!debugfs_initialized())
@@ -1729,6 +1729,8 @@ skip_debugfs:
fail_free_resources:
debugfs_remove_recursive(sba->root);
sba_freeup_channel_resources(sba);
+fail_put_mbox:
+ put_device(sba->mbox_dev);
fail_free_mchan:
mbox_free_channel(sba->mchan);
return ret;
@@ -1744,6 +1746,8 @@ static void sba_remove(struct platform_d
sba_freeup_channel_resources(sba);
+ put_device(sba->mbox_dev);
+
mbox_free_channel(sba->mchan);
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 170/198] dmaengine: cv1800b-dmamux: fix device leak on route allocation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 169/198] dmaengine: bcm-sba-raid: fix device leak on probe Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 171/198] dmaengine: dw: dmamux: fix OF node leak on route allocation failure Greg Kroah-Hartman
` (41 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Inochi Amaoto, Johan Hovold,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 7bb7d696e0361bbfc1411462c784998cca0afcbb upstream.
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: db7d07b5add4 ("dmaengine: add driver for Sophgo CV18XX/SG200X dmamux")
Cc: stable@vger.kernel.org # 6.17
Cc: Inochi Amaoto <inochiama@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251117161258.10679-5-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/cv1800b-dmamux.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/dma/cv1800b-dmamux.c b/drivers/dma/cv1800b-dmamux.c
index e900d6595617..f7a952fcbc7d 100644
--- a/drivers/dma/cv1800b-dmamux.c
+++ b/drivers/dma/cv1800b-dmamux.c
@@ -102,11 +102,11 @@ static void *cv1800_dmamux_route_allocate(struct of_phandle_args *dma_spec,
struct llist_node *node;
unsigned long flags;
unsigned int chid, devid, cpuid;
- int ret;
+ int ret = -EINVAL;
if (dma_spec->args_count != DMAMUX_NCELLS) {
dev_err(&pdev->dev, "invalid number of dma mux args\n");
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
devid = dma_spec->args[0];
@@ -115,18 +115,18 @@ static void *cv1800_dmamux_route_allocate(struct of_phandle_args *dma_spec,
if (devid > MAX_DMA_MAPPING_ID) {
dev_err(&pdev->dev, "invalid device id: %u\n", devid);
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
if (cpuid > MAX_DMA_CPU_ID) {
dev_err(&pdev->dev, "invalid cpu id: %u\n", cpuid);
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", 0);
if (!dma_spec->np) {
dev_err(&pdev->dev, "can't get dma master\n");
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
spin_lock_irqsave(&dmamux->lock, flags);
@@ -136,8 +136,6 @@ static void *cv1800_dmamux_route_allocate(struct of_phandle_args *dma_spec,
if (map->peripheral == devid && map->cpu == cpuid)
goto found;
}
-
- ret = -EINVAL;
goto failed;
} else {
node = llist_del_first(&dmamux->free_maps);
@@ -171,12 +169,17 @@ static void *cv1800_dmamux_route_allocate(struct of_phandle_args *dma_spec,
dev_dbg(&pdev->dev, "register channel %u for req %u (cpu %u)\n",
chid, devid, cpuid);
+ put_device(&pdev->dev);
+
return map;
failed:
spin_unlock_irqrestore(&dmamux->lock, flags);
of_node_put(dma_spec->np);
dev_err(&pdev->dev, "errno %d\n", ret);
+err_put_pdev:
+ put_device(&pdev->dev);
+
return ERR_PTR(ret);
}
--
2.52.0
^ permalink raw reply related [flat|nested] 215+ messages in thread
* [PATCH 6.18 171/198] dmaengine: dw: dmamux: fix OF node leak on route allocation failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 170/198] dmaengine: cv1800b-dmamux: fix device leak on route allocation Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 172/198] dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure Greg Kroah-Hartman
` (40 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Johan Hovold,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit ec25e60f9f95464aa11411db31d0906b3fb7b9f2 upstream.
Make sure to drop the reference taken to the DMA master OF node also on
late route allocation failures.
Fixes: 134d9c52fca2 ("dmaengine: dw: dmamux: Introduce RZN1 DMA router support")
Cc: stable@vger.kernel.org # 5.19
Cc: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://patch.msgid.link/20251117161258.10679-6-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/dw/rzn1-dmamux.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/dma/dw/rzn1-dmamux.c
+++ b/drivers/dma/dw/rzn1-dmamux.c
@@ -90,7 +90,7 @@ static void *rzn1_dmamux_route_allocate(
if (test_and_set_bit(map->req_idx, dmamux->used_chans)) {
ret = -EBUSY;
- goto free_map;
+ goto put_dma_spec_np;
}
mask = BIT(map->req_idx);
@@ -103,6 +103,8 @@ static void *rzn1_dmamux_route_allocate(
clear_bitmap:
clear_bit(map->req_idx, dmamux->used_chans);
+put_dma_spec_np:
+ of_node_put(dma_spec->np);
free_map:
kfree(map);
put_device:
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 172/198] dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 171/198] dmaengine: dw: dmamux: fix OF node leak on route allocation failure Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 173/198] dmaengine: idxd: fix device leaks on compat bind and unbind Greg Kroah-Hartman
` (39 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Frank Li, Zhen Ni, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhen Ni <zhen.ni@easystack.cn>
commit b18cd8b210417f90537d914ffb96e390c85a7379 upstream.
When fsl_edma_alloc_chan_resources() fails after clk_prepare_enable(),
the error paths only free IRQs and destroy the TCD pool, but forget to
call clk_disable_unprepare(). This causes the channel clock to remain
enabled, leaking power and resources.
Fix it by disabling the channel clock in the error unwind path.
Fixes: d8d4355861d8 ("dmaengine: fsl-edma: add i.MX8ULP edma support")
Cc: stable@vger.kernel.org
Suggested-by: Frank Li <Frank.Li@nxp.com>
Signed-off-by: Zhen Ni <zhen.ni@easystack.cn>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20251014090522.827726-1-zhen.ni@easystack.cn
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/fsl-edma-common.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/dma/fsl-edma-common.c
+++ b/drivers/dma/fsl-edma-common.c
@@ -852,6 +852,7 @@ err_errirq:
free_irq(fsl_chan->txirq, fsl_chan);
err_txirq:
dma_pool_destroy(fsl_chan->tcd_pool);
+ clk_disable_unprepare(fsl_chan->clk);
return ret;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 173/198] dmaengine: idxd: fix device leaks on compat bind and unbind
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 172/198] dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 174/198] dmaengine: lpc18xx-dmamux: fix device leak on route allocation Greg Kroah-Hartman
` (38 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dave Jiang, Johan Hovold, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 799900f01792cf8b525a44764f065f83fcafd468 upstream.
Make sure to drop the reference taken when looking up the idxd device as
part of the compat bind and unbind sysfs interface.
Fixes: 6e7f3ee97bbe ("dmaengine: idxd: move dsa_drv support to compatible mode")
Cc: stable@vger.kernel.org # 5.15
Cc: Dave Jiang <dave.jiang@intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251117161258.10679-7-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/idxd/compat.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
--- a/drivers/dma/idxd/compat.c
+++ b/drivers/dma/idxd/compat.c
@@ -20,11 +20,16 @@ static ssize_t unbind_store(struct devic
int rc = -ENODEV;
dev = bus_find_device_by_name(bus, NULL, buf);
- if (dev && dev->driver) {
+ if (!dev)
+ return -ENODEV;
+
+ if (dev->driver) {
device_driver_detach(dev);
rc = count;
}
+ put_device(dev);
+
return rc;
}
static DRIVER_ATTR_IGNORE_LOCKDEP(unbind, 0200, NULL, unbind_store);
@@ -38,9 +43,12 @@ static ssize_t bind_store(struct device_
struct idxd_dev *idxd_dev;
dev = bus_find_device_by_name(bus, NULL, buf);
- if (!dev || dev->driver || drv != &dsa_drv.drv)
+ if (!dev)
return -ENODEV;
+ if (dev->driver || drv != &dsa_drv.drv)
+ goto err_put_dev;
+
idxd_dev = confdev_to_idxd_dev(dev);
if (is_idxd_dev(idxd_dev)) {
alt_drv = driver_find("idxd", bus);
@@ -53,13 +61,20 @@ static ssize_t bind_store(struct device_
alt_drv = driver_find("user", bus);
}
if (!alt_drv)
- return -ENODEV;
+ goto err_put_dev;
rc = device_driver_attach(alt_drv, dev);
if (rc < 0)
- return rc;
+ goto err_put_dev;
+
+ put_device(dev);
return count;
+
+err_put_dev:
+ put_device(dev);
+
+ return rc;
}
static DRIVER_ATTR_IGNORE_LOCKDEP(bind, 0200, NULL, bind_store);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 174/198] dmaengine: lpc18xx-dmamux: fix device leak on route allocation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 173/198] dmaengine: idxd: fix device leaks on compat bind and unbind Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 175/198] dmaengine: lpc32xx-dmamux: " Greg Kroah-Hartman
` (37 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Vladimir Zapolskiy,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit d4d63059dee7e7cae0c4d9a532ed558bc90efb55 upstream.
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: e5f4ae84be74 ("dmaengine: add driver for lpc18xx dmamux")
Cc: stable@vger.kernel.org # 4.3
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251117161258.10679-8-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/lpc18xx-dmamux.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
--- a/drivers/dma/lpc18xx-dmamux.c
+++ b/drivers/dma/lpc18xx-dmamux.c
@@ -57,30 +57,31 @@ static void *lpc18xx_dmamux_reserve(stru
struct lpc18xx_dmamux_data *dmamux = platform_get_drvdata(pdev);
unsigned long flags;
unsigned mux;
+ int ret = -EINVAL;
if (dma_spec->args_count != 3) {
dev_err(&pdev->dev, "invalid number of dma mux args\n");
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
mux = dma_spec->args[0];
if (mux >= dmamux->dma_master_requests) {
dev_err(&pdev->dev, "invalid mux number: %d\n",
dma_spec->args[0]);
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
if (dma_spec->args[1] > LPC18XX_DMAMUX_MAX_VAL) {
dev_err(&pdev->dev, "invalid dma mux value: %d\n",
dma_spec->args[1]);
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
/* The of_node_put() will be done in the core for the node */
dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", 0);
if (!dma_spec->np) {
dev_err(&pdev->dev, "can't get dma master\n");
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
spin_lock_irqsave(&dmamux->lock, flags);
@@ -89,7 +90,8 @@ static void *lpc18xx_dmamux_reserve(stru
dev_err(&pdev->dev, "dma request %u busy with %u.%u\n",
mux, mux, dmamux->muxes[mux].value);
of_node_put(dma_spec->np);
- return ERR_PTR(-EBUSY);
+ ret = -EBUSY;
+ goto err_put_pdev;
}
dmamux->muxes[mux].busy = true;
@@ -106,7 +108,14 @@ static void *lpc18xx_dmamux_reserve(stru
dev_dbg(&pdev->dev, "mapping dmamux %u.%u to dma request %u\n", mux,
dmamux->muxes[mux].value, mux);
+ put_device(&pdev->dev);
+
return &dmamux->muxes[mux];
+
+err_put_pdev:
+ put_device(&pdev->dev);
+
+ return ERR_PTR(ret);
}
static int lpc18xx_dmamux_probe(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 175/198] dmaengine: lpc32xx-dmamux: fix device leak on route allocation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 174/198] dmaengine: lpc18xx-dmamux: fix device leak on route allocation Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 176/198] dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Greg Kroah-Hartman
` (36 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Piotr Wojtaszczyk, Johan Hovold,
Vladimir Zapolskiy, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit d9847e6d1d91462890ba297f7888fa598d47e76e upstream.
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: 5d318b595982 ("dmaengine: Add dma router for pl08x in LPC32XX SoC")
Cc: stable@vger.kernel.org # 6.12
Cc: Piotr Wojtaszczyk <piotr.wojtaszczyk@timesys.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://patch.msgid.link/20251117161258.10679-9-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/lpc32xx-dmamux.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
--- a/drivers/dma/lpc32xx-dmamux.c
+++ b/drivers/dma/lpc32xx-dmamux.c
@@ -95,11 +95,12 @@ static void *lpc32xx_dmamux_reserve(stru
struct lpc32xx_dmamux_data *dmamux = platform_get_drvdata(pdev);
unsigned long flags;
struct lpc32xx_dmamux *mux = NULL;
+ int ret = -EINVAL;
int i;
if (dma_spec->args_count != 3) {
dev_err(&pdev->dev, "invalid number of dma mux args\n");
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
for (i = 0; i < ARRAY_SIZE(lpc32xx_muxes); i++) {
@@ -111,20 +112,20 @@ static void *lpc32xx_dmamux_reserve(stru
if (!mux) {
dev_err(&pdev->dev, "invalid mux request number: %d\n",
dma_spec->args[0]);
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
if (dma_spec->args[2] > 1) {
dev_err(&pdev->dev, "invalid dma mux value: %d\n",
dma_spec->args[1]);
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
/* The of_node_put() will be done in the core for the node */
dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", 0);
if (!dma_spec->np) {
dev_err(&pdev->dev, "can't get dma master\n");
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
spin_lock_irqsave(&dmamux->lock, flags);
@@ -133,7 +134,8 @@ static void *lpc32xx_dmamux_reserve(stru
dev_err(dev, "dma request signal %d busy, routed to %s\n",
mux->signal, mux->muxval ? mux->name_sel1 : mux->name_sel1);
of_node_put(dma_spec->np);
- return ERR_PTR(-EBUSY);
+ ret = -EBUSY;
+ goto err_put_pdev;
}
mux->busy = true;
@@ -148,7 +150,14 @@ static void *lpc32xx_dmamux_reserve(stru
dev_dbg(dev, "dma request signal %d routed to %s\n",
mux->signal, mux->muxval ? mux->name_sel1 : mux->name_sel1);
+ put_device(&pdev->dev);
+
return mux;
+
+err_put_pdev:
+ put_device(&pdev->dev);
+
+ return ERR_PTR(ret);
}
static int lpc32xx_dmamux_probe(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 176/198] dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 175/198] dmaengine: lpc32xx-dmamux: " Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 177/198] dmaengine: sh: rz-dmac: fix device leak on probe failure Greg Kroah-Hartman
` (35 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Bjorn Andersson,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miaoqian Lin <linmq006@gmail.com>
commit 3f747004bbd641131d9396d87b5d2d3d1e182728 upstream.
Fix a memory leak in gpi_peripheral_config() where the original memory
pointed to by gchan->config could be lost if krealloc() fails.
The issue occurs when:
1. gchan->config points to previously allocated memory
2. krealloc() fails and returns NULL
3. The function directly assigns NULL to gchan->config, losing the
reference to the original memory
4. The original memory becomes unreachable and cannot be freed
Fix this by using a temporary variable to hold the krealloc() result
and only updating gchan->config when the allocation succeeds.
Found via static analysis and code review.
Fixes: 5d0c3533a19f ("dmaengine: qcom: Add GPI dma driver")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Link: https://patch.msgid.link/20251029123421.91973-1-linmq006@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/qcom/gpi.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/dma/qcom/gpi.c
+++ b/drivers/dma/qcom/gpi.c
@@ -1605,14 +1605,16 @@ static int
gpi_peripheral_config(struct dma_chan *chan, struct dma_slave_config *config)
{
struct gchan *gchan = to_gchan(chan);
+ void *new_config;
if (!config->peripheral_config)
return -EINVAL;
- gchan->config = krealloc(gchan->config, config->peripheral_size, GFP_NOWAIT);
- if (!gchan->config)
+ new_config = krealloc(gchan->config, config->peripheral_size, GFP_NOWAIT);
+ if (!new_config)
return -ENOMEM;
+ gchan->config = new_config;
memcpy(gchan->config, config->peripheral_config, config->peripheral_size);
return 0;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 177/198] dmaengine: sh: rz-dmac: fix device leak on probe failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 176/198] dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 178/198] dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all() Greg Kroah-Hartman
` (34 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabrizio Castro, Johan Hovold,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 9fb490323997dcb6f749cd2660a17a39854600cd upstream.
Make sure to drop the reference taken when looking up the ICU device
during probe also on probe failures (e.g. probe deferral).
Fixes: 7de873201c44 ("dmaengine: sh: rz-dmac: Add RZ/V2H(P) support")
Cc: stable@vger.kernel.org # 6.16
Cc: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Fabrizio Castro <fabrizio.castro.jz@renesas.com>
Link: https://patch.msgid.link/20251117161258.10679-10-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/sh/rz-dmac.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/dma/sh/rz-dmac.c
+++ b/drivers/dma/sh/rz-dmac.c
@@ -854,6 +854,13 @@ static int rz_dmac_chan_probe(struct rz_
return 0;
}
+static void rz_dmac_put_device(void *_dev)
+{
+ struct device *dev = _dev;
+
+ put_device(dev);
+}
+
static int rz_dmac_parse_of_icu(struct device *dev, struct rz_dmac *dmac)
{
struct device_node *np = dev->of_node;
@@ -876,6 +883,10 @@ static int rz_dmac_parse_of_icu(struct d
return -ENODEV;
}
+ ret = devm_add_action_or_reset(dev, rz_dmac_put_device, &dmac->icu.pdev->dev);
+ if (ret)
+ return ret;
+
dmac_index = args.args[0];
if (dmac_index > RZV2H_MAX_DMAC_INDEX) {
dev_err(dev, "DMAC index %u invalid.\n", dmac_index);
@@ -1055,8 +1066,6 @@ static void rz_dmac_remove(struct platfo
reset_control_assert(dmac->rstc);
pm_runtime_put(&pdev->dev);
pm_runtime_disable(&pdev->dev);
-
- platform_device_put(dmac->icu.pdev);
}
static const struct of_device_id of_rz_dmac_match[] = {
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 178/198] dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 177/198] dmaengine: sh: rz-dmac: fix device leak on probe failure Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 179/198] dmaengine: stm32: dmamux: fix device leak on route allocation Greg Kroah-Hartman
` (33 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Geert Uytterhoeven, Biju Das,
Claudiu Beznea, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
commit 747213b08a1ab6a76e3e3b3e7a209cc1d402b5d0 upstream.
After audio full duplex testing, playing the recorded file contains a few
playback frames from the previous time. The rz_dmac_terminate_all() does
not reset all the hardware descriptors queued previously, leading to the
wrong descriptor being picked up during the next DMA transfer. Fix the
above issue by resetting all the descriptor headers for a channel in
rz_dmac_terminate_all() as rz_dmac_lmdesc_recycle() points to the proper
descriptor header filled by the rz_dmac_prepare_descs_for_slave_sg().
Cc: stable@kernel.org
Fixes: 5000d37042a6 ("dmaengine: sh: Add DMAC driver for RZ/G2L SoC")
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Tested-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
Link: https://patch.msgid.link/20251113195052.564338-1-biju.das.jz@bp.renesas.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/sh/rz-dmac.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/dma/sh/rz-dmac.c
+++ b/drivers/dma/sh/rz-dmac.c
@@ -557,11 +557,16 @@ rz_dmac_prep_slave_sg(struct dma_chan *c
static int rz_dmac_terminate_all(struct dma_chan *chan)
{
struct rz_dmac_chan *channel = to_rz_dmac_chan(chan);
+ struct rz_lmdesc *lmdesc = channel->lmdesc.base;
unsigned long flags;
+ unsigned int i;
LIST_HEAD(head);
rz_dmac_disable_hw(channel);
spin_lock_irqsave(&channel->vc.lock, flags);
+ for (i = 0; i < DMAC_NR_LMDESC; i++)
+ lmdesc[i].header = 0;
+
list_splice_tail_init(&channel->ld_active, &channel->ld_free);
list_splice_tail_init(&channel->ld_queue, &channel->ld_free);
vchan_get_all_descriptors(&channel->vc, &head);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 179/198] dmaengine: stm32: dmamux: fix device leak on route allocation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 178/198] dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 180/198] dmaengine: stm32: dmamux: fix OF node leak on route allocation failure Greg Kroah-Hartman
` (32 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Yves MORDRET, Johan Hovold,
Amelie Delaunay, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit dd6e4943889fb354efa3f700e42739da9bddb6ef upstream.
Make sure to drop the reference taken when looking up the DMA mux
platform device during route allocation.
Note that holding a reference to a device does not prevent its driver
data from going away so there is no point in keeping the reference.
Fixes: df7e762db5f6 ("dmaengine: Add STM32 DMAMUX driver")
Cc: stable@vger.kernel.org # 4.15
Cc: Pierre-Yves MORDRET <pierre-yves.mordret@foss.st.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
Link: https://patch.msgid.link/20251117161258.10679-11-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/stm32/stm32-dmamux.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
--- a/drivers/dma/stm32/stm32-dmamux.c
+++ b/drivers/dma/stm32/stm32-dmamux.c
@@ -90,23 +90,25 @@ static void *stm32_dmamux_route_allocate
struct stm32_dmamux_data *dmamux = platform_get_drvdata(pdev);
struct stm32_dmamux *mux;
u32 i, min, max;
- int ret;
+ int ret = -EINVAL;
unsigned long flags;
if (dma_spec->args_count != 3) {
dev_err(&pdev->dev, "invalid number of dma mux args\n");
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
if (dma_spec->args[0] > dmamux->dmamux_requests) {
dev_err(&pdev->dev, "invalid mux request number: %d\n",
dma_spec->args[0]);
- return ERR_PTR(-EINVAL);
+ goto err_put_pdev;
}
mux = kzalloc(sizeof(*mux), GFP_KERNEL);
- if (!mux)
- return ERR_PTR(-ENOMEM);
+ if (!mux) {
+ ret = -ENOMEM;
+ goto err_put_pdev;
+ }
spin_lock_irqsave(&dmamux->lock, flags);
mux->chan_id = find_first_zero_bit(dmamux->dma_inuse,
@@ -133,7 +135,6 @@ static void *stm32_dmamux_route_allocate
dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", i - 1);
if (!dma_spec->np) {
dev_err(&pdev->dev, "can't get dma master\n");
- ret = -EINVAL;
goto error;
}
@@ -160,6 +161,8 @@ static void *stm32_dmamux_route_allocate
dev_dbg(&pdev->dev, "Mapping DMAMUX(%u) to DMA%u(%u)\n",
mux->request, mux->master, mux->chan_id);
+ put_device(&pdev->dev);
+
return mux;
error:
@@ -167,6 +170,9 @@ error:
error_chan_id:
kfree(mux);
+err_put_pdev:
+ put_device(&pdev->dev);
+
return ERR_PTR(ret);
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 180/198] dmaengine: stm32: dmamux: fix OF node leak on route allocation failure
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 179/198] dmaengine: stm32: dmamux: fix device leak on route allocation Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 181/198] dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation Greg Kroah-Hartman
` (31 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Yves MORDRET, Johan Hovold,
Amelie Delaunay, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b1b590a590af13ded598e70f0b72bc1e515787a1 upstream.
Make sure to drop the reference taken to the DMA master OF node also on
late route allocation failures.
Fixes: df7e762db5f6 ("dmaengine: Add STM32 DMAMUX driver")
Cc: stable@vger.kernel.org # 4.15
Cc: Pierre-Yves MORDRET <pierre-yves.mordret@foss.st.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
Link: https://patch.msgid.link/20251117161258.10679-12-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/stm32/stm32-dmamux.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/dma/stm32/stm32-dmamux.c
+++ b/drivers/dma/stm32/stm32-dmamux.c
@@ -143,7 +143,7 @@ static void *stm32_dmamux_route_allocate
ret = pm_runtime_resume_and_get(&pdev->dev);
if (ret < 0) {
spin_unlock_irqrestore(&dmamux->lock, flags);
- goto error;
+ goto err_put_dma_spec_np;
}
spin_unlock_irqrestore(&dmamux->lock, flags);
@@ -165,6 +165,8 @@ static void *stm32_dmamux_route_allocate
return mux;
+err_put_dma_spec_np:
+ of_node_put(dma_spec->np);
error:
clear_bit(mux->chan_id, dmamux->dma_inuse);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 181/198] dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 180/198] dmaengine: stm32: dmamux: fix OF node leak on route allocation failure Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 182/198] dmaengine: ti: dma-crossbar: fix device leak on am335x " Greg Kroah-Hartman
` (30 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Miaoqian Lin,
Johan Hovold, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit dc7e44db01fc2498644e3106db3e62a9883a93d5 upstream.
Make sure to drop the reference taken when looking up the crossbar
platform device during dra7x route allocation.
Note that commit 615a4bfc426e ("dmaengine: ti: Add missing put_device in
ti_dra7_xbar_route_allocate") fixed the leak in the error paths but the
reference is still leaking on successful allocation.
Fixes: a074ae38f859 ("dmaengine: Add driver for TI DMA crossbar on DRA7x")
Fixes: 615a4bfc426e ("dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate")
Cc: stable@vger.kernel.org # 4.2: 615a4bfc426e
Cc: Peter Ujfalusi <peter.ujfalusi@ti.com>
Cc: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251117161258.10679-14-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/ti/dma-crossbar.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/dma/ti/dma-crossbar.c
+++ b/drivers/dma/ti/dma-crossbar.c
@@ -288,6 +288,8 @@ static void *ti_dra7_xbar_route_allocate
ti_dra7_xbar_write(xbar->iomem, map->xbar_out, map->xbar_in);
+ put_device(&pdev->dev);
+
return map;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 182/198] dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 181/198] dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 183/198] dmaengine: ti: k3-udma: fix device leak on udma lookup Greg Kroah-Hartman
` (29 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Ujfalusi, Johan Hovold,
Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9 upstream.
Make sure to drop the reference taken when looking up the crossbar
platform device during am335x route allocation.
Fixes: 42dbdcc6bf96 ("dmaengine: ti-dma-crossbar: Add support for crossbar on AM33xx/AM43xx")
Cc: stable@vger.kernel.org # 4.4
Cc: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251117161258.10679-15-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/ti/dma-crossbar.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/dma/ti/dma-crossbar.c
+++ b/drivers/dma/ti/dma-crossbar.c
@@ -79,34 +79,35 @@ static void *ti_am335x_xbar_route_alloca
{
struct platform_device *pdev = of_find_device_by_node(ofdma->of_node);
struct ti_am335x_xbar_data *xbar = platform_get_drvdata(pdev);
- struct ti_am335x_xbar_map *map;
+ struct ti_am335x_xbar_map *map = ERR_PTR(-EINVAL);
if (dma_spec->args_count != 3)
- return ERR_PTR(-EINVAL);
+ goto out_put_pdev;
if (dma_spec->args[2] >= xbar->xbar_events) {
dev_err(&pdev->dev, "Invalid XBAR event number: %d\n",
dma_spec->args[2]);
- return ERR_PTR(-EINVAL);
+ goto out_put_pdev;
}
if (dma_spec->args[0] >= xbar->dma_requests) {
dev_err(&pdev->dev, "Invalid DMA request line number: %d\n",
dma_spec->args[0]);
- return ERR_PTR(-EINVAL);
+ goto out_put_pdev;
}
/* The of_node_put() will be done in the core for the node */
dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", 0);
if (!dma_spec->np) {
dev_err(&pdev->dev, "Can't get DMA master\n");
- return ERR_PTR(-EINVAL);
+ goto out_put_pdev;
}
map = kzalloc(sizeof(*map), GFP_KERNEL);
if (!map) {
of_node_put(dma_spec->np);
- return ERR_PTR(-ENOMEM);
+ map = ERR_PTR(-ENOMEM);
+ goto out_put_pdev;
}
map->dma_line = (u16)dma_spec->args[0];
@@ -120,6 +121,9 @@ static void *ti_am335x_xbar_route_alloca
ti_am335x_xbar_write(xbar->iomem, map->dma_line, map->mux_val);
+out_put_pdev:
+ put_device(&pdev->dev);
+
return map;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 183/198] dmaengine: ti: k3-udma: fix device leak on udma lookup
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 182/198] dmaengine: ti: dma-crossbar: fix device leak on am335x " Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 184/198] mm: add a ptdesc flag to mark kernel page tables Greg Kroah-Hartman
` (28 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Grygorii Strashko, Yu Kuai,
Johan Hovold, Vinod Koul
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit 430f7803b69cd5e5694e5dfc884c6628870af36e upstream.
Make sure to drop the reference taken when looking up the UDMA platform
device.
Note that holding a reference to a platform device does not prevent its
driver data from going away so there is no point in keeping the
reference after the lookup helper returns.
Fixes: d70241913413 ("dmaengine: ti: k3-udma: Add glue layer for non DMAengine users")
Fixes: 1438cde8fe9c ("dmaengine: ti: k3-udma: add missing put_device() call in of_xudma_dev_get()")
Cc: stable@vger.kernel.org # 5.6: 1438cde8fe9c
Cc: Grygorii Strashko <grygorii.strashko@ti.com>
Cc: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20251117161258.10679-17-johan@kernel.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/ti/k3-udma-private.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/dma/ti/k3-udma-private.c
+++ b/drivers/dma/ti/k3-udma-private.c
@@ -42,9 +42,9 @@ struct udma_dev *of_xudma_dev_get(struct
}
ud = platform_get_drvdata(pdev);
+ put_device(&pdev->dev);
if (!ud) {
pr_debug("UDMA has not been probed\n");
- put_device(&pdev->dev);
return ERR_PTR(-EPROBE_DEFER);
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 184/198] mm: add a ptdesc flag to mark kernel page tables
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 183/198] dmaengine: ti: k3-udma: fix device leak on udma lookup Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 185/198] mm: actually mark kernel page table pages Greg Kroah-Hartman
` (27 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Hansen, Lu Baolu,
Jason Gunthorpe, Kevin Tian, David Hildenbrand,
Mike Rapoport (Microsoft), Alistair Popple, Andy Lutomirski,
Borislav Betkov, Ingo Molnar, Jann Horn, Jean-Philippe Brucker,
Joerg Roedel, Liam Howlett, Lorenzo Stoakes,
Matthew Wilcox (Oracle), Michal Hocko, Peter Zijlstra,
Robin Murohy, Thomas Gleinxer, Uladzislau Rezki (Sony),
Vasant Hegde, Vinicius Costa Gomes, Vlastimil Babka, Will Deacon,
Yi Lai, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Hansen <dave.hansen@linux.intel.com>
commit 27bfafac65d87c58639f5d7af1353ec1e7886963 upstream.
The page tables used to map the kernel and userspace often have very
different handling rules. There are frequently *_kernel() variants of
functions just for kernel page tables. That's not great and has lead to
code duplication.
Instead of having completely separate call paths, allow a 'ptdesc' to be
marked as being for kernel mappings. Introduce helpers to set and clear
this status.
Note: this uses the PG_referenced bit. Page flags are a great fit for
this since it is truly a single bit of information. Use PG_referenced
itself because it's a fairly benign flag (as opposed to things like
PG_lock). It's also (according to Willy) unlikely to go away any time
soon.
PG_referenced is not in PAGE_FLAGS_CHECK_AT_FREE. It does not need to be
cleared before freeing the page, and pages coming out of the allocator
should have it cleared. Regardless, introduce an API to clear it anyway.
Having symmetry in the API makes it easier to change the underlying
implementation later, like if there was a need to move to a
PAGE_FLAGS_CHECK_AT_FREE bit.
Link: https://lkml.kernel.org/r/20251022082635.2462433-3-baolu.lu@linux.intel.com
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm.h | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2947,6 +2947,7 @@ static inline pmd_t *pmd_alloc(struct mm
#endif /* CONFIG_MMU */
enum pt_flags {
+ PT_kernel = PG_referenced,
PT_reserved = PG_reserved,
/* High bits are used for zone/node/section */
};
@@ -2973,6 +2974,46 @@ static inline bool pagetable_is_reserved
}
/**
+ * ptdesc_set_kernel - Mark a ptdesc used to map the kernel
+ * @ptdesc: The ptdesc to be marked
+ *
+ * Kernel page tables often need special handling. Set a flag so that
+ * the handling code knows this ptdesc will not be used for userspace.
+ */
+static inline void ptdesc_set_kernel(struct ptdesc *ptdesc)
+{
+ set_bit(PT_kernel, &ptdesc->pt_flags.f);
+}
+
+/**
+ * ptdesc_clear_kernel - Mark a ptdesc as no longer used to map the kernel
+ * @ptdesc: The ptdesc to be unmarked
+ *
+ * Use when the ptdesc is no longer used to map the kernel and no longer
+ * needs special handling.
+ */
+static inline void ptdesc_clear_kernel(struct ptdesc *ptdesc)
+{
+ /*
+ * Note: the 'PG_referenced' bit does not strictly need to be
+ * cleared before freeing the page. But this is nice for
+ * symmetry.
+ */
+ clear_bit(PT_kernel, &ptdesc->pt_flags.f);
+}
+
+/**
+ * ptdesc_test_kernel - Check if a ptdesc is used to map the kernel
+ * @ptdesc: The ptdesc being tested
+ *
+ * Call to tell if the ptdesc used to map the kernel.
+ */
+static inline bool ptdesc_test_kernel(const struct ptdesc *ptdesc)
+{
+ return test_bit(PT_kernel, &ptdesc->pt_flags.f);
+}
+
+/**
* pagetable_alloc - Allocate pagetables
* @gfp: GFP flags
* @order: desired pagetable order
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 185/198] mm: actually mark kernel page table pages
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 184/198] mm: add a ptdesc flag to mark kernel page tables Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 186/198] x86/mm: use ptdesc when freeing PMD pages Greg Kroah-Hartman
` (26 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Hansen, Lu Baolu,
Jason Gunthorpe, Kevin Tian, David Hildenbrand,
Mike Rapoport (Microsoft), Alistair Popple, Andy Lutomirski,
Borislav Betkov, Ingo Molnar, Jann Horn, Jean-Philippe Brucker,
Joerg Roedel, Liam Howlett, Lorenzo Stoakes,
Matthew Wilcox (Oracle), Michal Hocko, Peter Zijlstra,
Robin Murohy, Thomas Gleinxer, Uladzislau Rezki (Sony),
Vasant Hegde, Vinicius Costa Gomes, Vlastimil Babka, Will Deacon,
Yi Lai, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Hansen <dave.hansen@linux.intel.com>
commit 977870522af34359b461060597ee3a86f27450d6 upstream.
Now that the API is in place, mark kernel page table pages just after they
are allocated. Unmark them just before they are freed.
Note: Unconditionally clearing the 'kernel' marking (via
ptdesc_clear_kernel()) would be functionally identical to what is here.
But having the if() makes it logically clear that this function can be
used for kernel and non-kernel page tables.
Link: https://lkml.kernel.org/r/20251022082635.2462433-4-baolu.lu@linux.intel.com
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/asm-generic/pgalloc.h | 18 ++++++++++++++++++
include/linux/mm.h | 3 +++
2 files changed, 21 insertions(+)
--- a/include/asm-generic/pgalloc.h
+++ b/include/asm-generic/pgalloc.h
@@ -28,6 +28,8 @@ static inline pte_t *__pte_alloc_one_ker
return NULL;
}
+ ptdesc_set_kernel(ptdesc);
+
return ptdesc_address(ptdesc);
}
#define __pte_alloc_one_kernel(...) alloc_hooks(__pte_alloc_one_kernel_noprof(__VA_ARGS__))
@@ -146,6 +148,10 @@ static inline pmd_t *pmd_alloc_one_nopro
pagetable_free(ptdesc);
return NULL;
}
+
+ if (mm == &init_mm)
+ ptdesc_set_kernel(ptdesc);
+
return ptdesc_address(ptdesc);
}
#define pmd_alloc_one(...) alloc_hooks(pmd_alloc_one_noprof(__VA_ARGS__))
@@ -179,6 +185,10 @@ static inline pud_t *__pud_alloc_one_nop
return NULL;
pagetable_pud_ctor(ptdesc);
+
+ if (mm == &init_mm)
+ ptdesc_set_kernel(ptdesc);
+
return ptdesc_address(ptdesc);
}
#define __pud_alloc_one(...) alloc_hooks(__pud_alloc_one_noprof(__VA_ARGS__))
@@ -233,6 +243,10 @@ static inline p4d_t *__p4d_alloc_one_nop
return NULL;
pagetable_p4d_ctor(ptdesc);
+
+ if (mm == &init_mm)
+ ptdesc_set_kernel(ptdesc);
+
return ptdesc_address(ptdesc);
}
#define __p4d_alloc_one(...) alloc_hooks(__p4d_alloc_one_noprof(__VA_ARGS__))
@@ -277,6 +291,10 @@ static inline pgd_t *__pgd_alloc_noprof(
return NULL;
pagetable_pgd_ctor(ptdesc);
+
+ if (mm == &init_mm)
+ ptdesc_set_kernel(ptdesc);
+
return ptdesc_address(ptdesc);
}
#define __pgd_alloc(...) alloc_hooks(__pgd_alloc_noprof(__VA_ARGS__))
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3042,6 +3042,9 @@ static inline void pagetable_free(struct
{
struct page *page = ptdesc_page(pt);
+ if (ptdesc_test_kernel(pt))
+ ptdesc_clear_kernel(pt);
+
__free_pages(page, compound_order(page));
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 186/198] x86/mm: use ptdesc when freeing PMD pages
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 185/198] mm: actually mark kernel page table pages Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 187/198] mm: introduce pure page table freeing function Greg Kroah-Hartman
` (25 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Hansen, Lu Baolu,
Jason Gunthorpe, Kevin Tian, Alistair Popple, Andy Lutomirski,
Borislav Betkov, David Hildenbrand, Ingo Molnar, Jann Horn,
Jean-Philippe Brucker, Joerg Roedel, Liam Howlett,
Lorenzo Stoakes, Matthew Wilcox (Oracle), Michal Hocko,
Mike Rapoport (Microsoft), Peter Zijlstra, Robin Murohy,
Thomas Gleinxer, Uladzislau Rezki (Sony), Vasant Hegde,
Vinicius Costa Gomes, Vlastimil Babka, Will Deacon, Yi Lai,
Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Hansen <dave.hansen@linux.intel.com>
commit 412d000346ea38ac4b9bb715a86c73ef89d90dea upstream.
There are a billion ways to refer to a physical memory address. One of
the x86 PMD freeing code location chooses to use a 'pte_t *' to point to a
PMD page and then call a PTE-specific freeing function for it. That's a
bit wonky.
Just use a 'struct ptdesc *' instead. Its entire purpose is to refer to
page table pages. It also means being able to remove an explicit cast.
Right now, pte_free_kernel() is a one-liner that calls
pagetable_dtor_free(). Effectively, all this patch does is remove one
superfluous __pa(__va(paddr)) conversion and then call
pagetable_dtor_free() directly instead of through a helper.
Link: https://lkml.kernel.org/r/20251022082635.2462433-5-baolu.lu@linux.intel.com
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: David Hildenbrand <david@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/pgtable.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
@@ -729,7 +729,7 @@ int pmd_clear_huge(pmd_t *pmd)
int pud_free_pmd_page(pud_t *pud, unsigned long addr)
{
pmd_t *pmd, *pmd_sv;
- pte_t *pte;
+ struct ptdesc *pt;
int i;
pmd = pud_pgtable(*pud);
@@ -750,8 +750,8 @@ int pud_free_pmd_page(pud_t *pud, unsign
for (i = 0; i < PTRS_PER_PMD; i++) {
if (!pmd_none(pmd_sv[i])) {
- pte = (pte_t *)pmd_page_vaddr(pmd_sv[i]);
- pte_free_kernel(&init_mm, pte);
+ pt = page_ptdesc(pmd_page(pmd_sv[i]));
+ pagetable_dtor_free(pt);
}
}
@@ -772,15 +772,15 @@ int pud_free_pmd_page(pud_t *pud, unsign
*/
int pmd_free_pte_page(pmd_t *pmd, unsigned long addr)
{
- pte_t *pte;
+ struct ptdesc *pt;
- pte = (pte_t *)pmd_page_vaddr(*pmd);
+ pt = page_ptdesc(pmd_page(*pmd));
pmd_clear(pmd);
/* INVLPG to clear all paging-structure caches */
flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1);
- pte_free_kernel(&init_mm, pte);
+ pagetable_dtor_free(pt);
return 1;
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 187/198] mm: introduce pure page table freeing function
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 186/198] x86/mm: use ptdesc when freeing PMD pages Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 188/198] x86/mm: use pagetable_free() Greg Kroah-Hartman
` (24 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Hansen, Lu Baolu,
Jason Gunthorpe, Kevin Tian, David Hildenbrand,
Mike Rapoport (Microsoft), Alistair Popple, Andy Lutomirski,
Borislav Betkov, Ingo Molnar, Jann Horn, Jean-Philippe Brucker,
Joerg Roedel, Liam Howlett, Lorenzo Stoakes,
Matthew Wilcox (Oracle), Michal Hocko, Peter Zijlstra,
Robin Murohy, Thomas Gleinxer, Uladzislau Rezki (Sony),
Vasant Hegde, Vinicius Costa Gomes, Vlastimil Babka, Will Deacon,
Yi Lai, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Hansen <dave.hansen@linux.intel.com>
commit 01894295672335ff304beed4359f30d14d5765f2 upstream.
The pages used for ptdescs are currently freed back to the allocator in a
single location. They will shortly be freed from a second location.
Create a simple helper that just frees them back to the allocator.
Link: https://lkml.kernel.org/r/20251022082635.2462433-6-baolu.lu@linux.intel.com
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm.h | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3031,6 +3031,13 @@ static inline struct ptdesc *pagetable_a
}
#define pagetable_alloc(...) alloc_hooks(pagetable_alloc_noprof(__VA_ARGS__))
+static inline void __pagetable_free(struct ptdesc *pt)
+{
+ struct page *page = ptdesc_page(pt);
+
+ __free_pages(page, compound_order(page));
+}
+
/**
* pagetable_free - Free pagetables
* @pt: The page table descriptor
@@ -3040,12 +3047,10 @@ static inline struct ptdesc *pagetable_a
*/
static inline void pagetable_free(struct ptdesc *pt)
{
- struct page *page = ptdesc_page(pt);
-
if (ptdesc_test_kernel(pt))
ptdesc_clear_kernel(pt);
- __free_pages(page, compound_order(page));
+ __pagetable_free(pt);
}
#if defined(CONFIG_SPLIT_PTE_PTLOCKS)
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 188/198] x86/mm: use pagetable_free()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 187/198] mm: introduce pure page table freeing function Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 189/198] mm: introduce deferred freeing for kernel page tables Greg Kroah-Hartman
` (23 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lu Baolu, Jason Gunthorpe,
David Hildenbrand, Mike Rapoport (Microsoft), Alistair Popple,
Andy Lutomirski, Borislav Betkov, Dave Hansen, Ingo Molnar,
Jann Horn, Jean-Philippe Brucker, Joerg Roedel, Kevin Tian,
Liam Howlett, Lorenzo Stoakes, Matthew Wilcox (Oracle),
Michal Hocko, Peter Zijlstra, Robin Murohy, Thomas Gleinxer,
Uladzislau Rezki (Sony), Vasant Hegde, Vinicius Costa Gomes,
Vlastimil Babka, Will Deacon, Yi Lai, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit bf9e4e30f3538391745a99bc2268ec4f5e4a401e upstream.
The kernel's memory management subsystem provides a dedicated interface,
pagetable_free(), for freeing page table pages. Updates two call sites to
use pagetable_free() instead of the lower-level __free_page() or
free_pages(). This improves code consistency and clarity, and ensures the
correct freeing mechanism is used.
Link: https://lkml.kernel.org/r/20251022082635.2462433-7-baolu.lu@linux.intel.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Kevin Tian <kevin.tian@intel.com>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/mm/init_64.c | 2 +-
arch/x86/mm/pat/set_memory.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/mm/init_64.c
+++ b/arch/x86/mm/init_64.c
@@ -1031,7 +1031,7 @@ static void __meminit free_pagetable(str
free_reserved_pages(page, nr_pages);
#endif
} else {
- __free_pages(page, order);
+ pagetable_free(page_ptdesc(page));
}
}
--- a/arch/x86/mm/pat/set_memory.c
+++ b/arch/x86/mm/pat/set_memory.c
@@ -429,7 +429,7 @@ static void cpa_collapse_large_pages(str
list_for_each_entry_safe(ptdesc, tmp, &pgtables, pt_list) {
list_del(&ptdesc->pt_list);
- __free_page(ptdesc_page(ptdesc));
+ pagetable_free(ptdesc);
}
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 189/198] mm: introduce deferred freeing for kernel page tables
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 188/198] x86/mm: use pagetable_free() Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 190/198] iommu/sva: invalidate stale IOTLB entries for kernel address space Greg Kroah-Hartman
` (22 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Hansen, Lu Baolu,
Jason Gunthorpe, Kevin Tian, David Hildenbrand,
Mike Rapoport (Microsoft), Alistair Popple, Andy Lutomirski,
Borislav Betkov, Ingo Molnar, Jann Horn, Jean-Philippe Brucker,
Joerg Roedel, Liam Howlett, Lorenzo Stoakes,
Matthew Wilcox (Oracle), Michal Hocko, Peter Zijlstra,
Robin Murohy, Thomas Gleinxer, Uladzislau Rezki (Sony),
Vasant Hegde, Vinicius Costa Gomes, Vlastimil Babka, Will Deacon,
Yi Lai, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dave Hansen <dave.hansen@linux.intel.com>
commit 5ba2f0a1556479638ac11a3c201421f5515e89f5 upstream.
This introduces a conditional asynchronous mechanism, enabled by
CONFIG_ASYNC_KERNEL_PGTABLE_FREE. When enabled, this mechanism defers the
freeing of pages that are used as page tables for kernel address mappings.
These pages are now queued to a work struct instead of being freed
immediately.
This deferred freeing allows for batch-freeing of page tables, providing a
safe context for performing a single expensive operation (TLB flush) for a
batch of kernel page tables instead of performing that expensive operation
for each page table.
Link: https://lkml.kernel.org/r/20251022082635.2462433-8-baolu.lu@linux.intel.com
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/mm.h | 16 +++++++++++++---
mm/Kconfig | 3 +++
mm/pgtable-generic.c | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 53 insertions(+), 3 deletions(-)
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -3038,6 +3038,14 @@ static inline void __pagetable_free(stru
__free_pages(page, compound_order(page));
}
+#ifdef CONFIG_ASYNC_KERNEL_PGTABLE_FREE
+void pagetable_free_kernel(struct ptdesc *pt);
+#else
+static inline void pagetable_free_kernel(struct ptdesc *pt)
+{
+ __pagetable_free(pt);
+}
+#endif
/**
* pagetable_free - Free pagetables
* @pt: The page table descriptor
@@ -3047,10 +3055,12 @@ static inline void __pagetable_free(stru
*/
static inline void pagetable_free(struct ptdesc *pt)
{
- if (ptdesc_test_kernel(pt))
+ if (ptdesc_test_kernel(pt)) {
ptdesc_clear_kernel(pt);
-
- __pagetable_free(pt);
+ pagetable_free_kernel(pt);
+ } else {
+ __pagetable_free(pt);
+ }
}
#if defined(CONFIG_SPLIT_PTE_PTLOCKS)
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -915,6 +915,9 @@ config HAVE_GIGANTIC_FOLIOS
def_bool (HUGETLB_PAGE && ARCH_HAS_GIGANTIC_PAGE) || \
(ZONE_DEVICE && HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD)
+config ASYNC_KERNEL_PGTABLE_FREE
+ def_bool n
+
# TODO: Allow to be enabled without THP
config ARCH_SUPPORTS_HUGE_PFNMAP
def_bool n
--- a/mm/pgtable-generic.c
+++ b/mm/pgtable-generic.c
@@ -406,3 +406,40 @@ again:
pte_unmap_unlock(pte, ptl);
goto again;
}
+
+#ifdef CONFIG_ASYNC_KERNEL_PGTABLE_FREE
+static void kernel_pgtable_work_func(struct work_struct *work);
+
+static struct {
+ struct list_head list;
+ /* protect above ptdesc lists */
+ spinlock_t lock;
+ struct work_struct work;
+} kernel_pgtable_work = {
+ .list = LIST_HEAD_INIT(kernel_pgtable_work.list),
+ .lock = __SPIN_LOCK_UNLOCKED(kernel_pgtable_work.lock),
+ .work = __WORK_INITIALIZER(kernel_pgtable_work.work, kernel_pgtable_work_func),
+};
+
+static void kernel_pgtable_work_func(struct work_struct *work)
+{
+ struct ptdesc *pt, *next;
+ LIST_HEAD(page_list);
+
+ spin_lock(&kernel_pgtable_work.lock);
+ list_splice_tail_init(&kernel_pgtable_work.list, &page_list);
+ spin_unlock(&kernel_pgtable_work.lock);
+
+ list_for_each_entry_safe(pt, next, &page_list, pt_list)
+ __pagetable_free(pt);
+}
+
+void pagetable_free_kernel(struct ptdesc *pt)
+{
+ spin_lock(&kernel_pgtable_work.lock);
+ list_add(&pt->pt_list, &kernel_pgtable_work.list);
+ spin_unlock(&kernel_pgtable_work.lock);
+
+ schedule_work(&kernel_pgtable_work.work);
+}
+#endif
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 190/198] iommu/sva: invalidate stale IOTLB entries for kernel address space
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 189/198] mm: introduce deferred freeing for kernel page tables Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 191/198] HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking Greg Kroah-Hartman
` (21 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Lu Baolu, Jann Horn,
Vasant Hegde, Kevin Tian, Alistair Popple, Andy Lutomirski,
Borislav Betkov, Dave Hansen, David Hildenbrand, Ingo Molnar,
Jean-Philippe Brucker, Joerg Roedel, Liam Howlett,
Lorenzo Stoakes, Matthew Wilcox (Oracle), Michal Hocko,
Mike Rapoport (Microsoft), Peter Zijlstra, Robin Murohy,
Thomas Gleinxer, Uladzislau Rezki (Sony), Vinicius Costa Gomes,
Vlastimil Babka, Will Deacon, Yi Lai, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
commit e37d5a2d60a338c5917c45296bac65da1382eda5 upstream.
Introduce a new IOMMU interface to flush IOTLB paging cache entries for
the CPU kernel address space. This interface is invoked from the x86
architecture code that manages combined user and kernel page tables,
specifically before any kernel page table page is freed and reused.
This addresses the main issue with vfree() which is a common occurrence
and can be triggered by unprivileged users. While this resolves the
primary problem, it doesn't address some extremely rare case related to
memory unplug of memory that was present as reserved memory at boot, which
cannot be triggered by unprivileged users. The discussion can be found at
the link below.
Enable SVA on x86 architecture since the IOMMU can now receive
notification to flush the paging cache before freeing the CPU kernel page
table pages.
Link: https://lkml.kernel.org/r/20251022082635.2462433-9-baolu.lu@linux.intel.com
Link: https://lore.kernel.org/linux-iommu/04983c62-3b1d-40d4-93ae-34ca04b827e5@intel.com/
Co-developed-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Suggested-by: Jann Horn <jannh@google.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Vasant Hegde <vasant.hegde@amd.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Betkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mike Rapoport (Microsoft) <rppt@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robin Murohy <robin.murphy@arm.com>
Cc: Thomas Gleinxer <tglx@linutronix.de>
Cc: "Uladzislau Rezki (Sony)" <urezki@gmail.com>
Cc: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Will Deacon <will@kernel.org>
Cc: Yi Lai <yi1.lai@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/Kconfig | 1 +
drivers/iommu/iommu-sva.c | 32 ++++++++++++++++++++++++++++----
include/linux/iommu.h | 4 ++++
mm/pgtable-generic.c | 2 ++
4 files changed, 35 insertions(+), 4 deletions(-)
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -279,6 +279,7 @@ config X86
select HAVE_PCI
select HAVE_PERF_REGS
select HAVE_PERF_USER_STACK_DUMP
+ select ASYNC_KERNEL_PGTABLE_FREE if IOMMU_SVA
select MMU_GATHER_RCU_TABLE_FREE
select MMU_GATHER_MERGE_VMAS
select HAVE_POSIX_CPU_TIMERS_TASK_WORK
--- a/drivers/iommu/iommu-sva.c
+++ b/drivers/iommu/iommu-sva.c
@@ -10,6 +10,8 @@
#include "iommu-priv.h"
static DEFINE_MUTEX(iommu_sva_lock);
+static bool iommu_sva_present;
+static LIST_HEAD(iommu_sva_mms);
static struct iommu_domain *iommu_sva_domain_alloc(struct device *dev,
struct mm_struct *mm);
@@ -42,6 +44,7 @@ static struct iommu_mm_data *iommu_alloc
return ERR_PTR(-ENOSPC);
}
iommu_mm->pasid = pasid;
+ iommu_mm->mm = mm;
INIT_LIST_HEAD(&iommu_mm->sva_domains);
/*
* Make sure the write to mm->iommu_mm is not reordered in front of
@@ -77,9 +80,6 @@ struct iommu_sva *iommu_sva_bind_device(
if (!group)
return ERR_PTR(-ENODEV);
- if (IS_ENABLED(CONFIG_X86))
- return ERR_PTR(-EOPNOTSUPP);
-
mutex_lock(&iommu_sva_lock);
/* Allocate mm->pasid if necessary. */
@@ -135,8 +135,13 @@ struct iommu_sva *iommu_sva_bind_device(
if (ret)
goto out_free_domain;
domain->users = 1;
- list_add(&domain->next, &mm->iommu_mm->sva_domains);
+ if (list_empty(&iommu_mm->sva_domains)) {
+ if (list_empty(&iommu_sva_mms))
+ iommu_sva_present = true;
+ list_add(&iommu_mm->mm_list_elm, &iommu_sva_mms);
+ }
+ list_add(&domain->next, &iommu_mm->sva_domains);
out:
refcount_set(&handle->users, 1);
mutex_unlock(&iommu_sva_lock);
@@ -178,6 +183,13 @@ void iommu_sva_unbind_device(struct iomm
list_del(&domain->next);
iommu_domain_free(domain);
}
+
+ if (list_empty(&iommu_mm->sva_domains)) {
+ list_del(&iommu_mm->mm_list_elm);
+ if (list_empty(&iommu_sva_mms))
+ iommu_sva_present = false;
+ }
+
mutex_unlock(&iommu_sva_lock);
kfree(handle);
}
@@ -315,3 +327,15 @@ static struct iommu_domain *iommu_sva_do
return domain;
}
+
+void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end)
+{
+ struct iommu_mm_data *iommu_mm;
+
+ guard(mutex)(&iommu_sva_lock);
+ if (!iommu_sva_present)
+ return;
+
+ list_for_each_entry(iommu_mm, &iommu_sva_mms, mm_list_elm)
+ mmu_notifier_arch_invalidate_secondary_tlbs(iommu_mm->mm, start, end);
+}
--- a/include/linux/iommu.h
+++ b/include/linux/iommu.h
@@ -1134,7 +1134,9 @@ struct iommu_sva {
struct iommu_mm_data {
u32 pasid;
+ struct mm_struct *mm;
struct list_head sva_domains;
+ struct list_head mm_list_elm;
};
int iommu_fwspec_init(struct device *dev, struct fwnode_handle *iommu_fwnode);
@@ -1615,6 +1617,7 @@ struct iommu_sva *iommu_sva_bind_device(
struct mm_struct *mm);
void iommu_sva_unbind_device(struct iommu_sva *handle);
u32 iommu_sva_get_pasid(struct iommu_sva *handle);
+void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end);
#else
static inline struct iommu_sva *
iommu_sva_bind_device(struct device *dev, struct mm_struct *mm)
@@ -1639,6 +1642,7 @@ static inline u32 mm_get_enqcmd_pasid(st
}
static inline void mm_pasid_drop(struct mm_struct *mm) {}
+static inline void iommu_sva_invalidate_kva_range(unsigned long start, unsigned long end) {}
#endif /* CONFIG_IOMMU_SVA */
#ifdef CONFIG_IOMMU_IOPF
--- a/mm/pgtable-generic.c
+++ b/mm/pgtable-generic.c
@@ -13,6 +13,7 @@
#include <linux/swap.h>
#include <linux/swapops.h>
#include <linux/mm_inline.h>
+#include <linux/iommu.h>
#include <asm/pgalloc.h>
#include <asm/tlb.h>
@@ -430,6 +431,7 @@ static void kernel_pgtable_work_func(str
list_splice_tail_init(&kernel_pgtable_work.list, &page_list);
spin_unlock(&kernel_pgtable_work.lock);
+ iommu_sva_invalidate_kva_range(PAGE_OFFSET, TLB_FLUSH_ALL);
list_for_each_entry_safe(pt, next, &page_list, pt_list)
__pagetable_free(pt);
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 191/198] HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 190/198] iommu/sva: invalidate stale IOTLB entries for kernel address space Greg Kroah-Hartman
@ 2026-01-21 18:16 ` Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 192/198] HID: intel-ish-hid: Fix -Wcast-function-type-strict in devm_ishtp_alloc_workqueue() Greg Kroah-Hartman
` (20 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Lixu, Jiri Kosina
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Lixu <lixu.zhang@intel.com>
commit 0d30dae38fe01cd1de358c6039a0b1184689fe51 upstream.
During suspend/resume tests with S2IDLE, some ISH functional failures were
observed because of delay in executing ISH resume handler. Here
schedule_work() is used from resume handler to do actual work.
schedule_work() uses system_wq, which is a per CPU work queue. Although
the queuing is not bound to a CPU, but it prefers local CPU of the caller,
unless prohibited.
Users of this work queue are not supposed to queue long running work.
But in practice, there are scenarios where long running work items are
queued on other unbound workqueues, occupying the CPU. As a result, the
ISH resume handler may not get a chance to execute in a timely manner.
In one scenario, one of the ish_resume_handler() executions was delayed
nearly 1 second because another work item on an unbound workqueue occupied
the same CPU. This delay causes ISH functionality failures.
A similar issue was previously observed where the ISH HID driver timed out
while getting the HID descriptor during S4 resume in the recovery kernel,
likely caused by the same workqueue contention problem.
Create dedicated unbound workqueues for all ISH operations to allow work
items to execute on any available CPU, eliminating CPU-specific bottlenecks
and improving resume reliability under varying system loads. Also ISH has
three different components, a bus driver which implements ISH protocols, a
PCI interface layer and HID interface. Use one dedicated work queue for all
of them.
Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/intel-ish-hid/ipc/ipc.c | 21 ++++++++++++++++++++-
drivers/hid/intel-ish-hid/ipc/pci-ish.c | 2 +-
drivers/hid/intel-ish-hid/ishtp-hid-client.c | 4 ++--
drivers/hid/intel-ish-hid/ishtp/bus.c | 18 +++++++++++++++++-
drivers/hid/intel-ish-hid/ishtp/hbm.c | 4 ++--
drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h | 3 +++
include/linux/intel-ish-client-if.h | 2 ++
7 files changed, 47 insertions(+), 7 deletions(-)
--- a/drivers/hid/intel-ish-hid/ipc/ipc.c
+++ b/drivers/hid/intel-ish-hid/ipc/ipc.c
@@ -628,7 +628,7 @@ static void recv_ipc(struct ishtp_device
if (!ishtp_dev) {
ishtp_dev = dev;
}
- schedule_work(&fw_reset_work);
+ queue_work(dev->unbound_wq, &fw_reset_work);
break;
case MNG_RESET_NOTIFY_ACK:
@@ -933,6 +933,21 @@ static const struct ishtp_hw_ops ish_hw_
.dma_no_cache_snooping = _dma_no_cache_snooping
};
+static struct workqueue_struct *devm_ishtp_alloc_workqueue(struct device *dev)
+{
+ struct workqueue_struct *wq;
+
+ wq = alloc_workqueue("ishtp_unbound_%d", WQ_UNBOUND, 0, dev->id);
+ if (!wq)
+ return NULL;
+
+ if (devm_add_action_or_reset(dev, (void (*)(void *))destroy_workqueue,
+ wq))
+ return NULL;
+
+ return wq;
+}
+
/**
* ish_dev_init() -Initialize ISH devoce
* @pdev: PCI device
@@ -953,6 +968,10 @@ struct ishtp_device *ish_dev_init(struct
if (!dev)
return NULL;
+ dev->unbound_wq = devm_ishtp_alloc_workqueue(&pdev->dev);
+ if (!dev->unbound_wq)
+ return NULL;
+
dev->devc = &pdev->dev;
ishtp_device_init(dev);
--- a/drivers/hid/intel-ish-hid/ipc/pci-ish.c
+++ b/drivers/hid/intel-ish-hid/ipc/pci-ish.c
@@ -384,7 +384,7 @@ static int __maybe_unused ish_resume(str
ish_resume_device = device;
dev->resume_flag = 1;
- schedule_work(&resume_work);
+ queue_work(dev->unbound_wq, &resume_work);
return 0;
}
--- a/drivers/hid/intel-ish-hid/ishtp-hid-client.c
+++ b/drivers/hid/intel-ish-hid/ishtp-hid-client.c
@@ -860,7 +860,7 @@ static int hid_ishtp_cl_reset(struct ish
hid_ishtp_trace(client_data, "%s hid_ishtp_cl %p\n", __func__,
hid_ishtp_cl);
- schedule_work(&client_data->work);
+ queue_work(ishtp_get_workqueue(cl_device), &client_data->work);
return 0;
}
@@ -902,7 +902,7 @@ static int hid_ishtp_cl_resume(struct de
hid_ishtp_trace(client_data, "%s hid_ishtp_cl %p\n", __func__,
hid_ishtp_cl);
- schedule_work(&client_data->resume_work);
+ queue_work(ishtp_get_workqueue(cl_device), &client_data->resume_work);
return 0;
}
--- a/drivers/hid/intel-ish-hid/ishtp/bus.c
+++ b/drivers/hid/intel-ish-hid/ishtp/bus.c
@@ -541,7 +541,7 @@ void ishtp_cl_bus_rx_event(struct ishtp_
return;
if (device->event_cb)
- schedule_work(&device->event_work);
+ queue_work(device->ishtp_dev->unbound_wq, &device->event_work);
}
/**
@@ -877,6 +877,22 @@ struct device *ishtp_get_pci_device(stru
EXPORT_SYMBOL(ishtp_get_pci_device);
/**
+ * ishtp_get_workqueue - Retrieve the workqueue associated with an ISHTP device
+ * @cl_device: Pointer to the ISHTP client device structure
+ *
+ * Returns the workqueue_struct pointer (unbound_wq) associated with the given
+ * ISHTP client device. This workqueue is typically used for scheduling work
+ * related to the device.
+ *
+ * Return: Pointer to struct workqueue_struct.
+ */
+struct workqueue_struct *ishtp_get_workqueue(struct ishtp_cl_device *cl_device)
+{
+ return cl_device->ishtp_dev->unbound_wq;
+}
+EXPORT_SYMBOL(ishtp_get_workqueue);
+
+/**
* ishtp_trace_callback() - Return trace callback
* @cl_device: ISH-TP client device instance
*
--- a/drivers/hid/intel-ish-hid/ishtp/hbm.c
+++ b/drivers/hid/intel-ish-hid/ishtp/hbm.c
@@ -573,7 +573,7 @@ void ishtp_hbm_dispatch(struct ishtp_dev
/* Start firmware loading process if it has loader capability */
if (version_res->host_version_supported & ISHTP_SUPPORT_CAP_LOADER)
- schedule_work(&dev->work_fw_loader);
+ queue_work(dev->unbound_wq, &dev->work_fw_loader);
dev->version.major_version = HBM_MAJOR_VERSION;
dev->version.minor_version = HBM_MINOR_VERSION;
@@ -864,7 +864,7 @@ void recv_hbm(struct ishtp_device *dev,
dev->rd_msg_fifo_tail = (dev->rd_msg_fifo_tail + IPC_PAYLOAD_SIZE) %
(RD_INT_FIFO_SIZE * IPC_PAYLOAD_SIZE);
spin_unlock_irqrestore(&dev->rd_msg_spinlock, flags);
- schedule_work(&dev->bh_hbm_work);
+ queue_work(dev->unbound_wq, &dev->bh_hbm_work);
eoi:
return;
}
--- a/drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h
+++ b/drivers/hid/intel-ish-hid/ishtp/ishtp-dev.h
@@ -175,6 +175,9 @@ struct ishtp_device {
struct hbm_version version;
int transfer_path; /* Choice of transfer path: IPC or DMA */
+ /* Alloc a dedicated unbound workqueue for ishtp device */
+ struct workqueue_struct *unbound_wq;
+
/* work structure for scheduling firmware loading tasks */
struct work_struct work_fw_loader;
/* waitq for waiting for command response from the firmware loader */
--- a/include/linux/intel-ish-client-if.h
+++ b/include/linux/intel-ish-client-if.h
@@ -87,6 +87,8 @@ bool ishtp_wait_resume(struct ishtp_devi
ishtp_print_log ishtp_trace_callback(struct ishtp_cl_device *cl_device);
/* Get device pointer of PCI device for DMA acces */
struct device *ishtp_get_pci_device(struct ishtp_cl_device *cl_device);
+/* Get the ISHTP workqueue */
+struct workqueue_struct *ishtp_get_workqueue(struct ishtp_cl_device *cl_device);
struct ishtp_cl *ishtp_cl_allocate(struct ishtp_cl_device *cl_device);
void ishtp_cl_free(struct ishtp_cl *cl);
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 192/198] HID: intel-ish-hid: Fix -Wcast-function-type-strict in devm_ishtp_alloc_workqueue()
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2026-01-21 18:16 ` [PATCH 6.18 191/198] HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking Greg Kroah-Hartman
@ 2026-01-21 18:17 ` Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 193/198] btrfs: fix deadlock in wait_current_trans() due to ignored transaction type Greg Kroah-Hartman
` (19 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Nathan Chancellor,
Srinivas Pandruvada, Zhang Lixu, Jiri Kosina
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nathan Chancellor <nathan@kernel.org>
commit 3644f4411713f52bf231574aa8759e3d8e20b341 upstream.
Clang warns (or errors with CONFIG_WERROR=y / W=e):
drivers/hid/intel-ish-hid/ipc/ipc.c:935:36: error: cast from 'void (*)(struct workqueue_struct *)' to 'void (*)(void *)' converts to incompatible function type [-Werror,-Wcast-function-type-strict]
935 | if (devm_add_action_or_reset(dev, (void (*)(void *))destroy_workqueue,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/device/devres.h:168:34: note: expanded from macro 'devm_add_action_or_reset'
168 | __devm_add_action_or_ireset(dev, action, data, #action)
| ^~~~~~
This warning is pointing out a kernel control flow integrity (kCFI /
CONFIG_CFI=y) violation will occur due to this function cast when the
destroy_workqueue() is indirectly called via devm_action_release()
because the prototype of destroy_workqueue() does not match the
prototype of (*action)().
Use a local function with the correct prototype to wrap
destroy_workqueue() to resolve the warning and CFI violation.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202510190103.qTZvfdjj-lkp@intel.com/
Closes: https://github.com/ClangBuiltLinux/linux/issues/2139
Fixes: 0d30dae38fe0 ("HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Reviewed-by: Zhang Lixu <lixu.zhang@intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/intel-ish-hid/ipc/ipc.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/hid/intel-ish-hid/ipc/ipc.c
+++ b/drivers/hid/intel-ish-hid/ipc/ipc.c
@@ -933,6 +933,11 @@ static const struct ishtp_hw_ops ish_hw_
.dma_no_cache_snooping = _dma_no_cache_snooping
};
+static void ishtp_free_workqueue(void *wq)
+{
+ destroy_workqueue(wq);
+}
+
static struct workqueue_struct *devm_ishtp_alloc_workqueue(struct device *dev)
{
struct workqueue_struct *wq;
@@ -941,8 +946,7 @@ static struct workqueue_struct *devm_ish
if (!wq)
return NULL;
- if (devm_add_action_or_reset(dev, (void (*)(void *))destroy_workqueue,
- wq))
+ if (devm_add_action_or_reset(dev, ishtp_free_workqueue, wq))
return NULL;
return wq;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 193/198] btrfs: fix deadlock in wait_current_trans() due to ignored transaction type
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2026-01-21 18:17 ` [PATCH 6.18 192/198] HID: intel-ish-hid: Fix -Wcast-function-type-strict in devm_ishtp_alloc_workqueue() Greg Kroah-Hartman
@ 2026-01-21 18:17 ` Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 194/198] mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection Greg Kroah-Hartman
` (18 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, Robbie Ko,
David Sterba, Motiejus Jakštys
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robbie Ko <robbieko@synology.com>
commit 5037b342825df7094a4906d1e2a9674baab50cb2 upstream.
When wait_current_trans() is called during start_transaction(), it
currently waits for a blocked transaction without considering whether
the given transaction type actually needs to wait for that particular
transaction state. The btrfs_blocked_trans_types[] array already defines
which transaction types should wait for which transaction states, but
this check was missing in wait_current_trans().
This can lead to a deadlock scenario involving two transactions and
pending ordered extents:
1. Transaction A is in TRANS_STATE_COMMIT_DOING state
2. A worker processing an ordered extent calls start_transaction()
with TRANS_JOIN
3. join_transaction() returns -EBUSY because Transaction A is in
TRANS_STATE_COMMIT_DOING
4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes
5. A new Transaction B is created (TRANS_STATE_RUNNING)
6. The ordered extent from step 2 is added to Transaction B's
pending ordered extents
7. Transaction B immediately starts commit by another task and
enters TRANS_STATE_COMMIT_START
8. The worker finally reaches wait_current_trans(), sees Transaction B
in TRANS_STATE_COMMIT_START (a blocked state), and waits
unconditionally
9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START
according to btrfs_blocked_trans_types[]
10. Transaction B is waiting for pending ordered extents to complete
11. Deadlock: Transaction B waits for ordered extent, ordered extent
waits for Transaction B
This can be illustrated by the following call stacks:
CPU0 CPU1
btrfs_finish_ordered_io()
start_transaction(TRANS_JOIN)
join_transaction()
# -EBUSY (Transaction A is
# TRANS_STATE_COMMIT_DOING)
# Transaction A completes
# Transaction B created
# ordered extent added to
# Transaction B's pending list
btrfs_commit_transaction()
# Transaction B enters
# TRANS_STATE_COMMIT_START
# waiting for pending ordered
# extents
wait_current_trans()
# waits for Transaction B
# (should not wait!)
Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered
extents:
__schedule+0x2e7/0x8a0
schedule+0x64/0xe0
btrfs_commit_transaction+0xbf7/0xda0 [btrfs]
btrfs_sync_file+0x342/0x4d0 [btrfs]
__x64_sys_fdatasync+0x4b/0x80
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Task kworker in wait_current_trans waiting for transaction commit:
Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs]
__schedule+0x2e7/0x8a0
schedule+0x64/0xe0
wait_current_trans+0xb0/0x110 [btrfs]
start_transaction+0x346/0x5b0 [btrfs]
btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs]
btrfs_work_helper+0xe8/0x350 [btrfs]
process_one_work+0x1d3/0x3c0
worker_thread+0x4d/0x3e0
kthread+0x12d/0x150
ret_from_fork+0x1f/0x30
Fix this by passing the transaction type to wait_current_trans() and
checking btrfs_blocked_trans_types[cur_trans->state] against the given
type before deciding to wait. This ensures that transaction types which
are allowed to join during certain blocked states will not unnecessarily
wait and cause deadlocks.
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Robbie Ko <robbieko@synology.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Cc: Motiejus Jakštys <motiejus@jakstys.lt>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/transaction.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -518,13 +518,14 @@ static inline int is_transaction_blocked
* when this is done, it is safe to start a new transaction, but the current
* transaction might not be fully on disk.
*/
-static void wait_current_trans(struct btrfs_fs_info *fs_info)
+static void wait_current_trans(struct btrfs_fs_info *fs_info, unsigned int type)
{
struct btrfs_transaction *cur_trans;
spin_lock(&fs_info->trans_lock);
cur_trans = fs_info->running_transaction;
- if (cur_trans && is_transaction_blocked(cur_trans)) {
+ if (cur_trans && is_transaction_blocked(cur_trans) &&
+ (btrfs_blocked_trans_types[cur_trans->state] & type)) {
refcount_inc(&cur_trans->use_count);
spin_unlock(&fs_info->trans_lock);
@@ -699,12 +700,12 @@ again:
sb_start_intwrite(fs_info->sb);
if (may_wait_transaction(fs_info, type))
- wait_current_trans(fs_info);
+ wait_current_trans(fs_info, type);
do {
ret = join_transaction(fs_info, type);
if (ret == -EBUSY) {
- wait_current_trans(fs_info);
+ wait_current_trans(fs_info, type);
if (unlikely(type == TRANS_ATTACH ||
type == TRANS_JOIN_NOSTART))
ret = -ENOENT;
@@ -1001,7 +1002,7 @@ out:
void btrfs_throttle(struct btrfs_fs_info *fs_info)
{
- wait_current_trans(fs_info);
+ wait_current_trans(fs_info, TRANS_START);
}
bool btrfs_should_end_transaction(struct btrfs_trans_handle *trans)
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 194/198] mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2026-01-21 18:17 ` [PATCH 6.18 193/198] btrfs: fix deadlock in wait_current_trans() due to ignored transaction type Greg Kroah-Hartman
@ 2026-01-21 18:17 ` Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 195/198] mm/page_alloc: batch page freeing in decay_pcp_high Greg Kroah-Hartman
` (17 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Hahn, Vlastimil Babka,
SeongJae Park, Brendan Jackman, Chris Mason, Johannes Weiner,
Kirill A. Shutemov, Michal Hocko, Suren Baghdasaryan, Zi Yan,
Andrew Morton, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hahn <joshua.hahnjy@gmail.com>
commit 0acc67c4030c39f39ac90413cc5d0abddd3a9527 upstream.
Patch series "mm/page_alloc: Batch callers of free_pcppages_bulk", v5.
Motivation & Approach
=====================
While testing workloads with high sustained memory pressure on large
machines in the Meta fleet (1Tb memory, 316 CPUs), we saw an unexpectedly
high number of softlockups. Further investigation showed that the zone
lock in free_pcppages_bulk was being held for a long time, and was called
to free 2k+ pages over 100 times just during boot.
This causes starvation in other processes for the zone lock, which can
lead to the system stalling as multiple threads cannot make progress
without the locks. We can see these issues manifesting as warnings:
[ 4512.591979] rcu: INFO: rcu_sched self-detected stall on CPU
[ 4512.604370] rcu: 20-....: (9312 ticks this GP) idle=a654/1/0x4000000000000000 softirq=309340/309344 fqs=5426
[ 4512.626401] rcu: hardirqs softirqs csw/system
[ 4512.638793] rcu: number: 0 145 0
[ 4512.651177] rcu: cputime: 30 10410 174 ==> 10558(ms)
[ 4512.666657] rcu: (t=21077 jiffies g=783665 q=1242213 ncpus=316)
While these warnings don't indicate a crash or a kernel panic, they do
point to the underlying issue of lock contention. To prevent starvation
in both locks, batch the freeing of pages using pcp->batch.
Because free_pcppages_bulk is called with the pcp lock and acquires the
zone lock, relinquishing and reacquiring the locks are only effective when
both of them are broken together (unless the system was built with queued
spinlocks). Thus, instead of modifying free_pcppages_bulk to break both
locks, batch the freeing from its callers instead.
A similar fix has been implemented in the Meta fleet, and we have seen
significantly less softlockups.
Testing
=======
The following are a few synthetic benchmarks, made on three machines. The
first is a large machine with 754GiB memory and 316 processors.
The second is a relatively smaller machine with 251GiB memory and 176
processors. The third and final is the smallest of the three, which has 62GiB
memory and 36 processors.
On all machines, I kick off a kernel build with -j$(nproc).
Negative delta is better (faster compilation).
Large machine (754GiB memory, 316 processors)
make -j$(nproc)
+------------+---------------+-----------+
| Metric (s) | Variation (%) | Delta(%) |
+------------+---------------+-----------+
| real | 0.8070 | - 1.4865 |
| user | 0.2823 | + 0.4081 |
| sys | 5.0267 | -11.8737 |
+------------+---------------+-----------+
Medium machine (251GiB memory, 176 processors)
make -j$(nproc)
+------------+---------------+----------+
| Metric (s) | Variation (%) | Delta(%) |
+------------+---------------+----------+
| real | 0.2806 | +0.0351 |
| user | 0.0994 | +0.3170 |
| sys | 0.6229 | -0.6277 |
+------------+---------------+----------+
Small machine (62GiB memory, 36 processors)
make -j$(nproc)
+------------+---------------+----------+
| Metric (s) | Variation (%) | Delta(%) |
+------------+---------------+----------+
| real | 0.1503 | -2.6585 |
| user | 0.0431 | -2.2984 |
| sys | 0.1870 | -3.2013 |
+------------+---------------+----------+
Here, variation is the coefficient of variation, i.e. standard deviation
/ mean.
Based on these results, it seems like there are varying degrees to how
much lock contention this reduces. For the largest and smallest machines
that I ran the tests on, it seems like there is quite some significant
reduction. There is also some performance increases visible from
userspace.
Interestingly, the performance gains don't scale with the size of the
machine, but rather there seems to be a dip in the gain there is for the
medium-sized machine. One possible theory is that because the high
watermark depends on both memory and the number of local CPUs, what
impacts zone contention the most is not these individual values, but
rather the ratio of mem:processors.
This patch (of 5):
Currently, refresh_cpu_vm_stats returns an int, indicating how many
changes were made during its updates. Using this information, callers
like vmstat_update can heuristically determine if more work will be done
in the future.
However, all of refresh_cpu_vm_stats's callers either (a) ignore the
result, only caring about performing the updates, or (b) only care about
whether changes were made, but not *how many* changes were made.
Simplify the code by returning a bool instead to indicate if updates
were made.
In addition, simplify fold_diff and decay_pcp_high to return a bool
for the same reason.
Link: https://lkml.kernel.org/r/20251014145011.3427205-1-joshua.hahnjy@gmail.com
Link: https://lkml.kernel.org/r/20251014145011.3427205-2-joshua.hahnjy@gmail.com
Signed-off-by: Joshua Hahn <joshua.hahnjy@gmail.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Reviewed-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Chris Mason <clm@fb.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 038a102535eb ("mm/page_alloc: prevent pcp corruption with SMP=n")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/gfp.h | 2 +-
mm/page_alloc.c | 8 ++++----
mm/vmstat.c | 28 +++++++++++++++-------------
3 files changed, 20 insertions(+), 18 deletions(-)
--- a/include/linux/gfp.h
+++ b/include/linux/gfp.h
@@ -387,7 +387,7 @@ extern void free_pages(unsigned long add
#define free_page(addr) free_pages((addr), 0)
void page_alloc_init_cpuhp(void);
-int decay_pcp_high(struct zone *zone, struct per_cpu_pages *pcp);
+bool decay_pcp_high(struct zone *zone, struct per_cpu_pages *pcp);
void drain_zone_pages(struct zone *zone, struct per_cpu_pages *pcp);
void drain_all_pages(struct zone *zone);
void drain_local_pages(struct zone *zone);
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2552,10 +2552,10 @@ static int rmqueue_bulk(struct zone *zon
* Called from the vmstat counter updater to decay the PCP high.
* Return whether there are addition works to do.
*/
-int decay_pcp_high(struct zone *zone, struct per_cpu_pages *pcp)
+bool decay_pcp_high(struct zone *zone, struct per_cpu_pages *pcp)
{
int high_min, to_drain, batch;
- int todo = 0;
+ bool todo = false;
high_min = READ_ONCE(pcp->high_min);
batch = READ_ONCE(pcp->batch);
@@ -2568,7 +2568,7 @@ int decay_pcp_high(struct zone *zone, st
pcp->high = max3(pcp->count - (batch << CONFIG_PCP_BATCH_SCALE_MAX),
pcp->high - (pcp->high >> 3), high_min);
if (pcp->high > high_min)
- todo++;
+ todo = true;
}
to_drain = pcp->count - pcp->high;
@@ -2576,7 +2576,7 @@ int decay_pcp_high(struct zone *zone, st
spin_lock(&pcp->lock);
free_pcppages_bulk(zone, to_drain, pcp, 0);
spin_unlock(&pcp->lock);
- todo++;
+ todo = true;
}
return todo;
--- a/mm/vmstat.c
+++ b/mm/vmstat.c
@@ -771,25 +771,25 @@ EXPORT_SYMBOL(dec_node_page_state);
/*
* Fold a differential into the global counters.
- * Returns the number of counters updated.
+ * Returns whether counters were updated.
*/
static int fold_diff(int *zone_diff, int *node_diff)
{
int i;
- int changes = 0;
+ bool changed = false;
for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
if (zone_diff[i]) {
atomic_long_add(zone_diff[i], &vm_zone_stat[i]);
- changes++;
+ changed = true;
}
for (i = 0; i < NR_VM_NODE_STAT_ITEMS; i++)
if (node_diff[i]) {
atomic_long_add(node_diff[i], &vm_node_stat[i]);
- changes++;
+ changed = true;
}
- return changes;
+ return changed;
}
/*
@@ -806,16 +806,16 @@ static int fold_diff(int *zone_diff, int
* with the global counters. These could cause remote node cache line
* bouncing and will have to be only done when necessary.
*
- * The function returns the number of global counters updated.
+ * The function returns whether global counters were updated.
*/
-static int refresh_cpu_vm_stats(bool do_pagesets)
+static bool refresh_cpu_vm_stats(bool do_pagesets)
{
struct pglist_data *pgdat;
struct zone *zone;
int i;
int global_zone_diff[NR_VM_ZONE_STAT_ITEMS] = { 0, };
int global_node_diff[NR_VM_NODE_STAT_ITEMS] = { 0, };
- int changes = 0;
+ bool changed = false;
for_each_populated_zone(zone) {
struct per_cpu_zonestat __percpu *pzstats = zone->per_cpu_zonestats;
@@ -839,7 +839,8 @@ static int refresh_cpu_vm_stats(bool do_
if (do_pagesets) {
cond_resched();
- changes += decay_pcp_high(zone, this_cpu_ptr(pcp));
+ if (decay_pcp_high(zone, this_cpu_ptr(pcp)))
+ changed = true;
#ifdef CONFIG_NUMA
/*
* Deal with draining the remote pageset of this
@@ -861,13 +862,13 @@ static int refresh_cpu_vm_stats(bool do_
}
if (__this_cpu_dec_return(pcp->expire)) {
- changes++;
+ changed = true;
continue;
}
if (__this_cpu_read(pcp->count)) {
drain_zone_pages(zone, this_cpu_ptr(pcp));
- changes++;
+ changed = true;
}
#endif
}
@@ -887,8 +888,9 @@ static int refresh_cpu_vm_stats(bool do_
}
}
- changes += fold_diff(global_zone_diff, global_node_diff);
- return changes;
+ if (fold_diff(global_zone_diff, global_node_diff))
+ changed = true;
+ return changed;
}
/*
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 195/198] mm/page_alloc: batch page freeing in decay_pcp_high
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2026-01-21 18:17 ` [PATCH 6.18 194/198] mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection Greg Kroah-Hartman
@ 2026-01-21 18:17 ` Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 196/198] mm/page_alloc: prevent pcp corruption with SMP=n Greg Kroah-Hartman
` (16 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joshua Hahn, Chris Mason,
Andrew Morton, Vlastimil Babka, Brendan Jackman,
Kirill A. Shutemov, Michal Hocko, SeongJae Park,
Suren Baghdasaryan, Zi Yan, Sasha Levin, Johannes Weiner
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Hahn <joshua.hahnjy@gmail.com>
commit fc4b909c368f3a7b08c895dd5926476b58e85312 upstream.
It is possible for pcp->count - pcp->high to exceed pcp->batch by a lot.
When this happens, we should perform batching to ensure that
free_pcppages_bulk isn't called with too many pages to free at once and
starve out other threads that need the pcp or zone lock.
Since we are still only freeing the difference between the initial
pcp->count and pcp->high values, there should be no change to how many
pages are freed.
Link: https://lkml.kernel.org/r/20251014145011.3427205-3-joshua.hahnjy@gmail.com
Signed-off-by: Joshua Hahn <joshua.hahnjy@gmail.com>
Suggested-by: Chris Mason <clm@fb.com>
Suggested-by: Andrew Morton <akpm@linux-foundation.org>
Co-developed-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Michal Hocko <mhocko@suse.com>
Cc: SeongJae Park <sj@kernel.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 038a102535eb ("mm/page_alloc: prevent pcp corruption with SMP=n")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page_alloc.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -2554,7 +2554,7 @@ static int rmqueue_bulk(struct zone *zon
*/
bool decay_pcp_high(struct zone *zone, struct per_cpu_pages *pcp)
{
- int high_min, to_drain, batch;
+ int high_min, to_drain, to_drain_batched, batch;
bool todo = false;
high_min = READ_ONCE(pcp->high_min);
@@ -2572,11 +2572,14 @@ bool decay_pcp_high(struct zone *zone, s
}
to_drain = pcp->count - pcp->high;
- if (to_drain > 0) {
+ while (to_drain > 0) {
+ to_drain_batched = min(to_drain, batch);
spin_lock(&pcp->lock);
- free_pcppages_bulk(zone, to_drain, pcp, 0);
+ free_pcppages_bulk(zone, to_drain_batched, pcp, 0);
spin_unlock(&pcp->lock);
todo = true;
+
+ to_drain -= to_drain_batched;
}
return todo;
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 196/198] mm/page_alloc: prevent pcp corruption with SMP=n
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2026-01-21 18:17 ` [PATCH 6.18 195/198] mm/page_alloc: batch page freeing in decay_pcp_high Greg Kroah-Hartman
@ 2026-01-21 18:17 ` Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 197/198] Revert "functionfs: fix the open/removal races" Greg Kroah-Hartman
` (15 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vlastimil Babka, kernel test robot,
Mel Gorman, Brendan Jackman, Johannes Weiner, Michal Hocko,
Sebastian Andrzej Siewior, Steven Rostedt, Suren Baghdasaryan,
Zi Yan, Andrew Morton, Sasha Levin, Matthew Wilcox
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vlastimil Babka <vbabka@suse.cz>
commit 038a102535eb49e10e93eafac54352fcc5d78847 upstream.
The kernel test robot has reported:
BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28
lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0
CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470
Call Trace:
<IRQ>
__dump_stack (lib/dump_stack.c:95)
dump_stack_lvl (lib/dump_stack.c:123)
dump_stack (lib/dump_stack.c:130)
spin_dump (kernel/locking/spinlock_debug.c:71)
do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?)
_raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138)
__free_frozen_pages (mm/page_alloc.c:2973)
___free_pages (mm/page_alloc.c:5295)
__free_pages (mm/page_alloc.c:5334)
tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290)
? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289)
? rcu_core (kernel/rcu/tree.c:?)
rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861)
rcu_core_si (kernel/rcu/tree.c:2879)
handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)
__irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725)
irq_exit_rcu (kernel/softirq.c:741)
sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052)
</IRQ>
<TASK>
RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194)
free_pcppages_bulk (mm/page_alloc.c:1494)
drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632)
__drain_all_pages (mm/page_alloc.c:2731)
drain_all_pages (mm/page_alloc.c:2747)
kcompactd (mm/compaction.c:3115)
kthread (kernel/kthread.c:465)
? __cfi_kcompactd (mm/compaction.c:3166)
? __cfi_kthread (kernel/kthread.c:412)
ret_from_fork (arch/x86/kernel/process.c:164)
? __cfi_kthread (kernel/kthread.c:412)
ret_from_fork_asm (arch/x86/entry/entry_64.S:255)
</TASK>
Matthew has analyzed the report and identified that in drain_page_zone()
we are in a section protected by spin_lock(&pcp->lock) and then get an
interrupt that attempts spin_trylock() on the same lock. The code is
designed to work this way without disabling IRQs and occasionally fail the
trylock with a fallback. However, the SMP=n spinlock implementation
assumes spin_trylock() will always succeed, and thus it's normally a
no-op. Here the enabled lock debugging catches the problem, but otherwise
it could cause a corruption of the pcp structure.
The problem has been introduced by commit 574907741599 ("mm/page_alloc:
leave IRQs enabled for per-cpu page allocations"). The pcp locking scheme
recognizes the need for disabling IRQs to prevent nesting spin_trylock()
sections on SMP=n, but the need to prevent the nesting in spin_lock() has
not been recognized. Fix it by introducing local wrappers that change the
spin_lock() to spin_lock_iqsave() with SMP=n and use them in all places
that do spin_lock(&pcp->lock).
[vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven]
Link: https://lkml.kernel.org/r/20260105-fix-pcp-up-v1-1-5579662d2071@suse.cz
Fixes: 574907741599 ("mm/page_alloc: leave IRQs enabled for per-cpu page allocations")
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202512101320.e2f2dd6f-lkp@intel.com
Analyzed-by: Matthew Wilcox <willy@infradead.org>
Link: https://lore.kernel.org/all/aUW05pyc9nZkvY-1@casper.infradead.org/
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: Brendan Jackman <jackmanb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/page_alloc.c | 47 +++++++++++++++++++++++++++++++++++++++--------
1 file changed, 39 insertions(+), 8 deletions(-)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -166,6 +166,33 @@ static DEFINE_MUTEX(pcp_batch_high_lock)
#define pcp_spin_unlock(ptr) \
pcpu_spin_unlock(lock, ptr)
+/*
+ * With the UP spinlock implementation, when we spin_lock(&pcp->lock) (for i.e.
+ * a potentially remote cpu drain) and get interrupted by an operation that
+ * attempts pcp_spin_trylock(), we can't rely on the trylock failure due to UP
+ * spinlock assumptions making the trylock a no-op. So we have to turn that
+ * spin_lock() to a spin_lock_irqsave(). This works because on UP there are no
+ * remote cpu's so we can only be locking the only existing local one.
+ */
+#if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT_RT)
+static inline void __flags_noop(unsigned long *flags) { }
+#define pcp_spin_lock_maybe_irqsave(ptr, flags) \
+({ \
+ __flags_noop(&(flags)); \
+ spin_lock(&(ptr)->lock); \
+})
+#define pcp_spin_unlock_maybe_irqrestore(ptr, flags) \
+({ \
+ spin_unlock(&(ptr)->lock); \
+ __flags_noop(&(flags)); \
+})
+#else
+#define pcp_spin_lock_maybe_irqsave(ptr, flags) \
+ spin_lock_irqsave(&(ptr)->lock, flags)
+#define pcp_spin_unlock_maybe_irqrestore(ptr, flags) \
+ spin_unlock_irqrestore(&(ptr)->lock, flags)
+#endif
+
#ifdef CONFIG_USE_PERCPU_NUMA_NODE_ID
DEFINE_PER_CPU(int, numa_node);
EXPORT_PER_CPU_SYMBOL(numa_node);
@@ -2555,6 +2582,7 @@ static int rmqueue_bulk(struct zone *zon
bool decay_pcp_high(struct zone *zone, struct per_cpu_pages *pcp)
{
int high_min, to_drain, to_drain_batched, batch;
+ unsigned long UP_flags;
bool todo = false;
high_min = READ_ONCE(pcp->high_min);
@@ -2574,9 +2602,9 @@ bool decay_pcp_high(struct zone *zone, s
to_drain = pcp->count - pcp->high;
while (to_drain > 0) {
to_drain_batched = min(to_drain, batch);
- spin_lock(&pcp->lock);
+ pcp_spin_lock_maybe_irqsave(pcp, UP_flags);
free_pcppages_bulk(zone, to_drain_batched, pcp, 0);
- spin_unlock(&pcp->lock);
+ pcp_spin_unlock_maybe_irqrestore(pcp, UP_flags);
todo = true;
to_drain -= to_drain_batched;
@@ -2593,14 +2621,15 @@ bool decay_pcp_high(struct zone *zone, s
*/
void drain_zone_pages(struct zone *zone, struct per_cpu_pages *pcp)
{
+ unsigned long UP_flags;
int to_drain, batch;
batch = READ_ONCE(pcp->batch);
to_drain = min(pcp->count, batch);
if (to_drain > 0) {
- spin_lock(&pcp->lock);
+ pcp_spin_lock_maybe_irqsave(pcp, UP_flags);
free_pcppages_bulk(zone, to_drain, pcp, 0);
- spin_unlock(&pcp->lock);
+ pcp_spin_unlock_maybe_irqrestore(pcp, UP_flags);
}
}
#endif
@@ -2611,10 +2640,11 @@ void drain_zone_pages(struct zone *zone,
static void drain_pages_zone(unsigned int cpu, struct zone *zone)
{
struct per_cpu_pages *pcp = per_cpu_ptr(zone->per_cpu_pageset, cpu);
+ unsigned long UP_flags;
int count;
do {
- spin_lock(&pcp->lock);
+ pcp_spin_lock_maybe_irqsave(pcp, UP_flags);
count = pcp->count;
if (count) {
int to_drain = min(count,
@@ -2623,7 +2653,7 @@ static void drain_pages_zone(unsigned in
free_pcppages_bulk(zone, to_drain, pcp, 0);
count -= to_drain;
}
- spin_unlock(&pcp->lock);
+ pcp_spin_unlock_maybe_irqrestore(pcp, UP_flags);
} while (count);
}
@@ -6081,6 +6111,7 @@ static void zone_pcp_update_cacheinfo(st
{
struct per_cpu_pages *pcp;
struct cpu_cacheinfo *cci;
+ unsigned long UP_flags;
pcp = per_cpu_ptr(zone->per_cpu_pageset, cpu);
cci = get_cpu_cacheinfo(cpu);
@@ -6091,12 +6122,12 @@ static void zone_pcp_update_cacheinfo(st
* This can reduce zone lock contention without hurting
* cache-hot pages sharing.
*/
- spin_lock(&pcp->lock);
+ pcp_spin_lock_maybe_irqsave(pcp, UP_flags);
if ((cci->per_cpu_data_slice_size >> PAGE_SHIFT) > 3 * pcp->batch)
pcp->flags |= PCPF_FREE_HIGH_BATCH;
else
pcp->flags &= ~PCPF_FREE_HIGH_BATCH;
- spin_unlock(&pcp->lock);
+ pcp_spin_unlock_maybe_irqrestore(pcp, UP_flags);
}
void setup_pcp_cacheinfo(unsigned int cpu)
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 197/198] Revert "functionfs: fix the open/removal races"
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2026-01-21 18:17 ` [PATCH 6.18 196/198] mm/page_alloc: prevent pcp corruption with SMP=n Greg Kroah-Hartman
@ 2026-01-21 18:17 ` Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 198/198] iommu/sva: include mmu_notifier.h header Greg Kroah-Hartman
` (14 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit b49c766856fb5901490de577e046149ebf15e39d which is
commit e5bf5ee266633cb18fff6f98f0b7d59a62819eee upstream.
It has been reported to cause test problems in Android devices. As the
other functionfs changes were not also backported at the same time,
something is out of sync. So just revert this one for now and it can
come back in the future as a patch series if it is tested.
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_fs.c | 53 ++++++-------------------------------
1 file changed, 10 insertions(+), 43 deletions(-)
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -640,22 +640,13 @@ done_mutex:
static int ffs_ep0_open(struct inode *inode, struct file *file)
{
- struct ffs_data *ffs = inode->i_sb->s_fs_info;
- int ret;
-
- /* Acquire mutex */
- ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
- if (ret < 0)
- return ret;
+ struct ffs_data *ffs = inode->i_private;
- ffs_data_opened(ffs);
- if (ffs->state == FFS_CLOSING) {
- ffs_data_closed(ffs);
- mutex_unlock(&ffs->mutex);
+ if (ffs->state == FFS_CLOSING)
return -EBUSY;
- }
- mutex_unlock(&ffs->mutex);
+
file->private_data = ffs;
+ ffs_data_opened(ffs);
return stream_open(inode, file);
}
@@ -1202,33 +1193,14 @@ error:
static int
ffs_epfile_open(struct inode *inode, struct file *file)
{
- struct ffs_data *ffs = inode->i_sb->s_fs_info;
- struct ffs_epfile *epfile;
- int ret;
-
- /* Acquire mutex */
- ret = ffs_mutex_lock(&ffs->mutex, file->f_flags & O_NONBLOCK);
- if (ret < 0)
- return ret;
+ struct ffs_epfile *epfile = inode->i_private;
- if (!atomic_inc_not_zero(&ffs->opened)) {
- mutex_unlock(&ffs->mutex);
- return -ENODEV;
- }
- /*
- * we want the state to be FFS_ACTIVE; FFS_ACTIVE alone is
- * not enough, though - we might have been through FFS_CLOSING
- * and back to FFS_ACTIVE, with our file already removed.
- */
- epfile = smp_load_acquire(&inode->i_private);
- if (unlikely(ffs->state != FFS_ACTIVE || !epfile)) {
- mutex_unlock(&ffs->mutex);
- ffs_data_closed(ffs);
+ if (WARN_ON(epfile->ffs->state != FFS_ACTIVE))
return -ENODEV;
- }
- mutex_unlock(&ffs->mutex);
file->private_data = epfile;
+ ffs_data_opened(epfile->ffs);
+
return stream_open(inode, file);
}
@@ -1360,7 +1332,7 @@ static void ffs_dmabuf_put(struct dma_bu
static int
ffs_epfile_release(struct inode *inode, struct file *file)
{
- struct ffs_epfile *epfile = file->private_data;
+ struct ffs_epfile *epfile = inode->i_private;
struct ffs_dmabuf_priv *priv, *tmp;
struct ffs_data *ffs = epfile->ffs;
@@ -2380,11 +2352,6 @@ static int ffs_epfiles_create(struct ffs
return 0;
}
-static void clear_one(struct dentry *dentry)
-{
- smp_store_release(&dentry->d_inode->i_private, NULL);
-}
-
static void ffs_epfiles_destroy(struct ffs_epfile *epfiles, unsigned count)
{
struct ffs_epfile *epfile = epfiles;
@@ -2392,7 +2359,7 @@ static void ffs_epfiles_destroy(struct f
for (; count; --count, ++epfile) {
BUG_ON(mutex_is_locked(&epfile->mutex));
if (epfile->dentry) {
- simple_recursive_removal(epfile->dentry, clear_one);
+ simple_recursive_removal(epfile->dentry, NULL);
epfile->dentry = NULL;
}
}
^ permalink raw reply [flat|nested] 215+ messages in thread
* [PATCH 6.18 198/198] iommu/sva: include mmu_notifier.h header
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2026-01-21 18:17 ` [PATCH 6.18 197/198] Revert "functionfs: fix the open/removal races" Greg Kroah-Hartman
@ 2026-01-21 18:17 ` Greg Kroah-Hartman
2026-01-21 22:12 ` [PATCH 6.18 000/198] 6.18.7-rc1 review Ronald Warsow
` (13 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Greg Kroah-Hartman @ 2026-01-21 18:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlos Llamas, Baolu Lu,
Jason Gunthorpe, Joerg Roedel, Kevin Tian, Robin Murphy,
Vasant Hegde, Will Deacon, Andrew Morton
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Llamas <cmllamas@google.com>
commit 4b5c493ff762bb0433529ca6870b284f0a2a5ca8 upstream.
A call to mmu_notifier_arch_invalidate_secondary_tlbs() was introduced in
commit e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel
address space") but without explicitly adding its corresponding header
file <linux/mmu_notifier.h>. This was evidenced while trying to enable
compile testing support for IOMMU_SVA:
config IOMMU_SVA
select IOMMU_MM_DATA
- bool
+ bool "Shared Virtual Addressing" if COMPILE_TEST
The thing is for certain architectures this header file is indirectly
included via <asm/tlbflush.h>. However, for others such as 32-bit arm the
header is missing and it results in a build failure:
$ make ARCH=arm allmodconfig
[...]
drivers/iommu/iommu-sva.c:340:3: error: call to undeclared function 'mmu_notifier_arch_invalidate_secondary_tlbs' [...]
340 | mmu_notifier_arch_invalidate_secondary_tlbs(iommu_mm->mm, start, end);
| ^
Fix this by including the appropriate header file.
Link: https://lkml.kernel.org/r/20260105190747.625082-1-cmllamas@google.com
Fixes: e37d5a2d60a3 ("iommu/sva: invalidate stale IOTLB entries for kernel address space")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Cc: Baolu Lu <baolu.lu@linux.intel.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: Kevin Tian <kevin.tian@intel.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Vasant Hegde <vasant.hegde@amd.com>
Cc: Will Deacon <will@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommu-sva.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/iommu/iommu-sva.c
+++ b/drivers/iommu/iommu-sva.c
@@ -3,6 +3,7 @@
* Helpers for IOMMU drivers implementing SVA
*/
#include <linux/mmu_context.h>
+#include <linux/mmu_notifier.h>
#include <linux/mutex.h>
#include <linux/sched/mm.h>
#include <linux/iommu.h>
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2026-01-21 18:17 ` [PATCH 6.18 198/198] iommu/sva: include mmu_notifier.h header Greg Kroah-Hartman
@ 2026-01-21 22:12 ` Ronald Warsow
2026-01-21 23:35 ` Shuah Khan
` (12 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Ronald Warsow @ 2026-01-21 22:12 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
conor, hargar, broonie, achill, sr
Hi
no regressions here on x86_64 (Intel 11th Gen. CPU)
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2026-01-21 22:12 ` [PATCH 6.18 000/198] 6.18.7-rc1 review Ronald Warsow
@ 2026-01-21 23:35 ` Shuah Khan
2026-01-21 23:57 ` Florian Fainelli
` (11 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Shuah Khan @ 2026-01-21 23:35 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr, Shuah Khan
On 1/21/26 11:13, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.7-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2026-01-21 23:35 ` Shuah Khan
@ 2026-01-21 23:57 ` Florian Fainelli
2026-01-22 2:07 ` Justin Forbes
` (10 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Florian Fainelli @ 2026-01-21 23:57 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, rwarsow, conor,
hargar, broonie, achill, sr
On 1/21/26 10:13, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.7-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2026-01-21 23:57 ` Florian Fainelli
@ 2026-01-22 2:07 ` Justin Forbes
2026-01-22 4:07 ` Takeshi Ogasawara
` (9 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Justin Forbes @ 2026-01-22 2:07 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Wed, Jan 21, 2026 at 07:13:48PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.7-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Tested rc1 against the Fedora build system (aarch64, ppc64le, s390x,
x86_64), and boot tested x86_64. No regressions noted.
Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2026-01-22 2:07 ` Justin Forbes
@ 2026-01-22 4:07 ` Takeshi Ogasawara
2026-01-22 5:41 ` Brett A C Sheffield
` (8 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Takeshi Ogasawara @ 2026-01-22 4:07 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
Hi Greg
On Thu, Jan 22, 2026 at 4:38 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.7-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
6.18.7-rc1 tested.
Build successfully completed.
Boot successfully completed.
No dmesg regressions.
Video output normal.
Sound output normal.
Lenovo ThinkPad X1 Carbon Gen10(Intel i7-1260P(x86_64) arch linux)
[ 0.000000] Linux version 6.18.7-rc1rv-g28a73c31d7f5
(takeshi@ThinkPadX1Gen10J0764) (gcc (GCC) 15.2.1 20260103, GNU ld (GNU
Binutils) 2.45.1) #1 SMP PREEMPT_DYNAMIC Thu Jan 22 11:47:11 JST 2026
Thanks
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2026-01-22 4:07 ` Takeshi Ogasawara
@ 2026-01-22 5:41 ` Brett A C Sheffield
2026-01-22 7:36 ` Shung-Hsi Yu
` (7 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Brett A C Sheffield @ 2026-01-22 5:41 UTC (permalink / raw)
To: gregkh
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
Brett A C Sheffield
# Librecast Test Results
020/020 [ OK ] liblcrq
010/010 [ OK ] libmld
120/120 [ OK ] liblibrecast
CPU/kernel: Linux auntie 6.18.7-rc1-g28a73c31d7f5 #1 SMP PREEMPT_DYNAMIC Thu Jan 22 05:27:29 -00 2026 x86_64 AMD Ryzen 9 9950X 16-Core Processor AuthenticAMD GNU/Linux
Tested-by: Brett A C Sheffield <bacs@librecast.net>
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2026-01-22 5:41 ` Brett A C Sheffield
@ 2026-01-22 7:36 ` Shung-Hsi Yu
2026-01-22 8:43 ` Jon Hunter
` (6 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Shung-Hsi Yu @ 2026-01-22 7:36 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Wed, Jan 21, 2026 at 07:13:48PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
test_progs, test_progs-no_alu32, test_progs-cpuv4, test_maps,
test_verifier in BPF selftests all passes on x86_64.
Link: https://github.com/shunghsiyu/libbpf/actions/runs/21221602824/job/61107573538
Tested-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
...
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2026-01-22 7:36 ` Shung-Hsi Yu
@ 2026-01-22 8:43 ` Jon Hunter
2026-01-22 12:17 ` Ron Economos
` (5 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Jon Hunter @ 2026-01-22 8:43 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr,
linux-tegra, stable
On Wed, 21 Jan 2026 19:13:48 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.7-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.18:
10 builds: 10 pass, 0 fail
28 boots: 28 pass, 0 fail
133 tests: 133 pass, 0 fail
Linux version: 6.18.7-rc1-g28a73c31d7f5
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra186-p3509-0000+p3636-0001, tegra194-p2972-0000,
tegra194-p3509-0000+p3668-0000, tegra20-ventana,
tegra210-p2371-2180, tegra210-p3450-0000,
tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2026-01-22 8:43 ` Jon Hunter
@ 2026-01-22 12:17 ` Ron Economos
2026-01-22 15:08 ` Brett Mastbergen
` (4 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Ron Economos @ 2026-01-22 12:17 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
On 1/21/26 10:13, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.7-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2026-01-22 12:17 ` Ron Economos
@ 2026-01-22 15:08 ` Brett Mastbergen
2026-01-22 15:51 ` Peter Schneider
` (3 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Brett Mastbergen @ 2026-01-22 15:08 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Wed, Jan 21, 2026 at 2:47 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.7-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Builds successfully. Boots and works on qemu and Intel Core i7-10810U
Tested-by: Brett Mastbergen <bmastbergen@ciq.com>
Thanks,
Brett
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2026-01-22 15:08 ` Brett Mastbergen
@ 2026-01-22 15:51 ` Peter Schneider
2026-01-22 18:15 ` Mark Brown
` (2 subsequent siblings)
211 siblings, 0 replies; 215+ messages in thread
From: Peter Schneider @ 2026-01-22 15:51 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor, hargar, broonie, achill, sr
Am 21.01.2026 um 19:13 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2026-01-22 15:51 ` Peter Schneider
@ 2026-01-22 18:15 ` Mark Brown
2026-01-22 18:23 ` Lorenzo Stoakes
2026-01-23 17:08 ` Dileep malepu
2026-01-23 22:06 ` Miguel Ojeda
211 siblings, 1 reply; 215+ messages in thread
From: Mark Brown @ 2026-01-22 18:15 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr,
Ryan.Roberts, Lorenzo Stoakes
[-- Attachment #1: Type: text/plain, Size: 2965 bytes --]
On Wed, Jan 21, 2026 at 07:13:48PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
However:
> Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> tools/testing/selftests: add forked (un)/faulted VMA merge tests
These are failing for me on arm64 and I think arm (something literally
exploded in my lab so the arm bisect didn't complete yet due to the
half of the lab with that board being powered off until I get that
fixed), that in turn causes a new top level failure of the merge
selftest program but the actual failure is purely newly added tests not
working so I don't think the kernel itself is any worse than it was
before. The tests are OK in Linus' tree so we are I guess missing a
backport?
Log:
https://lava.sirena.org.uk/scheduler/job/2395273#L4133
# # # RUN merge_with_fork.forked.mremap_faulted_to_unfaulted_prev ...
# # # merge.c:1283:mremap_faulted_to_unfaulted_prev:Expected procmap->query.vma_end (281473166635008) == (unsigned long)ptr_b + offset (281473166622720)
# # # mremap_faulted_to_unfaulted_prev: Test terminated by assertion
# # # FAIL merge_with_fork.forked.mremap_faulted_to_unfaulted_prev
# # not ok 16 merge_with_fork.forked.mremap_faulted_to_unfaulted_prev
# # # RUN merge_with_fork.forked.mremap_faulted_to_unfaulted_next ...
# # # merge.c:1349:mremap_faulted_to_unfaulted_next:Expected procmap->query.vma_end (281473166635008) == (unsigned long)ptr_a + offset (281473166622720)
# # # mremap_faulted_to_unfaulted_next: Test terminated by assertion
# # # FAIL merge_with_fork.forked.mremap_faulted_to_unfaulted_next
# # not ok 17 merge_with_fork.forked.mremap_faulted_to_unfaulted_next
# # # RUN merge_with_fork.forked.mremap_faulted_to_unfaulted_prev_unfaulted_next ...
# # # merge.c:1420:mremap_faulted_to_unfaulted_prev_unfaulted_next:Expected procmap->query.vma_end (281473166647296) == (unsigned long)ptr_a + offset (281473166622720)
# # # mremap_faulted_to_unfaulted_prev_unfaulted_next: Test terminated by assertion
# # # FAIL merge_with_fork.forked.mremap_faulted_to_unfaulted_prev_unfaulted_next
# # not ok 18 merge_with_fork.forked.mremap_faulted_to_unfaulted_prev_unfaulted_next
# # # RUN merge_with_fork.forked.mremap_faulted_to_unfaulted_prev_faulted_next ...
# # # merge.c:1495:mremap_faulted_to_unfaulted_prev_faulted_next:Expected procmap->query.vma_start (281473166610432) == (unsigned long)ptr_b (281473166622720)
# # # mremap_faulted_to_unfaulted_prev_faulted_next: Test terminated by assertion
# # # FAIL merge_with_fork.forked.mremap_faulted_to_unfaulted_prev_faulted_next
# # not ok 19 merge_with_fork.forked.mremap_faulted_to_unfaulted_prev_faulted_next
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-22 18:15 ` Mark Brown
@ 2026-01-22 18:23 ` Lorenzo Stoakes
2026-01-22 19:14 ` Lorenzo Stoakes
0 siblings, 1 reply; 215+ messages in thread
From: Lorenzo Stoakes @ 2026-01-22 18:23 UTC (permalink / raw)
To: Mark Brown
Cc: Greg Kroah-Hartman, stable, patches, linux-kernel, torvalds, akpm,
linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr,
Ryan.Roberts
On Thu, Jan 22, 2026 at 06:15:12PM +0000, Mark Brown wrote:
> On Wed, Jan 21, 2026 at 07:13:48PM +0100, Greg Kroah-Hartman wrote:
>
> > This is the start of the stable review cycle for the 6.18.7 release.
> > There are 198 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
>
> Tested-by: Mark Brown <broonie@kernel.org>
>
> However:
>
> > Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> > tools/testing/selftests: add forked (un)/faulted VMA merge tests
>
> These are failing for me on arm64 and I think arm (something literally
> exploded in my lab so the arm bisect didn't complete yet due to the
> half of the lab with that board being powered off until I get that
> fixed), that in turn causes a new top level failure of the merge
> selftest program but the actual failure is purely newly added tests not
> working so I don't think the kernel itself is any worse than it was
> before. The tests are OK in Linus' tree so we are I guess missing a
> backport?
Yeah, I wouldn't recommend running these tests as they repro the the bug that
the backport fixes :)
You may experience instability as a result of that.
I'm fixing the failed backport to 6.18.y literally right now, should have it out
soon.
I guess maybe I should have put a 'please do not take this until previous patch
was taken' note in there, but ther we go.
Cheers, Lorenzo
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-22 18:23 ` Lorenzo Stoakes
@ 2026-01-22 19:14 ` Lorenzo Stoakes
0 siblings, 0 replies; 215+ messages in thread
From: Lorenzo Stoakes @ 2026-01-22 19:14 UTC (permalink / raw)
To: Mark Brown
Cc: Greg Kroah-Hartman, stable, patches, linux-kernel, torvalds, akpm,
linux, shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, achill, sr,
Ryan.Roberts
On Thu, Jan 22, 2026 at 06:23:25PM +0000, Lorenzo Stoakes wrote:
> On Thu, Jan 22, 2026 at 06:15:12PM +0000, Mark Brown wrote:
> > On Wed, Jan 21, 2026 at 07:13:48PM +0100, Greg Kroah-Hartman wrote:
> >
> > > This is the start of the stable review cycle for the 6.18.7 release.
> > > There are 198 patches in this series, all will be posted as a response
> > > to this one. If anyone has any issues with these being applied, please
> > > let me know.
> >
> > Tested-by: Mark Brown <broonie@kernel.org>
> >
> > However:
> >
> > > Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> > > tools/testing/selftests: add forked (un)/faulted VMA merge tests
> >
> > These are failing for me on arm64 and I think arm (something literally
> > exploded in my lab so the arm bisect didn't complete yet due to the
> > half of the lab with that board being powered off until I get that
> > fixed), that in turn causes a new top level failure of the merge
> > selftest program but the actual failure is purely newly added tests not
> > working so I don't think the kernel itself is any worse than it was
> > before. The tests are OK in Linus' tree so we are I guess missing a
> > backport?
>
> Yeah, I wouldn't recommend running these tests as they repro the the bug that
> the backport fixes :)
>
> You may experience instability as a result of that.
>
> I'm fixing the failed backport to 6.18.y literally right now, should have it out
> soon.
>
> I guess maybe I should have put a 'please do not take this until previous patch
> was taken' note in there, but ther we go.
>
> Cheers, Lorenzo
FYI the fixes are now sent to stable at
https://lore.kernel.org/stable/f1e305c89aaf15fc62c6160505eb6d19adf5d49b.1769108022.git.lorenzo.stoakes@oracle.com/
Cheers, Lorenzo
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2026-01-22 18:15 ` Mark Brown
@ 2026-01-23 17:08 ` Dileep malepu
2026-01-23 22:06 ` Miguel Ojeda
211 siblings, 0 replies; 215+ messages in thread
From: Dileep malepu @ 2026-01-23 17:08 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, rwarsow, conor, hargar, broonie, achill, sr
On Thu, Jan 22, 2026 at 2:12 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.18.7-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.18.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
build and boot report for Linux 6.18.7-rc1.
The kernel was built and booted successfull on both arm64 and x86_64
architectures using the defconfig. Testing was performed in virtual
environments,
and the system ran as expected.
No dmesg regressions were found during testing.
Build details:
Architectures: arm64, x86_64
Kernel version: 6.18.7
Configuration: defconfig
Source: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Commit: 28a73c31d7f5d9d2276c92e1d4891c18a5631e6e
Tested-by: Dileep Malepu <dileep.debian@gmail.com>
^ permalink raw reply [flat|nested] 215+ messages in thread
* Re: [PATCH 6.18 000/198] 6.18.7-rc1 review
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2026-01-23 17:08 ` Dileep malepu
@ 2026-01-23 22:06 ` Miguel Ojeda
211 siblings, 0 replies; 215+ messages in thread
From: Miguel Ojeda @ 2026-01-23 22:06 UTC (permalink / raw)
To: gregkh
Cc: achill, akpm, broonie, conor, f.fainelli, hargar, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, sr, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Wed, 21 Jan 2026 19:13:48 +0100 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.18.7 release.
> There are 198 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Fri, 23 Jan 2026 18:13:40 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64, arm64 and riscv64; built-tested
for loongarch64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 215+ messages in thread
end of thread, other threads:[~2026-01-23 22:06 UTC | newest]
Thread overview: 215+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-21 18:13 [PATCH 6.18 000/198] 6.18.7-rc1 review Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 001/198] firmware: imx: scu-irq: Set mu_resource_id before get handle Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 002/198] efi/cper: Fix cper_bits_to_str buffer handling and return value Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 003/198] nvme-apple: add "apple,t8103-nvme-ans2" as compatible Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 004/198] Revert "gfs2: Fix use of bio_chain" Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 005/198] x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 006/198] rust: bitops: fix missing _find_* functions on 32-bit ARM Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 007/198] ASoC: codecs: wsa884x: fix codec initialisation Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 008/198] ASoC: codecs: wsa883x: fix unnecessary initialisation Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 009/198] drm/gud: fix NULL fb and crtc dereferences on USB disconnect Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 010/198] virtio_net: Fix misalignment bug in struct virtnet_info Greg Kroah-Hartman
2026-01-21 18:13 ` [PATCH 6.18 011/198] io_uring: move local task_work in exit cancel loop Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 012/198] xfrm: Fix inner mode lookup in tunnel mode GSO segmentation Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 013/198] xfrm: set ipv4 no_pmtu_disc flag only on output sa when direction is set Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 014/198] pNFS: Fix a deadlock when returning a delegation during open() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 015/198] NFS: Fix a deadlock involving nfs_release_folio() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 016/198] pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 017/198] pnfs/blocklayout: Fix memory leak in bl_parse_scsi() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 018/198] drm/bridge: dw-hdmi-qp: Fix spurious IRQ on resume Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 019/198] drm/vmwgfx: Fix KMS with 3D on HW version 10 Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 020/198] drm/vmwgfx: Merge vmw_bo_release and vmw_bo_free functions Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 021/198] NFS/localio: Deal with page bases that are > PAGE_SIZE Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 022/198] drm/rockchip: vop2: Add delay between poll registers Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 023/198] drm/rockchip: vop2: Only wait for changed layer cfg done when there is pending cfgdone bits Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 024/198] PM: EM: Fix incorrect description of the cost field in struct em_perf_state Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 025/198] ipv4: ip_tunnel: spread netdev_lockdep_set_classes() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 026/198] can: etas_es58x: allow partial RX URB allocation to succeed Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 027/198] nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 028/198] cxl/port: Fix target list setup for multiple decoders sharing the same dport Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 029/198] btrfs: release path before iget_failed() in btrfs_read_locked_inode() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 030/198] btrfs: send: check for inline extents in range_is_hole_in_parent() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 031/198] Bluetooth: hci_sync: enable PA Sync Lost event Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 032/198] net: bridge: annotate data-races around fdb->{updated,used} Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 033/198] ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 034/198] net: update netdev_lock_{type,name} Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 035/198] macvlan: fix possible UAF in macvlan_forward_source() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 036/198] block: zero non-PI portion of auto integrity buffer Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 037/198] ipv4: ip_gre: make ipgre_header() robust Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 038/198] vsock/test: add a final full barrier after run all tests Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 039/198] net/mlx5e: Fix crash on profile change rollback failure Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 040/198] net/mlx5e: Dont store mlx5e_priv in mlx5e_dev devlink priv Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 041/198] net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 042/198] net/mlx5e: Restore destroying state bit after profile cleanup Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 043/198] btrfs: fix memory leaks in create_space_info() error paths Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 044/198] cxl/hdm: Fix potential infinite loop in __cxl_dpa_reserve() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 045/198] net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 046/198] net: phy: motorcomm: fix duplex setting error for phy leds Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 047/198] net: airoha: Fix typo in airoha_ppe_setup_tc_block_cb definition Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 048/198] ALSA: hda/cirrus_scodec_test: Fix incorrect setup of gpiochip Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 049/198] ALSA: hda/cirrus_scodec_test: Fix test suite name Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 050/198] net: hv_netvsc: reject RSS hash key programming without RX indirection table Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 051/198] dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 052/198] ipv6: Fix use-after-free in inet6_addr_del() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 053/198] selftests: drv-net: fix RPS mask handling for high CPU numbers Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 054/198] net/sched: sch_qfq: do not free existing class in qfq_change_class() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 055/198] ASoC: sdw_utils: cs42l43: Enable Headphone pin for LINEOUT jack type Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 056/198] ASoC: tlv320adcx140: fix null pointer Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 057/198] ASoC: tlv320adcx140: fix word length Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 058/198] drm/amdgpu: fix drm panic null pointer when driver not support atomic Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 059/198] drm/amd/display: Show link name in PSR status message Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 060/198] drm/amd/pm: fix smu overdrive data type wrong issue on smu 14.0.2 Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 061/198] drm/amdkfd: No need to suspend whole MES to evict process Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 062/198] drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 063/198] mm: describe @flags parameter in memalloc_flags_save() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 064/198] textsearch: describe @list member in ts_ops search Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 065/198] mm, kfence: describe @slab parameter in __kfence_obj_info() Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 066/198] mips: fix HIGHMEM initialization Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 067/198] drivers/dax: add some missing kerneldoc comment fields for struct dev_dax Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 068/198] NFS: Fix size read races in truncate, fallocate and copy offload Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 069/198] dmaengine: mmp_pdma: fix DMA mask handling Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 070/198] dmaengine: xilinx: xdma: Fix regmap max_register Greg Kroah-Hartman
2026-01-21 18:14 ` [PATCH 6.18 071/198] dmaengine: tegra-adma: Fix use-after-free Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 072/198] dmaengine: xilinx_dma: Fix uninitialized addr_width when "xlnx,addrwidth" property is missing Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 073/198] phy: fsl-imx8mq-usb: Clear the PCS_TX_SWING_FULL field before using it Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 074/198] phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 075/198] phy: stm32-usphyc: Fix off by one in probe() Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 076/198] phy: ti: da8xx-usb: Handle devm_pm_runtime_enable() errors Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 077/198] landlock: Fix TCP handling of short AF_UNSPEC addresses Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 078/198] selftests/landlock: Fix TCP bind(AF_UNSPEC) test case Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 079/198] selftests/landlock: Remove invalid unix socket bind() Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 080/198] landlock: Fix wrong type usage Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 081/198] phy: broadcom: ns-usb3: Fix Wvoid-pointer-to-enum-cast warning (again) Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 082/198] selftests/landlock: Properly close a file descriptor Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 083/198] dmaengine: omap-dma: fix dma_pool resource leak in error paths Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 084/198] soundwire: bus: fix off-by-one when allocating slave IDs Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 085/198] i2c: qcom-geni: make sure I2C hub controllers cant use SE DMA Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 086/198] i2c: imx-lpi2c: change to PIO mode in system-wide suspend/resume progress Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 087/198] sched/deadline: Avoid double update_rq_clock() Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 088/198] sched: Deadline has dynamic priority Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 089/198] HID: usbhid: paper over wrong bNumDescriptor field Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 090/198] selftests/bpf: Fix selftest verif_scale_strobemeta failure with llvm22 Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 091/198] scsi: core: Fix error handler encryption support Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 092/198] selftests: kvm: replace numbered sync points with actions Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 093/198] selftests: kvm: try getting XFD and XSAVE state out of sync Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 094/198] ALSA: pcm: Improve the fix for race of buffer access at PCM OSS layer Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 095/198] ALSA: hda/tas2781: Skip UEFI calibration on ASUS ROG Xbox Ally X Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 096/198] ALSA: hda/realtek: Add quirk for HP Pavilion x360 to enable mute LED Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 097/198] null_blk: fix kmemleak by releasing references to fault configfs items Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 098/198] can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 099/198] can: ctucanfd: fix SSP_SRC in cases when bit-rate is higher than 1 MBit Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 100/198] net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 101/198] tools/testing/selftests: add tests for !tgt, src mremap() merges Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 102/198] tools/testing/selftests: add forked (un)/faulted VMA merge tests Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 103/198] tools/testing/selftests: fix gup_longterm for unknown fs Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 104/198] ftrace: Do not over-allocate ftrace memory Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 105/198] xfs: set max_agbno to allow sparse alloc of last full inode chunk Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 106/198] xfs: Fix the return value of xfs_rtcopy_summary() Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 107/198] virtio-net: dont schedule delayed refill worker Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 108/198] lib/buildid: use __kernel_read() for sleepable context Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 109/198] x86/kaslr: Recognize all ZONE_DEVICE users as physaddr consumers Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 110/198] phy: rockchip: inno-usb2: fix communication disruption in gadget mode Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 111/198] phy: ti: gmii-sel: fix regmap leak on probe failure Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 112/198] phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 113/198] phy: freescale: imx8m-pcie: assert phy reset during power on Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 114/198] phy: rockchip: inno-usb2: fix disconnection in gadget mode Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 115/198] phy: fsl-imx8mq-usb: fix typec orientation switch when built as module Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 116/198] phy: tegra: xusb: Explicitly configure HS_DISCON_LEVEL to 0x7 Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 117/198] usb: host: xhci-tegra: Use platform_get_irq_optional() for wake IRQs Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 118/198] xhci: sideband: dont dereference freed ring when removing sideband endpoint Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 119/198] usb: gadget: uvc: fix interval_duration calculation Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 120/198] usb: gadget: uvc: fix req_payload_size calculation Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 121/198] usb: dwc3: Check for USB4 IP_NAME Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 122/198] usb: core: add USB_QUIRK_NO_BOS for devices that hang on BOS descriptor Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 123/198] USB: OHCI/UHCI: Add soft dependencies on ehci_platform Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 124/198] USB: serial: option: add Telit LE910 MBIM composition Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 125/198] USB: serial: ftdi_sio: add support for PICAXE AXE027 cable Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 126/198] nvme-pci: disable secondary temp for Wodposit WPBSNM8 Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 127/198] ASoC: codecs: wsa881x: fix unnecessary initialisation Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 128/198] ext4: fix ext4_tune_sb_params padding Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 129/198] ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 130/198] hrtimer: Fix softirq base check in update_needs_ipi() Greg Kroah-Hartman
2026-01-21 18:15 ` [PATCH 6.18 131/198] EDAC/x38: Fix a resource leak in x38_probe1() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 132/198] EDAC/i3200: Fix a resource leak in i3200_probe1() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 133/198] tcpm: allow looking for role_sw device in the main node Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 134/198] i2c: riic: Move suspend handling to NOIRQ phase Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 135/198] x86/resctrl: Add missing resctrl initialization for Hygon Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 136/198] x86/resctrl: Fix memory bandwidth counter width " Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 137/198] nvme: fix PCIe subsystem reset controller state transition Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 138/198] mm: kmsan: fix poisoning of high-order non-compound pages Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 139/198] mm: numa,memblock: include <asm/numa.h> for numa_nodes_parsed Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 140/198] mm/zswap: fix error pointer free in zswap_cpu_comp_prepare() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 141/198] mm/page_alloc: make percpu_pagelist_high_fraction reads lock-free Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 142/198] mm/damon/core: remove call_control in inactive contexts Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 143/198] mm/damon/sysfs-scheme: cleanup quotas subdirs on scheme dir setup failure Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 144/198] mm/damon/sysfs-scheme: cleanup access_pattern " Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 145/198] mm/damon/sysfs: cleanup intervals subdirs on attrs " Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 146/198] mm/damon/sysfs: cleanup attrs subdirs on context " Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 147/198] LoongArch: Fix PMU counter allocation for mixed-type event groups Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 148/198] LoongArch: dts: Describe PCI sideband IRQ through interrupt-extended Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 149/198] drm/amd/display: Bump the HDMI clock to 340MHz Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 150/198] drm/amd/display: Initialise backlight level values from hw Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 151/198] drm/amd: Clean up kfd node on surprise disconnect Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 152/198] drm/amdgpu: Fix gfx9 update PTE mtype flag Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 153/198] drm/amdgpu: make sure userqs are enabled in userq IOCTLs Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 154/198] drm/amdkfd: fix a memory leak in device_queue_manager_init() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 155/198] drm/nouveau/disp/nv50-: Set lock_core in curs507a_prepare Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 156/198] drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 157/198] drm/panel: simple: restore connector_type fallback Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 158/198] drm/sysfb: Remove duplicate declarations Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 159/198] drm/vmwgfx: Fix an error return check in vmw_compat_shader_add() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 160/198] LoongArch: dts: loongson-2k0500: Add default interrupt controller address cells Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 161/198] LoongArch: dts: loongson-2k1000: " Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 162/198] LoongArch: dts: loongson-2k1000: Fix i2c-gpio node names Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 163/198] LoongArch: dts: loongson-2k2000: Add default interrupt controller address cells Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 164/198] LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 165/198] LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 166/198] LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 167/198] dmaengine: apple-admac: Add "apple,t8103-admac" compatible Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 168/198] dmaengine: at_hdmac: fix device leak on of_dma_xlate() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 169/198] dmaengine: bcm-sba-raid: fix device leak on probe Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 170/198] dmaengine: cv1800b-dmamux: fix device leak on route allocation Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 171/198] dmaengine: dw: dmamux: fix OF node leak on route allocation failure Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 172/198] dmaengine: fsl-edma: Fix clk leak on alloc_chan_resources failure Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 173/198] dmaengine: idxd: fix device leaks on compat bind and unbind Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 174/198] dmaengine: lpc18xx-dmamux: fix device leak on route allocation Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 175/198] dmaengine: lpc32xx-dmamux: " Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 176/198] dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 177/198] dmaengine: sh: rz-dmac: fix device leak on probe failure Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 178/198] dmaengine: sh: rz-dmac: Fix rz_dmac_terminate_all() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 179/198] dmaengine: stm32: dmamux: fix device leak on route allocation Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 180/198] dmaengine: stm32: dmamux: fix OF node leak on route allocation failure Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 181/198] dmaengine: ti: dma-crossbar: fix device leak on dra7x route allocation Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 182/198] dmaengine: ti: dma-crossbar: fix device leak on am335x " Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 183/198] dmaengine: ti: k3-udma: fix device leak on udma lookup Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 184/198] mm: add a ptdesc flag to mark kernel page tables Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 185/198] mm: actually mark kernel page table pages Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 186/198] x86/mm: use ptdesc when freeing PMD pages Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 187/198] mm: introduce pure page table freeing function Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 188/198] x86/mm: use pagetable_free() Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 189/198] mm: introduce deferred freeing for kernel page tables Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 190/198] iommu/sva: invalidate stale IOTLB entries for kernel address space Greg Kroah-Hartman
2026-01-21 18:16 ` [PATCH 6.18 191/198] HID: intel-ish-hid: Use dedicated unbound workqueues to prevent resume blocking Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 192/198] HID: intel-ish-hid: Fix -Wcast-function-type-strict in devm_ishtp_alloc_workqueue() Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 193/198] btrfs: fix deadlock in wait_current_trans() due to ignored transaction type Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 194/198] mm/page_alloc/vmstat: simplify refresh_cpu_vm_stats change detection Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 195/198] mm/page_alloc: batch page freeing in decay_pcp_high Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 196/198] mm/page_alloc: prevent pcp corruption with SMP=n Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 197/198] Revert "functionfs: fix the open/removal races" Greg Kroah-Hartman
2026-01-21 18:17 ` [PATCH 6.18 198/198] iommu/sva: include mmu_notifier.h header Greg Kroah-Hartman
2026-01-21 22:12 ` [PATCH 6.18 000/198] 6.18.7-rc1 review Ronald Warsow
2026-01-21 23:35 ` Shuah Khan
2026-01-21 23:57 ` Florian Fainelli
2026-01-22 2:07 ` Justin Forbes
2026-01-22 4:07 ` Takeshi Ogasawara
2026-01-22 5:41 ` Brett A C Sheffield
2026-01-22 7:36 ` Shung-Hsi Yu
2026-01-22 8:43 ` Jon Hunter
2026-01-22 12:17 ` Ron Economos
2026-01-22 15:08 ` Brett Mastbergen
2026-01-22 15:51 ` Peter Schneider
2026-01-22 18:15 ` Mark Brown
2026-01-22 18:23 ` Lorenzo Stoakes
2026-01-22 19:14 ` Lorenzo Stoakes
2026-01-23 17:08 ` Dileep malepu
2026-01-23 22:06 ` Miguel Ojeda
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox